InfoBytes Blog

Financial Services Law Insights and Observations

  • Senators ask Treasury, White House for answers on North Korea’s crypto-crime funding

    Financial Crimes

    On August 4, Senators Elizabeth Warren (D-MA), Tim Kaine (D-VA), and Chris Van Hollen (D-MD) sent a letter to the White House National Security Advisor and the Treasury Department’s Under Secretary for Terrorism and Financial Intelligence regarding their concerns over North Korea’s use of cyberattacks and cryptocurrency theft to skirt international sanctions and embargos. The letter urges the Treasury to provide details on its plan to stop North Korea from using digital assets to evade sanctions and continue with the development of nuclear weapons and ballistic missiles. The senators noted that a UN report found that in 2016, “North Korea exhibited a ‘clear shift’ to attacking cryptocurrency exchanges for the purposes of ‘generating financial revenue’” that is difficult to trace and subject to less government oversight. The letter highlights the effects of the cyberattacks, including how they have generated about $2 billion, which is then used to fund the North Korean military. The letter states that the extent of the cybercrime and cryptocurrency thefts shows their use is “key” to the regime’s survival, and notes that the regime has a workforce of thousands of IT workers who operate out of many different countries. The senators asked for a response to their five questions by August 16.

    Financial Crimes Fintech Cryptocurrency Digital Assets Bank Secrecy Act North Korea Department of Treasury

  • GAO calls for enhanced oversight of blockchain, alternative data

    Fintech

    On August 8, the U.S. Government Accountability Office (GAO) released letters sent to the OCC, SEC, FDIC and the Fed to provide an update on GAO’s “priority open recommendations” for each regulator. Priority open recommendations refer to suggestions from GAO to bank regulators that have the potential for cost savings, elimination of mismanagement, fraud, and abuse, or addressing high-risk or duplication issues. GAO suggested that all four agencies follow its recommendation to coordinate oversight of blockchain technology. GAO referenced recent “volatility, bankruptcies, and instances of fraud in the crypto asset markets” and underscored the dangers to consumers and investors without safeguards. GAO suggests regulators jointly establish a formal coordination method to promptly identify and address risks tied to blockchain.

    For the three banking regulators in particular—the OCC, FDIC, and Fed—GAO noted that in 2011 it recommended that the three banking regulators implement noncapital triggers for early regulatory intervention tied to risky banking practices, but that such triggers had not yet been implemented. GAO also suggested that banking regulators and the “communicate the appropriate use of alternative data in the underwriting process with banks that engage in third-party relationships with fintech lenders.”

    GAO’s letter to the Fed restated GAO’s 2016 recommendation that the Fed design “a process to communicate information about the uncertainty surrounding post-stress capital ratio estimates” and “articulate tolerance levels for key risks identified through sensitivity testing and for the degree of uncertainty in the projected capital ratios.” GAO also recommended that the Fed revisit its “prompt corrective action framework” by “adopting noncapital triggers that would require early and forceful regulatory actions tied to unsafe banking practices.”

    Fintech Blockchain Examination Congress CFPB Risk Management OCC SEC FDIC Federal Reserve GAO

  • Dubai to facilitate personal data transfers with California-based entities

    Privacy, Cyber Risk & Data Security

    On August 9, the Dubai International Financial Centre Authority (DIFC) Commissioner of Data Protection issued a “first-of-its-kind” adequacy decision, declaring California’s data protection regime as “substantially equivalent and low risk.” The DIFC deemed the California Consumer Privacy Act (CCPA) of 2018, as amended by the California Privacy Rights Act of 2020, equivalent to DIFC’s DP Law 2020—opening the door to facilitate personal data transfers between DIFC and California-based entities without the need to apply additional contractual measures. The DIFC further noted that CCPA Regulations provide procedures, guidance, and clarity on the requirements of the CCPA and highlighted the key aspects of CCPA, including (i) concepts and definitions; (ii) breach notification requirements; (iii) enforcement authority; (iv) notifications to the commissioner; and (v) commissioner authority and objectives. The DIFC’s decision outlines nine observations regarding California’s data protection regime that informed its adequacy decision. In its press release, the DIFC noted that the CCPA “gives consumers control and protection over personal data collected by businesses” and limits data collection and processing to what is fair, lawful, and necessary. The DIFC added that this adequacy decision sets a precedent for Dubai to build “similar relationships with various US states and the US privacy framework in the future.” 

    Privacy, Cyber Risk & Data Security State Issues CCPA UAE DIFC California

  • Governor Hochul unveils statewide cybersecurity strategy for New York

    State Issues

    On August 9, Governor Hochul announced New York’s first-ever statewide cybersecurity strategy to protect the state’s digital infrastructure from cyber threats. The cybersecurity strategy articulates a set of high-level objectives and agency roles and responsibilities, and outlines how existing and planned initiatives will be woven together in a unified approach. The central principles of the strategy are unification, resilience, and preparedness, with a focus on state agencies working together with local governments to strengthen the entire state’s defenses. Included in the plan was a $600 million commitment to improve cybersecurity, including (i) a $90 million investment for cybersecurity in Fiscal Year 2024; (ii) $500 million to enhance healthcare information technology; and (iii) $7.4 million for law enforcement entities to expand their cybercrime capabilities.

