InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
OFAC settles with Danish company for routing prohibited financial transactions though a U.S. bank
On December 30, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced a more than $4.3 million settlement with a multinational Danish manufacturer to resolve allegations that its wholly owned United Arab Emirates (UAE)-based subsidiary directed customers in Iran, Syria, and Sudan to make payments to its bank account at the UAE branch of a U.S. financial institution. According to OFAC’s enforcement release, between November 2013 and August 2017, the subsidiary sold products to customers in Sudan, Syria, and Iran. Customers were instructed to remit payments to at least three accounts at banks located in the UAE, including the parent company’s U.S. branch account. OFAC further contended that the subsidiary used third-party payers to make five transfers (disguising the originator or beneficiary of the transactions) from its U.S. branch account to parties in Syria and Iran, which prevented the bank’s transactional screen filters from stopping the payments. The total value of all the transfers was roughly $16,959,683, OFAC said, claiming that by causing a U.S. financial institution to facilitate prohibited financial transactions and export financial services, the parent company violated the Iranian, Syrian, and Sudanese sanctions regulations.
While OFAC found no evidence that the parent company willfully engaged third-party payers to evade sanctions, it determined that the subsidiary “was aware since at least 2011 that using a U.S. financial institution to send or receive payments related to sanctioned jurisdictions could be prohibited.” Moreover, the subsidiary allegedly received communications from the parent company and various financial institutions regarding concerns flagged in its banking activity but continued to use the U.S. branch account to collect payments from customers in sanctioned jurisdictions. These alleged violations, OFAC stated, occurred primarily due to deficiencies in the parent company’s global sanctions compliance program.
OFAC noted that while the parent company disclosed the alleged violations, the agency was already in possession of the relevant information and therefore the submission did not qualify as a voluntary self-disclosure. However, OFAC considered various mitigating factors, including that the parent company had not received a penalty notice from OFAC in the preceding five years, and the parent company took quick action to determine the root causes of the alleged conduct and undertook significant remedial measures to prevent future violations.
Providing context for the settlement, OFAC stated that the “enforcement action highlights the risks to multinational companies, including to non-U.S. entities, that involve the U.S. financial system in commercial activity involving an OFAC- sanctioned country, region, or person,” and emphasized that “[c]ommercial activity that might not otherwise violate OFAC regulations—such as the sale of non-U.S. goods by a non-U.S. person to an entity in an OFAC-sanctioned country—can nonetheless cause a violation when the financial transactions related to that activity are processed through or involve U.S. financial institutions.”
Arizona AG: Earned wage access products are not loans
Recently, the Arizona attorney general issued an opinion confirming that earned wage access (EWA) products are not considered consumer loans under Arizona law, and that persons who make, procure, or advertise an EWA product are not subject to licensure as a consumer lender by the Arizona Department of Insurance and Financial Institutions. The opinion concluded that an EWA product offered as a no-interest, no-fee, non-recourse product does not fall within the definition of “consumer loan” under Arizona Revised Statutes § 6-601(7).
First, a fully non-recourse EWA product “represents a payment of wages already earned by the employee” and “does not allow recourse against the employee in the event the provider is unable to recoup all or some portion of the advance,” the opinion explained. The opinion added that a fully non-recourse EWA product is one in which “the provider obtains no legal or contractual right to repayment against the employee, does not engage in any debt collection activities with regard to any unpaid balance, does not sell or assign any unpaid balance to a third party, and does not report non-payment to any consumer credit reporting agency.”
Second, and independently, the AG opined that an EWA product is not a consumer loan so long as the provider does not impose a “finance charge,” as that term is defined by A.R.S. § 6-601(11). Specifically, “a non-recourse EWA product that requires repayment only of the principal balance is not a 'loan.'” While the Consumer Lenders Act (CLA) “does not expressly state that the obligation to repay principal is not a “finance charge,” requiring repayment of principal is self-evidently not an amount payable incident to or as a condition of a consumer lender loan.”
