InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
11th Circuit lifts a receivership and asset freeze of $85 million
On November 4, the U.S. Court of Appeals for the Eleventh Circuit affirmed in part and vacated in part a district court’s order, finding that portions of the district court’s decision could not stand under the U.S. Supreme Court’s April ruling in AMG Capital Management v. FTC. The Court held in that case that Section 13(b) of the FTC Act “does not authorize the Commission to seek, or a court to award, equitable monetary relief such as restitution or disgorgement.” (Covered by InfoBytes here). According to the 11th Circuit’s opinion, in 2019, the FTC alleged that individuals associated with multiple limited liability companies engaged in unfair or deceptive business practices in violation of 15 U.S.C. § 45(a). The FTC also filed a motion for a temporary restraining order the same day against the corporate defendants, seeking to freeze their assets, place the entities into a receivership, and enjoin all the parties from materially misrepresenting their services or from releasing consumer information obtained through the limited liability company. The district court granted the motion for a temporary restraining order in full in December 2019, and in January 2020, the district court granted a preliminary injunction against the limited liability company, extending the asset freeze, receivership, and injunction for the duration of the lawsuit.
On appeal, the 11th Circuit affirmed those parts of the preliminary injunction enjoining the appellants from misrepresenting their services and releasing consumer information. The panel upheld the portion of the order that enjoined one of the investor entities and its principal, who was the former chairman of the corporate defendant’s board, from misrepresenting services on allegedly deceptive websites or releasing any customer information allegedly gathered through the websites. While the appeal was pending, however, the Court held in AMG Capital Management that 15 U.S.C. § 53(b) does not allow an award of “equitable monetary relief such as restitution or disgorgement,” leading the 11th Circuit to reverse the asset freeze and receivership aspects of the preliminary injunction. Additionally, the 11th Circuit noted that the principal from one of the entities “was individually responsible for the actions of [the corporate defendants],” and “likely knew that [the corporate defendants] made over eighty million dollars in two years selling 'guides' on government services, and it almost beggars belief that he would be completely unaware of how [the corporate defendants’] websites were raising that quantity of money.”
CFPB affirms name-only matching practices violate FCRA
On November 4, the CFPB issued an advisory opinion to express its interpretation that credit reporting companies, including tenant and employment screening companies, are in violation of the FCRA if they engage in the practice of matching consumer records solely by name. According to the Bureau, the use of name-only matching procedures (without the use of other personally identifying information such as address, date of birth, or Social Security number) does not assure maximum possible accuracy of consumer information. The Bureau emphasized that there is a heightened risk of mistaken identity from name-only matching among Hispanic, Black, and Asian communities due to less surname diversity among those populations as compared to the White population. “When background screening companies and their algorithms carelessly assign a false identity to applicants for jobs and housing, they are breaking the law,” Director Rohit Chopra stated. “Error-ridden background screening reports may disproportionately impact communities of color, further undermining an equitable recovery.” The advisory opinion affirms consumer reporting companies’ obligation to use reasonable procedures to assure maximum possible accuracy, and “does not create a safe harbor to use insufficient matching procedures involving multiple identifiers.” Other practices, such as combining a name with date of birth, could also lead to cases of mistaken identity, the Bureau warned. The Bureau will work closely with the FTC to eliminate illegal conduct in the background screening industry, while the FTC may be able to take actions against unfair or deceptive conduct not covered by the CFPA. The Bureau further emphasized that violating the FCRA can lead to civil penalties, restitution, damages, and other relief.
Chopra issued a statement on the Bureau’s intention to curb false identity matching, pointing out that name-only matching is just one example of an inadequate procedure and that nothing in the advisory opinion “suggests that the responsibility to follow reasonable procedures to assure maximum possible accuracy can be met with a thoughtless application of any particular loose matching criteria, even if more than names alone are matched.” He also warned companies they should not try to evade their FCRA responsibilities “by issuing a disclaimer that their report might not be matched to the right person.” Chopra further noted that the Bureau will support the FTC in its work to monitor business models that rely on harvesting and monetizing personal data, as well as big tech companies and lesser-known data brokers that traffic data and consumer reports.
10th Circuit affirms TCPA statutory damages as uninsurable
On November 2, the U.S. Court of Appeals for the 10th Circuit affirmed a district court’s decision that under Colorado law, an insurance company (plaintiff) had no duty to indemnify and defend its insured against TCPA claims seeking statutory damages and injunctive relief. According to the appellate opinion, the states of California, Illinois, North Carolina, and Ohio sued a satellite television company for telemarketing violations of the TCPA (TCPA lawsuit). The TCPA lawsuit sought statutory damages of up to $1,500 per alleged violation and injunctive relief. The satellite company submitted a claim to its insurer for defense and indemnity of the TCPA claims pursuant to existing policies. The plaintiff filed a complaint seeking a declaratory judgment that it need not defend or indemnify the satellite company in the TCPA lawsuit. The district court, relying on ACE American Insurance Co. v. DISH Network (covered by InfoBytes here), determined that, under ACE, the claim for statutory damages in the telemarketing complaint sought a penalty and therefore was “uninsurable as a matter of Colorado public policy,” and that the policies did not cover the complaint’s claim for injunctive relief because, as in ACE, they did not cover the costs of preventing future violations. Additionally, the district court determined that “the allegations did not potentially fall within the Policies’ definitions of ‘Bodily Injury’ or ‘Property Damage.’” The 10th Circuit affirmed the district court’s rulings, concluding that no coverage existed.
