Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
On September 12, the CFTC issued an order against an Illinois-based futures commission merchant imposing a $1.5 million fine for allegedly failing to protect its systems from cybersecurity threats and not alerting its customers in a reasonable timeframe after a breach occurred. According to the order, the CFTC claims the merchant failed to adequately implement and comply with cybersecurity policies and procedures as well as a written information systems security program, and “policies and procedures related to customer disbursements by its employees.” The CFTC contends that because of these failures the merchant’s email system was breached, which allowed access to customer information and convinced the merchant’s customer service specialist to mistakenly wire $1 million in customer funds. While the merchant approved reimbursement of the funds shortly after discovery, instituted measures to prevent additional fraudulent transfers, and notified regulators the same day, the CFTC alleges it failed to disclosure the breach or the fraudulent wire in a timely manner to current or prospective customers. Under the terms of the order, the merchant must pay a civil money penalty of $500,000 plus post-judgment interest, as well as restitution of $1 million. The merchant’s previous reimbursement of customer funds when the fraud was discovered was credited against the restitution amount.
On September 18, the FTC issued its comment letter to the CFPB’s Notice of Proposed Rulemaking (NPRM) amending Regulation F, to implement the Fair Debt Collection Practices Act (FDCPA) (the “Proposed Rule”). As previously covered by InfoBytes, on May 7, the CFPB issued the Proposed Rule, which covers debt collection communications and disclosures and addresses related practices by debt collectors. The FTC is generally in support of the Proposed Rule, and the Commission voted unanimously to approve the submission of the comment. In addition to summarizing the FTC’s legal authority and efforts to protect consumers from unlawful debt collection practices (such as enforcement actions, workshops, and outreach) the comment letter addresses several topics covered in the Proposed Rule. In particular, the FTC supports the Proposed Rule’s provisions on passive collections, decedent debt, and time and place restrictions. Other highlights of the letter include:
- Validation notices. The FTC supports the proposed changes to validation notices, which mandate more information to be provided to the consumer about the debt and the rights the consumer has associated with that debt. The comment letter encourages the CFPB to consider the benefits and risks with regard to the safe harbor for emailed validation notices in initial communications, noting it is important that debt collectors use email addresses that are current and also, that the emails are not sent to unauthorized third parties.
- Time-barred debts. The FTC supports the proposed prohibition on collectors threatening or bringing legal action against consumers to collect on debts that they know or should know are time-barred. However, the comment letter notes that consideration should be given to whether requiring the showing that the collector knew or should have known about the age of the debt is a potential unnecessary additional burden on law enforcement agencies.
- Prohibitions on the sale or transfer of certain debts. The FTC supports the proposed prohibition on selling, transferring, or placing for collection a debt that the collector knows or should know has been paid or settled, discharged in bankruptcy, or has been the subject of an identity theft report. The comment letter requests that the CFPB consider adding to this prohibition additional categories of debt that are “more squarely associated with phantom debt collection, including, for example, debts that are counterfeit or fictitious.”
- Communications media. The FTC supports the proposed requirement that a debt collector include—in emails, text messages and other electronic communications—an option for the consumer to opt-out of communications through that particular medium. The comment letter encourages the CFPB to consider requiring collectors to provide a direct, simple, electronic mechanism to quickly exercise this opt-out right.
- Restrictions on disclosures to third parties. The FTC supports the proposed definition of “limited-content messages” but encourages the CFPB to consider ways to minimize the likelihood that third parties would recognize limited-content messages as being associated with a debt collection and notes that allowing for these messages during live calls poses heightened risk for disclosure of the debt.
- Telephone call frequency limits. The FTC supports the proposed restrictions on call frequency and notes that these protections should apply to calls that “may not cause a traditional ring,” including ringless voicemail messages. Additionally, the FTC supports the application of the protections to limited-content messages and location information calls to third parties.
On September 18, the SEC announced it filed a lawsuit in the U.S. District Court for the Central District of California against a digital platform and its owner (collectively, “defendants”) for raising over $14 million in an unregistered initial coin offering (ICO) in violation of Section 5 of the Securities Act of 1933 and for acting as unregistered brokers for other digital asset offerings in violation of Section 15 of the Securities Exchange Act of 1934. The SEC contends the defendants claimed to investors that their tokens would increase in value upon trading and that ICO token holders would be able to swap them for other tokens on the platform, at an average of a 75 percent discount. The SEC notes that the tokens had experienced “a precipitous loss in value” since issuance, averaging roughly 1/20th of the average purchase price during the offering. Moreover, the SEC alleges the defendants acted as a broker for other ICOs, raising over $650 million for their clients. The SEC’s suit seeks a permanent injunction, disgorgement of profits plus interest, and civil penalties.
