July 21, 2021 will mark the 10th anniversary of the CFPB opening for business.  It will also mark the 10th anniversary of our blog, Consumer Finance Monitor, which we intentionally launched on the CFPB’s first day.

In our two-part webinar, we will review the Bureau’s significant initiatives to date and share our thoughts on the Bureau’s likely direction throughout the Biden Administration.  In Part I, we will take a close look at the Bureau’s major regulatory initiatives during its first 10 years, how it has responded to the rapid change in technology, and what we expect going forward.  Part II will be devoted to supervisory and enforcement activities.

Part I will be held on Monday, July 26, 2021 from 2:00 p.m. to 4:00 p.m. ET and will focus on the Bureau’s completed, pending, and potential regulatory actions dealing with:

  • Mortgage origination and servicing
  • Prepaid cards
  • Debt collection
  • Small dollar lending
  • Overdrafts
  • Small business lending
  • Consumer access to financial information
  • Technology developments and what we expect going forward
  • Arbitration

Part II will be held on Tuesday, August 3, 2021 from 12:00 p.m. to 1:30 p.m. ET and will focus on the Bureau’s past, ongoing, and potential supervisory and enforcement activities concerning:

  • Supervision of “larger participants,” including the industries that may be future candidates for “larger participant” supervision
  • Fair lending
  • Unfair, deceptive, or abusive acts or practices
  • Credit cards
  • Debt collection
  • Credit reporting
  • Student lending and servicing
  • Mortgage origination and servicing
  • Debt relief
  • Military Lending Act and service member issues

On June 29, 2021, the CFPB and the Attorney General of the State of Georgia filed a proposed order in connection with a joint lawsuit they filed a day earlier in federal district court in Georgia against Maryland-based debt-relief and credit-repair company Burlington Financial Group (“Burlington”) and three individual owners and executives.  In the lawsuit, the CFPB and Georgia AG alleged that Burlington offered to provide debt-relief and credit-repair services to consumers throughout the United States through telemarketing and telephone sales but instead used deceptive tactics to defraud consumers.

The CFPB and Georgia AG claimed that the defendants violated the Telemarketing and Consumer Fraud and Abuse Prevention Act, the Telemarketing Sales Rule, and the Consumer Financial Protection Act by, inter alia, falsely promising to help their customers reduce their credit-card debts and improve their credit scores.  The complaint identifies numerous misleading schemes initiated by the defendants, including misrepresenting material aspects of the debt-relief and credit-repair services that Burlington offered, sold or provided to customers; misleading customers on the promised results and, in some instances, not providing the promised services at all; and misleading customers on expected results by failing to track Burlington’s own results, thereby precluding the defendants from having any way of knowing whether Burlington had achieved the promised results.  The CFPB and Georgia AG alleged that the defendants’ tactics often left their customers “with increased debts, impaired credit scores, and, in some instances, exposed to creditor lawsuits and bankruptcy.”

The proposed order provides for a total civil money penalty of $150,001, of which $15,000 will be remitted to the State of Georgia, and a judgment for redress of at least $30 million to be suspended upon payment of the $150,001 civil money penalty.  It would also permanently ban the defendants from telemarketing any consumer financial product or service and from offering, marketing, selling, or providing any financial-advisory, debt-relief, or credit-repair service.


The CFPB has released the Summer 2021 edition of its Supervisory Highlights.  The report, which contains 48 pages of supervisory observations, discusses the Bureau’s examinations in the areas of auto servicing, consumer reporting, debt collection, deposits, fair lending, mortgage origination and servicing, private student loans, payday lending, and student loan servicing that were completed between January 1, 2020 and December 31, 2020 (which was the last full year of Kathleen Kraninger’s tenure as CFPB Director).

Key findings by CFPB examiners are described below. 

Auto servicing.

