Skip to main content
Menu Icon
Close

InfoBytes Blog

Financial Services Law Insights and Observations

Filter

Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.

  • CFPB fines bank $10 million over garnishment practices

    Federal Issues

    On May 4, the CFPB announced a consent order against a national bank for allegedly engaging in unfair and deceptive acts or practices in violation of the CFPA by processing out-of-state garnishment orders against its customers’ bank accounts. According to the consent order, since August 2011, the respondent allegedly garnished approximately 3,700 out-of-state accounts. Customers whose accounts were garnished paid at least $592,000 in garnishment fees, the CFPB contended. The respondent allegedly, among other things, misrepresented to customers that their rights to have certain funds exempted from garnishment were governed by the law of the issuing court’s state when, actually, in most states, customers’ own state laws applied. The respondent also allegedly unfairly required customers to “direct” it not to contest garnishment orders and to waive the bank’s liability for its actions regarding the out-of-state garnishment orders, which prevented customers from pursuing legal claims against the respondent for improperly handling garnishment notices. Additionally, the respondent allegedly deceptively represented to customers that since they signed a deposit agreement that included broad language directing respondent not to contest the legal process, customers waived their right to hold the respondent liable for improperly responding to garnishment notices. Under the terms of the consent order, the respondent must, among other things: (i) refund $592,000 in garnishment-related fees to harmed customers; (ii) establish a compliance plan designed to ensure that its garnishment-related conduct pertaining to out-of-state garnishment notices and state exemptions complies with all applicable federal consumer financial laws; (iii) cease communicating to customers that they have purportedly waived any rights regarding garnishment notices as a result of entering into respondent’s deposit agreement; and (iv) pay a $10 million civil penalty to the Bureau.

    Federal Issues CFPB Consumer Finance CFPA UDAAP Enforcement Unfair Deceptive

  • Remittance provider denies CFPB allegations

    Federal Issues

    On May 2, a global payments provider recently sued by the New York attorney general and the CFPB responded to allegations claiming the “repeat offender” violated numerous federal and state consumer financial protection laws in its handling of remittance transfers. As previously covered by InfoBytes, the complaint claimed the defendant, among other things, (i) violated the Remittance Rule requirements by repeatedly failing “to provide fund availability dates that were accurate, when the Rule required such accuracy”; (ii) “repeatedly ignored the Rule’s error-resolution requirements when addressing notices of error from consumers in New York, including in this district, and elsewhere;” and (iii) failed to establish policies and procedures designed to ensure compliance with money-transferring laws, in violation of Regulation E. The complaint further asserted that the defendant violated the CFPA “by failing to make remittance transfers timely available to designated recipients or to make refunds timely available to senders,” and that the defendant failed to adopt and implement a comprehensive fraud prevention program mandated by a 2009 FTC order for permanent injunction (covered by InfoBytes here).

    The defendant refuted the charges, calling the allegations “false, inflammatory and misleading.” According to the defendant, “before the CFPB filed its lawsuit against the Company on April 21, 2022, [it] had never before been subject to any enforcement action by the CFPB, nor had [it] ever been publicly accused of violating any of the laws or regulations under the CFPB’s purview.” The defendant also took issue with the Bureau’s suggestion that it had “uncovered widespread and systemic issues involving ‘substantial’ consumer harm,” contending that “data from the CFPB’s own consumer complaint portal strongly suggest otherwise. For example, a search of the CFPB’s Consumer Complaint Database shows that in the nine years that the Remittance Rule has been in place, only 351 complaints were made to the CFPB against [the defendant] for failing to deliver money when promised. These complaints represent 0.0001% of the over 325 million transactions subject to the Remittance Rule that [the defendant] processed during that time period. In New York, the total number of complaints in the CFPB Database for that time period was 28, approximately three per year. There have simply never been widespread or systemic violations by [the defendant] of the Remittance Rule.” 

