Crypto platform reaches $1.2 million settlement on alleged compliance failures
On May 1, NYDFS issued a consent order against a cryptocurrency trading platform for engaging in alleged violations of the state’s cybersecurity regulation (23 NYCRR Part 500). According to the consent order, during examinations conducted in 2018 and 2020, NYDFS identified multiple alleged deficiencies in the respondent’s cybersecurity program, as required by both the cybersecurity regulation and the state’s virtual currency regulation (23 NYCRR Part 200). Following the examinations, NYDFS initiated an investigation into the respondent’s cybersecurity program. The Department concluded that the respondent failed to conduct periodic cybersecurity risk assessments “sufficient to inform the design of the cybersecurity program,” and failed to establish and maintain an effective cybersecurity program and implement a reviewed and board-approved written cybersecurity policy. Moreover, NYDFS claimed the respondent’s policies and procedures were not customized to meet the company’s needs and risks. Under the terms of the consent order, the respondent must pay a $1.2 million civil monetary penalty and submit quarterly progress reports to NYDFS detailing its remediation efforts.
Fed and Illinois regulator take action against bank on capital and management
On May 4, the Federal Reserve Board announced an enforcement action against an Illinois state-chartered community bank and its holding company related to alleged deficiencies identified in recent examinations. While the written agreement (entered into by the parties at the end of April) does not outline the specific deficiencies, it notes that the bank and the holding company have started taking corrective action to address the issues identified by the Federal Reserve Bank of St. Louis (FRB) and the Illinois Department of Financial and Professional Regulation (IDFPR). Among other things, the holding company’s board of directors must take appropriate steps to fully use its financial and managerial resources to ensure the bank complies with the written agreement and any other supervisory action taken by the bank’s federal or state regulator. The board is also required to submit a written plan to the FRB and the IDFPR describing actions and measures it intends to take to strengthen board oversight of the management and operations of the bank. The bank is required to submit a written plan outlining its current and future capital requirements and must notify the FRB and the IDFPR within 30 days after the end of any calendar quarter in which its capital ratios fall below the minimum ratios specified within the approved capital plan. Additionally, the bank is prohibited from taking on debt, redeeming its own stock, or paying out dividends or distributions without the prior approval of state and federal regulators.
District Court dismisses FTC’s privacy claims in geolocation action
On May 4, the U.S. District Court for the District of Ohio issued two separate rulings in a pair of related disputes between the FTC and a data broker. The disputes center around accusations made by the FTC last August that the data broker violated Section 5 of the FTC Act by unfairly selling precise geolocation data from hundreds of millions of mobile devices which can be used to trace individuals’ movements to and from sensitive locations (covered by InfoBytes here). The FTC sought a permanent injunction to stop the data broker’s practices, as well as additional relief. The data broker, upon learning that the FTC planned to file a lawsuit against it, filed a preemptive lawsuit challenging the agency’s authority.
The court first dismissed the data broker’s preemptive bid to block the FTC’s enforcement action, ruling that the data broker has not identified any “viable cause of action” to support its request for injunctive relief. The court explained that injunctive relief is a “drastic remedy” that is only available if no other legal remedy is available. However, the data broker possesses an “adequate remedy at law,” the court said, “because it can seek dismissal of, and otherwise directly defend against, the FTC’s enforcement action.”
With respect to the FTC’s action, the court granted the data broker’s motion to dismiss the FTC’s complaint, but gave the agency leave to amend. The court agreed with the data broker that the FTC’s complaint lacks sufficient allegations to support its unfairness claim under Section 5 of the FTC Act. While the court disagreed with the data broker’s assertion that it did not have “fair notice that its sale of geolocation data without restrictions near sensitive locations could violate Section 5(a) of the FTC Act” or that the FTC had to allege a predicate violation of law or policy to state a claim, the court determined that the FTC failed to adequately allege that the data broker’s practices created “a ‘significant risk’ of concrete harm.” Moreover, the court found that “the purported privacy intrusion is not severe enough to constitute ‘substantial injury’ under Section 5(n).” The court noted, however, that some of the deficiencies may be cured through additional factual allegations in an amended complaint.
