InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Washington State passes new health data privacy measures
On April 27, the Washington State governor signed HB 1155 to enact the My Health My Data Act—a comprehensive health privacy law that provides broad restrictions on the use of consumer health data. The Act is intended to cover health data not covered by the Health Insurance Portability and Accountability Act. The Act defines a regulated entity as any legal entity that conducts business in the state of Washington or engages with Washington residents that (alone or jointly with others) “determines the purpose and means of collecting, processing, sharing, or selling of consumer health data.” Government agencies, tribal nations, and contracted service providers that process such data on behalf of a government agency are exempt. The Act increases privacy protections, and outlines several requirements, such as (i) entities must maintain a consumer health data privacy policy that clearly and conspicuously discloses the categories of health data collected and specifies how the data will be used, collected, and shared (including with third parties and affiliates); (ii) entities must obtain consent from consumers prior to collecting, sharing, and selling their health data; (iii) entities are restricted from geofencing particular locations to collect and sell data; and (iv) entities are required to develop specific privacy disclosures. Consumers are also empowered with the right to have their health data deleted. The Act outlines numerous compliance elements relating to access restrictions, replying to consumers, and processor requirements. The Act also specifies the types of information and documents for which the Act is not applicable. In addition, the Act provides a private right of action to consumers and grants the state attorney general enforcement authority as well.
The Act is effective July 23. Regulated entities must comply by March 31, 2024, except for certain provisions applicable to small businesses that have until June 30, 2024 to comply.
OFAC sanctions Iranian senior officials for wrongfully detaining U.S. nationals
On April 27, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions, pursuant to Executive Order 14078, against four senior officials of Iran’s Islamic Revolutionary Guard Corps Intelligence Organization (IRGC-IO). The IRGC-IO was concurrently designated by the State Department for its involvement in the hostage-taking or wrongful detention of U.S. nationals in Iran. OFAC also implemented the State Department’s designation of Russia’s Federal Security Service as well as the IRGC-IO for their role in wrongfully detaining U.S. nationals abroad. As a result of the sanctions, all property and interests in property of the designated persons that are in the United States or in the possession or control of U.S. persons must be blocked and reported to OFAC. Additionally, “any entities that are owned, directly or indirectly, individually or in the aggregate, 50 percent or more by one or more blocked persons are also blocked.” OFAC’s announcement further noted that its regulations “generally prohibit” U.S. persons from participating in transactions with designated persons unless exempt or otherwise authorized by a general or specific license. Financial institutions and persons that engage in certain transactions with the designated persons may themselves be exposed to sanctions or subject to enforcement.
OFAC, Turkey sanction terrorist financing facilitators
On May 2, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced, pursuant to Executive Order 13224, a joint action with the Republic of Turkey to designate two financial facilitators of Syria-based terrorist groups. The terrorist groups have both been sanctioned by the U.S. and the United Nations. The action demonstrates OFAC’s continued cooperation with Turkey to restrict the financing of terrorist groups that perpetuate violence and instability throughout the region. According to the announcement, the Turkish Ministry of Treasury and Finance and the Turkish Ministry of Interior concurrently implemented an asset freeze against the sanctioned individuals. As a result of the sanctions, all property interests belonging to the sanctioned individuals and entities that are in the U.S. or in the possession or control of U.S. persons are blocked and must be reported to OFAC, as well as “any entities that are owned, directly or indirectly, 50 percent or more by them, individually, or with other blocked persons.” U.S. persons are generally prohibited from engaging in any dealings involving the property interests of blocked or designated persons, and persons that engage in certain transactions with the designated individuals may themselves be exposed to sanctions. OFAC further stated that it “can prohibit or impose strict conditions on the opening or maintaining in the United States of a correspondent account or a payable-through account of a foreign financial institution that knowingly conducted or facilitated any significant transaction on behalf of a Specially Designated Global Terrorist.”
SEC orders crypto ATM operator to pay $3.9 million for selling unregistered tokens
On April 28, the SEC settled with a cryptocurrency ATM operator for allegedly selling unregistered tokens in order to raise money to expand its bitcoin ATM network. Described as a “token sale,” the SEC claimed the respondents in total raised crypto assets during an initial coin offering valued at roughly $3.65 million. According to the SEC, the company offered and sold its token as investment contracts, which qualified it as a security since investors would have reasonably expected to obtain future profits from the token’s rise in value based upon the respondents’ efforts. By offering and selling securities without having on file a registration statement with the SEC or qualifying for an exemption, the respondents violated Sections 5(a) and 5(c) of the Securities Act, the SEC said. Additionally, one of the respondents and its CEO were also accused of violating Section 17(a) of the Securities Act and Section 10(b) of the Exchange Act and Rule 10b-5 by making materially false and misleading statements and engaging in other fraudulent conduct connected to the offer and sale of the token. The respondents neither admitted nor denied the SEC’s findings, but agreed to pay a collective $3.92 million civil penalty and said they would cease and desist from committing violations of the Securities Act and the Securities Exchange Act. One of the individual respondents also received a three-year officer and director ban.
