InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
OFAC sanctions arms facilitator for attempted North Korea-Russia deals
On March 30, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions, pursuant to Executive Order 13551, against a Slovakian national for attempting to facilitate arms deals between Russia and the Democratic People’s Republic of Korea (DPRK) to aid Russia’s war against Ukraine. “Schemes like the arms deal pursued by this individual show that Putin is turning to suppliers of last resort like Iran and the DPRK,” Secretary of the Treasury Janet L. Yellen said. “We remain committed to degrading Russia’s military-industrial capabilities, as well as exposing and countering Russian attempts to evade sanctions and obtain military equipment from the DPRK or any other state that is prepared to support its war in Ukraine.”
As a result of the sanctions, all property and interests in property of the sanctioned individual that are in the United States or in the possession or control of U.S. persons must be blocked and reported to OFAC, as well as “any entities that are owned, directly or indirectly, 50 percent or more by one or more blocked persons.” Persons that engage in certain transactions with the designated individual may themselves be exposed to sanctions, and “any foreign financial institution that knowingly facilitates a significant transaction or provides significant financial services for the individual designated today could be subject to U.S. correspondent or payable-through account sanctions.”
FinCEN looks at business email threat in real estate
On March 30, FinCEN released a Financial Trend Analysis examining threat patterns and trends identified in Bank Secrecy Act (BSA) data relating to business email compromise (BEC) in the real estate sector during 2020 and 2021. According to the analysis, BEC attackers target businesses and financial institutions that routinely conduct large wire transfers and rely on email for communication about these wires. FinCEN explained in its announcement that attackers “may obtain unauthorized access to networks and systems to misappropriate confidential and proprietary information,” noting in its analysis that “[p]erpetrators typically compromise a key email account by using computer intrusions or social engineering and send an email that fraudulently directs funds to criminal-controlled accounts” where many times “the victim is tricked into thinking a legitimate email from a trusted person or entity is directing them to make a payment.” According to the Federal Bureau of Investigation’s Internet Crime Compliant Center, BEC incidents resulted in more than $43 billion in worldwide losses between June 2016 and December 2021.
FinCEN’s analysis found that attackers most commonly impersonated title and closing entities and personnel, and that 1,767 incidents involved initial domestic transfers of fraudulent funds to accounts at U.S. depository institutions (151 incidents involved initial transfers of fraudulent funds to international institutions). Additionally, the analysis found that 83 of the 2,103 reported real estate-related BEC incidents involved convertible virtual currency.
FinCEN reiterated that financial institutions, real estate sector entities, and the public “may all play an important role in protecting the U.S. financial system from [real estate] BEC attacks through awareness of actions to detect and mitigate attacks, information sharing mechanisms that can prevent attacks, and various ways to report incidents when they occur.” FinCEN further encouraged these entities to “[a]ssess the vulnerability of their business processes with respect to BEC and consider actions to ‘harden’ or increase the resiliency of their processes and systems against email fraud schemes.” This includes understanding quantifiable risks associated with the authentication of participants involved in communications, the authorization of transactions, and the communication of information and changes about transactions. Additionally, entities should “[a]dopt a multi-faceted transaction verification process—as well as training and awareness-building—to identify and evade spear phishing attempts.” FinCEN emphasized that “[i]dentifying fraudulent transaction payment instructions before payments are issued is essential to preventing and reducing unauthorized transactions.”
SEC awards whistleblowers more than $12 million
On March 31, the SEC announced awards totaling more than $12 million to two whistleblowers whose information and assistance led to a successful SEC enforcement action. According to the redacted order, the first whistleblower prompted the opening of the investigation and provided information on violations that would otherwise have been difficult to detect, including by identifying key witnesses and helping enforcement staff understand complex fact patterns and issues concerning the matters under investigation. This information was also used to create an investigative plan and craft initial document requests. Citing the first whistleblower’s persistent efforts to remedy the issues, and the fact that the information was received several years before the second whistleblower’s information, the SEC said the first whistleblower will receive more than $9 million. The second whistleblower will receive $3 million for submitting important information “as a percipient witness” during the course of the investigation on topics that went beyond what the first whistleblower had been able to provide.
