Newsletter December 4, 2023

Wiley Consumer Protection Download (December 4, 2023)

December 4, 2023

Regulatory Announc ements
Recent Enforcement Actions
Upcoming Comment Deadlines and Events
More Analysis from Wiley

Welcome to Wiley’s update on recent developments and what’s next in consumer protection at the Consumer Financial Protection Bureau (CFPB) and Federal Trade Commission (FTC). In this newsletter, we analyze recent regulatory announcements, recap key enforcement actions, and preview upcoming deadlines and events. We also include links to our articles, blogs, and webinars with more analysis in these areas. We understand that keeping on top of the rapidly evolving regulatory landscape is more important than ever for businesses seeking to offer new and groundbreaking technologies. Please reach out if there are other topics you’d like to see us cover or for any additional information.

To subscribe to this newsletter, click here.

Regulatory Announcements

FTC Holds November Virtual Open Commission Meeting. On November 16, the FTC held a virtual Open Commission Meeting where it discussed (1) a Voice Cloning Challenge Announcement (Challenge Announcement) and (2) a Presentation on Public Comments on Business Practices of Cloud Computing Providers (Presentation). As discussed during the meeting and in the Announcement, the Voice Cloning Challenge is designed to encourage the development of multidisciplinary solutions to protect the public from fraud perpetrated through cloned voices. Participants can enter submissions between January 2 and 14, 2024, and each submission must address at least one of three intervention points: (1) prevention or authentication; (2) real-time detection or monitoring; or (3) post-use evaluation. The Announcement specifies that the FTC and a panel of external judges will consider the submissions, and the FTC has set up a website explaining further details of the Challenge.

The Presentation summarized issues raised in comments in response to the Commission’s Request for Information on Cloud Computing Providers, and in the FTC’s public panel discussion on cloud computing. The Presentation focused on four main themes: (1) competition; (2) single points of failure; (3) security; and (4) generative artificial intelligence’s (AI) reliance on cloud computing. FTC staff stated that they will continue to watch the cloud computing provider market closely.

CFPB Director Chopra Testifies Before Senate Committee on Banking, Housing, and Urban Affairs. On November 30, CFPB Director Rohit Chopra testified before the U.S. Senate Committee on Banking, Housing, and Urban Affairs in a hearing titled, “The Consumer Financial Protection Bureau’s Semi-Annual Report to Congress.” During the hearing, Director Chopra stated that the CFPB “has reached important milestones on critical priorities, including personal financial data rights and credit reporting, while continuing to enforce the law and deliver results for consumers and law-abiding businesses.” Director Chopra also noted that the CFPB “is sharpening its focus on the evolving patterns of household debt” given that “Americans now owe more than $17 trillion in household debt,” including $1 trillion in total outstanding credit card debt. He further stated the return to repayment for federal student loans “continues to be an area of concern for many borrowers, causing families to reallocate funds toward student loans after a three-year pause.” Director Chopra noted that the CFPB will be carefully monitoring the practices of loan servicers.

FTC Testifies Before House Judiciary Subcommittee. On November 30, FTC Director of the Office of Congressional Relations Jeanne Bumpus testified before the U.S. House Judiciary Committee (the Committee) in a hearing titled “Compliance with Committee Oversight.” Ms. Bumpus testified that the FTC “is committed to accommodating the Committee’s requests for information, consistent with our obligation to safeguard the independence, integrity, and effectiveness of the [FTC]’s vital work.” She also noted that the FTC has received numerous requests from the Judiciary Committee and has responded with documents and productions and testimony.

FTC Announces Omnibus Resolution Authorizing the Use of Compulsory Process in Nonpublic Investigations Involving Purported AI Products and Services. On November 21, the FTC announced that it approved an omnibus resolution that authorizes the use of compulsory process in nonpublic investigations involving products and services that use or claim to be produced using AI or claim to detect its use. According to the FTC’s announcement, the omnibus resolution “will streamline FTC staff’s ability to issue civil investigative demands (CIDs), which are a form of compulsory process similar to a subpoena, in investigations relating to AI, while retaining the Commission’s authority to determine when CIDs are issued.” The announcement further specifies that the resolution will be in effect for 10 years.

