Financial Services Law

Operation Chokepoint Yields Deals With Two California Banks

Why it matters

A pair of settlements between the Department of Justice (DOJ) and two California banks recently demonstrated that Operation Chokepoint is alive and well. CommerceWest Bank agreed to pay $4.9 million to the DOJ over charges of Bank Secrecy Act and Financial Institutions Reform, Recovery, and Enforcement Act violations in connection with a third party processor and just a few days later, the agency announced Plaza Bank will pay $1.225 million for similar allegations. Both banks facilitated consumer fraud by allowing payment processors to make millions of dollars of unauthorized withdrawals from consumer accounts, the DOJ said. In addition to the million-dollar fines, both banks are subject to a “strict regime” of underwriting and monitoring oversight. “[W]e will hold financial institutions accountable when they choose unlawfully to look the other way while fraudsters use the bank’s accounts to steal millions of dollars from American consumers,” Acting Assistant Attorney General Benjamin C. Mizer of the DOJ’s Civil Division said in a statement. The agency’s initiative—an effort to limit certain lenders and merchants from access to consumers by cutting off their relationships with entities like check cashers and nonbank financial service providers—has been controversial, facing criticism from both industry and lawmakers, who have expressed concern that the operation may be having a negative impact on lawful companies as well. Despite the introduction of legislation to halt the program and a dearth of successes since the DOJ announced an action against a North Carolina bank resulting in a $1.2 million settlement for facilitating fraudulent transactions, the two successful resolutions signal that the agency is continuing its efforts and Operation Chokepoint remains a concern for financial institutions.

Detailed discussion

Irvine-based CommerceWest Bank was the first to reach a deal with the Department of Justice (DOJ).

According to the federal complaint, the bank ignored clear warning signs and knowingly facilitated consumer fraud by allowing V Internet to make millions of dollars of unauthorized withdrawals from consumer bank accounts on behalf of fraudulent merchants for approximately two and one-half years.

Telemarketers operating a scam and a company that charged consumers an unauthorized “loan referral fee” for payday loans were among the merchants. V Internet actually took the reins in the payday loan referral scheme, the DOJ said, operating as the payment processor and sole merchant for a six-month period in 2013.

Indicators like an abnormally high rate of rejected transactions (roughly 50 percent)—some including sworn affidavits in which victims stated the withdrawals were unauthorized—did not result in any action by CommerceWest. Instead, the bank “ignored clear warning signs that V Internet and its merchants were defrauding consumers,” the DOJ alleged. Other banks also complained and tried to warn CommerceWest.

Despite all of these red flags, the bank did not file any Suspicious Activity Reports (SARs) or terminate V Internet, but blocked transactions against accounts at the complaining banks. When a CommerceWest official determined in May 2013 that the third party processor’s transactions were fraudulent and unauthorized, the bank still did not decide to terminate V Internet until early July and even then, allowed the company a 30-day period to wind down its processing activity.

“Only when the department notified CommerceWest that it intended to seek an emergency injunction did CommerceWest immediately terminate V Internet’s ability to access victims’ checking accounts,” the DOJ said.

The agency’s complaint, filed concurrently with a consent decree, accused the company of willful violations of the Bank Secrecy Act for failing to file the required SARs. A criminal charge was deferred pursuant to the consent decree, under which CommerceWest admitted its wrongdoing, gave up any claims to the almost $3 million seized from V Internet’s bank accounts at CommerceWest, and agreed to provide cooperation in other investigations.

In addition, the DOJ alleged that the bank violated the anti-fraud provisions of the Financial Institutions Reform, Recovery and Enforcement Act (FIRREA). The civil settlement includes a $1 million civil money penalty paid to the U.S. Treasury, a $1 million forfeiture to the U.S. Postal Inspection Service (USPIS) Consumer Fraud Fund, and “a strict regime” of underwriting and monitoring “designed to prevent future consumer fraud by third-party payment processors.” In addition, CommerceWest agreed to a five-year period of additional reporting, monitoring and recordkeeping for the Department of Justice.

