InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
HUD announces disaster relief for homeowners in several states
On March 16, HUD announced disaster assistance for certain areas in Virginia and Tennessee (see here and here) impacted by severe winter storms. The disaster assistance follows President Biden’s major disaster declarations on March 11. According to the announcements, HUD is providing an automatic 90-day moratorium on foreclosures of FHA-insured home mortgages for covered properties and is making FHA insurance available to victims whose homes were destroyed or severely damaged, such that “reconstruction or replacement is necessary.” HUD’s Section 203(k) loan program enables individuals who have lost homes to finance a home purchase or to refinance a home to include repair costs through a single mortgage. The program also allows homeowners with damaged property to finance the repair of their existing single-family homes. Furthermore, HUD is allowing administrative flexibilities to community planning and development grantees, as well as to public housing agencies and Tribes.
On March 18, HUD announced disaster assistance for certain areas in Maine impacted by a severe storm and flooding. The disaster assistance follows President Biden’s major disaster declarations on March 15. According to the announcements, HUD is providing an automatic 90-day moratorium on foreclosures of FHA-insured home mortgages for covered properties and is making FHA insurance available to victims whose homes were destroyed or severely damaged, such that “reconstruction or replacement is necessary.” HUD’s Section 203(k) loan program enables individuals who have lost homes to finance a home purchase or to refinance a home to include repair costs through a single mortgage. The program also allows homeowners with damaged property to finance the repair of their existing single-family homes. Furthermore, HUD is allowing administrative flexibilities to community planning and development grantees, as well as to public housing agencies and Tribes.
OCC issues final rule for granting exemptions to SAR requirements
On March 16, the OCC issued a final rule amending its suspicious activity report (SAR) regulations. The rule sets out a process for national banks and federal savings associations to request exemptions from the OCC’s SAR requirements. To request exemption under the final rule, national banks or federal savings associations, including federal branches and agencies of foreign banks, must submit a request in writing to the OCC. The agency “will consider whether the exemption is consistent with the purposes of the [Bank Secrecy Act] and with safe and sound banking and may consider any other appropriate factors.” Where required, institutions must separately seek an exemption from FinCEN, and the OCC intends to coordinate with FinCEN on such requests. The final rule will also allow “the OCC to facilitate changes required by the Anti-Money Laundering Act of 2020" and “will make it possible for the OCC to grant relief to national banks or federal savings associations that develop innovative solutions intended to meet Bank Secrecy Act requirements more efficiently and effectively.”
District Court rules ratification unnecessary for CFPB to proceed with 2017 enforcement action
On March 16, the U.S. District Court for the Southern District of New York ruled that the CFPB can proceed with its 2017 enforcement action against a New Jersey-based finance company alleging, among other things, that it misled first responders to the World Trade Center attack and NFL retirees about high-cost loans mischaracterized as assignments of future payment rights. In 2020, the U.S. Court of Appeals for the Second Circuit vacated a 2018 district court order dismissing the case on the grounds that the Bureau’s single-director structure was unconstitutional, and that, as such, the agency lacked authority to bring claims alleging deceptive and abusive conduct by the company (covered by InfoBytes here). The 2nd Circuit remanded the case to the district court, determining that the U.S. Supreme Court’s ruling in Seila Law LLC v. CPFB (holding that the director’s for-cause removal provision was unconstitutional but severable from the statute establishing the Bureau, as covered by a Buckley Special Alert) superseded the 2018 ruling. The appellate court further noted that following Seila, former Director Kathy Kraninger ratified several prior regulatory actions (covered by InfoBytes here), including the enforcement action brought against the defendants, and as such, remanded the case to the district court to consider the validity of the ratification of the enforcement action. The defendants later filed a petition for writ of certiorari, arguing that the Bureau could not use ratification to avoid dismissal of the lawsuit, but the Supreme Court declined the petition. (Covered by InfoBytes here.)
In 2021, the defendants filed a motion to dismiss the Bureau’s enforcement action on the grounds that “it was brought by an unconstitutionally constituted agency” and that the Bureau’s “untimely attempt to subsequently ratify this action cannot cure the agency’s constitutional infirmity.” After narrowly reviewing whether the Bureau had the authority to bring claims under the Consumer Financial Protection Act, the district court turned to the Supreme Court’s June 2021 majority decision in Collins v. Yellen, which held that “‘an unconstitutional removal restriction does not invalidate agency action so long as the agency head was properly appointed[.]’” Accordingly, the agency’s actions are not void and do not need to be ratified, unless a plaintiff can show that “the agency action would not have been taken but for the President’s inability to remove the agency head.” (Covered by InfoBytes here.) The district court’s March 16 opinion applied Collins and ruled that “the CFPB possessed the authority to bring this action in February 2017 and, hence, that ratification by Director Kraninger was unnecessary.”
