InfoBytes Blog

Financial Services Law Insights and Observations

  • CFTC shuts down illegal trading platform

    Courts

    The U.S. District Court for the Northern District of California recently granted the CFTC’s motion for default judgment in an action accusing a decentralized autonomous organization of violating the Commodity Exchange Act (CEA) by operating an illegal trading platform and unlawfully acting as a futures commission merchant. (See also CFTC press release here.) The CFTC maintained that the organization’s platform and its blockchain-based software “protocol” enable users to engage in retail commodity transactions but do not provide protections or other requirements mandated under the statute. In addition to unlawfully offering leveraged and margined retail commodity transactions outside of a registered exchange, the organization is charged with failing to comply with Bank Secrecy Act obligations applicable to futures commission merchants, including implementing a customer information program or conducting know your customer procedures. The default judgment requires the organization to shutter its website and remove its content from the internet, and orders permanent trading and registration bans. The organization also must pay a $643,542 civil money penalty and is enjoined from future violations of the CEA.

    Courts Digital Assets Cryptocurrency CFTC Commodity Exchange Act Blockchain Enforcement Bank Secrecy Act

  • District Court says MLA’s statute of limitations begins upon discovery of facts

    Courts

    The U.S. District Court for the Eastern District of Virginia recently granted an installment lender’s motion to dismiss, ruling that most of the class members’ claims are time-barred by the Military Lending Act’s (MLA) two-year statute of limitations. Plaintiffs are active duty servicemembers who entered into installment loans with the defendant. Claiming four violations of the MLA, plaintiffs alleged the defendant (i) extended loans with interest rates exceeding the MLA’s 36 percent interest rate cap; (ii) extended loans that involved roll overs of prior loans; (iii) required plaintiffs to agree to repayment by allotment (with a backup preauthorized electronic fund transfer) as a condition to receiving a loan; and (iv) required plaintiffs to provide a security interest in their bank accounts as a condition for receiving a loan. Plaintiffs sought to certify a class covering the five years preceding the date the complaint was filed. Defendant moved to dismiss, arguing that plaintiffs have only been harmed by technical violations of the MLA and did not suffer a concrete injury. Plaintiffs countered that the defendant’s MLA violations caused them to sustain injuries from making payments, including interest payments, “on loans that were ‘void from [their] inception’ [] due to their unlawful refinancing, allotment, and security interest requirements.”

    The court reviewed a significant issue raised by the parties’ differing interpretations of the MLA’s statute of limitations and its applicability to plaintiffs’ loans. Specifically, the parties disagreed as to whether “discovery by the plaintiff of the violation,” which triggers the two-year limitations period, requires that a plaintiff only discover the facts constituting the basis for the violation, as argued by the defendant, or instead requires that a plaintiff also know that the MLA was violated, as the plaintiffs argued. While acknowledging that the text in question is inconclusive, the court stated that since the MLA “does not require ‘discovery’ of both the ‘violation’ and ‘liability’ but only the ‘violation that is the basis for such liability,’ the text appears to support the interpretation that only discovery of the violative conduct is required, and not discovery of the actionability of that conduct.” The court also reviewed other federal statutory discovery rules where other courts “have consistently found that ‘discovery’ requires that a plaintiff have knowledge only of the facts constituting the violation and not the legal implications of those facts.” Relying on this, as well as other court interpretations, the court determined that “the two-year limitations period is triggered when a plaintiff discovers the facts constituting the basis for the MLA violation and not when the plaintiff recognizes that these facts support a legal claim.” Thus, the court found that most of the loans underlying the claims are time-barred.

    However, for loans that fell within the applicable limitations period, the court granted defendant’s motion to dismiss for failure to state a claim, concluding, among other things, that a creditor is not prohibited from taking a security interest in a plaintiff’s bank account by way of a preauthorized electronic fund transfer provided the military annual percentage rate does not exceed the allowable 36 percent (a claim, the court noted, plaintiffs dismissed and did not otherwise address). Moreover, the court determined that plaintiffs failed to allege that the defendant was a “creditor” under the narrower definition used by the MLA in its refinancing and roll-over prohibition or that the defendant’s “characterization of the convenience of repayment by allotment amounted to a misrepresentation or concealment of facts giving rise to plaintiffs’ MLA claim.”

