InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
DOJ announces crackdown on fraud networks targeting consumer accounts
On December 15, in conjunction with the DOJ’s Consumer Protection Branch efforts to crack down on fraud, the DOJ unsealed two cases against groups that allegedly stole money from consumer accounts with financial institutions. According to the DOJ, the groups used “deceptive tactics” to cover the fraud, and in the two cases, the Department is seeking “temporary restraining orders and the appointment of receivers to stop defendants from dissipating assets.”
The first case (in the U.S. District Court for the Southern District of Florida) involves a group that allegedly committed bank and wire fraud and stole millions from consumers and small businesses by repeatedly creating sham companies. According to the complaint, since at least 2017, the defendants operated fraud schemes disguised as legitimate online marketing service providers by fabricating websites, forging consumer authorizations for charges, and establishing a “customer service” call center to handle complaints. The defendants allegedly obtained bank account information from individuals and small businesses without permission and utilized payment processors to make unauthorized debits to accounts. The DOJ claims that, to carry out the fraud, the defendants used remotely created checks, which are created remotely by a payee using the account holder’s information but without their signature. The second case (in the U.S. District Court for the Eastern District of California) bears many similarities to the first case, including the type of alleged fraud scheme. Both cases also involve the use of “microtransactions,” which are low-dollar fake transactions designed to artificially lower the apparent rate of return or rejected transactions. The defendants in the second case in particular allegedly gathered large deposits from their merchant clients and used those funds to initiate microtransactions that appeared as if they were payments for the merchants’ goods and services. Essentially, according to the Department’s complaint, the merchants paid themselves: the funds initially paid to the defendants were returned to the merchants as microtransactions, while the defendants allegedly collected a percentage of the transactions as service fees.
FSOC report highlights AI, climate, banking, and fintech risks; CFPB comments
On December 14, the Financial Stability Oversight Counsel released its 2023 Annual Report on vulnerabilities in financial stability risks and recommendations to mitigate those risks. The report was cited in a statement by the Director of the CFPB, Rohit Chopra, to the Secretary of the Treasury. In his statement, Chopra said “[i]t is not enough to draft reports [on cloud infrastructure and artificial intelligence], we must also act” on plans to focus on ensuring financial stability with respect to digital technology in the upcoming year. In its report, the FSOC notes the U.S. banking system “remains resilient overall” despite several banking issues earlier this year. The FSOC’s analysis breaks down the health of the banking system for large and regional banks through review of a bank’s capital and profitability, credit quality and lending standards, and liquidity and funding. On regional banks specifically, the FSOC highlights how regional banks carry higher exposure rates to all commercial real estate loans over large banks due to the higher interest rates.
In addition, the FSOC views climate-related financial risks as a threat to U.S. financial stability, presenting both physical and transitional risks. Physical risks are acute events such as floods, droughts, wildfires, or hurricanes, which can lead to additional costs required to reduce risks, firm relocations, or can threaten access to fair credit. Transition risks include technological changes, policy shifts, or changes in consumer preference which can all force firms to take on additional costs. The FSOC notes that, as of September 2023, the U.S. experienced 24 climate disaster events featuring losses that exceed $1 billion, which is more than the past five-year annual average of 18 events (2018 to 2022). The FSOC also notes that member agencies should be engaged in monitoring how third-party service providers, like fintech firms, address risks in core processing, payment services, and cloud computing. To support this need for oversight over these partnerships, the FSOC cites a study on how 95 percent of cloud breaches occur due to human error. The FSOC highlights how fintech firms face risks such as compliance, financial, operational, and reputational risks, specifically when fintech firms are not subject to the same compliance standards as banks.
Notably, the FSOC is the first top regulator to state that the use of Artificial Intelligence (AI) technology presents an “emerging vulnerability” in the U.S. financial system. The report notes that firms may use AI for fraud detection and prevention, as well as for customer service. The FSOC notes that AI has benefits for financial instruction, including reducing costs, improving inefficiencies, identifying complex relationships, and improving performance. The FSOC states that while “AI has the potential to spur innovation and drive efficiency,” it requires “thoughtful implementation and supervision” to mitigate potential risks.
