InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Biden issues executive order on EU-U.S. privacy shield replacement
On October 7, President Biden signed an Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities (E.O.) to address the facilitation of transatlantic data flows between the EU and the U.S. The E.O. outlines commitments the U.S. will take under the EU-U.S. Data Privacy Framework, which was announced in March as a replacement for the invalidated EU-U.S. Privacy Shield. As previously covered by InfoBytes, the Court of Justice of the EU (CJEU) issued an opinion in the Schrems II case (Case C-311/18) in July 2020, holding that the EU-U.S. Privacy Shield did not satisfy EU legal requirements. In annulling the EU-U.S. Privacy Shield, the CJEU determined that because the requirements of U.S. national security, public interest, and law enforcement have “primacy” over the data protection principles of the EU-U.S. Privacy Shield, the data transferred under the EU-U.S. Privacy Shield would not be subject to the same level of protections prescribed by the GDPR.
Among other things, the E.O. bolsters privacy and civil liberty safeguards for U.S. signals intelligence-gathering activities, and establishes an “independent and binding mechanism” to enable “qualifying states and regional economic integration organizations, as designated under the E.O., to seek redress if they believe their personal data was collected through U.S. signals intelligence in a manner that violated applicable U.S. law.” Specifically, the E.O. (i) creates further safeguards for how the U.S. signals intelligence community conducts data transfers; (ii) establishes requirements for handling personal information collected through signals intelligence activities and “extends the responsibilities of legal, oversight, and compliance officials to ensure that appropriate actions are taken to remediate incidents of non-compliance”; (iii) requires the U.S. signals intelligence community to make sure policies and procedures reflect the E.O.’s new privacy and civil liberty safeguards; (iv) establishes a multi-layer review and redress mechanism, under which the Civil Liberties Protection Officer in the Office of the Director of National Intelligence (CLPO) is granted the authority to investigate complaints of improper collection and handling of personal data and may issue binding decisions on whether improper conduct occurred and what the appropriate remediation should be; (v) directs the U.S. attorney general to establish a Data Protection Review Court (DPRC) to independently review CLPO decisions, thereby serving as the second level of the E.O.’s redress mechanism (see DOJ announcement here); and (vi) calls on the Privacy and Civil Liberties Oversight Board to review U.S. signals intelligence community policies and procedures to ensure they are consistent with the E.O.
North Carolina issues enforcement order against debt collection operation
On October 10, the North Carolina attorney general announced a consent judgment with the president and CEO of two debt collection companies (collectively, “defendants”). According to the AG, in 2019, the AG sued the defendants for allegedly engaging in illegal debt collection practices. The AG alleged that from 2012 to 2018, the CEO used his debt collection companies to buy unpaid consumer debt from a national corporation that sells rent-to-own household furniture, appliances, and electronics. Since 2018, he allegedly collected or attempted to collect on these unpaid debts from North Carolina consumers, even though he did not have the correct registration or permits to operate in the state. The AG further noted that the defendants allegedly sent customers simulated court notices that were not from the court and claimed they had committed a criminal violation by failing to return rented property. When consumers contacted the companies they received debt collection threats. The defendants also filed criminal complaints in several counties that resulted in actual criminal summonses being issued against customers. Among other things, the defendants are ordered to forgive the debts of 20,000 individuals, refund 650 consumers, and pay fines. The defendants are also permanently banned from collecting debts in North Carolina, and are required to report compliance to the AG’s office.
NYDFS announces fair lending settlement with indirect auto lender
On October 6, NYDFS announced a settlement with a New York State-licensed bank to resolve allegations that the bank violated New York Executive Law § 296-a while engaged in indirect automobile lending. NYDFS alleged that the bank’s practices resulted in minority borrowers paying higher interest rates than non-Hispanic white borrowers regardless of their creditworthiness. According to the announcement, the bank allegedly “failed to effectively monitor automobile dealers from which [the bank] agreed to purchase loans, thereby allowing the dealers to charge members of protected classes more in discretionary dealer markups than borrowers identified as non-Hispanic White.” Under the terms of the consent order, the bank agreed to pay a $950,000 civil money penalty to the state, as well as restitution to eligible borrowers impacted during the period of January 1, 2017 through March 31, 2022. The bank also agreed to undertake fair lending compliance remediation efforts to increase its monitoring of dealers participating in its indirect auto lending program to precent discriminatory markups in the future.
