State Attorneys General

Consumer financial services companies are hopeful that the Supreme Court’s pending decision in Timbs v. Indiana will provide a Constitutional basis for challenging fines and penalties levied by state attorneys general and regulators.  The Supreme Court heard oral argument on November 28 on the issue of whether the Excessive Fines Clause has been (or should be) made applicable to the states through the Fourteenth Amendment.

Petitioner Tyson Timbs pled guilty to dealing a controlled substance and received a six-year sentence of mixed home detention and probation.  In addition, Timbs agreed to pay fines and court costs.  At the time of his conviction, the State of Indiana allowed a maximum fine of $10,000 for the underlying offense.  However, several months after Timbs’ sentencing, the State filed a case seeking civil forfeiture of a vehicle worth approximately $40,000 that Timbs drove at the time of his arrest.  After an evidentiary hearing on the State’s request, the Indiana trial court determined the forfeiture was grossly disproportionate to the underlying crime and therefore unconstitutional under the Eighth Amendment’s Excessive Fines Clause.  On appeal, the Indiana Supreme Court unanimously reversed on the basis that the U.S. Supreme Court has not held that the Excessive Fines Clause applies to the states.

The questions posed by the justices at oral argument suggest a consensus among the bench that the Excessive Fines Clause of the Eighth Amendment is applicable to the states under the Fourteenth Amendment.  However, the questions during oral argument suggest some disagreement on the scope of the rights protected by the Excessive Fines Clause.

Many state attorneys general and state regulators have heightened their supervisory and enforcement activity over consumer financial services companies in the wake of a perceived slackening of enforcement at the federal level, particularly from the Bureau of Consumer Financial Protection.  The industry is hopeful that a Timbs v. Indiana decision applying the Eighth Amendment Excessive Fines Clause against the states could provide significant protection from fines and penalties sought by states.

Last month, Troutman Sanders reported on the proposed TRACED Act which would instruct the Federal Communications Commission to engage in rulemaking to protect consumers from receiving unwanted calls and text messages from unauthenticated phone numbers.  FCC Chairman Ajit Pai tweeted his approval for the bill, but the FCC is not waiting on Congress to fight robocalls.  On November 21, it released its final report and order on creating a reassigned numbers database.

According to the FCC’s press release, the final draft of the report and order would create a comprehensive database to enable callers to verify whether a telephone number has been permanently disconnected, and is therefore eligible for reassignment, before calling that number, thereby helping to protect consumers with reassigned numbers from receiving unwanted robocalls.

More specifically, this proposal changes the existing federal regulatory scheme by:

  • Establishing a single, comprehensive reassigned numbers database that will enable callers to verify whether a telephone number has been permanently disconnected, and is therefore eligible for reassignment, before calling that number;
  • Establishing a minimum aging period of 45 days before permanently disconnected telephone numbers can be reassigned;
  • Requiring that voice providers that receive North American Numbering Plan numbers and the Toll Free Numbering Administrator report on a monthly basis information regarding permanently disconnected numbers; and
  • Selecting an independent third-party administrator, using a competitive bidding process, to manage the reassigned numbers database.

Pai announced the items tentatively included on the agenda for the December Open Commission Meeting scheduled for Wednesday, December 12. Considering that robocalls are the number one basis of complaints filed with the FCC and the speed in which the issue has been addressed, it will come as no surprise if the proposal is passed at the meeting.

Troutman Sanders will continue to monitor this and related FCC’s rulemaking decisions.

The Minnesota Department of Commerce recently entered into a consent order with collection agency Range Credit Bureau, Inc. regarding its compliance practices.

The Commissioner found numerous regulatory and compliance infractions, including the company’s ongoing failure to file an Unclaimed Property report with the state for funds owed to a customer whom the company could not locate; failure to implement an appropriate compliance management system; failure to establish background check procedures for the company’s individual collectors; and the company’s unlicensed collection activity in Minnesota and other states.

The order emphasizes the importance of strong internal compliance policies and systems.  Significantly, the Department of Commerce found violations not only for Range Credit’s collection activities, but also for its practices with respect to non-collections laws, such as background checks and state escheat obligations.

In addition to a monetary penalty of $50,000 (with $10,000 stayed, reducing the actual penalty to $40,000), the Consent Order requires Range Credit to take specific, compliance-oriented actions, including:

  • Developing and implementing a Compliance Management System (“CMS”), which includes a written Compliance Program.  The Compliance Program is required to address obligations for debt collection activities under state and federal law and include policies to prevent violations of consumer protection laws, a training program, a CMS monitoring system, and a complaint monitoring system.
  • Developing and implementing a background check policy; and
  • Completing an internal audit of all unclaimed funds and reporting the funds to the state.

