troutman.com 2017 Consumer Financial Services Year in Review & a Look Ahead Consumer Financial Services Practice January 2018 Troutman Sanders LLP 2 Table of Contents Executive Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 About Us . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 Consumer Class Actions . . . . . . . . . . . . . . . . . . . . . . . . . . 4 Credit Reporting and Consumer Reporting . . . . . . . . . . . . . . . 8 Background Screening . . . . . . . . . . . . . . . . . . . . . . . . . . 12 Bankruptcy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16 Debt Collection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18 Payment Processing and Cards . . . . . . . . . . . . . . . . . . . . . 23 Mortgage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25 Auto Finance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28 Regulatory Landscape . . . . . . . . . . . . . . . . . . . . . . . . . . 31 Telephone Consumer Protection Act . . . . . . . . . . . . . . . . . . 37 Cybersecurity and Privacy . . . . . . . . . . . . . . . . . . . . . . . . 40 Consumer Financial Services Law Monitor . . . . . . . . . . . . . . 45 Consumer Financial Services Webinar Series . . . . . . . . . . . . . 45 2017 was a transformative year for the consumer financial services world. As we navigate an unprecedented volume of industry regulation and forthcoming changes from the Trump Administration, Troutman Sanders is uniquely positioned to help its clients find successful resolutions and stay ahead of the compliance curve. In this report, we share developments on consumer class actions, background screening, bankruptcy, credit reporting and consumer reporting, debt collection, payment processing and cards, mortgage, auto finance, the consumer finance regulatory landscape, cybersecurity and privacy, and the Telephone Consumer Protection Act (“TCPA”). By remaining up-to-date on the latest industry trends and regulatory developments, Troutman Sanders is a trusted resource, relied on by our clients to help tackle issues today while preparing for what lies ahead. Executive Summary 2017 Consumer Financial Services Year in Review and a Look Ahead 3 About Us Troutman Sanders’ Consumer Financial Services practice consists of more than 70 attorneys across the nation. They have extensive experience in the areas of litigation, regulatory enforcement and compliance. Our trial attorneys have litigated thousands of individual and class action lawsuits involving cutting-edge issues across the country, and our regulatory and compliance attorneys have handled numerous 50-state investigations and nationwide compliance analyses. Our attorneys work together in a multi-disciplinary manner to bring a higher level of specialized knowledge, practical guidance, and valuable advice to our clients. This results-driven collaboration offers seamless legal services to effectively and efficiently resolve clients’ problems by addressing the many perspectives that may arise for a single legal issue before it turns into a larger problem, or that may lead to compliance solutions and regulatory strategies arising out of contentious litigation. We are recognized in litigation relating to consumer claims and our lawyers have significant experience representing clients in consumer class actions in matters involving the Fair Credit Reporting Act (“FCRA”), Fair Debt Collection Practices Act (“FDCPA”), and state law debt collection claims, Telephone Consumer Protection Act (“TCPA”), Truth in Lending Act (“TILA”), Real Estate Settlement Procedures Act (“RESPA”), West Virginia Consumer Credit Protection Act (“WVCCPA”), Unfair and Deceptive Acts and Practices (“UDAP”) statutes, and Unfair, Deceptive and Abusive Acts and Practices (“UDAAP”), mortgage foreclosures, mortgage lending and servicing, Electronic Funds Transfer Act (“EFTA”), Electronic Signatures in Global and National Commerce Act (“E-SIGN”), Equal Credit Opportunity Act (“ECOA”) and state law equivalent statutes, Fair and Accurate Credit Transactions Act (“FACTA”), Federal and State Odometer Acts, FTC Holder Rule, Home Affordable Modification Program (“HAMP”), Home Owner’s Equity Protection Act (“HOEPA”), Home Warranties, Magnuson-Moss Warranty Act, Mortgage Foreclosures, Mortgage Lending and Servicing, Privacy, Racketeer Influenced Corrupt Organizations Act (“RICO”), and the Servicemembers Civil Relief Act (“SCRA”). Our regulatory enforcement team is prepared to respond to CFPB oversight inquiries, civil investigative demands (CIDs), audit, supervision, examination and enforcement actions, including the request for production of privileged and highly confidential information that the CFPB routinely demands to gauge compliance and procedures. Our enforcement team has spent years handling similar claims and CID, audit, supervision, examination and enforcement proceedings. We are also well equipped to handle FTC investigations concerning a variety of matters, including consumer privacy and data security breaches. At Troutman Sanders, we can move seamlessly from negotiation to litigation, if and when requested, with a team of highly skilled litigators with extensive experience in regulatory enforcement litigation matters. Our team regularly advises and prepares our clients proactively for compliance matters to avoid costly government audits, investigations, fines, litigation, or damage to brand and reputation. Our compliance lawyers have handled a variety of matters for our clients including facilitating compliance audits, both onsite and off-site, performing due diligence reviews, drafting training and compliance manuals and policies, and conducting multi-state analyses of state and federal laws. Lawyers in each of our Consumer Financial Services team’s core areas – litigation, regulatory enforcement, and compliance – work together to recommend creative approaches that efficiently address our clients’ needs. By limiting the resources spent on fighting legal battles, our clients can concentrate on growing and expanding their businesses. troutman.com 4 Spokeo’s Continued Impact In 2016, the Supreme Court issued its decision in Spokeo, Inc. v. Robins, wherein the court considered whether Congress may confer Article III standing by authorizing a private right of action based on the violation of a federal statute alone (the Fair Credit Reporting Act (FCRA)), despite a plaintiff having suffered no “real world” harm. Numerous class actions brought under various consumer protection statutes were dismissed in 2017 based on the Supreme Court’s decision in Spokeo. For instance, in May, the Fourth Circuit unanimously dismissed a nearly $12 million FCRA class action judgment against a national consumer reporting agency, finding that the plaintiff, Michael T. Dreher, lacked Article III standing to bring his claims. In June, J. Crew beat a Fair and Accurate Credit Transactions Act (“FACTA”) class action after the United States District Court for the District of New Jersey held that the plaintiff did not plead a concrete injury stemming from J. Crew’s printing of either four or six digits on a customer receipt, rather than just the last five as permitted by FACTA. In August, the United States District Court for the Northern District of Illinois refused to certify a TCPA class action field against PTZ Insurance Agency, Ltd., holding that many of the putative class matters had agreed to receive communications via telephone, and thus, would not have suffered a “concrete injury” sufficient to confer Article III standing. Other decisions have applied Spokeo at the class certification stage to hold that class certification was not possible when individualized inquiry would be required to demonstrate class member standing. For example, in Britts v. Steven Van Lines, Inc., the Northern District of Ohio recently denied class certification, holding that the assessment of whether each class member was sufficiently injured under Spokeo was individualized. 2018 will likely see a significant number of decisions addressing the contested impact (or lack thereof) of Spokeo on putative class actions. To be sure, numerous other decisions have found standing for the plaintiff and members of the putative class, and issues of Article III standing continue to receive substantial (and often divergent) judicial treatment. Regardless, Spokeo continues to be a key defense tactic for defendants attempting to obtain a dismissal of a putative class action or to defeat class certification. Limits of Personal Jurisdiction Further Defined by Supreme Court On June 19, 2017, the Supreme Court issued its decision in Bristol-Myers Squibb Co. v. Superior Court of Ca., 137 S. Ct. 1773 (2017), further limiting where a defendant can be sued. The Bristol-Myers Squibb (“BMS”) litigation involved hundreds of claims filed in California relating to injuries caused by Plavix, a bloodthinning drug, mostly involving plaintiffs who did not reside in California, did not take Plavix in California, and who otherwise had no connection to the state. Indeed, 592 of the nearly 700 plaintiffs resided in states other than California. The only connection BMS had to California relating to Plavix was that it sold the product there generally. BMS moved to quash service of summons on the Consumer Class Actions Class actions have continued to dominate court dockets, with thousands of new filings occurring in 2017. Based on the attractive statutory damages available under these statutes, the plaintiffs’ bar shows no sign of slowing down. While the total number of class actions helps to illustrate the high risk to regulated companies, there have been a number of developments this year that lend support to the defense of these cases. 2017 Consumer Financial Services Year in Review and a Look Ahead 5 nonresidents’ claims based on lack of personal jurisdiction. The California Supreme Court affirmed the lower courts’ decisions denying BMS’ motion, holding that the California courts had specific jurisdiction to entertain the nonresidents’ claims. On appeal, the Supreme Court reversed. “For specific jurisdiction, a defendant’s general connections with the forum are not enough.” The Supreme Court found that “[w]hat is needed – and what is missing here – is a connection between the forum and the specific claims at issue.” The Court held: “The relevant plaintiffs are not California residents and do not claim to have suffered harm in that State. In addition ... all the conduct giving rise to the nonresidents’ claims occurred elsewhere. It follows that the California courts cannot claim specific jurisdiction.” Although the Bristol-Myers decision does not directly implicate class actions, Justice Sotomayor foreshadowed in her dissent the potential application: “The Court today does not confront the question whether its opinion here would also apply to a class action in which a plaintiff injured in the forum State seeks to represent a nationwide class of plaintiffs, not all of whom were injured there.” No court has yet applied the decision to class certification issues, but it is inevitable that the issue will be raised in future litigation. Supreme Court Limits Plaintiffs’ Rights to Immediately Appeal Denial of Class Certification In Microsoft Corp. v. Baker, the Supreme Court considered options for plaintiffs who are denied class certification by a district court to gain appellate review of the district court’s order. Traditionally, appellate courts can only review “final decisions of the district courts” under 28 U.S.C. § 1291. Orders on class certification are not “final decisions” and thus not immediately appealable. Rather, the case will proceed on the named plaintiff’s individual claims. The practical reality, however, is that adjudication of the individual claims often makes no sense without class relief because the costs and fees associated with a trial would dwarf the possible recovery from any particular individual’s claim. Rule 23(f) of the Federal Rules of Civil Procedure permits appeal of class certification decisions but only if the court of appeals agrees that it is appropriate for the appeal to proceed. The appellate courts will generally consider whether the certification decision turns on a novel or unsettled question of law or whether the decision on certification is likely dispositive of the litigation. If the court of appeals denies the Rule 23(f) motion, a plaintiff must litigate the individual claims or agree to settle or dismiss the lawsuit. In Baker, the district court denied the plaintiffs’ motion for certification and the Ninth Circuit Court of Appeals subsequently denied the plaintiffs’ Rule 23(f) permission to appeal. In an attempt to circumvent these rules, the plaintiffs then stipulated to a voluntary dismissal of their claims so they could obtain a purported final appealable judgment. On appeal, the Supreme Court faced the issue of whether “federal courts of appeals have jurisdiction under § 1291 and Article III of the Constitution to review an order denying class certification ... after the named plaintiffs have voluntarily dismissed their claims with prejudice.” The Court answered in the negative. Specifically, the Court held “that the voluntary dismissal essayed by respondents does not qualify as a ‘final decision’ within the compass of § 1291. The tactic would undermine § 1291’s firm finality principle, designed to guard against piecemeal appeals, and subvert the balanced solution Rule 23(f) put in place for immediate review of class-action orders.” Troutman Sanders LLP 6 The Circuits Split Over Ascertainability The Sixth and Second circuits took different approaches to the implied ascertainability requirement of Rule 23(b)(3) classes. In Sandusky Wellness Center, LLC v. ASD Specialty Healthcare, Inc., No. 16-3741 (6th Cir. July 11, 2017), the Sixth Circuit upheld a denial of certification because of the difficulties in identifying class members. However, in In re Petrobras Securities, No. 16-1914 (2d Cir. July 7, 2017), the Second Circuit expressly declined to adopt a heightened ascertainability requirement. The Sandusky Wellness Center case concerned tens of thousands of faxes that allegedly failed to include a properly worded opt-out notice. The defendant sent the fax to 53,502 recipients, but only 40,343 had actually received it. The plaintiff had waited three years to file suit, and by that time the logs that could have been used to identify fax recipients had been destroyed. Additionally, the plaintiff could not propose any alternative for identifying class members other than individual affidavits testifying to receipt. Furthermore, determining which recipients had consented to receive the fax would have required “manually cross-checking 450,000 potential consent forms against the 53,502 potential class members.” In upholding the denial of certification, the court found that the benefits of affording TCPA cases class treatment “do not always outweigh the difficulties of managing a proposed class.” The Second Circuit intertwined the ascertainability and predominance argument, ultimately concluding that the plaintiff failed to meet its burden for both. In particular for ascertainability, the court concluded that determining class membership from individual affidavits “may not even be possible.” Relying on precedent, the court concluded that soliciting individual affidavits “was not an ascertainable way to identify class members.” Conversely, in In re Petrobras Securities, the district court certified a class of individuals who had acquired certain notes in “domestic transactions” in a case alleging violations of the Exchange Act and the Securities Act. The defendant tried to defeat certification on the basis that determining who had purchased the notes in domestic transactions would be administratively unfeasible. The court rejected this argument, instead concluding “that a freestanding administrative feasibility requirement is neither compelled by precedent nor consistent with Rule 23.” As such, ascertainability only requires that “a class be defined using objective criteria that establish a membership with definite boundaries.” Applying this doctrine, the court determined that ascertainability did not impede certification. The court discussed the circuit split before “declining to adopt an administrative feasibility requirement.” In taking the teeth out of the ascertainability requirement, the court stated that the “modest threshold will only preclude certification if a proposed class definition is indeterminate in some fundamental way.” These two cases highlight the split among the circuits in how much effect they will give the ascertainability requirement. The Short Life of the CFPB’s Ban on Class Action Waivers On July 10, 2017, the Consumer Financial Protection Bureau issued a rule that would have had a significant impact on many financial services companies. The rule banned class action waivers in arbitration provisions for covered entities. The CFPB had been exploring the rule since 2010 when Congress, with the passage of the Dodd-Frank Act, gave it the authority to promulgate regulations that would impose conditions on arbitration agreements for consumer financial services or products. On May 5, 2016, the CFPB announced the proposed rules and allowed a period of public comment before making the rule final more than a year later. The rule prohibited a provider from relying on an arbitration agreement with respect to any aspect of a class action that concerns any covered consumer financial product or service. Despite the many years in the making, the rule lasted less than four months, never taking effect. On July 25, 2017, the House of Representatives voted to repeal the rule under the Congressional Review Act. On October 24, 2017, the Senate approved the repeal in a party-line vote. Opponents of the rule argued that it hurt business, while proponents claimed that it was necessary for consumers to seek redress of harms in court. Finally, on November 1, 2017 Consumer Financial Services Year in Review and a Look Ahead 7 2017, President Trump signed the resolution passed by Congress, officially killing the rule. Arbitration remains a cost-effective and favored way of resolving disputes. The Ninth Circuit Opens the Door to Successive Attempts at Certification In Resh v. China Agritech, Inc., 857 F.3d 994 (9th Cir. 2017), the Ninth Circuit considered whether the pendency of an earlier uncertified class action tolls the statute of limitations for subsequent class claims. The plaintiff alleged that the defendant overstated its revenue, resulting in artificially inflated stock prices. Previously, two other proposed class actions had been filed against the defendant, but the court had denied certification in both. The named plaintiff in the instant action had been an unnamed class member in the two uncertified actions. The district court dismissed the proposed class action as timebarred, because the prior two class actions did not toll the statute of limitations for proposed class claims. However, the plaintiff challenged this ruling, arguing that the proposed class actions tolled the statute of limitations for their class claims. Under American Pipe & Construction Co. v. Utah, 414 U.S. 538 (1974), and Crown Cork & Seal Co. v. Parker, 462 U.S. 435 (1985), a pending putative class action tolls the statute of limitations for individual claims of the putative class members. If the court denies certification, putative class members may still bring individual actions. However, in the Ninth Circuit, as in many other jurisdictions, this tolling did not apply to future class claims. The decision in Resh reverses Ninth Circuit precedent and allows unnamed class members to bring successive class actions. The court concluded that “permitting future class action named plaintiffs, who were unnamed class members in previously uncertified classes, to avail themselves of American Pipe tolling would advance the policy objectives that led the Supreme Court to permit tolling in the first place.” The court called concerns about repetitive litigation overstated because potential plaintiffs “have little to gain from repeatedly filing new suits” and at some point plaintiffs’ attorneys “will be unwilling to assume the financial risk in bringing successive suits.” This issue is now the subject of a substantial circuit split, with the Eleventh Circuit taking the opposite view on numerous occasions (e.g., Ewing