Servicers were found to have engaged in unfair practices in violation of the CFPA UDAAP prohibition by:

  • Adding and maintaining charges for collateral protection insurance (CPI) premiums as a result of deficient processes when consumers had adequate insurance in place, with some servicers causing additional injury by applying refunds of CPI charges to principal instead of returning the amounts directly to consumers.
  • Collecting or attempting to collect CPI premiums after repossession, even though no actual insurance protection was provided for those periods.
  • Posting payments to the wrong account or posting certain payments as principal-only payments instead of periodic installment payments, resulting in late fees and additional interest.
  • Accepting loan payoff amounts that included overcharges for optional products (as a result of the method used to calculate refunds), after telling consumers that they owed the larger amount.

Servicers were found to have engaged in deceptive practices in violation of the CFPA UDAAP prohibition by representing on their websites that payments would be applied in a specified order (as between principal, interest and fees) and subsequently applying payments in a different order.

Consumer reporting.

Consumer reporting companies (CRCs) were found to have violated the FCRA by:

  • Not complying with the FCRA requirement to follow reasonable procedures to assure maximum accuracy of information in consumer reports as a result of continuing to include information that was provided by unreliable furnishers (i.e., furnishers who had responded to disputes in ways that suggested they were no longer sources of reliable, verifiable information about consumers).  In particular, the CFPB stated that the furnishers’ failure to respond to disputes, or deleting all disputed tradelines, or validating all disputes, should have alerted the CRCs that the furnishers’ information was unreliable.
  • Not complying with the FCRA 3-business day requirement for placing a security freeze on a consumer’s credit report after receiving the consumer’s freeze request.
  • Not complying with the FCRA 4-business day requirement to block the reporting of information that the consumer identifies as information resulting from an alleged identity theft.

Auto loan furnishers were found to have violated the FCRA requirement to promptly notify CRCs of furnished information determined to be inaccurate or incomplete by failing to send updated or corrected information to CRCs after making a determination that furnished information was no longer accurate.

Mortgage furnishers were found to have violated the Regulation V requirement to conduct reasonable investigations of direct disputes as a result of maintaining procedures that instructed employees to (1) verify that consumers’ signatures matched the signature on file and, (2) if they did not match, to send a letter to the borrower stating that the information provided in the dispute did not match the furnishers’ records and take no further steps to investigate the dispute.  Interestingly, however, the discussion of how the furnishers resolved this issue included the statement that the furnishers adopted policies and procedures to reasonably identify disputes that were “frivolous or irrelevant” because they originated from a credit repair organization.

Debt collection.  Debt collectors were found to have violated the FDCPA by:

  • Communicating with consumers at their places of employment during work hours when the collector knew or should have known that calls during work hours were inconvenient to the consumers.
  • Communicating with third parties other than those permitted by the FDCPA and, when communicating with third parties for the purpose of acquiring location information, disclosing the name of the debt collector to third parties who had not expressly requested the collector’s name.
  • Continuing to attempt to collect a debt from the consumer after receiving a written request from the consumer to cease further communications.
  • Harassing consumers by emphasizing multiple times to consumers who had stated they were unable to make or complete payment arrangements that the collector would place a note in the account system stating that the consumer was refusing to make a payment.
  • Threatening to report to CRCs that consumers owed debts that the collectors knew or should have known were disputed, resulted from identity theft, and were not owed by the consumers and reporting such debts to CRCs without reporting that the debts were disputed.
  • Falsely representing to consumers the impact on their credit files of paying off their debts, such as telling the consumer the debt would no longer impact their credit profile once paid.
  • Entering inaccurate information regarding state interest rate caps in an automated system, resulting in overcharges to consumers.
  • Sending wage garnishment orders to consumers’ employers by mistake, despite having received completed applications from the consumers to consolidate their debts which should have stopped the garnishment process based on standard procedures.
  • Sending validation notices that did not include required information.


Deposits.  Financial institutions were found to have violated Regulation E by:

  • Failing to comply with provisional credit requirements for disputed transactions.
  • Failing to complete investigations of disputes and make a determination within the applicable time periods.
  • Failing to conduct reasonable investigations of disputes by denying claims solely because the consumers had previously conducted business with the merchant.
  • Failing to refund associated fees and credit interest when resolving disputes in the consumer’s favor.
  • Failing to comply with overdraft opt-in requirements, including by failing to advise consumers of their right to revoke an opt-in to overdraft services as part of their opt-in confirmation and failing to retain evidence of having obtained affirmative consent to opt into overdraft services.

