InfoBytes Blog

Financial Services Law Insights and Observations


  • FTC reports on efforts to combat cross-border fraud and ransomware attacks

    Federal Issues

    On October 20, the FTC published two reports outlining its efforts to protect consumers against cross-border fraud and ransomware attacks. 

    In the first report, the FTC described the US SAFE Web Act (SAFE WEB), passed in 2006, as an “indispensable” tool to combat cross-border fraud and protect consumers in an increasingly global and digital economy. For example, the report noted that since SAFE WEB was passed, the FTC has used the law in myriad ways: issuing more than 140 civil investigative demands on behalf of 21 foreign agencies from eight countries; engaging in 148 staff exchanges to build cooperation with foreign counterparts; and sharing confidential information from FTC files with 43 law enforcement agencies in twenty different countries. The report also indicated that SAFE WEB has allowed the FTC to pursue and stop harmful conduct in the US and defend against challenges to its jurisdictional authority over foreign companies targeting American consumers. Notably, SAFE WEB helped the FTC (i) shut down a real estate investment scam that took in more than $100 million (the largest such scheme the FTC has ever targeted); (ii) cooperate with privacy authorities in Canada and the United Kingdom to pursue actions against an online dating site that deceived consumers and failed to protect the account and profile information of more than 36 million individuals; and (iii) work with foreign law enforcement agencies to stop fraudulent money transfers to certain money transfer companies located in Spain in connection with a Nigerian email scam. The FTC recommends that Congress permanently reauthorize SAFE WEB to preserve the agency’s ability to fight cross-border fraud.

    In the second report, the FTC discussed its work to target ransomware and other cyber-attacks. The FTC highlighted its longstanding data security enforcement program, which seeks to ensure that businesses engage in reasonable practices to protect the data of their customers. Moreover, the RANSOMWARE Act refers specifically to China, Russia, North Korea, and Iran. The report stated that although the FTC has taken data security-related enforcement actions involving connections to China and Russia, the FTC has had limited interactions with government agencies in China, Russia, North Korea, and Iran. The report included several recommendations for Congress, including making SAFE WEB permanent, amending a provision in the FTC Act that would restore the FTC’s ability to provide refunds to harmed consumers, and enacting privacy and data security legislation that would be enforceable by the FTC. The FTC also urged businesses to take steps to safeguard customer data, including retaining information only so long as there is a legitimate business need, restricting access to sensitive data, and storing personal information securely and protecting it during transmission.

    Federal Issues FTC Ransomware Fraud

  • CFPB releases education ombudsman’s annual report

    Federal Issues

    On October 20, the CFPB Education Loan Ombudsman published its annual report on consumer complaints submitted between September 1, 2022, and August 31, 2023. The report is based on approximately 9,284 student loan complaints received by the CFPB regarding federal and private student loans. Roughly 75 percent of complaints were related to federal student loans while the remaining 25 percent concerned private student loans. Overall, the report found underlying issues in student loan servicing that threaten borrowers’ ability to make payments, achieve loan cancellation, or receive other protections to which they are entitled under federal law. The report indicated that challenges and risks facing federal student loan borrowers include customer service problems, errors related to basic loan administration, and problems accessing loan cancellation programs. Similarly, private borrowers face issues accessing loan cancellation options, misleading origination tactics, and coercive debt collection practices related to private student loans.

    The Ombudsman’s report advised policymakers, law enforcement, and industry participants to consider several recommendations: (i) ensuring that federal student loan borrowers can access all protections intended for them under the law; (ii) ensuring that loan holders and servicers of private student loans do not collect debt where it may no longer be legally owed or previously discharged; and (iii) using consumer complaints to develop policies and procedures when they reveal systemic problems.

