Financial Services Law

Regulators Keep Their Feet on the Gas in Actions Against Auto Lenders; NY AG Latest to Bring Suit

Why it matters

The automotive industry is continuing to face heavy scrutiny from regulators. On the heels of a Federal Trade Commission operation and new oversight from the Consumer Financial Protection Bureau, the New York Attorney General's Office announced a deal with three auto dealers in the state totaling almost $14 million. AG Eric Schneiderman alleged that the three companies sold consumers add-on products such as identity theft protection services and credit repair without disclosing the costs and fees, with some customers paying up to an additional $2,000. In some instances, the dealers misrepresented that the products were free or deceived consumers about the source of the charges, Schneiderman added. To settle the case, the auto dealers agreed to pay $13.5 million in restitution to consumers plus another $325,000 in penalties, fees, and costs to the state. Keeping the pressure on, the Attorney General said another 11 dealerships will soon be facing a similar lawsuit. Add-on products are an important source of dealer revenue, and regulatory scrutiny of these products, including by the CFPB in connection with auto financing, will present challenges for dealers.

Detailed discussion

Car dealerships were the subject of an investigation by New York Attorney General Eric Schneiderman in an effort to halt the alleged practice of "jamming," or unlawfully charging consumers for hidden purchases.

During the review, the AG's Office focused on the practices of three jointly owned dealerships that claim to be the largest combined Honda dealership in the country, made up of Paragon Motors of Woodside, Inc. (Paragon Honda), Worldwide Motors, Ltd. (Paragon Acura), and Civic Center Motors Ltd. (White Plains Honda).

Between 2010 and 2014, the Paragon dealerships used deceptive sales tactics, the AG alleged, by charging consumers for "after sale" items and credit repair services without their knowledge or by misrepresenting that the services were free. The dealerships—which estimated they sell or lease approximately 1,000 new and used vehicles each month—would sell credit repair or identity theft protection services purchased from third party Credit Forget, Inc. (CFI) to those customers.

Also part of the AG's investigation, CFI's operations were halted pursuant to a consent order obtained by Schneiderman's office. The Paragon dealerships sold the service contracts purchased from CFI to consumers at a higher price, the AG said, violating a prohibition found in both state and federal law against charging upfront fees for "credit repair" services that promise to help consumers improve or restore their credit. "Every time Paragon charged a consumer for these services they violated state and federal laws banning upfront fees for these services," the Attorney General said.

In a typical transaction, a customer would meet with a "Finance & Insurance Manager" at a Paragon dealership after working with a salesperson to select a car. The manager would attempt to sell the customer additional products ranging from extended warranties to credit repair services, Schneiderman alleged. The Attorney General's investigation revealed that Paragon charged some consumers without permission and concealed the charges; other customers were told the services were free and then charged for them.

The Paragon dealerships also added after-sale items (such as Lo-Jack or tire protection) without disclosing what the charges were for, bundling the cost of the items into the sale price and not separately itemizing them, according to the allegations. And consumers did not always receive the required disclosures about their rights to cancel the credit repair services contract or, despite negotiating purchase and lease terms in Spanish, were only provided with contracts and documents in English.

To settle the charges, the Paragon dealerships agreed to pay $6 million for a restitution fund to be distributed to customers with CFI contracts. Each of the estimated 15,000 customers will also receive a $500 "settlement card" that can be used at one of the Paragon dealerships for the purchase or lease of any new or used vehicle, certain services or maintenance (oil changes or tire rotations, for example), or accessories including windshield wipers and mats. Total restitution is expected to reach $13.5 million.

In addition to the monetary component, the deal also includes injunctive relief, prohibiting the Paragon dealerships from selling, offering to sell, or marketing credit repair and identity theft services in connection with the sale or lease of a vehicle; any after-sale products or services may not be sold without material terms—including price—disclosed verbally and in writing. The dealerships are banned from misrepresenting the price of a vehicle in final lease or sale contracts, must provide translated documents for customers who need them, and are prohibited from failing to provide customers with a sale or lease agreement that "clearly and conspicuously" itemizes each after-sale product or service and its price.

