InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
FTC permanently bans payment processor from debt relief processing
On November 8, the FTC announced the permanent ban of a payment processor from processing debt relief payments and ordered payment of $500,000 in consumer redress. According to the FTC’s complaint, the payment processor and its owner (collectively, “defendants”) allegedly processed roughly $31 million in consumer payments on behalf of a student loan debt relief operation charged by the FTC in 2019 for allegedly engaging in deceptive practices when marketing and selling their debt relief services. As previously covered by InfoBytes, the FTC claimed the operators (i) charged borrowers illegal advance fees; (ii) falsely claimed they would service and pay down their student loans; and (iii) obtained borrowers’ credentials in order to change consumers’ contact information and prevent communications from loan servicers. The FTC alleged the defendants processed payments from tens of thousands of consumers even though they were aware of numerous issues with the scheme and had received complaints from consumers and banks. The FTC further alleged that the defendants continued to process payments until the FTC took enforcement action against the operation.
Under the terms of the settlement, the defendants are permanently prohibited from processing payments for debt relief services and student loan entities and are banned from processing payments for any merchant unless there is a signed, written contract. The defendants are also required to screen prospective high-risk clients to determine whether such clients are, or are likely to be, engaging in deceptive or unfair activities. In addition, the settlement imposes a $27.5 million judgment against the defendants, which is largely suspended following the payment of $500,000, due to the defendants’ inability to pay the full amount.
Illinois enacts the Protecting Household Privacy Act
Earlier this year, the Illinois governor signed HB 2553 to create the Protecting Household Privacy Act. Among other things, the act specifies when state law enforcement agencies may acquire and use data from household electronic devices. The act defines “household electronic data” as information or input provided by a person to a household electronic device that is capable of facilitating electronic communications. (A “household electronic device” excludes personal computing devices and digital gateway devices.) The act generally prohibits law enforcement agencies from obtaining household electronic data “or direct[ing] the acquisition of household electronic data from a private third party.” Exceptions to this prohibition include when a law enforcement agency first obtains a warrant, an emergency situation arises, or the owner of the household electronic device lawfully consents to the acquisition of the data. The act also states that it shall not “be construed to require a person or entity to provide household electronic data to a law enforcement agency,” except as provided under certain provisions outlined in Section 15. The act further requires entities disclosing household electronic data to “take reasonable measures to ensure the confidentiality, integrity, and security of any household electronic data during transmission to any law enforcement agency, and to limit any production of household electronic data to information responsive to the law enforcement agency request.” Additionally, the act outlines information retention limits, which provide, among other things, that if a law enforcement agency obtains household electronic data and does not file criminal charges, it must destroy the data within 60 days unless subject to certain circumstances. The act is effective January 1, 2022.
Kansas AG fines companies for unlawful data disposal
On November 1, the Kansas attorney general ordered three national companies that manage business documents to pay fines totaling nearly $500,000 for the alleged unlawful disposal of records containing consumers’ personal information. According to the Kansas AG, the companies violated the Kansas Consumer Protection Act and the Wayne Owen Act by repeatedly disposing of records in unsecured trash receptacles without “rendering the personal information unreadable or undecipherable.” By engaging in these actions, the AG stated, the companies failed to comply with the requirements that companies implement and maintain reasonable policies and procedures and exercise reasonable care to protect personal information from unauthorized access and use, and take reasonable steps to destroy records containing personal information when they are no longer needed. Under the terms of the consent judgments (see here, here, and here), the companies must pay the fine, implement measures to ensure the proper disposal of documents, conduct employee training on the proper handling and disposal of personal information, and evaluate their information security programs and policies to ensure personal information is protected.
California AG takes action against casino for AML violations
On November 5, the California attorney general filed an administrative accusation with the California Gambling Control Commission against a California casino for violating the Bank Secrecy Act’s (BSA) anti-money laundering provisions. The action, which follows a federal investigation, alleges that the casino “overlooked, neglected, or was willfully blind to accusations and actions taken against other casinos for violations of the BSA and for failing to maintain adequate Anti Money Laundering (AML) programs.” The casino had previously entered into a Non-Prosecution Agreement with the U.S. Attorney’s Office for the Central District of California, accepted responsibility for “failing to properly file reports for a foreign national who conducted millions of dollars in cash transactions at the casino,” and agreed to pay $500,000 and undergo an increased review of its AML compliance program to prevent future violations, according to a DOJ press release. The California AG now seeks to hold the casino and its owners responsible for state law violations.
