
InfoBytes Blog

Financial Services Law Insights and Observations


  • District Court dismisses data breach claims due to lack of jurisdiction

    Courts

    On November 8, the U.S. District Court for the Northern District of California dismissed a putative class action brought against a French cryptocurrency wallet provider and its e-commerce vendor after determining that the court does not have jurisdiction over the companies. Plaintiffs—customers who purchased hardware wallets through the vendor’s platform between July 2017 and June 2020—alleged violations of state-level consumer protection laws after a 2020 data breach exposed the personal contact information of thousands of vendor customers. Plaintiffs contended that when the breach was announced in 2020, the wallet provider failed to inform them that their data was involved in the breach. Plaintiffs also alleged that an unauthorized third party gained access to the wallet provider’s e-commerce database and obtained the email addresses of one million customers as well as physical contact information for 9,500 customers. According to the plaintiffs, the wallet provider did not disclose that the attack on its website and the vendor’s data theft were connected, and it downplayed the seriousness of the attack. As a result, plaintiffs were allegedly subject to “phishing scams, cyber-attacks, and demands for ransom and threats.” Plaintiffs claimed that the companies failed to implement appropriate security measures to protect customer data, and brought claims against the companies for injunctive relief and other remedies under California’s unfair competition law, Georgia’s Fair Business Practices Act, and New York’s General Business Law. The defendant companies moved to dismiss, arguing that the court lacked personal jurisdiction and that plaintiffs failed to state a claim.

    The court determined that it does not have jurisdiction over the French wallet provider, and ruled, among other things, that the plaintiffs did not establish that the wallet provider “expressly aimed” its activities towards California in a way that would establish specific jurisdiction, and “did not cause harm in California that it knew was likely to be suffered there.” The court further held that the fact that the vendor was headquartered in California at the time the breach occurred is not sufficient to establish general jurisdiction because the vendor moved to Canada before the class action was filed. “Courts have uniformly held that general jurisdiction is to be determined no earlier than the time of filing of the complaint,” the court wrote, dismissing the case with prejudice.

    Courts Privacy/Cyber Risk & Data Security Data Breach State Issues Of Interest to Non-US Persons

  • District Court denies EFTA safe harbor in overdraft class action

    Courts

    On November 8, the U.S. District Court for the District of New Hampshire denied a credit union’s motion to dismiss claims concerning its overdraft fees and policies. Plaintiffs filed a putative class action alleging that the defendant failed to properly disclose how it assessed overdrafts in violation of EFTA and implementing Regulation E. According to the plaintiffs, the defendant’s overdraft fee opt-in disclosure did not provide a “clear and readily understandable” explanation of the meaning of “enough money,” nor did it specify whether overdrafts are calculated based on the actual balance or the available balance. The defendant moved to dismiss, arguing that the opt-in disclosure should be read in conjunction with a separate membership agreement that outlines the account terms and discloses the defendant’s use of the “available balance” method to determine when an account is overdrawn. The defendant further contended that it did not violate Regulation E and that it qualifies for EFTA’s safe harbor provision. The court disagreed, ruling that the plaintiffs had plausibly alleged a violation of Regulation E, as it requires the opt-in disclosure to be “segregated from all other information.” Among other things, the court stated that “[c]ountless courts examining virtually identical language have agreed” that language similar to the phrase “enough money” can plausibly amount to a violation of Regulation E’s “clear and readily understandable” explanation of overdraft fees.

    With respect to defendant’s safe harbor claim, the court observed that EFTA may provide safe harbor to banks using an appropriate CFPB model clause (15 U.S.C. § 1693m(d)(2)) or a disclosure form “substantially similar” to the Bureau’s Model Form A-9, which states “[a]n overdraft occurs when you do not have enough money in your account to cover a transaction, but we pay it anyway.” The court agreed, however, with the reasoning of several courts that using language identical to that in the A-9 does not necessarily provide safe harbor defeating plaintiffs’ claims where, as here, the plaintiffs “have plausibly stated a claim that the clause from Model Form A-9 was not ‘appropriate’ because the language did not describe [defendant’s] overdraft policy in a ‘clear and readily understandable’ way.”

