
InfoBytes Blog

Financial Services Law Insights and Observations


  • Texas AG issues CID to video streaming company

    State Issues

    On February 18, the Texas attorney general issued two Civil Investigative Demands (CIDs) to a video streaming company that focus on the company’s potential facilitation of human trafficking and child privacy violations, as well as other potential unlawful conduct. According to the CIDs, the company allegedly violated section 140A.002, Civil Racketeering Related to Trafficking of Persons, of the Texas Civil Practice and Remedies Code. The CID orders the company to: (i) provide answers and documents in response to the CID; (ii) preserve documents and/or other data which relate to the subject matter or requests of the CID; and (iii) consult the AG prior to processing or making copies of hard-copy documents or electronically stored information in response to the CID.

    State Issues State Attorney General Texas CIDs Privacy/Cyber Risk & Data Security

  • FCC proposes record $45 million fine against robocaller

    Federal Issues

    On February 18, the FCC released a proposed $45 million fine against a lead generator accused of conducting an illegal robocall campaign that made false claims about the Covid-19 pandemic to induce consumers into purchasing health insurance. This is the FCC’s largest ever proposed robocall fine to date. According to the FCC, the lead generator violated the TCPA by placing 514,467 robocalls to cellphones and landlines without subscribers’ prior express consent or an emergency purpose. The Florida-based lead generator allegedly purchased lists of phone numbers from third-party vendors and acquired phone numbers from consumers seeking health insurance quotes online, “without clearly disclosing that, by providing contact information, the consumers would be subject to robocalls.” It then left prerecorded voice messages marketing insurance plans sold by companies that had hired the lead generator. Many of these robocalls, the FTC claimed, were also unlawfully made to consumers on the Do Not Call Registry. FCC Chairwoman Jessica Rosenworcel issued a statement announcing that, in addition to the record fine, the Commission also established a new partnership with 16 state attorneys general in order to share information and resources to mitigate robocalls.

    Federal Issues FCC Enforcement Robocalls TCPA Lead Generation State Attorney General State Issues

  • Agencies defeat states’ valid-when-made challenge

    On February 8, the U.S. District Court for the Northern District of California granted cross-motions for summary judgment in favor of the OCC and FDIC (see here and here), upholding their respective rules which clarify that interest charges that are permissible when a loan is originated “shall not be affected by the sale, assignment, or other transfer of the loan.” The judgments resolve lawsuits brought by several state attorneys general in 2020, challenging both the OCC’s final rule on “Permissible Interest on Loans that are Sold, Assigned, or Otherwise Transferred” (known also as the valid-when-made rule) and the FDIC’s final rule which clarified that under the Federal Deposit Insurance Act (FDIA), whether interest on a loan is permissible is determined at the time the loan is made and is not affected by the sale, assignment, or other transfer of the loan.

    In the OCC matter, the states argued that the agency’s valid-when-made rule (which effectively reversed the U.S. Court of Appeals for the Second Circuit’s 2015 Madden v. Midland Funding decision, and was covered by InfoBytes here) impermissibly preempts state law, is contrary to the plain language of section 85 (and section 1463(g)(1)), and contravenes the judgment of Congress, which declined to extend preemption to nonbanks. Moreover, the states contended that the OCC failed to give meaningful consideration to the commentary received regarding the rule, essentially enabling “‘rent-a-bank’ schemes.” The OCC countered that its rule does not preempt state law but rather “merely interprets” banks’ authority to charge interest. (Covered by InfoBytes here.) The court agreed with the OCC, holding that the OCC was interpreting the scope of 12 U.S.C. § 85, not determining whether to preempt state laws, and therefore was not required to follow the procedures set forth in 12 U.S.C. § 25b as the states alleged, including consulting with the CFPB. Applying the Chevron framework, the court upheld the OCC’s interpretations of the National Bank Act and Home Owners’ Loan Act. Acting Comptroller of the Currency Michael J. Hsu issued a statement following the decision, in which he emphasized that while the court’s order “affirmed the validity of the OCC’s rule,” the “legal certainty should be used to the benefit of consumers and not be abused.” He added that the agency “is committed to strong supervision that expands financial inclusion and ensures banks are not used as a vehicle for ‘rent-a-charter’ arrangements.”