Financial institutions were found to have violated Regulation DD by disclosing to consumers, through automated systems, an available account balance amount that included potential discretionary overdraft credit and by failing to correctly disclose on periodic statements the amount of overdraft fees incurred by the consumer during the statement cycle.

Fair lending.

  • HMDA.  CFPB examiners found widespread errors within 2018 HMDA loan application registers of several financial institutions.  In several examinations that identified such errors, the root causes were deficiencies in the institutions’ compliance management systems.
  • Redlining.  CFPB examiners found that a lender violated the ECOA and Regulation B by engaging in acts or practices directed at prospective applicants that would have discouraged reasonable people in minority neighborhoods in Metropolitan Statistical Areas (MSAs) from applying for credit.  The lender was prioritized for a redlining examination because an initial analysis of HMDA and U.S. census data showed that the lender received significantly fewer applications from majority-minority and high-minority neighborhoods relative to other peer lenders in the MSA.  These differences relative to the lender’s peer lenders were confirmed by examiners in subsequent, in-depth analyses.  Evidence of communications that would have discouraged reasonable people on a prohibited basis from applying to the lender for a mortgage loan included: (1) direct marketing materials that only featured models appearing to be non-Hispanic white, (2) open house marketing materials that only included headshots of mortgage professionals appearing to be non-Hispanic white, and (3) locating nearly all offices in majority non-Hispanic white areas.

Mortgage origination.

Lenders were found to have violated Regulation Z by:

  • Compensating loan originators differently based on product type, specifically lower compensation for bond program loans subject to state Housing Finance Agency requirements, and higher compensation for construction loans.
  • For a simultaneous purchase of lender and owner title insurance policies, disclosing the lender’s title insurance premium at the discounted rate and the owner’s title insurance at the full premium on the Loan Estimate.

Lenders were found to have engaged in deceptive practices in violation of the CFPA UDAAP prohibition by using:

  • A waiver provision in a rider to a security deed that provided that borrowers who signed the agreement waived all of their rights to notice or judicial hearing before the lender exercised its right to nonjudicially foreclose on the property.  This practice was deemed deceptive because a reasonable consumer could understand the provision to waive the consumer’s right under Regulation X to sue over a loss mitigation notice violation in the nonjudicial foreclosure context.
  • A security agreement for cooperative units that required borrowers to agree to a waiver, in the event of default, of any equity or right of redemption. This practice was deemed deceptive in light of the Regulation Z provision prohibiting the interpretation of dwelling-secured contracts to bar federal claims because the waiver language would likely mislead a consumer into believing that by signing the agreement they waived their right to bring any claim in court, including federal claims.

Mortgage servicing.

Servicers were found to have violated Regulation X by:

  • Failing to apply foreclosure protections on the date that outstanding loss mitigation application information was received, which rendered the application “facially-complete.”  Instead of applying the foreclosure hold on the date the information was received, the servicer only did so after an internal analysis of that information, which caused a delay of more than a day, during which a foreclosure filing occurred.
  • Making the first notice or filing for foreclosure before fully evaluating borrowers’ appeals.
  • Having a process in place for directing foreclosure counsel to stop all legal filings only after the servicer had sent borrowers the notice acknowledging receipt of a complete loss mitigation application.  Such a process violates Regulation X because the notice of complete application can be sent up to five days after receipt of the application, whereas the foreclosure protections apply on the date that a complete loss mitigation application is received.
  • Including in the estimated disbursements for an annual escrow analysis a full year of private mortgage insurance (PMI) disbursements despite knowing that PMI would be charged for only part of the year.

Servicers were found to have engaged in a deceptive practice in violation of the CFPA UDAAP prohibition by representing to borrowers, who had submitted a repeat loss mitigation application, that they would not initiate a foreclosure until a specified date.  However, because repeat loss mitigation applications are excluded from coverage under the loss mitigation procedures and foreclosure protections of Regulation X, foreclosures were initiated prior to the date provided in the communications.