    Courts State Issues Virginia Military Lending Act Consumer Finance Class Action Servicemembers Interest Rate

  • 7th Circuit: Time and money in responding to second verification request confers standing under FDCPA

    Courts

    On June 7, the U.S. Court of Appeals for the Seventh Circuit held that spending time and money to send a second verification request is enough to confer standing under the FDCPA. Plaintiff’s defaulted credit card debt was purchased by one of the defendants and placed with a collection agency. A letter providing details about the debt, including the original creditor, current creditor, and a validation notice, was sent to the plaintiff. Within the required 30-day timeframe, plaintiff sent a letter to the collection agency requesting validation of the debt. However, instead of receiving a response from the agency, plaintiff received another letter from one of the defendants that provided information on the debt and informed her that it had initiated a review of the inquiry it had received. The second letter also included a validation notice, which confused the plaintiff and resulted in her spending time and money ($3.95) to request validation again. Plaintiff filed suit accusing the defendants of violating the FDCPA and asserting that the second letter would lead a consumer to believe that they must re-dispute the debt. According to the plaintiff, the letter, among other things, used false, deceptive, misleading, and unfair or unconscionable means to collect or attempt to collect a debt. The defendants moved to dismiss for lack of standing, arguing that while the letter may have confused and alarmed the plaintiff, it did not cause her to initiate “any action to her detriment on account of her confusion.” The district court granted defendants’ motion to dismiss, ruling that the time and money spent on sending the second validation request did not rise to the level of detriment required for standing under the FDCPA, and that, moreover, it provided plaintiff with another opportunity to dispute the debt if she failed to properly do so the first time.

    Disagreeing with the dismissal, the 7th Circuit wrote that the second postage fee (albeit modest in size) is the type of harm that Congress intended to protect consumers from when it enacted the FDCPA. “Money damages caused by misleading communications from the debt collector are certainly included in the sphere of interests that Congress sought to protect,” the appellate court stated, explaining that the second letter caused the plaintiff “to suffer a concrete detriment to her debt-management choices in the form of the expenditure of additional money to preserve rights she had already preserved.”

    Courts Appellate Seventh Circuit FDCPA Debt Collection Consumer Finance Credit Cards

  • 11th Circuit revives data breach negligence claim

    Courts

    The U.S. Court of Appeals for the Eleventh Circuit recently reversed the dismissal of a negligence claim brought against a Georgia-based airport retailer, determining that a company of its size and sophistication “could have foreseen being the target of a cyberattack.” Plaintiff, who used to work for the defendant, filed suit alleging the defendant failed to protect thousands of current and former employees’ sensitive personally identifiable information (PII), including Social Security numbers, from an October 2020 ransomware attack. Bringing claims for negligence and breach of implied contract on behalf of class members, plaintiff contended that not only should the defendant have protected the PII, but it also took several months for the defendant to notify affected individuals. A notice provided by the company claimed the attack only affected an internal, administrative system, but according to the plaintiff, the attacker uploaded the PII to third-party servers. Plaintiff was later informed that an unknown party used his Social Security number to file pandemic-related unemployment assistance claims under his name in Rhode Island and Kentucky. Plaintiff argued that the defendant should have taken steps before the hack to better protect the information and that the alleged “harms he suffered were a foreseeable result of [defendant’s] inadequate security practices and its failure to comply with industry standards appropriate to the nature of the sensitive, unencrypted information it was maintaining.” The district court disagreed and granted defendant’s motion to dismiss for failure to state a claim. Plaintiff appealed, arguing that “the district court demanded too much at the pleadings stage.”

    On appeal, the 11th Circuit concluded, among other things, that the plaintiff could not have been expected to plead details about the defendant’s private data security policies. “We cannot expect a plaintiff in [this] position to plead with exacting detail every aspect of [defendant’s] security history and procedures that might make a data breach foreseeable, particularly where ‘the question of reasonable foreseeability of a criminal attack is generally for a jury’s determination rather than summary adjudication by the courts,’” the appellate court wrote, noting that plaintiff had sufficiently pled the existence of a special relationship as well as a foreseeable risk of harm. However, the 11th Circuit affirmed dismissal of plaintiff’s claim for breach of implied contract, stating that he failed to allege any facts showing that the defendant agreed to be bound by a data retention or protection policy.

