InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
UK Supreme Court rules claimant cannot bring privacy claims against U.S. tech company
On November 10, the UK Supreme Court issued a judgment in an appeal addressing whether a claimant can bring data privacy claims in a representative capacity against a global technology company in a class action suit. The claimant sought compensation on behalf of a class under section 13 of the Data Protection Act 1998 (DPA 1998) for damages suffered when the tech company allegedly tracked millions of iPhone users’ internet activity in England and Wales over a period of several months between 2011 and 2012, and used the collected data without users’ knowledge or consent for commercial purposes. The DPA 1998 was replaced by the UK General Data Protection Regulation and the Data Protection Act 2018 but was in force at the time of the alleged breaches and is applicable to this claim, the Court explained in a press summary. The Court also noted that, except in antitrust cases, UK legislation does not allow class actions and Parliament has not yet legislated to establish a class action regime related to data protection claims. The Court noted that the claimant sought to use “same interest” precedent, which allows a claim to be brought “by or against one or more persons who have the same interest as representatives of any other persons who have that interest.”
The Court reasoned that the case was “doomed to fail” because “the claimant seeks damages under section 13 of the DPA 1998 for each individual member of the represented class without attempting to show that any wrongful use was made by [the tech company] of personal data relating to that individual or that the individual suffered any material damage or distress as a result of a breach of the requirements of the Act by [the tech company].” The Court added that users’ “loss of control” over personal data did not constitute “damage” under section 13 of the DPA 1998 because the users were not shown to have lost money or suffer distress. If the case had been allowed to proceed, the tech company could have faced a £3 billion damages award.
UAE bank fined $100 million for Sudanese sanctions violations
On November 9, NYDFS announced that a United Arab Emirates bank will pay a $100 million penalty to resolve an investigation into payments it allegedly processed through financial institutions in the state, including one of the bank’s New York branches. These transactions, NYDFS stated, were in violation of Sudan-related U.S. sanctions. According to NYDFS’ investigation, the bank instructed employees to avoid including certain details in messages sent between banks that would have linked the transactions to Sudan. By concealing these details, the transactions bypassed other banks’ sanctions filters, which otherwise might have triggered alerts or transaction freezes, NYDFS said. As a result, between 2005 and 2009, the bank illegally processed more than $4 billion of payments tied to Sudan. Following an announcement in 2009 that a Swiss bank used by the bank to process these transactions was being investigated by the New York County District Attorney’s Office for violating economic sanctions rules, the bank closed all U.S. dollar accounts held by Sudanese banks, but failed to disclose the prohibited transactions to NYDFS as required until 2015. NYDFS asserted that “despite having ample notice of the prohibited nature of the Sudan-related [transactions] by 2009,” the bank’s New York branch processed an additional $2.5 million in Sudan-related payments. Under the terms of the consent order, the bank—which was previously cited by NYDFS for anti-money laundering and sanctions compliance deficiencies in a 2018 consent order that included a $40 million fine—is also required to provide a status report on its U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) compliance program, in addition to paying the $100 million penalty. NYDFS acknowledged the bank’s substantial cooperation and ongoing remedial efforts.
NYDFS coordinated its investigation with the Federal Reserve Board and OFAC, both of which announced separate settlements with the UAE bank the same day. The Fed’s announcement of its order to cease and desist cites the bank for having insufficient policies and procedures in place to ensure that activities involving branches outside the U.S. were in compliance with U.S. sanctions laws. Under the terms of the order, the bank is required, among other things, to implement an enhanced compliance program to ensure global compliance with U.S. sanctions, and must also conduct annual reviews, including a “risk-focused sampling” of its U.S. dollar payments, led by an independent external party. The order did not include any additional monetary penalties for the bank.
OFAC also issued a finding of violation (FOV) for violations of the now-repealed Sudanese Sanctions Regulations related to the bank’s actions. These violations included 1,760 transactions that involved USD transfers from Sudanese banks that were processed by the bank’s London branch and routed through U.S. banks. In determining that the appropriate administrative action was an FOV rather than a civil monetary penalty, OFAC stated the bank “voluntarily entered into a retroactive statute of limitations waiver agreement, without which OFAC would have been time-barred from charging the violations.” Because the payment messages did not include the originating Sudanese bank, U.S. correspondent banking partners “could not interdict the payments, and the payments were successfully processed through the U.S. financial system,” OFAC stated. However, OFAC credited the bank with providing substantial cooperation during the investigation, and noted that the bank had taken “extensive remediation” efforts before the investigation began in 2015, and has spent more than $122 million on compliance enhancements.