Payday lending. Lenders were found to have engaged in deceptive practices in violation of the CFPA UDAAP prohibition by:

  • Sending collection letters to delinquent borrowers stating an intent to sue if the consumer did not repay the loan when the lenders, in fact, had not decided prior to sending the letters that they would sue if borrowers did not pay, and in most cases did not sue borrowers who did not pay.
  • Falsely representing on storefronts and in photos on proprietary websites that they would not check a consumer’s credit history when, in fact, the lenders used consumer reports in determining whether to extend credit.
  • Presenting fee-based refinance options to struggling borrowers while withholding information about contractually available no-cost repayment plan options.

Private student loan origination.  Entities were found to have engaged in deceptive practices in violation of the CFPA UDAAP prohibition as a result of the net impression created by marketing materials that advertised rates “as low as” X%, disclosed certain conditions to obtain that rate, and omitted that a borrower’s rate would depend on creditworthiness.

Student loan servicing. Servicers were found to have engaged in deceptive practices in violation of the CFPA UDAAP prohibition by providing Federal Family Education Loan Program (FFELP) borrowers inaccurate information about eligibility for the Public Service Loan Forgiveness (PSLF) program.  Such practices included:

  • Representing to FFELP borrowers that they could submit their employer certification forms (ECF) to receive a determination on whether their employers are eligible for PSLF when, under PSLF program guidelines, FFELP borrowers who submit an ECF before consolidating into a Direct Loan will be rejected without any determination about employer eligibility.
  • Advising FFELP borrowers that their loans could not become eligible for PSLF.
  • Informing borrowers interested in the PSLF program that they were only eligible if their employer was a non-profit.
  • For consumers whose accounts were automatically placed into a natural disaster forbearance, failing to unenroll consumers from forbearances upon their request and failing to reenroll consumers in auto-debit programs when forbearances ended.
  • Failing to waive or refund overcharges assessed following loan transfers that resulted in income-based repayment plans not being honored.
  • Failing to follow borrowers’ explicit standing instructions on payment allocation.

As required by the Anti-Money Laundering Act (“AML Act”), the Financial Crimes Enforcement Network (“FinCEN”) issued on June 30, 2021 the first government-wide list of priorities for anti-money laundering and countering the financing of terrorism (“AML/CFT”) (the “Priorities”).  The Priorities purport to identify and describe the most significant AML/CFT threats facing the United States.  The Priorities have been much-anticipated because, under the AML Act, regulators will review and examine financial institutions in part according to how their AML/CFT compliance programs incorporate and further the Priorities, “as appropriate.”

Unfortunately, and as we will discuss, there is a strong argument that FinCEN has prioritized almost everything, and therefore nothing.

The Priorities and Their Utility.  The Priorities, listed according to FinCEN “[i]n no particular order,” are as follows:

  • Corruption;
  • Cybercrime;
  • Domestic and international terrorist financing;
  • Fraud;
  • Transnational criminal organizations;
  • Drug trafficking organizations;
  • Human trafficking and human smuggling; and
  • Proliferation financing.

In its press release, FinCEN hailed the Priorities as “a significant milestone in FinCEN’s efforts to improve the efficiency and effectiveness of the nation’s AML/CFT regime and to foster greater public-private partnerships[.]” Indeed, the regulated industry has been pushing for years for greater feedback and guidance from regulators and law enforcement on the usefulness of BSA filings.  According to FinCEN, “coupled with the Department of the Treasury’s 2020 Illicit Finance Strategy and 2018 National Risk Assessment, the Priorities aim to help covered institutions assess their risks, tailor their AML programs, and prioritize their resources.”

