On September 17, the California attorney general announced a settlement with a technology company that operates a fertility-tracking mobile app to resolve claims that security flaws put users’ sensitive personal and medical information at risk in violation of state consumer protection and privacy laws. According to the complaint filed in the Superior Court for the County of San Francisco, the company’s app allegedly failed to adequately safeguard and preserve the confidentiality of medical information by, among other things, (i) allowing access to user information without the user’s consent, by failing to “authenticate the legitimacy of the user to whom the medical information was shared”; (ii) allowing a password-change vulnerability to permit unauthorized access and disclosure of information stored in the app without the user’s consent; (iii) making misleading statements concerning implemented security measures and the app’s ability to protect consumers’ sensitive personal and medical information from unauthorized disclosure; and (iv) failing to implement and maintain reasonable security procedures and practices.
Under the terms of the settlement, the company—which does not admit liability—is required to pay a $250,000 civil penalty and incorporate privacy and security design principles into its mobile apps. The company must also obtain affirmative authorization from users before sharing or disclosing sensitive personal and medical information, and must allow users to revoke previously granted consent. Additionally, the company is required to provide ongoing annual employee training concerning the proper handling and protection of sensitive personal and medical information, in addition to training on cyberstalking awareness and prevention. According to the AG’s press release, the settlement also includes “a first-ever injunctive term that requires [the company] to consider how privacy or security lapses may uniquely impact women.”
On September 15, the CFPB filed a complaint and proposed stipulated judgment against a trust, along with three banks acting in their capacity as trustees to the trust, for allegedly providing substantial assistance to a now defunct for-profit educational institution in engaging in unfair acts and practices in violation of the Consumer Financial Protection Act. The Bureau asserted that the trust owned and managed private loans for students attending the defunct institution, even though the trust “allegedly knew or was reckless in not knowing that many student borrowers did not understand the terms and conditions of those loans, could not afford them, or in some cases did not even know they had them.” The Bureau alleged that the defunct institution induced students to take out loans through several unfair practices, including “using aggressive tactics, and in some cases, gaining unauthorized access to student accounts to sign students up for loans without permission.” These loans, the Bureau contended, carried default rates well above what was expected for student loans. According to the Bureau, the trust was allegedly actively involved in the servicing, managing, and collection of these student loans.
If approved by the court, the Bureau’s proposed settlement would require the trust to (i) cease collection efforts on all outstanding loans owned and managed by the trust; (ii) discharge all outstanding loans owned and managed by the trust; (iii) ask all consumer reporting agencies to delete information related to the trust’s loans; and (iv) notify all affected consumers of these actions. The Bureau estimated that the total amount of loan forgiveness is roughly $330 million.
This settlement is the third reached by the Bureau in relation to the defunct institution’s private loan programs. In 2019, the defunct institution reached a settlement with the Bureau (covered by InfoBytes here), which required the payment of a $60 million judgment. Additionally, the Bureau entered into another settlement in 2019 with a different company that managed student loans for the defunct institution’s students, which required the loan management company to comply with similar requirements as the trust (covered by InfoBytes here).
On September 11, the New York attorney general announced one of the nation’s largest debt collectors will pay $600,000 in restitution to student loan borrowers and will make significant changes to its debt collection practices in order to resolve allegations that it made false, misleading, and deceptive statements in lawsuits and in communications with borrowers. According to the AG, the debt collector, among other things, (i) filed complaints that falsely identified trusts, which hold the defaulted loans, as the borrower’s “original creditor,” when in fact, the trusts are the assignees of the original financial institutions that originated the loans; (ii) filed various misleading sworn affidavits; (iii) filed complaints that represented borrowers applied for loans from a “servicing agent” when, in fact, borrowers never dealt with the entity; (iv) filed lawsuits beyond the applicable three-year statute of limitations; and (v) threatened legal action against borrowers even though the trusts “could not or would not sue because the statute of limitations for suing on the debt had expired.”
The assurance of discontinuance requires the debt collector to stop identifying the trusts as the original creditor and to cease using misleading language in communications with borrowers. In addition, the debt collector must (i) provide enhanced staff training; (ii) stop filing lawsuits beyond the statute of limitations, and voluntarily dismiss all wrongfully-filed lawsuits; (iii) voluntarily release “all pending garnishments, levies, liens, restraining notices, attachments, or any other judgment enforcement mechanism” obtained as a result of judgments obtained in wrongfully-filed lawsuits where the statute of limitations has expired; (iv) take steps to vacate any judgment obtained in any of these wrongfully-filed lawsuits; and (v) pay restitution to certain borrowers or to the state to be disbursed as appropriate.