The opinion noted, however, that a provider “may also receive revenue through services ancillary to providing an EWA product without converting the EWA product into a “loan” under the CLA, such as by requesting a voluntary gratuity, charging a fee for expedited transfer of an EWA payment, or earning interchange revenue for processing a card payment. As long as the provider does not condition the provision of an EWA product on the “receipt of any such ancillary revenue” or impose fees or charges that fall within the CLA’s definition of “finance charge,” the EWA product will not meet the CLA’s definition of a “consumer loan.”
The opinion referred to guidance issued by other regulators who have drawn similar conclusions that an EWA product is not a loan so long as the program meets specific criteria. Such references include the 2020 CFPB advisory opinion on EWA products. As previously covered by InfoBytes, the Bureau’s advisory opinion addressed uncertainty as to whether EWA providers that meet short-term liquidity needs that arise between paychecks “are offering or extending ‘credit’” under Regulation Z, which implements TILA. The advisory opinion stated that “‘a Covered EWA Program does not involve the offering or extension of ‘credit,’” and noted that the “totality of circumstances of a Covered EWA Program supports that these programs differ in kind from products the Bureau would generally consider to be credit.” The Arizona AG opinion highlighted the Bureau’s conclusion that EWA products do not involve debt because “a Covered EWA Program facilitates employees’ access to wages they have already earned, and to which they are already entitled, and thus functionally operate[] like an employer that pays its employees earlier than the scheduled payday.”
Last January, CFPB General Counsel Seth Frotman issued a letter in response to concerns raised by consumer advocates (covered by InfoBytes here), stressing that the CFPB’s 2020 advisory opinion “is limited to a narrow set of facts—as relevant here, earned wage products where no fee, voluntary or otherwise, is charged or collected.” Frotman noted, however, that due to “repeated reports of confusion caused by the advisory opinion due to its focus on a limited set of facts,” he planned to recommend that the CFPB director consider ways to provide greater clarity on these issues. He emphasized that the advisory opinion did not purport to interpret whether covered EWA products would be “credit” under other statutes other than TILA, such as the CFPA or ECOA, or whether they would be considered credit under state law.
NYDFS revises proposed amendments to third-party debt collection rules
In December, NYDFS released revised proposed amendments to 23 NYCRR 1, which regulates third-party debt collectors and debt buyers. NYDFS first issued a proposed amendment to 23 NYCRR 1 in December 2021 (covered by InfoBytes here), which factored in findings from NYDFS investigations that revealed instances of abusive and deceptive debt collection practices, as well as consumer debt collection complaint data. The first proposed amendment, among other things, is intended to enhance consumer protections by increasing transparency, requiring heightened disclosures, reducing misleading statements about consumer debt obligations, and placing stricter limits on debt collection phone calls than those currently imposed under federal regulations. The revised proposal, among other things, also include the following requirements:
- A debt collector must send written notification within five days after the initial communication with a consumer that clearly and conspicuously contains validation information as required under Regulation F. Debt collectors are prohibited from using the charge-off date as the itemization date for the alleged debt unless it is a revolving or open-end credit account. Instead, debt collectors should use the last payment date as the itemization date if available.
- Written notifications must be clear and conspicuous and also include the following, in addition to validation information: (i) the reference date relied upon to determine the itemization date; (ii) for revolving or open-end credit accounts, an account number (or a truncated version of the account number) associated with the debt on the last payment date or the last statement date if no payment has been made; (iii) the merchant brand, affinity brand, or facility name, if any, associated with the debt; (iv) the date and amount of the last payment or a statement noting that no payment was made, if available; (v) the applicable statute of limitations expressed in years for debt that has not been reduced to judgment; (vi) information on a debt that has been reduced to a judgment, if applicable; and (vii) notice that a consumer has the right to dispute the validity of a debt and instructions on how to submit a dispute.
