InfoBytes Blog

Financial Services Law Insights and Observations

  • OFAC sanctions wildlife trafficking organized crime group

    Financial Crimes

    On October 7, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions pursuant to Executive Order 13581 against a Malaysian national, a wildlife trafficking transnational criminal organization, and a Malaysian company for trafficking endangered wildlife and engaging in poaching. According to OFAC, the Malaysian individual specializes in transporting rhino horn, ivory, and pangolins from Africa, generally utilizing routes through Malaysia and Laos and onward to consumers in Vietnam and China. OFAC noted that the designations were made in collaboration with the U.S. Fish and Wildlife Service, the State Department, and the DOJ. As a result of the sanctions, all property and interests in property belonging to the sanctioned targets that are in the U.S. or in the possession or control of U.S. persons are blocked and must be reported to OFAC. Further, “any entities that are owned 50 percent or more by one or more designated persons” are blocked. U.S. persons are prohibited from engaging in any dealings involving the property or interests in property of blocked or designated persons.

    Financial Crimes OFAC Department of Treasury Of Interest to Non-US Persons OFAC Sanctions OFAC Designations SDN List Malaysia

  • OCC releases bank supervision operating plan for FY 2023

    On October 6, the OCC’s Committee on Bank Supervision released its bank supervision operating plan for fiscal year 2023. The plan outlines the agency’s supervision priorities and highlights several supervisory focus areas including: (i) strategic and operational planning; (ii) operational resiliency; (iii) third-party oversight and risk management; (iv) credit risk management with a focus on new products, areas of highest growth, and portfolios representing concentrations; (v) allowances for credit losses (ACL), including instances where ACL processes use third-party modeling techniques; (vi) interest rate risk; (vii) liquidity risk management; (viii) consumer compliance management systems with a focus on how programs are disclosed in relation to UDAP and UDAAP statutes; (ix) Bank Secrecy Act/AML compliance; (x) fair lending risks; (xi) Community Reinvestment Act strategies and the potential for modernization rulemaking; (xii) new products and services in areas such as payments, fintech, and digital assets; and (xiii) climate-change risk management. The plan will be used by OCC staff to guide the development of supervisory strategies for individual national banks, federal savings associations, federal branches and agencies of foreign banking organizations, and certain identified third-party service providers subject to OCC examination.

    The OCC will provide updates about these priorities in its Semiannual Risk Perspective, as InfoBytes has previously covered here.

    Bank Regulatory Federal Issues OCC Supervision Digital Assets Fintech Privacy, Cyber Risk & Data Security UDAP UDAAP Bank Secrecy Act Anti-Money Laundering Climate-Related Financial Risks Fair Lending Third-Party Risk Management Risk Management

  • OCC announces updated FFIEC cyber resource guide

    On October 6, the OCC announced that the Federal Financial Institutions Examination Council (FFIEC) issued an update to the FFIEC Cybersecurity Resource Guide for Financial Institutions. According to the OCC, the 2022 FFIEC Cybersecurity Resource Guide for Financial Institutions provides a list of voluntary programs and actionable initiatives that are intended to help financial institutions meet their security control objectives and respond to cyber incidents. The 2022 guide rescinds and replaces the 2018 guide, and applies to a wide range of financial institutions including community banks. Highlights of the guidance include: (i) updated resource links for the Assessment, Exercise, Information Sharing, and Response and Reporting categories; and (ii) new ransomware specific resources.

    Bank Regulatory Federal Issues OCC FFIEC Privacy, Cyber Risk & Data Security

  • CFPB blogs about challenging inaccurate appraisals

    Federal Issues

    On October 6, the CFPB released a blog post regarding mortgage borrowers’ ability to challenge inaccurate appraisals through the reconsideration of value process (ROV). Among other things, the CFPB explained that “[a] lender’s reconsideration of value process must ensure that all borrowers have an opportunity to explain why they believe that a valuation is inaccurate and the benefit of a reconsideration to determine whether an adjustment is appropriate.” As required under the Equal Credit Opportunity Act Valuations Rule, the Bureau explained that some lenders include information regarding how to request a ROV in appraisals and other home valuations. The Bureau further noted that when lenders provide clear, plain-language notice of ROV opportunities to borrowers, lenders help ensure that their ROV process is nondiscriminatory. Lenders that do not have a clear and consistent method to ensure that borrowers can seek a ROV may risk violating federal law. The Bureau added that it has taken steps to implement legal requirements to limit bias in algorithmic appraisals, and that regulators are also providing more oversight over the activities of the Appraisal Foundation.

