InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
OFAC sanctions drug network
On October 19, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions pursuant to Executive Order 14059 against an individual and a drug trafficking organization, two Mexican nationals and members of the designated drug trafficking organization, and three Mexico-based transportation companies. According to OFAC, the designated network evolved into a sophisticated network that is involved in the importation and transport of multi-ton quantities of illicit drugs from Mexico to the U.S. OFAC noted that the designations are the result of OFAC’s ongoing collaboration with Homeland Security Investigations San Diego Strike Force Group, U.S. Customs and Border Protection’s National Targeting Center, and the Government of Mexico. As a result of the sanctions, all property and interests in property belonging to the sanctioned entities in the U.S. are blocked and must be reported to OFAC. Additionally, “any entities that are owned, directly or indirectly, 50 percent or more by one or more blocked persons are also blocked.” OFAC also noted that “persons that engage in certain transactions with the individuals and entities designated today may themselves be exposed to sanctions or subject to an enforcement action.”
OFAC sanctions Russian military technology procurement network
On October 19, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions pursuant to Executive Order 14024 against a Russian military technology procurement network for allegedly procuring military and sensitive dual-use technologies from U.S. manufacturers and supplying them to Russian end-users. The individual and his two companies are designated as part of a joint action with the DOJ and FBI and highlights the U.S. government’s on-going “efforts to hinder Russia’s ability to wage its war of aggression in Ukraine, including by holding accountable those who support Russia’s military by disrupting its illicit defense and technology procurement networks around the world.” The action builds upon an October 14 alert issued by OFAC and the Department of Commerce’s Bureau of Industry and Security and the Department of State, which details the impact of international sanctions and export controls (covered by InfoBytes here). The alert followed the convergence of top officials representing ministries of finance and other government agencies from 33 countries who met to discuss the effects of international sanctions and export controls on Russia’s military-industrial complex and critical defense supply chains.
As a result of the sanctions, all property and interests in property belonging to the sanctioned persons that are in the U.S. or in the possession or control of U.S. persons are blocked and must be reported to OFAC. Further, “any entities that are owned, directly or indirectly, 50 percent or more in the aggregate by one or more of such persons are also blocked.” U.S. persons are prohibited from engaging in any dealings involving the property or interests in property of blocked or designated persons, unless exempt or authorized by a general or specific OFAC license.
The same day, the DOJ (with the support of the Department’s Task Force KleptoCapture) unsealed indictments against nearly a dozen individuals and several entities, including the sanctioned Russian national and his two companies, accused of scheming to export military technologies to Russia.
Treasury releases CFIUS Enforcement and Penalty Guidelines
On October 20, the U.S. Treasury Department released CFIUS Enforcement and Penalty Guidelines to provide the public with information on how the Committee on Foreign Investments in the United States (CFIUS) assesses violations of laws and regulations on transaction parties. The guidelines inform the public about how CFIUS—which is tasked with identifying and mitigating certain national security risks related to foreign investments—assesses whether to impose a penalty or take other enforcement action for a violation of a party’s obligation, as well as factors that CFIUS considers when making such a determination. “The vast majority of those who come before CFIUS abide by their legal obligations and work collaboratively with the Committee to mitigate any national security risks arising from the transaction; however, those who fail to comply with CFIUS mitigation agreements or other legal obligations will be held accountable,” Assistant Secretary of the Treasury for Investment Security Paul Rosen stressed. “Today’s announcement sends a clear message: Compliance with CFIUS mitigation agreements is not optional, and the Committee will not hesitate to use all of its tools and take enforcement action to ensure prompt compliance and remediation, including through the use of civil monetary penalties and other remedies.”
Special Alert: Fifth Circuit finds CFPB funding unconstitutional — Now what?
The Fifth Circuit ruled last night in CFSA v. CFPB that the Consumer Financial Protection Bureau’s funding structure is unconstitutional, triggering a potential wave of implications discussed below.
The holdings
A panel of three Fifth Circuit judges unanimously held that the CFPB funding structure created by Congress violated the Appropriations Clause of the Constitution, which provides that “no money shall be drawn from the Treasury, but in Consequence of Appropriations made by Law.” It ruled that, although the CFPB spends money pursuant to a validly enacted statute, the structure violates the Appropriations Clause because the CFPB obtains its funds from the Federal Reserve (not the Treasury), the CFPB maintains funds in a separate account, the Appropriations Committees do not have authority to review the agency’s expenditures, and the bureau exercises broad authority over the economy. The court rejected the bureau’s arguments that the funding structure was necessarily constitutional because it was created by and subject to Congress, and distinguished other agencies that are funded outside of the annual appropriations process.
