Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
On November 27, the NYDFS entered into a consent order with a title insurance company, which required the company to pay $1 million for failing to maintain and implement an effective cybersecurity policy and correct a cybersecurity vulnerability. The vulnerability allowed members of the public to access others’ nonpublic information, including driver’s license numbers, social security numbers, and tax and banking information. The consent order indicates the title insurance company discovered the vulnerability as early as 2018. The title insurance company’s failure to correct these changes violated Section 500.7 of the Cybersecurity Regulation.
In May 2019, a cybersecurity journalist published an article on the existence of a vulnerability in the title insurance company’s application, that led to a public exposure of 885 million documents, some found through search engine results. The journalist noted that “replacing the document ID in the web page URL… allow[ed] access to other non-related sessions without authentication.” Following the cybersecurity journalist’s article, and as required by Section 500.17(a) of the Cybersecurity Regulation, the title insurance company notified NYDFS of its vulnerability, at which point NYDFS investigated further. The title insurance company has been ordered to pay the penalty no later than ten days after the effective date.
On November 16, under California Corporations Code § 25532, the California Division of Financial Protection and Innovation (DFPI) issued a desist and refrain order against a securities investment platform for allegedly making false representations and material omissions to investors.
The DFPI alleges the investment platform sold securities in California on its website and the platform referred to them as “certificates.” The platform claimed that the certificates paid investors returns ranging from 2.5 percent to five percent in addition to guaranteed monthly returns. To solicit investors, the platform allegedly engaged in a multi-level marketing (MLM) structure that would have investors influence others to send money. DFPI alleged that the certificates were not qualified under the California Corporate Securities Law. DFPI also alleged that the platform omitted material information to investors, which included (i) falsely representing that the platform was partnered with a particular forex broker; (ii) representing that it was a licensed bank (while omitting that the “license” was granted by a “fictitious regulator”); (iii) using the terms “bank” and “banking” while omitting that it was not authorized to engage in the business of banking in California; (iv) misrepresenting profits and risk of loss; and (v) failing to disclose that its securities were not qualified in California.
On November 21, the DOJ seized nearly $9 million in stablecoins from cryptocurrency scammers after the criminals exploited over 70 victims. The DOJ seized stablecoins, a certain crypto asset pegged to a central bank’s currency, tied to the U.S. dollar. The scammers employed a long-con technique called “pig butchering” which is a tactic to build and exploit a victim’s trust over time by creating fake romantic enticements meant to swindle victims into handing over money. The criminals targeted and convinced victims to “make cryptocurrency deposits by fraudulently representing that the victims were making investments with trusted firms and cryptocurrency exchanges.”
The DOJ was able to trace the stolen funds based on the funds’ cryptocurrency addresses as part of a money laundering technique known as “chain hopping… used to ‘layer’ the proceeds of criminal activity into new cryptocurrency ecosystems, all to obfuscate the… ownership of those proceeds.” The DOJ worked with the U.S. Secret Service to trace the victim’s deposits, and it was originally alerted from victim reports made on the FBI’s Internet Crime Complaint Center and the FTC’s Consumer Sentinel Network.
On November 16, the FTC issued a proposed order against an integrated technology services company finding a violation of Section 5(a) of the Federal Trade Commission Act. According to the order, the company offered various products and services to jails, prisons, and detention facilities. These products and services included means of communication between incarcerated and non-incarcerated individuals, and, among other things, allowed non-incarcerated individuals to deposit funds into the accounts of incarcerated individuals. According to the complaint, and due to the nature of its operations, the company collected individuals’ sensitive personally identifiable information, including names, addresses, passport numbers, driver’s license numbers, Social Security numbers, and financial account information, some of which was exposed as a result of a data breach in August 2020 due to a misconfiguration in the company’s cloud storage environment.
In its decision, the FTC ordered the company to, among other things, (i) implement a comprehensive data security program, including “change management” measures and multifactor authentication; (ii) notify users affected by the data breach, who had not yet received notice, and offer credit monitoring and identity protection products; (iii) inform consumers and facilities within 30 days of future data breaches; and (iv) notify the FTC within 10 days of reporting any security incident to local, state, or federal authorities.
On November 20, the SEC filed a complaint in the U.S. District Court of the Northern District of California against a crypto trading platform, which allows customers to buy and sell crypto assets through an online market, for allegedly acting as an unregistered securities exchange, broker, dealer, and clearing agency. The SEC is also claimed defendant’s business practices, internal controls, and recordkeeping were inadequate and presented additional risks to consumers, that would also be prohibited had defendant been properly registered with the commission. For instance, the SEC cited practices including commingling billions of dollars of consumers’ cash and crypto assets with defendant’s own crypto assets and cash, which defendant’s 2022 independent auditor identified as “a significant risk of loss."
Director of the SEC’s Division of Enforcement, Gurbir S. Grewal said, “[Defendant’s] choice of unlawful profits over investor protection is one we see far too often in this space, and today we’re both holding [defendant] accountable for its misconduct and sending a message to others to come into compliance.”
The SEC seeks to (i) permanently enjoin defendant from violating Section 5 and section 17A of the Exchange Act; (ii) permanently enjoin defendant from offering or selling securities through crypto asset staking programs; (iii) disgorge defendant’s allegedly illegal gains and pay prejudgment interest; and (iv) impose a civil money penalty.
