InfoBytes
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
FFIEC Releases Cybersecurity Assessment Tool
As previously covered in InfoBytes, on June 30, the FFIEC released a Cybersecurity Assessment Tool (Assessment) to provide a “repeatable and measurable process” for financial institutions to measure their cybersecurity readiness. The Assessment aims to help financial institutions determine their cybersecurity preparedness and make informed decisions regarding their risk management practices. In addition to the Assessment, the FFIEC also released an executive overview, a user’s guide, a pre-recorded webinar, a glossary of terms, and appendices to assist financial institutions in understanding supervisory expectations, increasing awareness of cybersecurity risks, and assessing and mitigating the threats facing their institutions. As an interagency body representing the Fed, FDIC, OCC, CFPB, and the NCUA, the FFIEC prescribes uniform principles, standards, and reporting forms for the federal examination of financial institutions, and makes recommendations to promote uniformity in the supervision of financial institutions.
OFAC Releases Guidance on the Continuation of Certain Temporary Sanctions Relief Under the JPOA
On June 30, the P5 + 1, European Union, and Iran agreed to extend the Joint Plan of Action for seven days, furthering negotiations to reach a solution to reduce Iran’s nuclear program. In conjunction with the announcement of the seven day extension, OFAC published Guidance on the Continuation of Certain Temporary Sanctions Relief Implementing the Joint Plan of Action, as Extended. The guidance continues the JPOA sanctions relief period, provided in November 2014 as implemented via Guidance, FAQs, and Statement of Licensing Policy, from June 30 through July 7, 2015.
Federal Banking Agencies Issue Final Flood Insurance Rule
On June 22, the federal banking agencies issued a joint final rule that modifies the mandatory purchase of flood insurance regulations to implement some provisions of the Biggert-Waters and Homeowner Flood Insurance Affordability Acts. Notable highlights include that the final rule, among other things: (i) expands escrow requirements for lenders who do not qualify for a small lender exception, (ii) clarifies the detached structure exemption, (iii) introduces new and revised sample notice forms and clauses relating to the escrow requirement and the availability of private flood insurance, and (iv) clarifies the circumstances under which lenders and servicers may charge borrowers for lender-placed flood insurance coverage. The escrow provisions and sample notice forms will become effective on January 1, 2016, and all other provisions will become effective October 1, 2015. The agencies reminded that the escrow provisions in effect on July 5, 2012, the day before Biggert-Waters was enacted, will remain in effect and be enforced through December 31, 2015.
The agencies also indicated that they plan to address Biggert-Waters’ private flood insurance provisions through a separate rulemaking.
OCC Releases Semiannual Report Highlighting Key Risks Facing National Banks and Federal Savings Associations
Today, the OCC announced the release of its semiannual report, Semiannual Risk Perspective for Spring 2015, highlighting key risk areas affecting national banks and federal savings associations. Based on 2014 year-end data, the report identifies issues that pose a potential threat to the safety and soundness of banks and thrifts. It also sets forth the OCC’s supervisory priorities for the next 12 months, including, among others, (i) cybersecurity awareness and preventative controls, (ii) Bank Secrecy Act/Anti-Money Laundering compliance, (iii) fair access to credit, and (iv) underwriting practices, particularly with respect to leveraged loans, indirect auto lending, HELOCs, and credit related to the oil and gas sector. The report also notes declining revenues and profitability overall in OCC-supervised institutions.
FTC Resolves Claims Against Auto Dealers Based on Alleged Deceptive Advertising
On June 29, the FTC filed two administrative complaints and issued proposed orders against two Las Vegas auto dealers to resolve allegations that they engaged in misleading advertising practices that misrepresented the purchase price or leasing offers of their vehicles, as well as the amount actually due at signing. In addition, the FTC also contends that the auto dealers failed to disclose other key information in its advertisements, such as the need for a security deposit, whether a down payment was required, and the terms of repayment. Under the proposed consent orders, the FTC will require both dealerships to refrain from misrepresenting the actual cost to purchase or lease a vehicle, and to comply with requirements of the Consumer Leasing Act and the Truth in Lending Act. No monetary judgment is proposed for either auto dealership.
Mobile App Developer Settles with FTC and New Jersey AG Over Virtual Currency Mining
On June 29, a mobile app developer entered into an agreement with the FTC and the New Jersey AG to settle allegations that the developer engaged in deceptive and unfair practices by marketing its rewards app, called “Prized,” as being free of malicious software, also known as “malware.” However, according to the FTC, the true purpose of the mobile app was to uploaded malware onto consumers’ mobile devices capable of mining virtual currencies for the software developer. This process allegedly reduced the battery life of consumers’ devices and caused consumers to burn through their monthly data plans. Under terms of settlement, the developer and accompanying mobile app are (i) prohibited from creating and distributing malicious software, and (ii) required to pay $50,000 to the state of New Jersey, with $5,200 due immediately, and the remaining $44,800 payable if the developer fails to comply with the terms of the consent order or the New Jersey Consumer Fraud Act within three years of the order.