EU Commission, Council, and Parliament agree on details of AI Act
On December 9, the EU Commission announced a political agreement between the European Parliament and the European Council regarding the proposed Artificial Intelligence Act (AI Act). The agreement is provisional and is subject to finalizing the text and formal approval by lawmakers in the European Parliament and the Council. The AI Act will regulate the development and use of AI systems, as well as impose fines on any non-compliant use. The object of the law is to ensure that AI technology is safe and that its use respects fundamental democratic rights while balancing the need to allow businesses to grow and thrive. The AI Act will also create a new European AI Office to ensure coordination, transparency, and to “supervise the implementation and enforcement of the new rules.” According to this EU Parliament press release, powerful foundation models that pose systemic risks will be subject to specific rules in the final version of the AI Act based on a tiered classification.
Except with foundation models, the EU AI Act adopts a risk-based approach to the regulation of AI systems, classifying these into different risk categories: minimal risk, high-risk, and unacceptable risk. Most AI systems would be deemed as minimal risk since they pose little to no risk to citizens’ safety. High-risk AI systems would be subject to the heaviest obligations, including certifications on the adoption of risk-mitigation systems, data governance, logging of activity, documentation obligations, transparency requirements, human oversight, and cybersecurity standards. Examples of high-risk AI systems include utility infrastructures, medical devices, institutional admissions, law enforcement, biometric identification and categorization, and emotion recognition systems. AI systems deemed “unacceptable” are those that “present a clear threat to the fundamental rights of people” such as systems that manipulate human behaviors, like “deep fakes,” and any type of social scoring done by governments or companies. While some biometric identification is allowed, “unacceptable” uses include emotional recognition systems at work or by law enforcement agencies (with narrow exceptions).
Sanctions for breach of the law will range from a low of €7.5 million or 1.5 percent of a company’s global total revenue to as high as €35 million or 7 percent of revenue. Once adopted, the law will be effective from early 2026 or later. Compliance will be challenging (the law targets AI systems made available in the EU), and companies should identify whether their use and/or development of such systems will be impacted.
California’s new mortgage servicer during a “state of emergency” to be effective
Recently, California enacted SB 455 to address mortgage servicing during a state of emergency. SB 455 will require a mortgage servicer (transferring a mortgage secured by a property within a proclaimed emergency zone) to provide the new servicer with written records between the borrower and the old servicer on the borrower’s election to use insurance proceeds to repair or replace property damaged by a disaster. Additionally, SB 455 prevents the new servicer from disregarding any prior written agreements between the original servicer and the borrower regarding property repairs that were approved by the owner of the promissory note. The SB 455 bill will be effective January 1, 2024.
District Court partially dismisses TCPA claims
On December 12, the U.S. District Court for the Northern District of Illinois partially granted a culinary school’s motion to dismiss claims concerning unwanted calls to enroll in cooking classes. According to the memorandum opinion and order, the plaintiff filed suit after the culinary school called her over 30 times, even though she had requested the school to place her on a do-not-call list. The plaintiff claimed the school violated the Telephone Consumer Protection Act (TCPA) by making unwanted calls and leaving prerecorded messages on her cell phone.
According to the court, any calls made to a cell phone cannot violate § 227(b)(1)(B) because the court reasoned that “a cellular phone and a residential phone are not the same thing,” and that § 227(b)(1)(B) of the TCPA expressly covers “residential telephone line[s],” but not cellular telephone services. Regarding the plaintiff’s claim under § 227(b)(1)(A) of the TCPA, although the school argued there was not enough proof that the calls were prerecorded, including because some of the calls came from different states, the court disagreed and provided examples of why the calls could have been prerecorded. The court consequently denied the school’s motion to dismiss the plaintiff’s § 227(b)(1)(A) claim.
Agencies extend Regulation O relief for some companies controlled by funds
On December 15, the Fed, FDIC, and the OCC announced the issuance of an interagency statement to further extend the “Extension of the Revised Statement Regarding Status of Certain Investment Funds and their Portfolio Investments for Purposes of Regulation O and Reporting Requirements under Part 363 of FDIC Regulations.” The original statement was issued on December 22, 2022, with an expiration of January 1, 2024. The new interagency statement effectively extends the prior no-action position (covered by InfoBytes here) until either January 1, 2025 or the effective date of amendments to Regulation O that addresses the treatment of extensions of credit by a bank to fund complex–controlled portfolio companies that are bank insiders.
The agencies noted that they will refrain from acting against banks extending credit to complex-controlled portfolio companies that would otherwise violate Regulation O, provided the company controls (directly or indirectly) less than 15 percent of the bank’s voting securities (or 20 percent under certain circumstances) and does not plan to place representatives or exercise a controlling influence over the bank. Additionally, the agencies will not pursue action against insured depository institutions for failing to report credit extensions that would violate Regulation O but fall under the interagency statement’s coverage. The agencies explained how credit extensions must be on “substantially the same terms as those prevailing for comparable transactions with unaffiliated third parties” and may not “involve more than normal risk of repayment or present other unfavorable features.”