On September 8, the U.S. District Court for the Central District of California entered a stipulated final judgment against two additional defendants in an action brought by the CFPB, the Minnesota and North Carolina attorneys general, and the Los Angeles City Attorney alleging a student loan debt relief operation deceived thousands of student-loan borrowers and charged more than $71 million in unlawful advance fees. As previously covered by InfoBytes, the complaint alleged that the defendants violated the Consumer Financial Protection Act, the Telemarketing Sales Rule, and various state laws by charging and collecting improper advance fees from student loan borrowers prior to providing assistance and receiving payments on the adjusted loans. Four defendants settled in August, with a total suspended judgment of over $95 million due to the defendants’ inability to pay and total payments of $90,000 to Minnesota, North Carolina, and California, and $1 each to the CFPB, in civil money penalties.
The new final judgment holds the two relief defendants liable for nearly $7 million in redress; however, the judgment is suspended based on an inability to pay. The defendants are not subject to any civil money penalties, but are required to relinquish certain assets and submit to certain reporting requirements.
On September 8, the CFPB and the New York attorney general jointly filed a lawsuit against a debt collection operation based near Buffalo, New York. The defendants include five companies, two of their owners, and two of their managers (collectively, “defendants”). According to the complaint, filed in the U.S. District Court for the Western District of New York, the defendants violated the Consumer Financial Protection Act, FDCPA, and various New York laws by using illegal tactics to induce consumer payments, such as (i) threatening arrest and imprisonment; (ii) claiming consumers owed more debt than they actually did; (iii) threatening to contact employers about the existence of the debt; (iv) harassing consumers and third parties by using “intimidating, menacing, or belittling language”; and (v) failing to provide debt verification notices.
The lawsuit seeks consumer redress, disgorgement, civil money penalties, and injunctive relief against the defendants.
On August 31, the Massachusetts attorney general announced an action against a national auto lender for allegedly making unfair and deceptive auto loans and engaging in unfair debt collection practices. According to the complaint, since 2013, the auto lender allegedly made “high-risk high-interest subprime” loans to Massachusetts borrowers who the lender “knew or should have known were unable to repay their loans,” in violation of the Massachusetts Consumer Protection Act. Additionally, the attorney general asserts that consumers were subject to “hidden finance charges,” which resulted in consumers’ actual interest rates being higher than the state’s usury ceiling of 21 percent. Moreover, the lender’s collection employees allegedly “harassed” consumers in default by calling them “as often as eight times a day,” when state law limits collection calls to no more than two calls per week, sent improper repossession notices, and failed to use the correct fair market value when calculating deficiency amounts. Lastly, the attorney general argues that the lender used “false or misleading statements” concerning the characteristics of the loans packaged and securitized to investors.
The attorney general is seeking a permanent injunction, restitution, and civil penalties.
On August 26 and 28, the U.S. District Court for the Central District of California entered two final judgments (see here and here) against four of the defendants in an action brought by the CFPB, the Minnesota and North Carolina attorneys general, and the Los Angeles City Attorney alleging a student loan debt relief operation deceived thousands of student-loan borrowers and charged more than $71 million in unlawful advance fees. As previously covered by InfoBytes, the complaint alleged that the defendants violated the Consumer Financial Protection Act, the Telemarketing Sales Rule, and various state laws by charging and collecting improper advance fees from student loan borrowers prior to providing assistance and receiving payments on the adjusted loans. In addition, the complaint asserts the defendants engaged in deceptive practices by misrepresenting (i) the purpose and application of fees they charged; (ii) their ability to obtain loan forgiveness; and (iii) their ability to actually lower borrowers’ monthly payments.
The finalized settlements suspend a total judgment of over $95 million due to the defendants’ inability to pay, and require the two defendants who settled on August 26 to pay a total of $75,000 to Minnesota, North Carolina, and California, and $1 each to the CFPB, in civil money penalties, and the two defendants who settled on August 28 to pay a total of $15,000 to the respective states and $1 to the CFPB in civil money penalties. In addition to the monetary penalties, the defendants are required to relinquish certain assets and submit to certain reporting and recordkeeping requirements. As part of the settlements, all four defendants neither admit nor deny the allegations.
On August 20, eight state attorneys general—from California, Illinois, Massachusetts, Minnesota, New Jersey, New York, North Carolina, and the District of Columbia—filed an action in the U.S. District Court for the Northern District of California challenging the FDIC’s valid-when-made rule. As previously covered by InfoBytes, the FDIC’s final rule clarifies that, under the Federal Deposit Insurance Act (FDIA), whether interest on a loan is permissible is determined at the time the loan is made and is not affected by the sale, assignment, or other transfer of the loan (details on the effect of the rule can be found in Buckley’s Special Alert on the issuance of the OCC’s similar rule).
