InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
SEC amends electronic recordkeeping requirements for security-based swap entities
On October 12, the SEC adopted final amendments to its rule governing the electronic recordkeeping requirements for security-based swap entities. (See SEC fact sheet here.) The updates are applicable to security-based swap dealers (SBSDs) and major security-based swap participants (MSBSPs), and are intended to make the rule adaptable to new technologies in electronic recordkeeping. The amendments will also facilitate examinations of broker-dealers, SBSDs, and MSBSPs by “designating broker-dealer examining authorities as Commission designees for purposes of certain provisions of the broker-dealer record maintenance and preservation rule,” the SEC said. Specifically, the amendments address requirements related to the maintenance and preservation of electronic records, the use of third-party recordkeeping services to hold records, and the prompt production of records. Under the SEC’s broker-dealer electronic recordkeeping rule, broker-dealers are required “to preserve electronic records exclusively in a non-rewriteable, non-erasable format,” known as the “write once, read many format.” The amendments now provide an audit-trail alternative under which broker-dealers “must preserve electronic records in a manner that permits the recreation of an original record if it is altered, over-written, or erased.” According to the SEC’s announcement, the audit-trail alternative is intended to provide broker-dealers greater flexibility when configuring their electronic recordkeeping systems so they more closely align with current electronic recordkeeping practices, while also ensuring that the authenticity and reliability of the original records are protected. The amendments are also applicable to nonbank SBSDs and MSBSPs.
The final amendments are effective 60 days after publication in the Federal Register.
Fed vice chair discusses regulating financial innovation
On October 12, Federal Reserve Vice Chair for Supervision Michael S. Barr delivered remarks at D.C. Fintech Week in a speech titled Managing the Promise and Risk of Financial Innovation. Barr’s remarks focused on financial innovation supported by new technologies, or fintech. Among other things, Barr discussed supporting innovation with appropriate regulation, striking the right balance for crypto-asset activity, regulating stablecoins, recognizing the risks of tokenizing bank liabilities, advancing customer autonomy, and providing public sector support for payment innovation. Barr noted that cryptoassets’ rapid growth, in market capitalization and activity outside and inside supervised banks requires oversight, including safeguards to ensure that crypto service providers are subject to similar regulations as other financial services providers. Barr stated that “[t]he same type of activity should be regulated in the same way,” and this remains the case “even when the activity may look different from the typical activities we regulate, or when it involves an exciting new technology or a new way to provide traditional financial services.” He also disclosed that there are additional types of crypto asset-related activities where the Fed may need to provide guidance to the banking sector in the future. Barr noted that since “crypto assets have proved to be so volatile, they are unlikely to grow into money substitutes and become a viable means to pay for transactions.” He also warned banks seeking to experiment with these new technologies that they should only do so "in a controlled and limited manner.” Regarding the risks of tokenizing bank liabilities, Barr expressed concerns, stating that banks’ crypto-asset-related activities pose “novel risks,” and said that stablecoins could eventually pose a risk to financial stability and that regulators need to put in guardrails before their adoption is more widespread. Barr also acknowledged that not all tokenization arrangements are the same. He stated that potential designs “range from issuance of tokens on private, controlled networks to facilitate payments within or among banks, to proposals that explore issuance of freely circulating tokens on open, permissionless networks.”
District Court enters $228 million judgment in BIPA class action
On October 12, the U.S. District Court for the Northern District of Illinois entered a judgment for $228 million after a jury found that a defendant railway company committed 45,600 reckless or intentional violations of the Illinois Biometric Information Privacy Act (BIPA). The jury’s judgment, which does not include pre-judgment interest, was entered against the defendant in the amount of $228 million (BIPA provides for statutory damages of $5,000 for every willful or reckless violation and $1,000 for every negligent violation). Class members consisting of more than 44,000 truck drivers alleged in their second amended complaint that the defendant violated BIPA when it collected, captured, and stored their biometric identifiers and biometric information without obtaining their informed written consent or providing written disclosures explaining the purpose and duration of such use. The defendant countered that it should not be held liable for biometric data collection conducted on its behalf by a third-party contractor because BIPA does not impose liability for the acts of a third party. The court disagreed, ruling, among other things, that BIPA’s language “makes clear that [the defendant] need not have ‘collected’ the data itself to be liable,” and that there is evidence that the defendant “ultimately called the shots on whether and how biometric information is collected.”
