Can You Hear Me Now? Important Considerations for Avoiding Penalties under the TCPA after ACA International

Can You Hear Me Now? Important Considerations for Avoiding Penalties under the TCPA after lACA Internationa In a previous blog post, we examined the “mixed bag” result of the D.C. Circuit Court of Appeals opinion in ACA International v. Federal Communications Commission. The ACA International decision narrowed the scope of potential liability for businesses under the Telephone Consumer Protection Act (TCPA) by striking down inconsistent and overly broad portions of the Federal Communications Commission’s (FCC) guidance regarding the definition of an automated telephone dialing system (ATDS). Prior FCC orders’ extraordinarily broad interpretation of an ATDS had the effect of encompassing smartphones within the provisions of the TCPA, resulting in potential liability for texts and phone calls from ordinary consumers. The D.C. Circuit’s decision to invalidate the FCC’s guidance without providing lower courts with a clearer ATDS definition has spawned confusion and uncertainty among district courts, and created more questions than answers.

After overturning several inconsistent portions of the prior FCC orders, the ACA International court acknowledged that numerous questions remain regarding the proper interpretation of the TCPA, including, among others:

Whether the definition of a “random or sequential number generator” includes a scenario where a business uses software to auto-dial from a list of phone numbers (known as “predictive dialers”), such as in the case of debt collectors, as opposed to generating random phone numbers;
Whether a predictive dialer would qualify as an ATDS in a scenario where a list of numbers is generated separately from a separate device and loaded into the predictive dialer; and
Whether a call must actually be made using the automated-dialing technology in order to trigger the TCPA, or whether the equipment must simply have the capacity to do so.

Only two federal appeals courts have issued opinions since ACA International was decided in March of this year. In King v. Time Warner Cable Inc., the Second Circuit Court of Appeals’ view of “capacity” under the TCPA focused on whether a dialing system has “the present capacity to function as an autodialer by generating random or sequential telephone numbers and dialing those numbers” without additional modifications, regardless of whether the auto-dialing capabilities were used for the offending call. The Third Circuit Court of Appeals reached a similar conclusion in Dominguez on Behalf of Himself v. Yahoo, Inc., concluding that courts should analyze the extent of modification necessary to obtain autodialing capabilities. Dominguez tracked the analysis in ACA International, in which the D.C. Circuit appeared to draw a distinction between a device that could obtain the ability to generate and dial random numbers based on “flipping of a switch” versus a “top-to-bottom reconstruction of the equipment.” This issue is one of the few for which ACA International provided specific guidance.

The meaning of the phrase “random or sequential number generator” and whether that applies to predictive dialers is not addressed in King or Dominguez. The Second Circuit explicitly left such “complicated questions” to be addressed by the district court upon remand.

King and Dominguez serve as recent evidence that the TCPA continues to pose significant risks to unwary businesses in the aftermath of ACA International. The D.C. Circuit’s refusal to provide guidance to lower courts will likely result in continued uncertainty for the foreseeable future. In this environment, pertinent policies and procedures and dialing software capabilities must be continually reassessed to ensure their compliance with both evolving case law and future FCC guidance, including:

Automation – Businesses should consider available options for software that requires human intervention to dial consumers’ phone numbers and does not possess the capacity to generate random phone numbers, either currently or with slight modification.
Controls – Businesses should ensure that consumers’ cell phones are flagged to avoid auto-dialed and pre-recorded calls to their cell phones. It is important to note that companies can still be held liable for calls to consumers’ home phones if the consumer is charged for the call (known as the TCPA’s “call-charged provision”).
Consent – Consent is an absolute defense, and the status of the consumers’ consent to receive phone calls should be monitored at all times. The ACA International decision reinforced that consumers can revoke consent “through any reasonable means” expressing a desire to cease communications, which presumably includes oral revocation but involves a “totality of the facts and circumstances” analysis. If the consumer revokes his/her consent, businesses should terminate auto-dialed and pre-recorded messages to that consumer immediately. In most jurisdictions, written consent can be established through a business relationship in which the consumer provides his/her cell phone number in conjunction with that relationship.

A proactive compliance approach is the best defense against the potentially calamitous consequences of failing to promptly respond and adapt to the shifting TCPA landscape.

ICO and Cryptocurrency Enforcement Update

By Steve Snyder on September 14, 2018 Posted in Blockchain, Digital Currency / Cryptocurrency, SEC

ICO and Cryptocurrency Enforcement Update September 11, 2018, was a big day for Initial Coin Offering (ICO) and crypto-related enforcement activity. In the Eastern District of New York, Judge Raymond Dearie issued an order neglecting to dismiss an indictment against Maksim Zaslavskiy for securities fraud relating to Zaslavisky’s involvement with an ICO for “REcoin” and another referred to as “Diamond.” This case originated with a civil complaint filed almost a year ago in September 2017, which was stayed pending the criminal case filed in January 2018. Meanwhile, FINRA filed a complaint against Timothy Ayre for “attempt[ing] to attract public investment in his worthless public company, ‘Rocky Mountain Ayre,’” which purportedly touted “the first minable coin backed by marketable securities.” And rounding it out, the SEC issued back-to-back orders regarding the resolution of enforcement actions against TokenLot LLC and Crypto Asset Management LP. The following is a brief summary of each of these developments.

