Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
On September 13, the CFPB released its summer 2019 Supervisory Highlights, which outlines its supervisory and enforcement actions in the areas of automobile loan origination, credit card account management, debt collection, furnishing, and mortgage origination. The findings of the report cover examinations that generally were completed between December 2018 and March 2019. Highlights of the examination findings include:
- Auto loan origination. The Bureau noted that one or more examinations found that guaranteed asset protection (GAP) products were sold to consumers with low loan-to-value (LTV) loans, resulting in those consumers purchasing a product that was not beneficial to them. The Bureau concluded these sales were an abusive practice, as “the lenders took unreasonable advantage of the consumers’ lack of understanding of the material risks, costs, or conditions of the product.”
- Credit card account management. The Bureau found several issues with credit card account servicing, including violations of Regulation Z for failing to clearly and conspicuously provide disclosures required by triggering terms in online advertisements and for offsetting consumers’ credit card debt against funds that the consumers had on deposit with the issuers without sufficient indication that the consumer intended to grant a security interest in those funds.
- Debt collection. The Bureau noted violations of the FDCPA’s prohibition on falsely representing the amount due when debt collectors claimed and collected interest that was not authorized by the underlying contracts between the debt collectors and the creditors.
- Credit information furnishing. The Bureau found multiple violations of the FCRA, including furnishers failing to complete dispute investigations within the required time period and failing to promptly send corrections or updates to all applicable credit reporting agencies after a determination that the information was no longer accurate.
- Mortgage origination. The Bureau noted that creditors had violated Regulation Z by disclosing inaccurate APRs for closed-end reverse mortgages and also by using a unit-period of one month instead of one year to calculate the total annual loan cost (TALC) rate and the future value of all advances, leading to inaccurate TALC disclosures.
The report notes that in response to most examination findings, the companies have taken, or are taking, remedial and corrective actions, including by identifying and compensating impacted consumers and updating their policies and procedures to prevent future violations.
Lastly, the report also highlights the Bureau’s recently issued rules and guidance.
On September 6, the Illinois Appellate Court, 5th District, vacated a circuit court’s $4.3 million settlement in a class action brought against a merchant for allegedly violating the Fair and Accurate Credit Transaction Act (FACTA) when it printed the first six and last four digits of customers’ 16-digit credit card account numbers on receipts. The appeals court held, among other things, that the “record is devoid of facts that would have permitted a reasoned judgment that the class settlement was fair, reasonable and in the best interests of all affected.” Under FACTA, merchants are prohibited from including on a receipt more than the last five digits of a consumer’s credit card number, and a credit card’s expiration date. A class action suit claiming the merchant violated the restriction was originally filed in New York federal court, but the preliminarily approved settlement was later dismissed after objectors argued that the plaintiffs lacked standing. The named plaintiff requested dismissal of the federal action and subsequently filed suit immediately after in Illinois state court, asking the court to adopt a settlement agreement identical to the one that had been preliminarily approved by the federal court. The objector appealed once again, challenging, among other things, (i) the named plaintiff’s ability to adequately represent the settlement class; (ii) the original class notice, which she argued was insufficient to cover the state court settlement; and (iii) the “fairness, reasonableness, and adequacy of the ‘coupon settlement,’” in which class members received $12 merchant gift cards, while the named plaintiff received $4,000 and class counsel was awarded $500,000.
On appeal, the appeals court disagreed with the objector’s contention that the named plaintiff lacked standing to represent the class because he kept his receipt and therefore had not been injured under FACTA, but found “a number of red flags” regarding the sub-class of more than 350,000 members of the merchant’s loyalty program, questioning whether the named plaintiff was an adequate representative for those class members since there was nothing in the record indicating whether he was a member of the program. Moreover, the appeals court agreed with the objector that the original class notice provided under the federal settlement did not sufficiently protect the due process rights of the settlement class, and that “due process requires the giving of notice anew of the pending state court settlement to absent class members so that they have the opportunity to protect their own interests.” The appeals court remanded the case to allow the trial court to more carefully scrutinize the terms of the settlement, stating that “we are unable to determine whether the trial court evaluated the merits of the cause of action, the prospects and problems of litigating the cause or the fairness of the terms of compromise.” The appeals court also ordered the trial court to further explain its findings that the $500,000 attorneys’ fee award and $4,000 lead plaintiff award are reasonable given the possibility that not every class member will use the coupon.
