InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
District Court dismisses EFTA claims over prepaid debit card fraud
On August 11, the U.S. District Court for the District of Maryland dismissed a putative class action alleging violations of the EFTA and state privacy and consumer protection laws brought against a national bank on behalf of consumers who were issued prepaid debit cards providing pandemic unemployment benefits. The named plaintiff—a self-employed individual who did not qualify for state unemployment insurance but who was eligible to receive temporary Pandemic Unemployment Assistance (PUA) benefits—alleged that he lost nearly $15,000 when an unauthorized user fraudulently used a prepaid debit card containing PUA funds that were intended for him. The court dismissed the class claims with respect to the EFTA and Regulation E, finding that the Covid-19 pandemic was a “qualified disaster” under applicable law and regulations (i.e. PUA payments were “qualified disaster relief payments”), and that as such, the payments satisfied the CFPB’s official interpretation of Regulation E and were excluded from the definition of a “prepaid account.” The court further explained that while relevant CFPB regulations define an “account” to include a prepaid account, Regulation E excludes “any ‘account that is directly or indirectly established through a third party and loaded only with qualified disaster relief payments.’” Because the prepaid debit card in question was established through a third party and was loaded only with PUA funds, it did not meet the definition of a “prepaid account” and therefore fell outside the EFTA’s definition of a covered account. The court also disagreed with the plaintiff’s contention that PUA payments were authorized by Congress in the CARES Act due to the public health emergency rather than a disaster.
OCC updates bank accounting guidance
On August 15, the OCC released an annual update to its Bank Accounting Advisory Series (BAAS). (See also OCC Bulletin 2022-20.) Intended to address a variety of accounting topics relevant to national banks and federal savings associations and to promote consistent application of accounting standards and regulatory reporting among OCC-supervised banks, the BAAS reflects updates that clarify accounting standards issued by the Financial Accounting Standards Board related to, among other things, (i) “the amortization of premiums on debt securities with a call option over a preset period”; and (ii) “lessors’ classification of certain leases with variable lease payments.” The 2022 edition also includes answers to frequently asked questions from industry and bank examiners. The OCC notes that the BAAS does not represent OCC rules or regulations but rather “represents the Office of the Chief Accountant’s interpretations of generally accepted accounting principles and regulatory guidance based on the facts and circumstances presented.”
5th Circuit overturns decision in FDCPA suit
On August 15, the U.S. Court of Appeals for the Fifth Circuit overturned a district court’s grant of class certification in an FDCPA case, ruling that the plaintiff lacked standing. According to the opinion, the plaintiff incurred a debt after failing to pay her utility bills. The city hired a law firm who tried to collect the debt by sending the plaintiff a form letter demanding payment. Her debt had become delinquent four years and one day before the defendant sent its letter, which, under Texas law is “unenforceable.” The plaintiff filed suit against the law firm alleging that it had violated the FDCPA by making a misrepresentation in connection with an attempt to collect her debt. The plaintiff also sought to represent a class of Texas consumers who received the same form letter from the defendant regarding their time-barred debts. The district court rejected the defendant’s claim that the plaintiff lacked standing to bring suit, holding “that the violation of the plaintiff’s statutory rights under the FDCPA constituted a concrete injury-in-fact because those rights were substantive, not procedural.” The district court also “maintained that [the plaintiff’s] confusion qualified as a concrete injury-in-fact.”
On the appeal, the 5th Circuit reversed, finding that the plaintiff did not suffer a concrete injury and therefore lacked standing. The court held that the Supreme Court’s ruling in TransUnion v. Ramirez (covered by InfoBytes here) foreclosed the plaintiff’s theories that a violation of statutory rights under the FDCPA or accidentally paying a time-barred debt are concrete injuries. The appellate court noted that consulting with an attorney and not making a payment is not a concrete injury under Article III, stating that it is “not aware of any tort that makes a person liable for wasting another’s time.”