Zaslavskiy – 17CR147 (E.D.N.Y.)

Summary: The defendant was indicted for securities fraud and conspiracy to commit securities fraud in relation to both REcoin and Diamond. Defendant brought a motion to dismiss alleging that REcoin and Diamond did not involve securities and that the securities laws are unconstitutionally vague as applied.

Detail: REcoin was purportedly a cryptocurrency backed by real estate holdings, and Diamond was purportedly backed by diamonds. The court’s order contained two separate analyses relating to the defendant’s conduct, with the court noting that the “Indictment charges a straightforward scam.” This characterization presumably relates to the allegation that despite the names and representations, defendant never purchased any real estate or diamonds to back the purported cryptocurrencies. The court first analyzed whether a reasonable jury could find that REcoin and Diamond were investment contracts. In concluding yes, the court was careful to note that the ultimate question of whether REcoin and Diamond were investment contracts was a fact-specific question left to the ultimate fact-finder. Nevertheless, the court analyzed them with the Howey analysis (see Howey, 328 U.S. 293 (1946)). The court found that a reasonable jury could conclude for both REcoin and Diamond that (1) investors invested money, (2) in a common enterprise, and (3) the investors expected profits solely from the managerial efforts of defendant and his co-conspirators.

A second analysis focused on the question of whether U.S. securities laws are unconstitutionally vague as applied to defendant’s conduct. The court notes that the defendant attempted to frame the question as whether the laws were vague when applied to cryptocurrencies, but the court declined to opine so broadly, limiting its analysis to defendants’ conduct without apparently reaching the question of whether REcoin or Diamond were properly classified as cryptocurrencies. In its analysis the dourt found that the defendant failed to demonstrate that a person of ordinary intelligence would not have had sufficient notice that the charged conduct was proscribed. This is perhaps the most interesting aspect of the ruling as it cites Howey as making “it reasonably clear at the relevant time that [the charged] conduct was criminal.” In supporting that conclusion the court cited established case law delineating the meaning of “investment contract.” However, the court also noted some guidance relating to cryptocurrency, citing an SEC Report from late July 2017, a Wall Street Journal article from January 2018, and a public SEC statement from December 2017. Defendant’s purportedly criminal conduct started in January 2017 and ended in October 2017, a few months after the SEC report and before the other materials cited. Also, the quote from the January 2018 Wall Street Journal article that the court includes in a parenthetical merely says “some products that are labeled as virtual currencies have characteristics that make them securities.” The mentions of cryptocurrency leave some room for additional guidance as it is unclear if the court would view REcoin or Diamond as improperly labeled cryptocurrencies, or whether they were properly labeled cryptocurrencies and nevertheless securities. Instead, the court seems to consider the question of whether REcoin or Diamond were properly labeled cryptocurrencies as moot because they were schemes, as alleged, which “fall within the ordinary concept of a security.”

Conclusion: The court denied the motion to dismiss, and the case will proceed to trial.

FINRA – Timothy Tilton Ayre (CRD No. 2091556)

Summary: According to the complaint, Ayre made material omissions and false statements regarding his “worthless public company, Rocky Mountain Ayre, Inc.” (RMTN) in violation of the Exchange Act and FINRA Rule 2020. Ayre subsequently is alleged to have acquired rights to a digital token “HempCoin” and packaged it as a security offering. FINRA further alleges he did not file a registration with the SEC, and no sales were exempt from registration. He also is alleged to have sold convertible debt in RMTN without registering the sale. These offers and sales of unregistered securities violated the Securities Act and FINRA Rule 2010 according to the allegation. FINRA claims jurisdiction over Ayre due to his prior registration as a broker-dealer.

Detail: Ayre’s case has some interesting aspects as outlined in the following allegations from the complaint. RMTN was traded over the counter and quoted on OTCM’s Pink Market. RMTN was a rebrand of Ayre’s company ATI, which was a holding company that owned a bistro at the time of the change. The complaint cites the HempCoin website and the statement “Hemp coin is the First Minable Coin Backed by Marketable Securities,” saying it “made clear that the cryptocurrency was a security.” The “Marketable Securities” referred to in the HempCoin statement are shares in “RMTN,” and presumably the conclusion in the statement that HempCoin was a security is predicated on Ayre saying it was “backed” by RMTN. This is echoed in a later section relating to the cause of action for unlawful sales of an unregistered security, where the complaint affirmatively states that “Ayre created a security when he purchased the rights to HempCoin and ‘backed’ the cryptocurrency with shares of RMTN. . . .” The complaint also describes a litany of improper actions purportedly taken by Ayer unrelated to whether HempCoin is a security. Ayer is alleged to have made material misstatements and omissions in public filings about RMTN, including misstatements about the business itself (that it was acquiring “fast-growing food and hospitality and, manufacturing and retail businesses”), failure to disclose the terms of the HempCoin Asset Purchase Agreement, and inflating the company’s disclosed assets.

