InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Ed. Dept. discharges additional $3.9 billion
On August 16, the Department of Education announced that 208,000 borrowers who attended a large for-profit post-secondary education institution will receive full student loan discharges totaling $3.9 billion. The announcement builds on previous actions taken by the Department that have resulted in the approval of $1.9 billion in discharges for another 130,000 borrowers, including borrower defense findings that the institution “engaged in widespread and pervasive misrepresentations related to the ability of students to get a job or transfer credits” and lied about certain program accreditation. State attorneys general around the country, the CFPB, and Veterans Education Success also provided significant assistance in the Department’s findings. The Department referred in its announcement to a 2014 CFPB action, which alleged that the institution pressured students into taking out high-cost private loans even though it allegedly knew that most students would ultimately default. The Bureau ultimately announced a judgment barring the institution from offering or providing student loans, and obtained judgments against several entities accused of providing substantial assistance to the institution (covered by InfoBytes here). “While today’s action affects federal loans, and while past CFPB actions have addressed many of the private loans peddled by [the institution],” CFPB Director Rohit Chopra said in remarks following the announcement, he stressed that the Bureau “will continue our work with the Department of Education and other regulators to open up the books on in-house institutional lending programs—these are private loans pushed directly by schools—to ensure that they are not strongarming their students with illegal practices.”
The Department also announced that it has notified another for-profit institution that it is required to pay millions of dollars for approved borrower defense to repayment discharges. The institution can present arguments as to why it should not be required to pay or request a hearing before the Department’s Office of Hearings and Appeals, the Department said.
District Court dismisses EFTA claims over prepaid debit card fraud
On August 11, the U.S. District Court for the District of Maryland dismissed a putative class action alleging violations of the EFTA and state privacy and consumer protection laws brought against a national bank on behalf of consumers who were issued prepaid debit cards providing pandemic unemployment benefits. The named plaintiff—a self-employed individual who did not qualify for state unemployment insurance but who was eligible to receive temporary Pandemic Unemployment Assistance (PUA) benefits—alleged that he lost nearly $15,000 when an unauthorized user fraudulently used a prepaid debit card containing PUA funds that were intended for him. The court dismissed the class claims with respect to the EFTA and Regulation E, finding that the Covid-19 pandemic was a “qualified disaster” under applicable law and regulations (i.e. PUA payments were “qualified disaster relief payments”), and that as such, the payments satisfied the CFPB’s official interpretation of Regulation E and were excluded from the definition of a “prepaid account.” The court further explained that while relevant CFPB regulations define an “account” to include a prepaid account, Regulation E excludes “any ‘account that is directly or indirectly established through a third party and loaded only with qualified disaster relief payments.’” Because the prepaid debit card in question was established through a third party and was loaded only with PUA funds, it did not meet the definition of a “prepaid account” and therefore fell outside the EFTA’s definition of a covered account. The court also disagreed with the plaintiff’s contention that PUA payments were authorized by Congress in the CARES Act due to the public health emergency rather than a disaster.
FDIC announces Missouri disaster relief
On August 12, the FDIC issued FIL-39-2022 to provide regulatory relief to financial institutions and help facilitate recovery in areas of Missouri affected by severe storms and flooding from July 25-28. The FDIC acknowledged the unusual circumstances faced by institutions affected by the storms and suggested that institutions work with impacted borrowers to, among other things: (i) extend repayment terms; (ii) restructure existing loans; or (iii) ease terms for new loans to those affected by the severe weather, provided the measures are done “in a manner consistent with sound banking practices.” Additionally, the FDIC noted that institutions “may receive favorable Community Reinvestment Act consideration for community development loans, investments, and services in support of disaster recovery.” The FDIC will also consider regulatory relief from certain filing and publishing requirements.