    In the FDIC matter, the states argued, among other things, that the FDIC did not have the power to issue the final rule under 12 U.S.C. § 1831d, and asserted that while the FDIC may issue “regulations to carry out” the provisions of the FDIA, it cannot issue regulations that would apply to nonbanks. The states also claimed that the rule’s extension of state law preemption would facilitate evasion of state law by enabling “rent-a-bank” schemes. The FDIC countered that the states’ arguments misconstrue the rule, which does not regulate nonbanks, does not interpret state law, and does not preempt state law. Rather, the FDIC argued that the rule clarifies the FDIA by “reasonably” filling in “two statutory gaps” surrounding banks’ interest rate authority. (Covered by InfoBytes here.) The court rejected the states’ argument that the FDIC exceeded its authority, and held that under Chevron, the agency’s interpretation of 12 U.S.C. § 1831d is not unreasonable. In upholding the FDIC’s interpretation, the court stated that the final rule “does not purport to regulate either the transferee’s conduct or any changes to the interest rate once a transaction is consummated.”

    Bank Regulatory Federal Issues Courts OCC FDIC Valid When Made Madden State Attorney General State Issues National Bank Home Owners' Loan Act Interest Rate

  • D.C. reaches nearly $4 million settlement with online lender to resolve usury allegations

    State Issues

    On February 8, the District of Columbia attorney general announced a nearly $4 million settlement with an online lender to resolve allegations that the lender marketed high-cost loans carrying interest rates exceeding D.C.’s interest rate cap. As previously covered by InfoBytes, the AG filed a complaint in 2020, claiming the lender violated the District of Columbia Consumer Protection Procedures Act (CPPA) by offering two loan products to D.C. residents carrying annual percentage rates (APR) ranging between 99-149 percent and 129-251 percent. Interest rates in D.C., however, are capped at 24 percent for loans with the rate expressed in the contract (loans that do not state an express interest rate in the contract are capped at six percent), and licensed money lenders that exceed these limits are in violation of the CPPA. According to the AG, the lender—who allegedly never possessed a money lending license in D.C.—violated the CPPA by (i) unlawfully misrepresenting it was allowed to offer loans in D.C. and failing to disclose or adequately disclose that its loans contain APRs in excess of D.C. usury limits; (ii) engaging in unfair and unconscionable practices through misleading marketing efforts; and (iii) violating D.C. usury laws.

    Under the terms of the settlement, the company is required to (i) pay at least $3.3 million in restitution to refund alleged interest overcharges to D.C. borrowers; (ii) provide more than $300,000 in debt forgiveness to D.C. borrowers who would have paid future interest amounts in connection with an outstanding loan balance; and (iii) pay $450,000 to the District. According to the announcement, the company has also agreed that it “will not on its own, or working with third parties such as out of state banks, engage in any act or practice that violates the CPPA in its offer, servicing, advertisement, or provision of loans or lines of credit to District consumers.” The company is also prohibited from charging usurious interest rates, must delete negative credit information associated with its loans and lines of credit, and may not represent that it can offer loans or lines of credit in D.C. without first obtaining a D.C. money lender license.

    State Issues State Attorney General Settlement Enforcement Online Lending Usury Interest Rate Courts Predatory Lending

  • Georgia reaches settlement with rent-to-own company over deceptive business practices

    State Issues

    On February 8, the Georgia attorney general announced a settlement with a rent-to-own company accused of allegedly engaging in deceptive sales and marketing practices and violating the FDCPA. While the company did not admit to the allegations, it agreed to pay $145,590 in civil money penalties, with an additional $170,910 due if the company violates any of the settlement terms. The company is also required to (i) ensure its advertising, sales, and marketing practices comply with the Georgia Fair Business Practices Act and the Georgia Lease-purchase Agreement Act; (ii) refrain from engaging in harassing and unlawful debt collection practices; and (iii) verify debts are accurate before placing them with a third-party collection agency. “Our office takes seriously allegations of deceptive business practices, and companies that take advantage of our citizens will be held accountable,” the AG stated.