On August 28, the U.S. District Court for the District of Arizona denied motions to dismiss an enforcement action brought by the FTC against a group of individuals and entities that allegedly facilitated a telemarketing scheme that previously resulted in the principal actors in the scheme settling with the FTC and later pleading guilty to state criminal charges. The alleged scheme involved “credit card laundering”—the creation of fictitious entities to process customer credit card transactions so that the actual entity receiving the funds would not be identified. The defendants in the current matter are an Independent Sales Organization and several of its officers allegedly involved in that effort (prior Info Bytes coverage here). The defendants first argued that the relevant part of the FTC Act only permits injunctive relief and that the FTC’s requests for restitution and disgorgement were improper because those forms of relief are penalties, not equitable relief, under Kokesh v. Securities and Exchange Commission. The court noted, however, that the Supreme Court in Kokesh expressly limited the holding to the question of the statute of limitations applicable to the SEC, and that the Ninth Circuit has subsequently approved decisions granting restitution and disgorgement under the FTC Act. The defendants also argued that injunctive relief was not warranted where the unlawful conduct in question ceased in 2013, but the court ruled that the FTC need only show that it has “reason to believe” that a defendant is violating or is about to violate the law. The court declined to address the FTC’s argument that its “reason to believe” decision is unreviewable, but it found that the FTC had pled sufficient facts to establish that it has reason to believe that the defendants would violate the statute. In particular, the court noted that a “court’s power to grant injunctive relief survives the discontinuance of illegal conduct,” that “an inference arises from illegal past conduct that future violations may occur,” and that “courts should be wary of a defendant’s termination of illegal conduct when a defendant voluntarily ceases unlawful conduct in anticipation of formal intervention.” Those factors were all present, along with the fact that the defendants “remain in the same professional occupation.”
On August 27, the CFPB released its fourth biennial report on the state of the credit card market as required by Section 502 of the Credit Card Accountability Responsibility and Disclosure Act (CARD Act). The 2019 report covers the credit card market for the 2017-2018 period. In opening remarks, CFPB Director Kathy Kraninger notes that with the passage of time, it has become “increasingly difficult to correlate the CARD Act with specific effects in the marketplace that have occurred since the issuance of the Bureau’s last biennial report, and, even more so, to demonstrate a causal relationship between the CARD Act and those effects,” and therefore, future reports will focus more on overall market conditions. Key findings of the report include, (i) total outstanding credit card balances continue to grow; (ii) total cost of credit stood at 18.7 percent at the end of 2018, which is the highest overall level observed by the Bureau in its biennial reports; (iii) total credit line across all consumer credit cards reached $4.3 trillion in 2018, which is largely due to the increase in unused credit lines held by superprime score consumers; and (iv) consumers are increasingly using their cards through digital portals, including those accessed via mobile devices.
Regarding current trends, the report notes that over the last few years, the total amount of credit card spending has grown “much faster” than the total volume of balances carried on the cards. In addition, while cardholders with prime or superprime credit scores still account for most debt and spending, lower credit score consumers have been increasing their debt at a faster rate than cardholders with higher credit scores. Notably, delinquency and charge-off rates still remain lower than they were prior to the recession, even though they have slightly increased in recent years. Additionally, since the last report, issuers have lowered their daily limits on debt collection phone calls for delinquent accounts and average daily attempts remain “well below” stated limits. Issuers are also beginning to supplement communications for account servicing with email and text messages.
On August 22, two members of the U.S. House of Representatives, Katie Porter (D-Calif.) and Nydia Velázquez (D-N.Y.), sent a letter to the U.S. Department of Treasury requesting that the Financial Stability Oversight Council (FSOC) consider designating the three leading providers of cloud-based storage systems for the financial industry as systemically important financial market utilities. The letter is in response to the recent data breach announcement by a national bank (covered by InfoBytes here), where an alleged former employee of the bank’s cloud-based storage system gained unauthorized access to the personal information of credit card customers and people who had applied for credit card products. According to the Congresswomen, 57 percent of the cloud services market is “cornered by” three main providers, and “a lack of substitutability for the services provided by these very few firms creates systemic risk.” The letter argues that cloud services are not currently subject to an enforced regulatory regime and, “[w]ithout a dedicated regulatory regime proportional and tailored to their very unique structure and risks, cloud comparing companies will continue to evade supervision.”