District Court rules in favor of debt collectors in FDCPA, FCRA dispute
On October 7, the U.S. District Court for the Eastern District of Pennsylvania granted defendants’ motion for summary judgment in an FDCPA, FCRA action. According to the opinion, the plaintiff took out a $20,000 loan but never made any payments on the loan. The charged off loan was assigned to the defendant debt purchaser, and a written notice was sent to the plaintiff who requested validation of the debt. The defendant loan servicer provided the account information to the plaintiff and later began furnishing the information to the consumer reporting agencies (CRAs). The plaintiff sued alleging the defendants violated sections 1681s-2(a) and 1681s-2(b) of the FCRA, as well as multiple sections of the FDCPA. Under section 1681s-2(b), a furnisher who has been notified by a CRA of a consumer dispute is required to conduct a reasonable investigation and follow certain procedures. The court noted, however, that these obligations are only triggered if the furnisher received such notice. In this instance, there is no record showing that any CRA reported the plaintiff’s dispute to the defendants, the court said, adding that, moreover, section 1681s-2(a) does not include a private right of action. With respect to the plaintiff’s FDCPA claims, the court determined that, among other things, (i) the plaintiff failed to provide evidence supporting the majority of his claims; (ii) section 1692g does not require the defendants to verify the plaintiff’s account by providing documentation bearing his signature or providing the contractual agreement governing the debt (in this instance, the defendant loan servicer met the minimal requirements by providing an account summary report); and (iii) that nothing in section 1692g requires a debt collector to respond to a dispute within 30 days—this timeframe only applies to when a debtor must dispute a debt, not to the debt collector’s period to provide verification, the court wrote.
SEC accuses crypto companies of $37 million scheme
On September 30, the SEC filed a complaint in the U.S. District Court for the Southern District of Florida against two cryptocurrency companies and their principals (collectively, “defendants”) claiming that they falsely promised investors that their cryptocurrency was backed by a $10 billion gold bullion investment. According to the complaint, the SEC alleged that between May 2018 and January 2019, the defendants “made material misrepresentations and omissions to investors while they were offering and selling [a crypto asset that the companies owned and controlled] in a series of news and press releases issued to the public." The releases falsely claimed that one of the cryptocurrency companies had acquired and received title to $10 billion in gold bullion and intended to back each token that was owned and controlled by the companies issued and sold to investors with $1.00 worth of this gold. One of the companies claimed to have acquired the gold through a purchase transaction with one of the principles and his company. The defendants also misrepresented that independent accounting firms had performed an “audit” of the gold and verified its existence. In reality, the gold acquisition transaction was a sham. The SEC’s complaint alleged violations of anti-fraud and securities registration provisions of the federal securities laws. The SEC is seeking permanent injunctive relief, disgorgement plus prejudgment interest, civil penalties and officer-and-director bars against the individual defendants.
Hsu says regulators should coordinate efforts to mitigate crypto risks
On October 11, acting Comptroller of the Currency Michael J. Hsu delivered remarks before DC Fintech Week 2022, discussing the importance of identifying and monitoring cryptocurrency risks to protect consumers and the financial system. Among other things, Hsu noted that crypto “is an immature industry based on an immature technology.” He added that the industry still needs to deal with “the unabating volume of scams, hacks, and fraud.” Hsu voiced his concerns about integrating crypto into the traditional financial system without a more “accurate and complete” view of the risks. He noted that “[t]he largest crypto players today want to provide an increasingly broad range of services seamlessly under one roof for their customers.” Hsu pointed out that even though commingling crypto activities could “offer convenience for consumers and cost savings for crypto firms, conflicts abound and the riskiest activity threatens the whole bundle.” He warned that banks looking “to engage in crypto activities may want to carefully consider the scope of what they want to do, start with what can be most readily risk managed, and impose gates, through limits and other controls, to prevent uncontrolled expansion and growth into higher-risk activities.”
Hsu also delivered remarks before the Harvard Law School and Program on International Financial Systems Roundtable on Institutional Investors and Crypto Asset, discussing the need for clarifying supervisory expectations related to crypto activities and the role of regulators to ensure safety and soundness while promoting responsible innovation. Hsu said that regulators should coordinate efforts to write rules that help mitigate risks associated with digital assets. He emphasized that the term “don’t chase” for financial regulators means “not lowering our standards when dealing with crypto.” He further pointed out that “[s]haring information with peer agencies and seeking a common understanding of the risks and opportunities in the space can help ensure that regulatory standards remain high and the playing field stays level.” Hsu concluded by reiterating that he is a “crypto skeptic,” stating that his “skepticism of crypto stems from a frustration that the most promising innovations have been crowded out by hype and a fixation on trading,” and said that “[p]rogrammability, composability, and tokenization hold promise.”
