InfoBytes Blog
OCC releases enforcement actions
On March 17, the OCC released a list of recent enforcement actions taken against national banks, federal savings associations, and individuals currently and formerly affiliated with such entities. Included is a cease and desist order against a New York-based bank for allegedly engaging in unsafe or unsound practices related to its information technology security and controls, as well as its information technology risk governance and board of director/management oversight of its corporate risk governance processes. The OCC also found alleged deficiencies (including unsafe or unsound practices) in the bank’s Bank Secrecy Act (BSA)/anti-money laundering risk management controls in the following areas: “internal controls, BSA officer, customer identification program, customer due diligence, enhanced due diligence, [] beneficial ownership,” and suspicious activity monitoring and reporting. The order requires the bank to, among other things, maintain a compliance committee, develop a corporate governance program to ensure appropriate board oversight, establish a written strategic plan and conduct an internal audit to assess the sufficiency of the bank’s internal controls program, implement information technology governance and security programs, and adopt an automated clearing house risk management program. The bank is also required to appoint a BSA officer to ensure adherence to the bank’s BSA/AML internal controls, conduct a suspicious activity review lookback, implement a customer information program that is reasonably designed to identify and verify beneficial owners of legal entity customers, and develop and adopt a BSA/AML model risk management process.
Banking company pleads guilty to mortgage fraud
On March 15, a Michigan-headquartered bank holding company agreed to plead guilty to securities fraud for filing misleading statements related to its 2017 initial public offering (IPO) and its 2018 and 2019 annual filings. According to the DOJ’s announcement, the bank holding company and its wholly owned subsidiary were under investigation over allegations that loan officers were encouraged to increase the volume of residential mortgage loan originations in order to artificially inflate bank revenue leading up to and following the IPO. The DOJ explained that the bank filed false securities statements about its residential mortgage loan program in its IPO, as well as in subsequent annual filings that “contained materially false and misleading statements that touted the soundness of the [] loans.” These loans were actually “rife with fraud,” the DOJ said, and cost non-insider victim-shareholders nearly $70 million. Senior management allegedly knew that loan officers were falsifying loan documents and concealing the fraudulent information from the bank’s underwriting and quality control departments, the DOJ maintained, noting that the actions caused the bank to originate loans and extend credit to borrowers who would have otherwise not qualified.
Under the terms of the plea agreement (which must be accepted by the court), the bank holding company will “be required to serve a term of probation through 2026, submit to enhanced reporting obligations to the department, and pay more than $27.2 million in restitution to its non-insider victim-shareholders.” The DOJ considered several factors when determining the criminal resolution, including the nature and seriousness of the offense and the pervasiveness of the misconduct at the most senior levels. The bank holding company received credit for its cooperation and for implementing extensive remedial measures, and has agreed to continue to fully cooperate with the DOJ in all matters relating to the covered conduct and other conduct under investigation. It is also required to self-report criminal violations and must continue to implement a compliance and ethics program to detect and deter future violations of U.S. securities law.
As previously covered by InfoBytes, the bank holding company’s subsidiary paid a $6 million civil money penalty to the OCC last September for alleged unsafe or unsound practices related to the residential mortgage loan program.
U.S., German law enforcement disable darknet crypto mixer
On March 15, U.S. law enforcement, along with German criminal authorities, disabled a darknet cryptocurrency “mixing” service used to allegedly launder more than $3 billion in cryptocurrency underlying ransomware, darknet market activities, fraud, cryptocurrency heists, hacking schemes, and other activities. According to the DOJ’s announcement, law enforcement agencies seized two domains and back-end servers, as well as more than $46 million in cryptocurrency. The DOJ claimed the mixing service allowed criminals to obfuscate the source of stolen cryptocurrency by commingling users’ cryptocurrency in a way that made it difficult to trace the transactions. In conjunction with the action taken against the mixing service, a Vietnamese national responsible for creating and operating the online infrastructure was charged with money laundering, operating an unlicensed money transmitting business, and identity theft connected to the mixing service. Separate actions have also been taken by German law enforcement authorities, the DOJ said. “Criminals have long sought to launder the proceeds of their illegal activity through various means,” Special Agent in Charge Jacqueline Maguire of the FBI Philadelphia Field Office said in the announcement. “Technology has changed the game, though[.] In response, the FBI continues to evolve in the ways we ‘follow the money’ of illegal enterprise, employing all the tools and techniques at our disposal and drawing on our strong partnerships at home and around the globe.”
