A financial technology firm and its CEO have agreed to pay $104 million to resolve the FTC's allegation that they misled consumers into providing sensitive personal and financial information, which was later sold without ensuring compliance with the FTC Act. The company's business model involved generating loan "leads" through internet advertisements and offering those leads with the accompanying sensitive information to a sequential list of potential purchasers until the leads are sold. The fintech firm made no loans itself, yet several common consumer financial protection failures put it out of business.

According to the FTC allegation, the firm operated 38 websites where it promised to find lenders with favorable loan terms for the consumers. Through the websites, the firm lured consumers to provide their personal and financial information in loan applications which the defendants then sold as "leads" to anyone who was willing to pay for such information.

Blue Global, LLC failed on two common fronts in consumer finance. First, it failed to enforce its policies against its business partners. For example, Blue Global policies required that lead purchasers agree not to remarket consumer information, and agree to use consumer information only in a manner consistent with consumers' specific intent in providing the information. Notwithstanding its policies, however, the firm allowed potential purchasers full access to unredacted consumer information even when the purchasers did not agree to the privacy conditions. Second, the firm failed to conduct or take action on diligence into its business partners. Blue Global sold applications without regard to the lending capability of the purchasers, terms of the loans, or whether the purchaser would secure application information. Due to the firm's lack of enforcement effort and disregard for data privacy, about 98 percent of the loan applications were sold to non-lenders.

Attention to compliance might have saved the firm from a $104 million order. The FTC noted in its complaint that Blue Global could have taken steps such as redacting consumer information and obtaining consumers' consent to legitimately carry out its business. While privacy policies existed, someone needed to ensure that the company followed them. As seen in this case, fintech firms have significant regulatory exposure even when they are not directly engaging in the lending business. As fintech firms make significant investments in their technologies, they will be best advised to pay special attention to legal compliance to protect their investments.

To view the FTC's Complaint and proposed Stipulated Order, please click here.

The author would like to acknowledge the contributions of Stephen Choi, summer associate from The George Washington University Law School, in the preparation of the article.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.