InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
FTC, Florida file complaint against grant funding operation
On June 27, the FTC and the Florida attorney general filed a complaint against a Florida-based grant funding company and its owner (collectively, “defendants”) alleging that the defendants violated the Consumer Protection Act, the FTC Act, and the Florida Deceptive Unfair Trade Practices Act. According to the complaint, the defendants deceptively marketed grant writing and consulting services to minority-owned small businesses by, among other things, (i) promising grant funding that did not exist and/or was never awarded; (ii) misleading customers about the status of grant awards; and (iii) failing to honor a “money-back guarantee” and suppressing customer complaints. The complaint also alleged that the owner relied on funds that she acquired through the federal Paycheck Protection Program Covid-19 stimulus program to start the company. The U.S. District Court for the Middle District of Florida issued a restraining order with asset freeze, appointment of a temporary receiver, and other equitable relief order against the defendants, which also prohibits them from engaging in grant funding business activities.
FTC finalizes action against e-commerce platform for data breach cover up
On June 24, the FTC announced a final decision and order against two limited liability companies (respondents) accused of allegedly failing to secure consumers’ sensitive personal data and covering up a major breach. As previously covered by InfoBytes, the respondents—former and current owners of an online customized merchandise platform—allegedly violated the FTC Act by, among other things, misrepresenting that they implemented reasonable measures to protect customers’ personal information against unauthorized access and misrepresenting that appropriate steps were taken to secure consumer account information following security breaches. The complaint further alleged that respondents failed to apply readily available protections against well-known threats or adequately respond to security incidents, which resulted in the respondents’ network being breached multiple times. Under the terms of the final settlement, one of the respondents is required to pay $500,000 to victims of the data breaches. The other respondent is required to provide notice to consumers impacted by a 2019 data breach. Among other things, the order prohibits respondents from misrepresenting their privacy and security measures and requires that respondents implement comprehensive information security programs that are assessed by an independent third party.
Fed announces enforcement actions against Minnesota and Arkansas state banks
On June 21, the Federal Reserve Board released civil penalty orders against two state banks, both relating to alleged violations of the National Flood Insurance Act (NFIA) and its implementing regulation, Regulation H. The first civil penalty order, against a Minnesota-based bank, assessed a $4,950 penalty for an alleged pattern or practice of violations of Regulation H but does not specify the number or the precise nature of the alleged violations. The second civil penalty order, against an Arkansas-based bank, assessed a $13,950 penalty for an alleged pattern or practice of violations of Regulation H without specifying the number or precise nature of the alleged violations. The maximum civil money penalty under the NFIA for a pattern or practice of violations is $2,000 per violation.
States reach $1.25 million data breach settlement with cruise line
On June 22, a coalition of state attorneys general from 45 states and the District of Columbia announced a $1.25 million settlement with a Florida-based cruise line, resolving allegations that it compromised the personal information of employees and consumers as a result of a data breach. According to the announcement, in March 2020 the company publicly reported that the breach involved an unauthorized actor gaining access to certain employee email accounts. The breach notifications sent to the AGs' offices stated the company first became aware of suspicious email activity in late May of 2019, approximately 10 months before it reported the breach. An ensuing multistate effort focused on the company’s email security practices and compliance with state breach notification statutes. The announcement explained that “’unstructured’ data breaches, like the [company’s] breach, involve personal information stored via email and other disorganized platforms” and that “[b]usinesses lack visibility into this data, making breach notification more challenging and causing further risks for consumers with the delays.”
Under the terms of the settlement, the company has agreed to provisions designed to strengthening its email security and breach response practices, including, among other things: (i) implementing and maintaining a breach response and notification plan; (ii) requiring email security training for employees; (ii) instituting multi-factor authentication for remote email access; (iii) requiring the use of strong, complex passwords, password rotation, and secure password storage for password policies and procedures; (iv) maintaining enhanced behavior analytics tools to log and monitor potential security events on the company’s network; and (v) undergoing an independent information security assessment, consistent with past data breach settlements.
Special Alert: DOJ settles claims of algorithmic bias
On June 21, the United States Department of Justice announced that it had secured a “groundbreaking” settlement resolving claims brought against a large social media platform for allegedly engaging in discriminatory advertising in violation of the Fair Housing Act. The settlement is one of the first significant federal actions involving claims of algorithmic bias and may indicate the complexity of applying “disparate impact” analysis under the anti-discrimination laws to complex algorithms in this area of increasingly intense regulatory focus.
SEC settles allegations regarding robo-adviser service
On June 13, the SEC announced a settlement with three subsidiaries of a financial services holding company (collectively, “respondents”) regarding their robo-adviser service. The order, which the respondents consented to without admitting or denying the findings, imposes a civil money penalty of $135 million and a total of $52 million in disgorgement. The order also provides that the respondents must cease and desist from committing or causing any future violations of the antifraud provisions in the Investment Advisers Act.