Fed to roll out new bank application filing system at the end of October
On October 6, the Federal Reserve Board announced that the current bank application filing system will be replaced with a new, upgraded cloud-based system known as FedEZFile later this month. The Fed stated that while the substantive requirements of the applications will remain the same, the new system will make the filing process more intuitive. Paper applications and communications will also be minimized. Under the system, applicants will be provided real-time status tracking, two-way messaging, and the ability to digitally sign documents. A webinar on the new system is forthcoming.
FINRA alerts firms about rising ACATS fraud
On October 6, FINRA issued Regulatory Notice 22-21, alerting member firms to the rising trend of fraudulent account transfers of customer accounts using the Automated Customer Account Transfer Service (ACATS)—an automated system that facilitates the transfer of customer account assets from one member firm to another. FINRA explained that “ACATS fraud is related to the growing threat of new accounts being opened online or through mobile applications using stolen or synthetic identities,” and may occur when the identity of a legitimate customer of a carrying member is stolen by a bad actor to open a brokerage account online or through a mobile app at a receiving member. Bad actors, FINRA warned, may open a new account using stolen information only or through a combination of stolen and false information, and will try to move the ill-gotten assets to an external account at a different financial institution. FINRA reminded members of regulatory obligations that may apply to ACATS fraud, including know-your-customer rules, Bank Secrecy Act/AML requirements, and the Identity Theft Red Flags Rule.
Treasury requests feedback on cyberinsurance
On October 7, the U.S. Treasury Department published its Annual Report on the Insurance Industry, as required by the Dodd-Frank Act. The report discussed the U.S. insurance industry’s financial performance and its financial condition for the year ending December 31, 2021, and provided a domestic outlook for the industry for 2022. The report also summarized the Federal Insurance Office’s (FIO) activities and addressed certain matters affecting the domestic and international insurance industry.
Earlier, Treasury issued a request for input in the Federal Register on a potential federal insurance response to catastrophic cyber incidents. According to Treasury, “the comments will inform FIO’s work in responding to a recommendation by the U.S. Government Accountability Office that FIO and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency jointly assess the extent to which the risks to U.S. critical infrastructure from catastrophic cyberattacks warrant a federal insurance response.” The request stated that cyber insurance is a significant risk transfer mechanism, and that the insurance industry has an important role to play in strengthening cyber hygiene and building resiliency. Comments are due November 14.
FSB reports on stablecoins and crypto-asset activities
Recently, Financial Stability Board (FSB) Chair Klaas Knot sent a letter to the G20 Finance Ministers and Central Bank Governors concerning global financial stability, followed by the release of two FSB reports. The letter stated that “turmoil in crypto-asset markets has validated many of the FSB’s concerns about crypto assets,” and noted that the “‘crypto winter’ has reinforced [its] assessment of existing structural vulnerabilities.” The letter expressed concerns that the risks crypto assets pose to financial stability are "likely to come back to the fore sooner rather than later.” Knot stated that the FSB’s report on stablecoins expanded recommendations for the regulation of stablecoins, which are digital tokens that aim to maintain a one-on-one value with less volatile assets such as the euro or dollar. In the stablecoin report, the FSB stated that most existing stablecoins would not meet its recommendations at present, and would require “significant improvements” to their governance, risk management, stabilization mechanisms and disclosures. Knot also discussed the FSB's report on crypto-asset activities and markets, which focuses on regulatory, supervisory, and oversight issues relating to crypto-assets to help ensure safe innovation. The report noted that “[c]orrelations between crypto-asset prices and mainstream equity indices have been steadily increasing since year-end 2021 and peaked in May 2022, when the market stress began.” The letter further described that in 2020, G20 Leaders endorsed the Roadmap for Enhancing Cross-border Payments to address the frictions that payments currently face, and thereby achieve faster, cheaper, more transparent and more inclusive cross-border payment services. As previously covered by InfoBytes, Knot stated that the recent FSB report on the roadmap presents “priorities for this new phase of the work, and proposes an intensified public-private sector collaboration to take this forward.” In regard to cyber risks, he stated that cyber-risk safeguards are important due to rapidly growing cyber incidents. He further stated that the FSB “is working to promote a resilient global financial system in the near term and over the longer run, supporting policymakers in the G20 to foster stronger, equitable and inclusive growth.”