According to a Wall Street Journal report, Facebook has agreed to remove age, gender, and zip code targeting for housing, employment, and credit-related advertisements as part of a settlement of a lawsuit filed by the National Fair Housing Alliance, the Communications Workers of America, and other plaintiffs.

While Facebook reportedly did not permit advertisers to target specifically by race, it did allow advertisers to use “ethnic affinity” criteria.  Facebook is reported to also be placing other restrictions on advertisers.  For example, geographic targets will need to have a minimum 15-mile radius from any specific address or city center and the “Lookalike Audience” tool, which lets advertisers try to find Facebook users who resemble customers they already know, will not incorporate factors such as age, religious views, or Facebook Group membership. 

While it is highly debatable whether the Equal Credit Opportunity Act or other fair lending laws apply to social media advertising of this nature, regulators take the position that they do, and they sometimes explore these issues in examinations.  It therefore is critically important for companies to be mindful of fair lending risk when formulating their social media and other advertising plans.



The New York Department of Financial Services has filed a memorandum of law opposing the OCC’s motion to dismiss the NYDFS’s second lawsuit seeking to block the OCC’s issuance of special purpose national bank (SPNB) charters to fintech companies.

In its motion to dismiss, the OCC argued that the court lacks subject matter jurisdiction over the NYDFS’s claims because (1) the NYDFS cannot have standing to sue until the OCC approves an application for an SPNB charter because only then could the NYDFS suffer an injury in fact, and (2) the OCC has not yet received an application for an SPNB charter or granted a charter, thus making the matter not ripe for judicial review.  The OCC also argued that the NYDFS’s claims are time-barred because it can no longer challenge the OCC’s regulation (12 C.F.R. section 5.20(e)(1)) interpreting the term “business of banking” in the National Bank Act and that the NYDFS’s complaint fails to state a claim because the OCC’s regulation is entitled to deference.

In opposing the motion to dismiss, the NYDFS argues:

  • Even if it has not yet suffered actual injury, it has standing because injury to NYDFS is “imminent” as a result of the OCC’s decision to accept applications for SPNB charters.
  • The OCC’s public announcement that it will accept applications for SPNB charters and has taken substantial steps towards issuing such charters makes the matter ripe for judicial review.
  • Because the NYDFS is challenging the OCC’s July 31, 2018 decision to issue SPNB charters and the OCC has admitted that it has never relied on its regulation to issue national bank charters to non-depository institutions, the NYDFS’s action accrued on July 31, 2018 and is not time-barred.
  • The OCC’s interpretation of the business of banking is not entitled to deference because it constitutes “a manifestly unreasonable interpretation of the NBA.”

Based on arguments substantially similar to those it made in moving to dismiss the NYDFS’s lawsuit, the OCC also filed a motion to dismiss the second lawsuit filed by the Conference of State Bank Supervisors (CSBS) to block the OCC from issuing SPNB charters.  In addition to filing a brief opposing the OCC’s motion to dismiss based on arguments substantially similar to those made by the NYDFS, the CSBS filed an alternative motion for leave to conduct jurisdictional discovery.


On March 7, 2019, the DOJ announced the largest coordinated sweep of elder fraud cases to date. Joined by the FBI and other federal and state partners, the DOJ held a press conference detailing the results of the coordinated effort. Coordinated law enforcement actions in the past year, they said, resulted in criminal cases against more than 260 defendants who victimized more than 2 million Americans, most of them elderly. In each case, the offenders allegedly engaged in financial schemes that targeted or largely affected seniors. Losses are estimated to have exceeded more than $750 million. The DOJ released an interactive list of the elder fraud cases.

The sweep was primarily focused on the threat posed by technical-support fraud, an increasingly common form of elder fraud in which criminals trick victims into giving remote access to their computers under the guise of providing technical support. The DOJ partnered with the FBI, U.S. Postal Inspection Service, the Department of Homeland Security, state Attorneys General and the U.K.’s City of London Police to investigate and prosecute perpetrators of technical-support fraud.

