On March 7, 2019, the DOJ announced the largest coordinated sweep of elder fraud cases to date. Joined by the FBI and other federal and state partners, the DOJ held a press conference detailing the results of the coordinated effort. Coordinated law enforcement actions in the past year, they said, resulted in criminal cases against more than 260 defendants who victimized more than 2 million Americans, most of them elderly. In each case, the offenders allegedly engaged in financial schemes that targeted or largely affected seniors. Losses are estimated to have exceeded more than $750 million. The DOJ released an interactive list of the elder fraud cases.

The sweep was primarily focused on the threat posed by technical-support fraud, an increasingly common form of elder fraud in which criminals trick victims into giving remote access to their computers under the guise of providing technical support. The DOJ partnered with the FBI, U.S. Postal Inspection Service, the Department of Homeland Security, state Attorneys General and the U.K.’s City of London Police to investigate and prosecute perpetrators of technical-support fraud.

Since many of those prosecuted as a part of the elder fraud sweep cases – including technical-support fraud and mass mailing elder fraud cases – allegedly involved transnational criminal organizations, the DOJ and Postal Inspection Service worked with numerous countries to secure evidence and extradite defendants. The sweep also took comprehensive action against the money mule network that facilitates foreign-based elder fraud. The DOJ defines a money mule as “someone who transfers money acquired illegally in person, through the mails, or electronically, on behalf of others.” With assistance from the Secret Service and Homeland Security, the FBI and Postal Inspection Service took action against over 600 alleged money mules. Additionally, the sweep benefited from assistance from foreign law enforcement partners.

The sweep also had a public education campaign focused on technical-support fraud. The DOJ coordinated with the FTC and State Attorneys General in designing and disseminating messaging material intended to warn consumers and businesses. Public education outreach is being conducted by various state and federal agencies, to educate seniors and prevent further victimization.

The coordinated effort reflects the increasing focus of federal and state regulators on elder financial abuse. In February, the CFPB’s Office of Financial Protection for Older Americans issued a report providing guidance to financial institutions on combating elder abuse. As we have previously observed, elder financial abuse prevention can be viewed as falling within a financial institution’s general obligation to limit unauthorized use of customer accounts as well as its general privacy and data security responsibilities. Thus, a financial institution that fails to proactively implement an elder financial abuse prevention program risks regulatory investigation. Additionally, a depository institution subject to CFPB supervision should expect CFPB examiners to look at its program for preventing elder financial abuse. Further, many states have laws that address elder financial abuse, in some instances requiring mandatory reporting, without providing protection to the bank, while in others including providing immunity for banks who implement transaction holds when staff members observe financial exploitation.

Less than a week after warning subpoena and CID recipients to take their obligation to respond “seriously,” the FTC took aim at perceived inadequacies in compliance reports submitted pursuant to FTC consent orders and litigated judgments. In its March 11, 2019 blog post, the FTC’s Bureau of Competition alleges that “some Respondents are not taking seriously their responsibility to provide detailed and timely” compliance reports that demonstrate compliance with the obligations imposed in FTC Orders.

In an effort to curb this perceived trend of inadequate compliance reporting, the FTC is introducing the following new model language that will be included in future FTC orders:

“Each compliance report shall contain sufficient information and documentation to enable the Commission to determine independently whether Respondents are in compliance with the Order. Conclusory statements that Respondents have complied with their obligations under the Order are insufficient. Respondents shall include in their reports, among other information or documentation that may be necessary to demonstrate compliance, a full description of the measures Respondents have implemented or plan to implement to ensure that they have complied or will comply with each paragraph of the Order; a description of all substantive contacts or negotiations for the divestitures and the identities of all parties contacted, and such supporting materials shall be retained and produced later if needed.”

The FTC explains that it intends this new language to clarify, not change, the requirements for compliance reporting.

The FTC also reminds respondents that each compliance report must include a “meaningful level of data” and appropriate documentation to demonstrate substantive compliance with the FTC’s order. If a report lacks adequate detail or support, the FTC may require the respondent to submit a supplemental report. Misleading or incomplete reports are more serious and can constitute independent violations of the order that may result in further enforcement action or contempt penalties. The FTC warns respondents to “plan ahead” to ensure they can satisfy their compliance reporting requirements.

