
InfoBytes Blog

Financial Services Law Insights and Observations


  • OFAC authorizes certain transactions to aid Syrian earthquake disaster relief

    Financial Crimes

    On February 9, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) issued Syria General License (GL) 23 to authorize, for 180 days, all transactions related to earthquake relief efforts that would ordinarily be prohibited by the Syrian Sanctions Regulations (SySR). Specifically, authorizations under GL 23 include “the processing or transfer of funds on behalf of third-country persons to or from Syria in support of” transactions related to earthquake relief efforts in the country. Additionally, “U.S. financial institutions and U.S. registered money transmitters may rely on the originator of a funds transfer with regard to compliance” for transactions related to earthquake relief efforts in Syria, provided that the financial institution does not know or have reason to know that the funds transfer is not related to such efforts. GL 23 does not permit any transactions prohibited under the SySR related to the importation of petroleum or petroleum products of Syrian origin into the U.S., or any transactions involving persons “whose property and interests in property are blocked pursuant to the SySR, other than persons who meet the definition of the term Government of Syria, as defined in section 542.305(a) of the SySR, unless separately authorized.” Additionally, OFAC advised financial institutions and others who may be engaged in disaster relief activities for Syria to contact OFAC directly to seek specific licenses or guidance should they believe their activities are not covered by existing authorizations or exemptions.

    Financial Crimes Of Interest to Non-US Persons Department of Treasury OFAC OFAC Sanctions OFAC Designations Syria Money Service / Money Transmitters

  • Fed cautions banks regarding crypto risks

    On February 10, Federal Reserve Board Governor Christopher J. Waller gave a speech on the cryptocurrency ecosystem and digital assets before attendees at the Global Interdependence Center Conference: Digital Money, Decentralized Finance, and the Puzzle of Crypto. Waller provided a broad overview of digital assets and digital ledger technologies and briefly discussed the use of smart contracts in peer-to-peer trading, as well as their potential to automate the execution of certain transactions in non-crypto-assets such as securities transactions. He also highlighted risks associated with another emerging technology—tokenization—which, he explained, “when combined with data vaults to securely store personal information, can be used to trade objects in a way that protects one’s identity from being exploited for profit.” Waller commented that these potential applications could also “lead to substantial productivity enhancements in other industries” beyond the crypto ecosystem.

    Waller went on to express support for prudent innovation but expressed concerns about banks engaging in activities that expose them to a heightened risk of fraud, scams, and legal uncertainties. “As with any customer in any industry, a bank engaging with crypto customers would have to be very clear about the customers’ business models, risk-management systems, and corporate governance structures to ensure that the bank is not left holding the bag if there is a crypto meltdown,” Waller stated. “And banks considering engaging in crypto-asset-related activities face a critical task to meet the ‘know your customer’ and ‘anti-money laundering’ requirements, which they in no way are allowed to ignore.”

    Bank Regulatory Federal Issues Digital Assets Federal Reserve Cryptocurrency Fintech

  • Agencies release hypothetical scenarios for 2023 bank stress tests

    On February 9, the Federal Reserve Board and the OCC released hypothetical economic scenarios for use in the upcoming stress tests for covered institutions. The Fed released supervisory scenarios, which include baseline and severely adverse scenarios. According to the Fed, the stress test evaluates large banks’ resiliency by estimating losses, net revenue, and capital levels under hypothetical recession scenarios that extend two years into the future. The Fed’s stress test also features for the first time “an additional exploratory market shock to the trading books of the largest and most complex banks” to help the agency better assess the potential of multiple scenarios in order to capture a wider array of risks in future stress test exercises. The OCC also released the agency’s scenarios for covered banks and savings associations, which will be used during supervision and will assist in the assessment of a covered institution’s risk profile and capital adequacy.