    State Issues State Attorney General Settlement Enforcement FDCPA Deceptive Debt Collection

  • Colorado releases guidance on data privacy and security in advance of CPA implementation

    Privacy, Cyber Risk & Data Security

    On January 28, the Colorado attorney general issued prepared remarks and guidance on data security best practices in advance of the implementation of the Colorado Privacy Act (CPA). As covered by a Buckley Special Alert, the CPA was enacted last July to establish a framework for personal data privacy rights and provides consumers with numerous rights, including the right to access their personal data, opt out of certain uses of personal data, make corrections to personal data, request deletion of personal data, and obtain a copy of personal data in a portable format. The Colorado AG has enforcement authority for the CPA, which does not have a private right of action. The CPA is effective July 1, 2023, with certain opt-out provisions taking effect July 1, 2024.

    AG Phil Weiser stated that, by this fall, his office will post a formal Notice of Proposed Rulemaking, including a proposed set of model rules, with the goal of adopting a final rule roughly a year from now. AG Weiser also outlined best practices that will be weighed in determining whether a company is acting reasonably to safeguard sensitive information. Notably, the AG’s office will first evaluate whether a company has identified the types of data it collects and established a system for storing and managing that data (including disposal procedures). Considerations will then be made as to whether the company has a written information security policy and a written data incident response plan. The AG’s office will also examine a company’s practices for monitoring vendors’ data security measures. AG Weiser also referenced the recently released Data Security Best Practices guidance, which outlines key steps companies should take to protect consumer data, including ways to adopt information security and incident response policies, train employees on mitigating and responding to cybersecurity attacks, and notify appropriate parties in the event of a data breach, among other topics.

    Privacy/Cyber Risk & Data Security State Issues Colorado State Attorney General

  • California investigating loyalty programs for CCPA compliance

    Privacy, Cyber Risk & Data Security

    On January 28, the California attorney general announced an “investigative sweep” of businesses operating loyalty programs in the state. The California Consumer Privacy Act (CCPA), which became effective January 1, 2020, requires businesses that offer financial incentives in exchange for personal information, including loyalty programs, to provide consumers with a notice that clearly describes the material terms of the financial incentive program before consumers opt in. (See InfoBytes coverage of the CCPA here.) Notices of noncompliance were sent to several businesses whose loyalty programs allegedly violated the CCPA, including data brokers, marketing companies, businesses handling children’s information, media outlets, and online retailers. Businesses have 30 days to cure or fix the alleged violation and come into compliance with the law before the initiation of an enforcement action. “I urge all businesses in California to take note and be transparent about how you’re using your customer’s data,” Attorney General Rob Bonta stated in the announcement. “My office continues to fight to protect consumer privacy, and we will enforce the law.”

    Privacy/Cyber Risk & Data Security State Issues State Attorney General California CCPA

  • States reach $1.85 billion settlement with student loan servicer

    State Issues

    On January 13, a coalition of attorneys general from 38 states and the District of Columbia reached a $1.85 billion settlement with one of the nation’s largest student loan servicers, resolving allegations that it engaged in misconduct when servicing student loans. The settlement, subject to court approval, brings to an end multistate litigation and investigations into the allegations that the servicer steered borrowers into costly forbearances and expensive repayment plans rather than helping borrowers find affordable income-driven repayment (IDR) plans. The servicer denies violating any consumer financial laws or causing borrower harm, as stated in a separate press release, but has agreed to maintain servicing practices to support borrower success.

