InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Ohio Enacts Consumer Installment Loan Act
On June 13, Ohio Governor John R. Kasich signed into law S.B. 24, the Ohio Consumer Installment Loan Act (CILA). According to a blog post on the Ohio senate majority caucus’ website, CILA aims to “clarify Ohio's installment lending laws to help eliminate confusion for consumers and lenders as well as simplify the role of industry regulators.” CILA applies to loans that, among other requirements, exceed a term of six months, generally require equal monthly payments, are not secured by real property, are not covered by any other Ohio loan laws, and have a maximum interest rate of 25 percent (or 28 percent for an open-end loan). CILA also provides for regulation and lender licensing by the state’s Division of Financial Institutions in the Department of Commerce. The law goes into effect on July 1.
Judge Issues Ruling Ordering Unused Consumer Redress Funds to be Deposited in the Treasury
On June 20, a federal judge in the U.S. District Court for the Southern District of New York ordered that leftover funds from a $50 million settlement must be transferred to the Treasury, ultimately ruling against a memorandum filed by the Attorneys General of Connecticut, Indiana, Kansas, and Vermont (State AGs) that sought to redirect the remaining $15 million to be used to “train, support and improve the coordination of the state consumer protection attorneys charged with enforcement of the laws prohibiting the type of unfair and deceptive practices alleged by the CFPB in this [a]ction.” (See previous InfoBytes summary here.) Notably, the judge stated, “the State AGs’ proposal does not reflect the [settling] parties' true intent . . . Nowhere in the Final Judgment or the Redress Plan is there any language supporting the State AGs’ view that leftover funds should broadly aid consumers.” The judge opines further that “[c]ondoning an unintended use of the settlement funds—in the absence of any other equitable relief reasonably related to the allegations of the Complaint—would be tantamount to misappropriating funds that otherwise should be in the public fisc.” The judge further noted that had the State AGs’ memorandum been granted, it would “permit State actors . . . to hijack a significant portion of the settlement funds under the guise of ‘consumer protection,’ all for the purpose of underwriting a project that principally benefits the States.”
Bipartisan Coalition of State Attorneys General File Petition to the FCC Seeking Broadband Consumer Protections
On June 19, New York Attorney General Eric T. Schneiderman announced a petition filed on behalf of a bipartisan coalition of 35 state attorneys general to jointly oppose a cable and telecommunications industry petition, which is intended to stop state and local authorities from enforcing state consumer protection laws and leave the regulating of broadband disclosure requirements to the authority of the FCC. In seeking a declaratory ruling from the FCC, the industry groups request confirmation and clarification on federal regulatory requirements governing broadband speed disclosures, and further assert that “national, uniform rules [are] particularly important” once the FCC launches procedures to implement a “national ‘light-touch framework.’” In response to the petition, the FCC filed a public notice for comment on May 17. The state attorneys general, in responding to the request, claim the petition “asks the FCC to convert a limited safe harbor from FCC’s own enforcement, into blanket federal and state immunity for fixed and wireless broadband companies from liability for false statements contained in advertisements and marketing.” Furthermore, they assert that the industry groups are seeking a ruling that exceeds the FCC’s authority, is “procedurally improper,” and would “upend the longstanding dual federal-state regulation of deceptive practices in the telecommunications industry—which would leave consumers across the country without the basic state protections from unfair and deceptive business practices.”
15 State Attorneys General Clarify Data Breach Notification Laws
On June 5, 15 state attorneys general issued a joint letter to an e-commerce hosting company refuting the company’s assertion in its FAQ provided to online retailers that they are not obligated to notify customers of a data breach in situations where credit card CVV numbers were not disclosed. According to claims made by the attorneys general, the company erroneously stated that, pursuant to the identified states’ data breach notification laws, “there is no obligation to notify in those states . . . if your customers’ CVV data was not exposed.” The attorneys general argued that this is incorrect and stated, “[t]he CVV number does not have to be disclosed to trigger our states’ notification obligations.” The letter noted as an example, New York General Business Law § 899-aa(1)(b)(3), which stipulates that companies must provide notification of a data breach to affected customers when a credit or debit card number plus “any required security code, access code, or password” that would permit access to the account is obtained by an unauthorized party. The attorneys general stated that a CVV code is not a required access code because the card can be used without it. The company is required to provide clarification regarding its FAQ to affected client retailers.
