
InfoBytes Blog

Financial Services Law Insights and Observations

  • CFPB report on credit bureaus hints at rulemaking

    Federal Issues

    On January 3, the CFPB released its annual report, pursuant to Section 611(e)(5) of the FCRA, on information gathered by the Bureau regarding certain consumer complaints on the three largest nationwide consumer reporting agencies (CRAs). According to the report, the Bureau received 488,000 consumer complaints about the CRAs from October 2021 through September 2022. The Bureau’s analysis revealed that 93 percent of consumers reported having previously attempted to fix their problem with the company. The report also noted that the use of problematic response types has decreased, and most complaints now receive “more substantive and tailored” responses. The report found that most responses from the CRAs describe the outcomes of consumers’ complaints. The Bureau highlighted areas that the CRAs should prioritize given the “challenges facing market participants and policy makers,” including: (i) considering consumer burden when implementing automated processes; (ii) recognizing how current processes will need to evolve in light of new technologies that can generate similar-sounding complaints that are in fact unique; and (iii) considering how to transition the market from control and surveillance to consumer participation. According to CFPB Director Rohit Chopra, the Bureau “will be exploring new rules to ensure that [the CRAs] are following the law, rather than cutting corners to fuel their profit model.”

    Federal Issues Credit Reporting Agency CFPB Consumer Finance Credit Report FCRA

  • FHA seeks feedback on changing reconsideration of valuation requests

    Federal Issues

    Recently, FHA published a draft mortgagee letter (ML) proposing policy changes to its requirements for processing and documenting reconsideration of valuation (ROV) requests, specifically when requests are initiated by a borrower for the review of appraisal results. According to the ML, FHA provided proposed guidance to improve the process when prospective borrowers applying for FHA-insured Title II forward or Home Equity Conversion Mortgages (HECM) request an ROV on a property if the initial valuation is lower than expected, or if there is an indication of illegal bias, that Fair Housing regulations have been violated, or that there may be unlawful discrimination. The draft also proposed updated appraisal review standards, which are intended to provide mortgagees and appraisers with clarifying guidance on the quality of an appraisal report and the ROV process and responsibilities. Public comments are due by February 2.

    Federal Issues Agency Rule-Making & Guidance FHA Mortgages HECM Appraisal

  • France fines software company €60 million for data violations

    Privacy, Cyber Risk & Data Security

    In December, the French data protection agency, Commission Nationale de l’Informatique et des Libertés (CNIL), imposed a €60 million penalty against a global software development company accused of making it harder for users of its search engine to reject cookies than to accept them. Based on investigations conducted in September 2020 and May 2021, CNIL claims that when users visited the search engine, cookies used for advertising purposes and countering advertising fraud, among other things, were automatically deposited on their terminal without the users’ consent. Under French law, these types of cookies may only be deposited after users have expressed their consent, according to CNIL. CNIL further observed that while the search engine offered a button to accept cookies immediately, it did not offer an equivalent button to allow the user to refuse the cookies as easily. By making the refusal mechanism more complex, users are discouraged from refusing cookies and are instead encouraged “to prefer the ease of the consent button in the first window,” CNIL said, adding that “such a procedure infringed the freedom of consent of Internet users.” Claiming violations of Article 82 of the French Data Protection Act, CNIL ordered the company to take measures within three months to modify its practices for obtaining consent from users residing in France. CNIL further stated that additional fines of €60,000 will be imposed per day of non-compliance following the end of the three-month period. 

    Privacy, Cyber Risk & Data Security Of Interest to Non-US Persons France Enforcement Consumer Protection Cookies

  • Irish DPC fines global social media company €390 million over targeted ads

    Privacy, Cyber Risk & Data Security

    On January 4, the Irish Data Protection Commission (DPC) announced the conclusion of two inquiries into the data processing practices of a global social media company’s European operations. Collectively, the DPC imposed fines totaling €390 million against the company for allegedly requiring users to accept targeted ads when accepting the company’s social media platform terms of service. Complaints were raised in 2018 by data subjects in Austria and Belgium, claiming that the company violated the GDPR by conditioning access to its services on users’ acceptance of the company’s updated terms of service, thereby “forcing” them to consent to the processing of their personal data for behavioral advertising and other personalized services. The company maintained that once a user accepted the updated terms of service, a contract was formed, and that processing user data in connection with the delivery of its social media services was necessary for the performance of that contract (including the provision of personalized services and behavioral advertising). According to the company, “such processing operations were lawful by reference to Article 6(1)(b) of the GDPR (the ‘contract’ legal basis for processing).”