    Bank Regulatory Federal Issues Federal Reserve OCC Stress Test Bank Supervision

  • FTC provides 2022 ECOA summary to CFPB

    Federal Issues

    On February 9, the FTC announced it recently provided the CFPB with its annual summary of activities related to ECOA enforcement, focusing specifically on the Commission’s activities with respect to Regulation B. The summary discussed, among other things, the following FTC enforcement, research, and policy development initiatives:

    • Last June, the FTC released a report to Congress discussing the use of artificial intelligence (AI), and warning policymakers to use caution when relying on AI to combat the spread of harmful online conduct. The report also raised concerns that AI tools can be biased, discriminatory, or inaccurate, could rely on invasive forms of surveillance, and may harm marginalized communities. (Covered by InfoBytes here.)
    • The FTC continued to participate in the Interagency Task Force on Fair Lending, along with the CFPB, DOJ, HUD, and federal banking regulatory agencies. The Commission also continued its participation in the Interagency Fair Lending Methodologies Working Group to “coordinate and share information on analytical methodologies used in enforcement of and supervision for compliance with fair lending laws, including the ECOA.”
    • The FTC initiated an enforcement action last April against an Illinois-based multistate auto dealer group for allegedly adding junk fees for unwanted “add-on” products to consumers’ bills and discriminating against Black consumers. In October, the FTC initiated a second action against a different auto dealer group and two of its officers for allegedly engaging in deceptive advertising and pricing practices and discriminatory and unfair financing. (Covered by InfoBytes here and here.)
    • The FTC engaged in consumer and business education on fair lending issues, and reiterated that credit discrimination is illegal under federal law for banks, credit unions, mortgage companies, retailers, and companies that extend credit. The FTC also issued consumer alerts discussing enforcement actions involving racial discrimination and disparate impact, as well as agency initiatives centered around racial equity and economic equality.   

    Federal Issues CFPB FTC ECOA Regulation B Fair Lending Enforcement Artificial Intelligence Consumer Finance Auto Finance Discrimination

  • CFPB urges Supreme Court review of 5th Circuit decision

    Courts

    The CFPB recently filed a reply brief in its petition for a writ of certiorari asking the U.S. Supreme Court to review whether the U.S. Court of Appeals for the Fifth Circuit erred in holding that the Bureau’s funding structure violates the Appropriations Clause of the Constitution, and to consider the appellate court’s decision to vacate the agency’s 2017 final rule covering “Payday, Vehicle Title, and Certain High-Cost Installment Loans” (Payday Lending Rule or Rule) on the premise that it was promulgated at a time when the Bureau was receiving unconstitutional funding. (Covered by InfoBytes here.)

    Last month, the respondents filed an opposition brief urging the Supreme Court to deny the Bureau’s petition on the premise that the 5th Circuit’s decision does not warrant review—“let alone in the expedited and limited manner that the Bureau proposes”—because the appellate court correctly vacated the Payday Lending Rule, which, according to the respondents, has “multiple legal defects, including but not limited to the Appropriations Clause issue.” (Covered by InfoBytes here.) The respondents also maintained that the case “is neither cleanly presented . . . nor ripe for definitive resolution at this time,” and argued that the Supreme Court could address the validity of the Payday Lending Rule without addressing the Bureau’s funding issue. Explaining that the 5th Circuit’s decision “simply vacated a single regulation that has never been in effect,” the respondents claimed that the appellate court should have addressed questions about the Rule’s validity before deciding on the Appropriations Clause question. The respondents filed a cross-petition for writ of certiorari arguing that if the Supreme Court decides to hear the case, it should vacate the rule based on the unconstitutional removal restriction, and because it exceeds the Bureau’s statutory authority since “the prohibited conduct falls outside the statutory definition of unfair or abusive conduct.”