However, the collective Priorities are so broad and so numerous that it is difficult to imagine a crime or suspicious activity that is not somehow captured by one or more of the eight Priorities, or at least arguably so (and financial institutions often will be in the position of having to guess and make inferences which generally lean towards cautiously assuming that a given set of circumstances falls into one of the Priorities).  Accordingly, they provide little guidance to financial institutions attempting to figure out how to focus their limited compliance resources.  Although the purpose of the Priorities was to enable financial institutions to allocate existing compliance resources more appropriately, the Priorities, as announced, implicitly suggest that financial institutions really need to invest more overall compliance resources, to cover everything.

A prime example of this problem is the inclusion of “fraud” as a Priority.  This Priority is not specific, like “securities fraud,” or “e-mail compromise scheme fraud” – it’s just “fraud,” with no qualification. As prosecutors employing the federal mail fraud and wire fraud statutes can tell you, just about any illicit activity can be characterized as a fraud.  Indeed, the Priorities state that:

. . . . fraud – such as bank, consumer, health care, securities and investment, and tax fraud – is believed to generate the largest share of illicit proceeds in the United States.  Health care fraud alone is estimated to generate proceeds of approximately $100 billion annually.  Increasingly, fraud schemes are internet-enabled, such as romance scams, synthetic identity fraud, and other forms of identity theft.  Proceeds from fraudulent activities may be laundered through a variety of methods, including transfers through accounts of offshore legal entities, accounts controlled by cyber actors, and money mules.

The fraud section goes on to discuss the dangers of cyber- and COVID-19-related fraud schemes, as well as foreign actors using the U.S. financial system to influence political campaigns and gain illicit access to U.S. technology and trade secrets.  None of this is wrong, of course.  It’s just that it is not really a “priority,” particularly when considered in the context of the other seven, unranked Priorities, because a priority by definition involves selection and sometimes painful choices.  But it seems like, to date, FinCEN just could not bring itself to exclude any illicit activity from the Priorities, perhaps because it was concerned that doing so would suggest that the excluded criminal behavior wasn’t bad or important, or perhaps because every government agency consulted by FinCEN when compiling the Priorities lobbied for the importance of their particular focus.

FinCEN will propose implementing regulations in the coming months (and is required to do so by the AML Act within 180 days of having issued the Priorities), so it is possible that the regulations will provide better and more specific guidance to financial institutions.  Given the already-existing breadth of the eight Priorities, that goal looks challenging.  One possible approach to providing guidance by making choices would be to rank the Priorities, rather than give them all equal status.

The Priorities do recognize that “not every Priority will be relevant to every covered institution, but each covered institution should, upon the effective date of future regulations to be promulgated [within 180 days] in connection with these Priorities, review and incorporate, as appropriate, each Priority based on the institution’s broader risk-based program.”  The practical result here appears to be that financial institutions are still mainly on their own when pursuing their already-ongoing AML/CFT programs, and the importance of financial institutions performing prescient risk assessments and fine-tuning AML transaction monitoring, based on the typical factors such as the relevant customers, geographies, business lines, etc., has become even greater.  The risk posed by the Priorities for financial institutions is that regulators who find a problem during an examination will decide that the problem – whatever it is – invariably is captured by a Priority and will punish the financial institution more. The purpose of the Priorities was to help financial institutions, and enhance the quality of their BSA monitoring and filings, not expose them to more regulatory risk.

When publishing the Priorities, FinCEN also issued related statements to both banks and non-bank financial institutions, noting that covered institutions are not required to make any immediate changes to their AML programs to respond to the Priorities, and that regulators will not examine any covered institution for the incorporation of the Priorities into AML programs until regulations have been promulgated.  “Nevertheless, in preparation for any new requirements when those final rules are published, covered institutions may wish to start considering how they will incorporate the AML/CFT Priorities into their risk-based AML programs.”  FinCEN will update these Priorities at least once every four years, again as required by the AML Act.