- Debt collectors must inform consumers of available language access services and are required to record the consumer’s language preference, if other than English, in the written notification.
- Unless affirmatively requested by the consumer, required disclosures may not be made exclusively by electronic communication. Additionally, a debt collector may communicate with a consumer exclusively through electronic communication only if: (i) the consumer has voluntarily provided contact information for electronic communication; (ii) the consumer has given revocable consent in writing to receive electronic communication from the debt collector in reference to a specific debt (electronic signatures constitute written consent); (iii) the debt collector retains the written consent for six years or until the debt is discharged, sold, or transferred (whichever is longer); and (iv) all electronic communications include clear and conspicuous disclosures regarding revoking consent.
- Communications sent in the form of a pleading in a civil action will not be considered an initial communication for the purposes of these amendments.
- Debt collectors must provide substantiation of debt within 45 days.
- Debt collectors may not communicate or attempt to communicate excessively with a consumer. Specifically, debt collectors are limited to one completed phone call and three attempted phone calls per seven-day period per alleged debt. Telephone calls more than these limits may be permitted when required by federal or state law, or when made in response to the consumer’s request to be contacted and in the manner indicated by the consumer, if any.
Comments are due February 13. The amendments are scheduled to take effect 180 days after the notice of adoption is published in the State Register.
National bank to pay $2 million in mortgage fee violation class action
On December 19, the U.S. District Court for the Central District of California granted final approval of a settlement in a $2 million class action resolving allegations that a national bank violated California’s Rosenthal Fair Debt Collection Practices Act (RFDCPA) and Unfair Competition Law (UCL). According to the order for preliminary approval, the plaintiff class alleged that the bank improperly charged and collected transaction fees when processing mortgage payments. The district court certified the class, which included “all persons who have or had a California address, and at any time between June 1, 2016 and the date of the Court’s order preliminarily approving the settlement, paid at least one transaction fee to [the defendant] for making a payment on a residential mortgage loan serviced by [the defendant] by telephone, IVR, or the internet.” The district court determined that the settlement agreement was “reasonable and adequate.” The two class representatives who filed the suit were awarded $1,500 each, and their attorneys were awarded $499,000 in fees.
FDIC issues November enforcement actions
On December 30, the FDIC released a list of orders of administrative enforcement actions taken against banks and individuals in November. The FDIC made public nine orders consisting of “two consent orders; two orders terminating deposit insurance; three orders to pay civil money penalties; one order terminating consent order; and one Section 19 order.” Among the orders is a civil money penalty against a Wisconsin-based bank related to violations of the Flood Disaster Protection Act. The FDIC determined that the bank had engaged in a pattern or practice of violations that included the bank’s failure to: (i) obtain adequate flood insurance on the building securing a designated loan at the time of loan origination; (ii) obtain adequate flood insurance at the time of the origination; (iii) notify borrowers that the borrower should obtain flood insurance where a determination had been made that flood insurance had lapsed or a loan was not covered with the required amount of insurance; (iv) provide borrowers with a Notice of Special Flood Hazard and Availability of Federal Disaster Relief Assistance when making, increasing, extending or renewing a loan; and (v) provide borrowers with a Notice of Special Flood Hazard and Availability of Federal Disaster Relief Assistance within a reasonable time before the completion of the transaction. The order requires the payment of a $39,000 civil money penalty.
The FDIC also issued a civil money penalty against an Oregon-based bank for allegedly violating Section 8(a) of RESPA “by entering into mortgage lead generation arrangements with the operator of a real estate website and the operator of an online loan marketplace that were used to facilitate and disguise referral payments for mortgage business.” The FDIC also determined that the bank violated the FTC Act “by making deceptive and misleading representations in three of the bank’s prescreened offers of credit” and violated the FCRA “by obtaining the consumer reports of former loan clients with recent credit inquiries without a legally permissible purpose.” The order requires the payment of a $425,000 civil money penalty.