Chopra considers banking to be “under threat”
On August 10, CFPB Director Rohit Chopra discussed the digital market before the 2022 National Association of Attorneys General Presidential Summit. In his remarks, Chopra first discussed the evolution of advertising models over time, describing how the persuasion of advertising continues to be used to target an individual based on “voluminous amounts of personal data.” Chopra also discussed HUD’s 2019 complaint against a social media platform, stating that it “illustrates the stark differences between traditional advertising and today’s digital marketing.” According to Chopra, the social media platform “helped advertisers limit the audience for ads and enabled advertisers to target specific groups of people to the exclusion of protected classes.” Chopra further noted that “state attorneys general have already begun to recognize that these platforms are not passive advertisers.” Chopra also noted that the CFPB recently issued an interpretive rule explaining that the service provider exemption for “time or space” will typically not apply to the digital marketing services offered by major platforms (covered by InfoBytes here). Chopra described that though “they may be providing space for ads, these firms are commingling many other features that go well beyond the exemption.” To conclude, Chopra expressed that “banking is under threat.” He described that “sensitive data is viewed as more valuable to firms than our actual selves,” and that “advances in technology should help our economy and society advance, rather than incentivizing a rush to seize our sensitive financial data and to allow tech giants to evade existing laws that other firms must comply with.”
CFPB: Digital marketing providers/big tech liable for UDAAP violations
On August 10, the CFPB issued an interpretive rule addressing when the CFPA’s UDAAP provisions cover digital marketing providers that commingle the targeting and delivery of advertisements to consumers with the provision of advertising “time or space.” Currently, traditional marketing firms are exempt from the CFPA provided they allow banks and other financial institutions “time and space” in traditional media outlets such as television and newspapers to advertise products. The Bureau stated, however, that digital marketers go beyond this approach when they harvest large amounts of information about consumers and use this data to shape their marketing content strategy.
Under the interpretive rule, this exception does not apply to firms that are materially involved in the development of content strategy. Due to the different nature of the services provided, behavioral marketing and advertising for financial institutions could subject marketers to legal liability depending on how those practices are designed and implemented, the Bureau said. Because “[d]igital marketing providers are typically materially involved in the development of content strategy when they identify or select prospective customers or select or place content in order to encourage consumer engagement with advertising,” the Bureau explained that digital marketers “engaged in this type of ad targeting and delivery are not merely providing ad space and time,” and therefore do not qualify under the “time or space” exception. The interpretive rule noted, among other things, that while a covered person may specify certain parameters of the intended audience for a financial product, the digital marketers’ ads and delivery algorithms “identify the audience with the desired characteristics and determine whether and/or when specific consumers see an advertisement.”
“When Big Tech firms use sophisticated behavioral targeting techniques to market financial products, they must adhere to federal consumer financial protection laws,” CFPB Director Rohit Chopra said in the announcement. “The CFPB, states, and other consumer protection enforcers can sue digital marketers to stop violations of consumer financial protection law: Service providers are liable for unfair, deceptive, or abusive acts or practices under the Consumer Financial Protection Act. When digital marketers act as service providers, they are liable for consumer protection law violations,” the Bureau added.
FHFA to require servicers to maintain fair lending data
On August 10, the FHFA announced that Fannie Mae and Freddie Mac will start requiring servicers to obtain and maintain borrowers’ fair lending data on their loans. Data must transfer with servicing throughout the mortgage term, the announcement states, adding that beginning March 1, 2023, servicers will be required to collect borrower data including age, race, ethnicity, gender, and preferred language. The update follows an announcement issued in May (covered by InfoBytes here), which requires lenders to collect information on the borrower’s language preference, and on any homebuyer education or housing counseling that the borrower received, so that lenders can increase their understanding of borrowers’ needs throughout the home buying process. To facilitate the upcoming changes, Freddie Mac issued servicing Bulletin 2022-17, which outlines servicing requirements and notes that data elements must be stored in a format that can be searched, queried, and transferred. Simultaneously, Fannie Mae issued SVC-2022-06 to incorporate the new fair lending data requirements into its Servicing Guide. “Having fair lending data travel with servicing will help servicers do the important work of providing assistance to borrowers in need, helping to further a sustainable and equitable housing finance system,” FHFA Director Sandra Thompson said, adding that this need arose from the foreclosure crisis and Covid-19 response.
