On October 14, NYDFS released a report detailing the Department’s investigation into the July 2020 social media hacks of public figures and cryptocurrency firms, concluding that the social media platform lacked adequate cybersecurity protections and recommending increased regulation of large social media companies. The investigation, which was requested by New York Governor Andrew Cuomo, determined, among other things, that (i) the social media hackers obtained log-in credentials from four employees by pretending to be from the company’s IT department; (ii) the hackers stole over $118,000 worth of bitcoin from consumers by tweeting “double your bitcoin” with a link to send bitcoin payments from celebrity accounts and several bitcoin companies; (iii) certain Department-regulated cryptocurrency companies blocked attempted transfers to the hacker’s addresses; and (iv) the social media company lacked adequate cybersecurity protection, including not having “a chief information security officer, adequate access controls and identity management, and adequate security monitoring.” The report recommends that the largest social media companies be designated as “systemically important institutions” subject to an analogue council of the Financial Stability Oversight Council. The report suggests the social media companies should be subject to enhanced regulation, including “stress test” scenarios covering cyberattacks and election interference.
On October 20, the New Jersey Attorney General and the Acting Director of the New Jersey Division of Consumer Affairs filed a complaint alleging a student loan servicer engaged in unlawful practices when collecting on loans owed by borrowers residing in the state. Among other things, the complaint alleges that the servicer (i) steered borrowers into forbearance programs instead of income-driven repayment (IDR) plans; (ii) failed to inform borrowers about IDR recertification deadlines and the effects of not timely submitting a recertification application; (iii) encouraged borrowers to obtain a cosigner for their student loans and then misrepresented the requirements for obtaining a cosigner release; and (iv) misled delinquent borrowers about the amount of their delinquency, by including the next month’s payment in the “present amount due.” The complaint alleges two violations of the New Jersey Consumer Fraud Act and seeks equitable injunctive relief, borrower restitution, disgorgement, statutory penalties, and costs and fees.
On October 15, NYDFS, in collaboration with the Conference of State Bank Supervisors and the Alliance for Innovative Regulation, announced that a first-of-its-kind techsprint focusing on virtual currency will take place early 2021. The techsprint will bring together regulators, fintech and virtual currency industry stakeholders, and experts to collaborate on regulatory compliance solutions. Possible solutions may include “process improvements to a functional prototype of a reporting mechanism,” such as Digital Regulatory Reporting (DRR), which will “give regulators instant access to data provided by firms under their supervision.” Based on the takeaways from the techsprint, NYDFS intends to “develop a set of common standards and an open source technical framework for DRR” that may be adopted by NYDFS and other regulatory agencies. As part of the collaboration, future techsprints will also be developed that focus on other types of nonbank entities subject to financial regulation.
On October 21, NYDFS announced authorization for a digital payments company to launch a service for U.S. customers to buy, sell, and hold certain NYDFS-approved cryptocurrencies. Under the terms of the “conditional Bitlicense,” the payments company will partner with a New York-chartered trust company responsible for providing cryptocurrency trading and custodial services. According to NYDFS Superintendent Linda Lacewell, this first conditional Bitlicense represents the state regulator’s efforts “to encourage, promote, and assist interested institutions to have a well-regulated way to access the New York virtual currency marketplace in a way that is both timely and protective of New York consumers.” NYDFS first announced the proposed conditional licensing framework in June (covered by InfoBytes here).
Global financial institution pays $2.9 billion to settle Malaysian FCPA conspiracy and bribery charges
On October 22, the DOJ announced that it entered into a deferred prosecution agreement with a global financial institution headquartered in New York (the company), in which the company agreed to pay a criminal fine of over $2.9 billion related to violations of the FCPA’s anti-bribery provisions. The company’s Malaysian subsidiary also pleaded guilty to one count of conspiracy to violate the anti-bribery provisions of the FCPA.