Two days later, the DOJ announced a similar deal with another California institution, Plaza Bank.

From July 2007 to mid-2010, the bank knowingly permitted a third-party processor to facilitate illegal withdrawals from consumer accounts in spite of warning signs like rejected transaction rates above 50 percent, hundreds of consumer complaints and sworn affidavits, and inquiries from other banks and law enforcement.

Plaza’s chief compliance official raised concerns about the red flags but was “brushed aside” by the chief operating officer, who also happened to be a part owner of the payment processor, the DOJ said. New management that arrived in June 2009 after the bank’s sale failed to change the status quo until “more than a thousand consumer complaints about unauthorized withdrawals reached Plaza, hundreds of thousands of transactions were returned, and tens of millions of additional dollars had been withdrawn from consumer accounts.”

To settle the charges, Plaza Bank agreed to a permanent injunction reforming its practices and payment of $1.225 million (divided between a $1 million penalty paid to the U.S. Treasury and a forfeit of $225,000 to the USPIS Consumer Fraud Fund). Like CommerceWest, Plaza is also subject to a “strict regime” of extended underwriting and monitoring, as well as the implementation of policies regarding disclosure of conflicts of interest by senior executives and board members.

In both cases, the penalties imposed likely will impede any strategic plans and operations that the banks may have in the immediate future.

To read the complaint, consent decree, and deferred prosecution agreement in U.S. v. CommerceWest Bank, click here.

To read the complaint and consent decree in U.S. v. Plaza Bank, click here.


Lawmakers Consider Regulation of Data Brokers

Why it matters

Could the data broker industry become subject to regulation for the first time? If a new bill passes Congress, the answer could be yes. Originally introduced by former Sen. Jay Rockefeller (D-W.Va.), the Data Broker Accountability and Transparency Act returned to Congress backed by Sens. Edward Markey (D-Mass.), Richard Blumenthal (D-Conn.), Sheldon Whitehouse (D-R.I.), and Al Franken (D-Minn.), with the Senators framing the issue under the current hot topic of privacy. “Data brokers seem to believe that there is no such thing as privacy,” Sen. Markey said in a statement, calling for a need to “shed light on this ‘shadow’ industry,” a sentiment echoed by co-sponsor Sen. Franken. “I believe Americans have a fundamental right to privacy, including the right to determine whether information about their personal lives should be available for sale to the highest bidder,” Sen. Franken said in a statement. The measure faces an uncertain future in Congress, however, given pushback from the industry, division along party lines, and being overshadowed by other privacy-related issues like data breach notification and cyber threat information sharing.

Detailed discussion

The Data Broker Accountability and Transparency Act has returned to Congress. The bill would establish federal oversight for the collection, retention, and use of consumer information in the data broker industry.

Regulation of data brokers was a pet issue for former Sen. Jay Rockefeller (D-W.Va.), who launched a Senate investigation of the industry. Based on his findings that data brokers “operate behind a veil of secrecy” and “collect a huge volume of detailed information on hundreds of millions of consumers,” he introduced a version of the legislation last year before he retired. The proposal never made it to the floor for a vote.

Reintroduced by Sens. Edward Markey (D-Mass.), Richard Blumenthal (D-Conn.), Sheldon Whitehouse (D-R.I.), and Al Franken (D-Minn.), the DATA Act defines a “data broker” broadly to encompass “a commercial entity that collects, assembles, or maintains personal information concerning an individual who is not a customer or an employee of that entity in order to sell the information or provide third party access to the information.”

The law would allow consumers to stop the use and sale of their information by data brokers and create a mechanism to correct information. The Federal Trade Commission (FTC)—which conducted its own study of the industry last year calling for greater transparency and an increase in consumer control—would be tasked with crafting regulations to establish a centralized website for consumers with a list of covered data brokers and information about their rights. Enforcement authority would also be granted to the FTC, with civil penalties of up to $16,000 per violation for noncompliance.

