InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
District Court approves $1.8 million overdraft settlement
On January 14, the U.S. District Court for the Central District of California granted final approval to a $1.8 million class action settlement to resolve allegations that a credit union (defendant) improperly charged members overdraft and insufficient fund fees (NSF). The class members alleged they had wrongfully incurred more than one NSF fee on the same transaction when it was reprocessed again after initially being returned for insufficient funds. The class also alleged that the defendant’s contracts did not authorize such charges. The settlement allocated $715,500 to class members who were charged certain fees between May 2016 and October 2020, and $874,500 to class members who were charged certain fees between May 2016 and February 2020. The amount allocated to each class member is based on the former fees assessed against them. As part of the nearly $1.8 million settlement, the defendant must pay $1.59 million in cash, and must waive roughly $176,000 in uncollected at-issue fees.
States reach $1.85 billion settlement with student loan servicer
On January 13, a coalition of attorneys general from 38 states and the District of Columbia reached a $1.85 billion settlement with one of the nation’s largest student loan servicers, resolving allegations that it engaged in misconduct when servicing student loans. The settlement, subject to court approval, brings to an end multistate litigation and investigations into the allegations that the servicer steered borrowers into costly forbearances and expensive repayment plans rather than helping borrowers find affordable income-driven repayment (IDR) plans. The servicer denies violating any consumer financial laws or causing borrower harm, as stated in a separate press release, but has agreed to maintain servicing practices to support borrower success.
Under the terms of the settlement, the servicer has agreed to cancel more than $1.7 billion in private student loan balances owed by roughly 66,000 borrowers. An additional $95 million in restitution payments of about $260 each will also be sent to approximately 357,000 federal student loan borrowers, and the servicer will also pay approximately $142.5 million to the signatory AGs. The settlement also requires the servicer to make several reforms, including explaining the benefits of IDR plans and offering estimated income-driven payment options to borrowers prior to placing them into deferment or discretionary forbearance. The servicer is also required to notify borrowers about the Department of Education’s Public Service Loan Forgiveness limited waiver opportunity (covered by InfoBytes here), implement changes to its payment-processing procedures to limit certain fees for late payments or entering forbearance status, and improve communications informing borrowers of their rights and obligations.
District Court grants preliminary approval of class action settlement against national bank
On January 10, the U.S. District Court for the District of Maryland granted preliminary approval of a settlement in a class action against a national bank (defendant) for allegedly participating in a kickback scheme with a title company (company). According to the memorandum in support of plaintiffs’ unopposed motion for preliminary approval of the settlement, the class action complaint alleged that over a six year period the company paid the defendant for the referral of residential mortgage loans, refinances, and reverse mortgages for title and settlement services in violation of RESPA. Further, the plaintiffs alleged that the company and defendant falsified borrowers’ HUD-1 settlement statements and other documents, and misrepresented the defendant’s efforts to “choose a qualified attorney, title agent or title insurance company to search title and conduct [the borrower's] closing.” While agreeing to the class action settlement, the defendant disputes plaintiffs’ allegations and denies that it is liable for any of the claims in the complaint. Under the terms of the preliminarily approved settlement agreement, the defendant will pay approximately $1.2 million in settlement benefits to class members, a $1,500 service award to both lead plaintiffs, and up to $325,000 in attorneys’ fees and $17,500 in expenses to class counsel.
OFAC reaches $5.2 million settlement with Hong Kong company for apparent Iranian sanctions violations
On January 11, the U.S. Treasury Department’s Office of Foreign Assets Control announced a $5.2 million settlement with a Hong Kong, China-based company for allegedly processing certain transactions related to goods of Iranian origin through U.S. financial institutions in violation of the Iranian Transactions and Sanctions Regulations (ITSR). According to OFAC’s web notice, from August 2016 through May 2018, certain company employees violated company-wide policies and procedures by causing the company to purchase Iranian-origin goods from a supplier in Thailand for resale to buyers in China. Under the terms of the trading arrangement, the company made 60 separate U.S. dollar payments from its bank in Hong Kong to the Thai supplier’s banks in Thailand, transferring a total of $75.6 million. Each of these payments were allegedly “processed and settled through multiple U.S. financial institutions, including the U.S. correspondent banks of the Hong Kong and Thai banks.” Due to the noncompliant employees’ misconduct, the funds transfer instructions omitted references to Iran. As a result, U.S. financial institutions were unable to flag the transfers as violating the ITSR, which would have “caused them to reject and report each of these U.S. dollar denominated funds transfers.”
