Litigation against banks and other financial services firms is always evolving. This mid-year 2025 update discusses trends from recent case filings and decisions and highlights the importance of awareness of new legal theories, robust compliance programs, and proactive risk management.
Data Privacy and Cyber Incident Litigation
Data privacy and cybersecurity incidents and related litigation continue to be a significant threat to banks. The number of data incidents and lawsuits filed per incident both continue to increase, and ransomware complaints are also surging, coinciding with a 64 percent increase in ransomware attacks targeting banks in 2023 alone, according to a 2024 Bloomberg study. Additional developments in this area include the following:
- Bank response to Securities Exchange Commission "Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure Rule." In 2023, the SEC implemented a rule requiring public companies, including banks, to disclose material cyber incidents within four business days. On May 22, 2025, a coalition of banking trade associations petitioned the SEC to rescind this rule, arguing it harms customers by requiring public companies to prematurely disclose cyber incidents even if the vulnerability is ongoing and risks creating a chilling effect on candid internal communications and external information sharing.
- Video Privacy Protection Act (VPPA) Litigation. The 1988 VPPA prohibits any "video tape service provider" from disclosing personally identifiable information without consent. Plaintiff firms are increasingly citing the VPPA to sue companies with websites and mobile applications that have video content, claiming violations when companies share consumer information with third parties. Circuit courts are split on the scope of the VPPA, with the Second Circuit embracing a broad reading in October 2024 in Salazar v. NBA, No. 23-1147 (2nd Cir. Oct. 15, 2024), and the Sixth Circuit rejecting that interpretation in April 2025 in Salazar v. Paramount Global, No. 23-5748 (6th Cir. Apr. 3, 2025). While the law remains unsettled, financial firms need to be careful about video content on their websites, such as product videos and testimonials, which may "track" viewers and/or link to other websites or applications.
- Pixel Litigation. Banks across the country are increasingly facing lawsuits for allegedly using technology firms like Google or Facebook to track and record customers' interactions with webpages and online ads. These suits claim that "pixels" and other tracking technologies send user data to third parties. In a positive development for banks, in June 2025 a federal court in New Jersey dismissed without prejudice a complaint alleging that a bank improperly used pixels to collect information about visitors to the bank's website and transmit that information to Facebook without notice of consent. Banks can mitigate the risks of these claims by understanding whether their marketing teams are using third-party services to track web page interactions and reviewing their disclosures to make sure the use of any such services is disclosed.
Overdraft and NSF Fee Litigation
Litigation surrounding overdraft and non-sufficient funds (NSF) fees continues, though the pace of class action filings has slowed in 2024 and 2025 compared to prior years. Key theories include:
- Authorize Positive, Settle Negative: Plaintiffs assert claims based on banks' assessment of overdraft fees on transactions authorized when customers had sufficient funds in their accounts even though the customers had insufficient funds at the time of posting and settlement due to other transactions.
- Available vs. Ledger Balance: Plaintiffs allege that banks used customers' available balance – including pending debit holds – and charged overdraft fees when the customers had a sufficient ledger balance to cover the transactions.
- Multiple NSF Fees: Plaintiffs allege that banks have breached their account agreements by charging more than one return item fee on check and ACH transactions that are presented to and returned by banks more than once.
- Regulation E: Plaintiffs claim that banks' opt-in form to assess overdraft fees on one-time debit and ATM transactions did not comply with Regulation E by failing to provide a clear description of when customers can expect to be assessed overdraft fees.
One explanation for the decrease in class action lawsuits regarding overdraft and NSF fees is that cases are now moving to private arbitration due to class action waivers and mandatory arbitration provisions in customer agreements. Banks should continue to compare their fee practices against customer disclosures to ensure clarity, ensure disclosures account for the risk of mass arbitration, and monitor and respond promptly to customer complaints. Notably in May 2025, the Consumer Financial Protection Bureau eliminated dozens of regulatory guidance documents, including two that had been relied on by plaintiffs in these cases, 2024-05 Improper Overdraft Opt-In Practices and 2022-06 Surprise Overdraft Fees.
Debt Collection and Consumer Protection
Litigation related to debt collection and credit reporting is generally on the rise. According to Web Recon, LLC, while Fair Debt Collection Practices Act (FDCPA) cases are down 9.1 percent from January through May 2025 compared to the same time period last year, Fair Credit Reporting Act (FCRA) cases are up 12.6 percent over the same period, and Telephone Consumer Protection Act (TCPA) are up substantially – by 39.4 percent.