    In its reply brief, the Bureau challenged the respondents’ assertion that the agency’s funding was “unprecedented,” noting that the respondents “cannot meaningfully distinguish the CFPB’s funding from Congress’s longstanding and concededly valid practice of funding agencies from standing sources outside annual spending bills.” The Bureau also argued that the respondents failed to rehabilitate the appellate court’s disruptive remedy and could not justify the district court’s failure to conduct a severability analysis. Even if any unconstitutional features could be severed, that would not justify the “extraordinarily disruptive remedy of automatic vacatur” of the Payday Lending Rule, the Bureau said. Furthermore, the Bureau contended that the respondents offered no sound basis for declining to review the appellate court’s decision in the current Supreme Court term.

    According to the Bureau, the decision “carries immense legal and practical consequences that override any interest in ‘further percolation’” and “has already affected more than half of the Bureau’s 22 active enforcement actions” where five have been stayed and motions for relief are pending in seven other courts. Emphasizing that the 5th Circuit’s decision “threatens the validity of virtually all past CFPB actions, including numerous regulations that are critical to consumers and the financial industry,” the Bureau stressed that the proper course would be to grant its petition, set the case for argument in April, and add the additional questions raised by the respondents in their cross-petition.

    Courts CFPB U.S. Supreme Court Appellate Fifth Circuit Payday Lending Payday Rule Constitution Enforcement Funding Structure

  • California’s privacy agency finalizes CPRA regulations

    Privacy, Cyber Risk & Data Security

    On February 3, the California Privacy Protection Agency (CPPA) Board voted unanimously to adopt and approve updated regulations for implementing the California Privacy Rights Act (CPRA). The proposed final regulations will now go to the Office of Administrative Law, which will have 30 working days to review and approve or disapprove the regulations. As previously covered by InfoBytes, the CPRA (largely effective January 1, 2023, with enforcement delayed until July 1, 2023) was approved by ballot measure in November 2020 to amend and build on the California Consumer Privacy Act (CCPA). In July 2022, the CPPA initiated formal rulemaking procedures to adopt proposed regulations implementing the CPRA, and in November the agency posted updated draft regulations (covered by InfoBytes here and here).

    According to the CPPA’s final statement of reasons, the proposed final regulations (which are substantially similar to the version of the proposed regulations circulated in November) address comments received by stakeholders, and include the following modifications from the initial proposed text:

    • Amending certain definitions. The proposed changes would, among other things, modify the definition of “disproportionate effort” to apply to service providers, contractors, and third parties in addition to businesses, as such term is used throughout the regulations, to limit the obligation of businesses (and other entities) with respect to certain consumer requests. The term is further defined as “when the time and/or resources expended to respond to the request significantly outweighs the reasonably foreseeable impact to the consumer by not responding to the request,” and has been modified “to operationalize the exception to complying with certain CCPA requests when it requires ‘disproportionate effort.’” The proposed changes also introduce the definition of “unstructured” personal information, which describes personal information that could not be retrieved or organized in a predefined manner without disproportionate effort on behalf of the business, service provider, contractor, or third party as it relates to the retrieval of text, video, and audio files.
    • Outlining restrictions on how a consumer’s personal information is collected or used. The proposed changes outline factors for determining whether the collection or processing of personal information is consistent with a consumer’s “reasonable expectations.” The modifications also add language explaining how a business should “determine whether another disclosed purpose is compatible with the context in which the personal information was collected,” and present factors such as the reasonable expectation of the consumer at the time of collection, the nature of the other disclosed purpose, and the strength of the link between such expectation and the nature of the other disclosed purpose, for assessing compatibility. Additionally, a section has been added to reiterate requirements “that a business’s collection, use, retention, and/or sharing of a consumer’s personal information must be ‘reasonably necessary and proportionate’ for each identified purpose.” The CPPA explained that this guidance is necessary for ensuring that businesses do not create unnecessary and disproportionate negative impacts on consumers.
    • Providing disclosure and communications requirements. The proposed changes also introduce formatting and presentation requirements, clarifying that disclosures must be easy to read and understandable and conform to applicable industry standards for persons with disabilities, and that conspicuous links for websites should appear in a similar manner as other similarly-posted links, and, for mobile applications, that conspicuous links should be accessible in the business’ privacy policy.
    • Clarifying requirements for consumer requests and obtaining consumer consent. Among other things, the proposed changes introduce technical requirements for the design and implementation of processes for obtaining consumer consent and fulfilling consumer requests, including but not limited to “symmetry-in-choice,” which prohibits businesses from creating more difficult or time-consuming paths for more privacy-protective options than paths to exercise a less privacy-protective option. The modifications also provide that businesses should avoid choice architecture that impairs or interferes with a consumer’s ability to make a choice, as “consent” under the CCPA requires that it be freely given, specific, informed, and unambiguous. Moreover, the statutory definition of a “dark pattern” does not require that a business “intend to design a user interface to have the substantial effect of subverting or impairing consumer choice.” Additionally, businesses that are aware of, but do not correct, broken links and nonfunctional email addresses may be in violation of the regulation.
    • Amending business practices for handling consumer requests. The revisions clarify that a service provider and contractor may use self-service methods that enable the business to delete personal information that the service provider or contractor has collected pursuant to a written contract with the business (additional clarification is also provided on how a service provider or contractor’s obligations apply to the personal information collected pursuant to its written contract with the business). Businesses can also provide a link to resources that explain how specific pieces of personal information can be deleted.
    • Amending requests to correct/know. Among other things, the revisions add language to allow “businesses, service providers, and contractors to delay compliance with requests to correct, with respect to information stored on archived or backup systems until the archived or backup system relating to that data is restored to an active system or is next accessed or used.” Consumers will also be required to make a good-faith effort to provide businesses with all necessary information available at the time of a request. A section has also been added, which clarifies “that implementing measures to ensure that personal information that is the subject of a request to correct remains corrected factors into whether a business, service provider, or contractor has complied with a consumer’s request to correct in accordance with the CCPA and these regulations.” Modifications have also been made to specify that a consumer can request that a business disclose their personal information for a specific time period, and changes have been made to provide further clarity on how a service provider or contractor’s obligations apply to personal information collected pursuant to a written contract with a business.
    • Amending opt-out preference signals. The proposed changes clarify that the requirement to process opt-out preference signals applies only to businesses that sell or share personal information. Language has also been added to explain that “the opt-out preference signal shall be treated as a valid request to opt-out of sale/sharing for any consumer profile, including pseudonymous profiles, that are associated with the browser or device for which the opt-out preference signal is given.” When consumers do not respond to a business’s request for more information, a “business must still process the request to opt-out of sale/sharing” to ensure that “a business’s request for more information is not a dark pattern that subverts consumer’s choice.” Additionally, businesses should not interpret the absence of an opt-out preference signal as a consumer’s consent to opt-in to the sale or sharing of personal information.
    • Amending requests to opt-out of sale/sharing. The revisions, among other things, clarify that, at a minimum, a business shall allow consumers to submit requests to opt-out of sale/sharing through an opt-out preference signal and through one of the following methods—an interactive form accessible via the “Do Not Sell or Share My Personal Information” link, the Alternative Opt-out Link, or the business’s privacy policy. The revisions also make various changes related to service provider, contractor, and third-party obligations.
    • Clarifying requests to limit use and disclosure of sensitive personal information. The regulations require businesses to provide specific disclosures related to the collection, use, and rights of consumers for limiting the use of sensitive personal information in certain cases, including, among other things, requiring the use of a link to “Limit the Use of My Sensitive Personal Information” and honoring any limitations within 15 business days of receipt. The regulations also provide specific enumerated business uses where the right to limit does not apply, including to ensure physical safety and to prevent, detect, and investigate security incidents.