Industries Corporation v. Bob Wines Nursery, Inc.). In the meantime, this decision increases the exposure for defendants in the Ninth Circuit. Likewise, it will increase pressure to settle with putative classes. In late 2017, the Supreme Court granted certiorari to consider the issue. Conclusion Class actions will continue to dominate the dockets of courts across the country. The decisions above demonstrate the evolving nature of the law surrounding class actions on multiple dimensions. Keeping abreast of the developments in class action jurisprudence is essential to mounting the best defense when faced with a such a highexposure lawsuit. troutman.com 8 Class Action Exposure 2017 saw the largest FCRA jury verdict in history in Ramirez v. TransUnion, No. 3:12-cv-00632 (N.D. Cal.), where a jury found TransUnion willfully violated the FCRA and awarded statutory and punitive damages totaling more than $60 million. The case is discussed in more detail in the Background Screening portion of this report. In addition to the many FCRA litigation developments, in May 2017, Rep. Barry Loudermilk (R-Ga.) introduced H.R. 2359, the FCRA Liability Harmonization Act, which would cap class action damages in FCRA claims at $500,000 or one percent of the defendant’s net worth, whichever is less, and eliminate punitive damages. These changes would align the FCRA with numerous other consumer protection laws already in place, such as the Truth in Lending Act, the Fair Debt Collection Practices Act, the Equal Credit Opportunity Act, and the Electronic Funds Transfer Act. Hearings were held by the House Subcommittee on Financial Institutions and Consumer Credit in September. The resolution has not gained progress since. Identity Theft Claims Continue to Present High Risk Exposure Identity theft issues also continued to play a role in credit reporting litigation. The Ninth Circuit upheld a $430,000 jury verdict on an FCRA claim related to an auto finance company’s alleged failure to investigate an identity theft claim in Seungtae Kim v. BMW Fin. Servs. Na LLC, 2017 U.S. App. LEXIS 13860 (9th Cir. July 31, 2017). Kim alleged he suffered damage to his credit and emotional distress as a result of the company’s failure to adequately investigate his claims of identity theft. The jury awarded $250,000 to cover damage to Kim’s credit and $150,000 in emotional distress damages under California’s Identity Theft Law. The jury also awarded a $30,000 civil penalty under the same statute. In the underlying suit, Kim claimed that in 2013, he learned that the credit bureaus were reporting a delinquency on a car loan account that Kim never opened. Kim filed a police report, but the bureaus refused to correct their records, and the auto finance company claimed Kim did not have a valid identity theft claim. At trial, the district court denied the defense’s motion for judgment as a matter of law and the Ninth Circuit affirmed, finding that the evidence that Kim was denied credit by three lenders as a result of the credit reporting and was not denied credit after the tradeline was removed was sufficient to allow a reasonable jury to infer harm as to Kim’s credit reputation. During oral argument in the Ninth Circuit, Judge Harry Pregerson indicated that he expects similar suits will be filed against companies as a result of customer service issues. He questioned the company’s attorney, asking, “Have you ever tried to call one of these companies when you have a legitimate claim to try to talk to somebody? Try it sometime. You’ll spend half your life. You end up talking to someone 10,000 miles away.” In another notable decision, Wood v. Credit One Bank, No. 3:15-cv-594 (E.D. Va. Sept. 21, 2017), a federal district court in the Eastern District of Virginia granted summary judgment to a plaintiff on a claim that a lender violated the FCRA by failing to conduct a “reasonable” investigation of a credit reporting dispute – an issue normally reserved for a jury. Credit Reporting and Consumer Reporting The credit reporting industry endured another busy legal year, with the number of lawsuits filed under the Fair Credit Reporting Act growing and regulatory actions continuing apace. Developments impacted entities that fall into all levels of the credit reporting ecosystem – furnishers, users, and consumer reporting agencies (“CRAs”). 2017 Consumer Financial Services Year in Review and a Look Ahead 9 This case illustrates the difficulty creditors have in managing the legal risks in furnishing information to consumer reporting agencies. It also illustrates the particularly high risks creditors face in handling claims of identity theft, and the risks they run when they fail to take advantage of multiple disputes to address a problem. Credit One’s reporting policies were central to the Court’s decision. The decision included a detailed analysis of the types of codes Credit One used to describe the status of an account in dispute. In granting summary judgment, the Court focused on Credit One’s use of the Compliance Condition Code of “XH,” holding that “[b]y reporting a CCC of XH when Wood was continuing to dispute the accuracy of Credit One’s reporting, Credit One ‘create[d] a materially misleading impression,’ that the Account was not in dispute.” As a result, the Court held that a reasonable juror could find that Credit One’s actions were willful because, considering its practice of never reporting when a consumer disagrees with the results of an investigation and relying on findings from prior investigations, it intended to not report the ongoing dispute involving Wood’s account. Credit Reporting Relating to Accounts Involved in a Chapter 13 Bankruptcy 2017 saw an uptick in FCRA litigation against both CRAs and furnishers involving bankruptcies, particularly Chapter 13 cases involving the reporting of account information while the bankruptcy is active (post-plan confirmation) and after the case is closed (post-discharge). The Consumer Data Industry Association’s Credit Reporting Resource Guide provides Metro 2 standards for furnishers. When reporting during a Chapter 13 bankruptcy but prior to the discharge, the Guide indicates an account should be reported to reflect the terms of the Chapter 13 plan. However, in practice, this can prove to be difficult depending on the specifics of the plan. Plaintiffs’ attorneys have used the standards in the Guide as a basis to allege that a failure to report an account based on the terms of the plan results in inaccurate credit reporting. Thus far, courts have rejected these claims. In the Northern District of California, plaintiffs tried unsuccessfully to argue that the legal effect of a Chapter 13 confirmation plan binds the debtor and creditor and that a CRA that reports a historically accurate pre-confirmation debt or delinquency violates the FCRA. Courts have rejected this theory finding that although rights and obligations of parties are modified during a Chapter 13 bankruptcy plan, the original debt still exists prior to confirmation and a bankruptcy filing does not erase that obligation. In addition, courts have noted that despite a plan being in place, many debtors fail to make the required payments under the plan and original terms are ultimately reinstated. To be viable, it appears claims asserted on the theory of non-compliance with the CDIA Guide when reporting an account in bankruptcy must specify inaccuracies in the reporting, such as inaccurate amounts past due or the account being reported as charged off or in collections. Similarly, plaintiffs’ lawyers continue to file suits involving claims for reporting of accounts in which the consumer obtained a discharge in bankruptcy, particularly over the issue of whether the discharge applies to an account and how that determination affects the reporting of the tradeline. Most decisions on this issue have been favorable and issued by district courts within the Ninth Circuit, particularly in the Northern District of California. For example, courts have ruled that plaintiffs must plead and prove actual damages resulting from alleged violations of the FCRA, such that naked assertions of emotional distress and diminished credit are insufficient with regard to an account involved in a bankruptcy. Nonetheless, the high volume of filings continues, particularly in California, Georgia, and Nevada, as the CRAs and furnishers struggle to weigh the costs of fighting these lawsuits against the costs of settlement. Dispute Coding Continues to Perplex Furnishers How to stay on the right side of the FCRA when it comes to the use of Compliance Condition Codes (CCCs) to mark accounts as disputed has become less clear in 2017. This technical and obscure point of credit reporting is emerging as a controversial and risky area for furnishers. The 2017 version of the Guide introduced new changes to its recommended standard. According to the new Guide, CCCs “should not be reported in response to a consumer dispute investigation request from the consumer reporting agencies” except in certain situations where it is required by the Fair Debt Collection Practices Act. But nearly every circuit Troutman Sanders LLP 10 court that has addressed the use (or non-use) of CCCs has taken a different position, and several cases decided this year continue the trend: There can be liability under the FCRA for failing to report an account as disputed if doing so makes the reported information misleading. For example, federal district courts in the Eastern District of Virginia, Northern District of Georgia, and District of Colorado all issued opinions which held that a furnisher’s failure to indicate an account is disputed (such as through the use of CCCs) can render the credit reporting information materially misleading in violation of the FCRA. In sum, although the Guide is considered by regulators and others as the industry standard for credit reporting, data furnishers should be wary of following its guidance on the use of CCCs as more and more opinions are inconsistent with its guidance. Regulatory Enforcement Actions Against Furnishers of Information In addition to issues regarding how certain credit information should be reported, furnishers also continued to face regulatory actions regarding the accuracy of information reported. 2017 saw an enforcement action against one of the nation’s largest banks for alleged failures related to information provided for checking account screening reports. The CFPB claimed that the bank failed to provide accurate information to certain screening companies which use the information to determine whether a consumer can open a bank account. Under the FCRA, banks that supply information for checking account screening reports are required to have proper processes in place for reporting accurate information. This regulatory action resulted in the CFPB ordering the bank to pay a $4.6 million penalty. The CFPB also required the bank to implement necessary changes to its policies to prevent future legal violations. The enforcement action required the bank to: (1) ensure accurate information is reported; (2) inform consumers of investigation outcomes related to disputes; and (3) provide consumers with contact information of the consumer reporting agency that provides information used to deny an application for a deposit account. Banks were not the CFPB’s only target in 2017 with respect to accuracy issues. In November, Conduent, Inc., a business process outsourcing company, agreed to pay a $1.1 million penalty to the CFPB in connection with an action alleging that Conduent used flawed software that resulted in more than one million erroneous reports being filed with credit rating agencies in 2016. According to the CFPB, Conduent used flawed software to file information about auto loan borrowers with credit reporting agencies. The problem allegedly stemmed from changes made to Conduent’s software that automatically generates reports on auto loan borrowers and their repayment efforts. In addition to the penalty, Conduent agreed to inform its clients of the errors and hire a consultant to review its reporting process. Continued Developments in Permissible Purpose Litigation Courts across the nation – but particularly federal courts in the Ninth Circuit – have continued to address the issue of “permissible purposes” to obtain consumer credit reports under the FCRA. The plaintiffs’ bar has been especially active in bringing class action lawsuits against banks, mortgage servicers, and credit card companies, alleging impermissible pulls of credit reports after a consumer has received a bankruptcy discharge. Virtually all courts to address the merits of this issue, or the willfulness analysis under the FCRA, have determined that post-discharge soft pulls do not violate (or willfully violate) the statute – pointing to the ongoing business relationship between the consumer and lender, including in the form of a still-existing property and lien interest. See, e.g., Vanamann v. Nationstar Mortg. LLC, No. 2:15-cv00906, 2017 U.S. Dist. LEXIS 41472, at *11 (D. Nev. Mar. 22, 2017); Farrin v. Nationstar Mortg., LLC, No. 15-cv-102, 2016 U.S. Dist. LEXIS 149755, at *28 (D.N.H. Oct. 28, 2016) (granting summary judgment on willfulness grounds); Saumweber v. Green Tree Servicing, LLC, No. 13-cv-03628, 2015 U.S. Dist. LEXIS 65175, at *13-14 (D. Minn. May 19, 2015) (same); Godby v. Wells Fargo Bank, N.A., 599 F. Supp. 2d 934, 944 (S.D. Ohio 2008) (same); Radney v. Bayview Loan Servicing, LLC, No. 15 C 4075, 2016 U.S. Dist. LEXIS 164872, at *4 (N.D. Ill. 2016) (granting motion to dismiss); Germain v. Bank of Am., N.A., No. 13-cv-676, 2014 U.S. Dist. LEXIS 158874, at *6 (W.D. Wis. Nov. 7, 2014) (defendant had a permissible purpose under the FCRA to obtain plaintiff’s consumer report because plaintiff continued to be 2017 Consumer Financial Services Year in Review and a Look Ahead 11 in a credit relationship and “account” with defendant after plaintiff’s discharge). The Ninth Circuit may finally address the issue in 2018 in Vanamann. Threshold Issues Regarding Interpretation of the FCRA Still Up for Debate In Pedro v. Equifax, Inc., 868 F.3d 1275 (11th Cir. 2017), the United States Court of Appeals for the Eleventh Circuit affirmed the dismissal of a putative class action against TransUnion, holding that TransUnion was not objectively unreasonable in its reading of the Fair Credit Reporting Act. The plaintiff, Kathleen Pedro, was an authorized user on her parents’ credit card but allegedly had no responsibility for the card’s debts. When Pedro’s parents passed away, the account went into default and Pedro subsequently learned her credit score had diminished because of TransUnion listing her parents’ credit account – with a notation that she was an authorized user – on her credit report. The Court found TransUnion did not willfully or recklessly violate the FCRA when it listed Pedro’s deceased parents’ delinquent credit card even though she was not financially responsible for the debts, because the information was true. The Eleventh Circuit held that TransUnion’s interpretation of the FCRA was objectively reasonable, stating TransUnion could have reasonably concluded that reporting Pedro’s parents’ account was permissible because the information was “technically accurate.” The Court noted there are two general approaches to “maximum possible accuracy,” with some courts requiring only technical accuracy and others requiring that the reporting also not be misleading. The court concluded that TransUnion was not unreasonable in relying on technical accuracy in interpreting its obligations as they applied to Pedro. Fourth Circuit Reverses and Dismisses $12 Million FCRA Class Action Judgment Finally, companies faced with credit reporting lawsuits did not shy away from challenging consumers’ standing to bring actions under Article III of the Constitution. In one of the most significant post-Spokeo decisions, the Fourth Circuit unanimously reversed and dismissed a nearly $12 million FCRA class action judgment, finding that plaintiff Michael T. Dreher lacked Article III standing to bring his claims. The decision provided much needed clarity from the Fourth Circuit on the viability of “informational injuries” post-Spokeo. Dreher’s complaint alleged that a national consumer reporting agency violated FCRA § 1681g when it identified a defunct credit card company, rather than the name of the current servicer, as the source of a tradeline on Dreher’s credit report. The district court granted Dreher summary judgment on his willfulness claim and instead of trying the case to a jury, the parties stipulated to an award of $170 in statutory damages for each class member. On August 26, 2015, the district court entered a final judgment totaling more than $11.7 million. The national consumer reporting agency appealed to the Fourth Circuit. Reversing the district court and applying the Supreme Court’s 2016 decision in Spokeo Inc. v. Robins, 136 S. Ct. 1540 (2016), the Fourth Circuit emphasized the concept that a statutory violation “divorced from any real world effect” does not confer standing. Taking a page from Spokeo, the Court’s opinion acknowledged that, while not necessarily fatal to his claim, Dreher had not proposed a common law analogue for his FCRA injury. There was also no traditional right of action comparable to Dreher’s claimed injury. Finding Dreher was left only with a bare statutory violation, the Fourth Circuit reversed the district court’s ruling and remanded the case for dismissal, putting the proverbial nail in the coffin on Dreher’s claim under FCRA 1681g and the accompanying $11.7 million judgment. troutman.com 12 Two Significant Verdicts Highlight Trial Risks While trials in FCRA cases remain rare, two verdicts against consumer reporting agencies are noteworthy. In June, a federal jury in California found that TransUnion violated the FCRA when reporting information from the Office of Foreign Asset Control terror watch list database. The jury found TransUnion had willfully violated the statute and awarded statutory and punitive damages totaling more than $60 million in what appears to be the largest FCRA verdict in history. In that case, Ramirez v. TransUnion, the plaintiff alleged TransUnion sold credit reports that contained searches of the OFAC database that erroneously identified him as someone else on that list, barring him from being able to access credit opportunities. The jury found TransUnion willfully failed to follow FCRA-mandated “reasonable procedures” to assure “maximum possible accuracy,” and that it also failed to properly provide written disclosures of OFAC results and consumer notices of FCRA rights. For a class of just over 8,000 consumers, the jury awarded $984 each in statutory damages and $6,353 each in punitive damages. TransUnion filed multiple post-trial motions seeking relief from the judgment, all of which were denied. It then filed a timely appeal to the Court of Appeals for the Ninth Circuit, which remains pending. TransUnion has vowed to continue challenging the verdict. Another notable pro-plaintiff FCRA verdict came down in late 2016, but motions practice continued well into 2017. In Williams v. First Advantage LNS Screening, the consumer plaintiff alleged that First Advantage violated the FCRA when preparing employment-related background checks and twice reported records belonging to another person on Williams’ background report. He sued and went to trial on an individual claim. In October 2016, the jury found that First Advantage willfully violated the FCRA, awarding Williams $250,000 in compensatory damages and $3.3 million in punitive damages. Throughout 2017, First Advantage continued to challenge the verdict, including through a motion for a new trial, which was denied in March 2017. The case is now on appeal to the Court of Appeals for the Eleventh Circuit, with First Advantage again seeking to reverse the verdict entirely or reduce the award of damages. An appellate decision is expected in 2018. Ramirez and Williams both serve as stark reminders that the stakes in any FCRA action can be significant, particularly in the face of punitive damages. Ninth Circuit Issues Major Decision on Disclosure/Authorization Forms Another major development in 2017 was the Ninth Circuit’s decision in Syed v. M-I, LLC, a putative class action against a California employer. The Ninth Circuit held that the prospective employer willfully violated the FCRA by including a liability waiver in its background check disclosure form. During the application process, the employer provided a form to the plaintiff labeled “PreBackground Screening 2017 was another busy year for background screening and other Fair Credit Reporting Act (“FCRA”) litigation, with a variety of noteworthy events. Some – such as major verdicts and appellate opinions against the industry – provided valuable lessons in risk areas. Others, including continued application of the Supreme Court’s decision in Spokeo, Inc. v. Robins, helped narrow the specter of FCRA litigation risk. The stakes in any FCRA action can be significant, particularly in the face of punitive damages. 