Financial Services Law

Add-On Products Add up to $63M Settlement With FDIC

Why it matters

Credit card add-on products were the subject of a recent enforcement action brought by the Federal Deposit Insurance Corporation (FDIC) against Comenity Bank of Delaware and Comenity Capital Bank in Utah. The two wholly owned subsidiaries of Comenity LLC offered co-branded credit cards with various retailers featuring payment protection and debt cancellation add-on products that allowed consumers to receive benefit payments for life events such as involuntary unemployment. But the FDIC said the banks ran afoul of Section 5 of the Federal Trade Commission (FTC) Act by deceiving consumers with material misrepresentations about the refund process and the conditions for receiving a gift card or other incentives to enroll in the products. The banks also promised consumers they would not be charged a fee if an account had no balance—and then charged a fee in those circumstances, the FDIC said. The settlement requires the banks to pay a civil money penalty of $2 million and provide restitution of $53 million (Comenity Bank) and $450,000 and $8.5 million (Comenity Capital). In addition, the banks must ensure future compliance with Section 5 of the FTC Act. The action continues the trend of regulatory enforcement actions targeting credit card add-on products, following a $16 million FDIC deal with Merrick Bank over the marketing and servicing of its products last September and a record-setting $772 million agreement between Bank of America and the Consumer Financial Protection Bureau in April 2014.

Detailed discussion

Add-on products proved to be a costly addition to the product line for a pair of banks in a recent settlement with the Federal Deposit Insurance Corporation (FDIC).

Comenity Bank of Delaware and Comenity Capital Bank of Utah, both wholly owned subsidiaries of Ohio-based Comenity LLC, offered co-branded credit cards with various retailers across the country.

The cards featured "Account Assure" and "Account Assure Pro," payment protection and debt cancellation add-on products that allowed consumers to request certain benefit payments for life events such as disability or unemployment. But the marketing and servicing of these products violated Section 5 of the Federal Trade Commission (FTC) Act (FTC), the FDIC alleged.

Between January 2008 and September 2014, the banks represented to consumers that they would not be charged a fee for the products if their balance remained at $0, but the institutions charged them anyway, the regulator said. Material misrepresentations and omissions were made regarding the refund process if a customer cancelled the product within the first 30 days; similarly, customers were misled about the conditions for receiving a gift card or account statement credit offered as an incentive for enrolling in the products.

To settle the charges of unfair and deceptive acts, the banks reached a deal with the FDIC. The financial institutions agreed to correct the violations of law and ensure future compliance with Section 5 of the FTC Act with the establishment of "a comprehensive, written, sound, risk-based" Compliance Program that will institute detailed operating procedures and controls designed to prevent violations of consumer protection laws, complete with a training program, internal monitoring process, and an independent third-party audit.

As part of the settlement, each of the banks stipulated to the issuance of a Consent Order, Order for Restitution, and Order to Pay Civil Money Penalty. Under the FDIC orders, Comenity Bank will pay a civil money penalty (CMP) of $2 million and provide restitution of approximately $53 million to harmed consumers. Comenity Capital Bank will pay a CMP of $450,000 and provide restitution of approximately $8.5 million to harmed consumers.

To read the Consent Order in In the Matter of Comenity Bank, click here.

To read the Consent Order in In the Matter of Comenity Capital Bank, click here.

back to top

"Phantom" Debt Collectors Actually Sued by FTC, Banned From Business

Why it matters

The operators of a scam that processed more than $5.2 million in payments from consumers for payday loans that were not owed to the operators are now banned from the debt collection business, the Federal Trade Commission (FTC) announced. In 2012, the agency filed a complaint against California-based Broadway Global Master Inc., In-Arabia Solutions, and a related individual, alleging that the defendants employed callers that harassed consumers into paying fake debts. Some of the calls even impersonated law enforcement officials or claimed to be from the "Federal Crime Unit of the Department of Justice" to intimidate consumers, the FTC said. In less than two years, the defendants' operations made more than 2.7 million calls to at least 600,000 different phone numbers across the country and collected more than $5.2 million. The individual defendant pleaded guilty to mail and wire fraud in a separate criminal proceeding and was sentenced to one year in prison. To settle the FTC action, the defendants agreed to a ban from the debt collection business, a prohibition on misrepresentations about any products or services, and a judgment of over $4.3 million, suspended upon payment of $608,500.

Detailed discussion

The debts collected by Kirit Patel and two companies under his control, Broadway Global Master Inc. and In-Arabia Solutions Inc., allegedly were not real, but the regulatory action against them certainly was.