    Federal Issues CFPB Consumer Finance Mortgages Appraisal

  • SEC files charges against crypto-asset seminar operation

    Securities

    On September 19, the SEC filed a complaint against two individuals and the companies they controlled (collectively, “defendants”) in the U.S. District Court for the Southern District of Texas for allegedly operating an ongoing fraudulent and unregistered crypto-asset offering targeting Latino investors. According to the SEC, the defendants allegedly raised more than $12 million from over 5,000 investors who paid for seminars to learn how to build wealth through crypto-asset trading. However, the SEC claimed that one of the individual defendants—who founded the company and actually had no education or training in investments or crypto assets—used the seminars to solicit investors to give their money to the company and then supposedly used the funds to conduct crypto asset and foreign exchange trading. In total, the SEC alleged the individual defendants made roughly $2.7 million in Ponzi payments, diverting nearly $8 million for their own personal use. The complaint charges the defendants with violating, or aiding and abetting violations of, the antifraud provisions of the Securities Act of 1933, the Securities Exchange Act of 1934, and the Securities Act. The company’s founder is also charged with violating the Investment Advisers Act of 1940. The complaint seeks a permanent injunction against the defendants, civil penalties, disgorgement of ill-gotten gains with prejudgment interest, and bars. The SEC stated in its announcement that, at the Commission’s request, the court issued a temporary restraining order to stop the offering, in addition to temporary orders freezing assets and granting additional emergency relief.

    Securities Courts Digital Assets SEC Enforcement Cryptocurrency Fraud Securities Act Securities Exchange Act Investment Advisers Act

  • OFAC sanctions arms dealers for supporting Burma’s military regime

    Financial Crimes

    On October 6, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions pursuant to Executive Order 14014 against three individuals and one entity connected to Burma’s military regime. According to OFAC, the sanctions target persons who profit from the regime’s oppressive actions, including support networks and war profiteers that enable weapons procurement for the military regime. The same day, the State Department also designated the former Burma police chief and deputy Home Affairs minister under Section 7031(c) of the Department of State, Foreign Operations, and Related Programs Appropriations Act, 2022, for his involvement in “gross violations of human rights.” As a result of the sanctions, all property and interests in property belonging to the sanctioned persons subject to U.S. jurisdiction are blocked and must be reported to OFAC. Additionally, “any entities that are owned, directly or indirectly, 50 percent or more by one or more blocked persons are also blocked.” U.S. persons are generally prohibited from engaging in any dealings involving the property or interests in property of blocked or designated persons unless authorized by a general or specific OFAC license, or are otherwise exempt.

    Financial Crimes Of Interest to Non-US Persons OFAC Department of Treasury OFAC Sanctions OFAC Designations SDN List Burma Department of State

  • OFAC sanctions North Korean fuel procurement network

    Financial Crimes

    On October 7, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions pursuant to Executive Order 13810 against two individuals and three entities for engaging in activities related to the exportation of petroleum to the Democratic People’s Republic of Korea (DPRK), which directly support the development of DPRK weapons programs and its military. OFAC’s actions build upon other U.S. government actions taken against one of the sanctioned individuals and entities, including criminal charges for conspiring to evade economic sanctions of the DPRK and conspiring to launder money. As a result of the sanctions, all property and interests in property of the sanctioned persons subject to U.S. jurisdiction are blocked and must be reported to OFAC. OFAC noted that its regulations generally prohibit U.S. persons from participating in transactions with the designated persons, including transactions transiting the U.S. OFAC’s announcement further warned that any foreign financial institution that knowingly facilitates significant transactions or provides significant financial services for any of the designated persons may be subject to U.S. correspondent account or payable-through account sanctions. Additionally, persons that engage in certain transactions with the designated persons may themselves be exposed to designations.

