On April 30, the U.S. District Court for the Central District of California held that Section 1747.08 of the Song-Beverly Credit Card Act, which prohibits retailers from requiring personal information as a condition to completing credit card transactions, does not apply to online purchase transactions in which the merchandise is shipped or delivered to the customer. Ambers v. Buy.com, No. 13-196, slip op. (C.D. Cal. Apr. 30, 2013). The ruling extends a recent holding by the California Supreme Court in Apple Inc. v. Sup. Ct. Los Angeles, which held that the Song-Beverly provisions do not apply when the item purchased is downloaded via the Internet. In this case, the customer claimed on behalf of a putative class whose claims could total $500 million that Apple created a standard that applies the Song-Beverly protections whenever the retailer has “some mechanism” to verify the customer’s identity. The plaintiff argued that the retailer’s request as part of the purchase transaction for a phone number in addition to the shipping address violated the statutory privacy protection. The court reasoned that as explained in Apple, the state legislature intended to allow retailers to verify that a person making a card purchase is authorized to do so, and stated that the shipping address alone would not work as an anti-fraud mechanism because a person who buys merchandise online may direct shipments to addresses not related to the credit card billing address. As such, the court held that Song-Beverly privacy protection does not apply to online purchases where the merchandise is being shipped or delivered, and granted the retailer’s motion to dismiss.

On April 15, the U.S. District Court for the Northern District of California dismissed a putative class action in which the named plaintiff brought a breach of contract claim and other common law and statutory claims after the issuer stopped providing the cardholder an interest free grace period on new charges because the cardholder transferred a balance from another card account as part of an interest free balance transfer offer and did not immediately pay off that transferred balance. Barton v. Capital One Bank (USA), N.A., No. 12-5412, slip op. (N.D. Cal. Apr. 16, 2013). Applying Virginia law, the court held that while some cardholders may have accepted the offer and transferred balances “without realizing that, because it would cause them to begin carrying a post-due balance each month, it would deprive them of the grace period they had previously enjoyed,” the agreement was clear that “carrying a post-due balance — whatever its source — terminated cardmembers’ rights to the 25-day grace period.” For the same reason, the court held the cardholder’s claim that the issuer violated the CARD Act’s requirement that a “creditor shall not change the terms governing the repayment of any outstanding balance” similarly failed. The court also held that the cardholder failed to allege any contractual discretion to support her claim of breach of good faith and dismissed her claim under California’s Unfair Competition Law.

On March 28, the CFPB released tens of thousands of consumer complaints related to mortgages, student loans, bank accounts and services, other consumer loans, and credit cards. Credit reporting complaints, will be released in the near future. The expanded database is a live database that is updated daily. It includes one million data points, covering approximately 450 companies, and allows users to track, sort, search, and download information. The CFPB has made the data available in formats that allow developers to build applications, conduct analyses, and perform research, and the database includes functionality to let users build their own visualizations, charts and graphs, and embed the data on other websites or share it through social media. The CFPB is encouraging consumers, analysts, developers, data scientists, civic hackers, and companies that serve consumers, to analyze, augment, and build on the public database to develop ways for consumers to access the complaint data or “mash it up” with other public data sets. The CFPB also released a fact sheet about the database, which provides some summary analysis of the data, as well as a “snapshot” report that provides information about the CFPB’s complaint handling process and additional summary presentation of the data. The CFPB also held a field hearing to review the complaint database and solicit public feedback. Consumer groups participating in the event repeatedly stressed the need for more specific data, including the full narrative description of complaints submitted by consumers, while industry representatives continued to caution the regulator about risks associated with unverified data.

On March 28, the CFPB published a final rule to remove from Regulation Z a limitation on fees charged prior to credit card account opening. Effective immediately, the rule amends a restriction adopted by the Federal Reserve Board in April 2011, which expanded the 2009 Credit CARD Act fee limitation on certain fees charged during the first year after the account is opened to include fees charged  prior to account opening. The CFPB rule eliminates the limitations on fees charged prior to account opening, and covers only those fees charged during the first year after account opening. The rule responds to a legal challenge to restricting the amount of fees charged prior to account opening, which resulted in a court issuing a preliminary injunction to halt the implementation of the Federal Reserve Board’s broader application of the fee limit.

On February 14, the PCI Security Standards Council, the open global forum responsible for setting payment security standards, issued guidelines for merchants on the factors and risks they must address to protect card data when using mobile devices. The guidance addresses the three main risks associated with mobile payment transactions: account data entering the device, account data residing in the device, and account data leaving the device. The guidance also (i) provides recommended measures for merchants regarding the physical and logical security of mobile devices used for payment acceptance, and (ii) recommendations regarding the different components of the payment acceptance solution, including the hardware, software, the use of the payment acceptance solution, and the relationship with the customer. The PCI Security Standards Council also recently released guidance for securing payment card data in cloud environments, and guidance regarding security for payment transactions conducted over the Internet.

