InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
States reach $1.85 billion settlement with student loan servicer
On January 13, a coalition of attorneys general from 38 states and the District of Columbia reached a $1.85 billion settlement with one of the nation’s largest student loan servicers, resolving allegations that it engaged in misconduct when servicing student loans. The settlement, subject to court approval, brings to an end multistate litigation and investigations into the allegations that the servicer steered borrowers into costly forbearances and expensive repayment plans rather than helping borrowers find affordable income-driven repayment (IDR) plans. The servicer denies violating any consumer financial laws or causing borrower harm, as stated in a separate press release, but has agreed to maintain servicing practices to support borrower success.
Under the terms of the settlement, the servicer has agreed to cancel more than $1.7 billion in private student loan balances owed by roughly 66,000 borrowers. An additional $95 million in restitution payments of about $260 each will also be sent to approximately 357,000 federal student loan borrowers, and the servicer will also pay approximately $142.5 million to the signatory AGs. The settlement also requires the servicer to make several reforms, including explaining the benefits of IDR plans and offering estimated income-driven payment options to borrowers prior to placing them into deferment or discretionary forbearance. The servicer is also required to notify borrowers about the Department of Education’s Public Service Loan Forgiveness limited waiver opportunity (covered by InfoBytes here), implement changes to its payment-processing procedures to limit certain fees for late payments or entering forbearance status, and improve communications informing borrowers of their rights and obligations.
New York AG alerts companies on “credential stuffing” cyberattacks
On January 5, the New York attorney general issued a report, which highlights the results of an investigation into “credential stuffing.” The investigation discovered over 1.1 million online accounts compromised in cyberattacks at 17 well-known companies. The report, Business Guide for Credential Stuffing Attacks, details attacks, which involve repeated, automated attempts to access online accounts using usernames and passwords stolen from other online services, and provides recommendations on how business can protect themselves. Through credential stuffing, which is one of the most common forms of cyberattacks, offenders utilize automated software to reuse stolen usernames and passwords, relying on the human tendency to reuse the same credentials to access various online accounts and platforms. The AG’s office launched the investigation “in light of the growing threat of credential stuffing,” and monitored several online communities dedicated to credential stuffing. According to the report, the office discovered thousands of posts that had customer login credentials that were tested by hackers in a credential stuffing attack and found that the information could be used to access other accounts. From these posts, the office compiled credentials to compromised accounts at seventeen companies, which consisted of online retailers, restaurant chains, and food delivery services, and collected credentials for over 1.1 million customer accounts, all of which seemed to have been compromised. After alerting the companies regarding the compromised accounts and urging them to investigate and take protective action, every company did so. The report recommended that businesses maintaining online accounts have a data security program, including effective safeguards for protecting customers from credential stuffing attacks in four areas: (i) defending against credential stuffing attacks; (ii) detecting a credential stuffing breach; (iii) preventing fraud and misuse of customer information; and (iv) responding to a credential stuffing incident. Specifically, three safeguards considered to be “highly effective” at defending against credential stuffing attacks were bot detection services, multi-factor authentication, and password-less authentication. The report also recommended that companies require reauthentication at the time of a purchase. Additionally, “[b]usinesses should have a written incident response plan that includes processes for responding to credential stuffing attacks” and notification to affected parties.
New York AG settlement cancels debt
On December 29, the New York attorney general announced a settlement with a New York-based off-campus private student housing provider (respondent) for allegedly deceiving hundreds of students, primarily at a New York state college, since 2019. According to the assurance of discontinuance, the respondent, among other things: (i) routinely collected interested students’ information; (ii) persuaded students to sign leases without first determining certain qualifications; (iii) denied students access to housing; (vi) alleged students owed thousands in rent; and (v) referred students to debt collectors. The respondent also allegedly charged students excess rent and fees and disclosed to some students that they could get out of their lease if they found another student to take it over, but then unlawfully charged a $300 “delegation” fee. The respondent allegedly at times permitted some students to prepay rent if it believed they did not meet certain qualification criteria, in violation of state rent laws, and charged certain students excessive late fees for each month of rent that was not timely paid. The terms of the settlement cancels more than $200,000 in improper debts, recovers $65,958 in restitution, and imposes a $50,000 civil penalty on the respondent. The settlement also prohibits the respondent from committing fraudulent and predatory practices in the future.
