InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Large bank agrees to proposed settlement agreement; to be decided in February
On November 27, 2023, a large Canadian bank agreed to pay $15.9 million to accountholders in a proposed settlement agreement stemming from a class action suit in which the bank allegedly charged improper non-sufficient fund (NSF) fees. NSF fees are charges by a financial institution when they decline to make a payment from an accountholder’s account after determining the account lacks sufficient funds. Plaintiffs alleged that from February 2, 2019, to November 27, 2023, the bank charged accountholders multiple NSF fees on a single attempted transaction. In the agreement, the bank continues to deny liability. While an agreement has been reached between the two parties, the agreement has yet to be approved by the courts. A hearing has been scheduled for February 13, 2024, in the Ontario Superior Court of Justice to approve the settlement and award the payouts. Accountholders will receive their payouts, “estimated to be in the range of approximately $88 CAD,” deposited directly to their account with the bank. Under the proposed settlement agreement, the representative plaintiff will receive an honorarium of $10,000. As previously covered by InfoBytes, the FDIC warned that supervised financial institutions that charge multiple NSF fees on re-presented unpaid transactions may face increased regulatory scrutiny and litigation risk.
SEC charges DAO for unregistered sale of crypto smart yield bonds
On December 22, 2023, the SEC announced a settlement with a decentralized autonomous organization (DAO) and a second settlement with its founders. The SEC alleged that the DAO failed to register with the Commission for its offering and sale of structured crypto-asset securities. The SEC additionally charged the organization for operating certain pools as unregistered investment companies. According to the SEC, the organization compared its structured crypto-asset securities to asset-backed securities and marketed them to the public. Furthermore, investors could acquire “senior” or “junior” interest which could be pooled and used to generate returns. The orders state that the structured crypto-asset securities attracted significant investments, totaling over $509 million, with fees paid to the organization by investors based on investment size and chosen yield.
SEC awards more than $28 million to seven whistleblowers
On December 22, 2023, the SEC announced awards totaling more than $28 million to seven whistleblowers whose information and assistance led to a successful SEC enforcement action. According to the redacted order, five of the whistleblowers provided significant information early in the investigation, participated in voluntary interviews, provided supporting documents to SEC staff, and identified key witnesses. The SEC also added that the whistleblowers made several attempts to internally report their concerns to company management. Two whistleblowers provided significantly less information than the other five later into the investigation, but still qualified for a percentage of the monetary sanctions collected in the covered action. Creola Kelly, Chief of the SEC’s Office of the Whistleblower, stated that “[t]hese whistleblowers provided valuable information and substantial assistance that played a critical role in the SEC returning millions of dollars to harmed investors.”
One claimant’s whistleblower award application was denied because they did not communicate directly with the SEC staff responsible for the Covered Action Investigation and none of the information provided by the claimant was forwarded to the responsible staff. As such, the claimant did not provide original information that led to the successful enforcement action.
Payments to whistleblowers are made out of an investor protection fund, established by Congress, which is financed entirely through monetary sanctions paid to the SEC by securities law violators.
CFPB, DOJ sue developer over predatory lending
On December 20, the CFPB and the DOJ issued a press release announcing the filing of a complaint against four affiliated Texas-based entities (collectively, the “developer”) alleging bait-and-switch land sales and predatory financing. The agencies claim the developer violated ECOA and FHA by targeting thousands of Spanish-speaking borrowers with predatory seller financing. The complaint also alleges the developer misrepresented or omitted material information regarding the seller-financed flood-prone lots having “the infrastructure necessary to connect water, sewer, and electrical services pre-installed,” and regarding flood risk. The complaint also claims that the developer did not provide purchasers with a property report before the purchaser entered into the subject agreement. Further, according to the complaint, the developer marketed the lots primarily in Spanish, but required borrowers to sign important transactional documents written in English only. The action also includes claims brought under other laws and regulations. Notably, this is the first federal court lawsuit the CFPB has brought under the Interstate Land Sales Full Disclosure Act of 1968 (ILSA).
