
InfoBytes Blog

Financial Services Law Insights and Observations


  • OCC warns of crypto-asset and cybersecurity risks facing the federal banking system

    On December 8, the OCC released its Semiannual Risk Perspective for Fall 2022, which reports on key risks threatening the safety and soundness of national banks, federal savings associations, and federal branches and agencies. The OCC reported that, in the aggregate, banks “remain well capitalized” and have “ample liquidity and sound credit quality, although macroeconomic headwinds are a concern.” The OCC highlighted interest rate, operational, compliance, and credit risks as key risk themes. Observations include: (i) the rising rate environment has adversely impacted bank investment portfolios; (ii) operational risk, including evolving cyber risk, is elevated, with “threat actors continuing to target the financial services industry with ransomware and other attacks”; (iii) compliance risk remains heightened as banks navigate significant regulatory changes; and (iv) credit risk in commercial and retail loan portfolios remains moderate and demonstrates resiliency, “but signs of potential weakening in some segments warrant careful monitoring.”

    The report discussed emerging risks related to innovation and the adoption of new products and services, including crypto-assets. Highlighting risks arising from banks’ expansion into digital offerings and the “heightened” threat of fraud risk associated with innovative peer-to-peer payment platforms, the OCC noted that banks should be “clearly communicating risks, educating customers on potential scams, and enhancing internal fraud monitoring capabilities” to mitigate threats and protect consumers. The report noted that “[b]anks may require additional or different controls to safeguard against fraud, financial crimes, violations of Bank Secrecy Act, anti-money laundering, and Office of Foreign Assets Control (BSA/AML/OFAC) requirements, and consumer protection or fair lending laws, or operational errors,” and should “maintain comprehensive operational resilience frameworks commensurate with the size and complexity of products, services, and operations being supported.”

    The OCC reiterated the importance of taking a “careful and cautious approach” toward banks’ engagement with crypto-related firms. Recent events in the crypto market have also “revealed a high degree of interconnectedness between certain crypto participants through a variety of opaque lending and investing arrangements,” which has led to “a high risk of contagion among connected parties.” The report noted that national banks and federal savings associations interested in engaging in crypto-asset activities should discuss the activities with their supervisory office before engaging in them. Some activities may require a supervisory non-objection under OCC Interpretive Letter #1179.

    The report cited risks related to cybersecurity and partnerships with fintech and other third parties. The OCC said it is applying a “heightened supervisory focus” to its scrutiny of banks’ oversight of third-party relationships and flagged an upward trend in ransomware attacks targeting banks’ service providers and other third parties. Partnering with fintechs to support operations or provide opportunities for customers to enter the digital asset market can “increase the risk of unfair or deceptive acts or practices because of the coordination, communication, and disclosure challenges involved in these partnerships,” the report said, adding that “[u]nclear or arbitrary partnership agreements may result in implementation breakdowns, untimely resolution of issues, or failure to deliver products or services as intended, and may result in significant customer remediation.” The OCC cautioned that banks must “conduct appropriate due diligence” before entering a partnership with a third party. “The scope and depth of due diligence, as well as ongoing monitoring and oversight of the third party’s performance, should be commensurate with the nature and criticality of the proposed activity.”

    The report also discussed forthcoming climate risk management guidelines applicable to banks with more than $100 billion in total consolidated assets. As previously covered by InfoBytes, the OCC, Federal Reserve Board, and the FDIC announced they intend to issue final interagency guidance to promote consistency.


  • Senators ask federal agencies about banks’ ties to crypto firms

    Federal Issues

    On December 7, Senators Elizabeth Warren (D-MA) and Tina Smith (D-MN) sent letters to the heads of the Federal Reserve Board, FDIC, and OCC seeking information on how the agencies assess risks associated with banks’ relationships with cryptocurrency firms. The senators expressed concerns related to recent revelations that “crypto may be more integrated into the banking system than regulators are aware.” The senators asked the agencies a series of questions, including (i) whether the regulators plan to conduct a review of crypto firms’ relationships with banks; (ii) the names of regulated banks engaged in crypto-related activities, such as providing crypto custody services and acting as nodes to verify customer payments; and (iii) the estimated total dollar volume for each specific activity per bank. The responses were requested by December 21.