FTC issues warning regarding false money-making claims
On October 26, the FTC announced that it is putting businesses on notice that pitch money-making ventures that deceive or mislead consumers regarding potential earnings. According to the announcement, the FTC utilized its Penalty Offense Authority to remind businesses of the law and deter them from breaking it by sending a Notice of Penalty Offenses to over 1,100 companies. The notice puts these businesses on notice that they may incur significant civil penalties if they or their representatives make claims regarding money-making opportunities that run counter to FTC administrative cases. The Notice of Penalty Offenses permits the FTC to seek civil penalties against a company that engages in conduct it knows is unlawful and has been determined to be unlawful in an FTC administrative order, other than a consent order. The FTC added that the Notice highlighted a number of practices that the FTC determined to be unfair or deceptive in prior administrative actions. In general, the cases determined that it was unlawful to make false, misleading, or deceptive representations regarding the profits or earnings that may be anticipated by a participant in a money-making opportunity, including representations that participants will make a profit. The Notice also outlined other practices that the FTC has decided to be unfair or deceptive, such as falsely telling consumers they do not need experience to earn income or that they must act immediately to participate. Companies receiving the Notice also received a copy of the recently issued Notice of Penalty Offenses concerning endorsements and testimonials, as companies frequently use testimonials to advertise money-making opportunities. The FTC also pointed out that “[a] recipient’s presence on this list does not in any way suggest that it has engaged in deceptive or unfair conduct.”
FTC increases dark patterns enforcement
On October 28, the FTC announced a new enforcement policy statement warning companies against using illegal dark patterns that could “trick or trap consumers into subscription services” which are sometimes used by sellers in automatic renewal subscriptions, continuity plans, free-to-pay or free-to-pay conversions, and pre-notification plans. According to the FTC, the agency is enhancing its enforcement due to increasing complaints about the financial harms caused by deceptive sign-up tactics, including unauthorized charges or continuous billing that is impossible to cancel. The policy statement, among other things, “puts companies on notice that they will face legal action if their sign-up process fails to provide clear, up-front information, obtain consumers’ informed consent, and make cancellation easy.” According to the enforcement policy statement, businesses are required to follow three requirements, or be subject to law enforcement action: (i) disclose clearly and conspicuously all material terms of the product or service; (ii) receive the consumer’s express informed consent prior to charging them for a product or service; and (iii) provide easy and simple cancellation to the consumer.
FTC updates Safeguards Rule for financial institutions
On October 27, the FTC announced a final rule updating the Safeguards Rule to strengthen data security protections for consumer financial information following widespread data breaches and cyberattacks. The final rule follows a 2019 notice of proposed rulemaking (covered by InfoBytes here) and makes the following modifications to the existing rule:
- Adds specific criteria financial institutions must undertake when conducting a risk assessment and implementing an information security program, including provisions related to access controls, data inventory and classification, authentication, encryption, disposal procedures, and incident response, among others. The final rule also adds measures to ensure employee training and service provider oversight are effective.
- Requires financial institutions to designate a single qualified individual to oversee the information security program. Periodic reports must also be made to an institution’s board of directors or governing bodies.
- Provides an exemption from requirements related to written risk assessments, incident response plans, and annual reporting to the board of directors, for financial institutions that collect information on fewer than 5,000 consumers.
- Expands the definition of “financial institution” to include “entities engaged in activities that the Federal Reserve Board determines to be incidental to financial activities.” Included in the definition are “finders” (i.e. companies that bring together buyers and sellers of products or services that fall within the scope of the Safeguards Rule).
- Adds several definitions and related examples into the Safeguards Rule itself instead of incorporating them through a reference from a related FTC rule.
Provisions of the final rule under Section 314.5 are effective one year after the date of publication in the Federal Register. The remainder of the provisions are effective 30 days following publication.
Additionally, the FTC issued a supplemental notice of proposed rulemaking seeking comments on a proposal to further amend the Safeguards Rule to require financial institutions to report security events to the Commission where a determination has been made that consumer information has been misused, or is reasonably likely to be misused, in an event affecting at least 1,000 consumers. Comments are due 60 days after publication in the Federal Register.
The FTC also announced a final rule adopting largely technical changes to its authority under the Privacy of Consumer Financial Information Rule (Privacy Rule) under the Gramm-Leach-Bliley Act, which requires financial institutions to inform consumers about their information-sharing practices and allow consumers the ability to opt out of having their information shared with certain third parties. The Privacy Rule is amended to revise the rule’s scope, modify the definitions of “financial institution” and “federal functional regulator,” and update requirements pertaining to annual customer privacy notices. The FTC noted that these changes align the Privacy Rule with changes made under Dodd-Frank and the FAST Act.
