Alston & Bird Consumer Finance Blog

Gramm Leach Bliley Act (GLBA)

Alston & Bird Adds Consumer Finance Partner Aldys London in Washington, D.C.

Alston & Bird has strengthened and expanded its capabilities for advising companies on state and federal consumer finance regulatory compliance issues with the addition of partner Aldys London in the firm’s Washington, D.C. office. Her clients include mortgage companies, consumer finance and FinTech companies, secondary market investors, real estate companies, home builders, insurance companies, banks, and other financial institutions and settlement service providers.

“It’s a pleasure to welcome Aldys, who brings deep experience and a sterling reputation for counseling consumer financial service entities as they navigate complex regulatory issues, including licensing, the intersection of state and federal regulatory compliance, and key approvals for transactions,” said Nanci Weissgold, Alston & Bird partner and co-chair of the firm’s Financial Services & Products Group. “With our shared emphasis on collaboration and excellent service, we are confident that she will successfully draw on our firm’s vast resources and expertise to benefit her clients.”

London provides advice on state licensing for mortgage lenders and related service providers, mortgage brokers, FinTech companies, lead generators, servicers, debt collectors, and investors. She is well versed in federal registration and licensing requirements imposed by the SAFE Act, as well as state laws and regulations concerning fees, disclosures, loan documentation, interest rates, privacy, advertising, data breach, and telemarketing.  Her practice also covers seeking and maintaining approvals from state and federal agencies and GSEs.  She is adept at federal laws governing real estate mortgage transactions, including preemption, privacy, fair lending and consumer protection.

In addition, London assists a variety of consumer financial services companies in obtaining regulatory approvals for complex acquisitions, mergers, and asset transfer transactions. She performs due diligence reviews for proposed acquisitions and IPOs, reviews and prepares policies and procedures, conducts regulatory compliance audits of financial institutions, and assists with structuring and developing compliance and training programs. She also assists clients with responses to regulatory audits and investigations by state and federal regulators.

“Clients rely on Aldys’ sound counsel because of her technical rigor and thorough understanding of the consumer finance market,” said Stephen Ornstein, Alston & Bird partner and co-leader of the firm’s Consumer Financial Services Team. “Her legal skills, combined with her excellent business sense and ability to develop strong relationships, make her a valuable asset to our firm and our clients.”

Alston & Bird’s Consumer Financial Services Team focuses on the regulation of consumer credit and real estate, with a broad emphasis on origination, servicing, and secondary mortgage market transactions. This team addresses the compliance challenges of major Wall Street financial institutions, federal- and state-chartered depository institutions, hedge funds, private equity funds, national mortgage lenders and servicers, mortgage insurers, due diligence companies, ancillary service providers, and others.

FTC Announces Settlement with Mortgage Broker for Publishing Personal Information about Consumers

A&B ABstract:

On January 7, 2020, the Federal Trade Commission (FTC) announced a complaint and settlement against California mortgage broker Mortgage Solutions FCS, doing business as Mount Diablo Lending, and its owner, Ramon Walker, (collectively, Mortgage Solutions).  The FTC’s complaint (Complaint) alleged that in response to negative Yelp reviews posted by applicants and customers, the company publicly posted sensitive personal information, including financial information, about those individuals gleamed that it gleaned from mortgage applications and credit report.  Specifically, according to the Complaint, that information included sources of income, payment and credit histories, taxes, family relationships and health. The FTC alleged that Mortgage Solutions’ actions violated the Fair Credit Reporting Act (FCRA), the Gramm Leach Bliley Act (GLBA) and Section 5 of the FTC Act. As part of the settlement, Mortgage Solutions will pay a $120,000 civil penalty for violating the FCRA.

