
InfoBytes Blog

Financial Services Law Insights and Observations


  • SEC awards whistleblowers approximately $18 million

    Securities

    On January 19, the SEC announced three whistleblower awards totaling approximately $18 million to claimants who provided information and assistance that led to a successful enforcement action. According to the redacted order, the first whistleblower voluntarily provided detailed and significant information that prompted the opening of an investigation into a fraudulent scheme and had a significant impact on the overall success of the enforcement action. The whistleblower’s assistance saved staff time and resources, the SEC said, adding that the second and third whistleblowers voluntarily provided timely information later in the investigation that also significantly contributed to the enforcement action’s success.

    Securities SEC Enforcement Whistleblower Investigations

  • U.S. messaging service fined €5.5 million for GDPR violations

    Privacy, Cyber Risk & Data Security

    On January 19, the Irish Data Protection Commission (DPC) announced the conclusion of an inquiry into the data processing practices of a U.S.-based messaging service’s Ireland operations and fined the messaging service €5.5 million. The investigation was part of a broader GDPR compliance inquiry prompted by a May 25, 2018 complaint from a German data subject.

    The DPC noted that in advance of the date on which the GDPR became effective (May 25, 2018), the U.S. company updated its terms of service and notified users that, to continue accessing the messaging service, they would need to accept the updated terms by clicking “agree and continue.” The complainant asserted that, in doing so, the messaging service forced users to consent to the processing of their personal data for service improvement and security. 

    The company claimed that when a user accepted the updated terms of service, the user entered into a contract with the company. The company therefore maintained that “the processing of users’ data in connection with the delivery of its service was necessary for the performance of that contract, to include the provision of service improvement and security features, so that such processing operations were lawful by reference to Article 6(1)(b) of the GDPR (the ‘contract’ legal basis for processing).” The complainant argued that, contrary to the company’s stated intention, the company was “seeking to rely on consent to provide a lawful basis for its processing of users’ data.”

    The DPC issued a draft decision that was submitted to its EU peer regulators (Concerned Supervisory Authorities or “CSAs”). The DPC concluded that the company was in breach of its GDPR transparency obligations under Articles 12 and 13(1)(c), and stated that users had “insufficient clarity as to what processing operations were being carried out on their personal data.” With respect to whether the company was obliged to rely on consent as its legal basis in connection with the delivery of the service (including for service improvement and security purposes), the DPC disagreed with the complainant’s “forced consent” argument, finding that the company was not required to rely on user consent as providing a lawful basis for its processing of their personal data.

    Noting that it had previously imposed a €225 million fine against the company last September for breaching its transparency obligations to users about how their information was being disclosed over the same time period (covered by InfoBytes here), the DPC did not propose an additional fine. Six of the 47 CSAs, however, objected to the DPC’s conclusion as to the “forced consent” aspect of its decision, arguing that the company “should not be permitted to rely on the contract legal basis on the basis that the delivery of service improvement and security could not be said to be necessary to perform the core elements of what was said to be a much more limited form of contract.”

    The dispute was referred to the European Data Protection Board (EDPB), which issued a final decision on January 12, where it found that, “as a matter of principle, [the company] was not entitled to rely on the contract legal basis as providing a lawful basis for its processing of personal data for the purposes of service improvement and security,” and that in doing so, the company contravened Article 6(1) of the GDPR.

    The DPC handed down a €5.5 million administrative fine and ordered the company to bring its processing operations into compliance with the GDPR within a six-month period. Separately, the EDPB instructed the DPC “to conduct a fresh investigation” that would span all of the company’s processing operations to determine whether the company is in compliance with relevant GDPR obligations regarding the processing of personal data for behavioral advertising, marketing purposes, the provisions of metrics to third parties, and the exchange of data with affiliated companies for the purpose of service improvements.

    The DPC challenged the EDPB’s decision, stating that the board “does not have a general supervision role akin to national courts in respect of national independent authorities, and it is not open to the EDPB to instruct and direct an authority to engage in open-ended and speculative investigation.” The DPC suggested that it is considering bringing an action before the Court of Justice of the European Union to “seek the setting aside of the EDPB’s direction.”