11th Circuit lifts a receivership and asset freeze of $85 million
On November 4, the U.S. Court of Appeals for the Eleventh Circuit affirmed in part and vacated in part a district court’s order, finding that portions of the district court’s decision could not stand under the U.S. Supreme Court’s April ruling in AMG Capital Management v. FTC. The Court held in that case that Section 13(b) of the FTC Act “does not authorize the Commission to seek, or a court to award, equitable monetary relief such as restitution or disgorgement.” (Covered by InfoBytes here). According to the 11th Circuit’s opinion, in 2019, the FTC alleged that individuals associated with multiple limited liability companies engaged in unfair or deceptive business practices in violation of 15 U.S.C. § 45(a). The FTC also filed a motion for a temporary restraining order the same day against the corporate defendants, seeking to freeze their assets, place the entities into a receivership, and enjoin all the parties from materially misrepresenting their services or from releasing consumer information obtained through the limited liability company. The district court granted the motion for a temporary restraining order in full in December 2019, and in January 2020, the district court granted a preliminary injunction against the limited liability company, extending the asset freeze, receivership, and injunction for the duration of the lawsuit.
On appeal, the 11th Circuit affirmed those parts of the preliminary injunction enjoining the appellants from misrepresenting their services and releasing consumer information. The panel upheld the portion of the order that enjoined one of the investor entities and its principal, who was the former chairman of the corporate defendant’s board, from misrepresenting services on allegedly deceptive websites or releasing any customer information allegedly gathered through the websites. While the appeal was pending, however, the Court held in AMG Capital Management that 15 U.S.C. § 53(b) does not allow an award of “equitable monetary relief such as restitution or disgorgement,” leading the 11th Circuit to reverse the asset freeze and receivership aspects of the preliminary injunction. Additionally, the 11th Circuit noted that the principal from one of the entities “was individually responsible for the actions of [the corporate defendants],” and “likely knew that [the corporate defendants] made over eighty million dollars in two years selling 'guides' on government services, and it almost beggars belief that he would be completely unaware of how [the corporate defendants’] websites were raising that quantity of money.”
District Court grants SEC motion for default judgment
On November 2, the U.S. District Court for the Middle District of Georgia granted the SEC’s motion for default judgement in its suit accusing a Georgia-based investment firm and three of its officers of defrauding investors out of approximately $3 million. In July, the SEC filed a complaint against the defendants for allegedly defrauding investors through a prime bank scheme by falsely promising that their funds would remain in a purported escrow account and earn lucrative returns without any risk of loss, which violated the antifraud provisions of Section 17(a) of the Securities Act of 1933 and Section 10(b) of the Securities Exchange Act of 1934 and Rule 10b-5 thereunder. In its memorandum of law in support of its motion for default judgment, the SEC alleged that none of the defendants filed answers or responsive pleadings with the district court and had “engaged in egregious misconduct, acted with scienter, failed to admit their wrongdoing, were thoroughly dishonest with authorities, and have not demonstrated their financial means.” The district court granted the motion, approved permanent injunctions barring the defendants from committing future violations of securities laws, and required the defendants to return the investors' money with interest, in addition to the profits obtained through the alleged scheme. According to the order, the defendants are required to pay approximately $2.7 million total in disgorgement, exclusive of prejudgment interest, and pay a civil penalty of approximately $192,000.
NYDFS provides affiliate cybersecurity program guidance
Recently, NYDFS issued an industry letter to regulated entities advising that a covered entity may adopt the cybersecurity program of an affiliate. New York’s Cybersecurity Regulation (23 NYCRR Part 500) requires regulated entities (Covered Entities) to implement risk-based cybersecurity programs to protect their information systems as well as the nonpublic information maintained on them. (See continuing InfoBytes coverage on 23 NYCRR Part 500 here.) Specifically, 23 NYCRR Part 500 allows “Covered Entities to adopt ‘the relevant and applicable provisions’ of the cybersecurity program of an affiliate provided that such provisions satisfy the requirements of the Cybersecurity Regulation.” NYDFS is also permitted to fully examine the adopted portions of the affiliate’s cybersecurity program to ensure compliance, even if that affiliate is not covered or regulated by NYDFS otherwise. Covered Entities are reminded that while they may adopt an affiliate’s cybersecurity program in whole or in part, the Covered Entity may not delegate compliance responsibility to the affiliate, and is responsible for ensuring it cybersecurity program complies with 23 NYCRR Part 500, “regardless of whether its cybersecurity program is its own or was adopted in whole or in part from an affiliate.” Additionally, a Covered Entity’s compliance obligations are the same whether it adopts an affiliate’s cybersecurity program or implements its own cybersecurity program. Among other things, Covered Entities are required to provide, upon request, all “documentation and information” related to their cybersecurity programs, including evidence that an adopted affiliate’s cybersecurity program meets the requirements of 23 NYCRR Part 500. At a minimum, NYDFS requires access to an affiliate’s “cybersecurity policies and procedures, risk assessments, penetration testing and vulnerability assessment results, and any third party audits that relate to the adopted portions of the cybersecurity program of the affiliate.” NYDFS also explained that foreign bank branches and representative offices often have head offices located outside the U.S. that are not directly regulated by NYDFS. For these entities, all documentation and information relevant to the adopted portions of their head offices’ cybersecurity programs must be provided to NYDFS examiners to evaluate the Covered Entities’ compliance with 23 NYCRR Part 500.
