
InfoBytes Blog

Financial Services Law Insights and Observations


  • FDIC releases September enforcement actions, including breaches of fiduciary duty and BSA violations

    Federal Issues

    On October 26, the FDIC announced a list of administrative enforcement actions taken against banks and individuals in September. Included among the actions is a removal and prohibition and civil money penalty assessment issued against a bank’s president, CEO and board chairman (in his individual capacity as an institution-affiliated party) of a Florida-based bank for allegedly engaging in unsafe or unsound practices and breaches of fiduciary duty while employed by the bank. Among other claims, the respondent allegedly created a conflict of interest when he operated a consumer finance company, which he personally owned, out of one of the bank's branches. The FDIC contends that the respondent (i) operated the company through the utilization of bank property and staff without reimbursing the bank; (ii) issued loans to bank customers through the company; (iii) repaid the company using overdraft funds from customers’ bank accounts; and (iv) “caused the release and sale of bank collateral without full repayment to the bank when a portion of the sale proceeds were being used to pay on a finance company loan.” According to the FDIC, the respondent failed to disclose his actions to the bank’s board of directors as required by state law and a consent order the bank entered into in July 2010.

    Additionally, a consent order was issued to a South Carolina bank related to alleged weaknesses in its Bank Secrecy Act (BSA) compliance program. The bank was ordered to, among other things, (i) revise and implement internal controls and policies and procedures for BSA compliance, including suspicious activity monitoring and reporting and customer due diligence procedures; (ii) perform an enhanced risk assessment of the bank’s operations; and (iii) take necessary steps to correct or eliminate all cited violations, such as conducting independent testing and implementing effective BSA training programs.

    There are no administrative hearings scheduled for November 2018. The FDIC database containing all 24 enforcement decisions and orders may be accessed here.

    Federal Issues FDIC Enforcement Bank Secrecy Act Compliance

  • Federal Reserve enters into written compliance agreement with Oklahoma state bank

    Federal Issues

    On October 22, the Federal Reserve Board (Board) entered into a written agreement with an Oklahoma state chartered bank, which outlines a compliance proposal to “maintain the financial soundness” of the bank. The agreement requires the bank to submit, within 60 days, written plans to improve various aspects of the bank’s functions including, but not limited to, (i) internal controls; (ii) credit risk management; (iii) liquidity and funds management; (iv) interest rate risk management; (v) information technology/cybersecurity; and (vi) BSA/AML compliance. The agreement also prevents the bank from extending, renewing, or restructuring any credit for any borrower whose loans or other extensions of credit were part of the Board’s examination critiques, without prior approval from the board of directors, who are required to document the reasons for the credit extension and certify its compliance with the terms of the agreement.

    Federal Issues Enforcement Compliance Supervision Federal Reserve

  • Consumer advocates testify before Senate Commerce Committee on need for federal consumer data privacy legislation

    Privacy, Cyber Risk & Data Security

    On October 10, the Senate Committee on Commerce, Science, and Transportation held the second in a series of hearings on the subject of consumer data privacy safeguards. The hearing entitled “Consumer Data Privacy: Examining Lessons From the European Union’s General Data Protection Regulation and the California Consumer Privacy Act” heard from consumer privacy advocates on lessons from the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) of 2018, and what types of consumer protections should be considered in future federal legislation. Committee Chairman, Senator John Thune, opened the hearing by emphasizing the importance of promoting privacy without stifling innovation. Senator Thune stated that, while understanding the experience of technology and telecommunications companies in this space is important, any new federal privacy law must also incorporate views from affected industry stakeholders and consumer advocates.

    The consumer privacy advocate witnesses agreed there is a need for heightened consumer protections and rights, and that the time is ripe to have a debate on what a consumer data privacy law at the federal level would look like and how it would work with state level laws. However, witnesses cautioned that federal legislation should create a floor and not a ceiling for privacy that will not prevent states from passing their own privacy laws. One of the witnesses who led the effort behind the California ballot initiative that resulted in the CCPA emphasized that federal legislation should contain a robust enforcement mechanism, while a witness from the Center for Democracy & Technology said that (i) lawmakers should give the FTC the ability to fine companies that violate consumers’ privacy and provide the agency with more resources; and (ii) a federal law should cover entities of all sizes and clarify what secondary and third-party uses of data are permissible.

