
InfoBytes Blog

Financial Services Law Insights and Observations


  • OFAC sanctions Russians for election influence

    Financial Crimes

    On June 23, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions, pursuant to Executive Order 14024, against two individuals for attempting to conduct “global malign influence operations,” including efforts to influence a U.S. local election. According to OFAC, the designated individuals are Russian Federal Security Service officers who operate as part of a mission that provokes anti-government and anti-democratic positions designed to undermine faith in democratic principles, weaken U.S. diplomatic connections, and exploit societal divisions in an effort to expand Russia’s influence. OFAC said one of the individuals directed more than six U.S. co-conspirators, including two who ran in local U.S. elections, to report on the activities of political groups. OFAC designated the two individuals “for having acted or purported to act for or on behalf of, directly or indirectly, the Government of the Russian Federation.” The designated individuals were also recently indicted by the DOJ as well as by the U.S. Attorney’s Office for the Middle District of Florida. In a parallel action announced the same day, the EU released its Eleventh Package of sanctions against Russia. The Eleventh Package added, among other things, over 100 individuals and entities subject to asset freezes, a new anti-circumvention tool to restrict the trade of sanctioned goods, and 87 new entities to the list of those directly supporting Russia’s military and industrial complex in the war against Ukraine.

    As a result of these sanctions, all property and interests in property belonging to the sanctioned persons that are in the U.S. or in the possession or control of U.S. persons are blocked and must be reported to OFAC. Further, “any entities that are owned, directly or indirectly, individually or in the aggregate, 50 percent or more by one or more blocked persons are also blocked.” U.S. persons are prohibited from engaging in any dealings involving the property or interests in property of blocked or designated persons, unless exempt or authorized by a general or specific OFAC license. Additionally, OFAC warned that financial institutions and other persons that engage in certain transactions or activities with the sanctioned persons may themselves be exposed to sanctions or be subject to an enforcement action.

    Financial Crimes Of Interest to Non-US Persons OFAC OFAC Designations OFAC Sanctions Department of Treasury Ukraine Russia SDN List

  • EU court says banks must meet GDPR obligation on data processing

    Privacy, Cyber Risk & Data Security

    On June 22, the Court of Justice of the European Union (CJEU) issued a judgment concluding that banks are not exempt from providing information upon request about when and why an individual’s data was accessed. However, banks are not necessarily required to name the people who accessed the data, the CJEU said. The Administrative Court of Eastern Finland issued a request for a preliminary ruling in an action seeking clarification on individuals’ rights when requesting information on data processing. The press release explained that a bank employee (who was also a customer of the bank) discovered that other bank employees consulted his personal data on several occasions. Doubting the lawfulness of these consultations, the now-former employee asked the bank for information on who accessed his data, the exact dates of the consultations, and the reasons why his data had been processed. The bank explained that it had consulted his data to check for a possible conflict of interest, but refused to disclose the employees’ identities, reasoning that this information “constituted the personal data of those employees.” A request made by the former employee to Finland’s Data Protection Supervisor’s Office to order the bank to provide him with the requested information was rejected, so the former employee brought an action before the Administrative Court of Eastern Finland, asking the Court of Justice to interpret Article 15 of the General Data Protection Regulation (GDPR).

    The CJEU clarified, among other things, that while the GDPR gives individuals the right to access information about why and when their data was accessed (including information relating to consultation operations carried out on the former employee’s personal data), it does not grant a right to know who accessed the information when following a controller’s instructions “unless that information is essential in order to enable the data subject effectively to exercise the rights conferred on him[.]” The CJEU acknowledged, however, that a “balance will have to be struck between the rights and freedoms in question” and that “[w]herever possible, means of communicating personal data that do not infringe the rights or freedoms of others should be chosen.” Furthermore, the CJEU determined that the fact that the controller is a bank, and that the former employee was both an employee of the bank and a customer, “has, in principle, no effect on the scope of the right conferred on that data subject.”

