InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
White House orders DOJ and CFPB to better protect citizens’ sensitive personal data
On March 1, the White House released Executive Order 14117 (E.O.) titled “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern” to issue safeguards against Americans’ private information. The E.O. was preceded by the White House’s Fact Sheet which included provisions to protect Americans’ data on their genomic and biometric information, personal health, geolocation, finances, among others. The E.O. shared how this data can be used by nefarious actors such as foreign intelligence services or companies and could enable privacy violations. Under the E.O., President Biden ordered several agencies to act but primarily called on the DOJ. The president directed the DOJ to issue regulations on protecting Americans’ data from being exploited by certain countries. The White House also directed the DOJ to issue regulations to protect government-related data, specifically citing protections for geolocation information and information about military members. Lastly, the DOJ was directed to work with DHS to prevent certain countries’ access to citizens’ data through commercial means and the CFPB was encouraged to “[take] steps, consistent with CFPB’s existing legal authorities, to protect Americans from data brokers that are illegally assembling and selling extremely sensitive data, including that of U.S. military personnel.”
A few days before, the DOJ released its fact sheet detailing its proposals to implement the White House’s E.O., focusing on national security risks and data security. The fact sheet highlighted that our current laws leave open lawful access to vast amounts of Americans’ sensitive personal data that may be purchased and accessed through commercial relationships. In response to the E.O., the DOJ plans to release future regulations “addressing transactions that involve [Americans’] bulk sensitive data” that pose a risk of access by countries of concern. The countries of concern include China (including Hong Kong and Macau), Russia, Iran, North Korea, Cuba, and Venezuela. The DOJ will also release its Advance Notice of Proposed Rulemaking (ANPRM) to provide details of the proposal(s) and to solicit comments.
2nd Circuit: Court upholds dismissal of whistleblower suit alleging Iran sanctions violations
On October 27, the U.S. Court of Appeals for the Second Circuit denied a petition for a panel rehearing en banc in a False Claims Act (FCA) suit that was dismissed in 2020. The whistleblower suit, filed in 2019, alleged violations of the U.S.’s sanctions on Iran by exchanging foreign currency for U.S. dollars on behalf of Iranian and related terrorist entities. In July 2020, the whistleblower suit was dismissed after the court agreed with U.S. Attorney for the Southern District of New York’s motion to dismiss because the compliant was “legally deficient as it is premised on an incorrect legal theory of liability that is inconsistent with both the FCA and the law regarding civil forfeiture.” The plaintiff appealed to the 2nd Circuit arguing that the district court needed to hold a hearing; however, the 2nd Circuit found the suit had been properly dismissed and that the judge considered extensive briefing before making the determination of the dismissal.
FTC reports on efforts to combat cross-border fraud and ransomware attacks
On October 20, the FTC published two reports outlining its efforts to protect consumers against cross-border fraud and ransomware attacks.
In the first report, the FTC described the US SAFE Web Act (SAFE WEB), passed in 2006, as an “indispensable” tool to combat cross-border fraud and protect consumers in an increasingly global and digital economy. For example, the report noted that since SAFE WEB was passed, the FTC has used the law in myriad ways: issuing more than 140 civil investigative demands on behalf of 21 foreign agencies from eight countries; engaging in 148 staff exchanges to build cooperation with foreign counterparts; and sharing confidential information from FTC files with 43 law enforcement agencies in twenty different countries. The report also indicated that SAFE WEB has allowed the FTC to pursue and stop harmful conduct in the US and defend against challenges to its jurisdictional authority over foreign companies targeting American consumers. Notably, SAFE WEB helped the FTC (i) shut down a real estate investment scam that took in more than $100 million (the largest such scheme the FTC has ever targeted); (ii) cooperate with privacy authorities in Canada and the United Kingdom to pursue actions against an online dating site that deceived consumers and failed to protect the account and profile information of more than 36 million individuals; (iii) and work with foreign law enforcement agencies to stop fraudulent money transfers to certain money transfer companies located in Spain in connection with a Nigerian email scam. The FTC recommends that Congress permanently reauthorize SAFE WEB to preserve the agency’s ability to fight cross-border fraud.