    Federal Issues CFPB Student Lending Student Loan Servicer Consumer Finance Debt Collection Covid-19

  • Bank to pay Fed, NYDFS almost $30 million for deficient third-party risk management practices

    Federal Issues

    On October 19, the Fed and NYDFS announced an enforcement action against a New York-based bank for alleged violations of consumer identification rules and deficient third-party risk management practices. NYDFS Superintendent Adrienne A. Harris stated that the bank failed to prevent a “massive, ongoing fraud” related to its prepaid card program. According to the Fed’s cease-and-desist order, illicit actors managed to open prepaid card accounts through a third party and moved hundreds of millions of dollars of direct deposit payroll payments and state unemployment benefits through the accounts. The Fed’s order requires the bank to, among other things, improve its oversight, create a new product review program, enhance its customer identification program, and submit a plan to enhance its third-party risk management program. The bank’s plan must include (i) policies and procedures to ensure third-party service providers are complying with federal and state law; (ii) a third-party risk management oversight program; (iii) policies and procedures to ensure the bank’s Chief Compliance Officer has sufficient resources to properly access the bank’s prepaid card program and is adequately staffed; and (iv) a comprehensive identity theft prevention program. The Fed also requires the bank to pay a civil money penalty of approximately $14.5 million. Under NYDFS’s consent order, the bank agreed to pay an additional $15 million civil monetary penalty, and to submit remediation and program reporting.

    Federal Issues State Issues NYDFS Federal Reserve Cease and Desist Third-Party Risk Management

  • CSBS offers guidance for licensees to prepare for NMLS renewal

    Federal Issues

    On October 24, CSBS released tips for licensees to prepare for NMLS renewal. As previously covered by InfoBytes, NMLS announced it will be rolling out a new version of its mortgage call report which will include new requirements for many licensees. Kelly O'Sullivan, the chair of the NMLS Policy Committee and deputy commissioner of the Montana Division of Banking and Financial Institutions, advises licensees to proactively update their information in NMLS and make use of available training and resources to address their queries before the renewal period begins. This is particularly crucial for those individuals who typically only engage with NMLS during the license renewal phase.

    CSBS recommended five essential tips for licensees:

    • Licensees should log into NMLS and thoroughly review and update their profile record to ensure accuracy;
    • Licensees should reset their NMLS password in advance to have a current password ready for accessing NMLS when needed;
    • Licensees should provide and maintain a current email address to receive essential updates from NMLS during the renewal process;
    • Licensees should review state-specific renewal requirements, as state agencies typically begin publishing details, including deadlines and fees, in September;
    • Licensees are encouraged to take advantage of the free, on-demand renewal training resources provided by CSBS to become familiar with the renewal process.

    Federal Issues Licensing NMLS Mortgages Consumer Finance CSBS Supervision

  • CFPB announces civil money penalty against nonbank, alleges EFTA and CFPA violations

    Federal Issues

    On October 17, the CFPB announced an enforcement action against a nonbank international money transfer provider for alleged deceptive practices and illegal consumer waivers. According to the consent order, the company facilitated remittance transfers through its app that required consumers to sign a “remittance services agreement,” which included a clause protecting the company from liability for negligence over $1,000. The Bureau alleged that such a waiver violated the Electronic Fund Transfer Act (EFTA) and its implementing Regulation E, including Subpart B, known as the Remittance Transfer Rule, by (i) requiring consumers to sign an improper limited liability clause to waive their rights; (ii) failing to provide contact and cancellation information in disclosures, and other required terms; (iii) failing to provide a timely receipt when payment is made for a transfer; (iv) failing to develop and maintain required policies and procedures for error resolution; (v) failing to investigate and determine whether an error occurred, possibly preventing consumers from receiving refunds or other remedies they were entitled to; and (vi) failing to accurately disclose exchange rates and the date of fund availability. The CFPB further alleged that the company’s representations regarding the speed (“instantly” or “within seconds”) and cost (“with no fees”) of its remittance transfers to consumers were inaccurate and constituted violations of the CFPA. The order requires the company to pay a $1.5 million civil money penalty and provide an additional $1.5 in consumer redress. The company must also take measures to ensure future compliance.

    Federal Issues Fintech CFPB CFPA EFTA Nonbank Unfair Enforcement Consumer Protection

  • SEC announces 2024 examination priorities, excludes ESG

    Securities

    On October 16, the SEC’s Division of Examinations announced that its 2024 examination priorities will focus on key risk factors related to information security and operational resiliency, crypto assets and emerging financial technology, regulation systems compliance and integrity, and anti-money laundering. SEC registrants, including investment advisers, investment companies, broker dealers, self-regulatory organizations, clearing agencies, and other market participants are reminded of their obligations to address, manage, and mitigate these key risks. Notably, ESG was a “significant focus area[]” in 2022 (covered by InfoBytes here) and 2023, but it is not directly mentioned in the 2024 examination priorities.