New York announces $1.9 million data breach settlement with global retailer
On October 12, the New York attorney general announced a $1.9 million settlement with an international e-commerce retailer for failing to properly handle a 2018 data breach. According to the settlement, the e-commerce owns and operates two brands (collectively, “respondents”), which experienced a data breach that caused 39 million accounts to be stolen, including accounts for more than 800,000 New York residents. The AG found, among other things, that the respondents failed to properly safeguard consumers’ information, failed to adhere to requirements for protecting stored credit card data, and misrepresented the extent of the cyberattack to consumers. As a result of the settlement, the respondents are required to pay New York $1.9 million in penalties and costs, and must maintain a comprehensive information security program that includes robust hashing of customer passwords, among other things.
FinCEN provides timing on CTA rulemaking
On October 12, FinCEN acting Director Himamauli Das provided timelines on recent agency efforts to combat financial crime. Speaking during the ACAMS AML Conference, Das pointed to actions taken by bad actors to hide assets behind shell/front companies and evade U.S. sanctions, and highlighted measures, including beneficial ownership information reporting, suspicious activity reporting, and geographic targeting, designed to combat illicit activity. Das also provided an update on recent rulemakings mandated by the Corporate Transparency Act (CTA), including (i) the beneficial ownership reporting rule (which takes effect January 1, 2024, and is covered by InfoBytes here); (ii) the access rule, which would establish protocols for accessing the beneficial ownership database by law enforcement and financial institutions (FinCEN is currently working on the notice of proposed rulemaking and expects to issue it in the near term); and (iii) the Customer Due Diligence rule, which Das said will be revised “no later than one year after the effective date of the reporting rule” as required by the CTA. He added that FinCEN is also developing an “infrastructure to build a secure and confidential database that meets the highest security standards” to ensure only authorized users can access information. This system is expected to be operational by the time the beneficial ownership reporting rule takes effect. Additionally, FinCEN will, among other things, develop guidance and educational materials to assist companies when preparing their beneficial ownership information reports and will continue to regularly update its dedicated resource page on this subject.
Bank agrees to pay $1.8 billion to settle RMBS bond insurance claims
On October 7, a national bank announced in a regulatory filing that it has agreed to pay $1.84 billion to settle claims brought by a bond insurer concerning policies provided on residential mortgage-backed securities before the 2008 financial crisis. According to the regulatory filing, the agreement will “resolve all pending [bond insurer] lawsuits” (containing damages claims of more than $3 billion) against the bank and its subsidiaries, will cause all pending litigation to be dismissed with prejudice, and will release the bank and its subsidiaries from “all outstanding claims” related to bond insurance policies for certain securitized pools of residential mortgage loans.
District Court partially dismisses FDCPA suit concerning disputed debt
On October 5, the U.S. District Court for the District of Arizona partially granted a defendant’s motion to dismiss in an FDCPA suit, which alleged that the defendant furnished information to the credit reporting agencies (CRAs) that did not belong to the plaintiff. According to the order, the plaintiff noticed that the defendant was reporting a collection account to the CRAs for a debt he did not recognize. He called the defendant who was unable to locate the plaintiff through his personal identifiers. The defendant told the plaintiff that the debt reporting on the plaintiff’s credit report was a medical debt and was owed by a third party with a different name and a different social security number. After the defendant confirmed that the debt did not belong to him, the plaintiff submitted a dispute to the CRA challenging the defendant’s reporting of the debt and requested that the defendant and the CRA remove the debt from his report. The CRA notified the defendant of the plaintiff’s dispute within five days of receiving the dispute. The defendant allegedly continued to report the debt as belonging to the plaintiff to the CRA, and did not request that the CRA note on the plaintiff’s credit report that the debt was disputed by the plaintiff. The plaintiff claimed that the defendant violated the FDCPA, contending that his “credit score has decreased as a result of [the defendant’s] erroneous credit reporting, which has frustrated [the plaintiff’s] ability to obtain credit.” The plaintiff also alleged that he suffered emotional distress and anxiety.
