On December 2, the FDIC announced the release of its full enforcement manual (manual). According to the Financial Institution Letter (see FIL-76-2019), the manual, which was posted to the FDIC website, is meant to “support the work of field office, regional office, and Washington office staff involved in processing and monitoring enforcement actions.” The letter states that the manual was released to promote “greater transparency” to FDIC-insured institutions and other concerned parties as to the agency’s enforcement policies and procedures. Additionally, the letter cautions that the manual “does not interpret any law or regulation” nor does it “establish supervisory requirements” or “industry guidance.”
On November 25, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced a $466,912 civil settlement with a California-based technology company to resolve alleged violations of the Foreign Narcotics Kingpin Sanctions Regulations (FNKSR). According to OFAC, the company voluntarily disclosed that it hosted a sanctioned Slovenian software developer on its platform and collected more than $1 million in payments from customers who downloaded the developer’s apps. The company’s actions—which included hosting, selling, and facilitating the transfer of the developer’s software and associated content, as well as processing 47 payments between 2015 and 2017—were in violation of the FNKSR because OFAC’s List of Specially Designated Nationals and Blocked Persons identified the developer as a significant foreign narcotics trafficker (SDNTK).
In arriving at the settlement amount, OFAC considered various mitigating factors, including that (i) the company voluntarily disclosed the violations and continued to cooperate by promptly responding to information requests; (ii) the volume and payment amounts were not significant when compared to the company’s annual total volume of transactions; (iii) OFAC has not issued a violation against the company in the five years preceding the earliest date of the transactions at issue; and (iv) the company has strengthened its compliance program to minimize the risk of recurrence.
OFAC also considered various aggravating factors, including that (i) the alleged conduct demonstrated a “reckless disregard for U.S. sanctions requirements”; (ii) the company’s processing of payments conferred a significant economic benefit to the developer; and (iii) the company failed to timely take corrective actions after identifying the developer as a SDNTK and continued to process payments.
On November 22, in a speech at The Clearing House + Bank Policy Institute Annual Conference, CFPB Director Kathy Kraninger noted that the Bureau is considering changes to its consent order process to “ensur[e] consent orders remain in effect only as long as needed to achieve their desired effects.” Specifically, Kraninger discussed that while most consent orders are effective for five-year periods and companies can request early termination or termination of indefinite orders, the Bureau has only terminated “a few” consent orders in the past. Similar to the Bureau’s recent changes to its Civil Investigative Demand (CID) policy (covered by InfoBytes here), Kraninger stated that the Bureau intends to announce an updated consent order policy “soon,” in order to “provide clarity and consistency.”
On November 25, Senators Elizabeth Warren (D-Mass) and Sherrod Brown (D-Ohio) wrote to CFPB Director Kathy Kraninger requesting a breakdown of how the Bureau enforces fair lending laws in light of recent allegations brought against a global financial services company that reportedly offered lower credit limits to women than to similarly creditworthy men. According to the Senators, the allegations raise questions as to whether a pattern of sex discrimination exists in the underwriting of the credit product and “underscore the importance of the CFPB adequately monitoring the lending practices of financial institutions . . . that are new to the consumer lending space.” The Senators also expressed concern that adjustments to the structure of the Bureau under President Trump’s administration have affected its “commitment to enforcing fair lending laws and carrying out its statutory responsibilities.” (Previous InfoBytes coverage here.) The Senators stated: “We’re concerned that this new structure, where many offices have varying degrees of authority, may allow new potentially discriminatory products to get to market without adequate oversight.” Specifically, the Senators asked the Bureau to respond to the following questions by December 9: (i) how does the Bureau “prioritize and evaluate risk when determining which financial institutions to examine for compliance with fair lending laws”; (ii) has the Bureau ever conducted a supervisory examination of the global financial services company’s fair lending compliance management system; (iii) have changes made to the Bureau’s structure affected its fair lending enforcement abilities; and (iv) are the Bureau’s standards used to determine violations of ECOA different under Director Kraninger.
On November 25, the CFPB announced a settlement with two companies that originated and serviced travel-related loans for military servicemembers and their families. According to the consent order with the lender and its principal, the lender (i) charged fees to customers who obtained financing, at a higher rate than those customers who paid in full, but failed to include the fee in the finance charge or APR; (ii) falsely quoted low monthly interest rates to customers over the phone; and (iii) failed to provide the required information about the terms of credit and the total of payments in violation of TILA and the TSR. The consent order prohibits future lending targeted to military consumers and requires the lender and its principal to pay a civil money penalty of $1. The order also imposes a suspended judgment of almost $3.5 million, based on an inability to pay.
