
InfoBytes Blog

Financial Services Law Insights and Observations


  • CFPB says servicers should suggest sales over foreclosures for some borrowers

    Federal Issues

    On January 20, the CFPB encouraged mortgage servicers to advise homeowners struggling to pay their mortgages that a traditional sale may be better than foreclosure. The Bureau reported that due to the Covid-19 pandemic many homeowners are facing foreclosure, especially consumers who were delinquent when the pandemic began. The Bureau pointed out that while foreclosure rates are relatively low compared to pre-pandemic levels, mortgage data from November 2022 shows an increase of 23,400 foreclosure starts. “Often, the mortgage servicer’s phone representatives are the first line of communication with homeowners,” the Bureau said, reminding servicers to provide training to their representatives so they are prepared to provide information to equity-positive homeowners about selling their home as a potential option. “Of course, conversations about selling the home cannot substitute for the Regulation X requirement that mortgage servicers present all available loss mitigation alternatives to borrowers,” the Bureau stated, explaining that Appendix MS-4(B) to Regulation X contains sample language that can be used to inform homeowners of the option to sell their home. Additionally, the Bureau advised servicers to refer homeowners to HUD-approved housing counseling agencies to discuss their options.

    Federal Issues CFPB Consumer Finance Mortgages Servicing Mortgages Foreclosure Covid-19 Regulation X

  • Company to pay $45 million to SEC, states for unregistered crypto-lending product

    Securities

    On January 19, the SEC charged a Cayman Islands digital asset firm for allegedly failing to register the offer and sale of its retail crypto-asset lending product. According to the SEC’s cease-and-desist order, the company’s product allowed U.S. investors to tender certain crypto assets with the company, which were then deposited in interest-yielding accounts and used by the company to generate income and fund interest payments to investors.

    The SEC maintained that the company’s product was marketed as an opportunity for investors to earn interest on their crypto assets, and that company actions “included staking, lending, and engaging in arbitrage on purportedly ‘decentralized’ finance platforms; investing in certain crypto assets; loaning funds to retail and institutional borrowers; and entering into options and swap contracts with respect to the crypto assets tendered”— resulting in the company acquiring $2.7 billion in assets from approximately 112,000 investors. The SEC found that because the product qualified as a security and did not qualify for an exemption from registration under the Securities Act of 1933, the company was required to register its offer and sale of the product, which it failed to do.

    The company did not admit or deny the SEC’s findings, but agreed to pay $22.5 million to the SEC, and said it would stop offering and selling the unregistered lending product to U.S. investors. The SEC considered remedial actions promptly taken by the company, as well as its cooperation with Commission staff in determining the settlement amount. The SEC reported that the company voluntarily stopped offering its product to new U.S. investors and ceased paying interest on new funds added to existing accounts after the SEC announced charges against a different company that offered a similar crypto investment product. The company also announced that the product would stop being offered in certain states and that it was phasing out all of its products and services in the U.S.

    The company also agreed to pay another $22.5 million to state regulators from California, Kentucky, Maryland, New York, Oklahoma, South Carolina, Vermont, and Washington in a parallel action claiming the company offered interest-earning accounts without first registering the investment products as securities. According to the announcement, the company allegedly failed to comply with state securities registration requirements, and, among other things, deprived investors “of critical information and disclosures necessary to understand the potential risks of the [product].”

    Securities SEC Enforcement Digital Assets Consumer Lending Cryptocurrency State Issues Securities Act

  • SEC awards whistleblowers approximately $18 million

    Securities

    On January 19, the SEC announced three whistleblower awards totaling approximately $18 million to claimants who provided information and assistance that led to a successful enforcement action. According to the redacted order, the first whistleblower voluntarily provided detailed and significant information that prompted the opening of an investigation into a fraudulent scheme and had a significant impact on the overall success of the enforcement action. The whistleblower’s assistance saved staff time and resources, the SEC said, adding that the second and third whistleblowers voluntarily provided timely information later in the investigation that also significantly contributed to the enforcement action’s success.

