Skip to main content
Menu Icon
Close

InfoBytes Blog

Financial Services Law Insights and Observations

Filter

Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.

  • Ex-NFL players no longer part of CFPB, New York suit on high-cost loans

    Courts

    On June 27, the CFPB and New York attorney general filed an amended complaint in the U.S. District Court for the Southern District of New York, removing references to a New Jersey-based finance company’s arrangements with seven former NFL players in an action concerning whether the company and its affiliates (collectively, “defendants”) mischaracterized high-cost loans as assignments of future payment rights. As previously covered by InfoBytes, the agencies filed a lawsuit in 2017 claiming, among other things, that the defendants misled World Trade Center attack first responders and professional football players in selling expensive advances on benefits to which they were entitled and mischaracterized extensions of credit as assignments of future payment rights, thereby misleading their victims into repaying far more than they received. Specifically, the initial filing in 2017 alleges that the defendants (i) used “confusing contracts” to prevent the individuals from understanding the terms and costs of the transactions; (ii) lied to the individuals by telling them the companies could secure their payouts more quickly; (iii) misrepresented how quickly they would receive payments from the companies, and (iv) collected interest at an illegal rate. The amended complaint removes all references to defendants’ arrangements with the ex-NFL players, but maintains claims related to financing deals signed with first responders to the World Trade Center attack.

    The court issued an order on June 28 accepting the agencies’ unopposed motion to file the amended complaint to “remove references to NFL player consumers and to remove allegations in Count VIII” related to alleged violations of New York General Obligations Law § 13-101 concerning personal injury claims. No additional details on the reasons for the removals are provided.

    The amended complaint follows a March order issued by the district court (covered by InfoBytes here) in which it ruled that the CFPB could proceed with its 2017 enforcement action. In 2020, the U.S. Court of Appeals for the Second Circuit vacated the district court’s 2018 order (covered by InfoBytes here), which had dismissed the case on the grounds that the Bureau’s single-director structure was unconstitutional, and that, as such, the agency lacked authority to bring claims alleging deceptive and abusive conduct by the company. The 2nd Circuit remanded the case to the district court, determining that the U.S. Supreme Court’s ruling in Seila Law LLC v. CFPB (holding that the director’s for-cause removal provision was unconstitutional but severable from the statute establishing the Bureau, as covered by a Buckley Special Alert) superseded the 2018 ruling. 

    Courts State Issues CFPB State Attorney General Enforcement New York UDAAP Deceptive Abusive

  • FINRA fines firm $2.8 million for faulty trade confirmations

    Federal Issues

    On June 29, the Financial Industry Regulatory Authority (FINRA) entered into a Letter of Acceptance, Waiver, and Consent (AWC), which ordered a New York-based member firm to pay $2.8 million to settle allegations that it sent customers inaccurate trade confirmations. According to FINRA, from November 2008 through the present, the firm allegedly sent customers roughly “270 million confirmations that inaccurately disclosed the firm’s execution capacity, the customer’s price, the market center of execution, or whether the trade was executed at an average price.” FINRA attributed the inaccuracies to 11 underlying issues, including technology issues, a drafting error, and a misunderstanding of regulatory guidance that allegedly went undetected for at least five years. Additionally, FINRA claimed that from at least November 2008 through March 2020, the firm failed to establish and maintain a supervisory system, including written procedures, to achieve compliance with the confirmation requirements, and claimed this alleged failure “persisted even though, by mid-2017, [the firm] was aware due to FINRA examinations of multiple systemic issues resulting in tens of millions of inaccurate confirmations.” Rather than implementing a “reasonable” supervisory system, FINRA contended that the firm took a year to set up a system and procedures that monitored only whether confirmations were delivered, not whether they were accurate. The firm neither admitted nor denied the findings set forth in the AWC agreement but accepted and consented to the entry of FINRA’s findings and censure and agreed to certify within 120 days that it corrected the identified issues.

    Federal Issues FINRA Enforcement Disclosures

  • FTC sues national retailer for allegedly facilitating money transfer fraud

    Federal Issues

    On June 28, the FTC filed a complaint against a national retailer for allegedly allowing its money-transfer services to facilitate fraud. The complaint alleges the retailer knew about the role money transfer services play in scams but failed to properly secure the services offered at its stores, thus allowing money to be sent to “domestic and international fraud rings.” According to the FTC, at least 226,679 complaints totaling more than $197 million were received by several money transfer services companies about fraud-induced money transfers that were sent from or received at one of the retailer’s stores between January 1, 2013 and December 31, 2018. An investigation by the FTC purportedly revealed that the retailer’s practices allegedly harmed consumers by, among other things, (i) allowing the payout of suspicious money transfers, which allowed scammers to retrieve fraud proceeds at one of the retailer’s stores; (ii) failing to have in place a written anti-fraud policy or consumer protection program until November 2014; (iii) allowing cash pickups for large payments, often through the use of fake IDs; (iv) failing to display or provide materials warning consumers about potential frauds; (v) failing to effectively train or retrain employees; and (vi) allowing money transfers to be used for telemarketing purchases, which are prohibited under the Telemarketing Sales Rule (TSR) due to the high risk of fraud.