2017 Consumer Financial Services Year in Review and a Look Ahead 13 employment Disclosure Release.” It stated that the employer would obtain Syed’s credit history and that other information could be collected and used to make a decision on his employment application. The form also included a waiver that discharged, released, and indemnified the “prospective employer…, their agents, servants, employees, and all parties that rely on this release and/or the information obtained with this release from any and all liability and claims arising by reason of the use of this release and dissemination of information that is false and untrue if obtained by a third party without verification.” The district court dismissed the allegations of a willful FCRA violation. The Ninth Circuit reversed and, surprisingly, found not only that Syed had stated a claim, but that M-I’s use of the disclosure form was a willful violation of the FCRA as a matter of law. The court held the FCRA’s disclosure requirement was unambiguous and that including a liability waiver could not be supported by any reasonable interpretation of the statute. After a rehearing petition was filed by M-I, the Ninth Circuit issued an amended opinion, ruling that Syed also had Article III standing based upon the allegations of harm in the operative complaint. The United States Supreme Court recently denied the cert petition filed by M-I. While litigation over the contents of a background check disclosure form is nothing new – nor is litigation about a release of liability in particular – Syed marks the first appellate-level pronouncement that liability releases in consumer report disclosures constitute a willful violation of the FCRA. Syed serves as a sobering reminder that all employers should take a close look at their preemployment disclosure forms. What on the surface may appear to be a minor wording variation from the disclosure language stated in the FCRA could result in a class action lawsuit, and one that some courts – including now any court in the Ninth Circuit – could find to be a willful violation. Courts across the country continue to be divided on the issue of disclosure / authorization forms, including consumer standing to bring such claims. Lower Courts Continue to Cite and Parse Spokeo Decision In June 2016, the United States Supreme Court in Spokeo held that an FCRA plaintiff must satisfy Article III standing requirements in alleging a concrete and particularized injury to the plaintiff, which could include a risk of injury. The result of Spokeo was a raft of district court decisions attempting to find the contours of its holding and, in some instances, dismissing claims from federal court. In 2017, we continued to see courts grapple with Spokeo. First, the Spokeo case itself was remanded to the Ninth Circuit for further consideration of whether that plaintiff had sufficiently alleged a harm to satisfy Article III in light of the Supreme Court’s holding. Earlier this year, the Ninth Circuit ruled that he had. The case has now been remanded to the district court for further proceedings. However, on December 4, 2017, the defendant filed a second cert petition to the Supreme Court, which was placed on the docket as Case No. 17-806. A decision on that petition remains pending. Second, district courts have continued to use Spokeo to keep some claims out of federal court: • Meyers v. Nicolet Restaurant of De Pere, LLC, 843 F.3d 724 (7th Cir. 2016) (FACTA). The plaintiff consumer lacked Article III standing to file a putative class action against a restaurant for violating FACTA by printing the expiration date of his credit card on the receipt, because he failed to allege a sufficiently concrete injury. Meyers discovered the violation immediately and no one else saw the non-compliant receipt. The district court erred in denying Meyers’ motion for class certification instead of dismissing the case for lack of jurisdiction. • Nokchan v. Lyft, Inc., No. 15-cv-3008, 2016 U.S. Dist. LEXIS 138582 (N.D. Calif. Oct. 5, 2016). An employer provided an FCRA release form that included extraneous information and failed to inform the plaintiff consumer of their rights. Violation of FCRA’s stand-alone requirement did not constitute concrete harm. Troutman Sanders LLP 14 • Bultemeyer v. CenturyLink, Inc., No. 2:14-cv2530, 2017 U.S. Dist. LEXIS 25831 (D. Ariz. Feb. 15, 2017). A cable company obtained a consumer’s credit report without their permission. The court rejected Bultemeyer’s claim that the FCRA creates a substantive right to privacy. • Dilday v. DIRECTV, LLC, No. 3:16-cv-996, 2017 U.S. Dist. LEXIS 47195 (E.D. Va. March 29, 2017). A cable provider obtained a consumer’s credit report with no permissible purpose and no business relationship. The court applied the recent Fourth Circuit decision in Beck v. McDonald to rule that invasion of purported right to privacy – by itself – is insufficient to show concrete harm. • Kamal v. J. Crew Group, Inc., No. 2:15-cv190, 2017 U.S. Dist. LEXIS 86222 (D.N.J. June 6, 2017) (FACTA). Clothing retailer J. Crew printed extra, impermissible credit card digits on customer receipts. The court applied Spokeo and held there was no privacy interest implicated by the conduct and no risk of any real future harm, making the claims insufficient to survive an Article III challenge. Third, as predicted in our 2016 year-in-review, we have seen many FCRA cases filed in the first instance in state court. State courts, which have concurrent FCRA jurisdiction, often adhere to lesser standing requirements, permitting claims that might otherwise not survive in federal court, and shielding those claims from removal. That trend has engendered new fights as parties seek to clarify (or limit) state court standing: • In July 2017, for example, the Missouri Court of Appeals affirmed dismissal of a putative FCRA class action against an employer based on an application of Spokeo, effectively holding that its state-court standing rules were coextensive with federal court, or at least insofar as the application of Spokeo is concerned. • On December 5, 2017, the Court of Appeals of Ohio affirmed dismissal of a putative FCRA class claim against Ohio State University on the basis that the plaintiffs lacked standing to assert their no-injury, statutory claim in Ohio state court. The state appellate court declined to adopt a “statutory standing” doctrine in Ohio that would allow standing for a federal statutory claim without the existence of an alleged injuryin-fact. Ultimately, “[t]o the extent the ‘statutory standing’ doctrine constitutes an exception to the traditional principles of standing in Ohio,” the Ohio appellate court declined “to extend that exception to this circumstance involving the application of a federal statute.” • In Miles v. The Company Store, Inc., et al., No. 16-CVS-2346 (Alamance Cnty, N.C. Sup. Ct. Nov. 16, 2017), the named plaintiff in a putative FACTA class action alleged that the defendants generated and provided a copy of a receipt revealing the first six digits and the last four digits of the credit card plaintiff used to make a purchase, in violation of 15 U.S.C. §§ 1681(c)(g)(1). Yet, the plaintiff did not allege the receipt was seen by anyone other than himself or that he suffered identity theft or faced an increased risk of the same. Relying on federal cases that cited Spokeo, North Carolina Superior Court Judge Richard S. Gottlieb ruled that the allegations did not confer standing for the plaintiff to bring suit in North Carolina state court. Similar fights – and attempts by defendants to invoke the protections of Spokeo in state court – are likely to arise as FCRA cases wind their way through state courts. Spokeo continues to result in divergent outcomes across federal and, increasingly, state courts. It is an often-invoked opinion for defendants trying to dispose of cases on procedural grounds, with many plaintiffs resorting to state court, a tactic that itself is leading to new challenges and developments. Spokeo continues to result in divergent outcomes across federal and, increasingly, state courts. 2017 Consumer Financial Services Year in Review and a Look Ahead 15 Increased Litigation Against Wholesalers and Public Record Vendors Finally, 2017 saw an increase in FCRA/background screening lawsuits against data wholesalers and public record vendors, as opposed to direct-to-enduser consumer reporting agencies. Wholesalers and public record vendors have traditionally not been the subject of extensive litigation, partly because the term “wholesaler” is not used in the FCRA. Whether a wholesaler is classified as a CRA subject to the FCRA generally depends on whether it acts to “assemble” or “evaluate” the data that it transmits to third parties. That analysis, in turn, frequently depends on whether the wholesaler is acting as a “mere conduit” of information from other sources, or whether it has “assembled or evaluated” the data in question. Compare Lewis v. Ohio Prof’l Elec. Network LLC, 190 F. Supp. 2d 1049, 1056 (S.D. Ohio 2002) with Adams v. LexisNexis Risk & Info. Analytics Group, Inc., 2010 U.S. Dist. LEXIS 47123, at *17 (D.N.J. May 12, 2010). Even if such entities are classified as CRAs, there is a potential defense based on the unmatched nature of the information returned. No appellate court has ruled on whether the FCRA’s various requirements apply to wholesalers. While some district courts have answered that question in the negative, at least one court has ruled otherwise. In Wilson v. The Source for Public Data, 4:12-cv-185 (S.D. Tex. 2013) (Dkt. No. 36), the court held that the return of public records by a wholesale vendor in response to search criteria input by a background screening company was not “inaccurate,” and that the background screening company “did not purchase a [consumer] report, but instead purchased access to Defendant’s website in order to conduct its own search”. Other cases taking this approach include Farmer v. Phillips Agency, Inc., 285 F.R.D. 688, 703 (N.D. Ga. 2012); and Jones v. Sterling Infosystems, Inc., 317 F.R.D. 404 (S.D.N.Y. 2016). A contrasting approach was taken in Kelly v. Bus. Info. Grp., Inc., No. 15-6668, 2016 U.S. Dist. LEXIS 177171 (E.D. Pa. Dec. 22, 2016). troutman.com 16 Bankruptcy On May 15, 2017, the United States Supreme Court reversed an Eleventh Circuit decision and held that a debt buyer was not liable under the Fair Debt Collection Practices Act for filing proofs of claim in bankruptcy on debts that had become timebarred but were not extinguished under state law. Background In Johnson v. Midland, the Eleventh Circuit revisited the issue of whether debt collectors violate the FDCPA when filing proofs of claims in bankruptcy cases based on consumer debts with expired statutes of limitations. The Eleventh Circuit affirmed its prior decision in Crawford v. LVNV Funding, LLC, 758 F.3d 1254 (11th Cir. 2014), concluding that when a “creditor is also a ‘debt collector’ as defined by the FDCPA, the creditor may be liable under the FDCPA for ‘misleading’ or ‘unfair’ practices when it files a proof of claim on a debt that it knows to be time-barred, and in doing so ‘creates the misleading impression to the debtor that the debt collector can legally enforce the debt.’” The Opinion The majority’s opinion analyzed the FDCPA application in two parts. Justice Breyer, writing for the Court, first analyzed whether the filing of a proof of claim that is time-barred on its face is “false, deceptive or misleading.” The Court noted first that under the Bankruptcy Code, a “claim” is defined as a “right to payment,” and relevant state law usually determines whether a person has such a right. In this case, Alabama law, “like the law of many states, provides that a creditor has a right to payment of a debt even after the limitations period has expired.” The opinion specifically rejects the consumer’s attempt to redefine “claim” to require a claim be enforceable. The Court noted “the word ‘enforceable’ does not appear in the Code’s definition of ‘claim.’” Moreover, Section 502(b)(1) “says that, if a ‘claim’ is unenforceable,’ it will be disallowed. It does not say that an ‘unenforceable’ claim is not a claim.” The Court relied on the presence of the Chapter 13 trustee and his or her understanding that “a proof of claim is a statement by the creditor that he or she has a right to payment subject to disallowance (including disallowance based upon, and following, the trustee’s objection for untimeliness)” to conclude that filing a claim on a time-barred debt is neither misleading nor deceptive. The Court then turned to whether assertion of a time-barred claim is “unfair” or “unconscionable” under the FDCPA. In concluding that such activity is neither, the Court distinguished claims administration in bankruptcy proceedings from ordinary state court collection litigation. The Court found that unlike a collection case, in bankruptcy the consumer initiates the judicial proceeding, aided by the benefit of a bankruptcy trustee who “bears the burden of investigating claims and pointing out that a claim is stale.” The Court was troubled about the potential slippery slope of adopting Johnson’s argument that would transform untimeliness from an affirmative defense that must be raised by the debtor or trustee to an absolute bar. Creating an exception to the affirmative defense approach, the Court noted, “would require defining the boundaries of” such an exception, including whether such an exception was limited to facially time-barred claims or whether other affirmative defenses would be affected. “The law has long treated unenforceability of a claim (due to the expiration of the limitations period) as an affirmative defense. And we see nothing misleading or deceptive in the filing of a proof of claim that, in effect, follows the code’s similar system.” In a dissent joined by Justices Ginsburg and Kagan, Justice Sotomayor disagreed with many of the justifications of the majority. In response to the majority’s view that the Chapter 13 trustees can serve as gatekeepers in the proof of claim administration, the dissent noted that time-barred claims have “deluged” the courts and “overworked trustees.” The dissent noted the application of the opinion was limited to Chapter 13 cases and left open the possibility of legislative action if 2017 Consumer Financial Services Year in Review and a Look Ahead 17 Congress wanted to amend the FDCPA to prohibit filing of time-barred debt. The opinion settled an issue that has led to tremendous litigation (and divergence) throughout the country: A creditor can no longer face FDCPA liability for filing a proof of claim in a Chapter 13 case solely on the basis that the statute of limitations has expired. Creditors should take note, however, that the proof of claim in Johnson was accurate and clear on its face that the limitations period had run and that the debt had not been extinguished under state law. Creditors filing proofs of claim on stale debts should take care that the debt has not been extinguished under state law and that the proof of claim sets forth the basis for the claim clearly and accurately. Changes to the Federal Rules of Bankruptcy Procedure Went into Effect December 1, 2017 The Supreme Court approved changes to the federal bankruptcy rules effective December 1, 2017. Most, but not all, of the changes affect rules governing consumer cases under Chapters 7, 12, and 13. For example, the new rules modify the deadline for filing proofs of claim in Chapter 7, 12, and 13 cases, shorten the time for debtors to object to claims, and attempt to standardize Chapter 13 plans across the country. New Bankruptcy Rule 3002 shortens the time within which a creditor must file a proof of claim in a Chapter 7, 12, or 13 case to 70 days after the order for relief (typically, the filing of the bankruptcy petition). The former rule allowed claims to be filed within 90 days after the first date set for a meeting of creditors, which in turn must be held within a “reasonable time” after the order for relief. Under the new rule, a mortgage servicer must file its proof of claim with the attachments prescribed by Official Form 410A (detailing monthly payments and other critical data) by the 70-day mark, but can have an additional 90 days to file written evidence of the indebtedness giving rise to the claim and proof of perfection of the security interest. New Rules 3012 and 3015 are designed to speed up plan confirmation, but will require creditors to review plans early and to take action if they disagree with the debtor’s valuation of their claim. Under these new rules, the amount of a secured claim listed in the plan are binding on the claimholder even if the holder files a contrary proof of claim or the debtor schedules that claim in a different manner and regardless of whether an objection to the claim has been filed. In addition, objections to Chapter 12 and 13 plans must now be filed at least seven days before the date set for the confirmation hearing. These changes mean that creditors must act promptly if they disagree with the debtor’s proposed valuation of the collateral. Failure to do so could result in the undervaluation of a claimant’s collateral, and in the case of the holders of second-priority mortgages, the potential stripping of the unsecured portion of those liens. Finally, new Rules 3015 and 3015.1 attempt to implement a national standard Chapter 13 bankruptcy plan, and require all courts to either use the official plan form or adopt a local form that highlights any local standard or nonstandard plan provisions. Despite hopes for a uniform national approach, it appears that many jurisdictions across the country have opted out and adopted a local version. For example, the Eastern District of Virginia, the Western, Middle and Eastern Districts of North Carolina, Northern and Middle Districts of Georgia, Central District of California, and Middle District of Florida have each implemented local versions of the official form. Creditors will thus need to review plans for local differences. However, under Rule 3015.1, local plan forms must call attention to nonstandard provisions and they must be placed at the end of the plan so that creditors can find them easily. Troutman Sanders LLP 18 Debt Collection With the Supreme Court up to full strength now that Justice Neil Gorsuch has been sworn in, 2017 saw key cases limiting the scope and application of the Fair Debt Collection Practices Act with respect to the statutory definition of who is a “debt collector” under the Act as well as the application of the FDCPA in the bankruptcy context. While both decisions have been welcomed in the industry, several issues in the collection letter sphere, including ongoing disputes over language regarding current balances, pre- and post-judgment interest, and tax consequences continue to yield mixed results at the district court level as they await resolution in the Courts of Appeal. Supreme Court Refuses to Extend the Scope of the FDCPA to Debt Buyer Consumer Finance Company Last summer, the United States Supreme Court issued a significant decision written by Justice Gorsuch in Henson v. Santander Consumer USA, Inc., drastically restricting the universe of companies subject to potential liability under the FDCPA. In a unanimous decision authored by Justice Gorsuch, the Court held that companies that buy defaulted debts are not “debt collectors” under the FDCPA because they are not, by definition, “collect[ing] or attempt[ing] to collect…debts owed or due…another,” under 15 U.S.C. §1692a(6). The upshot of the decision is that companies that purchase debts—as opposed to just the servicing or collection