InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
White House presses regulators on framework for digital assets
On September 16, the White House published a comprehensive framework for the responsible development of digital assets, calling on federal regulators to “provide innovative U.S. firms developing new financial technologies with regulatory guidance, best-practices sharing, and technical assistance.” The framework follows an executive order (E.O.) issued by the Biden administration in March (covered by InfoBytes here), which outlined the first “whole-of-government” strategy for coordinating a comprehensive approach to ensuring responsible innovation in digital assets policy. Consistent with the E.O.’s deadline, nine reports have been submitted to President Biden to date that “call on agencies to promote innovation by kickstarting private-sector research and development and helping cutting-edge U.S. firms find footholds in global markets.” The reports also “call for measures to mitigate the downside risks, like increased enforcement of existing laws and the creation of commonsense efficiency standards for cryptocurrency mining.”
Among other things, the reports (i) direct the Federal Reserve Board to continue its research and experimentation on issuing a central bank digital currency, and request the creation of a U.S. Treasury Department-led interagency working group to support Fed efforts; (ii) encourage the SEC and CFTC to “aggressively pursue investigations and enforcement actions against unlawful practices in the digital assets space”; (iii) urge the CFPB and FTC to address consumer complaints related to unfair, deceptive, or abusive practices in the crypto space; (iv) encourage agencies to issue guidance and rules for addressing current and emergent risks in the digital asset ecosystem; (v) urge agencies and law enforcement to take joint measures to address digital asset risks impacting consumers, investors, and businesses; and (vi) encourage agencies to share data on consumers’ digital asset complaints. To promote access to safe and affordable financial services, the administration said it plans to explore how crypto-related technologies can bolster financial inclusion, and will encourage the adoption of instant payment systems, weigh recommendations for creating a federal framework for non-bank payment service oversight, and prioritize efforts to improve cross-border payment efficiency. Additionally, the administration said it is exploring the possibility of amending the Bank Secrecy Act and other related statutes to “explicitly” apply to digital asset exchanges and non-fungible token platforms, and is considering a legislative request to toughen penalties for unlicensed money transmitters and give the DOJ more jurisdictional digital asset prosecution authority.
The Treasury released three reports addressing the future of money and payment systems, consumer and investor protection, and illicit finance risks in response to the E.O. The reports, The Future of Money and Payments, Crypto-Assets: Implications for Consumers, Investors, and Businesses, and Action Plan to Address Illicit Financing Risks of Digital Assets call on regulators to mitigate crypto-related risks to consumers, investors, and businesses. “Innovation is one of the hallmarks of a vibrant financial system and economy,” Treasury Secretary Janet Yellen said. “But as we have learned painfully from the past, innovation without appropriately addressing the impact of these developments can result in significant disruptions and harm to the financial system and individuals, especially our more vulnerable populations.” The reports examine the future of digital assets and offer recommendations to address consumer and investor protection concerns, combat illicit finance risks, and improve the payments system to support a more competitive, efficient, and inclusive landscape.
The same day, the DOJ also released a report in response to the E.O. The Role Of Law Enforcement In Detecting, Investigating, And Prosecuting Criminal Activity Related To Digital Assets examines ways illicit actors exploit digital asset technologies and addresses challenges posed by digital assets to criminal investigations. The report provides recommendations to further enhance law enforcement’s ability to address digital asset crimes, such as strengthening criminal penalties and extending the statutes of limitations for crimes involving digital assets from five to ten years, and identifies three priorities: (i) “expanding to virtual asset service providers the laws preventing employees of financial institutions from tipping off suspects to ongoing investigations”; (ii) “strengthening the law criminalizing the operation of unlicensed money transmitting businesses”; and (iii) “extending the statute of limitations of certain statutes to account for the complexities of digital assets investigations.” The DOJ also launched the Digital Asset Coordinator Network, which will serve as the agency’s primary source for obtaining and disseminating information related to digital assets crimes.