New Jersey settles CFA and HIPAA violations following 2019 data breach
On December 15, the acting New Jersey attorney general and the Division of Consumer Affairs reached a settlement with three New Jersey-based medical providers for allegedly violating the New Jersey Consumer Fraud Act and the federal Health Insurance Portability and Accountability Act (HIPAA) by failing to adequately safeguard patient data. The settlement resolved allegations that patients’ personal and protected health information, including health records, driver’s license numbers, Social Security numbers, financial account numbers, and payment card numbers, were exposed when several employee email accounts were compromised in a 2019 data breach. The AG additionally contended that while notifying clients of the initial data breach, the defendants “improperly disclosed patient data when a third-party vendor improperly mailed notification letters intended for 13,047 living patients by addressing the letters to those patients’ prospective next-of-kin.” Federal and state law require medical providers to implement appropriate safeguards to protect consumers’ sensitive health and personal information and identify potential threats—measures, the AG alleged, the defendants failed to take. Without admitting to any violation of law, the defendants agreed to the terms of the consent order and will pay $353,820 in penalties and $71,180 in attorneys’ fees and investigative costs. The defendants will also adopt additional comprehensive privacy and security measures to safeguard consumers’ protected information and will obtain a third-party assessment of their policies and practices related “to the collection, storage, maintenance, transmission, and disposal of patient data.”
New Mexico settles with technology company over COPPA violations
On December 13, the New Mexico attorney general announced a settlement in two federal court cases filed against a multinational technology company both of which resolve allegations against the company under the federal Children’s Online Privacy Protection Act (COPPA) and other state consumer protection laws. According to one complaint, the company allegedly violated COPPA and the New Mexico Unfair Practice Act by collecting the personal information of minors and the mining of student emails in connection with the use of the company’s educational tools. In a separate complaint, among other things, the company’s mobile ad platform permitted a third-party game developer to collect the personal data of minors without “verifiable parental consent.” According to the AG, under the terms of the settlement, the company must, among other things: (i) fund a new initiative to promote education, privacy, and safety for children across New Mexico and work with the AG to identify recipients of these funds; (ii) “provide[] school administrators with tools to protect minor students from improper collection of their personal data, including age-based access settings to ensure that minor children’s data is protected from unauthorized collection and disclosure”; (iii) monitor app developers that mislabel their child-directed apps; and (iv) require apps to implement age screening measures which ensure that these apps do not collect information from children.
States say FHA must require servicers to comply with Covid-19 loss mitigation options
On December 21, a coalition of attorneys general from 20 states and the District of Columbia sent a letter to the FHA urging the agency to address mortgage servicers’ alleged failure to adequately implement Covid-19 recovery loss mitigation options for eligible borrowers. As previously covered by InfoBytes, FHA issued Mortgagee Letter 2021-18 in July, which required mortgage servicers to offer a zero-interest subordinate lien option to eligible homeowners who can resume their existing mortgage payments under the “COVID-19 Recovery Standalone Partial Claim” option. For borrowers that are unable to resume their monthly mortgage payments, FHA established the “COVID-19 Recovery Modification” option, which extended the term of a mortgage to 360 months at market rate and targeted a 25 percent principal and interest reduction for all eligible borrowers. At the time, FHA informed servicers that they could start offering the options as soon as operationally feasible but were required to use the new options within 90 days.
The AGs alleged in their letter that several servicers of FHA-insured loans are reportedly failing to adequately implement these Covid-19 relief programs, and are instead “routinely sending borrowers letters that fail to include the Covid-19 Recovery Modification as an available option, are requiring paperwork and imposing qualifications that are not necessary under the FHA’s guidelines, and are instructing borrowers during customer-service phone calls that this option does not exist.” The AGs expressed deep concerns over these reports and requested that FHA take immediate action to ensure that FHA’s loss mitigation options, including the Covid-19 Recovery Modification, are fully implemented, and that borrowers receive accurate, up-to-date information. The AGs asked that FHA-approved lenders and servicers be required to demonstrate that they are taking affirmative actions to implement these Covid-19 relief options and requested training for all customer service staff to ensure borrowers receive the necessary information.
New York AG warns mortgage servicers of obligation to help homeowners affected by Covid-19
On December 13, New York Attorney General Letitia James sent a letter warning mortgage servicers operating in the state of their obligation to help homeowners impacted by the Covid-19 pandemic. The letter, which was also sent to mortgage industry trade associations, reiterated that mortgage servicers are expected to comply with New York law and federal regulations and guidelines when providing long-term relief to affected homeowners. James also announced “that the Office of the Attorney General’s (OAG) Mortgage Enforcement Unit (MEU) will be helping to oversee the distribution of New York state’s Homeowner Assistance Fund (HAF) announced last week by New York Governor Kathy Hochul.” According to the letter, HAF funds “may be used to pay off arrears or reduce mortgage principal so that homeowners can qualify for an affordable loan modification.” However, James stressed that these funds “must supplement rather than replace the mortgage industry’s own efforts,” adding that mortgage servicers must “play their part by offering homeowners all available loss mitigation options before that homeowner seeks an outside HAF grant, in order to help the program save as many homes as possible.” MEU will contact the mortgage industry, including New York legal services and housing counseling agencies, to provide additional information on the HAF application process. MEU will also be responsible for reviewing HAF applications to determine whether homeowners have been presented all available and affordable loan modification options.