    Federal Issues State Issues CFPB Enforcement New York State Attorney General Consumer Finance CFPA Remittance Rule Repeat Offender Regulation E FTC

  • SEC to expand crypto asset and cyber unit team

    Securities

    On May 3, the SEC announced it will nearly double the size of its Crypto Assets and Cyber Unit within the Division of Enforcement. “By nearly doubling the size of this key unit, the SEC will be better equipped to police wrongdoing in the crypto markets while continuing to identify disclosure and controls issues with respect to cybersecurity,” SEC Chair Gary Gensler stated. Since the unit’s inception, more than 80 enforcement actions have been brought against actors related to fraudulent and unregistered crypto asset offerings and platforms, resulting in monetary relief totaling more than $2 billion. The unit has also “brought numerous actions against SEC registrants and public companies for failing to maintain adequate cybersecurity controls and for failing to appropriately disclose cyber-related risks and incidents.” The expanded unit will focus on investigations related to: crypto asset offerings, crypto asset exchanges, crypto asset lending and staking products, decentralized finance platforms, non-fungible tokens, and stablecoins.

    Securities Digital Assets Cryptocurrency Privacy/Cyber Risk & Data Security Enforcement

  • 5th Circuit: CFPB enforcement may proceed but funding questions remain

    Courts

    On May 2, the U.S. Court of Appeals for the Fifth Circuit issued an en banc decision vacating a district court’s interlocutory decision denying the plaintiff payday lenders’ motion for judgment on the pleadings, and holding that the CFPB can continue its enforcement action against a Mississippi-based payday lending company subject to further order of the district court. As previously covered by InfoBytes, the CFPB filed a complaint against two Mississippi-based payday loan and check cashing companies for allegedly violating the CFPA’s prohibition on unfair, deceptive, or abusive acts or practices. In March 2018, a district court denied the payday lenders’ motion for judgment on the pleadings, rejecting the argument that the structure of the Bureau is unconstitutional and that the agency’s claims violate due process. The 5th Circuit agreed to hear an interlocutory appeal on the constitutionality question. And, prior to the U.S. Supreme Court’s ruling in Seila Law LLC v. CFPB, a divided panel held that the CFPB’s single-director structure is constitutional, finding no constitutional defect with allowing the director of the Bureau to only be fired for cause (covered by InfoBytes here).

    The 5th Circuit voted sua sponte to rehear the case en banc and issued an opinion in which the majority vacated the district court’s opinion as contrary to Seila Law. The majority did not, however, direct the district court to enter judgment against the Bureau because, though the Supreme Court had found that the director’s for-cause removal provision was unconstitutional, it was severable from the statute establishing the Bureau (covered by a Buckley Special Alert). The majority determined that the “time has arrived for the district court to proceed” and stated it “place[s] no limitation on the matters that that court may consider, including, without limitation, any other constitutional challenges.”

    In dissent, several judges issued an opinion arguing that the case should be dismissed because the agency’s funding structure violates the Constitution’s separation of powers and “is doubly removed from congressional review.” The dissenting judges explained that the Bureau is not subject to the Congressional appropriations process for its budget, unlike most federal agencies, but rather receives its funding directly from the Federal Reserve Board. This budgetary process was intended to ensure full independence from Congress and prevent future congresses from using budget cuts to influence the Bureau’s agenda and priorities. The dissenting judges argued, however, that such a structure violates the Appropriations Clause of the Constitution. “The CFPB’s double insulation from Article I appropriations oversight mocks the Constitution’s separation of powers by enabling an executive agency to live on its own in a kingly fashion,” the dissent stated. “The Framers warned that such an accumulation of powers in a single branch of government would inevitably lead to tyranny. Accordingly, I would reject the CFPB’s novel funding mechanism as contravening the Constitution’s separation of powers. And because the CFPB funds the instant prosecution using unconstitutional self-funding, I would dismiss the lawsuit.”

    Courts CFPB Enforcement Fifth Circuit Appellate Single-Director Structure Payday Lending CFPA UDAAP Seila Law Funding Structure

  • FDIC releases March enforcement actions

    On April 29, the FDIC released a list of administrative enforcement actions taken against banks and individuals in March. During the month, the FDIC issued 13 orders consisting of “six orders terminating consent order, one order to pay civil money penalty, five Section 19 orders, and one order of termination of insurance.” Among the orders is a civil money penalty imposed against a Kentucky-based bank related to alleged violations of the Federal Deposit Insurance Act for allegedly “deceptively advertising interest rates and fees for residential mortgage loans as the lowest on the market, with a promise of a ‘best rate guarantee,’ comparative shopping for such rates, and lower rates due to the bank’s fee structure.” The order requires the payment of a $425,000 civil money penalty.

