Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
On May 28, the Hawaii Supreme Court vacated summary judgment in favor of a national bank, ruling that the “bank seeking to foreclose on a mortgage and note” did not meet its “burden of establishing that the borrower defaulted under the terms of the agreements.” The bank sought a judicial foreclosure of the borrower’s residence and submitted a ledger in order to prove the borrower had defaulted. However, the state’s Supreme Court determined that the Intermediate Court of Appeals erred in affirming the lower court’s order because the bank failed to explain how to read the entries. According to the Supreme Court, the ledger was “ambiguous” and presented “genuine issues of material fact” as to whether the bank was entitled to bill the borrower for lender-placed insurance and whether the borrower “actually owed the amounts that forced her into the alleged default” when the bank “apparently redirected her payments to cover the cost of lender-placed insurance.”
On June 1, the U.S. Court of Appeals for the Fifth Circuit determined that a “global payment services company” does not qualify as a bank under U.S. tax code, 26 U.S.C. § 581. According to the opinion, the company described its activities to the IRS in 2008 as “banking” while referring to its products as “financial services” despite making no meaningful changes to its business from prior years when it described itself as a “nondepository credit intermediation” business and its services as “money/wire transfers.” Because companies who claim bank status receive certain significant tax benefits, the company—which had invested billions of dollars in asset-backed securities, including mortgage-backed securities—deducted losses it incurred during the Great Recession against ordinary income. However, according to the opinion, nonbanks are only permitted “to deduct losses on securities to the extent they offset capital gains, which [the company] did not have during the relevant years.” The IRS disagreed with the company’s deductions, determined it was not a bank, and assessed tens of millions of dollars in tax deficiencies. The company unsuccessfully challenged the IRS in tax court, and, following a first appeal resulting in a remand, the tax court again concluded that the company was not a bank “because it neither accepts deposits nor makes loans.”
On appeal, the 5th Circuit affirmed the tax court’s decision, stating that it only needed to address the “deposit” requirement and holding that because customers do not deposit money with the company for safekeeping “the most basic feature of a bank is missing.” The appellate court explained that therefore, under the tax code, the company was not entitled to deduct from its taxes “large losses it incurred in writing off mortgage-backed securities during the Great Recession.”
On June 1, the U.S. Court of Appeals for the Eleventh Circuit held that an insurance firm is not required to pay a $60.4 million TCPA judgment arising out of a Florida-based insurance broker’s marketing campaign accused of sending unsolicited text messages and phone calls to consumers. The broker sought coverage against a class action which alleged, among other things, that “by sending the text messages at issue. . . , Defendant caused Plaintiffs and the other members of the Classes actual harm and cognizable legal injury [including] . . . invasions of privacy that result from the sending and receipt of such text messages.” In response, the insurance firm asserted that the policy did not cover invasion of privacy claims such as those brought in the class action against the broker. Subsequently, the broker settled the suit and assigned all of its rights against its insurer to the plaintiffs, who attempted to enforce the judgment against the insurance firm. The 11th Circuit found that the broker’s insurance policy excluded coverage of certain actions that would prompt a lawsuit, including claims of invasion of privacy. The appellate court also concluded that the TCPA class action arose out of an “invasion of privacy” because the class complaint specifically alleged that the broker “intentionally invaded the class members’ privacy and sought recovery for those invasions.”
However, one of the judges dissented from the ruling, opining that the policy the insurance firm wrote to the broker is “ambiguous as to whether it refers to the common-law tort called ‘invasion of privacy,’” noting that “in other words, if it could reasonably be so interpreted—then we must interpret it to refer only to that tort.” The judge also noted that it is “unclear to me why any party to an insurance policy would ever allow coverage to be dictated by the conclusory terms and labels that a plaintiff might later choose to include in her complaint.”