    A few days later, the 11th Circuit issued an opinion saying class members in a different action should be allowed to amend their data breach negligence claim in light of the appellate court’s decision discussed above. The 11th Circuit wrote that the decision in the aforementioned case “undermined” the dismissal of plaintiff’s negligence claim alleging a defendant warehousing company allowed a data breach to occur because it failed to take appropriate measures to secure its network. Class members in this case also alleged their PII was improperly accessed during a ransomware attack. The appellate court agreed with class members’ contention that the defendant had failed to address a newly created legal standard for data breach negligence claims in its motion to dismiss: “Indeed, the plaintiffs would have been hard-pressed to predict that they might need to amend their complaint to add more specific foreseeability allegations in response to [defendant’s] renewed motion to dismiss,” the appellate court wrote, reversing the denial of the motion for leave to amend.

    Courts Privacy Data Breach Ransomware Appellate Eleventh Circuit Consumer Finance

  • District Court puts hold on CFPB’s $2.7 billion request in telemarketer case

    Courts

    On June 7, the U.S. District Court for the District of Utah denied the CFPB’s motion for an award of monetary and injunctive relief, assessment of civil money penalties, and final judgment in an action taken against a group of Utah-based credit repair telemarketers and their affiliates (collectively, “defendants”). As previously covered by InfoBytes, the CFPB sued the defendants in 2019 for allegedly committing deceptive acts and practices in violation of the Telemarketing Sales Rule (TSR) and the Consumer Financial Protection Act (CFPA) by charging consumers a fee for credit repair services when they signed up for the services through telemarketing, and then monthly thereafter. Certain defendants also allegedly made false and misleading claims guaranteeing, or ensuring the high likelihood, that loans or rent-to-own housing offers would be available through affiliates after signing up for credit repair services when the products were not available. In March, the court granted the Bureau’s motion for partial summary judgment, ruling in favor of the agency on claims that the defendants violated the TSR’s prohibitions against charging upfront fees for credit repair services.

    According to the June 7 order, the Bureau asked the court to award more than $2.7 billion in monetary relief, justifying the amount as “either a ‘refund of moneys’ or, alternatively, as legal (as opposed to equitable) ‘restitution.’” The Bureau also requested civil money penalties of $35.2 million and $17.6 million against different defendants, as well as extensive injunctive relief. Defendants argued that the maximum civil money penalty should fall within the range of $1 and $17.6 million as their alleged conduct “did not merit the maximum Tier 1 penalty,” and that, in any event, “the Tier 1 daily limit in the statute should apply to the aggregate penalty amount imposed on all [d]efendants collectively.” Defendants also asked the court to deny the requested injunction or clarify its requirements.

    In denying the Bureau’s motion, the court wrote that “outstanding issues of fact” preclude it from entering the agency’s requested relief at this time. “Given the existence of these factual disputes, the court finds it will be most efficient to consolidate further discussions of relief with final pretrial proceedings,” the court said, denying the agency’s request without prejudice.

    Courts CFPB Consumer Finance Credit Repair TSR CFPA

  • District Court: Plaintiff failed to prove damages in RESPA suit

    Courts

    The U.S. District Court for the Northern District of Texas recently granted summary judgment in favor of a defendant mortgage servicer related to alleged RESPA violations. Plaintiff obtained a refinanced loan that was serviced by the defendant. Plaintiff later sued the defendant after becoming frustrated by receiving repeated calls suggesting he refinance the loan. Once litigation commenced, the defendant began sending the monthly mortgage statements to plaintiff’s counsel. In 2021, plaintiff sent a request for information to the defendant seeking a range of monthly billing statements, which the defendant allegedly only partially provided. Plaintiff’s attorney further claimed to have received an escrow review statement from the defendant referencing an escrow surplus check that the plaintiff also claimed not to have received. The plaintiff claimed violation of RESPA by pointing to the defendant’s alleged failure to adequately respond to his requests for statements or to provide the surplus check. The defendant moved for summary judgment, arguing that neither the facts nor the law supported the plaintiff’s claims.

    The plaintiff eventually conceded that there is no private right of action under RESPA’s escrow payment regulation and withdrew the claim. The court also took issue with his claim that the defendant failed to adequately respond to his request for information. Even if the defendant failed to adequately respond, the plaintiff could not plead or prove actual damages, the court said. “Neither party disputes that RESPA requires plaintiffs to plead and prove actual damages from an alleged violation,” the court wrote. “Instead, they focus their arguments on the sufficiency of the alleged damages. [Defendant] alleges that [plaintiff] provides no evidence to demonstrate how he suffered damages from the fact that it provided only three of the fourteen requested monthly statements.” Plaintiff tried to argue he was owed monetary damages due to being deprived of the escrow surplus funds and by being unfairly assessed convenience fees when making payments through the defendant’s online portal. He further claimed he suffered medical and mental anguish. However, the court concluded that evidence presented by the defendant refuted these claims (the convenience fee claim, the court said, could not be connected to the RESPA claim) and said plaintiff also failed to support his claims of medical and mental anguish. Further, plaintiff failed to present evidence supporting his claim for statutory damages, the court said, finding no genuine dispute of material fact in the record.

