I’m thrilled to announce that Bedard Law Group is the new sponsor for the Compliance Digest. Bedard Law Group, P.C. – Compliance Support – Defense Litigation – Nationwide Complaint Management – Turnkey Speech Analytics. And Our New BLG360 Program – Your Low Monthly Retainer Compliance Solution. Visit www.bedardlawgroup.com, email John H. Bedard, Jr., or call (678) 253-1871.
Every week, AccountsRecovery.net brings you the most important news in the industry. But, with compliance-related articles, context is king. That’s why the brightest and most knowledgable compliance experts are sought to offer their perspectives and insights into the most important news of the day. Read on to hear what the experts have to say this week.
Judge Denies Motion to Certify Class in FDCPA Case Over Missing Disclosure in Email
If you’re like me, you have copied and pasted the wrong information into an email or document more times than you can count. The defendant in a Fair Debt Collection Practices Act case finds itself lucky after a Magistrate Court judge in California ruled that inadvertently copying and pasting the request for an admission as its response does not satisfy the numerosity requirement of certifying a class action and denied the plaintiff’s motion for certification. More details here.
WHAT THIS MEANS, FROM BRENT YARBOROUGH OF MAURICE WUTSCHER: It is somewhat odd to see the issue of numerosity turn on the interpretation of a single request for admission. Usually, there is more of a factual record from which the court can determine whether the plaintiff’s proposed class contains a sufficient number of members. According to the court record, the defendant is out of business and the defendant’s attorneys were permitted to withdraw from the case after the motion for class certification was briefed. A company cannot represent itself in federal court, so it is possible that the court will strike the defendant’s answer and enter a default judgment in favor of the individual plaintiff if the defendant does not retain new counsel.
THE COMPLIANCE DIGEST IS SPONSORED BY:
CFPB Announces Open Banking Rule as Banking Industry Retaliates with Lawsuit
The Consumer Financial Protection Bureau yesterday announced the final rule aimed at giving consumers more control over their personal financial data. The rule, part of the CFPB’s broader push toward “open banking,” requires financial institutions to allow consumers to transfer their data to other providers for free. The rule aims to spur competition, lower costs, and improve services across the banking, credit, and payments markets. It was immediately met with a lawsuit, filed by a pair of financial services organizations. More details here.
WHAT THIS MEANS, FROM LAURIE NELSON OF PAYMENTVISION: This is indeed a pivotal case that brings to light key regulatory and legal shifts in the financial sector, particularly considering the recent Supreme Court decision overturning the Chevron Doctrine. The Chevron Doctrine historically granted agencies like the CFPB considerable leeway in interpreting statutes; with its overturn, regulatory agencies could face more stringent judicial scrutiny when defending the scope of their authority. This change could make it easier for industry groups to challenge regulations they believe exceed an agency’s mandate, as the CFPB is accused of doing here.
For financial institutions, the stakes are high. The open banking rule pushes them to facilitate consumer data portability, which would increase competition but also introduces potential risks. Data breaches and compliance costs are significant concerns, especially for smaller institutions that may lack the resources to implement robust data protection or navigate complex regulatory changes effectively. Industry advocates argue that without a secure framework for data sharing, consumer data could be compromised, thereby eroding trust in the financial system.
For the CFPB, this rule represents a move toward modernized consumer protection that aligns with digital transformation trends. Still, if the lawsuit succeeds, it could reshape not only the rule in question but also future regulatory efforts. Financial technology companies, which rely on data access to innovate and offer consumer-centric services, also have a stake in this outcome, as tighter restrictions could stymie growth and reduce data-driven innovation.
Overall, this case is one to watch closely as it may redefine the balance of power between regulators, the financial industry, and consumers—and set new parameters for agency authority in the years to come.
California Appeals Court Overturns Dismissal of FDCPA Case
A California Appeals Court has overturned a lower court’s dismissal of a Fair Debt Collection Practices Act case, ruling that even a mistaken attempt to collect a debt from the wrong person can be subject to liability. More details here.