The defendant argued that it did not violate the FDCPA because it was the CRA that connected the underlying debt to the plaintiff’s credit report. The defendant also argued that the plaintiff did not provide the defendant with an appropriate period of time to mark the debt as disputed before filing the suit in question. The court found that the plaintiff had stated a claim upon which relief could be granted, explaining, among other things, that the defendant “does not point to any authority that, to state a claim under § 1692e(8), reporting of a debt must be to a credit report as opposed to any third party.” However, the court dismissed the § 1692f claim on the ground that the underlying conduct was already covered in the 1692e(8) claim.
Republicans seek answers from OCC on bank-fintech partnerships
On October 11, House Financial Services Committee Ranking Member Patrick McHenry (R-NC), joined by Republican members of the Task Force on Financial Technology, sent a letter to acting Comptroller of the Currency Michael J. Hsu asking for clarification on the OCC’s position regarding bank-fintech partnerships. The lawmakers asserted that the OCC previously “worked to provide banks and their customers with a clear understanding of the regulatory and supervisory expectations surrounding emerging products and services,” as well as how to properly assess risk, but contended that leadership under the current administration has not continued to do so. Citing the importance of innovation to the U.S. economy and the impact new financial products and services can have on costs, inclusion, and competition, the letter expressed concerns related to the potential for further uncertainty surrounding these partnerships and the resulting consequences for consumers. “Technological innovation fostered by fintech partnerships has enabled banks to reach segments of the population that may have been left behind and increase customer engagement,” the lawmakers wrote, expressing their belief that the benefits from these partnerships far outweigh the risks. “Much of this innovation has been driven by industry newcomers that have developed a novel product or business model. When properly regulated, these partnerships can provide greater financial inclusion, spur technological innovation, and foster competition that ultimately benefits consumers.”
Referring to an action taken by President Biden in June 2021, which repealed the OCC’s “true lender” rule pursuant to the Congressional Review Act (covered by InfoBytes here), the lawmakers asked the OCC whether it anticipates fintech partnerships ending as a result of potential regulatory changes, and questioned how the agency plans to “ensure that examiners do not discourage innovation through fintech partnerships” or “impose unreasonable burdens on banks and fintechs.” The letter also asked the OCC to respond to a series of questions, including, among other things, how it plans to determine the acceptable terms for bank-fintech partnerships, how it intends to analyze fintechs that are helping to bring the banking business into the digital era, and how examiners will evaluate a bank’s assessments of third parties’ cybersecurity risk management and resilience capabilities and whether such evaluations will “be carefully tailored to the actual risk posed by the particular bank-fintech partnership.”
OFAC, FinCEN take action against virtual currency exchange
On October 11, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC), together with the Financial Crimes Enforcement Network (FinCEN), announced two settlements for more than $24 million and $29 million, respectively, with a Washington state-based virtual currency exchange. According to OFAC’s announcement, this is the agency’s largest virtual currency enforcement action to date, and represent the first parallel actions taken by FinCEN and OFAC in this space.