Other observations.  A few specific comments regarding the Priorities still are in order.  The Priorities list corruption – with an emphasis on foreign corruption – as the first Priority, in its list of seeming equals.  This placement appears to be a nod to President Biden’s June 3, 2021 National Security Study Memorandum entitled Memorandum on Establishing the Fight Against Corruption as a Core United States National Security Interest.  It reveals – as the title might suggest – that the administration views “countering corruption as a core United States national security interest.”  Certainly, financial transactions promoting corruption by foreign kleptocrats and human rights abusers are terrible – but not a significant real-world AML risk, relatively speaking, for the vast majority of “financial institutions” covered by the BSA that do not represent major international institutions.  Rather, the most pernicious real-world threat with almost universal application appears to be the second Priority – cybercrime, in all of its innumerable variations.  But after describing the ills posed by “traditional” cybercrimes, such as business email compromise schemes and the growing threat of ransomware attacks, the Priorities then pivot and discuss cryptocurrency and how it can be used to facilitate the funding of a broad variety of illicit conduct (including financial crime in general).  Regardless, the Priorities here serve as a reminder – hopefully unnecessary at this point – of the critical need for any institution’s AML compliance department and cyber- and privacy-security personnel to communicate and work together.  Finally, the Priorities also include domestic terrorism, which certainly is a serious problem.  However, because there is literally no list of identified domestic terrorists (contra lists published by OFAC regarding sanctioned foreign actors), and because associated financial transactions can be mundane, detecting such illicit financial activity generally will be difficult if not impossible for financial institutions.

On June 25, a group of collection agencies, law firms, and industry associations filed a lawsuit against the Nevada State Commissioner requesting the Court declare invalid Nevada Senate Bill 248, which regulates medical debt collection.  The new law took effect on July 1, 2021.  Nevada enacted the new law last month.

The complaint alleges that the bill is preempted by the Fair Debt Collection Practices Act, the Fair Credit Reporting Act, and Nevada Rev. Stat. § 649.332.  It further alleges that the new law is impermissibly and unconstitutionally vague and violates the First Amendment, Fourteenth Amendment, and the Supremacy Clause of the U.S. Constitution.  The complaint seeks preliminary and permanent injunctive relief to stop enforcement of the law.

The court has set the hearing for oral argument on the emergency motion for temporary restraining order and motion for preliminary injunction for July 27, 2021.  It thus appears that Nevada Senate Bill 248, having taken effect as scheduled on July 1, 2021, will remain in effect until at least July 27th.

Pursuant to the authority set forth in Section 205 of Senate Bill 1202, Connecticut’s Banking Commissioner signed an order that permits individuals engaged in certain licensable activity on behalf of certain consumer credit licensees to work from remote office locations not licensed as branch office locations.  The order, available here, extends the previous no-action position of the Commissioner and is effective July 1, 2021.

The order applies to individuals working on behalf of persons licensed in Connecticut as:

  • Consumer collection agencies;
  • Debt adjusters;
  • Debt negotiators;
  • Mortgage brokers, mortgage correspondent lenders or mortgage lenders;
  • Mortgage servicers;
  • Sales finance companies;
  • Small loan companies; and
  • Student loan servicers.

Any residential or non-commercial location in the United States where an individual engages in authorized activity on behalf of a licensee, other than a location licensed as a main office or branch office as defined in Section 36a-485, may be considered a remote office location.

Any licensee that conducts business from a remote office location must conform to specified standards, including:

  • Maintaining accurate records that identify the dates of authorized remote office activity, the location of each remote office, and the individuals authorized to conduct business at each such office;
  • Implementing policies and procedures to ensure reasonable supervision over its remote office activities;
  • Ensuring that no records of licensable activity are maintained at the remote office location;
  • Ensuring that any individual working from the remote office location is licensed under Title 36a to conduct such remote office activity, as applicable;
  • Not meeting with members of the public at such remote office location or holding such location out as an office to members of the public;
  • For any licensed individual conducting business from a remote office location, designating a licensed branch office or main office location as the location of business on the system;
  • Ensuring that consumer and licensee information and records remain accessible for regulatory oversight and examination; and
  • Establishing safeguards concerning personal information and data security at the remote office location, consistent with existing requirements and applicable state and federal law, including but not limited to, utilizing a VPN or comparable system, and ensuring appropriate updates, patches, or other alterations to maintain the security of all devices used at remote locations.