FTC Sends Annual Letter to CFPB on Debt Collection Activities. On November 16, the FTC announced that it had sent its annual letter to the CFPB summarizing its efforts to protect consumers in the debt collection area, as required by the Dodd-Frank Wall Street Reform and the Consumer Protection Act. The letter highlights various FTC actions taken under the Fair Debt Collection Practices Act (FDCPA) and the FTC Act, including: filing complaints against RCG Advances and American Future Systems alleging that the companies engaged in unfair debt collection practices; issuing more than $1.27 million in refunds to consumers following settlements related to debt collection practices; halting collections of millions of dollars in debt related to allegedly unlawful financing and sales practices; and providing English and Spanish FTC Act and FDCPA educational materials for consumers and small businesses.

FTC Sends Warning Letters to Two Trade Associations and Online Influencers Regarding Advertisements Promoting the Consumption of Aspartame or Sugar. On November 15, the FTC sent warning letters to AmeriBev, the Canadian Sugar Institute, and dozens of social media influencers regarding social media posts that the agency asserts “may be deceptive or unfair in violation of the FTC Act.” According to the letters, the posts may have, among other things, failed to disclose a material connection between the influencers and the trade associations. The FTC’s Guides Concerning the Use of Endorsements and Testimonials in Advertising (which we summarized here) require that paid endorsements clearly and conspicuously disclose “material connections between themselves and their endorsers.” The letters also attach the FTC’s Notice of Penalty Offenses Concerning Deceptive or Unfair Conduct around Endorsements and Testimonials (which we summarized here). Each letter requests that the recipients contact agency staff within 15 days and detail any actions taken to address FTC staff concerns.

FTC Issues FY 2023 Financial Report. On November 16, the FTC issued its FY 2023 Agency Financial Report to Congress. The Report, which is required by the Office of Management and Budget (OMB), includes the agency’s audited financial statements, and the Office of the Inspector General’s assessment of the FTC’s accomplishments and opportunities for performance improvements. According to the Report, the financial audit “did not identify any material weaknesses, significant deficiencies, or instances of non-compliance with internal controls, financial systems, or laws and regulations.” OMB also identified four management and performance challenges for the FTC: (1) securing information systems and networks from destruction, data loss, or compromise; (2) addressing challenges to FTC litigation; (3) successfully managing merger transactions; and (4) combatting increasingly sophisticated imposter scams and enhancing the public’s awareness of them.

Recent Enforcement Actions

CFPB Settles With Online Lender for Allegedly Deceptive Loan Practices. On November 15, the CFPB filed a consent order and stipulation against Enova International, Inc. for alleged violations of the Consumer Financial Protection Act. The CFPB alleges that the company withdrew money from consumer accounts without proper permissions and failed to accurately communicate loan extensions grants and terms to consumers. The CFPB also alleges that Enova violated a 2019 consent order by failing to provide the agreed upon authorizations to consumers before initiating reoccurring electronic fund transfers from their accounts. The company has agreed to pay a $15 million civil money penalty.

FTC Settles Allegations of Deceptive Marketing and Business Practices With Four Individuals. On November 15, the FTC filed a stipulated order in the U.S. District Court for the Central District of California against Darcy Michael Wedd, Fraser Robert Thompson, Erdolo Levy Eromo, and Michael Pajaczkowski. In 2014, the FTC sued ten individual defendants for allegedly using fake websites to obtain consumers’ cell phone numbers and subsequently adding monthly subscription fees to consumers’ phone bills without their consent. Six of the defendants settled in 2015, and the outstanding cases against Wedd, Thompson, Eromo, and Pajaczkowski were put on hold until the related criminal charges were resolved in July 2023. These trials resulted in criminal sentences against all four defendants. In this matter, the defendants have agreed to injunctive relief.