Relief Requested: The complaint seeks a finding that the respondent willfully violated the Exchange Act in making material misrepresentations and omissions, violated FINRA Rule 2010 with negligent misrepresentations, and violated the Securities Act for the offer and sale of unregistered securities and for making private security transactions.

SEC – TokenLot LLC (33-10543)

Summary: Respondents acted as unregistered broker-dealers by operating a website allowing investors to buy digital tokens such as Bitcoin, Ether, and others (secondary sales), and by facilitating investment in nine ICOs.

Resolution: Respondents consent to cease-and-desist, agree to “develop and execute a plan to refund ICO’s proceeds,” “refund[] investors’ payments for certain secondary market sales,” pay approximately $500,000 to the SEC in disgorgement, and are barred from association with any broker, dealer, etc.

SEC – Crypto Asset Management, LP (CAM) (33-10544)

Summary: Respondents formed CAM for the purpose of managing Crypto Asset Fund, LLC (CAF), a pooled investment vehicle investing in digital assets. CAM violated the Securities Act through unregistered sales of securities through interstate commerce, unregistered sale of interest in an investment company, and obtaining money by means of untrue statement of material fact or omission. The latter was predicated on CAM’s statement that CAF was the “first regulated crypto asset fund in the United States.” CAM remediated by making a rescission offering, disclosing prior misstatements, and began offering securities pursuant to Regulation D Rule 506(c) exemption from registration.

Resolution: Respondents were censured and order to pay a penalty in the amount of $200,000 to the SEC.

CalCoPA – Does It Apply to Your Organization?

By Steve Snyder and Erin Jane Illman on September 5, 2018 Posted in Compliance, Cybersecurity, Data Privacy, State Law Developments

As discussed in Part 1, the California Consumer Privacy Act of 2018 (CalCoPA) is a game-changing privacy act that sets a new bar for consumer privacy rights in the U.S. The primary reason it differs from existing legislation is that it goes beyond merely having to provide assurances or notices and requires organizations to be prepared to respond to individual requests with disclosures regarding consumers’ data collection and use.

The Act was Amended last week to add some explicit preemptions and to extent the timetable for the California Attorney General to promulgate rules and procedures governing opt-out to the sale of personal information and for making and responding to the requests for disclosures discussed below, among other things. It is likely that CalCoPA will be amended again, but nevertheless organizations should not delay in considering its impact. Although the act references January 1, 2020, affected organizations should start considering its implications as soon as possible. January 1, 2020, is the date that consumers can “request a business to disclose the categories and specific pieces of personal information that it collects about the consumer, the categories of sources from which that information is collected, the business purposes for collecting or selling the information, and the categories of 3rd parties with which the information is shared.” An important point is that those disclosures must cover the preceding 12 months. In other words, as of January 1, 2019, affected organizations must have made what could be significant changes to the way they process and track data to insure they can comply with the disclosure requirements.

At a high level the disclosures will have to cover essentially all the details as to what information is collected from and about a consumer for the preceding 12 months, as well as essentially all the details as to what information about a consumer was sold to other entities in the preceding 12 months. We will not get into the specifics on those disclosures here, because we first need to address the critical threshold question that you should be asking—will my organization be subject to CalCoPA?

Figure 1 shows a quick reference flow chart to tell if your organization is subject to CalCoPA. Although the decision points are fairly straightforward, some elaboration is necessary.

The first point of note is that CalCoPA only applies to entities operated for “profit or financial benefit” of owners or shareholders. If your organization fits that description you have to consider whether you collect personal information about California residents and do business in California. Although the act uses the term “consumer” throughout, it defines consumer to mean California resident. However, the location of the consumer during the collection is not limited so if you collect personal information from a California resident in any context it could be applicable.

While the precise delineation of “doing business in California” is not provided, there are other California regulations that have provided a definition. One that may be a good reference point is from the California Corporations Code that defines “doing business” as “transact[ing] intrastate business,” which is further specified as “entering into repeated and successive transactions of its business in [California].” Given that CalCoPA is a privacy law, one might expect the protection to be broadly construed such that this doing business requirement may not provide much limitation. California could construe this act’s “doing business” to mean not much more than entering into transactions where a California consumer’s personal information is obtained and where the transaction involves either the consumer, the organization, or possibly some other aspect of the transaction physically located in California. An example of a situation that is likely safely excluded is if the organization only interacts with California consumers in a physical location outside of California, such as a brick and mortar store in another state. However, such a store that then ships store purchases to residents back in California may be in a gray area until further guidance is available.

