InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
FTC, Federal, State, and International Partners Announce Crackdown on Tech Support Scams
On May 12, the FTC, along with federal, state and international law enforcement partners, announced new enforcement actions in its “Operation Tech Trap” program. The program is designed to crack down on tech support scams that, among other things, deceive consumers into believing their computers are infected with viruses and malware and then charge them for unnecessary repairs. According to FTC, its Operation Tech Trap partners have brought 29 law enforcement actions against deceptive tech support operations in the last year. Among the four new complaints announced on May 12, the FTC has already been granted temporary restraining orders in three of the cases to stop the tech support companies’ deceptive practices, freeze their assets, and appoint a temporary receiver to take control of them.
The FTC also announced a settlement in a pending action brought by the FTC and the Attorneys General of Connecticut and Pennsylvania against two defendants who allegedly participated in deceptive acts and practices in connection with the advertising, marketing, and sale of computer security or technical support products and services. Under the terms of the settlement, the defendants are subject to a money judgment in excess of $27 million. The stipulated final order has been entered by the U.S. District Court for the Eastern District of Pennsylvania. In addition to the FTC and state cases, DOJ brought federal criminal charges against seven individuals, two of whom have entered guilty pleas, for their participation in an international “Tech Support Scam.” Moreover, with respect to its international efforts, Operation Tech Trap is working with authorities in India to crack down on tech support scammers, and have also instituted consumer and business education outreach initiatives with Australia and Canada.
CFPB, DOJ Argue Against State AGs Request to Redirect Unused Consumer Redress Funds
On May 10, the CFPB filed a brief and the DOJ filed a separate “Statement of Interest of the United States of America” opposing a request by the Attorneys General of Connecticut, Indiana, Kansas, and Vermont (State AGs) to intervene in a CFPB lawsuit to address the distribution of unclaimed settlement funds.
As previously reported in InfoBytes, in December 2014 the CFPB sued a telecommunications company over allegations that it violated Dodd-Frank and the Consumer Financial Protection Act by knowingly allowing third-party aggregators to bill unauthorized charges to its wireless telephone customers and failing to respond to consumer complaints for nearly a decade. Under the terms of the 2015 Stipulated Final Judgment and Order, the company was required to set aside $50 million for consumer redress. The consumer claims period expired with approximately $15 million remaining unclaimed, and the State AGs sought to have those funds deposited with the National Association of Attorneys General to be used for “consumer protection purposes.” Specifically, in their January 3 Memorandum in Support of Joint Motion to Intervene to Modify Stipulated Final Judgment and Order, the State AGs asked that, “[a]ny funds not used for such equitable relief will be deposited . . . with the National Association of Attorneys General”—instead of being deposited in the Treasury as disgorgement—to be used to “train, support and improve the coordination of the state consumer protection attorneys charged with enforcement of the laws prohibiting the type of unfair and deceptive practices alleged by the CFPB in this [a]ction.”
In its memorandum opposing the joint request to intervene, the CFPB countered that although the redress plan provides that the Bureau may, in consultation with certain states and the FCC, apply unused redress funds to “other equitable relief reasonably related to the Complaint’s allegations,” it has not proposed doing so and any undistributed amounts are to be directed to the Treasury. The DOJ supported the CFPB’s position, arguing that the State AGs’ motion is untimely because that the States were “well aware of this action” over 18 months before filing their motion. The DOJ further asserted that “beyond being consulted by the CFPB if remaining funds were to be devoted to further equitable relief, the Consent Order afforded the States no role with respect to distribution of the remaining Redress Amount funds.”
New York AG Announces Settlement with Virginia Developer for Violating Servicemembers Civil Relief Act
On May 10, New York Attorney General Eric T. Schneiderman announced that a Virginia-based company has agreed to pay $69,000 to settle allegations that, among other things, it violated the Servicemembers Civil Relief Act (SCRA) by unlawfully charging fees to servicemembers who terminated their residential leases early. Under the provisions of the SCRA, servicemembers and their families are allowed to terminate leases early without penalty if they are deployed, receive orders for permanent change of station, or their military service is honorably terminated. According to the Attorney General’s office, the company—which owns a community of townhomes in close proximity to Fort Drum and actively markets its housing to servicemembers and their families—also violated New York law by including “numerous unconscionable provisions” in its lease agreements, and advertising amenities that were either not included in the rent, or unavailable. Under the terms of the settlement, the company must pay more than $59,000 to over 125 servicemembers, reform its lease and other business practices to comply with New York law, and pay a civil money penalty of $10,000 to the State.