WHAT THIS MEANS, FROM JESSICA KLANDER OF BASSFORD REMELE: The consumer claimed the agency sued the wrong person, as the debt belonged to someone else with a different birth date and Social Security number. The agency argued that their mistake should prevent liability and that the consumer should have recognized the error from the incorrect address in the pleadings. The Court of Appeals dismissed the agency’s arguments, emphasizing that filing a lawsuit falsely accusing someone of owing money has serious legal consequences. Since the agency failed to establish a “bona fide error” defense, the case was sent back for further proceedings. This case highlights the critical need to verify a debtor’s identity before starting a collection action, as even a mistake can lead to an FDCPA claim.
NY DFS Releases Guidance to Address AI-Related Cybersecurity Risks
The New York Department of Financial Services has released new guidance addressing the risks associated with artificial intelligence in the financial services industry, specifically to do with cybersecurity. More details here.
WHAT THIS MEANS, FROM HEATH MORGAN OF MARTIN GOLDEN LYONS WATTS MORGAN: On October 16, 2024, the New York State Department of Financial Services (DFS) issued a letter to stakeholders addressing the cybersecurity risks posed by artificial intelligence (AI). This guidance highlights the need to understand and assess AI-related cybersecurity threats within the existing framework of the DFS Cybersecurity Regulation (23 NYCRR Part 500).
Key risks identified include AI-enabled social engineering, enhanced cyber-attacks, and vulnerabilities stemming from third-party vendors and sources. The letter encourages regulated entities to update their risk assessments to incorporate AI-specific threats and to enhance their incident response and business continuity plans. The letter stresses the importance of senior leadership oversight in managing AI-related risks and recommends implementing robust controls, such as advanced access controls, improved vendor management policies, and AI-focused cybersecurity training for employees.
While the guidance does not introduce new regulatory requirements, it serves as a crucial tool for organizations to evaluate their cybersecurity strategies in light of evolving AI adoption.
If you have heard me speak on AI before, you have heard me speak about the need for industry members should continue establish an AI policy, and AI Committee, and an AI risk assessment process. This letter falls right into the category of conducting a risk assessment for any technology used within your company that utilizes AI. This is an important area that it is important for our industry to get right and any interested companies are free to reach out to me for a free checklist of creating an AI policy, establishing an AI Committee, and conducting and AI risk assessment.
Apple, Goldman Sachs Fined $89M by CFPB for Mishandling Card Disputes
The Consumer Financial Protection Bureau yesterday announced an enforcement action against Apple and Goldman Sachs for mishandling consumer disputes and misleading users of the Apple Card. The financial penalties include a $45 million civil money penalty for Goldman Sachs, a $25 million penalty for Apple, and at least $19.8 million in redress to consumers. The CFPB’s findings highlight significant customer service breakdowns that affected hundreds of thousands of Apple Card users. More details here.
WHAT THIS MEANS, FROM JOSHUA HOWELL OF TROUTMAN PEPPER: The consent orders entered against Apple and Goldman Sachs illustrate the CFPB’s continued focus on ensuring that consumer financial services providers have the infrastructure and procedures in place to process disputes. Despite the sophistication of Apple and Goldman, in the tech and financial sectors, respectively, it appears that neither entity was prepared to handle the volume of consumer disputes that predictably ensued following the roll out of Apple Card.
CFPB Issues Guidance Over ‘Unchecked Surveillance’ of Workers
The Consumer Financial Protection Bureau is taking aim at employers using invasive technologies and third-party consumer reports to track and make decisions about workers. With new guidance issued yesterday, the CFPB warns that companies must comply with the Fair Credit Reporting Act when using such tools. More details here.
WHAT THIS MEANS, FROM LESLIE BENDER OF EVERSHEDS SUTHERLAND: The Fair Credit Reporting Act (the “FCRA”) applies to modern resources employers use to make any employment decisions – including background dossiers, algorithmic scopes, and any other third-party reports, says the Consumer Financial Protection Bureau (“CFPB”). Employers of all types must adhere to the FCRA’s requirements when using any information obtained from third parties if they use that information to hire, promote, demote, retain, reassign or make any other hiring decision. Reasons the CFPB in its new Circular 2024-06, these vendors or third-party providers of this information are “consumer reporting agencies,” and as such, their work and any employer use of their reports are regulated by the FCRA. To re-align with the FCRA’s original goals and purpose, the CFPB has taken the position that individuals are entitled to transparency in knowing what information is or has been collected about them, what it says, and how it is being used to make employment-related decisions.