Additionally, the FDIC issued a consent order against a Tennessee-based bank alleging the bank engaged in “unsafe or unsound banking practices relating to weaknesses in capital, asset quality, liquidity, and earnings.” The bank neither admitted nor denied the allegations but agreed, among other things, that its board would “increase its participation in the affairs of the bank by assuming full responsibility for the approval of the bank’s policies and objectives and for the supervision of the bank’s management, including all the bank’s activities.” The bank also agreed to maintain a Tier 1 Leverage Capital ratio equal to or greater than 8.50 percent and a Total Capital ratio equal to or greater than 11.50 percent. The FDIC also issued a consent order against a New Jersey-based bank claiming the bank engaged in “unsafe or unsound banking practices relating to, among other things, management supervision, Board oversight, weaknesses in internal controls, interest rate sensitivity, and earnings.” The bank neither admitted nor denied the allegations but agreed, among other things, that it would retain a third-party consultant “to develop a written analysis and assessment of the bank’s board and management needs (Board and Management Report) for the purpose of ensuring appropriate director oversight and providing qualified management for the bank.”
FHFA issues model risk management guidance
On December 21, FHFA issued guidance to Freddie Mac, Fannie Mae, the Federal Home Loan Banks (FHLBanks), and the Office of Finance on its model risk management framework. According to the bulletin, the purpose of the guidance—formatted as Frequently Asked Questions—“is to provide supplemental guidelines that will address some of the gaps in [FHFA’s 2013 Model Risk Management guidance] prompted by changes in model-related technologies and questions generated from the expanded use of complex models by the FHLBanks.” “The supplemental guidance also addresses model documentation, the communication of model limitations, model performance tracking, on-top adjustments, challenger models, model consistency, and internal stress testing.”
FCC proposes $300 million fine against auto warranty scam robocaller
On December 21, the FCC announced a nearly $300 million fine against an auto warranty scam robocall campaign for TCPA and Truth in Caller ID Act violations, “which is the largest robocall operation the FCC has ever investigated.” According to the announcement, the two individuals in charge of the operation ran a complex robocall sales lead generation scheme, which was designed to sell vehicle service contracts that were deceptively marketed as car warranties. This “scheme made more than 5 billion robocalls to more than half a billion phone numbers during a three-month span in 2021, using pre-recorded voice calls to press consumers to speak to a ‘warranty specialist’ about extending or reinstating their car’s warranty.” As previously covered by InfoBytes, in July, the FCC took initial action by ordering “phone companies to stop carrying traffic regarding a known robocall scam marketing auto warranties.” The FCC noted that the operation is also the target of an ongoing investigation by the FCC’s Enforcement Bureau and a lawsuit by the Ohio attorney general. The Ohio AG filed a complaint against multiple companies for participating in an alleged unwanted car warranty call operation (covered by InfoBytes here). The complaint, filed in the U.S. District Court for the Southern District of Ohio, alleged that the 22 named defendants “participated in an unlawful robocall operation that bombarded American consumers with billions of robocalls.” In addition to the fine, among other things, the individuals who allegedly ran the operations are prohibited from making telemarketing calls pursuant to FCC actions.
FTC orders card company to let merchants use other debit networks
On December 23, the FTC ordered a payment card company to stop blocking merchants from using competing debit payment networks. According to an agency investigation, the company allegedly violated provisions of the Durbin Amendment, which requires “banks to enable at least two unaffiliated networks on every debit card, thereby giving merchants a choice of which network to use for a given debit transaction,” and “bars payment card networks from inhibiting merchants from using other networks.” The FTC claimed that the company’s policy requires the use of a token when a cardholder loads a company-branded debit card into an ewallet. Ewallets are used to make online and in-app transactions, the FTC explained, adding that because competing networks cannot access the company’s token vault, merchants are dependent on the company to convert the token to process ewallet transactions using company-branded debit cards. Moreover, since the company allegedly did not provide conversion services to competing networks for remote ewallet debit transactions, the FTC asserted that it is impossible for merchants to route their ewallet transactions on other payment networks.