New York expands access to PSLF program
On September 15, the New York governor signed S.8389-C/A. 9523-B , which amends the Public Service Loan Forgiveness (PSFL) program statewide. Among other things, the legislation: (i) adds clarifying legal definitions, such as “certifying employment,” “employee,” “full-time,” “public service employer,” “public service loan forgiveness form,” and “public service loan forgiveness program”; (ii) establishes a standard hourly threshold for full-time employment at thirty hours per week for the purposes of accessing PSLF; and (iii) permits public service employers to certify employment on behalf of individuals or groups of employees directly with the U.S. Department of Education. The legislation is effective immediately.
California amends GAP disclosure legislation
On September 13, the California governor signed AB 2311, which amends provisions regarding vehicle finance disclosures. The bill establishes provisions to govern the offer, sale, provision, or administration, in connection with a conditional sale contract, of a guaranteed asset protection waiver (GAP waiver). Specifically, the bill requires creditors to automatically refund the unearned portion of a GAP waiver if a consumer pays off or otherwise terminates their auto loan early. The bill prohibits: (i) conditioning the extension of credit, the term of credit, or the terms of a conditional sale contract upon the purchase of a GAP waiver; and (ii) the sale of a GAP waiver pursuant to certain provisions where the loan-to-value ratio exceeds the maximum loan-to-value ratio of the GAP waiver. The bill, among other things, authorizes the buyer to recover three times the amount of any GAP charges paid. The bill is effective January 1, 2023.
10th Circuit: Payday lender must pay $38.4 million restitution order
On September 15, the U.S. Court of Appeals for the Tenth Circuit affirmed the CFPB’s administrative ruling against a Delaware-based online payday lender and its founder and CEO (respondents/petitioners) regarding a 2015 administrative enforcement action that alleged violations of the Consumer Financial Protection Act (CFPA), TILA, and EFTA. As previously covered by InfoBytes, in 2015, the CFPB announced an action against the respondents for alleged violations of TILA and the EFTA, and for engaging in unfair or deceptive acts or practices. Specifically, the CFPB alleged that, from May 2008 through December 2012, the online lender (i) continued to debit borrowers’ accounts using remotely created checks after consumers revoked the lender’s authorization to do so; (ii) required consumers to repay loans via pre-authorized electronic fund transfers; and (iii) deceived consumers about the cost of short-term loans by providing them with contracts that contained disclosures based on repaying the loan in one payment, while the default terms called for multiple rollovers and additional finance charges. The order required the respondents to pay $38.4 million as both legal and equitable restitution, along with $8.1 million in penalties for the company and $5.4 million in penalties for the CEO.
According to the opinion, between 2018 and 2021, the U.S. Supreme Court issued four decisions, Lucia v. SEC (covered by InfoBytes here), Seila Law v. CFPB (covered by a Buckley Special Alert here), Liu v. SEC (covered by InfoBytes here), and Collins v. Yellen (covered by InfoBytes here), which “bore on the Bureau’s enforcement activity in this case,” by “decid[ing] fundamental issues such as the Bureau’s constitutional authority to act and the appointment of its administrative law judges (‘ALJ’).” The decisions led to intermittent delays and restarts in the Bureau’s case against the petitioners. For instance, the opinion noted that two different ALJs decided the present case years apart, with their recommendations separately appealed to the Bureau’s director. The CFPB’s director upheld the decision by the second ALJ and ordered the lender and its owner to pay the restitution, and a district court issued a final order upholding the award. The petitioners appealed.
On appeal, the petitioners made three substantive arguments for dismissing the director’s final order. The petitioners argued that under Seila, the CFPB’s structure was unconstitutional and therefore the agency did not have authority to issue the order. The appellate court disagreed, stating that it is “to use a ‘scalpel rather than a bulldozer’ in remedying a constitutional defect,” and that “because the Director’s actions weren’t unconstitutional, we reject Petitioners’ argument to set aside the Bureau’s enforcement action in its entirety.”
