InfoBytes Blog

Financial Services Law Insights and Observations

  • Fed, NYDFS fine Pakistan bank over $50 million for AML deficiencies

    On February 24, the Federal Reserve Board and NYDFS announced an enforcement action against a Pakistan-based bank for alleged anti-money laundering (AML) violations. According to the Fed’s consent order and NYDFS’s consent order, following examinations conducted by the Fed and NYDFS in 2014 and 2015, the bank’s New York branch was identified as having deficiencies in its AML compliance and risk management programs, including compliance with related federal laws, rules, and regulations. According to the NYDFS press release, the bank did not comply with a Written Agreement with the Fed and NYDFS entered into in 2016 in which the bank acknowledged oversight and compliance deficiencies and agreed to remediate them. According to NYDFS, “[t]hese continued failures revealed that the Branch’s senior management were unwilling or unable to promote a culture of compliance, adequate resources were not provided for compliance programs, and the Bank failed to adequately supervise the Branch by allowing problems to worsen year after year. The conditions at the Branch demonstrated severe weaknesses, and unsafe, unsound conditions requiring urgent restructuring.”

    Under the terms of the consent orders, the bank is required to pay civil money penalties of approximately $20.4 million to the Fed and $35 million to NYDFS. In addition to the monetary penalties, the bank is required to, among other things: (i) create a written plan detailing enhancements to the policies and procedures of the bank’s BSA/AML compliance program, its Suspicious Activity Monitoring and Reporting program, and its customer due diligence requirements; (ii) engage an independent consultant to conduct a comprehensive evaluation of the bank’s remediation efforts; and (iii) submit a status report within 60 days regarding a system of internal controls “reasonably designed to ensure compliance with BSA/AML requirements.” NYDFS acknowledged the bank’s “cooperation with the investigation and its ongoing remedial efforts.”

    Bank Regulatory State Issues Financial Crimes Of Interest to Non-US Persons Federal Reserve NYDFS Enforcement Anti-Money Laundering Bank Secrecy Act

  • CFPB reviewing 2,100 comments on small business data collection

    Federal Issues

    On February 22, the CFPB filed its eighth status report in the U.S. District Court for the Northern District of California, as required under a stipulated settlement reached in February 2020 with a group of plaintiffs, including the California Reinvestment Coalition, related to the collection of small business lending data. The settlement (covered by InfoBytes here) resolved a 2019 lawsuit that sought an order compelling the Bureau to issue a final rule implementing Section 1071 of the Dodd-Frank Act, which requires the Bureau to collect and disclose data on lending to women and minority-owned small businesses. The current status report states that the Bureau has met the deadlines under the stipulated settlement, which included issuing its long-awaited proposed rule (NPRM) last September. As covered by a Buckley Special Alert, the NPRM would require a broad swath of lenders to collect small business loan data, including information about the loans themselves, borrower characteristics, and demographic information regarding the borrower’s principal owners. This information would be reported annually to the Bureau and published by the Bureau on its website. The Bureau notes in its status report that the NPRM’s comment period ended on January 6. The Bureau is currently reviewing approximately 2,100 comments submitted via the public docket and will confer with plaintiffs regarding an appropriate deadline for issuing a final rule.

    Find continuing Section 1071 coverage here.

    Federal Issues CFPB Section 1071 Small Business Lending Dodd-Frank Courts SBREFA Agency Rule-Making & Guidance

  • FTC bans debt relief scheme operators

    Federal Issues

    On February 28, the FTC announced the permanent ban of the operators (collectively, “defendants”) of a debt relief scheme from processing debt relief payments and ordered the defendants to pay a $5.3 million fine. According to the FTC’s July 2020 complaint, which was filed jointly with the Florida attorney general in the U.S. District Court for the Middle District of Florida, the defendants allegedly engaged in deceptive and abusive practices by selling their credit card interest rate reduction services to consumers in violation of the FTC Act, the Telemarketing Sales Rule, and the Florida Deceptive and Unfair Trade Practices Act. The FTC and Florida AG claimed that the defendants utilized telemarketing calls promising to reduce consumers’ credit card interest rates permanently and substantially, and, after posing as representatives or affiliates of consumers’ credit card companies, the defendants allegedly claimed they could save consumers thousands of dollars in credit card interest and enable them to pay off their debt faster. The complaint also asserted that the defendants, at times, opened new credit cards that offered low introductory interest rates and transferred the balances of consumers’ existing debt to the new cards. For that, customers paid upfront fees of between $995 and $4,995 while also paying “substantial” fees to transfer the balances.

