InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Crypto platform reaches $1.2 million settlement on alleged compliance failures
On May 1, NYDFS issued a consent order against a cryptocurrency trading platform for engaging in alleged violations of the state’s cybersecurity regulation (23 NYCRR Part 500). According to the consent order, during examinations conducted in 2018 and 2020, NYDFS identified multiple alleged deficiencies in the respondent’s cybersecurity program, as required by both the cybersecurity regulation and the state’s virtual currency regulation (23 NYCRR Part 200). Following the examinations, NYDFS initiated an investigation into the respondent’s cybersecurity program. The Department concluded that the respondent failed to conduct periodic cybersecurity risk assessments “sufficient to inform the design of the cybersecurity program,” and failed to establish and maintain an effective cybersecurity program and implement a reviewed and board-approved written cybersecurity policy. Moreover, NYDFS claimed the respondent’s policies and procedures were not customized to meet the company’s needs and risks. Under the terms of the consent order, the respondent must pay a $1.2 million civil monetary penalty and submit quarterly progress reports to NYDFS detailing its remediation efforts.
State appeals court says electronic bank statement constituted notice of new terms
On May 4, the Colorado Court of Appeals held that a plaintiff had constructive notice of updated terms and conditions in her membership agreement with a defendant credit union, which included an arbitration agreement with an opt-out provision. Plaintiff entered into a finance agreement with an auto dealer, which assigned the agreement to the defendant. To complete the assignment, the plaintiff opened a savings account and signed an agreement, in which she consented to receiving and accepting statements, notices, and disclosures electronically. A few years later, the defendant updated its membership agreement’s terms to include the arbitration provision and sent notices to members with their monthly bank statements. Plaintiff received an email with information about the updates and was given an opportunity to opt-out of the arbitration provision in writing within 30 days. Records show that the plaintiff received the email but did not open it. Defendant filed a motion to dismiss plaintiff’s class action complaint and compel arbitration, but the district court concluded that the plaintiff did not have actual or constructive notice of the arbitration agreement. In reversing the district court’s ruling, the Court of Appeals wrote “we do not deem the notice as being buried or hidden in [defendant’s] email, or the surrounding information as cluttering the screen to the extent that a reasonable person would be distracted from the important notice about the ‘updated ... Membership and Account Agreement.’” The Court of Appeals also disagreed with plaintiff’s argument that her “express and affirmative consent” was required for the defendant to add the arbitration provision to the terms, stating that “[u]nder the totality of the circumstances, [plaintiff] is deemed to have assented to the addition of the arbitration agreement” as she was constructively notified of the change, did not exercise her right to opt out, and continued to use her account.
While concurring with the majority, one of the judges questioned whether the “current ‘reasonable person’ standard that courts use for constructive notice is outdated given the economic realities of the digital age.” The judge asked whether the monthly bank statement has “significantly diminished in importance” or is becoming obsolete since consumers are able to check bank account balances and transactions “at any time and from any location.”
Fed and Illinois regulator take action against bank on capital and management
On May 4, the Federal Reserve Board announced an enforcement action against an Illinois state-chartered community bank and its holding company related to alleged deficiencies identified in recent examinations. While the written agreement (entered into by the parties at the end of April) does not outline the specific deficiencies, it notes that the bank and the holding company have started taken corrective action to address the issues identified by the Federal Reserve Bank of St. Louis (FRB) and the Illinois Department of Financial and Professional Regulation (IDFPR). Among other things, the holding company’s board of directors must take appropriate steps to fully use its financial and managerial resources to ensure the bank complies with the written agreement and any other supervisory action taken by the bank’s federal or state regulator. The board is also required to submit a written plan to the FRB and the IDFPR describing actions and measures it intends to take to strengthen board oversight of the management and operations of the bank. The bank is required to submit a written plan outlining its current and future capital requirements and must notify the FRB and the IDFPR within 30 days after the end of any calendar quarter in which its capital ratios fall below the minimum ratios specified within the approved capital plan. Additionally, the bank is prohibited from taking on debt, redeeming its own stock, or paying out dividends or distributions without the prior approval of state and federal regulators.
District Court dismisses FTC’s privacy claims in geolocation action
On May 4, the U.S. District Court for the District of Ohio issued two separate rulings in a pair of related disputes between the FTC and a data broker. The disputes center around accusations made by the FTC last August that the data broker violated Section 5 of the FTC Act by unfairly selling precise geolocation data from hundreds of millions of mobile devices which can be used to trace individuals’ movements to and from sensitive locations (covered by InfoBytes here). The FTC sought a permanent injunction to stop the data broker’s practices, as well as additional relief. The data broker, upon learning that the FTC planned to filed a lawsuit against it, filed a preemptive lawsuit challenging the agency’s authority.
