Last Week, This Morning

December 22, 2025

Below you will find several key developments in the financial services industry, including related developments in information privacy and data security, from the past week. We add an "Amicus Brief(ly)¹" comment to each item, where we briefly (see what we did there?) note for friends (and again?) of CounselorLibrary the important takeaways from the developments outlined in the email. Our legal reporters - CARLAW, HouseLaw, InstallmentLaw, PrivacyLaw, and BizFinLaw - provide more comprehensive, real-time updates of federal and state laws, regulations, litigation, and other industry items of interest. For a personal guided tour and free trial of any of these legal reporters, please contact Michael Willer at 614-855-0505 or mwiller@counselorlibrary.com.

Please note that we will not deliver "Last Week, This Morning" next week due to the holidays. The next email will be delivered to your inbox on Monday, January 5. We wish you a very happy holiday season!

FTC Announces Proposed Consent Order with Company over Alleged Security Failures that Resulted in Theft of $186 Million from Customers

On December 16, the Federal Trade Commission announced a proposed consent order with a company that allegedly violated the Federal Trade Commission Act by failing to implement adequate data security measures, leading to a major security breach in which hackers stole $186 million in cryptocurrency from the company's customers. According to the FTC, the company has recovered less than half of the stolen funds.

According to a complaint drafted by the FTC's Bureau of Consumer Protection, the company, which operates software that allows customers to move digital assets back and forth between different blockchains, prominently advertised the security of its services but nevertheless failed to use secure coding practices, failed to implement processes for receiving and addressing vulnerability reports and for responding to security incidents, and failed to use widely known technologies that might have helped mitigate the losses. Specifically, the FTC alleged that, in June 2022, the company deployed inadequately tested code that introduced a significant vulnerability. Just over a month later, hackers began exploiting the vulnerability, and the company allegedly failed to respond to the attack promptly because of its inadequate security and incident response measures, even though it allegedly had been warned about the dangers of inadequate testing and the need to ensure that it had adequate staff and security in place.

Under the proposed order settling the allegations set forth in the FTC's complaint, the company will be prohibited from making misrepresentations about its security practices and will be required to:

  • establish, implement, and maintain a comprehensive information security program that is designed to protect customers' financial assets against loss from theft or other unauthorized access;
  • obtain initial and biennial assessments by an independent third party;
  • provide annual certifications of its compliance with the proposed order; and
  • return to affected customers all recovered money that has not already been returned.

The consent order will be subject to public comment for 30 days after publication in the Federal Register, which is expected shortly, and thereafter the FTC will decide whether to make the proposed consent order final.

Amicus Brief(ly): Data privacy and security are of paramount importance not just because of the law but also for customer retention. Who wants to provide personal information to a company that does not lock it down? Add the fact that the alleged security failures in this case involved financial assets, and it seems like FTC action was a matter of "when," not "if." The outcome may not satisfy customers who lost their crypto assets to hackers and think the custodian of those assets should endure a fine that sends a message. The proposed consent order does not include a separate financial penalty, just a requirement that the provider make restitution to customers out of the money it has recovered. Other than the assessment and certification requirements, the order simply requires the provider to adopt and maintain an information security program that it should have already had.

CFPB Releases FDCPA Annual Report

The Consumer Financial Protection Bureau recently released its annual report on the Fair Debt Collection Practices Act, summarizing certain activities carried out by the CFPB and other federal agencies relating to debt collection during 2024.

The report provides an overview of consumer complaints concerning debt collection that were submitted to the CFPB in 2024. The report found that the CFPB received approximately 207,800 debt collection complaints in 2024, seven percent of the total number of complaints received that year. Companies responded to approximately 97 percent of the debt collection complaints sent to them for review and response. When looking at debt collection complaints by category of debt, the report found that credit card debt was the most complained-about category (18 percent of complaints) after the "I do not know" category (45 percent of complaints), which presumably is selected when a consumer does not know the type of debt that is allegedly being collected. The issue that consumers complained about most was that debt collectors attempted to collect debts that consumers allegedly did not owe. This has been the most common issue raised by consumers since the CFPB began accepting debt collection complaints in 2013. Consumers also commonly complained that written notifications about debt failed to disclose that they were attempts to collect a debt and failed to provide enough information for consumers to verify the debt or the account in question.

