
InfoBytes Blog

Financial Services Law Insights and Observations


  • CSBS releases nonbank cybersecurity examination tools

    Privacy, Cyber Risk & Data Security

    On August 9, the Conference of State Bank Supervisors (CSBS) released two new tools used by state examiners to assess nonbank financial services companies’ cyber preparedness. Developed by a multi-state team of cybersecurity examination experts, the Baseline Nonbank Cybersecurity Exam Program and the Enhanced Nonbank Cybersecurity Exam Program provide nonbanks the opportunity to improve their cybersecurity posture and better prepare for cybersecurity exams conducted by state examiners. The “Baseline” program is geared toward exams of “smaller, noncomplex, low-risk institutions,” and “is targeted for use by examiners with or without specialized IT and cybersecurity knowledge.” The “Enhanced” program includes all of the Baseline procedures as well as additional procedures to provide a “more in-depth review for larger, more complex institutions or for those where concerns are raised during exams.” The program is intended for use by examiners with specialized IT and cybersecurity knowledge.

    “Supervisory clarity is essential to increasing industry awareness and making our financial system more resilient to cyber-attacks,” CSBS Senior Vice President of Nonbank Supervision Chuck Cross said in the announcement. “The Nonbank Cybersecurity Exam Procedures released today provide nonbank institutions additional optional tools to guard against cyber-attacks, data breaches or lapses in management oversight in this crucial area.” 

    CSBS announced that it intends to provide additional tools tailored to the needs of smaller nonbank financial institutions in the coming months. 

    Privacy, Cyber Risk & Data Security State Issues CSBS Nonbank Examination

  • Minnesota fines debt collector for violating earlier consent order

    State Issues

    Recently, the Minnesota Department of Commerce issued a consent order assessing $20,000 in fines to a debt collector accused of violating a 2020 consent order. The state previously entered into a consent order with the debt collector, in which it agreed to cease and desist from violating the FDCPA and state law after it was found to have, among other things, commingled funds and allowed agents to work from unlicensed branch locations. The state later found that the debt collector allegedly continued to violate state and federal law by collecting on payday loans from unlicensed lenders and failing to provide meaningful disclosures on telephone calls or register several of its agents as debt collectors in the state. As a result, the state ordered the debt collector to pay the stayed portion of the 2020 fine ($19,000), as well as a $25,000 civil penalty of which $24,000 is stayed. If the stay has not been lifted by December 31, 2025, the remaining portion of the civil penalty will be vacated provided the debt collector does not commit any further violations.

    State Issues State Regulators Enforcement Minnesota FDCPA Debt Collection

  • Special Alert: NYDFS fines trading platform for BSA/AML, transaction monitoring, and cybersecurity lapses

    State Issues

    The New York Department of Financial Services and a trading platform on Aug. 1 entered into a consent order to resolve deficiencies identified during a 2019 examination and a subsequent investigation by the department’s enforcement section. The consent order focused on deficiencies related to Bank Secrecy Act and anti-money-laundering compliance, transaction monitoring, cybersecurity, and related New York certifications of compliance. The company will pay a $30 million civil monetary penalty and retain an independent consultant that will assist with remediating the issues highlighted in the order and report to NYDFS on remediation progress.

    The consent order has far-reaching implications for all financial services companies that come under the jurisdiction of the NYDFS.

    The trading platform is a wholly owned subsidiary of a financial services company that offers U.S.-based retail investors the ability to trade stocks, options, and cryptocurrency on a commission-free basis through its broker-dealer subsidiary. The trading platform is licensed by the NYDFS to engage in virtual currency and money transmitter businesses in New York. Of primary concern for the NYDFS was the platform’s alleged reliance on its parent company’s compliance and cybersecurity programs through enterprisewide systems that the NYDFS found to be inadequate. Additionally, according to NYDFS, the platform allegedly had few to no qualified personnel or management involved in overseeing those programs, which NYDFS has implicitly indicated cannot be outsourced.

    State Issues Financial Crimes Special Alerts NYDFS Enforcement Examination Digital Assets Virtual Currency Money Service / Money Transmitters Bank Secrecy Act Anti-Money Laundering Privacy, Cyber Risk & Data Security Of Interest to Non-US Persons

  • States create Anti-Robocall Litigation Task Force

    State Issues

    On August 2, the Utah attorney general joined the nationwide Anti-Robocall Litigation Task Force, which investigates and takes legal action against telecommunications companies responsible for bringing the majority of foreign robocalls into the U.S. According to the Utah AG's press release, the Task Force is a bipartisan nationwide effort of 50 attorneys general who have a joint goal of cutting down on illegal robocalls. Twenty civil investigative demands have already been issued by the Task Force to several gateway providers and other entities allegedly responsible for most foreign robocall traffic. According to a press release issued by the Delaware AG, “the Task Force will focus on the bad actors throughout the telecommunications industry to help reduce the number of robocalls that consumers receive and benefit the companies that are following the rules.”