The court first dismissed the data broker’s preemptive bid to block the FTC’s enforcement action, ruling that the data broker has not identified any “viable cause of action” to support its request for injunctive relief. The court explained that injunctive relief is a “drastic remedy” that is only available if no other legal remedy is available. However, the data broker possesses an “adequate remedy at law,” the court said, “because it can seek dismissal of, and otherwise directly defend against, the FTC’s enforcement action.”
With respect to the FTC’s action, the court granted the data broker’s motion to dismiss the FTC’s complaint, but gave the agency leave to amend. The court agreed with the data broker that the FTC’s complaint lacks sufficient allegations to support its unfairness claim under Section 5 of the FTC Act. While the court disagreed with the data broker’s assertion that it did not have “fair notice that its sale of geolocation data without restrictions near sensitive locations could violate Section 5(a) of the FTC Act” or that the FTC had to allege a predicate violation of law or policy to state a claim, the court determined that the FTC failed to adequately allege that the data broker’s practices created “a ‘significant risk’ of concrete harm.” Moreover, the court found that “the purported privacy intrusion is not severe enough to constitute ‘substantial injury’ under Section 5(n).” The court noted, however that some of the deficiencies may be cured through additional factual allegations in an amended complaint.
Indiana enacts Money Transmission Modernization Act
On May 4, the Indiana governor signed SB 458, which repeals current Indiana code governing the licensing and regulation of money transmitters by the Department of Financial Institutions. The bill adds a new chapter codifying the Money Transmission Modernization Act, and outlines provisions to be administered by the Department’s Division of Consumer Credit. Among other things, the Act is designed to eliminate unnecessary regulatory burden and ensure states are able to coordinate in all areas of regulation, licensing, and supervision. The Act will also enforce compliance with applicable state and federal laws, standardize activities subject to or exempt from licensing, and modernize safety and soundness requirements to protect customer funds, while also supporting innovation and competitive business practices. The Act defines terms, outlines exemptions, and establishes authorities for the director who many enter into agreements with other government officials or regulatory agencies/associations to improve efficiencies and reduce regulatory burden. The Department is also granted authority to interpret and enforce the chapter, promulgate rules and regulations, and recover administrative and enforcement costs.
With respect to licensing provisions, the director is authorized to report complaints received concerning licensees, as well as significant or recurring violations, to the Nationwide Multi-State Licensing System and Registry (NMLS), and may use NMLS for all aspects of licensing, including applications, surety bonds, reporting, background checks, credit checks, fee processing, and examinations. Moreover, the director may also “participate in multistate supervisory processes established between states and coordinated through the Conference of State Bank Supervisors, the Money Transmitter Regulators Association, and the affiliates and successors of either organization, for all licensees that hold licenses in Indiana and other states,” including entering into agreements to coordinate and share information.
The Act outlines licensing application procedures, as well as licensees’ rights, reporting and recordkeeping requirements, examination processes for outside vendors that provide services normally undertaken by the licensee, criminal penalties, surety bonds, permissible investments, authorized delegate provisions, and explains how the Act applies to licensees issued a license under the current statute, among other things. Additionally, licensees are required to pay all costs reasonably incurred in connection with an examination of the licensee or the licensee’s authorized delegate. The Act’s provisions take effect January 1, 2024.
EU court says non-material damages in unlawful data processing may be eligible for compensation
On May 4, the Court of Justice of the European Union (CJEU) issued a judgment concluding that while not every infringement of the EU’s data protection law gives rise, by itself, to a right to compensation, non-material damage resulting from unlawful processing of data can be eligible for compensation. The CJEU reviewed questions posed by the Austrian Supreme Court on whether a mere infringement of the GDPR is sufficient to confer the right to compensation for individuals suffering non-material damages, and whether such compensation is possible only if the non-material damage suffered reaches a certain degree of seriousness. The Austrian Supreme Court also asked the CJEU to clarify what the EU-law requirements are when determining the amount of damages.
The CJEU clarified that the General Data Protection Regulation (GDPR) does not set thresholds for the “seriousness” of damages needed to confer a right to compensation. “[I]t is clear that the right to compensation provided for by the GDPR is subject to three cumulative conditions: infringement of the GDPR, material or non-material damage resulting from that infringement and a causal link between the damage and the infringement,” the court said in the announcement. Limiting the right to compensation to non-material damage that reaches a certain threshold requirement would be contrary to the broad conception of “damage” outlined in EU law, the CJEU explained, pointing out that obtaining compensation based on a certain threshold would result in different outcomes depending on a court’s assessment. Moreover, the CJEU emphasized that because the GDPR does not contain any rules governing the assessment of damages, it is up to the each member state’s legal system to prescribe detailed rules for actions intended to safeguard individual’s rights under the GDPR, as well as the criteria for determining the amount of compensation, provided the determination complies with the principles of equivalence and effectiveness. The CJEU explained in its ruling that “an infringement of the GDPR does not necessarily result in damage, and [] that there must be a causal link between the infringement in question and the damage suffered by the data subject in order to establish a right to compensation.”