Vermont Governor Enacts Law Including Blockchain Application
On June 8, Vermont Governor Phil Scott signed into law legislation (S. 135), which would, among other things, allow for broader business and legal application of blockchain technology to promote economic development. Additionally, S. 135 requires the Center for Legal Innovation at Vermont Law School, the Commissioner of Financial Regulation, the Secretary of Commerce and Community Development, and the Vermont Attorney General to prepare a joint report for the General Assembly on “findings and recommendations,” as well as policy proposals and “measurable goals and outcomes” concerning “potential opportunities and risks presented by developments in financial technology.” The new law follows the passage of House Bill 868 last June, which defined blockchain as “a mathematically secured, chronological, and decentralized consensus ledger or database,” and formally recognized blockchain-notarized documents as having legal bearing in a court of law.
As previously reported in InfoBytes, Arizona recently enacted a similar law (AZ H.B. 2417) recognizing blockchain signatures and smart contracts under state law.
FTC Obtains Multiple Judgments Against California and Florida-Based Robocall Operations
The FTC recently entered judgments against robocalling operations based in California and Florida who engaged in activities that violated, among other things, the Telemarketing Sales Rule (TSR) and the Telemarketing Consumer Fraud and Abuse Prevention Act.
California Default Judgments. On June 2, the FTC announced a California federal district court judge approved default judgments against an individual and each of the nine corporations for which he was an “actual or de facto owner, officer or manager” (Defendants). According to the FTC’s complaint, over a period spanning approximately seven years, the Defendants allegedly initiated—or helped to initiate—“billions” of illegal robocalls without receiving written permission from consumers. Many of the calls made were to numbers on the Do Not Call (DNC) Registry to “induce the purchase of goods or services” such as auto warranties, home security systems, or search engine optimization services. Violations of the TSR cited include knowingly assisting and facilitating telemarketers engaged in abusive practices. According to the terms of the default judgments, the individual has been assessed a $2.7 million penalty, and the Defendants are permanently banned from all telemarketing activities.
Florida Consent Order. On June 5, the FTC and the Florida Attorney General entered eight stipulated orders against Orlando-based individuals and companies—18 Defendants in total—who violated the TSR, Telemarketing and Consumer Fraud and Abuse Prevention Act, and Florida’s Telemarketing and Consumer Fraud and Abuse Act for, among others things, using robocalls to sell credit card interest rate reduction programs, in addition to calling numbers on the DNC Registry. According to the joint complaint, the Defendants allegedly engaged in the following violations: (i) offered debt relief programs but failed to provide promised services; (ii) misrepresented their affiliations with consumers’ banks or credit card companies; (iii) unfairly authorized charges without obtaining consent; (iv) received fees prior to providing debt relief services; (v) failed to transmit telemarketer information; (vi) used prerecorded messages to “induce the purchase of goods or services”; and (vii) failed to make oral disclosures. The stipulated orders settle charges against all Defendants and require that they stop the “allegedly illegal conduct.” Some of the Defendants have also been issued financial penalties. Furthermore, the FTC entered a $4.8 million judgment against 12 Defendants identified as the primarily parties for the scam. This amount represents the full amount of consumer harm caused. All stipulated orders can be accessed through the FTC press release.
New York AG Settles Charges with Tech Company Over WiFi Lock Vulnerabilities
On May 22, New York Attorney General Eric T. Schneiderman announced that a Utah-based tech company agreed to settle allegations that, among other things, its wireless doors and padlocks failed to protect consumers’ personal information, leaving consumers vulnerable to hacking and theft. This action marks the first time the Attorney General’s office has taken legal action against a wireless security company for failing to protect private data. Results from an August 2016 study, conducted by independent security researchers, reveal that the tech company’s Bluetooth-enabled locks “transmitted passwords between the locks and the user’s smartphone . . . without encryption” and also contained “weak default passwords.” Both issues allowed perpetrators to intercept passwords and undo the locks. Under the terms of the settlement, the company agreed to reform its data security practices and implement a comprehensive security program.
U.S. Retailer Settles States’ Investigation Over 2013 Data Breach, Fined $18.5 Million in Settlement
On May 23, a major U.S. retailer reached an $18.5 million settlement with 47 states and the District of Columbia to resolve the states’ investigation into the retailer’s 2013 data breach, which affected more than 41 million customer payment card accounts and exposed contact information for more than 60 million customers. According to multiple state attorneys general, this represents the largest multistate data breach deal to date. According to the states’ investigation, the November 2013 security breach occurred when cyberattackers accessed the retailer’s customer service database to install malware that was able to capture consumers’ personal information, including full names, telephone numbers, email and mailing addresses, payment card numbers, expiration dates, CVV1 codes, and encrypted debit PINs. Under the terms of the Assurance of Voluntary Compliance, the retailer agreed to do the following, including:
- develop, implement, and maintain a comprehensive Information Security Program (Program) and required safeguards;
- employ an executive or officer with information security experience responsible for executing the Program and advising the CEO and Board of Directors of security-related issues;
- develop and implement risk-based policies and procedures for auditing vendor compliance with the Program;
- maintain and support software on its network for data security purposes;
- maintain appropriate encryption policies, particularly as they pertain to cardholder and personal information data;
- segment its cardholder data environment from the rest of its computer network;
- undertake steps to control access to its network, including implementing password rotation policies and two-factor authentication;
- deploy and maintain a file integrity monitoring solution; and
- hire a third-party to conduct a comprehensive security assessment.