rights for loans in default—have a solid defense to FDCPA claims. In Henson, the plaintiffs alleged their debt was purchased after the debt was already in default. Plaintiff Ricky Henson argued that the purchaser was thus a debt collector, while the buyer asserted that it was not covered by the FDCPA since it was collecting the debt on its own behalf and not for another entity. The district court agreed with Santander, and Henson appealed. The Fourth Circuit affirmed the dismissal of Henson’s claims, holding the consumers had not alleged that Santander was acting as a debt collector under the FDCPA because, under the plain language of the statute, a debt collector must attempt to collect a debt “for another,” not for itself as Santander did after it purchased the debt at issue. Henson appealed to the Supreme Court. Before addressing the issue, the Court emphasized the limited scope of its review, which specifically excluded two of the three statutory definitions of “debt collector” under § 1692a(6) of the FDCPA, namely: (1) entities “engaged in any business the principal purpose of which is the collection of any debts;” and (2) entities collecting their own debts, but “using any name other than [their] own” to do so. Having thus limited the scope of its decision, the Court proceeded to focus entirely on whether Santander was a “debt collector” under § 1692a(6)’s remaining statutory definition, anyone “who regularly collects or attempts to collect…debts owed or due… another.” Thus, in the words of the Court, “[a]ll that remains in dispute is how to classify individuals and entities who regularly purchase debts originated by someone else and then seek to collect those debts for their own account.” This definition, by its plain terms, limits debt collectors to those regularly seeking to collect debts “owed…another.” The Court disagreed with Henson’s interpretation that the word “owed” referred to the past tense, thus excluding loan originators but including debt purchasers. Instead, the Court concluded, because past participles like “owed” are routinely used as adjectives to describe the present state of a thing, the language “owed … another” in the definition of a debt collector plainly incorporates both currently and formerly owing another. In other words, it does not matter “how a debt owner came to be a debt owner – whether the owner originated the debt or came by it only through a later purchase. All that matters is whether the target of the lawsuit regularly seeks to collect debts for its own account or does so for ‘another.’” The Court also pointed out that “contextual cues” supported Santander’s reading of the statute because Congress drew a distinction in several 2017 Consumer Financial Services Year in Review and a Look Ahead 19 portions of the statute, including the very definitional section being discussed, between persons originating the debt and persons to whom a debt is “owed” currently. However, Congress drew no such distinction in § 1692a(6), instead opting to define a debt collector simply as one who collects a debt on behalf of another. Moving on to policy, the Court found Henson’s arguments unconvincing. While Henson was correct that Congress likely did not envision a business of purchasing defaulted debt at the time it passed the FDCPA in 1977, the Court rejected Henson’s invitation to engage in speculation. “[I]t is never our job to rewrite a constitutionally valid statutory text under the banner of speculation about what Congress might have done had it faced a question that, on everyone’s account, it never faced.” Even if the Court were to consider Congress’ possible take on the debt buying industry, “the speculation [Plaintiffs] urge upon us is far from unassailable.” To be sure, a reasonable legislator would likely “wonder whether a large financial institution like [Defendant] is any more or less likely to engage in abusive conduct than another large financial institution like [the originator of Plaintiffs’ debt].” On balance, the statutory text was plain and unambiguous as to the definition of a “debt collector,” and the Court refused to usurp Congress’ role to amend the statute. The Court’s decision may bring some clarity for financial services companies that acquire debts after they are in default, for example, in connection with a merger or portfolio sale, and will almost certainly have a favorable impact on that portion of the industry going forward. The decision will likely prove less useful to companies whose “principal purpose” is the collection of debts, however, although the Court’s decision does not close the door on further developments to that statutory definition of “debt collector” as well. Current Balance Litigation Continues In the lower courts, the ongoing litigation over so-called “current balance” language in collection letters continues, with the leading case being Avila v. Riexinger & Associates, LLC., 817 F. 3d 72 (2d Cir. 2016). In Avila, the plaintiff consumer alleged interest was accruing on her account at a rate equivalent to 500% per year, and the collection notices she received from the defendant failed to disclose that the balance might increase due to interest and fees. Id. at 74. The Second Circuit held that a reasonable consumer could be “misled into believing that she could pay her debt in full by payment in the amount listed on the notice” when interest and fees continued to accrue after receipt of the notice. Id. at 76. The Court recommended that “safe harbor” language be inserted in those instances where the collection notices did not sufficiently inform the consumer that the balance due on the notice may continue to increase due to interest and fees. Id. However, the Court further held that a debt collector would not violate the FDCPA for failing to disclose that interest and fees may accrue if the letter clearly stated that the holder of the debt will accept payment of the amount in the notice as full satisfaction of the debt. Id. Following Avila, the Eastern District of New York decided Dick v. Enhanced Recovery Co. LLC No. 15- cv-2631, 2016 U.S. Dist. LEXIS 135789 (E.D.N.Y. Sept. 28, 2016). There, the Court rejected the plaintiff’s expansive reading of Avila by holding “there is no requirement that every statement in a debt collection notice include an extra assurance that the fact stated will not change in the future. Id. at *5. The Southern District of New York then decided Taylor v. Financial Recovery Services, Inc. 252 F. Supp. 3d 344 (S.D.N.Y. 2017), appeal docketed, No. 17-1650 (2d Cir. May 22, 2017). In this case, the plaintiffs received multiple collection letters from a debt collector offering settlements on each claim and providing the current balance in multiple locations within each letter. The letters did not reference whether interest and fees would accrue. The Court granted summary judgment to the collector, holding that the collection notices were not false, misleading, or deceptive as a matter of law. Id. Since the balances were accurate on the letters, the Court found it was “irrelevant” whether the balances in fact accrued interest and fees after being referred to the collector. Id. at *345. Furthermore, the Court troutman.com 20 pointed out that the statements were not misleading because the balances owed were stated numerous times within each letter and the balances remained the same in successive letters. Id. On September 29, 2017, the court followed with Derosa v. CAC Financial Corp., No. 2:16-cv-1472, 2017 U.S. Dist. LEXIS 162415 (E.D.N.Y. Sept. 29, 2017), appeal docketed, No. 17-3189 (2d Cir. Oct. 4, 2017), in which the plaintiff received multiple collection letters from a debt collector, each letter referencing the same balance. Derosa claimed the letters failed to inform him whether interest and fees would accrue on the account. The Derosa court took the same approach as the Taylor court and granted summary judgment to the defendant, deciding two outstanding issues: (1) that when a balance is “static”, the debt collector need not disclose whether the balance might increase by interest and fees; and (2) that collection letters not breaking down principal, interest, and fees where the balance remains “static” were not deceptive to the least sophisticated consumer. The court stated that the letters were not false or misleading and that the least sophisticated consumer would clearly understand that what was owed because the balance appears multiple times not only in the same letter but in subsequent letters as well. Derosa is also on appeal to the Second Circuit. The Derosa court observed that arguments brought by Derosa were “the ‘kind of bizarre or idiosyncratic’ interpretation that the court must not adopt when considering debt collection language under the FDCPA”. The court in Taylor further observed that “only a consumer in search of an ambiguity and not the least sophisticated consumer would interpret the letters to mean that interest was accruing.” In Islam v. American Recovery Services, Inc., No. 2:17-cv-4228-BMC, 2017 U.S. Dist. LEXIS 180415 (E.D.N.Y. Oct. 31, 2017), the Court held that a collection letter with the term “current balance” and no reference to whether the balance may increase due to interest or fees could be read by the least sophisticated consumer that the balance, whether dynamic or static, may increase over time and therefore violates the framework set out by the Second Circuit in Avila. The court found that by using the term “as of the date of this letter”, which implies “current” when referencing the balance in its collection letters, a debt collector was subtly incentivizing a debtor to make immediate payment on a debt, regardless of whether the balance remained static in subsequent collection letters. The court further held that even though subsequent letters reflect the same static balance in multiple places, that alone would not absolve the collector from FDCPA liability. At best, it would limit the collector’s damages. This case is a shift from Derosa and Taylor, both taking a polar opposite position on the inclusion of a disclaimer if interest and fees are not accruing. Also, this is the first case where the court has denied relief to the collector on summary judgment. Pre-Judgment and Statutory Interest Litigation While plaintiffs’ attorneys have continued to challenge current account balance language in collection letters, they are also attacking the adequacy of balances by arguing that letters failing to disclose that pre-judgment interest is accruing on an account violates the FDCPA. Recently, these theories have fallen flat in the Second Circuit. For example, in Cruz v. Credit Control, LLC., No. 2:17-cv1994, 2017 U.S. Dist. LEXIS 186125 (E.D.N.Y. Nov. 8. 2017), the plaintiff alleged the debt collector violated § 1692e of the FDCPA for failing to disclose in a demand letter that statutory pre-judgment interest would accrue on her account under 23 N.Y. C.P.L.R. § 5001. In granting the collector’s motion to dismiss, the Court held that as a matter of law, pre-judgment interest under § 5001 was not considered part of the “amount of the debt” if no request for relief of prejudgment interest had been made upon the Court. The Court recognized that until there was a petition for judgment to the court, any such disclosure in a debt collection letter that informed a consumer of the possibility of pre-judgment interest under § 5001 would mislead the least sophisticated consumer. See also Altieri v. Overton, Russell, Doerr, & Donovan, No.1:17-cv-303, 2017 U.S. Dist. LEXIS 188971 (N.D.N.Y. Nov. 15, 2017) (same). In a slightly different context, the Seventh Circuit, in Aker v. Americollect, Inc., 854 F.3d 397 (7th Cir. Apr. 13, 2017), found a defendant could add 5% statutory interest to a debt without first obtaining a judgment, based on specific provisions of Wisconsin law. In Aker, the Court noted that Wis. Stat. §426.104(4) (b) creates a safe harbor for those who act in ways 2017 Consumer Financial Services Year in Review and a Look Ahead 21 approved by the Administrator of Wisconsin’s Department of Financial Institutions. Id. at 399. The debt collectors sent the Administrator a letter asking if they were entitled to add 5% interest to debts created by the provision of medical services. The Administrator requested further information, which the debt collectors provided, and the collectors never heard back. The debt collectors argued that because the absence of a response within 60 days of a request was equivalent to approval, the silence entitled them to add the statutory interest under the safe harbor provision. The Seventh Circuit agreed finding that because the plaintiff’s debts arose under state contract law, “the controlling question is whether state law allows a demand for interest before the debt has been reduced to judgment. Until the Administrator says something more, or a state court lifts the safe harbor under §426.104(4)(b) (and in addition rules that §138.04 does not by itself allow the debt collectors’ practice), neither state nor federal law forbids dunning letters that demand 5% interest from debtors in Wisconsin.” Tax Consequence Language Continues to be Litigated Another hot button issue in FDCPA litigation in 2017 involved language about the potential tax consequences consumers may face when they settle debts. Many debt collectors include tax consequence language in settlement letters to inform debt collectors that settlements forgiving debt may result in tax consequences even though there is no requirement for collectors to do so. The continued litigation over such language serves as a warning that if a collector chooses to use the language, careful review is required as courts have been inconsistent in their treatment of tax consequence language. In Moses v. LTD Financial Services I, Inc., No. 16-cv05190, 2017 U.S. Dist. LEXIS 125583 (N.D. Ill. Aug. 9, 2017), the Northern District of Illinois granted summary judgment to a debt collector who included 1099-C language in its collection letter stating: “IRS requires certain amounts that are discharged as a result of the cancellation of debt to be reported on a Form 1099-C. You will receive a copy of the Form 1099-C if one is required to be filed with the IRS.” Id. at *2. The Court found the 1099-C language did not affirm a discharge definitely would be reported to the IRS and instead stated that it might occur, a true statement, and leaving open the possibility that reporting would not be required. Id. at *10. In Dunbar v. Kohn Law Firm SC, No. 17-cv-88, 2017 U.S. Dist. LEXIS 69906 (E.D. Wis. May 5, 2017), the Court held that the language “this settlement may have tax consequences” did not violate the FDCPA. The Court distinguished cases holding differently by noting that “[i]n each of the cases cited by Dunbar in her amended complaint the debt collector represented something as being certain to happen when it was merely a possibility. In contrast, the letter sent to Dunbar stated only that a “settlement may have tax consequences[.]” Id. at *8. The Court noted that even if the “circumstances were such that she would not actually realize any tax consequences does not render the defendants’ statement misleading. The statement was phrased contingently and encompassed situations where tax consequences would not result.” Id. at *16. In reaching its decision, the Court relied on Scaturro v. Northland Grp., Inc., 2017 U.S. Dist. LEXIS 44015, at *2-3 (E.D.N.Y. Jan. 9, 2017), wherein the Eastern District of New York held that the following language did not violate the FDCPA because there was no possibility that this was misleading, in part because the amount of debt owed was less than $600: Whenever $600.00 or more in principal of a debt is discharged as a result of settling a debt for less than the balance owing, the creditor may be required to report the amount of the debt discharged to the Internal Revenue Service on a 1099C form, a copy of which would be mailed to you by the creditor. If you are uncertain of the legal or tax consequences, we encourage you to consult your legal or tax advisor. Thus, based on the plain language of the notice, there was no possibility that anything would be reported to the IRS. Id. at *10-11. Troutman Sanders LLP 22 Not all tax consequence language is acceptable, however. In Broderick v. Viking Client Services, Inc., No. 17-cv-1827, 2017 U.S. Dist. LEXIS 157425 (D.N.J. Sept. 26, 2017), a New Jersey District Court denied a motion to dismiss on a letter that included the language “The Internal Revenue Service (IRS) requires financial institutions to annually report to the IRS discharges of debt in the amount of $600 or greater. If the Settlement amount that you agreed to pay results in a discharge of $600 or more of the account principal balance due on the account, the creditor may be required to report that amount to the IRS via IRS Form 1099C. A copy of this will be provided by the creditor.” The Court found the allegations sufficient to state a claim because “the IRS reporting language can be confusing to the least sophisticated consumer. The first sentence of the above quoted language can be read as a definitive reporting requirement, while the second makes reporting seem like a potential, but not definite, occurrence. Additionally, the IRS reporting language fails to explain, in clear terms, whether the entire forgiven amount (including interest), or merely the stated principal balance, would be reported to the IRS if reporting is required.” Id. at *11; see also Disla v. Northstar Location Servs., LLC, No. 16-cv-4422, 2017 U.S. Dist. LEXIS 99718, *2, (D.N.J. June 27, 2017) (denying motion to dismiss based on use of language “Whenever $600.00 or more of a debt is forgiven as a result of settling a debt for less than the balance owed, it may be considered taxable income. Barclays Bank Delaware is required to report the amount of the debt forgiven to the Internal Revenue Service on form 1099C, a copy of which will be mailed to you. If you are uncertain of the consequences, consult your tax advisor.”). 