District Court grants MTD in CFPB, NY AG debt collector case
On October 27, the U.S. District Court for the Western District of New York denied a motion to dismiss an action brought by the CFPB and the New York attorney general against the operators of a debt-collection scheme, rejecting the defendants’ argument that they did not have fraudulent intent and their actions were taken for legitimate reasons. As previously covered by InfoBytes in April, the CFPB and the AG filed a complaint against the defendants for allegedly transferring ownership of his $1.6 million home to his wife and daughter for $1 shortly after he received a civil investigative demand and learned that the Bureau and the AG were investigating his debt-collection activities. The complaint further alleged that the transfer of the property was a fraudulent transfer under the FDCPA and made with the intent to defraud (a violation of the New York Debtor and Creditor Law), and that the owner-defendant “removed and concealed assets in an effort to render the Judgment obtained by the Government Plaintiffs uncollectable.” In 2019 the Bureau and the AG settled with the debt collection operation to resolve allegations that the defendants established and operated a network of companies that harassed and/or deceived consumers into paying inflated debts or amounts they may not have owed (covered by InfoBytes here).
The court denied the defendants’ motion to dismiss, concluding that the CFPB and AG raised sufficient allegations that the debtor’s transfers and mortgage on his property were knowingly fraudulent. The court determined that fraudulent intent under the FDCPA may be determined by several factors, sometimes called “badges of fraud,” including whether “‘the transfer or obligation was to an insider,’ ‘the debtor retained possession or control of the property transferred after the transfer,’ ‘before the transfer was made or obligation was incurred, the debtor had been sued or threatened with suit,’ ‘the value of the consideration received by the debtor was reasonably equivalent to the value of the asset transferred or the amount of the obligation incurred,’ and ‘the transfer occurred shortly before or shortly after a substantial debt was incurred.’” The court held it was reasonable to infer that the defendant was aware “that he would likely face civil prosecution” and judgments “would be beyond his ability to pay.” The court noted that the defendant engaged in transferring a personally significant asset—his $1.6 million residence—to two insiders for nominal consideration, which was considered to be “highly unusual.” Additionally, the defendant alleged that he continued to “’reside at and exercise control over’ the property and is now unwilling or unable to pay off the judgment,” which indicated the conveyance was also part of a sham divorce. Further, the court noted that “the complaint plausibly alleges that the mortgage ‘was not granted in good faith’ and was ‘made with the intent to make it appear that the Property was encumbered.’”
CFPB resolves UDAAP allegations with debt collection company
On November 1, the U.S. District Court for the Western District of Missouri ordered a Missouri-based company to pay a $30,000 civil money penalty to resolve allegations that it used district-attorney letterhead to threaten consumers with criminal prosecution. As previously covered by InfoBytes, the CFPB filed a complaint against the company claiming it allegedly engaged in deceptive and otherwise unlawful debt collection acts and practices in the course of operating “bad-check pretrial-diversion programs on behalf of more than 90 district attorneys’ offices throughout the United States.” The complaint claimed that the company not only failed to include required FDCPA disclosures in the letters it sent to consumers, it also failed to identify itself in the letters and did not inform consumers that it was a debt collector and not a district attorney. Moreover, in most cases the company did not refer cases for prosecution, even if the check writer failed to respond to the collection letter, did not pay the alleged outstanding debt and fees, or failed to complete the financial-education course. Under the terms of the settlement, the company is, among other things, permanently banned from engaging in debt collection activities and is prohibited from disclosing, using, or benefiting from customer information obtained before the order’s effective date in connection with a Pre-Trial Bad Check Diversion Program. Additionally, the company may not “attempt to collect, sell, assign, or otherwise transfer any right to collect payment from any consumer who purchased or agreed to purchase services or products in connection” with the company’s program. The company is ordered to pay more than $1.4 million in redress to harmed consumers; however, full payment of this amount is suspended upon satisfaction of certain obligations due to the company’s financial condition. The $30,000 penalty also reflects the company’s limited ability to pay.
SEC awards $2 million to whistleblower
On October 29, the SEC announced that it awarded a whistleblower more than $2 million for providing information and assistance leading to a successful SEC enforcement action, as well as an action by the DOJ. According to the redacted order, the whistleblower voluntarily provided the same original information to the SEC and the DOJ, which prompted the opening of the investigations, as well as extensive ongoing assistance throughout the investigations. According to the SEC, the whistleblower had previously received an award for contributing to an SEC enforcement action based on the same information that supported the award for the related action, and was eligible for this award as a result of the recent amendments clarifying the types of actions that may be considered “related” under the whistleblower rules.
The SEC has awarded approximately $1.1 billion to 224 individuals since issuing its first award in 2012.