This consent order highlights that regulators are considering not only whether a company or a collector holds a proper license, but also head-to-toe compliance practices.

In March 2018, the Predatory Lending Unit of the Virginia Attorney General Office’s Complaint against online lender Future Income Payments (“FIP”) began with the words of Sir Walter Scott: “what a tangled web we weave when we first practice to deceive.”[1] The lawsuit charged FIP with disguising unlawful loans – in excess of 183% per annum – through using “sales terminology” in an attempt to evade Virginia’s consumer lending laws.[2] On November 15, this web was untangled and resulted in a $50 million judgment against FIP including:

  • $20,098,160 in debt forgiveness for borrowers;
  • $31,740,000 as a civil penalty;
  • $414,474 in restitution;
  • $198,000 for costs and attorneys’ fees;
  • Injunctive relief preventing FIP from further violating the Virginia Consumer Protection Act; and
  • Declaratory relief that FIP’s agreements with Virginia consumers are usurious and illegal.

This swift action embodies Attorney General Mark Herring’s recent effort to vigorously enforce Virginia’s lending laws. In 2015, Herring established the Predatory Lending Unit, proclaiming the unit it to be the “first-of-its-kind,”[3] predicated upon investigating and prosecuting “suspected violations of state and federal consumer lending statutes, including laws concerning payday loans, title loans, consumer finance loans, mortgage loans, mortgage servicing, and foreclosure rescue services.”[4]

Since its creation, the Predatory Lending Unit has filed lawsuits and settled claims against at least five other online lenders alleged to be offering loans in excess of Virginia’s 12% interest ceiling.[5][6] These lawsuits have resulted in the recovery of more than $22 million in consumer relief.[7] Additionally, Herring’s Predatory Lending Unit intervened on behalf of a Virginia class action against CashCall, an online tribal lender.[8] Six days after Herring intervened, the matter was settled, resulting in 17,046 Virginians receiving $9,435,000 in consumer restitution and the forgiveness of more than $5,900,000 in outstanding debt.[9]

The Complaint against FIP indicates that the Predatory Lending Unit is keeping a keen eye on private litigation and other state regulatory efforts against online lenders with a nationwide footprint. Specifically, the Complaint detailed class actions filed in California, Florida, Alabama, and Massachusetts, along with regulatory settlements by the Massachusetts Attorney General and the New York Department of Financial Services — all against FIP. Even more, the Complaint quoted language from a Consumer Financial Protection Bureau action against FIP, emphasizing the underlying policy against usurious loans. See Complaint at p.4 (quoting CFPB v. Future Income Payments, LLC, No. SACV 17-00303-JLS (C.D. Cal. May 17, 2017), ECF No. 47) (“In the past few years, the income stream market has come under sharp scrutiny for allegedly marketing loans at undisclosed, exorbitant interest rates to vulnerable populations, including veterans and the elderly.”).

In light of the Predatory Lending Unit’s broad license to prosecute violations of Virginia’s lending laws, coupled with their cognizant awareness of independent private and regulatory actions, more regulatory enforcement and litigation in matters involving consumer lending should be expected from the Virginia Attorney General. Lenders must tread carefully and ensure their business practices comply with Virginia law.


[1] See Commonwealth of West Virginia ex rel. Mark R. Herring v. Future Income Payments, LLC et al., available at

[2] Id.

[3] Virginia Attorney General Press Release, “Attorney General Herring Launching Effort to Combat Predatory Lending, (March 26, 2015), available at

[4] Virginia Attorney General Press Release, ” Herring Warns Virginians About Dangers of Predatory Loans,” (March 7, 2017), available at

[5] See Virginia Code § 6.2-303.