Remote office activities must comply with all applicable requirements under state and federal law and remain subject to the Commissioner’s investigation and examination authority.  The order states that, “[i]f at any time the Commissioner finds that any individual or licensee is violating the requirements of this order or other applicable laws or regulations, the Commissioner may restrict the ability of an individual or licensee to conduct activities from a remote office location pursuant to the provisions of Title 36a.”  Presumably, this authority is in addition to any existing authorities already available to the Commissioner in connection with a violation of an order of the Commissioner or a violation of applicable law or regulation already set forth in Title 36a.

Note:  We thank Jaeyoung Choi, a student at American University Law School and Ballard Spahr summer associate, who co-authored this blog post.

Phil Yannella, Ballard Spahr litigation partner and Practice Leader of Ballard’s Privacy & Data Security Group, recently authored a treatise on data breach and privacy litigation.  The book, Cyber Litigation: Data Breach, Data Privacy & Digital Rights, is published by Thomson Reuters and is available now for purchase.  The publication of Cyber Litigation comes at an important moment as the U.S. is in the midst of a huge surge in data breaches, particularly ransomware attacks.  In 2020, U.S. companies publicly reported 3,950 data breaches, according to the Verizon Data Breach Investigations Report, a number that likely understates the total number of breaches, as many breaches are not reported.  Despite renewed focus by the U.S. government on stopping hackers, and widespread efforts by U.S. companies to harden their security through encryption, multi-factor authentication, and shifting to cloud-based applications, the pace of data breaches has not slowed down in 2021.

As breaches have increased, so too has litigation.  At the current pace, over 1200 data breach or privacy lawsuits, most of them class actions, will be filed this year.  Much of the new litigation is driven by statutes, such as the California Consumer Privacy Act (CCPA), the Illinois Biometric Information Privacy Act (BIPA), and state wiretap laws that provide for statutory damages.

Ballard Privacy & Data Security Partners Kim Phan and Greg Szewczyk are contributing authors.

In addition to data privacy and data breach litigation, this book addresses other kinds of emerging cyber claims such as website accessibility claims, webscraping claims, disputes under the Payment Card Industry (PCI) data security standards, and cyber-coverage disputes.  The common link among these kinds of cyber-litigation is that they all involve the collection, access, sharing, protection, or use of online information.  The book is available for purchase here.

After announcing several years ago that it intended to pick up with fair lending enforcement in the indirect auto finance market where the CFPB left off, the New York Department of Financial Services has announced two consent orders with smaller, New York-chartered banks based on the allegation that allowing auto dealers to negotiate the retail prices of retail installment contracts resulted in a disparate impact on the basis of race and national origin.

For readers who followed the CFPB’s efforts in this area, the allegations in these consent orders will be very familiar.  The DFS asserted that the practice of allowing dealer “discretion” in setting retail interest rates resulted in statistically significant differences in pricing, disadvantaging Hispanic and African-American consumers, with differences ranging from 20 to 59 basis points.  The consent orders do not specify the analytical method used to arrive at these disparity figures.

But despite the familiar allegations, there are a couple of notable points about these two consent orders.  First, they represent the first effort by a state regulator to pursue the dealer finance charge issue against an assignee of retail installment contracts that we are aware of.  Even if the CFPB is reluctant to pick this theory up again after the Congressional disapproval of its bulletin on indirect auto finance, the NYDFS’ interest in this issue could significantly impact auto finance companies subject to the agency’s jurisdiction.

Moreover, the forward-looking relief in one of the consent orders goes well beyond that required in the CFPB’s consent orders on this subject.  One of the target banks had exited the indirect auto finance business in 2017, but for the other bank that was still operating, the consent order required the bank to adopt a flat-fee pricing model, with no exceptions.  This extreme step seems to us to be tantamount to forcing the bank out of the indirect auto business.  There were well-publicized examples of auto finance companies adopting flat fees during the period of the CFPB’s consent orders; according to industry data, those flat-fee models caused a dramatic reduction in those companies’ market shares and were later abandoned.