    Courts EFTA Overdraft Safe Harbor Regulation E Fees Class Action Disclosures CFPB Consumer Finance

  • Dept. of Defense announces version 2.0 of cybersecurity maturity model certification program

    Privacy, Cyber Risk & Data Security

    On November 4, the Department of Defense (DoD) announced the completion of an internal assessment of its Cybersecurity Maturity Model Certification (CMMC) program and enhancements to that program. While CMMC 2.0 remains focused on safeguarding sensitive national security information, it updates CMMC 1.0 (see DoD guidance here) by streamlining compliance rules, strengthening cyber protection standards for companies operating in the defense industrial base, and encouraging a collaborative culture of cybersecurity and cyber resilience. “By establishing a more collaborative relationship with industry, these updates will support businesses in adopting the practices they need to thwart cyber threats while minimizing barriers to compliance with DoD requirements,” Jesse Salazar, Deputy Assistant Secretary of Defense for Industrial Policy, stated. Among other things, CMMC 2.0: (i) simplifies CMMC standards and provides further clarity on cybersecurity regulatory, policy, and contracting requirements; (ii) focuses the most advanced cybersecurity standards and third-party assessment requirements on companies that support the highest priority programs; and (iii) “increas[es] DoD oversight of professional and ethical standards in the assessment ecosystem.” Changes reflected in CMMC 2.0 will be implemented through future rulemaking, and companies are not required to comply with CMMC requirements until the forthcoming rules take effect. DoD will also suspend a current CMMC pilot program and “will not approve inclusion of a CMMC requirement in any DoD solicitation” during this period.

    Privacy/Cyber Risk & Data Security Department of Defense Agency Rule-Making & Guidance

  • OFAC issues Cambodia advisory; sanctions Cambodian officials

    Financial Crimes

    On November 10, OFAC published a Cambodia Business Advisory on High-Risk Investments and Interactions, which addresses two primary areas of risk exposure for U.S. companies: (i) illicit finance activities in Cambodia and related risks for certain sectors; and (ii) involvement with Cambodian entities connected to trafficking in persons, wildlife, and narcotics in Cambodia and associated risks for certain sectors.

    The same day, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions pursuant to Executive Order 13818 against two Cambodian government officials under the Global Magnitsky Human Rights Accountability Act. According to OFAC, the sanctioned individuals, among other things, allegedly conspired to inflate the cost of facilities at a Cambodian naval base and personally benefit from the proceeds.

    Financial Crimes OFAC OFAC Designations Department of Treasury Cambodia Of Interest to Non-US Persons OFAC Sanctions

  • SEC awards $15 million to whistleblowers

    Securities

    On November 10, the SEC announced awards totaling over $15 million to two whistleblowers whose original information and voluntary assistance led to a successful SEC enforcement action. According to the redacted order, the first whistleblower alerted Commission staff to a fraudulent scheme, which prompted the opening of the investigation. While still substantial, the second whistleblower’s information was more limited in nature, and “had less of an impact on the success of the enforcement action,” as reflected in the respective amounts awarded. The SEC has awarded approximately $1.1 billion to 226 individuals since issuing its first award in 2012.

    Securities SEC Whistleblower Enforcement Investigations

  • SEC approves PCAOB Rule under the Holding Foreign Companies Accountable Act

    Securities

    On November 5, the SEC announced it approved the Public Company Accounting Oversight Board’s (PCAOB) Rule 6100, Board Determinations Under the Holding Foreign Companies Accountable Act, which establishes a framework for the PCAOB’s determinations under that act “that the PCAOB is unable to inspect or investigate completely registered public accounting firms located in a foreign jurisdiction because of a position taken by an authority in that jurisdiction.” According to the Commission order, PCAOB Rule 6100 establishes, among other things: (i) the factors the PCAOB will evaluate and the information the PCAOB will consider when assessing if a determination is warranted; (ii) the form, public availability, effective date, and duration of such determinations; and (iii) the process by which the board will reaffirm, modify, or vacate any such determinations. According to a statement released by SEC Chair Gary Gensler, the rule is an “important step to protect U.S. investors,” and it is “critical that the Commission and the PCAOB work together to ensure that the auditors of foreign companies accessing U.S. capital markets play by the same rules.”