In 2012, the Federal Trade Commission (FTC) filed a federal court complaint against Patel and the two companies, charging them with violations of Section 5 of the FTC Act for tricking consumers into paying debts they did not owe. After somehow obtaining consumer information from payday loan applications, the agency said the defendants demanded several hundred dollars at a time.

The defendants used harassing tactics and obscene language, the agency said, repeatedly calling consumers and impersonating law enforcement agents or claiming to be from nonexistent government agencies such as the "Federal Crime Unit of the Department of Justice." One consumer told the agency that a caller threatened to have her children taken away if she did not pay while another reported that the defendants contacted her neighbors.

Over the course of just two years, the defendants processed more than $5.2 million in payments from consumers on purported payday loan debts they did not owe and in many cases did not have the money to pay, the FTC said, having made more than 2.7 million calls to over 600,000 phone numbers nationwide.

The California federal court judge halted the defendants' operations and froze their assets. In a separate criminal proceeding brought by the Department of Justice (DOJ), Patel pleaded guilty to mail and wire fraud charges and was sentenced to a one-year prison term.

To settle the FTC's action, the defendants agreed to a permanent ban from the debt collection business, whether directly or through an intermediary. They also promised not to make future misrepresentations about any product or service, profit from the personal information of customers, and properly dispose of customer information.

The settlement order imposed a judgment of over $4.3 million. Based on the defendants' inability to pay, the amount was suspended upon payment of $608,500, which the FTC said would be used for consumer redress.

To read the stipulated order in FTC v. Broadway Global Master, Inc., click here.

back to top

SEC Ramps up Cybersecurity Scrutiny With Examination Priorities and an Enforcement Action

Why it matters

Signaling that it will continue to increase its scrutiny of firms' cybersecurity readiness, the Office of Compliance, Inspections and Examinations of the Securities and Exchange Commission (SEC) issued a Risk Alert emphasizing that upcoming examinations of registered broker-deals and investment advisers will include review and testing of firms' data security controls. The Risk Alert lists key areas that examiners will review and includes a sample document request list.

Separately, just a few days later, the SEC confirmed its focus on cybersecurity by announcing a settlement with a St. Louis-based investment adviser who it charged with failing to establish appropriate cybersecurity policies and procedures.

The message to covered entities is loud and clear: Broker-dealers and investment advisers must have appropriate practices, policies, and procedures in place with respect to cybersecurity. Other firms subject to SEC scrutiny, such as public reporting companies, should also note the agency's increasing attention to data security issues preparedness.

Detailed discussion

Cybersecurity continues to be a major focus for the Securities and Exchange Commission (SEC). The SEC sponsored a roundtable emphasizing the importance of cybersecurity last year, which was followed by a Risk Alert announcing a series of examinations aimed at identifying cybersecurity risks and assessing preparedness in the securities industry.

The SEC shared key findings from those exams in a report published earlier this year. The SEC also announced that cybersecurity compliance and controls would be part of its 2015 Examination Priorities.

Building on this momentum, on September 15, 2015, the agency's Office of Compliance, Inspections and Examinations issued a new Risk Alert providing guidance for its next round of cybersecurity examinations. The examination initiative will focus on broker-dealers' and investment advisors' readiness to protect client data. The exam will focus on six key areas:

  • Governance and Risk Assessment. Are firms periodically evaluating cybersecurity risks and are their controls and risk assessment processes tailored to their business? In addition to asking these questions, examiners will review the level of communication to, and involvement of, senior management and boards of directors.
  • Access Rights and Controls. Failure to address even basic controls—such as neglecting to update access rights after a personnel or system change, for example—presents the risk of a data breach. Firms should be prepared to explain how they control access to various systems or data with the use of user credentials, authentication, and authorization methods, as well as the controls associated with other means of access, such as customer logins, passwords, network segmentation, and remote access.
  • Data Loss Prevention. SEC examiners will assess how firms monitor the volume of content transferred outside of the firm by its employees or through third parties, whether via e-mail attachments or uploads. The exam will review how firms monitor for the potential of unauthorized transfers and verify the authenticity of a customer request to transfer funds.
  • Vendor Management. "Some of the largest data breaches over the last few years may have resulted from the hacking of third-party vendor platforms," the SEC noted. As a result, examiners may consider the firm's practices and controls related to vendors (due diligence with regard to selection, monitoring and oversight, and contract terms) and how vendor relationships fit into the firm's ongoing risk assessment.
  • Training. To avoid a data breach resulting from unintentional employee actions (lost laptops or opening an attachment from an unknown source, for example), the training of employees and vendors "can be the firm's first line of defense," the SEC said. The agency will evaluate how training is tailored to specific job functions and if response to cyber incidents is integrated into regular training.
  • Incident Response. Finally, the second round of cybersecurity exams will assess "whether firms have established policies, assigned roles, assessed system vulnerabilities, and developed plans to address possible future events," including a determination of which firm data, assets, and services require the most protection to help minimize the harm caused by an attack, the SEC said.

