
InfoBytes Blog

Financial Services Law Insights and Observations


  • House Oversight seeks info from digital asset exchanges, financial regulators

    Federal Issues

    On August 30, the Subcommittee on Economic and Consumer Policy of the House Committee on Oversight and Reform announced that Representative Raja Krishnamoorthi (D-IL), Chair of the Subcommittee, sent letters to the U.S. Treasury Department, SEC, CFTC, and FTC, in addition to five digital asset exchanges, requesting information on how they are combating cryptocurrency-related fraud and scams. According to his letters, Chairman Krishnamoorthi is “concerned about the growth of fraud and consumer abuse linked to cryptocurrencies.” He further added that “[t]he lack of a central authority to flag suspicious transactions in many situations, the irreversibility of transactions, and the limited understanding many consumers and investors have of the underlying technology make cryptocurrency a preferred transaction method for scammers.” In the letters to the federal agencies, he stated that “the federal government has been slow to curb cryptocurrency scams and fraud,” and that “[e]xisting federal regulations do not comprehensively or clearly cover cryptocurrencies under all circumstances.” In one of the letters to the digital asset exchanges, Krishnamoorthi noted that “cryptocurrency exchanges must themselves act to protect consumers conducting transactions through their platforms.” The letters requested that all recipients provide information to the subcommittee outlining “steps they are taking to combat cryptocurrency-related fraud and scams and additional actions that are needed to protect Americans” in order to “help Congress understand what they are doing to protect consumers and inform legislative solutions to bring stability to the digital asset industry.”

    Federal Issues Fintech Digital Assets U.S. House Department of Treasury SEC CFTC FTC

  • Treasury caps Russian oil sales; OFAC guidance coming soon

    Financial Crimes

    On September 2, the U.S. Treasury Department announced that G7 Finance Ministers confirmed their joint intention to implement a price cap on Russian-origin crude oil and petroleum products. According to the statement, G7 countries, along with other allies and partners, “plan to prohibit the provision of services that enable maritime transportation of such oil and products unless purchased at or below a price level determined by the coalition of countries adhering to and implementing the price cap.” Secretary of the Treasury Janet L. Yellen issued a statement commending the action. She noted that the price cap will “help deliver a major blow for Russian finances and will both hinder Russia’s ability to fight its unprovoked war in Ukraine and hasten the deterioration of the Russian economy,” while also maintaining supplies to global energy markets by keeping Russian oil flowing at lower prices.

    In conjunction with the announcement, OFAC said it plans to publish preliminary guidance on implementing the price cap later this month. The guidance will provide a high-level overview of the mechanism, including how U.S. persons can comply in advance of formal guidance and legal implementation which will be issued at a later date.

    Financial Crimes Of Interest to Non-US Persons Department of Treasury OFAC G7 Russia Ukraine Ukraine Invasion

  • Temporary exemptions under CCPA/CPRA for human resource and business-to-business data set to expire January 1, 2023

    Privacy, Cyber Risk & Data Security

    The California legislative session ended on August 31, foreclosing any chance of the legislature extending temporary exemptions under the California Consumer Privacy Act (CCPA)/California Privacy Rights Act (CPRA) related to human resource and business-to-business data, set to expire January 1, 2023. The legislature proposed several bills throughout the legislative session that would have extended the exemptions, but all of them stalled. In a last-ditch effort, a California assembly member proposed amendments to AB 1102 that would have extended the exemptions to January 1, 2025 if adopted during the August 31 floor session.