Consumer groups like the Center for Digital Democracy and Consumer Watchdog praised the proposal, while FTC Commissioner Julie Brill expressed her “strong support.” Data brokers are “collecting a lot of deeply sensitive and personal information from consumers and using it to profile them,” Brill told the Pittsburgh Post-Gazette, explaining that regulation of the industry would enhance consumer trust.

The Direct Marketing Association spoke out against the measure, calling it unnecessary in part because of self-regulation by the industry, which makes efforts to improve transparency to consumers. “That kind of transparency is happening every day, in terms of self-regulation in the marketplace,” Rachel Thomas, vice president of government affairs for the group, said to PCWorld. “There’s not a business in America that’s not dependent on the responsible flows of data about consumers.”

To read the Data Broker Accountability and Transparency Act, click here.


CFPB Releases Arbitration Study; Is Regulation Far Behind?

Why it matters

The Consumer Financial Protection Bureau (CFPB) released its long-awaited study of arbitration clauses in consumer finance agreements, reporting that based on its research, such provisions have the effect of restricting consumer relief for disputes with financial service providers. “Tens of millions of consumers are covered by arbitration clauses, but few know about them or understand their impact,” Bureau Director Richard Cordray said. “Our study found that these arbitration clauses restrict consumer relief in disputes with financial companies by limiting class actions that provide millions of dollars in redress each year.” The biggest question remains: what happens next? The Bureau noted in a press release about the study that the Dodd-Frank Wall Street Reform and Consumer Protection Act provides the CFPB with the power to issue regulations on the use of arbitration clauses in consumer finance markets (outside of mortgage contracts, which the statute specifically prohibits), “if the Bureau finds that doing so is in the public interest and for the protection of consumers, and if findings in such a rule are consistent with the results of the Bureau’s study.” Cordray revealed no specific plans, stating, “Now that our study has been completed, we will consider what next steps are appropriate,” but proposed rules that if adopted would severely restrict or possibly even prohibit arbitration clauses in connection with consumer financial products and services seem inevitable, and could potentially affect the use of arbitration clauses in other consumer contexts.

Detailed discussion

In 2012, the Consumer Financial Protection Bureau (CFPB) initiated a study of arbitration clauses in consumer contracts as mandated by the Dodd-Frank Wall Street Reform and Consumer Protection Act. The Bureau collected court data and agreements from six different markets: credit cards, checking accounts, prepaid cards, payday loans, private student loans, and mobile wireless contracts to study the terms, conditions, and impact of the arbitration provisions on consumers.

Specifically, the report includes analysis of almost 850 consumer finance agreements and a review of more than 1,800 consumer finance arbitration disputes and over 3,400 individual federal court lawsuits over a three-year period, as well as 42,000 credit card cases filed in selected small claims courts in 2012.

In addition, researchers considered about 420 federal court settlements of consumer financial class action lawsuits over five years and greater than 1,100 state and federal public enforcement actions. To top it off, to evaluate the “knowledge and understanding” of consumers regarding arbitration and other dispute resolution mechanisms, the CFPB conducted a national survey of 1,000 credit card-holding consumers.

The Bureau’s conclusion: The arbitration clauses serve to inhibit consumers’ attempts to seek relief, at least in comparison to class action litigation. “[V]ery few consumers individually seek relief through arbitration or the federal courts, while millions of consumers are eligible for relief each year through class action settlements,” according to the study. Other findings include:

  • Scope. In the consumer finance markets studied, “tens of millions” of consumers are covered by arbitration clauses. In the credit card industry, issuers that use arbitration clauses make up 53 percent of the market share; examining checking accounts, the Bureau found that although just 8 percent of banks and credit unions feature such provisions, that accounts for 44 percent of insured deposits. In the other markets, 92 percent of prepaid card agreements are subject to arbitration clauses, 86 percent of private student loan agreements include an arbitration provision, 99 percent of payday loan agreements in California and Texas include them, and 88 percent of mobile wireless contracts feature arbitration.
  • Arbitration results. A review of case data over a two-year period across six markets revealed that 1,847 arbitration disputes were filed, with consumers initiating about 600 of the cases. According to the CFPB, arbitrators awarded consumers a combined total of less than $175,000 in damages and under $190,000 in debt forbearance while consumers were ordered to pay $2.8 million to companies they did business with.
  • Individual court actions. Turning to litigation, the study revealed that consumers filed 3,462 individual lawsuits between 2010 and 2012 about consumer finance disputes. After analyzing all the cases filed in four markets and “a random sample” of credit card cases, the study found consumers received just under $1 million. On average, 1,200 individual federal lawsuits were filed per year.
  • Class actions. Based on its research, the Bureau reported that about 32 million consumers are eligible for relief from a consumer finance class action settlement. Over the five-year period studied, at least 160 million class members were eligible, with settlements totaling $2.7 billion in cash, in-kind relief, and attorney’s fees and expenses. The study added that “these figures do not include the potential value to consumers of class action settlements requiring companies to change their behavior.”
  • Arbitration = barrier. While the CFPB found it “rare” that a financial institution tried to force an individual lawsuit into arbitration, the more common efforts to block class action litigation means that arbitration clauses can “act as a barrier” to entry. When facing a consumer class action, credit card issuers that made use of an arbitration clause invoked the provision to block the suit 65 percent of the time, according to the Bureau’s research.
  • Price impact. The study analyzed an industry claim that arbitration clauses lower prices for consumers because the company can avoid class actions. After looking at changes in the total cost of credit paid by consumers of some credit card companies that eliminated arbitration clauses—and other companies that continued to use their arbitration provisions—the CFPB said it “found no statistically significant evidence that the companies that eliminated their arbitration clauses increased their prices or reduced access to credit” in relation to companies that maintained their use of such clauses.
  • Consumer awareness. According to the Bureau, more than 75 percent of consumers were unaware whether they were subject to an arbitration clause pursuant to an agreement with their financial service providers, and less than 7 percent understood that the clause limited their ability to sue in court.

Reaction to the report was decidedly mixed.

Consumer groups praised the study, which Public Justice Executive Director Paul Bland said “shows that corporate America has been lying to the public about forced arbitration.” “This study changes everything,” he added. “The CFPB can and should use its authority to turn things around.” David Seligman, a staff attorney at the National Consumer Law Center, agreed. “In my view, and in the view of consumer advocates, this study is incredibly thorough,” he said. “The CFPB has much of the information it needs to act, and to act quickly.”

Industry presented a different perspective on the study and arbitration clauses generally, which are “an important tool for the customers of financial institutions that helps keep costs down and keeps financial products, including credit cards and checking accounts, affordable,” Richard Foster, senior vice president of legal and regulatory affairs for the Financial Services Roundtable, said.

Richard Hunt, president and CEO of the Consumer Bankers Association, agreed in a statement. “For nearly 90 years, arbitration has allowed consumers quick and easy access to an affordable option for dispute resolution,” he said. “As a last resort, if legal recourse is necessary, arbitration has proven to be the best path forward because it is mutually beneficial to all parties—both consumers and lenders.”

To read a fact sheet on the report, click here.

To read the full report, click here.


Privacy Bills Abound in Congress

Why it matters

From the President to Senators to Representatives, everyone in Washington, D.C. appears to be focused on privacy-related issues. Continuing his focus on cybersecurity, President Barack Obama signed an executive order intended to promote information sharing in the private sector about cyber threats just a few days after Sen. Tom Carper (D-Del.) introduced the Cyber Threat Sharing Act of 2015. Industry response to the order was cautiously optimistic. President and CEO of the American Bankers Association Frank Keating said the order “will help the business community and government agencies share critical threat information more effectively,” adding that lawmakers must craft a measure that “gives businesses legal certainty that they have a safe harbor against frivolous lawsuits when voluntarily sharing and receiving threat indicators and countermeasures in real time and taking actions to mitigate cyber attacks.” The President also presented a discussion draft of his Consumer Privacy Bill of Rights to lukewarm reaction; Sen. Robert Menendez (D-N.J.) responded with his version, the Commercial Privacy Rights Act, which encompassed data security regulations, a data breach notification provision, and additional protections for children’s privacy. A House bill, the Data Security and Breach Notification Act, soon joined the party. Clearly, privacy and data security remain a hot topic for both the President and Congress. With so many proposals floating around the Capitol, the chances of passing a particular piece of legislation remain unclear.

