InfoBytes Blog

Financial Services Law Insights and Observations

  • FTC Settles with Operators of Alleged Credit Repair Scheme

    Privacy, Cyber Risk & Data Security

    On August 4, the FTC announced a settlement with a California-based company and its employees for allegedly violating the FTC Act and the Credit Repair Organizations Act. According to the associated complaint filed by the FTC in March 2015, the defendants operated a bogus credit repair scheme targeting Spanish-speaking consumers. The FTC alleged that the company and the four named employees deceived consumers with false representations that the company was affiliated with the FTC and false promises that they could repair consumers' credit reports and guarantee that the consumer would have a credit score of 700 or higher within six months or less for a fee of approximately $2,000. The FTC’s final orders against the individuals and the company (i) hold the defendants jointly and severally liable for a $2.4 million monetary judgment; (ii) prohibit the defendants from selling or advertising credit repair services to consumers, and from deceiving consumers about any good or service they are selling; and (iii) bar the defendants from benefiting, through sale or otherwise, from having customers’ personal information. The final orders were approved by the Commission in a 5-0 vote and filed in the U.S. District Court for the Central District of California, Western Division on July 30 and August 3.

    FTC Enforcement Credit Scores

  • Comptroller Talks Interest Rate, Compliance, and Cybersecurity Risks Facing Financial Institutions

    Privacy, Cyber Risk & Data Security

    On July 24, OCC Comptroller Curry delivered remarks before the New England Council in Boston, MA regarding the risks that financial institutions face today. Rising interest rates and regulatory compliance were two of the three risks discussed. Curry emphasized that the inevitable rise in interest rates could greatly affect loan quality, particularly loans that were not carefully underwritten to begin with, and that “[l]oans that are typically refinanced, such as leveraged loans,” would be particularly severely affected. Recognizing the impact that Dodd-Frank continues to have on banks, Curry said that financial institutions face two categories of risk from new regulations: (i) “banks run afoul of the new regulations, possibly damaging their reputations and subjecting themselves to regulatory penalties”; and (ii) banks devote their time and money to regulatory compliance, rather than putting those resources toward serving their customers and communities. The final and “perhaps the foremost risk facing banks today,” according to Curry, is cyber threats. Curry outlined the agency’s efforts to curtail cyber intrusion in the banking industry, highlighting the June 30 release of its Semiannual Risk Assessment and the creation of a Cybersecurity and Critical Infrastructure Working Group, which was designed to (i) increase cybersecurity awareness; (ii) promote best practices; and (iii) strengthen regulatory oversight of cybersecurity readiness. Curry noted, however, that information-sharing is just as important as self-assessment and supervisory oversight: “We strongly recommend … that financial institutions of all sizes participate in the Financial Services Information Sharing and Analysis Center, a non-profit information-sharing forum established by financial services industry participants to facilitate the sharing of physical and cyber threat and vulnerability information.” Collaboration among banks of all sizes and non-bank providers, Curry stated, can be a “game-changer” in more ways than one: “By promoting the discovery of common interests and common responses to the risks that you face in your businesses and we all face together, you provide an invaluable service to New England and to the United States.”

    Dodd-Frank OCC Bank Compliance Privacy/Cyber Risk & Data Security

  • DOJ Announces Charges Against Two Florida Men for Operating Underground Bitcoin Exchange

    Privacy, Cyber Risk & Data Security

    On July 21, U.S. Attorney for the Southern District of New York Preet Bharara, along with the Assistant Director-in-Charge of the New York Field Office of the FBI and the Special Agent-in-Charge of the New York Field Office of the United States Secret Service, announced the unsealing of criminal complaints filed against Anthony R. Murgio and Yuri Lebedev. According to the complaints, since at least late 2013, the two men and their co-conspirators illegally ran a money transfer operation called Coin.mx, which allowed customers to exchange cash for bitcoins for a fee. Murgio’s and Lebedev’s allegedly illegal money transfer operation involved exchanging cash for people whom they believed may be engaging in criminal activity, as well as allowing victims of “ransomware” attacks to trade cash for bitcoins. During these “ransomware” attacks, cybercriminals would “electronically block access to a victim’s computer system until a sum of ‘ransom’ money, typically in bitcoins, [was] paid to them.” In an attempt to evade detection, Murgio, Lebedev, and their co-conspirators operated through “Collectables Club,” a fake front-company. Also in an attempt to avoid detection, Murgio obtained beneficial control of a New Jersey-based federal credit union, then placed Lebedev and others on the Board of Directors so that Coin.mx’s operations could be transferred to the credit union. The individuals used the credit union as a “captive bank for their unlawful business,” until at least early 2015, at which point, the NCUA discovered the illegal activity and forced the credit union to “cease engaging in such activity,” but Murgio “thereafter found new, overseas payment processing channels for his unlawful business.” Murgio and Lebedev are each being charged with one count of conspiracy to operate an unlicensed money transmitting business, and one count of operating an unlicensed money transmitting business. Each of these charges carries a maximum prison sentence of five years. Murgio also was charged with one count of money laundering and one count of willful failure to file a suspicious activity report. These additional charges carry maximum prison sentences of 20 years and 5 years, respectively.

