InfoBytes Blog

Financial Services Law Insights and Observations

  • FTC settles action against e-commerce platform for data breach cover up

    Federal Issues

    On March 15, the FTC announced a proposed settlement with two limited liability companies, the former and current owners of an online customized merchandise platform (collectively, “respondents”), for allegedly failing to secure consumers’ sensitive personal data and covering up a major breach. According to the complaint, the respondents allegedly violated the FTC Act by, among other things, misrepresenting that they implemented reasonable measures to protect the personal information (PI) of customers against unauthorized access and misrepresenting that appropriate steps to secure consumer account information following security breaches were taken. The complaint further alleged that respondents failed to apply readily available protections against well-known threats and to adequately respond to security incidents, which resulted in the respondents' network being breached multiple times. Notably, one of the breaches involved a hacker gaining access to “millions of email addresses and passwords with weak encryption; millions of unencrypted names, physical addresses, and security questions and answers; more than 180,000 unencrypted Social Security numbers; and tens of thousands of partial payment card numbers and expiration dates.” The complaint goes on to allege that the online customized merchandise platform failed to properly investigate the breach for several months despite additional warnings, including failing to promptly notify its customers of the breach. Under the terms of the proposed settlement, the respondents are: (i) ordered to pay $500,000 in redress to victims of the data breaches; (ii) prohibited from making misrepresentations about their privacy and security measures, among other things; and (iii) required to have a third party assess their information security programs and provide the Commission with a redacted copy of that assessment suitable for public disclosure.

    Federal Issues FTC Enforcement Privacy/Cyber Risk & Data Security Deceptive Unfair UDAP FTC Act Data Breach

  • Biden signs $1.5 trillion omnibus package

    Federal Issues

    On March 15, President Biden signed H.R. 2471, the “Consolidated Appropriations Act, 2022” (Act), into law. According to House Appropriations Committee Chair Rosa DeLauro’s press release, the Act is an omnibus spending measure that provides $1.5 trillion in discretionary resources across the 12 fiscal year 2022 appropriations bills. Among other things, the Act includes the “Cyber Incident Reporting for Critical Infrastructure Act of 2022,” which establishes requirements for reporting ransomware incidents on critical infrastructure to the DHS Cybersecurity and Infrastructure Security Agency (CISA). Specifically, Division Y, Section 2242 establishes that companies must report incidents to CISA 72 hours after the covered entity reasonably believes that a cyber incident has occurred, or within 24 hours if a ransomware payment has occurred. If a company fails to meet the reporting requirements, the Act permits the cyber security director to “obtain information about the cyber incident or ransom payment by engaging the covered entity directly to request information about the cyber incident or ransom payment, and if the Director is unable to obtain information through such engagement, by issuing a subpoena to the covered entity, pursuant to subsection (c), to gather information sufficient to determine whether a covered cyber incident or ransom payment has occurred.” The Act also establishes that if CISA determines that the incident requires regulatory enforcement action or criminal prosecution, such information may be provided to the Attorney General or the appropriate regulator, who may utilize such information for a regulatory enforcement action or criminal prosecution. Within 24 months, CISA is directed to publish a notice of proposed rulemaking (NPRM) in the Federal Register to implement the Act, followed by the issuance of a final rule within 18 months of the NPRM. The final rule will outline the criteria of reporting and provide the effective dates for the reporting requirements. The Act also directs CISA to carry out an outreach and education campaign to inform covered entities about the rule’s requirements. Though the bill establishes that a court shall dismiss a cause of action against a person or entity for submitting a report, the liability protections “shall only apply to or affect litigation that is solely based on the submission of a covered cyber incident report or ransom payment report to the [Sector Risk Management] Agency.”