    Securities SEC Of Interest to Non-US Persons Investigations Agency Rule-Making & Guidance

  • UK Supreme Court rules claimant cannot bring privacy claims against U.S. tech company

    Privacy, Cyber Risk & Data Security

    On November 10, the UK Supreme Court issued a judgment in an appeal addressing whether a claimant can bring data privacy claims in a representative capacity against a global technology company in a class action suit. The claimant sought compensation on behalf of a class under section 13 of the Data Protection Act 1998 (DPA 1998) for damages suffered when the tech company allegedly tracked millions of iPhone users’ internet activity in England and Wales over a period of several months between 2011 and 2012, and used the collected data without users’ knowledge or consent for commercial purposes. The DPA 1998 was replaced by the UK General Data Protection Regulation and the Data Protection Act 2018 but was in force at the time of the alleged breaches and is applicable to this claim, the Court explained in a press summary. The Court also noted that, except in antitrust cases, UK legislation does not allow class actions and Parliament has not yet legislated to establish a class action regime related to data protection claims. The Court noted that the claimant sought to use “same interest” precedent, which allows a claim to be brought “by or against one or more persons who have the same interest as representatives of any other persons who have that interest.”

    The Court reasoned that the case was “doomed to fail” because “the claimant seeks damages under section 13 of the DPA 1998 for each individual member of the represented class without attempting to show that any wrongful use was made by [the tech company] of personal data relating to that individual or that the individual suffered any material damage or distress as a result of a breach of the requirements of the Act by [the tech company].” The Court added that users’ “loss of control” over personal data did not constitute “damage” under section 13 of the DPA 1998 because the users were not shown to have lost money or suffered distress. If the case had been allowed to proceed, the tech company could have faced a £3 billion damages award.

    Privacy/Cyber Risk & Data Security UK Of Interest to Non-US Persons Class Action Consumer Protection GDPR

  • UAE bank fined $100 million for Sudanese sanctions violations

    Financial Crimes

    On November 9, NYDFS announced that a United Arab Emirates bank will pay a $100 million penalty to resolve an investigation into payments it allegedly processed through financial institutions in the state, including one of the bank’s New York branches. These transactions, NYDFS stated, were in violation of Sudan-related U.S. sanctions. According to NYDFS’ investigation, the bank instructed employees to avoid including certain details in messages sent between banks that would have linked the transactions to Sudan. By concealing these details, the transactions bypassed other banks’ sanctions filters, which otherwise might have triggered alerts or transaction freezes, NYDFS said. As a result, between 2005 and 2009, the bank illegally processed more than $4 billion of payments tied to Sudan. Following an announcement in 2009 that a Swiss bank used by the bank to process these transactions was being investigated by the New York County District Attorney’s Office for violating economic sanctions rules, the bank closed all U.S. dollar accounts held by Sudanese banks, but failed to disclose the prohibited transactions to NYDFS as required until 2015. NYDFS asserted that “despite having ample notice of the prohibited nature of the Sudan-related [transactions] by 2009,” the bank’s New York branch processed an additional $2.5 million in Sudan-related payments. Under the terms of the consent order, the bank—which was previously cited by NYDFS for anti-money laundering and sanctions compliance deficiencies in a 2018 consent order that included a $40 million fine—is also required to provide a status report on its U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) compliance program, in addition to paying the $100 million penalty. NYDFS acknowledged the bank’s substantial cooperation and ongoing remedial efforts.

