Welcome to Wiley’s update on recent developments and what’s next in consumer protection at the Consumer Financial Protection Bureau (CFPB) and Federal Trade Commission (FTC). In this newsletter, we analyze recent regulatory announcements, recap key enforcement actions, and preview upcoming deadlines and events. We also include links to our articles, blogs, and webinars with more analysis in these areas. We understand that keeping on top of the rapidly evolving regulatory landscape is more important than ever for businesses seeking to offer new and ground-breaking technologies. Please reach out if there are other topics you’d like to see us cover or for any additional information.
Check out Wiley’s Biden Administration Resource Center for insights on the shifting legal and policy landscape under the 46th President.
Supreme Court to Review Federal District Court Jurisdiction Over Challenges to FTC Administrative Enforcement Actions. On January 24, the U.S. Supreme Court granted certiorari in Axon Enterprise, Inc. v. FTC. The Petition for Writ of Certiorari, filed by Axon Enterprise, Inc. (Axon), asks the Court to consider whether federal district courts have jurisdiction to hear a challenge to the constitutionality of an FTC administrative enforcement action. In this case, Axon had sought to challenge the constitutionality of an FTC administrative proceeding in district court without needing to wait to appeal from an administrative decision.
FTC Notes That Revised Health Breach Notification Rule Covers Certain Apps, Sensors, and Trackers. On January 21, the FTC announced that it released two new compliance guides on the Health Breach Notification Rule, which can be found here and here. Among other things, the guides clarify that certain apps, sensors, and trackers that collect personal health information may be subject to the agency’s revised Health Breach Notification Rule if they are not subject to the Health Insurance Portability and Accountability Act (HIPAA). The Revised Health Breach Notification Rule “requires [covered] vendors of personal health records and related entities to notify consumers following a breach involving unsecured information. In addition, if a service provider to one of these entities has a breach, it must notify the entity, which in turn must notify consumers.”
CFPB Announces That It Will Begin Investigating Colleges’ Lending Practices. On January 20, the CFPB announced that it will begin examining the lending practices of post-secondary schools, including for-profit colleges, that provide direct private loans to students. The CFPB stated that it is concerned about the borrower experience with regards to institutional loans due to past alleged issues. In addition, the CFPB noted that it will be examining general lending terms, and also reviewing whether schools: place enrollment restrictions on students that are late on loan payments; withhold transcripts due to late payments; accelerate payments after a student withdraws from a program; refuse to issue refunds for early program withdrawals; and maintain lending relationships that may pose higher risks to student borrowers.
CFPB Blog Post States That Agency Will “Closely Monitor” Whether Algorithmic Decisioning Tools Consider Religion as a Lending Eligibility Factor. On January 14, the CFPB published a blog post stating that it is “concerned that some financial companies are unlawfully considering religion when making decisions on financial products.” The post notes that the Equal Credit Opportunity Act (ECOA) prohibits discrimination based on religious beliefs and that ECOA covers both family and household lending products as well as small business loans. The agency also stated an intention to “more closely monitor the use of algorithmic decision tools,” claiming that they are “often ‘black boxes’ with little transparency.”
CFPB Releases Report on Diversity and Inclusion in Financial Services Industry. On January 19, the CFPB Office of Minority and Women Inclusion (OMWI) released a report examining publicly available diversity and inclusion information published by financial institutions to assess commitments to diversity and inclusion. The financial industry analysis contained in the report was conducted to support the statutorily-mandated diversity and inclusion self-assessment process established under the Financial Institutions Reform, Recovery, and Enforcement Act. The report surveyed the following financial industries: depository lending; student loans; mortgages; credit and consumer reporting; debt collection; payday loans, title loans, and personal loans; money transfer services and virtual currencies; vehicle loans; and credit cards. In announcing the report, the agency indicated that the data will “allow the CFPB to set reasonable standards for the kinds of diversity and inclusion programming that can be expected of large, mid-size, and small institutions.”
CFPB Letter Suggests Agency Could Revisit 2020 Guidance on Earned Wage Access Products. On January 18, the CFPB sent a letter to consumer groups, stating that the agency may need to “provide greater clarity” on how the Truth in Lending Act (TILA) applies to earned wage access products. Earned wage access products are services that allow consumers to access money that they have earned before their scheduled payday. TILA requires covered lenders to make certain disclosures to consumers regarding borrowing costs. In a November 30, 2020 Advisory Opinion, the CFPB found that earned wage access products – specifically those where no fee, voluntary or otherwise, is charged or collected – are exempt from the TILA. In the January 18 letter, the CFPB clarified that the Advisory Opinion did not apply to earned wage access products where a fee, even if nominal, is collected and that the advisory opinion does not address whether such products would be “credit” under other statutes.