New York Supreme Court Appellate Division says repurchase obligations not limited to defaulted loans
On September 17, the New York Supreme Court, Appellate Division, affirmed a trial court’s decision to grant partial summary judgment in favor of four residential mortgage-backed securities (RMBS) trusts (plaintiffs) on breach of contract allegations related to pooling and servicing agreement (PSA) repurchase obligations. The appellate court also concluded that the trial court correctly denied a motion for summary judgment filed by the seller of the mortgage loans (defendant). At issue were PSAs—entered between the plaintiffs and the defendant—containing a “repurchase protocol,” which dictate that the defendant is required to “cure, substitute, or repurchase” any defective loans “within 120 days of the earlier of the discovery by the defendant . . . or [the defendant’s] receipt of written notice from any party of a breach of any representation or warranty in the PSAs which ‘materially and adversely affects’ the interest of certificateholders in any mortgage loan.” The trial court denied the defendant’s motion for summary judgment, which, among other things, sought dismissal of claims related to the defective loans that the defendant argued were not specifically identified in timely breach notices. According to the appellate court, the trial court had correctly held that the trustee had delivered “timely presuit letters” concerning the defective loans that were placed in the trusts and had provided sufficient “notice that the breaches plaintiffs were investigating might uncover additional defective loans for which claims would be made.” The appellate court also agreed with the trial court’s decision to grant the plaintiffs’ motion for partial summary judgment to the extent that it sought a ruling that a breach that “materially and adversely” affects the certificateholders’ interest—as outlined in the repurchase protocol—is not limited to loans in default, but also “applies to any breach that ‘materially increased a loan’s risk of loss.’” Further, the appellate court also concurred with the trial court’s decision to grant the plaintiffs’ motion for partial summary judgment and deny the defendant’s motion concerning the use of statistical sampling to prove breach of contract claims for both liability and damages. However, both courts agreed that the defendant will have an opportunity to raise those arguments if it chooses to challenge the sample size or the loans chosen as part of the sample.
On September 18, the SEC announced the approval of final revisions to the Volker Rule (the Rule) to simplify and tailor compliance with Section 13 of the Bank Holding Company Act’s restrictions on a bank’s ability to engage in proprietary trading and own certain funds. As previously covered by InfoBytes, the final revisions were approved by the OCC and FDIC at the end of August, and the Federal Reserve Board is expected to adopt the changes in the near future. In approving the revisions, Chairman Jay Clayton stated that the SEC collaborated with the other federal regulatory agencies to ensure the changes would “effectively implement statutory mandates without imposing undue burdens on participants in our markets, including imposing unnecessary costs or reducing access to capital and liquidity.” Chairman Clayton emphasized that the revisions draw on the agencies’ “collective experience in implementing the rule and overseeing compliance in our complex marketplace over a number of years.”
Earlier, on September 16, the CFTC announced a 3-2 vote to approve the final revisions. Commissioner Tarbert stated that the final revisions would provide banking entities and their affiliates with “greater clarity and certainty about what activities are permitted under” the Rule as well as reduce compliance burdens. In voting against the approval, Commissioner Behnam issued a dissenting statement expressing, among other things, concerns about “narrowing the scope of financial instruments subject to the  Rule,” which would limit the Rule’s scope “so significantly that it no longer will provide meaningful constraints on speculative proprietary trading by banks.” Commissioner Berkovitz also dissented, arguing that the revisions “will render enforcement of the [R]ule difficult if not impossible by leaving implementation of significant requirements to the discretion of the banking entities, creating presumptions of compliance that would be nearly impossible to overcome, and eliminating numerous reporting requirements.” Commissioner Berkovitz also criticized the rulemaking process that led to the final revisions, arguing that a number of the changes were not adequately discussed in the notice of proposed rulemaking process, including amendments to the “accounting prong” and the rebuttable presumption of proprietary trading.