New Jersey reaches $495 million RMBS settlement with Swiss bank
On October 17, the New Jersey attorney general’s office announced it had reached a $495 million agreement in principle with a Swiss bank to resolve allegations related to its residential mortgage-backed securities (RMBS) practices leading up to the 2008 financial crisis. The AG stated that if finalized, the settlement will be one of the state’s largest civil monetary recoveries in history. According to the AG, the bank violated New Jersey’s securities laws by making material misrepresentations about the risks of the RMBS in offering documents, including by purportedly failing to disclose to investors material defects about the underlying mortgages. The announcement further stated that the bank allegedly sold the RMBS through registration statements, prospectuses, and other offering materials that contained fraudulent representations about the quality of the underlying loans, and allegedly “failed to disclose to investors the wholesale abandonment of underwriting guidelines designed to ensure that the mortgage loans underlying its securities trusts were made in accordance with appropriate lending guidelines; that numerous loan originators had poor track records of defaults and delinquencies; and that some loan originators had even been suspended from doing business with [the bank].” While neither admitting nor denying the allegations, the bank agreed to pay a $100 million civil monetary penalty and will provide approximately $300 million in restitution for affected investors. The bank is also permanently enjoined from future violations of state securities laws.
OFAC issues finding of violation to entity for sanctions violations
On October 14, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced the issuance of a Finding of Violation to an international financial entity in Puerto Rico, for violations of the Venezuelan Sanctions Regulations (VSR), and the Reporting, Penalties and Procedures Regulations (RPPR). According to the web notice, OFAC claimed that the entity engaged in three transactions totaling approximately $50,000 in violation of VSR, failed to maintain full and accurate records related to the handling of the blocked accounts in violation of RPPR, and failed to report the blocked accounts accurately. In determining the Finding of Violation, OFAC considered aggravating factors, including that the entity failed to exercise a minimal degree of caution or care when it (i) engaged in transactions involving blocked property without obtaining an OFAC license, even though senior managers at the bank were aware an OFAC license was needed; and (ii) failed to maintain relevant records associated with the bank’s handling of the blocked property, which may have impaired its ability to provide full and accurate information to OFAC. OFAC also considered various mitigating factors, including that the entity has not received a penalty notice from OFAC in the preceding five years, it voluntarily self-disclosed the alleged violations, and it has taken numerous remedial measures.
NYDFS reaches $4.5 million settlement over cybersecurity violations
On October 18, NYDFS announced a $4.5 million settlement with a licensed health insurance company for alleged violations of the Department’s Cybersecurity Regulation (23 NYCRR Part 500), which contributed to the exposure of consumers’ sensitive non-public information (NPI). According to NYDFS, a bad actor gained access to a shared email mailbox in 2020 via a phishing attack. This mailbox, NYDFS said, allegedly contained more than six years’ worth of consumer NPI. An NYDFS investigation found that the company allegedly, among other things, failed to implement multi-factor authentication throughout its email environment, did not limit user access privileges (thus allowing nine employees to share login credentials to the compromised mailbox), and failed to implement sufficient data retention and disposal procedures. NYDFS asserted that the cybersecurity event may have been avoided or limited in scope if these security controls had been implemented. Furthermore, the company’s alleged failure to conduct an adequate risk assessment as required by 23 NYCRR Part 500, prevented it from being able to identify the user access privilege and data disposal risks associated with the mailbox that was impacted by the phishing attack. Consequently, the company’s cybersecurity certifications for calendar years 2018 - 2021 were improper, NYDFS said.
Under the terms of the consent order, the company is required to pay a $4.5 million civil money penalty and must conduct a comprehensive cybersecurity risk assessment of its information systems. NYDFS recognized the company’s cooperation throughout the investigation and commended its ongoing and completed remediation efforts, including “devoting significant financial and other resources to enhance its cybersecurity program” and making “changes to its policies, procedures, systems, and governance structures.”