    State Issues State Attorney General Robocalls

  • States request extension of PSLF forgiveness waiver

    State Issues

    On July 29, a coalition of state attorneys general sent a letter to President Biden and Department of Education Secretary Miguel Cardona, requesting the extension of the deadline for individuals to file claims under the Public Service Loan Forgiveness (PSLF) program. As previously covered by InfoBytes, in October 2021, the Department announced several significant changes to its PSLF program, including that approximately 22,000 borrowers with consolidated loans (including loans previously ineligible) may be immediately eligible to have their loans forgiven automatically, and another 27,000 borrowers could have their balances forgiven if they are able to certify additional periods of public service employment. According to the AGs, “it is critically important to extend the waiver at least until new PSLF regulations take effect and to grandfather in waiver benefits for borrowers who miss administrative deadlines.” The AGs also asked the Biden administration to count all forbearance periods toward loan forgiveness, rather than making exceptions for servicemembers and longer periods of forbearance for everyone else. The letter stated that “[f]ailure to automatically count periods of forbearance toward loan forgiveness ignores pervasive and well-established servicing problems and inappropriately shifts the burden to borrowers to identify and prove that they were victims of servicer misconduct.” The AGs urged the Biden administration “to exercise its authority to synchronize the One-Time Adjustment and Limited PSLF Waiver into a unified adjustment policy.” The letter specifically stated that the “simplest way of doing so may be to incorporate certain critical aspects of the waiver into the One-Time Adjustment, including that qualifying employment at the time of forgiveness is not necessary and that consolidations (whether of FFEL or Direct Loans) occurring prior to the completion of the One-Time Adjustment do not negate past qualifying employment periods for PSLF.”

    State Issues Federal Issues State Attorney General Department of Education PSLF Student Lending Consumer Finance

  • NYDFS imposes $30 million fine against trading platform for cybersecurity, BSA/AML violations

    State Issues

    On August 2, NYDFS announced a consent order imposing a $30 million fine against a trading platform for alleged violations of the Department’s Virtual Currency Regulation (23 NYCRR Part 200), Money Transmitter Regulation (3 NYCRR Part 417), Transaction Monitoring Regulation (3 NYCRR Part 504), Cybersecurity Regulation (23 NYCRR Part 500), and for failing to maintain adequate Bank Secrecy Act/anti-money laundering (BSA/AML) obligations. According to a Department investigation, the platform’s BSA/AML compliance program contained significant deficiencies, including an inadequate transaction monitoring system. Among other things, the platform failed to timely transition its manual system to an automated transaction monitoring system, which was unacceptable for a program of its size, customer profiles, and transaction volumes, and did not devote sufficient resources to adequately address risks. The Department also found “critical failures” in the platform’s cybersecurity program, which failed to address operational risks, and that specific policies within the program did not fully comply with several provisions of the Department’s cybersecurity and virtual currency regulations. According to the press release, pursuant to NYDFS’s Transaction Monitoring Regulation and Cybersecurity Regulation, companies should only file a Certificate of Compliance with the Department if their programs are fully compliant with the applicable regulation.

    In light of the program’s deficiencies, NYDFS stated that the platform’s 2019 certifications to the Department attesting to compliance with these regulations should not have been made and thus violated the law. The platform also “failed to comply with the Supervisory Agreement by failing to promptly notify the Department of (a) actual or material potential actions, proceedings, or similar process that were or may have been instituted against [the platform] or any affiliated entity by any regulatory body or governmental agency; and (b) of the receipt by [the platform], or any affiliated entity, of any subpoena from any regulatory body or governmental agency in which [the platform], or any affiliated entity, was the target of the investigation.” NYDFS determined that in addition to the penalty, the platform will be required to retain an independent consultant that will perform a comprehensive evaluation of its compliance with the Department’s regulations and the platform’s remediation efforts with respect to the identified deficiencies and violations.

    A Buckley Special Alert is forthcoming. 

