InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
New York AG releases guide for businesses to protect consumer’s personal information
On April 19, the New York attorney general released a data security guide to help businesses adopt effective data security measures for protecting state residents’ personal information. The guide outlines recommendations for preventing data breaches and securing personal information, and discusses recent data security failures. Recommendations include (i) implementing strong controls for secure authentication; (ii) encrypting sensitive customer information; (iii) ensuring third-party vendors use appropriate, reasonable data security measures to safeguard customer information; (iv) maintaining inventories of assets and locations that contain customer information; (v) implementing effective safeguards to prevent “credential stuffing” attacks where usernames and passwords stolen from other online services are used in an attempt to log in to a customer’s online account; and (vi) notifying customers quickly and accurately when a data breach occurs. The guide is drawn from the AG’s experience in investigating and prosecuting data breaches.
OFAC sanctions Nicaraguan judicial officials
On April 19, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions, pursuant to Executive Order 13851, as amended, against three Nicaraguan judicial officials involved in human rights abuses intended to oppress citizens who oppose the current Nicaraguan president’s regime. The sanctions block all property and interests in property subject to U.S. jurisdiction belonging to the sanctioned persons and require such property, as well as “any entities that are owned, directly or indirectly, 50 percent or more by one or more blocked persons,” to be reported to OFAC. U.S. persons are also generally prohibited from engaging in any dealings involving the property or interests in property of blocked or designated persons unless they are exempt from OFAC regulations or authorized by a general or specific license issued by OFAC, OFAC warned.
OFAC sanctions network supporting Iran’s military programs
On April 19, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions, pursuant to Executive Order 13382, against one individual and six entities involved in a sanctions evasion network responsible for procuring electronic components for Iran’s military programs, including goods and technology used in unmanned aerial vehicles. The sanctions target the head of a previously U.S.-designated Iranian company, as well as its Iran-, Malaysia-, Hong Kong-, and PRC-based front companies and suppliers. OFAC’s action also updates the Specially Designated Nationals and Blocked Persons List to include an alias and fictious company names used by the designated company in its procurement efforts. The sanctions block all property and interests in property subject to U.S. jurisdiction belonging to the sanctioned persons and require such property, as well as “any entities that are owned, directly or indirectly, 50 percent or more by one or more blocked persons,” to be reported to OFAC. U.S. persons are also generally prohibited from engaging in any dealings involving the property or interests in property of blocked or designated persons, OFAC said, warning that persons that engage in certain transactions with the designated individuals or entities may themselves be exposed to sanctions. Moreover, “any foreign financial institution that knowingly facilitates a significant transaction or provides significant financial services for any of the individuals or entities designated today pursuant to E.O. 13382 could be subject to U.S. sanctions.”
CFPB: ECOA prohibits discrimination in any aspect of a credit transaction
On April 14, the CFPB filed a statement of interest saying ECOA’s prohibition on discrimination applies “to any aspect of a credit transaction,” and therefore covers every aspect of a borrower’s dealings with a creditor, not just specific loans terms such as the interest rate or fees.
The case, which is currently pending in the U.S. District Court for the Southern District of Florida, concerns a putative class of Black students enrolled at a for-profit nursing school who took out credit in the form of federal and private student loans to pay for the program. Plaintiffs alleged that the school adopted new policies while they were enrolled that increased the time and money it would take to complete the program, and asserted the program was intentionally targeted to individuals on the basis of race “with the understanding that they were highly likely to require an extension of credit to pay for the program.” Plaintiffs claimed the school violated ECOA by engaging in “reverse redlining” and brought other claims under state and federal law. The school moved to dismiss, arguing that the plaintiffs failed to specify any aspect of any credit transaction that is discriminatory based on race or another protected class under ECOA, and failed to identify any specific loan term that was unfair or predatory (based on race or otherwise), the Bureau said in a corresponding blog post.