    Anti-Money Laundering DOJ Virtual Currency Privacy/Cyber Risk & Data Security

  • U.S. Senators Introduce Automobile-Focused Cybersecurity Legislation

    Privacy, Cyber Risk & Data Security

    On July 21, Senators Blumenthal (D-CT) and Markey (D-MA) introduced legislation, the Security and Privacy in Your Car Act (“SPY Car” Act), that would protect drivers’ privacy while allowing them to remain connected to the growing technological advances in the automobile industry. In addition to directing the National Highway Traffic Safety Administration (NHTSA) and the FTC to develop federal cybersecurity and privacy standards that would secure motor vehicles manufactured for sale in the United States and protect drivers, the SPY Car Act seeks to establish a rating system, or “cyber dashboard,” that “informs consumers about how well the vehicle protects drivers’ security and privacy” beyond the minimum standards potentially set by the NHTSA and the FTC. Among the cybersecurity standards outlined in the SPY Car Act are requirements that motor vehicles: (i) be equipped with reasonable measures to protect against hacking attacks; (ii) maintain the ability to reasonably secure data collected within electronic systems; and (iii) be equipped with capabilities to immediately detect, report, and stop attempts to intercept driving data or control the vehicle. With regard to privacy standards, the legislation proposes the following: (i) transparency, such that owners or lessees are explicitly aware of the collection, transmission, retention, and use of driving data; (ii) consumer choice, allowing owners or lessees to opt out of data collection and retention without losing access to other features, such as key navigation; and (iii) marketing prohibition, which would ban companies from using personal driving information for advertising purposes without obtaining the affirmative express consent of the owner or lessee. The introduction of the SPY Car Act follows Senator Markey’s 2015 Tracking & Hacking: Security & Privacy Gaps Put American Drivers at Risk report, which showed gaps in the auto industry’s ability to prevent hackers from accessing internet-connected features in vehicles.

    Auto Finance U.S. Senate Privacy/Cyber Risk & Data Security

  • Treasury Deputy Secretary Raskin Delivers Remarks on Cybersecurity in the Financial Sector

    Privacy, Cyber Risk & Data Security

    On July 14, Deputy Secretary of the Treasury Sarah Bloom Raskin delivered remarks at the American Bankers Association Summer Leadership meeting in Baltimore. Speaking on cybersecurity and cyber-resiliency in banking and the financial sector generally, Raskin’s remarks continued her December 2014 remarks in Austin at the Executive Leadership Cybersecurity Conference regarding three main areas, including (i) baseline protections, (ii) information sharing, and (iii) response recovery. According to Raskin, since December the growing number of cyberattacks – including against health insurers and the federal government’s Office of Personnel Management – has made the government and public more mindful of the serious threat posed by cyberattacks. Accordingly, cybersecurity has seen a “profoundly positive cultural change,” moving beyond just the purview of IT specialists. Deputy Secretary Raskin’s most recent remarks added 10 follow-up questions for banks and financial entities to consider, including whether cybersecurity is incorporated into the bank’s governance systems, security controls are tailored to specific cyber risks presented (as opposed to a “one-size fits all” approach), enhanced controls are implemented and adequate training provided, and basic “cyber hygiene” practices (including multi-factor authentication) are followed.  Raskin also emphasized the need to appropriately tailor cyber risk insurance.

    Privacy/Cyber Risk & Data Security Department of Treasury Cyber Insurance

  • FinCEN Issues Geographic Targeting Order to Combat Stolen Identity Tax Refund Fraud in South Florida

    Privacy, Cyber Risk & Data Security

    On July 13, FinCEN issued a Geographic Targeting Order (GTO) requiring check cashers in two South Florida counties to strengthen identification requirements for customers cashing certain Federal tax refund checks. According to FinCEN, Miami-Dade and Broward Counties have become a haven for criminals who, using stolen identities, file fraudulent Federal tax returns and then cash the refund checks at a local check casher. Effective August 3 through January 30, 2016, the GTO will require check cashers located in those counties to obtain additional identifying information from customers seeking to cash Federal tax refund checks (including refund anticipation loan checks from third parties) that exceed $1,000. Issued in coordination with the IRS and the U.S. Attorney’s Office for the Southern District of Florida, the GTO will require customers to provide the following: (i) a valid government-issued identification; (ii) a digital photograph at the time of the transaction; (iii) a valid phone number; and (iv) a thumbprint. The GTO is intended to put a “roadblock in the path of those who would steal another person’s identity,” making it more difficult for the criminals to evade anti-money laundering controls and “reap the rewards of their actions.”

