
InfoBytes Blog

Financial Services Law Insights and Observations


  • New York Considering Virtual Currency Regulations; Issues Subpoenas to Bitcoin-Associated Companies

    State Issues

    On August 12, New York Department of Financial Services (NY DFS) Superintendent Benjamin Lawsky issued a notice of inquiry about the “appropriate regulatory guidelines that [the NY DFS] should put in place for virtual currencies.” The NY DFS notes the emergence of Bitcoin and other virtual currency as the catalyst for its inquiry and states that it already has “conducted significant preliminary work.” That preliminary work includes 22 subpoenas the NY DFS reportedly issued last week to companies associated with Bitcoin. The NY DFS is concerned that virtual currency exchangers may be engaging in money transmission as defined in New York. Under existing New York law, and the laws of a majority of other states, companies engaged in money transmission must obtain a license, post collateral, submit to periodic examinations, and comply with anti-money laundering laws. However, the NY DFS also suggests that regulating virtual currency under existing money transmission rules may not be the most beneficial approach. Instead, it is considering “new guidelines that are tailored to the unique characteristics of virtual currencies.” The NY DFS notice does not provide any timeline for further action on these issues.

    Virtual Currency NYDFS

  • New York Announces Agreement to Resolve Alleged International Sanctions Violations

    State Issues

    On June 20, New York announced a consent order with the New York branch of a foreign bank to resolve charges that the bank — over a five-year period that ended more than five years ago — violated Bank Secrecy Act, Anti-Money Laundering, and international sanctions rules by stripping from wire transfer messages information that could have been used to identify government and privately owned entities in Iran, Sudan, and Myanmar, and entities on the Specially Designated Nationals list issued by OFAC, and moving billions of dollars through New York on their behalf. The order requires the bank to pay a $250 million penalty, conduct a compliance review, and revise written compliance and management oversight plans. The compliance review must be conducted by an independent consultant that will be subject to the new DFS code of conduct for bank consultants described in a prior Byte. This is at least the second time in the last year that New York has taken a major action against a domestic branch of a foreign bank related to money laundering and international sanctions violations. In a previous instance, federal authorities followed with substantial civil and criminal penalties related to the same conduct.

    Anti-Money Laundering Bank Secrecy Act Enforcement Sanctions

  • New York Signals Crackdown on Bank Consultants with Substantial Fine, Temporary Ban

    State Issues

    On June 18, New York announced an agreement with a bank consulting firm in connection with the firm’s work for a state-regulated bank alleged to have engaged in deceptive and fraudulent misconduct on behalf of client Iranian financial institutions in violation of anti-money laundering and sanctions rules. An investigation conducted by the New York Department of Financial Services (DFS) found that the consultant (i) failed to demonstrate autonomy and removed a recommendation aimed at rooting out money laundering from a written final report submitted to the DFS, and (ii) violated New York Banking Law § 36.10 by disclosing confidential information of other consulting firm clients to the bank. To resolve that investigation, the consulting firm agreed to (i) a voluntary one-year suspension from consulting work at any DFS-regulated institution, (ii) pay a $10 million penalty, and (iii) adopt a new code of conduct. The DFS intends for the code of conduct to serve as “a new model that will govern independent consulting firms that seek to be retained or approved by DFS.” The code of conduct states, among other things: (i) the financial institution and consultant must disclose all prior work by the consultant for the institution in the previous three years, (ii) the engagement letter must require that the ultimate conclusions and judgments will be that of the consultant based upon the exercise of its own judgment, (iii) the consultant and institution must submit a work plan for the engagement and timeline for completion of work, (iv) the DFS and the consultant must have ongoing communication, including outside the presence of the institution, and (v) the consultant must implement numerous record keeping, training, reporting, and other policies and procedures.

    Anti-Money Laundering Sanctions Bank Consultants

  • Alabama Clarifies Supervision Authority Over Bank Affiliates, Service Providers

    State Issues

    On May 23, Alabama enacted a bill that clarifies the Alabama Banking Department’s authority to examine subsidiaries and affiliates of state banks and bank holding companies when the Banking Superintendent believes such a company is not operating in compliance with state laws or safe and sound banking practices. The bill, HB 529, also grants the Banking Department authority to examine bank service companies on the same as-needed basis. Finally, the bill clarifies the Superintendent’s right to promulgate regulations and adds bank holding companies as entities that may rely on interpretations of banking laws and regulations. The bill took effect immediately.

