InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
States seek to invalidate OCC true lender rule
On January 5, the New York attorney general, along with the attorneys general from six other states and the District of Columbia filed a complaint against the OCC in the U.S. District Court for the Southern District of New York challenging the OCC’s “true lender” final rule. As previously covered by InfoBytes, in October 2020, the OCC issued a final rule addressing when a national bank or federal savings association is the “true lender” in the context of a partnership between a bank and a third party to provide certainty about key aspects of the legal framework that applies. The final rule amends 12 CFR Part 7 to state that a bank makes a loan when it, as of the date of origination, (i) is named as the lender in the loan agreement, or (ii) funds the loan. The complaint argues, among other things, that the OCC exceeded its statutory authority, and “acted in a manner contrary to centuries of case law [and] the OCC’s own prior interpretation of the law.” The attorneys general reject the OCC’s contention that the final rule is intended to address “‘ambiguity’ in provisions of three federal banking statutes that generally authorize National Banks to make loans,” and instead argue that the rule seeks to preempt state usury law and “infringe on the States’ historical police powers and facilitate predatory lending.” The complaint seeks a declaratory judgment that the OCC violated the Administrative Procedures Act and requests the court set aside the final rule as unlawful.
State AGs reach $2 million settlement to resolve data breach
On December 18, state attorneys general from Connecticut, Indiana, Kentucky, Michigan, New Jersey, New York and Oregon announced a $2 million settlement with an online retailer concerning allegations that the retailer failed to promptly and adequately respond to a 2019 data breach that compromised more than 22 million consumers’ personal information. According to the Assurance of Voluntary Compliance, the retailer failed to detect a data breach that allowed an unidentified attacker to obtain information including Social Security numbers and tax identification numbers. After learning about the vulnerability from a third-party security researcher, the retailer issued a patch to remediate the vulnerability and required users to reset passwords on their customer accounts. However, the AGs claim that the retailer took nearly six months to conduct a full investigation into whether its user database had been breached, and, after determining that users’ personal information was for sale on the dark web, later began notifying affected users of the breach.
In addition to paying $2 million to the AGs, which is partially suspended due to the retailer’s financial condition, the retailer—who has not admitted to the alleged violations—has agreed to (i) develop and implement a comprehensive information security program; (ii) design an incident response and data breach notification plan to encompass preparation, detection and analysis, containment, eradication, and recovery; (iii) ensure personal information safeguards and controls are in place, such as encryption, segmentation, penetration testing, risk assessment, password management, logging and monitoring, personal information deletion, and account closure notification; and (iv) ensure third-party security assessments occur biennially for the next five years.
New York attorney general instructs law enforcement on eviction role
On January 7, the New York Attorney General James issued guidance for the state’s Sheriffs’ Association regarding law enforcement’s role in the eviction process during the Covid-19 public health crisis. The guidance reminds law enforcement that tenants may provide a declaration of hardship at any point in the eviction process to obtain an automatic stay of eviction until May 1. The guidance further notes that upon receipt of such a declaration law enforcement are prohibited from evicting the tenant and occupants and must notify the court.
Court enters nearly $90 million default judgment against student debt-relief defendants
On December 15, the U.S. District Court for the Central District of California entered a default judgment and order against two companies (collectively, “default defendants”) for their role in a student loan debt-relief operation. As previously covered by InfoBytes, the CFPB, along with the Minnesota and North Carolina attorneys general, and the Los Angeles City Attorney (together, the “states”), announced an action against the student loan debt relief operation (defendants) for allegedly deceiving thousands of student-loan borrowers and charging more than $71 million in unlawful advance fees. The complaint alleged that the defendants violated the Consumer Financial Protection Act, the Telemarketing Sales Rule, and various state laws by charging and collecting improper advance fees from student loan borrowers prior to providing assistance and receiving payments on the adjusted loans. In addition, the complaint asserts that the defendants engaged in deceptive practices by misrepresenting (i) the purpose and application of fees they charged; (ii) their ability to obtain loan forgiveness; and (iii) their ability to actually lower borrowers’ monthly payments. In September, the court entered final judgments against four of the defendants (covered by InfoBytes here), which included a suspended monetary judgment of over $95 million due to the defendants’ inability to pay.
The new default order enters a $55 million judgment against one of the defaulting defendants and requires the defaulting defendant to pay a $30 million civil money penalty with $50,000 of that sum going directly to each of the states. Additionally, the court entered a judgment of over $165,000 to the other defaulting defendant and total civil money penalties of $2.5 million, with $10,000 going to each of the states directly and an additional $1.25 million to California. The judgment also, among other things, permanently bans the defaulting defendants from telemarketing any consumer financial product or service and from selling any debt-relief service.
CFPB and Arkansas AG settle with company for failing to provide risk-based pricing notices
On December 11, the CFPB and the Arkansas attorney general announced a proposed settlement with a Utah-based home-security and alarm company for allegedly failing to provide proper notices under the FCRA. According to the complaint filed in the U.S. District Court for the Eastern District of Arkansas, the company allows consumers to defer payment for the alarm and security-system equipment over the life of a long-term contract, and therefore extends credit to its customers. The company—in extending credit to its customers—allegedly obtained and used consumers’ credit scores to determine the amount of activation fees it would charge for its products and services, and then charged consumers who had lower credit scores higher fees without providing those consumers with required risk-based pricing notices. Under the FCRA and implementing regulation, Regulation V, companies are required to provide notice to consumers if a consumer receives less favorable credit terms based on a review of his or her credit report. Under the proposed settlement, the company is required to pay a $600,000 civil money penalty, of which $100,000 will be offset provided the company pays that amount to settle related litigation with the State of Arkansas that is currently pending in state court. The company will also be required to provide proper risk-based pricing notices under the FCRA.
