On February 12, seven industry trade associations co-authored a letter to Congress regarding anticipated data breach legislation. The letter urges Congress to protect its constituents from the impact of identity theft and financial fraud resulting from data breaches by (i) considering a national data security and breach standard; (ii) recognizing the existing fraud protection standards (e.g., HIPAA and GLBA) and having them serve as a model for sectors where there are none; and (iii) encouraging shared responsibility between entities, including costs. The letter is the latest effort among the industry to lobby Congress in passing legislation to combat increasing data breaches and fraud.
State AGs Urge Card Companies to Advance Consumer Protection by Implementing Chip and PIN Technology
On November 16, nine state attorneys general sent a letter urging leading card brands to expedite the implementation of chip and PIN technology in the United States. The letter summarizes research connected to recent data breaches, stating “individuals whose credit or debit cards were breached in the past year were nearly three times more likely to be an identity fraud victim.” Addressing concern that PIN technology would be burdensome or confusing to consumers, the AGs maintain that many consumers are accustomed to financial transactions that rely on PIN technology, such as transactions involving debit cards, and point to a November 2014 poll that indicated cardholders were supportive of chip and PIN technology. The AGs emphasize that PIN technology is “nothing new” and is considered the “gold standard” for payment card security, noting that countries around the world have seen a dramatic decrease in fraud since implementing the technology. Finally, while the letter stresses that chip and PIN technology would better protect both consumers and businesses from data breaches, it does not suggest that the technology be legally mandated at the federal or state level: “[T]his letter calls upon you as good corporate citizens to voluntarily expedite the implementation of existing technology that offers the most substantial security benefits, and to continue to adapt and improve security as quickly as possible as technology advances.”
On November 10, 2014, the Supreme Court denied Douglas Whitman’s petition for a writ of certiorari in Whitman v. United States, No. 14-29; Justice Antonin Scalia, joined by Justice Clarence Thomas, issued a brief statement specifically highlighting their view of the role that the doctrine of lenity should play in the interpretation of criminal statutes. Whitman asked the high court to review his 2012 conviction for securities fraud and conspiracy under the Securities Exchange Act of 1934. The Second Circuit appeared to defer to the SEC’s interpretation of ambiguous language in the Act—according to Justice Scalia, such an approach would disregard the “many cases . . . holding that, if a law has both criminal and civil applications, the rule of lenity governs its interpretation in both settings.” Justice Scalia further noted that it was the exclusive province of the legislature to create criminal laws, and to defer to the SEC’s interpretation of a criminal statute would “upend ordinary principles of interpretation.” Justice Scalia’s approach may indicate potential adjustments in the ongoing effort to strike the right balance between the due process rights of targets of enforcement actions to know what the law prohibits, and deference to enforcement agencies to interpret federal statutes flexibly. BuckleySandler discussed the tension between lenity and Chevron deference earlier this year in a January 16 article, Lenity, Chevron Deference, and Consumer Protection Laws.
On October 14, the ABA submitted a petition to the FCC requesting that it exercise its statutory authority to allow financial institutions to send consumers certain security and fraud alerts without the consumers’ prior consent. Specifically, the consumers would receive alerts regarding: (i) transactions suggesting a risk of identity theft or fraud; (ii) potential security breaches involving personal information; (iii) preventative steps consumers can take to decrease their chances of falling victim to security breaches, in addition to steps they can take to remedy harm already caused by a breach; and (iv) actions required to receive a receipt for money transfers. The petition notes that the most effective way to ensure that consumers receive these important messages is through automated texts and calls to mobile devices and accordingly requests that the FCC allow for an exemption to the Telephone Consumer Protection Act to ensure that customers receive security and fraud notifications in a timely manner.
On May 21, the FTC proposed to prohibit the use of certain payment methods it believes are favored by “fraudulent telemarketers.” The FTC’s proposed rule would amend the Telemarketing Sales Rule (TSR) to prohibit telemarketers from (i) using remotely created unsigned checks and payment orders to directly access consumer bank accounts, and (ii) receiving payment through “cash-to-cash” money transfers and “cash reload” mechanisms. The FTC explained that allegedly fraudulent telemarketers rely on such payment methods because they are largely unmonitored and provide fewer consumer fraud protections. The proposed rule also would (i) expand the TSR’s ban on telemarketing “recovery services” in exchange for an advance fee and (ii) clarify various other provisions of the TSR. The FTC is accepting public comments on the proposal through July 29, 2013.
Yesterday, the FTC released guidance for mobile and other online advertisers. The new guidance, “.com Disclosures: How to Make Effective Disclosures in Digital Advertising,” adapts and expands prior FTC guidance to account for a decade’s worth of additional experience with online marketing practices, consumers’ increasing use of smartphones, and merchants’ increasing use of social media marketing.
The new guidance highlights several key considerations for businesses as they develop advertisements for online and mobile media:
- The same consumer protection laws – e.g. UDAP – that apply to commercial activities in other media apply online and in the mobile marketplace.
- Limitations and qualifying information should be incorporated into any underlying claim, rather than provided as a separate disclosure qualifying the claim.
