On January 30, the FTC and the DOJ announced that a Michigan-based debt buyer had agreed to pay a $2.5 million civil penalty to settle allegations of misconduct in connection with the company’s debt collection activities. The FTC alleged that the debt buyer violated the FTC Act, the Fair Debt Collection Practices Act, and the Fair Credit Reporting Act by, among other things, (i) misrepresenting without substantiation that consumers owed a debt, (ii) failing to disclose that certain time-barred debt did not have to be repaid, (iii) knowingly providing false information to credit reporting agencies, and (iv) failing to investigate disputes raised by credit reporting agencies. In addition to paying the civil penalty, the company must address the failures and misconduct alleged by the FTC. For example, it must inform consumers when a debt is too old to be legally enforceable. Further, the company is prohibited from engaging in certain conduct, such as placing debt on consumer credit reports without notifying the consumer. Concurrent with the announcement, the FTC released a publication to help consumers understand their rights with regard to time-barred debt.
On January 17, New Jersey enacted a 2010-2011 session bill, A2565, to modernize the state’s title recordation laws to permit the use of electronic documents and to reorganize and streamline the state’s recordation requirements. Given that the federal E-sign Act and the New Jersey Uniform Electronic Transactions Act both authorize the acceptance of electronic alternatives to paper documents and encourage the development of systems that accept electronic documents, the bill updates state law to, for example, (i) broaden the definition of “document” and “recorded” to allow for electronic recordation; (ii) delete statutory references to separate sets of books or separate databases for different kinds of documents; (iii) remove requirements for marginal notation of documents; and (iv) require development of standard formats for electronic documents.
Recently, the Standards and Procedures for Electronic Records and Signatures version 2.0 (SPeRS 2.0) was released. This new version of SPeRS reflects current e-commerce business practices and updates applicable electronic record and signature case law and federal regulatory developments since SPeRS was originally published in 2003. The update also examines nationwide developments in the evolving area of electronic notarization laws. SPeRS is a technology-neutral set of guidelines and strategies for industry use in designing and implementing systems for electronic transactions under the federal Electronic Signatures in Global and National Commerce Act (ESIGN) and state adoptions of the Uniform Electronic Transactions Act (UETA). SPeRS 2.0 updates the groundbreaking guidance contained in SPeRS 1.0, developed by a broad cross-section of leading financial service companies and trade associations. More information about SPeRS is available at www.spers.org.
Third Circuit Upholds District Court’s Order Enjoining Full Enforcement of New Jersey Gift Card Escheat Law
Recently, the U.S. Court of Appeals for the Third Circuit affirmed the district court’s decision to enjoin New Jersey from fully applying and enforcing its gift card escheat law. N.J. Retail Merchs. Assoc. v. Sidamon-Eristoff, No. 10-4551, 2012 WL 19385 (3d Cir. Jan. 5, 2012). Retailers challenged the constitutionality of a 2010 amendment to New Jersey’s unclaimed property statute that provided for the custodial escheat of store valued cards (SVCs or gift cards). Under New Jersey’s Chapter 25, SVCs are presumed to be abandoned after two years of inactivity and issuers are required to transfer to the state the remaining value on the SVCs at the end of the two-year abandonment period. In addition, issuers are required to obtain the name and address of the purchaser or owner of each SVC issued or sold and, at a minimum, maintain a record of the zip code of the owner or purchaser, and there is a presumption that the address of the owner or purchaser is the same as the address of the place where the SVC was purchased or issued. This latter provision has the effect of causing unused funds to escheat to New Jersey, rather than to the state where the card issuer is domiciled, when the last known address of the purchaser is unknown. In response to challenges under the Supremacy Clause, the Due Process Clause, the Commerce Clause, the Contract Clause, and the Takings Clause of the U.S. Constitution, the Third Circuit upheld the district court’s preliminary injunction enjoining the retroactive application of Chapter 25 to SVCs redeemable for merchandise or services that were issued before Chapter 25’s enactment. It also upheld the district court’s preliminary injunction enjoining the prospective enforcement of the place-of-purchase presumption. The court, however, declined to prospectively enjoin the data collection provision or the two-year abandonment provision, finding that SVC issuers failed to show a reasonable likelihood of success on the merits of these claims and that the data collection provision is severable from the place-of-purchase provision.
On January 27, the U.S. Attorney General officially introduced a special unit that will coordinate federal and state government investigations into residential mortgage-backed securities (RMBS). The unit is being co-chaired by multiple senior officials from the Department of Justice (DOJ) and the Securities and Exchange Commission (SEC), as well as New York Attorney General Eric Schneiderman. It will consist of at least fifty-five DOJ attorneys and other investigative staff, and will include the active participation by numerous additional federal and state entities, including the Consumer Financial Protection Bureau. According to a memorandum issued by Attorney General Holder, the working group will focus on, among other things, (i) alleged misrepresentations concerning the quality of mortgages backing the RMBS; (ii) alleged failures by trustees to manage adequately the assets within securitized pools of loans; and (iii) alleged failures by RMBS sponsors to repurchase problematic loans or remit loan proceeds to RMBS trusts. In his remarks introducing the new unit, Attorney General Holder noted that civil subpoenas recently have been issued to eleven financial institutions in connection with this new group’s efforts.