    Under the terms of the settlement, the servicer has agreed to cancel more than $1.7 billion in private student loan balances owed by roughly 66,000 borrowers. An additional $95 million in restitution payments of about $260 each will also be sent to approximately 357,000 federal student loan borrowers, and the servicer will also pay approximately $142.5 million to the signatory AGs. The settlement also requires the servicer to make several reforms, including explaining the benefits of IDR plans and offering estimated income-driven payment options to borrowers prior to placing them into deferment or discretionary forbearance. The servicer is also required to notify borrowers about the Department of Education’s Public Service Loan Forgiveness limited waiver opportunity (covered by InfoBytes here), implement changes to its payment-processing procedures to limit certain fees for late payments or entering forbearance status, and improve communications informing borrowers of their rights and obligations.

    State Issues State Attorney General Enforcement Settlement Student Lending Student Loan Servicer

  • New York AG alerts companies on “credential stuffing” cyberattacks

    State Issues

    On January 5, the New York attorney general issued a report highlighting the results of an investigation into “credential stuffing.” The investigation discovered over 1.1 million online accounts compromised in cyberattacks at 17 well-known companies. The report, Business Guide for Credential Stuffing Attacks, details these attacks, which involve repeated, automated attempts to access online accounts using usernames and passwords stolen from other online services, and provides recommendations on how businesses can protect themselves. Through credential stuffing, which is one of the most common forms of cyberattacks, offenders utilize automated software to reuse stolen usernames and passwords, relying on the human tendency to reuse the same credentials to access various online accounts and platforms. The AG’s office launched the investigation “in light of the growing threat of credential stuffing,” and monitored several online communities dedicated to credential stuffing. According to the report, the office discovered thousands of posts that had customer login credentials that were tested by hackers in a credential stuffing attack and found that the information could be used to access other accounts. From these posts, the office compiled credentials to compromised accounts at seventeen companies, which consisted of online retailers, restaurant chains, and food delivery services, and collected credentials for over 1.1 million customer accounts, all of which seemed to have been compromised. After alerting the companies regarding the compromised accounts and urging them to investigate and take protective action, every company did so.

    The report recommended that businesses maintaining online accounts have a data security program, including effective safeguards for protecting customers from credential stuffing attacks in four areas: (i) defending against credential stuffing attacks; (ii) detecting a credential stuffing breach; (iii) preventing fraud and misuse of customer information; and (iv) responding to a credential stuffing incident. Specifically, three safeguards considered to be “highly effective” at defending against credential stuffing attacks were bot detection services, multi-factor authentication, and password-less authentication. The report also recommended that companies require reauthentication at the time of a purchase. Additionally, “[b]usinesses should have a written incident response plan that includes processes for responding to credential stuffing attacks” and notification to affected parties.

    State Issues New York Investigations State Attorney General Privacy/Cyber Risk & Data Security

  • New York AG settlement cancels debt

    State Issues

    On December 29, the New York attorney general announced a settlement with a New York-based off-campus private student housing provider (respondent) for allegedly deceiving hundreds of students, primarily at a New York state college, since 2019. According to the assurance of discontinuance, the respondent, among other things: (i) routinely collected interested students’ information; (ii) persuaded students to sign leases without first determining certain qualifications; (iii) denied students access to housing; (iv) alleged students owed thousands in rent; and (v) referred students to debt collectors. The respondent also allegedly charged students excess rent and fees and disclosed to some students that they could get out of their lease if they found another student to take it over, but then unlawfully charged a $300 “delegation” fee. The respondent allegedly at times permitted some students to prepay rent if it believed they did not meet certain qualification criteria, in violation of state rent laws, and charged certain students excessive late fees for each month of rent that was not timely paid. The terms of the settlement cancel more than $200,000 in improper debts, recover $65,958 in restitution, and impose a $50,000 civil penalty on the respondent. The settlement also prohibits the respondent from committing fraudulent and predatory practices in the future.

    State Issues Debt Collection State Attorney General New York Consumer Finance