CFPB finalizes Section 1071 rule on small business lending data
On March 30, the CFPB released its final rule implementing Section 1071 of the Dodd-Frank Act. Consistent with Section 1071, the final rule will require financial institutions to collect and provide to the Bureau data on lending to small businesses, defined as an entity with gross revenue under $5 million in its last fiscal year, which the Bureau will ultimately publish. (See also an executive summary here.)
As explained in a corresponding fact sheet, the final rule is intended to foster transparency and accountability by requiring financial institutions—both traditional banks and credit unions, as well as non-banks—to collect and disclose data about small business loan recipients’ race, ethnicity, and gender, as well as geographic information, lending decisions, and credit pricing. The credit application information will be compiled in a comprehensive, publicly available database to help policymakers, borrowers, and lenders better address economic development needs and adapt to future challenges. The final rule also contains a sample data collection form that lenders can, but are not required to, use to collect applicants’ demographic data, and while small businesses are given the option not to provide this information, lenders must not discourage applicants from supplying this data (as explained in more detail in an accompanying policy statement). The Bureau also released a report detailing user testing research used to learn about lenders’ likely experience in filling out the sample data collection form, as well as a report describing the agency’s methodology for estimating how many lenders will be required to report under the final rule and for producing cost estimates associated with implementing the final rule.
The final rule contains important changes from the proposed rule issued in September 2021 (covered by a Special Alert here). Explaining that these changes are designed to make the final rule more effective and easier to follow, the Bureau stated that larger lenders will be required to collect and report data earlier than small lenders. The reporting requirements begin once a lender originates at least 100 covered small business loans in each of the two prior calendar years—a threshold that “accounts for more than 95 percent of small-business loans by banks and credit unions,” the Bureau said in its press release, noting that it was raised from the originally proposed 25-loans-per-year threshold.
While the final rule is effective 90 days after publication in the Federal Register, lenders will follow a tiered compliance date structure:
- Lenders that originate at least 2,500 covered small business loans in both 2022 and 2023, must begin collecting data on October 1, 2024.
- Lenders that originate at least 500 covered small business loans in both 2022 and 2023, must begin collecting data on April 1, 2025.
- Lenders that originate at least 100 covered small business loans in both 2022 and 2023 must begin collecting data on January 1, 2026.
- Lenders that did not originate at least 100 covered small business loans in both 2022 and 2023, but subsequently originated at least 100 transactions in two consecutive calendar years may begin collecting data no earlier than January 1, 2026.
- Lenders that originate between 100 and 500 small business loans in both 2024 and 2025, must begin collecting data on January 1, 2026.
Other changes from the proposal include allowing applicants to self-identify demographic information, including race and ethnicity, rather than requiring loan officers to make the determination. The final rule also now includes an exclusion for mortgage loans that must be reported under HMDA, and suggests that under the federal regulators’ forthcoming Community Reinvestment Act (CRA) reporting requirements, data submitted under the Bureau’s final rule will satisfy relevant CRA requirements. Additionally, financial institutions and other third parties will be allowed to develop services and technologies to assist lenders with collecting and reporting data. The Bureau noted that it is working on a supplementary proposal that would, if finalized, give more compliance time for small lenders that are already successful in meeting the needs of the local communities they serve.
CFPB Director Rohit Chopra commented that the final rule’s impact “will be in the comprehensive data that it produces, which can be used by lenders, borrowers, and the broader public to achieve better credit outcomes for small businesses and communities across the country.”
FHFA expands deferral policies for hardships
On March 29, FHFA announced enhanced payment deferral policies for borrowers facing financial hardships. Under the newly enhanced policies, Fannie Mae and Freddie Mac will allow borrowers to defer up to six months of mortgage payments, enabling borrowers “to keep the same monthly mortgage payment by moving past-due amounts to the end of the loan as a non-interest bearing balance, due and payable at maturity, sale, refinance, or payoff.” Fannie and Freddie will work with servicers to implement the enhanced payment deferral policies, which carry a voluntary adoption date of July 1, and a mandatory adoption date of October 1.