James’ announcement stated that mortgages servicers are also expected to comply with streamlined modification programs offered by various federal agencies, Fannie Mae, and Freddie Mac, and must also “provide comparable relief (pursuant to New York state Banking Law § 9-x and New York’s mortgage servicing regulations) to homeowners whose mortgages are owned by private investors through private label securities or by banks in their own portfolios.” Mortgage servicers should also prepare for surges in requests for assistance, and will be held responsible for staffing shortages and poor customer communications, James warned. She noted in her letter that the OAG is “currently investigating whether certain servicers of privately-owned mortgages have failed to offer homeowners the forbearance relief and post-forbearance modifications required by New York Banking Law § 9-x,” and emphasized that the OAG “will continue to monitor compliance and initiate enforcement actions against individual mortgage servicers as needed to protect New York homeowners.”
California sentences student loan debt relief scammers
On December 6, the California attorney general announced the sentencing of four individuals involved in a student loan assistance scam and related computer crimes. According to the AG, the individuals’ now-defunct company presented “itself as a legitimate source of help and feigned association with the U.S. Department of Education (ED) in order to gain the trust of distressed student loan borrowers and access their personal information.” Company employees “were directed to access and disrupt student loan borrower account data, as well as create new student borrower accounts while posing as the borrowers,” which violated the state’s computer crime laws the AG stated. Borrowers were convinced to pay fees of up to $1,300 in monthly payments in order to participate in the company’s loan payment reduction programs, which offered loan deferment and income-driven repayment. However, many of the borrowers were unaware that these payment reduction programs were already offered free of charge by the Department of Education. Moreover, borrowers did not know that their monthly payments were not a subscription service or applied towards their federal student loans, but were rather payments on a high interest loan. The AG contended that borrowers were purportedly required to continue making these payments even if they attempted to cancel the company’s services, and that “to facilitate the scam, the defendants used the Federal Student Aid website to illegally access student borrower records housed in computer systems belonging to ED.” In additional to their sentences of up to 180 days in prison, community service and probation, the individuals were ordered to pay restitution to harmed borrowers.
Chopra wants states to enforce federal consumer protection laws
On December 7, in a speech before the National Association of Attorneys General (NAAG) meeting, CFPB Director Rohit Chopra discussed the importance state partnerships play in enforcing consumer financial protection laws. In addressing the dangers of federal preemption over state consumer protection measures, Chopra highlighted data covering the 2007-2009 mortgage crisis, in which a 2010 study from the University of North Carolina claimed that “the OCC’s 2004 preemption in markets directly contributed to the sub-prime mortgage crises” and “resulted in deterioration in the quality of, and increase in the default risk for, mortgages originated by OCC lenders in states with strong anti-predatory lending laws.” Chopra warned that while Congress has limited the OCC’s ability to impact state consumer protection enforcement, actions that attempt to preempt stronger state consumer protection laws are “fundamentally wrong.”
To combat this, Chopra said he is considering changes that would expand state attorney general authority to enforce many federal consumer protection laws, including the Consumer Financial Protection Act (CFPA), which prohibits unfair, deceptive, and abusive practices, particularly in situations where “federal protections are stronger than state statutes.” These changes would allow states to pursue action, provided notice is given to the Bureau before filing a complaint. Chopra said he is also exploring ways to provide states more access to remedies available under the CFPA, such as civil money penalties that states could “use to bolster deterrence” in addition to access of the Bureau’s victim relief fund to provide compensation to affected consumers in state enforcement actions (the fund is currently only available in actions involving the Bureau). In the meantime, Chopra stated the Bureau is reviewing notifications from states so the agency can join actions as appropriate.
Chopra also repeated his warning about reining in repeat offenders and reiterated the need for “exploring all possible remedies,” including those directed at senior management and executive levels, to address recidivism and reshape behavior and incentives. Chopra cautioned that companies cannot be allowed “to weave in and out of state and federal regulatory oversight” and that the Bureau and the states need to “look after one another’s orders.” He stated that the Bureau intends to alert states when it “find[s] their orders are being flouted.”
Nebraska creates Consumer Affairs Response Team
On December 2, the Nebraska attorney general launched the Consumer Affairs Response Team (CART) to help state residents address complaints and identify scams related to a wide range of consumer-related issues, such as fraud, identity theft, scams, and unfair and deceptive business practices. CART will accept complaints after a consumer has first made a “good-faith-effort” to resolve any issues directly with a business. If CART determines that the consumer’s complaint falls within its authority, it will engage in the dispute resolution process by facilitating communications between the consumer and the business. CART was created after the AG’s office discovered a 65 percent increase in identity theft reports as well as a 27 percent increase in fraud and other types of consumer scams.