On May 10, the FDIC announced that an Oregon-based bank has agreed to settle allegations of unfair and deceptive practices in violation of Section 5 of the FTC Act related to a wholly owned subsidiary’s debt collection practices for commercial equipment financing. According to the FDIC, the subsidiary unfairly and deceptively charged various undisclosed collection fees—such as collection call and letter fees and third-party collection fees—to borrowers with past due accounts. The FDIC additionally claimed that some of the subsidiary’s collection practices were also unfair and deceptive, including (i) placing excessive and sequential collection calls to borrowers even after requests were made to stop the calls; (ii) disclosing borrowers’ debt information to third parties; and (iii) telling borrowers that their commercial debt would be reported as delinquent to the consumer reporting agencies (CRAs), even though its policy and practice was to not report such delinquencies to the CRAs. Under the terms of the settlement order, the bank, which neither admits nor denies the violations, will voluntarily pay approximately $1.8 million in restitution to affected borrowers.
On May 10, the U.S. District Court for the Southern District of Texas ordered a defendant hospitality company to reimburse a national bank and its payment processor (collectively, “plaintiffs”) for $20 million in assessments levied against the plaintiffs by two payment brands following a data breach announced by the defendant in 2015. An investigation into the data breach determined that the defendant failed to require two-factor authentication on its remote access software, which contributed to the data breach and violated the payment brands’ security guidelines. The bank paid roughly $20 million to the payment brands and asked the defendant to indemnify it for the assessments. The defendant refused, arguing that its agreement with the bank was not breached because the payment brands’ rules “distinguish between actual and potential data compromises.” Moreover, the defendant stressed that “[b]ecause no evidence indicates that the attackers used the cardholder information” it was not obligated to indemnify the bank. However, the plaintiffs claimed that under the agreement, the defendant agreed to indemnify the bank “if its failure to comply with the brands’ security guidelines, or the compromise of any payment instrument, results in assessments, fines, and penalties by the payment brands.” The plaintiffs filed suit and moved for partial summary judgment on a breach of contract claim. In granting the plaintiffs’ motion for partial summary judgment, the court determined that the hospitality company is contractually obligated to cover the costs, ruling that actual data compromise is not necessary to trigger the agreement’s indemnification guidelines and that the bank does not need to show that the attackers used the payment information.
On May 11, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions pursuant to Executive Order 13224 against seven individuals in connection with Hizballah and its financial firm, which is used by Hizballah to direct the terrorist organization’s financial involvements and to access the international financial system. According to OFAC, one of the sanctioned individuals, who serves as the Chief of Hizballah’s Central Finance Unit, has “acted or purported to act for or on behalf of, directly or indirectly, Hizballah.” The other sanctioned individuals have “acted or purported to act for or on behalf of, directly or indirectly, [the financial firm].” As a result of the sanctions, all property and interests in property belonging to the sanctioned persons, and “any entities that are owned, directly or indirectly, 50 percent or more” by them that are subject to U.S. jurisdiction are blocked and must be reported to OFAC. OFAC notes that its regulations generally prohibit U.S. persons from participating in transactions with these persons, which include “any property or interests in property of designated or otherwise blocked persons.”
On May 11, the U.S. Senate passed S.J. Res. 15 by a vote of 52-47 to invoke the Congressional Review Act and provide for congressional disapproval and invalidation of the OCC’s “True Lender Rule.” Issued last year, the final rule amended 12 CFR Part 7 to state that a bank makes a loan when, as of the date of origination, it either (i) is named as the lender in the loan agreement or (ii) funds the loan. The final rule also clarified that if “one bank is named as the lender in the loan agreement and another bank funds the loan, the bank that is named as the lender in the loan agreement makes the loan.” (Covered by InfoBytes here.) In applauding the passage of the resolution, Senator Chris Van Hollen (D-MD), who introduced S.J. Res. 15, stated that “strik[ing] down the ‘Rent-A-Bank’ rule will help prevent predatory lenders from ripping off consumers by charging loan-shark rates under deceptive terms.” He noted that the legislation has support from a broad array of stakeholder and consumer protection groups, including a bipartisan group of state attorneys general and the Conference of State Bank Supervisors, as previously covered by InfoBytes here.
