Recent changes in agendas and leadership at the federal level are prompting companies offering financial products and services to question what consumer protection enforcement will look like on the road ahead. There has been significant discussion about the increasing role of state regulators, including state attorneys general, in filling the perceived void that may be left by agencies like the Consumer Financial Protection Bureau (CFPB). Many state regulators have indicated that they are ready to step up enforcement, and a number already are doing so; however, this does not mean that the industry should shift its focus exclusively to the states.
The Federal Trade Commission (FTC), which once dominated the playing field on many consumer protection issues, is reclaiming a prominent role. By way of example, prior to the CFPB’s inception, the FTC took a series of enforcement actions that significantly reshaped mortgage servicing well before the CFPB codified its rules. However, passage of the Dodd–Frank Act, Pub. L. No. 111-203, § 929-Z, 124 Stat. 1376, 1871 (2010) (codified at 15 U.S.C. § 78o), and creation of the CFPB made the FTC’s role in the federal consumer protection landscape seem uncertain at times for companies offering financial products and services. Under Dodd-Frank, the FTC retained its authority to enforce numerous consumer protection laws and to enforce CFPB rules applicable to entities within the FTC’s jurisdiction (see 15 U.S.C. § 1607(c)), including most providers of financial services that are not banks, thrifts, or federal credit unions. Yet, on certain issues, the FTC seemed to cede enforcement authority to the CFPB, which also acquired many of the commission’s most seasoned consumer protection lawyers.
With a five-member bipartisan commission that includes Rohit Chopra, who previously was student loan ombudsman at the CFPB, the FTC’s consumer protection efforts are picking up steam. Financial services companies subject to FTC jurisdiction and their service providers should be aware of potential consumer protection enforcement priorities for 2019 and beyond.
Although banks are not subject to the FTC’s consumer protection jurisdiction, an uptick in the FTC’s consumer protection enforcement efforts could have significant implications for their ability to establish and maintain relationships with nonaffiliated third parties subject to the FTC’s consumer protection jurisdiction. More specifically, an increase in FTC enforcement efforts could (1) alter how banks use third-party service providers to support key operations, (2) increase the level of oversight of participants in bank partnerships, and (3) increase the risk of enforcement actions by the prudential banking regulators or the Department of Justice for failing to adequately manage third-party relationships. In addition, more broadly, actions taken by the FTC may serve as guideposts for federal and state regulators that do have jurisdiction over banks.
Consumer Protection Agenda under Chairman Simons
The FTC has escalated enforcement over the past year in a number of areas that are relevant to financial services companies and their service providers. While continuing to bring enforcement actions under its general Unfair or Deceptive Acts or Practices (UDAP) authority, the FTC’s consumer protection agenda appears to include significant focus on: (1) financial technology (fintech) companies, especially those involved in lending and payment-related services; (2) privacy and data security; (3) debt collection; and (4) the treatment of military personnel and families. The FTC also has brought cases utilizing a third-party liability theory of sorts, including holding companies liable for not properly guarding against or preventing the conduct of alleged bad actors.
These areas of focus may be driven in part by the type of consumer complaints the FTC receives most frequently. In 2018, imposter scams, debt collection, and identity theft were the of consumer complaints filed with the FTC. Recently, the FTC announced that it will be making its consumer complaint data more accessible by releasing its aggregated data on a quarterly instead of annual basis. It also will publish “Consumer Protection Data Spotlight[s],” which will “take a deep dive into the data to illuminate important stories [the FTC] is hearing from consumers.” This increased transparency into complaint data could lead to more investigatory and enforcement activity.
The FTC also has made clear that it intends to collaborate with other regulators, including the CFPB and the state attorneys general. Indeed, in February 2019, the FTC and the CFPB reauthorized their memorandum of understanding regarding sharing information and coordinating certain law enforcement activities. And in March 2019, Chairman Simons advocated for increased collaboration with state attorneys general, noting that such collaboration is critical to the FTC’s mission.
UDAP. UDAP has been a centerpiece of the FTC’s enforcement agenda for years. The FTC has stepped up its UDAP enforcement generally, including actions brought by the FTC in the last year that involve cryptocurrencies and data breaches discussed below.
The FTC has emphasized that ensuring advertising is truthful and not misleading is one of its core missions. In April 2018, the FTC filed a UDAP-related complaint alleging that an online lender’s claim that its loans had “no hidden fees” was deceptive because consumers were charged origination fees. In October, the FTC brought an enforcement action against an online student loan refinancer for alleged misrepresentations regarding how much borrowers have saved through refinancing student loans, as well as alleged misrepresentations of when customers would pay more under various refinancing options. These lawsuits may be precursors to other similar actions that the FTC may take in reviewing advertising and marketing materials.
