InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
FDIC issues December 2023 enforcement actions
On January 26, the FDIC released a list of administrative enforcement actions taken against banks and individuals in December 2023. During that month, the FDIC made public 12 orders consisting of “four orders of termination of deposit insurance; three orders terminating consent orders; two consent orders; one order terminating supervisory prompt corrective action directive; one order of prohibition from further participation; one order to pay a civil money penalty (CMP); and one Decision and Order to Prohibit from Further Participation and Assessment of Civil Money Penalty.”
Included is a consent order with a Mississippi-based bank for alleged Bank Secrecy Act violations, along with violations of a previous consent order from 2020, imposing a $600,000 civil money penalty. Also included is a consent order with a Kentucky-based bank, alleging the bank engaged in “unsafe or unsound banking practices and violations of law or regulation” relating to, among other things, the Bank Secrecy Act. The bank neither admitted nor denied the allegations but agreed to create a written plan to recover its losses from the bank’s relationship with a third-party loan program, to reduce the bank’s risk position in the program, and to stop granting any extensions of credit through adversely classified or criticized loans related to the third-party loan program. The consent order additionally requires the bank’s board to assess the sufficiency of the bank’s allowance for credit losses (ACL), ensuring the establishment of an appropriate ACL and to uphold and accurately report it. Specifically, “management shall review updated credit risk metrics and loss data for the third-party loan programs referenced in the ROE and ensure appropriate provisions to the ACL relative to this information.”
CFPB reflects on 2023 enforcement actions; states upcoming enforcement goals
On January 29, the CFPB released a blog post on its enforcement actions from 2023, as well as its outlook for 2024. In 2023, the CFPB reportedly filed 29 enforcement actions and resolved six final orders on previously filed lawsuits. Compensation-wise, the Bureau required entities to pay approximately $3.07 billion in compensation to consumers and nearly $500 million in civil money penalties. The CFPB highlights some key enforcement actions from 2023, such as helping protect servicemembers from loan exploitation, as previously covered in Infobytes here, and taking action against the alleged illegal junk advance fees from credit repair services, also covered in Infobytes here.
Looking forward to 2024, the CFPB stated its intent to increase its capacity. The Bureau’s outlook falls in line with previous comments from a CFPB representative in an FTC panel, covered by InfoBytes here. The blog post provides greater detail, outlining the Bureau’s plans to hire more technology experts to help enforce the law against emerging technologies, as well as expanding its enforcement capacity by adding more attorneys, analysts, paralegals, and economists, among others.
SEC rejects petition to amend the “no admit/no deny policy”
On January 30, the SEC rejected a nonprofit’s 2018 rulemaking petition that requested an amendment to Rule 202.5(e) under Commission Rule of Procedure 192(a), which outlines the terms for the Commission's acceptance of settlements in enforcement actions. Specifically, the rule prohibits settlements imposing sanctions if a defendant can publicly deny the Commission's allegations.
The rejection letter emphasizes the SEC’s authority to investigate securities law violations and initiate enforcement actions, saying that considering the request “could undermine confidence in the Commission’s enforcement program.” The SEC highlights its reliance on consent judgments and the contractual nature of settlements, as well as the potential implications of the proposed amendment on the SEC’s settlement process, adding that “it could undermine confidence in the Commission’s enforcement program.” SEC Chair Gary Gensler said in a statement supporting the decision that “a settlement that allows the denial of wrongdoing undermines the value provided by the recitation of the facts, and it muddies the message to the public.”
The Commission has decided not to amend Rule 202.5(e), affirming that the rule is a valid exercise of its authority in pursuing enforcement actions and settling cases. The policy allows the SEC to retain the option of seeking legal remedies if a defendant publicly denies allegations after settling. The letter also emphasizes that the constitutional and statutory arguments presented in the petition lack merit and conflict with established legal precedent regarding the waiver of rights in civil settlements. The Commission underscores the importance of the “no-deny” provision in preserving its ability to challenge public denials in court and rejects the notion that settling defendants can later deny allegations without consequence.