    Among other things, the hearing also discussed topics addressing: (i) GDPR open investigations; (ii) support for state Attorney General enforcement rights; (iii) privacy protections for children, including the strengths and weaknesses of the Children’s Online Privacy Protection Act, particularly with respect to children ages 13 and older; and (iv) consumers’ rights to control their personal data.

    Privacy/Cyber Risk & Data Security Data Breach U.S. Senate GDPR State Attorney General State Legislation Enforcement CCPA

  • CFPB announces settlement with companies that allegedly delayed transfer of consumer payments to debt buyers

    Consumer Finance

    On October 4, the CFPB announced a settlement with a group of Minnesota-based companies that allegedly violated the Consumer Financial Protection Act when consumers made payments on debts that the companies had already sold to third parties, and the companies improperly delayed the forwarding of some of those payments to debt buyers. According to the consent order, the companies—whose practices include purchasing, servicing, collecting, and furnishing consumer-report information on consumer loans—partnered with third-party banks to sell merchandise on closed-end or open-end revolving credit. Within a few days, banks originated the loans and sold the receivables to the companies. The companies subsequently serviced the debts and sold the receivables to a third party. For defaulted accounts, the companies charged off the accounts and sold them to third-party debt buyers. According to the Bureau, the companies allegedly failed to notify consumers when their accounts were sold, failed to inform them who now owned the debt, and continued to accept direct pays from consumers. The Bureau contends that between 2013 and 2016, the companies delayed forwarding direct pays for more than 31 days in 18,000 instances, and in 3,500 of those instances, the companies did not forward the payments for more than a year. Moreover, the Bureau asserts that these delays led to misleading collection efforts, including collection activity on accounts consumers had completely paid off. The order requires the companies to pay a civil money penalty of $200,000, and improve their policies and procedures to prevent further violations.

    Consumer Finance CFPB Enforcement Third-Party Debt Buying CFPA Settlement

  • SEC penalizes investment company $1 million for cyber security failings

    Privacy, Cyber Risk & Data Security

    On September 26, the SEC announced a settlement with an Iowa-based broker-dealer and investment advisement company, which agreed to pay $1 million to resolve allegations that the company violated the Safeguards Rule and the Identity Theft Red Flags Rule arising out of the company’s failure to protect confidential customer information from intrusion. This is the SEC’s first enforcement action charging violations under the Rule. According to the order, intruders were able to access the company’s system by impersonating company contractors, calling the company’s support line, and requesting their passwords be reset. The intruders gained access to the company’s system that contained personally identifiable information for approximately 5,600 customers and obtained unauthorized access to account documents for three customers. The SEC identified weaknesses in the company’s cybersecurity procedures, including failure to terminate the intruders’ access even after the intrusion was flagged and failure to apply its procedures to the systems used by its independent contractors. The order takes into account remedial acts undertaken by the company, including blocking malicious IP addresses and issuing breach notices to affected customers, and requires the company to pay a $1 million penalty and retain an independent consultant to evaluate its compliance with the Safeguards Rule and the Identity Theft Red Flags Rule. The company neither admitted nor denied the SEC’s findings.

    Privacy/Cyber Risk & Data Security SEC Enforcement Settlement

  • FDIC publishes August enforcement actions, fines individual for inaccurate past-due loan reports

    Federal Issues

    On September 28, the FDIC announced a list of administrative enforcement actions taken against banks and individuals in August. Included among the actions is a removal and prohibition and civil money penalty assessment issued against an individual acting as an institution-affiliated party of a New Jersey-based bank for allegedly engaging in unsafe or unsound practices and breaches of fiduciary duty while employed as the bank’s chief lending officer. Among other claims, the respondent allegedly “originated loans and extended the maturity dates on existing loans to borrowers despite their inability to repay the loans, and caused inaccurate past-due reports on the loans to be provided to the Board of Directors of the Bank (Board), thereby preventing the Board from discovering that the borrowers were not making their payments to the Bank on a timely basis.”