    State Issues Privacy, Cyber Risk & Data Security New York Dodd-Frank Federal Reserve Bank Merger Act

  • 9th Circuit affirms TCPA dismissal

    Courts

    On August 8, the Ninth Circuit affirmed a district court’s dismissal of a cause of action under the TCPA, wherein the plaintiff alleged that the defendant sent her three mass marketing text messages that utilized “prerecorded voice[s]” even though there was no audible component.  Under the TCPA, it is unlawful “to make any call (other than a call made for emergency purposes or made with the prior express consent of the called party) using…an artificial or prerecorded voice” to a cell phone. In affirming the dismissal, the 9th Circuit reasoned that the ordinary meaning of “voice” encompasses only audible sounds, and that the context of the statute confirmed the ordinary meaning.  Specifically, it noted that Congress defined “caller identification information” as “information regarding the origination of a call made using a voice service or a text message sent using a text messaging service.” The court reasoned that if Congress intended “voice” to include inaudible text messages, the term “text message” would be surplusage and “Congress would have written the statute in a manner contrary to a basic canon of statutory interpretation.” The 9th Circuit went on to reject plaintiff’s remaining arguments, including plaintiff’s legislative history and FCC deference arguments because the statute was unambiguous.

    Courts TCPA Appellate FCC

  • Plaintiffs file suit challenging Biden’s latest student debt relief plan

    Courts

    On August 4, two nonprofit entities filed a lawsuit against the federal government aimed at blocking the Biden administration’s recent effort to provide debt relief to student borrowers. The administration’s efforts were implemented in response to the Supreme Court’s June 30 decision striking down the DOE’s student loan debt relief program that would have canceled between $10,000 and $20,000 in debt for certain student borrowers (covered by InfoBytes here). The lawsuit, filed in the U.S. District Court for the Eastern District of Michigan, targets the administration’s efforts to credit borrowers participating in the Public Service Loan Forgiveness (PSLF) plan and Income-Driven Repayment (IDR) plan by providing credit for periods when loans were in forbearance or deferment, which would affect more than 804,000 borrowers, forgiving approximately $39 billion in loan payments, according to the DOE.

    As an initial matter, plaintiffs assert that they are injured by the administration’s actions because, as 501(c)(3) nonprofit organizations, they benefit from the PSLF program by allowing them to “attract and retain borrower-employees who might otherwise choose higher-paying employment with non-qualifying employers in the private sector.” Thus, according to plaintiffs, cancellation of PSLF loans would reduce the incentive for borrowers to work at public service employers and the decision “unlawfully deprives [PSLF] employers of the full statutory benefit to which they are entitled under PSLF.”

    Plaintiffs accuse the administration of putting the plan on an “accelerated schedule apparently designed to evade judicial review.” The plaintiffs assert that the DOE lacks authority to classify “non-payments as payments,” and that the statutes for the PSLF and IDR programs require actual payments to qualify for forgiveness under each plan. The suit brings four claims against the administration: (i) violation of the Appropriation Clause of the U.S. Constitution by canceling debt that Congress did not authorize; (ii) violation of the Administrative Procedure Act (APA) by issuing a final agency decision without appropriate statutory authority; (iii) violation of the APA by taking an arbitrary and capricious agency action by failing to “explain why [DOE] has changed its policy from not crediting non-payments during periods of loan forbearance to crediting such payments for purposes of PSLF and IDR forgiveness” and “entirely fail[ing] to consider the cost to taxpayers of crediting periods of forbearance toward PSLF and IDR forgiveness,” among other reasons; and (iv) violation of the APA by failing to undertake notice-and-comment procedures in implementing the changes. 

    Courts Federal Issues Biden Student Lending Michigan Department of Education Income-Driven Repayment PSLF

  • CFPB files reply brief supporting its constitutional structure

    Courts

    On August 3, the CFPB filed a Reply Brief in support of its request to overturn the Fifth Circuit’s decision in Community Financial Services Association of America v. Consumer Financial Protection Bureau, in which the 5th Circuit found that the CFPB’s funding structure violated the Constitution’s Appropriations Clause (covered by InfoBytes here, here, and here, and in a firm article here).

    In its Reply Brief, the CFPB argues that Congress did not violate the Appropriations Clause by failing to specify a specific dollar amount to fund the CFPB because “the Appropriations Clause contains no dollar-amount requirement.” In support of that argument, the CFPB points to the Founders’ appropriation of funds for the Post Office and the National Mint where they did not decide the specific amounts of annual funding, the funding structure for the OCC and the Federal Reserve Board, and to current federal appropriations for Social Security payments and unemployment assistance.

