InfoBytes Blog

Financial Services Law Insights and Observations

  • FCC acts to stop international robocalls

    Agency Rule-Making & Guidance

    On May 19, the FCC unanimously adopted proposed rules to ensure gateway providers that channel international call traffic comply with STIR/SHAKEN caller ID authentication protocols and validate the identity of the providers whose traffic they are routing to help weed out robocalls. As part of the agency’s robocall mitigation efforts, the proposed rules would require gateway providers to (i) “develop and submit traffic mitigation plans to the Robocall Mitigation Database”; (ii) “apply STIR/SHAKEN caller ID authentication to all unauthenticated foreign-originated Session Initiation Protocol (SIP) calls with U.S. North American Numbering Plan (NANP) numbers”; and (iii) “respond to traceback requests in 24 hours, block calls where it is clear they are conduits for illegal traffic, and implement ‘know your upstream provider’ obligations.”

    “Gateway providers serve as a critical choke-point for reducing the number of illegal robocalls received by American consumers,” the FCC stated in its announcement. “The new rules require gateway providers to participate in robocall mitigation, including blocking efforts, take responsibility for illegal robocall campaigns on their networks, cooperate with FCC enforcement efforts, and quickly respond to efforts to trace illegal robocalls to their source.” Non-compliance may cause a gateway provider to lose its ability to operate. The FCC also announced it is requesting further comments on a proposal to expand robocall mitigation requirements to intermediate providers in the U.S. and not just gateway providers. The agency will also decide whether anti-robocall and spoofing rules should also apply to these intermediate providers, as they are currently not required to certify with the Robocall Mitigation Database.

    Requiring domestic entry points to use STIR/SHAKEN, register in the Robocall Mitigation Database, and comply with traceback requests from the FCC and law enforcement will help the agency “figure out where these junk calls are originating from overseas,” FCC Chairwoman Jessica Rosenworcel said in a statement. “These measures will help us tackle the growing number of international robocalls. Because we can’t have these scam artists multiplying abroad and hiding from our regulatory reach. We also can’t have them hiding from our state counterparts.” To aid efforts, the FCC announced that to date 36 states have signed memoranda of understanding with the agency to share resources and information to reduce robocalls.

    Agency Rule-Making & Guidance FCC Robocalls STIR/SHAKEN State Issues State Attorney General

  • Arizona obtains $1.6 million in restitution from debt collection operation

    State Issues

    On May 10, the Arizona attorney general announced it filed a stipulated consent judgment in the Superior Court of Arizona against a defendant, the owner and manager of a debt collection operation. The AG’s original action was part of the FTC’s “Operation Corrupt Collection”—a nationwide enforcement and outreach effort established by the FTC, CFPB, and more than 50 federal and state law enforcement partners to target illegal debt collection practices (covered by InfoBytes here).

    According to the AG’s press release announcing the consent judgment, the defendant’s debt collection operation allegedly called consumers and made false claims and threats to convince people to pay debts the operation had no authority to collect. The complaint contended that employees frequently used spoofing software to reinforce claims that they were law enforcement officers, government officials, process servers, and law firm personnel to intimidate consumers into paying the alleged debts, and told consumers to immediately respond or be held in contempt of court. Employees also allegedly threatened to file lawsuits, garnish wages and tax returns, place liens on homes and car titles, freeze bank accounts, send law enforcement to consumers’ homes and/or places of employment, and arrest consumers.

    Under the terms of the consent judgment, the defendant is required to pay more than $1.6 million in consumer restitution and up to $900,000 in civil penalties, and is permanently enjoined, restrained and prohibited from participating in the debt collection industry. Court approval of the stipulated judgment is pending.

    State Issues Courts Arizona State Attorney General Enforcement Debt Collection Consumer Finance FTC

  • States urge Biden to forgive student debt

    State Issues

    On May 2, a coalition of state attorneys general, led by New York Attorney General Letitia James, announced that they are urging President Biden to cancel all outstanding federal student loan debt. In the letter, the AGs argue that full cancellation of student debt is necessary to address the (i) enormity of the debt owed; (ii) effects of the Covid-19 pandemic; (iii) “systemically flawed repayment and forgiveness system”; and (iv) disproportionate impact on the borrowers’ debt burden, among other things. The AGs further noted that using resources to help individuals who have been “tricked” into forbearance plans, suing contractors who “bungle critical processes,” and protecting consumers from “aggressive” and “predatory” for-profit colleges have provided the AGs with a “deep understanding of the systemic challenges” facing federal student loan borrowers. The AGs stated that President Biden has authority to act under the Higher Education Act, and that such action “would benefit millions of borrowers and be one of the most impactful racial and economic justice initiatives in recent memory.”

