InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
New York eases eligibility requirements for rental assistance
On December 18, New York Governor Cuomo issued Executive Order 83, which, among other things, eliminates the requirement for tenants to provide proof that they were contributing more than 30 percent of gross monthly income towards rent prior to March 2020 in order to receive rental assistance pursuant to the Covid-19 Rent Relief Act.
CFPB finalizes debt collection disclosure rules
On December 18, the CFPB issued a final rule amending Regulation F, which implements the Fair Debt Collection Practices Act, clarifying the information debt collectors must provide to consumers at the outset of collection communications and providing a model validation notice containing such information. (See also the Bureau’s Executive Summary.) The final rule also prohibits debt collectors from bringing or threatening to bring legal action against a consumer to collect time-barred debt, and requires debt collectors to take certain actions before furnishing information about a consumer’s debt to a consumer reporting agencies (CRA). Among other things, the final rule addresses the following:
- Validation notice. The final rule clarifies that debt collectors may provide “clear and conspicuous” debt validation notices in writing or electronically when commencing debt collection communications. Validation notices must include a statement indicating that the communication is from a debt collector, along with additional information such as itemization-related information, the current amount of debt, consumer protection information, and information for consumers who may choose to dispute the debt or take other actions. The final rule also outlines optional content that debt collectors may choose to include while retaining the safe harbor for using the model notice, provided that “the optional content is no more prominent than the required content.” The final rule also revises the definition of “consumer” used in a separate final rule issued by the Bureau at the end of October (covered by InfoBytes here). The December final rule’s definition now includes both living and deceased consumers.
- Safe harbor for model validation notices. Debt collectors who choose to use the model validation notice are in compliance with the final rule’s content requirements. Additionally, the use of a model validation notice would not be considered a violation of the prohibition on conduct that “overshadows” a consumer’s rights during the validation period. The final rule outlines additional safe harbors, and provides examples where a safe harbor generally will not apply. Notably, the safe harbor does not cover validation notice delivery methods and timing requirements.
- Translations. Debt collectors who choose to provide validation notices in other languages must also include an English-language notice in the same communication.
- Credit reporting. The final rule requires debt collectors to either speak to a consumer in person, send an email or letter, or try to speak with a consumer by telephone before furnishing any information to a CRA. Communications sent via email or letter will require a 14 day waiting period to allow for a “reasonable period of time” to receive a notice of undeliverability.
- Time-barred debt. The final rule prohibits debt collectors from suing or threatening to sue consumers when attempting to collect time-barred debt. Proofs of claim filed in connection with a bankruptcy proceeding are not included in this prohibition.
The final rule takes effect November 30, 2021.
More information from Buckley on the details of the newest debt collection final rule will be available soon.
FTC settles with company for data security lapses
On December 16, the FTC announced a settlement with a Nevada-based travel emergency services provider, resolving allegations that the company violated the FTC Act by failing to implement a comprehensive security program to ensure the security of personal consumer information, including sensitive health information. According to the complaint, the company collected personal information from customers who signed up for membership plans and allegedly stored the unencrypted personal information on an unsecured cloud database, which could be accessed by anyone on the internet. The company also allegedly failed to perform vulnerability and penetration testing or conduct periodic risk assessments, and failed to monitor for unauthorized access to its network. In addition, the FTC claims that the company, once it was informed that its data was unsecure, represented that it immediately conducted an investigation and determined “[t]here was no medical or payment-related information visible and no indication that the information has been misused.” However, the FTC alleges that the company failed to, among other things, “examine the actual information stored in the cloud database, identify the consumers placed at risk by the exposure, or look for evidence of other unauthorized access to the database.” Instead, after confirming that the data was online and publicly accessible, the company deleted the database, the FTC claims.
The proposed settlement requires the company to, among other things, maintain safeguards to protect personal information, implement a comprehensive data security program, and undergo biennial assessments conducted by third party on the effectiveness of its program. The company is also prohibited from misrepresenting how it collects, maintains, secures, discloses, or deletes personal data, as well as whether it has been endorsed by or participates in any government- or third-party sponsored privacy or security program. The company will also be required to send a notice to affected consumers about its response to the security incident.