The Risk Alert noted that examiners may review additional areas based on risks identified in the course of their examinations.

To help firms prepare, the Risk Alert includes an appendix with a sample information and documents request list, which includes such things as board minutes and briefing materials, policies related to data mapping and data classification, vendor contracts, written training guidance or materials, and any information about cybersecurity insurance coverage, including claims filed related to cyber events.

A week after issuing the Risk Alert, the SEC announced the settlement of an enforcement action against an investment adviser that arose out of a security breach. The SEC found that St. Louis-based R.T. Jones Capital Equities Management violated the SEC's "safeguards rule" by failing to adopt any written policies and procedures to ensure the security and confidentiality of clients' personally identifiable information. According to the SEC, the firm failed to conduct periodic risk assessments, use a firewall to protect its web server, encrypt client information or establish procedures for responding to a cybersecurity incident.

A breach of the firm's third-party-hosted web server in 2013 compromised the personally identifiable information of approximately 100,000 individuals, including clients and potential clients, the SEC charged. A forensic firm retained by R.T. Jones traced the breach to mainland China. While the intruder is believed to have gained full data on the firm's server, the intruder destroyed the log files for the period of the intrusion so the extent of the intruder's activities is unknown. R.T. Jones has received no indication that any client has suffered financial harm as a result of the cyber attack.

In an order, the SEC found that R.T. Jones violated Rule 30(a) of the agency's Regulation S-P. Although the firm neither admitted nor denied the SEC's findings, it agreed to pay a $75,000 penalty and to cease and desist from future violations as well as an SEC censure.

"As we see an increasing barrage of cyber attacks on financial firms, it is important to enforce the safeguards rule even in cases like this when there is no apparent financial harm to clients," Marshall S. Sprung, Co-Chief of the SEC Enforcement Division's Asset Management Unit, said in a statement. "Firms must adopt written policies to protect their clients' private information and they need to anticipate potential cybersecurity events and have clear procedures in place rather than waiting to react once a breach occurs."

To read the SEC's Risk Alert, click here.

To read the order in In the Matter of R.T. Jones Capital Equities Management, click here.

back to top

DOJ: Individual Accountability Key in Corporate Wrongdoing

Why it matters

Individuals are on the hot seat with the release of a memorandum from the Department of Justice (DOJ) emphasizing the importance of holding individuals liable for corporate wrongdoing. The "Individual Accountability for Corporate Wrongdoing" set forth six "key steps" for the government's new policy centered on accountability for the individuals alleged to have perpetrated corporate misconduct intended "to deter future activity, incentivize change in corporate behavior, hold the right parties responsible for their actions, and promote public confidence in the judicial system." The steps include a requirement that in order to qualify for any cooperation credit, corporations must provide to the DOJ all relevant facts relating to the individuals responsible for the misconduct and explain that criminal and civil corporate investigations should focus on individuals from the inception, and note that the government will not release culpable individuals from civil or criminal liability when resolving a matter with a corporation. It remains to be seen whether the DOJ's new policy regarding individual accountability for corporate misconduct will be effective. Deputy Attorney General Sally Quillian Yates, the author of the memo, recognized this potential. "We make these changes recognizing the challenges that they may present," she said in a speech at the New York University School of Law following the release of the memo. "Some corporations may decide, for example, that the benefits of consideration for cooperation with DOJ are not worth the costs of coughing up the high-level executives who perpetrated the misconduct. Less corporate cooperation could mean fewer settlements and potentially smaller overall recoveries by the government. In addition, individuals facing long prison terms or large civil penalties may be more inclined to roll the dice before a jury and consequently, we could see fewer guilty pleas. Only time will tell. But if that's what happens, so be it. Our mission here is not to recover the largest amount of money from the greatest number of corporations; our job is to seek accountability from those who break our laws and victimize our citizens. It's the only way to truly deter corporate wrongdoing."

Detailed discussion

Taking a sharp turn from prior policy, Deputy Attorney General Sally Quillian Yates issued an internal memo presenting the Department of Justice's (DOJ) policy on holding individuals accountable for corporate wrongdoing.