Recognizing that the more than one million Covid-19 payment deferrals completed by Fannie and Freddie during the pandemic helped borrowers stay in their homes, FHFA Director Sandra L. Thompson said the agency is making the payment deferral policies a key part of its standard loss mitigation toolkit that is available to all borrowers with eligible hardships.
HUD announces Mississippi disaster relief
On March 28, HUD announced disaster assistance for areas in Mississippi impacted by severe storms, straight-line winds, and tornadoes beginning March 24 to March 25. The disaster assistance follows President Biden’s major disaster declaration on March 26. According to the announcement, HUD is providing immediate foreclosure relief, making various FHA mortgage insurance available to disaster victims, and providing information on housing providers, as well as HUD-approved housing counseling agencies, among other measures. Specifically, HUD is providing an automatic 90-day moratorium on foreclosures of FHA-insured home mortgages for covered properties, as well as a 90-day extension granted automatically for home equity conversion mortgages, effective March 26. It is also making various FHA insurance options available to victims whose homes require repairs or were destroyed or severely damaged. HUD’s Section 203(h) program allows borrowers from participating FHA-approved lenders to obtain 100 percent financing, including closing costs, for homes that require “reconstruction or complete replacement.” HUD’s Section 203(k) loan program enables individuals to finance the repair of their existing homes or to include repair costs in the finance of a home purchase or a refinance of a home through a single mortgage. HUD is also allowing administrative flexibilities to community planning and development grantees, as well as to public housing agencies and Tribes.
District Court allows prerecorded-voice-based claims to proceed
On March 23, the U.S. District Court for the Western District of New York partially granted a defendant debt collector’s motion for summary judgment in an action concerning the alleged use of an automated telephone dialing system (autodialer) to collect unpaid medical debt. Plaintiff claimed the defendant repeatedly called his cell phone using an autodialer and left messages using a prerecorded voice message even after he asked the defendant to stop. These actions, the plaintiff said, violated the FDCPA and the TCPA. In partially granting the defendant’s motion for summary judgment, the court found that the plaintiff’s TCPA claims concerning the alleged use of an autodialer were “no longer viable” following the U.S. Supreme Court’s ruling in Facebook v. Duguid (covered by a Special Alert), which narrowed the definition of autodialer under the TCPA, resulting in the law only covering equipment that generates numbers randomly and sequentially.
Although both parties agreed that the Facebook decision does not affect plaintiff’s prerecorded-voice-based-claims (which are distinct from claims based on the use of an autodialer), the parties disputed how the defendant came to possess the plaintiff’s cell phone number. The defendant maintained that the hospital that treated the plaintiff provided the cell phone number; however, the plaintiff contended that he did not recall providing his number to the hospital. The court reviewed, among other things, whether the plaintiff expressly consented to receiving calls—prerecorded or not. Under the TCPA, “[p]roviding one’s phone number to an entity constitutes consent for that entity to use the number to collect a debt, so long as ‘such number was provided during the transaction that resulted in the debt [being] owed,’” the court explained, adding that the burden is on the defendant to demonstrate that the plaintiff consented to receiving the calls that allegedly used a prerecorded voice.
A purported hospital intake form submitted by the defendant that included the plaintiff’s cell phone number did not indicate that “it was filled out by, or includes information provided only by, [the plaintiff],” the court said, also writing that “this document merely demonstrates that whenever the document was typed, [the hospital] had [plaintiff’s] phone number from some source.” This is not sufficient to indicate that the plaintiff consented to be contacted, the court ruled, holding that the defendant was not entitled to summary judgment based on its express consent affirmative defense. As a result, the court allowed the prerecorded-voice-based-claims to proceed to trial.
