InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
FinCEN provides timing on CTA rulemaking
On October 12, FinCEN acting Director Himamauli Das provided timelines on recent agency efforts to combat financial crime. Speaking during the ACAMS AML Conference, Das pointed to actions taken by bad actors to hide assets behind shell/front companies and evade U.S. sanctions, and highlighted measures, including beneficial ownership information reporting, suspicious activity reporting, and geographic targeting, designed to combat illicit activity. Das also provided an update on recent rulemakings mandated by the Corporate Transparency Act (CTA), including (i) the beneficial ownership reporting rule (which takes effect January 1, 2024, and is covered by InfoBytes here); (ii) the access rule, which would establish protocols for accessing the beneficial ownership database by law enforcement and financial institutions (FinCEN is currently working on the notice of proposed rulemaking and expects to issue it in the near term); and (iii) the Customer Due Diligence rule, which Das said will be revised “no later than one year after the effective date of the reporting rule” as required by the CTA. He added that FinCEN is also developing an “infrastructure to build a secure and confidential database that meets the highest security standards” to ensure only authorized users can access information. This system is expected to be operational by the time the beneficial ownership reporting rule takes effect. Additionally, FinCEN will, among other things, develop guidance and educational materials to assist companies when preparing their beneficial ownership information reports and will continue to regularly update its dedicated resource page on this subject.
Bank agrees to pay $1.8 billion to settle RMBS bond insurance claims
On October 7, a national bank announced in a regulatory filing that it has agreed to pay $1.84 billion to settle claims brought by a bond insurer concerning policies provided on residential mortgage-backed securities before the 2008 financial crisis. According to the regulatory filing, the agreement will “resolve all pending [bond insurer] lawsuits” (containing damages claims of more than $3 billion) against the bank and its subsidiaries, will cause all pending litigation to be dismissed with prejudice, and will release the bank and its subsidiaries from “all outstanding claims” related to bond insurance policies for certain securitized pools of residential mortgage loans.
District Court partially dismisses FDCPA suit concerning disputed debt
On October 5, the U.S. District Court for the District of Arizona partially granted a defendant’s motion to dismiss in an FDCPA suit, which alleged that the defendant furnished information to the credit reporting agencies (CRAs) that did not belong to the plaintiff. According to the order, the plaintiff noticed that the defendant was reporting a collection account to the CRAs for a debt he did not recognize. He called the defendant who was unable to locate the plaintiff through his personal identifiers. The defendant told the plaintiff that the debt reporting on the plaintiff’s credit report was a medical debt and was owed by a third party with a different name and a different social security number. After the defendant confirmed that the debt did not belong to him, the plaintiff submitted a dispute to the CRA challenging the defendant’s reporting of the debt and requested that the defendant and the CRA remove the debt from his report. The CRA notified the defendant of the plaintiff’s dispute within five days of receiving the dispute. The defendant allegedly continued to report the debt as belonging to the plaintiff to the CRA, and did not request that the CRA note on the plaintiff’s credit report that the debt was disputed by the plaintiff. The plaintiff claimed that the defendant violated the FDCPA, contending that his “credit score has decreased as a result of [the defendant’s] erroneous credit reporting, which has frustrated [the plaintiff’s] ability to obtain credit.” The plaintiff also alleged that he suffered emotional distress and anxiety.
The defendant argued that it did not violate the FDCPA because it was the CRA that connected the underlying debt to the plaintiff’s credit report. The defendant also argued that the plaintiff did not provide the defendant with an appropriate period of time to mark the debt as disputed before filing the suit in question. The court found that the plaintiff had stated a claim upon which relief could be granted, explaining, among other things, that the defendant “does not point to any authority that, to state a claim under § 1692e(8), reporting of a debt must be to a credit report as opposed to any third party.” However, the court dismissed the § 1692f claim on the ground that the underlying conduct was already covered in the 1692e(8) claim.