Discussion

The Complaint, filed in the U.S. District Court for the Northern District of California by the U.S. Department of Justice on behalf of the FTC, alleges that between June 2015 and August 2016, defendant Walker published or caused to be published responses to negative consumer reviews about Mortgage Solutions’ services that appeared on the consumer review website, Yelp.com, that were publicly viewable on Yelp’s page for Mount Diablo Lending.  The Complaint also alleges that required privacy notices provided to customers were inadequate and were not followed, and that the company’s information security program was inadequate.   A summary of the FTC’s complaint counts follows:

Violations of the FCRA: 

The Complaint alleges that Mortgage Solutions impermissibly used consumer reports in violation of the FCRA.  According to the Complaint, some of the personal information that Mortgage Solutions publicly posted about consumers was information contained in consumer reports it obtained.  The FCRA allows use of consumer reports only for the permissible purposes identified in section 604(a) of the FCRA; however, public dissemination – such as Mortgage Solutions’ posting of consumers’ information on Yelp.com – is not a permissible purpose

Violation of the GLBA Privacy Rule (Regulation P): 

The Complaint alleges that Mortgage Solutions failed to provide a clear, conspicuous and accurate privacy notice and impermissibly disclosed non- public personal information about some of its customers in violation of the GLBA Privacy Rule.  The Privacy Rule requires, among other things, that a financial institution provide annually a clear and conspicuous notice to customers that accurately reflects the financial institution’s privacy policies and practices, including its security policies and practices.

According to the Complaint, from October 2012 until April 2018, Mortgage Solutions disseminated a privacy notice that omitted or misstated significant information. Among other things, the notice indicated that the only personal information collected by Mortgage Solutions is customers’ Social Security numbers and that Mortgage Solutions did not share this personal information with any third party for any reason. In fact, the company collected myriad types of sensitive personal information, including income information, credit histories, and dates of birth.  The Complaint further alleges that Mortgage Solutions’  posting of customer information on Yelp.com caused the privacy notice to be inaccurate, and additionally violated the Privacy Rule

Violation of the GLBA Safeguards Rule:

The Complaint alleges that  Mortgage Solutions failed for a period of time to develop and implement an information security program, and when it did implement a program, it fell short of regulatory standards.  The Safeguard’s Rule requires financial institutions to implement a comprehensive written “information security program” containing reasonable administrative, technical, and physical safeguards. It further requires that financial institutions regularly test or otherwise monitor the effectiveness of the safeguards’ key controls, systems, and procedures.

According to the Complaint, Mortgage Solutions did not have an information security program until September 2017 (in spite of being in business since at least 2012), and when it did finally implement a plan, the plan made no provision for regularly testing or assessing its own effectiveness.  Further, according to the complaint, Diablo failed to engage in such regular testing or assessment.

Violation of Section 5 of the FTC Act: 

The Complaint alleges that publicly posting consumers’ personal information was deceptive and unfair under Section 5 of the FTC Act.

Relief:

In addition to paying a $120,000 civil penalty, the terms of the settlement prohibit Mortgage Solutions from misrepresenting its privacy and data security practices; misusing credit reports; and improperly disclosing personal information to third parties. It also must implement a comprehensive data security program designed to protect the personal information it collects and obtain third-party assessments of its information security program every two years. Finally, the company must designate a senior corporate manager responsible for overseeing the information security program to certify compliance with the order every year.

Takeaways

The FTC is continuing to assert its authority against financial institutions within its jurisdiction, including its general authority to prevent unfair and deceptive acts or practice under the FTC Act, and its authority with respect to the FCRA and GLBA.

In addition, this case represents the FTC’s latest effort to crack down on companies who attempt to restrict or retaliate against consumers negative public reviews on social media and other public websites.  In 2019 the FTC announced five cases alleging violations of the Consumer Review Fairness Act, which bans form contract provisions that restrict a consumer’s ability to post reviews about a seller’s goods, services, or conduct. Those cases challenged illegal “confidentiality” or “non-disparagement” clauses that sometimes threatened consumers with financial penalties for posting reviews.