If your organization does (or may) collect California residents’ personal information and does business in California, CalCoPA will only apply if one or more of three thresholds are met: your organization (1.) has reasonably large annual revenue (>$25,000,000), (2.) processes (receives, buys, sells, shares) personal information for over 50,000 consumers annually, or (3.) derives over half of its revenue from selling consumers’ personal information. Keep in mind that “consumer” here is still limited to California residents. So the first category relates to the size of the company only, while the other two relate to how much California consumer information the company handles on a gross and relative scale, respectively.

One important twist involves the second threshold, which in full states: “(B) Alone or in combination, annually buys, receives for the business’ commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.” Unpacking the definitions of personal information, which includes a large number of categories including identifiers such as Internet Protocol (IP) addresses, and the defintion of “device,” which is “any physical device capable of connecting to the Internet,” suggests this threshold should be studied carefully as it may be the lowest bar for many companies. The full list of categories of personal information are listed below, but consider that merely collecting the IP address of separate devices could make this threshold fairly easy to meet.

Organizations should quickly get a handle on whether CalCoPA will apply to them, or if it may in the future in view of evolving business developments. If so, they should begin to make the changes necessary to insure the ability to comply with the requests for records starting on January 1, 2019.

DEFINITION OF PERSONAL INFORMATION:

(1) “Personal information” means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information includes, but is not limited to, the following:

(A) Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.

(B) Any categories of personal information described in subdivision (e) of Section 1798.80.

(D) Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.

(E) Biometric information.

(F) Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement.

(G) Geolocation data.

(H) Audio, electronic, visual, thermal, olfactory, or similar information.

(I) Professional or employment-related information.

(J) Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, 34 C.F.R. Part 99).

(K) Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.

HUD and DOJ Challenge Facebook’s Advertising Platforms under the Fair Housing Act

By A. Michelle Canter, Heather Howell Wright and Christopher K. Friedman on September 4, 2018 Posted in Fair Lending, FinTech, HUD

HUD and DOJ Challenge Facebook’s Advertising Platforms under the Fair Housing Act The U.S. Department of Housing and Urban Development (HUD) has filed an administrative complaint against Facebook alleging discriminatory advertising in violation of the Fair Housing Act (FHA). HUD alleges that housing advertisers can use Facebook’s advertising tools and algorithms to exclude applicants based on protected categories such as race, sex, or national origin. Four days after the HUD complaint was filed, the U.S. Attorney for the Southern District of New York filed a Statement of Interest in support of a separate federal lawsuit in which the National Fair Housing Alliance (NFHA) alleges Facebook allows housing advertisers to discriminate against certain protected classes. The NHFA litigation, as well as the actions of HUD and the Justice Department, could have far-reaching implications for financial institutions, lenders, real-estate brokers, property managers, and any other organization advertising real estate over social media. Moreover, these filings signal that HUD and the Justice Department will not be shy about applying Title VIII protections to emerging technologies, such as big data.

In 2016, ProPublica issued a report claiming that housing advertisers could use Facebook’s advertising platforms to exclude users based on protected categories. Following this report, NFHA, a non-profit dedicated to eliminating housing discrimination, began its own investigation of Facebook’s advertising platform. Two years later, NFHA and three other public interest groups filed a complaint in the United States District Court for the Southern District of New York alleging that Facebook’s advertising platform violated the FHA and the New York City Human Rights Law.

The NFHA lawsuit targets housing advertisers’ ability to “exclude” or “include” certain categories of users while using Facebook’s advertising tools. For instance, plaintiffs allege that in 2016, NFHA created an advertisement for a fictitious apartment using Facebook’s “Ad Manager” platform. NFHA then purportedly used Facebook’s “exclude” function to exclude “African-Americans” and “Hispanics” from the advertisement’s audience. NFHA also allegedly used Facebook’s “boost” capability to amplify its posts advertising the fake apartment by sending the post to some users while excluding others who fell within certain protected categories. In 2018, NFHA alleges it conducted a second investigation after Facebook announced it would no longer allow housing, credit, and employment advertisers to exclude users based on racial categories. During this second investigation, NFHA alleges it was still able to create ads and “boost” posts that excluded individuals based on race, sex, family status, and disability status. The plaintiffs seek a declaration that Facebook’s advertising policies violate the FHA and the New York City Human Rights Act, an injunction, compensatory and punitive damages, and attorneys’ fees.

Five months after the NFHA plaintiffs filed their lawsuit, HUD filed a “me-too” administrative complaint alleging similar conduct against Facebook. According to HUD, Facebook allows housing advertisers to discriminate by, among other things, “showing ads only to men or only to women[,]” “showing ads only to users whom Facebook categorizes as interested in the ‘Christian Church,’ ‘Jesus,’ ‘Christ’ or the ‘Bible[,]’” and “drawing a red line around majority-minority zip codes and not showing ads to users who live in these zip codes.” According to the HUD complaint, “[t]he alleged policies and practices of Facebook violate the Fair Housing Act based on race, color, religion, sex, familial status, national origin and disability.”

