Wiley Consumer Protection Download (December 21, 2020)
Regulatory Announcements
Significant Enforcement Actions
Upcoming Comment Deadlines and Events
More Analysis from Wiley
Welcome to Wiley’s update on recent developments and what’s next in consumer protection at the Consumer Financial Protection Bureau (CFPB) and Federal Trade Commission (FTC). In this newsletter, we analyze recent regulatory announcements, recap key enforcement actions, and preview upcoming deadlines and events. We also include links to our articles, blogs, and webinars with more analysis in these areas. We understand that keeping on top of the rapidly evolving regulatory landscape is more important than ever for businesses seeking to offer new and ground-breaking technologies. Please reach out if there are other topics you’d like to see us cover or for any additional information.
To listen to our recent webinar Federal Consumer Protection Priorities in 2021: Reading the Tea Leaves on demand, please click here.
To subscribe to this newsletter, click here.
Regulatory Announcements
CFPB Issues Final Rule on Debt Collection Consumer Disclosures. On December 18, the Consumer Financial Protection Bureau (CFPB) issued a Final Rule to implement Fair Debt Collection Practices Act (FDCPA) requirements regarding certain consumer disclosures. Specifically, the Rule outlines detailed disclosures that a debt collector must provide to consumers about a consumer’s debt and rights in the debt collection process at the outset of collection communications. Additionally, the Rule requires debt collectors to take measures to disclose the existence of a debt to consumers orally, in writing, or electronically before reporting debt information to a consumer reporting agency, and prohibits collectors from suing or threatening to sue a consumer to collect a time-barred debt, which is defined as a debt for which the applicable statute of limitations has passed. This Final Rule follows the CFPB’s recently released final rule on debt collection communications, issued last month, which we summarized here.
FTC Issues Orders to Nine Social Media and Video Streaming Service Companies Regarding Collection and Use of Personal Information. On December 14, the Federal Trade Commission (FTC) announced that it was issuing nine orders under Section 6(b) of the Federal Trade Commission Act (FTC Act). Section 6(b) of the FTC Act authorizes the agency to conduct studies that do not have a specific law enforcement purpose. The FTC’s orders are being sent to Amazon.com, Inc., ByteDance Ltd., Discord Inc., Facebook, Inc., Reddit, Inc., Snap Inc., Twitter, Inc., WhatsApp Inc., and YouTube LLC. The companies will have 45 days to respond to the orders from the date that they receive them. The FTC is seeking information from the companies regarding how they collect and track personal demographic information, determine which advertisements and content are displayed to consumers, and apply algorithms and data analytics to certain consumers, among other things. Our analysis of the orders is here.
CFPB Issues Two Final Rules on Access to Mortgage Credit. The CFPB issued two final rules related to Qualified Mortgage (QM) loans on December 10. The first final rule, the General QM Final Rule, replaces the current requirement for General QM loans which prohibits a consumer’s debt-to-income ratio from exceeding 43% with the limit based on the pricing of the loan. The CFPB’s second final rule creates a new category of loans called Seasoned QM loans. Under the Seasoned QM Final Rule, a loan must be a first-lien, fixed-rate loan with no balloon payments and meet certain product restrictions to qualify as Seasoned QM. Both rules will take effect 60 days after publication in the Federal Register, and the General QM Final Rule will have a mandatory compliance date of July 1, 2021.
CFPB Releases Report on Implementing Dodd-Frank Small Business Lending Data Collection Requirement. On December 15, the CFPB issued a Panel Report as part of its rulemaking process under Section 1071 of the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act). The panel that released the report included representatives from the CFPB, the Office of Advocacy of the Small Business Administration, and the Office of Management and Budget. The panel consulted with representatives from small entities that were likely to be directly affected by the Section 1071 data collection requirement. The small entity representatives requested that that the CFPB issue implementation and guidance materials to assist small financial institutions in complying with a future Section 1071 rule.
Significant Enforcement Actions
FTC Sues Travel Emergency Services Provider for Failing to Adequately Secure Consumer Data. On December 16, the FTC filed an administrative complaint against SkyMed International, Inc. (SkyMed) for failing to take reasonable measures to secure the personal information of consumers that had signed up for its emergency travel membership plans. Specifically, the FTC alleges that SkyMed left a cloud database containing the membership records of 130,000 consumers unsecured. A security researcher exposed that the information in the database could be located and accessed by any internet users. The FTC also alleges that SkyMed deceived consumers by displaying a Health Information Portability and Accountability Act (HIPAA) compliance certification on its webpage for five years when no government agency had examined SkyMed’s practices for compliance with HIPAA. The FTC’s Proposed Settlement requires SkyMed to, among other things, send a notice to impacted consumers detailing the data exposed by the breach.