    The proposed final regulations also clarify when businesses must provide a notice of right to limit, modify how the alternative opt-out link should be presented, provide clarity on how businesses should address scenarios in which opt-out preference signals may conflict with financial incentive programs, make changes to service provider, contractor, and third party obligations to the collection of personal information, as well as contract requirements, provide clarity on special rules applicable to consumers under 16-years of age, and modify provisions related to investigations and enforcement.

    Separately, on February 10, the CPPA posted a preliminary request for comments on cybersecurity audits, risk assessments, and automated decisionmaking to inform future rulemaking. Among other things, the CPPA is interested in learning about steps it can take to ensure cybersecurity audits are “thorough and independent,” what content should be included in a risk assessment (including whether the CPPA should adopt the approaches in the EU GDPR and/or Colorado Privacy Act), and how “automated decisionmaking technology” is defined in other laws and frameworks. The CPPA noted that this invitation for comments is not a proposed rulemaking action, but rather serves as an opportunity for information gathering. Comments are due March 27.

    Privacy, Cyber Risk & Data Security State Issues California CCPA CPPA CPRA Compliance State Regulators Opt-Out Consumer Protection

  • Treasury official warns Turkish companies on engaging with Russian entities

    Financial Crimes

    On February 3, Under Secretary of the Treasury for Terrorism and Financial Intelligence, Brian E. Nelson, met with the Banks Association of Turkey to discuss international sanctions actions against Russia for its war against Ukraine. Nelson highlighted global illicit finance challenges and stressed the importance of addressing weaknesses within the financial system “to root out financial crime, shine light on the financial shadows that illicit actors exploit, and work toward a more equitable and inclusive global economy.” Nelson commented on potential areas for cooperation between Turkish banks and the broader international finance community, pointing to opportunities for the U.S. and Turkey to work together to mitigate anti-money laundering vulnerabilities in the real estate sector. He also focused on Russia’s “abuse of the global financial system to fund” its war in Ukraine as a main factor in international cooperation for preventing Russia from circumventing sanctions and financial controls “in dozens of countries, including [Turkey].” While Nelson recognized Turkey’s reliance on Russian energy and agriculture, he said that “the marked rise over the past year in non-essential Turkish exports or re-exports to Russia makes the Turkish private sector particularly vulnerable to reputational and sanctions risks.” Engaging with sanctioned Russian entities puts Turkish banks and businesses “at risk of sanctions and a potential loss of access to G7 markets and correspondent relationships,” Nelson stressed, calling upon Turkish financial institutions to conduct “enhanced due diligence” in all transactions with Russian entities and individuals—especially within vulnerable sectors.

    Financial Crimes Of Interest to Non-US Persons OFAC OFAC Designations OFAC Sanctions Department of Treasury Russia Ukraine Ukraine Invasion Illicit Finance Anti-Money Laundering

  • OFAC, UK announce joint sanctions on Russia-based cybercrime gang

    Financial Crimes

    On February 9, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC), in coordination with the UK, announced sanctions against seven individuals who allegedly are involved in a Russia-based cybercrime gang and are associated with the development or deployment of a range of ransomware strains designed to steal financial data. (See also UK’s announcement here.) The sanctions, taken pursuant to Executive Order (E.O.) 13694 as amended by E.O. 13757, represent the first sanctions of their kind for the UK, and come as a result of a partnership between OFAC and the U.K.’s Foreign, Commonwealth, and Development Office, the UK National Crime Agency, and His Majesty’s Treasury—all of which serve to disrupt Russian cybercrime and ransomware. “Cyber criminals, particularly those based in Russia, seek to attack critical infrastructure, target U.S. businesses, and exploit the international financial system,” Treasury Under Secretary Brian E. Nelson said in the announcement, stressing that “international cooperation is key to addressing Russian cybercrime.” Referring to an action taken by FinCEN last month, which identified a Russia-based virtual currency exchange “as a ‘primary money laundering concern’ in connection with Russian illicit finance” (covered by InfoBytes here), OFAC reiterated that the U.S. and UK are “committed to using all available authorities and tools to defend against cyber threats.” The designations follow other joint sanctions actions taken by the two countries and reflect findings that sanctions are most effective in coordination with international partners, OFAC said.