    State Issues State Attorney General Student Lending Biden Consumer Finance

  • Remittance provider denies CFPB allegations

    Federal Issues

    On May 2, a global payments provider recently sued by the New York attorney general and the CFPB responded to allegations claiming the “repeat offender” violated numerous federal and state consumer financial protection laws in its handling of remittance transfers. As previously covered by InfoBytes, the complaint claimed the defendant, among other things, (i) violated the Remittance Rule requirements by repeatedly failing “to provide fund availability dates that were accurate, when the Rule required such accuracy”; (ii) “repeatedly ignored the Rule’s error-resolution requirements when addressing notices of error from consumers in New York, including in this district, and elsewhere;” and (iii) failed to establish policies and procedures designed to ensure compliance with money-transferring laws, in violation of Regulation E. The complaint further asserted that the defendant violated the CFPA “by failing to make remittance transfers timely available to designated recipients or to make refunds timely available to senders,” and that the defendant failed to adopt and implement a comprehensive fraud prevention program mandated by a 2009 FTC order for permanent injunction (covered by InfoBytes here).

    The defendant refuted the charges, calling the allegations “false, inflammatory and misleading.” According to the defendant, “before the CFPB filed its lawsuit against the Company on April 21, 2022, [it] had never before been subject to any enforcement action by the CFPB, nor had [it] ever been publicly accused of violating any of the laws or regulations under the CFPB’s purview.” The defendant also took issue with the Bureau’s suggestion that it had “uncovered widespread and systemic issues involving ‘substantial’ consumer harm,” contending that “data from the CFPB’s own consumer complaint portal strongly suggest otherwise. For example, a search of the CFPB’s Consumer Complaint Database shows that in the nine years that the Remittance Rule has been in place, only 351 complaints were made to the CFPB against [the defendant] for failing to deliver money when promised. These complaints represent 0.0001% of the over 325 million transactions subject to the Remittance Rule that [the defendant] processed during that time period. In New York, the total number of complaints in the CFPB Database for that time period was 28, approximately three per year. There have simply never been widespread or systemic violations by [the defendant] of the Remittance Rule.” 

    Federal Issues State Issues CFPB Enforcement New York State Attorney General Consumer Finance CFPA Remittance Rule Repeat Offender Regulation E FTC

  • Connecticut legislature passes consumer data privacy bill

    Privacy, Cyber Risk & Data Security

    Recently, the Connecticut legislature passed SB 6, which would enact provisions related to consumer data privacy and online monitoring. Highlights of the bill include:

    • Applicability. The bill will apply to a controller that conducts business in the state or produces products or services for consumer residents that, during the preceding calendar year, “controlled or processed the personal data of not less than seventy-five thousand consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction” or “controlled or processed the personal data of not less than twenty-five thousand consumers and derived more than twenty-five per cent of their gross revenue from the sale of personal data.” Certain entities and types of data are exempt from the bill’s requirements, including state governmental entities; nonprofits; higher education institutes; national security associations registered under the Securities Exchange Act of 1934; financial institutions or data subject to federal privacy disclosure requirements; hospitals; certain types of health information subject to federal health privacy laws; consumer reporting agencies, furnishers, and consumer report users of information involving personal data bearing on a consumer’s credit; personal data regulated by certain federal regulations; and air carriers. Additionally, a controller and processor will be considered to be in compliance with the bill’s parental consent obligations provided it complies with verifiable parental consent mechanisms under the Children’s Online Privacy Protection Act.
    • Consumer rights. Under the bill, consumers will be able to, among other things, (i) confirm whether their personal data is being processed and access their data; (ii) correct inaccuracies; (iii) delete their data; (iv) obtain a copy of personal data processed by a controller; and (v) opt out of the processing of their data for targeted advertising, the sale of their data, or profiling to assist solely automated decisions. A consumer may designate another person to serve as his or her authorized agent to opt out of the processing of such consumer’s personal data.
    • Controllers’ and processors’ responsibilities. Under the bill, controllers will be responsible for responding to consumers’ requests within 45 days (an additional 45-day extension may be requested under certain circumstances). Responses to consumers’ requests must be provided free of charge, unless the request is “manifestly unfounded, excessive or repetitive,” in which case a controller may charge a reasonable administrative fee or decline to act on the request (a controller bears the burden of explaining the denial and must also establish an appeals process, including a method through which a consumer may submit a complaint to the state attorney general). Among other things, controllers must “[l]imit the collection of personal data to what is adequate, relevant and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer” and are required to implement data security protection practices “appropriate to the volume and nature of the personal data at issue” and conduct data protection assessments for processing activities that present a heightened risk of harm to consumers. Controllers may not process personal data in violation of federal and state laws that prohibit unlawful discrimination against consumers and must provide an effective mechanism for consumers to revoke consent that is at least as easy as the method used to provide consent. Controllers must cease processing data within 15 days of receiving a revocation request. The bill also requires controllers to provide privacy notices to consumers disclosing certain information regarding data collection and sharing practices (including sharing with third parties), and if the controller sells a consumer’s personal data to third parties or engages in targeted advertising, the controller must disclose how consumers may exercise their rights under the bill. 
      Controllers also will be prohibited from processing sensitive personal data without first presenting a consumer with the opportunity to opt out. The bill further specifies requirements for processing de-identified data or pseudonymous data. Data processors must adhere to a controller’s instructions and enter into contracts with clearly specified instructions for processing personal data.
    • Private right of action and state attorney general enforcement. The bill explicitly prohibits a private right of action. Instead, it grants the state attorney general exclusive authority to enforce the law. The attorney general may also require a controller to disclose any data protection assessments relevant to an investigation. A violation of the bill’s provisions will constitute an unfair trade practice.
    • Right to cure. Upon discovering a potential violation of the bill, the attorney general (during the period beginning July 1, 2023 through December 31, 2024) must provide a controller or processor written notice of violation. The controller or processor then has 60 days to cure the alleged violation before the attorney general can file suit. Beginning on January 1, 2025, the attorney general, when determining whether to provide a controller or processor the opportunity to cure an alleged violation, may consider the number of violations, the controller/processor’s size and complexity, the nature and extent of the processing activities, the substantial likelihood of public injury, and the safety of persons or property.

    If enacted in its current form, the bill would take effect July 1, 2023.

    Privacy/Cyber Risk & Data Security State Issues State Legislation Connecticut Consumer Protection COPPA State Attorney General Enforcement

  • New York AG settles with student loan servicer for alleged PSLF and IDR failures

    State Issues

    On April 27, the New York attorney general announced a settlement with a national student loan servicer, resolving allegations that it failed to properly manage student loans and administer the Public Service Loan Forgiveness (PSLF) program by inaccurately counting loan payments, improperly denying applications, and not processing applications in a timely manner. As previously covered by InfoBytes, the New York AG filed a complaint against the defendant in 2019 alleging violations of the CFPA and New York law, whereby the defendant, among other things, (i) failed to accurately count borrower’s PSLF-qualifying payments; (ii) failed to provide timely explanations to borrowers for PSLF payment count determinations; (iii) failed to process income driven repayment (IDR) plan paperwork accurately and timely; and (iv) lacked clear policies and procedures for addressing errors, resulting in inconsistent treatment of borrowers.

    Under the terms of the settlement, the defendant is required to automatically review nearly 10,000 accounts of New York borrowers for various potential errors, including incorrect information provided about PSLF or IDR eligibility and inaccurate monthly payment charges, among other things. In addition, more than 300,000 current New York residents may be eligible to have their accounts reviewed at no cost to them. The defendant is required to send out notices to borrowers within 30 days. Borrower relief may include crediting of undercounted payments, refunds of overpayments, interest, monetary payments, and modifications to past payments to designate them as PSLF-qualifying. The defendant will implement enhanced quality assurance review procedures designed to identify errors.