    According to the amendments, the CPRA recognized that various rights afforded to consumers under the CCPA and CPRA are not suited to the employment context, and as such, clarified that the CPRA “does not apply to personal information collected by a business about a natural person in the course of the natural person acting within the employment context, including emergency contact information, information necessary to administer benefits, or information collected in the course of business to business communications or transactions.” The amendments attempted to extend the exemption for “personal information that is collected and used by a business solely within the context of having an emergency contact on file, administering specified benefits, or a person’s role or former role as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or an independent contractor of that business.” The amendments also proposed extending certain exemptions related to “personal information reflecting a communication or a transaction between a business and a company, partnership, sole proprietorship, nonprofit, or government agency that occurs solely within the context of the business conducting due diligence or providing or receiving a product or service.” Although the amendments did not address the reason for the extension for the business exemption, they stated that while the legislature and advocates continue to engage in discussions concerning the enactment of “robust and implementable privacy protections tailored to the employment context,” extending the exemptions would provide temporary protections around worker monitoring while giving businesses more time to enact these protections. However, the amendments were not adopted, and the exemptions will expire as originally intended on January 1, 2023.

    As previously covered by InfoBytes, the CPRA (largely effective January 1, 2023, with enforcement delayed until July 1, 2023) was approved by ballot measure in November 2020 to amend and build on the CCPA. In July, the California Privacy Protection Agency initiated formal rulemaking procedures to adopt proposed regulations implementing the CPRA (covered by InfoBytes here). CPPA Executive Director Ashkan Soltani said he expects the rulemaking process to extend into the second half of the year.

    Privacy, Cyber Risk & Data Security State Issues State Legislation CCPA CPRA CPPA Agency Rule-Making & Guidance Consumer Protection

  • 11th Circuit says one-year statutory notice period cannot be varied

    Courts

    On August 26, the U.S. Court of Appeals for the Eleventh Circuit vacated and remanded a district court’s summary judgment in favor of a bank after determining that the plaintiff-appellants’ claim for statutory repayment is not time-barred. Plaintiffs (Venezuelan citizens residing in Venezuela) maintained personal and commercial bank accounts at a Florida branch of the bank. According to the plaintiffs, a bank employee changed the email account associated with the bank accounts to a new fraudulent email. Identity thieves were later able to bypass security measures on the account, gave correct answers to security questions, and sent documents with signatures that matched ones the bank had on file, resulting in roughly $850,000 being transferred out of one of the accounts. Plaintiffs contended they were locked out of their accounts and struggled to contact the bank for months without success. After eventually regaining access to their accounts, plaintiffs discovered the stolen money and sued for a variety of claims, including fraud, negligence, and breach of contract. They also claimed that the bank was required to refund them for the fraudulent wire transfers under Florida Statutes § 670.202. The bank argued, among other things, that the plaintiffs’ claims were time-barred because they failed to notify the bank about the alleged fraud within 30 days of receiving a bank statement. Plaintiffs responded that the Florida Statutes provide a one-year time period to notify a bank of an unauthorized wire transfer and stated that the time-period could not be modified by agreement. The district court entered summary judgment for the bank, concluding “that the one-year period was modifiable and that the parties had modified it.” The district court also determined that because the bank’s procedures were “commercially reasonable” and followed “in good faith” it was not liable to the plaintiffs to repay the wire transfers.

    On appeal, the 11th Circuit held that the plaintiffs were still within their statutory one-year notification period when they notified the bank of the fraudulent wire transfers, and rejected the bank’s argument that it could shorten the notification period to 30 days. In rejecting the bank’s argument, the 11th Circuit determined that it cannot “shift the loss of an unauthorized order to the customer during the statutorily determined period,” adding that “if the one-year statutory notice period could be varied, then banks could insist that customers sign contracts that make the time to demand a refund of a fraudulent payment a day (or even less). That would impair the account holder’s right to a refund and defeat Florida’s intent that banks—not account holders—bear the risk of a fraudulent transfer for the first year following the transfer. And there’s no limiting principle in the text for how short banks could make the statutory refund period.” Pointing out that the bank was unable to identify a limiting principle at oral argument, the appellate court concluded that “if banks could modify the one-year period, there’s no principled way to draw the line as to how short of a refund period is too short.” On remand, the 11th Circuit also instructed the district court to review whether the bank’s security procedures are “commercially reasonable.”