On January 25, the CFPB, the Department of Defense, the FTC, and the New York Attorney General announced a partnership to develop the Repeat Offenders Against Military (ROAM) Database to track enforcement actions against entities or individuals engaged in consumer financial frauds against military personnel, veterans, and their families. The database, which should be available by mid-February, will compile publicly available information about completed civil and criminal legal actions and will be accessible and searchable by state attorneys general, U.S. Attorneys, and Judge Advocates from all branches of the armed services. The Consumer Protection Committee of the National Association of Attorneys General already has sent a letter to state attorneys general asking them to populate the new database with their enforcement action information. The FTC noted that the ROAM database will complement its Consumer Sentinel Network, which collects and provides wide access to consumer complaints, including those related to the frauds against servicemembers and their families.
On January 25, the European Union Commission officially released a proposed Regulation designed to update and replace the 1995 Data Protection Directive and national laws issued under that directive. This proposal is designed as a regulation rather than a directive, allowing it to take effect without national implementing legislation. Instead, the proposal will be submitted to the European Parliament and member states for adoption and would become effective two years after adoption. Notably, the proposed Regulation contains a “right to be forgotten” provision, which provides individuals the right, under certain circumstances, to seek the erasure of personal data and a halt to further dissemination of such data. Other provisions of the Regulation would (i) require explicit data subject consent for processing, where previously consent could be inferred in some cases; (ii) require data breaches to be reported to the national supervisory authority and, in certain cases, to the data subject; and (iii) provide data subjects the right to file complaints with national data protection authorities and seek judicial remedies, including damages, for violations of the Regulation. An earlier unofficial draft of this regulation was reported in InfoBytes, December 23, 2011. The two proposals are substantially similar, though the officially released version does lower the limits for penalties under the Regulation.
On January 26, the Financial Industry Regulatory Authority (FINRA) issued Regulatory Notice 12-05, notifying institutions of an increase in reports of customer funds being stolen through improper access to customer email accounts and unauthorized electronic instructions to transfer or withdraw funds. FINRA urged firms to review policies and procedures to ensure protection of customer funds, particularly in cases where the request for funds and transmittal are handled electronically. FINRA recommends that policies and procedures include methods for confirming the identity of the requestor, as well as a system to identify and respond to “red flags.” Concurrent with the regulatory notice, FINRA issued an alert to investors warning about the increased account breach activity and providing tips for protecting account information and funds.
On January 24, the OCC published a proposed rule to implement annual capital-adequacy stress tests for national banks and federal savings associations with total consolidated assets of more than $10 billion. The rule is substantially similar to a recent FDIC stress test proposal for FDIC-insured state nonmember banks and state-chartered savings associations. (See InfoBytes, January 20, 2012). The Dodd-Frank Act requires these stress tests to aid regulators in assessing risk presented by an institution’s capitalization and help ensure the institution’s financial stability. Under the proposal, the OCC would annually provide covered institutions with at least three sets of conditions – baseline, adverse, and severely adverse – that must be used in conducting an annual stress test. The tests would include calculations showing, for each quarter-end within a defined planning horizon, (i) estimates of revenues, (ii) potential losses, (iii) loan loss provisions, and (iv) potential impact on regulatory capital levels and ratios. Covered institutions also would be required to establish an oversight and documentation system to ensure that stress testing procedures are effective. Stress test results would have to be submitted to the OCC and the Federal Reserve Board by January 5 of each year, and a summary would have to be released to the public within ninety days thereafter. The OCC would plan to provide covered institutions with the scenarios at least two months before the January 5 deadline. The OCC is accepting public comment on the rule through March 26, 2012.
On January 24, the U.S. Court of Appeals for the Third Circuit affirmed a district court holding that printing of partial expiration dates does constitute a Fair and Accurate Credit Transactions Act (FACTA) violation, but held that the merchant, in this case, did not willfully violate FACTA by printing a portion of credit card expiration dates on customer receipts. Long v. Tommy Hilfiger U.S.A., Inc., No. 11-1554, 2012 WL 180874 (3rd Cir. Jan. 24, 2012). The consumer alleged, on behalf of a putative nationwide class, that the merchant’s practice of printing receipts that included the expiration month, but not year, willfully violated FACTA’s prohibition against printing “more than the last five digits of a credit card number or the expiration date upon any receipt provided” at the time of a transaction. On appeal, the court considered two questions: (i) whether the consumer properly alleged a FACTA violation, and (ii) whether the merchant’s alleged conduct constituted a willful violation of FACTA. The court held that FACTA prohibits printing of partial expiration dates, and that therefore plaintiff did properly allege a FACTA violation. The court explained that “expiration date” is not defined in the law, and found that “the most natural reading of the phrase” prohibits merchants from printing any of the numbers that appear in the expiration date field on a credit or debit card. If Congress had intended to allow partial expiration dates, the court stated, it would have used language similar to that used with regard to partial credit card numbers. However, the court held that the consumer could not recover statutory damages of $100 to $1,000 per violation, punitive damages, and attorneys fees, because the merchant’s action was not willful. Relying on a standard set in Safeco Insurance Company of America v Burr, 551 U.S. 47 (2007), the court held that the merchant’s interpretation that the statute permits partial expiration dates was not “objectively unreasonable”, because the statute does not provide a definition for “expiration date” and the interpretation has some foundation in the statutory text. According to the court, although the merchant’s interpretation of FACTA was wrong, it did not constitute a willful violation of the law.