FTC says ISPs provide limited protections for consumer data
On October 21, the FTC reported that internet service providers (ISPs) are able to gather and share large pools of sensitive consumer data while providing limited privacy protections. According to an FTC staff report, ISPs’ data collection and use practices allow them to monitor and record their customers’ every online move, granting them the ability to collect large amounts of information without their customers’ knowledge. The FTC launched the internet privacy study in 2019 under Section 6(b) of the FTC Act and analyzed information from six major ISPs, which comprise roughly 98 percent of the mobile internet market. Three advertising affiliates associated with the ISPs were also asked to provide information on their data collection and use practices. The report found, among other things, that ISPs typically collect and share more customer information than is necessary to provide ISP services. According to the report, some ISPs collected personal information to market products and services, serve targeted ads on behalf of third parties, or share insights into customers’ behaviors with other businesses. The report also found that customers are often placed into categories by “race, ethnicity, sexual orientation, economic status, political affiliations, or religious beliefs,” and that ISPs often share real-time location data with third parties.
Additionally, the report found that while several ISPs tell customers their personal information will not be sold, the companies’ privacy notices obscure other ways personal data can be used, transferred, or monetized by other parties, and “often bury[] such disclosures in the fine print of their privacy policies.” The report further explained that many customers are often confused about how to opt-out of or limit ISPs’ data collection, adding that while several ISPs promise to retain data only for as long as needed for a business reason, the definition of what constitutes a “business reason” varies widely.
Chair Lina M. Khan issued separate remarks, emphasizing that the report’s finding are “striking” and “underscore deficiencies of the ‘notice-and-consent’ framework for privacy, especially in markets where users face highly limited choices among service providers.”
FTC settles with companies involved with alleged deceptive investment training company
On October 21, the FTC announced a proposed settlement with the funder and servicer (collectively, “defendants”) of payment plans utilized by consumers to pay for investment “trainings” from a professional trader education company (company). Under the proposed settlement, the funder is required to offer debt forgiveness to company consumers who have debt held by the funder. According to the complaint, the defendants allegedly violated the FTC Act by, among other things, facilitating the company’s deceptive scheme by underwriting, funding, and servicing its retail installment contracts. According to the announcement, in September 2020, the FTC settled with the company and, as part of that settlement, the company was required to offer debt forgiveness to consumers who owed it money. The settlement, however, did not cover consumers whose debt was held by the funder. The funder is also required to give these consumers notice of the offer of debt forgiveness and allow 45 days to request forgiveness from the funder. Additionally, the proposed settlement requires the defendants to utilize adequate due diligence when screening prospective covered clients, monitor covered clients, and investigate consumer complaints.
District Court approves order permanently banning defendants from making robocalls
On October 21, the U.S. District Court for the Middle District of Florida issued an order approving a permanent injunction and $6.4 million civil money penalty against the remaining participants in a cruise line telemarketing operation allegedly aimed at marketing free cruise packages to consumers. In January, the FTC filed a complaint against the defendants (two individuals and five companies they controlled, including the cruise line) for their alleged involvement in the telemarketing operation. As previously covered by InfoBytes, the complaint asserted violations of the FTC Act and the Telemarketing Sales Rule. The same day the complaint was filed, the FTC announced that it had entered into two settlement agreements—one with a call center and two individuals, and one with an additional individual—for their roles in the telemarketing operation. The court’s October order follows a recent FTC announcement (covered by InfoBytes here), indicating it had reached an agreement with the defendants who neither admitted nor denied the allegations. The court’s order requires the individual defendants to cooperate with any future FTC investigations and to disclose “the contents of their auto-dialed, telemarketing, or pre-recorded telephone communications and records or other information pertaining to [the] autodialed, telemarketing, or pre-recorded telephone communications.” The order also suspends the $6.4 million civil money penalty after the two individual defendants each pay $50,000 to the Treasury Department.
FTC reports on older adult fraud
On October 18, the FTC issued its annual report to Congress on protecting older adults. Among other things, the report, Protecting Older Consumers, 2020-2021, A Report of the Federal Trade Commission, evaluates fraud trends impacting older adults and provides details on enforcement actions and efforts to combat scams related to the Covid-19 pandemic. According to the report, there were more than 334,000 fraud reports filed by consumers age 60 or older totaling more than $600 million in losses. While the FTC found that older adults were the least likely of any age group to report fraud monetary losses, older adults tended to report losing substantially more money than younger age groups. Older adults were also more likely to report financial losses related to tech support scams, prize, lottery or sweepstake scams, friend or family impersonation, and romance scams. Additionally, as online shopping has increased, the report noted that losses attributed to online shopping fraud among older adults rose sharply during the second quarter of 2020 and remained far higher than pre-pandemic levels in early 2021. The report also discussed significant FTC enforcement actions taken to protect older adults, as well as outreach and education efforts focusing on fraud prevention.