
InfoBytes Blog

Financial Services Law Insights and Observations


  • FinCEN renews and expands real estate GTOs

    Financial Crimes

    On October 26, FinCEN renewed and expanded its Geographic Targeting Orders (GTOs). The GTOs require U.S. title insurance companies to identify the natural persons behind shell companies that pay “all cash” (i.e., the transaction does not involve external financing) for residential real estate in certain counties within the following major metropolitan areas: “Boston; Chicago; Dallas-Fort Worth; Las Vegas; Los Angeles; Miami; New York City; San Antonio; San Diego; San Francisco; Seattle; the District of Columbia, Northern Virginia, and Maryland (DMV) area; as well as the City and County of Baltimore; the County of Fairfield, Connecticut; and the Hawaiian islands of Honolulu, Maui, Hawaii, and Kauai.” FinCEN also expanded the geographic coverage of the GTOs to counties encompassing Houston and Laredo, Texas, after the agency—in conjunction with law enforcement partners—identified the regions as presenting greater risks for illicit finance activity through non-financed purchases of residential real estate. The purchase amount threshold remains set at $300,000 for residential real estate purchased in the covered areas, with the exception of the City and County of Baltimore for which the purchase threshold is $50,000. The renewed GTOs take effect October 27 and end April 24, 2023. The effective period for the newly added areas begins on November 25.

    FinCEN FAQs regarding the GTOs are available here.

    Financial Crimes Of Interest to Non-US Persons FinCEN GTO Anti-Money Laundering

  • OFAC sanctions individuals and entities connected to Russia’s corruption in Moldova

    Financial Crimes

    On October 26, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions pursuant to Executive Orders 13818 and 14024 against nine individuals and 12 entities in an attempt to counter the Russian Federation’s “persistent malign influence campaigns and systemic corruption in Moldova.” Included among the sanctioned persons are “oligarchs widely recognized for capturing and corrupting Moldova’s political and economic institutions and those acting as instruments of Russia’s global influence campaign, which seeks to manipulate the United States and its allies and partners, including Moldova and Ukraine,” OFAC said in the announcement. Notably, the designations also include a former Moldovan government official “who engaged in state capture by exerting control over and manipulating key sectors of Moldova’s government, including the law enforcement, electoral, and judicial sectors.” As a result of the sanctions, all property and interests in property belonging to the sanctioned persons that are in the U.S. or in the possession or control of U.S. persons are blocked and must be reported to OFAC. Further, “any entities that are owned, directly or indirectly, individually or in the aggregate, 50 percent or more by one or more blocked persons are also blocked.” U.S. persons are prohibited from engaging in any dealings involving the property or interests in property of blocked or designated persons, unless exempt or authorized by a general or specific OFAC license. Additionally, OFAC warned that financial institutions and other persons that engage in certain transactions or activities with the sanctioned persons may themselves be exposed to sanctions or be subject to an enforcement action.

    Financial Crimes Of Interest to Non-US Persons OFAC Department of Treasury OFAC Sanctions OFAC Designations SDN List Russia Moldova

  • EU Court of Justice says controllers of personal data must take reasonable steps to inform third parties when consumer consent is withdrawn

    Privacy, Cyber Risk & Data Security

    On October 27, the European Court of Justice (ECJ) held that controllers of personal data must take reasonable steps to inform other controllers when a data subject withdraws consent. The decision stems from a request made by a subscriber to a Belgian telecommunications provider to not have his information included in the public telephone directories and directory inquiry services published by the company and other third parties. The controller pulled the subscriber’s information from the public record, but re-added the information to the directories after it received an update to the subscriber’s data that was not noted as being confidential. The subscriber submitted multiple requests for his data to be removed and submitted a complaint with the Belgian Data Protection Authority. The Data Protection Authority ordered the company to take remedial action and fined it €20,000 for infringing several provisions of the General Data Protection Regulation (GDPR). The controller appealed, “arguing that the consent of the subscriber is not required for the purposes of the publication of his or her personal data in the telephone directories, rather the subscribers must themselves request not to be included in those directories under an ‘opt-out’ system. In the absence of such a request, the subscriber concerned may in fact be included in those directories.” The Data Protection Authority contended, however, that the privacy and electronic communications directive “requires the ‘consent of subscribers’ within the meaning of the GDPR in order for the providers of directories to be able to process and pass on their personal data.”