    Financial Crimes Of Interest to Non-US Persons OFAC Department of Treasury OFAC Sanctions OFAC Designations SDN List North Korea

  • CFTC files charges against operators of unregistered digital asset exchange

    Securities

    On October 3, the CFTC filed a complaint against an individual and the four companies he controlled (collectively, “defendants”) in the U.S. District Court for the Southern District of Florida for allegedly operating a digital asset exchange that offered futures transactions on a platform other than a designated contract market. The defendants are also charged with attempting to manipulate the price of the exchange’s native token. According to the CFTC, the defendants used web-based solicitation to obtain customers even though the individual defendant was aware that such participation subjected the exchange to U.S. regulation. The CFTC also claimed that, in addition to allegedly violating certain registration and regulatory requirements, the defendants attempted to artificially inflate the price of the exchange’s “native currency.” Among other things, the defendants are also accused of failing to implement an effective AML program, know-your-customer procedures, or a customer information program to verify the identities of the customers who purchased the digital assets. The complaint charges the defendants with violations of the Commodity Exchange Act (CEA), and seeks full restitution, disgorgement of ill-gotten gain, civil penalties, permanent trading and registration bans, and a permanent injunction against further CEA violations.

    Securities CFTC Courts Enforcement Digital Assets Cryptocurrency Commodity Exchange Act Anti-Money Laundering

  • Colorado releases draft Colorado Privacy Act rules

    Privacy, Cyber Risk & Data Security

    On September 29, the Colorado attorney general published proposed draft Colorado Privacy Act (CPA) rules with the Colorado Department of Regulatory Agencies. (See Colorado Register here.) As covered by a Buckley Special Alert, the CPA was enacted last July to establish a framework for personal data privacy rights. The CPA provides consumers with numerous rights, including the right to access their personal data, opt out of certain uses of personal data, make corrections to personal data, request deletion of personal data, and obtain a copy of personal data in a portable format. The CPA is effective July 1, 2023, with certain opt-out provisions taking effect July 1, 2024. Under the CPA, the AG has enforcement authority for the law, which does not have a private right of action. The AG also has authority to promulgate rules to carry out the requirements of the CPA and issue interpretive guidance and opinion letters, as well as the authority to develop technical specifications for at least one universal opt-out mechanism.

    Pre-rulemaking considerations were released in April, where the AG’s office stated that it planned to adopt a principle-based model for the state’s rulemaking approach, rather than a prescriptive one (covered by InfoBytes here). Comments received on the pre-rulemaking considerations, as well as feedback received during two public listening sessions, were considered when drafting the proposed rules. The AG’s office explained that when considering feedback it sought to clarify the CPA, simplify compliance, and ensure consumer privacy rights granted by the statute are protected, while also attempting to create a legal framework that “does not overly burden technological innovation” while operating in conjunction with other national, state, and international data privacy laws.