    Privacy, Cyber Risk & Data Security Courts Of Interest to Non-US Persons GDPR Consumer Protection EU

  • Florida enacts commercial financing disclosure requirements

    State Issues

    On June 23, the Florida governor signed HB 1353 (the “Act”), creating the Florida Commercial Financing Disclosure Law and imposing several requirements on commercial financing providers and brokers. The Act defines a “provider” as “a person who consummates more than five commercial financing transactions with a business located in [Florida] in any calendar year.” The definition “also includes a person who enters into a written agreement with a depository institution to arrange a commercial financing transaction between the depository institution and a business via an online lending platform administered by the person.” The Act clarifies, however, the “fact that a provider extends a specific offer for a commercial financing transaction on behalf of a depository institution may not be construed to mean that the provider engaged in lending or financing or originated that loan or financing.” A “commercial financing transaction” is defined broadly and means a secured or unsecured commercial loan, an account receivable purchase transaction, or a commercial open-end credit plan. 

    The Act establishes parameters for qualifying commercial transactions and outlines numerous exemptions, including federally insured depository institutions; transactions secured by real property, a lease, or certain purchase money obligations; transactions of at least $50,000 where the recipient is a motor vehicle dealer or rental company (or an affiliate of such company); providers licensed as money transmitters in any state; and commercial financing transactions greater than $500,000.

    Specifically, at or prior to consummation of a commercial financing transaction, a provider must (i) disclose the terms of the transaction as specified within the Act; (ii) outline the manner and frequency of the payments, including a description of the methodology used to calculate any variable payment amount and the circumstances that may cause a payment amount to vary; and (iii) disclose any costs or discounts associated with prepayment. Disclosures must be in writing and may be based on an example of a transaction that could occur under the agreement. The Act further specifies that only one disclosure is required for each commercial financing transaction. Subsequent disclosures are not required as a result of a modification, forbearance, or change to a consummated commercial financing transaction.

    The Act also defines a “broker” as “a person who, for compensation or the expectation of compensation, arranges a commercial financing transaction or an offer between a third party and a business in [Florida] which would, if executed, be binding upon that third party.” The definition excludes “a provider and any individual or entity whose compensation is not based or dependent upon the terms of the specific commercial financing transaction obtained or offered.” In addition, the Act outlines prohibited conduct and establishes unique broker requirements. Specifically, a broker may not “[a]ssess, collect, or solicit an advance fee from a business to provide services as a broker” (a business may pay for actual services required to apply for a commercial financing transaction), and may not make any false or misleading representations when engaging in the offering or sale of its brokering services.

    The Act explicitly prohibits a private right of action, but instead grants the Florida attorney general exclusive enforcement authority. The AG may seek fines of $500 per incident (not to exceed $20,000 for all aggregated violations). Fines will increase to $1,000 per incident (not to exceed $50,000 for all aggregated violations) for continued violations following receipt of written notice or a prior violation.

    The Act takes effect on July 1.

    State Issues State Legislation Florida Commercial Finance Disclosures Broker

  • FTC notifies online marketplaces on INFORM compliance

    Agency Rule-Making & Guidance

    On June 20, the FTC sent 50 letters to online marketplaces nationwide notifying them of their obligation to comply with the INFORM Consumers Act (the “Act”) set to take effect on June 27. The Act “imposes obligations on online marketplaces regarding the collection, verification, safeguarding, and disclosure of certain identifying information of ‘high-volume third party sellers’ that sell, offer to sell, or contract to sell new or unused consumer products in the United States through marketplaces’ platforms.” The Act also requires that online marketplaces make reporting of certain suspicious marketplace activity available. The letter warns that the FTC will enforce the Act to its fullest extent, and therefore encourages online vendors to prepare for the Act’s imposition, including by communicating with and informing third party sellers about the information the Act requires to be collected, verified, and disclosed. In the letter, the FTC also emphasizes the civil penalties for violations of the Act, which are north of $50,000. According to the FTC, the Act is designed to protect consumers from unsafe, stolen, and counterfeit goods by verifying the identity of their third-party sellers and simplifying the avenues for consumers to report suspicious activity.