FTC orders companies and individuals to turn over millions
On January 17, the FTC announced two proposed settlements against an independent sales organization and its owners (collectively, “defendants”) for allegedly participating in deceptive and unfair acts and practices. The FTC alleges the defendants violated FTC Act, the Business Opportunity Rule, the Cooling-Off Rule, and the Consumer Review Fairness Act by targeting Spanish-speaking consumers with “false or unfounded earnings claims and other deceptive promises,” relating to business opportunities. According to the complaint, defendants sold business opportunities to Spanish-speaking consumers that used unsubstantiated earnings claims to convince consumers to pay thousands of dollars for its products and services. The complaint also alleged that although defendants’ marketing and sales were conducted largely in Spanish, the company’s purchase agreements that outline the cancellation policy were often provided exclusively in English. Additionally, the complaint alleged that defendants frequently rejected consumers’ refund requests as untimely, and when consumers reported the defendants to law enforcement or the Better Business Bureau, defendants offered partial refunds to those consumers contingent upon their withdrawal of their complaints and agreement to refrain from posting negative reviews about defendants.
The proposed stipulated order, among other things, would (i) permanently ban the defendants from offering any business coaching on ecommerce or real estate; (ii) require the defendants to support their claims about how much consumers can earn using any product or service that the defendants market or sell; (iii) prohibit the defendants from repeating the unlawful practices that formed the basis for the complaint; (iv) require defendants to pay $29,175,000 and surrender all funds and assets of the receivership entities and those additionally listed; and (v) identify repayment obligations of various financial institutions and require the identified financial institution to remit the balance of each identified account to the Commission. The defendants neither admitted nor denied any of the allegations in the complaint.
Bank to pay $18 million for violating a whistleblower protection rule
On January 16, the SEC accepted a global financial services firm’s offer of settlement to resolve allegations of violations of the whistleblower protection rule, which prohibits any action that might impede an individual from communicating with the SEC about securities law violations. According to the SEC, from March 2020 through July 2023, the firm asked clients to sign a confidential release if they were issued a credit or settlement from the firm of more than $1,000. The release required clients to “promise[] not to sue or solicit others to institute any action or proceeding against [respondent] arising out of events concerning the [a]ccount.” The SEC claimed that at least 362 clients have signed the release since 2020. In connection with the settlement, the firm agreed to be censured, to cease and desist further violations of the rule, and to pay an $18 million civil money penalty.
Texas resolves securities fraud case with decentralized finance lending platform
Recently, a decentralized finance crypto lending platform and its owners (respondents) entered into a settlement agreement with a Texas regulatory agency, resolving an emergency cease-and-desist action brought in June 2023. The Texas State Securities Board alleged that respondents committed securities fraud in connection with the offers and sales of investments, falsely denied the platform’s impending bankruptcy, and “secretly” transferred customer funds to a crypto exchange, as well as offered unregistered securities. Under the terms of the settlement, respondents have agreed to, among other things, (i) inform clients of its plan for asset return within seven days of the settlement and provide a seven-day window for clients to withdraw assets through the app; (ii) continue to provide customer support to prior customers; (iii) pay an administrative fine; and (iv) cease-and-desist from selling unregistered securities in the state without admitting or denying the allegations. Texas also agreed to dismiss its emergency cease-and-desist order as part of the settlement.
Colorado Attorney General fines debt collector $500,000 for collecting on illegal loans
On January 16, the Colorado State Attorney General (AG) reached a settlement agreement with a third-party debt collection company that is ordered to pay $500,000 to the State. The company previously contracted to collect debt from consumers on behalf of unlicensed lending entities associated with Native American tribes, or Tribal Lending Entities (TLEs). According to the settlement agreement, none of the TLEs were licensed Colorado lenders and all of their loan agreements with consumers contained finance charge terms that exceeded the Uniform Consumer Credit Code’s 12 percent finance charge cap on unlicensed lenders—with most having interest rates that exceeded 500 percent APR and some up to 900 percent APR. The AG alleged that, between 2017 and 2022, the company violated the Colorado Fair Debt Collection Practices Act by using “unfair or unconscionable means” to collect on defaulted TLE-issued loans by representing to consumers that the entire loan balance was owed to the TLEs, that the company was legally authorized to collect the payments, and that consumers were legally obligated to pay the full amount. The company denies that its conduct violated any state law and otherwise denies all allegations of wrongdoing. Along with the penalty, the company will be barred from collecting on any debt where the loan’s APR exceeded the 12 percent cap and will provide the State with a list of affected consumers within 30 days.