Republicans seek answers from OCC on bank-fintech partnerships
On October 11, House Financial Services Committee Ranking Member Patrick McHenry (R-NC), joined by Republican members of the Task Force on Financial Technology, sent a letter to acting Comptroller of the Currency Michael J. Hsu asking for clarification on the OCC’s position regarding bank-fintech partnerships. The lawmakers asserted that the OCC previously “worked to provide banks and their customers with a clear understanding of the regulatory and supervisory expectations surrounding emerging products and services,” as well as how to properly assess risk, but contended that leadership under the current administration has not continued to do so. Citing the importance of innovation to the U.S. economy and the impact new financial products and services can have on costs, inclusion, and competition, the letter expressed concerns related to the potential for further uncertainty surrounding these partnerships and the resulting consequences for consumers. “Technological innovation fostered by fintech partnerships has enabled banks to reach segments of the population that may have been left behind and increase customer engagement,” the lawmakers wrote, expressing their belief that the benefits from these partnerships far outweigh the risks. “Much of this innovation has been driven by industry newcomers that have developed a novel product or business model. When properly regulated, these partnerships can provide greater financial inclusion, spur technological innovation, and foster competition that ultimately benefits consumers.”
Referring to an action taken by President Biden in June 2021, which repealed the OCC’s “true lender” rule pursuant to the Congressional Review Act (covered by InfoBytes here), the lawmakers asked the OCC whether it anticipates fintech partnerships ending as a result of potential regulatory changes, and questioned how the agency plans to “ensure that examiners do not discourage innovation through fintech partnerships” or “impose unreasonable burdens on banks and fintechs.” The letter also asked the OCC to respond to a series of questions, including, among other things, how it plans to determine the acceptable terms for bank-fintech partnerships, how it intends to analyze fintechs that are helping to bring the banking business into the digital era, and how examiners will evaluate a bank’s assessments of third parties’ cybersecurity risk management and resilience capabilities and whether such evaluations will “be carefully tailored to the actual risk posed by the particular bank-fintech partnership.”
OFAC, FinCEN take action against virtual currency exchange
On October 11, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC), together with the Financial Crimes Enforcement Network (FinCEN), announced two settlements for more than $24 million and $29 million, respectively, with a Washington state-based virtual currency exchange. According to OFAC’s announcement, this is the agency’s largest virtual currency enforcement action to date, and represent the first parallel actions taken by FinCEN and OFAC in this space.
OFAC settlement. OFAC’s web notice stated that between March 28, 2014 and December 31, 2017, the exchange operated 1,730 accounts that processed 116,421 virtual currency-related transactions totaling roughly $263,451,600.13, in apparent violation of OFAC sanctions against Cuba, Ukraine, Iran, Sudan, and Syria. Specifically, due to alleged deficiencies in the exchange’s sanctions compliance procedures, the exchange failed to prevent persons located in the sanctioned jurisdictions from using its platform to engage in more than $263,000,000 worth of virtual currency-related transactions. OFAC claimed that while the IP addresses and physical address information collected on each customer at onboarding should have given the exchange reason to know that the persons were located in jurisdictions subject to sanctions, the exchange did not “screen customers or transactions for a nexus to sanctioned jurisdictions.” Rather, the exchange only screened transactions for hits against lists including OFAC’s List of Specially Designated Nationals and Blocked Persons. In arriving at the settlement amount of $24,280,829.20, OFAC considered various aggravating factors, including that the exchange did not exercise due caution or care for its sanctions compliance obligations and conveyed economic benefit to persons located in jurisdictions subject to OFAC sanctions, thus causing harm to the integrity of multiple sanctions programs. OFAC also considered various mitigating factors, including that the exchange provided substantial cooperation throughout the investigation, most of the transactions were for a relatively small amount and represented a small percentage when compared to the exchange’s annual volume of transactions, and the exchange has undertaken remedial measures intended to minimize the risk of recurrence of similar conduct.
