InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
OCC reaches $17 million settlement with former executive over account openings
On March 15, the OCC announced a $17 million civil money penalty and prohibition order against a former senior executive who served as head of a national bank’s community banking division for her role in the bank’s incentive compensation sales practices. As previously covered by InfoBytes, in January 2020, the OCC announced charges against the former general counsel and other executives, seeking a lifetime prohibition from participating in the banking industry, a personal cease and desist order, and/or civil money penalties. The 2020 announcement included settlements with three of the executives. The OCC settled with three others in September 2020, as well as with the bank’s former general counsel in January 2021 (covered by InfoBytes here and here). In addition to the $17 million penalty, the former senior executive entered a plea agreement admitting to one count of obstructing a bank examination.
FTC finalizes gaming company order on dark patterns
On March 14, the FTC finalized an administrative order requiring a video game developer to pay $245 million in refunds to consumers allegedly tricked into making unwanted in-game purchases. As previously covered by InfoBytes, the FTC filed an administrative complaint claiming players were able to accumulate unauthorized charges without parental or card holder action or consent. The FTC alleged that the company used a variety of dark patterns, such as “counterintuitive, inconsistent, and confusing button configuration[s],” designed to get players of all ages to make unintended in-game purchases. These tactics caused players to pay hundreds of millions of dollars in unauthorized charges, the FTC said, adding that the company also charged account holders for purchases without authorization. Under the terms of the final decision and order, the company is required to pay $245 million in refunds to affected card holders. The company is also prohibited from charging players using dark patterns or without obtaining their affirmative consent. Additionally, the company is barred from blocking players from accessing their accounts should they dispute unauthorized charges.
Separately, last month the U.S. District Court for the Eastern District of North Carolina entered a stipulated order against the company related to alleged violations of the Children’s Online Privacy Protection Act (COPPA). The FTC claimed the company failed to protect underage players’ privacy and collected personal information without first notifying parents or obtaining parents’ verifiable consent. Under the terms of the order, the company is required to ensure parents receive direct notice of its practices with regard to the collection, use or disclosure of players’ personal information, and must delete information previously collected in violation of COPPA’s parental notice and consent requirements unless it obtains parental consent to retain such data or the player claims to be 13 or older through a neutral age gate. Additionally, the company is required to implement a comprehensive privacy program to address the identified violations, maintain default privacy settings, obtain regular, independent audits, and pay a $275 million civil penalty (the largest amount ever imposed for a COPPA violation).
Real estate brokerage firm settles claims of discriminatory practices
On March 15, the New York attorney general announced a settlement with a real estate brokerage firm to resolve claims that it allegedly discriminated against Black, Hispanic, and other homebuyers of color on Long Island. According to the announcement, the Office of the Attorney General commenced investigations into several brokerage firms, in which it found that agents employed by the brokerage firm at issue violated the Fair Housing Act and New York state law when they allegedly “subjected prospective homebuyers of color to different requirements than white homebuyers, directed homebuyers of color to homes in neighborhoods where residents predominantly belonged to communities of color, and otherwise engaged in biased behavior.” In certain instances, agents allegedly disparaged neighborhoods of color and “warned white potential homebuyers about the diverse racial makeup of the neighborhood but did not share the same comments with Black and Hispanic potential homebuyers.”
Under the terms of the assurance of discontinuance, the brokerage firm agreed to stop the alleged conduct, will offer comprehensive fair housing training to all agents, and will provide a discrimination complaint form on its website. The brokerage firm will also pay $20,000 in penalties and $10,000 to Suffolk County to promote enforcement and compliance with fair housing laws. This is the fourth action taken by the AG’s office against real estate brokerage firms in the state. As previously covered by InfoBytes, last August three Long Island real estate brokerage firms entered settlements to resolve claims of discriminatory practices.
OCC releases enforcement actions
On March 17, the OCC released a list of recent enforcement actions taken against national banks, federal savings associations, and individuals currently and formerly affiliated with such entities. Included is a cease and desist order against a New York-based bank for allegedly engaging in unsafe or unsound practices related to its information technology security and controls, as well as its information technology risk governance and board of director/management oversight of its corporate risk governance processes. The OCC also found alleged deficiencies (including unsafe or unsound practices) in the bank’s Bank Secrecy Act (BSA)/anti-money laundering risk management controls in the following areas: “internal controls, BSA officer, customer identification program, customer due diligence, enhanced due diligence, [] beneficial ownership,” and suspicious activity monitoring and reporting. The order requires the bank to, among other things, maintain a compliance committee, develop a corporate governance program to ensure appropriate board oversight, establish a written strategic plan and conduct an internal audit to assess the sufficiency of the bank’s internal controls program, implement information technology governance and security programs, and adopt an automated clearing house risk management program. The bank is also required to appoint a BSA officer to ensure adherence to the bank’s BSA/AML internal controls, conduct a suspicious activity review lookback, implement a customer information program that is reasonably designed to identify and verify beneficial owners of legal entity customers, and develop and adopt a BSA/AML model risk management process.
