CFPB Issues Proposed Rule Seeking to Amend Procedures for Disclosing Certain Confidential Information

On August 24, the CFPB published a proposed rule seeking to amend procedures used by persons in the public domain to obtain information from the CFPB under the Freedom of Information Act, the Privacy Act of 1974 and legal proceedings. In part, the proposal also seeks to revise the 2013 final rule related to the “exchange of confidential supervisory information (CSI) with certain agencies.” Specifically, the CFPB proposes to remove the standard for sharing CSI, thereby utilizing the same standard for sharing information that is not considered CSI and giving the CFPB the discretion to disclose CSI to another agency “to the extent that the disclosure of the information is relevant to the exercise of the [agency’s] statutory or regulatory authority.” Among other things, if accepted, the proposal may allow the CFPB to establish a CSI sharing regime to include state attorneys general and other agencies without supervisory power. Comments are due by October 24, 2016.

LinkedInFacebookTwitterGoogle+Share

FTC Bans New York Debt Collector; Resolves 2015 “Operation Collection Protection” Action

On August 24, the FTC, in coordination with New York AG Schneiderman, announced that it issued a final order banning a debt collector and his four companies from the debt collection business. According to the order, the defendants engaged in deceptive and abusive debt collection practices in violation of the FTC Act, the Fair Debt Collection Practices Act, and New York General Business Law. The final order resolves a 2015 Operation Collection Protection action alleging, among other things, that the defendants “regularly threatened, pressured, and harassed consumers into paying debts [they] did not owe,” continuing to “collect on these fake debts even after the supposed creditor notified them that the debts were bogus.” The final order imposes a judgment of more than $18.4 million, which will be partially suspended due to the defendants’ inability to pay. AG Schneiderman and the FTC issued a separate order to the owner’s ex-wife, imposing a $418,000 judgment, which also will be partially suspended.

LinkedInFacebookTwitterGoogle+Share

Massachusetts AG and Division of Banks Seek Input on Debt Collection and Industry Regulation

On September 22, the Massachusetts Division of Banks (the Division) and AG Healey’s office will host an informational session to discuss the current state of debt collection and industry regulation in Massachusetts. The Division and AG Healey seek responses to questions regarding how the debt collection industry has changed in recent years; the industry’s organizational structure; licensing requirements for debt collectors and debt buyers; law firm involvement in debt collection activities; notification requirements regarding whether a debt has been sold; debt collection issues, including litigation-related problems, that consumers and industry members face; and how changes in federal laws and regulations governing debt collection practices should be reflected in Massachusetts’s regulations. Written responses and comments to the Division are due by October 21, 2016.

LinkedInFacebookTwitterGoogle+Share

State Attorneys General Issue Letter in Support of CFPB’s Proposed Arbitration Rule

On August 12, Massachusetts AG Healey, alongside 17 other state attorneys general, sent a letter to CFPB Director Cordray in support of the agency’s proposed rule seeking to impose restrictions on the use of mandatory pre-dispute arbitration clauses by covered providers of certain consumer financial products and services. Although the letter supports the CFPB’s proposed rule, it encourages the CFPB to consider regulations that would prohibit such clauses outright. According to the letter, class action litigation would provide consumers with “real and meaningful benefits,” such as monetary and injunctive relief through settlements, and may further spur industry-wide reforms as well as regulatory and legislative action. The letter further supports the CFPB’s “effort to increase transparency in the arbitration process by requiring covered entities to submit initial claim filings and written awards in arbitration proceedings to the Bureau,” and encourages the agency to (i) publish the information publicly on its website; (ii) enforce timing obligations for reporting the information; and (iii) establish strict penalties, including fines and loss of arbitration privileges, against entities that do not comply with the reporting requirements.

LinkedInFacebookTwitterGoogle+Share

New York AG Schneiderman Announces $100,000 Settlement Over Data Security Practices

On August 5, New York AG Schneiderman announced that an online retailer will pay $100,000 in penalties to settle allegations that its weak security practices led to a data breach that potentially exposed more than 25,000 credit card numbers and cardholder data. According to AG Schneiderman, after a third party accessed the retailer’s website on August 7, 2014, a merchant bank notified the retailer on June 5, 2015 that customers’ credit card accounts were showing fraudulent charges. The retailer subsequently hired a company to conduct a forensic investigation, during which malware was found on and subsequently removed from the retailer’s website. AG Schneiderman contends that the retailer violated various sections of the New York State General Business Law by failing to notify its customers or law enforcement of the breach and by misrepresenting the safety and security of its website, also in breach of Executive Law § 63(12). In addition to the $100,000 penalty, the settlement requires that the retailer (i) conduct thorough and efficient investigations of future data security breaches; (ii) promptly notify New York law enforcement and affected customers of data security breaches; (iii) “maintain reasonable security policies and procedures designed to protect the personal information of consumers in accordance with New York State General Business laws”; (iv) remediate security vulnerabilities on its websites; and (v) train its employees with the most current data security practices.

LinkedInFacebookTwitterGoogle+Share