    Securities SEC Enforcement Whistleblower Investigations

  • U.S. messaging service fined €5.5 million for GDPR violations

    Privacy, Cyber Risk & Data Security

    On January 19, the Irish Data Protection Commission (DPC) announced the conclusion of an inquiry into the data processing practices of a U.S.-based messaging service’s Ireland operations and fined the messaging service €5.5 million. The investigation was part of a broader GDPR compliance inquiry prompted by a May 25, 2018 complaint from a German data subject.

    The DPC noted that in advance of the date on which the GDPR became effective (May 25, 2018), the U.S. company updated its terms of service and notified users that, to continue accessing the messaging service, they would need to accept the updated terms by clicking “agree and continue.” The complainant asserted that, in doing so, the messaging service forced users to consent to the processing of their personal data for service improvement and security. 

    The company claimed that when a user accepted the updated terms of service, the user entered into a contract with the company. The company therefore maintained that “the processing of users’ data in connection with the delivery of its service was necessary for the performance of that contract, to include the provision of service improvement and security features, so that such processing operations were lawful by reference to Article 6(1)(b) of the GDPR (the ‘contract’ legal basis for processing).” The complainant argued that, contrary to the company’s stated intention, the company was “seeking to rely on consent to provide a lawful basis for its processing of users’ data.”

    The DPC issued a draft decision that was submitted to its EU peer regulators (Concerned Supervisory Authorities or “CSAs”). The DPC concluded that the company was in breach of its GDPR transparency obligations under Articles 12 and 13(1)(c), and stated that users had “insufficient clarity as to what processing operations were being carried out on their personal data.” With respect to whether the company was obliged to rely on consent as its legal basis in connection with the delivery of the service (including for service improvement and security purposes), the DPC disagreed with the complainant’s “forced consent” argument, finding that the company was not required to rely on user consent as providing a lawful basis for its processing of their personal data.

    Noting that the DPC had previously imposed a €225 million fine against the company last September for breaching its transparency obligations to users about how their information was being disclosed over the same time period (covered by InfoBytes here), the DPC did not propose an additional fine. Six of the 47 CSAs, however, objected to the DPC’s conclusion as to the “forced consent” aspect of its decision, arguing that the company “should not be permitted to rely on the contract legal basis on the basis that the delivery of service improvement and security could not be said to be necessary to perform the core elements of what was said to be a much more limited form of contract.”

    The dispute was referred to the European Data Protection Board (EDPB), which issued a final decision on January 12, where it found that, “as a matter of principle, [the company] was not entitled to rely on the contract legal basis as providing a lawful basis for its processing of personal data for the purposes of service improvement and security,” and that in doing so, the company contravened Article 6(1) of the GDPR.

    The DPC handed down a €5.5 million administrative fine and ordered the company to bring its processing operations into compliance with the GDPR within a six-month period. Separately, the EDPB instructed the DPC “to conduct a fresh investigation” that would span all of the company’s processing operations to determine whether the company is in compliance with relevant GDPR obligations regarding the processing of personal data for behavioral advertising, marketing purposes, the provision of metrics to third parties, and the exchange of data with affiliated companies for the purpose of service improvements.

    The DPC challenged the EDPB’s decision, stating that the board “does not have a general supervision role akin to national courts in respect of national independent authorities, and it is not open to the EDPB to instruct and direct an authority to engage in open-ended and speculative investigation.” The DPC suggested that it is considering bringing an action before the Court of Justice of the European Union to “seek the setting aside of the EDPB’s direction.”

    Privacy, Cyber Risk & Data Security Of Interest to Non-US Persons Ireland Enforcement Consumer Protection EU GDPR

  • FDIC announces Georgia disaster relief

    On January 20, the FDIC issued FIL-05-2023 to provide regulatory relief to financial institutions and help facilitate recovery in areas of Georgia affected by severe storms, straight-line winds, and tornadoes on January 12. The FDIC acknowledged the unusual circumstances faced by institutions affected by the storms and encouraged institutions to work with impacted borrowers to, among other things: (i) extend repayment terms; (ii) restructure existing loans; or (iii) ease terms for new loans, provided the measures are done “in a manner consistent with sound banking practices.” Additionally, the FDIC noted that institutions “may receive favorable Community Reinvestment Act consideration for community development loans, investments, and services in support of disaster recovery.” The FDIC will also consider regulatory relief from certain filing and publishing requirements and instructs institutions to contact the Atlanta Regional Office for consideration.