On September 18, the CFPB announced changes to its Consumer Complaint Database (CCDB), stating that it would continue the publication of consumer complaints, data fields, and narrative descriptions. As previously covered by InfoBytes, in March 2018, the Bureau issued a Request for Information (RFI) seeking feedback on potential changes that could be implemented to the Bureau’s public reporting of consumer complaint information, including the data fields provided in the CCDB. In June 2018, then-acting Director, Mick Mulvaney, noted the Bureau was in the process of reviewing whether or not the CCDB would continue to be publicly available (covered by InfoBytes here.) The Bureau noted that it received nearly 26,000 comments from a wide array of stakeholders in response to the RFI and after considering all input, the decision was made to continue the “publication of complaints with enhanced data and context that will benefit consumers and users of the database while addressing many of the concerns raised.” Specifically, the CCDB will now (i) more prominently acknowledge that the CCDB is not a statistical sample of consumers’ experiences in the marketplace; (ii) highlight the availability of answers to common financial questions to help inform consumers before they submit a complaint; and (iii) highlight consumers’ ability to contact the financial institution directly. Additionally, in the coming months the Bureau plans to, among other things, explore the expansion of a company’s ability to respond publicly to individual complaints in the database and look for additional ways to put complaint data in context, such as incorporating product or service market share and company size.
California Legislature passes several amendments to the California Consumer Privacy Act and other privacy-related bills
Lawmakers in California last week amended the landmark California Consumer Privacy Act (CCPA or the Act), which confers significant new privacy rights to California consumers concerning the collection, use, disclosure, and sale of their personal information by covered businesses, service providers, and third parties. While the amendments, which California Governor Gavin Newsom must sign by October 13, leave the majority of the consumer’s rights intact, certain provisions were clarified — including the definition of “personal information” — while other exemptions were added or clarified regarding the collection of certain data that have a bearing on financial services companies.
This Special Alert provides an overview and status update of CCPA-related and other privacy bills that were recently considered by the California legislature.
* * *
Click here to read the full special alert.
If you have any questions about the CCPA or other related issues, please visit our Privacy, Cyber Risk & Data Security practice page, or contact a Buckley attorney with whom you have worked in the past.
On September 17, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced a $4,000,000 settlement with a London-based commercial bank for 72 alleged violations of the Sudanese Sanctions Regulations (SSR). The settlement resolves allegations that between September 2010 and August 2014, the bank processed 72 bulk funding payments totaling $190,700,000 related to Sudan, which involved transactions processed to or through U.S. financial institutions in apparent violation of the SSR, which prohibits U.S. persons, including U.S. financial institutions, from processing such transactions. OFAC notes that it lowered the penalty to $4,000,000 from the proposed $228,840,000, in light of the bank’s operating capacity and the fact that it represented that it ceased the conduct at issue.
In arriving at the settlement amount, OFAC considered various mitigating factors including that (i) OFAC has not issued a violation against the bank in the five years preceding the earliest date of the transactions at issue; (ii) the bank fully cooperated with the investigation into the alleged violations, including by entering into a statute of limitations tolling agreement and agreeing to extend the agreement; (iii) the bank provided significant investigative leads regarding a foreign financial institution that hosted an account involved in processing the transactions; and (iv) the bank undertook several remedial measures in response to the alleged violations, such as exiting the Sudanese market in 2014, hiring new senior management, and implementing improvements to its compliance program.
OFAC also considered various aggravating factors, including that (i) the bank exhibited “reckless disregard for U.S. sanctions regulations when it entered the Sudanese market; (ii) the bank ignored warning signs that it may have been violating U.S. law; and (iii) several of the bank’s senior managers were aware of and involved in the conduct giving rise to the alleged violations.
On September 17, NYDFS announced that Winston Berkman-Breen has been appointed as the agency’s first-ever Student Advocate and Director of Consumer Advocacy. Prior to joining NYDFS, Berkman-Breen was a Justice Catalyst Fellow and Staff Attorney with the Consumer Protection Unit at the New York Legal Assistance Group, where he represented low-income New York consumer borrowers in state and federal court against lenders and debt collectors. In his new role with NYDFS, Berkman-Breen “will advocate on behalf of students and serve as a liaison between DFS and New York consumers with concerns,” including reviewing and analyzing complaint data from student borrowers to recommend appropriate action by the regulator.
On September 17, the DOJ and the CFPB filed a brief with the U.S. Supreme Court arguing that the for-cause restriction on the president’s authority to remove the Bureau’s single Director violates the Constitution’s separation of powers. The brief was filed in response to a petition for a writ of certiorari by a law firm, contesting the May decision by the U.S. Court of Appeals for the Ninth Circuit, which held that (i) the Bureau’s single-director structure is constitutional, and that (ii) the district court did not err when it granted the Bureau’s petition to enforce a law firm’s compliance with a 2017 civil investigative demand (CID) (previously covered by InfoBytes here). The brief cites to a DOJ filing in opposition to a 2018 cert petition, which also concluded that the Bureau’s structure is unconstitutional by infringing on the president’s responsibility to ensure that federal laws are faithfully executed, but urged the Court to deny that writ as the case was a “poor vehicle” for the constitutionality consideration (previously covered by InfoBytes here).
