
InfoBytes Blog

Financial Services Law Insights and Observations


  • SEC charges communications company with accounting control failure

    Securities

    On June 18, the SEC issued a cease-and-desist order (order) against a Delaware-based business communication and marketing service provider (respondent) to settle allegations of cybersecurity controls violations related to a 2021 ransomware attack.

    According to the order, the SEC alleged respondent did not have adequate controls to ensure cybersecurity incidents were reported to its management and did not respond to alerts indicating unusual network activity in a timely manner. Among other allegations, the order contended that respondent relied on a third-party vendor to review and escalate the large volume of alerts issued by its cybersecurity detection systems but did not implement procedures or controls to effectively confirm that the vendor’s review and escalation of alerts were consistent with the respondent’s expectations. The order noted that respondent cooperated with the investigation, reported the cybersecurity incident promptly, and took steps to enhance its cybersecurity technology and controls. Without admitting the SEC’s allegations, respondent agreed to a $2,125,000 civil money penalty.

    Notably, in addition to an alleged violation of Exchange Act Rule 13a-15(a) requiring public companies to maintain disclosure controls and procedures designed to ensure timely disclosure of incidents in compliance with the Commission’s rules, the order also alleged that respondent’s failure to design effective procedures to ensure escalation and timely decisions regarding potential security incidents violated Section 13(b)(2)(B) of the Securities Exchange Act of 1934. Section 13(b)(2)(B) required covered companies to “devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances, among other things, that access to company assets was permitted only in accordance with management’s general or specific authorization.”

    In a statement responding to the order, SEC Commissioners Pierce and Uyeda took issue with the Commission’s application of Section 13(b)(2)(B). Specifically, the commissioners argued that the requirement to maintain internal accounting controls ensuring “that access to company assets” is authorized by management was intended to protect the accuracy of corporate transactions for the use and disposition of assets. They noted that “[w]hile [respondent’s] computer systems constitute an asset in the sense of being corporate property, computer systems are not the subject of corporate transactions,” and that faulting respondent’s internal accounting controls in the context of a ransomware attack “breaks new ground with its expansive interpretation of what constitutes an asset under Section 13(b)(2)(B)(iii).”

    Securities Cease and Desist Civil Money Penalties Delaware Cyber Risk & Data Security Enforcement SEC

  • Tennessee amends its Consumer Protection Act

    State Issues

    Recently, the Governor of Tennessee signed into law HB 2711 (the “Act”), which amends, among other things, the state’s Consumer Protection Act. In particular, the Act establishes the factors that a court may consider when determining a civil penalty for violation of the Consumer Protection Act. The court may consider (i) the defendant’s participation in the attorney general’s complaint resolution process; (ii) the defendant’s restitution efforts prior to the action; (iii) whether there was good or bad faith; (iv) injury to the public; (v) one’s ability to pay; (vi) the public’s interest in eliminating the benefits derived by the violator; and (vii) the state’s interest. Additionally, the Act expands its protection of elderly people to “specially targeted consumers,” which includes persons who are at least 60 years old, persons under 18, and current and former military service members. Persons who are found to have targeted specially targeted consumers can be liable for penalties up to $10,000. Furthermore, the Act makes other changes such as procedural requirements for actions brought by the attorney general. The Act is effective immediately.

    State Issues State Legislation Consumer Protection Act Civil Money Penalties

  • FTC issues NPRM to extend TSR coverage for inbound calls on elder fraud

    Agency Rule-Making & Guidance

    On April 16, the FTC published an NPRM for the Telemarketing Sales Rule (TSR) in the Federal Register to extend the TSR’s coverage to inbound telemarketing calls by consumers to include technical support services – i.e., calls that consumers would make in response to an advertisement. The FTC noted this extension of the TSR would allow the FTC to “obtain stronger relief,” such as civil penalties and consumer redress, when consumers would be affected by tech support scams. The FTC argued that this proposed expansion of the TSR would be necessary given the rise in consumer complaints regarding tech support scams, explaining that consumer complaints rose from 40,000 complaints in 2017 to nearly 115,000 complaints in 2021. Additionally, the FTC explained that in 2018, consumers reported losses totaling over $55 million from these scams and noted that the scams disproportionately affected consumers over 60 years old. The proposed rule would define technical support services as a program or service that would be marketed to repair, maintain or improve the performance and security of electronic devices. The FTC explained that this broad definition will be necessary because scammers purport to offer such services as they evolve with changes to technology and consumer behavior; additionally, scammers would aim to profit from a consumer’s problems or unfamiliarity with technology. In sum, the proposed rule would add “tech support services” to the list of categories excluded from the TSR exemptions for inbound calls, specifically when such calls are in response to an advertisement “through any medium”; this exclusion will also extend to inbound calls in response to “a direct mail solicitation” including email. The FTC will seek comments on its proposed rule, including on nine specific questions, and comments must be received by June 17.