    Bank Regulatory Federal Issues FDIC Disaster Relief Consumer Finance

  • OCC revises Comptroller’s Licensing Manual

    On January 19, the OCC announced an updated version of the “Branches and Relocations” booklet of the Comptroller’s Licensing Manual. According to Bulletin 2023-04, the revised booklet replaces the booklet of the same title issued in October 2019. The revised booklet, among other things: (i) reflects recent updates to 12 CFR 5 and other regulations, as applicable; (ii) removes references to outdated guidance and provides current references; and (iii) makes other minor modifications and corrections throughout.

    Bank Regulatory Federal Issues Licensing OCC Comptroller's Licensing Manual

  • HUD proposes streamlined AFFH rule

    Agency Rule-Making & Guidance

    Recently, HUD announced plans to publish a notice of proposed rulemaking (NPRM) entitled “Affirmatively Furthering Fair Housing” (AFFH). The new rule will update a 2015 final rule, repealed by the Trump administration, that was intended to implement the Fair Housing Act’s statutory mandate that HUD ensure that recipients of its funding work to further fair housing. In 2021, the Biden administration published an interim final rule to restore certain definitions and certifications to its regulations implementing the Fair Housing Act’s requirement to affirmatively further fair housing (covered by InfoBytes here). “This proposed rule is a major step towards fulfilling the law’s full promise and advancing our legal, ethical, and moral charge to provide equitable access to opportunity for all,” HUD Secretary Marcia L. Fudge said in an announcement.

    The NPRM incorporates much of the 2015 AFFH rule and will streamline the required fair housing analysis for states, local communities, and public housing agencies. Program participants would be required to ensure protected classes have equitable access to affordable housing opportunities, by, for example, submitting an equity plan to HUD every five years. HUD-accepted equity plan analysis, goals, and strategies would then be incorporated into program participants’ subsequent planning documents. Program participants would also be required to conduct and submit annual progress evaluations. Both the equity plans and annual progress evaluations would be made available online.

    HUD further explained that the NPRM is intended to simplify required fair housing analysis, increase transparency for public review and comment, improve compliance oversight, provide a process for regular progress evaluations, and enhance accountability, among other things. Comments on the NPRM are due April 24. HUD’s quick reference guide provides additional information.

    Agency Rule-Making & Guidance HUD Discrimination Consumer Finance Fair Lending Fair Housing Fair Housing Act

  • CFTC commissioner discusses crypto exchange’s collapse

    Federal Issues

    On January 18, CFTC Commissioner Christy Goldsmith Romero spoke before the Wharton School and the University of Pennsylvania Carey Law School on lessons learned from the recent bankruptcy of a cryptocurrency exchange, calling the collapse a “violation of trust.” Specifically, Goldsmith Romero mentioned that the digitization of financial services and products brought convenience but also a presumed trust in crypto exchanges with name recognition, which was violated by the collapse. She pointed to the collapsed exchange’s reliance on the name recognition it built through marketing campaigns and explained that such advertising “played up the exchange’s safety and convenience for people that may be new to crypto.”

    Goldsmith Romero urged Congress to avoid permitting newly-regulated crypto exchanges to self-certify products for listing under the current process that limits CFTC oversight. She stressed it “is critical to institute guardrails against regulatory arbitrage,” including prohibiting self-certification.

    Goldsmith Romero also called on lawyers, accountants, compliance professionals, and other gatekeepers to “step up and call for compliance, controls, and other governance.” She expressed that these gatekeepers failed their “essential duties” to protect crypto customers and market integrity, and noted that they have allowed “the promise of riches and the company’s marketing pitch to silence their objections to obvious deficiencies.” Ultimately, Goldsmith Romero advised that “[s]ound custody practices and strong cybersecurity are necessary to restore trust and protect customers.”

    Federal Issues Digital Assets CFTC Cryptocurrency

  • FTC takes action against eye surgery provider

    Federal Issues

    On January 19, the FTC announced an action against an Ohio-based eye surgery provider (respondent) concerning allegations that it engaged in “bait-and-switch” advertising. According to the FTC’s complaint, the respondent engaged in deceptive business practices by marketing eye surgery for $250, yet only 6.5 percent of patients who received consultations qualified for that price. According to the FTC, despite the advertising claims, for consumers with less than near-normal vision the company typically quoted a price between $1,800 and $2,295 per eye. The FTC also alleged that respondent neglected to tell consumers up-front that the promotional price was per-eye.