Although this announcement was made by the FTC’s Bureau of Competition, which is responsible for policing antitrust violations, compliance reporting is a common requirement in many FTC orders, including those arising from enforcement actions brought by the FTC’s Bureau of Consumer Protection. But even if the Bureau of Consumer Protection does not adopt similar language in its orders, the FTC’s post should serve as a warning to respondents to FTC orders to remain mindful of their compliance reporting obligations.

The FTC has issued its 2018 Consumer Sentinel Network Data Book. The report summarizes consumer complaints stored in the Consumer Sentinel Network, a secure online database.

For 2018, imposter scams top the list of reported complaint categories, accounting for 18% of the almost 3 million consumer reports summarized in the Data Book. Debt collection—which had crowned the list in 2017—falls to second, with 16% of all reports. Identity theft is third, with 15%.

The Data Book also provides several observations related to the general complaint categories, including the following:

  • There were more than 535,000 imposter scams reported, with almost 20% of the reported incidents resulting in a monetary loss. Nearly half of these reported scams involved government imposters that falsely claimed to be from the IRS, Social Security Administration, other government agency to get victims to turn over money and/or personal information.
  • Debt collection reports (including reports regarding, e.g., repeated calls, false representations of amount or status of a debt, failure to send written notice of a debt, false threats of suit, use of profanity, failure to identify as a debt collector, etc.) declined by 24% from 2017.
  • Credit card fraud was the most common type of identity theft report. The FTC received over 167,000 reports from people who claimed that their information was either misused on an existing account or used to open a new credit card account.The Data Book also separately analyzes reports made by military consumers, including active duty service members, military dependents, inactive reserve members, and veterans. Of 122,519 total reports by military consumers, imposter scams top the list at 29% of the reports, followed by identity theft at 23%. In contrast to the general population, however, debt collection reports account for only about 5% of the total reports by military consumers.
  • Additionally, the Data Book provides state-by-state breakdowns and comparisons. Florida, Georgia, Nevada, Delaware, and Tennessee had the highest fraud reports per capita. Georgia, Nevada, California, Florida, and Texas had the highest identity theft reports per capita.  Notably, the Data Book’s summary excludes reports related to the National Do Not Call Registry and reports about unsolicited commercial email.

While the FTC releases its annual Data Book to the public, only law enforcement organizations—including the CFPB and state attorney generals—can access the Consumer Sentinel Network database itself. This database houses reports from numerous sources, including consumer complaints made through sources including, among others: the FTC’s call center or websites, such as IdentityTheft.gov, a resource for identity theft victims, and Econsumer.gov, a site designed to promote cross-border information sharing regarding internet fraud; Better Business Bureaus for 100 different regions; PrivacyStar, a service that identifies who is calling and why; the CFPB; Publishers Clearing House; Microsoft Corporation Cyber Crime Center; and state law enforcement agencies.

The Data Book acknowledges that it is based on “the unverified reports filed by consumers.” Nevertheless, its summaries and the Consumer Sentinel Network are intended to assist law enforcement “to spot trends, identify questionable business practices and targets, and enforce the law.” Thus, as we have previously observed, minimizing the number of consumer complaints made to the FTC, CFPB, BBB, and other consumer watchdogs is an essential first step to avoid ending up on a regulator’s radar.

The FTC and CFPB have reauthorized their memorandum of understanding.  According to the FTC’s press release, “the agreement reflects the ongoing coordination between the two agencies under the terms of the Consumer Financial Protection Act, and is designed to coordinate efforts to protect consumers and avoid duplication of federal law enforcement and regulatory efforts.”

The first MOU, signed in 2012, had an initial term of three years, and was reauthorized in 2015 for an additional three-year term.  Although some definitional and organizational changes were made to the new MOU, it does not appear to have any material substantive differences from the 2015 MOU.  However, unlike the prior two MOUs which each had a three-year term, the new MOU provides that it “will remain in effect unless superseded by the signed, mutual agreement of the agencies.”

 

 

The FTC has proposed amendments to its 2003 Safeguards Rule and 2000 Privacy Rule, applicable to financial institutions under the Gramm Leach Bliley Act (GLBA).  The proposed changes are informed by the FTC’s enforcement experience and are intended to keep pace with technological developments.