The FTC also used its UDAP authority to file a lawsuit against an online payday lending company and its owner who allegedly marketed payday loans using false loan disclosures that did not accurately describe the true cost of the loans. According to the FTC, despite informing customers that they would be charged only a one-time finance fee, the payday company made multiple withdrawals from customers’ bank accounts, assessing a new finance fee each time. This resulted in the customers paying more for the loans than they agreed to pay. In addition to the FTC’s civil case, the United States Attorney’s Office for the Southern District of New York obtained a criminal conviction against the owner of the payday company and its attorney, and a penalty of $528 million against a bank, for violations of the Bank Secrecy Act, including failing to timely report suspicious banking activities. This lawsuit demonstrates how the FTC is working with other enforcement agencies, but also how entities (such as banks) that are not under the FTC’s jurisdiction still can be brought into related proceedings.
The FTC also recently has taken UDAP actions in connection with credit cards and student loans. In December 2017, it filed a suit alleging that the defendants violated the FTC Act and the Telemarketing Sales Rule by misrepresenting that they could reduce credit-card interest rates and save consumers money, but failing to disclose that consumers could also be required to pay a range of additional bank fees totaling one percent to three percent of their credit-card debt. In October 2017, it announced “Operation Game of Loans,” the first coordinated federal-state law-enforcement initiative targeting deceptive student loan debt-relief scams.
Fintech companies. The FTC remains focused on protecting consumers that use various forms of financial technology and ensuring that “market participants offering these exciting new products keep in mind important consumer protection principles as they continue to innovate for consumers’ benefit.” Indeed, Chairman Simons recently stated that one of the FTC’s priorities is “policing the financial marketplace.” Of interest to the FTC are mobile payments, with a focus on the Electronic Funds Transfer Act, marketplace lending, cryptocurrencies, and money transmitters.
The FTC’s recent enforcement action against the recently acquired subsidiary of a worldwide payment systems company indicates that fintechs, especially those in the payments and lending space, may be in the crosshairs of the FTC’s broader agenda. The commission alleged that the subsidiary failed to disclose to users of its peer-to-peer payment service that transfers of funds to external bank accounts were subject to review and could be frozen or removed, and that it misrepresented the extent to which accounts were protected by “bank-grade security systems.” The FTC’s emphasis in this case is consistent with its more general focus on data privacy and security and sends a strong signal that it is willing to rely on its UDAP authority to protect fintech customers.
The commission also has stated that money transmitters have a responsibility to implement controls and procedures to ensure that criminals are not using their services to defraud consumers. In one example, the FTC alleged that a money transmitter was aware that its system was being used for fraud-induced money transfers, but failed to undertake measures to detect and prevent such transfers, such as terminating agents and locations involved in high levels of fraudulent transactions or imposing more robust ID requirements to receive transfers. In another example, the FTC brought an enforcement action in November 2018 against another money transmitter for failing to comply with a prior order to implement a comprehensive fraud prevention program that requires it to “promptly investigate, restrict, suspend, and terminate high-fraud agents.” Here again, the FTC’s enforcement activity is focused on the role of third parties in failing to prevent the illegal conduct of others.
In addition, the proliferation of cryptocurrency is driving the FTC to take action on consumer protection as it relates to this relatively new medium of exchange. Although the FTC’s efforts to date have focused primarily on consumer education, a recent UDAP enforcement action against a cryptocurrency promoter may be a sign of what is to come. The case involved four individuals who allegedly promoted deceptive money-making schemes involving cryptocurrencies through websites, YouTube videos, social media, and conference calls. Exchanges, brokers, wallet providers, and other participants in cryptocurrency markets should keep abreast of the FTC’s activity in this space because enforcement action may move faster than regulation.
Privacy and data security. FTC Chairman Joseph Simons told Congress in July that “privacy and data security top the list of [its] consumer protection priorities . . . .” The FTC has brought more than 500 such cases, and over the course of the past year has taken actions related to data breaches, privacy violations under the Gramm-Leach-Bliley Act, and international privacy frameworks.
The FTC has brought privacy and data security cases against or is currently investigating:
- A leading ride-sharing company, alleging that the company failed to reasonably secure sensitive consumer data stored in the cloud.
- A lead-generation business, alleging that the company misled consumers into completing loan applications and sold those applications, which included consumers’ personal data, to unscrupulous third parties.