FinCEN hosts exchange on SAR reporting
On November 9, the Financial Crimes Enforcement Network (FinCEN) held a virtual “FinCEN Exchange” with members of the financial industry and law enforcement “to discuss FinCEN’s analysis of suspicious activity reporting (SAR) with a transactional nexus to Alabama, Florida, Georgia, Mississippi, and South Carolina.” As previously covered by InfoBytes, SAR Stats—formerly called By the Numbers—is an annual compilation of numerical data gathered from SARs filed by financial institutions using FinCEN’s new unified SAR form and e-filing process. According to FinCEN, analysis of certain Bank Secrecy Act filing statistics for SARs and an analysis of SAR filings related to recent FinCEN advisories were among the topics discussed. FinCEN also noted that this FinCEN Exchange “supports one of FinCEN’s highest priorities—to strengthen public-private partnerships to identify and mitigate threats in order to safeguard our national security and protect communities and citizens from harm.”
OFAC issues new Syria sanctions FAQ
On November 8, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) published new Syria FAQ 934, which relates to the United Nations and the U.S. government's stabilization and early recovery-related activities and transactions involving Syria. According to OFAC, the Syrian Sanctions Regulations (SySR) § 542.513 permit, under certain conditions, “the United Nations, its Specialized Agencies, Programmes, Funds, and Related Organizations and their employees, contractors, or grantees to engage in all transactions and activities in support of their official business in Syria, including any stabilization and early recovery-related activities and transactions in support of their official business.” This authorization applies to all United Nations employees, grantees, and contractors carrying out the official business of the United Nations, specialized agencies, programmes, funds, and related organizations. This includes nongovernmental organizations and private sector entities that act as grantees or contractors.
FAQ 934 also reiterates advice from FAQ 884 that non-U.S. persons, including nongovernmental organizations and foreign financial institutions “do not risk exposure to U.S. secondary sanctions pursuant to the Caesar Syria Civilian Protection Act of 2019” for activities that would be authorized for U.S. persons under the SySR. (Covered by InfoBytes here.)
Illinois AG, IDFPR settle with three payday lenders
On November 5, the Illinois attorney general and the Illinois Department of Financial and Professional Regulation (IDFPR) announced a settlement resolving allegations that three companies violated Illinois lending laws by generating payday loan leads without a license and arranging high-cost payday loans for out-of-state payday unlicensed lenders. The AG and IDFPR further alleged that the companies falsely represented their loan network as being “trustworthy,” although the loan terms and conditions did not comply with Illinois law, which violated the Illinois’ Consumer Fraud and Deceptive Business Practices Act. The AG sued the companies in 2014 after the companies refused to comply with a cease and desist order issued by IDFPR, which required them to become licensed. According to the announcement, under the terms of the settlement, the companies are prohibited from: (i) arranging or offering small-dollar loans, online or otherwise, without being licensed by IDFPR; (ii) advertising or offering any small consumer loan arrangements or lead generation services in Illinois, unless they are licensed by IDFPR; and (iii) providing services associated with arranging or offering small dollar loans to Illinois consumers without being licensed by IDFPR.
DFPI reminds CFL licensees of December 31 transition deadline
Recently, the California Department of Financial Protection and Innovation (DFPI) reminded companies licensed under the California Financing Law that they must transition onto the Nationwide Multistate Licensing System & Registry (NMLS) by December 31. Licensees not currently on the NMLS must establish an account in the system and transfer information to DFPI through NMLS on or before the deadline. Applicants and transitioning licensees are required to submit IRS and Secretary of State documentation identifying the employer identification number and the state where the company is registered as a business. DFPI further stated that the time for “DFPI to process the licensee’s NMLS transition does not [affect] the licensure status of the licensee, and may occur after the licensee’s December 31, 2021 deadline to submit the licensee’s information to the DFPI through NMLS.”
Utah amends mortgage practices and licensing rule provisions
Recently, the Utah Department of Commerce adopted amendments to the Utah Residential Mortgage Practices and Licensing Rules to eliminate unnecessary and redundant licensee expenses for criminal background checks and credit reports. Among other things, the amendments provide that if a licensee submits a fingerprint background report to the Nationwide Multistate Licensing System & Registry (NMLS) “that is current according to the NMLS and is dated within 90-days of the date of the application to renew, the Division shall use that fingerprint background report in satisfaction of the requirement of. . .subsection [R162-2c-204]. If there is no current fingerprint background report in the NMLS, the licensee shall submit a fingerprint background report to the NMLS with the licensee’s application to renew.” The same condition also applies to current credit reports dated within 30-days of the date the renewal application was submitted to the NMLS. The amendments also update certain license qualification provisions related to moral character and felony convictions, and eliminate provisions concerning employee incentive programs related to licensed entities. These provisions took effect October 26.