Massachusetts AG Announces Settlement with Student Loan Debt Relief Company
On April 28, Massachusetts Attorney General Maura Healey announced a settlement with a student loan debt relief company to resolve allegations that the company charged consumers illegal upfront fees to receive debt relief assistance and falsely led customers to believe it was affiliated with the federal government. According to the Attorney General’s office, this is the fourth in a series of enforcement actions brought against student loan debt relief companies in the state. Under the terms of the April settlement, the company is required to refund $6,500 to 18 affected borrowers, must agree to discontinue providing student loan services, and is prohibited from selling or disseminating Massachusetts customer information collected. Previously in 2015 and 2016, Healey announced settlements with three debt relief companies, bringing the overall recovery total to-date to more than $260,000. In November 2015, the state launched the Student Loan Assistance Unit to assist borrowers unable to repay their loans (see previous InfoBytes summary).
Nevada AG Issues Advisory Opinion Finding Assignment of a Retail Installment Sales Contract Does Not Subject Assignee to Licensure or Regulation Under Ch. 675 of the NV Code
Last month, the Office of the Attorney General for the State of Nevada (OAG) issued an Advisory Opinion[1] finding that a retail seller financing its own sales pursuant to the retail installment sales contract (RISC) provisions found in Chapter 97 of the Nevada Revised Statutes (NRS), but which is otherwise not engaging in lending activity, is not required to secure a lender’s license under Chapter 675 of the NRS. In reaching this conclusion, the OAG references another opinion[2]it had issued earlier this year concerning retail installment lending, and noted that “[w]hen a retail seller finances its own sales pursuant to the provisions of Chapter 97, but otherwise engages in no lending activity, the retailer's business activity is governed exclusively by the provisions of Chapter 97” (emphasis added). In light of this earlier holding, the OAG reasoned as follows:
[W]hen a person purchases or takes an assignment of a RISC pursuant to the provisions of Chapter 97 of the NRS, the person’s acceptance of the assignment does not subject the person to regulation or licensure under NRS Chapter 675. Assuming that the person is not independently engaged in lending activity subject to licensure and regulation under NRS Chapter 675, the person’s financing activity is governed exclusively by the provisions of NRS Chapter 97. To the extent that a vehicle dealer adopts the contractual terms of the form RISC as prescribed by the Commissioner in accordance with Chapter 97, the vehicle dealer is permitted to assign the RISC to a financial institution. Although it applies in general terms to certain types of lending activity, NRS Chapter 675 does not specifically abrogate the exclusive provisions of Chapter 97 that govern the parties to a RISC made and assigned pursuant to Chapter 97.
Notably, the Opinion was issued in response to a request from the Commissioner of the Financial Institutions Division of the Nevada Department of Business and Industry (NDBI), seeking a “formal opinion” regarding certain indirect vehicle financing transactions that use the form retail installment contract prescribed for use in the sale of vehicles pursuant to NRS 97.299. Specifically, the Commissioner sought an opinion addressing “[w]hether a financial institution that purchases Retail Installment Sales Contracts ("RISC[ s ]") from motor vehicle dealers in the State of Nevada (i.e. engages in indirect financing) is required to be licensed pursuant to Chapter 675 of the NRS[.]” The Commissioner also requested clarification addressing “[w]hether NRS Chapter 675 requires such a financial institution to have an in-state physical presence[.]”
Federal Regulators Enter Settlement Agreement with Former Chief Compliance Officer Following AML Program Investigation
On May 4, FinCEN and the U.S. Attorney’s Office for the Southern District of New York announced a $250,000 settlement with the former chief compliance officer of an international money transfer company over allegations that he failed to report suspicious activity and knowingly participated in the company’s failure to maintain an effective anti-money laundering program. The settlement resolves a lawsuit filed in December of 2014 against the defendant, in which the district court dismissed the defendant’s motion to dismiss, ruling that the Bank Secrecy Act’s (BSA) general civil penalty provision, § 5321(a)(1), could subject a partner, director, officer, or employee of a financial institution to civil penalties for violations of any provision of the BSA or its regulations, excluding the specifically excepted provisions, and that because § 5318(h) was not listed as one of those exceptions, “the plain language of the statute provides that a civil penalty may be imposed on corporate officers and employees like [the defendant], who was responsible for designing and overseeing [the company's] AML program.” U.S. Dep’t of Treasury v. Haider, No. 15-cv-01518, WL 107940 (Dist. Ct. Minn. Jan. 8, 2016). (See previous InfoBytes summary.) In the stipulation and order of settlement and dismissal, the defendant (i) accepted responsibility for failing to further investigate consumer fraud reports; (ii) is required to pay $250,000 to the Department of the Treasury; and (iii) is banned for three years from performing compliance functions for other U.S.-based money transmitters. Notably, in February 2016, the money transfer company agreed to pay $13 million to settle claims from 49 states and the District of Columbia over charges that it transferred money to third parties that were defrauding customers. As part of the company’s settlement, it was required to ensure its agents attend mandatory compliance training, enhance its comprehensive anti-fraud compliance program, and implement a hotline system for employees to report noncompliance.