OFAC settlement. OFAC’s web notice stated that between March 28, 2014 and December 31, 2017, the exchange operated 1,730 accounts that processed 116,421 virtual currency-related transactions totaling roughly $263,451,600.13, in apparent violation of OFAC sanctions against Cuba, Ukraine, Iran, Sudan, and Syria. Specifically, due to alleged deficiencies in the exchange’s sanctions compliance procedures, the exchange failed to prevent persons located in the sanctioned jurisdictions from using its platform to engage in more than $263,000,000 worth of virtual currency-related transactions. OFAC claimed that while the IP addresses and physical address information collected on each customer at onboarding should have given the exchange reason to know that the persons were located in jurisdictions subject to sanctions, the exchange did not “screen customers or transactions for a nexus to sanctioned jurisdictions.” Rather, the exchange only screened transactions for hits against lists including OFAC’s List of Specially Designated Nationals and Blocked Persons. In arriving at the settlement amount of $24,280,829.20, OFAC considered various aggravating factors, including that the exchange did not exercise due caution or care for its sanctions compliance obligations and conveyed economic benefit to persons located in jurisdictions subject to OFAC sanctions, thus causing harm to the integrity of multiple sanctions programs. OFAC also considered various mitigating factors, including that the exchange provided substantial cooperation throughout the investigation, most of the transactions were for a relatively small amount and represented a small percentage when compared to the exchange’s annual volume of transactions, and the exchange has undertaken remedial measures intended to minimize the risk of recurrence of similar conduct.
FinCEN settlement. According to FinCEN’s press release, an investigation found that from February 2014 through December 2018, the exchange failed to maintain an effective AML program, resulting in its inability to appropriately address risks associated with its products and services, including anonymity-enhanced cryptocurrencies. The exchange also failed to effectively monitor transactions on its trading platform, and relied “on as few as two employees with minimal anti-money laundering training and experience to manually review all of the transactions for suspicious activity, which at times were over 20,000 per day.” FinCEN claimed that the exchange conducted more than 116,000 transactions valued at over $260 million with persons located in jurisdictions subject to OFAC sanctions, including those operating in Iran, Cuba, Sudan, Syria, and the Crimea region of Ukraine, and failed to file suspicious activity reports (SARs) between February 2014 and May 2017. The exchange also “failed to file SARs on a significant number of transactions involving sanctioned jurisdictions, including the processing of over 200 transactions that involved $140,000 worth of virtual assets—nearly 100 times larger than the average withdrawal or deposit on the Bittrex platform—and 22 transactions involving over $1 million worth of virtual assets,” FinCEN said in its announcement. Under the terms of the consent order, the exchange—which admitted to willfully violating the Bank Secrecy Act (BSA) and its implementing regulations—will pay a $29,280,829.20 civil money penalty. FinCEN stated it will credit the $24,280,829.20 the exchange has agreed to pay for the OFAC violations.
During remarks delivered at the Association of Certified Anti-Money Laundering Specialists, Under Secretary for Terrorism and Financial Intelligence Brian Nelson discussed, among other topics, Treasury’s efforts to counter illicit finance. Nelson highlighted the aforementioned settlements, stressing that failing to comply with BSA/AML requirements and SARs filing obligations “are not something that companies focused on growth can simply put off to a later day.” He also emphasized that Treasury will continue to strengthen ties with interagency partners and international counterparts to identify and pursue potential violations.
Biden outlines aggressive approach for strengthening U.S. cybersecurity
On October 11, President Biden outlined actions for strengthening and safeguarding the nation’s cybersecurity. In addition to stressing the importance of improving cybersecurity and resilience measures for critical infrastructure owners and operators, the Biden administration outlined additional priorities that focus on (i) strengthening the federal government’s cybersecurity requirements; (ii) countering ransomware attacks, including by making it more difficult for criminals to move illicit money; (iii) collaborating with allies and partners to build collective cybersecurity, develop coordinated responses, and develop cyber deterrence; (iv) imposing costs on and sanctioning malicious cyber actors; (v) implementing internationally-accepted cyber “rules of the road”; (vi) strengthening cyber-education efforts; (vii) developing quantum-resistant encryption algorithms to protect privacy in digital systems such as online banking; and (viii) establishing research centers and workforce development programs under the National Quantum Initiative to protect investments, companies, and intellectual property and prevent harm as technology in this space continues to develop.