    The Act also includes the “Adjustable Interest Rate (LIBOR) Act,” which establishes “a clear and uniform process, on a nationwide basis, for replacing LIBOR in existing contracts the terms of which do not provide for the use of a clearly defined or practicable replacement benchmark rate, without affecting the ability of parties to use any appropriate benchmark rate in new contracts,” among other things. Additionally, the Act includes rental assistance programs and climate restoration grants, which, according to a statement by HUD Secretary Marcia L. Fudge, “provides funding to improve the energy efficiency of housing and increase resilience to climate impacts.”

    Federal Issues Federal Legislation Biden Privacy/Cyber Risk & Data Security Data Breach LIBOR HUD

  • FTC alleges company misrepresented the quality, source of leads

    Federal Issues

    On March 11, the FTC issued an administrative complaint against a Colorado-based digital marketplace company (defendant) alleging it used deceptive and misleading practices in selling home improvement project leads to service providers. The complaint alleges that since 2014 the defendant has made false, misleading, or unsubstantiated claims regarding the quality and source of the leads it sells to service providers, such as general contractors and small lawn care businesses. The complaint alleges, among other things, that the defendant told service providers that its leads resulted in actual home improvement jobs at rates higher than its own data supported, and that the defendant misled service providers about the cost of an optional one-month subscription to a software platform that it sold with its leads and the cost of the optional one-month help desk subscription. The defendant’s actions allegedly resulted in service providers, many of whom operate in the gig economy, spending time following leads below the promised quality and seeking refunds for those leads. The FTC’s Director of Bureau of Consumer Protection stated, “Today’s administrative complaint against [the defendant] shows that the FTC will use every tool in its toolbox to combat dishonest commercial practices.”

    Federal Issues FTC Enforcement Lead Generation

  • CFPB reminds servicers to use HAF funds to prevent foreclosure

    Federal Issues

    On March 14, the CFPB published a blog post strongly encouraging mortgage servicers to participate in the Homeowner Assistance Fund (HAF) to help borrowers avoid foreclosure and resolve delinquencies. While participation is voluntary, the Bureau reminded servicers that it remains focused on preventing avoidable foreclosures, and HAF funds can only help “if mortgage servicers work with state housing finance agencies and HUD-approved housing counselors to help borrowers” complete the process. HAF funds may allow borrowers to pay down the amount owed on a mortgage and help them enter loan modifications with lower payments. The Bureau also encouraged servicers to offer HAF program training to customer service representatives to ensure borrowers are provided accurate information about the loss mitigation process. Additionally, servicers should maintain policies and procedures that are designed to properly evaluate loss mitigation applications and should review existing policies and procedures to ensure borrowers are not improperly referred to foreclosure, especially in cases where a borrower’s HAF application is pending, or a borrower is awaiting HAF funds. The Bureau reminded servicers that it will continue to closely monitor servicer conduct and review mortgage servicing complaints to ensure compliance with all applicable federal consumer financial laws.

    Federal Issues CFPB Mortgages Consumer Finance Mortgage Servicing Foreclosure

  • OFAC sanctions Russians connected to human rights violations and Belarusian leader engaged in corruption

    Financial Crimes

    On March 15, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions pursuant to the Russia Magnitsky Act against four individuals and one entity. According to OFAC, the sanctioned individuals and entity were involved in concealing events surrounding the death of renowned Russian whistleblower, Sergei Magnitsky, or were connected to gross violations of human rights against a Russian human rights defender. OFAC also re-designated, pursuant to Executive Order 13405, the head of a corrupt government in Belarus who used his authorities to benefit his inner circle and regime, and newly designated his wife for being a senior level official engaged in public corruption.