    According to the complaint, the retailer “is well aware that telemarketing and other mass marketing frauds, such as ‘grandparent’ scams, lottery scams, and government agent impersonator scams, induce people to use [the retailer’s] money transfer services to send money to domestic and international fraud rings. Nevertheless, [the retailer] has continued processing fraud-induced money transfers at its stores—funding telemarketing and other scams—without adopting policies and practices that effectively detect and prevent these transfers.”

    The complaint seeks a permanent injunction, monetary relief, civil penalties, restitution, and other relief for each violation of the FTC Act and the TSR. The FTC also requests the “rescission or reformation of contracts, the refund of money, the return of property, the payment of damages, public notification, or other relief necessary to redress injury to consumers damages.”

    The retailer issued a press release following the FTC’s announcement, stating that it considers the agency’s claims to be “misguided and legally flawed,” and that the civil lawsuit “was approved by the FTC by the narrowest of margins after Chair Lina Khan refused [the retailer] the due process of hearing directly from the company.” The retailer noted that the FTC’s decision comes after DOJ declined to pursue the case in court. Among other thing, the retailer contended that because it maintains robust anti-fraud measures there is no need for injunctive relief requiring the retailer to change its practices. The retailer pointed to the U.S. Supreme Court’s ruling in AMG Capital Management LLC v. FTC, which limited the FTC’s ability to obtain monetary relief in federal court (covered by InfoBytes here), to argue that the FTC “pivoted their focus in this case after AMG to a distorted interpretation of the TSR to effectively try and hold [the retailer] strictly liable for money transfers that third-party criminals reportedly persuaded some consumers to send.” The retailer added that “[s]witching their main legal theory to the TSR is an obvious attempt to get around the Supreme Court’s ruling in AMG.”

    Federal Issues FTC Enforcement FTC Act Telemarketing Sales Rule Money Service / Money Transmitters Fraud

  • NYDFS imposes $5 million fine against cruise line for cybersecurity violations

    Privacy, Cyber Risk & Data Security

    On June 24, NYDFS announced a consent order imposing a $5 million fine against a group of Florida-based cruise lines for alleged violations of the state’s Cybersecurity Regulation (23 NYCRR Part 500). According to a Department investigation, the companies were subject to four cybersecurity incidents between 2019 and 2021 (including two ransomware attacks). The companies determined that unauthorized parties gained access to employee email accounts, and that, through a series of phishing emails, the parties were able to access email and attachments containing personal information belonging to the companies’ consumers and employees. NYDFS claimed that although the companies were aware of the first cybersecurity event in May 2019, they failed to notify the Department as required under 23 NYCRR Part 500 until April 2020. The investigation further showed that the companies allegedly failed to implement multi-factor authentication and did not provide adequate cybersecurity training for their personnel. NYDFS determined that in addition to the penalty, since the companies were licensed insurance producers in the state at the time of the cybersecurity incidents they would be required to surrender their insurance provider licenses.

    The settlement follows a $1.25 million data breach settlement reached with 45 states and the District of Columbia on June 22 (covered by InfoBytes here).

    Privacy/Cyber Risk & Data Security State Issues NYDFS State Regulators Enforcement Settlement Data Breach 23 NYCRR Part 500

  • FDIC releases May enforcement actions

    On June 24, the FDIC released a list of 14 public enforcement actions taken against banks and individuals in May. These orders consist of “two consent orders, one modification of an 8(e) prohibition order, three orders to pay civil money penalty, three orders of prohibition, two section 19 orders, and one order of prohibition from further participation and order to pay, one order terminating amended supervisory prompt corrective action directive, and one order of termination of insurance.” Included is an order to pay a civil money penalty imposed against a Texas-based bank related to alleged violations of the Flood Disaster Protection Act. Among other things, the FDIC claimed that the bank failed “to obtain flood insurance or obtain an adequate amount of insurance coverage, at or before loan origination, for all structures in a flood zone, including multiple structures,” and failed “to force-place flood insurance, after loan origination, when the insurance on buildings securing the loan” was insufficient or nonexistent. The order assessed a $2,000 civil money penalty.

    The FDIC also issued a consent order against a Utah-based bank based on alleged unsafe or unsound banking practices relating to the Bank Secrecy Act. The bank neither admitted nor denied the alleged violations but agreed to, among other things, “increase its oversight of the Bank's compliance with the BSA” and “conduct a comprehensive assessment of BSA/AML staffing needs.”

