InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
FTC Announces Settlement with Operator of Online Tax Preparation Service Over Privacy and Security Allegations
On August 29, the FTC issued a press release announcing a settlement with the operator of a Georgia-based online tax preparation service to resolve allegations that the company failed to implement adequate security procedures to protect client information in violation of several federal privacy and security rules, including the Federal Trade Commission Act and the Gramm-Leach-Bliley Act’s Privacy Rule (Regulation P) and Safeguards Rule. In its complaint, the FTC alleged that the company violated the Safeguards Rule, which requires financial institutions under FTC jurisdiction toprotect customer information by developing, implementing, and maintaining a comprehensive information security program that satisfies certain requirements. The complaint alleged that, because the company failed to implement these requirements and did not have in place adequate risk-based authentication measures, hackers were able to conduct a “list validation attack” between October 2015 and December 2015, which gave them full access to nearly 9,000 customer accounts. Hackers then used the acquired information to engage in tax identity theft. In addition, the FTC alleges that the company failed to notify customers of the list validation attack or alterations until a user called in January 2016 to report suspicious activity, and failed to delivery privacy notices to customers as required by the Privacy Rule.
Under the terms of the decision and order, the company, among other things, is required for 10 years to obtain biennial independent third-party assessments to address the effectiveness of the company’s security programs and safeguard measures to “certify that [the company’s] security program(s) is operating with sufficient effectiveness to provide reasonable assurance that the security, confidentiality, and integrity of personal information is protected and has operated throughout the reporting period.”
The agreement with the FTC will be subject to public comment for 30 days through September 29, at which point the FTC will decide whether to make the proposed consent order final.
Mortgage Company, Real Estate Services Companies Reach $17 Million Class Action Settlement for Alleged RESPA Violations
On August 25, a national mortgage company and a real estate services family of companies (Defendants) together entered into a $17 million settlement to end a putative class action lawsuit accusing them of arranging kickbacks for unlawful referrals of title services in violation of the Real Estate Settlement Procedures Act (RESPA). The complaint, filed in 2015 in the U.S. District Court for the Central District of California, accused Defendants—along with various affiliates—of violating RESPA by allegedly facilitating the exchange of unlawful referral fees and kickbacks through an affiliated business arrangement, while also directing various banks to refer title insurance and other settlement services to a subsidiary in the real estate services family of companies without informing customers of the relationship between the entities. According to a memorandum in support of the motion seeking preliminary approval of the settlement, the real estate services family of companies was “obligated to refer their customers exclusively to [the mortgage company] for mortgage loans, and, in return, [the mortgage company] was required to refer all settlement services back to [the real estate services enterprise’s] subsidiaries.” While a federal judge dismissed the first and second amended complaints “on the basis that Plaintiffs failed to plead sufficient facts for equitable tolling of RESPA’s one-year statute of limitations,” the same judge denied Defendants’ motion to dismiss a third amended complaint because “Defendants’ contention regarding equitable tolling for the statute of limitations was ‘better resolved in either a motion for summary judgment or trial.’” A fourth amended complaint, filed in July 2017, amended certain claims and added additional class plaintiffs, well after settlement discussions had started.
A stipulation of settlement was filed alongside the motion for preliminary approval, in which Defendants continued “to deny each and all of the claims and contentions alleged in the [a]ction . . . [but] have concluded that the further conduct of the [a]ction against them would be protracted and expensive.” Furthermore, the stipulation noted that “substantial amounts of time, energy and resources have been and, unless this [s]ettlement is made, will continue to be devoted to the defense of the claims asserted in the [a]ction.” The proposed settlement class consists of more than 32,000 transactions related to borrowers who closed on mortgage loans originated by the mortgage company between approximately November 2014 through November 2015, and who paid any title, escrow or closing related charges to the real estate services companies. The proposed settlement stipulates that Defendants must pay $17 million into a settlement fund to be used to provide cash payments to class members, as well as a portion that will go towards class counsel attorney fees and litigation expenses pending court approval.
District Court Dismisses CFPB Lawsuit Against Payment Processors, Cites “Blatant Disregard” for Discovery Order
On August 25, a federal judge in the U.S. District Court for the Northern District of Georgia filed an order dismissing claims brought by the CFPB against four payment processors for allegedly engaging in an illegal robocall phantom debt collection operation involving certain payment processors and a telephone broadcast service provider (defendants). (See previous InfoBytes coverage here.) According to a complaint filed in 2015, the defendants “knew, or should have known” that the debt collectors were contacting millions of consumers in an attempt to collect debt that consumers did not owe or that the collectors were not authorized to collect by using threats, intimidation, and deceptive techniques in violation of the Consumer Financial Protection Act and the Fair Debt Collection Practices Act.