[6] Virginia Attorney General Press Release, “Attorney General Herring Reaches Settlement with Internet Lender,” (October 25, 2017), available at; Virginia Attorney General Press Release, “Attorney General Herring Sues Allied Title Lending, LLC for Making Open-End Credit Loans to Violate Consumer Statutes,” (September 13, 2017), available at; Virginia Attorney General Press Release, “Attorney General Herring Reaches Settlement with Open-End Credit Plan Internet Lender Worth More Than $3 Million,” (November 30, 2017), available at; Virginia Attorney General Press Release, “Virginia Consumers to Receive $2.7 Million in Relief from Settlement with Internet Lender,” (February 7, 2018), available at


[8] See Attorney General of Virginia Intervenor-Complaint here:

[9] Virginia Attorney General Press Release, “CashCall to Refund Millions to Virginia Consumers Over Illegal Online Lending Scheme,” (January 31, 2017), available at

In an ominous sign, Americans’ total debt hit another record high, rising to $13.5 trillion in the last quarter, as student loan delinquencies jumped, according to Reuters. Specifically, flows of student debt into serious delinquency of 90 or more days rose to 9.1 percent in the third quarter from 8.6 percent in the previous quarter, reported the Federal Reserve Bank of New York, propelling the biggest jump in the overall U.S. delinquency rate in seven years.  

Total household debt, driven by $9.1 trillion in mortgages, now stands $837 billion higher than its previous peak in 2008, just as the Great Recession took hold and induced massive deleveraging across the United States. In fact, indebtedness has risen steadily for more than four years and sits more than 21% above its 2013 low point, and the $219 billion rise in total debt in the quarter that ended on September 30 amounts to the biggest jump since 2016. 

“The new charts in our report help to better understand how the debt and repayment landscape have shifted in the years following the Great Recession,” Donghoon Lee, research officer at the New York Fed, announced in a press release published on November 16. “Older borrowers now hold a larger share of total outstanding debt balances, while the shares held by younger borrowers have contracted and shifted toward auto loans and student loans.”

On November 16, Sen. John Thune (R-S.D.), the current chairman of the Senate Commerce Committee, and Ed Markey (D-Mass.), a member of the committee and the author of the Telephone Consumer Protection Act, unveiled the Telephone Robocall Abuse Criminal Enforcement and Deterrence Act (“TRACED Act”). Among other things, this bill would require carriers to eventually implement “an appropriate and effective call authentication framework” and instructs the Federal Communications Commission to engage in rulemaking to protect consumers from receiving unwanted calls and text messages from unauthenticated phone numbers.

According to its proponents, an “ever increasing number … of robocall scams” prompted this bill. Indeed, one report touted by Markey estimated the number of spam calls will grow from 29% of all phone calls this year to 45% of all calls next year.

In its current form, the TRACED Act gives regulators more time to find scammers, increases civil forfeiture penalties for those caught, promotes call authentication and blocking adoption, and brings relevant federal agencies and state attorneys general together to address impediments to criminal prosecution of robocallers who intentionally flout laws.

More specifically, this act makes the following changes to the existing federal regulatory scheme:

  • Broadens the authority of the FCC to levy civil penalties of up to $10,000 per call for those who intentionally violate telemarketing restrictions.
  • Extends the window for the FCC to catch and take civil enforcement action against intentional violations to three years after a robocall is placed. Under current law, the FCC has only one year to do so. The FCC has told the committee that “even a one-year longer statute of limitations for enforcement” would improve enforcement against willful violators.
  • Brings together the Department of Justice, FCC, Federal Trade Commission, Department of Commerce, Department of State, Department of Homeland Security, the Consumer Financial Protection Bureau, and other relevant federal agencies, as well as state attorneys general and other non-federal entities, to identify and report to Congress on improving deterrence and criminal prosecution at the federal and state level of robocall scams.
  • Requires providers of voice services to adopt call authentication technologies, enabling a telephone carrier to authenticate consumers’ phone numbers prior to initiating any call.
  • Directs the FCC to initiate a rulemaking to help protect subscribers from receiving unwanted calls or texts from callers using unauthenticated numbers.

Announcing the TRACED Act, neither senator minced their words. “The TRACED Act targets robocall scams and other intentional violations of telemarketing laws so that when authorities do catch violators, they can be held accountable,” Thune said in a statement. He continued: “Existing civil penalty rules were designed to impose penalties on lawful telemarketers who make mistakes. This enforcement regime is totally inadequate for scam artists and we need do more to separate enforcement of carelessness and other mistakes from more sinister actors.” Markey added: “As the scourge of spoofed calls and robocalls reaches epidemic levels, the bipartisan TRACED Act will provide every person with a phone much needed relief. It’s a simple formula: call authentication, blocking, and enforcement, and this bill achieves all three.”

Troutman Sanders will continue to monitor this and related legislative proposals.