    Under the terms of the decision and order (which was granted final approval on March 15) the respondent must, among other things, pay $1.25 million in redress to harmed customers. Additionally, the respondent is banned from using deceptive business practices and is required to make certain clear and conspicuous disclosures when advertising the surgery at a price or discount for which most consumers would not qualify. Specifically, such disclosures must include whether the price is per eye, the price most consumers pay per eye, and any requirements or qualifications needed to get the offered price or discount.

    The Commission voted to issue the administrative complaint and accepted the consent agreement 3-1. Commissioner Christine S. Wilson issued a dissenting statement, arguing that there are “no clear rules” regarding the qualifications of eye surgery referenced in the complaint. She stated that she is “concerned that requiring the inclusion of specific medical parameters in advertisements, when those parameters could be either over- or under-inclusive depending upon the results of the consultation, could be more confusing than helpful.”

    Federal Issues FTC Enforcement Advertisement UDAP Deceptive

  • FinCEN prohibits engagement with virtual currency exchange connected to Russian finance

    Financial Crimes

    On January 18, the Financial Crimes Enforcement Network (FinCEN) issued its first order pursuant to section 9714(a) of the Combating Russian Money Laundering Act to identify a Hong Kong-registered global virtual currency exchange operating outside of the U.S. as a “primary money laundering concern” in connection with Russian illicit finance. FinCEN announced that the virtual currency exchange offers exchange and peer-to-peer services and “plays a critical role in laundering Convertible Virtual Currency (CVC) by facilitating illicit transactions for ransomware actors operating in Russia.” A FinCEN investigation revealed that the virtual currency exchange facilitated deposits and funds transfers to Russia-affiliated ransomware groups or affiliates, as well as transactions with Russia-connected darknet markets, one of which is currently sanctioned and subject to enforcement actions that have shuttered its operations. The investigation also found that the virtual currency exchange failed to meaningfully implement steps to identify and disrupt the illicit use and abuse of its services, and lacked adequate policies, procedures, or internal controls to combat money laundering and illicit finance.

    Recognizing that the virtual currency exchange “poses a global threat by allowing Russian cybercriminals and ransomware actors to launder the proceeds of their theft,” FinCEN acting Director Himamauli Das emphasized that “[a]s criminals and criminal facilitators evolve, so too does our ability to disrupt these networks.” He warned that FinCEN will continue to leverage the full range of its authorities to prohibit these institutions from gaining access to and using the U.S. financial system to support Russian illicit finance. Effective February 1, covered financial institutions are prohibited from engaging in the transmittal of funds from or to the virtual currency exchange, or from or to any account or CVC address administered by or on behalf of the virtual currency exchange. Frequently asked questions on the action are available here.

    Concurrently, the DOJ announced that the founder and majority owner of the virtual currency exchange was arrested for his alleged involvement in the transmission of illicit funds. The DOJ said the individual, who is charged with conducting an unlicensed money transmitting business and processing more than $700 million of illicit funds, allegedly “knowingly allowed [the virtual currency exchange] to become a perceived safe haven for funds used for and resulting from a variety of criminal activities,” and was aware that the virtual currency exchange’s accounts “were rife with illicit activity and that many of its users were registered under others’ identities.” While the virtual currency exchange claimed it did not accept users from the U.S., it allegedly conducted substantial business with U.S.-based customers and advised users that they could transfer funds from U.S. financial institutions.

    Deputy Secretary of the Treasury Wally Adeyemo issued a statement following the announcement, noting that the action “is a unique step that has only been taken a handful of times in Treasury’s history for some of the most egregious money laundering cases, and is the first of its kind specifically under new authorities to combat Russian illicit finance.” He reiterated that the action “sends a clear message that we are prepared to take action against any financial institution—including virtual asset service providers—with lax controls against money laundering, terrorist financing, or other illicit finance.”

    Financial Crimes Of Interest to Non-US Persons FinCEN Department of Treasury DOJ Digital Assets Anti-Money Laundering Russia Enforcement Virtual Currency Illicit Finance Peer-to-Peer
