InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
California AG takes action against casino for AML violations
On November 5, the California attorney general filed an administrative accusation with the California Gambling Control Commission against a California casino for violating the Bank Secrecy Act’s (BSA) anti-money laundering provisions. The action, which follows a federal investigation, alleges that the casino “overlooked, neglected, or was willfully blind to accusations and actions taken against other casinos for violations of the BSA and for failing to maintain adequate Anti Money Laundering (AML) programs.” The casino had previously entered into a Non-Prosecution Agreement with the U.S. Attorney’s Office for the Central District of California, accepted responsibility for “failing to properly file reports for a foreign national who conducted millions of dollars in cash transactions at the casino,” and agreed to pay $500,000 and undergo an increased review of its AML compliance program to prevent future violations, according to a DOJ press release. The California AG now seeks to hold the casino and its owners responsible for state law violations.
District Court grants MTD in CFPB, NY AG debt collector case
On October 27, the U.S. District Court for the Western District of New York denied a motion to dismiss an action brought by the CFPB and the New York attorney general against the operators of a debt-collection scheme, rejecting the defendants’ argument that they did not have fraudulent intent and their actions were taken for legitimate reasons. As previously covered by InfoBytes in April, the CFPB and the AG filed a complaint against the defendants for allegedly transferring ownership of his $1.6 million home to his wife and daughter for $1 shortly after he received a civil investigative demand and learned that the Bureau and the AG were investigating his debt-collection activities. The complaint further alleged that the transfer of the property was a fraudulent transfer under the FDCPA and made with the intent to defraud (a violation of the New York Debtor and Creditor Law), and that the owner-defendant “removed and concealed assets in an effort to render the Judgment obtained by the Government Plaintiffs uncollectable.” In 2019 the Bureau and the AG settled with the debt collection operation to resolve allegations that the defendants established and operated a network of companies that harassed and/or deceived consumers into paying inflated debts or amounts they may not have owed (covered by InfoBytes here).
The court denied the defendants’ motion to dismiss, concluding that the CFPB and AG raised sufficient allegations that the debtor’s transfers and mortgage on his property were knowingly fraudulent. The court determined that fraudulent intent under the FDCPA may be determined by several factors, sometimes called “badges of fraud,” including whether “‘the transfer or obligation was to an insider,’ ‘the debtor retained possession or control of the property transferred after the transfer,’ ‘before the transfer was made or obligation was incurred, the debtor had been sued or threatened with suit,’ ‘the value of the consideration received by the debtor was reasonably equivalent to the value of the asset transferred or the amount of the obligation incurred,’ and ‘the transfer occurred shortly before or shortly after a substantial debt was incurred.’” The court held it was reasonable to infer that the defendant was aware “that he would likely face civil prosecution” and judgments “would be beyond his ability to pay.” The court noted that the defendant engaged in transferring a personally significant asset—his $1.6 million residence—to two insiders for nominal consideration, which was considered to be “highly unusual.” Additionally, the defendant alleged that he continued to “’reside at and exercise control over’ the property and is now unwilling or unable to pay off the judgment,” which indicated the conveyance was also part of a sham divorce. Further, the court noted that “the complaint plausibly alleges that the mortgage ‘was not granted in good faith’ and was ‘made with the intent to make it appear that the Property was encumbered.’”
9th Circuit denies bid to block Arizona’s dealer data privacy law
On October 25, the U.S. Court of Appeals for the Ninth Circuit affirmed a district court’s order denying a motion for preliminary injunction against enforcement of an Arizona statute designed to strengthen privacy protections for consumers whose data is collected by auto dealers. Under the Dealer Law, database providers are prohibited from limiting access to dealer data by dealer-authorized third parties and are required to create a standardized framework to facilitate access. The plaintiffs—technology companies that license dealer management systems (DMS)—sued the Arizona attorney general and the Arizona Automobile Dealers Association in an attempt to stop the Dealer Law from taking effect. The plaintiffs contended that the Dealer Law is preempted by the Copyright Act because it gives dealers the right to access plaintiff’s systems and create unlicensed copies of its dealer management system, application programming interfaces, and data compilations. The plaintiffs further claimed the Dealer Law is a violation of the U.S. Constitution’s contracts clause.