    As a result of the sanctions, all property and interests in property belonging to the sanctioned individuals that are in the U.S. or in the possession or control of U.S. persons are blocked and must be reported to OFAC. U.S. persons are generally prohibited from engaging in any dealings involving the property or interests in property of blocked or designated persons. Persons that engage in certain transactions with the designated individuals may themselves be exposed to sanctions, and “any foreign financial institution that knowingly facilitates a significant transaction or provides significant financial services for any of the individuals or entities designated today could be subject to U.S. correspondent or payable-through account sanctions.”

    Financial Crimes Of Interest to Non-US Persons OFAC Department of Treasury OFAC Sanctions OFAC Designations SDN List UK Privacy, Cyber Risk & Data Security FinCEN Russia

  • OFAC sanctions 9 companies for involvement in Iranian petrochemicals and petroleum

    Financial Crimes

    On February 9, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions, pursuant to Executive Order 13846, against six Iran-based petrochemical manufacturers or their subsidiaries, as well as three firms located in Malaysia and Singapore, for their involvement in the sale and shipment of petroleum and petrochemicals on behalf of a previously designated company. According to the announcement, the designations follow sanctions imposed by OFAC last November against 13 companies in multiple jurisdictions for their involvement in the sale of Iranian petrochemicals and petroleum products to buyers in East Asia on behalf of sanctioned Iranian petrochemical brokers (covered by InfoBytes here). As a result of the sanctions, all property and interests in property belonging to the sanctioned persons subject to U.S. jurisdiction are blocked and must be reported to OFAC. Additionally, “any entities that are owned, directly or indirectly, 50 percent or more by one or more blocked persons are also blocked.” U.S. persons are also generally prohibited from engaging in any dealings involving the property or interests in property of blocked or designated persons. Persons that engage in certain transactions with the individuals or entities designated today may themselves be exposed to sanctions or subject to enforcement. Additionally, OFAC warned that “any foreign financial institution that knowingly facilitates a significant transaction or provides significant financial services for any of the individuals designated today could be subject to U.S. sanctions.”

    Financial Crimes Of Interest to Non-US Persons OFAC Department of Treasury OFAC Designations OFAC Sanctions SDN List Iran

  • District Court approves $1.95 million TCPA settlement

    Courts

    On February 7, the U.S. District Court for the Eastern District of Missouri granted final approval to a $1.95 million settlement in a class action TCPA suit concerning allegations that a defendant debt collection company placed calls to consumers’ cell phones through the use of an artificial or prerecorded voice without first obtaining consumers’ prior express consent. The plaintiff also claimed that the defendant allegedly repeatedly delivered artificial or prerecorded voice messages to wrong or reassigned cell phone numbers that did not belong to the intended recipient. According to the plaintiff, the defendant continued to place calls to his cell phone even after he informed a company representative that it had the wrong number and that he did not know the individual the defendant was attempting to reach. The plaintiff sued alleging violations of Section 227(b)(1)(A)(iii) of the TCPA. While denying all liability alleged in the lawsuit, the defendant agreed to the terms of the settlement agreement, which defines class members as “[a]ll persons in the United States who (a) received a call from [the defendant] between December 16, 2017 and July 7, 2022 on their cellular telephone, (b) with an artificial or prerecorded voice, (c) for which [the defendant’s] records contain a ‘WN’ designation and an ‘MC’ and/or ‘MD’ notation.” The defendant is required to establish a $1.95 million settlement fund, pay $650,00 in attorneys’ fees and $10,477 in costs and expenses, and pay a $10,000 incentive award to the named plaintiff.

    Courts Settlement TCPA Class Action Debt Collection