Attorney General Schneiderman didn't stop with the Paragon dealerships. A Generation Kia operation in Long Island settled with the AG's Office for $41,000 over similar charges related to CFI contracts sold to consumers, and Schneiderman announced that he served notice of his intent to sue 11 additional dealerships located throughout New York, with the investigation ongoing.

To read AG Schneiderman's announcement about the settlement, click here.

To read the consent order in New York v. Credit Forget It, click here.


Fraudulent Transfers Get an Update in California

Why it matters

With the enactment of the Uniform Voidable Transaction Act (UVTA) to supersede the Uniform Fraudulent Transfer Act (UFTA), California has put a fresh spin on the law of fraudulent transfers in the state. California's version of the statute departs somewhat from the proposed uniform version and will result in some significant changes. Gone is the archaic terminology that applied the pejorative label of "fraud" to certain perfectly innocent transactions; instead, the more neutral term "voidable" was adopted. The bill also tweaked the burden of proof in making and defending a claim for relief under the act as well as the choice of law governing a determination under the statute. Signed by Governor Jerry Brown earlier this month, the UVTA will take effect January 1, 2016.

Detailed discussion

The Uniform Fraudulent Transfer Act (UFTA) has governed most states, including California, in actions relating to fraudulent transfers for decades. But in an effort to modernize the statute, the Uniform Law Commission drafted the Uniform Voidable Transaction Act (UVTA).

Passed overwhelmingly by the state legislature, the new act was signed into law by Governor Jerry Brown in July and will take effect January 1, 2016.

Most notably, the UVTA dispenses with the "fraudulent" label in favor of the more neutral term "voidable." Beyond the moral significance, this amendment dovetails with another change: the lowering of the burden of proof in a lawsuit under the new act. Going forward, the previous standard of "clear and convincing" evidence used in some states has been replaced with a uniform "preponderance of the evidence" burden of proof. This change will be a mixed blessing for lenders: good news when trying to pursue fraudulent transfer actions but bad news when a lender is on the receiving end.

Practitioners must also adjust to a change in the choice of law. Previously, the UFTA did not specify which state's law would apply to a particular fraudulent transfer lawsuit. But the UVTA establishes that the law of the state where the debtor was located at the time of the transfer will govern the lawsuit. This tweak has major significance for California lenders with regard to other provisions of the UVTA that the legislature refused to adopt, potentially bringing them into lawsuits they never counted on.

California declined to adopt multiple provisions of the proposed uniform act, including those related to Series Organizations, a relatively new form of business organization that cannot yet be formed under California law. The legislature also elected not to include provisions that would allow a creditor to recover certain so-called insider preferences, or payments received by another creditor on a legitimate debt if the creditor is an "insider" of the debtor.

However, when combined with the choice of law provision, a California lender might find itself subject to the laws of the state where its out-of-state borrower is located—and then face a lawsuit in that state to recover an insider preference even though California does not authorize that kind of a claim.

The definitional provisions in the UVTA contribute to the situation of lenders being the target of an insider preference lawsuit. While the term "insider" may evoke images of close relatives and corporate officers and directors of a borrower, the definition of the term in the UVTA (and the UFTA) is far broader than that.

With regard to debtors who are corporations and partnerships, the definition of "insider" includes "a person in control" of a debtor. So if a lender, perhaps in a workout situation, is alleged to have exercised excessive control over a debtor's operations, another creditor could argue that the lender has become a "person in control" of that debtor subject to the foreign state's preference laws. Under the new choice of law provisions, a California lender could now be faced with a lawsuit in another state, seeking to recover loan payments that the lender received.

To read the Uniform Voidable Transactions Act, click here.


FFIEC Releases Cybersecurity Assessment Tool

Why it matters

As anticipated, the Federal Financial Institutions Examination Council (FFIEC) released its Cybersecurity Assessment Tool, providing a process for financial institutions' management to gauge their institution's readiness in the face of increasing cybersecurity threats.

While the FFIEC noted that use of the Assessment Tool is voluntary, the release materials include an Overview for Chief Executive Officers and Boards of Directors, signaling that regulators expect top-level management to ensure that their institutions systematically assess and manage cybersecurity risks. Further, several banking agencies plan to use the Assessment Tool in future regulatory exams.