    Under the terms of the settlement, the operators are permanently prohibited from participating in the debt relief industry, misrepresenting material facts in connection with any product or service, and engaging in deceptive and abusive telemarketing acts and practices, unsubstantiated claims, and other payment practices. Two individual defendants agreed to pay a $225,000 monetary penalty and the other defendant agreed to pay $200,000.

    Federal Issues FTC Enforcement State Issues State Attorney General Courts Florida UDAP Debt Relief Consumer Finance FTC Act TSR

  • CFPB guidance on automobile repossession warns on UDAAPs

    Federal Issues

    On February 28, the CFPB released Bulletin 2022-4 regarding the repossession of vehicles and the potential for violations of Dodd-Frank’s prohibition on engaging in unfair, deceptive, or abusive acts or practices (collectively, “UDAAPs”) when repossessing vehicles. According to the Bulletin, “[t]he Bureau intends to hold loan holders and servicers accountable for UDAAPs related to the repossession of consumers’ vehicles.” To prevent UDAAPs, the Bureau noted that entities should, among other things: (i) review their policies and procedures regarding repossession and cancellation of repossession; (ii) ensure prompt communications between servicers and repossession service providers when a repossession is canceled and monitor compliance with cancellations; (iii) utilize monitoring of wrongful repossessions through routine oversight and audits of customer communications; and (iv) ensure corrective action programs are in place to address any violations and reimburse consumers for costs incurred as a result of unlawful repossessions. Additionally, the Bulletin suggests that entities should monitor service providers and any force-placed collateral protection insurance programs to verify that consumers are not charged for unnecessary force-placed insurance. According to the CFPB’s blog post released the same day, “the Bureau is closely watching the auto lending market. Auto loans are already the third largest consumer credit market in the United States at over $1.46 trillion outstanding, double the amount from ten years ago.”

    Federal Issues CFPB Dodd-Frank UDAAP Auto Finance Consumer Finance Repossession

  • District Court: Employees are not “customers” under California Customer Records Act in breach lawsuit

    Privacy, Cyber Risk & Data Security

    On February 24, the U.S. District Court for the Southern District of New York granted a waste management company’s motion to dismiss putative class action data breach claims after determining, in part, that the plaintiffs failed to allege how the company breached any duty of care. Plaintiffs, comprised of current and former employees, sued the company, claiming a 2021 data breach exposed their personally identifiable information (PII) to an unauthorized actor. Several plaintiffs were victims of apparent identity theft, the complaint stated, which alleged negligence, breach of contract and implied contract, breach of confidence, breach of fiduciary duty, unjust enrichment, and breach of the California Consumer Privacy Act, the state’s Unfair Competition Law, and the California Customer Records Act (CCRA). In dismissing the case, the court concluded, among other things, that the plaintiffs failed to plead facts showing specific measures that the company did or did not take, such as data encryption, to protect employee data. Additionally, the complaint did not “contain any allegations regarding the manner in which their systems were breached.” Moreover, the court determined that the complaint did not plausibly allege that the employees qualify as “customers” under the CCRA (a “customer” under the law is defined as “an individual who provides personal information to a business for the purpose of purchasing or leasing a product or obtaining a service from the business,” but in this matter, the court stated the plaintiffs did not allege that they provided their PII to the company in exchange for a product or service; rather, they were required to give their PII as part of their employment). The court also ruled that the plaintiffs did not plausibly allege that the company unreasonably delayed notifying them of the data breach by waiting 24 days after the breach to provide notice.