On January 24, the Department of Housing and Urban Development (HUD) published a final rule to enhance the Federal Housing Administration (FHA) Lender Insurance process. Under the final rule, (i) Lender Insurance mortgagees (mortgagees who have authority to insure mortgages on HUD’s behalf) must meet stricter performance standards to gain and maintain their approval status as an entity that can insure mortgages on HUD’s behalf; (ii) HUD may require indemnification for “serious and material” violations of FHA origination requirements and for fraud and misrepresentation; (iii) Lender Insurance mortgagees must demonstrate a two-year seriously delinquent and claim rate at or below 150 percent of the aggregate rate for the states in which they operate; (iv) FHA may monitor lender performance on an ongoing basis, and (v) HUD-approved lenders created through corporate restructuring have a new process for seeking Lender Insurance authority. The final rule follows an October 2010 proposed rule (see InfoBytes, October 15, 2010), and makes certain changes to the proposal including to (i) clarify that HUD reviews of Lender Insurance mortgagee performance will be “ongoing”, as opposed to “continual”; (ii) require indemnification of HUD when the mortgagee “knew or should have known” that fraud or misrepresentation occurred; (iii) clarify that automatic termination of Lender Insurance authority can result only from institutional and not branch activity; and (iv) provide a reinstatement process closely modeled on the existing reinstatement process regarding origination approval agreements or Direct Endorsement authority.
On January 24, the CFPB announced a third round of testing of prototype mortgage closing forms as part of its Know Before You Owe campaign. In this round, the CFPB asks the public to compare two versions of its prototype closing forms and consider how each works with the prototype initial disclosure form the CFPB previously developed. The CFPB asks consumers to consider certain specific questions, including whether changes to loan terms or costs are easily identifiable from initial disclosure to closing. The CFPB also seeks comment on whether the disclosures are easy for lenders and settlement agents to use and explain. As with prior rounds of testing, the CFPB will travel to local communities to review the forms with the public. A fourth and final round of testing is expected next month.
On January 24, the House Oversight Subcommittee on TARP, Financial Services, and Bailouts of Public and Private Programs held a hearing to receive testimony from newly appointed CFPB Director Richard Cordray. Committee members (i) sought the Director’s interpretation of the term “abusive” as it is used in the Dodd-Frank Act, (ii) requested more transparency into the CFPB’s planned regulatory actions, and (iii) requested CFPB action to mitigate the impacts of its regulations on small and community institutions. Mr. Cordray declined to offer a definition of “abusive”, relying instead on the statutory language. The Director did state that abusive practices that are not also either “unfair or deceptive”, likely would be addressed on a “facts and circumstances” basis rather than through an “abstract” regulatory definition. He did not rule out using “abusive practices” as the basis of an enforcement action prior to issuing any further guidance or rulemaking. The Director committed to consider following the SEC’s model of periodically publishing a regulatory agenda. He also explained that the CFPB will consider and address impacts of its regulatory actions on community banks and financial institutions with under $10 billion in assets.
On January 20, the U.S. District Court for the Eastern District of California dismissed a putative class action brought on behalf of California residents against a company that lost multiple server drives containing personal and medical information. Whitaker v. Health Net of Cal., Inc. No. 11-910, 2012 WL 174961 (E.D. Cal. Jan. 20, 2012). The named plaintiff alleged that the loss of the drives and personal information violated California’s Confidentiality of Medical Information Act. Relying on Ninth Circuit decisions in Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010) and Ruiz v. Gap Inc., No. 09-15971, 380 F. Appx. 689 (9th Cir. May 28, 2010), the plaintiff argued that the threat of harm naturally stems from a loss of data alone. The court held, however, that there is a difference between theft and loss of data. Unlike those prior cases in which personal data was obtained by hacking or data breach, loss of data does not present any actual or immediate harm, only conjectural or hypothetical harm. The court held that the plaintiff lacked standing and dismissed the case with leave to amend because the possibility of harm is not sufficient to meet the constitutional injury-in-fact standard.
On January 23, the CFPB and the FTC announced that the agencies had entered into a memorandum of understanding (MOU) to facilitate coordination of the agencies’ consumer financial rulemaking, enforcement, and supervision activities. The MOU establishes regular meetings between the two entities, as well as processes for providing notice of enforcement activities. Under the MOU, the CFPB and the FTC will be able to share consumer complaint information, and the FTC can request CFPB examination reports and confidential supervisory information.