    FinCEN Check Cashing

  • FCC Announces $3.5 Million Settlement with Carriers to Resolve Consumer Privacy Investigation

    Privacy, Cyber Risk & Data Security

    On July 9, the FCC announced a $3.5 million settlement with carriers TerraCom, Inc. and YourTel America, Inc. to resolve an investigation into the exposure of personal information of over 300,000 of their customers online via unprotected servers used by their vendors to store customer information. The exposed information included names, addresses, Social Security numbers, driver’s licenses, and other pieces of sensitive information that were viewable by anyone with access to a search engine. Section 222(a) of the Communications Act imposes on carriers a duty to protect the confidentiality of “proprietary information of… customers” and the FCC Enforcement Bureau viewed this incident as a violation of that duty, as well as of the carriers’ duty under Section 201(b) to employ “just and reasonable” data security practices to protect the confidentiality of consumers’ proprietary information. Under the settlement, TerraCom and YourTel are required to (i) designate a senior corporate manager with certified privacy expertise, (ii) conduct a privacy risk assessment, (iii) put in place a written information security program and data breach response plan, (iv) maintain “reasonable oversight” of third-party vendors, and (v) offer privacy and security training. FCC-regulated entities should review their privacy and data security practices to ensure that they are taking appropriate steps to protect their customers’ proprietary information.

    FCC Enforcement Privacy/Cyber Risk & Data Security

  • White House Provides Update on 2015 Cybersecurity Initiatives

    Privacy, Cyber Risk & Data Security

    On July 9, the White House released a fact sheet regarding the Administration’s 2015 cybersecurity efforts “both domestic and international, to improve our cyber defenses, enhance our response capabilities, and upgrade our incident management tools.” More specifically, these include (i) supporting the private sector; (ii) enhancing federal cybersecurity; (iii) developing new policies and capabilities to identify, defend against, and counter malicious cyber actors; and (iv) engaging internationally. Among the private sector achievements are new legislative proposals; the Department of Defense and Department of Homeland Security (DHS) opening offices in Silicon Valley; and the increase in information sharing between the private sector and government, including DHS’s initiative to develop an automated system for sharing cyber threat indicators. The federal achievements include continual cross-agency efforts to improve how the government conducts background investigations. The new policy achievements include imposing financial sanctions on those participating in malicious cyber-enabled activities threatening national security, strengthening national defense, and creating new cybersecurity laws. Finally, the international accomplishments include the President’s efforts to bolster international commitments and law enforcement, and to strengthen the country’s global leadership role in cybersecurity.

    Privacy/Cyber Risk & Data Security Obama

  • DOJ Deputy Assistant AG Delivers Testimony at Senate Subcommittee Hearing Regarding Cyber Crime

    Privacy, Cyber Risk & Data Security

    On July 8, the DOJ’s Deputy Assistant AG, David Bitkower, delivered his testimony before the Senate Judiciary Subcommittee on Crime and Terrorism’s hearing entitled, “Cyber Crime: Modernizing Our Legal Framework for the Information Age.” Bitkower’s testimony focused on two of President Obama’s earlier 2015 legislative proposals regarding the security of online privacy for American citizens and businesses. The first proposal, with an emphasis on the “insider threat,” seeks to amend a provision of the Computer Fraud and Abuse Act (CFAA) – the primary statute the DOJ uses to charge computer crime cases – to ensure that corrupt employees using their authority to access sensitive data for personal gain are not immune from federal punishment. Bitkower noted that recent judicial decisions have impeded the government’s ability to prosecute cases where “serious violations and invasions of privacy” were prevalent. The second legislative proposal would enhance the DOJ’s ability to combat botnets, the networks of computers that are infected with malware and used by criminals to steal personal information, evade detection, and hold computers and computer systems for ransom. The proposed legislation would broaden the categories of crimes committed with botnets that can be enjoined by courts, which, under the current law, are mostly limited to financial crimes.

    DOJ U.S. Senate Privacy/Cyber Risk & Data Security

  • NAAG Urging Congress to Refrain From Passing Federal Data Breach Legislation Preempting State Authority

    Privacy, Cyber Risk & Data Security

    On July 7, as Congress considers proposed legislation on data breach notification and security, the National Association of Attorneys General (NAAG) sent a letter to leaders of both houses of Congress urging them to refrain from passing federal data breach and identity theft laws that would preempt states’ authority to enforce their own legislation, or to pass legislation that exceeds federal standards. The 47 state attorneys general argued that “preempting state law would make consumers less protected than they are right now” because (i) states are closer to affected consumers and can better respond to their concerns; (ii) states are “better equipped to quickly adjust to the challenges presented by a data-driven economy”; (iii) although helpful for a national data breach, a single federal agency would be unable to “respond effectively” to the large number of smaller data breaches that “have a large impact in a particular state or region”; and (iv) “with the increasing speed rate of technological developments,” states need the ability to surpass minimal and continually obsolete federal requirements. Accordingly, the state attorneys general asserted it was “crucial” that they “maintain their enforcement authority under their states’ laws, and that any legislation be tailored to ensure complementary enforcement authority.”

    State Attorney General U.S. Senate U.S. House Privacy/Cyber Risk & Data Security