    Privacy, Cyber Risk & Data Security Of Interest to Non-US Persons Ireland Enforcement Consumer Protection EU GDPR

  • FDIC announces Georgia disaster relief

    On January 20, the FDIC issued FIL-05-2023 to provide regulatory relief to financial institutions and help facilitate recovery in areas of Georgia affected by severe storms, straight-line winds, and tornadoes on January 12. The FDIC acknowledged the unusual circumstances faced by institutions affected by the storms and encouraged institutions to work with impacted borrowers to, among other things: (i) extend repayment terms; (ii) restructure existing loans; or (iii) ease terms for new loans, provided the measures are done “in a manner consistent with sound banking practices.” Additionally, the FDIC noted that institutions “may receive favorable Community Reinvestment Act consideration for community development loans, investments, and services in support of disaster recovery.” The FDIC will also consider regulatory relief from certain filing and publishing requirements and instructs institutions to contact the Atlanta Regional Office for consideration.

    Bank Regulatory Federal Issues FDIC Disaster Relief Consumer Finance

  • OCC revises Comptroller’s Licensing Manual

    On January 19, the OCC announced an updated version of the “Branches and Relocations” booklet of the Comptroller’s Licensing Manual. According to Bulletin 2023-04, the revised booklet replaces the booklet of the same title issued in October 2019. The revised booklet, among other things: (i) reflects recent updates to 12 CFR 5 and other regulations, as applicable; (ii) removes references to outdated guidance and provides current references; and (iii) makes other minor modifications and corrections throughout.

    Bank Regulatory Federal Issues Licensing OCC Comptroller's Licensing Manual

  • HUD proposes streamlined AFFH rule

    Agency Rule-Making & Guidance

    Recently, HUD announced plans to publish a notice of proposed rulemaking (NPRM) entitled “Affirmatively Furthering Fair Housing” (AFFH). The new rule will update a 2015 final rule that was intended to implement the Fair Housing Act’s statutory mandate that HUD ensure that recipients of its funding work to further fair housing, which was repealed by the Trump administration. In 2021, the Biden administration published an interim final rule to restore certain definitions and certifications to its regulations implementing the Fair Housing Act’s requirement to affirmatively further fair housing (covered by InfoBytes here). “This proposed rule is a major step towards fulfilling the law’s full promise and advancing our legal, ethical, and moral charge to provide equitable access to opportunity for all,” HUD Secretary Marcia L. Fudge said in an announcement.

    The NPRM incorporates much of the 2015 AFFH rule and will streamline the required fair housing analysis for states, local communities, and public housing agencies. Program participants would be required to ensure protected classes have equitable access to affordable housing opportunities, by, for example, submitting an equity plan to HUD every five years. HUD-accepted equity plan analysis, goals, and strategies would then be incorporated into program participants’ subsequent planning documents. Program participants would also be required to conduct and submit annual progress evaluations. Both the equity plans and annual progress evaluations would be made available online.

    HUD further explained that the NPRM is intended to simplify required fair housing analysis, increase transparency for public review and comment, improve compliance oversight, provide a process for regular progress evaluations, and enhance accountability, among other things. Comments on the NPRM are due April 24. HUD’s quick reference guide provides additional information.

    Agency Rule-Making & Guidance HUD Discrimination Consumer Finance Fair Lending Fair Housing Fair Housing Act

  • CFTC commissioner discusses crypto exchange’s collapse

    Federal Issues

    On January 18, CFTC Commissioner Christy Goldsmith Romero spoke before the Wharton School and the University of Pennsylvania Carey Law School on lessons learned from the recent bankruptcy of a cryptocurrency exchange, calling the collapse a “violation of trust.” Specifically, Goldsmith Romero mentioned that the digitization of financial services and products brought convenience but also a presumed trust in crypto exchanges with name recognition, which was violated by the collapse. She pointed to the collapsed exchange’s reliance on the name recognition it made through marketing campaigns and explained that such advertising “played up the exchange’s safety and convenience for people that may be new to crypto.”

    Goldsmith Romero urged Congress to avoid permitting newly-regulated crypto exchanges to self-certify products for listing under the current process that limits CFTC oversight. She stressed it “is critical to institute guardrails against regulatory arbitrage,” including prohibiting self-certification.