    The DPC issued draft decisions, finding that (i) the company breached its transparency obligations because the “contract” legal basis for processing was not clearly disclosed to users, but that, (ii) in principle, the GDPR did not preclude the company’s reliance on such basis.

    In accordance with the GDPR, the draft decisions were submitted to DPC’s EU peer regulators (Concerned Supervisory Authorities or “CSAs”). Regarding the question of whether the company had acted in contravention of its transparency obligations, the CSAs agreed with the DPC’s decisions but concluded that higher fines should be imposed. Ten of the 47 CSAs, however, concluded that the company “should not be permitted to rely on the contract legal basis on the grounds that the delivery of personalized advertising . . . could not be said to be necessary to perform the core elements of what was said to be a much more limited form of contract.” The DPC disagreed, arguing that personalized advertising is “central to the bargain struck between users and their chosen service provider” as part of the contract that is established when a user accepts the terms of service. The dispute was referred to the European Data Protection Board (EDPB) after the regulators were unable to reach a consensus.

    The EDPB determined that, “as a matter of principle,” the company “is not entitled to rely on the ‘contract’ legal basis as providing a lawful basis for its processing of personal data for the purpose of behavioral advertising.” The DPC adopted the EDPB’s determination and issued final decisions, finding, among other things, that the company’s processing of users’ data in purported reliance on the “contract” legal basis amounts to a contravention of Article 6 of the GDPR. The decisions require the company to bring its processing operations into compliance with the GDPR within a three-month period and impose administrative fines higher than those originally proposed, in line with the EDPB’s direction to increase the fines.

    The company released a statement following the decisions. According to the company, “[t]here has been a lack of regulatory clarity on this issue, and the debate among regulators and policymakers around which legal bases are most appropriate in a given situation has been ongoing for some time. This issue is also currently being debated by the highest courts in the EU, who may yet reach a different conclusion altogether.” The company added that “we strongly disagree with the DPC’s final decision, and believe we fully comply with GDPR by relying on Contractual Necessity for behavioural ads given the nature of our services. As a result, we will appeal the substance of the decision. Given that regulators themselves disagreed with each other on this issue up until the final stage of these processes in December, it is hard to understand how we can be criticised for the approach we have taken to date, and therefore we also plan to challenge the size of the fines imposed.”

    Privacy, Cyber Risk & Data Security Of Interest to Non-US Persons EU GDPR Enforcement

  • OFAC sanctions individuals and entities tied to ISIS

    Financial Crimes

    On January 5, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions pursuant to Executive Order 13224 against a key financial facilitation network of the Islamic State of Iraq and Syria (ISIS), which includes four individuals and two entities in Türkiye who are connected to the group’s recruitment and financial transfers to and from Iraq and Syria. According to OFAC, the designated network has “played a key role in money management, transfer, and distribution for ISIS in the region.” The Turkish Ministry of Treasury and Finance, in collaboration with the Ministry of Interior, also implemented an asset freeze against members of this network. As a result of the sanctions, all property and interests in property belonging to the sanctioned persons subject to U.S. jurisdiction are blocked and must be reported to OFAC. Additionally, “any entities that are owned, directly or indirectly, 50 percent or more” by one or more blocked persons are also blocked. U.S. persons are also generally prohibited from engaging in any dealings involving the property or interests in property of blocked or designated persons. Persons that engage in certain transactions with the designated individuals or entities may themselves be exposed to secondary sanctions, OFAC warned, adding that “OFAC can prohibit or impose strict conditions on the opening or maintaining in the United States of a correspondent account or a payable-through account of a foreign financial institution that has knowingly conducted or facilitated any significant transaction on behalf of a Specially Designated Global Terrorist (SDGT).”

    Financial Crimes Of Interest to Non-US Persons Department of Treasury OFAC OFAC Sanctions OFAC Designations SDN List Iraq Syria ISIS