2017 Consumer Financial Services Year in Review and a Look Ahead 23 Key Trends Regulatory developments continued to drive the payment industry in 2017, specifically those Rules issued by the CFPB. Though the Prepaid Rule was issued by the CFPB in late 2016, its effects continued to be felt throughout 2017. The Arbitration Rule, though invalided by Congress, also threatened to change drastically the consumer contracts prevalent in the industry. In addition, the CFPB continued to focus on issues related to redlining by lenders – the practice of intentionally discouraging prospective applicants in minority neighborhoods from applying for credit. Private sector companies had a measure of success against the Bureau in 2017. Despite the CFPB’s visibility, district courts nonetheless ruled against the CFPB in individual cases, one going so far as to strike the CFPB’s counts against a payment processor when the court found the CFPB violated a discovery order. Another court dismissed a case brought against a payment processor by the CFPB. However, a number of companies continued to struggle with data security issues that resulted from external payment processors. In 2018, look for the Consumer Financial Protection Bureau to continue its scrutiny of fair credit access for underserved communities. With Congress’s invalidation of the Arbitration Rule, the CFPB likely will look for other avenues to protect consumers. Litigation and Regulatory Highlights In February, the CFPB ordered payment card companies MasterCard and UniRush to pay $10 million in restitution and a $3 million fine related to service breakdowns that left customers unable to access their funds. According to the CFPB, MasterCard and UniRush denied consumers access to their funds because UniRush did not accurately transfer all of its accounts to MasterCard when it switched payment processors. In addition, the CFPB claimed that UniRush delayed processing customers’ direct deposits during the service transfer or failed to process their deposits at all. The parties entered into a consent order to resolve the issues, brought to the CFPB’s attention by 830 complaints from customers. The CFPB also announced a $107 million settlement against Orion Processing LLC. The CFPB contended that the bankrupt company engaged in a debt-relief scheme that cost consumers millions. Specifically, the CFPB alleged that the company targeted consumers with large debts and promised them that their debt relief business would negotiate affordable repayment plans on their behalf. In addition to the $107 million settlement, the company was ordered to pay a $20 million civil penalty. In early spring, the CFPB announced that it would delay the effective date of the Prepaid Card Rule. The CFPB originally designated October 1, 2017 as the Rule’s effective date, but the CFPB proposed a six-month delay, citing industry members’ concerns. The Rule was also subject to Congressional efforts to invalidate the measure. Republicans offered bills to submit the Rule to a vote of disapproval under the Congressional Review Act. However, the Prepaid Rule did not suffer the same fate as the Arbitration Rule and remains valid. In July 2017, the CFPB announced that it was seeking public comments on proposed updates to its Prepaid Rule. The updates to the Rule would require prepaid card issuers to adjust their requirements for resolving errors on unregistered accounts and Payment Processing and Cards The Consumer Financial Protection Bureau again played a significant role in 2017, with assists from the Federal Trade Commission and state attorneys general. Consumers also filed suit against companies in the payment industry. Rulemaking, however, proved to be the chief area of activity in the payment processor space. troutman.com 24 provide more flexibility for credit cards that are linked to digital wallets. In the private sector, fast casual restaurant Chipotle disclosed a data security breach related to its payment processor network. The restaurant’s information security team detected unauthorized activity on the network that supports its payment processing in April 2017 and disclosed its findings in its Form 10-Q. In response to the breach, Chipotle noted that it implemented additional security enhancements and recommended that consumers monitor their payment card statements. The CFPB also reached out to the top retail credit card companies in June 2017 and encouraged them to use more transparent promotions, based on its concern that temporary promotions like deferred interest promotions can possibly surprise consumers with high interest rate charges once the promotion ends. The CFPB suggested to companies that, instead, they should adopt zero percent interest rate promotions. This arrangement would not charge interest retroactively if the balance is not paid off by the end of the promotional period, but would only charge interest on the remaining balance, making it easier for consumers to understand the promotion. It also would not require the same “robust compliance management systems” that need to be in place with deferred-interest promotions. In September 2017, the Department of Justice authorized a real-time payment system which allowed for immediate transfers between financial institutions. The system was proposed by The Clearing House Payments Co., LLC, a joint venture between twenty-four U.S. banks. In authorizing the system, the DOJ acknowledged that while collaboration between competitors can harm competition, they were optimistic that this venture would have a pro-competitive impact, noting that many countries already have similar systems in place. Finally, a judge in the Southern District of New York relied on the U.S. Supreme Court’s reasoning in Spokeo to dismiss a class action alleging violation of the Fair and Accurate Credit Transactions Act (“FACTA”). The court found that the plaintiff could not prove that the defendant restaurant’s disclosure of the plaintiff’s credit card’s expiration date on her receipt harmed the plaintiff, as potential thieves would need the full credit card number to engage in fraudulent transfers. Payment Processor Settles TCPA Putative Class Action for $9M In November 2017, a Texas-based payment processor agreed to pay $9 million to settle a putative class action brought under the Telephone Consumer Protection Act (TCPA) in the Northern District of California. According to the plaintiffs, Pivotal Payments, Inc. failed to ensure that a third party it hired to make marketing calls on its behalf complied with the TCPA, which prohibits telemarketing calls to cellular telephone numbers without call recipients’ prior express written consent. Pivotal Payments allegedly included a provision in its contract with the marketing firm that mandated TCPA compliance. However, the marketing firm allegedly violated the contract by calling cell phone numbers without first obtaining the recipients’ prior express consent. Although Pivotal Payments initially filed a third-party complaint against the marketing firm seeking indemnification, it voluntarily dismissed such claims less than a month later. After more than a year of discovery, Pivotal Payments and the putative class of more than 1.9 million members agreed to settlement terms. Pivotal Payments agreed to pay $9 million to settle the TCPA claims. Class members each are expected to receive between $20 and $60. The settlement fund will also pay for an incentive award to the named plaintiff ($25,000), settlement administration costs (approximately $50,000), and class-action attorneys’ fees and costs (approximately $2.25 million). 2017 Consumer Financial Services Year in Review and a Look Ahead 25 CFPB Issues New Rules Addressing Unintended Consequences of the 2016 Mortgage Servicing Final Rule On October 4, 2017, the Consumer Financial Protection Bureau issued an interim final rule amending a provision of Regulation X relating to the timing for mortgage servicers to communicate with borrowers regarding foreclosure alternatives. Concurrently, the CFPB proposed a rule regarding timing requirements for periodic statements provided to borrowers who are in bankruptcy. Both the interim final rule and the proposed rule address concerns over unintended consequences of the 2016 Mortgage Servicing Final Rule (“2016 Rule”) and altered the mortgage servicing rules under Regulation X (implementing RESPA) and Regulation Z (implementing TILA). The 2016 Rule requires mortgage servicers to send “early intervention notices” to delinquent borrowers, which are written notices informing borrowers of loss mitigation options. Such notices are required even if the borrower requests for all communications from the servicer cease pursuant to the FDCPA. However, if the borrower has requested that all communications cease, the servicer may only send an early intervention notice once every 180 days. When such requirement is read in conjunction with other timing provisions of Regulation X, a servicer would be required to send each subsequent early intervention notice on exactly the 180th day following the previous notice, which could cause significant difficulty in compliance, especially in cases where the 180th day falls on a weekend or holiday. The CFPB issued the interim final rule to address this potential hardship. The interim final rule provides mortgage servicers a 10-day window following the 180th day to provide the subsequent early intervention notice. The interim final rule went into effect on the same day as the relevant portions of the 2016 Rule – October 19, 2017. Recognizing that certain provisions of the 2016 Rule are unnecessarily complicated and may be subject to varying interpretations, the CFPB also issued a proposed rule amending the 2016 Rule to clarify the timing for mortgage servicers to transition providing modified or unmodified periodic statements and coupon books relating to a consumer’s bankruptcy case. The proposed rule will go into effect on April 19, 2018, the date that the relevant provisions of the 2016 Rule take effect. The CFPB’s changes are intended to clear up confusion about when to provide periodic statements with important loan information to borrowers in bankruptcy. While the rule changes are minor, mortgage servicers should expect to enjoy additional clarity and guidance in complying with the notice and timing requirements facing them in 2018. Consumers Cannot Skirt RESPA’s Clear Requirement In 2017, the best defense to a RESPA claim was often the statute itself. Consumer protection statutes are frequently construed liberally. However, in Bivens v. Bank of America, the Eleventh Circuit took a practical approach to the plaintiff’s RESPA claim and ultimately determined that a loan servicer’s duty to respond was not triggered when Bivens sent his request to the wrong address. 868 F.3d 915 (11th Cir. 2017). In Bivens, the loan servicer directed consumers to send all written requests to a specified address. The Eleventh Circuit concluded that “all written requests,” included qualified written requests under RESPA. Indeed, the Court determined that “all written requests” was “more accessible language” than the regulation required. The Court Mortgage In 2017, mortgage lenders and servicers continued to prepare for the implementation of TILA-RESPA and various mortgage servicing rule amendments. Lenders also closely followed the CFPB continuing to tweak its guidance on other areas of regulatory compliance, including data collection under the Home Mortgage Disclosure Act. While the Supreme Court did not issue any decisions that directly impact the day-to-day operations of mortgage servicers, a number of other appellate courts did, and those rulings are reviewed below. Troutman Sanders LLP 26 noted, however, that if a loan servicer designates an exclusive address, this address must be clear to a reasonable borrower. The Court rejected Biven’s argument that the loan servicer was required to establish a separate and exclusive office for the purpose of processing qualified written requests. Taking a similar approach, in Mejia v. Ocwen Loan Servicing, LLC, the Eleventh Circuit declined to read into the regulation that a telephone number must be included in a response to a request for the identity of the owner or assignee of a loan. In Mejia, the plaintiff consumer alleged that the loan servicer did not provide an adequate response to his request under Regulation X because it failed to include a phone number for the investor of the subject loan. Regulation X requires a loan servicer to respond within 10 business days after it receives a request for the identity of the owner of the loan, and the loan servicer’s response must include an address or other relevant contact information. The parties disagreed over whether “relevant contact information” included a telephone number. In the end, the Court declined to narrow its analysis to this one statutory requirement. Instead the Court looked to other parts of Regulation X and determined that because other parts of the regulation specifically require disclosure of a telephone number, the fact that this requirement was “conspicuously missing” meant that “relevant contact information” did not include a telephone number. The Eleventh Circuit Places Limits on Actual Damages Under RESPA In Baez v. Specialized Loan Servicing, LLC, the Eleventh Circuit Court of Appeals recognized that, while actual damages under RESPA may be broad, they are limited nonetheless. Counsel for Baez sent Specialized Loan Servicing a request for information pursuant to Regulation X and RESPA, seeking certain information. Baez alleged that the received response failed to satisfy the requirements of Regulation X and RESPA and she sued for actual damages. The actual damages she sought were a few dollars in postage incurred when sending the initial request and attorneys’ fees incurred reviewing the allegedly defective response. The District Court entered judgment in favor of Specialized Loan Servicing because it determined that Baez failed to allege a causal connection between the actual damages suffered and any RESPA violation. Specifically, the postage cost was admittedly incurred when sending the request for information and therefore, this “damage” was sustained regardless of the servicer’s response. Similarly, the flat fee arrangement between Baez and her counsel was such that there was no added cost for her representation due to any deficient response. The Eleventh Circuit stressed that actual damages must be a result of the loan servicer’s noncompliance and that a plaintiff must present evidence to establish a causal link between the servicer’s noncompliance and the plaintiff’s damages. The Eleventh Circuit’s opinion, however, should be viewed with cautious optimism for two reasons. First, the Court left open the possibly that actual damages may include both pecuniary and non-pecuniary losses, stating we “assume, but do not decide, that plaintiffs can recover both pecuniary losses and nonpecuniary losses under RESPA.” Second, the Court discussed whether RESPA would allow recovery for an alleged informational injury, such as where a loan servicer’s deficient response prevented a plaintiff from taking action. Because Baez did not properly reserve this issue for appeal, the Court declined ruling on this point. The Court, however, citing Spokeo, advised that even if a plaintiff brought a claim for informational injuries, she must still establish standing. Ultimately, these two issues are likely to produce further litigation in 2018. Updates in SCRA litigation In Sibert v. Wells Fargo, the Fourth Circuit, in a 2-1 decision, affirmed the District Court’s ruling that because the plaintiff incurred his mortgage obligation during his military service, the obligation was not subject to Servicemembers Civil Relief Act (“SCRA”) protection. While serving in the U.S. 2017 Consumer Financial Services Year in Review and a Look Ahead 27 Navy, Sibert obtained a loan secured by his house. Soon thereafter, Sibert was discharged and the lender began foreclosure proceedings. Before the foreclosure sale was held, Sibert reenlisted in the U.S. Army. The Sibert decision turned on the timing of these events. SCRA provides protection to servicemembers’ obligations on real or personal property only when the obligation originated before the period of the servicemember’s military service. Essentially, SCRA was designed to ensure that servicemembers do not suffer financial disadvantages as a result of military service. Of course, if an obligation is incurred while the individual is in the military, then this concern is not triggered, as was the case in Sibert. The majority’s opinion was explicit in stating that “[the SCRA] provides protection to only those obligations that originate before the servicemember enters the military service.” In light of the Sibert decision, timing remains a crucial consideration when determining whether SCRA protections are implicated or not. Spokeo in the Mortgage Litigation World In 2017, Spokeo continued to rein in claims from consumers unable to demonstrate that they had suffered an injury in fact. Spokeo emphasized that plaintiffs must allege an “injury in fact” showing both a “concrete” and a “particularized” harm in order to have standing under Article III. A “bare procedural violation,” without more, will not satisfy the “concrete” requirement. In Meeks v. Ocwen Loan Servicing LLC, the Eleventh Circuit dismissed Meeks’ RESPA claim, which alleged that the loan servicer did not adequately confirm receipt of his request for information. The Court held that, under Spokeo, there was no injury in fact because Meeks had undisputed actual knowledge of receipt of the request, although he disputed that the response’s form was sufficient to meet Regulation X’s requirements. Similarly, in Yeager v. Ocwen Loan Servicing LLC, the plaintiffs’ only claim was that the loan servicer failed to provide a notice of debt validation by the statutory deadline set forth in the FDCPA. The Yeagers alleged a notice delay of 13 days and nothing more. The District Court for the Middle District of Alabama reasoned that because the Yeagers presented no evidence that this delay in any way undermined the statutory goals of the FDCPA, “Spokeo’s common-sense principle dictates that this delay, unaccompanied by any harm or material risk of harm, does not ‘entail a degree of risk sufficient to meet the concreteness requirement.’” Undoubtedly, courts will continue to clarify the effect of Spokeo in 2018. troutman.com 28 Federal Regulators Step Back There is no doubt that federal regulators and federal law are in retreat. In July, the House of Representatives voted to repeal the Consumer Financial Protection Bureau’s arbitration rule, which would have banned class action waivers in arbitration provisions for covered entities. The rule was a long-standing initiative of the CFPB and not only would have barred class action arbitration waivers in the financial services industry, but would have required covered entities that use pre-dispute arbitration agreements to submit certain records relating to arbitral and court proceedings to the CFPB. The Senate followed the House’s lead and also voted to repeal the rule in October by a narrow, party-line vote. President Trump readily signed the measure on November 1, marking the end of a chief initiative of the Richard Corday-led CFPB. The failure of the arbitration rule was quickly followed by the November 15, 2017 announcement by Cordray, appointed by President Obama to head the CFPB, of his early departure from the Bureau. Cordray’s departure was long anticipated and readily cheered by both Congressional Republicans and President Trump, who soon named Mick Mulvaney, Director of the Office of Management and Budget, as Interim Director. Mulvaney has been openly critical of the Bureau in the past, and his ascension to the post of Director signals a new course for the CFPB. Yet Mulvaney’s appointment has not come without controversy, either, as Democrats contend that the proper head of the Bureau is Leandra English, who served as Deputy Director under Cordray. A federal judge recently denied a temporary restraining order requested by Democrats to prevent Mulvaney from taking the helm of the Bureau. The CFPB faced another setback in December, when the Government Accountability Office found that a bulletin issued by the Bureau qualified as a rule and should have been submitted for Congressional review. Bulletin 2013-02 was long a sore subject in the auto lending industry, as it targeted dealer markups using “disparate impact” discrimination theories. Many indirect lenders contended that they should not be penalized for unintentional discrimination by dealers. Many also attacked the methodology used to provide disparate impact. In March 2017, Senator Pat Toomey (R-Pa.) asked the GAO, Congress’ investigative wing, to determine whether the financial guidance issued by the Bureau in 2013 qualified as a “rule.” The GAO concluded that the guidance did qualify as a rule, even though Bulletin 2013-02 is not legally binding. The GAO’s finding renders the bulletin a nullity until it is properly submitted to Congress, an outcome that is increasingly unlikely with Mulvaney leading the Bureau. Even before the GAO’s ruling, however, the CFPB appeared to be taking a step back from the indirect auto lending space. The Bureau issued its fair lending priorities at the end of 2016 and indirect auto lending was not mentioned among its initiatives. Instead, they highlighted redlining, mortgage and student loan servicing, and small business lending. Many suspected that this signaled a step back from the Bureau’s previous track on the industry. Meanwhile, the industry looks forward with good reason to serious regulatory relief from the Telephone Consumer Protection Act, a major thorn in the side of auto finance. A key decision may come from the D.C. Court of Appeals at any moment, scaling back the Federal Communications Commission’s aggressive interpretations of the TCPA made while under Democratic control. Meanwhile, as with the CFPB, control of the FCC has passed to Commissioners who have a definite deregulatory bent. The FCC has authority to issue rules under and make definitive interpretations of the TCPA, and industry looks forward to regulatory relief from the FCC as well. The trend at the federal level is deregulation. Auto Finance 2017 saw continuation of a major transition in motor vehicle finance’s legal environment. Federal regulators and law are stepping back, while state regulators and law are stepping forward. Future trouble in the auto finance industry may be focused on state regulators – particularly state attorneys general, who are poised to act. 2017 Consumer Financial Services Year in Review