NY DFS Brings First Data Security Action

Ballard Spahr LLP

The New York State Department of Financial Services (DFS) has announced that it has entered into a consent order with an online payday loan lead generator and its chief executive officer (CEO) (collectively, respondents) to settle charges that they marketed payday loans despite knowing that the loans violated New York's usury laws.

DFS also alleges that the respondents misrepresented to consumers that their personal information was secure, even though the respondents sold the information to payday lenders and lead aggregators without requiring them to protect the information. The DFS describes the action as the Department's "first action to require a company to implement consumer data security measures to its future collection of consumers' personal information." The consent order requires the respondents to pay a $1 million penalty, cease payday loan lead generation activities in New York, and provide new consumer disclosures.

According to the consent order, the respondents advertised and solicited customers for payday and installment loans through websites they operated. Consumers were referred by the respondents to a network of payday lenders, lead aggregators, and other third parties that provided or marketed various financial products or services (lead buyers). The respondents would share with lead buyers personal consumer information captured by their websites from consumers submitting online applications, such as names, addresses, Social Security numbers, dates of birth, and bank account numbers.

The consent order states that the respondents assured consumers that the information on their websites "stays safe" and represented on their websites' home pages and on different pages of their online loan application that protecting consumers' personal information was "at the top of our priority list" and such information was "completely protected 24/7 GUARANTEED." It further states that, despite these representations, the company did not take any protective measures when sharing consumers' personal information with third parties and sold the information to lead buyers under the terms of agreements that did not require them to protect such information. According to the consent order, the respondents received complaints from customers claiming that, after submitting online applications, they received phone calls and other communications seeking to collect on loans they had not taken out or obtain advance payments to secure loans that were never issued.

In connection with the consent order's requirement for the respondents to cease lead generation activity for financial products or services that do not comply with New York law, they must include statements in advertising for products or services that do not comply with New York law that such services are unavailable to New York residents. They must also take various steps to ensure that they do not collect personal information from New York consumers for the purpose of making referrals to providers or marketers of financial products or services that are not compliant with New York law. For example, the respondents must require a consumer to enter a ZIP code before any personal information can be submitted online and disable their websites from accepting applications from consumers entering a New York ZIP code. 

To accept personal information of New York consumers in connection with referrals to providers or marketers of financial products or services that are New York-compliant, the respondents must provide a specified notice stating that the company "does not guarantee" the security of personal information sold to or shared with third parties. It must also follow security protocols for such information that include certain specified components. In addition, the company must pay damages to any New York consumer who suffered identity theft traceable to a data security breach of the company's systems or the sharing or sale of the consumer's personal information with a person or entity whom the respondents knew or should have known would not take reasonable steps to protect the information.

This action is noteworthy for two reasons. First, like the Consumer Financial Protection Bureau's (CFPB) pending case against a company for servicing payday loans, the action is another example of a regulator attempting to cut off online payday lenders by attacking their partners and affiliates. Second, although the DFS frames the violation as a misrepresentation, it essentially holds the respondents responsible for the data security measures of their business partners.

Earlier this month, the CFPB announced its first data security enforcement action. Although data security issues have primarily been the domain of the Federal Trade Commission (FTC) since the 1990s, the actions of the DFS and CFPB signal that data security is becoming a focus for an expanding group of regulators.

Members of Ballard Spahr's Consumer Financial Services and Privacy and Data Security Groups regularly advise financial institutions on the increasing intersection between consumer financial services laws, privacy and data security issues, and third-party risk management. We help evaluate, operationalize, and monitor new and existing products and services to ensure that financial institutions are regularly meeting their privacy and data security obligations in a rapidly evolving regulatory landscape. We regularly counsel financial institutions when engaging with federal agencies, such as the CFPB and the FTC, and with state regulators such as the DFS, New York Attorney General, and New York City Department of Consumer Affairs.

The firm's White Collar Defense/Internal Investigations Group represents clients across a range of industries, including financial institutions, in government investigations ranging from regulatory actions and state and federal grand juries to search warrants and warrantless searches. Our attorneys have substantial experience in handling litigation with the New York County District Attorney, DFS, and the New York Attorney General.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Ballard Spahr LLP | Attorney Advertising