    • Definitions. The proposed rules add new terms aside from those already set forth in the CPA. These include terms related to biometric data and identifiers (including behavioral characteristics), bona fide loyalty programs, data brokers, automated processing, publicly available data, opt-out purposes and mechanisms, sensitive data inferences, and solely automated processing. The term “sensitive data inferences” indicates an individual’s racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or citizenship status. Controllers must obtain consent to process sensitive data inferences unless they meet specific requirements. Additionally, controllers must comply with certain retention and deletion requirements for this type of information.
    • Disclosures. The proposed rules provide that disclosures, notifications, and other communications to consumers must be clear, accessible, and understandable, and must be available in the languages in which the controller would ordinarily do business, as well as be accessible to consumers with disabilities (online notices should generally follow recognized industry standards such as version 2.1 of the Web Content Accessibility Guidelines).
    • Consumer personal data rights. The proposed rules outline requirements for submitting data rights requests, including through online and in-person methods, and require controllers to use reasonable data security measures when exchanging information. Among other things, requests should be easy to execute, require a minimal number of steps, and not require a consumer to create a new user account. Notably, a data rights request method does not have to be specific to Colorado, provided it “clearly indicates which rights are available to Colorado consumers.” Controllers must also provide instructions on how to appeal a data rights request decision.
    • Opt-out rights and mechanisms. Under the proposed rules, controllers must cease processing a consumer’s personal data for opt-out purposes as soon as feasibly possible but no later than 15 days after the request is received (authorized agents may exercise a consumer’s opt-out right provided certain criteria are met). A record of opt-out requests and responses also must be maintained. Clear and conspicuous opt-out methods must be provided in a controller’s privacy notice, as well as in a readily accessible location outside the privacy notice “at or before the time” the personal data is processed for opt-out purposes. The proposed rules also provide that the Colorado Department of Law will maintain a public list of universal opt-out mechanisms that have been recognized by the AG’s office as meeting the required standards. The proposed rules also provide details for deployment, and state that ease of use, implementation, and detection, among other factors, will be considered when determining which universal opt-out mechanisms will be recognized. Additionally, the proposed rules state that a universal opt-out mechanism may also be a “do not sell list” that controllers query in an automated manner.
    • Right of access, and right to correction, deletion, and data portability. The proposed rules outline controller requirements for handling consumers’ requests to access, correct, or delete their personal data, as well as instructions for complying with data portability requests. The proposed rules also consider instances where personal data may be corrected more quickly and easily through account settings than through the data rights review process.
    • Data minimization. Under the proposed rules, controllers would be required to “specify the express purposes” for which personal data is collected and processed in a manner that is “sufficiently unambiguous, specific, and clear.” Controllers must also consider each processing activity to determine whether it meets the requirement to use only the minimum personal information necessary, adequate, or relevant for the express purpose.
    • Data protection assessments. The proposed rules provide a list of 18 elements for controllers to include when assessing whether a processing activity presents a “heightened risk of harm,” including the specific purpose of the processing activity, procedural safeguards, alternative processing activities, discrimination harms, and the dates the assessment was reviewed and approved. The proposed rules also require that these assessments be revisited and updated at least annually in certain instances for fairness and disparate impact. Assessments are required for activities conducted after July 1, 2023, and are not retroactive.
    • Profiling. Under the proposed rules, controllers are obligated to clearly inform consumers when their personal data is being used for profiling. Consumers must also have the right to opt out of profiling in connection with decisions that result in legal or similar effects on consumers, and controllers that engage in profiling must provide additional disclosures in their privacy notices. A controller may deny a consumer’s request to opt out if there is human involvement in the automated processing, but is required to provide additional notice in such cases.

    The proposed rules also contain provisions addressing requirements for refreshing consent, how data right requests impact loyalty programs and the disclosures that are required for these programs, and how a consumer’s right to delete might impact a controller’s ability to provide program benefits.

    Comments on the proposed rules will be accepted between October 10 and February 1, 2023. On February 1, a proposed rulemaking public hearing will be held to hear testimony from stakeholders.

    Privacy, Cyber Risk & Data Security State Issues Colorado Colorado Privacy Act State Attorney General Consumer Protection

  • CFPB seeks comments on mortgage refinance and forbearance standards

    Agency Rule-Making & Guidance

    On September 27, the CFPB issued a notice in the Federal Register requesting input from the public regarding (i) the availability of refinance loans for borrowers with smaller mortgage loan balances, and (ii) options for mortgage forbearance. Specifically, the Bureau sought ways to: (i) “facilitate mortgage refinances for consumers who would benefit from refinancing, especially consumers with smaller loan balances”; and (ii) “reduce risks for consumers who experience disruptions in their financial situation that could interfere with their ability to remain current on their mortgage payments.” The Bureau also noted that some stakeholders have suggested that changes to the Bureau’s ability-to-repay/qualified mortgage rule (ATR–QM rule) may play a role in facilitating beneficial refinances through targeted and streamlined programs, noting that the current rule references “frictions” in the refinance process tied to QM standards. Comments are due by November 28.

    Agency Rule-Making & Guidance Federal Issues CFPB Mortgages Refinance Consumer Finance Federal Register Ability To Repay Qualified Mortgage