SEC’s $279 million whistleblower award is largest ever
On May 5, the SEC announced the Commission’s largest-ever award—nearly $279 million—awarded to a whistleblower for providing information and assistance leading to the successful enforcement of SEC and related actions. The SEC noted that this award is more than double the previous record-holding $114 award issued in October 2020. According to the redacted order, the whistleblower voluntarily provided original information, which caused enforcement staff to expand the scope of the investigation and saved the SEC significant time and resources. The whistleblower also provided substantial ongoing assistance, including providing multiple written submissions, communications, and interviews, the SEC said, finding also that the whistleblower satisfied the requirements under Rules 21-F-3(b)(1) for related actions awards as the related successful enforcement actions were partly based on the same information provided to the Commission. However, in the same order, the SEC affirmed denial of two other claimants’ award claims after determining, among other things, that the individuals did not submit information leading to the successful enforcement of the covered action.
FDIC releases March enforcement actions
On April 28, the FDIC released a list of administrative enforcement actions taken against banks and individuals in March. The FDIC made public 11 orders including “four prohibition orders, three orders terminating deposit insurance, two consent orders, one order to pay civil money penalty (CMP), and one order terminating consent order.” Included is a civil money order issued against a Missouri-based bank related to alleged violations of the Flood Disaster Protection Act (FDPA). The FDIC determined that the bank had engaged in a pattern or practice of violating the FDPA by increasing, extending, or renewing a loan secured by property located or to be located in a special flood hazard area without timely notifying the borrower and/or the servicer as to whether flood insurance was available for the collateral.
SEC orders crypto ATM operator to pay $3.9 million for selling unregistered tokens
On April 28, the SEC settled with a cryptocurrency ATM operator for allegedly selling unregistered tokens in order to raise money to expand its bitcoin ATM network. Described as a “token sale,” the SEC claimed the respondents in total raised crypto assets during an initial coin offering valued at roughly $3.65 million. According to the SEC, the company offered and sold its token as investment contracts, which qualified it as a security since investors would have reasonably expected to obtain future profits from the token’s rise in value based upon the respondents’ efforts. By offering and selling securities without having on file a registration statement with the SEC or qualifying for an exemption, the respondents violated Sections 5(a) and 5(c) of the Securities Act, the SEC said. Additionally, one of the respondents and its CEO were also accused of violating Section 17(a) of the Securities Act and Section 10(b) of the Exchange Act and Rule 10b-5 by making materially false and misleading statements and engaging in other fraudulent conduct connected to the offer and sale of the token. The respondents neither admitted nor denied the SEC’s findings, but agreed to pay a collective $3.92 million civil penalty and said they would cease and desist from committing violations of the Securities Act and the Securities Exchange Act. One of the individual respondents also received a three-year officer and director ban.
FTC obtains permanent ban against debt relief operators
On May 1, three individuals accused of allegedly participating in a credit card debt relief scheme agreed to court orders permanently banning them from telemarketing and selling debt relief products and services. As previously covered by InfoBytes, last November the FTC filed a lawsuit claiming the defendants and their affiliated companies violated the FTC Act and the Telemarketing Sales Rule by using telemarketers to pitch their deceptive scheme, in which they falsely claimed to be affiliated with a particular credit card association, bank, or credit reporting agency, and promised they could improve consumers’ credit scores after 12 to 18 months. The defendants also allegedly misrepresented that the upfront fee, which in some cases was as high as $18,000, was charged to consumers’ credit cards as part of the overall debt that would be eliminated, and therefore would not actually have to be paid. Without admitting or denying the allegations, the defendants agreed to the court orders (available here, here, and here) imposing numerous conditions, including (i) a permanent ban on advertising, selling, or assisting in any debt relief product or service or participating in telemarketing; (ii) a broad prohibition forbidding defendants from deceiving consumers about any other products or services they sell or market; and (iii) the surrender of certain property interests and assets that will be used to provide restitution to affected consumers. The orders impose a total monetary judgment of approximately $17.5 million, for which each defendant is jointly and severally liable, to be satisfied by defendants’ surrender of certain assets and subject to a partial suspension of the remainder of the judgment pursuant to defendants’ truthfulness regarding their financial status and ability to pay.
FinCEN highlights use of BSA reporting data
On April 25, FinCEN released its year-in-review for FY 2022. The annual summary provided insights into the agency’s efforts to support law enforcement and national security agencies, as well as statistics from Bank Secrecy Act (BSA) filings. FinCEN reported that BSA data was used to advance several law enforcement missions, including in 36.3 percent of active complex financial crimes investigations, 27.5 percent of active public corruption investigations, and 20.6 percent of active international terrorism investigations. Additionally, FinCEN noted that in FY 2022 there were over 7,600 Section 314(b)-registered financial institutions. Section 314(b) of the USA PATRIOT Act allows registered entities to share information about financial activity with one another to help entities of all sizes identify and report suspicious activity. FinCEN further reported that 92 percent of domestic law enforcement agencies that query BSA data “find the resulting financial intelligence valuable to the detection and deterrence of illicit activity.”