CFPB: Financial services companies must safeguard consumer data
On August 11, the CFPB released Circular 2022-04 to reiterate that financial services companies may violate the CFPA’s prohibition on unfair acts or practices if they fail to safeguard consumer data. The Circular explained that, in addition to other federal laws governing data security for financial institutions, such as the Safeguards Rules issued under the Gramm-Leach-Bliley Act (which was updated in 2021 and covered by InfoBytes here), “covered persons” and “service providers” are required to comply with the prohibition on unfair acts or practices in the CFPA. Examples of when firms can be held liable for lax data security protocols are provided within the Circular, as are examples of widely implemented data security practices. The Bureau explained that inadequate data security measures may cause significant harm to a few consumers who become victims of targeted identity theft as a result, or may harm potentially millions of consumers if a large customer-base-wide data breach occurs. The Bureau reiterated that actual injury is not required to satisfy the unfairness prong in every case. “A significant risk of harm is also sufficient,” the Bureau said, noting that the “prong of unfairness is met even in the absence of a data breach. Practices that ‘are likely to cause’ substantial injury, including inadequate data security measures that have not yet resulted in a breach, nonetheless satisfy this prong of unfairness.”
While the circular does not suggest that any of the outlined security practices are specifically required under the CFPA, it does provide examples of situations where the failure to implement certain data security measures might increase the risk of legal liability. Measures include: (i) using multi-factor authentication; (ii) ensuring adequate password management; and (iii) implementing timely software updates. “Financial firms that cut corners on data security put their customers at risk of identity theft, fraud, and abuse,” CFPB Director Rohit Chopra said in the announcement. “While many nonbank companies and financial technology providers have not been subject to careful oversight over their data security, they risk legal liability when they fail to take commonsense steps to protect personal financial data.”
10th Circuit says materiality is determined through the perspective of the “reasonable consumer”
On August 8, the U.S. Court of Appeals for the Tenth Circuit upheld the dismissal of an FDCPA action, concluding that an alleged false or misleading communication must be material in order to be considered a violation of the statute, and that materiality is determined through the perspective of the “reasonable consumer.” The plaintiff, a student loan debtor, alleged that he received a letter attempting to collect on debt from the defendant. The defaulted debt in question had been sold to a federal student-loan guaranty agency (creditor), which contracted with the defendant to collect the debt. According to the plaintiff, the letter appeared as if it were sent by the creditor, primarily because the letter displayed the guaranty agency’s name and logo instead of the defendant’s own information. According to the plaintiff, the letter violated several sections of the FDCPA, which prohibit the use of false representations or deceptive means to collect a debt or obtain information concerning a consumer and require a debt collector to use their “true name.” The district court dismissed the action for failure to state a claim, ruling that the letter in question was not misleading and that the plaintiff failed to establish that the defendant used materially misleading, unfair, or unconscionable means to collect the debt.
On appeal, the 10th Circuit held that “a reasonable consumer would not be misled,” because the letter (i) identifies the creditor as “the holder of a defaulted federally insured student loan”; (ii) states that the letter “is an attempt, by a debt collector, to collect a debt”; and (iii) clarifies that the defendant “is assisting [the creditor] with administrative activities associated with this administrative wage garnishment.” Moreover, “[e]ven assuming a reasonable consumer would believe [the creditor] and not [the defendant] sent the letter, [the plaintiff] fails to demonstrate how that would frustrate the reasonable consumer’s ability to respond intelligently,” the appellate court wrote.