    Goldsmith Romero also called on lawyers, accountants, compliance professionals, and other gatekeepers to “step up and call for compliance, controls, and other governance.” She expressed that these gatekeepers failed their “essential duties” to protect crypto customers and market integrity, and noted that they have allowed “the promise of riches and the company’s marketing pitch to silence their objections to obvious deficiencies.” Ultimately, Goldsmith Romero advised that “[s]ound custody practices and strong cybersecurity are necessary to restore trust and protect customers.”

    Federal Issues Digital Assets CFTC Cryptocurrency

  • FTC takes action against eye surgery provider

    Federal Issues

    On January 19, the FTC announced an action against an Ohio-based eye surgery provider (respondent) concerning allegations that it engaged in “bait-and-switch” advertising. According to the FTC’s complaint, the respondent engaged in deceptive business practices by marketing eye surgery for $250, yet only 6.5 percent of patients who received consultations qualified for that price. According to the FTC, despite the advertising claims, for consumers with less than near-normal vision the company typically quoted a price between $1,800 and $2,295 per eye. The FTC also alleged that respondent neglected to tell consumers up-front that the promotional price was per-eye.

    Under the terms of the decision and order (which was granted final approval on March 15) the respondent must, among other things, pay $1.25 million in redress to harmed customers. Additionally, the respondent is banned from using deceptive business practices and is required to make certain clear and conspicuous disclosures when advertising the surgery at a price or discount for which most consumers would not qualify. Specifically, such disclosures must include whether the price is per eye, the price most consumers pay per eye, and any requirements or qualifications needed to get the offered price or discount.

    The Commission voted to issue the administrative complaint and accepted the consent agreement 3-1. Commissioner Christine S. Wilson issued a dissenting statement, arguing that there are “no clear rules” regarding the qualifications of eye surgery referenced in the complaint. She stated that she is “concerned that requiring the inclusion of specific medical parameters in advertisements, when those parameters could be either over- or under-inclusive depending upon the results of the consultation, could be more confusing than helpful.”

    Federal Issues FTC Enforcement Advertisement UDAP Deceptive

  • FinCEN prohibits engagement with virtual currency exchange connected to Russian finance

    Financial Crimes

    On January 18, the Financial Crimes Enforcement Network (FinCEN) issued its first order pursuant to section 9714(a) of the Combating Russian Money Laundering Act to identify a Hong Kong-registered global virtual currency exchange operating outside of the U.S. as a “primary money laundering concern” in connection with Russian illicit finance. FinCEN announced that the virtual currency exchange offers exchange and peer-to-peer services and “plays a critical role in laundering Convertible Virtual Currency (CVC) by facilitating illicit transactions for ransomware actors operating in Russia.” A FinCEN investigation revealed that the virtual currency exchange facilitated deposits and funds transfers to Russia-affiliated ransomware groups or affiliates, as well as transactions with Russia-connected darknet markets, one of which is currently sanctioned and subject to enforcement actions that have shuttered its operations. The investigation also found that the virtual currency exchange failed to meaningfully implement steps to identify and disrupt the illicit use and abuse of its services, and lacked adequate policies, procedures, or internal controls to combat money laundering and illicit finance.

    Recognizing that the virtual currency exchange “poses a global threat by allowing Russian cybercriminals and ransomware actors to launder the proceeds of their theft,” FinCEN acting Director Himamauli Das emphasized that “[a]s criminals and criminal facilitators evolve, so too does our ability to disrupt these networks.” He warned that FinCEN will continue to leverage the full range of its authorities to prohibit these institutions from gaining access to and using the U.S. financial system to support Russian illicit finance. Effective February 1, covered financial institutions are prohibited from engaging in the transmittal of funds from or to the virtual currency exchange, or from or to any account or CVC address administered by or on behalf of the virtual currency exchange. Frequently asked questions on the action are available here.