Since many of those prosecuted as a part of the elder fraud sweep cases – including technical-support fraud and mass mailing elder fraud cases – allegedly involved transnational criminal organizations, the DOJ and Postal Inspection Service worked with numerous countries to secure evidence and extradite defendants. The sweep also took comprehensive action against the money mule network that facilitates foreign-based elder fraud. The DOJ defines a money mule as “someone who transfers money acquired illegally in person, through the mails, or electronically, on behalf of others.” With assistance from the Secret Service and Homeland Security, the FBI and Postal Inspection Service took action against over 600 alleged money mules. Additionally, the sweep benefited from assistance from foreign law enforcement partners.

The sweep also had a public education campaign focused on technical-support fraud. The DOJ coordinated with the FTC and State Attorneys General in designing and disseminating messaging material intended to warn consumers and businesses. Public education outreach is being conducted by various state and federal agencies, to educate seniors and prevent further victimization.

The coordinated effort reflects the increasing focus of federal and state regulators on elder financial abuse. In February, the CFPB’s Office of Financial Protection for Older Americans issued a report providing guidance to financial institutions on combating elder abuse. As we have previously observed, elder financial abuse prevention can be viewed as falling within a financial institution’s general obligation to limit unauthorized use of customer accounts as well as its general privacy and data security responsibilities. Thus, a financial institution that fails to proactively implement an elder financial abuse prevention program risks regulatory investigation. Additionally, a depository institution subject to CFPB supervision should expect CFPB examiners to look at its program for preventing elder financial abuse. Further, many states have laws that address elder financial abuse, in some instances requiring mandatory reporting, without providing protection to the bank, while in others including providing immunity for banks who implement transaction holds when staff members observe financial exploitation.

The parties in Madden v. Midland Funding, LLC. have filed a joint motion with the New York federal district court seeking preliminary approval of a class settlement.

The plaintiffs’ class action complaint in Madden alleged that a debt buyer, which had purchased the plaintiffs’ charged-off credit card debt from a national bank, violated the Fair Debt Collection Practices Act (FDCPA) by falsely representing the amount of interest it was entitled to collect.  The complaint also alleged violations of New York usury law.  In an unexpected outcome, the Second Circuit held that the purchaser of charged-off debt from a national bank does not inherit the preemptive interest rate authority of the national bank under Section 85 of the National Bank Act (NBA).  Accordingly, the debt buyer could be subject to the usury limitations provided by state law.  In June 2016, the U.S. Supreme Court denied the defendants’ petition for certiorari.

The proposed Settlement Class would be defined as:

All persons residing in New York who were sent a letter by Defendants attempting to collect interest in excess of 25% per annum regarding debts incurred for personal, family, or household purposes, whose cardholder agreements: (i) purport to be governed by the law of a state that, like Delaware’s, provides no usury cap; or (ii) select no law other than New York.  This class comprises two subclasses [with one subclass for claims arising out of New York usury law violations during a specified period and the other subclass for claims arising out of FDCPA violations during a specified period.]

The settlement provides for three main forms of relief:

  • $555,000 in monetary relief
  • $9,250,000 in balance reduction relief/credits
  • Ongoing compliance of defendants’ policies and practices with applicable law regarding collection of interest on settlement class member accounts

We continue to urge the OCC to confront true lender and Madden risks directly.  This could (and should) be accomplished through adoption of a rule: (1) providing that loans funded by a bank in its own name as creditor are fully subject to Section 85 and other provisions of the National Bank Act for their entire term; and (2) emphasizing that banks that make loans are expected to manage and supervise the lending process in accordance with OCC guidance and will be subject to regulatory consequences if and to the extent that loan programs are unsafe or unsound or fail to comply with applicable law.  (The rule should apply in the same way to federal savings banks and their governing statute, the Home Owners’ Loan Act.)  In other words, it is the origination of the loan by a supervised bank (and the attendant legal consequences if the loans are improperly originated), and not whether the bank retains the predominant economic interest in the loan, that should govern the regulatory treatment of the loan under federal law.


In this week’s podcast, we review the four key focus areas of the 2015 diversity and inclusion standards adopted by the Offices of Minority and Women Inclusion at the CFPB and other federal financial regulators, identify issues regulated entities should consider in addressing those areas and deciding whether to conduct D&I self-assessments, and discuss the evolving Congressional and regulatory D&I landscape since 2015, including recent letters sent to regulated entities regarding D&I efforts and self-assessments and D&I benefits for letter recipients to consider.

Click here to listen to the podcast.