In the second report, the FTC discussed its work to target ransomware and other cyber-attacks. The FTC highlighted its longstanding data security enforcement program, which seeks to ensure that businesses engage in reasonable practices to protect the data of their customers. Moreover, the RANSOMWARE Act refers specifically to China, Russia, North Korea, and Iran. The report stated that although the FTC has taken data security-related enforcement actions involving connections to China and Russia, the FTC has had limited interactions with government agencies in China, Russia, North Korea, and Iran. The report included several recommendations for Congress, including making SAFE WEB permanent, amending a provision in the FTC act which would restore the FTC’s ability to provide refunds to harmed consumers, and enacting privacy and data security legislation which would be enforceable by the FTC. The FTC also urged businesses to take steps to safeguard customer data, including retaining information only so long as there is a legitimate business need, restricting access to sensitive data, and storing personal information securely and protecting it during transmission.
FFIEC updates BSA/AML examination manual
On August 2, the Federal Financial Institutions Examination Council (FFIEC) updated its Bank Secrecy Act/Anti-Money Laundering (BSA/AML) Examination Manual, which provides examiners with instructions for assessing a bank or credit union’s BSA/AML compliance program and adherence to BSA regulatory requirements. The revisions include updates to the following sections:
- Special Information Sharing Procedures to Deter Money Laundering and Terrorist Activity
- Due Diligence Programs for Correspondent Accounts for Foreign Financial Institutions
- Due Diligence Programs for Private Banking Accounts
- Prohibition on Correspondent Accounts for Foreign Shell Banks; Records Concerning Owners of Foreign Banks and Agents for Service of Legal Process
- Summons or Subpoena of Foreign Bank Records; Termination of Correspondent Relationship; Records Concerning Owners of Foreign Banks and Agents for Service of Legal Process
- Reporting Obligations on Foreign Bank Relationships with Iranian-Linked Financial Institutions
The FFIEC noted that the “updates should not be interpreted as new instructions or as a new or increased focus on certain areas,” but rather are intended to “provide information and considerations related to certain customers that may indicate the need for bank policies, procedures, and processes to address potential money laundering, terrorist financing, and other illicit financial activity risks.” In addition, the Manual itself does not establish requirements for financial institutions, which are found in applicable statutes and regulations but rather reinforce the agency’s risk-focused approach to BSA/AML examinations.
FinCEN updates jurisdictions with AML/CFT/CPF deficiencies
On June 29, FinCEN announced that the Financial Action Task Force (FATF) issued a public statement updating its lists of jurisdictions with strategic deficiencies in anti-money laundering (AML), countering the financing of terrorism (CFT), and countering the financing of proliferation of weapons of mass destructions (CPF). FATF’s statements include (i) Jurisdictions under Increased Monitoring, “which publicly identifies jurisdictions with strategic deficiencies in their AML/CFT/CPF regimes that have committed to, or are actively working with, the FATF to address those deficiencies in accordance with an agreed upon timeline,” and (ii) High-Risk Jurisdictions Subject to a Call for Action, “which publicly identifies jurisdictions with significant strategic deficiencies in their AML/CFT/CPF regimes and calls on all FATF members to apply enhanced due diligence, and, in the most serious cases, apply counter-measures to protect the international financial system from the money laundering, terrorist financing, and proliferation financing risks emanating from the identified countries.”