Detailed discussion

Noting the "increasing volume and sophistication of cyber threats," the FFIEC, which consists of the Consumer Financial Protection Bureau, the Federal Deposit Insurance Corporation, the Board of Governors of the Federal Reserve System, the National Credit Union Administration, the Office of the Comptroller of the Currency, and the State Liaison Committee, released its highly anticipated Cybersecurity Assessment Tool on June 30, 2015.

Based on a pilot program in which the FFIEC evaluated 500 community financial institutions' preparedness to mitigate cyber risks, the Assessment Tool consists of a series of matrices that enable an institution to gauge its cybersecurity preparedness. To help navigate the Assessment Tool, the FFIEC provided a User's Guide, an Overview for Chief Executive Officers and Boards of Directors, a Glossary, and additional resources.

The Office of the Comptroller of the Currency and the Board of Governors of the Federal Reserve System have announced that they plan to use the Assessment Tool in examinations beginning as early as late 2015. The FDIC intends to discuss the use of the Assessment Tool with institution management during regulatory exams.

The Assessment Tool consists of two parts: an Inherent Risk Profile and analysis of the financial institution's Cybersecurity Maturity. "Upon completion of both parts, management can evaluate whether the institution's inherent risk and preparedness are aligned," the FFIEC explained.

In Part 1, the Inherent Risk Profile, a financial institution determines its overall risk profile based on five categories: technologies and connection devices; delivery channels; online/mobile products and technology services; organizational characteristics; and external threats. Using descriptions of activities, a financial institution will determine which of the five levels of risk it falls into, ranging from least to minimal to moderate to significant to most inherent risk. After assessing each of the services, products, and activities, "management can review the results and determine the institution's overall inherent risk profile."

In Part 2, the Cybersecurity Maturity analysis, a financial institution considers its readiness based on five domains: cyber risk management and oversight; threat intelligence and collaboration; cybersecurity controls; external dependency management; and cyber incident management and resilience. Management evaluates whether its institution's behaviors, practices and processes can support cybersecurity preparedness for each domain by determining which of the Assessment Tool's declarative statements best fit the institution's current practices. For example, in the fifth domain—cyber incident management and resilience—the assessment factors include incident resilience planning and strategy; detection, response, and mitigation; and escalation and reporting.

Once both parts of the Assessment Tool are complete, management can review the relationship between the Inherent Risk Profile and the Cybersecurity Maturity results for each domain to determine whether they align. No single expected level exists for an institution, the FFIEC notes, although in general, "as inherent risk rises, an institution's maturity levels should increase."

The Assessment Tool's results can then help management identify what actions may be necessary to either decrease risk or heighten maturity.

Because financial institutions' Inherent Risk Profile and Cybersecurity Maturity levels will change over time, management should reevaluate the institution using the Assessment Tool periodically, the FFIEC suggests, particularly when making new connections or launching new products. In addition, the FFIEC plans to update the Assessment Tool "as threats, vulnerabilities, and operational environments evolve."

To access the Cybersecurity Assessment Tool and the other additional resources released by the FFIEC, click here.

The Office of the Comptroller of the Currency will host a webinar discussing the Assessment Tool for midsize and community banks on July 30, 2015, from 2:00 p.m. to 3:30 p.m. (ET). Click here for more information.


Class Is in Session: The FTC Launches New Data Security Initiative

Why it matters

The Federal Trade Commission (FTC) kicked off a new educational initiative to provide guidance to businesses in the area of data security. Based on the lessons learned from more than 50 of the agency's data security cases, the FTC's "Start With Security" brochure offers 10 "key steps" to effective data security. To promote the initiative, the agency will host conferences across the country, beginning with a September 9 event in San Francisco and followed by a November 5 gathering in Austin, Texas. "Although we bring cases when businesses put data at risk, we'd much rather help companies avoid problems in the first place," said Director of the FTC's Bureau of Consumer Protection Jessica Rich. The guidance is illustrated by various FTC actions and provides "plain language explanations of the security principles at play."

Detailed discussion

To provide guidance to businesses in the area of data security, the Federal Trade Commission (FTC) has launched a new initiative.