According to the order, however, the CFPB displayed a “blatant disregard” for the court’s instructions when asked repeatedly to identify the factual bases for its claims, and willfully failed to present a knowledgeable 30(b)(6) witness during depositions. As examples of “willful disregard,” the court noted that the CFPB’s approach was to first “bury the Defendants in so much information that [they] cannot possibly identify, with any reasonable particularity, what supports the CFPB’s claims,” and second, to “assert privilege objections to questions that the Court … repeatedly ordered to be answered.” The court also indicated that Bureau witnesses relied on “memory aids”—which the court characterized as “scripts”—to provide answers to the defendants’ questions and were unable to testify beyond what was stated on the memory aids. This behavior made the court “not optimistic that reopening the depositions would be fruitful.” As a result, the court dismissed the defendants from the action, granting sanctions under Rule 37, which permits “a district court [to] impose sanctions upon a party for failure to comply with a discovery order,” which may include striking pleadings in whole or in part.
Report: California-Based Ride Sharing Company Facing DOJ Scrutiny
On August 29, the Wall Street Journal reported that a California-based ride sharing company is facing scrutiny from the DOJ, which has taken preliminary steps to investigate potential FCPA violations at the company. The company has expanded into more than 70 countries. A company spokesman confirmed the DOJ’s inquiry. The Wall Street Journal report stated that it was unclear whether DOJ would open a formal investigation.
President Trump Imposes Additional Venezuelan Sanctions
On August 24, President Trump announced the issuance of new sanctions against Venezuela. Executive Order 13808 “Imposing Additional Sanctions with Respect to the Situation in Venezuela,” adds additional restrictions to those declared in Executive Order 13692. The sanctions prohibit transactions related to the following:
- “new debt with a maturity of greater than 90 days” in conjunction with the Venezuelan state-owned oil and natural gas company (state-owned company);
- “new debt with a maturity of greater than 30 days, or new equity, of the Government of Venezuela, other than debt” in conjunction with the state-owned company;
- “bonds issued by the Government of Venezuela prior to the effective date of this order”;
- “dividend payments or other distributions of profits to the Government of Venezuela from any entity owned or controlled, directly or indirectly, by the Government of Venezuela;
- “[t]he purchase, directly or indirectly, by a [U.S.] person or within the [U.S.], of securities from the Government of Venezuela, other than securities qualifying as new debt with a maturity of less than or equal to 90 days [for state-owned company debt] or 30 days [for other Government of Venezuela debt].”
On August 25, OFAC also issued four General Licenses containing additional provisions: (i) General License 1 imposes a wind-down period through September 24, 2017 for contracts and other agreements that were effective prior to the Executive Order's effective date; (ii) General License 2 authorizes certain transactions involving a specifically listed holding company; (iii) General License 3 authorizes dealings in certain specified Government of Venezuela-related bonds that would otherwise be prohibited; and (iv) General License 4 allows new debt transactions related to “the provision of financing for, and other dealings in new debt related to the exportation or reexportation, from the [U.S.] or by a U.S. person . . . of agricultural commodities, medicine, medical devices, or replacement parts and components for medical devices,” provided compliance with the outlined requirements and limitations. OFAC also published answers to several related frequently asked questions concerning the additional sanctions.
Eleventh Circuit Rules Credit Reporting Agency Did Not Willfully Violate FCRA
In an August 24 opinion, the U.S. Court of Appeals for the Eleventh Circuit held that a credit reporting agency had not interpreted the Fair Credit Reporting Act (FCRA) in an “objectively unreasonable” manner when it included in a plaintiff’s credit report that the plaintiff was an authorized user of her parents’ delinquent credit card account. In doing so, the appellate court upheld the Georgia district court’s decision to dismiss the class action lawsuit over allegations that two credit reporting agencies failed to take reasonable precautions to ensure the accuracy of the plaintiff’s credit score. The appellate court concluded that including the information was a reasonable interpretation of the FCRA obligation to “follow reasonable procedures to assure the maximum possible accuracy” of the reported information—meaning the report must be technically accurate. Because this interpretation was not objectively unreasonable, the plaintiff could not plead that the violations were willful.
The case concerned a plaintiff who was designated as an authorized user of her parents’ credit card when they became ill. After the plaintiff’s parents died, the account went into default, and the credit card company reported the default to consumer reporting agencies listing the consumer as an authorized user, which caused her credit score to drop by 100 points. The credit card company—responding to the plaintiff’s complaint over the inaccurate information—interceded in the matter with the credit reporting agencies. The information was expunged from the plaintiff’s report and her credit score returned to its prior level. The plaintiff then filed a consumer class action complaint in 2015, contending that the consumer reporting agencies had violated their duty under the FCRA when they failed to take reasonable precautions to ensure the accuracy of her credit score.
At issue, the appellate court opined, was which interpretation should be applied when determining “maximum possible accuracy,” which, depending on differing court opinions, might mean (i) making certain that any included information is “technically accurate,” or (ii) ensuring the information is not only technically accurate but also not misleading or incomplete. The appellate court asserted that while the first interpretation was a less exacting reading of the FCRA, the plaintiff failed to cite any judicial precedents or agency interpretive guidance advising that reporting authorized user information was a violation. Further, the plaintiff failed to show that the credit reporting agency reported false information.