New York AG continues crackdown on unregistered crypto trading platforms
On March 9, the New York attorney general filed a petition in state court against a virtual currency trading platform (respondent) for allegedly failing to register as a securities and commodities broker-dealer and falsely representing itself as a cryptocurrency exchange. The respondent’s website and mobile application enable investors to buy and sell cryptocurrency, including certain popular virtual currencies that are allegedly securities and commodities. The AG noted that this is one of the first times a regulator is making a claim in court that one of the largest cryptocurrencies available in the market is a security. According to the announcement, this cryptocurrency “is a speculative asset that relies on the efforts of third-party developers in order to provide profit to the holders.” As such, the respondent was required to register before selling the crypto assets, the AG said, further maintaining that the respondent also sells unregistered securities in the form of a lending and staking product. According to the AG, securities and commodities brokers are required to register with the state, which the respondent allegedly failed to do. Additionally, the respondent claimed to be an exchange but failed to appropriately register with the SEC as a national securities exchange or be designated by the CFTC as required under New York law. Nor did the respondent comply with a subpoena requesting additional information about its crypto-asset trading activities in the state, the AG said, noting that the respondent has already been found to be operating in multiple jurisdictions without proper licensure. The state seeks a court order (i) preventing the respondent from misrepresenting that it is an exchange; (ii) banning the respondent from operating in the state; and (iii) directing the respondent to undertake measures to prevent access to its mobile application, website, and services from within New York.
Last month the AG filed a similar petition against another virtual currency trading platform alleging similar violations (covered by InfoBytes here).
Software company to pay $3 million to SEC for misleading disclosures about ransomware attack
On March 9, the SEC charged a South Carolina-based donor data management software company with allegedly making materially misleading disclosures about a 2020 ransomware attack. According to the SEC’s cease-and-desist order, the company issued statements that the ransomware attack did not affect donor bank account information or social security numbers. It was later revealed that the attacker had accessed and exfiltrated the unencrypted sensitive information. However, the SEC maintained that due to the company’s alleged failure to maintain disclosure controls and procedures, employees did not inform senior management responsible for public disclosures. As a result, the company’s quarterly report filed with the SEC allegedly omitted material information about the scope of the attack and “misleadingly characterized the risk of exfiltration of such sensitive donor information as hypothetical,” the SEC said. The company did not admit or deny the SEC’s findings, but agreed to pay a $3 million civil penalty and said it would cease and desist from committing violations of the Securities Act of 1933 and the Securities Exchange Act of 1934.
Design firm to settle False Claims Act allegations related to cybersecurity failures
On March 14, the DOJ announced a $293,771 settlement with a design company to resolve alleged False Claims Act (FCA) violations related to failures in its cybersecurity practices. According to the DOJ, the company failed to secure personal information on a federally-funded Florida children’s health insurance website that was created, hosted, and maintained by the company. “Government contractors responsible for handling personal information must ensure that such information is appropriately protected,” Principal Deputy Assistant Attorney General Brian M. Boynton, head of the Justice Department’s Civil Division, said in the announcement. “We will use the [FCA] to hold accountable companies and their management when they knowingly fail to comply with their cybersecurity obligations and put sensitive information at risk.” In this case, the Florida entity (which receives federal Medicaid funds, as well as state funds to provide children’s health insurance programs) contracted with the design company for the provision of a hosting environment that complied with HIPAA’s personal information protection requirements. The company also agreed to adapt, modify, and create code on the webserver to support the secure communication of data. However, between January 1, 2014, and December 14, 2020, the company allegedly failed to provide secure hosting of applicants’ personal information and failed to implement necessary updates. In December 2020, the website experienced a data breach that potentially exposed more than 500,000 applicants’ personal identifying information and other data. In response to the data breach and the company’s cybersecurity failure, the Florida entity shut down the website’s application portal.
States receive $245 million judgment against robocall operation
On March 6, the U.S. District Court for the Southern District of Texas entered stipulated orders and permanent injunctions against two individuals who, along with their companies (also named as defendants in the litigation), allegedly operated a massive robocall campaign to sell extended car warranties and health care services. (See orders here and here.) Eight state attorneys general alleged violations of the TCPA and the Telemarketing Sales Rule, as well as various state consumer protection laws, claiming that the defendants initiated millions of robocalls to individuals nationwide without their prior express consent, spoofed caller ID numbers to mislead recipients, and called people whose numbers were on the Do Not Call Registry. Under the terms of the orders, the individual defendants (who neither admitted nor denied the allegations) are permanently banned from initiating or facilitating (or causing others to initiate or facilitate) any robocalls, working in or with companies that make robocalls, or engaging in any telemarketing. The court also ordered each individual defendant to pay a $122.3 million monetary judgment; however, these payments are mostly suspended in favor of the more permanent bans due to their inability to pay. The states noted that they are continuing their cases in the same action against others who allegedly worked with the individual defendants to facilitate the robocalls.