and a Look Ahead 29 State Regulators Step Forward In direct response to events at the federal level, state attorneys general have essentially announced an intent to become more active as gaps are created in regulation by the federal pullback. Soon after President Trump’s election, New York Superintendent of Financial Services Maria T. Vullo announced in a statement that her agency would continue to actively oversee banks and other financial institutions. New Mexico Attorney General Hector Balderas directed his aides to identify areas where policies enacted by the Trump regime could harm New Mexico. Others also predicted that attorneys general would step into the vacuum created by the retreat of the feds. For instance, New York Attorney General Eric Schneiderman is expected to have an enhanced role in protecting consumers moving forward. Further, many attorneys general have made private remarks indicating they intend to redouble their efforts in the consumer protection arena. “State attorneys general are now more permanent pieces on the chessboard of national policy development and implementation,” Chris Janikowski, a Republican strategist, said in an interview with the New York Times following President Trump’s election. “And they are not mere pawns.” In particular, there have been open discussions in state Attorneys General meetings about the need to form a mortgage-crisis-like multistate taskforce to focus on the auto lending and servicing market, particularly the subprime market. Often, a number of attorneys general will come together to investigate a company for alleged violations of state law. These multistate investigations often result in high-dollar, high-profile settlements. While discussions between the A.G.s and their target can break off into individualized litigation, the most common conclusion is the negotiation of a consent order or assurance of voluntary compliance, coupled with a monetary payment to the states. As federal regulators – most notably the CFPB – steps back from regulatory activity, it is increasingly likely that attorneys general will work together to investigate alleged violations of state consumer protection law. Meanwhile individual state attorneys general continue to announce individual settlements in the auto financing space, a sure fingerprint of a high degree of interest and focus on the market. A couple of state enforcement actions may be harbingers of what may be coming. In June, Florida Attorney General Pam Bondi announced a settlement with a Jacksonville car dealership, its financing arm, and its president relating to allegations that the dealership engaged in misleading business and sales practices. The consent agreement required the dealership to provide more than $5 million in debt forgiveness to affected consumers. In September, the Massachusetts A.G.’s office filed a complaint against a used car dealer, accusing the dealership of using predatory practices in its sale of allegedly defective vehicles. The A.G. contended that JD Byrider sold allegedly defective vehicles with high cost loans to Massachusetts consumers in the “JD Byrider Program,” which bundled the vehicle sale, financing, and repair in one transaction. According to the A.G., consumers did not know that JD Byrider priced its cars at more than double their retail value and allegedly forced consumers to finance their purchase at an annual percentage rate of 19.95 percent, regardless of their credit qualifications. In addition, the complaint asserted that the “JD Byrider Program” finance contract required consumers to agree to an extended service contract with a fixed price of approximately $1,300. Because this service contract was bundled into the “JD Byrider Program,” consumers often were forced to pay 20 percent interest on the service contract as well, according to the complaint. The A.G. further alleged that consumers could only get the benefit of the service contract by using a JD Byrider service center. Finally, New York A.G. Schneiderman announced two settlements with motor vehicle dealer groups providing over $900,000 in restitution to approximately 6,400 consumers in the state. The settlements also required the dealers to pay $135,000 in penalties and costs to the state for the unlawful sale of credit repair and identity theft protection services to consumers who bought or leased vehicles. According to Schneiderman, the dealerships unlawfully sold “after-sale” credit repair and identity theft protection services that often added considerably to the purchase price of the vehicle. The A.G. contended that consumers were often unaware that they had purchased these services, with many believing that the services were free. Troutman Sanders LLP 30 For those A.G.s who are particularly active, there is always an interplay between their investigations and the plaintiffs’ bar. As many consumerfacing companies know, state attorney general investigations often go hand-in-hand with class action litigation and often concern the same claims. Many members of the plaintiffs’ bar watch for attorney general investigations and, likewise, many members of state A.G.’s offices watch for significant class litigation. In addition, a portend of investigation into the auto lending area was released in October, when the National Consumer Law Center issued a report regarding product add-ons in automobile sales. The report highlighted the mark-ups in add-on products, specifically GAP insurance and window etching. The report almost certainly landed on the desks of A.G.s around the country, and its ripple effects likely will be felt for the next few years, both in consumer class litigation and investigatory actions. Though the CFPB likely has stepped out of the indirect lending spotlight for the foreseeable future, state A.G.s have shown a willingness to step in. 2017 Consumer Financial Services Year in Review and a Look Ahead 31 Consumer Financial Protection Bureau – New Leadership In late 2017, the CFPB began a leadership shuffle that will transform the agency. Richard Cordray, the CFPB’s first director, resigned his post effective November 25. “It has been one of the great joys of my life to have had the opportunity to serve as the first director of the Consumer Bureau,” Cordray said in his resignation letter to President Trump. Cordray’s tenure at the CFPB was praised by some and criticized by others. Senator Elizabeth Warren, a champion of the agency, complimented Cordray’s leadership, arguing that he “forced the biggest financial institutions to return $12 billon directly to the people they cheated” and “held big banks accountable.” But President Trump called the CFPB under Cordray “a total disaster.” The Wall Street Journal editorial board echoed the President, asserting that Cordray “spent his ignoble five years as director targeting politically unpopular industries” and said that “American business breathed a small sigh of relief” after he announced his resignation. As of early December, President Trump had not yet nominated Corday’s permanent replacement, but had named Mick Mulvaney, Director of the White House’s Office of Management and Budget, as the Acting Director of the CFPB. The nomination of Mulvaney as Acting Director came after a last-minute effort by Cordray to appoint Leandra English, his former chief of staff, to the position. The U.S. District Court for the District of Columbia, however, preliminarily rejected English’s legal challenge to Mulvaney’s leadership. Mulvaney, who now appears secure in his temporary leadership position, is certain to implement a radically different policy agenda than his predecessor, as he has been a frequent critic of the CFPB. Ongoing Constitutional Challenge The CFPB’s leadership shuffle is playing out while a constitutional challenge to its leadership structure is still pending in the D.C. Circuit Court of Appeals. In October 2016, a panel of the D.C. Circuit issued a decision in PHH Corp. v. CFPB, holding that the CFPB’s status as an independent agency headed by a single director, who may only be removed for cause, violates Article II of the Constitution. The CFPB then petitioned the Court for rehearing en banc, and in February 2017, the Court granted the request. The en banc oral argument was held in May 2017, but as of our publication date, the Court has not issued a decision. Legislative Developments In June 2017, the House of Representatives passed the Financial Choice Act (H.R. 10), which, if passed by the Senate and signed into law, would repeal many of the reforms enacted in the Dodd-Frank Act and would reshape the CFPB. The Financial Choice Act would rename the CFPB the Consumer Law Enforcement Agency; make the CFPB’s director removable at will by the President; subject the CFPB to the congressional appropriations process; eliminate the CFPB’s unfair, deceptive, and abusive acts or practices (“UDAAP”) enforcement authority; and make significant changes to the CFPB’s rulemaking process. Senate Majority Leader Mitch McConnell (R-Ky.), however, has indicated that the Financial Choice Act is unlikely to pass in the Senate. Arbitration Rule As previously noted, the CFPB issued a final rule banning covered entities from including class-action waivers in arbitration provisions and requiring them to provide information to the CFPB regarding any Regulatory Landscape The regulatory landscape changed significantly during the past year. This newsletter highlights significant recent developments and emerging trends at the Consumer Financial Protection Bureau, at the Federal Trade Commission, and among state attorneys general. troutman.com 32 efforts to compel arbitration. The Arbitration Rule was scheduled to take effect in March 2018, but Republicans in Congress invoked the Congressional Review Act and passed a resolution to scrap it. On November 1, President Trump signed the resolution, which not only nullified the CFPB’s Arbitration Rule but also barred regulators from issuing any substantially similar regulation unless authorized by Congress to do so. Payday Lending Rule In October 2017, the CFPB issued a final rule to govern underwriting of certain personal loans with short-term structures (i.e., payday, automobile title, and deposit-advance loans) or balloon-payment structures, as well as lenders’ payment withdrawal practices for these loans and some other installment loan products. For short-term and balloon-payment personal loans, the Payday Lending Rule would require lenders to choose between two ability-to-repay underwriting methodologies and to report and obtain information about a consumer’s financial obligations and borrowing history from certain consumer reporting agencies that must register with the CFPB. For all covered loans, the Payday Lending Rule would limit certain repeated payment withdrawal attempts from a consumer’s transaction account and require lenders to provide disclosures when making certain withdrawal attempts. Unless Congress passes a resolution under the Congressional Review Act to scrap the Payday Lending Rule, it will become effective twenty-one months after November 17, 2017, the date it was published in the Federal Register. Enforcement Actions The CFPB’s enforcement priorities are determined, to some extent, by consumer complaints, with more consumer complaints leading to more enforcement actions. In its most recent Semi-Annual Report, the CFPB broke down the percentage of consumer complaints it received in the last year by product type. Those percentages were as follows: debt collection (30%); credit reporting (19%); mortgage (16%); bank account or service (10%); credit card (9%); student loan (7%); consumer loan (6%); payday loan (1%); prepaid card (0.8%); money transfer (0.7%); and other financial service (0.7%). Consistent with this breakdown of consumer complaints, the CFPB’s 2017 enforcement actions have especially targeted mortgage loan originators and servicers, small-dollar and payday loan originators and servicers, auto and student loan originators and servicers, and debt relief and credit repair companies. Supervision According to the CFPB’s most recent Supervisory Highlights, the CFPB continues to focus its supervisory efforts on (1) banks that the CFPB believes may be deceiving consumers about checking account and overdraft fees; (2) credit card companies that the CFPB believes may be may be deceiving consumers about the cost and availability of pay-by-phone options; (3) auto lenders that the CFPB believes may be wrongfully repossessing vehicles; (4) debt collectors that the CFPB believes may be improperly communicating about debt; (5) mortgage companies that the CFPB believes may be failing to follow the “Know Before You Owe” mortgage disclosure rules; and (6) mortgage servicers that may be failing to follow the CFPB’s servicing rules. Federal Trade Commission – New Leadership On January 13, 2017, FTC Chairwoman Edith Ramirez, a Democrat, announced her resignation. The FTC’s press release noted that, under Ramirez’s leadership, “the FTC brought nearly 400 law enforcement actions covering a range of consumer protection issues” and “secured billions of dollars in redress for harmed consumers.” In a statement included in the press release, Ramirez said that leading the FTC had been “the honor of a lifetime.” Shortly after Ramirez announced her resignation, 2017 Consumer Financial Services Year in Review and a Look Ahead 33 President Trump named Commissioner Maureen Ohlhausen, a Republican, as the FTC’s Acting Chairwoman. Subsequently, in October, President Trump nominated Joseph Simons, a former director of the FTC’s Bureau of Competition, to be the next chairman of the FTC, and nominated Rohit Chopra and Noah Phillips to fill two empty Commission seats. As a seasoned antitrust attorney with experience both in and out of government, Simons was welcomed by industry groups as a reasonable and qualified nominee. Chopra, who at the time of his nomination was a senior fellow at the Consumer Federation of America, where he focused on consumer finance issues, was previously the Assistant Director of the CFPB. A longtime ally of Sen. Warren, he is expected to be a proponent of aggressive enforcement actions. Phillips was Chief Counsel to Senator John Cornyn at the time of his nomination. He is expected to be a moderating force on the Commission. Enforcement Priorities Like the CFPB, the FTC’s enforcement priorities are largely shaped around consumer complaints, with more consumer complaints leading to more enforcement actions. In its most recent Consumer Sentinel Network Data Book, the FTC broke down the percentage of consumer complaints it received in the past year by category: debt collection (28%); imposter scams (13%); identity theft (13%); telephone and mobile services (10%); banks and lenders (5%); prizes, sweepstakes, and lotteries (5%); shop-at-home and catalog sales (4%); autorelated complaints (3%); credit bureaus, information furnishers, and report users (2%); and television and electronic media (2%). As in years past, Florida, Georgia, and Michigan were the top three states for fraud and other complaints, while Michigan, Florida, and Delaware had the most identify-theft complaints. Shortly after being named acting chair of the FTC, Ohlhausen outlined the FTC’s enforcement priorities at the ABA’s biennial Consumer Protection Conference. Ohlhausen said that she would refocus the agency on its “bread-and-butter fraud enforcement mission,” giving particular attention to instances of fraud targeting vulnerable populations, including the elderly and military personnel. Consistent with that theme, she also said that the FTC would focus on acts or practices producing “concrete consumer injury” as opposed to speculative harms. Weeks later, Ohlhausen appointed Thomas Pahl as the acting director of the FTC’s Bureau of Consumer Protection. Pahl elaborated on Ohlhausen’s enforcement priorities, specifically addressing the FTC’s consumer financial services enforcement efforts. In an article published by the ABA, Pahl said that the FTC would continue its “strong and sustained enforcement against bad actors that harm consumers of financial services” and specifically called out “abusive debt collectors (such as ‘phantom’ debt collectors), unscrupulous payday lenders, and fraudulent debt-relief operations.” Going further, Pahl said the FTC would “also target entities that support the ecosystem of fraud,” including “money-transfer companies, payment processors and platforms, loan lead generators, and others that directly participate in another’s fraud or provide substantial support while ignoring obvious warning signs.” Data Privacy & Security The FTC brought several data security enforcement actions in 2017. In January, the FTC filed an enforcement action against Taiwan-based computer networking equipment manufacturer D-Link Corporation and its U.S. subsidiary, alleging that inadequate security measures taken by the company left its wireless routers and Internet cameras vulnerable to hackers and put American consumers’ privacy at risk. In August, the FTC settled an enforcement action against transportation technology company Uber Technologies. According to the FTC’s complaint, Uber failed to live up to its claims that it closely monitored employee access to consumer and driver data and that it deployed reasonable Troutman Sanders LLP 34 measures to secure personal information stored on a third-party cloud provider’s servers. As part of the settlement with the FTC, Uber agreed not to misrepresent its data security practices and also agreed to implement a comprehensive privacy program to address privacy risks related to its new and existing products. In November, the FTC announced that it had approved a final order settling claims arising out of a data breach at Georgia-based tax preparation firm TaxSlayer, LLC. According to the FTC’s complaint, TaxSlayer failed to provide adequate privacy notices and implement adequate data-security safeguards. As part of the settlement with the FTC, TaxSlayer agreed to change its privacy notices and datasecurity safeguards, and to have a third party audit its compliance program at least once every two years for the next ten years. Social Media Influencers In September 2017, the FTC settled its firstever complaint against individual social media influencers. The FTC alleged that Trevor “TmarTn” Martin and Thomas “Syndicate” Cassell, who are widely followed in the online gambling community, deceptively endorsed an online gambling service that they jointly owned. The order settling the FTC’s charges prohibits Martin, Cassell, and the company they jointly own from misrepresenting that any endorser is an independent user or ordinary consumer of a product or service. It also requires clear and conspicuous disclosures of any unexpected material connections with endorsers. The settlement is a strong signal that the FTC will enforce its Endorsement Guides, which provides guidance to media influencers and marketers about advertising practices. Student Loan Scams In October 2017, the FTC and the attorneys general of eleven states and the District of Columbia announced a nationwide crackdown on student loan debt relief scams. The nationwide initiative, which the FTC called “Operation Game of Loans,” involved thirty-six separate enforcement actions. Seven of those were filed by the FTC, with the remainder filed by the attorneys general of Colorado, Florida, Illinois, Kansas, Maryland, North Carolina, North Dakota, Oregon, Pennsylvania, Texas, Washington, and the District of Columbia. According to the FTC, the targets of the enforcement initiative falsely promised to help reduce or forgive student loan debts, pretending to be affiliated with the government or loan servicers, and collected over $95 million in illegal upfront fees. State Attorneys General – New Leadership Like the CFPB and FTC, the state attorneys general community saw new leaders emerge in 2017. There was only one election: Mark Herring, a Democrat, was reelected as the Attorney General of Virginia. Three offices were vacated and filled by appointees. Republican Steve Marshall was appointed Attorney General of Alabama, filling a seat left vacant when former Attorney General Luther Strange was appointed to the Senate. Republican Gordan MacDonald was appointed Attorney General of New Hampshire, filling a seat left vacant when former Attorney General Joseph Foster retired. Additionally, Republican Mike Hunter was appointed Attorney General of Oklahoma, filling a seat left vacant when former Attorney General Scott Pruitt was appointed Director of the U.S. Environmental Protection Agency. With those leadership changes, there are currently twenty-two Democratic attorneys general and twenty-nine Republican attorneys general in office. However, with thirty-two states scheduled to have attorney general elections in 2018, we expect to see more new faces in late 2018 and early 2019. Filling the Gap As the Trump Administration took charge of the federal executive branch, Democratic state attorneys general promised to oppose the new administration’s de-regulatory efforts. New York Attorney General Eric Schneiderman led the charge. Shortly after Donald Trump was elected, Schneiderman said he was “deeply troubled by reports that the presidential transition is considering ways to eviscerate some of the most basic consumer and investor protection laws in the country” and had conferred with other attorneys general about filling any regulatory gaps created by the Trump Administration. 