In calculating the settlement amount, OFAC considered the following aggravating factors: (i) the noncompliant employees omitted Iranian country of origin references from all relevant transactional documents over a period of two years, despite knowing and having been advised repeatedly that this conduct violated the ITSR and company policy; (ii) the noncompliant employees “had actual knowledge about the [supplier’s] relation to Iran”; (iii) the company’s actions conferred significant economic benefits to Iran, specifically with respect to Iran’s petrochemical sector; and (iv) the company “is a sophisticated offshore trading and cross-border trade financing company with ready access to experience and expertise in international trade, investment, financing, and sanctions compliance.”
OFAC also considered various mitigating factors, including that (i) the company repeatedly reminded noncompliant employees not to make U.S. dollar payments in connection with Iran-related business transactions; (ii) senior management and compliance personnel were unaware of the violations due to the concealment of the information internally; (iii) the company has not received a penalty notice from OFAC in the preceding five years; and (iv) the company voluntarily self-disclosed the apparent violations, cooperated with OFAC’s investigation, and has undertaken significant remedial measures to ensure sanctions compliance.
Supreme Court vacates $10 million judgment in light of TransUnion ruling
On January 10, the U.S. Supreme Court issued a short summary disposition granting a petition for a writ of certiorari filed by a lender and an appraisal management company. Rather than hearing arguments in the case, the Court immediately vacated the judgment against the defendants and ordered the U.S. Court of Appeals for the Fourth Circuit to reexamine its decision in light of the Court’s ruling in TransUnion v. Ramirez (which clarified the type of concrete injury necessary to establish Article III standing, and was covered by InfoBytes here).
As previously covered by InfoBytes, in March 2021, a divided 4th Circuit affirmed a district court’s award of over $10 million in penalties and damages based on a summary judgment that an appraisal practice common before 2009 was unconscionable under the West Virginia Consumer Credit and Protection Act. During the appeal, the defendants argued that summary judgment was wrongfully granted and that the class should not have been certified since individual issues predominated over common ones, but the appellate court majority determined, among other things, that there was not a large number of uninjured members within the plaintiffs’ class because plaintiffs paid for independent appraisals and “received appraisals that were tainted.”
The defendants argued in their petition to the Court that the 4th Circuit’s “fundamentally unjust” holding could not stand in the wake of TransUnion, which ruled that every class member must be concretely harmed by an alleged statutory violation in order to have Article III standing. According to the defendants, the divided panel “affirmed the class certification and the class-wide statutory-damages award, because the class members all faced the same risk of harm: the appraisers had been ‘exposed’ to the supposed procedural error, and the class members paid for the appraisals, even though the court ‘cannot evaluate whether’ any harm ever materialized.”
DFPI enters into a settlement with a rent-to-own furniture provider
On January 10, the California Department of Financial Protection and Innovation (DFPI) announced a settlement with a Los Angeles-based rent-to-own furniture provider for allegedly failing to comply with the Karnette Rental-Purchase Act (Karnette Act) in connection with its subscription agreements. This settlement constitutes the first action against a rent-to-own firm for violating the California Consumer Financial Protection Law (CCFPL). According to the settlement, in addition to charging excessive late fees, the company failed to: (i) disclose whether the property subject to the rental-purchase agreement is new or used; (ii) clearly and conspicuously provide the Karnette Act’s mandated contractual disclosures; and (iii) adhere to the Karnette Act’s prescribed formula for calculating the maximum cash price, among other things. As part of the settlement, the company must desist and refrain from violating the CCFPL, refund customers late fee overcharges, offer its rent-to-own products and services in compliance with the Karnette Act and applicable consumer laws, and report on its activities semi-annually to the DFPI. According to DFPI Commissioner Clothilde V. Hewlett, the consent order “reminds California businesses and consumers that the DFPI will be exercising its expanded authority under the new law.”