FTC Open Commission Meeting Focuses on Identity Theft. On January 20, the FTC held an Open Commission Meeting featuring a presentation by FTC staff on identity theft fraud. The presentation was given by the staff Identity Theft Program Manager, who noted that the FTC received 1.3 million identity theft reports from consumers in 2021, with credit card fraud being the most common form reported. The presentation noted how the FTC partners with government agencies (including the Department of Labor and the U.S. Small Business Administration), the private sector, and nonprofits to combat identity theft.
CFPB Issues Compliance Bulletin on Medical Debt Collection. On January 13, the CFPB announced the release of a bulletin and policy guidance (Bulletin) “to remind debt collectors of their obligation to comply with the Fair Debt Collection Practices Act’s (FDCPA) prohibition on false, deceptive, or misleading representations or means in connection with the collection of any debt and unfair or unconscionable means to collect or attempt to collect any debt.” The Bulletin also reminded consumer reporting agencies and information furnishers of their accuracy and dispute resolution obligations under the Fair Credit Reporting Act, and to report any medical debts owed in accordance with the No Surprises Act.
Significant Enforcement Actions
FTC Sends Cease-and-Desist Letters to Additional Marketers of COVID-19 Products and Therapies. On January 19, the FTC announced that it sent more than 20 cease-and-desist letters to companies for allegedly marketing unproven products or therapies to treat or prevent COVID-19. The letters urged the companies to immediately stop making the claims and to notify the Commission within 48 hours about the specific actions they have taken to address the agency’s concerns or face potential action, including civil penalties. The letters warned of potential violations of the COVID-19 Consumer Protection Act, which prohibits deceptive acts or practices in connection with the novel coronavirus. In a subsequent blog post, the FTC noted that unlike past COVID-19 cease-and-desist letters, these letters were also sent to the social media platforms that the advertisers allegedly use to convey their claims.
CFPB Bans Payment Processor from Multiple Consumer Financial Industries for Violating Industry Order. On January 18, the CFPB announced that it reached a settlement with BrightSpeed Solutions, Inc. (BrightSpeed) after the company allegedly processed payments for companies that offered fraudulent products and services. As we explained in our March 2021 Newsletter, many of BrightSpeed’s clients and companies allegedly provided antivirus software and technical support services to consumers, particularly older adults, in violation of the Consumer Financial Protection Act of 2010 (CFPA), and the Telemarking and Consumer Fraud and Abuse Prevention Act (Telemarketing Act) and its implementing rule, the Telemarketing Sales Rule (TSR). The CFPB’s proposed stipulated final judgment and order would prohibit BrightSpeed from participating or assisting others in payment processing, consumer lending, deposit taking, debt collection, telemarketing, and financial advisory services. The order would also impose a $500,000 civil money penalty.
FTC Requires to Small Business Credit Report Provider to Overhaul Credit Reporting Process and Issue Refunds. On January 13, the FTC announced that it reached a settlement with Dun & Bradstreet (D&B) to resolve a complaint that the company allegedly failed to provide businesses with a clear, consistent, and reliable process to fix incomplete or inaccurate information appearing on their credit reports, while deceptively claiming that affected businesses could resolve credit report errors if they purchased the company’s CreditBuilder Line products. Additionally, the FTC alleged that D&B violated the FTC Act by deceptively pitching CreditBuilder Line products to new businesses, and to businesses unfamiliar with D&B, through misleading claims that the affected business needed to purchase a CreditBuilder Line product in order to “complete” its credit file. The FTC’s proposed order requires D&B to make changes to the firm’s operations. Moreover, D&B would be required to provide refunds to certain businesses that purchased the company’s products.