    Agency Rule-Making & Guidance FTC Federal Legislation Consumer Protection Online Marketplace

  • Yellen discusses development banks in Paris speech

    Federal Issues

    On June 23, U.S. Treasury Secretary Janet L. Yellen attended the Summit for a New Global Financing Pact in Paris, during which she delivered remarks on the continuing evolution of global financial architecture. Yellen first touched upon an initiative to evolve multilateral development banks’ (MDBs) ability to tackle global challenges, including climate change, pandemics, poverty, and conflicts. She highlighted a recent achievement handled by a broad coalition of shareholders, which, according to Yellen, has the potential to unlock as much as $50 billion in additional lending capacity over the next decade and may lead to MDBs, as a system, unlocking “$200 billion in new lending capacity over the same timeframe through balance sheet measures that are either already under implementation or being deliberated.” Yellen also touched upon other initiatives relating to debt and macroeconomic stability, as well as private capital mobilization, during the summit.

    Federal Issues Department of Treasury Of Interest to Non-US Persons

  • CFPB puts spotlight on “banking deserts” in the south

    Federal Issues

    On June 21, the CFPB published a data spotlight, titled Banking and Credit Access in the Southern Region of the U.S., addressing banking and credit access, particularly mortgage lending, in the south (Alabama, Arkansas, Georgia, Louisiana, Mississippi, North Carolina, South Carolina, Tennessee). Considering the prevalence of “banking deserts” in the south, the report seeks to identify gaps and opportunities to increase financial access in the region. The report also includes a comparative analysis of rural and nonrural areas. For example, in rural communities and communities of color, the Bureau reports that “even though 23 percent of the population lives in a rural county, only 14 percent of home purchase loans in 2021 went to those areas. Between 2018 and 2021, only 9 percent of home purchase loans went to Black rural borrowers in the region, even though they represent 24 percent of the region’s rural population.” Moreover, the report notes that home loan applications from rural southerners are more likely to be denied than in the rest of the country. The Bureau also states that mortgage interest rates further set the rural south apart, as they tend to be higher, on average, than interest rates nationally. The Bureau’s initial analysis shows that credit scores alone do not explain these lower levels of lending.

    With respect to banking access, the data spotlight highlights the association between the presence of a bank branch and access to necessary financial services—a common concern reported by stakeholders from the south. The Bureau reports that with only 3.6 branches per 10,000 people in the south (as compared to 5.0 branches per 10,000 people nationally), financial services access is limited, particularly when combined with inaccessible online banking due to limited broadband. The report also highlights how small businesses employ nearly half of the region’s workforce; thus, small business lending is a crucial resource to the south. In support of small business lending, the report references resources for business owners to leverage. (As previously covered by InfoBytes, when the Small Business Lending Rule goes into effect, the Bureau believes that it will provide “visibility” into small business lending.) The report further includes a reminder that “lenders have the ability to create Special Purpose Credit Programs, which enable the development of directed lending programs to reach historically underserved populations.” The Bureau goes on to state that even when branch locations are present, top barriers include minimum balance requirements, distrust of banks, high fees, and barriers to meeting identification requirements.

    A second report, the Consumer Finances in Rural Areas of the Southern Region, was also published the same day. The report analyzes southern consumer financial profiles, compared to other geographies, including credit scores, financial distress, medical debt, and other debt categories. Among other things, the report highlights the unique position of mortgage borrowers from the rural south. Findings include that the share of chattel loans (for which the land underneath the home is not used as collateral) is seven times higher in the rural south than in other parts of the country. These borrowers are reportedly more vulnerable to both repossession and rent hikes or eviction. Also, student loan borrowers in the rural south tend to have lower monthly payments and delinquent balance amounts than the respective national averages, but given the area’s lower median incomes, borrowers in this region face a much higher student loan debt burden. Other findings include that rural southerners are less likely to have a credit card or an outstanding mortgage, which is partially reflective of the lower likelihood of successfully taking out credit, even within credit score tiers. According to the report, rural southerners are also more likely to pay higher interest rates on average and are more likely to have medical collections, with medical collections as the most common type of delinquency. These findings, the Bureau says, are an attempt to provide a “starting point” to better understand the financial situations, needs, and challenges of consumers in the south.

