InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
FDIC releases October enforcement actions
On November 26, the FDIC released a list of administrative enforcement actions taken against banks and individuals in October. During the month, the FDIC issued three orders consisting of “one Order to Pay Civil Money Penalty, one Consent Order, and one Section 19 Order.” Among the orders is a civil money penalty imposed against an Arkansas-based bank based on allegations of deceptive practices related to misrepresenting the availability of Veterans Administration refinance loan terms. The bank, which did not admit or deny the violations, agreed to pay a $129,800 civil money penalty.
District Court enters final judgment in 2016 CFPB structured settlement action
On November 18, the U.S. District Court for the District of Maryland entered a stipulated final judgment and order against one of the individual defendants in an action concerning allegedly unfair, abusive, and deceptive structured settlement practices. As previously covered by InfoBytes, the Bureau claimed the defendants violated the CFPA by employing abusive practices when purchasing structured settlements from consumers in exchange for lump-sum payments. According to the Bureau, the defendants encouraged consumers to take advances on their structured settlements and falsely represented that the consumers were obligated to complete the structured settlement sale, “even if they [later] realized it was not in their best interest.” In July 2021, the court considered the defendants’ motion to dismiss the Bureau’s amended complaint, as well as the defendants’ motion for judgment on the pleadings on the grounds that the enforcement action was barred by the U.S. Supreme Court’s decision in Seila Law LLC v. CFPB, which held that that the director’s for-cause removal provision was unconstitutional (covered by a Buckley Special Alert), and that the ratification of the enforcement action “came too late” because the statute of limitations on the CFPA claims had already expired (covered by InfoBytes here). The court’s opinion allowed the Bureau to pursue its amended 2016 enforcement action, which alleged unfair, deceptive, and abusive acts and practices and sought a permanent injunction, damages, disgorgement, redress, civil penalties, and costs.
Under the terms of the settlement, the individual defendant—“an attorney who provided purportedly independent professional advice for almost all Maryland consumers who made structured-settlement transfers with [the defendants]” and who has neither admitted nor denied the allegations—is prohibited from, among other things, (i) participating or assisting others in participating in any structured-settlement transactions; (ii) owning, being employed by, or serving as an agent of any structured-settlement-factoring company; or (iii) providing independent professional advice concerning any structured-settlement transactions. The individual defendant is also prohibited from disclosing, using, or benefiting from affected consumers’ information, and must pay $40,000 in disgorgement and a $10,000 civil money penalty.
Fed announces written agreement against China-based bank and NY branch
On November 16, the Federal Reserve Board announced an enforcement action against a Chinese state-owned bank’s New York branch for alleged credit risk management deficiencies. The written agreement requires the bank and its branch to jointly submit a written plan to strengthen senior management oversight of risk management and internal controls, including a sustainable governance and risk management framework. Among other things, the plan must ensure that the branch’s risk management, internal audit function, and credit risk functions maintain appropriate stature and independence, and that potential credit risks are timely escalated. Additionally, risk management roles and responsibilities must be “clearly defined” in the plan, and the bank must ensure that “data management procedures are incorporated into an effective data governance framework.” After the Fed approves the plans, the bank and branch will have 30 days following the end of each quarter to submit “written progress reports detailing the form and manner of all actions taken to secure compliance” with the provisions of the written agreement.
CFPB sues pawn lenders for MLA violations
On November 12, the CFPB filed a complaint against a Texas-based pawn lender and its wholly owned subsidiary (together, “lenders”) for allegedly violating the Military Lending Act (MLA) by charging active-duty servicemembers and their dependents more than the allowable 36 percent annual percentage rate on pawn loans. According to the Bureau, between June 2017 and May 2021, the two lenders together allegedly made more than 3,600 pawn loans carrying APRs that “frequently exceeded” 200 percent to more than 1,000 covered borrowers. The Bureau further claimed that the lenders failed to make all loan disclosures required by the MLA and forced borrowers to waive their ability to sue. The identified 3,600 pawn loans only represent a limited period for which the Bureau has transactional data, the complaint stated, adding that the pawn stores located in Arizona, Nevada, Utah, and Washington that originated these loans only comprise roughly 10 percent of the Texas lender’s nationwide pawn-loan transactions. As such, that Bureau alleged that the lenders—together with their other wholly owned subsidiaries—made additional pawn loans in violation of the MLA from stores in these and other states. The Bureau seeks injunctive relief, consumer restitution, disgorgement, civil money penalties, and other relief, including a court order enjoining the lenders from collecting on the allegedly illegal loans and from selling or assigning such debts.