    Privacy/Cyber Risk & Data Security Courts California CCPA CCRA State Issues Data Breach Class Action New York

  • Wisconsin assembly passes comprehensive data privacy bill

    Privacy, Cyber Risk & Data Security

    On February 23, the Wisconsin assembly passed AB 957, which establishes requirements for controllers and processors of consumer personal data. An assembly amendment to the bill making various changes was adopted the same day. Highlights of the bill include:

    • Applicability. The bill will apply to controllers (defined “as a person that, alone or jointly with others, determines the purpose and means of processing personal data”) that “control or process the personal data of at least 100,000 consumers or that control or process the personal data of at least 25,000 consumers and derive over 50 percent of their gross revenue from the sale of personal data.” Personal data is defined as any information linked or reasonably linkable to an individual minus publicly available information. Certain entities are exempt from the bill’s requirements, including “governmental bodies, financial institutions subject to federal privacy disclosure requirements [including affiliates of financial institutions], certain entities subject to federal health privacy laws, nonprofits, and institutions of higher education.” Data collected, processed, and maintained in compliance with the Children’s Online Privacy Protection Act is also exempt.
    • Consumer rights. Under the bill consumers will be able to, among other things, (i) confirm whether their personal data is being processed and access their data; (ii) make corrections; (iii) request deletion of their data; (iv) obtain a copy of their previously provided data; and (v) opt out of the processing of their data for targeted advertising, the sale of their data, and certain forms of automated processing of their data. Controllers will be prohibited from taking discriminatory actions against consumers who exercise certain rights.
    • Controllers’ responsibilities. Data controllers under the bill will be responsible for responding to consumers’ requests without undue delay, including if a controller declines to take action regarding a consumer’s request. Responses to consumers’ requests must be provided free of charge once annually per consumer, and controllers will be required to establish an appeals process for denied requests, wherein “[w]ithin 60 days of receiving an appeal, a controller must inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for its decisions. If the appeal is denied, the controller must provide the consumer with a method through which the consumer can contact the attorney general to submit a complaint.” The bill will also require controllers to disclose certain information regarding data collection and sharing practices to consumers, as well as how consumers may exercise their rights under the bill. Controllers will also be prohibited from collecting or processing personal data for purposes not relevant to or reasonably necessary for the purposes disclosed in the privacy notice.
    • Data processing contracts. The bill requires controllers to enter into data processing contracts with data processors and “requires controllers to conduct data protection assessments related to certain activities, including processing personal data for targeted advertising, selling personal data, processing personal data for profiling purposes, and processing sensitive data, as defined in the bill.” The state attorney general may also request controllers to disclose any data protection assessments relevant to an investigation.
    • Private right of action and state attorney general enforcement. The bill explicitly prohibits a private right of action. Instead, it grants the state attorney general exclusive authority to enforce the law and seek forfeiture of up to $7,500 per violation. The attorney general may also recover reasonable investigation and litigation expenses. The bill further “prohibits cities, villages, towns, and counties from enacting or enforcing ordinances that regulate the collection, processing, or sale of personal data.”
    • Right to cure. Upon discovering a potential violation of the bill, the attorney general must give the controller or processor written notice. The controller or processor then has 30 days to cure the alleged violation before the attorney general can file suit.

    If enacted in its current form, the bill would take effect January 1, 2024. The bill still needs to be approved by the state senate and any differences reconciled before the measure can be sent to the governor.

    Privacy/Cyber Risk & Data Security State Issues State Legislation Consumer Protection Wisconsin

  • State AGs urge FTC to take action on impersonation scams

    State Issues

    On February 23, a coalition of state attorneys general sent a letter to FTC Chair Lina M. Khan, responding to the Commission’s advance notice of proposed rulemaking and urging the FTC to target “impersonation scams” to ensure consumers are protected from harm. As previously covered by InfoBytes, last December the FTC issued a request for comments on a wide range of questions related to government and business impersonation fraud. According to the FTC, reported losses due to impersonation fraud have spiked during the Covid-19 pandemic, with data from the Social Security Administration reporting $2 billion in total losses between October 2020 and September 2021. The AGs commented that overall, they “believe there is a pressing need for FTC rulemaking to address the scourge of impersonation scams impacting consumers across the United States,” noting that “[a] national rule that encompasses and outlaws such commonly experienced scams discussed [within the letter] would assist attorneys general and their partners in reducing consumer harm, maximizing consumer benefits, and holding bad actors to account.” Among other things, the letter discussed state-specific consumer complaints related to business impersonation, document preparation, regulatory compliance, and lead generation scams, and warned that the FTC should explore the means and instrumentalities used in these types of fraud. One example, the AGs pointed out, is impersonators using third-party payment processing services to effectuate their scams, oftentimes requiring certain payment methods for fictitious overdue mortgage, utility, and student loan debts. In stressing the “burgeoning need for a robust standard outlawing impersonation scams,” the AGs stated that “[w]hen a specific type of unfair or deceptive business practice becomes so prevalent, Commission rulemaking is appropriate.” They further added that these efforts are welcomed as part of their ongoing collaborative relationship with the FTC.