California proposes modifying CCPA regs again
On December 10, the California Department of Justice (Department) released a fourth set of proposed modifications to the regulations implementing the California Consumer Privacy Act (CCPA). As previously covered by InfoBytes, on October 12, the Department released a third set of proposed modifications to the regulations that went into effect on August 14. The Department noted that it received around 20 comments in response to the third set of proposed modifications and the fourth set of proposed modifications is to address those comments and/or to clarify and conform the proposed regulations to existing law. Highlights of the proposed modifications include:
- Amending Section 999.306, subd. (b)(3), to clarify that a business that sells (previously proposed as “collects”) personal information collected from consumers in the course of interacting with them offline shall inform consumers of their right to opt-out of the sale of their personal information by an offline method.
- The addition of Section 999.315, subd. (f), which identifies a uniform “opt-out button” to be used in addition to posting the notice of right to opt-out or used in conjunction with a “Do Not Sell My Personal Information” link.
Additionally, the Department provided notice that it added new documents and information to the rulemaking file, which was relied upon when adopting the proposed regulations.
Comments on the proposed modifications are due on December 28 by 5:00 p.m.
New Jersey charges MCA provider with deceptive practices
On December 8, the New Jersey attorney general announced an action against a merchant cash advance provider, its parent company, and six other associated entities (collectively, “defendants”) alleging the defendants violated the New Jersey Consumer Fraud Act (CFA) and the General Advertising Regulations through the marketing and transacting of their merchant cash advance (MCA) product. (The defendants are currently facing similar allegations from the FTC, covered by InfoBytes here.) According to the complaint, the defendants engaged in “unconscionable business practices, deceived consumers, and/or made false or misleading statements” by marketing and advertising an MCA product, which was allegedly structured as a short-term, high-cost loan. New Jersey argues that the MCA contracts contain terms that “eliminate the distinctions between loans (with fixed regular payments over a defined term) and legitimate MCAs (with variable payments tied to actual receivables and an undefined term).” New Jersey asserts that traditionally, MCA’s do not have a finite repayment term and thus, the fixed repayment period was the equivalent of a loan to its customers. Moreover, the agreements’ “fixed daily payments extracted from Consumers’ accounts have little to no relation to the businesses’ receivables.” Additionally, New Jersey asserts that the defendants allegedly engaged in unconscionable collection practices, including requiring consumers to sign, in their individual capacity and on behalf of their business, an Affidavit of Confessions of Judgment to obtain the MCA, which would allow judgment against both the Consumer’s business assets and personal assets in the event of a purported default. New Jersey is seeking a permanent injunction, civil penalties, restitution, and disgorgement.
Notably, the New Jersey complaint follows a recent enforcement action against a merchant cash advance provider in California (covered by InfoBytes here), where the California Department of Financial Protection and Innovation (DFPI) found, in apparent contrast to the New Jersey action, that MCA agreements with an indefinite repayment period, among other things, operate as a loan equivalent by, placing the “risk of repayment on the merchant by leaving the repayment period open until fully repaid (with fees and interest).”
Special Alert: Federal and state authorities take significant actions to address mortgage servicing concerns
On December 7, the Consumer Financial Protection Bureau, Multi-State Mortgage Committee of state mortgage banking regulators, and every state attorney general took actions against a large nonbank mortgage company for alleged violations pertaining to both mortgage origination and servicing practices that took place largely between January 2012 and December 31, 2015. The Special Inspector General for the Troubled Asset Relief Program also provided assistance as part of the government’s efforts. The settlement will result in approximately $85 million in remediation to consumers, the majority of which has been paid, and $6 million in fees and penalties. The Department of Justice, through its U.S. Trustee Program, also reached settlements with this mortgage company, as well as two national banks, pertaining to alleged violations of the bankruptcy code. Those three bankruptcy settlements will result in approximately $117 million of refunds and credits to impacted borrowers.
Maryland AG obtains $2.6 million in student debt relief
On November 16, the Maryland attorney general announced that it obtained over $2.6 million in debt relief from a third-party debt buyer for approximately 1,200 former students of a defunct Maryland-based for-profit college. In its press release, the AG alleged that the for-profit college offered “low-quality programs at a price significantly higher than comparable programs at Maryland’s public institutions.” According to the AG, due to the college’s high tuition, students had little choice but to take out loans issued by the college itself. After the college permanently closed, a court-appointed receiver sold the rights to collect the loans to a third-party debt buyer. The AG took the position that, because the college abruptly closed and failed to provide its students with the services promised, the loans should have been canceled rather than sold. To resolve the dispute, the AG and the third-party debt buyer entered into a settlement. Under the terms of the settlement, the third-party debt buyer agreed to cease collection on any of the outstanding loans and to refund approximately 75 percent of the payments collected from the students after it bought the loan portfolio. Furthermore, the debt buyer agreed to remove trade lines relating to the loans from the student’s credit reports.
CFPB, Colorado AG to host innovation office hours
On November 16, the CFPB and Colorado attorney general announced that they will host joint, virtual office hours on December 2, as part of the American Consumer Financial Innovation Network (covered by InfoBytes here). The office hours will provide innovators the opportunity to discuss issues related to financial technology, innovative products or services, and other matters related to financial innovation. Those interested need to request a virtual session by November 23 and should include details on what they would like to discuss at the meeting.