Detailed discussion

Over the last few weeks, President Barack Obama has made cybersecurity issues a key focus. While attending the White House’s Summit on Cybersecurity and Consumer Protection held at Stanford University, he signed an executive order encouraging information sharing and increased cooperation between private entities and the government. “There’s only one way to defend America from these cyber threats, and that is through government and industry working together, sharing appropriate information as true partners,” President Obama said.

Under the auspices of the order, the Secretary of the Department of Homeland Security (DHS) “shall strongly encourage” the development and formation of Information Sharing and Analysis Organizations, or ISAOs, organized by sector, region, or in response to emerging threats or vulnerabilities.

The “Promoting Private Sector Cybersecurity Information Sharing” order is intended “to encourage the voluntary formation of such organizations, to establish mechanisms to continually improve the capabilities and functions of these organizations, and to better allow these organizations to partner with the Federal Government on a voluntary basis.”

ISAOs may include members from both the public and private sectors and exist as for-profit or nonprofit entities. Overseeing the ISAOs: The National Cybersecurity and Communications Integration Center (NCCIC) of DHS, which “shall engage in continuous, collaborative, and inclusive coordination” with the groups with regard to information sharing.

DHS would also be tasked with selecting a private entity to establish “a common set of voluntary standards or guidelines for the creation and functioning” of ISAOs under the order, in consultation with other federal agencies and through an open and competitive process. The standards themselves “shall further the goal of creating robust information sharing related to cybersecurity risks and incidents,” according to the order, “to create deeper and broader networks of information sharing nationally, and to foster the development and adoption of automated mechanisms for the sharing of information.”

Those entities that self-certify the ISAO’s best practices are provided with liability protection for sharing cyber threat information with the ISAO.

Lawmakers have also climbed aboard the cybersecurity bandwagon, with Sen. Tom Carper (D-Del.) introducing S. 456, the Cyber Threat Sharing Act of 2015. Similar to the President’s information sharing proposal, the bill would direct the DHS to select a private entity to identify best practices for ISAOs.

Importantly for businesses, the proposed law would provide liability protections to entities that voluntarily share lawfully obtained indicators with either the NCCIC or an ISAO that has self-certified it has adopted the best practices identified by the DHS-selected private entity. Information shared could not be used as evidence in a regulatory action against the company and privacy protections included in the measure would require businesses to attempt to minimize identifying information using anonymization and the destruction of data.

On a separate front in the battle over privacy, the President also released his long-promised Consumer Privacy Bill of Rights, intended to provide baseline privacy protections for consumers in the commercial context.

Pursuant to the measure, covered entities would be required to provide consumers with concise and easy to understand notice about privacy and security practices as well as “reasonable means to control the processing of personal data about them in proportion to the privacy risk to the individual and consistent with context.”

The proposal would require companies that process personal data “in a manner that is not reasonable in light of context” to conduct a privacy risk analysis and take reasonable steps to mitigate any identified privacy risks—at a minimum, providing in-context notice about the “unreasonable” personal data practices as well as “a mechanism for control that is reasonably designed to permit individuals to exercise choice to reduce such privacy risk.”

In addition, companies would be required to delete or de-identify personal data within a reasonable time after the purposes for which the personal data were first collected are fulfilled and establish information security controls in line with accepted practices.

Enforcement powers are granted to the Federal Trade Commission (FTC) (with the potential for up to $25 million in civil penalties under certain circumstances) but the agency was not granted rule-making authority. Instead, industries would develop their own codes of conduct enforced by the agency and covered entities that comply with the code would be provided with a safe harbor.