  • Senators request information from California bank on its relationship with collapsed crypto exchange

    Federal Issues

    On December 5, Senators Elizabeth Warren (D-MA), John Kennedy (R-LA), and Roger Marshall (R-KS) asked the CEO of a California-based bank for information regarding its relationship with several cryptocurrency firms founded by the CEO of a now-collapsed crypto exchange. In their letter, the senators pressed the CEO for an explanation for why the bank failed to monitor for and report suspicious transactions to the Financial Crimes Enforcement Network, and asked for information about how deposits it was holding on behalf of the collapsed exchange and related firm were being handled. The senators stressed that the bank has a legal responsibility under the Bank Secrecy Act to maintain an effective anti-money laundering program that may have flagged suspicious activity. “Your bank's involvement in the transfer of [the collapsed exchange’s] customer funds to [the related firm] reveals what appears to be an egregious failure of your bank’s responsibility to monitor for and report suspicious financial activity carried out by its clients,” the letter said. The senators asked the bank to respond to a series of questions by December 19.


  • FinCEN’s Das discusses agency’s priorities

    Financial Crimes

    On December 6, FinCEN acting Director Himamauli Das spoke before the ABA/ABA Financial Crimes Enforcement Conference about how FinCEN is addressing new threats, new innovations, and new partnerships, in addition to its efforts to implement the AML Act. Das began by speaking about beneficial ownership requirements of the Corporate Transparency Act (CTA). He noted that a final rule was issued in September, which implemented the beneficial ownership information reporting requirements (covered by InfoBytes here). He also stated that a second rulemaking, concerning access protocols to the beneficial ownership database by law enforcement and financial institutions, may be released before the end of the year, and that work is currently underway on a third rulemaking concerning revisions to the customer due diligence rule. With regard to anti-corruption, Das noted that the agency has been working with the Biden administration, and pointed to three alerts issued by FinCEN in 2022 that highlight “the risks of sanctions and export controls evasion by Russian actors, including through real estate, luxury goods, and other high-value assets.” Das explained that the alerts “complement ongoing U.S. government efforts to isolate sanctioned Russians from the international financial system.”

    Transitioning into discussing effective AML/CFT programs, Das said that the “AML Act’s goal of a strengthened, modernized, and streamlined AML/CFT framework will ultimately play out over a series of steps as we implement all of the provisions of the AML Act.” He then described how the AML Act requires FinCEN to work with the FFIEC and law enforcement agencies to establish training for federal examiners in order to better align the examination process. He further noted that the AML/CFT priorities and their incorporation into risk-based programs as part of the AML Program Rule are “crucial” for providing direction to examiners on approaches that improve outcomes for law enforcement and national security.

    Das also highlighted the digital asset ecosystem as a key priority area for FinCEN and acknowledged that the area has seen “continuing evolution” since 2013 and 2019, when the agency released its latest related guidance documents on the topic. Das explained that FinCEN is taking a “close look” at the elements of its AML/CFT framework applicable to virtual currency and digital assets to determine whether additional regulations or guidance are necessary, which “includes looking carefully at decentralized finance and its potential to reduce or eliminate the role of financial intermediaries that play a critical role in our AML/CFT efforts.”


  • 9th Circuit revives data breach class action against French cryptocurrency wallet provider