- In the FDCPA context, litigants and courts continue to grapple with Article III standing to bring suit. For example, in Six v. IQ Data International, 129 F.4th 630 (9th Cir. Feb. 24, 2025), the Ninth Circuit held that a consumer's alleged receipt of a debt verification letter after the consumer instructed that all communications be sent to his attorney was a concrete injury that could support Article III standing. By contrast, in Thomas v. LVNV Funding, LLC, 132 F.4th 992 (7th Cir. Mar. 21, 2025), the Seventh Circuit held that a debt collector's failure to timely notify a credit reporting agency that an alleged debt was disputed was not a concrete injury that could support Article III standing.
- As for FCRA, the courts continue to impose burdens on "furnishers" of consumers' credit information (which include financial institutions) to the credit reporting agencies. The Fourth Circuit held in Roberts v. Carter-Young Inc., 131 F.4th 241 (4th Cir. 2025), that furnishers must investigate consumers' disputes that are based on information that is objectively and readily verifiable, regardless of whether the dispute involves legal or factual issues. This standard mirrors the standard adopted by the Second Circuit in Sessa v. Trans Union, LLC, 74 F.4th 38 (2d Cir. 2023). Expect litigants to continue to fight about whether information is objectively and readily verifiable.
- A recent Supreme Court decision may lead to even more TCPA litigation. On June 20, 2025, the Court decided McLaughlin Chiropractic Associates, Inc. v. McKesson Corp., No. 23-1226, holding that the Hobbs Act does not bind district courts in civil enforcement proceedings to a federal agency's interpretation of a statute. The Hobbs Act, which provides for pre-enforcement judicial review of Federal Communications Commission orders, had been interpreted as barring district courts from disagreeing with the FCC's interpretation of a statute in an order. The Court held that the interpretation was incorrect. Instead, courts should interpret statutes such as the TCPA under ordinary principles of statutory interpretation, affording appropriate respect to the agency's interpretation. With this ruling, the FCC's prior orders interpreting the TCPA may now be subject to questioning in future cases, which suggests we may see more cases filed.
As legal theories and interpretations evolve, banks' best prevention to avoid these types of claims remains a strong compliance program, including adherence to both federal and state law. Robust disclosures, reliable record retention, and clear customer communications are critical aspects of a bank's defense.
Mass Arbitrations
Mass arbitration continues to be an evolving issue for financial institutions. Mass arbitration originated as a response to class action waivers. This tactic involves aggregating numerous claims into individual arbitrations, which require costly per-case filing fees and are designed to pressure companies to settle. In 2024, arbitration providers like AAA and JAMS amended their rules to address the rising volume of mass arbitrations by modifying fee structures and requiring more information from claimants.
The AAA mass arbitration rules automatically apply if there are 25 similar cases against the same respondent. The AAA rules introduced the concept of a Global Mediator to facilitate early resolution, as well as an expanded Process Arbitration stage to handle pre-merits disputes on a global basis. The pre-case fees are also lower. By contrast, the new JAMS rules only apply when they are part of a pre-existing arbitration agreement. The JAMS rules define mass arbitration as at least 75 similar demands. Similar to the AAA rules, the JAMS rules incorporate a process phase to address ways to streamline or vet cases before they proceed. Finally, there is a different fee structure, which generally means that fees are lower.
Financial institutions can adapt to these trends by amending contracts to deter mass arbitration abuses, such as requiring robust notices of claims, setting out basic standards for each claimant to meet, mandating an early resolution phase, and for banks that use JAMS as their provider, expressly invoking the new mass arbitration rules. Some banks are also adding contract provisions requiring bellwether or batched arbitrations, requirements to conduct pre-filing diligence, and fee shifting in the case of frivolous claims. Notably, the Ninth Circuit ruled in Wells Fargo's favor in 2024 when a plaintiff's law firm sought to challenge the AAA's mass arbitration protocols, which resulted in a process arbitrator's requiring the firm's clients to provide information about their accounts, and ultimately 3,500 of 3,900 claims were dismissed without prejudice for failure to meet that standard. Mosley v. Wells Fargo & Co., No. 23-55478 (9th Cir. Mar. 7, 2024). Much remains in flux in the mass arbitration context, and we will continue to track these developments as they unfold.
If you have questions about any of these updates and how they may affect your company, please reach out to Kristine L. Roberts or any member of Baker Donelson's Financial Services Litigation Group.