CFPB Settles with Mortgage Servicer For Interfering with Consumer Attempts to Avoid Foreclosure. On December 18, the CFPB issued a Consent Order against Seterus, Inc. (Seterus) based on the agency’s finding that Seterus violated the Consumer Financial Protection Act of 2010 (CFPA) and Regulation X. Specifically, the CFPB alleges that Seterus’ actions impeded or deprived borrowers of a reasonable opportunity to get loss mitigation applications completed and evaluated. The Consent Order requires Kyanite Services, Inc. (Kyanite), which is Seterus’ successor in interest, to pay $4,932,525 in total redress to consumers. Moreover, the Consent Order requires Kyanite to pay a $500,000 civil monetary penalty.
Mortgage Analytics Company Settles with FTC Over Vendor Security Practices. On December 15, the FTC announced that Ascension Data & Analytics, LLC (Ascension) would be required to implement a data security program as part of a Proposed Settlement resolving allegations that the company failed to ensure that one of its vendors was adequately securing consumer data under the Gramm-Leach Bliley Act’s Safeguards Rule. Specifically, the FTC’s complaint alleged that OpticsML, which Ascension hired to perform text recognition scanning for mortgage documents, stored the documents without any protections to block unauthorized access. The Proposed Settlement requires that Ascension, among other things, report future data breaches to the FTC within 10 days of notifying federal or government agencies.
CFPB and Arkansas Attorney General Settle with Home Alarm Company for Using Credit Scores without Adequate Notice. The CFPB and the Arkansas Attorney General announced a Proposed Stipulated Final Judgement with Alder Holdings, LLC (Alder) on December 11 for failing to provide proper notices under the Fair Credit Reporting Act (FCRA). FCRA and its implementing regulations require companies to give notice to consumers when they give consumers less favorable credit terms based on a review of their credit reports. The CFPB’s complaint alleges that Alder, a home alarm company, charged consumers with lower credit scores higher activation fees without adequate notice. If entered by the U.S. District Court for the Eastern District of Arkansas, the settlement would require that Alder pay a $600,000 civil penalty.
FTC Settles with Payment Processor on Allegations of Facilitating Fraud. On December 10, the FTC announced that Complete Merchant Solutions, LLC (Complete) settled a complaint in the U.S. District Court for the District of Utah alleging that it processed millions of dollars in consumer credit card payments for schemes that Complete knew or should have known were defrauding consumers. Specifically, the FTC’s complaint alleges that Complete ignored “clear red flags” of fraudulent conduct, including high rates of chargebacks by consumers, use of multiple merchant accounts to reduce chargeback rates, submission of sham chargeback reduction plans, and the use of merchant accounts to process payments for products and services that the merchant did not obtain approval from the bank holding the accounts. The settlement proposal requires Complete to pay $1.5 million to the FTC.
Tenant Background Report Provider Settles Alleged Violations of the FCRA with FTC. On December 8, the FTC announced a Proposed Settlement with AppFolio, Inc. (AppFolio) that requires the tenant background provider to pay $4.25 million to settle allegations that it violated the FCRA. The FCRA requires companies providing tenant background reports to follow reasonable procedures to ensure the “maximum possible accuracy” of the reports and to avoid providing obsolete information. Specifically, the complaint, which was filed by the U.S. Department of Justice on behalf of the FTC in the U.S. District Court for the District of Columbia, alleges that AppFolio violated FCRA by failing to implement reasonable procedures to ensure that criminal and eviction records received from third-party providers were accurate before including such information in its tenant background reports.
CFPB Sues Debt Collector for Alleged Violations of the FDCPA and the CFPA. On December 9, the CFPB filed a complaint against BounceBack, Inc. (BounceBack) in the U.S. District Court for the Western District of Missouri for purported violations of the FDCPA and the CFPA. Specifically, the CFPB’s complaint alleges that BounceBack, in the course of administering a bad-check pretrial diversion program, used district attorney letterheads to improperly threaten more than 19,000 consumers with prosecution if they did not pay the check amount or enroll and pay for a financial education course. Bounceback allegedly also did not reveal to consumers that Bounceback, and not the district attorneys, sent the letters. The CFPB alleges that these practices were deceptive under both the FDCPA and the CFPA.