States stress importance of CRA modernization
On August 5, a coalition of 15 state attorneys general submitted a comment letter in support of the joint notice of proposed rulemaking (NPRM) issued by the FDIC, OCC, and Federal Reserve Board (collectively, “agencies”) regarding modernizing the Community Reinvestment Act (CRA). As previously covered by InfoBytes, the NPRM, among other things, would update how CRA activities qualify for consideration, where CRA activities are considered, and how CRA activities are evaluated. According to the letter, the NPRM is “a marked improvement over prior proposals that some of the agencies set out in the last several years.” The AGs noted that the final rule “must ensure that all members of our communities are fully served by financial institutions” and urged the agencies to continue to strengthen it. The AGs further encouraged the agencies to focus on: (i) ensuring the NPRM “vindicates CRA’s core purpose to address racial inequalities”; (ii) increasing the regulatory bar so “that banks are taking meaningful action to meet low- and moderate income (LMI) community needs; and (iii) “[l]everaging incentives to encourage affordable housing development for LMI communities without displacement.” Additionally, the AGs suggested that the NPRM “should be modified to ensure that this once-in-a-generation modernization effort gives the regulators the tools they need to carry out CRA’s imperative—that financial institutions be required to address the needs of our most vulnerable communities—in our States and across the Nation.” The AGs also noted that some states “expressed concern that the widening racial wealth gap stemming from historical redlining would be exacerbated by an uneven pandemic recovery.” Specifically, the letter stated that “two-and-a-half years into the COVID-19 crisis, the States face an affordable and accessible housing crisis, increased homelessness and housing insecurity, and historic levels of inflation that disproportionally threaten low-income communities and communities of color.” The AGs stated that CRA regulatory reform “can be a key element of addressing these problems.”
OFAC sanctions Liberian officials
On August 15, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions pursuant to Executive Order 13818 against two Liberian government officials under the Global Magnitsky Human Rights Accountability Act. According to OFAC, the sanctioned individuals are involved in ongoing public corruption in Liberia, and the sanctions are intended “to target[] perpetrators of serious human rights abuse and corruption around the world.” As a result, all property, and interests in property of the designated individuals and entities, “and of any entities that are owned, directly or indirectly, 50 percent or more by them, individually, or with other blocked persons, that are in the United States or in the possession or control of U.S. persons, must be blocked and reported to OFAC.” U.S. persons are generally prohibited from engaging in transactions with the designated persons. OFAC further warned that engaging in certain transactions with the designated individuals entails risk of sanctions.
SEC files charges in brokerage hacking case
On August 15, the SEC filed a complaint against 18 individuals and entities (collectively, “defendants”) in the U.S. District Court for the Northern District of Georgia for allegedly engaging in a fraudulent scheme in which online retail brokerage accounts were hacked and improperly used to purchase microcap stocks. According to the SEC, the defendants collectively acquired substantial shares of the common stock of two public microcap companies. After obtaining the shares, some defendants conspired with other unknown parties to subject various retail brokerage accounts, held by third-party investors, to online account takeover attacks. The hacked accounts then were forced to make large purchases of the companies’ common stock, thereby artificially inflating the trading price and volume of the stocks. The defendants then sold the shares they had acquired at the inflated prices, generating approximately $1.3 million in proceeds and creating substantial profits for the defendants. The complaint also noted that throughout the scheme, some defendants repeatedly took steps to conceal their beneficial ownership of the company’s shares by, among other things, failing to file with the Commission certain beneficial ownership reports required by law. The SEC’s complaint alleges violations of anti-fraud and beneficial ownership reporting provisions of the federal securities laws, specifically, the Securities Act of 1933 and the Securities Exchange Act of 1934. The complaint seeks a permanent injunction against the defendants, disgorgement of ill-gotten gains, plus interest, penalties, bars, and other equitable relief. According to the SEC Director of Division of Enforcement, the case “illustrates the critical importance of cybersecurity and of our ongoing efforts to protect retail investors from cyber fraud.”