FinCEN settlement. According to FinCEN’s press release, an investigation found that from February 2014 through December 2018, the exchange failed to maintain an effective AML program, resulting in its inability to appropriately address risks associated with its products and services, including anonymity-enhanced cryptocurrencies. The exchange also failed to effectively monitor transactions on its trading platform, and relied “on as few as two employees with minimal anti-money laundering training and experience to manually review all of the transactions for suspicious activity, which at times were over 20,000 per day.” FinCEN claimed that the exchange conducted more than 116,000 transactions valued at over $260 million with persons located in jurisdictions subject to OFAC sanctions, including those operating in Iran, Cuba, Sudan, Syria, and the Crimea region of Ukraine, and failed to file suspicious activity reports (SARs) between February 2014 and May 2017. The exchange also “failed to file SARs on a significant number of transactions involving sanctioned jurisdictions, including the processing of over 200 transactions that involved $140,000 worth of virtual assets—nearly 100 times larger than the average withdrawal or deposit on the Bittrex platform—and 22 transactions involving over $1 million worth of virtual assets,” FinCEN said in its announcement. Under the terms of the consent order, the exchange—which admitted to willfully violating the Bank Secrecy Act (BSA) and its implementing regulations—will pay a $29,280,829.20 civil money penalty. FinCEN stated it will credit the $24,280,829.20 the exchange has agreed to pay for the OFAC violations.
During remarks delivered at the Association of Certified Anti-Money Laundering Specialists, Under Secretary for Terrorism and Financial Intelligence Brian Nelson discussed, among other topics, Treasury’s efforts to counter illicit finance. Nelson highlighted the aforementioned settlements, stressing that failing to comply with BSA/AML requirements and SARs filing obligations “are not something that companies focused on growth can simply put off to a later day.” He also emphasized that Treasury will continue to strengthen ties with interagency partners and international counterparts to identify and pursue potential violations.
Biden outlines aggressive approach for strengthening U.S. cybersecurity
On October 11, President Biden outlined actions for strengthening and safeguarding the nation’s cybersecurity. In addition to stressing the importance of improving cybersecurity and resilience measures for critical infrastructure owners and operators, the Biden administration outlined additional priorities that focus on (i) strengthening the federal government’s cybersecurity requirements; (ii) countering ransomware attacks, including by making it more difficult for criminals to move illicit money; (iii) collaborating with allies and partners to build collective cybersecurity, develop coordinated responses, and develop cyber deterrence; (iv) imposing costs on and sanctioning malicious cyber actors; (v) implementing internationally-accepted cyber “rules of the road”; (vi) strengthening cyber-education efforts; (vii) developing quantum-resistant encryption algorithms to protect privacy in digital systems such as online banking; and (viii) establishing research centers and workforce development programs under the National Quantum Initiative to protect investments, companies, and intellectual property and prevent harm as technology in this space continues to develop.
Biden issues executive order on EU-U.S. privacy shield replacement
On October 7, President Biden signed an Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities (E.O.) to address the facilitation of transatlantic data flows between the EU and the U.S. The E.O. outlines commitments the U.S. will take under the EU-U.S. Data Privacy Framework, which was announced in March as a replacement for the invalidated EU-U.S. Privacy Shield. As previously covered by InfoBytes, the Court of Justice of the EU (CJEU) issued an opinion in the Schrems II case (Case C-311/18) in July 2020, holding that the EU-U.S. Privacy Shield did not satisfy EU legal requirements. In annulling the EU-U.S. Privacy Shield, the CJEU determined that because the requirements of U.S. national security, public interest, and law enforcement have “primacy” over the data protection principles of the EU-U.S. Privacy Shield, the data transferred under the EU-U.S. Privacy Shield would not be subject to the same level of protections prescribed by the GDPR.
Among other things, the E.O. bolsters privacy and civil liberty safeguards for U.S. signals intelligence-gathering activities, and establishes an “independent and binding mechanism” to enable “qualifying states and regional economic integration organizations, as designated under the E.O., to seek redress if they believe their personal data was collected through U.S. signals intelligence in a manner that violated applicable U.S. law.” Specifically, the E.O. (i) creates further safeguards for how the U.S. signals intelligence community conducts data transfers; (ii) establishes requirements for handling personal information collected through signals intelligence activities and “extends the responsibilities of legal, oversight, and compliance officials to ensure that appropriate actions are taken to remediate incidents of non-compliance”; (iii) requires the U.S. signals intelligence community to make sure policies and procedures reflect the E.O.’s new privacy and civil liberty safeguards; (iv) establishes a multi-layer review and redress mechanism, under which the Civil Liberties Protection Officer in the Office of the Director of National Intelligence (CLPO) is granted the authority to investigate complaints of improper collection and handling of personal data and may issue binding decisions on whether improper conduct occurred and what the appropriate remediation should be; (v) directs the U.S. attorney general to establish a Data Protection Review Court (DPRC) to independently review CLPO decisions, thereby serving as the second level of the E.O.’s redress mechanism (see DOJ announcement here); and (vi) calls on the Privacy and Civil Liberties Oversight Board to review U.S. signals intelligence community policies and procedures to ensure they are consistent with the E.O.