    State Issues State Attorney General FTC Fraud Consumer Protection Agency Rule-Making & Guidance

  • NYDFS proposes partnership with CDFIs

    State Issues

    On February 25, NYDFS announced a proposal to partner with Community Development Financial Institutions (CDFIs) to deliver $150 million to small businesses. According to the announcement, the partnership was announced after Governor Kathy Hochul held a roundtable related to “how New York State can spur economic recovery in Black and brown communities,” as well as “new efforts to fight structural racism embedded in the financial system and support innovative community lending programs and economic development services focused on reaching communities of color.” The announcement pointed out that the partnership is part of the governor’s FY2023 budget, which proposed an unprecedented assistance package for small businesses, including more than $500 million to the state. Governor Hochul also announced an advisory council of New York State-chartered CDFIs and minority depository institutions, which will be led by NYDFS Superintendent Adrienne Harris, and “will elevate the specific concerns of New York CDFIs and MDIs to support communities of color and ensure their needs are met.”

    State Issues New York NYDFS State Regulators Small Business Lending CDFI Diversity

  • FDIC releases January enforcement actions

    On February 25, the FDIC released a list of administrative enforcement actions taken against banks and individuals in January. During the month, the FDIC made public nine orders consisting of “four Orders to Pay Civil Money Penalty, one order terminating consent order, one voluntary termination of deposit insurance, and three orders of prohibition from further participation.” Among the actions is an order to pay a civil money penalty imposed against a Wisconsin-based bank related to alleged violations of the Flood Disaster Protection Act. Among other things, the FDIC claimed that the bank “fail[ed] to obtain adequate flood insurance for two loans,” and “faile[d] to provide to borrowers a Notice of Special Flood Hazard and Availability of Federal Disaster Relief Assistance within a reasonable time before the completion of the transaction on four loans.” The order requires the payment of a $3,000 civil money penalty. The orders also include an order to pay a civil money penalty imposed against an Iowa-based bank related to alleged violations of the Flood Disaster Protection Act. Among other things, the FDIC claimed that the bank: (i) “made, increased, extended, or renewed loans secured by a building or mobile home located or to be located in a special flood hazard area without requiring that the collateral be covered by flood insurance”; (ii) “made, increased, extended, or renewed a loan secured by a building or mobile home located or to be located in a special flood hazard area without providing timely notice to the borrower and/or the servicer as to whether flood insurance was available for the collateral”; and (iii) “failed to comply with proper procedures for force-placing flood insurance in instances where the collateral was not covered by flood insurance at some time during the term of the loan.” The order requires the payment of a $16,250 civil money penalty.

    Bank Regulatory Federal Issues FDIC Enforcement Flood Disaster Protection Act Flood Insurance Mortgages

  • FHFA finalizes enterprise regulatory capital framework

    Agency Rule-Making & Guidance

    On February 25, FHFA announced a final rule, which amends the Enterprise Regulatory Capital Framework (ERCF) by refining the prescribed leverage buffer amount (leverage buffer) and risk-based capital treatment of retained credit risk transfer (CRT) exposures for Fannie Mae and Freddie Mac (collectively, GSEs). Among other things, the final rule: (i) replaces the fixed leverage buffer equal to 1.5 percent of a GSE's adjusted total assets with a dynamic leverage buffer equal to 50 percent of the GSE's stability capital buffer; (ii) replaces the prudential floor of 10 percent on the risk weight assigned to any retained CRT exposure with a prudential floor of 5 percent on the risk weight assigned to any retained CRT exposure; and (iii) removes the requirement that a GSE must apply an overall effectiveness adjustment to its retained CRT exposures in accordance with the ERCF’s securitization framework. Additionally, the final rule implements technical corrections to provisions of the ERCF that were published in December 2020. (Covered by InfoBytes here.) The ERCF amendments and technical corrections will be effective 60 days after publication in the Federal Register.

    Agency Rule-Making & Guidance Federal Issues GSE FHFA Fannie Mae Freddie Mac Federal Register