Finally, on August 17, 2018, the Justice Department – through the U.S. Attorney for the Southern District of New York – filed a statement of interest in support of the NFHA plaintiffs. Specifically, the Justice Department filed its Statement of Interest in response to Facebook’s motion to dismiss, which argued, in part, that Facebook was “merely an interactive computer service” and therefore was immunized from FHA liability by the Communications Decency Act. In the Statement of Interest, the Justice Department rejected Facebook’s characterization, asserting that “[b]y allegedly collecting user data, collating user data, and classifying its users based in part upon protected characteristics, Facebook participates in the ‘mak[ing],’ of an ‘advertisement’ ‘that indicates any preference, limitation, or discrimination.’”

While the NFHA suit and the recent filings by HUD and the Justice Department address alleged publisher liability and do not directly relate to the advertisers themselves, housing advertisers should pay close attention to this litigation. Social media advertising has become an integral part of businesses marketing to consumers and, as illustrated by this litigation, data-driven, targeted marketing likely will create new and unexpected avenues for liability. Moreover, HUD and the Justice Department’s apparent interest in how the FHA applies to social media marketing suggests agencies and regulators may start scrutinizing how housing advertisers use big data and targeted advertising to market and sell housing.

CFPB Student Loan Ombudsman Abruptly Resigns in Protest

By Grant A. Premo on August 30, 2018 Posted in CFPB, Federal Agencies, Regulatory Supervision, Student Loan Servicing

CFPB Student Loan Ombudsman Abruptly Resigns in Protest In another move reflecting the Consumer Financial Protection Bureau’s (CFPB) shifting focus on student lending, the CFPB’s Student Loan Ombudsman announced his resignation on August 27, 2018. In his resignation letter, Seth Frotman, who served as the Student Loan Ombudsman for the past three years, criticized reforms implemented by the CFPB’s current leadership and charged the CFPB leadership with “abandoning” student lending consumers.

Frotman’s resignation comes three months after the CFPB announced organizational changes eliminating the Office of Students and Younger Consumers, which investigated student loan problems. The CFPB announced that the Office of Students and Younger Consumers was being folded into the CFPB’s financial education office, signaling a shift from investigation to education.

In his resignation letter, Frotman criticized the current CFPB leadership’s “sweeping changes” to the CFPB’s oversight of the student lending industry and identified areas of tension with the Department of Education. Frotman alleged that the current CFPB leadership “folded to political pressure” from the Department of Education to reduce its oversight and enforcement of the student lending industry. As an example of reduced oversight, Frotman alleged that the CFPB leadership suppressed publication of a report critical of “the nation’s largest banks.” Frotman also claimed that senior leadership at the CFPB silenced criticism of the Department of Education’s “attempts to preempt state consumer laws.”

Frotman has worked at the CFPB since its inception in 2011 and was designated as the Student Lending Ombudsman in 2016. Frotman previously served on the Senate Committee on Health, Education, Labor, and Pensions and was the Deputy Chief of Staff for U.S. Rep. Patrick Murphy, D-Pa.

The position of Student Lending Ombudsman was created by the Dodd-Frank Act to review and attempt to resolve borrower complaints and make recommendations to various executive branch officers and congressional committees. The Secretary of the Treasury, Stephen Mnuchin, has the power to designate the Student Lending Ombudsman.

Kathy Kraninger—the current nominee to head the CFPB—is awaiting a confirmation vote in the Senate to replace the CFPB’s Acting Director Mick Mulvaney. Kraninger currently serves under Mulvaney at Office of Management and Budget and is widely expected to continue with Mulvaney’s reforms to the CFPB, including as it relates to student lending oversight.

Potential Bank Customer Data Exposed through Fiserv Platform Flaw

By Erin Jane Illman, Steve Snyder and Lesley Smith DeRamus on August 28, 2018 Posted in Compliance, Cybersecurity, Data Privacy, Identity Theft / Privacy, Vendor Management

Potential Bank Customer Data Exposed through Fiserv Platform Flaw

Security researchers and cybersecurity experts recently discovered a weakness in Fiserv’s web platform, which may have exposed the personal and financial details of customers across hundreds of internet banking sites. The flaw involved a messaging platform used by Fiserv to send account alerts to customers of Fiserv-affiliated banks. These alerts can be set up to notify the customer of certain events, such as when a balance passes a threshold. Someone noticed that the alert was provided in the form of a link to a web page having a numeric event identifier in the web address, like 17835. They found that by changing the number they could access an alert for another customer. So, for example, by simply changing 17835 to 17836 and leaving the rest of the web address the same, the user could access an alert for another customer. This would show the user another customer’s email address, phone number, and the last four digits of the customer’s bank account number in addition to allowing the user to view and even edit alerts setup by the other customer. The user could even edit the email address or phone numbers where the other customer’s alerts would be sent. Fiserv has reportedly addressed this flaw by making the messages no longer sequential, replacing the event identifier number with a pseudo-random string of characters.