NYDFS fines money transmitter $8.25 million for AML compliance failures
On March 16, NYDFS announced the imposition of an $8.25 million fine on a money transmitter alleged to have violated anti-money laundering (“AML”) requirements and New York law by failing to adequately supervise local agents in New York City that processed an unusual volume of suspicious transactions to China. NYDFS conducted an examination and enforcement investigation, which found that the company “did not adequately oversee the activity of six agents that saw a large spike in transaction volume of business with China.” According to the investigation, there were roughly 7,500 transactions aggregating approximately $30 million in 2014. These figures rose to more than 25,000 transactions aggregating more than $100 million during the period between January 2016 and May 2017. Most of these transactions were processed by small, store-front independent agents—“a clear indicator of increased money laundering risk, particularly given that the destination was known to carry a high AML risk,” NYDFS stated, adding that the company should have also addressed risks resulting from a suspicious pattern of different senders transmitting money to the same recipient. NYDFS acknowledged that the company, when alerted to the increased transaction activity, severed its relationship with the problematic agents and implemented remedial measures to improve supervision of its agents. Under the terms of the consent order, the company will pay an $8.25 civil money penalty and is required to submit a report to NYDFS outlining enhancements made with respect to new and existing agents, suspicious activity reporting program, and special transaction limitations. Additionally, NYDFS announced that the company will also update the Department on improvements to the policies and procedures of its Bank Secrecy Act/AML compliance program and will provide data to NYDFS for ongoing monitoring purposes.
District Court approves $17 million data breach settlement
On March 15, the U.S. District Court for the Northern District of Illinois granted final approval of a class settlement to resolve claims alleging two defendant insurance companies failed to protect over six million employee/customers’ personal and private identifying information, including names, addresses, Social Security numbers, and driver’s license numbers, from two data breach and scraping incidents. According to the memorandum of law in support of the plaintiffs’ unopposed motion for final approval, plaintiffs separately filed complaints after learning the defendants were exposed to two separate data breaches in December 2020 and March 2021. The cases were consolidated, and parties engaged in settlement negotiations. Under the terms of the settlement agreement, the defendants will provide settling class members with at least $17.1 million in relief. Class members will also have automatic access to certain financial fraud services and may submit claims to receive compensation for out-of-pocket losses (capped at $10,000 per person) and lost-time losses (up to six hours of lost-time reimbursements at $18 per hour), in addition to receiving $50 per hour if they missed work to address the breaches. Additionally, a California subclass will also be able to file claims for $50 in statutory relief. Under the California Consumer Privacy Act, consumers may seek statutory damages of up to $750 per violation. Defendants are also responsible for a portion of attorneys’ fees and costs.
Irish DPC fines global social media company €17 million for GDPR violations
On March 15, the Irish Data Protection Commission (DPC) adopted a decision fining a global social media company €17 million (approximately $18.6 million) after finding that the company failed to prevent a series of data breaches in 2018. The DPC conducted an inquiry into a series of 12 data breach notifications it received between June 7, 2018 and December 4, 2018, to examine the extent that the company complied with GDPR requirements related to the processing of personal data. Following the inquiry, the DPC found that the company violated GDPR Articles 5(2) and 24(1) by failing “to have in place appropriate technical and organizational measures which would enable it to readily demonstrate the security measures that it implemented in practice to protect EU users’ data, in the context of the twelve personal data breaches.” Article 5 outlines principles related to the processing of personal data and requires companies to ensure that EU residents’ personal data is processed “in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.” Article 24(1) requires controllers to “implement appropriate technical and organizational measures to ensure and to be able to demonstrate that processing is performed in accordance with” the GDPR. The DPC noted that because the processing under examination constituted “cross-border” processing, the “decision represents the collective views of both the DPC and its counterpart supervisory authorities throughout the EU.”