CFTC alleges crypto promoter’s digital asset trading scheme violates CEA
On August 12, the CFTC filed charges against an individual and his two Ohio-based cryptocurrency promotion companies for allegedly violating the Commodity Exchange Act and Commission regulations by soliciting more than $1 million in a digital asset trading scheme. The complaint alleged that the defendants made false and misleading statements in their solicitations to customers, including profit guarantees and claims concerning the individual defendant’s supposed success as a digital asset trader. According to the complaint, customers were guaranteed that they would not lose their initial investment and would be able to withdraw their initial investment and alleged profits at any time; however, defendants allegedly refused to allow existing customers to withdraw these funds, stopped communicating with customers, and manufactured excuses as to why funds were not returned. The complaint also contended, among other things, that the defendants omitted material facts, including that the defendants “misappropriated customer funds to pay purported profits to other customers in a manner akin to a Ponzi scheme,” misappropriated customer funds to pay for the individual defendant’s lifestyle, and commingled customer funds with personal bank and digital asset trading accounts. The CFTC seeks: (i) restitution for defrauded investors; (ii) disgorgement; (iii) civil monetary penalties; (iv) permanent registration and trading bans; and (v) a permanent injunction from future violations.
New York proposes new cybersecurity reporting requirements for financial institutions
Recently, NYDFS released proposed second amendments to New York’s Cybersecurity Regulation (23 NYCRR Part 500), which would, if adopted, require a financial institution’s senior officer or board of directors to approve the entity’s cybersecurity policy. Entities would also be required to disclose whether their directors have expertise in overseeing security risks or whether they rely on third-party cyber consultants. Among other things, the proposed amendments would require cybersecurity executives to provide directors timely alerts of significant cyber issues or events and provide annual reports to the board on cyber risks and defenses as well as on plans for remediating identified inadequacies. Additional requirements include: (i) multi-factor authentication for all privileged accounts (except for service accounts), as well as for “remote access to the network and enterprise and third-party applications from which nonpublic information is accessible”; (ii) limitations on asset and data retention management; (iii) training and monitoring of email to prevent unauthorized access; and (iv) incident response, business continuity, and disaster recovery plans.
The proposed amendments also contain provisions related to ransomware, including measures which would require entities to notify NYDFS within 72 hours of any unauthorized access to privileged accounts or deployment of ransomware within a “material” part of the entity’s information system. Entities would also be directed to alert the Department within 24 hours of making a ransom payment to a hacker—similar to a ransomware payment disclosure mandate included within the “Cyber Incident Reporting for Critical Infrastructure Act of 2022” covering critical infrastructure (covered by InfoBytes here). Within 30 days, entities would also be required to explain the reasons that necessitated the ransomware payment, what alternatives to payment were considered, all diligence performed to find payment alternatives, and all diligence performed to ensure compliance with applicable OFAC rules and regulations including federal sanctions implications.
Comments on the proposed amendments are due August 18.
See continuing InfoBytes coverage on 23 NYCRR Part 500 here.
District Court grants final approval of data breach settlement
On August 9, the U.S. District Court for the Western District of North Carolina granted final approval of a class action settlement resolving allegations that two hemp companies (collectively, “defendants”) were involved in data breaches. According to the plaintiffs’ unopposed motion for final approval of the class action settlement, the defendants notified the SEC, various states’ attorneys general, and thousands of affected customers about two data breaches that occurred through their website on two different occasions. The plaintiffs alleged that the incident allowed hackers to “scrape[]” many of the defendants’ consumers’ names from the website by infecting the ecommerce platform with a “malicious code,” and stole the personally identifiable information of approximately 40,000 customers. According to the settlement, the deal will provide that class members can receive as much as $210 for out-of-pocket expenses such as card replacement fees, overdraft fees, interest, and up to $80 in costs for obtaining credit monitoring and identity theft protection, among other things. The district court also approved $2,500 payments to the lead plaintiffs as service awards.
FDIC announces Missouri disaster relief
On August 12, the FDIC issued FIL-39-2022 to provide regulatory relief to financial institutions and help facilitate recovery in areas of Missouri affected by severe storms and flooding from July 25-28. The FDIC acknowledged the unusual circumstances faced by institutions affected by the storms and suggested that institutions work with impacted borrowers to, among other things: (i) extend repayment terms; (ii) restructure existing loans; or (iii) ease terms for new loans to those affected by the severe weather, provided the measures are done “in a manner consistent with sound banking practices.” Additionally, the FDIC noted that institutions “may receive favorable Community Reinvestment Act consideration for community development loans, investments, and services in support of disaster recovery.” The FDIC will also consider regulatory relief from certain filing and publishing requirements.