The petitioners also argued that the enforcement action violated their due-process rights by denying the CEO additional discovery concerning the statute of limitations. The petitioners claimed that they were entitled to a “new hearing” under Lucia, and that the second administrative hearing did not rise to the level of due process prescribed in that case. The appellate court determined that there was “no support for a bright-line rule against de novo review of a previous administrative hearing," nor did it see a reason for a more extensive hearing. Moreover, the petitioners “had a full opportunity to present their case in the first proceeding,” the 10th Circuit wrote. The appellate court further rejected the company’s argument regarding various evidentiary rulings, including permitting evidence about the company’s operational expenses, among other things. The appellate court also concluded that the CFPA’s statute of limitations commences when the Bureau either knows of a violation or, through reasonable diligence, would have discovered the violation. Therefore, the appellate court rejected the argument “that the receipt of consumer complaints triggered the statute of limitations.”
The petitioners also challenged the remedies order, claiming they were not allowed “to present evidence of their good-faith reliance on counsel (as to restitution and civil penalties) and evidence of their expenses (as to the Director’s residual disgorgement order).” The appellate court rejected that challenge, holding that the director properly considered all factors, including good faith, and rejected the petitioners’ challenge to the ALJ’s recommended civil penalties.
The 10th Circuit affirmed the district court’s order of a $38.4 million restitution award, rejecting the petitioners’ various challenges and affirming the director’s order.
OCC announces Alaska and Puerto Rico disaster relief
On September 19, the OCC issued proclamations (see here and here) permitting OCC-regulated institutions, at their discretion, to close offices affected by flooding in Alaska and Hurricane Fiona in Puerto Rico “for as long as deemed necessary for bank operation or public safety.” The proclamation directs institutions to OCC Bulletin 2012-28 for further guidance on actions they should take in response to natural disasters and other emergency conditions. According to the 2012 Bulletin, only bank offices directly affected by potentially unsafe conditions should close, and institutions should make every effort to reopen as quickly as possible to address customers’ banking needs.
CFPB examines relationship between high vehicle costs and loan performance
On September 19, the CFPB published a blog post exploring the potential relationship between high vehicle costs and changes in auto loan characteristics and performance, particularly with respect to consumers with near-prime or subprime credit scores. The Bureau reported that the average vehicle price increased over the past two years, particularly throughout 2021, and that data from the Bureau’s Consumer Credit Panel showed that an increase in the size of newly originated auto loans coincided with a spike in vehicle price. The blog post also highlighted a recent Federal Reserve Bank of New York report, which found that higher vehicle prices are a significant factor driving larger loan amounts. “The dollar value of outstanding auto loans increased by $33 billion between the first and second quarters of 2022 to $1.5 trillion outstanding,” the report said, noting that the increase “is due in large part to larger loan originations rather than by an increase in the number of loans.” The Bureau also reported that recent data has shown that delinquency rates, especially for low-income borrowers, has increased over the past year. While the Bureau said it cannot fully infer that the end of pandemic-related stimulus policies or inflationary pressures are possible explanations for the rise in delinquency rates, the agency said it “cannot ignore the relationship between larger loan amounts and increasing interest rates to consumer’s monthly budgets and some consumers’ struggle to stay current on their loans.” The Bureau stressed, however, that while current data provides insight into broad indicators, it “lacks the granularity to isolate specific economic trends or to fully explore the impact on subsets of consumers.” The agency said it will continue to seek data that allows for better visibility in this market and will remain focused on ensuring that the auto lending market is fair, transparent, and competitive.