    Concurrently, the DOJ announced that the founder and majority owner of the virtual currency exchange was arrested for his alleged involvement in the transmission of illicit funds. Charged with conducting an unlicensed money transmitting business and processing more than $700 million of illicit funds, the DOJ said the individual allegedly “knowingly allowed [the virtual currency exchange] to become a perceived safe haven for funds used for and resulting from a variety of criminal activities,” and was aware that the virtual currency exchange’s accounts “were rife with illicit activity and that many of its users were registered under others’ identities.” While the virtual currency exchange claimed it did not accept users from the U.S., it allegedly conducted substantial business with U.S.-based customers and advised users that they could transfer funds from U.S. financial institutions. 

    Deputy Secretary of the Treasury Wally Adeyemo issued a statement following the announcement, noting that the action “is a unique step that has only been taken a handful of times in Treasury’s history for some of the most egregious money laundering cases, and is the first of its kind specifically under new authorities to combat Russian illicit finance.” He reiterated that the action “sends a clear message that we are prepared to take action against any financial institution—including virtual asset service providers—with lax controls against money laundering, terrorist financing, or other illicit finance.”

    Financial Crimes Of Interest to Non-US Persons FinCEN Department of Treasury DOJ Digital Assets Anti-Money Laundering Russia Enforcement Virtual Currency Illicit Finance Peer-to-Peer

  • Credit union to pay $558,000 in cyber fraud case

    Courts

    On January 12, the U.S. District Court for the Eastern District of Virginia ruled that a credit union (defendant) is responsible for $558,000 in compensatory damages for processing a payment order that was allegedly induced through fraud by the beneficiary, but later rescinded its decision to award punitive damages. According to the initial opinion and order, in October 2018, the plaintiff received a “spoofed” email from an unknown third party claiming to be one of the plaintiff’s suppliers. The email instructed the plaintiff to change its banking remittance information for the supplier. However, unknown to the plaintiff, the new banking information contained in the email belonged to an individual who had opened a personal account with the defendant months prior. The order stated that from October to November in 2018, the plaintiff made four payments to the individual’s account held by the defendant, identifying the supplier as the beneficiary. The plaintiff sued alleging that the defendant failed to “comport with basic security standards that resulted in the unlawful diversion of funds.” According to the opinion and order, the court found that Virginia Commercial Code required the defendant to reject the deposits if it knew there was a discrepancy between the intended beneficiary and the account receiving the deposit. The court further wrote that the defendant did not have a duty to “proactively” discover a discrepancy, but found that “the evidence at trial illustrated that [the defendant] did not maintain reasonable routines for communicating significant information to the person conducting the transaction. If [the defendant] had exercised due diligence, the misdescription would have been discovered during the first [] transfer.” Additionally, the court stated the defendant did have “actual knowledge” of the fraud because “the transfers generated real-time warnings that the name of the intended beneficiary [] did not match the name of the owner of the account receiving the [deposits].” The court awarded the plaintiff $558,000 in compensatory damages and $200,000 in punitive damages. However, the court rescinded the punitive damage award stating that the plaintiff has not provided sufficient evidence to support punitive damages.

    Courts Consumer Finance Payments Fraud

  • NYDFS issues check-cashing fee regulations

    State Issues

    On January 18, NYDFS announced that it has adopted an updated check cashing regulation. As previously covered by InfoBytes, NYDFS issued a proposed check cashing regulation in June 2022, following an emergency regulation announced in February 2022, that halted annual increases on check-cashing fees and locked the current maximum fee set last February at 2.27 percent (covered by InfoBytes here). The regulation establishes a new fee methodology that evaluates the needs of licensees and consumers who use check cashing services. Two tiers of fees for licensed check cashers are recommended: (i) the maximum fee that a check casher may charge for a public assistance check issued by a federal or state government agency (including checks for Social Security, unemployment, retirement, veteran’s benefits, emergency relief, housing assistance, or tax refunds) is set at 1.5 percent; and (ii) the maximum fee a check casher is permitted to charge for all other checks, drafts, or money orders is $1 or 2.2 percent, whichever is greater. According to NYDFS Superintendent Adrienne Harris, “the existing fee methodology wasn’t just outdated, but inappropriate and punitive to consumers.” She further noted that “[c]heck cashers should not be entitled to automatic, annual fee increases.”

    State Issues Bank Regulatory New York NYDFS State Regulators Check Cashing Fees
