InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
FSOC reports on NBFIs
On February 4, the Financial Stability Oversight Council (FSOC) released a statement regarding nonbank financial intermediation. According to the statement, FSOC received updates on progress over the past year regarding three types of nonbank financial institutions (NBFIs), which include hedge funds, open-end funds, and money market funds (MMF). The statement noted that FSOC reestablished its Hedge Fund Working Group in 2021, with the primary objective of providing updates to FSOC’s “assessment of potential risks to U.S. financial stability from hedge funds, their activities, and their interconnections with other market participants.” FSOC “supports the Hedge Fund Working Group’s recommendation that the Office of Financial Research (OFR) consider ways to obtain better data on the uncleared bilateral repurchase agreement market, an important source of leverage for hedge funds.” In 2021, FSOC also established an interagency staff-level Open-end Fund Working Group, which assessed potential risks to U.S. financial stability arising from open-end funds. FSOC noted that it “supports the Open-end Fund Working Group’s continued analysis of the potential risks to financial stability that may arise from liquidity transformation at open-end funds.” In respect to MMF, FSOC noted that it supports the SEC’s efforts to reform MMFs and strengthen short-term funding markets.
OFAC sanctions Indonesian NGO
On February 3, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions pursuant to Executive Order 13224 against a non-governmental organization established by an Indonesia-based designated terrorist group for the purpose of providing financial support to extremists in Syria under the cover of humanitarian aid. According to Under Secretary of the Treasury for Terrorism and Financial Intelligence, Brian E. Nelson, “[t]he United States is taking this action to expose and disrupt [the terrorist group’s] deceptive efforts to use a purported ‘humanitarian organization’ for illicit purposes as a front for collecting and transferring funds.” Nelson added that “Treasury will continue to work with foreign partners to protect the non-profit sector from abuse by terrorist groups that disguise illicit finance flows as humanitarian activity.” As a result of the sanctions, all property and interests in property of the sanctioned entity subject to U.S. jurisdiction are blocked and must be reported to OFAC. U.S. persons are generally prohibited from engaging in any dealings involving the property or interests in property of blocked or designated persons, unless exempt or authorized by a general or specific OFAC license. OFAC further warned that the agency “can prohibit or impose strict conditions on the opening or maintaining in the United States of a correspondent account or a payable-through account of a foreign financial institution that knowingly conducted or facilitated any significant transaction on behalf of a Specially Designated Global Terrorist.”
OFAC issues counter terrorism FAQs
On February 2, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) published seven new Counter Terrorism-related frequently asked questions (FAQs). Among other things, the FAQs note that: (i) cash shipments to Afghanistan may be authorized under General Licenses (GL) 14, GL 18, or GL 19, provided that certain circumstances are met; (ii) nongovernmental organizations and international organizations may provide support to municipal water systems; (iii) both U.S. and non-U.S. companies may ship food to Afghanistan; and (vi) banks may process financial transfers and other transactions associated with food shipments to Afghanistan.
Colorado releases guidance on data privacy and security in advance of CPA implementation
On January 28, the Colorado attorney general issued prepared remarks and guidance on data security best practices in advance of the implementation of the Colorado Privacy Act (CPA). As covered by a Buckley Special Alert, the CPA was enacted last July to establish a framework for personal data privacy rights and provides consumers with numerous rights, including the right to access their personal data, opt-out of certain uses of personal data, make corrections to personal data, request deletion of personal data, and obtain a copy of personal data in a portable format. The Colorado AG has enforcement authority for the CPA, which does not have a private right of action. The CPA is effective July 1, 2023 with certain opt-out provisions taking effect July 1, 2024.
AG Phil Weiser stated that, by this fall, his office will post a formal Notice of Proposed Rulemaking, including a proposed set of model rules, with the goal of adopting a final rule roughly a year from now. AG Weiser also outlined best practices that will be weighed in determining whether a company is acting reasonably to safeguard sensitive information. Notably, the AG’s office will first evaluate whether a company has identified the types of data it collects and established a system for storing and managing that data (including disposal procedures). Considerations will then be made as to whether the company has a written information security policy and a written data incident response plan. The AG’s office will also examine a company’s practices for monitoring vendors’ data security measures. AG Weiser also referenced the recently released Data Security Best Practices guidance, which outlines key steps companies should take to protect consumer data, including ways to adopt information security and incident response policies, train employees on mitigating and responding to cybersecurity attacks, and notify appropriate parties in the event of a data breach, among other topics.