    State Issues State Attorney General New York CFPA Student Lending Student Loan Servicer

  • CFPB, New York sue remittance provider

    Federal Issues

    On April 21, the CFPB and New York attorney general filed a complaint against a remittance provider (defendant) for allegedly violating the Electronic Funds Transfer Act and its implementing Regulation E and the Remittance Rule (the Rule) and the Consumer Financial Protection Act (CFPA), among various consumer financial protection laws. The Bureau’s announcement called the defendant a “repeat offender” citing that in 2018, the FTC filed a motion for compensatory relief and modified order for permanent injunction against the defendant, which alleged that it failed to adopt and implement a comprehensive fraud prevention program mandated by the 2009 order (covered by InfoBytes here). The CFPB complaint alleges that from October 2018 through 2022, the defendant: (i) violated the Remittance Rule requirements by repeatedly failing “to provide fund availability dates that were accurate, when the Rule required such accuracy”; (ii) “repeatedly ignored the Rule’s error-resolution requirements when addressing notices of error from consumers in New York, including in this district, and elsewhere;” and (iii) failed to establish policies and procedures designed to ensure compliance with money-transferring laws, in violation of Regulation E. The complaint further noted that the defendant’s “own assessments of consumers’ complaints showed that the dates Defendants disclosed to consumers, repeatedly, were wrong,” and that the defendant “found multiple delays in making funds available to designated recipients, including delays that constituted errors under the Rule,” among other things. Finally, the Bureau claims that the defendant violated the CFPA “by failing to make remittance transfers timely available to designated recipients or to make refunds timely available to senders.” The Bureau’s complaint seeks consumer restitution, disgorgement, injunctive relief, and civil money penalties. 
    According to a statement released by CFPB Director Rohit Chopra, “the remittance market is ripe for reinvention, and the CFPB will be examining ways to increase competition and innovation for the benefit of both families and honest businesses, while also avoiding creating a new set of harms.”

    Federal Issues State Issues CFPB New York State Attorney General Consumer Finance CFPA Enforcement Remittance Rule FTC Repeat Offender Regulation E EFTA

  • Colorado seeks comments on privacy rulemaking; draft regulations to come this fall

    Privacy, Cyber Risk & Data Security

    Recently, the Colorado attorney general released pre-rulemaking considerations for the Colorado Privacy Act (CPA). The considerations seek informal public input on any area of the CPA, including those “that need clarification, consumer concerns, anticipated compliance challenges, impacts of the CPA on business or other operations, cost concerns, and any underlying or related research or analyses.” As covered by a Buckley Special Alert, the CPA was enacted last July to establish a framework for personal data privacy rights and provides consumers with numerous rights, including the right to access their personal data, opt-out of certain uses of personal data, make corrections to personal data, request deletion of personal data, and obtain a copy of personal data in a portable format. The CPA is effective July 1, 2023 with certain opt-out provisions taking effect July 1, 2024. Under the CPA, the AG has enforcement authority for the law, which does not have a private right of action. The AG also has authority to promulgate rules to carry out the requirements of the CPA and issue interpretive guidance and opinion letters. Finally, the AG has authority to develop technical specifications for at least one universal opt-out mechanism.

    The AG’s office stated that it plans to adopt a principle-based model for the state’s rulemaking approach rather than a prescriptive one, and outlined five principles intended to help implement the CPA:

    • rules should protect consumers and help consumers understand and exercise their rights;
    • rules should clarify ambiguities as necessary to promote compliance and minimize unnecessary disputes;
    • rules should facilitate efficient and expeditious compliance by ensuring processes are simple and straightforward for consumers, controllers and processors, and enforcement agencies;
    • rules should facilitate interoperability and allow the CPA to function alongside protections and obligations created by other state, national, and international frameworks; and
    • rules should not be unduly burdensome so as to prevent the development of adaptive solutions to address challenges presented by advances in technology.

    The pre-rulemaking considerations laid out several questions for input related to topics addressing universal opt-out mechanisms, consent for processing consumer data in specific circumstances, dark patterns, data protection assessments that screen for heightened risk of harm, the effects of profiling on consumers, opinion letters and interpretive guidance, offline and off-web data collection, and differences and similarities between the CPA and laws in other jurisdictions. A formal notice of rulemaking and accompanying draft regulations will be issued this fall. Comments may be submitted through the AG’s portal here.