    According to the report, examiners plan to increase their engagement to support the evolving market and new regulatory requirements. Regarding information security and operational resiliency, examiners will focus on registrants’ procedures surrounding “internal controls, oversight of third-party vendors (where applicable), governance practices, and responses to cyber-related incidents, including those related to ransomware attacks.” Additionally, regarding crypto assets and emerging fintech, examiners will focus on registrants’ business practices involving compliance practices, risk disclosures, and operational resiliency practices. The SEC also mentioned in the “Crypto Assets and Emerging Financial Technology” section of the report that it will assess registrant preparations for the recently adopted rule for broker dealer transactions that shortens the standard settlement cycle to one business day (previously two days) after the trade, which has a compliance date of May 28, 2024. Among other things, the SEC will also focus on whether registrants’ regulation systems compliance and integrity are “reasonably designed” to ensure the security of their systems, including physical security of the systems housed in data centers.

    SEC chair Gary Gensler said that the Division of Examinations plays an important role in “protecting investors and facilitating capital formation,” adding that the commission will focus on “enhancing trust” in the changing markets.

    Securities SEC Examination Digital Assets Fintech Compliance Privacy, Cyber Risk & Data Security

  • Healthcare clearinghouse settles for $1.4M over data breach

    Privacy, Cyber Risk & Data Security

    On October 17, a healthcare clearinghouse reached a $1.4 million settlement with a coalition of 33 state attorneys general for allegedly exposing the protected health information of approximately 1.5 million consumers. As a health care clearinghouse, the company facilitates transactions between health care providers and insurers. The states began investigating the company in 2019, when the U.S. Department of Health and Human Services discovered that personal health information maintained by the company was available through search engines, which appeared to be the result of a coding error by the company. According to the states, after the company was alerted to the breach, it delayed notification to impacted customers for over three months and sent notices to impacted consumers that were vague and confusing. Under the settlement, in addition to the $1.4 million payment, the company agreed to overhaul its data security and breach notification practices. The multistate coalition was led by the Indiana Attorney General’s Office.

    Privacy, Cyber Risk & Data Security Data Breach State Attorney General Settlement Indiana

  • CSBS announces release of NMLS MCR Version 6 in Q1 2024

    On October 13, 2023, the Conference of State Bank Supervisors (CSBS) announced the Nationwide Multistate Licensing System & Registry (NMLS) will be rolling out a new version of its Mortgage Call Report (MCR). In an effort to standardize mortgage company data at the state level, and minimize the amount of reporting outside the system, NMLS will be launching an updated version of the MCR, Version 6 (FV6) on March 16, 2024.

    Licensees will see three main improvements in Version 6:

    • FV6 eliminates standard and expanded forms and consolidates them into one form. All servicers will complete the servicer schedule and all lenders will complete the lender schedule. Lenders and servicers will file financials quarterly, and brokers will file financials annually.
    • Commercial and consumer lending licensees will complete a separate state-specific form, removing the obligation to report mortgage information.
    • The revision of line-item definitions will improve the overall quality of the data and help implement more completeness and accuracy checks.

    FV6 will go into effect for all data collected on transactions dated on and after January 1, 2024. Additionally, NMLS will provide companies with the XML specifications no later than October 23. CSBS estimates that approximately 24,000 brokers, lenders, and servicers will experience reduced requirements, and approximately 3,100 lenders will have additional filing requirements.

    The Mortgage Bankers Association sent a letter to CSBS in July, raising concerns with the new version, including (i) the lack of technical specifications needed for full consideration of the proposal and its implementation; and (ii) the significant expansion and burden of reporting requirements on smaller filers resulting from the replacement of standard and expanded forms in favor of the new and more detailed FV6. CSBS noted mortgage industry concerns surrounding the timing of the rollout of FV6 ahead of Q1 2024, and shared that details for leniency to the filing deadline will be provided in future communications. NMLS will provide regular updates on the Mortgage Call Report page, targeted learning opportunities and Q&A sessions.