Of note, the appellate court determined the plaintiff had shown an “injury in fact” and had standing to sue based on the following reasons: (i) reporting inaccurate credit information “has a close relationship to the harm caused by the publication of defamatory information,” which has a long provided basis as a cause of action; (ii) a concrete injury was allegedly sustained due to time spent resolving the problems resulting from the credit inaccuracies; and (iii) the plaintiff was affected personally because her credit score fell due to the reported information.
FDIC Releases List of Enforcement Actions Taken Against Banks and Individuals in July 2017
On August 25, the FDIC released its list of 24 orders of administrative enforcement actions taken against banks and individuals in July. The FDIC issued consent orders against three banks, including one alleging “unsafe or unsound banking practices relating to [b]ank management and directors, capital maintenance, liquidity, credit administration, third-party risk management, audit, interest rate risk, and strategic and profit planning.”
Ten enforcement actions identified by the FDIC related to unsafe or unsound banking practices and breaches of fiduciary duty leading to financial loss, including seven removal and prohibition orders and three assessments of civil money penalties. Also on the list are four Section 19 orders, which allow applicants to participate in the affairs of an insured depository institution after having demonstrated “satisfactory evidence of rehabilitation,” and seven terminations of consent orders.
There are no administrative hearings scheduled for September 2017. The FDIC database containing all 24 of its enforcement decisions and orders may be accessed here.
Federal Reserve Board Amends Policy on Payment System Risk
On August 25, the Board of Governors of the Federal Reserve System (Board) published in the Federal Register an amendment to Part II of its Policy on Payment System Risk (PSR Policy) in order to “conform to enhancements to the Reserve Banks’ same-day automated clearinghouse (ACH) service.” Posting rules set forth in the PSR Policy govern the times that credits and debits are posted to institutions’ accounts at the Federal Reserve Banks and determine an institution’s intraday account balance and whether the institution has incurred a negative balance (i.e., a “daylight overdraft”).
Changes to the PSR Policy include the following:
- An ACH derived returns function to enable institutions to generate returns via FedLine Web using information from the forward ACH items received through FedACH. The function is intended for institutions that lack the ability to generate returns on their own. Because the derived returns function uses information not available until the day after the processing day for forward ACH items, the Reserve Banks will provide users of the function an interim solution: a same-day paper return option for same-day forward entries greater than $10,000.
- Clarification of posting times for paper returns and paper notifications of change of prior-dated items. Because these items are manually processed by Reserve Bank staff during normal business hours, the Board has announced that posting will now only occur at 5:00 p.m. The PSR Policy has been modified to remove the 8:30 a.m. posting time. However, depending on when the Reserve Banks receive FedLine Webs returns and FedLine Web notifications of change, these items will continue to be posted at 8:30 a.m. and 5:00 p.m.
Details regarding amendments to the “Procedures for Measuring Daylight Overdrafts,” including specific details corresponding to the 8:30 a.m., 1:00 p.m., and 5:30 p.m. transaction posting times, are also included in the Board’s policy statement.
OFAC Settles Alleged Iran Sanction Violations with Singapore-Based Oilfield Services Company
On August 24, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced that it had reached a $415,350 settlement with a Singaporean oilfield services company for an alleged 55 violations of Iran sanctions regulations. OFAC asserted that the company “exported or attempted to export 55 orders of oil rig supplies from the [U.S.] to Singapore and the United Arab Emirates, and then re-exported or attempted to re-export these supplies to four separate oil rigs located in Iranian territorial waters” from approximately October 2011 through February 2013. OFAC alleged that each instance of this conduct, which the company did not voluntarily self-disclose, violated OFAC’s Iranian Transactions and Sanctions Regulations. Had the company not settled, OFAC determined that civil monetary penalties ranged from approximately $923,000 to $13.75 million. In establishing the penalty, OFAC considered that the company: (i) failed to act with an appropriate level of caution by exporting goods to oil rigs located in Iranian territorial waters; (ii) aided the development of Iran's energy resources; (iii) “is a large, sophisticated company with 14 offshore drilling rigs doing business throughout the world;” and (iv) “did not have an OFAC compliance program in place at the time of the transactions.” As for mitigating factors, OFAC determined that: (i) the company has no prior sanctions history with OFAC; (ii) the company took remedial action by implementing an OFAC compliance program; and (iii) the company cooperated with the investigation and entered into a tolling agreement with OFAC.
HUD Releases Mortgagee Letter Providing Home Equity Conversion Mortgage Servicing Implementation Guidance
On August 24, HUD published Mortgagee Letter 2017-11, which provides directions for FHA-approved mortgagees to implement certain servicing policy changes outlined in the Federal Housing Administration: Strengthening the Home Equity Conversion Mortgage Program Final Rule (HECM Final Rule), published in the Federal Register in January 2017. The HECM Final Rule’s servicing requirements (including the additional guidance set forth in Mortgagee Letter 2017-11), will take effect for all FHA case numbers assigned on or after September 19, 2017. The Mortgagee Letter furnishes additional details on the following areas of servicing policy included in the HECM Final Rule: (i) “Default for Unpaid Property Charges”; (ii) “Sale of Property Securing a Due and Payable HECM”; and (iii) “Cash for Keys Incentive and Relocation Incentive.”