    Also on the FDIC’s list of August orders are five Section 19 orders, which allow applicants to participate in the affairs of an insured depository institution after having demonstrated “satisfactory evidence of rehabilitation,” six terminations of consent orders, and three terminations of orders for restitution. The FDIC database containing all August enforcement decisions and orders may be accessed here.

    There are no administrative hearings scheduled for October 2018.

    Federal Issues FDIC Enforcement Consumer Lending

  • FTC and NYAG settle with debt collectors who falsely threatened consumers

    Federal Issues

    On September 21, the FTC announced settlements with multiple New York debt collection operations and their principals (defendants) for unlawful debt collection practices. The settlements are a result of 2015 joint lawsuits by the FTC and the New York Attorney General, alleging the defendants unlawfully used threats and abusive language, including false threats that consumers would be arrested, to collect more than $45 million in supposed debts (previously covered by InfoBytes here). The settlement orders ban the defendants from the business of debt collection and prohibit the defendants from (i) misrepresenting information related to financial products and services; (ii) disclosing, using, or benefitting from the consumer information obtained through the course of the debt collection activities; and (iii) failing to dispose of such personal information properly. The two orders (located here and here) impose a $22.5 million judgment against one set of defendants, and a judgment of $4.4 million against other defendants. The judgments are suspended as to some of the defendants due to inability to pay.

    Federal Issues FTC Debt Collection Enforcement Settlement State Attorney General State Issues

  • SEC awards whistleblower $1.5 million after reducing amount for reporting delay

    Securities

    On September 14, the Securities and Exchange Commission (Commission) announced a whistleblower award likely to yield the whistleblower more than $1.5 million for volunteering information that led to a successful enforcement action. In its order, the Commission notes that it “severely reduced the award here after considering the award criteria identified in Rule 21F-6 of the Exchange Act.” Specifically, the Commission alleges the whistleblower was culpable and “unreasonably delayed” reporting the information for over a year after the occurrence of the underlying facts, only doing so after learning a Commission investigation was ongoing and receiving a “significant and direct financial benefit.”

    The SEC’s whistleblower program has awarded approximately $322 million to 58 individuals since issuing its first award in 2012.

    Securities SEC Whistleblower Enforcement

  • SEC confirms staff statements create no enforceable legal obligations

    Agency Rule-Making & Guidance

    On September 13, Securities and Exchange Commission (Commission) Chairman, Jay Clayton, issued a statement confirming that staff communications, in the form of written statements, compliance guides, letters, speeches, responses to frequently asked questions, and responses to specific requests for assistance, are “nonbinding and create no enforceable legal rights or obligations of the Commission or other parties.” Clayton’s statement echoes a similar position taken in a joint statement by five federal agencies regarding supervisory guidance, released two days earlier (previously covered by InfoBytes here). Clayton emphasized that only Commission adopted rules and regulations have the force and effect of law and encouraged public engagement on staff statements in order to assist the Commission in developing future rules and regulations.

    Agency Rule-Making & Guidance SEC Supervision Enforcement Securities

  • Agencies say supervisory guidance does not have the “force and effect” of law

    Agency Rule-Making & Guidance

    On September 11, five federal agencies (the Federal Reserve Board, CFPB, FDIC, NCUA, and OCC) issued a joint statement confirming that supervisory guidance “does not have the force and effect of law, and [that] the agencies do not take enforcement actions based on supervisory guidance.” The statement distinguishes the various types of supervisory guidance—interagency statements, advisories, bulletins, policy statements, questions and answers, and frequently asked questions—from laws or regulations and emphasizes that the intention of supervisory guidance is to outline agencies’ expectations or priorities. The statement highlights five policies and practices related to supervisory guidance: (i) limit the use of numerical thresholds or other “bright-line” requirements; (ii) examiners will not cite to “violations” of supervisory guidance; (iii) request for public comment does not mean the guidance has the force and effect of law; (iv) limit multiple issuances of guidance on the same topic; and (v) continue to emphasize the role of supervisory guidance to examiners and to supervised institutions.

    Agency Rule-Making & Guidance Federal Reserve CFPB FDIC NCUA OCC Supervision Examination Enforcement