Special Alert: Disparate Impact Under the Equal Credit Opportunity Act After Inclusive Communities
On June 25, the Supreme Court in Texas Department of Housing and Community Affairs v. Inclusive Communities Project, Inc. held that disparate-impact claims are cognizable under the Fair Housing Act (FHA). The Court, in a 5-4 decision, concluded that the FHA permits disparate-impact claims based on its interpretation of the FHA’s language, the amendment history of the FHA, and the purpose of the FHA.
Applicability to ECOA
When certiorari was granted in Inclusive Communities, senior officials from the CFPB and DOJ made clear that they would continue to enforce the disparate impact theory under the Equal Credit Opportunity Act (ECOA) even if the Supreme Court held that disparate-impact claims were not cognizable under the FHA. It is reasonable to expect that the Court’s decision will embolden the agencies, as well as private litigants, to assert even more aggressively the disparate impact theory under ECOA.
But just as the federal officials had stated that they would continue to assert disparate impact under ECOA if Inclusive Communities invalidated disparate impact under the FHA, lenders still have a number of arguments that the Inclusive Communities Court’s analysis does not apply to ECOA, given the material differences between the text and history of the FHA and ECOA. First, the Court principally based its textual arguments on the use of “otherwise make unavailable” in Section 804 of the FHA—a section that applies to the sale and rental of housing but not to lending. The Court stated that this effects-based language “is of central importance” to its analysis. Although the Court also stated that it had construed statutory language similar to FHA Section 805—which applies to lending—the discussion of Section 805 is so brief as to suggest it was merely an afterthought. The Court repeatedly states its textual analysis focused on the text “otherwise make unavailable.” But ECOA contains no similar effects-based language.
Second, the Court’s analysis of the FHA’s amendment history is inapplicable to ECOA. The Court focused principally on three provisions which it characterized as “exemptions” from disparate-impact liability, and concluded that such exemptions made sense only if Congress were acknowledging the validity of disparate impact claims. But ECOA contains no similar “exemptions” from disparate-impact liability that might otherwise lead to the conclusion disparate impact is cognizable under ECOA.
Finally, while the Court also notes that disparate-impact claims are “consistent with the FHA’s central purpose,” this justification appears merely to support the Court’s textual and historical arguments. The Court has repeatedly cautioned that a statute’s purpose does not trump its text. Whatever similarities may exist between the purpose of the FHA and ECOA, the material textual and historical differences weigh heavily against treating the two statutes the same for disparate-impact purposes.
Burden Shifting Framework
Even if the Inclusive Communities analysis could apply to ECOA, the Court’s emphasis on rigorous application of the three-step burden-shifting framework to analyze disparate impact claims—and protect against “abusive disparate-impact claims” —is likely to impose significant burdens on regulators and plaintiffs seeking to bring disparate impact claims under ECOA. The Court’s articulation of the steps in the burden-shifting framework are materially different—and more friendly to lenders—than those applied by federal agencies (e.g., in HUD’s disparate impact rule). While it is possible that the government and private plaintiffs will argue that the burden shifting framework outlined in Inclusive Communities applies only to the FHA, the Court’s reasoning supports applying the same framework to other civil rights laws—including ECOA.
First, the Court has reaffirmed the significant burden plaintiffs must bear in satisfying the first step of the burden-shifting framework: establishing a prima facie case. The Court noted that a “robust causality requirement” must be satisfied to show that a specific policy caused a statistical disparity to “protect[] defendants from being held liable for racial disparities they did not create.” “[A] disparate-impact claim that relies on a statistical disparity must fail if the plaintiff cannot point to a defendant’s policy or policies causing that disparity.” The Court emphasized that “prompt resolution of these cases [by courts] is important.” This, when taken together with the Court’s decision in Wal-Mart Stores, Inc. v. Dukes, may make maintaining a disparate impact claim under ECOA particularly difficult when addressing such practices as discretionary pricing (e.g., dealer markup in the auto finance context).
Second, with respect to the second step of the framework, the Court explained that “[g]overnmental or private policies are not contrary to the disparate-impact requirement unless they are ‘artificial, arbitrary, and unnecessary barriers.’” The Court noted that this is critical to ensure that defendants “must not be prevented from achieving legitimate objectives.” Specifically, the Court endorsed the importance of considering “practical business choices and profit-related decisions that sustain a vibrant and dynamic free-enterprise system” in determining whether a company’s policy is supported by a legitimate business justification. The Court further explained that “entrepreneurs must be given latitude to consider market factors,” as well as other “objective” and “subjective” factors.