SEC proposes new rules for clearing agencies
On September 14, the SEC announced a proposed rule regarding risk management practices for central counterparties in the U.S. Treasury Department market. Among other things, the proposed rule would update the membership standards required of covered clearing agencies for the Treasury market with respect to a member’s clearance and settlement of specified secondary market transactions. Specifically, the proposal would require that clearing agencies in the U.S. Treasury market adopt policies and procedures designed to require their members to submit for clearing certain specified secondary market transactions, which would include: “all repurchase and reverse repurchase agreements collateralized by U.S. Treasury securities entered into by a member of the clearing agency; all purchase and sale transactions entered into by a member of the clearing agency that is an interdealer broker; and all purchase and sale transactions entered into between a clearing agency member and either a registered broker-dealer, a government securities broker, a government securities dealer, a hedge fund, or a particular type of leveraged account.” According to a statement by SEC Chair Gary Gensler, the proposed rule would “reduce risk across a vital part of our capital markets in both normal and stress times.” The SEC also released a Fact Sheet providing more information on the proposal. Comments are due 60 days after publication in the Federal Register.
OFAC issues sanctions, general licenses, and FAQs on Russia’s invasion of Ukraine
On September 15, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC), in coordination with the Departments of Commerce and State, announced sanctions against 22 individuals and two entities connected to Russia’s invasion of Ukraine. According to OFAC, the designated persons include multiple individuals who have furthered the Government of the Russian Federation’s objectives in Ukraine, both prior to and during Russia’s invasion of Ukraine in 2022. Also included among those designated is a neo-Nazi paramilitary group that has aided Russia’s military in Ukraine, and two of the group’s senior leaders. As a result of the sanctions, all property and interests in property belonging to the sanctioned individuals and entities subject to U.S. jurisdiction are blocked and must be reported to OFAC. Additionally, “any entities that are owned, directly or indirectly, 50 percent or more by one or more blocked persons are also blocked.” OFAC further noted that “transactions by U.S. persons or within (or transiting) the United States that involve any property or interests in property of designated or blocked persons are prohibited unless authorized by a general or specific license issued by OFAC, or exempt,” which “include the making of any contribution or provision of funds, goods, or services by, to, or for the benefit of any blocked person and the receipt of any contribution or provision of funds, goods, or services from any such person.”
The same day, OFAC issued Russia-related General License (GL) 51, authorizing the wind down of transactions involving the Limited Liability Company Group of Companies Akvarius, and GL 52, which relates to journalistic activities and the establishment of news bureaus. According to the GL 51, “all transactions ordinarily incident and necessary to the wind down of any transaction involving Limited Liability Company Group of Companies Akvarius (Aquarius), or any entity in which Aquarius owns, directly or indirectly, a 50 percent or greater interest, that are prohibited by Executive Order (E.O.) 14024,” are authorized as of October 15, subject to certain qualifications. According to GL 52, “news reporting organizations that are U.S. persons, and individual U.S. persons who are journalists or broadcast or technical personnel, are authorized to engage in certain transactions where such transactions are ordinarily incident and necessary to such U.S. persons’ journalistic activities or to the establishment or operation of a news bureau and are prohibited” by E.O. 14024, subject to certain qualifications.
Additionally, OFAC published several frequently asked questions clarifying “Russian Harmful Foreign Activities Sanctions,” which include guidance on the use of the National Payment Card System (NSPK) or the Mir National Payment System given the broad sanctions imposed on Russia’s financial system this year.
CISA urges companies to take action to combat malicious cyber activity
On September 14, the Cybersecurity and Infrastructure Security Agency, along with several other federal agencies and international partners, released a joint cybersecurity advisory (CSA) highlighting continued malicious cyber activity taken by advanced persistent threat actors affiliated with the Iranian Government’s Islamic Revolutionary Guard Corps (IRGC). The CSA recommended that companies continually test their security programs to protect against longstanding online threats that may arise from IRGC-affiliated actors known for exploiting vulnerabilities for ransom operations. “Our unified purpose is to drive timely and prioritized adoption of mitigations and controls that are most effective to reducing risk to all cyber threats,” CISA said in its announcement. Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian E. Nelson added that the U.S. Treasury Department “is dedicated to collaborating with other U.S. government agencies, allies, and partners to combat and deter malicious cyber-enabled actors and their activities, especially ransomware and cybercrime that targets economic infrastructure.” He noted that the CSA provides information on specific tactics, techniques, and procedures used by IRGC-affiliated actors, and advised both the public and private sector to use the information to strengthen cybersecurity resilience and reduce the risk of ransomware incidents. Organizations are encouraged to review a 2021 Treasury advisory, which highlights the sanctions risks associated with ransomware payments and provides steps for companies to take to mitigate the risk of being a victim of ransomware (covered by InfoBytes here).