- A social-media provider and a major credit-reporting agency for data breaches.
The FTC has brought several recent enforcement actions related to the GLBA’s privacy provisions, which it had regularly enforced prior to the creation of the CFPB. Recent cases against TaxSlayer (Nov. 2017) and a global online payment systems company (May 2018) may signal a recommitment to challenging such conduct.
The FTC also has been actively enforcing the EU-US Privacy Shield Framework, which was designed to facilitate transatlantic transfers of personal data. Although the Privacy Shield Framework is a voluntary mechanism, the FTC is responsible for enforcing its provisions for any organizations that commit to comply. The FTC brought three separate cases enforcing the Privacy Shield in November 2018 alone.
Last year, the FTC established a privacy and data security task force to “better understand the markets for consumer information, incentives for the various parties in that marketplace, and how to quantify costs and benefits of different actions that the FTC or others could take.” The commission said it wanted to deepen its understanding of the “economics of privacy,” which includes studying consumer preferences and the relationship between access to consumer information and innovation. It also held an Information Injury Workshop in December 2017 during which it developed a taxonomy for information injury: loss of opportunity, economic loss, social detriment, and loss of liberty. Although the FTC has yet to provide further guidance regarding the types of injury, its mere acknowledgment that injury goes beyond economic loss suggests that it could broaden its assessment of injury.
Most recently, Chairman Simons expressed the need for privacy and data security legislation that would give the FTC expanded authority. While the FTC has broad authority under Section 5 of the FTC Act to address consumer harms related to privacy and data security, Chairman Simons has described Section 5 as “an imperfect tool” to address those concerns. Instead, the FTC supports data security legislation that would provide the agency with (1) the ability to seek civil penalties to effectively deter unlawful conduct; (2) jurisdiction over non-profits and common carriers; and (3) the authority to issue implementing rules under the Administrative Procedure Act as appropriate.
Moreover, on March 5, 2019, the FTC requested comments on proposed amendments to the GLBA Safeguards Rule and the Privacy Rule. Andrew Smith, Director of the FTC’s Bureau of Consumer Protection, said the aim of the proposal is to “provide more certainty to businesses.” He also said that it “shows that, where we have rulemaking authority, we will exercise it as necessary to keep up with the marketplace trends and respond to technological developments.” The Safeguards Rule proposal is modeled in part on the New York State Department of Financial Services Cybersecurity Rule and includes proposed changes such as (1) designation of a Chief Information Security Officer; (2) elaborating on the existing risk assessment requirement, including requiring a written report; (3) requiring encryption of customer data, both at rest and in transit; (4) implementing access control protocols aimed to prevent unauthorized users from accessing customer information; (5) mandating the use of multi-factor authentication to access customer data; (6) requiring the establishment of incident response plans or data security response plans in the event of an incident; and (7) elevating cyber governance to a board-level issue and requiring periodic reports to an organization’s board of directors or other governing bodies. These proposed rulemakings and the FTC’s advocacy for enhanced data security legislation highlight the agency’s focus on privacy and cybersecurity issues.
Debt collection. Debt collection matters are at the core of the FTC’s enforcement priorities. In 2018 alone, the FTC filed or resolved 7 cases against 52 defendants and obtained more than $58.9 million in judgments. For example, on September 7, 2018, it settled with the operators of a company that allegedly used false claims and threats to get consumers to pay debts, including debts that the company did not have authority to collect or that the consumers did not owe. And on February 4, 2019, the FTC filed a complaint against 10 companies and six individuals who allegedly used deceptive and threatening tactics to collect phantom debt that the consumers did not owe.
Although the conduct in question in this case appears extreme, the FTC could expand its enforcement efforts to include entities under its jurisdiction that employ service providers engaging in illegal conduct. That could entail reviewing vendor-management policies, procedures, and practices related to debt collection, and pursuing enforcement actions based on a company’s failure to monitor a vendor.
More relevant to those not under FTC jurisdiction, if a financial service company’s debt collectors are engaging in acts that draw the focus of the FTC, this could lead prudential regulators or others that do have jurisdiction over banks to focus on the bank’s vendor management policies, procedures, and practices. Indeed, the FTC already has taken steps to work together with other regulators on debt collection enforcement matters. The FTC and CFPB announced in March 2018 joint efforts to police debt collectors and in February 2019 reauthorized their memorandum of understanding that continues collaboration between the two agencies on this issue. They also issued an annual report to Congress in March 2019 on their collective actions to combat illegal debt collection practices under their shared responsibilities under the FDCPA. The two agencies are likely to pursue greater collaboration on debt collection going forward.