Fed’s OIG report on CFPB says training improvements needed to meet enforcement goals
Recently, the Office of Inspector General of the Federal Reserve Board released a report assessing the CFPB’s process for conducting enforcement investigations. The report makes two key recommendations. First, noting that the CFPB has not met its stated goal to file or settle 65 percent of its enforcement actions within two years, the OIG recommended that the CFPB Office of Enforcement incorporates the timing expectations for key steps in the enforcement process into the tracking and monitoring of matters. In addition, the Office of the Inspector General also recommended improvements to enforcement staff training on document maintenance and retention requirements for the CFPB’s matter management system. The report states that the recommendations were accepted by the CFPB, with a follow-up to ensure full implementation.
FTC bans data aggregator company from selling consumer data
On January 18, the FTC issued a complaint against a digital platform and data aggregator (the company) and ordered the company to no longer sell or license precise location data, among other requirements. As previously covered by InfoBytes, the FTC’s order followed a recent FTC decision against a data broker in which the FTC alleged the data broker’s contracts were “insufficient to protect consumers from the substantial injury” caused by location data collection as consumers visited sensitive locations, such as churches, healthcare facilities, and schools.
In this case, the company obtained large amounts of personal data on consumers’ demographic data, movements, and purchasing history and retained that information for five years. The company had applications and third-party apps that have been downloaded over 390 million times, leading to about 100 million unique devices sending location data each year to the company. Like the previous FTC order, this FTC order alleged the company collected sensitive information on where consumers live, work, and worship; where their children went to school; where they received medical treatment; and if they attended rallies or demonstrations. The FTC alleged that the company cross-references consumers’ data location histories with points of interest to advertisers, including offering a push notification about a product when a consumer is located near a store that sells that product.
The FTC alleged the company failed to notify users that consumers’ location data is used for targeted advertising. Additionally, the FTC alleged the company retains consumer data “longer than reasonably necessary” which the FTC argues could lead to future consumer injury. According to the FTC, these allegations constitute deceptive or unfair practices as prohibited by Section 5(a) of the FTC Act. Under the order, the company must not materially misrepresent how the company collects or uses consumers’ location data, the company must not sell or license location data, and the company must implement a sensitive location data program as proscribed by the order. The company must also delete all historical location data for all consumers which does not affirmatively consent to the continued retention of such data. The company neither admits nor denies any of these allegations.
Student loan servicer fined $1.8 million by Massachusetts Attorney General
On January 11, the Massachusetts Attorney General (AG) announced a $1.8 million settlement with a student loan servicer, to resolve allegations that the company did not properly communicate Income-Driven Repayment (IDR) plan renewals to borrowers. According to the settlement, IDR plans are a “helpful tool for managing unaffordable federal student loan debt and avoiding the consequences of default… [and respondent] is required to follow specific procedures intended to ensure that borrowers are able to successfully navigate the enrollment and annual recertification processes required for IDR.” The AG alleged that the respondent violated state law by sending written notices that did not meet regulatory requirements and failed to send required notices.
Under the terms of the settlement, respondent will (i) pay $1.8 million; (ii) include certain disclosures in renewal notice correspondence to borrowers; (iii) comply with requirements for FFELP loans owned by the DOE and enrolled in certain repayment plans; (iv) clearly disclosure to certain borrowers that failure to timely provide certain information about income or family size will result in increased monthly payments; and (v) retain copies of each written communication that it sends to borrowers regarding their IDR plans. The student loan servicer enters into this agreement for settlement purposes only (without admission).