CFPB Settles with Debt Collector for Engaging in Deceptive Practices. On December 8, the CFPB announced a Consent Order against RAB Performance Recoveries, Inc. (RAB), a debt collector purchasing and collecting consumer debts from debt brokers, for allegedly threatening to sue and suing consumers when it did not have a legal license to do so. Specifically, the CFPB found that RAB misrepresented that it had a legal right to recover payments from consumers through judicial processes in Connecticut, New Jersey, and Rhode Island in violation of the FDCPA and CFPA. The Consent Order requires RAB to pay a $204,000 civil money penalty.
FTC and Other Law Enforcement Agencies Announce Nationwide Crackdown on Deceptive Income Schemes. On December 14, the FTC and 19 federal, state, and local law enforcement partners announced a nationwide sweep focused on scams targeting consumers with false promises of income and financial independence. Titled Operation Income, the enforcement crackdown includes more than 50 enforcements against operators of work-from-home and employment scams, pyramid schemes, investment scams, bogus coaching courses, and others than result in costs to consumers in the thousands of dollars.
FTC Releases Consumer Tips for Avoiding COVID-19 Vaccine Scams. On December 8, the FTC released a new consumer education blog post with the National Association of Attorneys General that provides tips on how to recognize vaccine scams. The blog post notes that until a COVID-19 vaccine distribution plan is available, emails, calls, and texts claiming early access to vaccines are scams. The FTC notes that consumers should report any scams to the agency here, or they can file a complaint with the relevant state attorney general here.
Upcoming Comment Deadlines and Events
FTC Solicits Input on Risk-Based Pricing Rule. Comments are due December 22 on the FTC’s Notice of Proposed Rulemaking (NPRM) regarding the Duties of Creditors Regarding Risk-Based Pricing Rule, as part of its regular review of all agency regulations. Risk-based pricing involves modifying the cost or other terms of credit offered or extended to a particular consumer based on the consumer’s nonpayment risk. The Risk-Based Pricing Rule, which is implemented pursuant to the FCRA, requires that an entity provide a risk-based pricing notice to a consumer when using a consumer report to extend credit on terms that are materially less favorable than the most favorable terms available to a substantial portion of borrowers. The FTC is proposing to amend the Risk-Based Pricing Rule to reflect the Commision’s authority under the Dodd-Frank Act.
Agencies Seek Comment on the Role of Supervisory Guidance. Comments are due January 4 on an NPRM issued by the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration, and the CFPB (collectively, the Agencies) that would codify the 2018 Interagency Statement Clarifying the Role of Supervisory Guidance (the 2018 Statement). In codifying the 2018 Statement, the NPRM would confirm that the Agencies intend to respect the limits of administrative law in carrying out supervisory responsibilities. Accordingly, supervisory guidance does not create binding legal obligations for the public.
FTC Seeks Research Presentations for PrivacyCon 2021. The FTC issued a call for research presentations on a wide array of privacy and security issues as part of its sixth PrivacyCon, which will be held on July 27, 2021. The FTC is seeking research on issues such as the evolution of privacy and security risks; privacy and security issues related to working from home; the costs and benefits of privacy and security; the effectiveness of consumer privacy and security disclosures; algorithmic bias and fairness in algorithms; and privacy-enhancing technologies for consumers. Research presentations are due April 9, 2021, and more information about submitting presentations can be found here.
More Analysis from Wiley
Wiley Wins Three Law360 ‘Practice Group of the Year’ Awards for 2020
Wiley Receives Diversity & Flexibility Alliance 'Tipping the Scales' Recognition
CFPB Publishes Final Rule on Debt Collection Practices
Privacy in Focus: Top 4 Areas to Watch in 2021 in AI Legal and Regulatory Risks
Privacy in Focus: Post-Schrems II: The European Union Provides Guidance on Data Transfers
Privacy in Focus: GDPR-Like Privacy Rights May Get a Little Closer to Home
DHS Advisory Committee Issues Report on Biometrics
New Guidance on AI Regulations as Federal Agencies Plan Transition to a New Administration
FCC Clarifies That Government Contractors Must Obtain Prior Express Consent Under the TCPA
Robocall Update: New Call Authentication Order and Obligations, Explained
New IoT Cybersecurity Drafts From NIST Will Impact the Ecosystem
DHS and Cyber: What Should Companies Expect?
Legal 500 US Recognizes Wiley’s Telecom, Media & Technology Practice as Tier 1. Read more here.
Download Disclaimer: Information is current as of December 21, 2020. This document is for informational purposes only and does not intend to be a comprehensive review of all proceedings and deadlines. Deadlines and dates are subject to change. Please contact us with any questions.