    Agency Rule-Making & Guidance TSR Civil Money Penalties

  • FTC, DFPI win MSJ against a fraudulent mortgage relief operation

    Federal Issues

    On February 13, the FTC and California Department of Financial Protection (DFPI) announced that the U.S. District Court for the Central District of California granted their motion for summary judgment against several companies and owners that the agencies alleged were operating a fraudulent mortgage relief operation. As previously covered by InfoBytes, the FTC and DFPI filed a joint complaint against the defendants in September 2022 alleging that the defendants violated the FTC Act, the FTC’s Mortgage Assistance Relief Services Rule (the MARS Rule or Regulation O), the Telemarketing Sales Rule, the Covid-19 Consumer Protection Act, and the California Consumer Financial Protection Law. In granting the motion for summary judgment, the court found the defendants violated all five laws. According to the motion, the defendants falsely represented that they could lower homeowners’ interest rates and reduce the principal balances, but, after taking the payment upfront, rarely delivered any agreed-upon services. The defendants also allegedly made misleading claims during telemarketing calls with homeowners regarding home foreclosure and mortgage payments, among other claims, including calls with homeowners whose numbers were on the national Do Not Call registry.

    The court ordered the defendants to pay approximately $16 million in restitution and $3 million in civil penalties. Further, the court ordered that the defendants are subject to a (i) permanent ban on advertising, promoting, offering for sale, or selling, or assisting others in those acts, any debt relief product or service and all telemarketing; and (ii) prohibition against making misrepresentations or unsubstantiated claims regarding products or services.

    Federal Issues FTC DFPI FTC Act Enforcement Telemarketing Sales Rule Covid-19 Consumer Protection Act California Consumer Financial Protection Law Civil Money Penalties

  • Agencies adjust civil money penalties for 2024

    Agency Rule-Making & Guidance

    Recently, the CFPB, NCUA, FDIC, FTC, and OCC provided notice in the Federal Register of adjustments to the maximum civil money penalties due to inflation pursuant to the Federal Civil Penalties Inflation Adjustment Act of 1990, as amended by the Debt Collection Improvement Act of 1996 and further amended by the Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015. Each notice or final rule (see CFPB here, FDIC here, OCC here, FTC here, and NCUA here) adjusts the maximum civil money penalties available and documents the inflation-adjusted maximum amounts associated with the penalty tiers for each type of violation within a regulator’s jurisdiction. For violations occurring on or after November 2, 2015, the OCC’s adjusted maximum penalties go into effect as of January 8; the CFPB and FDIC’s adjustments go into effect January 15; and the FTC and NCUA’s adjustments go into effect January 10.

    Agency Rule-Making & Guidance Federal Issues Bank Regulatory OCC CFPB Assessments Fees Civil Money Penalties

  • NCUA to reinstate civil money penalties for late call reports

    Agency Rule-Making & Guidance

    Recently, the National Credit Union Administration (NCUA) announced it will reinstate assessing civil money penalties for credit unions that fail to submit a call report (NCUA Form 5300) in a timely manner. The call report program was suspended after December 2019 during the Covid-19 pandemic. “The December 2023 Call Report will be the first reporting cycle under the reinstated program and will be due by 11:59:59 p.m. Eastern time, January 30, 2024.” The NCUA states it will send a reminder to credit unions with outstanding call reports a week before their deadline. The NCUA will also consider extenuating circumstances, including the size and good faith of the credit union, the gravity of the violation, the history of previous violations, and other matters like natural disasters or incapacitation of key employees.

    Agency Rule-Making & Guidance NCUA Credit Union Civil Money Penalties

  • CFPB imposes $15 million penalty on lender for violating 2019 order

    Federal Issues

    On November 15, the CFPB announced a consent order against a Chicago-based small-dollar lender for allegedly violating a 2019 order and independently violating the CFPA. According to the 2019 consent order, the respondent allegedly withdrew funds from consumers’ bank accounts without permission and failed to honor loan extensions. Specifically, the respondent replaced consumers’ bank account information used to pay for existing loans with separate account information supplied by a “lead generator.” Respondent allegedly debited consumers’ payments through the accounts provided by the lead generator, instead of the consumers’ originally saved payment method. The 2019 order, among other things, (i) barred the respondent from making or initiating electronic fund transfers without valid authorization; (ii) barred the respondent from failing to honor loan extensions; and (iii) required the respondent to pay a $3.8 million civil money penalty. In its most recent order, the CFPB alleged that, based on an investigation of the respondent’s compliance with the 2019 order, the respondent continued the same unauthorized withdrawals and canceled loan extensions. The Bureau also alleged that the respondent failed to disclose that making a partial payment could cancel a loan extension, misrepresented associated fees, and failed to provide consumers copies of signed authorizations. The respondent also allegedly provided inaccurate due dates, misrepresented skipping payments, and misrepresented loan amounts. The respondent released a statement on the enforcement action, highlighting its cooperation with the CFPB and internal technical issues.

