HUD OIG Report Could be Precursor to Increased Partial Claim Reimbursement Demands

On September 21, 2018, the Department of Housing and Urban Development (“HUD”)’s Office of Inspector General (“OIG”) completed a review of HUD’s partial claims program. In many ways, the title of the OIG audit report, “HUD Did Not Have Adequate Controls To Ensure That Partial Claim Notes for FHA Loans Were Properly Tracked for Future Collection,” speaks for itself. As OIG reports typically drive process changes within HUD program offices, FHA mortgagees may need to brace for increased partial claim reimbursement demands, which typically total tens of thousands of dollars per loan.

A partial claim is a loss mitigation tool that allows lenders to advance funds on behalf of borrowers to reinstate a delinquent FHA-insured mortgage. The partial claim defers the repayment of mortgage principal through an interest-free subordinate mortgage that is not due until the first mortgage is paid off. HUD has strict guidelines requiring lenders to provide HUD with partial claims notes and mortgages within specific timeframes; failure to comply with those guidelines results in the lender being required to reimburse HUD for the total value of the partial claim plus the incentive fee (a “bonus” paid to the lender for each eligible loan that the lender enrolls in the partial claims program).

The OIG audited HUD’s partial claims program from January 1, 2013, until August 31, 2017, a timeframe that accounted for 407,984 partial claims totaling $11.7 billion. The OIG reviewed 695 of those partial claims at random and found that 421 (60.6%) contained deficiencies in the boarding process, i.e. entering the partial claims into HUD’s SMART system, and 394 (56.7%) contained deficiencies in HUD’s tracking of partial claims documents. For many of these deficient partial claims, the mortgage documents were either missing or had not been properly recorded before being sent to HUD.

In light of the error rate of tracking partial claim collateral documents, the OIG recommended that HUD reach out to lenders to obtain the missing documents or get them re-recorded, and also recommended that HUD require reimbursement for any loans for which the missing documents could not be obtained. The OIG report also recommended that HUD develop and implement additional controls to ensure these problems do not persist, meaning compliance by lenders will likely be under a microscope going forward.

In the last eighteen months, FHA mortgagees have seen an uptick in HUD making partial claim reimbursement demands from lenders that failed to strictly comply with HUD’s guidelines to timely provide HUD with the partial claims documents. This OIG report indicates that HUD will likely continue to aggressively pursue partial claims reimbursements from lenders who failed to comply with the guidelines, and may begin to pursue such reimbursements even more aggressively. In light of the report, FHA mortgagees would be well-advised to consider their potential liability and exposure from historic partial claim filings, ensure their current partial claims procedures strictly comply with HUD’s requirements, and consider all options when responding to a partial claim reimbursement demand from HUD.

Hold the Phone: Ninth Circuit Ruling Means Your Smartphone Is an Auto-Dialer

Can your phone store telephone numbers and dial them? If so, it’s an “automatic telephone dialing system” under the Telephone Consumer Protection Act (TCPA), said the Ninth Circuit Court of Appeals last week. The opinion in Marks v. Crunch San Diego creates a circuit split on the issue and highlights the difficulty courts have in applying statutory language from a pre-smartphone world to the technological capacity of the devices that half of you are using right now to read these words.

The facts of Marks are simple enough: Marks received three promotional text messages from Crunch Fitness gym over an 11-month period. The messages were sent from a system called Textmunication, which can store telephone numbers and send text messages to stored numbers. Seeking to represent a class, Marks sued under the TCPA, which generally prohibits the use of an auto-dialer to send such promotional text messages without the recipient’s consent. Crunch moved for summary judgment, saying that the Textmunication system was not an auto-dialer because it did not have a random or sequential number generator, and was not configured in a way that would permit this capacity to be added. The district court granted Crunch’s motion.

The Ninth Circuit reversed after analyzing language in the TCPA that the panel found to be “ambiguous on its face.” That finding was important because, the Marks court explained, a court can use “canons of statutory construction, legislative history, and the statute’s overall purpose to illuminate Congress’s intent” if language is ambiguous. The TCPA provision at issue says that a device is an auto-dialer if it has “the capacity (A) to store or produce telephone numbers to be called, using a random or sequential number generator, and (B) to dial such numbers.” Guided by its analysis of the TCPA’s overall statutory scheme, the Marks court explained “that the statutory definition of [an auto-dialer] is not limited to devices with the capacity to call numbers produced by a ‘random or sequential number generator,’ but also includes devices with the capacity to dial stored numbers automatically.” Thus, the panel concluded, the TCPA says it’s an auto-dialer if a device can (A) store telephone numbers to be called, or (B) produce telephone numbers to be called, using a random or sequential number generator. In other words, if your phone can store telephone numbers and dial them automatically, it’s an auto-dialer.

Arriving at this conclusion required some grammatical gymnastics. In the Ninth Circuit’s formulation, the statutory phrase “to be called” modifies both telephone numbers that are stored and telephone numbers that are produced. So far, so good. But the statute has an additional limiting phrase after “to be called,” set off by a comma: “using a random or sequential number generator.” Unlike “to be called,” the Ninth Circuit applied this second limiting phrase to only one of the things that comes before it. In effect, the comma before “using” causes the phrase to jump over “telephone numbers to be called” and modify “produce,” but not “store” – even though “telephone numbers to be called” is the object of both “store” and “produce.” That is a lot of work for a comma to do!

For those doing business with customers in the states covered by the Ninth Circuit, the immediate significance of the Marks decision is to highlight how careful everyone must be before sending an unconsented-to text, including those of us who have phones that can store and dial telephone numbers. But for companies defending TCPA class actions in the Ninth Circuit, all is not necessarily lost. For example, if some of the calls or texts at issue were made without the auto-dialer functionality, consider raising a typicality defense. A text sent by a person typing numbers into a phone – even if the device fits the statutory definition of an auto-dialer – causes a different kind of harm than a text sent by a machine that sent thousands of texts at once, even if both communications technically violate the TCPA. Also, if the class is a putative (b)(3) class and the class definition includes calls or texts to reassigned numbers, consider challenging commonality or predominance: the reasonableness of the caller’s belief that it had consent to call or text likely must be determined on an individual basis.

The Marks decision also sets up a circuit split on the auto-dialer issue. Earlier this year, the D.C. Circuit in ACA, Int’l v. FCC struck down the 2015 FCC rule interpreting the TCPA, in part because of the rule’s expansive definition of auto-dialer. The D.C. Circuit warned that such a broad definition – which was pretty close to “can store telephone numbers and dial them” – would make “nearly every American … a TCPA-violator-in-waiting, if not a violator-in-fact” because “every uninvited communication from a smartphone infringes federal law.”

If the FCC engages in additional rulemaking on the auto-dialer issue, FCC Chairman Ajit Pai, who dissented from the 2015 rule on the same grounds articulated by the D.C. Circuit, will preside over the process.

Federal Appeals Court Holds that Landlord May Be Liable for Deliberate Indifference to Tenant-on-Tenant Discrimination

The United States Court of Appeals for the Seventh Circuit recently addressed a matter of first impression regarding landlord liability under the Fair Housing Act (FHA): whether a landlord may be liable under the FHA for failing to address tenant-on-tenant discrimination. The court answered with a resounding “yes,” holding that the FHA creates liability where a landlord has actual notice of harassment based on protected status and chooses not to take reasonable steps within their power to stop the harassment. According to Lambda Legal, who brought the lawsuit, “the court has now put all landlords on notice that they have an obligation to take action to stop known harassment.” The effects of this decision will be felt nationwide and will certainly spark additional litigation against landlords and property-management companies.

Martha Wetzel moved into Glen Saint Andrew Living Community after Judy Kahn, her partner of 30 years, died. Wetzel’s tenancy at Glen Saint Andrew was governed by a lease agreement that guaranteed three meals served in a central location, access to the community room, and use of the laundry facilities. The agreement also conditioned Wetzel’s tenancy on refraining from “activity that [St. Andrew] determines unreasonably interferes with the peaceful use and enjoyment of the community by other tenants” or “a direct threat to the health and safety of other individuals.”

Wetzel alleges that she spoke openly to tenants and staff about her sexual orientation. According to Wetzel, she “was talking to the ladies and getting to know people, and they were talking about their children” when she volunteered that she raised a son with Judy Kahn. “They were shocked that I had a partner who was a woman . . . I could feel it.” According to the complaint, Wetzel’s fellow tenants responded with verbal and physical abuse. For instance, one resident “told Wetzel that he reveled in the memory of the Orlando massacre[,]” and another told her that “homosexuals will burn in hell.” One resident “rammed his walker into Wetzel’s scooter forcefully enough to knock her off a ramp,” and another “bashed her wheelchair into a dining table that Wetzel occupied, flipping the table on top of Wetzel.” In yet another instance, Wetzel was struck from behind hard enough to throw her from her scooter, causing her to suffer a “bump on her head and a black eye.”

Wetzel reported the abuse to Glen Saint Andrew’s staff, who “told Wetzel not to worry about the harassment, dismissed the conduct as accidental, denied Wetzel’s accounts, and branded her a liar.” Wetzel also alleged that Glen Saint Andrew took steps to retaliate against her by “relegate[ing] [her] to a less desirable dining room location . . . barr[ing] her from the lobby except to get coffee and halt[ing] her cleaning services, thus depriving her of access to areas specifically protected in the Agreement.” Glen Saint Andrew also purportedly accused her of smoking in her room and withheld the customary rent reminder in an apparent effort to manufacture a justification for her eviction. Ultimately, Wetzel filed a lawsuit against Glen Saint Andrew and several individual defendants, claiming that they violated the FHA by failing to “ensure a non-discriminatory living environment and retaliat[ing] against her for complaining about sex-based harassment.”

The defendants moved to dismiss, asserting that the FHA does not make a landlord liable for tenant-on-tenant harassment unless the landlord’s inaction was caused by discriminatory animus, and that – to the extent that Wetzel’s lawsuit relied on 42 U.S.C. § 3604(b) – this section does not apply to harassment claims brought by a tenant already occupying her home (post-acquisition harassment claims). The trial court agreed with the defendants and dismissed Wetzel’s claims. Wetzel appealed to the Seventh Circuit Court of Appeals.

Recognizing that the text of the FHA itself does not contain a test for landlord liability, the Seventh Circuit looked to Title VII, which governs employment discrimination, and Title IX, which governs discrimination in education. Under Title VII, an employer may be liable when its own negligence is the cause of prohibited harassment. Similarly, courts interpreting Title IX have held that school districts may be liable for student-on-student harassment when the district decides to remain idle even though it has actual knowledge of the harassment. The Seventh Circuit, therefore, reasoned that, because Title VII and IX are functionally equivalent to the FHA, the FHA must likewise allow liability for deliberate indifference to harassment: “Wetzel may be in [uncharted] territory . . . the Supreme Court’s interpretation of analogous anti-discrimination statutes satisfies us that her claim against St. Andrew is covered by the Act.”

The court also rejected Glen Saint Andrew’s arguments premised on Wetzel’s post-acquisition harassment claims. Specifically, the court recognized that 42 U.S.C. § 3604(b) protects individuals against discrimination in the “provision of services or facilities in connection” with the “terms, conditions, or privileges of sale or rental.” Here, the court held that Wetzel’s allegations that her fellow tenants’ harassment “impeded her from eating the meals she had paid for at the dining hall, visiting the lobby and other common spaces, and obtaining access to the laundry room” were sufficient to assert a post-acquisition claim because these actions deprived Wetzel of services and facilities to which she was entitled. The court also relied on the common law of property, which affords tenants the privilege of using the “totality of the rented premises.” Finally, the court rejected Glen Saint Andrew’s contention that Wetzel’s retaliation claim required allegations of discriminatory animus because, under well-settled law within the Seventh Circuit, the only claim under the FHA that requires intentional discrimination is an interference claim.

Although the Seventh Circuit’s admittedly “broad” reading of the FHA increases the risk of liability for landlords and property management companies, there are two important questions the Wetzel court left open that could limit the decision’s reach. First, while the court held that landlords are liable for deliberate indifference to tenant-on-tenant discrimination when they have actual notice, the court said nothing about constructive notice. On this issue, though, the U.S. Department of Housing and Urban Development (HUD) regulations hold landlords responsible for deliberate indifference when they “knew or should have known of the discrimination.” See 24 C.F.R. § 100.7(a)(1)(iii) (emphasis added).

Second, the Wetzel case involves an assisted living facility that provides various services to its tenants, and where the staff has a heightened level of responsibility over tenants’ wellbeing. This fact made it easier for the court to draw a comparison to Title IX, which applies to educational institutions. It is not altogether clear how a court would apply this analysis to other types of facilities.

Nevertheless, landlords and property management companies would be well-served to review their policies relating to harassment complaints, and provide training sessions with staff members regarding both their internal policies and the requirements of the FHA.

Can You Hear Me Now? Important Considerations for Avoiding Penalties under the TCPA after ACA International

In a previous blog post, we examined the “mixed bag” result of the D.C. Circuit Court of Appeals opinion in ACA International v. Federal Communications Commission. The ACA International decision narrowed the scope of potential liability for businesses under the Telephone Consumer Protection Act (TCPA) by striking down inconsistent and overly broad portions of the Federal Communications Commission’s (FCC) guidance regarding the definition of an automated telephone dialing system (ATDS). Prior FCC orders’ extraordinarily broad interpretation of an ATDS had the effect of encompassing smartphones within the provisions of the TCPA, resulting in potential liability for texts and phone calls from ordinary consumers. The D.C. Circuit’s decision to invalidate the FCC’s guidance without providing lower courts with a clearer ATDS definition has spawned confusion and uncertainty among district courts, and created more questions than answers.

After overturning several inconsistent portions of the prior FCC orders, the ACA International court acknowledged that numerous questions remain regarding the proper interpretation of the TCPA, including, among others:

  • Whether the definition of a “random or sequential number generator” includes a scenario where a business uses software to auto-dial from a list of phone numbers (known as “predictive dialers”), such as in the case of debt collectors, as opposed to generating random phone numbers;
  • Whether a predictive dialer would qualify as an ATDS in a scenario where a list of numbers is generated separately from a separate device and loaded into the predictive dialer; and
  • Whether a call must actually be made using the automated-dialing technology in order to trigger the TCPA, or whether the equipment must simply have the capacity to do so.

Only two federal appeals courts have issued opinions since ACA International was decided in March of this year. In King v. Time Warner Cable Inc., the Second Circuit Court of Appeals’ view of “capacity” under the TCPA focused on whether a dialing system has “the present capacity to function as an autodialer by generating random or sequential telephone numbers and dialing those numbers” without additional modifications, regardless of whether the auto-dialing capabilities were used for the offending call. The Third Circuit Court of Appeals reached a similar conclusion in Dominguez on Behalf of Himself v. Yahoo, Inc., concluding that courts should analyze the extent of modification necessary to obtain autodialing capabilities. Dominguez tracked the analysis in ACA International, in which the D.C. Circuit appeared to draw a distinction between a device that could obtain the ability to generate and dial random numbers based on “flipping of a switch” versus a “top-to-bottom reconstruction of the equipment.” This issue is one of the few for which ACA International provided specific guidance.

The meaning of the phrase “random or sequential number generator” and whether that applies to predictive dialers is not addressed in King. The Second Circuit explicitly left such “complicated questions” to be addressed by the district court upon remand. In Dominguez, meanwhile, the Third Circuit affirmed summary judgment in favor of the defendant on the basis that the defendant’s automated text messaging system did not qualify as an ATDS because it lacked the ability to generate and dial random or sequential numbers.

King and Dominguez serve as recent evidence that the TCPA continues to pose significant risks to unwary businesses in the aftermath of ACA International. The open questions contemplated by ACA International will likely result in continued uncertainty for the foreseeable future. In this environment, pertinent policies and procedures and dialing software capabilities must be continually reassessed to ensure their compliance with both evolving case law and future FCC guidance, including:

  • Automation – Businesses should consider available options for software that requires human intervention to dial consumers’ phone numbers and does not possess the capacity to generate random phone numbers, either currently or with slight modification.
  • Controls – Businesses should ensure that consumers’ cell phones are flagged to avoid auto-dialed and pre-recorded calls to their cell phones. It is important to note that companies can still be held liable for calls to consumers’ home phones if the consumer is charged for the call (known as the TCPA’s “call-charged provision”).
  • Consent – Consent is an absolute defense, and the status of the consumers’ consent to receive phone calls should be monitored at all times. The ACA International decision reinforced that consumers can revoke consent “through any reasonable means” expressing a desire to cease communications, which presumably includes oral revocation but involves a “totality of the facts and circumstances” analysis. If the consumer revokes his/her consent, businesses should terminate auto-dialed and pre-recorded messages to that consumer immediately. In most jurisdictions, written consent can be established through a business relationship in which the consumer provides his/her cell phone number in conjunction with that relationship.

A proactive compliance approach is the best defense against the potentially calamitous consequences of failing to promptly respond and adapt to the shifting TCPA landscape.

ICO and Cryptocurrency Enforcement Update

September 11, 2018, was a big day for Initial Coin Offering (ICO) and crypto-related enforcement activity. In the Eastern District of New York, Judge Raymond Dearie issued an order declining to dismiss an indictment against Maksim Zaslavskiy for securities fraud relating to Zaslavskiy’s involvement with an ICO for “REcoin” and another referred to as “Diamond.” This case originated with a civil complaint filed almost a year ago in September 2017, which was stayed pending the criminal case filed in January 2018. Meanwhile, FINRA filed a complaint against Timothy Ayre for “attempt[ing] to attract public investment in his worthless public company, ‘Rocky Mountain Ayre,’” which purportedly touted “the first minable coin backed by marketable securities.” And rounding it out, the SEC issued back-to-back orders regarding the resolution of enforcement actions against TokenLot LLC and Crypto Asset Management LP. The following is a brief summary of each of these developments.

Zaslavskiy – 17CR147 (E.D.N.Y.)

Summary: The defendant was indicted for securities fraud and conspiracy to commit securities fraud in relation to both REcoin and Diamond. Defendant brought a motion to dismiss alleging that REcoin and Diamond did not involve securities and that the securities laws are unconstitutionally vague as applied.

Detail: REcoin was purportedly a cryptocurrency backed by real estate holdings, and Diamond was purportedly backed by diamonds. The court’s order contained two separate analyses relating to the defendant’s conduct, with the court noting that the “Indictment charges a straightforward scam.” This characterization presumably relates to the allegation that despite the names and representations, defendant never purchased any real estate or diamonds to back the purported cryptocurrencies. The court first analyzed whether a reasonable jury could find that REcoin and Diamond were investment contracts. In concluding yes, the court was careful to note that the ultimate question of whether REcoin and Diamond were investment contracts was a fact-specific question left to the ultimate fact-finder. Nevertheless, the court analyzed them with the Howey analysis (see Howey, 328 U.S. 293 (1946)). The court found that a reasonable jury could conclude for both REcoin and Diamond that (1) investors invested money, (2) in a common enterprise, and (3) the investors expected profits solely from the managerial efforts of defendant and his co-conspirators.

A second analysis focused on the question of whether U.S. securities laws are unconstitutionally vague as applied to defendant’s conduct. The court notes that the defendant attempted to frame the question as whether the laws were vague when applied to cryptocurrencies, but the court declined to opine so broadly, limiting its analysis to defendant’s conduct without apparently reaching the question of whether REcoin or Diamond were properly classified as cryptocurrencies. In its analysis, the court found that the defendant failed to demonstrate that a person of ordinary intelligence would not have had sufficient notice that the charged conduct was proscribed. This is perhaps the most interesting aspect of the ruling as it cites Howey as making “it reasonably clear at the relevant time that [the charged] conduct was criminal.” In supporting that conclusion the court cited established case law delineating the meaning of “investment contract.” However, the court also noted some guidance relating to cryptocurrency, citing an SEC Report from late July 2017, a Wall Street Journal article from January 2018, and a public SEC statement from December 2017. Defendant’s purportedly criminal conduct started in January 2017 and ended in October 2017, a few months after the SEC report and before the other materials cited. Also, the quote from the January 2018 Wall Street Journal article that the court includes in a parenthetical merely says “some products that are labeled as virtual currencies have characteristics that make them securities.” The mentions of cryptocurrency leave some room for additional guidance as it is unclear if the court would view REcoin or Diamond as improperly labeled cryptocurrencies, or whether they were properly labeled cryptocurrencies and nevertheless securities. Instead, the court seems to consider the question of whether REcoin or Diamond were properly labeled cryptocurrencies as moot because they were schemes, as alleged, which “fall within the ordinary concept of a security.”

Conclusion: The court denied the motion to dismiss, and the case will proceed to trial.

FINRA – Timothy Tilton Ayre (CRD No. 2091556)

Summary: According to the complaint, Ayre made material omissions and false statements regarding his “worthless public company, Rocky Mountain Ayre, Inc.” (RMTN) in violation of the Exchange Act and FINRA Rule 2020. Ayre subsequently is alleged to have acquired rights to a digital token “HempCoin” and packaged it as a security offering. FINRA further alleges he did not file a registration with the SEC, and no sales were exempt from registration. He also is alleged to have sold convertible debt in RMTN without registering the sale. These offers and sales of unregistered securities violated the Securities Act and FINRA Rule 2010 according to the allegation. FINRA claims jurisdiction over Ayre due to his prior registration as a broker-dealer.

Detail: Ayre’s case has some interesting aspects as outlined in the following allegations from the complaint. RMTN was traded over the counter and quoted on OTCM’s Pink Market. RMTN was a rebrand of Ayre’s company ATI, which was a holding company that owned a bistro at the time of the change. The complaint cites the HempCoin website and the statement “Hemp coin is the First Minable Coin Backed by Marketable Securities,” saying it “made clear that the cryptocurrency was a security.” The “Marketable Securities” referred to in the HempCoin statement are shares in “RMTN,” and presumably the conclusion in the statement that HempCoin was a security is predicated on Ayre saying it was “backed” by RMTN. This is echoed in a later section relating to the cause of action for unlawful sales of an unregistered security, where the complaint affirmatively states that “Ayre created a security when he purchased the rights to HempCoin and ‘backed’ the cryptocurrency with shares of RMTN. . . .” The complaint also describes a litany of improper actions purportedly taken by Ayre unrelated to whether HempCoin is a security. Ayre is alleged to have made material misstatements and omissions in public filings about RMTN, including misstatements about the business itself (that it was acquiring “fast-growing food and hospitality and, manufacturing and retail businesses”), failure to disclose the terms of the HempCoin Asset Purchase Agreement, and inflating the company’s disclosed assets.

Relief Requested: The complaint seeks a finding that the respondent willfully violated the Exchange Act in making material misrepresentations and omissions, violated FINRA Rule 2010 with negligent misrepresentations, and violated the Securities Act for the offer and sale of unregistered securities and for making private security transactions.

SEC – TokenLot LLC (33-10543)

Summary: Respondents acted as unregistered broker-dealers by operating a website allowing investors to buy digital tokens such as Bitcoin, Ether, and others (secondary sales), and by facilitating investment in nine ICOs.

Resolution: Respondents consent to cease-and-desist, agree to “develop and execute a plan to refund ICO’s proceeds,” “refund[] investors’ payments for certain secondary market sales,” pay approximately $500,000 to the SEC in disgorgement, and are barred from association with any broker, dealer, etc.

SEC – Crypto Asset Management, LP (CAM) (33-10544)

Summary: Respondents formed CAM for the purpose of managing Crypto Asset Fund, LLC (CAF), a pooled investment vehicle investing in digital assets. CAM violated the Securities Act through unregistered sales of securities through interstate commerce, unregistered sale of interest in an investment company, and obtaining money by means of untrue statement of material fact or omission. The latter was predicated on CAM’s statement that CAF was the “first regulated crypto asset fund in the United States.” CAM remediated by making a rescission offering, disclosing prior misstatements, and beginning to offer securities pursuant to Regulation D Rule 506(c) exemption from registration.

Resolution: Respondents were censured and ordered to pay a penalty in the amount of $200,000 to the SEC.

CalCoPA – Does It Apply to Your Organization?

As discussed in Part 1, the California Consumer Privacy Act of 2018 (CalCoPA) is a game-changing privacy act that sets a new bar for consumer privacy rights in the U.S. The primary reason it differs from existing legislation is that it goes beyond merely having to provide assurances or notices and requires organizations to be prepared to respond to individual requests with disclosures regarding consumers’ data collection and use.

The Act was amended last week to add some explicit preemptions and to extend the timetable for the California Attorney General to promulgate rules and procedures governing opt-out to the sale of personal information and for making and responding to the requests for disclosures discussed below, among other things. It is likely that CalCoPA will be amended again, but nevertheless organizations should not delay in considering its impact. Although the act references January 1, 2020, affected organizations should start considering its implications as soon as possible. January 1, 2020, is the date that consumers can “request a business to disclose the categories and specific pieces of personal information that it collects about the consumer, the categories of sources from which that information is collected, the business purposes for collecting or selling the information, and the categories of 3rd parties with which the information is shared.” An important point is that those disclosures must cover the preceding 12 months. In other words, as of January 1, 2019, affected organizations must have made what could be significant changes to the way they process and track data to ensure they can comply with the disclosure requirements.

At a high level the disclosures will have to cover essentially all the details as to what information is collected from and about a consumer for the preceding 12 months, as well as essentially all the details as to what information about a consumer was sold to other entities in the preceding 12 months. We will not get into the specifics on those disclosures here, because we first need to address the critical threshold question that you should be asking—will my organization be subject to CalCoPA?

Figure 1 shows a quick reference flow chart to tell if your organization is subject to CalCoPA. Although the decision points are fairly straightforward, some elaboration is necessary.

The first point of note is that CalCoPA only applies to entities operated for “profit or financial benefit” of owners or shareholders. If your organization fits that description, you have to consider whether you collect personal information about California residents and do business in California. Although the act uses the term “consumer” throughout, it defines consumer to mean California resident. However, the location of the consumer during the collection is not limited, so if you collect personal information from a California resident in any context, the act could be applicable.

While the precise delineation of “doing business in California” is not provided, there are other California regulations that have provided a definition. One that may be a good reference point is from the California Corporations Code that defines “doing business” as “transact[ing] intrastate business,” which is further specified as “entering into repeated and successive transactions of its business in [California].” Given that CalCoPA is a privacy law, one might expect the protection to be broadly construed such that this doing business requirement may not provide much limitation. California could construe this act’s “doing business” to mean not much more than entering into transactions where a California consumer’s personal information is obtained and where the transaction involves either the consumer, the organization, or possibly some other aspect of the transaction physically located in California. An example of a situation that is likely safely excluded is if the organization only interacts with California consumers in a physical location outside of California, such as a brick and mortar store in another state. However, such a store that then ships store purchases to residents back in California may be in a gray area until further guidance is available.

If your organization does (or may) collect California residents’ personal information and does business in California, CalCoPA will only apply if one or more of three thresholds are met: your organization (1.) has reasonably large annual revenue (>$25,000,000), (2.) processes (receives, buys, sells, shares) personal information for over 50,000 consumers annually, or (3.) derives over half of its revenue from selling consumers’ personal information. Keep in mind that “consumer” here is still limited to California residents. So the first category relates to the size of the company only, while the other two relate to how much California consumer information the company handles on a gross and relative scale, respectively.

One important twist involves the second threshold, which in full states: “(B) Alone or in combination, annually buys, receives for the business’ commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.” Unpacking the definition of personal information, which spans a large number of categories including identifiers such as Internet Protocol (IP) addresses, and the definition of “device,” which is “any physical device capable of connecting to the Internet,” suggests this threshold should be studied carefully, as it may be the lowest bar for many companies. The full list of categories of personal information is given below, but consider that merely collecting the IP address of separate devices could make this threshold fairly easy to meet.

Organizations should quickly get a handle on whether CalCoPA will apply to them, or if it may in the future in view of evolving business developments. If so, they should begin to make the changes necessary to ensure the ability to comply with the requests for records starting on January 1, 2019.

DEFINITION OF PERSONAL INFORMATION:

(1) “Personal information” means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information includes, but is not limited to, the following:

(A) Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.

(B) Any categories of personal information described in subdivision (e) of Section 1798.80.

(C) Characteristics of protected classifications under California or federal law.

(D) Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.

(E) Biometric information.

(F) Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement.

(G) Geolocation data.

(H) Audio, electronic, visual, thermal, olfactory, or similar information.

(I) Professional or employment-related information.

(J) Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, 34 C.F.R. Part 99).

(K) Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.

HUD and DOJ Challenge Facebook’s Advertising Platforms under the Fair Housing Act

The U.S. Department of Housing and Urban Development (HUD) has filed an administrative complaint against Facebook alleging discriminatory advertising in violation of the Fair Housing Act (FHA). HUD alleges that housing advertisers can use Facebook’s advertising tools and algorithms to exclude applicants based on protected categories such as race, sex, or national origin. Four days after the HUD complaint was filed, the U.S. Attorney for the Southern District of New York filed a Statement of Interest in support of a separate federal lawsuit in which the National Fair Housing Alliance (NFHA) alleges Facebook allows housing advertisers to discriminate against certain protected classes. The NFHA litigation, as well as the actions of HUD and the Justice Department, could have far-reaching implications for financial institutions, lenders, real-estate brokers, property managers, and any other organization advertising real estate over social media. Moreover, these filings signal that HUD and the Justice Department will not be shy about applying Title VIII protections to emerging technologies, such as big data.

In 2016, ProPublica issued a report claiming that housing advertisers could use Facebook’s advertising platforms to exclude users based on protected categories. Following this report, NFHA, a non-profit dedicated to eliminating housing discrimination, began its own investigation of Facebook’s advertising platform. Two years later, NFHA and three other public interest groups filed a complaint in the United States District Court for the Southern District of New York alleging that Facebook’s advertising platform violated the FHA and the New York City Human Rights Law.

The NFHA lawsuit targets housing advertisers’ ability to “exclude” or “include” certain categories of users while using Facebook’s advertising tools. For instance, plaintiffs allege that in 2016, NFHA created an advertisement for a fictitious apartment using Facebook’s “Ad Manager” platform. NFHA then purportedly used Facebook’s “exclude” function to exclude “African-Americans” and “Hispanics” from the advertisement’s audience. NFHA also allegedly used Facebook’s “boost” capability to amplify its posts advertising the fake apartment by sending the post to some users while excluding others who fell within certain protected categories. In 2018, NFHA alleges it conducted a second investigation after Facebook announced it would no longer allow housing, credit, and employment advertisers to exclude users based on racial categories. During this second investigation, NFHA alleges it was still able to create ads and “boost” posts that excluded individuals based on race, sex, family status, and disability status. The plaintiffs seek a declaration that Facebook’s advertising policies violate the FHA and the New York City Human Rights Act, an injunction, compensatory and punitive damages, and attorneys’ fees.

Five months after the NFHA plaintiffs filed their lawsuit, HUD filed a “me-too” administrative complaint alleging similar conduct against Facebook. According to HUD, Facebook allows housing advertisers to discriminate by, among other things, “showing ads only to men or only to women[,]” “showing ads only to users whom Facebook categorizes as interested in the ‘Christian Church,’ ‘Jesus,’ ‘Christ’ or the ‘Bible[,]’” and “drawing a red line around majority-minority zip codes and not showing ads to users who live in these zip codes.” According to the HUD complaint, “[t]he alleged policies and practices of Facebook violate the Fair Housing Act based on race, color, religion, sex, familial status, national origin and disability.”

Finally, on August 17, 2018, the Justice Department – through the U.S. Attorney for the Southern District of New York – filed a statement of interest in support of the NFHA plaintiffs. Specifically, the Justice Department filed its Statement of Interest in response to Facebook’s motion to dismiss, which argued, in part, that Facebook was “merely an interactive computer service” and therefore was immunized from FHA liability by the Communications Decency Act. In the Statement of Interest, the Justice Department rejected Facebook’s characterization, asserting that “[b]y allegedly collecting user data, collating user data, and classifying its users based in part upon protected characteristics, Facebook participates in the ‘mak[ing],’ of an ‘advertisement’ ‘that indicates any preference, limitation, or discrimination.’”

While the NFHA suit and the recent filings by HUD and the Justice Department address alleged publisher liability and do not directly relate to the advertisers themselves, housing advertisers should pay close attention to this litigation. Social media advertising has become an integral part of businesses marketing to consumers and, as illustrated by this litigation, data-driven, targeted marketing likely will create new and unexpected avenues for liability. Moreover, HUD and the Justice Department’s apparent interest in how the FHA applies to social media marketing suggests agencies and regulators may start scrutinizing how housing advertisers use big data and targeted advertising to market and sell housing.

CFPB Student Loan Ombudsman Abruptly Resigns in Protest

In another move reflecting the Consumer Financial Protection Bureau’s (CFPB) shifting focus on student lending, the CFPB’s Student Loan Ombudsman announced his resignation on August 27, 2018. In his resignation letter, Seth Frotman, who served as the Student Loan Ombudsman for the past three years, criticized reforms implemented by the CFPB’s current leadership and charged the CFPB leadership with “abandoning” student lending consumers.

Frotman’s resignation comes three months after the CFPB announced organizational changes eliminating the Office of Students and Younger Consumers, which investigated student loan problems. The CFPB announced that the Office of Students and Younger Consumers was being folded into the CFPB’s financial education office, signaling a shift from investigation to education.

In his resignation letter, Frotman criticized the current CFPB leadership’s “sweeping changes” to the CFPB’s oversight of the student lending industry and identified areas of tension with the Department of Education. Frotman alleged that the current CFPB leadership “folded to political pressure” from the Department of Education to reduce its oversight and enforcement of the student lending industry. As an example of reduced oversight, Frotman alleged that the CFPB leadership suppressed publication of a report critical of “the nation’s largest banks.” Frotman also claimed that senior leadership at the CFPB silenced criticism of the Department of Education’s “attempts to preempt state consumer laws.”

Frotman has worked at the CFPB since its inception in 2011 and was designated as the Student Lending Ombudsman in 2016. Frotman previously served on the Senate Committee on Health, Education, Labor, and Pensions and was the Deputy Chief of Staff for U.S. Rep. Patrick Murphy, D-Pa.

The position of Student Lending Ombudsman was created by the Dodd-Frank Act to review and attempt to resolve borrower complaints and make recommendations to various executive branch officers and congressional committees. The Secretary of the Treasury, Steven Mnuchin, has the power to designate the Student Lending Ombudsman.

Kathy Kraninger—the current nominee to head the CFPB—is awaiting a confirmation vote in the Senate to replace the CFPB’s Acting Director Mick Mulvaney. Kraninger currently serves under Mulvaney at the Office of Management and Budget and is widely expected to continue with Mulvaney’s reforms to the CFPB, including as they relate to student lending oversight.

Potential Bank Customer Data Exposed through Fiserv Platform Flaw

Security researchers and cybersecurity experts recently discovered a weakness in Fiserv’s web platform that may have exposed the personal and financial details of customers across hundreds of internet banking sites. The flaw involved a messaging platform used by Fiserv to send account alerts to customers of Fiserv-affiliated banks. These alerts can be set up to notify the customer of certain events, such as when a balance passes a threshold. Someone noticed that the alert was provided in the form of a link to a web page with a numeric event identifier, like 17835, in the web address, and found that changing the number gave access to an alert for another customer. So, for example, by simply changing 17835 to 17836 and leaving the rest of the web address the same, the user could access an alert for another customer. This would show the user another customer’s email address, phone number, and the last four digits of the customer’s bank account number, in addition to allowing the user to view and even edit alerts set up by the other customer. The user could even edit the email address or phone numbers where the other customer’s alerts would be sent. Fiserv has reportedly addressed this flaw by no longer numbering the alerts sequentially, replacing the numeric event identifier with a pseudo-random string of characters.
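The pattern described above, as an added example that is not Fiserv’s code or part of the original article: a store that hands out sequential alert identifiers and trusts whatever number arrives in the web address, beside a version that issues random identifiers and also checks that the alert belongs to the logged-in customer. The class names, customer IDs and addresses are constructed for illustration, and the ownership check is an assumption about sound design, not something the article says Fiserv changed.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Alert:
    owner: str   # customer who created the alert
    email: str   # where the alert is delivered
    rule: str    # e.g. "balance below 100"


class SequentialAlertStore:
    """The weak pattern: numeric identifier, no ownership check."""

    def __init__(self):
        self._alerts = {}
        self._next_id = 17835  # example number used in the article

    def create(self, owner, email, rule):
        alert_id = self._next_id
        self._next_id += 1
        self._alerts[alert_id] = Alert(owner, email, rule)
        return alert_id

    def view(self, session_customer, alert_id):
        # session_customer is never consulted: any logged-in customer
        # receives whichever alert the identifier in the URL points at.
        return self._alerts.get(alert_id)


class HardenedAlertStore:
    """Random identifiers plus an ownership check on every access."""

    def __init__(self):
        self._alerts = {}

    def create(self, owner, email, rule):
        # 128 bits from the OS CSPRNG: neighbouring alerts share nothing.
        alert_id = secrets.token_urlsafe(16)
        self._alerts[alert_id] = Alert(owner, email, rule)
        return alert_id

    def view(self, session_customer, alert_id):
        alert = self._alerts.get(alert_id)
        # Unknown identifier and "not your alert" give the same answer,
        # so a response never confirms that an identifier exists.
        if alert is None or alert.owner != session_customer:
            return None
        return alert

    def update_email(self, session_customer, alert_id, new_email):
        # Edits pass through the same ownership check as reads.
        alert = self.view(session_customer, alert_id)
        if alert is None:
            return False
        alert.email = new_email
        return True


if __name__ == "__main__":
    weak = SequentialAlertStore()
    weak.create("cust-A", "a@example.test", "balance below 100")
    neighbour = weak.create("cust-B", "b@example.test", "balance below 500")
    print("weak store, cust-A reads:", weak.view("cust-A", neighbour))

    strong = HardenedAlertStore()
    token_b = strong.create("cust-B", "b@example.test", "balance below 500")
    print("hardened store, cust-A reads:", strong.view("cust-A", token_b))
```

Random identifiers alone only make another customer’s alert hard to guess; the ownership check is what still refuses access when a link is forwarded, logged or otherwise leaks.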

KrebsOnSecurity made this discovery public today. Data security breaches are key risk areas for businesses, and an effective breach management process can help minimize that risk. While there are still many unanswered questions, we anticipate many banks and financial services organizations who utilize the Fiserv platform may receive questions from customers, users, investors and, possibly, regulators. Organizations who may be at risk should consider engaging their Incident Response Team to review any abnormal log-ins and conduct an internal investigation. In addition, organizations should review their vendor services agreements (including those with Fiserv) to determine who is ultimately responsible for data security incidents.

If you have any questions about the Fiserv platform flaw or data incident response, please contact one of the attorneys in the Privacy, Security and Innovation team at Bradley.

OCC: Fintechs May Now Apply for Bank Charters

The Office of the Comptroller of the Currency announced, in a highly anticipated decision, that it would begin to consider special-purpose charter applications from fintech entities. This move, which has been the subject of months of industry speculation, came mere hours after the Department of the Treasury endorsed a national charter for fintech companies. This development will allow fintech firms to opt in to a national regulatory scheme rather than the current state law regulation in this market sector.

The OCC’s decision was the subject of a great deal of resistance from state regulators while it was under consideration, and the decision was criticized heavily by state regulators immediately following Tuesday’s announcement. Regulators from New York and California, in particular, described the move as a “regulatory train wreck in the making” and “not authorized under the National Bank Act.”

The OCC’s decision, however, appears focused upon increasing marketplace innovation and inclusivity. Commissioner Joseph Otting released a statement applauding the potential for increased consumer choice, adding that “Providing a path for Fintech companies to become national banks can make the federal banking system stronger by promoting economic growth and opportunity, modernization and innovation and competition.” The Bureau of Consumer Financial Protection’s (BCFP) acting director Mick Mulvaney also issued unprecedented comments on the decision. Mulvaney stated “We welcome the important steps taken by our fellow agencies to promote innovation. Success will be determined by how well U.S. regulators coordinate their efforts. We look forward to working with our State and Federal partners to ensure American global leadership in the Fintech space for years to come.”

Observers believe that chartering qualified fintech companies as national banks will also have significant public policy benefits. The national bank charter provides a framework of uniform standards and supervision; applying this framework to qualified fintech companies may level the playing field with regulated institutions. In addition, applying the OCC’s uniform supervision over national banks, including fintech companies, will assist in promoting consistency in the application of laws and regulations across the country and in promoting the fair treatment of consumers.

While this is a significant development, it will require fintech companies to carefully consider whether they can meet the application requirements, as well as consider what institutional changes they may need to accomplish to comply with OCC supervision. Under the strict parameters set forth by the OCC, fintech companies have significant decisions ahead regarding whether to seek this special-purpose charter. As government at all levels becomes more active in the fintech space, fintech companies need to consider how and when they engage with all levels of government to ensure that their business is understood and their interests protected.
