InfoBytes
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Federal Reserve and New York DFS Take Action Against Canadian Bank for Deficiencies Relating to AML Compliance
On November 10, the Federal Reserve and the New York DFS announced an enforcement action against a Canadian bank for alleged deficiencies relating to its BSA/AML compliance program. In order to resolve the allegations, the bank agreed to prepare various written policies and procedures, including (i) a written plan that provides for a sustainable governance framework, including improving the management information systems reporting of compliance with BSA/AML requirements, OFAC regulations, and State Regulations; (ii) a revised written BSA/AML compliance program; (iii) a revised written program for conducting customer due diligence; (iv) a written program that ensures that any suspicious activity is timely reported; and (v) a written plan to improve compliance with OFAC regulations. All policies must be submitted for approval within 60 days of the agreement’s issuance date.
New York DFS Submits Letter to Federal Regulators Regarding Potential Cybersecurity Regulations
On November 9, the New York DFS sent a letter to federal regulators and other interested parties, including the CFPB, Federal Reserve Board, and the OCC, regarding potential new regulations aimed at increasing cybersecurity efforts within the financial sector. The letter references recent DFS reports that covered key findings from surveys given to regulated banking organizations on their cybersecurity programs, costs, and future plans. The reports raised the following concerns: (i) the speed of technological change and the increasingly sophisticated nature of threats; (ii) third-party service providers tend to have access to sensitive information and companies’ IT systems, providing potential hackers with a point of entry; and (iii) the “scale and breadth of the most recent breaches and incidents.” In light of these concerns, the DFS asserts that it would be beneficial to coordinate with state and federal regulators to “develop a comprehensive [cybersecurity] framework that addresses the most critical issues, while still preserving the flexibility to address New York-specific concerns.” According to the letter, the DFS expects to propose regulations requiring entities to set specific requirements in areas such as: (i) cybersecurity policies and procedures; (ii) third-party service provider management; (iii) cybersecurity personnel and intelligence, including implementing mandatory cybersecurity training programs; and (iv) notice of cybersecurity breaches.
FinCEN Issues Final Civil Money Penalty Against U.S.-based Casino Over BSA Violations
On November 6, FinCEN issued a final assessment of civil money penalty against a Las Vegas-based casino and its branch offices for violating the BSA by failing to develop and implement a sufficient AML program and report suspicious activity in connection with its private gaming areas. As FinCEN previously announced on September 8, the terms of the assessment require the casino to pay an $8 million civil monetary penalty, hire an independent auditor to test its BSA/AML compliance program, and conduct a look-back review of all transactions through branch offices in Asia and California for recordkeeping and reporting compliance. FinCEN’s final assessment follows approval on October 19 of the settlement from the Bankruptcy Court for the Northern District of Illinois, as the casino remains a debtor in its bankruptcy case.
SEC Announces Bryan Bennett as Head of Los Angeles Exam Program
On November 5, the SEC announced Bryan Bennett as head of its Los Angeles examination program. Bennett will oversee examiners, accountants, and attorneys based in Southern California, Nevada, Arizona, Hawaii, and Guam. Bennett joined the SEC in 2008 and was later named manager, leading various teams in the investment adviser and investment company examination program. In January 2015, the SEC named Bennett the assistant director of the Los Angeles examination program. Prior to joining the SEC, Bennett was a litigator in private practice.
D.C. District Court Rules in Favor of Anonymity When Challenging a CFPB Civil Investigative Demand
Recently, the District Court for the District of Columbia issued an opinion recognizing a company’s right to maintain privacy when challenging a CFPB Civil Investigative Demand (CID). John Doe Company No. 1 v. CFPB, No. 1:15-cv-1177 (D.D.C. Oct. 16, 2015). After receiving a CID from the Bureau, the Plaintiffs requested that the CFPB allow counsel to be present at a voluntary investigative hearing; the Plaintiffs’ request and subsequent petition to the CFPB were denied. On July 22, 2015, Plaintiffs filed a complaint against the CFPB seeking a temporary restraining order (TRO) and a motion to seal the case, arguing that sealing was appropriate because (i) CFPB investigations are normally nonpublic; and (ii) sealing the case would protect Plaintiffs from the harm that an ongoing investigation would cause if it were disclosed to the public. The court applied a six-factor test established by the D.C. Circuit in United States v. Hubbard to determine whether the court records should be released, considering the need for public access to the documents, the strength of the property and privacy interests involved, the possibility of prejudice against the Plaintiffs, and other factors. In a “compromise [to maximize] the amount of information available to the public while still protecting the privacy interest Plaintiffs assert,” the court ruled to unseal the case but ordered Plaintiffs to file redacted versions of all files pertaining to the case, omitting the names of Plaintiffs and “any other information reasonably likely to lead to the disclosure of Plaintiffs’ identities.”