On August 1, the U.S. District Court for the Southern District of New York allowed breach of contract and clear and conspicuous disclosure claims brought by a proposed class of consumers against a national bank to proceed, finding that ambiguity exists over whether credit card cryptocurrency purchases are “cash-like transactions.” The plaintiffs claimed that the bank breached their cardholder agreements when it changed the classification of cryptocurrency acquisitions from “purchases” to “cash advances” between January 23 and February 2, 2018. Plaintiffs contended that this change subjected cardholders to higher interest rates and transaction fees in violation of their cardholder agreements. Moreover, the plaintiffs claimed that the bank’s failure to clearly and conspicuously disclose the different types of transactions and varying rates, as well as its failure to provide advance notice of significant changes in its account terms and accurate disclosures in periodic account statements, violated TILA and Regulation Z.
The bank countered that no breach of contract occurred because cryptocurrency acquisitions are “cash-like transactions” that, under the cardholder agreement, are properly classified as cash advances. Specifically, the bank stated that because cryptocurrency can be a “medium of exchange, a measure of value, or a means of payment” under the definition of “cash,” it is therefore “cash-like.”
The court concluded that the plaintiffs offered a reasonable argument that purchases of cryptocurrency did not constitute cash advances. Plaintiffs argued that the contractual term “cash-like”—which was used in the cardholder agreement to describe a cash advance—referred only to financial instruments formally tied to physical, government-issued “fiat” currency, such as checks, money orders, and wire transfers. “Because, as plaintiffs plausibly allege, cryptocurrency does not imbue its holder with a legal right to any government-issued currency, acquisitions of cryptocurrency could not be classified as a cash-like transaction,” the court stated. As such, “[b]ecause plaintiffs have identified a reasonable interpretation of ‘cash-like transactions’ that would exclude purchases of cryptocurrency, the breach of contract claim survives the motion to dismiss.” The court also allowed plaintiffs’ “clear and conspicuous” disclosure claim under TILA to survive because the contract was not clear that purchases of cryptocurrency would result in cash advance fees. However, the court dismissed the plaintiffs’ remaining TILA claims, finding that (i) the bank did not change the contract terms themselves, but rather their application; and (ii) the periodic account statements did not inaccurately convey what the plaintiffs owed to the bank for those particular periods of time.
On August 1, the CFPB published in the Federal Register the final rule amending Regulation Z, which implements the Truth in Lending Act (TILA), including as amended by the Credit Card Accountability Responsibility and Disclosure Act of 2009 (CARD Act), the Home Ownership and Equity Protection Act of 1994 (HOEPA), and the Dodd-Frank Wall Street Reform and Consumer Protection Act’s ability-to-repay and qualified mortgage (ATR/QM) provisions. The CFPB is required to make annual adjustments to dollar amounts in certain provisions in Regulation Z, and has based the adjustments on the annual percentage change reflected in the Consumer Price Index in effect on June 1, 2019. The following thresholds will be effective on January 1, 2020:
- For open-end consumer credit plans under TILA, the threshold for disclosing an interest charge will remain unchanged at $1.00;
- For open-end consumer credit plans under the CARD Act amendments, the adjusted dollar amount for the safe harbor for a first violation penalty fee will increase from $28 to $29, and the adjusted dollar amount for the safe harbor for a subsequent violation penalty fee will increase from $39 to $40;
- For HOEPA loans, the adjusted total loan amount threshold for high-cost mortgages will be $21,980, and the adjusted points and fees dollar trigger for high-cost mortgages will be $1,099; and
- The maximum thresholds for total points and fees for qualified mortgages under the ATR/QM rule will be: (i) 3 percent of the total loan amount for loans greater than or equal to $109,898; (ii) $3,297 for loan amounts greater than or equal to $65,939 but less than $109,898; (iii) 5 percent of the total loan amount for loans greater than or equal to $21,980 but less than $65,939; (iv) $1,099 for loan amounts greater than or equal to $13,737 but less than $21,980; and (v) 8 percent of the total loan amount for loan amounts less than $13,737.