ID verifier to pay $28.5 million to settle BIPA allegations
On May 5, the U.S. District Court for the Northern District of Illinois preliminarily approved an amended class action settlement in which an identification verification service provider agreed to pay $28.5 million to settle allegations that it violated the Illinois Biometric Information Privacy Act (BIPA). According to the plaintiffs, the defendant collected, stored, and or used class members’ biometric data without authorization when they uploaded photos and state IDs on a mobile app belonging to one of the defendant’s customers. After the court denied the defendant’s move to compel arbitration and determined the plaintiff had standing to pursue his BIPA claims, the parties entered into settlement discussions without the defendant admitting any allegations or liability. The court certified two classes: (i) Illinois residents who uploaded photos to the defendant through the app or website of a financial institution (class members will receive $15.7 million); and (ii) Illinois residents who uploaded photos through a non-financial institution (class members will receive $12.8 million). A final approval hearing will determine attorney’s fees and expenses and incentive awards.
OFAC announces new Sudan E.O., issues and amends several sanctions general licenses and FAQs
The U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) recently announced several sanctions-related actions, including President Biden’s new Executive Order (E.O.) Imposing Sanctions on Certain Persons Destabilizing Sudan and Undermining the Goal of a Democratic Transition. The E.O. expands the scope of a 2006 Executive Order following the determination that recent events in Sudan “constitute[] an unusual and extraordinary threat to the national security and foreign policy of the United States.” The E.O. outlines specific prohibitions and provides that all property and interests in property that are in the U.S. or that later come in the U.S., or that are in the possession or control of any of the identified U.S. persons must be blocked and may not be transferred, paid, exported, withdrawn, or otherwise dealt in. Concurrently, OFAC issued a new FAQ clarifying which sanctions authorities are applicable to Sudan and the Sudanese government.
OFAC also issued Venezuela-related General License (GL) 42, which authorizes certain transactions related to the negotiation of settlement agreements with the IV Venezuelan National Assembly and certain other entities. The authorized transactions must relate to debt owed by the Venezuelan government, Petróleos de Venezuela, S.A., or any entity owned, directly or indirectly, 50 percent or more. GL 42 does not authorizes transactions involving the Venezuelan National Constituent Assembly convened by Nicolas Maduro or the National Assembly seated on January 5, 2021. OFAC also released three new related FAQs and one amended FAQ.
Additionally, OFAC released cyber-related GL 1C, which authorizes certain transactions with Russia’s Federal Security Service that would normally be prohibited by the Weapons of Mass Destruction Proliferators Sanctions Regulations, and issued three amended cyber-related FAQs. A few days later, OFAC issued Russia-related GL 8G, which authorizes certain transactions related to energy that would otherwise be prohibited by E.O. 14024, involving certain entities, including Russia’s central bank. OFAC clarified that GL 8G does not authorize prohibited transactions related to (i) certain sovereign debt of the Russian Federation; (ii) the “opening or maintaining of a correspondent account or payable-through account for or on behalf of any entity subject to Directive 2 under E.O. 14024, Prohibitions Related to Correspondent or Payable-Through Accounts and Processing of Transactions Involving Certain Foreign Financial Institutions”; and (iii) or “[a]ny debit to an account on the books of a U.S. financial institution of the Central Bank of the Russian Federation,” among others.
OFAC announces drug cartel sanctions
On May 9, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions, pursuant to Executive Order 14059, against four individuals involved in the fentanyl trade, along with two related Mexico-based entities. According to OFAC, the sanctioned persons are part of a Sinaloa Cartel network responsible for trafficking a significant portion of fentanyl and other drugs into the United States. OFAC coordinated with the Mexican government, the FBI, the DEA, and Homeland Security to take this action. As a result of the sanctions, all property and interests in property belonging to the sanctioned individuals and entities subject to U.S. jurisdiction are blocked and must be reported to OFAC. U.S. persons are also generally prohibited from engaging in any dealings involving the property or interests in property of blocked or designated persons. Additionally, OFAC warned that “persons that engage in certain transactions with the individuals and entities designated today may themselves be exposed to sanctions or subject to an enforcement action.”
FDIC announces Florida disaster relief
On May 5, the FDIC issued FIL-22-2023 to provide regulatory relief to financial institutions and help facilitate recovery in areas of Florida affected by severe storms, tornados, and flooding from April 12 to 14. The FDIC acknowledged the unusual circumstances faced by affected institutions and encouraged those institutions to work with impacted borrowers to, among other things: (i) extend repayment terms; (ii) restructure existing loans; or (iii) ease terms for new loans, provided the measures are done “in a manner consistent with sound banking practices.” Additionally, the FDIC noted that institutions “may receive favorable Community Reinvestment Act consideration for community development loans, investments, and services in support of disaster recovery.” The FDIC will also consider regulatory relief from certain filing and publishing requirements and instructed institutions to contact the Atlanta Regional Office if they expect delays in making filings or are experiencing difficulties in complying with publishing or other requirements.