FinCEN’s announcement also informed members that FATF added Cameroon, Croatia, and Vietnam it its list to the list of Jurisdictions Under Increased Monitoring and advised jurisdictions to apply enhanced due diligence proportionate to the risks. FATF did not remove any jurisdictions from the list. Additionally, the announcement suggests that money service businesses refer to FinCEN’s Guidance on compliance obligations to employ adequate measures against money laundering and the financing of terrorism posed by their foreign relationships. Also noted in the announcement is that the list of high-risk jurisdictions subject to a call for action, remains the same. FinCEN reminded in the announcement that U.S. financial institutions are still broadly prohibited from engaging in transactions or dealings with Iran, and they should continue to refer to existing FinCEN and Office of Foreign Assets Control guidance on engaging in financial transactions with Burma. With respect to high-risk jurisdictions subject to a call for action — the Democratic People’s Republic of Korea and Iran — “financial institutions must comply with the extensive U.S. restrictions and prohibitions against opening or maintaining any correspondent accounts, directly or indirectly, for North Korean or Iranian financial institutions,” FinCEN said, adding that “[e]xisting U.S. sanctions and FinCEN regulations already prohibit any such correspondent account relationships.”
Split 9th Circuit: Nevada’s medical debt collection law is not preempted
The U.S. Court of Appeals for the Ninth Circuit recently issued a split decision upholding a Nevada medical debt collection law after concluding the statute was neither preempted by the FDCPA or the FCRA, nor a violation of the First Amendment. SB 248 took effect July 1, 2021, in the wake of the Covid-19 pandemic, and requires debt collection agencies to provide written notification to consumers 60 days “before taking any action to collect a medical debt.” Debt collection agencies are also barred from taking any action to collect a medical debt during the 60-day period, including reporting a debt to a consumer reporting agency.
Plaintiffs, a group of debt collectors, sued the Commissioner of the Financial Institutions Division of Nevada’s Department of Business and Industry after the bill was enacted, seeking a temporary restraining order and a preliminary injunction. In addition to claiming alleged preemption by the FDCPA and the FCRA, plaintiffs maintained that SB 248 is unconstitutionally vague and violates the First Amendment. The district court denied the motion, ruling that none of the arguments were likely to succeed on the merits.
In agreeing with the district court’s decision, the majority concluded that SB 248 is not unconstitutionally vague with respect to the term “before taking any action to collect a medical debt” and that any questions about what constitute actions to collect a medical debt were addressed by the statute’s implementing regulations. With respect to whether SB 248 violates the First Amendment, the majority held that debt collection communications are commercial speech and thus not subject to strict scrutiny. As to questions of preemption, the majority determined that SB 248 is not preempted by either the FDCPA or the FCRA. The majority explained that furnishers’ reporting obligations under the FCRA do not include a deadline for when furnishers must report a debt to a CRA and that the 60-day notice is not an attempt to collect a debt and therefore does not trigger the “mini-Miranda warning” required in a debt collector’s initial communication stating that “the debt collector is attempting to collect a debt.”
The third judge disagreed, arguing, among other things, that the majority’s “position requires setting aside common sense” in believing that the FDCPA does not preempt SB 248 because the 60-day notice is not an action in connection with the collection of a debt. “The only reason that a debt collector sends a Section 7 Notice is so that he can later start collecting a debt,” the dissenting judge wrote. “It is impossible to imagine a situation where a debt collector would send such a notice except in pursuit of his goal of ultimately obtaining payment for (i.e., collecting) the debt.” The dissenting judge further argued that by delaying the reporting of unpaid debts, SB 248 conflicts with the FCRA’s intention of ensuring credit information is accurately reported.
OFAC clarifies impact of sanctions on humanitarian assistance and trade
On June 14, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) issued a Fact Sheet for “Provision of Humanitarian Assistance and Trade to Combat COVID-19.” The Fact Sheet, among other things, highlights Treasury’s humanitarian-related or other general licenses (GL) issued to support people impacted by Covid-19 across Iran, Venezuela, North Korea, Syria, Cuba, and Russia. Relatedly, OFAC issued Iran-related GL N-2, Venezuela-related GL 39B, and Syria-related GL 21B to authorize transactions and activities related to the prevention, diagnosis, or treatment of Covid-19, as well as several amended FAQs.