    Bank Regulatory Federal Issues FDIC Enforcement Mortgages FDI Act

  • Connecticut legislature passes consumer data privacy bill

    Privacy, Cyber Risk & Data Security

    Recently, the Connecticut legislature passed SB 6, which would enact provisions related to consumer data privacy and online monitoring. Highlights of the bill include:

    • Applicability. The bill will apply to a controller that conducts business in the state or produces products or services for consumer residents that, during the preceding calendar year, “controlled or processed the personal data of not less than seventy-five thousand consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction” or “controlled or processed the personal data of not less than twenty-five thousand consumers and derived more than twenty-five per cent of their gross revenue from the sale of personal data.” Certain entities and types of data are exempt from the bill’s requirements, including state governmental entities; nonprofits; higher education institutes; national security associations registered under the Securities Exchange Act of 1934; financial institutions or data subject to federal privacy disclosure requirements; hospitals; certain types of health information subject to federal health privacy laws; consumer reporting agencies, furnishers, and consumer report users of information involving personal data bearing on a consumer’s credit; personal data regulated by certain federal regulations; and air carriers. Additionally, a controller and processor will be considered to be in compliance with the bill’s parental consent obligations provided it complies with verifiable parental consent mechanisms under the Children’s Online Privacy Protection Act.
    • Consumer rights. Under the bill, consumers will be able to, among other things, (i) confirm whether their personal data is being processed and access their data; (ii) correct inaccuracies; (iii) delete their data; (iv) obtain a copy of personal data processed by a controller; and (v) opt out of the processing of their data for targeted advertising, the sale of their data, or profiling to assist solely automated decisions. A consumer may designate another person to serve as his or her authorized agent to opt out of the processing of such consumer’s personal data.
    • Controllers’ and processors’ responsibilities. Under the bill, controllers will be responsible for responding to consumers’ requests within 45 days (an additional 45-day extension may be requested under certain circumstances). Responses to consumers’ requests must be provided free of charge, unless the request is “manifestly unfounded, excessive or repetitive,” in which case a controller may charge a reasonable administrative fee or decline to act on the request (a controller bears the burden of explaining the denial and must also establish an appeals process, including a method through which a consumer may submit a complaint to the state attorney general). Among other things, controllers must “[l]imit the collection of personal data to what is adequate, relevant and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer” and are required to implement data security protection practices “appropriate to the volume and nature of the personal data at issue” and conduct data protection assessments for processing activities that present a heightened risk of harm to consumers. Controllers may not process personal data in violation of federal and state laws that prohibit unlawful discrimination against consumers and must provide an effective mechanism for consumers to revoke consent that is at least as easy as the method used to provide consent. Controllers must cease processing data within 15 days of receiving a revocation request. The bill also requires controllers to provide privacy notices to consumers disclosing certain information regarding data collection and sharing practices (including sharing with third parties), and if the controller sells a consumer’s personal data to third parties or engages in targeted advertising, the controller must disclose how consumers may exercise their rights under the bill. Controllers also will be prohibited from processing sensitive personal data without first presenting a consumer with the opportunity to opt out. The bill further specifies requirements for processing de-identified data or pseudonymous data. Data processors must adhere to a controller’s instructions and enter into contracts with clearly specified instructions for processing personal data.
    • Private right of action and state attorney general enforcement. The bill explicitly prohibits a private right of action. Instead, it grants the state attorney general exclusive authority to enforce the law. The attorney general may also require a controller to disclose any data protection assessments relevant to an investigation. A violation of the bill’s provisions will constitute an unfair trade practice.
    • Right to cure. Upon discovering a potential violation of the bill, the attorney general (during the period beginning July 1, 2023 through December 31, 2024) must provide a controller or processor written notice of violation. The controller or processor then has 60 days to cure the alleged violation before the attorney general can file suit. Beginning on January 1, 2025, the attorney general, when determining whether to provide a controller or processor the opportunity to cure an alleged violation, may consider the number of violations, the controller/processor’s size and complexity, the nature and extent of the processing activities, the substantial likelihood of public injury, and the safety of persons or property.

    If enacted in its current form, the bill would take effect July 1, 2023.