On January 29, a credit card holder filed a putative class action against a card issuer that funds consumer retail credit accounts for customers of a major retail chain, alleging that the issuer violated the Telephone Consumer Protection Act in attempting to collect on the card holder’s credit card debt. Complaint, French v. Target Nat’l Bank, No. 13-233 (S.D. Cal. filed Jan. 29, 2013). The named plaintiff claims that after she fell behind on her payments, the issuer began making numerous calls daily to her personal cell phone, a number she claims not to have provided to the issuer. The issuer allegedly used an “automatic telephone dialing system” to make the calls, which the card holder claims continued even after she notified the issuer that it was not authorized to contact her on her cellular phone, and asked that the calls cease. The card holder alleges that in doing so, the issuer violated the TCPA, which requires express written consent from a consumer prior to receiving calls from an automated dialing system or an artificial or prerecorded voice. On behalf of the proposed class, the card holder is seeking $500 in statutory damages for each and every alleged negligent violation, and treble damages for each alleged knowing or willful violation. The suit is the latest in a growing number of cases to be filed in recent years, particularly in California, and highlights a significant litigation risk for card issuers and debt collectors.

On December 19, the CFPB issued a notice and request for information about the impact of the Credit Card Accountability Responsibility and Disclosure Act of 2009 (CARD Act or Act) on the consumer credit card market. The request seeks information about: (i) how the CARD Act has changed the substantive terms and conditions of credit card agreements, (ii) the effectiveness of disclosure of terms, fees, and other expenses of credit card plans, (iii) the adequacy of protections against unfair or deceptive acts or practices relating to credit card plans, and (iv) whether the Act has affected the cost and availability of credit, the safety and soundness of any credit card issuers, the use of risk-based pricing, or the innovation of new products. The CFPB explained that it will use the data gathered to prepare a publicly available report to Congress on the state of the consumer credit card market, and to inform future policy decisions regarding credit cards. The CFPB will accept comments for 60 days following publication of the notice in the Federal Register.

On November 20, the U.S. District Court for the Northern District of California dismissed a putative class action that claimed, among other allegations, that Google violated an implied contract to handle certain users’ credit card information in accordance with the Payment Card Industry Security Standards.  Frezza v. Google, Inc., Case No. 12-CV-00237-RMW, 2012 WL 5877587 (N.D. Ca. Nov. 20, 2012). The named plaintiffs alleged that they submitted credit card information when they bought Google Tags, which display advertisements in search results as part of a promotion. The plaintiffs claim that entering their credit card information into Google’s billing system established an implied contract requiring that Google handle such information responsibly, which the plaintiffs allege is in accordance with the Data Security Standards promulgated by the Payment Card Industry Security Standards Council. The court found that Google did not make any indication that it adopted the DSS recommendations when dealing with plaintiffs, and that Google had not violated any implied contract to handle its customers’ credit card information responsibly when it retained credit card data after the plaintiffs cancelled their subscriptions to Google Tags. The court also dismissed the plaintiffs’ breach of contract claims and other claims made under California statutes.

This week the Supreme Court denied petitions for a writ of certiorari in two banking-related appeals. In Cummings v. Doughty, No. 12-351, the petitioners, a bank and its CEO, asked the Supreme Court to determine whether the safe harbor established by the Annunzio-Wylie Anti-Money Laundering Act provides absolute (versus qualified) immunity from claims that arise from the submission of a suspicious activity report (SAR). The petitioners were appealing a Louisiana state court holding, which the state appellate courts declined to review, that denied petitioners immunity under the Act after the CEO reported a bank president for possible suspicious activity. The bank president claimed that the petitioners lacked a good faith basis to report him and, therefore, could not receive absolute immunity. The petitioners argued that the First Circuit and the Second Circuit have held, based on the plain language of the Act, that financial institutions have absolute immunity from any cause of action relating to the submission of a SAR, while the Eleventh Circuit has held that the Act only grants qualified immunity. The Supreme Court declined to remedy the apparent circuit split.