Under the terms of the proposed order, the company will be required to (i) provide other payment networks with customer account information in order to process ecommerce debit payments, and prohibit any efforts that may prevent other networks from serving as token service providers; (ii) provide notice to affected persons; (iii) provide 60-days advance written notice to the FTC before launching any pilot programs or new debit products that would require merchants to route electronic debit transactions only to the company; (iv) file regular compliance reports with the FTC; and (v) notify the FTC of any events that may affect compliance with the order.
DFPI modifies proposed regulations for complaints and inquiries under the CCFPL
On December 22, the California Department of Financial Protection and Innovation (DFPI) released modifications to proposed regulations for implementing and interpreting certain sections of the California Consumer Financial Protection Law (CCFPL) related to consumer complaints and inquiries. As previously covered by InfoBytes, DFPI issued a notice of proposed rulemaking (NPRM) last May to implement Section 90008 subdivisions (a) and (b) of the CCFPL, which authorize DFPI to promulgate rules establishing reasonable procedures for covered persons to provide timely responses to consumers and DFPI concerning consumer complaints and inquiries, as well as subdivision (d)(2)(D), which “permits covered persons to withhold nonpublic or confidential information, including confidential supervisory information, in response to a consumer request to the covered person for information regarding a consumer financial product or service.”
After considering comments received on the NPRM, changes proposed by the DFPI include the following:
- Amended definitions. The proposed regulations will not apply to, in addition to consumer reporting agencies and student loan servicers, a person or entity already exempt from the CCFPL under Section 90002. The definition of “complaint” is amended to include “an oral or written expression of dissatisfaction from a complainant regarding a specific issue or problem with a financial product or service.” Additionally, “complainant” is amended to also provide that a consumer must have been a resident of California at the time of the act, omission, decision, condition, or policy giving rise to the complaint. The proposed regulations also outline several categories that are not included in the definition of “complaint” or “inquiry.”
- Complaint procedure updates. The proposed regulations outline requirements for covered persons related to consumer disclosures and written communications covering the complaint process. The proposed regulations also require covered persons to accept all complaints, whether written or oral, provided the complaint includes a reason for filing the complaint and sufficient information to identify the complainant.
- Restrictions. Covered persons shall not (i) “[r]equest personal identifying information beyond what is reasonably necessary to identify the complainant and to send correspondence”; (ii) “[r]equest financial information unrelated to the specific complaint of the consumer:” or (iii) impose a time limit for filing a complaint that is shorter than one year from the time the complainant discovers the act, omission, decision, condition, or policy that is the subject of the complaint (if a time limit is imposed it must be stated in the required consumer disclosures).
- Complaint acknowledgements. For every complaint received, covered persons must send the complainant a written acknowledgement of receipt that is postmarked or otherwise shows that acknowledgement was sent within five business days after receiving the complaint. Within 15 business days after receiving a complaint, a covered person must provide a final decision on all issues. If additional time is required, a covered person must provide the complainant with a written update within three business days after the initial 15-business day period ends.
- Inquiry response requirements. Covered persons are required to develop and implement written policies and procedures to implement the regulations’ inquiry requirements, and must also respond to all issues raised by an inquiry within 10 business days. Covered persons must retain copies of all written inquiries and written responses for at least three years from the time the written response was issued.
- Reporting requirements. Covered persons must submit an annual complaint report to DFPI for each financial product or service offered or provided that will be made available to the public with limited exceptions. Each report shall include information regarding all complaints received by the covered person during the reporting period, and must be filed electronically with the Consumer Financial Protection Division no later than 60 business days after the end of each calendar year.
Comments on the proposed modifications are due January 20 (extended from January 13).