    Bank Regulatory Federal Issues FDIC Flood Insurance Flood Disaster Protection Act Bank Secrecy Act Anti-Money Laundering Enforcement

  • FTC, Florida file complaint against grant funding operation

    Federal Issues

    On June 27, the FTC and the Florida attorney general filed a complaint against a Florida-based grant funding company and its owner (collectively, “defendants”) alleging that the defendants violated the Consumer Protection Act, the FTC Act, and the Florida Deceptive Unfair Trade Practices Act. According to the complaint, the defendants deceptively marketed grant writing and consulting services to minority-owned small businesses by, among other things, (i) promising grant funding that did not exist and/or was never awarded; (ii) misleading customers about the status of grant awards; and (iii) failing to honor a “money-back guarantee” and suppressing customer complaints. The complaint also alleged that the owner relied on funds that she acquired through the federal Paycheck Protection Program Covid-19 stimulus program to start the company. The U.S. District Court for the Middle District of Florida issued a restraining order with asset freeze, appointment of a temporary receiver, and other equitable relief order against the defendants, which also prohibits them from engaging in grant funding business activities.

    Federal Issues State Issues FTC Enforcement State Attorney General Florida Covid-19 FTC Act Deceptive UDAP

  • FTC finalizes action against e-commerce platform for data breach cover up

    Federal Issues

    On June 24, the FTC announced a final decision and order against two limited liability companies (respondents) accused of allegedly failing to secure consumers’ sensitive personal data and covering up a major breach. As previously covered by InfoBytes, the respondents—former and current owners of an online customized merchandise platform—allegedly violated the FTC Act by, among other things, misrepresenting that they implemented reasonable measures to protect customers’ personal information against unauthorized access and misrepresenting that appropriate steps were taken to secure consumer account information following security breaches. The complaint further alleged that respondents failed to apply readily available protections against well-known threats or adequately respond to security incidents, which resulted in the respondents’ network being breached multiple times. Under the terms of the final settlement, one of the respondents is required to pay $500,000 to victims of the data breaches. The other respondent is required to provide notice to consumers impacted by a 2019 data breach. Among other things, the order prohibits respondents from misrepresenting their privacy and security measures and requires that respondents implement comprehensive information security programs that are assessed by an independent third party.

    Federal Issues Privacy/Cyber Risk & Data Security FTC Enforcement Data Breach FTC Act Deceptive UDAP

  • Fed announces enforcement actions against Minnesota and Arkansas state banks

    On June 21, the Federal Reserve Board released civil penalty orders against two state banks, both relating to alleged violations of the National Flood Insurance Act (NFIA) and its implementing regulation, Regulation H. The first civil penalty order, against a Minnesota-based bank, assessed a $4,950 penalty for an alleged pattern or practice of violations of Regulation H but does not specify the number or the precise nature of the alleged violations. The second civil penalty order, against an Arkansas-based bank, assessed a $13,950 penalty for an alleged pattern or practice of violations of Regulation H without specifying the number or precise nature of the alleged violations. The maximum civil money penalty under the NFIA for a pattern or practice of violations is $2,000 per violation.

    Bank Regulatory Federal Reserve Flood Insurance Enforcement National Flood Insurance Act Regulation H

  • States reach $1.25 million data breach settlement with cruise line

    State Issues

    On June 22, a coalition of state attorneys general from 45 states and the District of Columbia announced a $1.25 million settlement with a Florida-based cruise line, resolving allegations that it compromised the personal information of employees and consumers as a result of a data breach. According to the announcement, in March 2020 the company publicly reported that the breach involved an unauthorized actor gaining access to certain employee email accounts. The breach notifications sent to the AGs' offices stated the company first became aware of suspicious email activity in late May of 2019, approximately 10 months before it reported the breach. An ensuing multistate effort focused on the company’s email security practices and compliance with state breach notification statutes. The announcement explained that “’unstructured’ data breaches, like the [company’s] breach, involve personal information stored via email and other disorganized platforms” and that “[b]usinesses lack visibility into this data, making breach notification more challenging and causing further risks for consumers with the delays.”

    Under the terms of the settlement, the company has agreed to provisions designed to strengthening its email security and breach response practices, including, among other things: (i) implementing and maintaining a breach response and notification plan; (ii) requiring email security training for employees; (ii) instituting multi-factor authentication for remote email access; (iii) requiring the use of strong, complex passwords, password rotation, and secure password storage for password policies and procedures; (iv) maintaining enhanced behavior analytics tools to log and monitor potential security events on the company’s network; and (v) undergoing an independent information security assessment, consistent with past data breach settlements.

    State Issues Enforcement State Attorney General Data Breach Settlement Privacy/Cyber Risk & Data Security

  • Special Alert: DOJ settles claims of algorithmic bias

    Federal Issues

    On June 21,  the United States Department of Justice announced that it had secured a “groundbreaking” settlement resolving claims brought against a large social media platform for allegedly engaging in discriminatory advertising in violation of the Fair Housing Act. The settlement is one of the first significant federal actions involving claims of algorithmic bias and may indicate the complexity of applying “disparate impact” analysis under the anti-discrimination laws to complex algorithms in this area of increasingly intense regulatory focus.

    Federal Issues DOJ Special Alerts Fair Housing Act Algorithms Advertisement Enforcement Settlement Disparate Impact Discrimination

Pages

Upcoming Events