InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
SEC awards more than $28 million to seven whistleblowers
On December 22, 2023, the SEC announced awards totaling more than $28 million to seven whistleblowers whose information and assistance led to a successful SEC enforcement action. According to the redacted order, five of the whistleblowers provided significant information early in the investigation, participated in voluntary interviews, provided supporting documents to SEC staff, and identified key witnesses. The SEC also added that the whistleblowers made several attempts to internally report their concerns to company management. Two whistleblowers provided significantly less information than the other five later into the investigation, but still qualified for a percentage of the monetary sanctions collected in the covered action. Creola Kelly, Chief of the SEC’s Office of the Whistleblower, stated that “[t]hese whistleblowers provided valuable information and substantial assistance that played a critical role in the SEC returning millions of dollars to harmed investors.”
One claimant’s whistleblower award application was denied because they did not communicate directly with the SEC staff responsible for the Covered Action Investigation and none of the information provided by the claimant was forwarded to the responsible staff. As such, the claimant did not provide original information that led to the successful enforcement action.
Payments to whistleblowers are made out of an investor protection fund, established by Congress, which is financed entirely through monetary sanctions paid to the SEC by securities law violators.
NYDFS releases guidance on risk management
On December 21, 2023, NYDFS released guidance for managing significant financial and operational risks associated with climate change for New York State-regulated banking and mortgage institutions. The guidance emphasized the importance of ensuring operational resiliency which is “the ability to deliver operations, including critical operations and core business lines, through a disruption from any hazard.” Regulated organizations are encouraged to consider three key areas: 1) understanding climate-related financial risks; 2) prioritizing operational resilience; 3) and complying with consumer protection laws when adjusting risk frameworks for climate-related risks. The NYDFS categorizes climate-related financial risks as either physical risks, like hurricanes, floods, and wildfires, or transition risks from policy, regulations, adoption of new technologies, consumer, and investor preferences, and changing liability risks which can directly and indirectly affect financial institutions.
Regulated organizations are urged to consider potential impacts on at-risk communities while adapting their risk management approaches. NYDFS suggests they maintain reasonable, risk-based business strategies to prevent unnecessary market disruptions and comply with consumer protection laws and fair lending considerations at all times. The guidance suggests institutions also maintain fair lending practices while managing climate-related financial risks, and further suggests not divesting from low-income communities to manage risk.
The NYDFS has not set a timeline for implementation of the Guidance expectations as it would like “to provide regulated organizations with sufficient opportunity to integrate consideration of climate-related financial and operational risks into their governance frameworks, organizational structures, business strategies and risk management processes in a proportionate manner.” To offer an overview of these documents and highlight key feedback themes, NYDFS has scheduled a webinar for January 11, 2024, at 11:30 am ET. Interested parties can register for the webinar via the provided link. The Department also made additional resources available to aid organizations in implementing measures to tackle climate-related risks.
Washington Appeals Court overturns ruling for collector
On December 26, 2023, the Court of Appeals of the State of Washington overturned a ruling in favor of a collection agency. In the initial action, the collection agency sued an individual over a medical debt that was assigned to the agency. The individual filed counterclaims against the collection agency alleging violations of the Washington Consumer Protection Act (CPA), the Washington Collection Agency Act (CAA), and the FDCPA. Each counterclaim centered on the legitimacy of the debt owed since the individual had not been screened for charity care as required by law. The individual was granted charity care that assisted with paying 75 percent of the owed debt and the collection agency accepted the payment. Later, the collection agency sought to enforce a supposed settlement agreement. The trial court granted the collection agency’s motion for summary judgment and dismissed the individual’s counterclaims and denied the collection agency’s motion to enforce settlement. As a result, the dismissal of the individual’s counterclaims was reversed, the denial of the collection agency’s motion to enforce the settlement agreement was upheld, and the case was sent back to the trial court for further proceedings in line with the court's findings.
District Court affirms FDCPA case dismissal
On December 21, 2023, the U.S. District Court for the District of Oregon affirmed the dismissal of an FDCPA case after it granted a debt collector’s motion to dismiss in March 2023 because the plaintiff’s claims were filed outside of the one-year statute of limitations. The plaintiff contended that the court made a clear error by dismissing their claim as untimely without considering the potential impact of equitable tolling on the limitations period. The court held that the plaintiff's request for reconsideration based on equitable tolling was not raised in response to the defendant’s motion to dismiss and was declined. Plaintiff also referenced a new legal precedent, set earlier this year, arguing that it impacts the timing of their claims under the FDCPA. However, the court found this reference untimely and unrelated to the original motion. As previously covered in InfoBytes, the referenced case established that both serving and filing a lawsuit could be independent violations of the FDCPA, depending on certain conditions. However, in this case, where service occurred after filing, the court determined that it did not constitute a new FDCPA violation. Therefore, the court denied the plaintiff's motion for reconsideration based on this precedent.
Agencies update the Uniform Rules of Practice and Procedure
On December 28, 2023, the Fed, OCC, FDIC, and NCUA published a final rule amending the Uniform Rules of Practice and Procedure to recognize the use of electronic communications and enhance the efficiency and equity of administrative hearings. The agencies have implemented measures recognizing the role of electronic communications across all facets of administrative proceedings. Among other things, the final rule (i) defines “electronic signature” in the Uniform Rules; (ii) codifies permitting electronic service and filings for administrative actions; (iii) allows for remote depositions; (iv) includes Equal Access to Justice Act procedures based on the 2019 Administrative Conference of the United States Model Rule; (v) adds provisions on when parties must pay civil money penalties; (vi) adds specific provisions pertaining to the forfeiture of a national bank, federal savings association, or federal branch or agency charter or franchise due to certain money laundering or cash transaction violations; (vii) modifies the discovery rules to recognize electronic documents and allow for electronic production; (viii) establishes new rules for expert and hybrid fact-expert witnesses; and (ix) consolidates the Uniform Rules and Local Rules for national banks and federal savings associations.