In addition, collaboration efforts are extending to the states as well. In November 2018, for example, the FTC and the New York Attorney General’s Office sued a New York-based debt collection company for allegedly deceiving people in a manner that led to them paying more money than they purportedly owed.
Military and veterans. The FTC also has identified fraud targeting military personnel as a priority. Although the FTC does not have enforcement authority under the Servicemembers Civil Relief Act, it can bring actions under its general UDAP authority as well as under the authority granted in other statutes, including TILA, EFTA, FCRA, and FDCPA. In 2017 alone, the FTC received more than 114,000 consumer complaints from service members, their dependents, military retirees, and veterans, with the top complaints related to imposter scams, identity theft, and debt collection.
The FTC last year established a military-specific task force and already has brought a number of cases related to debt collection and mortgage debt relief targeting service members and veterans. See FTC v. BAM Fin., LLC, No. 8:15-cv-01672-JVS-DFM (C.D. Cal.) (unlawful collection practices); FTC v. Mortg. Inv’rs Corp. of Ohio, Inc., No. 8:13-cv-1647 (M.D. Fla.) (unlawful telemarketing and advertising of veterans home loan refinance services). It also has brought cases alleging deceptive practices in the sale of automobile add-on products.
Another area of increased focus will be the implementation of rules related to credit monitoring for active military personnel. As part of the Economic Growth, Regulatory Relief, and Consumer Protection Act, the FTC is required to implement rules requiring credit-reporting agencies to provide free, online credit-monitoring services to active duty military personnel. In November, the FTC issued a notice of proposed rulemaking, 83 Fed. Reg. 57693 (Nov. 16, 2018), soliciting comments on the proposed rule.
Although consumer protection priorities under the Trump administration are different from those under the Obama administration, this does not mean that all federal enforcement agencies are standing down.
- The FTC has reiterated its commitment to taking enforcement action in the privacy and data security space, and has brought a number of actions that allege UDAP violations and violations of specific privacy statutes. Companies would be well-served to review their policies, procedures, and practices related to data breaches as well as general compliance with privacy laws to ensure that there are no gaps.
- The FTC and the CFPB have identified debt collection as a top enforcement priority. Debt collectors and those who hire third parties to collect debt on their behalf should examine their practices and ask themselves whether they have adequate policies, procedures, and practices in place to monitor and rapidly correct infractions, even those committed by their third-party collectors.
- The FTC appears focused on legal issues related to mobile payments, marketplace lending, cryptocurrencies, and money transmitters, and will scrutinize fintechs if compliance with the spirit and letter of consumer protection is called into question.
- Issues facing service members are a priority for the FTC. Companies serving military consumers should assess their policies, practices, and procedures in connection with service members, with a particular eye toward conduct that could be alleged to violate UDAP, among other laws that may provide protections for members of the military.
- With respect to UDAP, more broadly, there is little doubt that it will remain a central legal vehicle for FTC claims. Matters of interest to the FTC include alleged misrepresentations or deception in advertising as well as fraud. Companies should review their advertising and other consumer-facing materials, as well as origination and servicing practices, for UDAP risk.
The FTC has been rather active over the last year, obtaining hundreds of millions of dollars in settlements. Financial services companies and their service providers should keep a watchful eye on the FTC’s enforcement agenda.
 Order Preliminarily Approving Stipulated Final Judgment, U.S. v. Fairbanks Cap. Corp. Fairbanks Cap. Holding, & Basmajian, No. 03-12219 (D. Mass. Nov. 21, 2003), modified by, U.S. v. Select Portfolio Serv., No. 03-12219-DWP (D. Mass. Sept. 4, 2007); Consent Decree, FTC v. EMC Mortgage Corp., No. 4:08-cv-338 (E.D. Tex. Sept. 9, 2008).
 See generally 12 C.F.R. §§ 1024 and 1026.
 FTC v. LendingClub Corp., No. 3:18-cv-02454 (N.D. Cal. Apr. 25, 2018).
 The GLBA Safeguards Rule requires a financial institution to develop, implement, and maintain a comprehensive information security program. The Privacy Rule requires a financial institution to inform customers about its information-sharing practices and allow customers to opt out of having their information shared with certain third parties.
 While the vote to submit the Privacy Rule for publication was 5-0, the vote to submit the Safeguards Rule was 3-2 with Commissioners Phillips and Wilson dissenting.