    Courts State Issues Fraud Appellate Eleventh Circuit Privacy, Cyber Risk & Data Security

  • District Court denies request to reverse summary judgment in FDIA suit

    Courts

    On August 29, the U.S. District Court for the Eastern District of Pennsylvania denied a consumer plaintiff’s request to reconsider its summary judgment order against him in a Federal Deposit Insurance Act (FDIA) suit. According to the opinion, the plaintiff accrued debt to a federally-insured, state-chartered bank, which had then assigned that debt to defendants, who were not state-chartered, federally-insured banks. The plaintiff’s debt included interest charges that had accrued at an annual rate between 24.99 percent and 25.99 percent, which the plaintiff argued could not be collected by defendants because the interest exceeded the six percent allowed under Pennsylvania's usury law. The court ruled in favor of the defendants, relying on a recently promulgated FDIC rule that determined that state usury laws are preempted by section 27 of the FDIA in cases where state usury law interferes with state-chartered, federally-insured banks' ability to make loans or when they interfere with a state-chartered, federally-insured bank’s assignee’s efforts to collect on those loans. The plaintiff requested the reconsideration of the district court's summary judgment decision and filed a notice of appeal to the U.S. Court of Appeals for the Third Circuit. In his motion for reconsideration, the plaintiff argued that the court’s previous summary judgment decision was “erroneous” because: (i) the 3rd Circuit held in In re: Community Bank of Northern Virginia that “the FDIA unambiguously excludes non-bank purchasers of debt from its coverage and that deference to the FDIC’s contrary interpretation would, therefore, be inappropriate”; (ii) the FDIC’s rule cannot apply to his debts because such an application would be impermissibly retroactive; and (iii) LIPL fits within the FDIC rule’s exception for “licensing or regulatory requirements.”

    The court denied the plaintiff’s motion for reconsideration, holding that the plaintiff “failed to identify an appropriate basis for reconsideration,” as the consumer’s arguments are “either a new argument that could have been presented before judgment was entered or a reprisal of an argument that the Court addressed in its original decision.” The court further noted that it would be “inappropriate for the Court to grant a motion to reconsider under either of those circumstances.” The court went on to determine that the new arguments advanced by the plaintiff were unpersuasive in any event, finding that the 3rd Circuit had not held section 27 of the FDIA to be unambiguous in its meaning and that application of the FDIC’s rule did not create an impermissible retroactive effect.

    Courts State Issues Interest Deposit Insurance Usury Third Circuit Appellate Federal Deposit Insurance Act Pennsylvania Consumer Finance

  • District Court dismisses ransomware suit alleging negligence

    Courts

    On August 30, the U.S. District Court for the Northern District of Indiana granted a software company defendant’s motion to dismiss, ruling that a healthcare system nonprofit (the “nonprofit”) and its insurer (collectively, “plaintiffs”) had not plausibly alleged that the 2020 ransomware attack on the defendant caused them to incur expenses that were compensable injuries. According to the opinion, the nonprofit, which possesses personally identifiable information (PII) records, executed two contracts with the defendant “to help consolidate its existing databases into one system of records and protect this sensitive data.” According to the first agreement, the defendant agreed to maintain servers holding the health nonprofit’s donor and patient data, including PII. In the second agreement, the defendant agreed to, among other things, comply with its obligations as a “business associate” under HIPAA, HITECH, and any implementing regulations.

    According to the plaintiffs’ complaint, a third party allegedly hacked into the defendant’s systems and deployed ransomware in February 2020, which gained access to the PII that the health nonprofit stored with the defendant; however, the cybercriminals were unable to block the defendant from accessing its own systems. The defendant was said to have learned about the cyber-attack in May 2020 and waited until July 2020 to notify the nonprofit. The plaintiffs alleged that the data breach occurred because of the defendant’s failure to reasonably safeguard their database of PII. The plaintiffs also claimed that “‘had [the defendant] maintained a sufficient security program, including properly monitoring its network, security, and communications, it would have discovered the cyberattack sooner or prevented it altogether.’” Following the breach, the plaintiffs alleged that they incurred remediation damages that included “various expenses, which included credit monitoring services and call centers, legal counsel, computer systems recovery, and data recovery and data migration services.” The plaintiffs filed suit, alleging breach of contract, negligence, gross negligence, negligent misrepresentation, fraudulent misrepresentation, and breach of fiduciary duty. The defendant argued that the plaintiffs do not adequately explain how the breach caused their remediation damages, warranting dismissal.