By: Ashley Taylor, David Anthony, Stephen Piepgrass and Ryan Strasser

The Virginia Consumer Protection Act (VCPA), Virginia Code § 59.1-196 et seq., represents the Virginia General Assembly’s effort to enact a sweeping and potent remedial tool to protect consumers from exploitation by a business where the consumer has engaged in a “consumer transaction” with that business. Where a violation of the VCPA has occurred, the statute authorizes both consumers and the Virginia attorney general to enforce its prohibitions and to seek various forms of relief.

In recent years, the Virginia Office of the Attorney General has ramped up its VCPA enforcement efforts. In perhaps a harbinger of things to come, Virginia Attorney General Mark Herring filed a complaint on March 6, 2018, under the VCPA in Commonwealth ex rel. Herring v. Future Income Payments LLC f/k/a Pensions, Annuities and Settlements LLC, in the Circuit Court for the City of Hampton. Attorney General Herring asserts a single claim in the case — that the corporate defendant violated the VCPA.

To read more click here for the VBA Fall 2018 Journal



New Jersey Attorney General Gurbir S. Grewal and the New Jersey Division of Consumer Affairs have filed a complaint against luxury used-car dealership 21st Century Auto Group, Inc. and its owner, Dmitry Zeldin, accusing the dealership of violations of state consumer protection laws.  According to the Office of the Attorney General, 21st Century fails to disclose to consumers that certain vehicles have incurred prior damage and also advertises vehicles after they are sold in a “bait and switch” operation.

The A.G.’s Office prosecuted 21st Century and Zeldin five years ago on allegations of the same practices.  In 2014, the parties entered into a settlement agreement, with the dealership agreeing to pay a penalty of $130,000 and make widespread changes to its business practices.  The agreement also prohibited the dealership from engaging in unfair or deceptive acts or practices in the future.  However, the Division of Consumer Affairs reported that it continued to receive complaints about 21st Century following the settlement agreement.

“Businesses can’t just sign a settlement agreement and then go right back to the same dishonest practices that got them into trouble in the first place,” Grewal said in a statement. “They must abide by the reforms set forth in the agreement, especially those requiring them to stop deceiving customers.”

The complaint features new allegations against 21st Century, including the assertion that the dealership sold “gray market cars” – vehicles that are intended for distribution outside of the United States and do not necessarily meet safety and emissions standards required under federal law.  The complaint alleges other violations, including:

  • conducting credit checks without a consumer’s knowledge or authorization;
  • failing to conspicuously post the total selling price of used motor vehicles;
  • submitting false financial information to a lending institution;
  • misrepresenting that certain used motor vehicles advertised and/or offered for sale were covered by a warranty;
  • failing to refund monies paid by consumers after they cancelled the sales transaction;
  • advertising used motor vehicles on the 21st Century Auto Group website at a price much lower than the price posted on the vehicle at the dealership location;
  • failing to disclose to a consumer prior to purchase that a used motor vehicle had sustained major flood damage; and
  • representing that, as part of a negotiated deal, they will make certain repairs to a used motor vehicle and then, after the sale is consummated, failing to do so.

The case is Gurbir S. Grewal, et al. v. 21st Century Auto Group, Inc., et al., pending in the Superior Court of New Jersey, Chancery Division, Union County.


In the fall of 2017, the New York Times documented the existence of laws in nineteen jurisdictions which allow for the revocation of government-issued professional licenses if a holder defaults on a student loan. Pleas for reform soon swamped states.

In Texas, whose next regular legislative session will begin on January 8, 2019, promises were issued from some of its most conservative legislators. “Next session the Legislature needs to address this issue head on and ensure that Texans who can’t pay student loans aren’t further crippled by government actions,” the conservative House Freedom Caucus, chaired by Rep. Matt Schaefer (R-Tex.) from Tyler, said in a statement released on April 4.

Meanwhile, in Tennessee, two modest reforms were passed (and one signed) in April. Approved by the Tennessee Senate and House on March 19 and April 2, respectively, and signed by the Governor on April 18, the first creates a medical hardship exemption for certain licensed professionals who are late or default on their student loan payments. The second, passed by both houses as of April 24, reduces the fee (from $350 to $180) to expunge the public record of defendants who had charges dismissed due to completing a pretrial diversion program.