In the complaint—which follows a similar action filed in July by three of the same attorneys general against the OCC for issuing a final rule designed to effectively reverse the Second Circuit’s 2015 Madden v. Midland Funding decision (previously covered here)—the attorneys general argue, among other things, that the FDIC does not have the power to issue the rule, asserting that the FDIC has the power to issue “‘regulations to carry out’ the provisions of the FDIA,” but not regulations that would apply to non-banks. Moreover, the attorneys general assert that the rule’s extension of state law preemption would “facilitate evasion of state law by enabling ‘rent-a-bank’ schemes.” Finally, the complaint states that the FDIC failed to explain its consideration of evidence contrary to its assertions, including evidence demonstrating that “consumers and small businesses are harmed by high interest-rate loans, and thus that Madden is likely to have been beneficial rather than harmful.” The complaint asks the court to declare that the FDIC violated the Administrative Procedure Act in issuing the rule and to hold the rule unlawful.
On August 19, the Pennsylvania attorney general announced it had entered into an Assurance of Voluntary Compliance with a national bank to end the bank’s “aggressive” debt collection practices. According to the AG, the bank allegedly filed collection lawsuits against individuals with unpaid auto loans “in a district justice court in Warren, Pennsylvania despite the fact that most of the defendants in those actions were consumers who purchased their vehicles in another part of the state and merely had their vehicle installment contract assigned to [the bank].” After obtaining judgments, the bank also allegedly violated Pennsylvania law by sending post-judgment letters that threatened further legal action, including a sheriff’s sale of an individual’s vehicle. These alleged misrepresentations constituted an unfair or deceptive debt collection act or practice, the AG stated. The bank did not admit to the violations, but agreed to modify its collection practices to, among other things, (i) strike all existing judgments entered between 2013 and the effective date of the agreements in a magisterial district court that the consumer did not reside in at the time the vehicle was purchased or the action commenced, or that was not where the vehicle was purchased; (ii) issue a credit to the deficiency balance on any amount that was paid as a result of a judgment; (iii) refund any remaining amounts once the deficiency balance has been reduced to $0; and (iv) pay $15,000 in monetary relief.
On August 14, the California attorney general announced that the Office of Administrative Law (OAL) approved the final regulations under the California Consumer Privacy Act (CCPA). As previously covered by InfoBytes, the CCPA—enacted in June 2018 (covered by a Buckley Special Alert) and amended several times—became effective January 1. While the regulation package was under review by the OAL, the California attorney general made certain “nonsubstantial changes” and “changes without regulatory effect” to the CCPA regulations, which are outlined here (Buckley created redline available here). Under the OAL’s regulations, changes are considered “nonsubstantial” if they clarify without materially altering the requirements, rights, responsibilities, conditions, or prescriptions contained in the original text. Changes are considered to be “without regulatory effect” if they involve renumbering or relocating a provision, revising structure, syntax, grammar or punctuation, and, subject to certain conditions, making a provision consistent with statute.
Among others, the following nonsubstantial changes were made to the final regulations:
- The shorthand phrase “Do Not Sell My Info” was removed from several sections in order for the language to track the statute (i.e. “Do Not Sell My Personal Information”).
- The severability provision, formerly in Section 999.341, was deleted as unnecessary. This provision previously stated: “If any article, section, subsection, sentence, clause or phrase of these regulations contained in this Chapter is for any reason held to be unconstitutional, contrary to statute, exceeding the authority of the Attorney General, or otherwise inoperative, such decision shall not affect the validity of the remaining portion of these regulations.”
Additionally, the following requirements were deleted from the regulations at this time, although the California attorney general has indicated that these provisions may be resubmitted “after further review and possible revisions”:
- The requirement, formerly in Section 999.305(a)(4), that the business notify and obtain explicit consent from a consumer to use the consumer’s personal information for a purpose materially different than those disclosed in the notice at collection.
- The requirement, formerly in Section 999.306(b)(2), that a business that substantially interacts with consumers offline must provide a notice to the consumer offline to facilitate their awareness of the right to opt-out.
- The requirement in Section 999.315(c) that the business’s methods for submitting the request to opt-out must “be easy for consumers to execute” and “require minimal steps to allow the consumer to opt-out.”
- The provision, formerly in Section 999.326(c), permitting a business to deny a request from an authorized agent if the agent fails to submit proof of authorization from the consumer.
The final regulations became effective on August 14, 2020.