The FDCPA report also includes a summary of the agency's recent supervisory activities related to consumer debt collection. Some of the violations found during supervisory examinations of larger participant debt collectors include:

  • failure to provide debt validation notices to consumers within five days of the initial communication with the consumer in connection with the collection of a debt when such validation information was not provided in the initial communication;
  • use of false, deceptive, or misleading representations in connection with the collection of a debt by: (1) using a business, company, or organization name other than the debt collector's true name, and (2) failing to disclose in communications with consumers that the debt collector is attempting to collect a debt and that any information obtained will be used for that purpose;
  • communicating with consumers at inconvenient or unusual times or places, including sending payment reminder emails to consumers before 8 a.m. and continuing phone conversations with consumers after being informed by the consumer that it was an inconvenient time or place to talk;
  • harassing, oppressive, or abusive conduct, including verbally abusive language during debt collection calls with consumers or placing an excessive amount of collection phone calls to consumers after being specifically asked to stop;
  • failure to cease communications through a specific medium after the consumer requested that the debt collector not use that medium to communicate; and
  • failure to disclose in subsequent communications with consumers that the communication is from a debt collector, including in communications from service providers acting on behalf of debt collectors.

Amicus Brief(ly): Not much news in this year's report, but that is what we expected. Specifically, the new-look CFPB is not inclined to dream up new FDCPA violations, but it appears to have unearthed a lot of the usual complaints from consumers and the usual concerns that the industry wrestles with consistently. For example, the "right customer, right amount" complaint that the Bureau reports as the single most common complaint since it opened the complaint portal also showed up as a primary reason for writing Regulation F. The goal of the CFPB's complaint portal is to make it easier for debt collectors and consumers to communicate using the method most comfortable for the consumer, in the hope that establishing a communication channel allows the consumer to raise concerns about the alleged debt with the debt collector early. It is important to note that the complaint portal does not assess the validity of consumer complaints, so the number of actual cases of mistaken identity or pursuit of the wrong amount in collection may be lower than the numbers reported by the CFPB. Either way, the FDCPA report identifies the "hot topics" in debt collection, providing debt collectors and servicers with a form of compliance checklist to make sure they have strong policies and procedures in place to address these common collection issues.

OCC Files Amicus Brief in Colorado DIDMCA Opt-Out Case

On December 16, the Office of the Comptroller of the Currency filed an amicus brief with the U.S. Court of Appeals for the Tenth Circuit in the case of National Association of Industrial Bankers v. Weiser in support of the plaintiffs' petition for rehearing en banc. On November 10, the Tenth Circuit lifted a district court's preliminary injunction that enjoined Colorado from enforcing its 2023 legislation in which the state exercised its right to opt out of the Depository Institutions Deregulation and Monetary Control Act of 1980.

DIDMCA is a federal law that is intended to place state-chartered banks on equal footing with national banks with respect to the rate of interest they may charge on loans. Through Section 521 of DIDMCA, codified at 12 U.S.C. § 1831d, Congress preempted state laws that capped interest at lower rates and gave state banks access to the same interest rates available to national banks. However, under Section 1831d, any state can opt out of this national standard for "loans made in such State."

The plaintiffs in Weiser - three trade groups - filed a complaint in Colorado federal court challenging the state's opt-out legislation, which was intended to enforce Colorado's interest rate caps on loans made by out-of-state banks to Colorado borrowers. The plaintiffs argued that Colorado's opt-out for "loans made in such State" encompasses only loans made by state banks located in Colorado. The district court granted the trade groups a preliminary injunction, but the Tenth Circuit lifted that injunction last month. The Tenth Circuit held that "loans made in such State" refers to loans in which either the lender or the borrower is located in the opt-out state. According to the Tenth Circuit, because Colorado opted out of Section 1831d, that statute no longer preempts Colorado's interest-rate cap for loans made by out-of-state banks to Colorado borrowers. Therefore, the Tenth Circuit concluded that "[w]ithout Section 1831d's preemptive force, the rationale for the preliminary injunction falls apart. We have no basis under Section 1831d to enjoin [Colorado] from enforcing Colorado's interest-rate caps."

The OCC's brief argues that the Tenth Circuit's decision "undermines the benefits of the federal interest rate framework that Congress granted to state banks and places them at a significant competitive disadvantage compared to national banks." The OCC's brief states that, "[i]n reversing the issuance of the District Court's injunction against the Defendants, the panel accepted Colorado's expansive reading [of its opt-out right under DIDMCA]. Its holding, if left in place, will almost certainly lead to a decision on the merits that fundamentally alters the application of this federal interest-rate framework for state banks. Such an outcome would inject uncertainty into the framework, undermine the benefits that Congress has sought to provide to state banks in DIDMCA, and create significant challenges for state banks that wish to lend across state lines. This outcome would also advantage national banks over state banks, which is inconsistent with Congress's expressly codified competitive-equality goals. As a result, the panel decision threatens to diminish the vibrancy of the dual banking system and to harm consumers by reducing their access to credit across the country."