The statement of interest addressed two questions concerning ECOA’s applicability raised in the school’s motion to dismiss. First, the Bureau refuted the school’s argument that in order to state a claim for discriminatory targeting under ECOA, the plaintiff must allege that the individual (i) is a member of a protected class; (ii) applied and qualified for a loan; (iii) the loan was made on “grossly unfavorable terms”; and (iv) the lender intentionally targeted the plaintiff for unfair loans or gave more favorable terms to others. Calling this contention “mistaken,” the Bureau explained that to state a claim under ECOA, “a plaintiff need allege only facts to plausibly suggest that a defendant discriminated on a prohibited basis with respect to an aspect of a credit transaction; they need not allege the elements of a prima facie case, which is an evidentiary standard and not a pleading requirement.” The Bureau pointed to allegations showing that the school allegedly targeted Black students by, among other things, engaging in race-targeted advertising and marketing, enrolling a disproportionate number of Black students as compared to the surrounding neighborhoods’ populations, and making a greater percentage of loans in majority Black census tracts, as examples of discriminatory targeting.
Second, the Bureau disagreed with the school’s assertion that plaintiffs failed to identify any aspects of the credit transactions that were discriminatory based on race, or any specific loans terms that were allegedly unfair or predatory. Emphasizing that even if the loan terms are not themselves unfair or predatory, plaintiffs may proceed with a discriminatory targeting claim because ECOA prohibits discrimination “with respect to any aspect of a credit transaction,” which encompasses more than just the loan terms in a contract, the Bureau explained. According to the Bureau, the plaintiffs alleged discrimination in relation to multiple aspects of their credit transactions with the school and have accordingly stated a claim under ECOA.
CFPB Director Rohit Chopra issued a statement emphasizing that courts have consistently upheld that discriminatory targeting violates ECOA when a company targets consumers on a prohibited basis for harmful and predatory loans. The Bureau will continue to work with the DOJ, federal agencies, and the states to ensure lenders that engage in discriminatory targeting are held accountable, Chopra said.
SEC opens comment period on defining “exchange”
On April 14, the SEC reopened the comment period on proposed amendments to the statutory definition of “exchange” under Exchange Act rule 3b-16, which now includes systems that facilitate the trading of crypto asset securities. (See also SEC fact sheet here.) The comment period was reopened in response to feedback requesting information about how existing rules and the proposed amendments would apply to systems that trade crypto asset securities and meet the proposed definition of an exchange, or to trading systems that use distributed ledger or blockchain technology, including such systems characterized as decentralized finance (DeFi). The SEC also provided supplement information and economic analysis for systems that would now fall under the new, proposed definition of exchange. The reopened comment period allows an opportunity for interested persons to analyze and comment on the proposed amendments in light of the supplemental information. Comments are due 30 days after publication in the Federal Register.
“[G]iven how crypto trading platforms operate, many of them currently are exchanges, regardless of the reopening release we’re considering today,” SEC Chair Gary Gensler said. “These platforms match orders of multiple buyers and sellers of crypto securities using established, non-discretionary methods. That’s the definition of an exchange—and today, most crypto trading platforms meet it. That’s the case regardless of whether they call themselves centralized or decentralized.” He added that crypto-market investors must receive the same protections that the securities laws afford to all other markets. Commissioners Mark T. Uyeda and Hester M. Peirce voted against reopening the comment period. Uyeda cautioned against expanding the definition of an “exchange” in an “ambiguous manner,” saying it could “suppress further beneficial innovation.” Peirce also dissented, arguing that the proposal stretches the statutory definition of an “exchange” beyond a reasonable reading in an attempt to “reach a poorly defined set of activities with no evidence that investors will benefit.”