What are the practical implications of this FCRA/employment circular?
First, companies that compile and distribute these dossiers must ensure the “accuracy and integrity” of the information in these dossiers and, further, that any company wishing to acquire them has a “permissible purpose.” If these entities also fall within California’s broadly defined “data brokers” category, they also should have registered as such in California in anticipation of California’s Delete Act taking effect on or about January 1, 2026. Any employer who regularly provides, upon request, dossiers or background information to other prospective employers on a regular basis about current or former employees – may inadvertently be “consumer reporting agencies” as a result and subject to the FCRA.
Second, the individuals whose information has been compiled into these reports are entitled to know if any information in the report may be used by an employer who is planning to take adverse action such as refuse to hire, demote, or any other negative employment-related decision based upon the contents of the report. Individuals will be entitled to receive FCRA adverse action notices and to know what report is being used that may contain negative information about them.
Third, individuals are entitled to dispute all or a portion of the information in these reports. Employers using these reports must become familiar with the FCRA’s adverse action rules and may need to implement practices to assure they are complying with them.
Fourth, the CFPB circular takes a very broad view of “reports.” These may include results of monitoring workers, remote work monitoring, third party technologies including artificial intelligence that track / assess / evaluate workers, records or neural or other biometric information about workers collected from wearables or other sources. In a production environment, measures of time or even emotions during customer or sales contacts for example by a voice analytics tool, driving habits measured by a tool that can geoposition an employee and potentially record how frequently the driving employee observes speed limits, information systems’ reporting around activities like employees’ turnaround times for completing tasks, time spent on- and off- task, web browsing, even keystroke frequency – if and when sold or sourced to employers by third-party data vendors may be subject to the CFPB’s caution about full transparency in employers’ collection, use and decisioning using this information. All of these reports and this surveillance data could be regarded by the CFPB as consumer reports and subject to the FCRA.
Fifth, companies that provide evaluative services on employees’ potential and who “assemble” or “evaluate” consumer information either directly or indirectly by using that information to train an algorithm that produces scores or predictions about an employee’s or potential employee’s job skills (or suitability for a position) may also be subject to the FCRA. An example might be an app or other tool an employer uses to track an employee who drives or travels as part of their job responsibilities.
There is tension between the subject matter of the new CFPB Circular 2024-06 and a number ofkey privacy and information security priorities. Open are questions about how and when data, reports or information may be compiled for “know your customer” purposes or workplace safety purposes. Businesses may want to take stock not only of their internal processes and reasons for acquiring dossiers or other background information on existing or prospective hires – but may also want to balance the amount and method for collecting that information against those business reasons for obtaining and using that information. Have employees been asked for their permission for that information to be collected or used in employment decisions? Despite an employer’s best efforts, is the employer testing the outcome of its use of what the CFPB calls “surveillance information” to assure the employer is not inadvertently running afoul of other antidiscrimination or similar laws and regulations. Bottom line says the CFPB, an employer using any of these dossiers, algorithmic scores, or other reports that are in essence “consumer reports” about job candidates or employees, must adhere to the FCRA.
Judge Denies Motion to Compel Defendant to Turn Over Info About Debt Collection Activities
Most days, when it comes to writing about legal rulings, I tend to stick to rulings that are considered dispositive — where a motion to dismiss or motion for summary judgment or motion for judgment on the pleadings are ruled on — motions that can bring a case to an end. Today’s case is a little different. Consider it a palette cleanser. A different type of ruling that I don’t write about too often. I imagine that we’ll return to our regularly scheduled legal updates tomorrow. More details here.
WHAT THIS MEANS, FROM DAVID SHAVER OF SURDYK DOWD & TURNER: Magistrate Judge Barbara L. Major’s Order in Garcia v. Navy Federal Credit Union is a worthwhile read for counsel and agencies alike who have to deal with responding to discovery requests in litigation. In Garcia, NFCU’s counsel did a good job of making specific and particularized objections to broad and (arguably) burdensome discovery requests. Had NFCU’s counsel fallen back on boilerplate objections or objections that were less tailored to the specific discovery requests being made, the result here could have been different and far more information/documentation might have been ordered to be produced. Because the scope of discovery is typically quite broad, boilerplate objections will never take you very far and an agency’s interests will be better served by taking time, up front, to consider carefully what is being asked and how it fits into the broader discovery puzzle. If there is an applicable objection, make it and make it specific so it has a better chance of withstanding scrutiny if challenged later on.