DFPI addresses several MTA licensing exemptions
Recently, the California Department of Financial Protection and Innovation (DFPI) released several new opinion letters covering aspects of the California Money Transmission Act (MTA) related to virtual currency and agent of payee rules. Highlights from the redacted letters include:
- Cryptocurrency and Agent of Payee Exemption. The redacted opinion letter reviewed whether MTA licensure is required for a company’s proposal to offer payment processing services that would enable merchants to receive payments in U.S. dollars from buyers of goods and services, automatically exchange these payments into dollar-denominated tokens on a blockchain network, and to store the tokens in a custodial digital wallet. DFPI currently does not require licensure for companies to receive U.S. dollars from a buyer for transfer to a merchant’s wallet as dollar tokens. DFPI explained that even if it did regulate this activity, the structure of the company’s payment processing services satisfies the requirements of the agent-of-payee exemption, wherein the company acts as the agent of the merchant pursuant to a preexisting written contract and the company’s receipt of payment satisfies the buyer’s obligation to the merchant for goods or services. DFPI further explained that while storing dollar tokens in a custodial digital wallet or making subsequent transfers out of a wallet do not currently require licensure under the MTA, DFPI may later determine the activities are subject to regulatory supervision.
- Asset-Backed Tokens and Other Cryptocurrency. The redacted opinion letter asked DFPI whether an MTA license is required to (i) provide technical services to enable owners of metal to create digital assets representing interests in that metal; (ii) facilitate trading in these digital assets; or (iii) provide digital wallets to customers. The company intends to create a platform to facilitate the creation, sale, and trading of metal asset-backed tokens, whereby a customer purchases metal asset-backed tokens (ABTs) or currency tokens using fiat currency stored in an FBO account. Customers will not be allowed to transmit fiat currency to each other except to facilitate the purchase of ABTs or currency tokens, to receive proceeds from ABTs, or to pay platform fees. DFPI explained that while issuing stored value is generally considered money transmission, “[p]roviding technical services to assist in the creation of a [m]etal ABT and [i]ndustrial [t]okens and issuing a digital wallet holding the [m]etal ABT does not require licensure.” DFPI noted that the company is not itself issuing the ABT or industrial tokens. DFPI further concluded that the company does not need an MTA license to issue a digital wallet holding metal ATBs because the digital wallet is not stored value nor can the wallet’s contents be redeemed for money or monetary value or be used as payment for goods or services. DFPI separately indicated that a license is not currently required to facilitate the sale of ABTs, nor the issuance and sale of currency tokens. However, DFPI warned the company that the opinion only pertains to MTA, and that the company should be aware that metal ABTs and industrial tokens “could be considered a commodity and California Corporations Code section 29520 generally prohibits the sale of a commodity, unless an exception applies.”
- Cryptocurrency-to-Precious Metals Dealer. The redacted opinion letter reviewed whether an online cryptocurrency-to-precious metals dealer, which accepts a variety of different cryptocurrencies in exchange for precious metals and also purchases precious metals from customers using different cryptocurrencies, requires MTA licensure. The company referenced a 2016 decision where DFPI determined that a company operating a software technology platform to facilitate the purchase and sale of gold was not engaged in money transmission, that gold and other precious metals were not payment instruments, that the transactions did not represent selling or issuing stored value, and that “the activity did not constitute receiving money for transmission because the sale or repurchase of gold was a bargained-for-exchange and did not involve transmission to a third party.” The company argued that purchasing and selling precious metals with cryptocurrency is similar and should not trigger MTA’s licensing requirement. DFPI agreed that the company’s business activities do not meet the definition of money transmission because precious metals are not payment instruments, and as such, purchasing and selling precious metals for cryptocurrency does not represent the sale or issuance of a payment instrument. Additionally, DFPI concluded that the company is not selling or issuing stored value, nor do the transactions “involve the receipt of money or monetary value for transmission within or outside the U.S.”