KrebsOnSecurity made this discovery public today. Data security breaches are key risk areas for businesses, and an effective breach management process can help minimize that risk. While there are still many unanswered questions, we anticipate many banks and financial services organizations who utilize the Fiserv platform may receive questions from customers, users, investors and, possibly, regulators. Organizations who may be at risk should consider engaging their Incident Response Team to review any abnormal log-ins and conduct an internal investigation. In addition, organizations should review their vendor services agreements (including those with Fiserv) to determine who is ultimately responsible for data security incidents.

If you have any questions about the Fiserv platform flaw or data incident response, please contact one of the attorneys in the Privacy, Security and Innovation team at Bradley.

OCC: Fintechs May Now Apply for Bank Charters

By Andrew J. Narod, Jennifer L. Galloway, Erin Jane Illman and J. David Stewart III on August 1, 2018 Posted in CFPB, FinTech, OCC, Small-Dollar Lending

OCC: Fintechs May Now Apply for Bank Charters The Office of the Comptroller of the Currency announced, in a highly anticipated decision, that it would begin to consider special-purpose charter applications from fintech entities. This move, which has been the subject of months of industry speculation, came mere hours after the Department of the Treasury endorsed a national charter for fintech companies. This development will allow fintech firms to opt in to a national regulatory scheme rather than the current state law regulation in this market sector.

The OCC’s decision was the subject of a great deal of resistance from state regulators while it was under consideration, and the decision was criticized heavily by state regulators immediately following Tuesday’s announcement. Regulators from New York and California, in particular, described the move as a “regulatory train wreck in the making” and “not authorized under the National Bank Act.”

The OCC’s decision, however, appears focused upon increasing marketplace innovation and inclusivity. Commissioner Joseph Otting released a statement applauding the potential for increased consumer choice, adding that “Providing a path for Fintech companies to become national banks can make the federal banking system stronger by promoting economic growth and opportunity, modernization and innovation and competition.” The Bureau of Consumer Financial Protection’s (BCFP) acting director Mick Mulvaney also issued unprecedented comments on the decision. Mulvaney stated “We welcome the important steps taken by our fellow agencies to promote innovation. Success will be determined by how well U.S. regulators coordinate their efforts. We look forward to working with our State and Federal partners to ensure American global leadership in the Fintech space for years to come.”

Observers believe that chartering qualified fintech companies as national banks will also have significant public policy benefits. The national bank charter provides a framework of uniform standards and supervision; applying this framework to qualified fintech companies may level the playing field with regulated institutions. In addition, applying the OCC’s uniform supervision over national banks, including fintech companies, will assist in promoting consistency in the application of laws and regulations across the country and in promoting the fair treatment of consumers.

While this is a significant development, it will require fintech companies to carefully consider whether they can meet the application requirements, as well as consider what institutional changes they may need to accomplish to comply with OCC supervision. Under the strict parameters set forth by the OCC, fintech companies have significant decisions ahead regarding whether to seek this special-purpose charter. As government at all levels becomes more active in the fintech space, fintech companies need to consider how and when they engage with all levels of government to ensure that their business is understood and their interests protected.

Administration Seeks to Up the Bar for Student Loan Forgiveness Based on Fraud

By Keith S. Anderson on July 30, 2018 Posted in Fair Lending, Student Loan Servicing

Administration Seeks to Up the Bar for Student Loan Forgiveness Based on Fraud The Trump administration is looking to stiffen the criteria for borrowers to obtain forgiveness of their student loans based on fraud. If enacted, this higher criteria would mark a significant shift for students who seek forgiveness under the established borrower defense claim.

According to Secretary of Education Betsy DeVos, the Department of Education’s “commitment and our focus has been and remains on protecting students from fraud. The regulations proposed today accomplish that by laying out clear rules of the road for higher education institutions to follow and holding institutions, rather than hardworking taxpayers, accountable for making whole those students who were harmed by an institution’s deceptive practices.”

The proposed Institutional Accountability regulations would, among other things:

Require students to be in default before they could apply for the loan forgiveness
Require students to show that the school had an “intent to deceive” or exhibited reckless disregard for the truth.
Replace a state standard for adjudicating claims with a federal standard to expedite review of student claims
Facilitate collection of evidence to decide claims and ensure the Secretary of Education can recoup losses from the institutions where there are successful borrower defense claims.
Reduce the time to file a borrower defense application from six years to three years.
Would allow schools to use arbitration agreements during enrollment, which previously resulted in the loss of federal funding.
Encourage students to seek remedies directly from the schools that committed the misrepresentation

The Obama administration established the “borrower defense” to allow student loan forgiveness if a school misled students or engaged in other misconduct, but the borrower was only required to show that the school had engaged in false advertising. The proposed requirements, however, would establish a higher test to show that the misrepresentation was done intentionally or with “reckless disregard of the truth.” Additionally, the Obama-era rule allowed for forgiveness of a group all at once if the school was shown to be clearly fraudulent, but the new rule would consider each application on a case-by-case basis.