    Federal Issues CFPB Consumer Finance Mortgages Medical Debt Credit Report Underserved Small Business Lending

  • Texas is most recent state to enact comprehensive privacy legislation

    Privacy, Cyber Risk & Data Security

    On June 18, the Texas governor signed HB 4 to enact the Texas Data Privacy and Security Act (TDPSA) and establish a framework for controlling and processing consumer personal data in the state. Texas follows California, Colorado, Connecticut, Virginia, Utah, Iowa, Indiana, Tennessee, and Montana in enacting comprehensive consumer privacy measures. Earlier this month, Florida also enacted privacy legislation, but the requirements focus on specific digital controllers with global gross annual revenues of more than $1 billion.

    The TDPSA applies to a person that conducts business in the state or produces products or services consumed by state residents, processes or sells personal data, and is not a small business as defined by the U.S. Small Business Administration, except to the extent that it sells sensitive data which requires consumer consent. Unlike other states, there is no data-processing volume threshold. The TDPSA only protects consumers acting in an individual or household capacity and does not cover individuals acting in a commercial or employment context. Additionally, the TDPSA provides several exemptions, including financial institutions or data governed by the Gramm-Leach-Bliley Act and certain other federal laws, nonprofit organizations, higher education institutions, covered entities governed by the Health Insurance Portability and Accountability Act, and certain utility companies.

    Highlights of the TDPSA include:

    • Consumers’ rights. Under the TDPSA, consumers will be able to access their personal data; confirm whether their data is being processed; correct inaccuracies; request deletion of their data; obtain a copy of their data in a portable format; and opt out of the processing of their data for targeted advertising, the sale of their data, or certain profiling.
    • Data controllers’ responsibilities. Data controllers under the TDPSA will be responsible for, among other things: (i) responding to consumer requests within 45 days (unless extenuating circumstances arise) and providing requested information free of charge; (ii) establishing a process to allow consumer appeals after a controller’s refusal to take action on a consumer’s request; (iii) providing at least two methods for consumers to exercise their rights; (iv) limiting the collection of data to what is adequate, relevant, and reasonably necessary for a specified purpose; (v) securing personal data from unauthorized access; (vi) establishing easy opt-out methods that require consumers to affirmatively and freely choose to opt out of any processing of their personal data; (vii) processing data in compliance with state and federal anti-discrimination laws; (viii) obtaining consumer consent in order to process sensitive data; (ix) providing clear and reasonably accessible privacy notices; and (x) conducting and retaining data protection assessments and ensuring deidentified data cannot be associated with a consumer. The TDPSA also sets forth obligations relating to contracts between a controller and a processor, including ensuring that contracts between a controller and a processor do not waive or limit consumer data rights.
    • No private right of action. The TDPSA explicitly prohibits a private right of action. Instead, it grants the state attorney general exclusive authority to enforce the law.
    • Right to cure. Upon discovering a potential violation of the TDPSA, the attorney general must give the data controller notice. The data controller then has 30 days to cure the alleged violation before the attorney general can file suit and seek up to $7,500 for each violation, as well as injunctive relief, attorney’s fees, and other expenses.

    The TDPSA takes effect July 1, 2024, except for certain provisions relating to methods for submitting consumer requests, which shall take effect January 1, 2025.

    Privacy, Cyber Risk & Data Security State Issues State Legislation Texas Consumer Protection

  • CFPB, FTC, and consumer advocates ask 7th Circuit to review redlining dismissal

    Courts

    The CFPB recently filed its opening brief in the agency’s appeal of a district court’s decision to dismiss the Bureau’s claims that a Chicago-based nonbank mortgage company and its owner violated ECOA by engaging in discriminatory marketing and consumer outreach practices. As previously covered by InfoBytes, the Bureau sued the defendants in 2020 alleging fair lending violations predicated, in part, on statements made by the company’s owner and other employees during radio shows and podcasts. The agency claimed that the defendants discouraged African Americans from applying for mortgage loans and redlined African American neighborhoods in the Chicago area. The defendants countered that the Bureau improperly attempted to expand ECOA’s reach and argued that ECOA “does not regulate any behavior relating to prospective applicants who have not yet applied for credit.”