    Courts Consumer Finance RESPA Mortgages QWR

  • 6th Circuit: Single RVM confers standing

    Courts

    The U.S. Court of Appeals for the Sixth Circuit recently held that receiving one ringless voicemail (RVM) was enough to confer standing upon a plaintiff under the TCPA. In that case, plaintiff asserted he received several RVMs to his cell phone but never consented to receiving the messages. He filed a putative class action suit for violations of the TCPA, alleging the defendant used an automated telephone dialing system (autodialer) to deliver multiple RVMs to his cell phone advertising its services. According to the plaintiff, the RVMs tied up his phone line, cost him money, and invaded his privacy. During discovery, an expert concluded that only one of the 11 voicemails plaintiff claimed to have received was from the defendant. The defendant moved to dismiss, arguing the plaintiff lacked standing because he did not suffer a concrete injury. The district court granted defendant’s motion, ruling that receiving a single RVM did not constitute a concrete harm sufficient for Article III standing, because, among other things, plaintiff could not recall what he was doing when the RVMs were sent, he was not charged for the RVM, the RVM did not tie up his phone line, and he spent a very small amount of time reviewing the message.

    On appeal, the 6th Circuit noted that it had not previously considered whether receiving a single RVM for commercial purposes is sufficient to confer standing under the TCPA. To determine whether an intangible harm—such as receiving an unsolicited RVM—rises to the level of concrete injury, the appellate court reviewed U.S. Supreme Court rulings on standing. “[Plaintiff’s] receipt of an unsolicited RVM bears a close relationship to the kind of injury protected by the common law tort of intrusion upon seclusion; and his claimed harm directly correlates with the protections enshrined by Congress in the TCPA,” the 6th Circuit wrote, reversing and remanding the district court’s judgment and stating that “[plaintiff] suffered a concrete injury in fact sufficient for Article III standing purposes.”

    Courts Appellate Sixth Circuit TCPA Consumer Protection Autodialer Class Action

  • District Court preliminarily approves $2.7 million FCRA settlement

    Courts

    On June 1, the U.S. District Court for the Eastern District of California preliminarily approved a class action settlement, which would require a corporate defendant to pay $2.7 million to resolve allegations that it provided false information on credit reports to auto dealers. The defendant sells credit reports to auto dealers to help dealers manage their regulatory compliance obligations, the order explained, noting that one of these obligations prohibits dealers from engaging in business with anyone designated on the U.S. Treasury Department’s Office of Foreign Assets Control’s (OFAC) Specially Designated Nationals (SDN) list. The SDN list is comprised of persons and entities owned or controlled by (or acting for or on behalf of) a targeted company, or non-country specific persons, who are prohibited from conducting business in the U.S. The defendant would flag a consumer as an “OFAC Hit” if it matched a name on the SDN list.

    The order explained that when using a “similar name” algorithm script to run the consumer’s name against the SDN list to check for a match, the defendant only ran first and last names and did not input other available information such as birth dates and addresses. The lead plaintiff filed a putative class action pleading claims under the FCRA and California’s Consumer Credit Reporting Agencies Act, alleging his name inaccurately came up as an OFAC hit on a credit report sold to an auto dealer. In turn, the plaintiff was denied credit and suffered emotionally, later learning that the defendant incorrectly matched him with an SDN. According to class members, the defendant failed to follow reasonable procedures to assure maximum possible accuracy when matching consumer information and failed to provide, upon request, all information listed in a consumer’s file. Moreover, the lead plaintiff claimed the defendant failed to investigate the disputed OFAC-related information sold to the dealer. The defendant moved for summary judgment on the premise that it was not acting as a consumer reporting agency and that OFAC check documents were not consumer reports, but the court denied the motion and later certified the class. If finalized, the settlement would provide $1,000 to each of the class members, attorneys’ fees and costs, and a service award to the lead plaintiff.

    Courts State Issues California Class Action Settlement Consumer Finance Credit Report OFAC FCRA