2017 Consumer Financial Services Year in Review and a Look Ahead 35 Massachusetts Attorney General Maura Healey also promised to step in to fill any gaps created by the Trump Administration. In a fundraising appeal, she argued that the administration “plans to roll back much of the progress we’ve made in Massachusetts and as a nation.” She also promised that state attorneys general would be “the first line of defense against illegal action by the federal government,” noting that she would not “hesitate to take Donald Trump to court if he carries out his unconstitutional campaign promises.” State attorneys general also took steps to ramp up their regulatory and enforcement efforts. For instance, in November 2016, Virginia Attorney General Herring announced that his office had expanded and reorganized its Consumer Protection Section. Also, in July 2017, Pennsylvania Attorney General Josh Shapiro announced the creation of a “Consumer Financial Protection Unit,” and appointed Nicholas Smyth, a former CFPB lawyer, as the Assistant Director of that unit. “Predatory” Lending State attorneys general continued to focus on prosecuting “predatory” lenders. In early 2017, Florida Attorney General Pam Bondi, Virginia Attorney General Herring, and Georgia Attorney General Chris Carr each reached multi-million dollar settlements with CashCall, Inc., and Western Sky, LLC, who were involved in a tribal lending operation that allegedly violated each state’s usury and licensing laws. In October, Pennsylvania Attorney General Josh Shapiro filed suit against Navient, a student loan servicer formerly part of Sallie Mae, alleging that the company provided loans to students with poor credit who attended colleges with low graduation rates. Shapiro asserted that low graduation rates indicated the borrowers likely would not complete their degrees and would be unable to repay the loans. The lawsuit also asserted that Navient incentivized its employees to encourage borrowers to enter into forbearance agreements, which caused more interest to accrue on the borrowers’ accounts. The suit by Shapiro mirrors a suit brought against Navient by Washington Attorney General Bob Ferguson, Illinois Attorney General Lisa Madigan, and the CFPB earlier in the year. Data Security and Privacy Noteworthy this year were settlement agreements reached between state attorneys general and companies due to data breaches. In January, New York Attorney General Eric Schneiderman announced that he had reached a settlement agreement with Acer Service Corporation, after Acer suffered a data breach that involved over 35,000 credit card numbers and the personal information of 2,500 residents of the state. According to Schneiderman, the breach occurred due to Acer’s website having numerous security vulnerabilities. As part of the settlement, Acer paid $115,000 in penalties and agreed to improve its data security. In May, a settlement agreement was reached between Target Corporation and attorneys general from forty-seven states. Under the settlement, Target paid $18.5 million to states based on an investigation of the company’s 2013 data breach. The settlement was the largest multistate data breach deal ever reached, with the data breach allegedly affecting more than 60 million customers and with stolen data including customers’ names, telephone numbers, email addresses, mailing addresses, payment card numbers, and card PINs. Most notably this year was the fallout from the Equifax data breach. The breach, which occurred in May, compromised the personal information of 145.5 million people. In response, Massachusetts AG Maura Healey filed an enforcement action against the company in September. In November, Uber revealed that it had fallen victim to a data breach in 2016, but paid the hackers $100,000 to delete the data that was stolen and to keep the breach a secret. Hackers were able to collect the names, addresses, and phone numbers of millions of passengers who use Uber, and Uber drivers had their driver license numbers compromised. In response to the data breach announcement, attorneys general from five states – Massachusetts, New York, Illinois, Connecticut, and Missouri – have announced they are launching investigations into the company. Opioid Suits This year, state attorneys general also focused on combating the opioid epidemic by filing lawsuits troutman.com 36 against various pharmaceutical manufacturers and distributers, and drugstore chains. In June, a bipartisan group of state attorneys general from Massachusetts, Texas, Illinois, and Pennsylvania announced they would be investigating the marketing and sales practices of companies that manufacture opioid drugs. In July, Missouri filed suit against three pharmaceutical companies for allegedly misrepresenting the truth about the addictive nature of opioids. In September, a coalition of forty-one state attorneys general served five opioid manufacturers with subpoenas demanding the release of documents and information related to their distribution practices. New York Attorney General Eric Schneiderman announced the coalition and the serving of the subpoenas during a press conference, where he pointed out that about 80% of heroin users begin with prescription opioids, according to the National Institutes of Health. 2017 Consumer Financial Services Year in Review and a Look Ahead 37 Yet there may soon be some relief to defendants facing TCPA lawsuits. The United States District Court for the District of Columbia is currently considering challenges to multiple pillars to the Federal Communication Commission’s prior interpretations of the TCPA that have helped fuel the TCPA as a major litigation threat. The D.C. Circuit decision could trim the scope of the TCPA and, in turn, defendants’ liability under the Act. Certain court decisions this year have also helped to provide some reprieve to defendants facing TCPA lawsuits. For example, the Second Circuit in the Reyes matter issued a favorable decision for defendants regarding a consumer’s ability to revoke contractual consent, and a series of cases involving LiveVox have taken the view that “human intervention” means that a telephone system is not regulated by the TCPA as an “automatic telephone dialing system.” TCPA is the Second Most Common Consumer Protection Lawsuit The number of TCPA lawsuits has grown dramatically over the past seven years. In 2010, only 266 lawsuits were filed based on claims of TCPA violations, compared to 4,163 such lawsuits in 2016. In 2017, the TCPA became the second most commonly litigated federal consumer protection statute, surpassing the Fair Credit Reporting Act, with over 3,700 lawsuits filed by October 31. A large portion of those lawsuits were class actions. For instance, in October, 295 TCPA lawsuits were filed, with 71 (24.1%) of those being class actions. Record-Breaking Treble Damages Ordered Against Dish Network On May 22, 2017, in Krakauer v. Dish Network LLC, Judge Catherine C. Eagles in the Middle District of North Carolina, trebled the jury’s finding of $20.5 million in statutory TCPA damages against Dish Network, for a total of more than $61 million in damages. In a strongly-worded opinion, the Court held that Dish knew its vendor – SSN – was continuously violating the law and that Dish “repeatedly looked the other way” when it came to SSN’s TCPA compliance. In holding Dish responsible for SSN’s knowing or willful violations of the TCPA, the Court sustained the “well-established” rule that “at a minimum, a principal is liable for the willful acts of his agent committed within the scope of the agent’s actual authority.” In so ruling, however, the Court also stated that the result would be the same even if one were only to look at the willfulness of Dish’s conduct – being that Dish knew that SSN had committed many TCPA violations over the years. In short, because Dish knew or should have known that SSN was violating the TCPA, Dish’s conduct was deemed a knowing and willful violation of the TCPA. The Court concluded that treble damages were appropriate “because of the need to deter Dish from future violations and the need to give appropriate weight to the scope of the violations. The evidence shows that Dish’s TCPA compliance policy was decidedly two-faced.” Dish disregarded warnings and made false promises to forty-six state attorneys general, and the Court noted that the case “involves a sustained and ingrained practice of violating the law.” The Court also ruled that merely instructing vendors to comply with the law and to scrub their do-not-call lists is not sufficient. Dish was unable to show that it took any steps to comply with the TCPA, and the Court was disturbed by Dish’s unresponsiveness to consumer complaints and its lack of oversight relating to telemarketing functions performed by SSN. Dish’s failure to monitor SSN’s compliance or to Telephone Consumer Protection Act Lawsuits filed under the Telephone Consumer Protection Act remain a favorite of federal court plaintiffs. With statutory damages ranging from $500 to $1,500 per call or text message, damages can quickly accumulate, especially in class actions that may involve many thousands of calls. Companies in a wide array of industries have faced multi-million dollar judgments and settlements in TCPA cases this year, most notably a $61 million judgment against Dish Network in a class action. Troutman Sanders LLP 38 take disciplinary action against SSN coupled with its awareness of SSN’s disregard for other instructions from Dish about telemarketing compliance led the Court to its finding of willfulness. An Illinois federal judge also ordered Dish to pay $280 million to the federal government and the states of California, Illinois, North Carolina, and Ohio for violations of state and federal do-not-call laws, including the TCPA. The district court’s $280 million penalty constitutes the largest ever for violations of telemarketing laws. These judgments against Dish Network make perfectly clear that a company’s liability (possibly in the hundreds of millions of dollars) may well encompass the full spectrum of all employees, vendors and third parties that provide any services on a company’s behalf. Both state attorneys general and class action plaintiffs’ lawyers will aggressively pursue companies based on the conduct of such third parties. Litigants Anxiously Await D.C. Circuit’s Decision in ACA International On October 19, 2016, the D.C. Circuit heard oral arguments in ACA International, et al. v. FCC, appealing a 2015 declaratory order issued by the FCC. The landmark July 2015 declaratory order was the result of the FCC’s recent expansive interpretation of the TCPA. The order expanded the reach of the TCPA in multiple ways and significantly increases risks for businesses of all types that attempt to contact consumers by telephone. Among other things, the 2015 order cast a wide net in interpreting what technologies constitute an automatic telephone dialing system (“ATDS”) and the means by which a consumer may revoke consent. ACA International challenged the FCC’s 2015 Omnibus TCPA Order on multiple grounds. Surprisingly, the case has been pending for more than a year without a word from the D.C. Circuit. In light of the dramatic impact that the D.C. Circuit’s decision may have on the TCPA landscape, defendants across the country have sought stays of TCPA cases pending the Court’s ruling, arguing that ACA International will clarify the law, streamline the proceedings, and conserve parties’ and courts’ resources. These motions have been met with varying degrees of success depending on the jurisdiction. Once a decision is ultimately issued by the D.C. Circuit, these litigants will undoubtedly need to re-evaluate their claims and defenses and adjust their litigation strategies accordingly. The FCC’s composition has shifted dramatically since the 2015 Order. Ajit Pai, who noted that the 2015 Order was “flatly inconsistent with the TCPA,” is now the Commission’s Chairman after being appointed by President Trump in January 2017. Pai was confirmed by the U.S. Senate for an additional five-year term as FCC Chairman in October. With the change in leadership, some believe that the FCC may reconsider at least a portion of the 2015 Order once the D.C. Circuit issues a ruling. Second Circuit Issues Favorable Revocation Decision for Defendants In June, the U.S. Court of Appeals for the Second Circuit gave a major boost to companies defending suits under the TCPA when it ruled that the right to revoke consent to receive calls was not absolute. In Reyes v. Lincoln Automotive Financial Services, the Second Circuit held that “the TCPA does not permit a party who agrees to be contacted as part of a bargained-for exchange to unilaterally revoke that consent, and we decline to read such a provision into the act.” As a result, if the parties’ contract contains a provision granting a party the right to place calls to a telephone number, then that right cannot be unilaterally revoked by the called party. The court’s ruling may be significant in reducing litigation risk associated with outbound calling, as many consumer contracts contain such provisions. The Second Circuit noted that neither prior circuit court decisions nor the FCC had resolved the issue of whether a consumer providing consent as part of a contract could revoke. The Reyes Court held that under well-established common law understanding of “consent,” if it is bargained for, supported by consideration, and embodied in a contract, it cannot be unilaterally withdrawn. The Court further held that the plain meaning of the TCPA should prevail over contrary policy arguments. LiveVox Cases Illustrate Human Intervention Defense The most recent and perhaps leading cases on the interplay between human intervention and the definition of an ATDS after the FCC’s July 2015 2017 Consumer Financial Services Year in Review and a Look Ahead 39 Declaratory Ruling are the cases involving LiveVox’s Human Call Initiator (“HCI”). HCI is one of LiveVox’s human-initiated calling systems. Each call initiated from HCI must be initiated by a human “clicker agent.” To make a call, the clicker agent must confirm in a dialogue box that a call should be launched to a particular telephone number. HCI will not initiate the call unless the clicker agent confirms that the call should be made by clicking the dialogue box. If a call is answered by the intended recipient, the clicker agent refers the call to a “closer agent” who speaks with the consumer. The clicker agent is able to view a “real time dashboard” which enables the clicker agent to determine whether any closer agents are available and the number of calls in progress, and provides other call information. In order for a call to be launched in HCI, there must be a closer agent available to take the call. The clicker agent is able to control when to make calls based on the information viewable in the dashboard. In four district court decisions – Pozo v. Stellar Recovery Collection Agency, Inc.; Schlusselberg v. Receivables Performance Management, LLC; Smith v. Stellar Recovery, Inc.; and Arora v. Transworld Systems Inc. – the courts granted summary judgment in favor of the defendants, holding that the HCI system is not an autodialer and as such the defendants did not violate the TCPA. Specifically, in Pozo, the District Court for the Middle District of Florida stated, “Ultimately, ‘the key feature of an ATDS is the capacity to dial numbers without human intervention.’” Accordingly, “[d]ialing systems which require an agent to manually initiate calls do not qualify as autodialers under the TCPA.” Additionally, “dialing systems which require agents to use an electronic ‘point and click’ function to initiate calls are not autodialers because human intervention is required to initiate the calls. …[B]ecause HCI requires intervention from its human clicker agents to make every call, HCI cannot be an autodialer.” While these courts all held that HCI is not an ATDS, in measuring the risk that a company may face in the TCPA context, it is important to note that if a circuit court or another district court finds that the HCI is an ATDS, then everything could change. Given the fact that the FCC’s definition of an ATDS may change after ACA International, it is certainly not set in stone that all courts would reach the same conclusion as these district courts. Looking Ahead The coming year may see marked transformation of the TCPA landscape. The ACA International decision has the potential to dramatically alter the key issues at the heart of TCPA lawsuits. The FCC’s new composition may prove to be the catalyst for revising the FCC’s 2015 Order. Regardless, 2018 will at the very least provide more definite guidance on the issues currently at the forefront of TCPA litigation. While these issues are being considered, we expect the TCPA to continue to be a central source of plaintiffs’ individual and class-wide consumer protection claims in 2018. As illustrated by Dish Network, federal regulators may also place more attention on companies engaged in outbound dialing. Companies should take notice of the TCPA requirements and ensure compliance now to avoid later high stakes TCPA litigation. troutman.com 40 New Legislation, Regulations, and Industry Guidance Autonomous Vehicles In September 2017, the Department of Transportation released its updated policy framework, “Automated Driving Systems (ADS): A Vision for Safety 2.0,” which replaces its 2016 Federal Automated Vehicle Policy. The 2017 guidance offers a path forward for the safe deployment of Automated Driving Systems (“ADSs”). Also in September 2017, the U.S. House of Representatives passed H.R. 3388 (the SELF DRIVE Act). Among other things, the Act preempts state standards for the design and construction of automated driving systems and raises the potential number of self-driving cars that a manufacturer can put on the road. The Fight over Data Privacy Regulations in Broadband Last August, in FTC v. AT&T Mobility, the Ninth Circuit rejected an activity-based interpretation of “common carrier” in favor of a status-based interpretation. 