On November 16, the OCC released a list of recent enforcement actions taken against national banks, federal savings associations, and individuals currently and formerly affiliated with such entities. Included is a cease and desist order against an Indiana bank for allegedly engaging in unsafe or unsound practices, related to corporate governance and enterprise risk management, credit underwriting and administration, liquidity risk management, and interest rate risk management. The order requires the bank to, among other things, (i) provide quarterly reports detailing corrective action and efforts to comply with the order; (ii) develop a written strategic plan; (iii) maintain specified capital ratios; (iv) engage an independent third party to review board and management supervision; (v) submit a written concentration risk management program and a written liquidity risk management program; (vi) adopt a credit underwriting and administration program; (vii) submit and adopt a written adequate allowance for credit losses; and (viii) adopt a written credit derivatives program.
On November 15, the CFPB announced a consent order against a Chicago-based small-dollar lender for allegedly violating a 2019 order and by independently violating the CFPA. According to the 2019 consent order, the respondent allegedly withdrew funds from consumers’ bank accounts without permission and failed to honor loan extensions. Specifically, the respondent replaced consumers’ bank account information used to pay for existing loans with separate account information supplied by a “lead generator.” Respondent allegedly debited consumers’ payments through the accounts provided by the lead generator, instead of the consumers’ originally saved payment method. The 2019 order, among other things, (i) barred the respondent from making or initiating electronic fund transfers without valid authorization; (ii) barred the respondent from failing to honor loan extensions; (iii) required the respondent to pay a $3.8 million civil money penalty. In its most recent order, the CFPB alleged that through an investigation of the respondent’s compliance with the 2019 order, the respondent continued the same unauthorized withdrawals and canceled loan extensions. The Bureau also alleged that the respondent failed to disclose that making a partial payment could cancel a loan extension and misrepresent associated fees, and they failed to provide consumers copies of signed authorizations. The respondent also allegedly provided inaccurate due dates, misrepresented skipping payments, and misrepresented loan amounts. The respondent released a statement on the enforcement action, highlighting its cooperation with the CFPB, and internal technical issues.
In the most recent order, the respondent, without admitting nor denying the CFPB’s allegations, agreed to pay a $15 million civil money penalty and refund affected consumers. The respondent also agreed to stop providing certain types of consumer loans for seven years (beginning in 2022) and to reform its executive compensation agreements and policies to ensure that compensation accounts for executives’ compliance with consumer financial protection laws, including the Consent Order. The respondent must conduct an annual compensation review and provide a report of the review to the CFPB.
On November 9, the SEC and DOJ charged two co-CEOs of a tech investment firm for allegedly directing a $100 million fraud scheme. The two individuals were the founders of a failed Fresno-based technology company and were charged with “conspiring to commit wire fraud and taking more than $100,000,000 from various businesses and individuals” under U.S.C. § 1349. The two founders allegedly misled investors through falsified documents, bank records, auditing reports, and accounting statements.
The DOJ alleges that, as recently as January 2022, “[the two individuals lied] to board members, investors, lenders, and others about [the company’s] finances to obtain investments, loans, and other funding… Much of the money went towards paying payroll, including the [co-CEOs’] $600,000 per year salaries.” Authorities discovered the alleged fraud scheme back in May 2023 when the company failed to make payroll and then terminated all its 900 employees. If convicted, the two founders face a maximum statutory penalty of 20 years in prison each and a $250,000 fine.
On October 23, DFPI announced enforcement actions against four debt collectors for engaging in unlicensed debt collection activity, in violation of Debt Collection Licensing Act and unfair, deceptive, or abusive acts or practices, in violation of the California Consumer Financial Protection Law. In its order against two entities, the department alleged that the entities contacted at least one California consumer and made deceptive statements in an attempt to collect a payday loan-related debt, among other things. In its third order against another two entities, DFPI alleged that a consumer was not provided the proper disclosures in a proposed settlement agreement to pay off their debts in a one-time payments. Additionally, DFPI alleged that the entity representatives made a false representation by communicating empty threats of an impending lawsuit.
Under their orders (see here, here, and here), the entities must desist and refrain from engaging in illegal and deceptive practices, including (i) failing to identify as debt collectors; (ii) making false and misleading statements about payment requirements; (iii) threatening unlawful action, such as a lawsuit, because of nonpayment of a debt; (iv) contacting the consumer at a forbidden time of day; (iv) making false claims of pending lawsuits or legal process and the character, amount, or legal status of the debt; (v) failing to provide a “validation notice” ; and (vi) threatening to sue on time-barred debt.
The entities are ordered to pay a combined $87,500 in penalties for each of the illegal and deceptive practices.
The FTC and the State of Wisconsin announced that they filed a complaint in the District Court for the Western District of Wisconsin against an auto dealer group, and its current and former owners, and general manager, alleging that the defendants deceived consumers by tacking hundreds or even thousands of dollars in illegal junk fees onto car prices and discriminated against American Indian customers by charging them higher financing costs and fees relative to similarly situated non-Latino whites.
The complaint also notes the disparity only increased since a change of ownership in 2019. Specifically, the complaint alleges that the defendants regularly charged many of their customers junk fees for “add-on” products or services without their consent, which resulted in additional fees and interest on the customers’ loans. Further, the defendants allegedly discriminated against American Indian customers in the cost of financing by adding more “markup” to their interest rates. This additional markup cost American Indian customers, on average, $401 more compared to non-Latino white customers.
The complaint resulted in two proposed settlements. The proposed settlement with the auto dealer, its current owners, and the general manager requires the company to stop deceiving consumers about whether add-ons are required for a purchase and obtain consumers’ express informed consent before charging them for add-ons. The settlement will also the require the defendants to establish a comprehensive fair lending program that, among other components, will allow consumers to seek outside financing for a purchase and cap the additional interest markup the auto dealer can charge consumers. The current owners and general manager will also be required to pay $1 million to be used to refund affected consumers.
Separately, the former owners agreed to pay $100,000 to be used to refund affected consumers.