Not surprisingly, considering its passage of a Student Loan Bill of Rights in November 2017 (over the governor’s veto), another state—Illinois—appears to have made the most concrete progress in recent days. In particular, a specific proposal, embodied in Senate Bill 2439, filed on January 30 by Sen. Scott M. Bennett (D-Ill.) of Champaign, gained traction in the spring of 2018. Sponsored by Democrats and Republicans, this bill would eliminate language from the Civil Administrative Code of Illinois requiring the Illinois Department of Professional Regulation to deny licenses or renewals to “any person who has defaulted on an educational loan” unless that person is performing satisfactorily under a repayment plan. Via further textual extirpation, it would abrogate IDPR’s power to suspend or revoke a license for failure to make satisfactory repayments on delinquent or defaulted loans. If enacted, it would stop regulatory directives and referrals between the IDPR, the Illinois Student Assistance Commission (“ISAC”), and other licensing agencies and boards with respect to student loan delinquencies and defaults.

Attorneys general from thirty-one states have signed a letter urging Congress to scrap a proposed federal breach notification law that was introduced by Rep. Blaine Lukemeyer (R-Mo.) and Rep. Carolyn Maloney (D-N.Y.) in an effort to create a national data breach notification and security standard.  The proposed law, known as the Data Acquisition and Technology Accountability and Security Act (the “Draft Bill”), if passed, would require covered entities to, among other things:

  1. Conduct preliminary investigations of data breaches – If a covered entity believes that a breach of data security containing personal information occurred, the covered entity would be required to conduct an immediate investigation (“Preliminary Investigation”) to determine, among other thing, if personal information has or is likely to have been acquired without authorization.
  2. Notify agencies in the event of reasonable risk – If, after conducting the Preliminary Investigation, a covered entity determines that there is a reasonable risk that the data breach resulted in or will result in identity theft, fraud, or economic loss to consumers, the covered entity would be required to notify certain governmental entities, such as the Secret Service, the Federal Bureau of Investigation, and other agencies, if the data breach involved personal information relating to 5,000 or more consumers.
  3. Notify consumers in the event of harm – If, after conducting the Preliminary Investigation, a covered entity determines that there is a reasonable risk that a data breach resulted in identity theft, fraud, or economic loss to consumers, the covered entity would be required to notify all impacted consumers.

With respect to state enforcement rights, the Draft Bill indicates that state attorneys general may bring civil actions against covered entities for certain violations of the Draft Bill, provided that: (1) the covered entity is not a financial institution, and (2) the attorney general provides prior written notice of any action to the FTC and provides the FTC with a copy of its complaint, except in certain circumstances where such notice may not be feasible.  Additionally, the Draft Bill indicates that the FTC shall have the right to intervene in all state actions and that no state attorney general can bring an action against a covered entity if the FTC has already done so.

Lastly, and likely most controversially, Section 6 of the Draft Bill indicates that the act would “preempt any law, rule, regulation, requirement, standard, or other provision having the force and effect of any law of any state … with respect to securing information from unauthorized access or acquisition, including notification of unauthorized access or acquisition of data … .”

So, what is the big deal?  Having a national data breach notification law is a good thing, right?  Well, no … not according to the thirty-two attorneys general who signed the letter to Congress released on March 19.  As explained by these attorneys general, there are several issues of concern with the draft bill, including that it:

  1. “[T]otally preempts all state data breach and data security laws that require notice to consumer and state attorneys general of data breaches,” which would include the states’ consumer data breach notification laws that, as of March 28, 2018, have been enacted by all fifty states.
  2. “Allows entities suffering breaches to determine whether to notify consumers of a breach based on their own judgment of whether there is ‘a reasonable risk’ that the breach of data security has resulted in identity theft, fraud, or economic loss to any consumers.”  This, as they noted, is insufficient and too late, and will result in less transparency to consumers as fewer notifications to consumers will be sent.  It also permits entities that have suffered a data breach to notify consumers after the harm to them has occurred, which limits consumers’ opportunity to take proactive steps to protect themselves from identity theft before it happens.
  3. Fails to acknowledge the fact that data breaches come in all sizes by only addressing large, national breaches affecting 5,000 or more consumers, and prevents attorneys general from learning of or addressing breaches that are smaller in scale but nonetheless victimize residents in their states.
  4. Places consumer reporting agencies and financial institutions out of states’ enforcement reach, which would prevent State attorneys general from pursuing these companies after a security incident.

Considering themselves to be the “chief consumer protection officials” in their respective states, the attorneys general note that there is a place for both state and federal agencies to protect consumers’ personal information, and therefore, recommend that the Draft Bill not preempt state data security and breach notification laws.