InfoBytes
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
SEC Penalizes Investment Adviser over Inadequate Cyber-Risk Program Prior to Data Breach
On September 22, the SEC ordered a Missouri-based investment adviser to pay a $75,000 penalty, settling allegations that the investment adviser failed to implement required written cybersecurity policies and procedures prior to a data breach affecting the firm’s clients. According to the SEC, in July 2013, the investment adviser’s third party-hosted web server was hacked by a then unknown source compromising the personally identifiable information of more than 100,000 individuals. Subsequent investigations determined that the breach originated in China, and, to date, the firm’s clients have suffered no financial injury. In addition to the $75,000 penalty, the firm was censured and agreed to cease and desist from committing or causing any future violations of the Safeguards Rule.
To coincide with the announcement, the SEC also issued an Investor Alert, “Identity Theft, Data Breaches, and Your Investment Accounts,” which provides actions retail investors can take to protect their investment accounts in the event of a data breach or identity theft.
CFPB Spotlights Mortgage Complaints in Latest Monthly Report
On September 22, the CFPB published the third volume of its monthly consumer complaints report, examining mortgage complaints received through its complaint database. In its latest snapshot report, the CFPB revealed that it has received more than 190,000 mortgage complaints as of September 1, 2015, making mortgage the most-complained-about financial product. Specifically, the report finds that ongoing questions persist with respect to (i) how consumers can prevent foreclosure; (ii) how and when to make payments when mortgage loans are transferred to a different servicer; and (iii) how to ensure accurate payment on mortgage loans. According to the CFPB, as of September 1, 2015, over 700,000 complaints have been handled since the consumer complaint database’s inception.
CFPB Publishes Final Rule Amending Various Annual Dollar Threshold Adjustments
On September 21, the CFPB issued a final rule amending certain dollar thresholds for provisions implementing amendments in Regulation Z, which implements the Truth in Lending Act (TILA), under the CARD Act, HOEPA, and ATR/QM. The CFPB is required to adjust based on the annual percentage change reflected in the Consumer Price Index in effect on June 1, 2015. For 2016, the minimum interest charge disclosure threshold will remain unchanged. Permissible penalty amounts will remain $27 for the first late payment; however, for each subsequent violation within the following six months, the allowed penalty amount will decrease from $38 to $37. Similarly, the CFPB is adjusting the combined points and fees trigger-threshold for compliance with HOEPA to $1,017. Lastly, to satisfy the underwriting requirements under the ATR/QM rule, a covered transaction will not be considered a QM unless the combined points and fees do not exceed 3 percent of the total loan amount for a loan greater than or equal to $101,749; $3,052 for a loan amount greater than or equal to $61,050 but less than $101,749; 5 percent of the total loan amount for a loan greater than or equal to $20,350 but less than $61,050; $1,017 for a loan amount greater than or equal to $12,719 but less than $20,350; and 8 percent of the total loan amount for a loan amount less than $12,719.
The rule becomes effective on January 1, 2016.
NYDFS Approves Virtual Currency Firm's Application: First Company to Receive BitLicense
On September 22, NYDFS Acting Superintendent Anthony Albanese announced that the New York Department of Financial Services (NYDFS) granted its first BitLicense from its current applicant pool. In June 2015, the NYDFS finalized the BitLicense framework, requiring existing virtual currency companies to apply by August 10. Via blog post, the first licensee acknowledged receiving the license. To date, the NYDFS has received 25 BitLicense applications and, according to Albanese, “will continue to move forward on evaluating and approving additional BitLicenses.”