    In dismissing the action with prejudice, the district court applied step one of the Chevron framework (which is to determine “whether Congress has directly spoken to the precise question at issue”) when reviewing whether the Bureau’s interpretation of ECOA in Regulation B is permissible. The court concluded, among other things, that Congress’s directive does not apply to prospective applicants.

    In its appellate brief, the Bureau argued that the long history of Regulation B supports the Bureau’s interpretation of ECOA, and specifically provides “that ‘[a] creditor shall not make any oral or written statement, in advertising or otherwise, to applicants or prospective applicants that would discourage on a prohibited basis a reasonable person from making or pursuing an application.’” While Congress has reviewed ECOA on numerous occasions, the Bureau noted that it has never challenged the understanding that this type of conduct is unlawful, and Congress instead “created a mandatory referral obligation [to the DOJ] for cases in which a creditor has unlawfully ‘engaged in a pattern or practice of discouraging or denying applications for credit.’”

    Regardless, “even if ECOA’s text does not unambiguously authorize Regulation B’s prohibition on discouraging prospective applicants, it certainly does not foreclose it,” the Bureau wrote, pointing to two perceived flaws in the district court’s ruling: (i) that the district court failed to recognize that Congress’s referral provision makes clear that “discouraging . . . applications for credit” violates ECOA; and (ii) that the district court incorrectly concluded that ECOA’s reference to applicants “demonstrated that Congress foreclosed prohibiting discouragement as to prospective applicants.” The Bureau emphasized that several courts have recognized that the term “applicant” can include individuals who have not yet submitted an application for credit and stressed that its interpretation of ECOA, as reflected in Regulation B’s discouragement prohibition, is not “arbitrary, capricious, or manifestly contrary to the statute.” The Bureau argued that under Chevron step two (which the district court did not address), Regulation B’s prohibition on discouraging prospective applicants from applying in the first place is reasonable because it furthers Congress’ efforts to prohibit discrimination and ensure equal access to credit.

    Additionally, the FTC filed a separate amicus brief in support of the Bureau. In its brief, the FTC argued that Regulation B prohibits creditors from discouraging applicants on a prohibited basis, and that by outlawing this type of behavior, it furthers ECOA’s purpose and prevents its evasion. In disagreeing with the district court’s position that ECOA only applies to “applicants” and that the Bureau cannot proscribe any misconduct occurring before an application is filed, the FTC argued that the ruling violates “the most basic principles of statutory construction.” If affirmed, the FTC warned, the ruling would enable creditor misconduct and “greenlight egregious forms of discrimination so long as they occurred ‘prior to the filing of an application.’”

    Several consumer advocacy groups, including the National Fair Housing Alliance and the American Civil Liberties Union, also filed an amicus brief in support of the Bureau. The consumer advocates warned that “[i]nvalidating ECOA’s longstanding prohibitions against pre-application discouragement would severely limit the Act’s effectiveness, with significant consequences for communities affected by redlining and other forms of credit discrimination that have fueled a racial wealth gap and disproportionately low rates of homeownership among Black and Latino households.” The district court’s position would also affect non-housing credit markets, such as small business, auto, and personal loans, as well as credit cards, the consumer advocates said, arguing that such limitations “come at a moment when targeted digital marketing technologies increasingly allow lenders to screen and discourage consumers on the basis of their protected characteristics, before they can apply.”