House subcommittee discusses CFPB reform proposals
On March 9, the House Financial Services Committee’s Subcommittee on Financial Institutions and Monetary Policy held a hearing to discuss proposals that would alter the structure and authority of the CFPB. The subcommittee heard from several witnesses, including the CEO of the American Financial Services Association (AFSA), the Bureau’s former deputy director, and the Minnesota attorney general.
During the hearing, members discussed legislation that would reform the Bureau, including: (i) the Consumer Financial Protection Commission Act, which would make the Bureau an independent commission; (ii) the Transparency in CFPB Cost-Benefit Analysis Act, which would require the Bureau to include a statement justifying any proposed rulemaking (including “why the private market, State, local, or tribal authorities cannot adequately address the problem”), as well as provide qualitative and quantitative cost assessments and data or studies used in preparing a proposal; (iii) the CFPB-IG Reform Act, which would create a separate inspector general for the Bureau; and (iv) the Taking Account of Bureaucrats’ Spending (TABS) Act, which would make the Bureau an independent agency from the Federal Reserve System called the “Consumer Financial Empowerment Agency” that would be funded through congressional appropriations rather than the Fed.
In his prepared testimony, the AFSA CEO alleged several examples of regulatory overreach taken by the Bureau, including: (i) imposing limits on arbitration, despite the Bureau’s own finding that arbitration benefits consumers; (ii) releasing guidance, instead of legislative rulemaking, which creates ambiguity for companies and consumers; (iii) using “regulation by enforcement” to change TILA and creating an ability to repay standard that does not exist in any consumer financial law or regulation; (iv) issuing press releases that serve as regulations and provide recommendations inconsistent with the plain language of laws such as the SCRA; and (v) creating potential harm to servicemembers through misinterpretations of the Military Lending Act. He further explained that a press release issued by the Bureau last year on junk fees (covered by InfoBytes here) “goes beyond its authority” and creates confusion for both depository institutions and finance companies who are unsure what the rules are. He emphasized that “the best way to protect consumer is to protect access to credit,” and the best method for achieving this “is to have clearly defined terms and conditions that both industry and the regulatory community can understand and follow.”
The former CFPB deputy director also asserted in his prepared testimony that the agency is prone to exceeding statutory limits or requirements. He commented that “[w]hile one or two of these actions could perhaps be dismissed as over-exuberance, the frequency with which these issues arise suggests that the agency lacks adequate internal or external controls to ensure it operates within the law,” and that in “the absence of these controls . . . [it] compels the conclusion that the CFPB is ripe for reform.” He also maintained that having the Bureau go through the annual appropriations process would help the agency “focus its priorities” and “improve its effectiveness and efficiency.” He further noted that expanding the Bureau’s UDAAP authority to cover conduct it observes in the marketplace (such as applying UDAAP credit discrimination laws to any decision making by a financial institution) is “a decision fundamentally for Congress.”
The Minnesota attorney general, however, highlighted joint enforcement actions taken with the Bureau in his prepared testimony, stating that by serving “as a critical enforcement partner,” the agency is operating as Congress intended when it created the Bureau in response to the 2008 financial crisis. “The CFPB’s destruction would topple the whole system like dominos,” he stressed, adding that the funding arguments fall short as several federal agencies are not funded by Congress.
Senator Sherrod Brown (D-OH), Chair of the Senate Banking Committee, and Representative Maxine Waters (D-CA), Ranking Member of the House Financial Services Committee, issued a statement strongly disagreeing with the introduced legislation. “We will continue to work with our colleagues to stop any anti-consumer bill and protect the CFPB so that consumers can continue to have an agency solely dedicated to protecting their hard-earned money,” the lawmakers said.
Online lender asks Supreme Court to review ALJ ruling
A Delaware-based online payday lender and its founder and CEO (collectively, “petitioners”) recently submitted a petition for a writ of certiorari challenging the U.S. Court of Appeals for the Tenth Circuit’s affirmation of a CFPB administrative ruling related to alleged violations of the Consumer Financial Protection Act (CFPA), TILA, and EFTA. The petitioners asked the Court to first review whether the high court’s ruling in Lucia v. SEC, which “instructed that an agency must hold a ‘new hearing’ before a new and properly appointed official in order to cure an Appointments Clause violation” (covered by InfoBytes here), meant that a CFPB administrative law judge (ALJ) could “conduct a cold review of the paper record of the first, tainted hearing, without any additional discovery or new testimony.” Or, the petitioners asked, did the Court intend for the agency to actually conduct a new hearing. The petitioners also asked the Court to consider whether an agency funding structure that circumvents the Constitution’s Appropriations Clause violates the separation of powers so as to invalidate prior agency actions promulgated at a time when the Bureau was receiving such funding.