- Virtual Currency Wallet. The redacted opinion letter asked whether an MTA license is required to operate a platform that will provide customers with an account to store and transfer virtual currencies. The company will also provide customers access to an exchange where they can facilitate the purchase or sale of virtual currencies in exchange for other virtual currencies. Fiat currency will not be used on the platform. DFPI stated that it does not currently require companies to obtain an MTA license to operate a platform that provides customers with an account to store and transfer virtual currencies. DFPI further stated that a license is not required to operate a platform that gives customers access to an exchange to purchase or sell virtual currencies in exchange for other virtual currencies.
- Purchase of Cryptocurrency. The redacted opinion letter examined whether a company that offers clients a direct opportunity to buy cryptocurrency in exchange for fiat currency requires MTA licensure. The company explained, among other things, that there is no transmission of cryptocurrency to third parties and that it does not offer money transmission services. DFPI concluded that because the company’s activities are limited to directly selling cryptocurrency to clients, it “does not require an MTA license because it does not involve the sale or issuance of a payment instrument, the sale or issuance of stored value, or receiving money for transmission.”
DFPI reminded the companies that its determinations are limited to the presented facts and circumstances and that any change could lead to different conclusions. Moreover, the letters do not relieve the companies from any FinCEN or federal regulatory obligations.
9th Circuit: Israeli company is not entitled to foreign sovereign immunity over malware claims
On November 8, the U.S. Court of Appeals for the Ninth Circuit affirmed a district court’s order denying a private Israeli company’s motion to dismiss claims based on foreign sovereign immunity. The Israeli company (defendant) designs and licenses surveillance technology to governments and government agencies for national security and law enforcement purposes. According to the opinion, the defendant markets and licenses a product that allows law enforcement and intelligence agencies to covertly intercept messages, take screenshots, or extract information such as a mobile device’s contacts or history. The plaintiffs (a messaging company and global social media company) sued the defendant claiming it sent malware through the messaging company’s server system to approximately 1,400 mobile devices to gather users’ information in violation of state and federal law, including the Computer Fraud and Abuse Act and the California Comprehensive Computer Data Access and Fraud Act. The defendant moved to dismiss, claiming foreign sovereign immunity protected it from the suit. The defendant further contended that even if the plaintiffs’ allegations were true, it was “acting as an agent of a foreign state, entitling it to ‘conduct-based immunity’—a common-law doctrine that protects foreign officials acting in their official capacity.” The district court disagreed, ruling that common-law foreign official immunity does not protect the defendant in this case because the defendant “failed to show that exercising jurisdiction over [the defendant] would serve to enforce a rule of law against a foreign state.”
Although the 9th Circuit agreed with the district court that the defendant, as a private company, is not entitled to immunity, the panel affirmed on separate grounds. The 9th Circuit based its determination instead on the fact that “the Foreign Sovereign Immunity Act (FSIA or Act) occupies the field of foreign sovereign immunity as applied to entities and categorically forecloses extending immunity to any entity that falls outside the FSIA’s broad definition of ‘foreign state.’” Among other things, the 9th Circuit rejected the defendant’s claim that because governments use its technology it is entitled to the immunity extended to sovereigns. “Whatever [the defendant’s] government customers do with its technology and services does not render [the defendant] an ‘agency or instrumentality of a foreign state,’ as Congress has defined that term,” the appellate court wrote. In contrast to the district court, the 9th Circuit rejected the defendant’s argument that it could claim foreign sovereign immunity under common-law immunity doctrines that apply to foreign officials (i.e., natural persons), finding that “Congress [had] displaced common-law sovereign immunity doctrine as it relates to entities.”
District Court preliminarily approves TCPA class action settlement
On November 8, the U.S. District Court for the Eastern District of New York granted preliminary approval for a $38.5 million settlement in a class action against a national gas service company and other gas companies (collectively, defendants) for allegedly violating the TCPA by soliciting calls to cellular telephones. The plaintiff’s memorandum of law requested preliminary approval of the class action settlement. The proposed settlement sought to establish a settlement class of all U.S. residents who “from March 9, 2011 until October 29, 2021, received a telephone call on a cellular telephone using a prerecorded message or artificial voice” regarding several topics including: (i) the payment or status of bills; (ii) an “important matter” regarding current or past bills and other related issues; and (iii) a disconnect notice concerning a current or past utility account. Under the terms of the preliminarily approved settlement, the defendants will provide monetary relief to claiming class members in an estimated amount between $50 and $150. The settlement would additionally require the companies to implement new training programs and procedures to prevent any future TCPA violations. The settlement permits counsel for the proposed class to seek up to 33 percent of the settlement fund to cover attorney fees and expenses.