Amicus Brief(ly): We are on the edge of our seats waiting for the outcome of this pending case that has big implications for state bank lending, including loans made through bank partnerships. The plaintiffs, and the OCC in support, lay out for the Tenth Circuit the understanding that most of us had about the impact of a Section 521 opt-out when only Iowa and Puerto Rico had opted out of the state-chartered bank interest rate exportation provisions. The pending decision from the Tenth Circuit will almost certainly see an appeal from the side that does not prevail. With more states considering opt-outs like Colorado's, an appeal could queue up a landmark U.S. Supreme Court case with far-ranging impacts on interstate bank lending. We are here for it.

Massachusetts AG Reaches $4.65 Million Settlement with Mortgage Loan Servicer

On December 17, the Massachusetts Attorney General's Office announced that it reached a $4.65 million settlement with a Delaware-based servicer of residential mortgage loans secured by nearly 24,000 properties in Massachusetts, resolving allegations that the servicer committed unfair and deceptive acts or practices in violation of the Massachusetts Consumer Protection Act and violated the commonwealth's home ownership preservation law, foreclosure prevention law, debt collection regulations, and COVID-19 foreclosure and eviction moratorium.

Specifically, the AG alleged that the mortgage loan servicer:

  • sent letters to borrowers stating that they must cure their defaulted loans within only 33 days, when G.L. c. 244, § 35A provides a 90-day right-to-cure period;
  • failed to take reasonable steps to avoid preventable foreclosures as required by G.L. c. 244, § 35B, including, among other things, by: (1) failing to notify borrowers of their right to pursue a loan modification prior to foreclosure, (2) failing to timely respond to borrowers' loan modification applications, (3) failing to provide borrowers with a written assessment of their loan modification applications, (4) failing to, within five days of receipt of loan modification applications, send missing document letters identifying any additional information that is required in order to complete its assessment, and (5) requiring borrowers to pay an up-front down payment as a precondition to obtaining or entering into an otherwise affordable loan modification or modification trial plan without subjecting the up-front payment demand to an affordability analysis;
  • failed to provide debt validation notices to defaulted borrowers within five days of the initial collection communication and initiated more than two collection communications to borrowers within a seven-day period, in violation of the debt collection regulations; and
  • failed to provide accurate information and the required relief to borrowers who were financially impacted by the COVID pandemic.

Amicus Brief(ly): The active Massachusetts AG imposed a fairly large penalty on the servicer in this case as a result of what appear to be unforced errors. As always, it is important to note that the servicer denies the allegations and is entering into the Assurance of Discontinuance for settlement purposes only. Accepting the allegations as true, though, at least for the purpose of compliance takeaways, it looks like the servicer needed a system for tracking law changes and/or for monitoring or auditing servicing practices for compliance with Massachusetts law. The required cure period should be well known to Massachusetts mortgage loan servicers, as should the loss mitigation procedures and the limitations in the AG's debt collection regulation. We can take this outcome as a reminder to tune up and audit compliance management systems in 2026 to make sure we are not missing the low-hanging fruit.

Credit Repair Company Settles Claims Concerning Allegedly Unlawful "Piggybacking" Practices

The administrator of the Colorado Credit Services Organization Act recently entered into a stipulation and final order with a company that provides credit repair services to consumers. The company allegedly claimed to help consumers improve their credit scores by paying individuals with good credit ("account owners") to permit consumers with poor or no credit to be added as authorized users to those individuals' credit card accounts - a practice known as "piggybacking." The company allegedly made unsubstantiated or misleading representations about the benefits of this practice, including stating on its website that "[o]ne of the best methods for potentially improving your credit score is buying authorized user tradelines." The company also claimed that authorized users could "share the credit history" of the account owners even though authorized users were expressly prohibited from using any of the credit available to the account owners and prohibited from contacting the account owners or the account owners' creditors. The administrator also alleged that the company failed to provide disclosures required under state law.

Under the order, the company has agreed to cease providing credit repair services to Colorado consumers and pay the state $20,000 in penalties.

Amicus Brief(ly): The industry should cheer this result. The "piggybacking" practice can wreak havoc on credit scores and underwriting models that rely on accurate data for approve/decline decisions and terms of credit. Credit repair organizations should not be promoting that deceptive consumer practice. Colorado has been one of the most active states in consumer financial protection over the past several years, sometimes overdoing it to the industry's detriment. But the outcome of the regulator's investigation in this case is an encouraging resistance to a deceptive consumer practice with potentially dramatic consequences for the system.


¹ For the unfamiliar, an "Amicus Brief" is a legal brief submitted by an amicus curiae (friend of the court) in a case where the person or organization (the "friend") submitting the brief is not a party to the case, but is allowed by the court to file the brief to share information or expertise that bears on the issues in the case.