The Safeguards Rule requires financial institutions to have a comprehensive information security program.  The proposed rule amendment will more clearly define the requirements for such information security programs.  Some of the proposed changes to the Safeguards Rule include:

  • Encryption of all consumer data,
  • Implementing access controls to prevent unauthorized users from accessing consumer information;
  • Implementing multifactor authentication to access consumer data, and
  • Requiring periodic reports submitted to the boards of directors to ensure compliance.

The proposed amendments to the Safeguards Rule will better align the rule with prevailing cyber security standards, such as the NY DFS cybersecurity regulations and the NIST framework.  The amendments are also designed to ensure that non-bank financial technology entities, fintechs, are subject to cybersecurity standards similar to those that banks are subject to under the FFIEC interagency guidelines.

Further, the Commission proposes to expand the definition of “financial institution” in both the Privacy Rule and the Safeguards Rule to include companies engaged in activities “incidental to financial activities.”  The expansion includes “finders” or those who charge a fee to connect consumers looking for a loan to a lender.

While the proposed changes to the Safeguards Rule and Privacy Rule will provide more clarity for certain GLBA covered entities regarding the contours of their information security programs, the proposed expansion of the definition of financial institution may not be greeted with open arms by the companies not currently covered by the Safeguards Rule and the Privacy Rule.

The FTC has sent its annual letter to the CFPB reporting on the FTC’s activities related to compliance with the Equal Credit Opportunity Act and Regulation B.

The FTC has authority to enforce the ECOA and Reg. B as to nonbank providers within its jurisdiction.  However, like several of the FTC’s prior letters on its ECOA activities, the letter on 2018 activities does not describe any 2018 FTC ECOA enforcement activity and only contains information about the FTC’s research and policy development efforts and educational initiatives.  (In December 2018, a group of Democratic Senators sent a letter to the FTC calling on it “to improve its enforcement actions and aggressively police predatory practices at car dealerships.”)

With respect to research and policy development, the letter discusses the following initiatives:

  • Hearings on algorithms, artificial intelligence, and predictive analytics.  In 2018, the FTC began a series of public hearings called “FTC Hearings on Competition and Consumer Protection in the 21st Century.”  One of the hearings looked at competition and consumer protection issues associated with the use of alogorithms, AI, and predictive analytics in business decisions and conduct.  The FTC notes that panelists discussed how issues of fairness, bias, and discrimination could impact the use of such technologies and whether current legal protections such as the ECOA were adequate to address those issues.
  • Auto buyer study.  In 2018, the FTC continued work on a qualitative study of consumers experiences in buying and selling automobiles at dealerships.  The FTC believes the results of the study will provide meaningful information about consumers’ experiences and help focus FTC initiatives, including consumer education about the purchase and financing process and business education to foster compliance with laws enforced by the FTC, such as the FTC Act and ECOA.
  • ECOA in the military.  In 2018, the FTC’s Military Task Force continued to work on military consumer protection issues. Other FTC initiatives to assist military consumers included a training program for servicemembers and their families that included a discussion of ECOA/Reg. B protections.
  • Interagency fair lending task force. The FTC continues to be a member of the Interagency Task Force on Fair Lending along with the CFPB, DOJ, HUD, and the federal banking agencies.

With regard to the FTC’s consumer and business educational initiatives, the FTC states that in 2018, it “engaged in efforts to provide education on important issues, including those related to credit transactions to which Regulation B applies or relates.”  By way of example, the FTC references a blog post about the need to provide financial education to servicemembers.

 

 

 

The Federal Trade Commission announced that a planned workshop in Washington, D.C. aimed at examining consumer protection issues related to the online event ticket marketplace has been rescheduled for June 11, 2019 due to the government shutdown.  (The workshop’s original date was March 27.)

The workshop will feature opening remarks by FTC Commissioner Rebecca Kelly Slaughter and will bring together a variety of stakeholders, including industry representatives, consumer advocates, trade associations, academics and government officials, to discuss certain practices in the online event ticket marketplace.  The FTC has indicated that the online event ticket industry has been a frequent topic of consumer and competitor complaints, with the issues arising in connection with online ticket sales frequently involving practices that prevent consumers from obtaining tickets, mislead consumers about price or availability, or mislead consumers about the entity from which they are purchasing.   (In April 2018, the U.S. Government Accountability Office issued a report titled “Event Ticket Sales: Market Characteristics and Consumer Protection Issues.”)