CFPB Reports on Underserved Consumers' Use of Mobile Financial Services
On November 5, the CFPB published a report titled "Mobile Financial Services" to summarize the results of its June 2014 Request for Information on the opportunities and challenges associated with the use of mobile financial services (MFS) by traditionally underserved consumers. With 44% of unbanked individuals owning a smartphone, the report notes that MFS has the potential to be a promising tool for underbanked and unbanked consumers to manage their finances. According to the report, consumers using MFS save time and money because they can check their balances any time and have access to certain tools that help them manage their money. The report highlights mobile Remote Deposit Capture as particularly attractive to unbanked consumers because it allows them to take a picture of and deposit checks remotely, reducing the limitations of branch hours and locations. Additional key takeaways from the report include: (i) MFS would likely be most effective for underserved consumers if paired with consultative or assistance services; (ii) privacy and security concerns remain a significant risk; and (iii) digital access and digital financial literacy need improvement, such as enhancing affordable access to technology and educating consumers and intermediaries about safe and effective use of the technology.
FCC Settles with Company Over Alleged Data Protection Failures
On November 5, the FCC resolved its first ever data security action against a cable company with a $595,000 settlement. According to the FCC, the company did not have adequate data security measures in place for employees and contractors with access to the company’s electronic data systems. In 2014, the company’s electronic data systems were breached by a third party who, by pretending to be from the company’s IT department, convinced a customer service representative and a contractor to enter their account information into a fake website. The third party hacker allegedly used the information to gain access to customers’ personally identifiable information, subsequently sharing the information with another hacker and posting the information on social media sites. The cable company did not use the FCC’s breach-reporting portal to report the breaches. In addition to the civil money penalty, the settlement requires the company to: (i) identify and notify all customers affected by the breach and provide them with one year of free credit report monitoring; (ii) designate a senior corporate manager who is a certified privacy professional; (iii) conduct privacy risk assessments; (iv) implement a written information security program; (v) maintain reasonable oversight of third party vendors and implement multi-factor authentication; (vi) implement a more robust data breach response plan; (vii) provide privacy and security training to third party vendors and employees; and (viii) regularly file compliance reports with the FCC.
Massachusetts AG Settles with Auto Lender Over Alleged "Excessive" Interest Rate Charges
On November 5, Massachusetts AG Maura Healey announced a settlement with a national auto lender to resolve allegations that the lender charged excessive interest rates on subprime auto loans. The company agreed to provide over $5 million – approximately $11,000 per consumer – in relief to those affected by its alleged practice of charging consumers excessive interest rates as a result of including fees from an add-on GAP insurance product. Under the terms of the assurance and discontinuance, the company will (i) eliminate the alleged excessive interest on certain loans as a result of the GAP fee; and (ii) forgive outstanding interest on loans. In addition, the company must pay $150,000 to Massachusetts and perform supervised audits of its existing loan portfolio to ensure that no additional consumers were overcharged because of GAP fees.
Federal Reserve Chair Janet Yellen Delivers Semi-Annual Report on Supervision and Regulation
On November 4, Federal Reserve Chair Janet Yellen testified before the House Committee on Financial Services. The topic of Chair Yellen’s testimony was “the lessons of the financial crisis and how we have transformed our regulatory and supervisory approach.” She explained that, prior to the crisis, the Fed’s “primary goal was to ensure the safety and soundness of individual financial institutions” and that, since the crisis, the Fed’s aim has been to regulate and supervise “in a manner that promotes the stability of the financial system as a whole.” Yellen went on to explain that the regulatory approaches adopted to address both large financial institutions and companies and community banks have been different. According to Yellen, with respect to the large financial institutions, the Fed’s approach is “oriented toward both the safety and soundness of the individual firms, and the stability of the financial system as a whole." With respect to community banks, Chair Yellen noted that the Fed’s supervisory approach is risk based: “[i]n supervising these institutions, we follow a risk-focused approach that aims to target examination resources to higher-risk areas of each bank’s operations and to ensure that banks maintain risk-management capabilities appropriate to their size and complexity.”
Bank Settles with DOJ for $81.6 Million for Failing to Timely File Payment Change Notices for Homeowners in Bankruptcy
On November 5, the DOJ announced a proposed settlement with a bank for allegedly violating bankruptcy rules by not providing homeowners with required notices that would have allowed them to challenge the accuracy of increased mortgage rates. According to the DOJ, the bank acknowledged that, from December 1, 2011 to March 31, 2015, it failed to (i) file payment change notices (PCNs) 21 days before adjusting a debtor’s monthly mortgage payment, as required by federal regulations; and (ii) perform timely escrow analyses. Under the settlement, the bank will be required to pay over $80 million in restitution to homeowners in bankruptcy that were affected by its actions and will be required to update its internal procedures to prevent further violations, including improving its employee training and its quality control processes to ensure that PCNs are filed within the appropriate timeframe. The settlement was filed in the U.S. Bankruptcy Court for the District of Maryland and is subject to court approval.