    Bank Supervision

  • Court Dismisses California AG's First Suit Against Mobile Application Provider Under Online Privacy Protection Act

    State Issues

    On May 9, the Superior Court of California dismissed California Attorney General Kamala Harris’ first suit against a company for allegedly failing to comply with the state’s Online Privacy Protection Act. California v. Delta Air Lines Inc., No. 12-526741, Order (Cal. Sup. Ct. May 9, 2013). The state alleged that since at least 2010, Delta Airlines operated a mobile application that allows customers to, for example, check-in online for an airplane flight, view reservations for air travel, or rebook cancelled or missed flights. The AG claimed that the Delta application collects substantial personally identifiable information without providing a privacy policy. The suit sought an injunction and penalties of up to $2,500 for each violation. Reportedly, the court determined that the suit was preempted by the federal Airline Deregulation Act, which prohibits states from regulating certain airline functions, including, according to Delta and the court, the mobile application at issue in this case. The suit against Delta was filed after the AG sent letters to Delta and numerous other mobile application developers and providers advising those entities of their alleged noncompliance with state privacy law, and forms part of a broader enforcement effort by the AG with regard to online and mobile privacy.

    Mobile Commerce Privacy/Cyber Risk & Data Security

  • State Attorneys General Look Into Recent Data Breach Incident

    State Issues

    On May 1, the Connecticut Attorney General, George Jepsen, and the Maryland Attorney General and NAAG President, Douglas Gansler, sent a letter to representatives of a “daily deals” website that recently disclosed a data security incident, seeking additional information about the event. The company publicly reported the incident and stated that no financial information was obtained by the hackers. Nevertheless, the AGs presented numerous information requests, including requests for (i) a detailed timeline of the incident, (ii) the number of individuals affected in each state, (iii) the categories and types of compromised information, (iv) a description of how the company determined that no financial information was compromised, and (v) information about how the company stores, connects, protects, and monitors the various customer data in its possession. Although those experiencing a security breach are often required under state laws to provide this type of information to a state AG, the public release of an AG information request and the joint issuance of a request by multiple state AGs have been less common.

    State Attorney General Privacy/Cyber Risk & Data Security

  • CSBS Releases Annual Report

    State Issues

    On May 2, the CSBS released its 2012 annual report, which aggregates and reviews the organization’s activities in the prior year, identifies future goals for the organization, and outlines specific priorities for 2013. The paper also incorporates more focused reports on past and future activities by various CSBS divisions and boards, including a report from the Policy and Supervision Division that reviews bank supervision, consumer protection and non-bank supervision, and legislative and regulatory policy, including the CSBS positions on community bank regulatory relief and federal proposed capital rules.

    CSBS Community Banks Bank Supervision

  • Delaware Amends Abandoned and Unclaimed Property Self-Disclosure Program

    State Issues

    Recently, Delaware enacted HB 2, which amends the state's voluntary self-disclosure program for abandoned and unclaimed property. Among other things, the bill creates additional incentives for holders of such property to report it to the state and resolve claims. Specifically, holders of such property that disclose before June 30, 2013 will have up to one additional year to enter into an agreement and make payment.

  • NMLS Announces 2013 Annual Conference

    State Issues

    On December 18, the NMLS announced that its fifth Annual Conference and Training will be held February 26 – March 1, 2013, in San Antonio, Texas. The Conference allows companies that manage financial services licenses or registration through NMLS to hear directly from state and federal policymakers regarding the NMLS system and regulatory and compliance developments.

    NMLS

  • CSBS Joins with Federal Authorities to Combat Corporate Account Takeover

    State Issues

    On December 7, the Conference of State Bank Supervisors announced a joint effort with the U.S. Secret Service (Secret Service) and the Financial Services-Information Sharing and Analysis Center (FS-ISAC) to assist financial institutions in adopting best practices to reduce the risks of corporate account takeover, a form of identity theft where cyber criminals gain control of a business’ bank account by stealing credentials and then initiate fraudulent wire and ACH transactions. The recommended practices were developed by a task force formed by the Texas Banking Commissioner and the Secret Service. Using in part the contributions from leading data security and audit firms that serve the community banking industry, the practices expand upon the “Protect, Detect, and Respond” framework developed by the Secret Service, the FBI, the Internet Crime Complaint Center, and FS-ISAC.

    CSBS Privacy/Cyber Risk & Data Security