District Court partially grants summary judgment to defendants in FCA case
On February 1, the U.S. District Court for the Eastern District of California denied a relator’s (plaintiff’s) motion for summary judgment on an allegation of promissory fraud in violation of the False Claims Act (FCA) in a case against a rocket manufacturer and its subsidy (defendants). The court similarly denied the defendants’ cross-motion for summary judgment on the promissory fraud violation, but granted the defendants’ motion for summary judgment with respect to allegations of false certification in violation of the FCA. According to the opinion, the plaintiff, who was briefly employed by defendants as the senior director for Cyber Security, Compliance, and Controls, alleged that the defendants fraudulently induced the government to contract with the defendants in 18 contracts, while knowingly out of compliance with Defense Federal Acquisition Regulation 48 C.F.R. § 252.204– 7012 and NASA Federal Acquisition Regulation 48 C.F.R. § 1852.204-76, which impose cybersecurity and confidentiality requirements applicable to persons who receive government contracts. The court noted that plaintiff’s claims were based in part on allegations that defendants failed to disclose data breaches when required to do so. Conversely, defendants argued that they had disclosed their non-compliance with the identified regulations to the DoD and to NASA on multiple occasions and had been working with the government to obtain a waiver. In light of this, the court denied summary judgment on the promissory fraud violation, holding that “[a] genuine dispute of material fact exists as to the sufficiency of the disclosures[.]” The court also decreased the number of contracts the court will assess from 18 to 7, holding that the court will only rule on allegations that pertain to events before the case was filed in 2015. Similarly, the court granted defendants’ motion for summary judgment with respect to allegations of false certification on the grounds that “relator’s claim for false certification is based solely on an invoice payment under a NASA contract that was entered into after relator brought this action and is therefore not a proper basis for his false certification claim.”
OCC looks at compliance with state laws in CRA evaluations
On February 2, the OCC issued Bulletin 2022-2 addressing the agency’s processes for considering state banking commissioner input related to the performance of national banks under state community reinvestment laws, as well as state consumer complaint referrals. Among other things, the Bulletin outlines OCC policy and procedures for considering state input on the community reinvestment performance of OCC-supervised banks, including the implementation of Riegle–Neal Interstate Banking and Branching Efficiency Act community reinvestment-related provisions. Noting that several states and the District of Columbia have adopted community reinvestment laws that are similar to the federal Community Reinvestment Act (CRA), the OCC states that it will consider input from state banking commissioners regarding a national bank’s performance under applicable state community reinvestment laws when evaluating the bank’s CRA performance. The Bulletin also provides general guidance related to the OCC’s expectations concerning the handling of consumer complaints that state officials refer to national banks and federal savings associations, as well as state referrals of complaints to the OCC. The Bulletin “reminds banks that the OCC’s exclusive visitorial authority is not a basis for declining to address consumer complaints referred by state or local officials,” and “encourages banks to explain to state officials how complaints were resolved but without compromising consumers’ privacy interests or other confidential information.” Additionally, state officials are encouraged to refer to the OCC complaints alleging violations of federal fair lending laws or illegal, predatory, unfair, or deceptive acts or practices.
Bulletin 2022-2 rescinds OCC Advisory Letters 99-1 and 2004-2.
FDIC expands #GetBanked campaign
On February 2, the FDIC announced the expansion of its #GetBanked public awareness campaign into the Los Angeles, Dallas, and Detroit metropolitan areas in continuation of the agency’s efforts to increase financial inclusion to the unbanked population. The FDIC stated that the campaign “is focused on areas where research finds that a significant number of Black and Hispanic households are unbanked,” with the goal of “encourag[ing] unbanked consumers to consider opening a checking account.” With a series of English- and Spanish-language digital, audio, and video advertisements, the FDIC intends to reach unbanked consumers, specifically during the tax filing season. The campaign also includes resources to help consumers choose the best account to meet their needs and identify low-cost bank accounts.