Although consumer advocates have sharply criticized the proposal as making it more difficult for victims of fraud, the department responded that it is only proposing stronger requirements to document the fraud and that “if a student has actually been defrauded, it is not harder at all to receive loan relief,” according to Department of Education Deputy Press Secretary Sara Broadwater. The department reiterated that it seeks to protect both the borrowers as victims of fraud as well as taxpayers who pay for fraudulent loan forgiveness claims.

According to one source, about 140,000 student loan borrowers have applied for forgiveness under the borrower defense rule in the past three years. Most fraud claims to the Deptarment of Education relate to for-profit schools, which receive approximately 15 percent of the government’s financial aid.

The proposed regulations are open for public comment over the next 30 days to allow the Education Department to finalize the rule by November 1. The new rules would go into effect in July 2019. Stay tuned in the coming months as both industry and consumer advocates provide reaction to the proposals.

BCFP Enters Consent Order with Small Dollar Lender

By Lee Gilley and J. Riley Key on July 24, 2018 Posted in CFPB, Payday Lending, Small-Dollar Lending, TILA, UDAAP

BCFP Enters Consent Order with Small Dollar Lender Triton Management Group, Inc. (Triton) and several related companies entered into a consent order with the Bureau of Consumer Financial Protection (Bureau) in which Triton agreed to a $1 civil money penalty, $500,000 in consumer redress, and injunctive relief. Triton is a financial services company that originates, purchases, services, and collects on short-term secured and unsecured loans. Triton operates over 100 locations in Alabama, Mississippi, and South Carolina.

The Highlights

The Bureau alleged that Triton engaged in deceptive conduct under the Consumer Financial Protection Act (CFPA) by providing misleading disclosures regarding the finance charge paid on auto title loans originated at one of six Mississippi locations. Mississippi law requires auto title loans to have a term of not more than 30 days, but allows for repeated extensions of the repayment period every 30 days provided certain conditions are met. Triton, in its loan documents, provided the finance charge and total cost of the loan associated with a one-month period, but provided a 10-month payment schedule. The Bureau contended that this 10-month payment schedule was the presumptive payment schedule and that Triton failed to disclose the actual finance charge associated with the 10-month payment schedule.

The Bureau further alleged that the failure to provide the finance charge associated with the 10-month payment schedule violated the Truth in Lending Act (TILA) because it did not clearly reflect the terms of the legal obligations between the parties.

The Bureau also indicated that Triton violated TILA’s advertising restrictions by posting three in-store advertisements that included the payment amount for certain loans without disclosing the annual percentage rate. TILA requires advertisements with certain trigger terms, including the payment amount, to include other mandatory information such as the annual percentage rate.

The Bureau identified $1,522,298 in interest payments made directly or indirectly by consumers that exceeded the amount of the finance charges stated in the disclosures. However, it agreed to reduce the amount of consumer redress to $500,000 based on Triton’s financial condition. The company’s financial condition is also the likely reason that the Bureau only assessed a $1 penalty.

Impacted Industries

The Triton consent order has implications for virtually all financial services companies. While the loans at issue were short-term auto loans, the CFPA and the cited provisions of TILA apply to virtually all financial services companies.

What It Means

First, financial services companies should take note of the interplay between federal and state legal requirements. While it is impossible to be certain, it appears Triton’s efforts to comply with state law contributed to the inaccurate finance charge disclosures. While the tangled relationship between state and federal law can create compliance challenges, attempts to comply with state law do not excuse violations of federal law.

Second, financial services companies should pay close attention to their disclosures, especially disclosures regarding the amount of money paid by consumers. The post-Cordray Bureau may be less inclined to push the envelope, but this consent order indicates that the Bureau will require companies to refund payments of amounts that are not clearly disclosed. For Triton, the consumer loans made at just six of its more than 100 locations led to a potential exposure of over $1.5 million in consumer repayments—which could have been substantially higher had the Bureau imposed more than a nominal monetary penalty.

Third, financial services companies must closely monitor their advertising materials. The Bureau may have foregone an enforcement action if the three in-store advertisements were the only allegation at issue. That said, the Bureau clearly decided that the presence of only three in-store advertisements warranted mention in this consent order.