Massachusetts targets trading platform for aggressive tactics
On December 16, the enforcement section of the Massachusetts Securities Division filed an administrative complaint against a broker-dealer online trading platform alleging the company violated various state laws by using “aggressive tactics” to gain inexperienced investors. According to the complaint, the company, among other things, (i) used advertising techniques, including using young actors, to target younger individuals (with a median customer age around 31 years old) with little to no investment experience; (ii) failed to implement policies and procedures that were “[r]easonably [d]esigned to [p]revent and [r]espond to [o]utages and [d]isruptions on its [t]rading [p]latform,” resulting in nearly 70 outages throughout 2020; (iii) used “gamification strategies,” such as confetti raining down on the screen after a trade or requiring customers to “tap” a fake debit card to increase their position on the waitlist, to “lure customers into consistent participation” with the platform; and (iv) failed to review and supervise, in accordance with its own procedures, the approval of options trading accounts. The complaint asserts that the company’s tactics failed to adhere to the fiduciary conduct standard required of broker-dealers in the state of Massachusetts since the adoption of amendments in March, with enforcement beginning on September 1. Massachusetts is seeking an injunction, restitution, disgorgement, and administrative fines.
OFAC sanctions entities supporting the sale of Iranian petrochemicals
On December 16, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions pursuant to Executive Order 13846 against four entities for facilitating the export of Iranian petrochemical products on behalf of a previously designated petrochemical company. According to OFAC, the designated entities—China- and United Arab Emirates-based companies—have allegedly provided the previously designated company “with critical shipping services or conducted financial transactions on” its behalf, which has enabled the previously designated company to “continue brokering and moving Iranian petrochemical exports.” As a result of the sanctions, all property and interests in property of the designated persons subject to U.S. jurisdiction are blocked, and any “entities that are owned, directly or indirectly, 50 percent or more by such persons, are also blocked.” OFAC noted that its regulations “generally prohibit” U.S. persons from participating in transactions with the designated persons. OFAC further warned foreign financial institutions that knowingly facilitating significant transactions or providing significant support to the designated persons may subject them to sanctions and could sever their access to the U.S. financial system.
Court enters nearly $90 million default judgment against student debt-relief defendants
On December 15, the U.S. District Court for the Central District of California entered a default judgment and order against two companies (collectively, “default defendants”) for their role in a student loan debt-relief operation. As previously covered by InfoBytes, the CFPB, along with the Minnesota and North Carolina attorneys general, and the Los Angeles City Attorney (together, the “states”), announced an action against the student loan debt relief operation (defendants) for allegedly deceiving thousands of student-loan borrowers and charging more than $71 million in unlawful advance fees. The complaint alleged that the defendants violated the Consumer Financial Protection Act, the Telemarketing Sales Rule, and various state laws by charging and collecting improper advance fees from student loan borrowers prior to providing assistance and receiving payments on the adjusted loans. In addition, the complaint asserts that the defendants engaged in deceptive practices by misrepresenting (i) the purpose and application of fees they charged; (ii) their ability to obtain loan forgiveness; and (iii) their ability to actually lower borrowers’ monthly payments. In September, the court entered final judgments against four of the defendants (covered by InfoBytes here), which included a suspended monetary judgment of over $95 million due to the defendants’ inability to pay.
The new default order enters a $55 million judgment against one of the defaulting defendants and requires the defaulting defendant to pay a $30 million civil money penalty with $50,000 of that sum going directly to each of the states. Additionally, the court entered a judgment of over $165,000 to the other defaulting defendant and total civil money penalties of $2.5 million, with $10,000 going to each of the states directly and an additional $1.25 million to California. The judgment also, among other things, permanently bans the defaulting defendants from telemarketing any consumer financial product or service and from selling any debt-relief service.
Court enters judgments against multiple defendants in CFPB debt-relief action
On December 15, the U.S. District Court for the Central District of California entered final judgment against two defendants (defendants) and a default judgment against another defendant (defaulting defendant) in an action brought by the CFPB alleging the defendants (and others not subject to these judgments) charged thousands of customers approximately $11.8 million in upfront fees in violation of the Telemarketing Sales Rule (TSR). As previously covered by InfoBytes, in July, the CFPB filed a complaint against the defendants, one other company, its two owners, and four attorneys, alleging the companies would market its debt-relief services to customers over the phone, encouraging those with private loans to sign up with an attorney to reduce or eliminate their student debt. The businesses allegedly charged the fees before the customer had made at least one payment on the altered debts, in violation of the TSR’s prohibition on requesting or receiving advance fees for debt-relief service or, for certain defendants, the TSR’s prohibition on providing substantial assistance to someone charging the illegal fees. In August, the court approved stipulated final judgments with one of the owners of the other company and three of the attorneys. In December, the court entered a default judgment against the other company and another owner (previous InfoBytes coverage available here).
The final judgment permanently bans the defendants from engaging in any debt-relief service or telemarketing of any consumer financial product or service. Additionally, the court entered a suspended judgment of over $11 million in redress, which will be satisfied by a payment of $5,000 (due to an inability to pay) and each defendant is required to pay a civil money penalty of $1 to the Bureau. Liability for nearly $5 million was entered by default judgment against the defaulting defendant and a civil monetary penalty in the amount of $5 million.