CFPB Sues Debt Holding Company and Its Owners for Allegedly Illegal Debt Collection Practices. On January 10, the CFPB announced that it filed suit in the U.S. District Court for the Western District of New York against Craig Manseth, Jacob Adamo, Darren Turco, United Debt Holding LLC (UDH), JTM Capital Management, LLC (JTM), and United Holding Group, LLC (UHG) for allegedly violating the Consumer Financial Protection Act of 2010 (CFPA) and the FDCPA. All three companies are debt collectors that buy debt portfolios from creditors, or other debt sellers, and then place the portfolios with or sell them to other collection companies. The CFPB alleges that UHG, UDH, and JTM and their owners conducted “business as usual” with debt collectors despite receiving evidence that these debt collectors made false threats including that consumers faced lawsuits, arrest, or criminal charges imminently if debts were not settled. The complaint also alleges that the debt collectors made misrepresentations by telling consumers that their credit reports would improve or worsen depending on whether they paid their debts, though they did not actually furnish information to credit reporting agencies regarding the debts.
Recent Congressional Hearings
Cleaning Up Cryptocurrency: The Energy Impacts of Blockchains. On January 20, the U.S. House Energy and Commerce Committee held a hearing titled “Cleaning Up Cryptocurrency: The Energy Impacts of Blockchains.” The witness list, opening statements, and a recording of the hearing are available here.
Upcoming Comment Deadlines and Events
FTC Seeks Comment on Proposal to Further Amend Safeguards Rule to Include Incident Reporting Requirement for Covered Financial Institutions. Comments are due February 7 on a supplemental notice of proposed rulemaking to require reporting of certain security incidents to the FTC by covered companies within 30 days of discovery. Specifically, the proposed additional amendment to the Safeguards Rule would require financial institutions to report defined “security events” to the FTC if a determination has been made that consumer information has been misused, or is reasonably likely to be misused, in an event affecting at least 1,000 consumers.
FTC Seeks Comment on Petitions for Rulemaking. Comments are due January 26 on petitions for rulemaking filed by Accountable Tech and the Institute for Policy Integrity. The Accountable Tech petition asks the agency to promulgate rules to prevent what it calls “surveillance advertising,” or the practice of displaying ads to individual consumers based on inferences about their interests, demographics, or other characteristics based on their activities over time. The Institute for Policy Integrity, meanwhile, asks the FTC to regulate “drip pricing,” which it defines as “the practice of advertising only part of a product’s price upfront and revealing additional charges later as consumers go through the buying process.”
FTC Seeks Comment on Business and Government Impersonation Fraud. Comments are due February 22 on an Advance Notice of Proposed Rulemaking (ANPRM) proposing a rule targeting business and government impersonation fraud, which we describe in greater detail here. The ANPRM specifically targets business and government impersonation fraud committed via telephone calls, text messages, and other forms of communication.
FTC Hosts Identity Theft Awareness Week. The FTC’s Identity Theft Awareness Week will take place from January 31 to February 4. The FTC will also host an event on January 25 that will feature FTC and Department of Veterans Affairs staff. At the event, agency staff will discuss identity theft and privacy issues impacting veterans and their families.
More Analysis from Wiley
Privacy in Focus: ‘An Avalanche of Rulemakings’ – The FTC Gears Up for an Active 2022
Privacy in Focus: Steps to Take in 2022 To Prepare for New State Privacy Laws
Privacy in Focus: 2022 Cyber Watch List: A look at 2021 and What’s to Come in the Year Ahead
Podcast: Why the FTC Matters for Fintech
Privacy in Focus: White House Seeks to Develop AI Bill of Rights and Calls for Feedback on Use of Biometric Data
FTC Commences Rulemaking Targeting Business and Government Impersonation Fraud
Podcast: Artificial Intelligence Can Do Really Dumb Things With Personal Information
American Bar Association Webinar: Crypto at a Crossroads: Crypto and Privacy
FTC Releases Detailed Information Security Requirements and Proposes Breach Notification for Financial Institutions
Duane Pozza Discusses FTC’s Updated Safeguards Rule
Privacy in Focus: Data Transfers from the EU – Further Guidance Issued
Duane Pozza Discusses Emerging Regulatory Approach to Crypto and DeFi
Privacy in Focus: Latest Changes at FTC Will Drive Federal Action on Privacy, Data Security, and AI
Privacy in Focus: FTC Policy Statement Signals Increasing Scrutiny on the Protection of Sensitive Personal Health Information
Privacy in Focus: AI Risk Management Framework Is Among Emerging Federal Initiatives on AI
Legal 500 US Recognizes Wiley’s Telecom, Media & Technology Practice as Tier 1. Read more here.
Download Disclaimer: Information is current as of January 24, 2022. This document is for informational purposes only and does not intend to be a comprehensive review of all proceedings and deadlines. Deadlines and dates are subject to change.