Virginia establishes program to implement CDFI fund
On March 26, the Virginia governor signed HB 1411, which codifies the Virginia Community Development Financial Institutions Fund and creates the Virginia Community Development Financial Institutions Program to carry out the purposes of the fund. Among other things, the program will provide grants and loans to community development financial institutions (CDFIs) and other similar entities in order to fund small businesses, housing development and rehabilitation projects, and community revitalization real estate projects. Qualified recipients must emphasize microfinancing (defined as financing to small businesses in amounts of $100,000 or less) when using program funds. The Department of Housing and Community Development will oversee the fund and the program and is required to report annually on the fund’s use and impact. HB 1411 is effective July 1.
Virginia and Kentucky enact requirements for auto renewals
Recently, Virginia and Kentucky enacted measures relating to automatic renewal offers and continuous service offers.
HB 1517 was signed by the Virginia governor on March 27 to amend the Consumer Protection Act in the Virginia code. The amendments provide that all businesses offering automatic renewals or continuous service offers that include a free trial lasting longer than 30 days are required to notify consumers of their option to cancel the free trial within 30 days of the end of the trial period. Providing this notice will avoid obligating a consumer to pay for the goods or services. Failing to timely notify a consumer is a violation of the Virginia Consumer Protection Act. Additionally, a business also violates the statute should it fail “to disclose the total cost of a good or continuous service [] to a consumer, including any mandatory fees or charges, prior to entering into an agreement for the sale of any such good or provision of any such continuous service.” HB 1517 is effective July 1.
SB 30 was signed by the Kentucky governor on March 23 to amend state law by adding sections addressing the termination of automatic renewal offers and continuous service officers. Among other things, the new sections define several terms, including “automatic renewal,” “automatic renewal offer terms,” “clear and conspicuous,” “consumer,” and “continuous service.” Businesses are required to provide clear and conspicuous automatic renewal or continuous service offer terms to consumers before the subscription or purchase agreement is fulfilled. Business also must obtain affirmative consent before charging a consumer’s credit or debit account or a consumer’s account with a third party. Additionally, businesses must (i) provide an acknowledgement that includes the terms, the cancellation policy, and information regarding how to cancel in a manner that can be retained by the consumer; (ii) give consumers appropriate mechanisms for cancellation; (iii) provide users who accept an automatic renewal or continuous service online the opportunity to terminate in the same medium; and (iv) provide a notice regarding material term changes. SB 30 outlines exemptions (including contracts entered into prior to the effective date), and states that first-time violators must “provide a prorated refund for the contract subject to an automatic renewal provision from the start of the most recent term to the date on which the business was notified of and corrects the error.” The state attorney general also may bring an action for injunctive and monetary relief against businesses that either fail to provide a prorated refund or where it is a business’s second or subsequent violation. SB 30 is effective January 1, 2024.
Wyoming to issue stable tokens
On March 17, the Wyoming governor signed SF 127 enacting the Wyoming Stable Token Act, creating the Wyoming stable token commission, and authorizing the issuance of stable tokens in the state. Under the Act, a Wyoming stable token is “a virtual currency representative of and redeemable for one (1) United States dollar held in trust by the state of Wyoming” that may only be issued in exchange for a USD. Stable tokens will be issued by the Wyoming stable token commission—created by the Act and to be comprised of no more than four virtual currency/fintech subject matter experts. The commission is authorized to, among other things, (i) establish “the means used to issue, maintain and manage the Wyoming stable tokens and the manner of and requirements for redemption”; (ii) select which financial institutions will manage the stable tokens, and make and enter into contracts and arrangements for such services; (iii) seek rulings and other guidance from federal agencies related to the provisions outlined in the Act; (iv) prior to issuing any such tokens, issue a comprehensive report to a select committee overseeing blockchain, financial technology, and digital innovation technology, among others, on all actions taken under the Act; and (v) promulgate rules and regulations as necessary to administer the Act and ensure compliance. The Act also outlines criteria relating to liability limitations and requires that the commission endeavor to issue at least one Wyoming stable token no later than December 31.