    The Brussels Court of Appeal referred questions to the ECJ for a preliminary ruling after determining that there are no specific rules “concerning the withdrawal by a subscriber of his or her statement of wishes or of that ‘consent.’” The ECJ determined that controllers of personal data must get consumers’ informed consent before publishing their information in a public directory. Further, the ECJ determined that such consent can be extended to any subsequent processing of data by third parties, provided the data is processed for the same purpose to which the consumer consented. However, consumers can withdraw consent at any time, and controllers are required to make reasonable efforts to notify third parties, including search engine providers, that are making use of that subscriber’s information of the withdrawal. Notably, the ECJ concluded that if various controllers rely on the single consent of a data subject, “it is sufficient, in order for that person to withdraw such consent, that he or she contacts any one of the controllers.”

    Privacy, Cyber Risk & Data Security Of Interest to Non-US Persons EU Courts GDPR Enforcement Consumer Protection

  • CISA releases new cybersecurity performance goals

    Privacy, Cyber Risk & Data Security

    Recently, the Cybersecurity and Infrastructure Security Agency (CISA) released a new report outlining baseline cross-sector cybersecurity performance goals (CPGs) for all critical infrastructure sectors. The report follows a July 2021 national security memorandum issued by President Biden, which required CISA to coordinate with the National Institute of Standards and Technology (NIST) and the interagency community to create fundamental cybersecurity practices for critical infrastructure, primarily to help small- and medium-sized organizations improve their cybersecurity efforts. The CPGs were informed by existing cybersecurity frameworks and guidance, as well as real-world threats and adversary tactics, techniques, and procedures observed by the agency and its partners. CISA noted in the report that the CPGs are not comprehensive but instead “represent a minimum baseline of cybersecurity practices with known risk-reduction value broadly applicable across all sectors, and will be followed by sector-specific goals that dive deeper into the unique constraints, threats, and maturity of each sector where applicable.” Organizations may choose to voluntarily adopt the CPGs in conjunction with broader frameworks like the NIST Cybersecurity Framework. “The CPGs are a prioritized subset of IT and operational technology (OT) cybersecurity practices that critical infrastructure owners and operators can implement to meaningfully reduce the likelihood and impact of known risks and adversary techniques,” CISA said in its announcement.

    Privacy, Cyber Risk & Data Security Agency Rule-Making & Guidance Federal Issues CISA NIST Biden Critical Infrastructure

  • District Court stays CFPB payday action following 5th Circuit decision

    Courts

    On October 31, the U.S. District Court for the Northern District of Texas stayed an enforcement action filed by the CFPB against a defendant Texas-based payday lender until after the U.S. Court of Appeals for the Fifth Circuit issues its mandate in CFSA v. CFPB. As previously covered by a Buckley Special Alert, a three-judge panel unanimously held in CFSA that the CFPB’s funding structure created by Congress violated the Appropriations Clause of the Constitution. The parties filed a joint motion saying there was “good cause” to pause further proceedings in the litigation, explaining that the “agreed stay pending issuance of the mandate in CFSA will promote efficient resolution of the case, as the final decision in CFSA will control the resolution of key issues presented in [defendant’s] pending motion to dismiss.” One of the arguments raised in the defendant’s motion to dismiss centers around the assertion that the Bureau’s complaint should be dismissed because the agency’s funding structure violates the Constitution’s separation of powers.

    In July, the Bureau sued the defendant for allegedly engaging in illegal debt-collection practices and allegedly generating $240 million in reborrowing fees from borrowers who were eligible for free repayment plans, in violation of the CFPA (covered by InfoBytes here). According to the Bureau, the defendant allegedly “engaged in unfair, deceptive, and abusive acts or practices by concealing the option of a free repayment plan to consumers who indicated that they could not repay their short term, high-cost loans originated by the defendant.” The defendant also allegedly attempted to collect payments by unfairly making unauthorized electronic withdrawals from over 3,000 consumers’ bank accounts. 

    Courts Appellate Fifth Circuit TCPA CFPB Payday Lending Constitution Enforcement Funding Structure