2nd Circuit addresses preclusion standard in dismissal of RMBS actions
On April 26, the U.S. Court of Appeals for the Second Circuit upheld the dismissal of three residential mortgage-backed securities lawsuits tied to losses incurred during the 2008 financial crisis. The plaintiffs, issuers of collateralized debt obligations secured by RMBS certificates, sued several trust entities in separate lawsuits over the losses. According to the opinion, the district courts in each action assumed the plaintiffs had Article III standing but determined that they “were precluded from relitigating the issue of prudential standing” due to a related case they had previously brought against a different bank.
The 2nd Circuit explained that the district court in the related case had determined that the plaintiffs lacked standing because they had “conveyed all right, title, and interest in the RMBS certificates”—including the full power to file lawsuits—to third parties when issuing their notes, which were secured by certificates in RMBS trusts, among other assets. Following the decision, the third parties reassigned the litigation rights associated with the RMBS certificates back to the plaintiffs, but the court granted summary judgment in favor of the bank, holding that the plaintiffs lacked both Article III and prudential standing. The 2nd Circuit “affirmed on the ground that the assignments were champertous and that [p]laintiffs thus lacked prudential standing,” assuming but not deciding the issue of Article III standing.
With respect to the current lawsuits, the district court premised its dismissal on the finding that the plaintiffs were precluded from relitigating the issue of prudential standing by the holding in the related action. “In resolving an issue of first impression in this Circuit, we join the [9th] Circuit in concluding that the district courts permissibly bypassed the question of Article III standing to address issue preclusion, which offered a threshold, non-merits basis for dismissal,” the appellate court wrote. “In short, we fully agree with the district courts that [p]laintiffs were not entitled to a second bite at the prudential-standing apple after the [related] action. The district courts therefore did not err in taking this straightforward, if not ‘textbook,’ path to dismissal.”
FTC obtains permanent ban against debt relief operators
On May 1, three individuals accused of allegedly participating in a credit card debt relief scheme agreed to court orders permanently banning them from telemarketing and selling debt relief products and services. As previously covered by InfoBytes, last November the FTC filed a lawsuit claiming the defendants and their affiliated companies violated the FTC Act and the Telemarketing Sales Rule by using telemarketers to pitch their deceptive scheme, in which they falsely claimed to be affiliated with a particular credit card association, bank, or credit reporting agency, and promised they could improve consumers’ credit scores after 12 to 18 months. The defendants also allegedly misrepresented that the upfront fee, which in some cases was as high as $18,000, was charged to consumers’ credit cards as part of the overall debt that would be eliminated, and therefore would not actually have to be paid. Without admitting or denying the allegations, the defendants agreed to the court orders (available here, here, and here) imposing numerous conditions, including (i) a permanent ban on advertising, selling, or assisting in any debt relief product or service or participating in telemarketing; (ii) a broad prohibition forbidding defendants from deceiving consumers about any other products or services they sell or market; and (iii) the surrender of certain property interests and assets that will be used to provide restitution to affected consumers. The orders impose a total monetary judgment of approximately $17.5 million, for which each defendant is jointly and severally liable, to be satisfied by defendants’ surrender of certain assets and subject to a partial suspension of the remainder of the judgment pursuant to defendants’ truthfulness regarding their financial status and ability to pay.
OFAC adds more sanctions linked to timeshare fraud
On April 27, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions, pursuant to Executive Order 14059, against seven individuals and 19 Mexican companies connected to timeshare fraud on behalf of the Cartel de Jalisco Nueva Generacion (CJNG). The CJNG—a Mexico-based organization responsible for trafficking a significant proportion of illicit fentanyl and other drugs that enter the U.S.—is also designated under E.O. 14059. OFAC explained that timeshare fraud often targets older U.S. citizens to scam victims of their life savings and is an important revenue stream for the group’s criminal enterprise. The designations build on sanctions imposed on several other companies in April (covered by InfoBytes here) and continue OFAC’s efforts to disrupt CJNG’s timeshare fraud network.