    In the most recent order, the respondent, without admitting or denying the CFPB’s allegations, agreed to pay a $15 million civil money penalty and refund affected consumers. The respondent also agreed to stop providing certain types of consumer loans for seven years (beginning in 2022) and to reform its executive compensation agreements and policies to ensure that compensation accounts for executives’ compliance with consumer financial protection laws, including the Consent Order. The respondent must conduct an annual compensation review and provide a report of the review to the CFPB.

    Federal Issues CFPB Consumer Finance Enforcement Civil Money Penalties Payday Lending

  • NYDFS settles with bank for compliance failures

    State Issues

    On September 29, NYDFS announced a settlement with a South Korea-based bank’s American subsidiary to resolve allegations of repeated violations of AML requirements, the Bank Secrecy Act (BSA), and New York law. According to the consent order, the respondent was examined seven times in less than 10 years by DFS and entered into a consent order with the FDIC in 2017 for BSA/AML compliance, among other things. DFS claims that the respondent violated (i) New York Banking Law § 44 by conducting its business in an unsafe and unsound manner; (ii) 3 NYCRR § 116.2 by failing to maintain an effective AML compliance program; and (iii) 23 NYCRR § 504.4 by incorrectly certifying compliance with Part 504. To resolve the claims, the respondent agreed to pay a $10 million civil money penalty and to prepare a written plan detailing improvements to its compliance policies and procedures, among other things.

    State Issues NYDFS Civil Money Penalties Enforcement New York Anti-Money Laundering Bank Secrecy Act Settlement

  • Bank enters into settlement agreement with SEC for charging advisory fees

    Securities

    On August 25, the SEC entered into a settlement agreement with a national bank that requires the bank to pay a $35 million civil penalty for overcharging more than 10,900 investment advisory accounts over $26.8 million in advisory fees. According to the order, the bank and its predecessors agreed to reduce standard advisory fee rates for certain clients when clients agreed to open accounts at the bank via handwritten or typed notes and changes on the clients’ standard investment advisory agreements; however, these reduced rates were not entered into the bank’s billing systems when setting up client accounts. As a result, the clients were overcharged advisory fees for years, because the bank also failed to adopt policies and procedures to prevent overbilling.

    The agreement “underscores the need for firms growing their businesses through acquisition to ensure that their growth does not come at the expense of client protection,” said the Director of the SEC’s Enforcement Division, Gurbir S. Grewal. He further noted that “[i]nvestment advisers must adopt and implement policies and procedures to ensure that they honor their agreements with all of their clients, including legacy clients of predecessor firms.”

    In addition to the $35 million civil penalty, the bank also paid affected accountholders approximately $40 million to reimburse clients for the overcharging. The bank did not admit or deny the SEC’s charges set forth in the agreement.

    Securities SEC Settlement Enforcement Civil Money Penalties

  • OCC revises civil money penalty manual

    On November 29, the OCC announced revisions to its civil money penalty (CMP) manual. Specifically, the OCC revised the CMP matrix, which is a tool used to guide the OCC’s decision making in assessing CMPs. The revised CMP matrix, applicable to OCC-regulated institutions, allows for sufficient differentiation among varying levels of misconduct or by institution size, and includes updated mitigating factors to provide a stronger incentive for banks to fully address underlying deficiencies. The OCC also announced a revised Policies and Procedures Manual (PPM) for assessing CMPs. This version replaces the November 13, 2018, version conveyed by OCC Bulletin 2018-41, “OCC Enforcement Actions: OCC Enforcement Action Policies and Procedures Manuals.” Highlights of the PPM include, among other things: (i) revised mitigating factors of self-identification, remediation or corrective action, and restitution; (ii) increased scoring weight of mitigating factors; and (iii) a revised table titled “Suggested Action Based on Total Matrix Score and Total Assets of Bank.” The OCC further noted that the CMP matrix is not a substitute for sound supervisory judgment, and said the OCC may depart from the matrix suggestions when appropriate and when based on the specific facts and circumstances of each matter. The OCC will begin using the revisions on January 1, 2023.

    Bank Regulatory Federal Issues OCC Civil Money Penalties Enforcement