Fed enters into written agreement with Ohio bank
On December 19, the Federal Reserve Board announced a written agreement with an Ohio state-chartered bank and its holding company to address certain deficiencies identified during a recent examination of the bank. Under the agreement, the bank and its holding company agreed to: (i) use the bank’s resources as a “source of strength”; (ii) submit a written plan to enhance board oversight and management; (iii) conduct a third-party assessment of the bank’s staff; (iv) submit an enhanced written investment policy that includes “periodic analysis of the investment portfolio, including, but not limited to the assessment of market risk, credit risk, interest rate risk, and liquidity risk of the underlying investments”; (v) improve the bank’s investment portfolio management and interest rate risk management practices; (vi) implement an enhanced liquidity risk management program; and (vii) submit a written plan regarding sufficient capital (among other corrective actions).
OCC issues cease-and-desist order to NY bank
On December 14, the OCC released a list of recent enforcement actions taken against national banks, federal savings associations, and individuals that are or were affiliated with such entities. Included is a cease-and-desist order against an upstate New York bank for allegedly engaging in unsafe or unsound practices, including on the bank’s corporate governance, capital planning, interest rate risk management, liquidity risk management, and reports of condition.
Under the order, the bank must appoint a compliance committee to take corrective action, submit a three-year strategic plan to establish objectives for the bank’s risk profile, earnings performance, growth, and balance sheet mix, among other areas, and maintain a capital ratio of at least 15 percent, a common equity tier 1 capital of at least equal to 14 percent, and a leverage ratio of at least ten percent. The order also requires the bank to create an interest rate risk program and a third-party risk management program.
CFPB fines and shuts down debt collector for alleged FDCPA, FCRA violations
On December 15, the CFPB announced a consent order against a Pennsylvania-based nonbank medical debt collection company for alleged violations of the FCRA and FDCPA. According to the order, the company failed to (i) establish and implement reasonable written policies and procedures for ensuring the accuracy and integrity of information furnished to consumer reporting agencies; (ii) conduct reasonable investigations into direct and indirect consumer disputes about furnished information; (iii) report direct dispute investigation results to consumers; and (iv) indicate disputed items when furnishing information to reporting agencies. The company also allegedly lacked a reasonable basis for debt-related representations made to consumers and engaged in collection activities after receiving a written dispute within 30 days of the consumer’s receipt of a debt validation notice but before obtaining and mailing a verification of the debt.
The consent order permanently bans the company from involvement or aid in debt collection, purchasing or selling of any debts, or any consumer reporting activities. The company must also request credit reporting agencies to delete all collection accounts previously reported by the company. Additionally, the company is obligated to pay a $95,000 civil money penalty and must display on its website information that informs consumers about the option to file a complaint with the CFPB.
District Court grants motion to dismiss in FDCPA case regarding an undated Model Validation Notice
On December 5, the U.S. District Court for the Southern District of New York granted a debt collection agency (the defendant) a motion to dismiss an individual’s (plaintiff’s) complaint. The case considers whether an undated Model Validation Notice (MVN) is a material detail that provides standing to sue under the FDCPA. An MVN is a form provided by the CFPB in Appendix B of the Debt Collection Rule to assist debt collection agencies in complying with FDCPA notice and disclosure requirements. However, the CFPB provides an undated MVN, so many debt collectors who use this template fail to provide a date when sending a debt collection letter to individuals, leading to a recipient’s confusion when the debt collector writes “today” or “now.”
In this case, the plaintiff alleges that the undated collection letter suggests the defendant “withheld a material term from [p]laintiff which made it confusing for him to understand the nature of the subject debt.” The plaintiff did not pay the debt, and instead, he alleged that he suffered damages from the defendant’s “suspicious, misleading, deceptive, unfair, and unconscionable actions.”
Before addressing the merits of the plaintiff’s claims, the court applied Article III standing to determine if the plaintiff had a basis to sue. The court considered whether the plaintiff had suffered a “concrete, particularized injury” in receiving an undated letter from the defendant and concluded that the plaintiff did not suffer harm as a result of this act under Article III because “[t]ime and money spent due to concern and confusion are not concrete harms.” The court held the plaintiff had no standing to bring this action and granted the defendant’s motion to dismiss the plaintiff’s claims. The court, however, gave the plaintiff the opportunity to file an amended complaint.