FTC Settles With Prison Communications Service Provider After Data Breach. On November 16, the FTC filed a complaint and agreed to an order against Global Tel*Link and two of its subsidiaries. The FTC alleges that the defendants violated the FTC Act by failing to maintain adequate cybersecurity measures to prevent bad actors from accessing data stored in the cloud. The defendants agreed to implement an information security program, notify consumers of the breach, and offer credit monitoring and identify protection services to affected consumers.

FTC and California Attorney General Settle With DNA Testing Company for Allegedly Deceptive Advertising. On November 20, the FTC and California Attorney General filed a complaint and proposed stipulated order in the U.S. District Court for the Central District of California against CRI Genetics, LLC for alleged violations of the FTC Act, California’s Unfair Competition Law, and California’s False Advertising Law. The FTC and California AG allege in the complaint that CRI Genetics misrepresented the accuracy of its tests by claiming its algorithms were patented and its reports were more accurate than other major DNA testing companies. The complaint also alleges that CRI Genetics posted fake reviews and used other deceptive marketing tactics to convince consumers to purchase its product. The defendants will pay a $700,000 fine, in addition to injunctive relief.

CFPB Settles With Auto-Financing Corporation for Allegedly Withholding Refunds and Impacting Consumers’ Credit Reports. On November 20, the CFPB filed a stipulation and consent order against Toyota Motor Credit Corporation for alleged violations of the Consumer Financial Protection Act (CFPA) and Fair Credit Reporting Act (FCRA). The CFPB alleges that the company did not provide consumers sufficient methods to cancel product bundles, delayed and withheld refunds from consumers for payments made on void add-ons or canceled service agreements, and failed to remedy incorrect data sent to consumer reporting companies. The company has agreed to pay $48 million in consumer redress and a $12 million penalty to the CFPB.

CFPB and Eleven States Settle with Online Software Training Program for Allegedly Misrepresenting Student Loan Policies. On November 20, the CFPB, California Department of Financial Protection and Innovation, and the attorneys general of Washington, Oregon, Delaware, Minnesota, Illinois, Wisconsin, Massachusetts, North Carolina, South Carolina, and Virginia filed a stipulated order against Prehired LLC in the U.S. Bankruptcy Court for the District of Delaware. In July 2023, the CFPB and state agencies filed a complaint alleging that Prehired misled consumers by failing to disclose that income-share loans needed to be repaid regardless of the consumer’s success in securing a job after the program and misrepresenting the amount of debt consumers owed. Prehired has agreed to refund consumers $4.2 million, cancel all outstanding income-share loans, and permanently shut down its operations.

CFPB Settles with National Bank for Allegedly Misreporting Mortgage Applicant Demographic Information. On November 28, the CFPB filed a consent order and stipulation against Bank of America for alleged violations of the Home Mortgage Disclosure Act (HMDA). The CFPB alleges that the company failed to collect and report demographic information from its mortgage applicants in violation of HMDA. The company has agreed to pay a $12 million civil money penalty.

Upcoming Comment Deadlines and Events

FTC Seeks Research Presentations for PrivacyCon 2024. Research presentations for the FTC’s annual PrivacyCon event are due December 6 and may be submitted here. The FTC announced that PrivacyCon 2024 will be particularly focused on: automated systems and AI; health-related “surveillance;” children’s and teen’s privacy; deepfakes and voice clones; worker “surveillance;” and advertising practices. PrivacyCon 2024 will take place virtually on March 6, 2024, and the agenda will be posted here prior to the event. Members of the public wishing to attend the event may visit the FTC’s website at www.ftc.gov to access the live webcast.