Irish Data Protection Commission fines U.S. social networking company for violating GDPR
On December 15, the Irish Data Protection Commission (Commission) announced a final decision was reached in a General Data Protection Regulation (GDPR) investigation into a U.S.-based social networking tech company’s actions related to a 2019 data breach that affected users across the European Union. The final decision, published by the European Data Protection Board (EDPA), imposes a €450,000 fine against the company, and resolves an investigation in which the Commission alleged the company violated Articles 33(1) and 33(5) of the GDPR by failing to provide notice about the breach within a 72-hour period and by neglecting to adequately document the breach. According to the Commission, this inquiry is the first “dispute resolution” Article 65 decision (draft decision) under the GDPR, and marks the first decision issued against a “big tech” company. According to the final decision, “a number of concerned supervisory authorities raised objections” to aspects of the draft decision, taking issue, among other things, with the size of the proposed fine, which was originally set between €135,000 and €275,000. The EDPA determined that the objections were “relevant and reasoned” and instructed the Commission to increase the fine to ensure “it fulfils its purpose as a corrective measure and meets the requirements of effectiveness, dissuasiveness and proportionality” established under the GDPR.
8th Circuit vacates FDCPA judgment against debt buyer
On December 14, the U.S. Court of Appeals for the Eighth Circuit vacated a $4,000 judgment in favor of a consumer in an FDCPA action against a debt buyer (defendant), concluding that while the defendant qualifies as a debt collector, the actions of the subsequent debt collector cannot be imputed to the defendant. According to the opinion, the defendant brought a collection action against a consumer, which was dismissed by the district court after the consumer retained an attorney and the defendant failed to respond to the consumer’s dismissal motion. The defendant subsequently hired a collection agency to collect on the debt but failed to inform the collection agency that the consumer had previous retained an attorney. After the collection agency sent a settlement offer to the consumer, the consumer filed an action against the defendant alleging violations of the FDCPA and the Arkansas Fair Debt Collection Practices Act (AFDCPA) for contacting her directly when she was represented by an attorney. The district court granted partial summary judgment in favor of the consumer, concluding, among other things, that the defendant (i) qualified as a debt collector under federal and state law; (ii) the defendant was acting as an agent of the collection agency; and (ii) the defendant is liable for the violations arising out of the collection agency’s contact with the consumer. The consumer accepted a $4,000 offer of judgment, and the district court entered final judgment.
On appeal, the 8th Circuit agreed that the defendant qualified as a debt collector under the FDCPA and the AFDCPA, but determined that the consumer “did not present sufficient evidence to establish that [the collection agency]’s actions may be imputed to [the defendant] as a matter of law.” Specifically, the appellate court concluded that in order to establish the defendant’s liability under the FDCPA, the consumer needed to show that the defendant was responsible for the collection agency’s action. Because it was established that the collection agency did not know that the consumer was represented by an attorney, the appellate court noted that the consumer “cannot prevail against [the defendant] on a theory of vicarious liability,” and instead, must prove that an agency relationship existed for direct liability. Because the consumer failed to put into evidence an agreement between the defendant and the collection agency and the district court failed to address the agency relationship, the appellate court concluded the district court erred in granting partial summary judgment and vacated the $4,000 judgment and remanded the case.
Agencies proposes SAR filing exemptions
On December 15, the FDIC issued a proposed rule (with accompanying Financial Institution Letter FIL-114-2020), which would amend the agency’s Suspicious Activity Report (SAR) regulation to permit additional, case-by-case, exemptions from SAR filing requirements. The proposed rule would allow the FDIC, in conjunction with the Financial Crimes Enforcement Network (FinCEN), to grant supervised institutions exemptions to SAR filing requirements when developing “innovative solutions to meet Bank Secrecy Act (BSA) requirements more efficiently and effectively.” The FDIC would seek FinCEN’s concurrence with an exemption when the exemption request involves the filing of a SAR for potential money laundering, violations of the BSA, or other unusual activity covered by FinCEN’s SAR regulation. The proposal allows the FDIC to grant the exemption for a specified time period and allows the FDIC to extend or revoke the exemption if circumstances change. The proposal is intended to reduce the regulatory burden on supervised financial institutions that are likely to leverage existing or future technologies to report suspicious activity in a different and innovative manner. Comments on the proposed rule must be submitted within 30 days of publication in the Federal Register.
The OCC also issued a proposal that would similarly allow the OCC to issue exemptions from SAR filing requirements to support national banks or federal savings associations developing innovative solutions intended to meet BSA requirements more efficiently and effectively.