District Court issues judgment against student debt relief operation
On June 10, the U.S. District Court for the Central District of California entered a stipulated final judgment and order against an individual defendant who participated in a deceptive debt-relief operation. As previously covered by InfoBytes, in 2019, the Bureau, along with the Minnesota and North Carolina attorneys general, and the Los Angeles City Attorney (together, the “states”), announced an action against the student loan debt relief operation for allegedly deceiving thousands of student-loan borrowers and charging more than $71 million in unlawful advance fees. In the third amended complaint, the Bureau and the states alleged that since at least 2015, the debt relief operation violated the CFPA, TSR, FDCPA, and various state laws by charging and collecting improper advance fees from student loan borrowers prior to providing assistance and receiving payments on the adjusted loans. In addition, the Bureau and the states claimed that the debt relief operation engaged in deceptive practices by, among other things, misrepresenting: (i) the purpose and application of fees they charged; (ii) their ability to obtain loan forgiveness for borrowers; and (iii) their ability to actually lower borrowers’ monthly payments. Moreover, the debt relief operation allegedly failed to inform borrowers that it was their practice to request that the loans be placed in forbearance and also submitted false information to student loan servicers to qualify borrowers for lower payments.
Under the terms of the final judgment, in addition to various forms of injunctive relief, the individual defendant must pay a $1 civil money penalty to the Bureau and $5,000 each to Minnesota, North Carolina, and California. The individual defendant is also “liable, jointly and severally, in the amount of $95,057,757, for the purpose of providing redress to Affected Consumers,” although his obligation to pay this amount is “suspended based on [his] inability to pay.”
CFPB settles with student-loan debt relief company
On June 9, the CFPB filed a stipulated final judgment and order in the U.S. District Court for the Southern District of California resolving allegations that the operator of a student-loan debt relief company engaged in unfair debiting of consumer accounts, in violation of the CFPA. According to the complaint, in 2016, the defendant founded a student debt relief company, which “did not solicit new consumers, but instead obtained student-loan account and billing information for hundreds of former [student debt relief operation] consumers without the knowledge or consent of those consumers.” As previously covered by InfoBytes, in 2016, the CFPB filed a consent order against a San Diego-based student debt relief operation for alleged violations of the CFPA, the TSR, and Regulation P by deceiving borrowers into paying fees for federal loan benefits and misrepresenting to consumers that it was affiliated with the Department of Education. The CFPB alleged that the defendant led a debt collection scheme by withdrawing $39 per month, and collecting hundreds of thousands of dollars in total fees from student borrowers’ bank accounts, without authorization, after previously obtaining their names and account information from the former student loan debt relief business. According to the CFPB, “under this scheme, [the defendant’s] company had unlawfully debited more than $240,000 from hundreds of student borrowers’ accounts.” Under the terms of the settlement, the defendant is permanently banned from engaging in debt relief services and must pay a $175,000 penalty to the CFPB.
FTC bans MCA providers, returns $2.7 million to consumers
On June 6, the FTC obtained a stipulated court order permanently banning a company and owner from participating in the merchant cash advance and debt collection industries. As previously covered by InfoBytes, last June the FTC filed an amended complaint against two New York-based small-business financing companies and a related entity and individuals (including the settling defendants), claiming the defendants engaged in deceptive and unfair practices by, among other things, misrepresenting the terms of their merchant cash advances, using unfair collection practices, deceiving consumers about personal guarantees, forcing consumers and businesses to sign confessions of judgment, providing less funding than promised due to undisclosed fees, and making unauthorized withdrawals from consumers’ accounts. Under the terms of the stipulated order, the settling defendants are required to pay a more than $2.7 million monetary judgment to go towards refunds for harmed consumers and must vacate any judgments against former customers and release any liens against their customers’ property. The announcement notes that the settling defendants are also “prohibited from misleading consumers about any key facts about any good or service, including any fees, the total cost of the product, and other facts that reflect their deceptions in this case.”
Earlier in January, a stipulated order was entered against two other defendants (covered by InfoBytes here), which permanently banned them from participating in the merchant cash advance and debt collection industries and required the payment of a $675,000 monetary judgment.
FTC shares 2021 enforcement report with CFPB
On June 3, the FTC announced that it submitted its 2021 Annual Financial Acts Enforcement Report to the CFPB. The report covers FTC enforcement activities regarding the Truth in Lending Act (TILA), the Consumer Leasing Act (CLA), and the Electronic Fund Transfer Act (EFTA). Highlights of the enforcement matters covered in the report include, among other things:
- Automobile Credit and Leasing. The report discussed the FTC’s July 2021 settlement with the owners of car dealerships in Arizona and New Mexico (collectively, “defendants”) resolving claims that the defendants misrepresented consumer information on finance applications and misrepresented financial terms in advertisements in violation of TILA and CLA (covered by InfoBytes here).
- Payday Lending. The report highlighted the FTC’s settlement against a payday lending enterprise for allegedly overcharging consumers millions of dollars, deceiving them about the terms of their loans, and failing to make required loan disclosures. According to the report, the owners and operators of the settling entities are banned from making loans or extending credit, nearly all debt held by the company will be deemed paid in full, and the companies involved are being liquidated, with the proceeds to be used to provide redress to consumers harmed by the company.
- Credit Repair and Debt Relief. The report discussed the FTC’s settlement with the operators of a student loan debt relief scheme, who were charged with falsely promising consumers the company could lower or eliminate student loan balances, illegally imposing upfront fees for credit repair services, and signing consumers up for high-interest loans to pay the fees without making required loan disclosures in violation of TILA. The order bans the defendants from providing debt relief services and collecting any further payments from consumers who purchased the services, and requires the defendants to return money to be used to refund consumers.
Additionally, the report addressed the FTC’s research and policy efforts and highlighted the FTC’s Military Task Force’s work on military consumer protection issues.