Nevada Courts Provide Additional Guidance on HOA Super Priority Lien Law for Lenders

By Stephen Parsley and R. Aaron Chastain on July 19, 2018 Posted in Foreclosure, HOA Super Priority Liens, State Law Developments

As we’ve discussed on this blog before, Nevada’s courts remain a battleground for lenders seeking to establish that their security interests were not eliminated by homeowners’ association foreclosure sales under NRS 116. In recent weeks, the Ninth Circuit and Supreme Court of Nevada have issued new opinions providing more guidance to ultimately resolve those issues. Lenders now have more support for two of their strongest arguments. First, for loans owned by Fannie Mae and Freddie Mac, the Nevada Supreme Court held that the security interests could not have been extinguished by a homeowners’ association’s foreclosure sale due to the preemptive effect of the Housing and Economic Recovery Act (HERA), even if the loan had been placed into a securitized trust. Second, the court reaffirmed its recognition of the doctrine of tender, holding that under longstanding blackletter law, a lender’s unconditional offer to pay the full superpriority amount of the association’s lien caused that lien to be discharged, and protected the lender’s security interest in the ensuing association foreclosure sale. On the other hand, the Nevada Supreme Court also issued a decision in favor of association-sale purchasers, holding that an association’s sale of the right to receive payment from a delinquent homeowner’s account to a third party did not deprive the association of standing to foreclose upon its lien.

First, HERA seems to be the lenders’ strongest arguments, and both the Ninth Circuit and the Nevada Supreme Court have consistently ruled in favor of lenders on that point. In 2017, the Ninth Circuit endorsed the argument in Berezovsky v. Moniz, holding that HERA’s so-called “Federal Foreclosure Bar” barred NRS 116 sales from extinguishing deeds of trust securing loans owned by Fannie Mae and Freddie Mac. In March 2018, the Supreme Court of Nevada reached the same conclusion in Saticoy Bay LLC Series 9641 Christine View v. Fannie Mae.

On June 25, 2018, the Ninth Circuit issued its second major opinion on HERA in FHMLC v. SFR Investments Pool 1, rejecting an argument made by SFR (the purchaser at the association’s sale and a frequent player in the litigation) that the Federal Foreclosure Bar did not apply to loans that had been securitized. The court held that the securitization of a loan did not prevent the Federal Housing Finance Agency (FHFA) from succeeding to ownership of that loan when it became conservator of Fannie Mae and Freddie Mac. To the contrary, the court wrote that HERA “confers additional protections upon [Fannie and Freddie’s] securitized mortgage loans” (emphasis original). The court also rejected SFR’s argument that FHFA deprived it of a property right without due process. The court wrote that NRS 116 “does not mandate … vestment of rights in purchasers at HOA foreclosures sales” and so held that purchasers “lac[k] a legitimate claim of entitlement.”

Purchasers will probably continue to seek to challenge the application of HERA, even after the FHLMC decision, possibly by challenging specific evidence offered in support of the lender’s position that Fannie Mae or Freddie Mac owned the loan at the time of the association’s foreclosure sale. But both the Ninth Circuit and the Nevada Supreme Court have consistently rejected every argument the purchasers have raised to date; after FHMLC, it looks like that streak will continue.

Second, the Nevada Supreme Court recently addressed another one of the lenders’ strongest arguments: that a lender or servicer’s pre-foreclosure offer to pay the association’s superpriority lien extinguished that lien, and thereby protected the lender’s security interest in the association’s foreclosure sale. On April 27, the Nevada Supreme Court issued its opinion in Bank of America, N.A. v. Ferrell Street Trust, which reaffirmed the underlying validity of the lenders’ tender arguments, even if it did not address every issue. In Ferrell Street Trust, the court made several pro-lender statements about the law of tender: (1) Tender is sufficient to discharge the lien and preserve the lender’s interest; (2) an unjustified rejection of valid tender does not prevent the lien from being discharged; (3) the tendering party does not have to deposit a rejected payment into escrow to “keep the tender good;” and (4) an “unconditional offer to pay” is valid tender. The court reversed the district court’s grant of summary judgment for the purchaser and remanded the case for further development with proper application of the tender doctrine.

Ferrell Street Trust was an unpublished, non-binding decision and did not purport to resolve every issue concerning the application of the tender doctrine in HOA sale cases. While it is helpful in noting that the underlying premise of the tender argument appears to be valid and well-grounded in the law, we will have to wait for a more comprehensive published decision (which could come at any time) for the final word on tender.

Finally, in West Sunset 2050 Trust v. Nationstar Mortgage, LLC, the Nevada Supreme Court ruled against lenders’ interest in a case that involved an unusual, though not unique, fact pattern. In West Sunset, a third party had entered into a factoring agreement with the homeowners’ association, under which the third party received the right to any recovery by the association against a homeowner’s delinquent account. After the association foreclosed, the servicer challenged the validity of the foreclosure sale, arguing that the factoring agreement had severed the lien from the underlying debt and thereby made the lien unenforceable. The Nevada Supreme Court rejected this argument, holding that the agreement did not affect the relationship between the association and the homeowner—and thus, by extension—could not be challenged by the party with a security interest on the homeowner’s property. The court concluded with a note that it is “disinclined to so interfere with HOA’s financing practices” absent a policy rationale.

The latest trio of decisions provides some more clarity to the Nevada landscape, although—as we’ve reported for years now—there are still issues to be decided. The application of HERA seems nearly unassailable at this point, however, representing a significant victory for lenders’ interests. We will continue to monitor the courts in hopes of a similar comprehensive victory on the tender issue.