On appeal, the 9th Circuit agreed that the plaintiffs were not entitled to a preliminary injunction. The appellate court concluded that the Dealer Law was not preempted by the Copyright Act, because, among other things, the plaintiffs could comply with the Dealer Law without having to create a new copy of its software to process third-party requests. Moreover, the 9th Circuit noted that even if the plaintiffs had to create copies of their DMS on their servers to process third-party requests, they failed to established that those copies would infringe their reproduction right, and the copies the plaintiffs took objection to “would be copies of its own software running on its own servers and not shared with anyone else.” The appellate court further held that the Dealer Law was not a violation of the U.S. Constitution’s contracts clause because, among other things, plaintiffs did not show that complying with the Dealer Law prevented them from being able to keep dealer data confidential. “Promoting consumer data privacy and competition plainly qualify as legitimate public purposes,” the appellate court wrote. “[Plaintiffs] point[] out that the Arizona Legislature did not make findings specifying that those were the purposes motivating the enactment of the statute, but it was not required to do so. The purposes are apparent on the face of the law.”
District Court approves non-party settlement in student debt-relief action
On October 20, the U.S. District Court for the Central District of California approved a settlement with two non-parties in an action brought by the CFPB, the Minnesota and North Carolina attorneys general, and the Los Angeles City Attorney, alleging a student loan debt relief operation deceived thousands of student-loan borrowers and charged more than $71 million in unlawful advance fees. As previously covered by InfoBytes, the complaint asserted that the defendants violated the CFPA, the Telemarketing Sales Rule, and various state laws. Amended complaints (see here and here) also added new defendants and included claims for avoidance of fraudulent transfers under the FDCPA and California’s Uniform Voidable Transactions Act, among other things. A stipulated final judgment and order was entered against the named defendant in July (covered by InfoBytes here), which required the payment of more than $35 million in redress to affected consumers, a $1 civil money penalty to the Bureau, and $5,000 in civil money penalties to each of the three states. The court also previously entered final judgments against several of the defendants, as well as a default judgment and order against two other defendants (covered by InfoBytes here, here, here, and here). The most recent settlement resolves a dispute between a court-appointed receiver and the two non-parties. The settlement requires the non-parties to pay $675,000 to the receiver.
States, consumer advocates urge agencies to explicitly disavow rent-a-bank schemes
On October 18, consumer advocates and several state attorneys general and financial regulators responded to a request for comments issued by the OCC, Federal Reserve Board, and the FDIC on proposed interagency guidance designed to aid banking organizations in managing risks related to third-party relationships, including relationships with fintech-focused entities. (See letters here and here.) As previously covered by InfoBytes, the proposed guidance addressed key components of risk management, such as (i) planning, due diligence and third-party selection; (ii) contract negotiation; (iii) oversight and accountability; (iv) ongoing monitoring; and (v) termination. Consumer advocates and the states, however, expressed concerns that the agencies’ proposed guidance does not “highlight the significant risks associated with high-cost lending involving third-party relationships,” and does not include measures to prevent banks from entering into nonbank lending partnerships (e.g. “rent-a-bank schemes”).
According to the consumer advocates’ letter, the agencies’ guidance “should unequivocally declare that it is inappropriate for a bank to rent out its charter to enable attempted avoidance of state consumer protection laws, in particular interest rate and fee caps, or state oversight through licensing regimes.” The consumer advocates stated that they are aware of six FDIC-supervised banks involved in rent-a-bank schemes with nonbank lenders making allegedly illegal high-cost loans, and urged the FDIC to take immediate, “overdue” action to put an end to them. Among other things, the consumer advocates said the new guidance should explicitly specify: (i) that a bank’s involvement in lending that exceeds state interest rate limits with a nonbank is a “critical activity”; (ii) that lending partnerships involving loans exceeding a fee-inclusive 36 percent annual percentage rate (APR) “pose especially high risks”; and (iii) that in instances where a loan exceeds the Military Lending Act’s 36 percent APR, the federal banking supervisor will directly examine the third-party partner and charge the bank for the cost of the examination.
The states wrote in their letter that “experience teaches us that, in the absence of an explicit disavowal of rent-a-bank schemes, the [p]roposed [g]uidance invites continued abuse of banks’ interest exportation rights, to the considerable detriment of state regulation, consumer protection, and banks’ safety and soundness.” The states strongly encouraged the agencies to “explicitly disavow rent-a-bank schemes.”