OFAC reaches $7.6 million settlement with online digital-asset trading platform
On May 1, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced a roughly $7.6 million settlement with a Massachusetts-based online trading and settlement platform to resolve potential civil liability stemming from allegations that the platform allowed customers in sanctioned jurisdictions to engage in digital asset-related transactions. According to OFAC’s web notice, between January 2014 and November 2019, the platform allegedly permitted customers to make more than $15.3 million in trades, deposits, and withdrawals, despite having reason to know that the customers’ locations—based on both Know Your Customer (KYC) information and internet protocol address data—were in jurisdictions subject to comprehensive OFAC sanctions. OFAC noted that although the platform implemented a sanctions compliance program to screen new customers, it did not retroactively screen existing customers, thus allowing these customers to continue to conduct trading activity. While the platform made efforts to identify and restrict accounts with a nexus to certain sanctioned jurisdictions, compliance deficiencies resulted in the platform processing 65,942 online digital asset-related transactions for 232 customers apparently located predominantly in Crimea, but also in Cuba, Iran, Sudan, and Syria.
In arriving at the settlement amount, OFAC considered, among other things, that the platform failed to exercise due caution or care for its sanctions compliance obligations and had reason to know that certain customers were located in sanctioned jurisdictions. Additionally, the settlement amount reflects that the platform did not voluntarily disclose the apparent violations. OFAC also considered several mitigating factors, including that: (i) the platform was a small start-up when most of the apparent violations occurred; (ii) the platform has not received a penalty notice from OFAC in the preceding five years; (iii) the platform cooperated with OFAC during the investigation and undertook numerous remedial measures; and (iv) the volume of apparent violations represented a very small percentage of the total volume of transactions conducted on the platform annually.
Providing context for the settlement, OFAC said the “action highlights that online digital asset companies—like all financial service providers—are responsible for ensuring that they do not engage in transactions prohibited by OFAC sanctions, such as providing services to persons in comprehensively sanctioned jurisdictions. To mitigate such risks, online digital asset companies should develop a tailored, risk-based sanctions compliance program.”
FinCEN fines trust company $1.5 million for BSA violations
On April 26, FinCEN announced its first enforcement action against a trust company, in which it assessed a $1.5 million civil money penalty against a South Dakota-chartered trust company for willful violations of the Bank Secrecy Act (BSA) and its implementing regulations. According to the consent order, the trust company admitted that it willfully failed to timely and accurately report hundreds of transactions to FinCEN involving suspicious activity by its customers, including transactions with connections to a trade-based money-laundering scheme and several securities fraud schemes. The agency cited the trust company’s “severely underdeveloped” process for identifying and reporting potentially suspicious activity as part of “an overall failure to build a culture of compliance.”
According to FinCEN acting Director Himamauli Das, the trust company “had virtually no process to identify and report suspicious transactions, resulting in it processing over $4 billion in international wires with essentially no controls.” FinCEN said that the trust company should have realized that a large volume of activity from high-risk customers played a role in the closure of numerous correspondent accounts it maintained at other financial institutions, and pointed out that the trust company only began closing accounts flagged during an audit after several forced closures of its own accounts by other financial institutions and after receiving law enforcement inquiries about the accounts referred by the audit. However, at the time, the trust company made no effort to file suspicious activity reports (SARs), FinCEN found, claiming that the trust company processed hundreds of suspicious transactions worth tens of millions of dollars for risky customers that, among other things, appeared to operate in unrelated business sectors. FinCEN added that “personnel with [anti-money laundering (AML)] responsibilities have acknowledged not fully understanding federal SAR filing requirements and that they may have missed important information about some of their riskiest clients as the result of maintaining other, non-AML responsibilities.”
The consent order requires the trust company to hire an independent consultant to review its AML program and transactions from all referenced accounts, as well as any other accounts the trust company maintained for customer referrals, and conduct a SAR lookback review. The trust company is also required to implement recommendations made by the independent consultant and file SARs for any flagged covered transactions. FinCEN recognized the close collaboration and assistance provided by the DOJ and the FBI on this matter.