    Visit here for additional guidance on FV6 from APPROVED.

    Licensing NMLS CSBS Mortgages Consumer Finance

  • California enacts licensing requirements for digital asset businesses, regulation of crypto kiosks

    On October 13, the California Governor signed AB 39, which will create a licensing requirement for businesses engaging in digital financial asset business activity. Crypto businesses will need to apply for a license with California’s Department of Financial Protection and Innovation (DFPI). The bill, among other things, (i) empowers DFPI to conduct examinations of a licensee; (ii) defines “digital financial asset” as “a digital representation of value that is used as a medium of exchange, unit of account, or store of value, and that is not legal tender, whether or not denominated in legal tender, except as specified”; (iii) empowers DFPI to conduct enforcement actions against a licensee or a non-licensed individual who engages in crypto business with, or on behalf of, a California resident for up to five years after their activity; (iv) allows DFPI to assess civil money penalties of up to $20,000 for each day a licensee is in material violation of the law, and up to $100,000 for each day an unlicensed person is in violation; and (v) requires licensees to provide certain disclosures to California clientele, such as when and how users may receive fees and charges, and how they are calculated. The new law exempts most government entities, certain financial institutions, most people who solely provide connectivity software, computing power, data storage or security services, and people engaging with digital assets for personal, family, household or academic use or whose digital financial asset business activity is reasonably expected to be valued at no more than $50,000 per year. In September of last year, the California Governor vetoed a similar bill because creating a licensing framework was “premature” considering conflicting efforts.

    Also effective on July 1, 2025, is SB 401, which was also enacted on October 13. SB 401 establishes regulations for crypto kiosks under the DFPI’s authority. It will, among other things, prohibit kiosk operators from accepting or dispensing more than $1,000 in a single day to or from a customer via a kiosk. Operators would be required to furnish written disclosures detailing the transaction's terms and conditions as well as transaction details. Kiosk operators will also be obligated to provide customers with a receipt for any transaction at their kiosk, including both the amount of a digital financial asset or USD involved in a transaction and, in USD, any fees, expenses, and charges collected by the kiosk operator. Finally, operators will be required to provide DFPI with a list of all their crypto kiosks in California, and such list will be made public.

    Licensing State Issues California DFPI State Legislation Cryptocurrency Digital Assets Disclosures

  • Payments processor fined $20 million by State Money Transmission Regulators and State AGs

    State Issues

    On October 16, a national payment processor entered into two settlement agreements totaling $20 million with 44 state and territory money transmission regulators and 50 state and territory attorneys general to resolve issues stemming from alleged erroneous payment transactions.  The alleged erroneous payments involved the mistaken initiation of payments on behalf of almost 480,000 mortgage borrowers, with the total amount at issue totaling nearly $2.4 billion.

    According to the settlement entered into between the payment processor and the money transmission regulators, who were working through the Multi-State Money Service Business Examination Taskforce, the mistaken payments resulted from a breakdown of internal data security controls that allowed customer data intended for use in the testing of processing code to trigger actual payments. The payment processor, which regularly provided payment processing services to a large residential mortgage lending and servicing company, was using actual customer mortgage payment data for test purposes. As alleged in the settlement, it was determined that in the process of conducting testing on processing code to optimize the payment processor’s payment platform, more than 1.4 million payment entries were unintentionally and erroneously processed. This erroneous payment processing was said to be primarily the result of “circumvention of internal data security controls and a lack of segregation between internal production and testing environments.”

    The settlement reached with the money transmission regulators requires the payment processor to maintain a comprehensive risk and compliance program and to provide regular reporting to a state regulator monitoring committee to ensure the adequacy of its risk management programs. 

    Under the terms of the settlement with the money transmission regulators, the payment processor is required to pay a total of $10 million, with approximately $9.5 million of that total being shared evenly by each participating state, with the remaining roughly $500,000 being used to cover the administrative costs of the investigating states.  Under the agreement with the state attorneys general, the payment processor is required to pay an additional $10 million to the various participating states and territories.  These amounts are in addition to the $25 million fine previously agreed to in the CFPB Consent Order, bringing the total amount to be paid by the payment processor to $45 million.

    State Issues Settlement DFPI Enforcement Mortgages