    As previously covered by InfoBytes, President Biden issued E.O. 13405, “Blocking Property of Additional Persons Contributing to the Situation in Belarus,” which expanded the scope addressing the national emergency declared in E.O. 13405, “finding that the Belarusian regime’s harmful activities and long-standing abuses aimed at suppressing democracy and the exercise of human rights and fundamental freedoms in Belarus—including illicit and oppressive activities stemming from the August 9, 2020, fraudulent Belarusian presidential election and its aftermath, such as the elimination of political opposition and civil society organizations and the regime’s disruption and endangering of international civil air travel—constitute an unusual and extraordinary threat to the national security and foreign policy of the United States.” As a result of the sanctions, all property and interests in property belonging to the sanctioned entities subject to U.S. jurisdiction are blocked and must be reported to OFAC. Additionally, “any entities that are owned, directly or indirectly, 50 percent or more by one or more blocked persons are also blocked.” OFAC noted that U.S. persons are prohibited from participating in transactions with these persons, which includes “the making of any contribution or provision of funds, goods, or services by, to, or for the benefit of any blocked person or the receipt of any contribution or provision of funds, goods or services from any such person.”

    Financial Crimes Department of Treasury OFAC Biden SDN List Of Interest to Non-US Persons Russia Belarus

  • SEC awards $14 million to whistleblower

    Securities

    On March 11, the SEC announced that it awarded a whistleblower nearly $14 million for exposing ongoing fraud by publishing an online report. According to the redacted order, the whistleblower voluntarily provided original information and prompted the opening of an investigation, which resulted in a successful enforcement action against the company and its CEO and the return of millions of dollars to harmed investors.

    The SEC has awarded approximately $1.2 billion to 249 individuals since issuing its first award in 2012.

    Securities SEC Enforcement Whistleblower Investigations

  • CFTC awards $500,000 to whistleblowers

    Securities

    On March 10, the CFTC announced awards totaling approximately $500,000 to two whistleblowers who “separately provided significant information and substantial assistance” that led to a successful Commodity Exchange Act enforcement action. The associated order noted that the claimants voluntarily provided original information, which began an underlying investigation and “significantly contributed to the success” of the enforcement action.

    The CFTC has awarded approximately $300 million to whistleblowers since the enactment of its Whistleblower Program under Dodd-Frank, and whistleblower information has led to nearly $3 billion in monetary relief.

    Securities Enforcement CFTC Commodity Exchange Act Whistleblower

  • OFAC sanctions Russians for supporting DPRK’s WMD programs

    Financial Crimes

    On March 11, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions pursuant to Executive Order 13687 against two individuals and three entities based in Russia for allegedly supporting the Democratic People’s Republic of Korea’s (DPRK) “ongoing development of its weapons of mass destruction (WMD) and ballistic missile programs in violation of multiple United Nations Security Council resolutions.” The action specifically “targets a group of foreign individuals and companies that aid a DPRK defense industry-related procurement agent in Russia.” As a result of the sanctions, all property and interests in property of the sanctioned persons subject to U.S. jurisdiction are blocked and must be reported to OFAC. OFAC noted that its regulations generally prohibit U.S. persons from participating in transactions with the designated persons. OFAC’s announcement further warned that any foreign financial institution that knowingly facilitates significant transactions or provides significant financial services for any of the designated individuals may be subject to U.S. correspondent account or payable-through account sanctions, and that persons found to have engaged in certain transactions with the designated persons “may themselves be exposed to designation.”

    Financial Crimes Department of Treasury OFAC Of Interest to Non-US Persons OFAC Sanctions OFAC Designations SDN List North Korea Russia