Banking company pleads guilty to mortgage fraud
On March 15, a Michigan-headquartered bank holding company agreed to plead guilty to securities fraud for filing misleading statements related to its 2017 initial public offering (IPO) and its 2018 and 2019 annual filings. According to the DOJ’s announcement, the bank holding company and its wholly owned subsidiary were under investigation over allegations that loan officers were encouraged to increase the volume of residential mortgage loan originations in order to artificially inflate bank revenue leading up to and following the IPO. The DOJ explained that the bank filed false securities statements about its residential mortgage loan program in its IPO, as well as in subsequent annual filings that “contained materially false and misleading statements that touted the soundness of the [] loans.” These loans were actually “rife with fraud,” the DOJ said and cost non-insider victim-shareholders nearly $70 million. Senior management allegedly knew that loan officers were falsifying loan documents and concealing the fraudulent information from the bank’s underwriting and quality control departments, the DOJ maintained, noting that the actions caused the bank to originate loans and extend credit to borrowers who would have otherwise not qualified.
Under the terms of the plea agreement (which must be accepted by the court), the bank holding company will “be required to serve a term of probation through 2026, submit to enhanced reporting obligations to the department, and pay more than $27.2 million in restitution to its non-insider victim-shareholders.” The DOJ considered several factors when determining the criminal resolution, including the nature and seriousness of the offense and the pervasiveness of the misconduct at the most senior levels. The bank holding company received credit for its cooperation and for implementing extensive remedial measures, and has agreed to continue to fully cooperate with the DOJ in all matters relating to the covered conducts and other conduct under investigation. It is also required to self-report criminal violations and must continue to implement a compliance and ethics program to detect and deter future violations of U.S. securities law.
As previously covered by InfoBytes, the bank holding company’s subsidiary paid a $6 million civil money penalty to the OCC last September for alleged unsafe or unsound practices related to the residential mortgage loan program.
U.S., German law enforcement disable darknet crypto mixer
On March 15, U.S. law enforcement, along with German criminal authorities, disabled a darknet cryptocurrency “mixing” service used to allegedly launder more than $3 billion in cryptocurrency underlying ransomware, darknet market activities, fraud, cryptocurrency heists, hacking schemes, and other activities. According to the DOJ’s announcement, law enforcement agencies seized two domains and back-end servers, as well as more than $46 million in cryptocurrency. The DOJ claimed the mixing service allowed criminals to obfuscate the source of stolen cryptocurrency by commingling users’ cryptocurrency in a way that made it difficult to trace the transactions. In conjunction with the action taken against the mixing service, a Vietnamese national responsible for creating and operating the online infrastructure was charged with money laundering, operating an unlicensed money transmitting business, and identity theft connected to the mixing service. Separate actions have also been taken by German law enforcement authorities, the DOJ said. “Criminals have long sought to launder the proceeds of their illegal activity through various means,” Special Agent in Charge Jacqueline Maguire of the FBI Philadelphia Field Office said in the announcement. “Technology has changed the game, though[.] In response, the FBI continues to evolve in the ways we ‘follow the money’ of illegal enterprise, employing all the tools and techniques at our disposal and drawing on our strong partnerships at home and around the globe.”
New York AG continues crackdown on unregistered crypto trading platforms
On March 9, the New York attorney general filed a petition in state court against a virtual currency trading platform (respondent) for allegedly failing to registeras a securities and commodities broker-dealer and falsely representing itself as a cryptocurrency exchange. The respondent’s website and mobile application enable investors to buy and sell cryptocurrency, including certain popular virtual currencies that are allegedly securities and commodities. The AG noted that this is one of the first times a regulator is making a claim in court that one of the largest cryptocurrencies available in the market is a security. According to the announcement, this cryptocurrency “is a speculative asset that relies on the efforts of third-party developers in order to provide profit to the holders.” As such, the respondent was required to register before selling the crypto assets, the AG said, further maintaining that the respondent also sells unregistered securities in the form of a lending and staking product. According to the AG, securities and commodities brokers are required to register with the state, which the respondent allegedly failed to do. Additionally, the respondent claimed to be an exchange but failed to appropriately register with the SEC as a national securities exchange or be designated by the CFTC as required under New York law. Nor did the respondent comply with a subpoena requesting additional information about its crypto-asset trading activities in the state, the AG said, noting that the respondent has already been found to be operating in multiple jurisdictions without proper licensure. The state seeks a court order (i) preventing the respondent from misrepresenting that it is an exchange; (ii) banning the respondent from operating in the state; and (iii) directing the respondent to undertake measures to prevent access to its mobile application, website, and services from within New York.