North Carolina issues enforcement order against debt collection operation
On October 10, the North Carolina attorney general announced a consent judgment with the president and CEO of two debt collection companies (collectively, “defendants”). According to the AG, in 2019, the AG sued the defendants for allegedly engaging in illegal debt collection practices. The AG alleged that from 2012 to 2018, the CEO used his debt collection companies to buy unpaid consumer debt from a national corporation that sells rent-to-own household furniture, appliances, and electronics. Since 2018, he allegedly collected or attempted to collect on these unpaid debts from North Carolina consumers, even though he did not have the correct registration or permits to operate in the state. The AG further noted that the defendants allegedly sent customers simulated court notices that were not from the court and claimed they had committed a criminal violation by failing to return rented property. When consumers contacted the companies they received debt collection threats. The defendants also filed criminal complaints in several counties that resulted in actual criminal summonses being issued against customers. Among other things, the defendants are ordered to forgive the debts of 20,000 individuals, refund 650 consumers, and pay fines. The defendants are also permanently banned from collecting debts in North Carolina, and are required to report compliance to the AG’s office.
NYDFS announces fair lending settlement with indirect auto lender
On October 6, NYDFS announced a settlement with a New York State-licensed bank to resolve allegations that the bank violated New York Executive Law § 296-a while engaged in indirect automobile lending. NYDFS alleged that the bank’s practices resulted in minority borrowers paying higher interest rates than non-Hispanic white borrowers regardless of their creditworthiness. According to the announcement, the bank allegedly “failed to effectively monitor automobile dealers from which [the bank] agreed to purchase loans, thereby allowing the dealers to charge members of protected classes more in discretionary dealer markups than borrowers identified as non-Hispanic White.” Under the terms of the consent order, the bank agreed to pay a $950,000 civil money penalty to the state, as well as restitution to eligible borrowers impacted during the period of January 1, 2017 through March 31, 2022. The bank also agreed to undertake fair lending compliance remediation efforts to increase its monitoring of dealers participating in its indirect auto lending program to precent discriminatory markups in the future.
District Court rules in favor of debt collectors in FDCPA, FCRA dispute
On October 7, the U.S. District Court for the Eastern District of Pennsylvania granted defendants’ motion for summary judgment in an FDCPA, FCRA action. According to the opinion, the plaintiff took out a $20,000 loan but never made any payments on the loan. The charged off loan was assigned to the defendant debt purchaser, and a written notice was sent to the plaintiff who requested validation of the debt. The defendant loan servicer provided the account information to the plaintiff and later began furnishing the information to the consumer reporting agencies (CRAs). The plaintiff sued alleging the defendants violated sections 1681s-2(a) and 1681s-2(b) of the FCRA, as well as multiple sections of the FDCPA. Under section 1681s-2(b), a furnisher who has been notified by a CRA of a consumer dispute is required to conduct a reasonable investigation and follow certain procedures. The court noted, however, that these obligations are only triggered if the furnisher received such notice. In this instance, there is no record showing that any CRA reported the plaintiff’s dispute to the defendants, the court said, adding that, moreover, section 1681s-2(a) does not include a private right of action. With respect to the plaintiff’s FDCPA claims, the court determined that, among other things, (i) the plaintiff failed to provide evidence supporting the majority of his claims; (ii) section 1692g does not require the defendants to verify the plaintiff’s account by providing documentation bearing his signature or providing the contractual agreement governing the debt (in this instance, the defendant loan servicer met the minimal requirements by providing an account summary report); and (iii) that nothing in section 1692g requires a debt collector to respond to a dispute within 30 days—this timeframe only applies to when a debtor must dispute a debt, not to the debt collector’s period to provide verification, the court wrote.