In its consent order against the servicer, the Bureau asserts the servicer engaged in deceptive practices by overcharging servicemembers for debt-cancellation products and, in violation of the FCRA’s implementing Regulation V, never established or maintained written policies and procedures regarding the accuracy of information furnished to credit reporting agencies. The consent order issues injunctive relief and requires the servicer to (i) pay a $25,000 civil money penalty; (ii) provide redress to consumers who were allegedly overcharged for the debt-cancellation product; (iii) pay over $54,000 in restitution to borrowers with no outstanding balance on their loans and issue additional account credits to borrowers with outstanding balances; and (iv) establish reasonable policies and procedures for accurate reporting to consumer reporting agencies.
On November 22, the CFPB announced a settlement with an employment background screening company resolving allegations that the company violated the FCRA. In the complaint, the Bureau asserts that the company failed to “employ reasonable procedures to assure maximum possible accuracy” in the consumer reports it prepared. Specifically, the Bureau claims that until October 2014, the company matched criminal records with applicants based on only two personal identifiers, which created a “heightened risk of false positives” in commonly named individuals. The company also had a practice of including “high-risk indicators,” sourced from a third party, in its consumer reports and did not follow procedures to verify the accuracy of the designations. Additionally, the Bureau asserts that the company failed to maintain procedures to ensure that adverse public record information was complete and up to date, resulting in reporting outdated adverse information in violation of the FCRA. Under the stipulated judgment, in addition to injunctive relief, the company will be required to pay $6 million in monetary relief to affected consumers and a $2.5 million civil money penalty.
On November 22, the New York Senate’s Committee on Consumer Protection and Committee on Internet and Technology held a joint hearing titled, “Consumer Data and Privacy on Online Platforms,” which discussed the proposed New York Privacy Act, SB S5642 (the Act). The Act was introduced in May and seeks to regulate the storage, use, disclosure, and sale of consumer personal data by entities that conduct business in New York State or produce products or services that are intentionally targeted to residents of New York State. The Act contains different provisions than the California Consumer Privacy Act (CCPA), which is set to take effect on January 1, 2020 (visit here for InfoBytes coverage on the CCPA). Highlights of the Act include:
- Fiduciary Duty. Most notably, the Act requires that legal entities “shall act in the best interests of the consumer, without regard to the interests of the entity, controller or data broker, in a manner expected by a reasonable consumer under the circumstances.” Specifically, the Act states that personal data of consumers “shall not be used, processed or transferred to a third party, unless the consumer provides express and documented consent.” The Act imposes a duty of care on every legal entity, or affiliate of a legal entity, with respect to securing consumer personal data against privacy risk and requires prompt disclosure of any unauthorized access. Moreover, the Act requires that legal entities enter into a contract with third parties imposing the same duty of care for consumer personal data prior to disclosing, selling, or sharing the data with that party.
- Consumer Rights. The Act requires covered entities to provide consumers notice of their rights under the Act and provide consumers with the opportunity to opt-in or opt-out of the “processing of their personal data” using a method where the consumer must clearly select and indicate their consent or denial. Upon request, and without undue delay, covered entities are required to correct inaccurate personal data or delete personal data.
- Transparency. The Act requires covered entities to make a “clear, meaningful privacy notice” that is “in a form that is reasonably accessible to consumers,” which should include: the categories of personal data to be collected; the purpose for which the data is used and disclosed to third parties; the rights of the consumer under the Act; the categories of data shared with third parties; and the names of third parties with whom the entity shares data. If the entity sells personal data or processes data for direct marketing purposes, it must disclose the processing, as well as the manner in which a consumer may object to the processing.
- Enforcement. The Act defines violations as an unfair or deceptive act in trade or commerce, as well as an unfair method of competition. The Act allows the attorney general to bring an action for violations and also provides a private right of action to any harmed individual. Covered entities are subject to injunction and liable for damages and civil penalties.