FCC proposes to classify ringless voicemails as “calls” under the TCPA
On February 2, FCC Chairwoman Jessica Rosenworcel announced a proposal that would classify technology that leaves ringless voicemails on consumers’ cell phones as “calls” under the TCPA and therefore subject to the FCC’s robocalling restrictions. If adopted by the full Commission, callers using this form of technology would be required to obtain a consumer’s consent before delivering a ringless voicemail. The announcement explained that the TCPA “prohibits making any non-emergency call using an automatic telephone dialing system or an artificial or prerecorded voice to a wireless telephone number without the prior express consent of the called party.” According to Chairwoman Rosenworcel, ringless voicemails should face the same consumer protection rules as other robocalls. The proposal is in response to a petition that asked the FCC to find that ringless voicemails are not calls protected by the TCPA.
District Court grants summary judgment in favor of debt collector
On January 31, the U.S. District Court for the Middle District of Florida granted summary judgment in favor of a defendant debt collector concerning alleged violations of the FDCPA. The plaintiff alleged that she received six phone calls from the defendant, starting in May of 2020, seeking to collect debt owed by the plaintiff’s granddaughter. The plaintiff allegedly explained to the defendant during the first call that she did not live with her granddaughter and that the defendant would not be able to reach the granddaughter through that number. She also allegedly requested the defendant stop calling. On June 27, 2020 the plaintiff filed suit alleging violations of Sections 1692d, 1692c(a)(1), and 1692e of the FDCPA and the Florida Consumer Collections Practices Act (FCCPA). The court dismissed the state law claim, as well as the plaintiff’s Section 1692d claim, after determining that “neither the volume and frequency nor the content of the calls constituted abusive or harassing conduct under the FDCPA or FCCPA.”
After reviewing the remainder of the FDCPA claims, the court ruled that the plaintiff’s Section 1692c(a)(1) claim failed because the protections afforded by Section 1692c(a)(1) are applicable only to a “consumer” meaning “any natural person obligated or allegedly obligated to pay any debt.” The court explained that because the plaintiff “did not owe the subject debt” the defendant was “entitled to judgment as a matter of law on” the Section 1692c(a)(1) claim. Additionally, the court determined that the plaintiff failed to show evidence that the defendant violated Section 1692e by making false, deceptive, or misleading representations when attempting to collect on the debt, because “[a] reasonable jury could not conclude from this record that the least sophisticated consumer would have been misled to believe that the purpose of the phone calls was to attempt to collect a debt from [the plaintiff].”
District Court approves class settlement in data breach
On January 28, the U.S. District Court for the Northern District of California granted a plaintiffs’ motion for final approval in a class action settlement alleging an online support services provider (defendant) failed to adequately secure and safeguard the payment card data and other personally identifiable information that it collected while customers shopped and interacted with customer service websites. According to the order, four companies contracted with the defendant to provide sales software, customer service software, and voice and chat agent services for sales support for online shoppers. However, according to the plaintiff class, the defendant was allegedly negligent in securing customers’ data, which permitted hackers to access their names, addresses, and credit card information, in violation of California’s Unfair Competition Law and Illinois' Consumer Fraud and Deceptive Business Practices Act. The plaintiff class also alleged that the defendant did not disclose the breach for a period of approximately six months after the breach was detected and fixed in October 2017. Under the terms of the settlement, class members are eligible to receive reimbursement from the defendant of up to $2,000 if documentation is provided to prove they incurred out-of-pocket expenses resulting from the intrusion, which includes unreimbursed bank fees, long distance calling charges and costs of credit reports or fraud reimbursement services purchased in the wake of the breach. Additionally, class members who assert that they spent three hours or less dealing with the breach can also separately receive compensation at a rate of $20 per hour for that lost time, and may claim an additional two hours of lost time “if they can provide adequate documentation of those additional two hours spent dealing with the [d]ata [i]ncident,” according to the order. The court also awarded class counsel $450,000 in attorney fees and litigation costs and expenses and $2,000 service awards to each of the three lead plaintiffs.