Fed governor outlines CBDC risks
On April 18, Federal Reserve Governor Michelle W. Bowman cautioned that the risks of creating a U.S. central bank digital currency (CBDC) may outweigh the benefits for consumers. Bowman said the Fed continues to engage in exploratory work to understand how a CBDC could potentially improve payment speeds or better financial inclusion, and noted that the agency is also trying to understand how new potential forms of money like CBDCs and other digital assets could play a larger role in the economy. In prepared remarks delivered before Georgetown University’s McDonough School of Business Psaros Center for Financial Markets and Policy, Bowman raised several policy considerations relating to privacy, interoperability and innovation, and the potential for “unintended effects” on the banking system should a CBDC be adopted. She also commented that due to the upcoming rollout of the agency’s FedNow Service in July (covered by InfoBytes here), real-time retail payments will happen without the introduction of a CBDC. With respect to privacy, Bowman cautioned that any CBDC “must ensure consumer data privacy protections embedded in today’s payment systems continue and are extended into future systems.” She added that “[i]n thinking about the implications of CBDC and privacy, we must also consider the central role that money plays in our daily lives, and the risk that a CBDC would provide not only a window into, but potentially an impediment to, the freedom Americans enjoy in choosing how money and resources are used and invested.”
OFAC designates evasion network supporting Hizballah financier
On April 18, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions, pursuant to Executive Order 13224, as amended, against a “vast international money laundering and sanctions evasion network” comprised of 52 individuals and entities in Lebanon, the United Arab Emirates, South Africa, Angola, Côte d’Ivoire, the Democratic Republic of the Congo, Belgium, the United Kingdom, and Hong Kong. The designated network assisted a Hizballah financier and Specially Designated Global Terrorist (previously sanctioned by OFAC in 2019) in evading U.S. sanctions by facilitating the payment, shipment, and delivery of goods and services, including cash, diamonds, art, and luxury goods, for the benefit of the sanctioned individual who used the funds to finance the Hizballah financier and his lifestyle, OFAC said, explaining that the network used shell companies and fraudulent schemes to disguise the Hizballah financier’s role in the financial transactions. Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian E. Nelson warned in the announcement that “[l]uxury good market participants should be attentive to these potential tactics and schemes, which allow terrorist financiers, money launderers, and sanctions evaders to launder illicit proceeds through the purchase and consignment of luxury goods.” Treasury has issued warnings on money laundering and terrorist financing risks associated with the trade of works of art in a February 2022 report and an October 2020 art advisory (covered by InfoBytes here and here).
As a result of the sanctions, all property and interests in property belonging to the sanctioned persons that are in the U.S. or in the possession or control of U.S. persons are blocked and must be reported to OFAC. “[A]ny entities that are owned, directly or indirectly, 50 percent or more by one or more blocked persons are also blocked.” U.S. persons are also generally prohibited from engaging in any dealings involving the property or interests in property of blocked or designated persons. OFAC warned that “persons that engage in certain transactions with the persons designated today may themselves be exposed to sanctions or subject to an enforcement action.” Additionally, “any foreign financial institution that knowingly facilitates a significant transaction or provides significant financial services for any of the targets designated today pursuant to E.O. 13224, as amended, could be subject to U.S. sanctions.”
The action by Treasury was taken in coordination with the Department of Homeland Security, the Department of State’s Rewards for Justice program, and the United Kingdom. The same day, the DOJ unsealed a nine-count indictment charging the Hizballah financier and eight co-defendants with conspiring to evade terrorism-related sanctions. According to the DOJ, despite being sanctioned and prohibited from engaging in transactions with U.S. persons, the Hizballah financier and the other co-defendants used a complex web of business entities to conduct money laundering transactions involving valuable artwork and diamond-grading services.
DFPI says escrow trust accounts are not stored value under MTA
The California Department of Financial Protection and Innovation recently released a new opinion letter covering aspects of the California Money Transmission Act (MTA) and the Escrow Act related to persons engaging in business as an escrow agency within the state. The redacted opinion letter examines a request from the inquiring company for confirmation that it does not require either an internet escrow agent license or a money transmitter license in the state of California in connection with its proposed business model (details on the model have been omitted). DFPI responded that under the Escrow Law, “it is unlawful for any person to engage in business as an escrow agent within this state except by means of a corporation duly organized for that purpose licensed by the commissioner as an escrow agent.” The definition of an “internet escrow agent,” DFPI explained, was added to Financial Code section 17003, subdivision (b) to mean “any person engaged in the business of receiving escrows for deposit or delivery over the Internet.” DFPI concluded that based on the facts asserted within the request, the inquiring company has not demonstrated that its proposed model is exempt from the Escrow Law.