In Parks v. MBNA America Bank, N.A., No 12-359, the Supreme Court denied review of a California Supreme Court decision that held that the National Bank Act preempts state requirements that certain disclosures accompany preprinted or “convenience checks” provided by a credit card issuer to its cardholders. The plaintiff filed suit on behalf of a putative class after he used such checks and was assessed finance charges that were greater than those that he would have been assessed had he used his credit card instead. He alleged that California law requires certain disclosures to be provided with the checks, including those related to convenience checks. In June, the California Supreme Court held the specific disclosure obligations imposed by the state law at issue, including precise language and placement of the disclosures, exceeded any federal law requirements and is preempted as an obstacle to the broad grant of power given to national banks by the NBA to conduct the business of banking.

On November 20, the European Parliament adopted a nonbinding resolution calling for the development of common rules and standards for personal credit and debit card payments. The resolution explains that such rules would bring the card payment market “closer to its full potential and efficiency.” The Members of Parliament called on the European Commission to develop the legislative proposals needed to extend the current single Euro payments area (SEPA) regulation, which governs euro credit and direct debit transactions among banks, to the market for card, internet and mobile payments, but cautioned that lawmakers should avoid regulating the internet and mobile payment market too heavily, so as not to hinder its growth and innovation. The resolution also claims that current fees for handling card payments are high relative to the costs they need to cover, but does not call for caps. Finally, the resolution states that minimum security requirements for card, internet and mobile payments should be the same in all EU member states.

On November 1, the FTC announced that courts have granted temporary restraining orders in five cases in which the FTC alleged that the defendants placed automated calls to consumers to make allegedly deceptive “no-risk” offers to substantially reduce the consumers’ credit card interest rates in exchange for an upfront fee. The telemarketers claimed to be calling from the consumers’ credit card company, or otherwise used the generic “Cardholder Services” title to suggest a relationship with a bank or credit card company, the FTC says. Each complaint alleges that the defendants violated the FTC Act by misrepresenting that consumers who buy their services will have their credit card interest rates reduced substantially and will save thousands of dollars as a result. Four of the five complaints also charge that the defendants violated the FTC Act by making other misrepresentations, such as promises of faster debt payoff. The FTC also charges that the defendants violated the Telemarketing Sales Rule (TSR) by misrepresenting their services, calling numbers on the Do Not Call Registry, making illegal robocalls, and collecting up-front fees. The FTC coordinated with multiple state entities, including the attorneys general of Arizona and Arkansas and the Florida Department of Agriculture and Consumer Services, each of which took separate actions against other companies for similar alleged activities.

On November 1, the CFPB launched a database of college credit card agreements in effect during 2011 and released an annual report to Congress on such agreements. The database provides copies of all 2011 agreements and presents other information submitted by card issuers for each agreement, including total payments, total open accounts, and new accounts opened in 2011. The report presents summary information about the data reflected in the database and identifies some trends from 2009-2011. For example, the report notes that (i) the total number of college card agreements declined from 2010 to 2011, (ii) issuers added 26 new agreements in 2011, and (iii) the majority of agreements were between issuers and an organization affiliated with an institution of higher education (such as an alumni association) or an institution of higher learning.

The CFPB today released its first periodic Supervisory Highlights publication, along with an updated examination manual and a bulletin about the Bureau’s examination appeals process.

The Supervisory Highlights report describes the CFPB’s supervisory activity from July 2011 through September 2012, including with regard to credit cards, credit reporting, and mortgages, and “signal[s] to all institutions the kinds of activities that should be carefully scrutinized.” During its first year of conducting exams, the CFPB states that it has found compliance management system deficiencies, including with regard to fair lending compliance programs and oversight of affiliate and third-party service providers.  The report also reviews nonpublic actions taken to enforce compliance with the CARD Act and FCRA,  and identifies several areas of concern for mortgage originators.

Bulletin 2012-07 details the CFPB supervisory appeals process, and addresses confidentiality and the role of the CFPB Ombudsman.  Finally, the updated Supervision and Examination Manual incorporates the various procedures issued since the manual first was published in October 2011, e.g. the payday lending and consumer reporting exam procedures.  The updated manual also includes new references to the Code of Federal Regulations to reflect the republishing of federal consumer finance law regulations under the CFPB’s authority.

On October 17, the CFPB proposed a rule to amend the current Regulation Z requirement that credit card issuers consider an applicant’s independent ability to pay regardless of age. The current regulation, as amended by the Federal Reserve Board, and which took effect October 1, 2011, has received criticism from members of Congress and other stakeholders that the rule limits access to credit for stay-at-home spouses and partners. The CFPB’s proposed revision would remove the ability to pay requirement for consumers who are twenty-one and older and permit issuers to consider income to which such consumers have a “reasonable expectation of access.” The proposed rule would not change the independent ability to pay requirement for individuals under the age of twenty-one. Comments on the proposed rule will be accepted for sixty days following publication in the Federal Register.