    Privacy, Cyber Risk & Data Security

    On December 1, the U.S. Court of Appeals for the Ninth Circuit affirmed in part and reversed in part a district court’s dismissal of a putative class action brought against a French cryptocurrency wallet provider and its e-commerce vendor for lack of personal jurisdiction. As previously covered by InfoBytes, plaintiffs—customers who purchased hardware wallets through the vendor’s platform between July 2017 and June 2020—alleged violations of state-level consumer protection laws after a 2020 data breach exposed the personal contact information of thousands of customers. Plaintiffs contended, among other things, that when the breach was announced in 2020, the wallet provider failed to inform them that their data was involved in the breach, downplayed the seriousness of the attack, and did not disclose that the attack on its website and the vendor’s data theft were connected. The district court held that it did not have jurisdiction over the French wallet provider, and ruled, among other things, that the plaintiffs did not establish that the wallet provider “expressly aimed” its activities towards California in a way that would establish specific jurisdiction, and “did not cause harm in California that it knew was likely to be suffered there.” The district court further held that the fact that the vendor was headquartered in California at the time the breach occurred was not sufficient to establish general jurisdiction because the vendor moved to Canada before the class action was filed. “Courts have uniformly held that general jurisdiction is to be determined no earlier than the time of filing of the complaint,” the district court wrote, dismissing the case with prejudice.

    On appeal, the 9th Circuit concluded that dismissal was improper because the French wallet provider’s contracts with California were sufficient to establish jurisdiction under the “purposeful availment” framework. The appellate court explained that because the French wallet provider sold roughly 70,000 wallets in the state, collected California sales tax, and shipped wallets directly to California addresses, the “facts suffice to establish purposeful availment because [the French wallet provider’s] contacts with the forum cannot be characterized as ‘random, isolated, or fortuitous.’” However, the 9th Circuit limited the claims to only those brought by California residents under the state’s consumer protection laws. A forum-selection clause in the French wallet provider’s privacy policy and terms of use documents provided that disputes would be subject to the exclusive jurisdiction of French courts, the appellate court said, which was enforceable except with respect to the class claims of California residents brought under California law “because it violated California public policy against waiver of consumer rights under California’s Consumer Legal Remedies Act.”

    The 9th Circuit also determined that the district court abused its discretion in disallowing any jurisdictional discovery concerning the defendant e-commerce vendor. Explaining that the e-commerce vendor employs more than 200 people who work remotely from California, including a data-protection officer (DPO) who may have played a role related to the data breach, the appellate court wrote that “[b]ecause more facts are needed to determine whether those activities support the exercise of jurisdiction, we reverse the district court’s denial of jurisdictional discovery with respect to the DPO’s role and responsibilities and his relationship to [the e-commerce vendor], which processed and stored the data.”


  • NYDFS proposes that virtual currency firms pay supervision fees

    Recently, NYDFS announced it is seeking public comment on a proposed rule establishing how certain licensed virtual currency businesses would be assessed for the costs of their supervision and examination. According to NYDFS, the proposed regulation establishes a provision in the state budget granting NYDFS new authority to collect supervisory costs from virtual currency businesses that are licensed pursuant to the Financial Services Law, and will permit NYDFS “to continue adding top talent to its virtual currency regulatory team.” The proposed regulation states that it will apply only to licensed persons engaged in virtual currency business activity and that the fees will only cover the costs and expenses associated with NYDFS's oversight of each licensee. Specifically, the draft regulation states that a licensee's total annual assessment fee will be the “sum of its supervisory component and its regulatory component” and that each licensee will be billed five times per fiscal year. According to the regulation, there will be four quarterly fees, each approximately 25 percent of the anticipated annual amount, and a final fee based on the actual total operating cost for the fiscal year. Comments on the proposed regulation are due March 20.


  • NY passes crypto mining bill

    State Issues

    On November 22, the New York governor signed AB 7389, which establishes a moratorium on cryptocurrency mining operations that use proof-of-work authentication methods to validate blockchain transactions. Among other things, the bill also establishes a section on the moratorium on air permit issuance and renewal that states that the state cannot approve a new application, or issue a new permit, for an electric generating facility that utilizes carbon-based fuel and that provides behind-the-meter electric energy consumed or utilized by cryptocurrency mining operations that use proof-of-work authentication methods to validate blockchain transactions. The bill is effective immediately.