On June 4, the CFPB released eight new FAQs regarding compliance with the Electronic Fund Transfer Act (EFTA) and Regulation E. Highlights from the FAQs are listed below:
- As explained by the commentary to Regulation E, unauthorized electronic funds transfers (EFTs) include transfers by a person who obtained an access device from a consumer through fraud or robbery. “Similarly, when a consumer is fraudulently induced into sharing account access information with a third party, and a third party uses that information to make an EFT from the consumer’s account, the transfer is an unauthorized EFT under Regulation E.”
- “If a third party fraudulently induces a consumer to share account access information,” subsequent EFTs initiated using that information are not excluded from the definition of an unauthorized EFT under the exclusion for transfers initiated by persons who “furnished the access device to the consumer’s account by the consumer.”
- Financial institutions cannot consider a consumer’s negligence when determining liability for unauthorized EFTs under Regulation E because it establishes “the conditions in which consumers may be held liable for unauthorized transfers, and its commentary expressly states that negligence by the consumer cannot be used as the basis for imposing greater liability than is permissible under Regulation E.”
- Financial institutions cannot rely on a consumer agreement that “includes a provision that modifies or waives certain protections granted by Regulation E, such as waiving Regulation E liability protections if a consumer has shared account information with a third party” when determining whether the EFT was unauthorized and what liability provisions apply. The EFTA “includes an anti-waiver provision stating that ‘[n]o writing or other agreement between a consumer and any other person may contain any provision which constitutes a waiver of any right conferred or cause of action created by [EFTA].’”
- Less protective rules do not change a financial institution’s Regulation E obligations, even if private network rules and other agreements provide additional consumer protections beyond Regulation E.
- “A financial institution must begin its investigation promptly upon receipt of an oral or written notice of error and may not delay initiating or completing an investigation pending receipt of information from the consumer.”
- “If a consumer has provided timely notice of an error under 12 CFR § 1005.11(b)(1) and the financial institution determines that the error was an unauthorized” EFT, Regulation E’s liability protections under Section 1005.6 would apply. “Depending on the circumstances regarding the unauthorized EFT and the timing of the reporting, a consumer may or may not have some liability for the unauthorized EFT.”
FTC alleges subscription service failed to provide access to paid-for services or secure personal data
On June 7, the FTC announced a complaint and proposed consent order against the operators of a movie subscription service to settle allegations that the respondents denied subscribers access to paid-for services and failed to secure subscribers’ personal information. The FTC alleges in its complaint that the respondents violated the FTC Act by employing multiple tactics to prevent subscribers from using the advertised services, including by (i) invalidating subscribers’ passwords while deceptively claiming to have “detected suspicious activity or potential fraud” on the subscribers’ accounts; (ii) imposing a deceptive ticket verification program, which required subscribers to submit photos of physical movie ticket stubs within a certain timeframe in order to view future movies or risk having their subscriptions cancelled; and (iii) using undisclosed financial thresholds known as “trip wires” to block certain subscribers after they reached certain viewing thresholds based on their monthly cost to the company. The FTC also alleged the respondents violated the Restore Online Shoppers’ Confidence Act, by failing to (i) disclose all material terms before obtaining consumers’ billing information; or (ii) obtain consumers’ express informed consent before charging them. Furthermore, the respondents allegedly failed to take reasonable measures to protect subscribers’ personal information, including storing personal data such as financial information and email addresses in unencrypted form and failing to restrict who could access the data, which lead to a data breach in 2019.
An analysis of the FTC’s proposed consent order notes that the respondents are prohibited from misrepresenting their services and must establish a comprehensive information security program that requires them—and any businesses controlled by the respondents —to implement and annually test and monitor safeguards and take steps to address security risks. The respondents must also obtain biennial third-party assessments of its information security program, notify the FTC of any future data breaches, and annually certify that it is complying with the order’s data security requirements. The FTC noted that because certain respondents have filed for bankruptcy, the order does not include monetary relief.