Third, the Court emphasized that before rejecting a “business justification,” a court “must determine that a plaintiff has shown that there is an available alternative practice that has less disparate impact and serves the entity’s legitimate needs.” (internal quotations and alterations omitted). Significantly, and in contrast to previous interpretations by federal agencies, the Court clarified that the plaintiff bears the burden of showing a less discriminatory alternative in the third step of the burden-shifting framework.
The Court cautioned that a rigorous application of the burden-shifting framework is necessary to prevent disparate-impact liability from supplanting nondiscriminatory private choice: “Were standards for proceeding with disparate-impact suits not to incorporate at least the safeguards discussed here, then disparate-impact liability might displace valid governmental and private priorities, rather than solely removing artificial, arbitrary, and unnecessary barriers. And that, in turn, would set our Nation back in its quest to reduce the salience of race in our social and economic system.” (internal citations and alterations omitted).
DOJ Assistant AG Caldwell Delivers Remarks at the ABA's National Institute on Bitcoin and Other Digital Currencies
Today, Assistant Attorney General Leslie Caldwell delivered remarks at the ABA’s National Institute on Bitcoin and Other Digital Currencies. Speaking on the DOJ Criminal Division’s approach to the developing landscape of virtual currency, Caldwell acknowledged the legitimate uses of virtual currencies, such as having the ability to lower costs for brick and mortar businesses and its potential to promote a more efficient online marketplace, while also addressing the Department’s concern for the criminal activity surrounding virtual currencies, noting, “virtual currency facilitates a wide range of traditional criminal activities as well as sophisticated cybercrime schemes.” Citing recent actions against various individuals and groups involved in criminal activities that “sought to exploit decentralized systems such as Bitcoin” – specifically, Silk Road and Ross Ulbricht; and Carl Force and Shaun Bridges, both involved in the Baltimore Silk Road Task Force – Caldwell stressed that there are “many exchanges that don’t concern themselves with following the law.” She explained that the primary legal bases for enforcement are money services business, money transmission, and anti-money laundering statutes, as well as state money transmitter licensing laws and, in some states like New York, virtual-currency specific licensing requirements. Caldwell also noted the Department’s partnership with FinCEN, summarizing its involvement in the Ripple Labs resolution to show that “compliance and remediation can lead to a more favorable resolution of criminal investigations.” Further, Caldwell observed that while there is no “one-size-fits-all” compliance program, the adherence to regulations and state licensing laws by those involved in virtual currency businesses will reduce liability and complying with anti-money laundering guidelines will allow “the legitimate use of virtual currency to grow and be responsive to infiltration and abuse by criminal elements.”
FinCEN Fines MSB and Its Owner for Alleged BSA Violations
Today, FinCEN announced the assessment of a civil money penalty against a Los Angeles-based Money Services Business (MSB) and its owner for alleged violations of the Bank Secrecy Act (BSA). During a 2011 examination of the MSB, FinCEN determined that, from October 1, 2010 through the present, the MSB knowingly violated the BSA by failing to (i) establish and ensure ongoing compliance with an adequate AML program; (ii) provide adequate training; and (iii) conduct independent testing of its compliance program. In addition, the MSB violated the BSA’s reporting requirements by failing to “file required currency transaction reports (“CTRs”) on all of its reportable transactions during the examination scope period,” and continued to file untimely CTRs even after the examination scope period ended on March 31, 2011. Finally, FinCEN expressed concern over the MSB owner’s failure to disclose that the MSB “frequently exchanged check for cash with another MSB, an arrangement known as ‘wholesaling’ or ‘bulk check cashing.’” According to the assessment document, the MSB’s owner, who was also the designated AML compliance officer, participated in the BSA violations by failing to accept his responsibility to “ensure that [an] AML program was in place, was effective, and was followed.” To resolve FinCEN’s allegations, the MSB and its owner admitted to violating the BSA program and its reporting requirements and will pay a civil money penalty of $60,000.
Fed Governor Discusses Payment Security
On June 25, Federal Reserve Governor Jerome Powell delivered remarks at a payments conference hosted by the Federal Reserve Bank of Kansas to discuss improvements to the U.S. payments system. Specifically, Powell advised that payment system participants must work together to improve the payment system, stating “[A]t a minimum, banks, merchants, and other institutions that process or store sensitive financial information need to keep their hardware and software current to the latest industry standards.” He noted that the Federal Reserve has established two task forces regarding the U.S. payment system, one geared towards faster payments and the other geared towards payment security. Powell cited the use of EMV chip cards and tokenization technology as examples of effective payment security measures. In addition, Powell discussed the importance of proactive efforts to implement preventative measures to prepare for potential cyber-attacks or data breaches.