As a result of the sanctions, all property and interests in property of the designated persons located in the U.S. or held by U.S. persons are blocked and must be reported to OFAC. Further, “any entities that are owned, directly or indirectly, individually or in the aggregate, 50 percent or more by one or more blocked persons are also blocked.” U.S. persons are generally prohibited from engaging in any dealings involving the property or interests in property of blocked or designated persons unless authorized by an OFAC-issued general or specific license, or exempt. OFAC further warned that “U.S. persons may face civil or criminal penalties for violations of E.O. 14059 and the Kingpin Act.”
FinCEN highlights use of BSA reporting data
On April 25, FinCEN released its year-in-review for FY 2022. The annual summary provided insights into the agency’s efforts to support law enforcement and national security agencies, as well as statistics from Bank Secrecy Act (BSA) filings. FinCEN reported that BSA data was used to advance several law enforcement missions, including in 36.3 percent of active complex financial crimes investigations, 27.5 percent of active public corruption investigations, and 20.6 percent of active international terrorism investigations. Additionally, FinCEN noted that in FY 2022 there were over 7,600 Section 314(b)-registered financial institutions. Section 314(b) of the USA PATRIOT Act allows registered entities to share information about financial activity with one another to help entities of all sizes identify and report suspicious activity. FinCEN further reported that 92 percent of domestic law enforcement agencies that query BSA data “find the resulting financial intelligence valuable to the detection and deterrence of illicit activity.”
FDIC announces Oklahoma disaster relief
On April 28, the FDIC issued FIL-22-2023 to provide regulatory relief to financial institutions and help facilitate recovery in areas of Oklahoma affected by severe storms, straight-line winds, and tornados from April 19 to 20. The FDIC acknowledged the unusual circumstances faced by affected institutions and encouraged those institutions to work with impacted borrowers to, among other things: (i) extend repayment terms; (ii) restructure existing loans; or (iii) ease terms for new loans, provided the measures are done “in a manner consistent with sound banking practices.” Additionally, the FDIC noted that institutions “may receive favorable Community Reinvestment Act consideration for community development loans, investments, and services in support of disaster recovery.” The FDIC will also consider regulatory relief from certain filing and publishing requirements and instructed institutions to contact the Dallas Regional Office if they expect delays in making filings or are experiencing difficulties in complying with publishing or other requirements.
CFPB proposal would apply ATR requirements to PACE financing
On May 1, the CFPB announced a proposed rule which would prescribe ability-to-repay (ATR) rules to residential Property Assessed Clean Energy (PACE) financing and apply TILA’s civil liability provisions for violations. The proposal, required by Section 307 of the Economic Growth, Regulatory Relief, and Consumer Protection Act, would amend Regulation Z to address how TILA applies to PACE transactions to account for the unique nature of PACE loans. PACE loans are designed to finance clean energy improvements on a borrower’s home and are secured by that residence. The Bureau explained that the loans are repaid through a borrower’s property tax payments, which increase over time and which remain with the property even if the borrower sells the property.
If finalized, the proposed rule would require lenders to assess a borrower’s ability to repay a PACE loan and would (i) clarify an existing exclusion to Regulation Z’s definition of credit relating to tax liens and tax assessments to provide that this specific exclusion “applies only to involuntary tax liens and involuntary tax assessments”; (ii) make several adjustments to PACE financing loan estimate and closing disclosure requirements, including providing new model forms specifically designed for PACE transactions, and exempting PACE transactions from the requirement to establish escrow accounts for certain higher-priced mortgage loans and from the requirement to provide periodic statements; (iii) prescribe ATR requirements for residential PACE financing that account for the unique nature of these transactions; (iv) provide that a PACE transaction is not a qualified mortgage; (v) extend TILA Section 130’s ATR requirements and liability provisions to any “PACE company” with substantial involvement in making credit decisions for a PACE transaction; and (vi) clarify how PACE and non-PACE mortgage creditors should consider pre-existing PACE transactions when originating new mortgage loans.
The proposed effective date is at least one year after the final rule is published in the Federal Register (“but no earlier than the October 1 which follows by at least six months Federal Register publication”), with the possibility of a further extension to ensure compliance with a TILA timing requirement. Comments on the proposed rule are due July 26 or 30 days after publication in the Federal Register, whichever is later.
To accompany the proposed rule, the Bureau released several fast facts breaking down and clarifying proposed coverage and the suggested changes. The Bureau also released a data point report documenting research findings on PACE financing in California and Florida from July 2014 through June 2020. Among other things, the report found that PACE loans create an increase in negative credit outcomes for borrowers, particularly with respect to mortgage delinquency. Additionally, PACE borrowers were more likely to have higher interest rates and increased credit card balances and were more likely to live in census tracts with higher percentages of Black and Hispanic residents relative to the average for their states. The report noted that “PACE outcomes improved significantly in California after that State began requiring PACE companies to consider ability to pay before making a loan.”