According to reports, state lawmakers at the November hearing indicated that federal requirements would be “the best scenario,” but in the absence of Congressional movement in the area, one state senator noted that the state legislators must “assure [their] constituents that [the state legislature is] doing everything possible to protect their privacy.” Witnesses expressed concern that the Act would be placing too many new requirements on businesses that differ from what other states have already enacted, and encouraged more consistent baseline standards for compliance instead of a patchwork approach. Some witnesses expressed specific concern with the opt-in requirement for the collection and use of consumer data, noting that waiting on consumers to opt-in, as opposed to just opting-out, makes compliance difficult to administer. Lastly, many witnesses were displeased about the broad private right of action in the Act, but consumer groups praised the provision, noting that the state attorney general does not have the resources to regulate and enforce against all the data collection and sharing in the state.
On November 21, the DOJ updated its FCPA Corporate Enforcement Policy to clarify ways in which companies can voluntarily disclose information in an effort to receive leniency from the Department in foreign bribery situations. First, a company does not need to have a complete picture of a possible violation when it first shares information with the DOJ; rather, the company should “make clear that it is making its disclosure based upon a preliminary investigation.” Next, the agency expects a company to disclose “where the company is aware of relevant evidence not in the company’s possession,” simplifying the requirement which previously called for disclosure of “opportunities for the department to obtain relevant evidence not in the company’s possession.” Finally, in the course of a merger or acquisition “an acquiring company that discloses misconduct may be eligible for a declination, even if aggravating circumstances existed as to the acquired entity.”
As previously covered by InfoBytes, the policy was last amended in March (March 2019 version available here) to, among other things, clarify the Department’s position on the use of ephemeral messaging apps by companies seeking full cooperation credit under the policy.
On November 15, the SEC announced it issued its fiscal year 2019 whistleblower program annual report to Congress, which states that since the program’s inception, the SEC has ordered over $2 billion in total monetary sanctions in enforcement actions that resulted from information brought by meritorious whistleblowers. As for FY 2019, the SEC received over 5,200 whistleblower tips, with over 300 tips relating to cryptocurrencies, and awarded approximately $60 million in whistleblower awards to eight individuals. Since the program’s inception, the SEC has awarded approximately $387 million to 67 whistleblowers. The report acknowledges that FY 2019 was an “unusual year” due to the lapse in appropriations, referring to the government shutdown from the end of December 2018 through most of January 2019, and includes a summary of the six actions leading to the eight awards of FY 2019. The report notes that the agency anticipates final rules to be adopted in FY 2020 related to the July 2018 proposed amendments to the whistleblower program (covered by InfoBytes here). The proposed amendments, among other things, address the Supreme Court ruling in Digital Realty Trust, Inc. v. Somers (covered in a Buckley Special Alert) and authorize the SEC to adjust an award’s percentage as appropriate to advance the goals of rewarding and incentivizing whistleblowers.
On the same day, the SEC announced a collective award of over $260,000 to three whistleblowers who submitted a joint tip “alerting the agency to a well-concealed fraud targeting retail investors,” which led to a successful enforcement action. The order does not provide any additional details regarding the whistleblower or the company involved in the enforcement action. With this new action, the SEC has now awarded approximately $387 million to 70 whistleblowers.
On November 15, the U.S. District Court for the Northern District of Georgia entered a stipulated final judgment and order to resolve allegations concerning one of the defendants cited in a 2015 action taken against an allegedly illegal debt collection operation. As previously covered by InfoBytes, the CFPB claimed that several individuals and the companies they formed attempted to collect debt that consumers did not owe or that the collectors were not authorized to collect. The complaint further alleged uses of harassing and deceptive techniques in violation of the CFPA and FDCPA, and named certain payment processors used by the collectors to process payments from consumers. While the claims against the payment processors were dismissed in 2017 (covered by InfoBytes here), the allegations against the outstanding defendants remained open. The November 15 stipulated final judgment and order is issued against one of the defendants who—as an officer and sole owner of the debt collection company that allegedly engaged in the prohibited conduct—was found liable in March for violations of the FDCPA, as well as deceptive and unfair practices and substantial assistance under CFPA.
Among other things, the defendant, who neither admitted nor denied the allegations except as stated in the order, is (i) banned from engaging in debt collection activities; (ii) permanently restrained and enjoined from making misrepresentations or engaging in unfair practices concerning consumer financial products or services; and (iii) prohibited from engaging in business ventures with the other defendants; using, disclosing or benefitting from certain consumer information; or allowing third parties to use merchant processing accounts owned or controlled by the defendant to collect consumer payments. The stipulated order requires the defendant to pay a $1 civil money penalty and more than $5.2 million in redress, although full payment of the judgment is suspended upon satisfaction of specified obligations and the defendant’s limited ability to pay.