On July 29, a national bank announced a data breach affecting approximately 100 million individuals in the United States and approximately six million in Canada. According to the announcement, the incident occurred on July 19 when an unauthorized individual obtained personal information of credit card customers and people who had applied for credit card products. The bank noted that no credit card account numbers or log-in credentials were compromised and over 99 percent of social security numbers were not compromised. The largest category of information accessed was consumer and small business information from applications submitted from 2005 through early 2019, including names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income.
Upon discovery of the breach, the bank fixed the vulnerability that allowed for the individual to gain access and worked with the federal authorities, resulting in the arrest of the person allegedly responsible. The bank will notify and make free credit monitoring and identity protection available to those affected.
On July 29, the FTC and the Ohio attorney general announced temporary restraining orders and asset freezes issued by the U.S. District Court for the Western District of Texas against a payment processor and a credit card interest-reduction telemarketing operation (see here and here). According to the FTC, the payment processor defendants allegedly violated the FTC Act, the Telemarketing Sales Rule (TSR), and various Ohio laws by, among other things, generating and processing remotely created payment orders or checks that allowed merchants—including deceptive telemarketing schemes—the ability to withdraw money from consumers’ bank accounts. The FTC asserted that the credit card interest-reduction defendants deceptively promised consumers significant credit card interest rate reductions, along with “a 100 percent money back guarantee if the promised rate reduction failed to materialize or the consumers were otherwise dissatisfied with the service.” However, the FTC claimed that most customers never received the promised rate reduction, were refused refund requests, and often received collection or lawsuit threats. Additionally, the credit card interest-reduction defendants allegedly violated the TSR by charging advance fees, failing to properly identify the service in telemarketing calls, and failing to pay to access the FTC’s National Do Not Call Registry.
On June 7, the U.S. Court of Appeals for the 6th Circuit affirmed a lower court’s ruling that an agreement between a Texas-based merchant and a payment processor did not require the merchant to pay millions of dollars in damage-control costs related to two card system data breaches. After the data breaches, the payment processor withheld routine payment card transaction proceeds from the merchant, asserting that the merchant was responsible for reimbursing the amount that the issuing banks paid to cardholders affected by the breaches. However, the merchant refused to pay the payment processor, relying on a “consequential damages waiver” contained in the agreement.
The payment processor argued that, under the agreement’s indemnification clause and provision covering third-party fees and charges, the merchant retained liability for assessments passed down from the card brands’ acquiring bank. The district court, however, granted summary judgment to the merchant, finding that the merchant was not liable for the card brands’ assessments. The court further ruled that the payment processor materially breached the agreement when it diverted funds to reimburse itself.
On review, the 6th Circuit agreed with the lower court that the assessments “constituted consequential damages” and that the agreement exempted consequential damages from liability under a “conspicuous limitation” to the indemnification clause. According to the 6th Circuit, the “data breaches, resulting reimbursement to cardholders, and levying of assessments, though natural results” of the merchant’s failure to comply with the Payment Card Industry's Data Security Standards, “did not necessarily follow from it.” In addition, the appellate court agreed with the district court’s holding that third-party fees and charges in the contract refer to routine charges associated with card processing services rather than liability for a data breach. The appellate court also concurred that the payment processor’s decision to withhold routine payment card transactions, constituted a material breach of the agreement.
- Daniel P. Stipano to discuss “Beneficial Ownership: You have questions – We have quick answers” at the ABA/ABA Financial Crimes Enforcement Conference
- Moorari K. Shah to discuss "Legal & regulatory issues – Next wave of regulatory policy" at the Marketplace Lending & Alternative Financing Summit
- Daniel P. Stipano to discuss "Risk management in enforcement actions: Managing risk or micromanaging it" at an American Bar Association webinar
- Kari K. Hall and Christopher M. Walczyszyn to speak on the "Understanding updates to Regulation CC to ensure effective check processing" at a National Association of Federal Credit Unions webinar
- Daniel P. Stipano to discuss "ACAMS Moneylaundering.com Year-End Compliance Review and 2020 Outlook" at an ACAMS webinar
- APPROVED Webcast: Periodic reporting made easier
- Daniel P. Stipano to discuss "A 20/20 view on 2020’s legislative and regulatory outlook" at the ACAMS Anti-Financial Crime and Public Policy Conference