    Privacy/Cyber Risk & Data Security State Issues State Legislation Connecticut Consumer Protection COPPA State Attorney General Enforcement

  • CFPB enters proposed final judgment in TSR and CFPA violation suit

    Federal Issues

    On April 29, the CFPB filed a proposed stipulated final judgment and order in the U.S. District Court for the Central District of California resolving allegations that a student loan debt relief business and a general debt-settlement company, along with their owner and CEO (collectively, “defendants”), engaged in wrongful fee-charging practices and deceptive telemarketing. As previously covered by InfoBytes, the CFPB filed a complaint against the defendants for allegedly violating the Telemarketing Sales Rule (TSR) and the Consumer Financial Protection Act (CFPA) by charging illegal advance fees and using deceptive tactics to induce consumers to sign up for services. According to the complaint, from 2015 to the present, the defendants allegedly charged consumers upfront fees for the debt-relief company to file paperwork with the Department of Education to obtain loan consolidation, loan forgiveness, or income-driven repayment plans. Some consumers paid the upfront fee using a third-party financing company and paid an APR between 17 and 22 percent. The CFPB also alleged that the defendants required some consumers to pay the fee in installments into a trust plan, which carried a $6 monthly banking fee paid to the administrator of the trust accounts. The Bureau alleged that the defendants failed to provide the proper disclosures under the TSR. Moreover, the complaint asserted that from 2019 to the present, the defendants violated the CFPA by representing to consumers that they were turned down for a loan in order to pitch the company’s settlement services. Under the terms of the proposed settlement, the student loan debt relief business and the general debt-settlement company are permanently banned from engaging in debt relief services, and the CEO is banned for five years.

    The CEO is also required to pay a civil monetary penalty of $30,000 to the CFPB.

    Federal Issues CFPB Enforcement Student Lending Department of Education Telemarketing Sales Rule CFPA Debt Relief

  • FTC settles with VoIP service provider for TSR violations

    Federal Issues

    On April 26, the FTC announced the filing of a proposed consent order with a Voice over Internet Protocol (VoIP) service provider, a related company, and the company’s owner (collectively, “defendants”) for allegedly “help[ing] scammers blast millions of illegal robocalls.” In the complaint the FTC claims that the defendants violated Section 5(a) of the FTC Act, the Telemarketing Act, and the TSR by continuing to provide VoIP services to customers despite “knowing or consciously avoiding knowing” the customers were: (i) using the services to place calls to numbers on the FTC’s Do Not Call (DNC) Registry; (ii) delivering prerecorded messages; and (iii) displaying spoofed caller ID services to callers involved in scams related to credit card interest rate reduction, tech support, and the Covid-19 pandemic.

    According to the announcement, this is the third such action by the FTC against VoIP service providers during the past two years. Under the terms of the consent order, the defendants are (i) banned from assisting and facilitating abusive telemarketing practices, including the use of VoIP services; (ii) prohibited from further violations of the TSR or assisting others in doing so; (iii) banned from providing services or assigning telephone numbers without employing automated procedures to block calls from unassigned or invalid numbers; and (iv) required to ensure that they do not provide VoIP to suspected telemarketers. The proposed order also provides for a $3 million civil money penalty that is suspended due the company’s inability to pay.

    Federal Issues FTC Enforcement Telemarketing Sales Rule FTC Act VoIP

  • OCC issues consent order against digital asset bank for AML deficiencies

    On April 21, the OCC issued a consent order against the first federally-chartered bank focused on cryptocurrencies, just 15 months after granting the institution a national bank charter for purposes of taking custody of cryptocurrency. The consent order alleged failure to adopt and implement a compliance program that adequately covers required BSA/AML program elements. In January 2021, the OCC granted conditional approval to convert the bank’s charter to a national association with the “enforceable condition of approval” that the bank would, among other things, meet BSA/AML requirements.

    Bank Regulatory Federal Issues OCC Enforcement Bank Compliance Anti-Money Laundering Bank Secrecy Act SARs

  • SEC awards $6 million to whistleblowers

    Securities

    On April 25, the SEC announced awards totaling nearly $6 million to two groups of whistleblowers whose information and assistance led to a successful SEC enforcement action. According to the redacted order, the first group of whistleblowers provided the SEC with key documents that led the staff to seek additional documents from the respondent, and the second group provided firsthand accounts of the misconduct at issue. Both groups, which consisted of five individuals, provided ongoing assistance throughout the investigation.

    The SEC has awarded approximately $1.2 billion to 268 individuals since issuing its first award in 2012.

    Securities SEC Whistleblower Enforcement

Pages

Upcoming Events