  • OFAC sanctions suppliers of Iranian UAVs used in Russia’s war against Ukraine

    Financial Crimes

    On January 6, the U.S. Treasury Department’s Office of Foreign Assets Control announced sanctions pursuant to Executive Order 13382 against six executives and board members of a U.S.-designated Iranian defense manufacturer allegedly responsible for designing and producing unmanned aerial vehicles (UAVs) that are being transferred by Iran for use in Russia’s war against Ukraine. The director of a key organization responsible for overseeing Iran’s ballistic missile programs has also been sanctioned. OFAC further announced that it is updating the defense manufacturer’s entry on the Specially Designated Nationals and Blocked Persons List to include its new alias. As a result of the sanctions, all property and interests in property belonging to the sanctioned individuals and entities that are in the U.S. or in the possession or control of U.S. persons are blocked and must be reported to OFAC. Further, “any entities that are owned, directly or indirectly, 50 percent or more by one or more blocked persons are also blocked.” U.S. persons are generally prohibited from engaging in any dealings involving the property or interests in property of blocked or designated persons. Persons that engage in certain transactions with the designated individuals or entities may themselves be exposed to sanctions, and “any foreign financial institution that knowingly facilitates a significant transaction or provides significant financial services for any of the individuals or entities designated today pursuant to E.O. 13382 could be subject to U.S. sanctions.”

    Financial Crimes Of Interest to Non-US Persons Department of Treasury OFAC OFAC Sanctions OFAC Designations SDN List Iran Russia Ukraine Ukraine Invasion

  • SEC brings charges in connection with alleged $45 million crypto fraud

    Securities

    On January 4, the SEC filed a complaint in the U.S. District Court for the Eastern District of Michigan against a cryptocurrency operation and connected individuals and entities (collectively, defendants), alleging that they were involved in a fraudulent scheme that generated more than $45 million. According to the complaint, the defendants falsely claimed that investors could generate extravagant returns by investing in a blockchain technology that would be sold for trillions of dollars. More specifically, from at least 2019 to 2022, the defendants allegedly disseminated false and misleading statements to investors regarding the purported value of the blockchain technology, the parties involved in the supposed sale of the blockchain technology, and the use of investment proceeds. The complaint further alleges that the defendants collectively misappropriated millions of dollars of investor funds for personal use. These activities violated the antifraud and registration provisions of the Securities Act and Exchange Act and other requirements, according to the SEC. The SEC’s complaint seeks disgorgement plus pre-judgment interest, penalties, and permanent injunctions against all defendants, and officer and director bars against the individuals, in addition to a conduct-based injunction against one of the individuals.

    Securities SEC Enforcement Digital Assets Courts Securities Exchange Act Cryptocurrency Blockchain

  • CFPB and New York say auto lender misled consumers

    Federal Issues

    On January 4, the CFPB and New York attorney general filed a complaint against a Michigan-based auto finance company accused of misrepresenting the cost of credit and deceiving low-income consumers into taking out high-interest loans on used vehicles. (See also AG’s press release here.) The joint complaint alleges, among other things, that the defendant based the price of a loan (and then artificially inflated the principal amount) and the payment to the dealer on the projected amount that may be collected from the consumer during the life of the loan (without factoring in whether consumers could actually afford the loan).

    The Bureau and AG further argued that the true cost of credit is hidden in inflated principal balances in order to evade state interest rate caps. An investigation conducted by the AG found that while the defendant’s loan agreements in New York claimed an APR of 22.99 percent or 23.99 percent (just below the 25 percent usury cap), the defendant actually charged on average more than 38 percent (and on many occasions charged an APR in excess of 100 percent). These high-interest loans, the AG claimed, often caused consumers to accrue additional fees and become delinquent on their loans.

    The complaint also alleged the defendant failed to consider consumers’ ability to repay their loans in full, engaged in aggressive debt collection tactics, and created financial incentives for dealers to add on extra products, such as vehicle service contracts. Add-on products generated roughly $250 million in revenue for the defendant in 2020, the complaint said, adding that these alleged deceptive lending practices lowered consumers’ credit scores and cost borrowers millions of dollars. The complaint further maintained that the defendant packaged the consumer loans into securities that were sold to investors on the premise that the underlying loans complied with applicable law. These alleged false representations, the complaint said, constituted securities fraud under New York’s Martin Act.

    The complaint — which also alleges violations of the Consumer Financial Protection Act’s prohibition against deceptive and abusive acts or practices, New York usury limits, and other state consumer and investor protection laws — seeks, among other things, injunctive relief, monetary relief, disgorgement, and civil money penalties of $1,000,000 for each day of violations.

    The defendant was previously targeted for violating consumer protection laws in 2021 by the Massachusetts attorney general, who announced a $27.2 million settlement to resolve allegations of predatory lending and deceptive debt collection practices. (Covered by InfoBytes here.)