OFAC sanctions network supporting Iran’s missile and military programs
On June 6, the U.S. Treasury Department’s Office of Foreign Assets Control announced sanctions, pursuant to Executive Order 13382, against seven individuals and six entities in Iran, China, and Hong Kong for supporting Iran’s ballistic missile program. These sanctions build on OFAC’s March 30, 2022, designations against other supporters of the Iran-based missile program (covered by InfoBytes here) in an effort to target weapons of mass destruction proliferators and their supporters. OFAC explained that the designated individuals and entities have done business with and supported the procurement of critical parts and technology for Iran’s ballistic missile development.
As a result of the sanctions, all property and interests in property belonging to the sanctioned individuals and entities that are in the U.S. or in the possession or control of U.S. persons are blocked and must be reported to OFAC. Further, “any entities that are owned, directly or indirectly, 50 percent or more by one or more blocked persons are also blocked.” U.S. persons are generally prohibited from engaging in any dealings involving the property or interests in property of blocked or designated persons. Persons that engage in certain transactions with the designated individuals or entities may themselves be exposed to sanctions, and “any foreign financial institution that knowingly facilitates a significant transaction or provides significant financial services for any of the individuals or entities designated today pursuant to E.O. 13382 could be subject to U.S. sanctions.”
OFAC sanctions Iranian tech company and employees
On June 2, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions, pursuant to Executive Order 13846, against an Iran-based technology company, two senior employees, and an affiliate based in the UAE. According to OFAC, the sanctioned persons and entities partook in facilitating the Iranian regime’s censorship of the internet in Iran. The technology company is a key partner in Iran’s development of the National Information Network, which, OFAC states is, “a countrywide intranet that is being used to disconnect the Iranian people from the global internet.” As a result of the sanctions, all property and interests in property belonging to the sanctioned individuals and entities subject to U.S. jurisdiction are blocked and must be reported to OFAC. U.S. persons are also generally prohibited from engaging in any dealings involving the property or interests in property of blocked or designated persons. Additionally, OFAC warned that “persons that engage in certain transactions with the individuals and entities designated today may themselves be exposed to sanctions or subject to an enforcement action.” Also, OFAC noted that unless an exception applies, any foreign financial institution that knowingly takes part in a significant transaction or provides significant financial services for any of the persons designated could also be subject to U.S. sanctions.
In conjunction with the sanctions, OFAC issued several Iran-related general licenses (see General License P).
OFAC sanctions target IRGC
On June 1, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) designated members and affiliates of Iran’s Islamic Revolutionary Guard Corps and its external operations arm, the IRGC-Qods Force (IRGC-QF), pursuant to Executive Order 13224, for participating in a series of plots against former U.S. officials, dual U.S. and Iranian nationals, and Iranian dissidents.
The following were specifically designated: (i) two operatives designated “for having acted for or on behalf of, directly or indirectly, the IRGC-QF”; (ii) an IRGC-QF official designated “for acting or on behalf of the IRGC-QF”; and (iii) a dual Iranian and Turkish national designated “for having materially assisted, sponsored, or provided financial, material, or technological support for, or goods or services to or in support of, the IRGC-QF” by using his Turkey-based airline to support the IRGC-QF covert operations. (The airline is separately designated.)
As a result of the sanctions, all property and interests in property of the individuals and entities named above, and of any entities that are owned, directly or indirectly, 50 percent or more by them, individually, or with other blocked persons, that are in the U.S. or in the possession or control of U.S. persons, must be blocked and reported to OFAC. OFAC’s announcement further noted that its regulations “generally prohibit” U.S. persons from participating in transactions with designated persons unless exempt or otherwise authorized by a general or specific license. The prohibitions include the making or receiving of any contribution of funds, goods, or services to or for the benefit of those persons.