InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
U.S. Attorney General Discusses DOJ's Global Cybercrime Initiatives at Europol
On September 16, U.S. Attorney General Loretta Lynch addressed the European Cybercrime Center at Europol, where she highlighted recent and planned DOJ initiatives related to global cybercrime and cyber threat efforts and stressed the DOJ’s commitment to information-sharing with international law enforcement authorities. Lynch noted that the U.S. and the European Union recently signed an “Umbrella” Data Privacy and Protection Agreement aimed at strengthening the countries’ ability to take on crime and terrorism while protecting personal privacy. In addition, Lynch revealed that the DOJ intends to temporarily assign a U.S. attorney from the DOJ’s Criminal Division to work alongside European authorities to enhance collaboration and information-sharing.
Traders Who Allegedly Profited from Hacked News Releases Settle With SEC for $30 Million
On September 14, the SEC announced that it had reached a $30 million settlement with two defendants who allegedly profited from trading based on information hacked from newswire services. The settlement stems from an SEC complaint filed in August against 34 defendants for their alleged involvement in an international scheme that generated over $100 million in illegal profits over a five-year period. According to the SEC charges, defendants hacked into newswire services and transmitted stolen data to a network of international traders. The SEC claims that the parties to the settlement made $25 million in illicit profits by buying and selling contracts-for-differences (CFDs) based on hacked press release information they received from other defendants. In the proposed settlement offer, which requires court approval, the two defendants neither admit nor deny the SEC’s allegations, but agree to be enjoined from violating U.S. and SEC securities antifraud provisions, and to return $30 million in alleged illegal profits. The Chief of the SEC Enforcement Division’s Complex Financial Instruments Unit stated that the discovery and prosecution of the scheme “should serve as a shot across the bow of any trader who thinks that CFDs traded outside the United States can be used to mask their unlawful conduct,” and demonstrates the SEC’s “ability to police this opaque market.” The SEC’s case against the remaining 32 defendants remains pending.
FCC Cites Two Companies over Unauthorized Telemarketing Allegations
On September 11, the FCC issued citations against a Pennsylvania-based financial institution and a transportation network company (TNC), alleging that both companies engaged in unlawful business practices by infringing consumers’ rights to be free of unauthorized telemarketing robocalls to residential and wireless phones. The financial institution’s citation alleges that the bank required customers to agree to receive autodialed telemarketing texts in order to use its online banking and Apple Pay services. The TNC’s citation alleges that, although it allows consumers who sign up for ride-sharing service to opt out of receiving autodialed or prerecorded telemarketing calls and texts, the TNC does not allow users to access the service if they exercise these opt out rights. Both citations allege that these practices violate the FCC’s rules implementing the Telephone Consumer Protection Act (TCPA), and direct the companies to take immediate steps to come into compliance with the FCC’s rules, orders, and the TCPA prohibition against unlawful marketing and advertising calls. The FCC also warned that future violations may result in monetary forfeitures.
New York AG Settles with Community Bank over Redlining Allegations
On September 10, New York Attorney General Eric Schneiderman announced a settlement agreement with a New York-based community bank to resolve allegations that the bank engaged in discriminatory mortgage lending practices by excluding potential borrowers who resided in predominantly African-American neighborhoods in the Buffalo area. Under terms of the agreement, the bank agreed to revise its consumer and commercial lending policies to eliminate minimum mortgage amount requirements, provide fair lending training, to expand its lending footprint into previously excluded areas, and to establish an $825,000 fund to promote new homeownership and affordable housing opportunities.
CFPB Issues Consent Orders Regarding Debt Collection Practices
On September 9, the CFPB ordered the two largest U.S. debt buyers and collectors to pay a combined total of nearly $80 million in civil penalties and consumer restitution related to their debt collection practices. The CFPB alleged that both companies, among other things, engaged in robo-signing, sued (or threatened to sue) on stale debt, made inaccurate statements to consumers, and engaged in other illegal collection practices. In particular, the CFPB criticized the practice of purchasing debts without obtaining important documentation or information about the debt, or verifying to ensure the debts were accurate and enforceable before commencing collection activities. Under the consent orders, one company agreed to provide up to $42 million in consumer refunds, pay a $10 million civil money penalty, and cease collecting on a portfolio of consumer debt with a face value of over $125 million. The other company agreed to provide $19 million in restitution, pay an $8 million civil money penalty, and cease collecting on a consumer debt portfolio with a face value of over $3 million. In addition, both companies are also generally prohibited from reselling consumer debt. In prepared remarks announcing the enforcement action, CFPB Director Richard Cordray noted, “the terms of the orders will help reform and improve the tactics and approaches” within the debt collection market. The CFPB’s action comes as the industry anticipates the CFPB’s issuance of new debt collection rules.
Two Additional Former PetroTiger Employees Sentenced Following FCPA Conspiracy Guilty Pleas
On September 10, Gregory Weisman, former general counsel of oil and gas services company PetroTiger, and Knut Hammarskjold, PetroTiger’s co-founder, were each sentenced to two years’ probation stemming from their prior guilty pleas to conspiring to violate the FCPA and commit wire fraud in connection with a bribe paid to an employee of Colombia’s state-run oil company in order to win a $45 million oil-services contract.
Both Mr. Weisman and Hammarskjold were ordered to pay restitution as well as fines of $30,000 and $15,000, respectively. Mr. Weisman’s and Mr. Hammarskjold’s sentencing occurred almost three months after the third PetroTiger co-conspirator, former CEO Joseph Sigelman, received a three-year probation sentence in connection with the same bribes. Mr. Weisman had been the key witness against Mr. Sigelman at Mr. Sigelman’s June 2015 trial, but the trial abruptly ended after Mr. Sigelman entered a plea deal. The DOJ announced the plea after Mr. Weisman informed the court that he gave false testimony regarding the terms of his cooperation agreement. At Mr. Weisman’s sentencing, the District Judge referred to the abrupt turn of events at Mr. Sigelman’s trial as “the elephant in the room” but noted that misstatements by Mr. Weisman were “peripheral” to the charged offenses.