The majority of the terms last five years.
States involved issued press releases announcing their portions of the settlement. California Attorney General Xavier Becerra stated that California will be receiving more than $1.4 million from the settlement, the largest share of any state. Illinois, which co-led the investigation with the state of Connecticut, will receive more than $1.2 million from the settlement, according to Attorney General Lisa Madigan, who stated, “Today’s settlement . . . establishes industry standards for companies that process payment cards and maintain secure information about their customers.” Connecticut Attorney General George Jepsen noted that the retailer “deserves credit for its actions in response to this breach, including its cooperation with our investigation and negotiations that led to this settlement. I'm also hopeful that this settlement will serve to inform other companies as to what is expected of them in terms of the security of their consumers' information.”
Florida Attorney General Rolls Out Military Consumer Protection Program; CFPB Publishes Annual Servicemember Report
On May 17, Attorney General Pam Bondi announced a new consumer protection program designed to spread awareness and help prevent deceptive business practices affecting military and veteran communities. The Military and Veterans Assistance Program (MVAP) will provide resources and information to consumers on emerging scams and other consumer protection related issues, as well as encourage open communication among local, state, and federal partners to help ensure complaints are handled appropriately.
On May 16, the CFPB’s Office of Servicemember Affairs (OSA) published its fifth annual servicemember report, The Office of Servicemember Affairs: Charting our course through the military lifecycle, and a follow-up blog post outlining the work the office has conducted over the past five years and the work it intends to do in the future. The structure of the report—designed to be presented within the construct of the “military lifecycle”—presents the ways that “many common and some uniquely-military consumer issues . . . fit within that continuum.” Under the Dodd-Frank Act, OSA monitors servicemember complaints about consumer financial products or services and coordinates with the efforts of federal and state agencies to improve measures and provide assistance. As of April 1, 2017, the OSA reports that it has handled approximately 74,800 complaints submitted by servicemembers, veterans, and their families since July 2011, of which 42 percent related to debt collection, 18 percent to mortgages, and 11 percent to credit reporting. In total, the OSA claims it has provided approximately $3.3 million in monetary relief to military consumers who submitted complaints to the CFPB.
Company Accused of Bilking 9/11 First Responders Out of Millions of Dollars Says CFPB Action Unlawful
On May 15, a New Jersey-based finance company and its affiliated parties filed a motion to dismiss allegations that it scammed first responders to the World Trade Center attack and NFL retirees with high-cost loans. As previously covered in InfoBytes, the CFPB and the New York Attorney General’s office (NYAG) claimed the defendants engaged in deceptive and abusive acts by misleading consumers into selling expensive advances on benefits to which they were entitled by mischaracterizing extensions of credit as assignments of future payment rights, thereby causing the consumers to repay far more than they received. The defendants’ motion to dismiss was prompted, in part, by the recent PHH v. CFPB decision in which the court held that the CFPB’s single director leadership structure is unconstitutional and, thus, that the agency must operate as an executive agency supervised by the President. Here, the defendants argue, the complaint issued against them is a “prime example of how the unchecked authority granted to the CFPB leads to administrative overreach that has a profound effect on the businesses and individuals the agency targets.”
In response to the claims that they mischaracterized credit, the defendants assert that the complaint is “based on the erroneous theory that—despite clear contractual terms and the weight of legal authority to the contrary—these transactions are not true sales, but instead are ‘extensions of credit’ under the Consumer Financial Protection Act [(CFPA)], and therefore the [defendants] deceived consumers by labeling the agreements as sales.” The CFPA defines an extension of “credit” as “the right granted by a creditor to a debtor to defer payment of debt or to incur debt and defer its payment.” In this instance, the defendants contend, there is no debt, no repayment obligation, and no “right granted to defer payment of a debt” because the consumers are the sellers of the asset.
The defendants argue that (i)“the CFPB’s unprecedented structure violates fundamental constitutional principles of separation of powers, and the CFPB should be struck down as an unconstitutional administrative agency”; (ii) because these transactions do not fall into the CFPA’s definition of credit, the case lacks a federal cause of action; and (iii) “each cause of action in the [c]omplaint individually fails to state a claim for relief, including because the Government is flat out wrong in its contention that the underlying settlement proceeds are not assignable.”