OFAC settles with money services business for Cuba sanctions violations
On January 3, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced a $91,172 settlement against a registered money services business for allegedly processing payment transactions for guests traveling to Cuba "for reasons outside of OFAC’s authorized categories” and failing to maintain certain required records associated with Cuba-related transactions. These actions, OFAC, stated, allegedly violated the Cuban Assets Control Regulations (CACR). According to OFAC’s web notice, as the company scaled up its traveler services in Cuba, its technology platforms were allegedly unable to manage the associated sanctions risks, which led to the alleged violations. Among other things, OFAC maintained that the company used a manual process to screen hosts and guests for potential sanctions issues until it began using a customized IP blocking system. Additionally, the company’s alleged recordkeeping violations were primarily attributed to technical defects involving an older version of the company’s mobile application that could be used for Cuba-related travel without “maintain[ing] complete functionality for [g]uests to make an attestation regarding their reason for travel to Cuba.”
In arriving at the settlement amount, OFAC considered various aggravating factors, including, among other things, that the company is a large, sophisticated U.S.-based technology company, and that its alleged violations followed a 2015 foreign policy change with respect to Cuba, as well as associated changes to the CACR, which maintained certain specified restrictions. OFAC also considered various mitigating factors, including that the company (i) did not receive a penalty notice or finding of violation in the past five years preceding the earliest transaction giving rise to this settlement; (ii) conducted a comprehensive review of its sanctions compliance program, voluntarily reported its findings to OFAC, and substantially cooperated with the investigation; and (iii) undertook significant remedial measures to ensure sanctions compliance.
OFAC settles with bank for alleged NKSR and Foreign Narcotics Kingpin Sanctions Regulations violations
On December 23, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced a roughly $115,005 settlement of two cases with a Delaware-based bank for allegedly processing transactions in violation of the North Korea Sanctions Regulations (NKSR) and the Foreign Narcotics Kingpin Sanctions Regulations. According to OFAC’s web notice, in the first matter, between December 2016 and August 2018, the bank processed 1,479 transactions totaling $382,685, and maintained nine accounts on behalf of five employees of the North Korean Mission to the United Nations without a license from OFAC. Additionally, the bank allegedly often misidentified North Korea or did not properly complete the citizenship field in the customer profiles, which resulted in failing to flag the accounts. The web notice explained that “[u]nder the [NKSR], a general license authorizing certain transactions with the North Korean Mission to the United Nations specifies that it does not authorize U.S. financial institutions to open and operate accounts for employees of the North Korean mission. It further specifies that U.S. financial institutions are required to obtain OFAC specific licenses to operate accounts for such persons.” According to the web notice, since the bank did not obtain a specific license to offer these services, its conduct resulted in apparent violations.
In arriving at the settlement amount of $105,238, OFAC considered various aggravating factors, including, among other things, that the bank (i) failed to use due caution or care in processing the 1,479 transactions, which was in violation of the NKSR for over a year; (ii) “had reason to know that it maintained accounts for North Korean nationals because at account opening, the account holders of all nine accounts presented to [the bank] North Korean passports”; and (iii) “is a large and commercially sophisticated financial institution with a global presence.” OFAC also considered various mitigating factors, including, among other things, that the bank (i) “enhanced its controls for identifying government officials of sanctioned countries”; and (ii) “updated its operating procedures to specify that reviews of customers in or affiliated with sanctioned jurisdictions must be escalated.”