Leading Casino Settles with FinCEN for $8 Million for BSA Violations
On September 8, FinCEN announced the assessment of an $8 million civil money penalty against a leading U.S.-based casino for its willful violations of the BSA’s requirements to develop and implement a reasonably designed AML program and to report suspicious activity. Among other things, FinCEN alleged that the casino failed to implement adequate internal controls, conduct adequate independent testing of AML compliance, provide adequate training, and file SARs. Of note were private gaming salons that cater to wealthy patrons and allowed such patrons to gamble anonymously. In addition to the $8 million penalty, which will be allowed as a general unsecured claim in the casino’s bankruptcy proceeding (pending approval of the consent by the bankruptcy court), the casino must also, among other things, hire an independent third party to test its BSA/AML compliance program, annually provide its implementation plan and training program to FinCEN for a period of three years, and conduct a look-back review of all transactions through branch offices in Asia and California for SAR compliance.
U.S. Attorney General Lynch: "More Determined Than Ever to Vigorously Enforce the Fair Housing Act"
On September 2, U.S. Attorney General Loretta Lynch delivered remarks at HUD’s Fair Housing Policy Conference. In her remarks, Lynch stressed the importance of fair housing as being a primary driver “to access to employment, to education, to credit, to transportation, to safety and to a whole range of institutions and opportunities.” Lynch stated that she is “more determined than ever to vigorously enforce the Fair Housing Act (FHA).” Among other things, Lynch provided an overview on how the DOJ is implementing new programs, technology, and research to conduct electronic testing, allowing the DOJ to expand the reach of its Fair Housing Testing Program. The Attorney General also expressed her support of HUD’s recently issued “Affirmatively Furthering Fair Housing” rule, and signaled that the DOJ intends to “vigorously enforce” the FHA using every available tool, including the disparate impact theory, which the Supreme Court ruled recently as a valid enforcement tool to challenge unfair mortgage lending practices.
Special Alert: Third Circuit Gives FTC Green Light to Continue Enforcing Corporate Data Security
On August 24, the U.S. Court of Appeals for the Third Circuit affirmed the Federal Trade Commission’s authority to hold companies accountable for their data security practices under Section 5 of the FTC Act (15 U.S.C. § 45(a)), which declares unlawful “unfair or deceptive acts or practices in or affecting commerce.” The unanimous ruling found that “deficient cybersecurity,” practices, which “fail to protect consumer data against hackers,” may be found to be “unfair” practices under the Act, subject to FTC enforcement. The FTC had sued Wyndham for allegedly deficient cybersecurity practices that enabled hackers to obtain payment card information from over 619,000 consumers.
In affirming that the FTC has authority under Section 5 to pursue claims of inadequate data security, the Third Circuit explained that a company’s inadequate data security in the face of foreseeable intrusions falls within the plain meaning of “unfair.” The Third Circuit assured Wyndham that this authority does not enable the agency to dictate the type of locks on hotel room doors or the placement of guards on corporate premises. Nor does it have the authority to sue for every perceived deficiency, just as it would not have the authority to sue supermarkets simply for failing to consistently “sweep up banana peels.” However, the court pointed out that it matters how – and how many – consumers are affected by a company’s practice: “were Wyndham a supermarket, leaving so many banana peels all over the place that 619,000 customers fall hardly suggests it should be immune from liability under § 45(a).”
Wyndham had also argued that it lacked fair notice that the FTC had the authority to assess data security practices under Section 5, but the Third Circuit disagreed, pointing out that the FTC has offered specific public guidance on data security over the years, and has filed multiple complaints and consent decrees “raising unfairness claims based on inadequate corporate cybersecurity” that put companies on notice of its enforcement authority in this space.
The Third Circuit provided some guidance of its own on how can companies avoid FTC enforcement actions alleging unfairness in data security practices, stating that “the relevant inquiry here is a cost-benefit analysis . . . that considers a number of relevant factors, including the probability and expected size of reasonably unavoidable harms to consumers given a certain level of cybersecurity and the costs to consumers that would arise from investment in stronger cybersecurity.” The more sensitive consumer data a company collects, the more it must invest in sound data security safeguards.
As a result, companies need to review their data security practices against both the standard enacted by Congress specifically to govern data security in the Gramm-Leach-Bliley Act and the much more general “unfairness” standard found in the FTC Act as well as other federal and state laws.
* * *
Questions regarding the matters discussed in this Alert may be directed to any of our lawyers listed below, or to any other BuckleySandler attorney with whom you have consulted in the past.
- Jeffrey P. Naimon, (202) 349-8030
- Walter E. Zalenski, (202) 461-2910
Leading International Financial Services Institution Pays $1.7 Million to Settle Sanctions Liability
On August 27, Treasury’s OFAC announced a settlement agreement requiring a Switzerland-based financial institution to pay slightly over $1.7 million to resolve potential liability over alleged violations of the Global Terrorism Sanctions Regulations, 31 C.F.R. part 594. According to OFAC, over a five-year period ending in 2013, the financial institution processed over 220 securities and other investment transactions involving an individual included on OFAC’s Specially Designated Nationals and Blocked Persons List. As part of the agreement, OFAC highlighted important mitigating factors leading to its reduced settlement amount with the financial institution noting that the bank has in place an adequate global sanctions compliance program, and that the “[institution] took remedial action in response to the apparent violations, including by conducting a thorough internal investigation regarding the apparent violations.”