    State Issues NYDFS Enforcement State Regulators Bank Secrecy Act Anti-Money Laundering Money Service / Money Transmitters Virtual Currency Privacy, Cyber Risk & Data Security New York Digital Assets Cryptocurrency

  • Connecticut issues money transmitter advisory

    Recently, the Connecticut Department of Banking (Department) issued an advisory on money transmission, providing general guidance on what types of activities and entities must be licensed. According to the advisory, transmission can occur whenever “a person takes possession or control of monetary value belonging to another person” and holds it for a period of time, or transmits it to a third party. The Department noted that “[t]he increased use of technology to enable immediate payment mechanisms, as well as the explosion of virtual currency, has caused significant disruption to traditional money transmission systems.” The Department also acknowledged that many consumers do “not realize or understand the regulatory landscape that applies” to using money transmitters. Among other things, the advisory listed entities that traditionally provide transmission services like bill payers, payroll processors, and issuers and sellers of prepaid cards and money orders. The advisory also discussed Connecticut’s license application and penalties for unlicensed transmission, explaining that licensure goes through the Nationwide Multistate Licensing System and involves disclosing pertinent information concerning all “control persons.” 

    Licensing State Issues Connecticut State Regulators NMLS Money Service / Money Transmitters

  • Republicans allege CFPB “collusion” with states

    Federal Issues

    On July 28, House Financial Services Committee Ranking Member Patrick McHenry (R-NC) and two other Republican members sent a letter to CFPB Director Rohit Chopra, expressing their concerns that the Bureau has been “colluding” with states to “intimidate companies by conspiring with state agencies to pursue duplicative enforcement actions” in the financial services industry. The letter recognizes that state AGs “may enforce the CFPA in cases where the CFPB has not,” but argues that “the statute does not allow for a state attorney general to become a party to an existing CFPB enforcement action.” As previously covered by InfoBytes, the Bureau issued an interpretive rule in May addressing states’ authority to bring enforcement actions for violations of federal consumer financial protection laws, including the CFPA. The representatives argue that although the CFPB has a duty to enforce the CFPA and protect consumers from predatory and discriminatory practices, the Bureau’s interpretive rule is “akin to deputizing state attorneys general to enforce the CFPA on behalf of the CFPB – something Congress did not authorize.” The letter concludes with a request for documents and information from the Bureau by August 12, including (i) the legal authority that allows the CFPB to “recruit state attorneys general to join existing CFPB actions”; (ii) any “safeguards” the CFPB has in place to avoid “redundant and duplicative state actions”; and (iii) “all documents and communications between offices of state attorneys general and the CFPB since October 12, 2021” and “all information regarding complaints filed in a judicial court received by the CFPB pursuant to 12 USC § 5552.”

    Federal Issues State Attorney General CFPB U.S. House CFPA House Financial Services Committee Enforcement State Issues

  • Massachusetts AG orders company to pay $230,000 for data breach

    Privacy, Cyber Risk & Data Security

    On July 21, the Massachusetts AG announced that a Rhode Island-based job placement service company must pay a $230,000 settlement to resolve allegations that it failed to implement the proper security programs, which led to a data breach. According to the assurance of discontinuance (AOD), the company was breached in December 2020 after an employee fell victim to a phishing email, resulting in a compromise of credentials that allowed hackers to access personal data of users. The AG alleged that the company violated Massachusetts data privacy laws by failing to have a written information security program (WISP) in place during or prior to the data breach. Under the terms of the settlement, the company is required to pay $230,000 in penalties, come into compliance with state laws, continue to implement and maintain a WISP, and continue to train its employees on the importance of personal information security.

    Privacy, Cyber Risk & Data Security Massachusetts State Attorney General Data Breach State Issues

  • FCC orders phone companies to block car warranty scammers

    Federal Issues

    On July 21, the FCC announced it is ordering phone companies to stop carrying traffic regarding a known robocall scam marketing auto warranties. The FCC noted that the operation is also the target of an ongoing investigation by the FCC’s Enforcement Bureau and a lawsuit by the Ohio Attorney General. As previously covered by InfoBytes, the Ohio AG filed a complaint against multiple companies for participating in an alleged unwanted car warranty call operation. The complaint, filed in the U.S. District Court for the Southern District of Ohio, alleged that the 22 named defendants “participated in an unlawful robocall operation that bombarded American consumers with billions of robocalls.” The FCC’s order follows its announcement of actions taken to decrease robocalls, including sending cease and desist letters to several carriers in an attempt “to cut off a flood of possibly illegal robocalls marketing auto warranties targeting billions of consumers.” The announcement also noted that the FCC has authorized “all U.S.-based voice service providers to cease carrying any traffic originating from the [named] operation consistent with FCC regulations,” as detailed in the notice.

    Federal Issues FCC Robocalls State Attorney General Enforcement State Issues