The FTC has issued its 2018 Consumer Sentinel Network Data Book. The report summarizes consumer complaints stored in the Consumer Sentinel Network, a secure online database.

For 2018, imposter scams top the list of reported complaint categories, accounting for 18% of the almost 3 million consumer reports summarized in the Data Book. Debt collection—which had crowned the list in 2017—falls to second, with 16% of all reports. Identity theft is third, with 15%.

The Data Book also provides several observations related to the general complaint categories, including the following:

  • There were more than 535,000 imposter scams reported, with almost 20% of the reported incidents resulting in a monetary loss. Nearly half of these reported scams involved government imposters that falsely claimed to be from the IRS, Social Security Administration, other government agency to get victims to turn over money and/or personal information.
  • Debt collection reports (including reports regarding, e.g., repeated calls, false representations of amount or status of a debt, failure to send written notice of a debt, false threats of suit, use of profanity, failure to identify as a debt collector, etc.) declined by 24% from 2017.
  • Credit card fraud was the most common type of identity theft report. The FTC received over 167,000 reports from people who claimed that their information was either misused on an existing account or used to open a new credit card account.The Data Book also separately analyzes reports made by military consumers, including active duty service members, military dependents, inactive reserve members, and veterans. Of 122,519 total reports by military consumers, imposter scams top the list at 29% of the reports, followed by identity theft at 23%. In contrast to the general population, however, debt collection reports account for only about 5% of the total reports by military consumers.
  • Additionally, the Data Book provides state-by-state breakdowns and comparisons. Florida, Georgia, Nevada, Delaware, and Tennessee had the highest fraud reports per capita. Georgia, Nevada, California, Florida, and Texas had the highest identity theft reports per capita.  Notably, the Data Book’s summary excludes reports related to the National Do Not Call Registry and reports about unsolicited commercial email.

While the FTC releases its annual Data Book to the public, only law enforcement organizations—including the CFPB and state attorney generals—can access the Consumer Sentinel Network database itself. This database houses reports from numerous sources, including consumer complaints made through sources including, among others: the FTC’s call center or websites, such as, a resource for identity theft victims, and, a site designed to promote cross-border information sharing regarding internet fraud; Better Business Bureaus for 100 different regions; PrivacyStar, a service that identifies who is calling and why; the CFPB; Publishers Clearing House; Microsoft Corporation Cyber Crime Center; and state law enforcement agencies.

The Data Book acknowledges that it is based on “the unverified reports filed by consumers.” Nevertheless, its summaries and the Consumer Sentinel Network are intended to assist law enforcement “to spot trends, identify questionable business practices and targets, and enforce the law.” Thus, as we have previously observed, minimizing the number of consumer complaints made to the FTC, CFPB, BBB, and other consumer watchdogs is an essential first step to avoid ending up on a regulator’s radar.

The FTC and CFPB have reauthorized their memorandum of understanding.  According to the FTC’s press release, “the agreement reflects the ongoing coordination between the two agencies under the terms of the Consumer Financial Protection Act, and is designed to coordinate efforts to protect consumers and avoid duplication of federal law enforcement and regulatory efforts.”

The first MOU, signed in 2012, had an initial term of three years, and was reauthorized in 2015 for an additional three-year term.  Although some definitional and organizational changes were made to the new MOU, it does not appear to have any material substantive differences from the 2015 MOU.  However, unlike the prior two MOUs which each had a three-year term, the new MOU provides that it “will remain in effect unless superseded by the signed, mutual agreement of the agencies.”



The Federal Financial Institutions Examination Council (FFIEC)—the interagency body tasked with setting uniform principles and standards for the examination of financial institutions by federal regulators, including the Consumer Financial Protection Bureau—has adopted a Policy Statement designed to streamline the information presented in examination reports (“ROE”). While the agencies represented by the FFIEC will make any individual adjustments deemed necessary for their existing ROE guidance, financial institutions should be aware of the new format outlined in the Policy Statement which sets forth minimum expectations for what should be included in all ROEs.