FTC sues sales organization in business opportunity scam
On March 15, the FTC filed an administrative complaint against an independent sales organization and its owners (collectively, “respondents”) for allegedly opening merchant accounts for fictitious companies on behalf of a business opportunity scam previously sued by the FTC in 2013. According to the complaint, the scammers promoted business opportunities to consumers that falsely promised they would earn thousands of dollars. From its previous 2013 lawsuit, the FTC obtained judgments and settlements of over $7.3 million (covered by InfoBytes here). The complaint alleged that respondents violated the FTC Act and the Telemarketing Sales Rule by helping the scammers launder millions of dollars of consumers’ credit card payments from 2012 to 2013 and ignoring warning signs that the merchants were fake. The FTC claimed that the respondents, among other things, (i) opened merchant accounts based on “vague” business descriptions; (ii) ignored the fact that for most of the merchants, the principals or business owners had poor credit ratings, which should have raised questions about the financial health of the merchants; (iii) neglected to obtain merchants’ marketing materials or follow up on signs that the merchants were engaged in telemarketing; and (iv) ignored inconsistencies related to the bank accounts listed on several of the merchants’ applications. The FTC further claimed that the respondents created 43 different merchant accounts for fictitious companies on behalf of the scam and even provided advice to the organizers of the scam on how to spread out the transactions among different accounts to evade detection.
Under the terms of the proposed consent order (which is subject to public comment and final FTC approval), the respondents would be prohibited from engaging in credit card laundering, as well as any other tactics to evade fraud and risk monitoring programs. The respondents would also be banned from providing payment processing services to any merchant that is, or is likely to be, engaged in deceptive or unfair conduct, and to any merchant that is flagged as high-risk by credit-card industry monitoring programs. Furthermore, the respondents would be required to screen potential merchants and monitor the sales activity and marketing practices of current merchants engaged in certain activities that could harm consumers. The FTC noted that it is unable to obtain a monetary judgment due to the U.S. Supreme Court’s decision in AMG Capital Management v. FTC, which held that the FTC does not have statutory authority to obtain equitable monetary relief under Section 13(b) of the FTC Act. (Covered by InfoBytes here.)
FDIC rescinds Covid-19 filing extension for Part 363 annual reports
On March 15, the FDIC rescinded its Statement on Part 363 Annual Reports in Response to the Coronavirus, which had provided certain insured depository institutions (IDIs) with total assets of $500 million or more an additional 45 days to file their Part 363 Annual Reports and Other Reports and Notices. FIL-10-2022 rescinds FIL-30-2020 and is effective for fiscal years beginning after December 31, 2021. Going forward, the deadline for IDIs to file their annual reports “reverts to either 90 or 120 days after the end of the IDI’s fiscal year, depending on the IDI’s status as a public filer.” The FDIC reminded IDIs that if they are unable to meet their filing deadline, they “must submit a written Notice of Late Filing to the FDIC, the appropriate federal banking agency, and any appropriate state bank supervisor by the 90- or 120-day report filing deadline.”
CFPB updates debt collection examination procedures to include Regulation F provisions
Recently, the CFPB updated its debt collection examination procedures to incorporate provisions of Regulation F (the FDCPA’s implementing regulation). As previously covered by InfoBytes, in October 2020, the Bureau issued its final rule (effective November 30, 2021) amending Regulation F to address debt collection communications and prohibitions on harassment or abuse, false or misleading representations, and unfair practices. Following the publication of the final rule, the Bureau also released debt collection compliance guidance and frequently asked questions that address validation information generally and validation information related to residential mortgage debt (covered by InfoBytes here). The Bureau noted that depending on the scope of an examination, “and in conjunction with the compliance management system and consumer complaint response review procedures,” an examination will cover at least one of the following modules: (i) entity business model; (ii) communications in connection with debt collection; (iii) information sharing, privacy, and interactions with consumer reporting agencies; (iv) validation notice, consumer FDCPA disputes and complaints, and ceasing communication; (v) payment processing and account maintenance; (vi) ECOA; and (vii) litigation practices, administrative wage garnishment and repossession, and time-barred debt.
FHFA orders stress tests for Fannie and Freddie
On March 16, FHFA published orders applicable March 10 for Fannie Mae and Freddie Mac (GSEs) with respect to stress test reporting as of December 31, 2021, under Dodd-Frank as amended by the Economic Growth, Regulatory Relief, and Consumer Protection Act. Under Dodd-Frank, certain federally regulated financial companies with total consolidated assets of more than $250 billion are required to conduct periodic stress tests to determine whether the companies have the capital necessary to absorb losses as a result of severely adverse economic conditions. The orders are accompanied by Summary Instructions and Guidance, which include stress test scenarios and revised templates (baseline, severely adverse, and variables and assumptions) for regulated companies to use when reporting the results of the stress tests (orders and instructions are available here). According to the Summary Instructions and Guidance, the GSEs have until May 20 to submit baseline and severely adverse results to FHFA and the Federal Reserve Board, and must publicly disclose a summary of severely adverse results between August 1 and 15.