Colorado releases second draft of Colorado Privacy Act rules
On December 21, the Colorado attorney general released a second set of draft rules for the Colorado Privacy Act (CPA). As previously covered by a Buckley Special Alert, the CPA was enacted in July 2021 to establish a framework for personal data privacy rights. The CPA, which is effective July 1, 2023 with certain opt-out provisions taking effect July 1, 2024, provides consumers with numerous rights, including the right to access their personal data, opt-out of certain uses of personal data, make corrections to personal data, request deletion of personal data, and obtain a copy of personal data in a portable format. Under the CPA, the AG has enforcement authority for the law, which does not have a private right of action. The AG also has authority to promulgate rules to carry out the requirements of the CPA and issue interpretive guidance and opinion letters, as well as the authority to develop technical specifications for at least one universal opt-out mechanism. The first set of draft rules was issued last September and published by the Secretary of State on October 10 (covered by InfoBytes here).
The second set of draft rules seeks to address concerns raised through public comments as well as feedback received during three stakeholder sessions. The AG seeks specific input on questions related to (i) clarifications to definitions; (ii) the use of IP addresses to verify consumer opt-out requests; (iii) implementation of a universal opt-out mechanism; (iv) controller obligations related to meaningful privacy notices; and (v) bona fide loyalty programs. Among other things, the modifications would:
- Clarify definitions. The modifications add, delete, and amend several definitions, including those related to “biometric identifiers,” “commercial product or service,” “controller,” “employee,” “employer,” “employment records,” “noncommericial purpose,” “personal data,” “process,” “processor,” “profiling,” and terms involving automated processing.
- Amend purpose-based privacy notices. The modifications remove the requirement that privacy notices be purpose-based, and will instead require that the processing purpose and type of personal data processed be connected in a way that provides consumers a meaningful understanding of how their personal data will be used. The AG seeks feedback on ways the draft rules can “be made interoperable with California’s privacy notice requirements, while still considering the CPA’s purpose specification, secondary use requirements, and ensuring that a consumer has a meaningful understanding of the way their personal data will be used when they interact with a controller.” Feedback is also requested on whether controllers “who have updated their privacy policies to comply with California’s privacy notice requirements anticipate making a separate policy for Colorado, updating a California specific privacy notice to include Colorado or other state requirements, or revising the main privacy policy/notice to meet Colorado and other non-California state requirements[.]”
- Update universal opt-out mechanism. The modifications grant controllers six months from the date a universal opt-out mechanism is recognized by the AG to begin complying with that new mechanism. An initial public list of approved opt-out mechanisms will be published no later than January 1, 2024, and will be updated periodically.
- Clarify security measures and duty of care. The modifications provide additional details about the duty to safeguard personal data, and will require controllers to, among other things, consider “[a]pplicable industry standards and frameworks,” and the sensitivity, amount, and original source of the personal data when identifying reasonable and appropriate safeguards. The modifications also include provisions related to the processing of sensitive data inferences and specifies deletion requirements.
- Reduce data protection assessment requirements. The modifications reduce the information that must be included in a controller’s data protection assessment.
- Clarify privacy notice changes. The modifications clarify when a controller must notify a consumer of “substantive or material” changes to its data processing that trigger updates to its privacy notice. The modifications emphasize that disclosure of a new processing purpose in a privacy policy alone does not constitute valid consent.
- Address refreshing of consumer consent. The modifications provide that consumer consent must be refreshed when a consumer has not interacted with the controller in the last 12 months, and (i) the controller is processing sensitive personal information; or (ii) is processing personal data for secondary data use that involves profiling for a decision that could result “in the provision or denial of financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment opportunities, health-care services, or access to essential goods or services.” However, controllers will not be required to refresh consent in situations where consumers have the ability to update their own opt-out preferences at any time.
Comments on the second set of draft rules are due February 1. If the formal rulemaking hearing on the proposed rules (scheduled for February 1) extends beyond that date, comments must be received on or before the last day of the hearing.