New York takes action on cryptocurrency lending platforms
On October 18, the New York attorney general ordered two unregistered cryptocurrency lending platforms to immediately cease their activities in the state and directed three additional platforms to provide information about their activities and products. The AG clarified that most virtual currency lending products “fall squarely within any of several categories of ‘security’ under the Martin Act,” and therefore platforms must comply with the Martin Act’s registration requirements unless exempt. According to the AG, the virtual currency lending products identified in these actions “promise a fixed or variable rate of return to investors, and claim to deliver those returns by, among other things, trading with, or further lending those virtual assets.” As such, the products are securities under the Martin Act, particularly those that accept virtual currencies in exchange for a rate of return. The press release provided a redacted version of a cease letter sent to one of the two unregistered platforms, which stated that platforms engaging in unregistered activity have committed a fraudulent practice under the Martin Act and may face civil remedies. The platform is ordered to cease the alleged activity within 10 days or explain why the AG should not take further action. A different redacted letter requested information about the recipient’s products, where it operates, how the platform uses deposited virtual currency, whether U.S. dollars can be deposited or withdrawn from the platform, all financial institutions that are used, and whether the companies accept tethers, among other things. The letter also requested examples of agreements, contracts, and risk disclosures, as well as due diligence policies and procedures. These letters follow other actions taken recently by the AG against cryptocurrency trading platforms and token issuers (see e.g. InfoBytes here and here).
New Jersey settles CFA and HIPAA matter with fertility clinic
On October 12, the New Jersey attorney general and the Division of Consumer Affairs announced an action against a healthcare provider alleging that the defendant violated the New Jersey Consumer Fraud Act, the federal Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, and the HIPAA Security Rule by removing administrative and technological safeguards for protected health information (PHI) and electronic PHI (ePHI). The settlement resolves allegations that the defendant’s data breach allowed instances, between August 2016 and January 2017, of unauthorized access to the defendant’s network, which permitted at least one intruder to access consumer ePHI. Among other things, the defendant’s alleged violations include failing to: (i) ensure the confidentiality, integrity, and availability of ePHI; (ii) implement a mechanism to encrypt ePHI; (iii) review and modify security measures; (iv) implement proper procedures for creating, changing, and safeguarding passwords; and (v) implement verification procedures. According to the consent order, the defendant must pay $412,300 in civil penalties and $82,700 in investigative costs and attorney fees. The defendant is also required to implement extensive reforms to its data security system and encryption protocols to protect clients' PHI and prevent future breaches.
Colorado reaches agreement with financial institution to refund $1.68 million in unused GAP fees
On September 27, the Colorado attorney general announced that a financial institution has agreed to refund approximately $1.68 million to Colorado borrowers after allegedly failing to return guaranteed automobile protection (GAP) fees that were improperly retained by the financial institution. Under Colorado law, lenders are required to automatically refund borrowers any unearned GAP payments if a borrower prepays a loan prior to maturity or a vehicle is repossessed before the loan is paid off. Under the terms of the assurance of discontinuance, the financial institution (without admitting or denying liability) has agreed to comply with all legal obligations and issue refunds to affected borrowers. The financial institution will also pay $75,000 to the AG as reimbursement for costs. The AG noted that the financial institution voluntarily provided information concerning GAP payments to Colorado borrowers, fully cooperated in good faith, and has “committed to a robust oversight system to ensure” future compliance. The AG also noted that a separate credit union is currently determining the amount of GAP refunds it owes to consumers.
Student loan servicer agrees to produce requested records
On September 28, the Colorado attorney general announced that a Pennsylvania-based student loan servicer responsible for handling the federal Public Service Loan Forgiveness (PSLF) program has agreed to comply with a state law requiring consumer protection oversight. As previously covered by InfoBytes, the AG sued the servicer in May for allegedly failing to comply with state law when asked to provide certain documentation related to the servicer’s handling of the PSLF program during the Covid-19 pandemic. The servicer allegedly refused to produce the requested materials and only provided certain limited documents regarding non-government owned loans related to its business line. Under the terms of the assurance of discontinuance, the servicer (while denying any liability) has agreed to produce the requested records in compliance with the Colorado Student Loan Equity Act.
Massachusetts investigating data breach
On September 14, the Massachusetts attorney general announced the launch of an investigation to determine if an international wireless carrier had proper safeguards in place to protect consumer and mobile device information after a major data breach that allegedly compromised personally-identifying information of more than 50 million people. According to the carrier’s announcement, in July, the carrier experienced a breach where personally-identifying information, such as names, drivers’ license information, Social Security numbers, and addresses, among other things, of approximately 13.1 million current customers and 40 million former and prospective customers were compromised. According to the AG, the office is also investigating the circumstances of the breach and the steps the company is taking to address it and notify consumers. The AG urged affected consumers to take precautions “to ensure their information is safe, and to prevent identity theft and fraud” as the carrier continues to contact individuals. She also encouraged customers to utilize the free theft protection services being offered by the carrier, such as scam and account take-over protection for their cell phones, and to take precautionary steps, such as placing a credit freeze on credit reports.