CFPB Finalizes Rule Allowing Small Creditors to Increase Lending in Rural and Underserved Areas
On September 21, the CFPB issued a final rule, amending certain mortgage rules and comments relating to lending activities by small creditors in rural and underserved areas. Initially proposed in January 2015, the final rule, among other things (i) increases the loan origination limit for determining eligibility for small-creditor status from 500 loans to 2,000 non-portfolio loans; (ii) includes the assets of the creditor’s affiliates, which regularly make covered transactions, in calculation of the creditor’s assets to determine whether the creditor is within the $2 billion threshold for small-creditor status; (iii) restores the one-year look back period in place of the three-year look back period for the time period that determines whether a creditor is operating predominantly in rural or underserved areas; (iv) revises escrow exemptions to prevent creditors from losing eligibility for the escrow exemptions as a result of escrow accounts before the effective date of the rule; (v) broadens the definition of “rural” to include (a) counties that meet the current definition of rural county, and (b) census blocks that are not in an urban area (as defined by the Census Bureau); (vi) adds safe harbor provisions to facilitate the determination of “rural” by permitting automated address search tools provided by the CFPB and the Census Bureau; and (vii) extends the temporary two-year transition period, which permits certain small creditors to make balloon-payment qualified mortgages and balloon-payment high-cost mortgages (whether or not they operate predominantly in rural or underserved areas), to include applications received by April 1, 2016.
The final rule will take effect on January 1, 2016.
CFTC Issues Cease and Desist Order to Unregistered Bitcoin Options Trading Platform, States Bitcoin and Other Virtual Currencies are Commodities
On September 17, the Commodity Futures Trading Commission (CFTC) issued an Order against an unregistered San Francisco-based bitcoin options trading platform and its CEO for alleged violations of the Commodity Exchange Act (CEA) and CFTC Regulations. According to the Order, from March 2014 to at least August 2014, the company and its CEO operated an online website that allowed for the trading or processing of swaps between buyers and sellers of bitcoin options contracts. For the first time, bitcoin and other virtual currencies “are encompassed in the definition and properly defined as commodities,” making them subject to the same regulations as options or swaps. According to the CFTC, the company operated without being properly registered as a swap execution facility or designated contract market, violating the CEA and CFTC regulations. The CFTC’s Director of Enforcement Aitan Goelman noted, “While there is a lot of excitement surrounding Bitcoin and other virtual currencies, innovation does not excuse those acting in this space from following the same rules applicable to all participants in the commodity derivatives markets.” The Order did not impose any monetary sanctions on the company, but required the company to cease and desist any action violating the CEA and CFTC regulations and to cooperate in future investigations conducted by the CFTC or other governmental agencies.
OFAC Updates Cuban Assets Control Regulations Easing Sanctions on Cuba
On September 18, OFAC issued a final rule amending the Cuban Assets Control Regulations (CACR) to reflect policy changes previously announced by the Obama administration. With respect to financial transactions, the amendments, among other things, (i) permit certain additional persons subject to U.S. jurisdiction to open and maintain bank accounts in Cuba to use for authorized purposes; (ii) removes limitations on donative remittances to Cuban nationals, on certain authorized remittances that authorized travelers may carry to Cuba, and on the amount of remittances that a Cuban national permanently resident in Cuba who is departing from the U.S. may carry to Cuba; (iii) adds a new general license authorizing remittances from Cuba and Cuban nationals to the United States; (iv) adds a new general license authorizing the unblocking and return of certain previously blocked remittances and funds transfers in certain circumstances; and (v) authorizes U.S. depository institutions to maintain accounts for Cuban nationals while the Cuban-national account holder is located outside the United States, provided that the account holder may only access the account while lawfully present in the United States, and removes a cap on payments from blocked accounts held by Cuban nationals in the United States in a nonimmigrant status to use for living expenses. The amendments also relax restrictions previously set forth in the telecommunications and internet sector, on travel between the U.S. and Cuba, and other various activities. Revisions to the CACR take effect on September 21, 2015.
At the same time, OFAC published a set of new and revised FAQs addressing the changes set forth in the updated CACR.