  • FATF updates statements concerning jurisdictions with AML/CFT/CPF deficiencies

    Financial Crimes

    On March 10, the Financial Crimes Enforcement Network (FinCEN) announced updates to the Financial Action Task Force (FATF) statements concerning jurisdictions with strategic anti-money laundering, countering the financing of terrorism, and combating weapons of mass destruction proliferation financing (AML/CFT/CPF) deficiencies. Specifically, to ensure compliance with international standards, FATF updated the following two statements: (i) Jurisdictions under Increased Monitoring, which identifies jurisdictions with strategic deficiencies in their AML/CFT/CPF regimes that have committed to, or are actively working with, FATF to address those deficiencies in accordance with an agreed upon timeline; and (ii) High-Risk Jurisdictions subject to a Call for Action, which identifies jurisdictions with significant strategic deficiencies in their AML/CFT/CPF regimes and instructs FATF members to apply enhanced due diligence, and in the most serious cases, apply counter-measures to protect the international financial system from such risks. Among other things, through the announcement, FinCEN reminded covered financial institutions of their obligations to comply with due diligence obligations for foreign financial institutions (in addition to their general obligations) to ensure their due diligence programs “include appropriate, specific, risk-based, and, where necessary, enhanced policies, procedures, and controls that are reasonably designed to detect and report known or suspected money laundering activity conducted through or involving any correspondent account established, maintained, administered, or managed in the United States.” Money service businesses are also required to establish appropriate policies to address money laundering and terrorism financing risks posed by their relationships with foreign agents or foreign counterparties. FinCEN further instructed financial institutions to comply with U.S. prohibitions against the opening or maintaining of any correspondent accounts, whether directly or indirectly, for North Korean or Iranian financial institutions, which are already prohibited under existing U.S. sanctions and FinCEN regulations. As previously covered by InfoBytes, FinCEN last announced updates to the FATF statements in October.

    Financial Crimes Of Interest to Non-US Persons FATF FinCEN Anti-Money Laundering Combating the Financing of Terrorism Money Service Business

  • OFAC sanctions Russians, issues guidance on sanctions evasion through virtual currency, general licenses, and FAQs

    Financial Crimes

    On March 11, the U.S. Department of the Treasury’s Office of Foreign Assets Control issued guidance, in line with the G7 leaders' statement, to guard against possible attempts to use virtual currency to evade U.S. sanctions imposed on Russia. According to OFAC, the public guidance “further cut[s] off avenues for potential sanctions evasion by Russia” and “continues to make clear that Treasury’s expansive sanctions actions against Russia require all U.S. persons to comply with OFAC regulations, regardless of whether a transaction is denominated in traditional fiat currency or virtual currency.”

    Additionally, OFAC announced sanctions against Russian and Kremlin elites, and Russia’s political and national security leaders who have supported Russia’s invasion of Ukraine. As a result of the sanctions, all property and interests in property belonging to the sanctioned individuals and entities that are in the U.S. or in the possession or control of U.S. persons, and “any entities that are owned, directly or indirectly, 50 percent or more” by the targeted individuals and/or entities are blocked and must be reported to OFAC. The sanctions complement an Executive Order (E.O.) issued by President Biden that imposes new import and export restrictions on Russia, including the export of U.S. banknotes to Russia. Among other things, this E.O. prohibits the importation into the U.S. of certain products of Russian Federation origin. Additionally, the E.O. bans the exportation, reexportation, sale, or supply, directly or indirectly, from the U.S., or by a U.S. person, wherever located, of U.S. dollar-denominated banknotes to the Russian government or to any person located in the Russian Federation.

    OFAC also issued Russia-related General License 17 to authorize the import of existing purchases of prohibited products that are under pre-existing contract until March 25, 2022, and General License 18 and General License 19 to authorize certain activities regarding U.S. dollar-denominated banknotes as they pertain to personal remittances and U.S. persons, respectively. OFAC also issued Ukraine-related General License 23, “Blocking Property of Certain Persons and Prohibiting Certain Transactions With Respect to Continued Russian Efforts to Undermine the Sovereignty and Territorial Integrity of Ukraine,” “to authorize certain transactions that are ordinarily incident and necessary to nongovernmental organizations’ activities in the so-called Donetsk People’s Republic (DNR) or Luhansk People’s Republic (LNR) regions of Ukraine, including activities related to humanitarian projects to meet basic human needs, democracy building, education, non-commercial developments projects, and environmental and natural resource protection,” and published new Frequently Asked Questions and amended one Frequently Asked Question regarding Russia sanctions.

    Find continuing InfoBytes coverage on the U.S. sanctions response to Russia’s invasion of Ukraine here.

    Financial Crimes Digital Assets Department of Treasury OFAC Of Interest to Non-US Persons Ukraine Ukraine Invasion Russia Virtual Currency