    The district court found that the plaintiffs failed to adequately plead causation for each of their claims, noting that “without any allegations explaining why they had to spend these amounts, the court is left to speculate how [the defendant’s] breaches caused [the health nonprofit’s] remediation damages.” The district court additionally determined that the plaintiffs’ negligence and contract claims must also fail because “harm caused by identity information exposure, coupled with the attendant costs to guard against identity theft did not constitute a compensable injury under either a negligence claim or a contract claim brought pursuant to Indiana law.” The district court also found that the plaintiffs’ negligence claims are barred under Indiana’s economic loss rule because they did not point to an independent duty outside of contract. The plaintiffs were, however, given leave to amend their complaint and attempt to remedy its deficiencies.

    Courts Privacy, Cyber Risk & Data Security Ransomware Consumer Protection Data Breach State Issues Indiana

  • FDIC updates risk management, consumer compliance examination policies

    Recently, the FDIC updated Section 2.1 of its Risk Management Manual of Examination Policies related to capital. The FDIC noted that since capital adequacy assessments are central to the supervisory process, examination staff “evaluate all aspects of a financial institution’s risk profile and activities to determine whether its capital levels are appropriate and in compliance with minimum regulatory requirements.” This includes examining a financial institution’s capital ratios, risk-weighted assets, regulatory capital requirements, community bank leverage ratios, capital adequacy (including liquidity, earnings, and market risk), and adherence to laws and regulations. The FDIC also announced updates to the Privacy—Telephone Consumer Protection Act section within its Consumer Compliance Examination Manual (CEM). The CEM includes supervisory policies and examination procedures for FDIC examination staff evaluating financial institutions’ compliance with federal consumer protection laws and regulations.

    Bank Regulatory Federal Issues Agency Rule-Making & Guidance FDIC Compliance Examination Risk Management Supervision

  • RHS finalizes changes to Single-Family Housing Guaranteed Loan Program

    Agency Rule-Making & Guidance

    On August 31, the Rural Housing Service (RHS) issued a final rule in the Federal Register announcing changes to the Single-Family Housing Guaranteed Loan Program (SFHGLP). The final rule, among other things, updates the requirements for federally supervised lenders, minimum net worth and experience for non-supervised lenders, approved lender participation requirements, handling of applicants with delinquent child support payments, and builder credit requirements. Specifically, the rule establishes that lenders not supervised by federal banking agencies must have “a minimum adjusted net worth of $250,000, or at least $50,000 in working capital plus one percent of the total volume in excess of $25 million in guaranteed loans originated, serviced or purchased during the lender’s prior fiscal year, up to a maximum $2.5 million.” The final rule also requires one or more lines of credit with a minimum aggregate of $1 million, and clarifies that lenders must meet applicable requirements in order to begin and continue participation in the SFHGLP. The final rule is effective November 29.

    Agency Rule-Making & Guidance Rural Housing Service Lending

  • DOJ weighs in on FDIC chair’s powers

    Federal Issues

    Recently, the assistant attorney general for the DOJ’s Office of Legal Counsel opined that the chairperson of the FDIC cannot prevent a majority of the agency’s Board of Directors from presenting items for a vote and decision. The DOJ’s opinion follows a December 2021 conflict among members of the FDIC Board of Directors related to a joint request for information seeking public comment on revisions to the FDIC’s framework for vetting proposed bank mergers. Shortly after the announcement was issued, the FDIC released a statement disputing that any action had been approved. FDIC board member, and CFPB Director, Rohit Chopra released a follow-up statement challenging the view that only the FDIC chairperson has the right to raise matters for discussion in Board meetings, and called for “immediate[]” resolution of the conflict, stating that “[a]bsent a return to legal reality and constructive engagement, board members will need to take further steps to exercise independence from management and to ensure sound governance of the [FDIC].” (Covered by InfoBytes here.)