U.S. Attorney General Discusses DOJ's Global Cybercrime Initiatives at Europol
On September 16, U.S. Attorney General Loretta Lynch addressed the European Cybercrime Center at Europol, where she highlighted recent and planned DOJ initiatives related to global cybercrime and cyber threat efforts and stressed the DOJ’s commitment to information-sharing with international law enforcement authorities. Lynch noted that the U.S. and the European Union recently signed an “Umbrella” Data Privacy and Protection Agreement aimed at strengthening the countries’ ability to take on crime and terrorism while protecting personal privacy. In addition, Lynch revealed that the DOJ intends to temporarily assign a U.S. attorney from the DOJ’s Criminal Division to work alongside European authorities to enhance collaboration and information-sharing.
Imaging Company Offers $1.6 Million to Settle FCPA Investigation
Analogic Corp., a manufacturer of airport security equipment, offered the SEC $1.6 million to settle the agency’s FCPA investigation of the company, according to a company press release. The company previously reported that the DOJ and SEC had “substantially” completed their investigations of potential bribery involving transactions by the company’s Danish subsidiary, BK Medical ApS. The transactions at issue involved distributors paying BK Medical more than was owed, and then BK Medical transferring the excess money to third parties identified by the distributors. At the time of its 2011 disclosure of the potentially problematic transactions, the company stated that it had not ascertained the ultimate beneficiaries or purpose of the transfers. According to the company it had not yet engaged in similar settlement discussions with the DOJ or Danish government.
Federal District Court Articulates Criteria for Effective Presentation of Electronic Contracts
In Berkson v. Gogo LLC, 2015 WL 1600755 (E.D. NY 2015), the Eastern District of New York denied a motion to dismiss and compel arbitration filed by an in-flight wifi provider. The provider was accused in a class action suit of duping customers into signing up for a monthly service without their knowledge. The plaintiffs alleged that the graphics and text of the website misled them to believe that they were purchasing only a single month of use, while concealing that the agreement was actually a subscription agreement for monthly services and a recurring monthly charge. At issue in the motion to dismiss was the enforceability of two separate agreements used to enroll customers, and in particular terms in those agreements related to mandatory arbitration and exclusive venue, which the defendant sought to invoke. The first contract presented a “Clickwrap” agreement—whereby the consumer checked a box presented next to the phrase “I accept the terms of use.” The second contract presented a “Signwrap” agreement—whereby the consumer clicked a sign-in button presented below a statement indicating that by signing in, the consumer agreed to the “terms of use.” In both instances, the phrase “terms of use” was a hyperlink presented in plaintext that would take the consumer to the contract terms, if clicked. Also in both cases, the actual button used to enroll customers was considerably larger than the hyperlink and presented in color. The plaintiffs argued that the agreements should not be enforced because the website pages on which they appeared were designed so that the terms were deliberately hidden and were never seen or agreed to by them.
As part of its analysis, the court reviewed a number of prior judicial decisions involving electronic consumer contracts, which closely scrutinized the manner in which agreement terms are disclosed to consumers on electronic platforms. The court also reviewed a number of empirical studies analyzing viewing and reading behavior (including eye tracking patterns) where consumers were presented with materials on a computer screen. The court concluded that in general an electronically presented agreement will be enforceable if (i) the website presenting the agreement puts a reasonably prudent user on inquiry notice of the terms of the contract; (ii) the user is encouraged by the design and content of the website and webpage to examine any agreement terms that are made available via a hyperlink; and (iii) the link to the agreement is placed where the user is likely to see it.
The court also observed that in this case the agreements qualified as “contracts of adhesion”, and so should also not be enforced unless it could be demonstrated that the user was, by virtue of the design of the agreement pages on the website, given adequate warning of adverse terms in the agreements, such as mandatory arbitration or exclusive venue.
Based on its analysis and review of the web pages presenting the agreements at issue, the court denied the defendant’s motion, concluding that the Signwrap agreement was unenforceable because the design and content of the web page did not make the agreement readily and obviously available, and its importance was obscured by the process (which involved clicking a button labeled “sign in,” rather than one labeled “accept” or “I agree”), and the defendant had not demonstrated that the Clickwrap agreement actually required the consumer to check the “I agree” box before enrolling the consumer in monthly services. The court also noted that the plaintiffs were not given an opportunity to retain a copy of the agreement, nor was one automatically provided to them.