- Marketing materials that may be viewed on a variety of platforms, including handheld devices, should be designed so that required disclosures are effectively delivered on all of the platforms.
- Required disclosures must be clear and conspicuous, as determined by numerous factors.
- If a disclosure is necessary to prevent an advertisement from being deceptive, unfair, or otherwise violative of a FTC rule, and it is not possible to make the disclosure clearly and conspicuously, then that ad should not be disseminated.
To meet the clear and conspicuous standard, Read more…
On December 4, President Obama signed a bill, H.R. 6131, that extends through December 2020, a law that enhances the FTC’s ability to address cross-border fraud, and particularly to fight spam, spyware, and Internet fraud and deception. Originally passed in December 2006 and set to expire in December 2013, the U.S. SAFE WEB Act amended the FTC Act to include within the definition of “unfair or deceptive acts or practices” certain acts or practices involving foreign commerce. Further, the law authorizes the FTC to (i) disclose certain privileged or confidential information to foreign law enforcement agencies, and (ii) provide investigative assistance to a foreign law enforcement agency pursuing violations of laws prohibiting fraudulent or deceptive commercial practices or other practices substantially similar to practices prohibited by laws administered by the FTC without requiring that the conduct identified constitute a violation of U.S. laws.
Eleventh Circuit Holds Bank Security Procedure Insufficient to Provide Safe Harbor from Liability for Fraudulent Wire Transfer
On November 27, the U.S. Court of Appeals for the Eleventh Circuit held that a bank may be liable for an allegedly fraudulent in-person wire transfer because it failed to implement a commercially reasonable security procedure to verify the authenticity of the wire transfer order and to detect transmission or content errors. Chavez v. Mercantil Commercebank N.A., No. 11-15804, 2012 WL 5907151 (11th Cir. Nov. 27, 2012). The plaintiff, a Venezuelan resident who opened an account at a Florida bank, elected a security procedure under the account’s Funds Transfer Agreement that provided only that the bank require written authorization by him in order to process any orders for the account. The plaintiff sued the bank for lost funds, claiming that the bank allowed an unauthorized individual to initiate a fraudulent in-person wire transfer of funds out of the account. The district court granted summary judgment in favor of the bank, holding that state law creates a safe harbor that relieves banks of liability for fraudulent payment orders if the bank and the customer agree to a commercially reasonable security procedure and the bank follows that procedure in good faith. The appellate court held that the agreed-upon security procedure was not in fact a security procedure as defined by statute. The court explained that state law disavows security procedures that require only a comparison of a signature on a payment order with an authorized specimen signature of the customer. In this case, the security procedure required written authorization, but was silent as to how the bank was to verify that authorization, i.e., it did not even require that the signature be compared to one on file. The court held that because the bank and the account holder did not agree to a security procedure, the bank could not seek safe harbor protection and reversed the district court’s order. One judge dissented from the majority opinion and argued that the Funds Transfer Agreement encompassed both the required and discretionary security procedures, which, taken together, were commercially reasonable and followed in good faith, therefore affording the bank safe harbor protection.
On October 9, the U.S. Attorney for the Southern District of New York and the U.S. Department of Housing and Urban Development (HUD) announced a civil fraud suit against a mortgage lender alleged to have falsely certified loans under the FHA’s Direct Endorsement Lender Program. The suit, filed in coordination with the Financial Fraud Enforcement Task Force (FFETF), claims that from May 2001 through October 2005, the lender regularly and knowingly engaged in reckless origination and underwriting of FHA loans, while certifying to HUD that those loans met the FHA Direct Endorsement Lender Program requirements and were therefore eligible for FHA insurance. Further, the suit alleges that the lender failed to conduct adequate quality control, failed to comply with HUD self-reporting requirements, and later attempted to cover up its reporting failures. The government claims that it was required to pay, and will continue to have to pay, FHA benefits on defaulted loans that contained material violations, and seeks treble damages and penalties under the False Claims Act, as well as Financial Institutions Reform, Recovery, and Enforcement Act penalties. The government also seeks compensatory damages under the common law theories of breach of fiduciary duty, gross negligence, negligence, unjust enrichment, and payment under mistake of fact. This suit follows the settlements earlier this year of several other cases involving similar claims. One other similar suit is currently pending.
On October 9, the DOJ, HUD, the FTC, and the FBI announced the results of the Distressed Homeowner Initiative, a year-long national effort to coordinate federal and state investigation and prosecution of alleged mortgage fraudsters. The Initiative was carried out under the Mortgage Fraud Working Group of the FFETF. Between October 1, 2011 and September 30, 2012, the unit’s work resulted in 285 criminal indictments and informations against 530 defendants. The announcement described many of the Working Group’s investigative tactics, including undercover operations, and explained the reasons behind the Working Group’s focus on Southern California. The Working Group expects more enforcement actions to result from ongoing investigations, and the FFETF has several other active working groups, including the Residential Mortgage-Backed Securities Working Group that recently sued a major bank over alleged fraudulent misrepresentations and omissions in the sale of RMBS to investors.