"Crime is crime," Yates said in a speech at New York University School of Law the day after the "Individual Accountability for Corporate Wrongdoing" was released. "And it is our obligation at the Justice Department to ensure that we are holding lawbreakers accountable regardless of whether they commit their crimes on the street corner or in the boardroom. In the white-collar context, that means pursuing not just corporate entities, but also the individuals through which these corporations act."

Described as a combination of new measures reflecting "policy shifts" with existing "best practices that are already employed by many federal prosecutors," the steps outlined in the memo will be applied to both criminal and civil investigations conducted by the DOJ.

1. In order to qualify for any mitigating cooperation credit with the DOJ in a corporate investigation, corporations must provide the Department with all relevant facts relating to the individuals responsible for the misconduct. "Companies cannot pick and choose what facts to disclose," Yates wrote in the memo. "That is, to be eligible for any credit for cooperation, the company must identify all individuals involved in or responsible for the misconduct at issue, regardless of their position, status or seniority, and provide to the Department all facts relating to that misconduct." The extent of cooperation credit will vary depending on factors such as the diligence, thoroughness, and speed of the internal investigation and the timeliness of the cooperation, among others. The memo also noted that there may be instances where the company's continued cooperation with respect to individuals will be necessary even after corporate liability has been resolved.

2. The DOJ will focus on individuals from the inception of any criminal or civil corporate investigation. According to the memo, this will accomplish multiple goals. "First, we maximize our ability to ferret out the full extent of corporate misconduct," Yates explained. "Because a corporation only acts through individuals, investigating the conduct of individuals is the most efficient and effective way to determine the facts and extent of any corporate misconduct. Second, by focusing our investigation on individuals, we can increase the likelihood that individuals with knowledge of the corporate misconduct will cooperate with the investigation and provide information against individuals higher up the corporate hierarchy. Third, by focusing on individuals from the very beginning of an investigation, we maximize the chances that the final resolution of an investigation uncovering the misconduct will include civil or criminal charges against not just the corporation but against culpable individuals as well."

3. Routine communication between criminal and civil attorneys handling corporate investigations should be standard. Recognizing the importance of parallel development of civil and criminal proceedings, the DOJ said that decisions about pursuing an investigation or not to file charges against an individual require conversation between civil and criminal counterparts. "Coordination in this regard should happen early, even if it is not certain that a civil or criminal disposition will be the end result for the individuals or the company," the memo said.

4. When resolving an investigation with a corporation, the DOJ will not release culpable individuals from civil or criminal liability or provide immunity for individual officers or employees except under "extraordinary circumstances" or in the case of "approved departmental policy" (such as the Antitrust Division's Corporate Leniency Policy). If a settlement is reached with a corporation prior to reaching resolution with the individual wrongdoers, the ability to pursue the individuals criminally or civilly must be preserved, with any release of criminal or civil liability required to be personally approved in writing by the relevant Assistant Attorney General or U.S. Attorney.

5. In a related point, the memo explained that DOJ attorneys will not resolve matters with a corporation absent a "clear plan" to resolve related individual criminal or civil matters prior to expiration of the applicable statute of limitations, with declinations as to such individuals memorialized and approved by the relevant U.S. Attorney or Assistant AG. Tolling agreements should be the rare exception in corporate investigations, Yates added, and all efforts should be made to resolve the matter against culpable individuals before the limitations period expires.

6. In deciding whether to pursue civil action against an individual in a corporate investigation, DOJ civil attorneys must focus on factors beyond just the individual's ability to pay. The "twin aims" of returning the maximum amount of purloined funds to the "public fisc" on the one hand and individual accountability and deterrence on the other may at times conflict, the agency acknowledged, but the fact that an individual may not have sufficient funds to satisfy a judgment should not control the decision of whether to pursue civil action against him or her. Any assessment must also take into account factors "such as the individual's misconduct and past history and the circumstances relating to the commission of the misconduct, the needs of the communities we serve, and federal resources and priorities," Yates wrote. "Although in the short term certain cases against individuals may not provide as robust a monetary return on the Department's investment, pursuing individual actions in civil corporate matters will result in significant long-term deterrence."

To read the DOJ's memo on "Individual Accountability for Corporate Wrongdoing," click here.

To read Deputy General Yates' remarks at the NYU School of Law, click here.

This article originally appeared in Corporate Investigations & White Collar Defense Newsletter on September 21, 2015. Please click here to read the full issue.

back to top