  • 7th Circuit affirms dismissal of NSF fees action

    Courts

    On October 25, the U.S. Court of Appeals for the Seventh Circuit affirmed a district court’s ruling dismissing a putative class action alleging an internet credit union improperly charged account holders non-sufficient funds (NSF) fees. Plaintiff claimed she signed an account agreement with the credit union, which required the use of a ledger-balance method when assessing NSF fees, and that only one NSF fee is permitted per transaction. According to the plaintiff, the credit union breached its contract by charging her a $25 NSF fee when she attempted to pay a $6,000 bill, even though her account’s ledger balance was $6,670.94 at the time. She further claimed the credit union charged multiple NSF fees for the same item. The credit union maintained, however, that the contract allowed it to use the “available-balance method” to assess such fees instead. The opinion explained that the ledger-balance method calculates a balance based on posted debits and deposits (and does not incorporate transactions until they are settled), whereas the available-balance method considers holds on deposits and transactions that have been authorized but not yet settled when calculating a customer’s balance. The district court granted the credit union’s motion to dismiss, rejecting the plaintiff's account balance theory by “explaining that ‘the plain, unambiguous language states that a member needs sufficient available funds’ and reasoning that [plaintiff’s] proposed reading would render [the contract’s] use of the word ‘available’ meaningless.” The district court also maintained that the plural use of the word “fees” permitted the credit union to charge multiple fees when a merchant presented the same transaction more than once.

    On appeal, the 7th Circuit agreed with the district court that the agreement did not prohibit the credit union from “charging multiple NSF fees for a transaction that is presented and rejected several times.” While recognizing that the credit union “could have drafted the [a]greement more clearly than it did,” the appellate court determined that the credit union never promised “not to use the available-balance method to assess NSF fees or not to charge multiple fees when a transaction is presented to it multiple times,” and upheld the dismissal of plaintiff’s breach-of-contract claim.

    Courts Appellate Seventh Circuit Consumer Finance NSF Fees Class Action Credit Union

  • FDIC releases September enforcement actions

    On October 28, the FDIC released a list of administrative enforcement actions taken against banks and individuals in September. During the month, the FDIC made public 12 orders consisting of “two consent orders, five orders of prohibition, two orders to pay a civil money penalty, two orders of termination of insurance, and one section 19 order.” The FDIC also publicly released an order to pay a civil money penalty taken against an Illinois-based bank related to alleged violations of the Flood Disaster Protection Act and the National Flood Insurance Act for failure to follow lender placement flood insurance procedures in 13 instances. The order requires the payment of an $11,625 civil money penalty.

    Bank Regulatory Federal Issues FDIC Enforcement Flood Disaster Protection Act National Flood Insurance Act Mortgages

  • FFIEC updates 2018 Cybersecurity Resource Guide for Financial Institutions

    On October 27, the FDIC issued FIL-50-2022 related to recent updates made to the Federal Financial Institutions Examination Council’s (FFIEC) 2018 Cybersecurity Resource Guide for Financial Institutions. The FFIEC guide is designed to assist financial institutions in meeting their security control objectives and preparing to respond to cyber incidents. The FFIEC guide includes updates to certain references as well as new ransomware-specific resources to address the ongoing threat of ransomware incidents.

    Bank Regulatory Federal Issues Privacy, Cyber Risk & Data Security FDIC FFIEC

  • OCC to establish Office of Financial Technology

    On October 27, the OCC announced it intends to establish an Office of Financial Technology early next year that will build on and incorporate the agency’s Office of Innovation (established in 2016 and covered by InfoBytes here). Intended to strengthen the OCC’s expertise and ability to adapt to a rapidly evolving banking landscape, the Office of Financial Technology will provide strategic leadership, vision, and perspective for the agency’s financial technology activities and related supervision. The new office will be led by a chief financial technology officer who will be a deputy comptroller reporting to the senior deputy comptroller for bank supervision policy. “Financial technology is changing rapidly and bank-fintech partnerships are likely to continue growing in number and complexity. To ensure that the federal banking system is safe, sound, and fair today and well into the future, we need to have a deep understanding of financial technology and the financial technology landscape,” acting Comptroller of the Currency Michael J. Hsu said. “The establishment of this office will enable us to be more agile and to promote responsible innovation, consistent with our mission.”

    Bank Regulatory Federal Issues Fintech OCC Innovation Supervision

  • CFPB seeks additional public input on big tech payment platforms

    Federal Issues

    On October 31, the CFPB announced it will reopen the public comment period for 30 days on a 2021 notice and request for comment related to the Bureau’s inquiry into big tech payment platforms. In October 2021, the Bureau issued orders to six large U.S. technology companies seeking information and data on their payment system business practices to inform the agency as to how these companies use personal payments data and manage data access to users (covered by InfoBytes here). The Bureau is inviting additional comments to broaden its understanding of the risks consumers face and potential policy solutions on topics related to, among other things, “companies’ acceptable use policies and their use of fines, liquidated damages provisions, and other penalties.” A notice will be published in the Federal Register with additional details on the public comment period in the coming days.

    Federal Issues CFPB Payments Consumer Finance Privacy, Cyber Risk & Data Security Payment Systems