Ranking member of the Senate Banking Committee, Senator Pat Toomey (R-PA) countered, however, that “[w]ithout the rule, the secondary market for these loans would be disrupted, which, again, disproportionately harms lower-income borrowers.” He further added that “[v]oting in favor of the CRA is a direct assault on fintech. It will make it harder for Congress to legislate here. It will make it harder for regulators to issue guidance and rules that promote fintech. Courts will see it as Congress buying into the notion that fintechs are ‘predatory’ lending. And it will scare away state legislatures from promoting fintech.”
S.J. Res. 15 now heads to the House of Representatives for consideration.
On May 7, the U.S. District Court for the Southern District of New York granted a Missouri-based accounts receivable management company’s (defendant) motion for judgment on the pleadings concerning alleged FDCPA violations. The defendant stated in a collection letter that the plaintiff’s account would be placed with an attorney “for possible legal action” if repayment could not be arranged. The letter also listed two addresses—a physical office address at the top left of the letter and a P.O. Box at the top left of a detachable payment coupon at the bottom of the letter. The plaintiff alleged the letter violated Sections 1692e and 1692g of the FDCPA, claiming that the least sophisticated consumer could read the letter and think that legal action was “imminent,” which would ultimately overshadow the 30-day period to dispute the validity of the debt. The court disagreed, however, concluding that even the least sophisticated consumer would not think the use of the words “if” and “possible” in the letter in question meant that legal action was imminent. Moreover, the court ruled that the inclusion of two different addresses in the letter would not confuse anyone about where to send a dispute notification. Specifically, the validation notice in the letter informed the plaintiff that the defendant would assume the debt to be valid unless its office was notified of a dispute and the letter provided only one office address.
On May 6, the U.S. District Court for the Central District of California preliminarily approved a revised class action settlement concerning allegations that a mortgage servicer charged borrowers a $15 convenience fee for making mortgage payments over the phone. The plaintiff filed a class action complaint in 2019 against the servicer alleging, among other things, that the servicer’s assessment of the convenience fee breached her mortgage agreement and violated the FDCPA, California’s Rosenthal Fair Debt Collection Practices Act, and California’s Unfair Competition Law. The parties reached a settlement in 2020, but the court denied approval, expressing concerns with several aspects of the settlement, including the adequacy of the settlement fund, anticipated attorneys’ fees and incentive award requests, and proposed notice to potential class members. Under the terms of the revised settlement, the servicer will be required to pay approximately $3.3 million into a settlement fund, which will be distributed to class members according to the proportional amount of the pay-to-pay fees charged to each borrower within the class period. Additionally, the named plaintiff agreed to seek an incentive award not to exceed $5,000, and attorneys’ fees and expenses will be capped at 25 percent of the settlement fund.
On April 26, the CFPB denied a petition by a title lending company to set aside a civil investigative demand (CID) issued by the Bureau in February. The CID requested information from the company to determine, among other things, whether “consumer-lending companies or title-loan companies, in connection with the extension of credit, servicing of loans, processing of payments, or collection of debt, have made false or misleading representations” to consumers. On February 25, the company had petitioned the Bureau to set aside the CID, arguing, in part, that (i) the Bureau failed to provide the company “with fair notice as to the nature of the Bureau’s investigation,” as required under section 1052(c)(2) of the Consumer Financial Protection Act (CFPA); (ii) the CID did not enable the company to adequately assess “the relevance or the burdensomeness of the individual requests”; and (iii) part of the Bureau’s investigation related to the company’s sale of non-filing insurance (NFI), which is a particular concern “because NFI is a topic that appears to be completely outside of the Bureau’s authority,” as the CFPA does not authorize the Bureau to regulate the business of insurance.
The Bureau rejected the company’s request to set aside or modify the CID, finding that: (i) the Bureau notified the company that it is investigating conduct ‘in connection with the extension of credit, servicing of loans, processing of payments, or collection of debt’ as potential violations of §§ 1031 and 1036 of the CFPA, the Truth in Lending Act, the Military Lending Act, as well as a prior consent order to which the company is still subject; (ii) the company’s defenses are premature at the investigative stage, even if they “could be raised in defense against the potential legal claims contemplated by the CID”; (iii) although the company complained about the purported “vagueness of the description of the subjects of the investigation” and “whether all of the potential violations applied to the [c]ompany or only a portion,” the Bureau is not required to identify the subject of law enforcement investigations in its CIDs; and (iv) the notification at issue is “far more specific” than the notification of purpose in a different matter referenced by the company, and “identifies the precise conduct under investigation while expressly noting the conduct was committed ‘in connection with the extension of credit, servicing of loans, processing of payments, or collection of debt.’”