In its determination, the 10th Circuit also considered differences related to the “least sophisticated consumer” and a “reasonable consumer” in determining how materiality should be measured. According to the appellate court, even the courts that apply the least sophisticated consumer standard tend to agree that the consumer’s interpretation must be reasonable, thereby incorporating aspects of the reasonable consumer standard. The 10th Circuit pointed out that while many courts have referenced the “least sophisticated consumer” in their rulings, few actually use that perspective. “In applying the least sophisticated consumer standard, courts typically begin by noting the least sophisticated consumer is not an expert but then quickly explain he is not actually the least sophisticated consumer,” the 10th Circuit said, adding that “[i]n reality, the nebulous least sophisticated consumer standard is simply a misnomer. A few circuits, recognizing problems with the least sophisticated consumer standard, instead look to the ‘unsophisticated consumer.’” The appellate court concluded that, assuming “the reasonable consumer would read a communication in its entirety and make sense of a communication by assessing it as a whole and in its context,” no reasonable consumer would have been materially misled.
CFPB fines fintech for algorithm-induced overdraft charges
On August 10, the CFPB announced a consent order against a California-based fintech company for allegedly using an algorithm that caused consumers to be charged overdrafts on their checking accounts when using the company’s personal finance-management app. According to the Bureau, the app promotes automated savings with a proprietary algorithm, which analyzes consumers’ checking-account data to determine when and how much to save for each consumer. The app then automatically transfers funds from consumers’ checking accounts to accounts held in the company’s name. The Bureau asserted, however, that the company engaged in deceptive acts or practices in violation of the CFPA by (i) causing consumers’ checking accounts to incur overdraft charges from their banks even though it guaranteed no overdrafts and represented that its app never transferred more than a consumer could afford; (ii) representing that it would reimburse overdraft charges (the Bureau claims the company has received nearly 70,000 overdraft-reimbursement requests since 2017); and (iii) keeping interest that should have gone to consumers even though it told consumers it would not keep any interest earned on consumer funds. Under the terms of the consent order, the company is required to provide consumer redress for overdraft charges that it previously denied and must pay a $2.7 million civil penalty.
FTC charges healthcare company with fraud
On August 8, the FTC announced it has taken action against a healthcare company, two subsidiaries, and the former CEO and former vice president of sales (collectively, “defendants”) for allegedly misleading consumers about their health insurance plans and using deceptive lead generation websites. According to the complaint, the defendants, along with their third-party partners, allegedly engaged in deceptive sales practices in violation of the FTC Act, the Telemarketing Sales Rule, and the Restore Online Shoppers Confidence Act (ROSCA). These practices included allegedly (i) lying to consumers about the nature of their healthcare plans; (ii) bundling and charging junk fees for unwanted products that were typically not clearly disclosed (consumers were often charged for these additional products after they cancelled their core healthcare plans); and (iii) making it difficult for consumers to cancel their plans. The FTC further alleged that the company (which sells association memberships and other healthcare-related products to consumers, often through telemarketing companies and lead generators), as well as the former CEO and former vice president of sales, were aware of the agents’ misconduct but allegedly “took steps to disguise and further the deception” instead of stopping the deceptive practices.
The FTC stated that the company and two of its subsidiaries have agreed to a proposed court order, which requires the payment of $100 million in consumer redress. The proposed order also requires the company to contact current customers and allow them to cancel their enrollment. The company is also required to send refunds to consumers who cancel right after their order is entered. Additionally, the proposed order prohibits the company from misleading consumers about their products, requires the disclosure of total costs and limitations prior to purchase, and requires consumers to provide express informed consent before they are billed. The company must also provide a simple and easy-to-use cancellation method and closely monitor other companies that sell its products.
The FTC also filed separate proposed court orders against the individual defendants (see here and here), which impose similar prohibitions and permanently bans them from playing any role in the sale or marketing of any healthcare-related product or service. The proposed orders also prohibit the former CEO from engaging in deceptive or abusive telemarketing practices, and bans the former vice president of sales from participating in any telemarketing whatsoever in the future.