The case involves a challenge to a 2015 administrative action that alleged the petitioners engaged in unfair or deceptive acts or practices when making short-term loans (covered by InfoBytes here). The Bureau’s order required the petitioners to pay $38.4 million as both legal and equitable restitution, along with $8.1 million in penalties for the company and $5.4 million in penalties for the CEO. As previously covered by InfoBytes, between 2018 and 2021, the Court issued four decisions, including Lucia, which “bore on the Bureau’s enforcement activity in this case” by “deciding fundamental issues related to the Bureau’s constitutional authority to act” and appoint ALJs. During this time, two different ALJs decided the present case years apart, with their recommendations separately appealed to the Bureau’s director. The director upheld the decision by the second ALJ and ordered the lender and its owner to pay the restitution. A district court issued a final order upholding the award, which the petitioners appealed, arguing, among other things, that the enforcement action violated their due-process rights by denying the CEO additional discovery concerning the statute of limitations. The petitioners claimed that they were entitled to a “new hearing” under Lucia, and that the second administrative hearing did not rise to the level of due process prescribed in that case.
However, the 10th Circuit affirmed the district court’s $38.4 million restitution award, rejecting the petitioners’ various challenges and affirming the director’s order. The 10th Circuit determined that there was “no support for a bright-line rule against de novo review of a previous administrative hearing,” nor did it see a reason for a more extensive hearing. Moreover, the petitioners “had a full opportunity to present their case in the first proceeding,” the 10th Circuit wrote.
The petitioners maintained that “[d]espite the Court’s clear instruction to hold a ‘new hearing,’ ALJs and courts have reached divergent conclusions as to what Lucia requires, expressing confusion and frustration regarding the lack of guidance.” What it means to hold a “new hearing” runs “the gamut,” the petitioners wrote, pointing out that while some ALJs perform a full redo of the proceedings, others merely accept a prior decision based on a cold review of the paper record. The petitioners argued that they should have been provided a true de novo hearing with an opportunity for new testimony, evidence, discovery, and legal arguments. The rehearing from the new ALJ was little more than a perfunctory “paper review,” the petitioners wrote.
Petitioners asked the Court to grant the petition for three reasons: (i) “the scope of Lucia’s ‘new hearing’ remedy is an important and apparently unsettled question of federal law”; (ii) “the notion Lucia does not require a genuinely ‘new’ de novo proceeding is necessarily wrong because a sham ‘remedy’ provides parties no incentive to litigate Appointments Clause challenges”; and (iii) the case “is an ideal vehicle to provide guidance on Lucia’s ‘new hearing’ remedy.” The petitioners further argued that “Lucia’s remedy should provide parties an incentive to raise separation of powers arguments by providing them actual and meaningful relief.”
The petitioners’ second question involves whether Appropriations Clause violations that render an agency’s funding structure unconstitutional, if upheld, invalidate agency actions taken under such a structure. The petitioners called this “an important, unsettled question of federal law meriting the Court’s review,” citing splits between the Circuits over the constitutionality of the Bureau’s funding structure which has resulted in uncertainty for both regulators and regulated parties. Recently, the Court granted the Bureau’s request to review the 5th Circuit’s decision in CFSAA v. CFPB, which held that Congress violated the Appropriations Clause when it created what the 5th Circuit described as a “perpetual self-directed, double-insulated funding structure” for the agency (covered by InfoBytes here).
SEC files emergency action on $100 million crypto fraud
On March 6, the SEC announced it had filed an emergency action against a Miami-based investment adviser and one of its principals (collectively, “defendants”) in connection with a $100 million crypto asset fraud scheme. According to the SEC’s complaint, filed in the U.S. District Court for the Southern District of Florida, the defendants allegedly promised investors that their money would be primarily used to trade crypto assets and would generate returns through separately managed accounts and five private funds. The SEC alleged, however, that the defendants “disregarded the [funds’] structure, commingled investor assets, and used over $3.6 million to make Ponzi-like payments to fund investors.” Moreover, the SEC claimed that the defendants falsely represented that one of the funds received an audit opinion from a “top four auditor,” when in fact none of the funds ever received an audit opinion. The individual defendant also allegedly misappropriated investor money for personal use and provided altered documents with inflated bank account balances to a third-party administrator of some of the funds.
The SEC’s complaint alleges violations of the antifraud provisions of the federal securities laws and seeks permanent injunctions, disgorgement, prejudgment interest, and civil money penalties. The SEC is also seeking an officer and director bar and conduct-based injunction against the individual defendant. Additionally, the complaint includes a list of “relief defendants” and seeks disgorgement from each of the funds and from another entity that allegedly received approximately $12 million from the defendants and the funds. The announcement noted that the SEC successfully received an asset freeze, appointment of a receiver, and other emergency relief against the defendants.