DFPI further considered whether the inquiring company’s proposed model meets the definition of stored value under the MTA, and whether it qualifies for several exemptions under the statute. DFPI explained that the transactions under consideration are not considered “stored value under the definition in Financial Code section 2003, subdivision (x), because they do not represent a claim against the issuer; rather, the money comes under [the inquiring company’s] possession and control and therefore must be placed in an escrow trust account. “An escrow trust account is not the same as stored value,” DFPI said, adding that since the transaction is not stored value, it is unnecessary to address the remaining arguments regarding the MTA.
North Dakota establishes requirements for residential mortgage servicers
On April 12, the North Dakota governor signed HB 1068, which outlines provisions relating to residential mortgage loan servicers. The Act provides that a person may not engage in residential mortgage loan servicing in the state without being licensed by the commissioner. This applies to servicers, subservicers, or a mortgage servicing rights investor. “A person engages in residential mortgage loan servicing in the state if the borrower resides in North Dakota,” the Act explains. Exempt from licensure are financial institutions, state or federal housing finance agencies, institutions chartered by the farm credit administration, and not-for-profit mortgage servicers. The Act outlines application and fee requirements and specifies financial conditions for applicants and licensees. Large mortgage servicers must also abide by certain corporate governance conditions, including the establishment of a board of directors responsible for oversight and compliance monitoring. These licensees must also obtain external audits and establish risk management programs.
The Act outlines prohibited acts and practices and grants authority to the Department of Financial Institutions to promulgate rules and regulations to enforce the law and power to carry out the provisions, including through orders and injunctions. The commissioner will also oversee the licensure process, including provisions concerning the expiration, renewal, revocation, suspension, and surrender of licenses, and may issue orders suspending and removing residential mortgage loan servicer officers and employees. The commissioner may also conduct investigations and examinations and impose civil money penalties of not more than $100,000 for each occurrence and $1,000 per day for each day that the violation continues after issuance of an order. Licensees may appeal by filing a written notice within 20 days after the assessment of a civil money penalty. The Act is effective August 1.
FTC, DOJ sue payment processor for tech support scams
On April 17, the DOJ filed a complaint on behalf of the FTC against several corporate and individual defendants for violating the FTC Act and the Telemarketing Sales Rule (TSR) by allegedly engaging in credit card laundering for tech support scams. (See also FTC press release here.) According to the complaint, since at least 2016, the defendants—a payment processing company and several of its subsidiaries, along with the company’s CEO and chief strategy officer—worked with telemarketers who made misrepresentations to consumers about the performance and security of their computers through the use of deceptive pop ups in order to sell technical support scams. Defendants’ involvement included assisting and facilitating the illegal sales and laundering the credit card charges through their own merchant accounts (thus giving the scammers access to the U.S. credit card network) where defendants received a commission for each charge. The complaint maintained that the defendants “engaged in this activity even though it and its officers knew or consciously avoided knowing that its tech support clients were engaged in deceptive telemarketing practices.”
The proposed court orders (see here, here, and here) each impose monetary judgments of $16.5 million and (i) prohibit the defendants from engaging in credit card laundering through merchant accounts; (ii) require the defendants to screen and monitor any high-risk clients and take action if clients should charge consumers without authorization or violate the TSR; and (iii) prohibit the defendants from engaging in payment processing or assisting tech support companies that engage in false or unsubstantiated telemarketing or advertising. According to the DOJ’s announcement the defendants will be required to pay a combined total of $650,000 in consumer redress. This payment will result in the suspension of the total monetary judgment of $49.5 million due to the defendants’ inability to pay.