FTC temporarily halts business opportunity scheme
On December 19, the FTC announced that the U.S. District Court for the Eastern District of Pennsylvania granted a temporary restraining order against a business opportunity scheme for allegedly engaging in deceptive acts. The court’s order barred the defendants from making misrepresentations about any business or money-making opportunity and froze the defendant’s assets. According to the FTC’s complaint, the business opportunity scheme violated the FTC Act’s prohibition of “unfair or deceptive acts or practices in or affecting commerce” and the Telemarketing Sales Rule by, among other things, (i) making misrepresentations regarding earnings from their products and services; (ii) furnishing “success coaches” with marketing materials to be used for new member recruitment, thus providing the means for the commission of deceptive acts or practices; (iii) making misrepresentations regarding profitability to persuade consumers to pay for membership, digital products, and marketing packages; (iv) making misrepresentations regarding material aspects of an investment opportunity; and (v) facilitating outbound calls that deliver prerecorded messages to encourage consumers to purchase its products, also known as robocalls. Beyond the temporary restraining order and asset freeze, the FTC is seeking a permanent injunction and other equitable relief.
DOJ announces crackdown on fraud networks targeting consumer accounts
On December 15, in conjunction with the DOJ’s Consumer Protection Branch efforts to crack down on fraud, the DOJ unsealed two cases against groups that allegedly stole money from consumer accounts with financial institutions. According to the DOJ, the groups used “deceptive tactics” to cover the fraud, and in the two cases, the Department is seeking “temporary restraining orders and the appointment of receivers to stop defendants from dissipating assets.”
The first case (in the U.S. District Court for the Southern District of Florida) involves a group that allegedly committed bank and wire fraud and stole millions from consumers and small businesses by repeatedly creating sham companies. According to the complaint, since at least 2017, the defendants operated fraud schemes disguised as legitimate online marketing service providers by fabricating websites, forging consumer authorizations for charges, and establishing a “customer service” call center to handle complaints. The defendants allegedly obtained bank account information from individuals and small businesses without permission and utilized payment processors to make unauthorized debits to accounts. The DOJ claims that, to carry out the fraud, the defendants used remotely created checks, which are created remotely by a payee using the account holder’s information but without their signature. The second case (in the U.S. District Court for the Eastern District of California) bears many similarities to the first case, including the type of alleged fraud scheme. Both cases also involve the use of “microtransactions,” which are low-dollar fake transactions designed to artificially lower the apparent rate of return or rejected transactions. The defendants in the second case in particular allegedly gathered large deposits from their merchant clients and used those funds to initiate microtransactions that appeared as if they were payments for the merchants’ goods and services. Essentially, according to the Department’s complaint, the merchants paid themselves: the funds initially paid to the defendants were returned to the merchants as microtransactions, while the defendants allegedly collected a percentage of the transactions as service fees.
Fed enters into written agreement with Ohio bank
On December 19, the Federal Reserve Board announced a written agreement with an Ohio state-chartered bank and its holding company to address certain deficiencies identified during a recent examination of the bank. Under the agreement, the bank and its holding company agreed to: (i) use the bank’s resources as a “source of strength”; (ii) submit a written plan to enhance board oversight and management; (iii) conduct a third-party assessment of the bank’s staff; (iv) submit an enhanced written investment policy that includes “periodic analysis of the investment portfolio, including, but not limited to the assessment of market risk, credit risk, interest rate risk, and liquidity risk of the underlying investments”; (v) improve the bank’s investment portfolio management and interest rate risk management practices; (vi) implement an enhanced liquidity risk management program; and (vii) submit a written plan regarding sufficient capital (among other corrective actions).
CFPB fines and shuts down debt collector for alleged FDCPA, FCRA violations
On December 15, the CFPB announced a consent order against a Pennsylvania-based nonbank medical debt collection company for alleged violations of the FCRA and FDCPA. According to the order, the company failed to (i) establish and implement reasonable written policies and procedures for ensuring the accuracy and integrity of information furnished to consumer reporting agencies; (ii) conduct reasonable investigations into direct and indirect consumer disputes about furnished information; (iii) report direct dispute investigation results to consumers; and (iv) indicate disputed items when furnishing information to reporting agencies. The company also allegedly lacked a reasonable basis for debt-related representations made to consumers and engaged in collection activities after receiving a written dispute within 30 days of the consumer’s receipt of a debt validation notice but before obtaining and mailing a verification of the debt.