835 F.3d 993 (9th Cir. 2016). Previously, the telecommunications industry was considered regulated by the FCC only when it engaged in “traditional common carrier activities.” The FTC argued that when an otherwise common carrier was engaged in “non-common carrier activities”—such as acting as an internet service provider (or “ISP”)—the FCC did not have jurisdiction, so the FTC was free to step in. The Ninth Circuit rejected this dichotomy. The FCC has filed an amicus brief in the FTC’s appeal of AT&T Mobility, supporting the FTC’s challenge of the court’s status-based definition of “common carrier.” The FCC and FTC argue that a status-based definition will potentially allow ISPs to operate without regulatory supervision. It is unclear whether the FTC would actively police the data practices of ISPs. The FTC has been relatively quiet with respect to cross-device tracking practices, suggesting it will take a passive stance in regulating broadband carriers and ISPs. The FTC’s regulatory powers are also more limited than those of the FCC. Where the FCC is tasked with the responsibility of regulating common carriers under the Telecommunications Act, the FTC is only given the power to prohibit “unfair and deceptive acts” under Title 5 of the FTC Act. Meanwhile, 11 state legislatures have introduced privacy bills. Cities, too, have attempted to issue their own codes. Threatened with patchwork-regulation due to the flurry of state and local activity, some ISPs have requested that federal regulators step back in to prevent confusion. NIST Prepares for IoT and Autonomous Technologies The National Institute of Standards and Technology (NIST) recently released its fifth draft version of NIST Special Publication 800-53, Security and Privacy Controls for Information Systems and Organizations (“Draft Version 5”) for public comment. The primary stated purpose of the publication is to assist in the design of privacy and security controls. Although there will likely be changes, we do not expect Draft Version 5 to change drastically. Therefore, like Troutman Sanders, companies should familiarize themselves with the supplemental recommendations. NIST also released a “Version 2 discussion draft” of its Publication 800-37. Like Draft Version 5, the draft revision to Publication 800-37 provides a number of measures organizations should undertake and document in order to demonstrate due diligence in the selection of organizational security and privacy controls. The NIST expects to finalize revisions by March 2018. Cybersecurity and Connected Medical Devices In September, the FDA issued its “nonbinding recommendations” for addressing premarket cybersecurity vulnerabilities in connected medical devices, entitled “Design Considerations and Premarket Submission Recommendations for Interoperable Medical Devices.” The Guidance applies to interoperable devices that have the ability to exchange and use information through an electronic interface with another medical/nonmedical product, system, or device. The Guidance Cybersecurity and Privacy 2017 Consumer Financial Services Year in Review and a Look Ahead 41 represents the FDA’s recommendations to its own staff regarding the medical device community’s responsibilities. New York’s Cybersecurity Regulation (23 NYCRR Part 500) Effective March 1, 2017, New York’s Superintendent of Financial Services promulgated 23 NYCRR Part 500, a regulation establishing cybersecurity requirements for financial services companies, including the development of a cybersecurity program. Under the new regulation, Covered Entities had a 180-day transitional period to become compliant (by August 28, 2017), unless otherwise specified. Although NYDFS extended the initial period for filing a Notice of Exemption to October 30, 2017, several additional compliance deadlines loom in 2018: • February 15, 2018 – Covered Entities are required to submit the first certification under 23 NYCRR 500.17(b) on or prior to this date. • March 1, 2018 – One-year transitional period ends. Covered Entities are required to be in compliance with the requirements of sections 500.04(b), 500.05, 500.09, 500.12, and 500.14(b) of 23 NYCRR Part 500. • September 3, 2018 - 18-month transitional period ends. Covered Entities are required to be in compliance with the requirements of sections 500.06, 500.08, 500.13, 500.14(a), and 500.15 of 23 NYCRR Part 500. FTC Revises COPPA Guidance In June 2017, the FTC issued a revised Children’s Online Privacy Protection Act (“COPPA”) “Six-Step Compliance Plan for Your Business,” intended to cover new business models, new products, and new methods of obtaining parental consent. For example, the revisions state COPPA applies to voice-activated devices and connected toys, and approves knowledge-based authentication questions and using facial recognition for obtaining parental consent. New State Legislation on E-commerce and Biometrics As with many other states, Nevada responded to the FCC’s repeal of FCC 16-148 by tightening its own laws on e-commerce in Nevada Senate Bill 538. In May 2017, Washington became the third state to regulate the collection and use of “biometric information,” i.e., data generated by an individual’s biological characteristics, such as fingerprints, voiceprints, and retinas. 2017 Wa. ALS 299. Unlike Illinois’ Biometric Information Privacy Act, the Washington law does not provide for a private right of action. Other states such as New Hampshire, Alaska, Connecticut, and Montana are also considering bills regulating the use of biometrics. Evolving Case Law More than a year after the landmark Spokeo, Inc. v. Robins case, U.S. circuit courts remain divided on data breach and privacy litigation, leaving litigants likely to reach disparate results on Spokeo-based motions to dismiss. Data Breach Litigation: Beyond Spokeo Even where plaintiffs had Article III standing, courts in the Third, Eighth, Ninth, Eleventh, and D.C. circuits still found grounds to dismiss claims based on the economic loss rule and the implausibility or insufficiency of damages allegations. Similarly, courts in the Second, Fourth, and Fifth circuits, where data beach litigation has been less frequent, have been more stringent on plaintiffs and have outright dismissed claims based on allegations of “future harm” as insufficient. Yet, plaintiffs have started exploring new theories of liability for data breaches. Earlier this year, plaintiffs successfully defeated motions to dismiss in two separate cases in the Third and Sixth circuits, arguing that because the FCRA requires consumer reporting agencies to assure that “consumer reports” are delivered only to the intended recipients, implicit in such a requirement is a security obligation. That theory has not been followed by other district courts. Relatedly, in March of 2017, Smith v. Triad of Alabama, a case involving a data breach of records on fewer than 1,000 patients, became the first data breach litigation to receive class certification. Troutman Sanders LLP 42 With regard to business-to-business breach litigation, 2017 has presented a mix of cases. Notably, in SELCO Comm. Credit Union v. Noodle & Co., the district court dismissed the complaint by a plaintiff credit union as barred by the economic loss rule, even though there was no privity of contract between the credit union and the defendant. In Community Bank of Trenton v. Schnuck Markets, the district court dismissed the action against the supermarket chain, finding that while other courts had found a duty of care between plaintiff banks and defendants, those decisions were made under different states’ laws. In USAA Fed. Savings Bank v. PLS Fin. Serv., the district court refused to find any general duty of care to secure PII for the defendant check processor, acknowledging it was deviating from precedence involving large retail breaches. Data Misuse Litigation: Where Technicalities Matter Compared to data breach cases, there is arguably even greater disparity among data misuse cases. In several actions this year involving web and online tracking and aggregation, dismissal of the cases turned on close readings and application of defendants’ respective terms and conditions and privacy policies as well as the specific details of consumers’ use of and interaction with the applications and websites at issue, and the nature of the information actually collected. These considerations also raised concerns regarding individualized issues relating to consumers’ actual use and users’ consent that resulted in the denial of multiple motions for class certification. In Pavone v. Meyerkord & Meyerkord, LLC, a plaintiff brought a putative class action alleging that the defendants violated the Driver’s Privacy Protection Act (“DPPA”) by providing accident reports to law firms on behalf of law enforcement agencies. Troutman Sanders represented defendants LexisNexis Risk Solutions Inc. and iyeTek, LLC, and defeated class certification, with the Court holding “that whether crash reports contain personal information from a motor vehicle record is an individualized inquiry that would predominate over questions common to the class.” The Seventh Circuit denied the plaintiff’s petition for leave to appeal the decision. See also Whitaker v. Appriss (granting the defendant summary judgment, holding that “name, address, and driver’s license number written down or scanned from a driver’s license handed over by the license-holder isn’t ‘personal information, from a motor vehicle record,’ protected by the DPPA.”). With respect to privacy laws governing the disclosure of consumer information, the Eleventh Circuit finally resolved the appeal of Perry v. Cable News Network, Inc. (“CNN”), which involved allegations that CNN violated the Video Privacy Protection Act (“VPPA”) by disclosing information to third parties about individuals’ use of CNN’s mobile application. The circuit court affirmed dismissal of the action, finding that the plaintiff was not a “subscriber” (statutory “consumer”) under the VPPA because there was no “ongoing commitment or relationship with CNN” other than the download of its mobile application. With respect to cases on IoT tracking and aggregation, there were a handful of notable decisions this year involving audio, geolocation, and facial tracking technologies wherein courts seemed to diverge on the level of specificity of the allegations required to maintain such claims. In Satchell v. Sonic Notify, Inc., a plaintiff brought a putative class action against a sports team, a mobile application developer, and an audio beacon developer, alleging multiple claims under the Federal Wiretap Act for purported “listening to” and recording of private communications using the Golden State Warriors mobile application and its integrated audio beacon technology. Troutman Sanders represented the mobile application developer and, in November of 2017, obtained dismissal with prejudice of all claims asserted against the mobile application developer for failure to sufficiently allege how the developer unlawfully intercepted and recorded any consumer communications. The Court denied the codefendants’ respective motion to dismiss in its entirety, finding adequate factual allegations of interception as to both the sports team and the beacon developer. 2017 Consumer Financial Services Year in Review and a Look Ahead 43 Product Liability Litigation With the future of technology now focused on connected home devices and autonomous vehicles, two other 2017 decisions are particularly noteworthy in the product liability space. In FTC v. D-Link Systems, the court dismissed the FTC’s unfair practices claims against the manufacturer for alleged cyber vulnerabilities in its connected home cameras, finding that the FTC had failed to allege actual substantial harm to consumers. In Flynn v. FCA US LLC (Fiat), the court denied the car manufacturer’s motion to dismiss for lack of Article III standing, finding that, although none of the plaintiffs’ vehicles may have been hacked, they plausibly alleged damages to the extent they overpaid for their vehicles in light of certain cyber vulnerabilities. On the other hand, the court also held that the economic loss rule barred most of the plaintiffs’ claims, leaving essentially unjust enrichment claims. Developments in Regulatory Enforcement From expanding the definition of “personal information” to prohibiting certain types of thirdparty behavioral advertising, regulators have taken increasingly aggressive stances on privacy practices in 2017. Federal Trade Commission The FTC remains the most active cop on the privacy block. This is especially true with the FCC recently announcing its withdrawal from privacy enforcement in broadband. In February 2017, Vizio agreed to pay $2.2 million to the FTC for allegedly collecting the viewing histories of 11 million smart televisions without the end-users’ consent. As part of the consent decree, Vizio was required to delete data previously collected, prominently disclose and obtain affirmative express consent, implement a comprehensive data privacy program, and participate in biennial assessments. In a concurring opinion that nearly read like a dissenting opinion, new Trump-appointee and Acting Chairman Maureen Ohlhausen indicated that “under our statute (the FTC Act), we cannot find a practice unfair based primarily on public policy. Instead, we must determine whether the practice causes substantial injury.” In July 2017, the FTC entered into a $104 million settlement with Blue Global, a loan lead generator, over allegations that the company induced customers to fill out online applications for loans and then sold the PI to “virtually anyone.” The FTC charged that, in reality, Blue Global sold very few loan applications to lenders, and instead sold the applications to the first buyer willing to pay for them. Notably, it is unclear which of the FTC’s statements and policies promulgated by the Obama Administration will survive under the Trump Administration. Acting Chairman Maureen Ohlhausen has commented that the FTC should focus on cases where there is “substantial consumer injury,” including cases where there are allegations of “informational injury.” Dept. of Health and Human Services / Office of Civil Rights In 2017, the OCR/HHS continued to aggressively pursue covered entities and their business associates under HIPAA-HITECH. Of particular note, St. Joseph Medical Center of Illinois was fined $475,000 for allegedly failing to timely notify of a breach; a small, for-profit pediatric clinic was fined $31,000 for not having a business associate agreement; and CardioNet, a wireless health services provider, paid $2.5 million for allegedly failing to secure ePHI for its mobile device services (the deal is the first time the OCR reached a settlement with a wireless services provider). Food and Drug Administration and Financial Industry Regulatory Authority In addition to issuing guidance on securing connected medical devices, the FDA recently took action on St. Jude pacemakers to ensure patients were checking in with their doctors for firmware updates, thereby making the devices less vulnerable to hacking. Similarly, FINRA issued three orders to its brokerdealer members with significant fines near or exceeding $1 million, with more apparently to come. State Attorneys General State attorneys general have been particularly troutman.com 44 aggressive in enforcing proper online privacy practices, with New York now taking the lead. Organizations doing business in New York, New Jersey, and Massachusetts need to take heed of the state regulators’ increased action. As a sample: In April 2017, the Massachusetts Attorney General entered into a settlement agreement with Copley Advertising, which provided real-time advertising intelligence by using geo-fencing. The AG alleged that the geo-fencing practice, which was implemented in the vicinity of reproductive clinics, violated consumer protection laws. In May 2017, the New York Attorney General and Safetech Products entered into a settlement whereby the connecting doors and padlocks manufacturer agreed to better use encryption and to secure its wireless communications. The AG had alleged that the company did not use encryption in its transmissions and that its password protocols were poor. Notable International Developments Schrems 2.0 and the Future of EU-U.S. Data Flows Thousands of applicants have now come to rely on the EU-U.S. Privacy Shield Program as a means of demonstrating “adequate safeguards” to protect the personal information of European data subjects. However, it is unclear whether the program can survive unchanged as it ends its first year. European authorities are already arguing for the program to be “temporary.” In light of President Trump’s ascension, EU Data Protection Supervisor Giovanni Buttarelli stated, “Something more robust needs to be conceived … . We should work in two tracks.” Additionally, in reviewing the EU-Canada airline passenger data-sharing pact, the Court of Justice for the European Union (“CJEU”) departed from “adequacy” language and scrutinized Canada’s pact step-by-step, focusing on the EU principles of necessity, proportionality, and retention. The Revised Draft ePrivacy Regulation While the Global Data Privacy Regulation (“GDPR”) has received substantial press, drafts of the complementary ePrivacy Regulation has received less attention. It would be a grave mistake for an organization with substantial e-commerce activities to ignore these developments. A proposed draft of the EU’s ePrivacy Regulation (the “ePrivacy Reg”) was released in January 2017 (and subsequently updated in September). Intended to supplement the GDPR and repeal Directive 2002/58/EC generally, the ePrivacy Reg will have significant consequences for device manufacturers and software developers in IoT, autonomous cars, and augmented reality. In particular, the ePrivacy Regulation does three things: one, it provides general limits on the use and storage of “electronic data”; two, it limits end-user data collection through “terminal equipment”; and three, it specifies software privacy settings. Significantly, the provisions mandate that the specified settings on terminal equipment shall apply to “terminal equipment placed on the market” and therefore would apply extra-territorially. On the other hand, Article 10 limits the requirement to the import and retail phase, without specific obligations to keep supporting the device and its software once it has been sold. Many commerce-minded critics point out that the ePrivacy Reg is not IoT-development-friendly because it requires affirmative consent after disclosure in an environment where “operators don’t always know how the data will be used until after the fact.” Furthermore, critics note that the “centralized” consent model envisioned for IoT is not currently possible given the unmanageable plethora of donot-track signals without anyone to unite them. China’s “Network Security Law” – One Year Later On November 7, 2016, China enacted its Cybersecurity Law, which became effective on June 1, 2017. Within it, a “Network Information Security” section sets forth requirements for the protection of the personal information of Chinese data subjects. One year after its passage, predictions that the law was to be used primarily for political purposes have thus far proven true. Since the law took effect, over 40% of the enforcement actions were to remove “politically harmful contents,” and less than 3% were for protecting the “rights and interests” of the “internet user.” For more information and further analysis on these and related 2017 cyberspace and privacy developments, please see Data Privacy: The Current Legal Landscape. 2017 Consumer Financial Services Year in Review and a Look Ahead 45 The Consumer Financial Services Law Monitor blog offers timely updates regarding the financial services industry to inform you of recent changes in the law, upcoming regulatory deadlines and significant judicial opinions that may impact your business. We report on several sectors within the consumer financial services industry, including payment processing and prepaid cards, debt buying and debt collection, credit reporting and data brokers, background screening, cybersecurity, online lending, mortgage lending and servicing, auto finance, and state AG, CFPB and FTC developments. With a monthly readership of more than 2000 industry professionals, we aim to be your go to source for news in the consumer financial services industry. Email firstname.lastname@example.org to join our mailing list to receive periodic updates or visit the blog at www.cfslawmonitor.com. Consumer Financial Services Law Monitor Consumer Financial Services Webinar Series Our complimentary webinar series offers monthly CLE programming related to a variety of consumer financial services topics, including: • Cybersecurity and Privacy • Telephone Consumer Protection Act (TCPA) • Fair Credit Reporting Act (FCRA) • Fair Debt Collection Practices Act (FDCPA) • Fair Housing Act (FHA) • Mortgage Litigation and Servicing • Bankruptcy • Background Screening • Electronic Funds Transfer Act (EFTA) • State Attorneys General Investigations • Consumer Financial Protection Bureau (CFPB) Enforcement and Regulatory Guidance • Federal Trade Commission (FTC) Enforcement and Regulatory Guidance • Case Law Updates including Spokeo We are very interested in ensuring that we deliver the best webinar content to help you navigate the most complex business issues including litigation, regulatory enforcement matters, and compliance. Email email@example.com to submit topic suggestions.