  • Brown urges Yellen to coordinate efforts to combat crypto risks

    Federal Issues

    On November 30, Senator Sherrod Brown (D-OH) sent a letter urging Treasury Secretary Janet Yellen to join forces on drafting legislation that will “create authorities for regulators to have visibility into, and otherwise supervise, the activities of the affiliates and subsidiaries of crypto asset entities.” Recognizing the “troubling risks” within the crypto asset markets and pointing to the recent collapse of a major crypto exchange, Brown suggested that Treasury develop a broad framework for all crypto assets to ensure risks “are contained and do not spillover into traditional financial markets and institutions.” Copying the heads of the SEC, CFTC, Federal Reserve Board, NCUA, CFPB, FDIC, and OCC, Brown encouraged the agencies to enforce existing laws as well as supervisory and regulatory authorities in order to “take on the significant noncompliance with current law among crypto asset firms and minimize, if not eliminate, the opportunities for regulatory arbitrage.” Brown further asked the regulators to “assess the impact of vertical integration in crypto asset markets,” and to coordinate efforts to improve entity and crypto-asset disclosures, market integrity, and transparency.


  • Senator launches inquiry into crypto exchanges’ consumer protection measures

    Federal Issues

    On November 28, Senator Ron Wyden (D-OR) sent letters to the six largest cryptocurrency exchanges requesting information about their finances, internal controls, and how customers’ funds are used. The inquiry follows the recent bankruptcy of a major crypto exchange accused of engaging in widespread mismanagement and misusing customers’ funds. Wyden asked the exchanges to respond to a series of questions related to, among other things, (i) the number of subsidiaries that fall under an exchange’s umbrella; (ii) whether customer assets are segregated from corporate or institutional assets; (iii) the treatment of customers’ funds; (iv) safeguards for preventing market manipulation; (v) the use of customer data for proprietary trading purposes; (vi) debt-to-asset and debt-to-equity ratios, balance sheets, reserves, and audit procedures; (vii) insurance coverage; and (viii) steps taken by the exchanges to work with other crypto companies to develop protections for investors and customers. Senator Wyden further announced, “As Congress considers much-needed regulations for the crypto industry, I will focus on the clear need for consumer protections along the lines of the assurances that have long existed for customers of banks, credit unions and securities brokers.”


  • CFPB denies crypto lender’s petition to set aside CID

    Federal Issues

    On November 22, the CFPB denied a petition by a cryptocurrency lender to set aside a civil investigative demand (CID) issued by the Bureau last December. According to the Bureau, the lender (which states on its website that it is licensed by various state regulators to engage in consumer lending and money transmitting) and its affiliates market a range of products, including interest-accruing accounts and lines of credit. The CID informed the lender that a company representative was required to provide oral testimony at an investigational hearing into whether the lender's conduct is subject to federal consumer financial law, whether the lender had violated the Consumer Financial Protection Act and Regulation E, and whether an enforcement action would be in the public interest.

    The lender petitioned the Bureau in March to modify or set aside the CID, arguing, among other things, that the Bureau lacks authority to investigate its Earn Interest Product because the SEC had previously made clear in a different matter (covered by InfoBytes here) that interest-bearing crypto lending products like the lender’s Earn Interest Product are securities. Accordingly, the lender contended that the Earn Interest Product fell outside of the Bureau’s jurisdiction. Furthermore, the lender asserted that in light of the SEC’s action, it stopped offering its Earn Interest Product to new U.S. customers and “began working to implement other changes by which current users would no longer earn interest on new funds in their Earn Interest Product accounts.”

    In rejecting the lender’s arguments, the Bureau said that the lender “is trying to avoid answering any of the Bureau’s questions about the Earn Interest Product (on the theory that the product is a security subject to SEC oversight) while at the same time preserving the argument that the product is not a security subject to SEC oversight. This attempt to have it both ways dooms [the lender’s] petition from the start.” The Bureau also emphasized that unresolved facts related to the lender’s Earn Interest Product make it impossible to determine whether any of the challenged conduct is subject to an exclusion from the Bureau’s authority under the CFPA or an exemption to Regulation E. The Bureau further noted that courts have established that the recipient of a CID cannot challenge an agency investigation by contesting facts that the agency might find, at least in situations “where the investigation is not patently outside the agency’s authority.”