    Privacy/Cyber Risk & Data Security State Issues State Attorney General Colorado Colorado Privacy Act Consumer Protection

  • Massachusetts settles with financial company

    State Issues

    On April 13, the Massachusetts attorney general announced a settlement with a California-based finance company (defendant) resolving allegations that it violated Massachusetts law by purchasing and collecting on dog leases – which are illegal in Massachusetts. The settlement also alleges that the company engaged in illegal debt collection practices such as calling debtors too frequently while attempting to collect on the leases. Under the terms of the settlement, the defendant must pay over $930,000, which includes $175,000 in restitution to approximately 200 consumers, and a $50,000 fine. The defendant is prohibited from collecting on any active leases involving dogs in Massachusetts and must transfer full ownership of the dogs to the consumers. The defendant must also cancel any outstanding amount owed on the leases, totaling approximately $700,000.

    The Massachusetts AG has been investigating financial companies who originate or purchase dog leases – calling the practice “exploitive” because it uses “dogs as emotional leverage” over debtors – and encouraged consumers who are victims of dog leases to call the AG’s office or to file a complaint online.

    State Issues State Attorney General Massachusetts Enforcement Settlement Consumer Finance Debt Collection

  • States urge CFPB to prohibit mortgage servicers from charging convenience fees

    State Issues

    On April 11, a coalition of state attorneys general, led by Illinois Attorney General Kwame Raoul, announced that they are urging the CFPB to prohibit mortgage servicers from charging convenience fees, which the AGs also referred to as “junk fees” or “pay-to-pay” fees. As previously covered by InfoBytes, the CFPB announced an initiative to reduce “exploitative” fees charged by banks and financial companies and requested comments from the public on fees that are associated with consumers’ bank accounts, prepaid or credit card accounts, mortgages, loans, payment transfers, and other financial products that are allegedly not subject to competitive processes that ensure fair pricing. In the letter, the AGs expressed their support for the Bureau’s request for information on the various fees imposed on consumers generally, but called attention to a specific type of fees imposed by mortgage servicers – the “pay-to-pay fees” – which, notwithstanding that consumers can pay using numerous free mechanisms, the AGs find to be “unfair and abusive” to consumers. The AGs called the fees “particularly insidious in the mortgage industry” because, unlike other markets in which such fees are imposed, “homeowners have no choice in their mortgage servicer.” Because of the nature of the secondary mortgage market, homeowners’ expectations of entering into a long-term relationship with their originating institution are misplaced and they cannot know in advance or determine which company will service their loans – even if they choose to refinance. The AGs also warned that the choice to make payments by an alternative method with no fee (such as online or by check instead of over the phone) may be illusory in the face of pending payment posting deadlines and threatened late fees. 
    In such scenarios, the AGs asserted that the convenience fee operates as an alternative late fee “cheaper, but with a shorter grace period, and in contravention to the contractual terms in most mortgages that outline the specific amount and timing” of late fees. The AGs also took umbrage at mortgage servicers charging fees for the very service they are expected to perform, stating that “[t]he most basic function of a mortgage servicer is to accept payments. The concept that a servicer ought to be able to impose an additional charge for performing its core function is fundamentally flawed.”

    Ultimately, the AGs suggested that the Bureau prohibit mortgage servicers from imposing convenience fees on consumers, but, alternatively, the AGs encouraged the Bureau to prohibit servicers from charging convenience fees that exceed the actual cost of processing a borrower’s payment. Furthermore, the AGs requested that the Bureau require servicers to fully document their costs supporting the imposition of convenience fees.

    The same day, a group of AGs from 16 Republican-led states released a letter, arguing that more federal oversight would be “duplicative or unwarranted,” given that states already regulate many fees for consumer financial products and services. According to the letter, the AGs noted that “state legislatures and regulators have carefully weighed consumer protection interests and the open and transparent operation of markets in a manner intended to deliver the maximum benefit to the interests of their states,” and argued that they “are much better positioned to understand and assess the diverse interests of their states.” In addition, the letter argued that the Bureau has “limited authority to regulate” fees in consumer financial services markets. The AGs mentioned that the Bureau “may seek to use its authority to prohibit unfair, deceptive or abusive acts or practices to regulate fees,” but considered it “unclear” “that fees disclosed in accordance with state or federal law, in some cases authorized by state law, and agreed to by a consumer in writing constitute ‘unfair, deceptive or abusive’ fees, notwithstanding the CFPB’s characterization of some fees as ‘not meaningfully avoidable or negotiable at the time they are assessed.’” The letter further characterized the Bureau’s approach as “uncooperative,” “top-down,” and “an unfounded expansion of its authority” that may infringe upon state law.

    State Issues State Attorney General CFPB Mortgages Mortgage Servicing Fees Consumer Finance