In contrast to the December brief, the DOJ now asserts that the present case is a “suitable vehicle for resolving the important question,” noting that only the constitutional question was presented to the Court and the 9th Circuit has stayed its CID mandate until final disposition of the case with the Court. Moreover, the government argues that until the Court resolves the constitutionality question of the Bureau’s structure, “those subject to the agency’s regulation or enforcement can (and often will) raise the issue as a defense to the Bureau’s efforts to implement and enforce federal consumer financial law.” While the Bureau previously defended the single-director structure to the 9th Circuit, the brief notes that since the May decision was issued, “the Director has reconsidered that position and now agrees that the removal restriction is unconstitutional.”
On the same day, Director Kraninger sent letters (here and here) to House Speaker Nancy Pelosi (D-Calif.) and Senate Majority Leader Mitch McConnell (R-Ky.) supporting the argument that the for-cause restriction on the president’s authority to remove the Bureau’s single Director, violates the Constitution’s separation of powers. Kraninger notes that while she is urging the Court to grant the pending petition for certiorari to resolve the constitutionality question, her position on the matter “does not affect [her] commitment to fulfilling the Bureau’s statutory responsibilities” and that should the Court find the structure unconstitutional, “the [Consumer Financial Protection Act] should remain ‘fully operative,’ and the Bureau would ‘continue to function as before,’ just with a Director who “may be removed at will by the [President.]’”
- Amanda R. Lawrence to discuss "Data privacy litigation" at the Mortgage Bankers Association Regulatory Compliance Conference
- Brandy A. Hood to discuss "How to ace your TRID exam" at the Mortgage Bankers Association Regulatory Compliance Conference
- Katherine L. Halliday to discuss "UDAP, UDAAP & the Map rule compliance basics" at the Mortgage Bankers Association Regulatory Compliance Conference
- Daniel P. Stipano to discuss "Lessons learned from recent enforcement actions and CMPs" at the ACAMS AML & Financial Crime Conference
- Daniel P. Stipano to discuss "Assessing the CDD final rule: A year of transitions" at the ACAMS AML & Financial Crime Conference
- Jonice Gray Tucker to discuss "HMDA data is out, now what?" at the Mortgage Bankers Association Regulatory Compliance Conference
- Melissa Klimkiewicz to discuss "Navigating FHA rules and regs" at the Mortgage Bankers Association Regulatory Compliance Conference
- Jeffrey P. Naimon to discuss "Washington regulatory overview" at the Mortgage Bankers Association Regulatory Compliance Conference
- Daniel P. Stipano to discuss "Consenting views: Achieving positive outcomes from consent order recovery" at the ACAMS AML & Financial Crime Conference
- APPROVED Webcast: Preparing for 2020 license renewals
- Kathryn L. Ryan to discuss "The state’s role in fintech: Providing an industry framework for innovation" at Lend360
- Daniel P. Stipano to discuss "AML developments: The latest trends, challenges and opportunities" at the American Conference Institute Financial Crime Executive Roundtable
- Marshall T. Bell and Jeffrey P. Naimon to discuss "Truth in lending" at the American Bar Association National Institute on Consumer Financial Services Basics
- Amanda R. Lawrence and Michael A. Rome to discuss "California Consumer Privacy Act compliance" at the Capital Area Compliance Roundtable
- Daniel P. Stipano to discuss "Lessons learned from recent enforcement actions" at the Institute of International Bankers Risk Management and Regulatory Examination/Compliance Seminar
- Daniel P. Stipano to discuss "Customer identification program/customer due diligence/enhanced due diligence" at a National Association of Federal Credit Unions webinar
- Jonice Gray Tucker to discuss "MCCA's blueprint for selling & buying - A pitch workshop for outside counsel" at the Minority Corporate Counsel Association Creating Pathways to Diversity Conference
- Kathryn L. Ryan and Moorari K. Shah to discuss "Today's regulatory environment - Are you in the know?" at the Equipment Leasing and Finance Association Annual Convention
- Kathryn L. Ryan and Tim Lange to discuss "Temporary authority to operate - Are you prepared? Hear what the states are doing" at the RegList Annual Workshop
- Jonice Gray Tucker to discuss "Fintech regulatory developments, crypto-assets, blockchain and digital banking, and consumer issues" at the Practising Law Institute Banking Law Institute
- Amanda R. Lawrence to discuss "How to balance a successful (and stressful) career with greater personal well-being" at the American Bar Association Women in Litigation Joint CLE Conference