Additionally, the OCC has revised its specific administrative practice and procedure regulations to harmonize rules for national banks and federal savings associations. Furthermore, adjustments were made to the OCC’s regulations on organization and operations to encompass service of process considerations.
The rule is effective April 1, 2024.
OCC announces CRA bank asset-size threshold adjustments for 2024
On December 26, 2023, the OCC announced revisions to the asset-size thresholds used to define small and intermediate small banks and savings associations under the Community Reinvestment Act (CRA). Effective January 1, 2024, a small bank or savings association will mean an institution that, as of December 31 of either of the past two years, had assets of less than $1.564 billion. An intermediate small bank or savings association will mean an institution with assets of at least $391 million as of December 31 of both of the prior two years, and less than $1.564 billion as of December 31 of either of the prior two years. As previously covered by InfoBytes, the Fed and the FDIC also announced joint annual adjustments to the CRA asset-size thresholds used to define “small bank” and “intermediate small bank.”
IOSCO publishes nine recommendations on decentralized finance
On December 19, 2023, the International Organization of Securities Commissions (IOSCO) published a report on decentralized finance to address market integrity and investor protection. The report includes nine policy recommendations for decentralized financial regulators to follow. Decentralized finance structures include financial products and arrangements that use a distributed ledger or blockchain technology. IOSCO’s policy recommendations on decentralized finance complement a similar report on crypto and digital asset markets, as written about on InfoBytes, here. The policy recommendations are as follows: (i) regulators should analyze decentralized finance products, services, and activities in its jurisdiction; (ii) regulators should identify the persons or entities that could be subject to its regulatory framework; (iii) regulators should use frameworks to regulate and address risks arising from decentralized finance consistent with IOSCO standards; (iv) regulators should require responsible persons to address conflicts of interest; (v) regulators should require responsible persons to address material risks, including operational and technological ones; (vi) regulators should require responsible persons to disclose information clearly to users and investors; (vii) regulators should apply comprehensive powers to decentralized financial services to detect and enforce violations under law; (viii) regulators should cooperate and share information with other regulators and authorities; and (ix) regulators should seek to understand how decentralized finance products are linked to the crypto-asset market as well as traditional finance markets. The final section of the report summarized the feedback garnered from 45 stakeholders on eight categories.
FTC sues for-profit university for deceptive and illegal practices
On December 27, 2023, the FTC filed a suit in the U.S. District Court of Arizona against a for-profit university for allegedly deceiving students, misrepresenting the university as a nonprofit entity, and committing telemarking abuses. The FTC sued under the FTC Act and Telemarketing Sales Rule (TSR). The complaint alleges that the university in question is a for-profit institution operating as a publicly traded entity, but nonetheless marketed itself as a “nonprofit” university. The complaint further alleges that the university misled students about the cost of its “accelerated” doctoral programs and used abusive telemarketing calls to try to boost enrollment. According to the FTC, the university called those who requested not to be called by the university, as well as consumers on the National Do Not Call Registry. The FTC asserts five claims against the university. The first two counts allege violations of Section 5(a) of the FTC Act for deceptive representations about its non-profit status and for falsely advertising its doctoral programs. The last three counts allege violations of the TSR predicated on deceptive telemarketing acts or practices, contacting those who have requested to not be contacted, and calling people on the National Do Not Call Registry.
FCC adopts updated data breach notification rules
On December 21, 2023, the FCC announced it adopted an updated data breach notifications rule. The rule was formerly designed to protect consumers against pretexting, “a practice in which a scammer pretends to be a particular customer or other authorized person to obtain access to that customer’s call detail or other private communications records.” As previously covered by InfoBytes, the FCC promulgated its notice of proposed rulemaking in January 2023. The rule has been updated to expand the data breach notification requirements to, among other things: (i) cover different categories of personally identifiable information that carriers hold; (ii) expand the definition of “breach” to cover unintended disclosures of consumer information, except in situations where such information is obtained in good faith by an employee or representative of a carrier or telecommunications relay service (“TRS”) provider, and where there’s no improper use or further disclosure of that information; (iii) require TRS providers and carriers to notify the FCC, FBI, and U.S. Secret Service as soon as practicable and no later than seven business days after the reasonable determination of a breach; (iv) no longer require TRS providers and carriers to notify consumers of a data breach if they reasonably determine no harm to consumers is reasonably likely; and (v) no longer require carriers to follow a mandatory waiting period to notify consumers of a breach. FCC Chairwoman Jessica Rosenworcel said in her statement that the update to the data breach policy is the first in 16 years and that under the Communications Act, “carriers have a duty to protect the privacy and security of consumer data.” The rule was adopted on December 13, 2023.
FDIC proposes revisions to call reports
On December 27, 2023, the FDIC published its proposed revisions to the reporting forms and instructions for Call Reports and the FFIEC 002 report in a financial institution letter under the auspices of the FFIEC. Call Reports are also known as Consolidated Reports of Condition and Income, a set of financial reporting standards that banks in the U.S. must file with a regulatory agency. The proposed revisions are currently open for public comment until February 26, 2024.
The changes affect Call Reports FFIEC 031, FFIEC 041, and FFIEC 051, as well as the Report of Assets and Liabilities of U.S. Branches and Agencies of Foreign Banks (FFIEC 002). The FFIEC’s proposed changes encompass reporting on (i) loans to non-depository financial institutions, (ii) structured financial products, and (iii) long-term debt requirements. The proposed changes are found in more detail in the Federal Register, and state detailed revisions for each FFIEC form. The changes will go into effect on June 30, 2024.