According to the DOJ, between 2009 and 2014, the company participated in a scheme to pay over $1.6 billion in bribes, directly and indirectly, to Malaysian and Abu Dhabi officials to obtain business, including a role in underwriting approximately $6.5 billion in three bond deals for a Malaysian sovereign wealth fund regarding energy development (previous InfoBytes coverage on the charges available here). The DOJ stated that the company admitted to engaging in the scheme through certain employees and agents, including (i) the company’s former Southeast Asia Chairman and managing director, who pleaded guilty in 2018 to conspiring to launder money and to violate the FCPA (covered by InfoBytes here); (ii) a former managing director and head of investment banking for the company’s Malaysian subsidiary, who was charged and subsequently extradited to the U.S. in 2019 and is scheduled to stand trial in March 2021 for conspiring to launder money and to violate the FCPA (covered by InfoBytes here); and (iii) a former executive who held leadership positions in Asia. The company admitted that its former employees and agents conspired with a Malaysian financier (who was indicted in 2018, covered by InfoBytes here) to bribe officials involved in the strategic development initiative by using funds diverted and misappropriated from bond offerings underwritten by the company. The employees and financier also retained a portion of the diverted funds for themselves. The company admitted that it did not take significant steps to ensure the Malaysian financier was not involved in the bond transactions even though it was aware his involvement posed “significant risk,” and the company ignored or nominally addressed the “significant red flags” raised during the due diligence process. The company received approximately $606 million in fees and revenue as a result of the scheme.
The company’s $2.9 billion criminal penalty and disgorgement includes $1.6 billion in payments with respect to separate resolutions with foreign authorities in the United Kingdom, Singapore, Malaysia, and other domestic authorities in the U.S., including $154 million to the Federal Reserve, over $400 million to the SEC, and $150 million to the New York Department of Financial Services.
On October 16, the New Mexico governor issued an executive order renewing and extending the public health emergency until November 13, 2020. The executive order also extends the duration of Executive Order 2020-039 (previously covered here and here) to continue to permit notarial acts conducted through audio-visual technology, provided certain requirements are met.
On October 16, 2020, the Maryland governor issued Executive Order 20-10-16-01 to amend and restate an April 3 executive order regarding foreclosures and repossessions (previously covered here). The executive order, among other things: (i) suspends requirements regarding the repossession of any chattel home by self-help until the state of emergency is terminated; (ii) suspends the sale of certain properties unless certain notices are provided; (iii) suspends the operation of the commissioner’s Notice of Intent to Foreclose Electronic System, and discontinues acceptance of Notices of Intent to Foreclose until January 4, 2021; and (iv) suspends any judgment for possession or repossession, or warrant for restitution of possession or repossession of residential, commercial, or industrial real property, if the tenant can demonstrate that he/she suffered a substantial loss of income resulting from Covid-19 or related events. Maryland’s commissioner of financial regulation issued a Foreclosure Update and Repossession Update outlining the executive order.
On October 16, the Illinois governor issued Executive Order 2020-59, which extends several earlier executive orders through November 14, 2020 (previously covered here, here, and here). Among other things, the order extends: (i) Executive Order 2020-07 regarding in-person meeting requirements, (ii) Executive Order 2020-23 regarding actions by individuals licensed by the Illinois Department of Financial and Professional Regulation engaged in disaster response, (iii) Executive Order 2020-25 regarding garnishment and wage deductions (previously covered here), and (iv) Executive Order 2020-30 regarding residential evictions (previously covered here and here).
On October 12, the California Department of Justice released a third set of proposed modifications to the regulations implementing the California Consumer Privacy Act (CCPA). As previously covered by InfoBytes, on August 14, the regulations went into effect after being approved by the Office of Administrative Law (OAL). Highlights of the proposed modifications include:
- The addition of Section 999.306, subd. (b)(3), which provides illustrative examples of the methods businesses can use to provide the notice of right to opt-out of the sale of personal information through an offline method, when the business collects personal information in the course of interacting with consumers offline. Examples include: posting signage in the area where personal information is collected or providing the notice orally during calls where information is collected;
- The addition of Section 999.315, subd. (h), which provides illustrative examples of right to opt-out methods that are designed with the purpose or have the substantial effect of subverting or impairing a consumer’s choice to opt-out. Examples include: using double negatives or requiring consumers to click through a list of reasons why they should not opt-out before confirming their request;
- Amending Section 999.326, subd. (a), which clarifies what proof a business may require from an authorized agent and consumer when a consumer uses an agent to submit a request to know or a request to delete; and
Comments on the proposed modifications are due on October 28 by 5:00 p.m.
On October 13, the Conference of State Bank Supervisors (CSBS), joined by the Bankers Electronic Crimes Task Force and the U.S. Secret Service, released a self-assessment tool to help supervised financial institutions mitigate the risk of ransomware attacks. The tool will also help financial institutions assess how well they are managing risks and identify gaps for increasing security. CSBS developed the tool in conjunction with the U.S. Secret Service and the Bankers Electronic Crimes Task Force as incidents of ransomware have been on the rise and continue to spread.