According to the FTC’s original announcement, the workshop will look at the current state of the online event ticket marketplace, shed light on industry-wide advertising and pricing issues, and explore ways to address deception beyond traditional law enforcement.  The topics that will be covered include:

  • Primary market ticketing: transparency and lack of ticket availability; ticket bots and the Better Online Ticket Sales Act (BOTS Act).
  • Resale ticket market: disclosures of pricing, fees, and speculative tickets; consumer confusion regarding search engine advertisements and websites of resellers versus official primary ticket sellers.

Ballard Spahr partner Scott Pearson will be participating in a panel addressing these and other ticketing issues at a Sports Lawyers Association event in Brooklyn, New York on February 25, 2019.  The panel will be followed by the Nets-Spurs game.  For information about the event, click here.

 

 

At the end of last week, the Federal Trade Commission (FTC) and the Department of Veterans Affairs (VA) announced that they have entered into a Memorandum of Agreement (MOA) “to provide mutual assistance in the oversight and enforcement of laws pertaining to the advertising, sales, and enrollment practices of institutions of higher learning and other establishments that offer training for military education benefits recipients.”

Pursuant to 38 U.S.C. section 3696, the Secretary of Veterans Affairs is prohibited from approving the enrollment of a veteran eligible for military education benefits “in any course offered by an institution which utilizes advertising, sales, or enrollment practices of any type which are erroneous, deceptive, or misleading either by actual statement, omission, or intimation.”  Section 3696 also requires the VA Secretary to enter into an agreement with the FTC “to utilize, where appropriate, its services and facilities, consistent with its available resources, in carrying out investigations and making the Secretary’s determinations [whether an institution has used erroneous, deceptive or misleading practices.]”  The agreement must provide for referrals to the FTC where the VA believes an institution is engaging in erroneous, deceptive or misleading advertising, sales, or enrollment practices and the FTC “in its discretion will conduct an investigation and make preliminary findings.”

The MOA is intended to implement the requirements of Section 3696.  It provides that the VA can request that the FTC investigate an institution approved for the enrollment of veterans eligible for military education benefits and that, when making a referral, the VA’s Director of Education Services must “provide a written explanation of the basis for his or her belief that the institution subject to the referral is utilizing or has utilized, advertising, sales, or enrollment practices of any type that are deceptive.  Upon receiving a referral, the FTC’s Director of the Bureau of Consumer Protection (Director) must evaluate the information provided by the VA and “in his or her discretion, determine whether acceptance of the referral is consistent with the Commission’s existing investigative, enforcement, and resource priorities.”  The MOA lists factors the Director can consider in determining whether to accept a referral, such as “whether the violations allegedly occurred on a regular and ongoing basis” and “the nature and amount of consumer injury at issue and the number of consumers affected.”

The MOA also provides that:

  • The FTC’s acceptance or rejection of a referral is not to be construed as a decision by the FTC on the merits of the referral and a rejection of a referral may not be the sole basis on which the VA determines whether an institution is engaging in erroneous, deceptive or misleading advertising, sales, or enrollment practices.
  • If the FTC accepts a referral, the Director must direct the FTC staff to conduct an investigation and prepare preliminary findings.  For purposes of the MOA, “preliminary findings” means “either a nonpublic analysis prepared by FTC staff or an administrative or federal district court complaint approved by the Commission and which contains the FTC’s allegations regarded the referred institution’s practices.”
  • The FTC’s preliminary findings are intended to be used by the VA in deciding whether or not to approve an eligible veteran’s enrollment in an institution because the institution is engaging in erroneous, deceptive or misleading advertising, sales, or enrollment practices.  However, the MOA provides that the FTC’s preliminary findings “are not a determination by the Commission as to whether the institution has been or is violating Section 5 of the FTC Act, an order finalized thereunder, or any other laws enforced by the FTC.”
  • The MOA does not require the FTC, or limit the FTC’s authority, to investigate whether educational institutions or others have violated [Section 5 of the FTC Act] by committing unfair or deceptive sales, advertising, or enrollment practices, or any other laws enforced by the FTC” and the FTC can use materials obtained pursuant to the MOA when carrying out investigations under the FTC Act and other laws.

Tomorrow, December 18, from 12 p.m. to 1 p.m. ET, Ballard attorneys will hold a webinar focusing on the FTC: “New Enforcement Actions by the Old Sheriff in Town: Recent Developments at the Federal Trade Commission.”  For more information and to register, click here.