On July 27, the Federal Reserve Board issued a final rule that amends Regulation II. The rule allows a debit issuer that is subject to the interchange fee standards to charge—in addition to interchange fees—a fraud-prevention fee to defray costs associated with implementing policies and procedures that reduce fraudulent electronic debit transactions. The fee cannot exceed one cent per transaction, unchanged from the Federal Reserve’s interim final rule on this issue. The final rule details fraud-prevention program requirements that an issuer must meet in order to charge the fee. An issuer charging such a fee must annually review and update its fraud-prevention program and notify its payment card networks that it complies with the rule’s fraud prevention standards. The rule takes effect October 1, 2012.
On July 11, four former bank officers and two of their former customers were indicted in the U.S. District Court for the Eastern District of Virginia on eighteen counts of fraud. Indictment, United States v. Woodard, No. 12-105 (E.D. Va.). The indictment alleges that in the run-up to the financial crisis, the bank more than doubled its assets primarily through brokered deposits, while the directors administered a lending program that violated industry standards and the bank’s internal controls. In connection with the financial crisis, the indictment states, the bank’s loan portfolio deteriorated and the directors conspired to conceal the institution’s financial condition. Ultimately, the bank failed, leaving the federal government insurance fund to cover approximately $260 million in deposits, the indictment claims. In addition to the criminal charges, the U.S. Attorney is seeking forfeiture of the defendants’ assets. Other bank officers, employees, and customers already have pled guilty to related charges.
On July 12, the DOJ announced a settlement with a national bank to resolve allegations that the bank engaged in a pattern or practice of discrimination against qualified African-American and Hispanic borrowers in its mortgage lending from 2004 through 2009. Pursuant to a consent decree awaiting approval by the U.S. District Court for the District of Columbia, the bank will pay $125 million in compensation to wholesale borrowers who, the DOJ alleges, were steered into subprime mortgages or who paid higher fees and rates because of their race or national origin, and $50 million in direct down payment assistance to borrowers in communities identified by the DOJ as having large numbers of discrimination victims. In addition to the combined $175 million payment, the bank also agreed to separately compensate individual African-American and Hispanic borrowers identified through an internal review of its retail mortgage lending operations. Finally, the agreement will subject the bank to other compliance, training, recordkeeping, and monitoring requirements. In addition to resolving the federal allegations, the consent decree resolves a fair lending suit based on similar allegations brought by the Illinois Attorney General. The DOJ’s Fair Lending Unit in the Civil Rights Division’s Housing and Civil Enforcement Section worked with the U.S. Attorney’s Office for the District of Columbia and the Illinois Attorney General to obtain this agreement. The Fair Lending unit was established in 2010, and since that time has filed a complaint in or resolved 19 matters, a pace far surpassing that of previous years. This matter also is the most recent to be concluded under President Obama’s Financial Fraud Enforcement Task Force, an interagency effort to investigate and prosecute financial crimes.
Oklahoma Updates Uniform Consumer Credit Code. On May 1, Oklahoma enacted House Bill 2742, which amends the state’s Uniform Consumer Credit Code. The bill increases the dollar threshold for transactions exempt from the Code from $45,000 to $50,000 and requires that the threshold be adjusted annually henceforth. With regard to mortgages particularly, the bill (i) expands the language required to be included in the disclosure statement, (ii) requires that the creditor mail the disclosure statement at least seven business days before the transaction, and (iii) requires the creditor to send a new statement at least three days before closing if the interest rate changes. It further requires that (i) a consumer cannot be charged any fee prior to receipt of the statement, except for a fee to obtain a credit report; and (ii) a consumer can waive the disclosure statement timing requirements. The law also increases the penalties for violations of the mortgage disclosure statement or right to rescind rules and requires that, within 30 days of the sale or transfer of a mortgage loan, the new creditor must notify the borrower that the loan has been transferred and provide contact and other relevant information.
Georgia Enacts Mortgage-Related Bills. On May 1, Georgia enacted two mortgage-related bills. House Bill 110 permits local jurisdictions to create vacant and foreclosed property registries and establishes uniform requirements for such registries. The law takes effect July 1, 2012. House Bill 237 expands the state’s mortgage fraud law to cover the foreclosure process.
New York Extends Temporary Mortgage Servicer Rules. On May 2, the New York Department of Financial Services published an extension of its emergency rules to implement the 2008 Mortgage Lending Reform Law. The rules will remain in effect through July 11, 2012, unless further extended or permanently adopted.
On April 23, the Financial Crimes Enforcement Network (FinCEN) released an update on mortgage loan fraud suspicious activity reports (SARs) for 2011. The report indicates that mortgage fraud SARs increased 31 percent in 2011 compared to 2010, a spike that FinCEN states is directly attributable to mortgage repurchase demands and special filings generated by several institutions. Based on a sample analysis, FinCEN found that in 40 percent of cases resulting in a SAR, the institution turned down the subject’s loan application, short sale request, or debt elimination because of the suspected fraud, indicating improvement in mortgage lending due diligence. Among other things, the report highlights short sales, appraisals, and identity theft as new fraud patterns in 2011 SARs.