    NYDFS coordinated its investigation with the Federal Reserve Board and OFAC, both of which announced separate settlements with the UAE bank the same day. The Fed’s announcement of its order to cease and desist cites the bank for having insufficient policies and procedures in place to ensure that activities involving branches outside the U.S. were in compliance with U.S. sanctions laws. Under the terms of the order, the bank is required, among other things, to implement an enhanced compliance program to ensure global compliance with U.S. sanctions, and must also conduct annual reviews, including a “risk-focused sampling” of its U.S. dollar payments, led by an independent external party. The order did not include any additional monetary penalties for the bank.

    OFAC also issued a finding of violation (FOV) for violations of the now-repealed Sudanese Sanctions Regulations related to the bank’s actions. These violations included 1,760 transactions that involved USD transfers from Sudanese banks that were processed by the bank’s London branch and routed through U.S. banks. In determining that the appropriate administrative action was an FOV rather than a civil monetary penalty, OFAC stated the bank “voluntarily entered into a retroactive statute of limitations waiver agreement, without which OFAC would have been time-barred from charging the violations.” Because the payment messages did not include the originating Sudanese bank, U.S. correspondent banking partners “could not interdict the payments, and the payments were successfully processed through the U.S. financial system,” OFAC stated. However, OFAC credited the bank with providing substantial cooperation during the investigation, and noted that the bank had taken “extensive remediation” efforts before the investigation began in 2015, and has spent more than $122 million on compliance enhancements.

    Financial Crimes Of Interest to Non-US Persons OFAC Department of Treasury NYDFS OFAC Sanctions Sudan Enforcement Bank Regulatory Federal Reserve State Issues

  • FinCEN hosts exchange on SAR reporting

    Financial Crimes

    On November 9, the Financial Crimes Enforcement Network (FinCEN) held a virtual “FinCEN Exchange” with members of the financial industry and law enforcement “to discuss FinCEN’s analysis of suspicious activity reporting (SAR) with a transactional nexus to Alabama, Florida, Georgia, Mississippi, and South Carolina.” As previously covered by InfoBytes, SAR Stats—formerly called By the Numbers—is an annual compilation of numerical data gathered from SARs filed by financial institutions using FinCEN’s new unified SAR form and e-filing process. According to FinCEN, analysis of certain Bank Secrecy Act filing statistics for SARs and an analysis of SAR filings related to recent FinCEN advisories were among the topics discussed. FinCEN also noted that this FinCEN Exchange “supports one of FinCEN’s highest priorities—to strengthen public-private partnerships to identify and mitigate threats in order to safeguard our national security and protect communities and citizens from harm.”

    Financial Crimes FinCEN SARs Bank Secrecy Act

  • OFAC issues new Syria sanctions FAQ

    Financial Crimes

    On November 8, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) published new Syria FAQ 934, which relates to the United Nations and the U.S. government’s stabilization and early recovery-related activities and transactions involving Syria. According to OFAC, the Syrian Sanctions Regulations (SySR) § 542.513 permit, under certain conditions, “the United Nations, its Specialized Agencies, Programmes, Funds, and Related Organizations and their employees, contractors, or grantees to engage in all transactions and activities in support of their official business in Syria, including any stabilization and early recovery-related activities and transactions in support of their official business.” This authorization applies to all United Nations employees, grantees, and contractors carrying out the official business of the United Nations, specialized agencies, programmes, funds, and related organizations. This includes nongovernmental organizations and private sector entities that act as grantees or contractors.

    FAQ 934 also reiterates advice from FAQ 884 that non-U.S. persons, including nongovernmental organizations and foreign financial institutions “do not risk exposure to U.S. secondary sanctions pursuant to the Caesar Syria Civilian Protection Act of 2019” for activities that would be authorized for U.S. persons under the SySR. (Covered by InfoBytes here.)

    Financial Crimes OFAC Of Interest to Non-US Persons Department of Treasury Syria OFAC Designations OFAC Sanctions FAQs