 

The FTC recently issued a paper outlining key takeaways from its December 2017 workshop examining injuries consumers may suffer from privacy and data security incidents.  

The paper indicates that the FTC convened the workshop to better understand consumer injury for the following two purposes:

  • To allow the FTC to effectively weigh the benefits of governmental intervention against its costs when making policy determinations 
  • To identify acts or practices that “cause or are likely to cause substantial injury” for purposes of bringing an enforcement action under the FTC Act for an “unfair” act or practice 

The paper discusses the examples of informational injuries given by participants.  These examples involve injuries that may result from medical identity theft, doxing (i.e. the deliberate and targeted release of private information about an individual with the intent to harass or injure), exposure of personal information, and erosion of trust (i.e. consumers’ loss of trust in the ability of businesses to protect their data).  The paper also reports that “there was some discussion of whether the definition of injury should include risk of injury [from certain practices]” and shares opposing arguments made by participants.  

The issue of whether informational injuries that may result from alleged statutory violations are sufficient to provide a consumer in a private action with Article III standing under the U.S. Supreme Court’s Spokeo standard continues to be litigated.  In Spokeo, the Supreme Court indicated that, to satisfy the “injury-in-fact” requirement for Article III standing, a plaintiff must show that he or she suffered “an invasion of a legally protected interest” that is both “concrete” and “particularized.”  To be particularized, an injury must affect the plaintiff “in a personal and individual way.”  To be concrete, an injury must “actually exist;” it must be “real.”  However, the Supreme Court also acknowledged that intangible injuries can satisfy the concrete injury standard and that in some cases an injury-in-fact can exist by virtue of a statutory violation.  (The Spokeo standard does not apply to government enforcement actions.)

 

 

On July 26, 2018, the FTC testified before two subcommittees of the U.S. House Committee on Oversight and Government Reform regarding the FTC’s continued focus on payment processors. Andrew Smith, the Director of the FTC’s Bureau of Consumer Protection testified before the House Subcommittees on National Security and Government Operations about the FTC’s anti-fraud program and the 25 actions taken by the FTC against payment processors since 1996. 15 of the 25 cases were filed in the last 10 years.

While lawsuits against payment processors represent a small number of the total cases filed by the FTC, the FTC testified that it views the payment processor’s role as “an integral part” of the agency’s anti-fraud program because their services may facilitate fraudulent schemes. Specifically, the FTC explained that on multiple occasions, the payment processor was identified as an enforcement target because it provided services for multiple entities that were parties to other FTC, SEC or state actions.

The FTC relies on two key legal theories in bringing claims against payment processors. The first theory is that the payment processor allegedly engages in unfair conduct under Section 15(n) of the FTC Act, 15 U.S.C. § 45(n), by allegedly facilitating fraud. The second theory is that the payment processor allegedly violates the FTC’s Telemarketing Sales Rule in two ways. First, the FTC may allege that the payment processor was “assisting and facilitating” a violation of the Rule by providing services to another entity that the processor knows or consciously avoids knowing is violating the Rule. Second, the FTC may allege that the payment processor has engaged in “credit card laundering” by submitting a credit card transaction to the credit card network when the transaction is not between the cardholder and the actual merchant, such as when a shell company is used to hide the identity of the true merchant.

The FTC is not alone in attempting to pursue payment processors for allegedly facilitating consumer fraud. In 2015, the CFPB filed suit against alleged “phantom debt” collectors and various companies alleged to have provided services to the debt collectors, including payment processors. The CFPB claimed that the payment processors facilitated the alleged scheme by enabling the debt collectors to accept credit and debit card payments by engaging in deficient underwriting and failing to appropriately monitor the debt collectors’ accounts, such as by ignoring signs of fraud, such as high chargeback volumes. Last year, the court dismissed the CFPB’s claims against the payment processors as a discovery sanction for failure to produce a knowledgeable witness for deposition, although the case remains pending against the other parties.

The FTC’s testimony indicates that payment processors will continue to remain a potential target in the FTC’s ongoing anti-fraud program. In particular, any payment processor that provides services to a merchant (or multiple merchants) alleged by the FTC, SEC, or other federal or state regulator to have engaged in consumer fraud could itself come under scrutiny by the FTC.