We will be watching for more developments from NYDFS on this issue.  But if the Department is intent on forcing auto finance companies into a flat-fee-only pricing model, it may compel companies with a larger indirect auto business to litigate one of these cases because of the overwhelming business implications of adopting such a model.

The final step in the demise of the OCC’s true lender rule occurred yesterday, when President Biden signed the resolution, passed by the House and Senate under the Congressional Review Act (CRA), that overturns the rule.

On August 9, 2021, from 12:00 p.m. to 1:00 p.m. ET, Ballard Spahr will hold a webinar, “Congress Overrides the OCC’s True Lender Rule: What Are the Risks for Banks and Their Loan Program Nonbank Partners?”  Click here to register.

Pursuant to the CRA, the enactment of a disapproval measure precludes the OCC from subsequently reissuing the rule or adopting a new rule that is substantially the same as the disapproved rule unless “the reissued or new rule is specifically authorized by a law enacted after the date of the joint resolution disapproving the original rule.”  The Congressional override of the rule also renders moot the lawsuit filed by a group of state attorneys general in January 2021 seeking to set aside the rule.

On June 29, Florida Governor DeSantis signed into law CS/SB 1120 which amends Florida law to impose new limits on the use of “automatic dialers.”  The law is effective today, July 1.

The new law prohibits the use of an “automated system” to make a “telephonic sales call” without the prior express written consent of the “called party.”  A “telephonic sales call” is defined as “a telephone call, text message, or voicemail transmission to a consumer for the purpose of soliciting a sale of any consumer goods or services, soliciting an extension of credit for consumer goods or services, or obtaining information that will or may be used for the direct solicitation of a sale of consumer goods or services or an extension of credit for such purposes.”  “Consumer goods or services” is defined as “real property or tangible or intangible personal property that is normally used for personal, family, or household purposes, including, but not limited to, any such property intended to be attached to or installed in any real property without regard to whether it is so attached or installed, as well as cemetery lots and timeshare estates, and any services related to such property.”  The “called party” is defined as “a person who is the regular user of the telephone number that receives a telephonic sales call.”

Surprisingly, “automated system” is not a defined term in the new law.  However, the law’s prohibitory language refers to telephonic sales calls that involve “an automated system for the selection or dialing of telephone numbers or the playing of a recorded message when a connection is completed to a number called.”  Thus, the systems that can qualify as an “automated system” for purposes of the new Florida law are not limited to equipment that would qualify as an automatic telephone dialing system (ATDS) under the federal Telephone Consumer Protection Act (TCPA).  The TCPA defines an ATDS as “equipment which has the capacity (A) to store or produce telephone numbers to be called, using a random or sequential number generator; and (B) to dial such numbers.”  In Facebook v. Duguid, the U.S. Supreme Court held that automatic dialing technology only qualifies as an ATDS if it has the capacity to store numbers “using a random or sequential number generator” or produce numbers “using a random or sequential number generator.”

In addition to covering a broader range of equipment than the TCPA, the new Florida law’s prohibition on using automated systems is not limited to calls to cellular phones.  Also, under the new law, to obtain a consumer’s “prior express written consent” to receive calls made using an automated system, a company must provide a specified disclosure and satisfy other requirements.

The new law does not expressly limit its coverage to calls made to consumers located in Florida and instead broadly prohibits “a person” from making calls using automated systems without the consumer’s consent.  However, the law contains a rebuttable presumption that any call to a number with a Florida area code is to a Florida residence or to a person in Florida at the time of the call.  This would suggest that the law is only intended to cover calls to Florida consumers.

The statute contains a number of exemptions, including an exemption for a “supervised financial institution or parent, subsidiary, or affiliate thereof operating within the scope of supervised activity.”

The statute also includes other limitations on telemarketing calls, including prohibitions on making commercial telephone solicitations before 8 a.m. or after 8 p.m. (in the called person’s time zone), making more than three commercial telephone solicitations from any number to a person over a 24-hour period on the same subject matter or issue, and using technology to conceal the caller’s true identity.

The new law includes a private right of action for violations and provides for the greater of actual damages or $500, which can be trebled for willful or knowing violations.