The consent order permanently bans the company from involvement or aid in debt collection, purchasing or selling of any debts, or any consumer reporting activities. The company must also request credit reporting agencies to delete all collection accounts previously reported by the company. Additionally, the company is obligated to pay a $95,000 civil money penalty and must display on its website information that informs consumers about the option to file a complaint with the CFPB.
CFPB orders bank to pay $6.2 million; alleges overdraft fees violate CFPA, EFTA
On December 7, the CFPB announced a consent order against a Virginia-based bank, alleging it engaged in deceptive acts and practices and failed to comply with Regulation E. According to the CFPB, the bank did not comply with Regulation E because it did not provide appropriate written disclosures before enrolling customers in its overdraft service and imposing overdraft fees. The CFPB alleged that under the bank’s procedures, branch employees would provide oral disclosures and obtain oral consent but did not provide customers with the required written consent form under Regulation E until the end of the account-opening process. According to the CFPB, while the bank changed its practices partway through the period covered by the consent order, the disclosures it provided were still inadequate. The bank allegedly “requested that new customers orally specify their enrollment decision before providing them with adequate written notice describing the [opt-in] service,” which thereby allegedly breached the Electronic Fund Transfer Act.
The CFPB also alleged the bank committed deceptive actions or practices when marketing opt-in overdraft services to consumers via telephone. Specifically, the CFPB alleged that the bank did not provide its customer service representatives with a script, which resulted in representatives failing to clearly differentiate between transactions covered by the bank’s standard versus its opt-in overdraft protection service. The CFPB asserted that these statements qualified as “representations and omissions of key information were likely to mislead consumers,” and that as a result, the Bank did not comply with the CFPA and Regulation E.
The consent order imposes a $1.2 million civil money penalty and requires the bank to refund at least $5 million to affected consumers. The consent order also requires the bank to obtain a new overdraft enrollment decision from affected consumers before charging overdraft fees. Moreover, the bank must also create and implement a comprehensive compliance plan to ensure its overdraft program complies with all applicable laws. Finally, the consent order requires the bank to monitor compliance, maintain records, and inform the CFPB of any changes or developments that could impact its compliance responsibilities in the consent order.
EU court clarifies conditions for imposing GDPR fines
On December 5, the Court of Justice of the European Union (CJEU) issued a judgment clarifying the conditions under which a General Data Protection Regulation (GDPR) fine can be imposed on data controllers. The judgment is in response to two cases involving GDPR fines: (i) a German case in which a real estate company was fined for allegedly storing personal data for tenants for longer than necessary, and (ii) a Lithuanian case in which a government health center was fined in connection to the creation of an app that registered and tracked people exposed to Covid-19.
In the judgment, the CJEU clarified that a data controller can only face an administrative fine under the GDPR for intentional or negligent violations—that is, violations for which a data controller was aware or should have been aware of “the infringing nature of its conduct,” regardless of their knowledge of the specific violation. The judgment also held that for a legal person, it is not necessary for the violation to be committed by its “management body,” nor does that body need to have knowledge of the specific violation. Instead, the legal person is accountable for violations committed by its representatives, directors, or managers, and those acting on their behalf within the business scope. Additionally, imposing an administrative fine on a legal entity as a data controller does not require prior identification of a specific person responsible for the violation.
The judgment also addressed administrative fines for operations involving multiple entities. The CJEU noted that a controller may have a fine imposed upon it for actions undertaken by its processor. The court also clarified that a joint controller relationship arises from the two or more entities participating in determining the purpose and means for processing, and “does not require that there be a formal arrangement between the entities in question.”
To calculate the amount of an administrative fine under the GDPR, the supervisory authority must consider the notion of an “undertaking” under competition law. The maximum fine must be based on the percentage of the total worldwide annual turnover of the particular undertaking in the preceding business year.