    Courts CFPB Appellate Seventh Circuit ECOA Mortgages Nonbank Enforcement Redlining Consumer Finance Fair Lending CFPA Discrimination Regulation B

  • Anti-ISIS coalition emphasizes international cooperation

    Financial Crimes

    On June 16, the Counter ISIS Finance Group (CIFG) of the Global Coalition to Defeat ISIS, which coordinates efforts to isolate the Islamic State of Iraq and Syria (ISIS) from the international financial system and eliminate its revenue sources, released a joint statement by the CIFG co-leads (the US, Italy, and Saudi Arabia). CIFG held its eighteenth meeting on June 7. During the meeting, attendees discussed ISIS’s presence in Africa, and partner countries presented on actions taken to disrupt ISIS financing. The presentations also “demonstrated how coordinated action and information-sharing among states, non-governmental organizations (NGOs), and the private sector amplify the impact of law enforcement investigations, targeted sanctions, prosecutions, and other measures against ISIS financing networks.” The CIFG co-leads also mentioned that international cooperation has been vital in disrupting ISIS transactions outside of the formal financial system, particularly amid, among other things, the increasing use of virtual assets and mobile payment systems. CIFG members and observers are seeking, among other things: (i) support from counterterrorism partners, NGOs, and the private sector to increase information sharing; (ii) cooperation from countries prone to exploitation by ISIS financers; (iii) to assist vulnerable jurisdictions in their efforts against money laundering and terrorism financing; (iv) to urge Global Coalition members, particularly in Africa, to support their military to combat ISIS insurgency; and (v) to assist in a risk-based approach to implementing effective regulations, especially in the case of mobile payment platforms and virtual asset service providers. With a focus on international cooperation, CIFG members said they will continue to closely work with counterterrorism partners to disrupt ISIS funding sources and methods.

    Financial Crimes Of Interest to Non-US Persons OFAC OFAC Designations OFAC Sanctions ISIS Anti-Money Laundering Combating the Financing of Terrorism

  • OFAC settles with international financial institution

    Financial Crimes

    On June 20, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced a settlement with a Latvia-based bank—a subsidiary of an international financial institution headquartered in Sweden—to resolve potential civil liability stemming from OFAC’s Crimea sanctions. According to OFAC’s web notice, in 2015 and 2016, a shipping industry client of the Latvia-based subsidiary bank made 386 transactions totaling over $3 million through its e-banking platform from a Crimea-based IP address to persons in Crimea, which were processed through U.S. correspondent banks. OFAC alleges that in 2016, the client attempted to make a payment to a U.S. correspondent bank from a Crimea-based IP address, but after the payments were rejected and the bank was reassured by the client that the transactions did not involve Crimea, the bank rerouted the payment through a different U.S. correspondent bank. OFAC alleges that the bank had client onboarding information that the client had a physical presence in Crimea, so the bank had reason to know that the transactions in fact involved Crimea. OFAC also accused the bank of not integrating the client’s IP data into its sanctions screening processes.

    In arriving at the $3.4 million settlement amount, OFAC considered, among other things, that the bank willfully violated U.S. sanctions by not self-disclosing the violations, which is required as a third party. According to the OCC, the bank failed to exercise due caution or care in neglecting to account for the client’s presence in Crimea, and instead solely relied on the client’s reassurances when it possessed contradictory information. OFAC also claimed that the bank had many customers in Crimea, and therefore had reason to know the origin of the payments it was processing. OFAC also considered several mitigating factors, including that: (i) the bank has not received a penalty notice from OFAC in the preceding five years; (ii) the bank and the financial institution took remedial action; and (iii) the bank and the financial institution cooperated with OFAC’s requests for information.

    OFAC said that this action “demonstrates the importance of implementing and maintaining effective, risk-based sanctions compliance controls, especially for sophisticated financial institutions operating in proximity to high-risk regions.” OFAC added that this case also demonstrates the importance of undertaking reasonable efforts to investigate red flags. Finally, OFAC noted that this matter underscores the importance of remaining vigilant against efforts by entities based in Crimea, Russia, and other high-risk countries seeking to evade sanctions and elude compliance controls. 

    Financial Crimes Of Interest to Non-US Persons OFAC OFAC Designations OFAC Sanctions Department of Treasury Settlement Latvia Russia Enforcement