Last month the AG filed a similar petition against another virtual currency trading platform alleging similar violations (covered by InfoBytes here).
Software company to pay $3 million to SEC for misleading disclosures about ransomware attack
On March 9, the SEC charged a South Carolina-based donor data management software company with allegedly making materially misleading disclosures about a 2020 ransomware attack. According to the SEC’s cease-and-desist order, the company issued statements that the ransomware attack did not affect donor bank account information or social security numbers. It was later revealed that the attacker had accessed and exfiltrated the unencrypted sensitive information. However, the SEC maintained that due to the company’s alleged failure to maintain disclosure controls and procedures, employees did not inform senior management responsible for public disclosures. As a result, the company’s quarterly report filed with the SEC allegedly omitted material information about the scope of the attack and “misleadingly characterized the risk of exfiltration of such sensitive donor information as hypothetical,” the SEC said. The company did not admit or deny the SEC’s findings, but agreed to pay a $3 million civil penalty and said it would cease and desist from committing violations of the Securities Act of 1933 and the Securities Exchange Act of 1934.
Design firm to settle False Claims Act allegations related to cybersecurity failures
On March 14, the DOJ announced a $293,771 settlement with a design company to resolve alleged False Claims Act (FCA) violations related to failures in its cybersecurity practices. According to the DOJ, the company failed to secure personal information on a federally-funded Florida children’s health insurance website that was created, hosted, and maintained by the company. “Government contractors responsible for handling personal information must ensure that such information is appropriately protected,” Principal Deputy Assistant Attorney General Brian M. Boynton, head of the Justice Department’s Civil Division, said in the announcement. “We will use the [FCA] to hold accountable companies and their management when they knowingly fail to comply with their cybersecurity obligations and put sensitive information at risk.” In this case, the Florida entity (which receives federal Medicaid funds, as well as state funds to provide children’s health insurance programs) contracted with the design company for the provision of a hosting environment that complied with HIPPA’s personal information protection requirements. The company also agreed to adapt, modify, and create code on the webserver to support the secure communication of data. However, between January 1, 2014, and Dec. 14, 2020, the company allegedly failed to provide secure hosting of applicants’ personal information and failed to implement necessary updates. In December 2020, the website experienced a data breach that potentially exposed more than 500,000 applicants’ personal identifying information and other data. In response to the data breach and the company’s cybersecurity failure, the Florida entity shut down the website’s application portal.
States receive $245 million judgment against robocall operation
On March 6, the U.S. District Court for the Southern District of Texas entered stipulated orders and permanent injunctions against two individuals who, along with their companies (also named as defendants in the litigation), allegedly operated a massive robocall campaign to sell extended car warranties and health care services. (See orders here and here.) Eight states attorneys general alleged violations of the TCPA and the Telemarketing Sales Rule, as well as various state consumer protection laws, claiming that the defendants initiated millions of robocalls to individuals nationwide without their prior express consent, spoofed caller ID numbers to mislead recipients, and called people whose numbers were on the Do Not Call Registry. Under the terms of the orders, the individual defendants (who neither admitted nor denied the allegations) are permanently banned from initiating or facilitating (or causing others to initiate or facilitate) any robocalls, working in or with companies that make robocalls, or engaging in any telemarketing. The court also ordered each individual defendant to pay a $122.3 million monetary judgment; however, these payments are mostly suspended in favor of the more permanent bans due to their inability to pay. The states noted that they are continuing their cases in the same action against others who allegedly worked with the individual defendants to facilitate the robocalls.
Pages
Upcoming Events
- Keisha Whitehall Wolfe to discuss “Tips for successfully engaging your state regulator” at the MBA's State and Local Workshop
- Max Bonici to discuss “Enforcement risk and trends for crypto and digital assets (Part 2)” at ABA’s 2023 Business Law Section Hybrid Spring Meeting
- Jedd R. Bellman to present “An insider’s look at handling regulatory investigations” at the Maryland State Bar Association Legal Summit