On June 7, Freddie Mac announced a new cap, or limit, on the purchase of certain single-family mortgages secured by investment properties and second homes to 7 percent of total single-family mortgage acquisitions. For July, Freddie Mac updated the requirements for investment property and second home mortgages to state that if a seller sells more than five mortgages secured by second homes and/or investment properties, the seller’s delivery of such mortgages may not, by the measure of the aggregate unpaid principal balance (UPB) of a mortgage, exceed 6.5 percent “of the total UPB for all [m]ortgages sold during that month.” After July, the cap will be set at 6 percent. The announcement also noted that the cap “is intended to be temporary” and may be revised as needed.
On June 3, President Biden issued a memo designating the “fight against corruption” as a top priority in preserving national security in the United States. The memo notes, among other things, that corruption not only corrodes public trust and development efforts, it also decreases global gross domestic product by an estimated two to five percent. In establishing “countering corruption as a core United States national security interest,” the memo highlights that the Biden administration will “lead efforts to promote good governance; bring transparency to the United States and global financial systems; prevent and combat corruption at home and abroad; and make it increasingly difficult for corrupt actors to shield their activities.” This includes efforts that will significantly bolster the ability of the U.S. government to, among other things: (i) boost the ability of key executive departments and agencies to encourage fair governance; (ii) counter illicit finance in the U.S. and foreign financial systems; (iii) hold corrupt individuals accountable; (iv) “strengthen the capacity of civil society, media, and other oversight and accountability actors to conduct research and analysis on corruption trends”; (v) coordinate with international partners to counteract strategic corruption; and (vi) encourage partnerships with the private sector and civil society. The memo further points out that an interagency review must take place within 200 days of the date of the memo, and a report and recommendations will be submitted to the president for further direction and action.
On June 2, the SEC announced whistleblower awards to two individuals totaling nearly $23 million for information and assistance provided in multiple successful enforcement actions. According to the redacted order, the SEC awarded the first whistleblower nearly $13 million for submitting a whistleblower tip that led to the initiation of the investigations. The second whistleblower received approximately $10 million for submitting a tip that contributed to the investigation, but according to the SEC, the whistleblower “unreasonably delayed by waiting several years to report the conduct.” The SEC noted that both whistleblowers provided substantial voluntary assistance in the investigation, including participating in interviews and identifying key individuals and systems involved in the investigations.
Earlier on May 27, the SEC announced that it awarded a whistleblower more than $4 million for voluntarily providing information that prompted the SEC to open an investigation leading to a successful enforcement action. According to the redacted order, the whistleblower provided substantial information to SEC investigative staff, identified key players, provided helpful information and documents, and cooperated with investigative staff. The SEC, however, determined a second claimant to be ineligible for an award, concluding, among other things, that the claimant “provided no information that was used in or otherwise contributed to the Covered Action” nor any “unique information or insight,” which would have led to the success of the enforcement action.
The SEC has awarded more than $928 million to 166 individuals since issuing its first award in 2012.
On June 2, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions pursuant to Executive Order 13818 against three individuals for their extensive roles in corruption in Bulgaria and their networks, which encompasses 64 entities. According to the announcement, this is the single largest action targeting corruption to date. Andrea Gacki, Director of OFAC, noted that the U.S. joins Bulgarians in “promoting accountability for corrupt officials who undermine the economic functions and democratic institutions.” Additionally, “any entities that are owned, directly or indirectly, 50 percent or more by one or more blocked persons are also blocked.” The sanctions also generally prohibit U.S. persons from engaging in any dealings involving the property or interests in property of designated or otherwise blocked persons.
On June 1, the U.S. Treasury Department’s Office of Foreign Assets Control issued Venezuela-related General License (GL) 8H, which authorizes transactions involving Petróleos de Venezuela, S.A. (PdVSA) necessary for the limited maintenance of essential operations in Venezuela or the wind down of operations in Venezuela for certain entities that would otherwise be prohibited by Executive Order 13850, as incorporated into the Venezuela Sanctions Regulations. (Covered by InfoBytes here.) Effective June 1, GL 8H replaces GL 8G, which was issued November 2020.