NY AG Schneiderman Releases Guidance on Student Loan Cancellation
On April 21, New York Attorney General Eric T. Schneiderman released guidance for eligible individuals who attended certain programs operated by a group of for-profit post-secondary education California-based colleges. The colleges—which ceased operations in 2015—allegedly made misrepresentations about the employment success of graduates of certain programs and used “false promises of career success to lure students, leaving many with enormous debt and few job prospects.” As a result, students who enrolled in those programs during specified time periods are eligible for the discharge of their federal student loans. It is estimated that up to 3,000 students in New York are eligible for federal loan cancellations based on the findings of an investigation conducted by the U.S. Department of Education (DOE). New York joins 43 other states and the District of Columbia in an outreach effort to assist students in submitting loan cancellation applications. If a student’s application is approved by the DOE, the loan(s) will be cancelled and payments previously made will be refunded.
CFPB Releases Updates to Rulemaking Ex Parte Policy
On April 18, the CFPB issued a release revising its Policy on Ex Parte Presentations in Rulemaking Proceedings. The Policy, originally posted on the Bureau’s website on August 16, 2011, generally requires public disclosure of ex parte communications made to the CFPB’s decision-making staff about pending rules. Per the release, the Bureau asserts that the updates are based on feedback from the public as well as the Bureau’s experiences in implementation and are intended to ensure “fairness and transparency in [the Bureau’s] rulemaking proceedings while also encouraging candid input from state entities.” The majority of the revisions are non-substantive and serve to “clarify the Policy’s provisions and requirements, ensure consistency in terminology . . ., make technical amendments, and facilitate compliance with the procedures in the Policy.” However, the revision includes two key updates. First, it adds an exemption for state entities, similar to the exemption that exists for Federal agencies. These state entities include state attorneys general or their equivalents, state bank regulators, and “state agencies that license, supervise, or examine consumer financial products or services.” The Bureau states that due to the sometimes sensitive nature of the communications from the entities, it “believes that these entities are likely to provide more frank and robust feedback if communications are not subject to the disclosure requirements of the Policy.” A second key update to the Policy specifies that outside parties no longer bear responsibility for both sending ex parte communications to the Bureau and posting them to regulations.gov. Rather, stakeholders are instructed to send communications directly to the Bureau, and Bureau staff will post the communications to the public docket. The updated Policy also extends the time period for outside parties to summarize meetings and presentations from three to ten business days.
California Joins 49 States and the District of Columbia in Settlement with Global Money Services Business
On April 12, California Attorney General Xavier Becerra announced that California has joined a multistate settlement between state attorneys general from 49 states and the District of Columbia and a global money services business to resolve allegations that scammers used the company’s wire transfer services to defraud consumers (see previous InfoBytes post). Under the terms of the settlement, California consumers who made a wire transfer during the period of January 1, 2004 through January 19, 2017, may be eligible for a share of more than $65 million in refunds. As previously covered in InfoBytes, on January 19 of this year, the global money services business entered into a Deferred Prosecution Agreement with the DOJ and FTC requiring, among other things, the business to pay $586 million in refunds to consumers to settle allegations that the company had failed to maintain an effective anti-money laundering program and aided and abetted wire fraud.
New Mexico Enacts Data Breach Notification Act
On April 6, New Mexico Governor Susana Martinez signed into law the Data Breach Notification Act (H.B. 15), making New Mexico the 48th state to pass a data breach notification law. Under the new law—which is scheduled to take effect on June 16—companies are now required to notify any New Mexico residents (and in certain circumstances consumer reporting agencies and the state’s attorney general) following the discovery of a “security breach” involving that resident’s “personal identifying information.” The Act—which unanimously cleared both New Mexico’s House and Senate—also establishes standards for the secure storage and disposal of data containing personal identifying information and provides for civil penalties for violations.
According to the Act, “personal identifying information” consists of an individual’s first name or first initial and last name in combination with any one or more of the following data elements: (i) Social Security number; (ii) driver's license number or government issued identification number; (iii) account number, credit card, or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account; or (iv) biometric data. As with many other states’ breach notice laws, the term “security breach” is defined as “the unauthorized acquisition of unencrypted computerized data, or of encrypted computerized data and the confidential process or key used to decrypt the encrypted computerized data, that compromises the security, confidentiality or integrity of personal identifying information maintained by a person.” However, notice to affected residents is not required if the entity “determines that the security breach does not give rise to a significant risk of identity theft or fraud.” The Act also sets out the required contents of, and methods for providing, notification—which generally must be made no later than 45 days after the breach was discovered—including substitute methods if certain criteria are met. Certain entities, including those subject to GLBA or HIPAA, are exempt from the requirements of the Act.
Notably, the Act does not provide its citizens with a private right of action, but rather charges the state’s attorney general with enforcing the Act through legal actions on behalf of affected individuals. The Act provides for the issuance of injunctive relief and/or damages for actual losses including consequential financial losses. For knowing or reckless violations of the Act, a Court also may impose civil penalties of $25,000, or in the case of a failure to notify, a penalty of $10 per instance up to a maximum penalty of $150,000.