ACA International Sues NYC Over New Debt Collection Regs
ACA International on Friday sent out an alert to its members letting them know that the association, on behalf of one of its members, has filed a lawsuit seeking to block the enactment of debt collection rules that are slated to go into effect in New York City in December. The suit, filed against New York City Mayor Eric Adams, the city’s Department of Consumer and Worker Protection, and DCWP Commissioner Vilda Vera Mayuga, argues that the new rule, which is set to take effect on December 1, violates the Constitution and is preempted by federal and state law. More details here.
WHAT THIS MEANS, FROM NABIL FOSTER OF BARRON & NEWBURGER: If this seems like “déjà vu”, you are not alone. A word to the wise, whether or not “wicked this way comes,” the truth is that “out of these convertites, There is much matter to be heard and learn’d.”
Way back in 2020, New York City Department of Consumer Affairs (“DCA”) proposed amendments to NYC’s debt collection rules to add a language preference for each consumer and additional reporting obligations to the DCA. The effective date for those rule amendments was postponed a few times after certain segments of the ARM industry snapped into action. Those 2020 DCA regulations eventually became effective, and everyone had more time to make the necessary adjustments to comply. Without getting too specific, the consensus is that this latest surge regulation amendments are complicated. But when did any “new” regulation not appear to be complicated?
The suit filed against the NYC DCA will certainly slow the rollout of the next wave of regulations in NYC and this suit will bring attention to the inconsistencies and contradictions within those proposed rules. We can only hope that much is learned from these civil controversies, such that future regulatory discussions between the DCA and the ARM industry will result in rule amendments that are fair and free from contradictions.
Judge Orders Non-Party Collection Operations to Share Info in FDCPA Case Over Whether Defendants Meet Definition of Debt Collector
A Magistrate Court judge in Utah has partially granted a plaintiff’s motion to compel several collection operations to comply with subpoenas in a Fair Debt Collection Practices Act case in which the defendants are attempting to argue they do not meet the statute’s definition of a debt collector. The ruling, delivered by Judge Daphne A. Öberg, found that while most of the plaintiff’s requests were valid and relevant, some limitations were necessary to avoid undue burdens on the non-party collection operations. More details here.
WHAT THIS MEANS, FROM LORI QUINN OF MESSER STRICKLER BURNETTE: Plaintiff brought an action against Defendant’s a collection law firm and an individual attorney from that firm alleging they wrongfully attempted to collect a debt that was owed by a different person despite the same name. Plaintiff claimed that Defendant was a “debt collector” under the FDCPA. Defendants argued they did not qualify as debt collectors as defined under the FDCPA. Plaintiff served subpoenas on non-parties seeking documents Plaintiff deemed relevant to show Defendants were debt collectors.
Then nonparties parties filed oppositions to the motions to compel arguing the documents sought subpoenas were irrelevant, unduly burdensome, the documents were sought for use in other cases, the documents were more appropriately sought from named defendants, the subpoenas violate Rule 45 geographical limits, the FDCPA bars disclosure of some of the information and the subpoenas require them to create documents.
Plaintiff argued the documents were necessary to show the Defendants were debt collectors as defined under the FDCPA. The Court found “for the most part” the documents are relevant to the claims and defenses in the action dissuaded by nonparties arguments that it was unduly burdensome, sought for use in other cases, that the subpoena’s violated Rule 45. Ultimately, the Court granted Plaintiff’s motions but allowed non-parties to redact other debtors’ names, case numbers and payment amounts and could not require the non-parties to create spreadsheets that don’t already exist.
I’m thrilled to announce that Bedard Law Group is the new sponsor for the Compliance Digest. Bedard Law Group, P.C. – Compliance Support – Defense Litigation – Nationwide Complaint Management – Turnkey Speech Analytics. And Our New BLG360 Program – Your Low Monthly Retainer Compliance Solution. Visit www.bedardlawgroup.com, email John H. Bedard, Jr., or call (678) 253-1871.