District Court rules FCRA allegation filed before expiration of 30-day investigation period is not ripe
On October 14, the U.S. District Court for the District of South Carolina adopted a magistrate judge’s report and recommendation to grant summary judgment in favor of a defendant accused of violating the FCRA. According to the plaintiff’s amended complaint, the plaintiff opened a loan with the defendant and later entered into a modified agreement that reduced his monthly payments and the future projected balance. He later noticed that his credit report showed (i) the reported balance for his account to be higher than it should have been under the terms of the modified agreement, and (ii) three months of late payments. The plaintiff filed a dispute with the credit reporting agency (CRA) arguing, among other things, that the balance was being misstated. The plaintiff filed another dispute with the CRA regarding the late payments. Plaintiff filed the instant action before the end of the 30-day investigation period for disputes regarding the late payments. The magistrate judge recommended summary judgment be granted to defendant related to claims alleging violation of Section1681s-2b for both (i) the claim predicated on the restated balance, and (ii) the claim predicted on the late payments, but for different reasons. The “late payment” claim “was not ripe when the action was filed” because the 30-day investigation period had not yet expired when the plaintiff filed his amended complaint. For the “restated balance” claim, the magistrate judge’s report found that the parties had a genuine legal dispute over their interpretations of the modified agreement—whether the balance due should be reduced at the time of the modification agreement or at the end of the modification term, which was not a factual inaccuracy: “the Report found violations of 15 U.S.C. 1681a-2(b) must be based on factual inaccuracies, not legal disputes, and as Plaintiff bases his claim on a legal dispute, he cannot prevail on his FCRA claim.” This district court agreed noting that the plaintiff did not appear to object to the legal determination that “as a matter of a law a violation of a §1681s-2(b) could not be based on a legal dispute over the terms of a contract[.]” The report also noted that the plaintiff failed to demonstrate that he is entitled to actual damages—a requirement for a negligent violation of the FCRA—nor did he show that the defendant willfully violated the FCRA in order to be entitled to statutory or punitive damages. The district court agreed with the report and recommendations and dismissed the case with prejudice.
FDIC proposes amendments to its guide on supervisory appeals process
On October 18, the FDIC Board of Directors announced it is soliciting further public comments on proposed amendments to its Guidelines for Appeals of Material Supervisory Determinations. The notice follows an action taken by the Board earlier in May, which restored the Supervision Appeals Review Committee (SARC) as the final level of review in the agency’s supervisory appeals process (covered by InfoBytes here). While the revised guidelines took effect immediately, the FDIC solicited comments on the changes. In response to comments received, the proposed amendments would add the agency’s ombudsman to the SARC as a non-voting member, and the ombudsman would be responsible for monitoring the supervision process after a financial institution submits an appeal. The proposed amendments would also require that materials considered by the SARC be shared with both parties to the appeal (subject to applicable legal limitations on disclosure), and allow financial institutions to request a stay of material supervisory determination while an appeal is pending. Additionally, the division director would be given the discretion to grant a stay or grant a stay subject to certain conditions. Comments on the proposed amendments are due within 30 days of publication in the Federal Register.
FDIC raises deposit insurance assessment rates
On October 18, the FDIC Board of Directors approved the adoption of a final rule to increase the initial base deposit insurance assessment rate schedules uniformly by two basis points beginning with the first quarterly assessment period of 2023. (See also FDIC fact sheet here.) The FDIC said that after considering comments and updated analysis and projections, the increase in assessment rates was adopted without change from when it was proposed in June (covered by InfoBytes here). The FDIC emphasized that the increased assessment revenue is intended to increase the likelihood that the reserve ratio of the Deposit Insurance Fund (DIF) reaches the statutory minimum of 1.35 percent by the mandated deadline of September 30, 2028, while also reducing the likelihood that the FDIC would need to consider a potentially pro-cyclical assessment rate increase where it raises assessments when banking and economic conditions may be less favorable. This increase “is projected to have an insignificant effect on institutions’ capital levels, is estimated to reduce income slightly by annual average of 1.2 percent, and should not impact lending or credit availability in any meaningful way,” the FDIC said. Concurrently, the FDIC maintained the Designated Reserve Ratio for the DIF at two percent for 2023.
Acting Chairman Martin J. Gruenberg stressed that it “is better to take prudent but modest action earlier in the statutory 8-year period to reach the minimum reserve ratio, than to delay and potentially have to consider a pro-cyclical assessment increase.” CFPB Director and FDIC Board Member Rohit Chopra also chimed in, saying that while he voted in favor of finalizing the deposit insurance rate increase, there are a number of changes that must be made over the long term to deposit insurance assessment policies. These include (i) finding ways for banks that pose the most risk to the DIF “to pay more, relative to smaller institutions where the likelihood of large losses to the Fund are tiny”; (ii) building a framework to ensure assessment rate changes are countercyclical where premiums are adjusted “upward and downward based on economic conditions, recent industry profits, and other appropriate indicators”; and (iii) developing “a framework that relies less on ad-hoc adjustments and more on a systematized formula” based on specific quantitative factors.