The proposal managed to unite those on both sides of the privacy debate in general unhappiness, with claims that it both went too far and didn’t do enough. Even the FTC expressed reservations, with a spokesperson for the agency calling it “a good starting point for further discussion.”

Within a week, Sen. Robert Menendez (D-N.J.) responded with the Commercial Privacy Rights Act of 2015.

The bill—which features general privacy protections as well as specific provisions for children and a section on data breach notification—applies to entities under the FTC’s supervision, 501(c) non-profits, and common carriers under the Communications Act that “collect, use, transfer, or store” covered information of more than 5,000 individuals during a consecutive 12-month period.

“Covered information” is more narrowly defined in the Act than the White House proposal as “personally identifiable information” and “unique identifier information,” as well as an individual’s name, e-mail address, physical address, telephone number, Social Security number, and biometric data. Other data—like precise geographic location—is covered when paired with one of the types of personal information.

The bill makes “unauthorized use” of such information potentially actionable, defining the term as use of covered information for any purpose not authorized by the individual.

Rulemaking authority would be granted to the FTC to establish recognized security practices (proportional to the size and type of the entity) consistent with industry norms and existing FTC guidance. Covered entities would be responsible for implementing such practices and the bill mandates privacy by design throughout the data life cycle.

Transparency is key under the bill, with the FTC also tasked with establishing rules for the collection, use, transfer, and storage of covered information. If a covered entity made material changes to any relevant information policies, it would be required to provide prior notice. The measure incorporates the principle of data minimization, limiting retention of information to the necessary time period. Consumers would be granted the right to access their covered information and a procedure for correcting any errors.

Importantly, the Act not only features a safe harbor for self-regulatory programs but also exempts entities to the extent they are subject to provisions of enumerated federal laws like the Gramm-Leach-Bliley Act, the Fair Debt Collection Practices Act, and the Fair Credit Reporting Act, among others.

Enforcement would be led by the FTC pursuant to Section 5 of the Federal Trade Commission Act, with supplementary enforcement by state attorneys general. No private right of action was provided in the bill. Civil damages would be available for up to $33,000 per day or per individual with a maximum of a $6 million penalty.

The bill would also strengthen children’s privacy protections under the Children’s Online Privacy Protection Act and features a data breach notification provision that sets forth the circumstances under which a covered entity must provide notice to consumers, the FTC, third parties, service providers, and credit reporting agencies of a data security failure. Exemptions exist if the company concludes “there is no reasonable risk of identity theft, fraud, or other unlawful conduct.”

In the House, Reps. Peter Welch (D-Vt.) and Marsha Blackburn (R-Tenn.) introduced the Data Security and Breach Notification Act, the latest proposal in the long line of privacy legislation.

The bill requires entities that “acquire, maintain, store, sell or otherwise use personal information in electronic form” to maintain “reasonable security measures and practices” as appropriate for the size and complexity of the business. A breach would trigger “a reasonable and prompt investigation” to determine the risk that identity theft, economic loss, economic harm, or financial harm could result to consumers.

If the investigation finds in the affirmative, the company has 30 days to notify consumers.

The Act would preempt all state and federal data security laws currently in place, with enforcement power granted to state attorneys general (with the ability to recover up to $2.5 million per violation) as well as the FTC. No private cause of action was created and companies already subject to federal data security and notification regimes would be exempt.

To read President Obama’s remarks at Stanford University, click here.

To read the President’s executive order, click here.

To read the Cyber Threat Sharing Act of 2015, click here.

To read the proposed Consumer Privacy Bill of Rights of 2015, click here.

To read the Commercial Privacy Rights Act of 2015, click here.

To read the Data Security and Breach Notification Act, click here.


ATTORNEY ADVERTISING

pursuant to New York DR 2-101(f)

© 2022 Manatt, Phelps & Phillips, LLP.

All rights reserved