CFPB Releases NPRM to Implement Rules Under Section 1033 of the CFPA. Comments are due December 29 on the CFPB’s Notice of Proposed Rulemaking (NPRM) to implement rules under Section 1033 of the Consumer Financial Protection Act (CFPA). Section 1033 of the CFPA requires consumer financial services providers to make information in the possession of the provider available to consumers when the information concerns the financial product or service that the consumer obtained from the provider. If adopted, the rules proposed in the NPRM would require both depository and non-depository financial institutions to make available to both consumers and authorized third parties certain data related to consumers’ financial transactions and financial accounts; establish privacy obligations for third parties accessing consumers’ data; provide standards for third-party data access; and promote industry standards for such access. The NPRM proposes to use the definitions for “financial institution” under Regulation E and “card issuer” under Regulation Z. This would effectively open both banks and nonbanks that offer a variety of services – from deposit accounts to digital wallets – to Section 1033’s consumer data sharing requirements.

FTC Seeks Comment on “Junk Fees” and Proposes Fee Disclosure Requirements. Comments are due January 8, 2024 on the FTC’s Trade Regulation Rule on Unfair or Deceptive Fees NPRM. The NPRM broadly addresses two practices: (1) fee disclosures after a consumer sees an initial base price, and (2) “practices that misrepresent the nature and purpose of fees or charges.” The proposed rule would define both as unfair and deceptive practices, which would enable the FTC to seek civil penalties for violations. Among other things, the NPRM proposes to require businesses to disclose a “Total Price” in any offer, display, or advertisement that contains an amount a consumer must pay and do so more prominently than other pricing information. It also proposes a preemptive disclosure requirement which would require businesses to disclose, clearly and conspicuously and before the consumer consents to pay, the nature and purpose of any amount the consumer may pay that is excluded from the “Total Price,” including shipping charges, government charges, optional fees, voluntary gratuities, and invitations to tip.

CFPB Proposes to Define and Supervise Larger Participants in Market for General-Use Digital Consumer Payment Apps. Comments are due January 8, 2024, on the CFPB’s Notice of Proposed Rulemaking (NPRM) proposing to define larger participants in the market for “general-use digital consumer payment applications.” The Consumer Financial Protection Act (CFPA) authorizes the CFPB to define larger participants in markets for consumer financial products or services, and to supervise larger nonbank-covered entities subject to the law to assess compliance with federal consumer financial laws, obtain information about such entities’ activities and compliance systems and procedures, and detect and assess risks to consumers and consumer financial markets.

The NPRM defines the general-use digital consumer payment app market to include “providers of funds transfer and wallet functionalities through digital applications for consumers’ general use in making payments to other persons for personal, family, or household purposes.” The NPRM notes that this definition includes “‘digital wallets,’ ‘payment apps,’ ‘funds transfer apps,’ ‘person-to-person payment apps,’ ‘P2P apps,’ and the like.” Additionally, the NPRM proposes a test to determine whether a nonbank entity is a larger participant in the general-use digital consumer payment app market – (1) the entity must provide general-use digital consumer payment apps with an annual volume of at least five million consumer payment transactions; and (2) the entity must not be a small business concern based on the Small Business Administration’s applicable size standard. If adopted, the proposals in the NPRM would permit entities to dispute whether they qualify as a larger participant in the general-use digital payment app market.

FTC Amends Safeguards Rule to Include Breach Reporting Requirement for Non-Bank Financial Institutions. The FTC’s amendments to its Gramm-Leach-Bliley Act (GLBA) Safeguards Rule will take effect on May 13, 2024. The amendments will require covered “financial institutions” to notify the FTC of certain data breaches involving the information of at least 500 consumers within 30 days of the discovery of the event. The Safeguards Rule applies to certain covered non-bank financial institutions, which include, for example, mortgage brokers, motor vehicle dealers, and many financial technology companies. The Safeguards Rule currently requires these entities to develop, implement, and maintain a comprehensive information security program to safeguard customer information. While the amendments do not require covered companies to issue separate breach notifications to consumers, the FTC has stated that it intends to publish notification reports in a publicly available database.