On May 7, the U.S. District Court for the Central District of California entered two default judgments totaling more than $34.1 million in an action by the CFPB against a mortgage lender and several related individuals and companies (collectively, “defendants”) for alleged violations of the Consumer Financial Protection Act (CFPA), Telemarketing Sales Rule (TSR), and Fair Credit Reporting Act (FCRA). Settlements have already been reached with the chief operating officer/part-owner of one of the defendant companies, as well as certain other defendants (covered by InfoBytes here, here, and here).
As previously covered by InfoBytes, the Bureau filed a complaint in 2020 claiming the defendants violated the FCRA by, among other things, illegally obtaining consumer reports from a credit reporting agency for millions of consumers with student loans by representing that the reports would be used to “make firm offers of credit for mortgage loans” and to market mortgage products, but instead, the defendants allegedly resold or provided the reports to companies engaged in marketing student loan debt-relief services. The defendants also allegedly violated the TSR by charging and collecting advance fees for their debt-relief services. The CFPB further claimed that the defendants violated the TSR and CFPA when they used telemarketing sales calls and direct mail to encourage consumers to consolidate their loans, and falsely represented that consolidation could lower student-loan interest rates, improve borrowers’ credit scores, and change their servicer to the Department of Education.
The May 7 default judgment entered against the student loan debt-relief companies requires the collective payment of more than $19.6 million in consumer redress and more than $11.3 million in civil money penalties to the Bureau. The companies are also permanently enjoined from offering or providing debt-relief services or from using or obtaining consumer reports for any purpose. Moreover, the companies and any associated individuals may not disclose, use, or benefit from consumer information contained in or derived from prescreened consumer reports for use in marketing debt-relief services.
A second default judgment was entered the same day against one of the individual defendants. The judgment requires the individual defendant to pay a civil money penalty of more than $3.2 million and permanently enjoins him from providing debt relief services or from using or obtaining prescreened consumer reports for any purpose.
On May 6, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) published FAQ 893 clarifying that prohibitions under Executive Order (E.O.) 13959, “Addressing the Threat from Securities Investments that Finance Communist Chinese Military Companies,” do not apply to a previously listed company. Specifically, OFAC explained that following a May 5 court order preliminarily enjoining the implementation of E.O. 13959 against the company, the E.O.’s prohibitions will not apply pending further order of the court.
On May 6, the U.S. District Court for the Eastern District of Pennsylvania ruled that a defendant nationwide convenience store chain must face certain claims filed by a group of financial institutions as a result of a 2019 data security incident that allegedly compromised consumers’ credit and debit card information. The financial institutions, in bringing claims for negligence, negligence per se, and declaratory and injunctive relief, asserted, among other things, that the defendant’s “deficient security measures and vulnerable point-of-sale systems led to a data breach that went undetected for almost nine months.” The court ruled that the negligence and declaratory and injunctive relief claims can proceed, but dismissed without prejudice the financial institutions’ negligence per se claim so that it can be repleaded under a claim for general negligence. In allowing the negligence claim to survive, the court rejected the defendant’s argument that the claim should be dismissed under the economic loss doctrine, which bars recovery in tort resulting from an alleged breach of duty under a contract between the parties. The court pointed out that the financial institutions’ claims are protected by a narrow exception to the economic loss doctrine under Pennsylvania law for breach of a common law duty “independent of any potential contractual relationship,” including “the duty to maintain and protect sensitive data with reasonable care.” The court wrote that “the [i]nstitutions have set forth a plausible negligence claim based on the argument that [the defendant] owed them an independent duty in light of” the Pennsylvania Supreme Court’s 2018 ruling in Dittman v. UPMC, which held that the duty “exists independently from any contractual obligations between the parties.” The court further stated that dismissing the declaratory and injunctive relief claims at this stage would curtail the court’s “broad equity powers to fashion the most complete relief possible.”
As previously covered by InfoBytes, in February, consolidated class members filed an unopposed motion for preliminary approval of a settlement agreement with the defendant, which would provide monetary relief to class members totaling up to $9 million, plus $3.2 million for attorneys’ fees and expenses and class representative service awards. The defendant would also be required to take additional measures for a period of two years to prevent future unauthorized intrusions.