    Federal Issues State Issues CFPB New York State Attorney General Enforcement Auto Finance Consumer Finance Deceptive Abusive CFPA UDAAP

  • Agencies warn banks of crypto-asset risks

    On January 3, the FDIC, Federal Reserve Board, and OCC issued a joint interagency statement highlighting key risks banks should consider when choosing to engage in cryptocurrency-related services. Risks flagged by the agencies include: (i) the possibility of fraud and scams among crypto-asset sector participants; (ii) legal uncertainties related to custody practices, redemptions, and ownership rights; (iii) misleading disclosures made by crypto firms that may be unfair, deceptive, or abusive; (iv) volatility in crypto-asset markets, including the susceptibility of stablecoins to run risk, which could impact deposit flows; (v) contagion risks resulting from interconnections among crypto-asset participants that may present concentration risks for banks with exposure to the crypto-asset sector; (vi) lack of maturity in risk management and governance practices within the crypto-asset sector; and (vii) elevated risks associated with open, public, and/or decentralized networks.

    The agencies commented that while they will continue to take a cautious approach to current or proposed crypto-asset-related activities (and are not prohibiting nor discouraging banks from providing crypto services to customers, as permitted by law or regulation), they currently “believe that issuing or holding as principal crypto-assets that are issued, stored, or transferred on an open, public, and/or decentralized network, or similar system is highly likely to be inconsistent with safe-and-sound banking practices.” Moreover, the agencies expressed “significant safety and soundness concerns with business models that are concentrated in crypto-asset-related activities or have concentrated exposures to the crypto-asset sector.” Agencies have developed processes for banks to engage in robust supervisory discussions with their supervisory office about any proposed or existing crypto-asset-related activities, the agencies advised, adding that before launching any activities, banks should take appropriate risk management measures and assess whether the activity can be performed in a safe and sound manner, is legally permissible, and complies with applicable laws and regulations. Additional statements will be released in the future by the agencies.

    “The events of the past year have been marked by significant volatility and the exposure of vulnerabilities in the crypto-asset sector,” the agencies said as they stressed the importance of keeping crypto-asset risks that cannot be mitigated or controlled from migrating to the banking system.

    The OCC separately issued a bulletin advising supervised banks to follow processes outlined in OCC Interpretive Letter 1179 (covered by InfoBytes here) before engaging in certain crypto-asset-related activities.

    Bank Regulatory Federal Issues OCC FDIC Federal Reserve Digital Assets Cryptocurrency Risk Management Fintech

  • Crypto platform reaches $100 million settlement to resolve alleged compliance failures

    State Issues

    On January 4, NYDFS issued a consent order against a cryptocurrency trading platform for engaging in alleged violations of New York virtual currency, anti-money laundering, transaction monitoring, and cybersecurity regulations. According to the consent order, in 2020, NYDFS found significant deficiencies across the respondent’s compliance program, including its Know-Your-Customer/Customer Due Diligence (KYC/CDD) procedures, Transaction Monitoring System (TMS), OFAC screening program, and AML risk assessments. As a result of these findings, the respondent agreed to improve its BSA/AML and OFAC compliance programs, including engaging an independent consultant to develop a remediation plan and improve its compliance program.

    In 2021, NYDFS launched an investigation to determine whether the respondent’s compliance deficiencies had resulted in any legal violations. The investigation found “substantial lapses in [the respondent’s] KYC/CDD program, its TMS, and in its AML and OFAC sanctions controls systems, as well as issues concerning [the respondent’s] retention of books and records, and with respect to meeting certain of its reporting obligations to the Department.” NYDFS noted that in late 2020 and 2021, the respondent took steps to remediate the issues identified by the Department and the independent consultant; however, substantial weaknesses remained, and its compliance system was inadequate to handle the growing volume of the respondent’s business.

    Under the terms of the consent order, the respondent must pay a $50 million civil penalty to NYDFS and invest $50 million in its compliance program. Additionally, an independent third party will continue to work with the respondent for another year, which may be extended at the Department’s sole discretion. NYDFS noted that the respondent has already taken steps to build a more effective and robust compliance program under the supervision of NYDFS and the NYDFS-appointed independent monitor. According to the respondent’s press release, the company “has taken substantial measures to address these historical shortcomings” and “remains committed to being a leader and role model in the crypto space, including partnering with regulators when it comes to compliance and other areas.”

    State Issues Digital Assets NYDFS New York Enforcement Bank Secrecy Act Anti-Money Laundering Money Service / Money Transmitters Virtual Currency Cryptocurrency Customer Due Diligence Financial Crimes