In the second matter, according to the web notice, the bank allegedly maintained accounts for a U.S. resident who was on OFAC’s SDN List. The bank did not block the account and disclose to OFAC until after the fifth high-confidence sanctions screening alert was generated because the previous alerts had a “match on full name DOB and geographical location.” The bank’s fraud unit, unaware of the sanctions-related reason for account closure, then credited one of the individual’s accounts, which caused it to be re-opened. The notice reported that the failure to correctly identify the individual as a person on the SDN List was the result of human error and a breakdown in the bank’s sanctions compliance procedures. Further, “[i]n addition to incorrectly dispositioning these alerts, [the bank’s] analysts contravened [the bank’s] procedures which require alerts to be escalated if a match occurs in first and last name and any additional information field.” Such conduct resulted in 145 apparent violations of the Foreign Narcotics Kingpin Sanctions Regulations.
In arriving at the settlement amount of $9,766, OFAC considered various aggravating factors, including, among other things, that the bank (i) “failed to exercise due caution or care for U.S. economic sanctions requirements by incorrectly adjudicating high-confidence sanctions screening alerts four times over four years, despite full date-of-birth and first and last name matches”; (ii) permitted $35,514.13 in transactions by an individual on the SDN List; and (iii) “is a large and sophisticated financial institution with a global presence.” OFAC also considered various mitigating factors, including, among other things, that the bank did not appear to have had actual knowledge of the conduct that led to the apparent violations, and represented that it has terminated this conduct and has undertaken remedial measures.
New Jersey settles CFA and HIPAA violations following 2019 data breach
On December 15, the acting New Jersey attorney general and the Division of Consumer Affairs reached a settlement with three New Jersey-based medical providers for allegedly violating the New Jersey Consumer Fraud Act and the federal Health Insurance Portability and Accountability Act (HIPAA) by failing to adequately safeguard patient data. The settlement resolved allegations that patients’ personal and protected health information, including health records, driver’s license numbers, Social Security numbers, financial account numbers, and payment card numbers, were exposed when several employee email accounts were compromised in a 2019 data breach. The AG additionally contended that while notifying clients of the initial data breach, the defendants “improperly disclosed patient data when a third-party vendor improperly mailed notification letters intended for 13,047 living patients by addressing the letters to those patients’ prospective next-of-kin.” Federal and state law require medical providers to implement appropriate safeguards to protect consumers’ sensitive health and personal information and identify potential threats—measures, the AG alleged, the defendants failed to take. Without admitting to any violation of law, the defendants agreed to the terms of the consent order and will pay $353,820 in penalties and $71,180 in attorneys’ fees and investigative costs. The defendants will also adopt additional comprehensive privacy and security measures to safeguard consumers’ protected information and will obtain a third-party assessment of their policies and practices related “to the collection, storage, maintenance, transmission, and disposal of patient data.”
FTC settles with mortgage analytics company
On December 22, the FTC announced the final approval of a settlement with a mortgage industry data analytics firm (defendant) for allegedly failing to develop, implement, and maintain a comprehensive information security program and ensure third-party vendors are capable of implementing and maintaining appropriate safeguards for customer information in violation of the Gramm-Leach Bliley Act’s Safeguards Rule. As previously covered by InfoBytes, in December 2020, the FTC alleged that a vendor hired by the defendant stored the unencrypted contents of mortgage documents on a cloud-based server without any protections to block unauthorized access, such as requiring a password. According to the FTC, because the vendor did not implement and maintain appropriate safeguards to protect customer information, the cloud-based server containing the data was improperly accessed approximately 52 times. The FTC claimed, among other things, that the defendant failed to adequately vet its third-party vendors and never took formal steps to evaluate whether the vendors could reasonably protect the sensitive information. Moreover, the defendant’s contracts allegedly did not require vendors to implement appropriate safeguards, nor did the defendant conduct risk assessments of its vendors.
The settlement requires the defendant to, among other things, implement a comprehensive data security program and undergo biennial assessments conducted by a third party on the effectiveness of its program. Additionally, the defendant must report any future data breaches to the FTC no later than 10 days after it provides notice to any federal, state, or local government entity.
FTC Commissioner Rebecca Kelly Slaughter provided a lone dissenting statement.