    The Bureau then argues that even if there was a specific dollar amount requirement, that requirement is nonetheless satisfied because “Congress fixed the CFPB’s maximum annual funding.” According to the Bureau, the fact that it has the discretion to ask for less than the maximum authorized is commonplace and “[t]o this day, Congress routinely appropriates sums ‘not to exceed’ a particular amount;’ that phrase appears more than 400 times in the Consolidated Appropriations Act, 2022.”

    The Bureau then aims to refute plaintiff’s arguments that the Appropriations Clause requires time-limited funding laws and imposes special rules for law enforcement agencies. The Bureau argues that the fact that the Constitution includes a specific restriction limiting Congress from funding the army for more than two years dictates that by negative implication there is no such prohibition of a standing appropriation for a different appropriation.

    Finally, the Bureau argues that its combination of features is not as unique as CFSA contends, and that even if the Supreme Court ultimately finds the funding structure unconstitutional, vacating the Payday Lending Rule is an inappropriate remedy because the 5th Circuit failed “to consider whether the defect it perceived could be cured by severing portions of Section 5497.”

    Courts CFPB Constitution Supreme Court Funding Structure Fifth Circuit Appellate Payday Rule

  • Judge stays CFPB, NY AG lawsuit against auto lender

    Courts

    On August 7, the U.S. District Court for the Southern District of New York granted a defendant’s motion to stay a lawsuit against an alleged predatory auto lender until the Supreme Court determines the constitutionality of the CFPB’s funding in a separate lawsuit (CFSA Case; covered by InfoBytes here).

    The CFPB and the New York Attorney General (AG) brought the complaint in January, accusing the lender of UDAAP and TILA violations that involved tricking consumers into loans financing used cars with high interest rates (typically above 22 percent) and add-on products they could not afford. The CFPB and AG alleged the dealers affiliated with the company (i) engaged in deceptive conduct; (ii) used high-pressure sales tactics; (iii) pressured consumers into unaffordable auto loans; (iv) pressured family and friends to cosign the loans; (v) withheld prices of vehicles; and (vi) misrepresented key financial terms of the purchase, violating the CFPB, the Martin Act, and fraud and UDAP statutes, among other allegations.

    In its decision, the district court reasoned that the stay awaiting the Supreme Court’s decision would (i) allow for clarity and guidance on the legal issues at hand and it may help the defendant avoid unnecessary litigation costs; and (ii) promote judicial efficiency and minimize the possibility of conflicts with other courts. Furthermore, the court determined that although it would be in the public interest to enforce consumer protection laws, the potential harm to the public caused by the stay is outweighed by the benefit to consumers “in proceeding in a streamlined fashion.” The order requires the parties to file a joint letter updating the court by the earlier of November 3 or one week after a major development in the CFSA case.  

    Courts Federal Issues CFPB CFPA Consumer Protection Auto Lending Martin Act Deceptive New York State Attorney General Abusive

  • Tech giant denied summary judgment in private browsing lawsuit

    Courts

    On August 7, the U.S. District Court for the Northern District of California entered an order denying a multinational technology company’s motion for summary judgment on claims that the company invaded consumers’ privacy by tracking the consumers’ browsing history in the company’s private browsing mode. After reviewing the company’s disclosed general terms of service and privacy notices and disclosures, the court found that the company never explicitly told users that it would be collecting their data while browsing in private mode.  Without evidence that the company explicitly told users of this practice, the court concluded that it could not “find as a matter of law that users explicitly consented to the at-issue data collection,” and therefore, could not grant the company’s motion for summary judgment.

    Plaintiffs, who are account holders (Class 1 for Incognito users and Class 2 for users of other private browsing modes), brought a class action suit against the company for the “surreptitious interception and collection of personal and sensitive user data” while the users were in a “private browsing mode.” Along with invasion of privacy, intrusion upon seclusion, and breach of contract, plaintiffs asserted violations of (i) the Federal Wiretap Act; (ii) The California Invasion of Privacy Act; (iii) Comprehensive Data Access and Fraud Act; and (iv) California’s Unfair Competition Law.

    The court previously denied the defendant’s two motions to dismiss. 

    Courts Privacy, Cyber Risk & Data Security Consumer Protection CIPA Wiretap Act California Data Collection / Aggregation

  • OCC issues guidance regarding purchased loans

    On August 8, the OCC issued new guidance regarding the applicability of the legal lending limit (LLL) to purchased loans. The guidance clarifies that “all loans and extensions of credit made by banks are subject to the LLL” and explains that “[w]hether a loan that a bank purchases is attributable to the seller under the LLL regulation depends on specific facts and circumstances.” The OCC then further explains that, in evaluating purchased loans, loans will be attributed to a seller if the bank has direct or indirect recourse to the seller, which can be explicit or implied. Explicit recourse is established through a written agreement and implied recourse can be established through the bank’s course of dealing with the seller. For example, the OCC noted that if a seller routinely “substituted or repurchased loans or refilled or replenished a reserve account even when the contract did not require those actions” that would be sufficient to establish implied recourse.

    Bank Regulatory Federal Issues Agency Rule-Making & Guidance OCC Loans Bank Lending