"Start With Security" includes tips in the form of a 10-step publication as well as a series of conferences to be held by the agency across the country. First stop: San Francisco in September, followed by Austin in November. Each event will have a slightly different focus, with the inaugural conference focused on start-ups and developers to discuss issues like security by design, strategies for secure development, common security vulnerabilities, and vulnerability response.

The FTC drew on 53 of its data security cases to develop 10 key steps to effective data security. "The document is designed to provide an easy way for companies to understand the lessons learned from those previous cases," the agency explained. A new, one-stop website consolidating the Commission's data security information was established at www.ftc.gov/datasecurity.

The first step: start with security. "Factor it into the decisionmaking in every department of your business—personnel, sales, accounting, information technology, etc.," the agency advises. Don't collect personal information that isn't necessary, hold on to information only as long as a legitimate business need exists, and don't use personal information when it's not necessary.

Once data has been collected, be careful with it, the agency recommends in step two, and control access to data sensibly. Put controls in place, such as separate user accounts to limit access to the places where personal data is stored. Administrative access should be limited, a lesson learned from an action taken against Twitter after the Commission asserted that almost all of Twitter's employees had administrative control over Twitter's system, including the ability to reset user account passwords, view users' nonpublic tweets, and send tweets on users' behalf.

Companies should require secure passwords and authentication, the FTC urges in step three. Insist on complex and unique passwords, store passwords securely (consider two-factor authentication, for example), guard against brute force attacks (by suspending or disabling user credentials after a certain number of unsuccessful login attempts), and protect against authentication bypass.

Storing sensitive data can be a business necessity, the FTC acknowledges. But store it securely and protect it during transmission, the agency recommends in step four. Information should remain secure throughout its life cycle, and businesses should adopt industry-tested and accepted methods of security.

In step five, the agency suggests that businesses segment their networks and monitor who is trying to get in and out. Tools like firewalls can limit access between computers on the network as well as the Internet, and intrusion detection and prevention tools can keep an eye on a network for malicious activity. In a case against DSW, the FTC alleged that DSW failed to sufficiently limit computers from one in-store network from connecting to computers on other in-store and corporate networks, allowing hackers to use one in-store network to connect to and access other in-store and corporate networks. "Not every computer in your system needs to be able to communicate with every other one," the FTC advises.

With an increasingly mobile workforce, businesses should secure remote access to their networks. Don't activate a remote login account for a business client without first assessing the business's security, the FTC explains in step six, a lesson illustrated by the Premier Capital Lending case in which the FTC alleged that the company activated a remote login account for a client without assessing the business's security, allowing hackers to access consumers' personal information. Install antivirus programs and place sensible access limits on third-party access, the FTC suggests.

Step seven addresses the development of new products. Apply sound security practices from the very beginning through development, design, testing, and rollout, the FTC stressed, from engineers trained in secure coding to verifying that privacy and security features adopted actually work to testing for common vulnerabilities.

A subject of much concern: third parties. To ensure that service providers implement reasonable security measures, step eight instructs businesses to make security standards part of contracts with vendors—and then verify compliance, building oversight into the process. Upromise faced an enforcement action from the FTC when it allegedly failed to verify that a service provider implemented a collection program of consumers' browser information that was consistent with Upromise's privacy and security policies, the agency noted.

In step nine, the agency recommends that businesses adopt procedures to keep security current and address vulnerabilities that may arise. "Securing your software and networks isn't a one-and-done deal," the FTC explained. "It's an ongoing process that requires you to keep your guard up." Apply updates and patches as they are issued and keep an ear to the ground for credible security warnings, perhaps with a dedicated e-mail address to receive and address vulnerability reports in order to flag issues for security staff.

Finally, the guidance provided a reminder to secure paper, physical media and devices. Even in the digital age, physical safety remains an important consideration, the agency said, so don't leave sensitive files in boxes in the garage or lying around the office. Devices should also be protected (don't leave laptops, backup tapes, or external hard drives with sensitive information in cars, particularly if the devices are unencrypted) and when disposing of sensitive data, businesses should do so in a secure fashion—shredding or burning physical documents or wiping devices—instead of tossing them in a dumpster.

To read the "Start With Security" guidance, click here.