California adopts “first-in-nation” act to safeguard children’s online data and privacy
On September 15, the California governor signed into law the California Age-Appropriate Design Code Act (the Act), calling it the “first-in-nation” bill to protect children’s online data and privacy. AB 2273 establishes new legal requirements for businesses that provide online products and services that are “likely to be accessed by children” under 18 years of age based on certain factors. These factors include whether the feature is: (i) “directed to children,” as defined by the Children’s Online Privacy Protection Act (COPPA); (ii) “determined, based on competent and reliable evidence regarding audience composition, to be routinely accessed by a significant number of children”; (iii) advertised to children; (iv) is substantially similar to, or the same as, an online service, product, or feature routinely accessed by a significant number of children; (v) designed to appeal to children; or (vi) determined to be, based on internal company research, significantly accessed by children. Notably, in contrast to COPPA, the Act more broadly defines “child” as a consumer who is under the age of 18 (COPPA defines “child” as an individual under 13 years of age).
The Act also outlines specific requirements for covered businesses, including:
- Businesses must configure all default privacy settings offered by the online service, product, or feature to one that offers a high level of privacy, “unless the business can demonstrate a compelling reason that a different setting is in the best interests of children”;
- Businesses must “concisely” and “prominently” provide clear privacy information, terms of service, policies, and community standards suited to the age of the children likely to access the online service, product, or feature;
- Prior to offering any new online services, products, or features that are likely to be accessed by children before July 1, 2024, businesses must complete a Data Protection Impact Assessment (DPIA) on or before the same date. Businesses must also document any “risk of material detriment to children” that arises from the DPIA, create a mitigation plan, and, upon written request, provide the DPIA to the state attorney general;
- Businesses must “[e]stimate the age of child users with a reasonable level of certainty appropriate to the risks that arise from the data management practices of the business or apply the privacy and data protections afforded to children to all consumers”;
- Should an online service, product, or feature allow a child’s parent, guardian, or any other consumer to monitor the child’s online activity or track the child’s location, businesses must provide an obvious signal to the child when the child is being monitored or tracked;
- Businesses must “[e]nforce published terms, policies and community standards established by the business, including, but not limited to, privacy policies and those concerning children”; and
- Businesses must provide prominent, accessible, and responsive tools to help children (or their parents/guardians) exercise their privacy rights and report concerns.
Additionally, covered businesses are prohibited from using a child’s personal information (i) in a way that the business knows, or has reason to know, is materially detrimental to a child’s physical health, mental health, or well-being; or (ii) for any reason other than a reason for which the personal information was collected, unless a business can show a compelling reason that using the personal information is in the “best interests of children.” The Act also places restrictions on profiling, collecting, selling, or sharing children’s geolocation data, or using dark patterns to encourage children to provide personal information beyond what is reasonably expected.
The Act also establishes the California Children’s Data Protection Working Group, which will study and report to the legislature best practices for implementing the Act, and will also, among other things, evaluate ways to leverage the expertise of the California Privacy Protection Agency in the long-term development of data privacy policies that affect the privacy, rights, and safety of children online. The state attorney general is tasked with enforcing the Act and may seek an injunction or civil penalty against any business that violates its provisions. Violators may be subject to a penalty of up to $2,500 per affected child for each negligent violation, and up to $7,500 per affected child for each intentional violation; however, businesses may be provided a 90-day cure period if they have achieved “substantial compliance” with the Act’s assessment and mitigation requirements.
The Act takes effect July 1, 2024.