    The DOJ wrote in the opinion that “[t]here is no general or specific source of authority in the [Federal Deposit Insurance Act (FDIA)] that can be read as permitting the Chairperson to prevent a majority of the Board from exercising its statutory responsibilities or otherwise making decisions for the FDIC.” The opinion stated that the FDIA gives the Board “broad governance and decision-making authority” and clarified that while the “power to present matters for Board vote and decision is not explicitly addressed by the Act[,] . . . the Board, not the Chairperson, has the authority to determine how the FDIC should exercise its substantive powers.” Furthermore, the opinion emphasized that the FDIA authorizes the Board to “prescribe bylaws ‘regulating the manner in which its general business may be conducted’ and to prescribe ‘such rules and regulations as it may deem necessary.’” According to the opinion, nothing in the FDIA “can be read as authorizing the Chairperson to prevent a majority of the Board from presenting items to the Board for a vote and decision, and, as far as we are aware, no one has ever taken the position that the [FDIA] authorizes the Chairperson to do so.”

    While the opinion emphasized that it does not have the authority “to provide more than a general response,” it stated that the FDIC Bylaws mirror the FDIA in providing that “[t]he management of the [FDIC] shall be vested in the Board of Directors, which shall have all powers specifically granted by the provisions of the [FDIA] and other laws of the United States and such incidental powers as shall be necessary to carry out the powers so granted.” The opinion agreed with the current Board majority’s interpretation “that the delegations of authority to the Chairperson in the Bylaws are best understood as preserving the power of a Board majority to present items for Board decision and vote.” The DOJ noted, however, “that the current Board majority’s understanding of its Bylaws may not be the only possible interpretation,” and pointed out that the FDIC Bylaws can be amended “to eliminate any uncertainty about questions such as the one at issue here.”

    The DOJ’s opinion prompted a critical response from House Financial Services Committee Ranking Member Patrick McHenry (R-NC), who said that the “newly released opinion from the Office of Legal Counsel does not change the fact that Democrats’ power grab at the FDIC upended an 88-year tradition of considering the Chair’s agenda on a collegial basis” and pledged that “House Republicans will not be deterred from our investigations into the lawless tactics of rogue Democrat regulators.”

    Federal Issues DOJ FDIC Bank Regulatory Federal Deposit Insurance Act Agency Rule-Making & Guidance Bank Mergers

  • FHFA to review Federal Home Loan Banks system

    Federal Issues

    On August 31, FHFA announced it plans to conduct a comprehensive review of the Federal Home Loan Banks (FHLBanks) starting this fall. “FHFA’s regulated entities function as a reliable source of liquidity and funding for housing finance and community investment,” FHFA Director Sandra L. Thompson said, noting that “[a]s the Federal Home Loan Banks approach their centennial, FHFA will conduct a comprehensive review to ensure they remain positioned to meet the needs of today and tomorrow.” FHFA will host two public listening sessions as well as a series of regional roundtable discussions to review the mission, membership eligibility requirements, and operational efficiencies of the FHLBanks, the statement said. Additionally, FHFA will receive input from stakeholders on the FHLBanks’ role or potential role in addressing housing finance, community and economic development, affordability, and other related issues.

    The kick-off listening session will be held in Washington, D.C., on September 29. FHFA seeks feedback in six key areas: (i) FHLBanks’ general mission and purpose in a changing marketplace; (ii) the organization, operational efficiency, and effectiveness of FHLBanks; (iii) FHLBanks’ role in promoting affordable, sustainable, equitable, and resilient housing and community investment; (iv) ways to address the unique needs of rural and financially vulnerable communities; (v) member products, services and collateral requirements; and (vi) membership eligibility and requirements.

    Federal Issues FHFA Federal Home Loan Banks