In the Policy Statement, the FFIEC explicitly rescinds and replaces the 1993 Interagency Policy Statement on the Uniform Core Report of Examination. The Policy Statement is the latest in a series of FFIEC announcements related to their Examination Modernization Project which was launched to identify and assess ways to improve the effectiveness, efficiency and quality of examination processes, particularly through the use of technology, and to reduce unnecessary regulatory burden on community financial institutions. The Policy Statement list of minimum expectation for ROEs includes:

  • Identifying information about the institution and agency;
  • A statement on the confidentiality of information;
  • Conclusions presented in the order of importance;
  • A brief narrative on the financial institution’s condition and risk profile, including assigned regulatory component and composite ratings;
  • A discussion of the adequacy of the financial institution’s risk management practices;
  • Prominent notice of any issues of supervisory concern or warranting corrective action; and
  • Signatures of the board of directors acknowledging receipt and review.

As with the recent FFIEC’s guidance regarding Home Mortgage Disclosure Act rules (as discussed in our prior blog post), the Policy Statement is an important resource for financial institutions interacting with the FFIEC member agencies.

On March 6, 2019, a California subprime auto lender, California Auto Finance, agreed to enter into a consent order with the Justice Department related to allegations that it repossessed vehicles in violation of the Servicemembers Civil Relief Act (SCRA). Under the terms of the consent order, which is still subject to court approval, California Auto Finance must pay $50,000 in civil penalties to the government and $30,000 in compensation to one individual servicemember – the highest amount the Department has ever recovered for one servicemember. The lender also agreed to implement procedures to ensure SCRA compliance in the future.

The Justice Department initiated the investigation after receiving a complaint in November 2016 from United States Army Private Andrea Starks alleging that California Auto Finance repossessed her vehicle without a court order from her grandmother’s home on the first day of her military training. As a result of the investigation, the Justice Department determined that California Auto Finance did not have SCRA compliance policies in place and had also improperly repossessed the vehicle of another servicemember, U.S. Army Specialist Omar Martinez, during his first month of military training. Because of the repossession’s impact on Specialist Martinez’ credit, he was unable to purchase a new car and had to rely on rideshares and taxis for over a year. According to a Justice Department press release, California Auto Finance reached a private settlement with Private Starks. As part of the consent order, it agreed to pay Specialist Martinez $30,000.

The Consent Order signals the Justice Department’s continued interest in enforcing the SCRA and safeguarding the rights of military members under the Trump Administration. Since 2011, the Justice Department has obtained over $469 million in monetary relief for over 119,000 servicemembers through its enforcement of the SCRA. Attorney General Eric Dreiband for the Department of Justice’s Civil Rights Division stated: “We will continue to vigorously pursue lenders who fail to take the simple steps necessary to determine, before repossessing a car, whether it belongs to a servicemember. Servicemembers who are going through basic training or another kind of military service should not have to worry that their cars will be repossessed with no court supervision during their time of service to our country.

The FTC has proposed amendments to its 2003 Safeguards Rule and 2000 Privacy Rule, applicable to financial institutions under the Gramm Leach Bliley Act (GLBA).  The proposed changes are informed by the FTC’s enforcement experience and are intended to keep pace with technological developments.

The Safeguards Rule requires financial institutions to have a comprehensive information security program.  The proposed rule amendment will more clearly define the requirements for such information security programs.  Some of the proposed changes to the Safeguards Rule include:

  • Encryption of all consumer data,
  • Implementing access controls to prevent unauthorized users from accessing consumer information;
  • Implementing multifactor authentication to access consumer data, and
  • Requiring periodic reports submitted to the boards of directors to ensure compliance.

The proposed amendments to the Safeguards Rule will better align the rule with prevailing cyber security standards, such as the NY DFS cybersecurity regulations and the NIST framework.  The amendments are also designed to ensure that non-bank financial technology entities, fintechs, are subject to cybersecurity standards similar to those that banks are subject to under the FFIEC interagency guidelines.

Further, the Commission proposes to expand the definition of “financial institution” in both the Privacy Rule and the Safeguards Rule to include companies engaged in activities “incidental to financial activities.”  The expansion includes “finders” or those who charge a fee to connect consumers looking for a loan to a lender.

While the proposed changes to the Safeguards Rule and Privacy Rule will provide more clarity for certain GLBA covered entities regarding the contours of their information security programs, the proposed expansion of the definition of financial institution may not be greeted with open arms by the companies not currently covered by the Safeguards Rule and the Privacy Rule.