As previously covered by InfoBytes, the Bureau issued a prior consent order against an affiliated lender in 2013, which required the payment of $14 million in consumer redress and a $5 million civil money penalty. The affiliated lender was also ordered to cease its MLA violations. In its current action, the Bureau noted that because the Texas lender (who was not identified in the 2013 action) is a successor to the prior affiliated lender, it is therefore subject to the 2013 order. Accordingly, the Bureau alleged that the Texas lender’s violations of the MLA also violated the 2013 order.
SEC awards $15 million to whistleblowers
On November 10, the SEC announced awards totaling over $15 million to two whistleblowers whose original information and voluntary assistance led to a successful SEC enforcement action. According to the redacted order, the first whistleblower alerted Commission staff to a fraudulent scheme, which prompted the opening of the investigation. While still substantial, the second whistleblower’s information was more limited in nature, and “had less of an impact on the success of the enforcement action,” as reflected in the respective amounts awarded. The SEC has awarded approximately $1.1 billion to 226 individuals since issuing its first award in 2012.
UAE bank fined $100 million for Sudanese sanctions violations
On November 9, NYDFS announced that a United Arab Emirates bank will pay a $100 million penalty to resolve an investigation into payments it allegedly processed through financial institutions in the state, including one of the bank’s New York branches. These transactions, NYDFS stated, were in violation of Sudan-related U.S. sanctions. According to NYDFS’ investigation, the bank instructed employees to avoid including certain details in messages sent between banks that would have linked the transactions to Sudan. By concealing these details, the transactions bypassed other banks’ sanctions filters, which otherwise might have triggered alerts or transaction freezes, NYDFS said. As a result, between 2005 and 2009, the bank illegally processed more than $4 billion of payments tied to Sudan. Following an announcement in 2009 that a Swiss bank used by the bank to process these transactions was being investigated by the New York County District Attorney’s Office for violating economic sanctions rules, the bank closed all U.S. dollar accounts held by Sudanese banks, but failed to disclose the prohibited transactions to NYDFS as required until 2015. NYDFS asserted that “despite having ample notice of the prohibited nature of the Sudan-related [transactions] by 2009,” the bank’s New York branch processed an additional $2.5 million in Sudan-related payments. Under the terms of the consent order, the bank—which was previously cited by NYDFS for anti-money laundering and sanctions compliance deficiencies in a 2018 consent order that included a $40 million fine—is also required to provide a status report on its U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) compliance program, in addition to paying the $100 million penalty. NYDFS acknowledged the bank’s substantial cooperation and ongoing remedial efforts.
NYDFS coordinated its investigation with the Federal Reserve Board and OFAC, both of which announced separate settlements with the UAE bank the same day. The Fed’s announcement of its order to cease and desist cites the bank for having insufficient policies and procedures in place to ensure that activities involving branches outside the U.S. were in compliance with U.S. sanctions laws. Under the terms of the order, the bank is required, among other things, to implement an enhanced compliance program to ensure global compliance with U.S. sanctions, and must also conduct annual reviews, including a “risk-focused sampling” of its U.S. dollar payments, led by an independent external party. The order did not include any additional monetary penalties for the bank.
OFAC also issued a finding of violation (FOV) for violations of the now-repealed Sudanese Sanctions Regulations related to the bank’s actions. These violations included 1,760 transactions that involved USD transfers from Sudanese banks that were processed by the bank’s London branch and routed through U.S. banks. In determining that the appropriate administrative action was an FOV rather than a civil monetary penalty, OFAC stated the bank “voluntarily entered into a retroactive statute of limitations waiver agreement, without which OFAC would have been time-barred from charging the violations.” Because the payment messages did not include the originating Sudanese bank, U.S. correspondent banking partners “could not interdict the payments, and the payments were successfully processed through the U.S. financial system,” OFAC stated. However, OFAC credited the bank with providing substantial cooperation during the investigation, and noted that the bank had taken “extensive remediation” efforts before the investigation began in 2015, and has spent more than $122 million on compliance enhancements.
FTC permanently bans payment processor from debt relief processing
On November 8, the FTC announced the permanent ban of a payment processor from processing debt relief payments and ordered payment of $500,000 in consumer redress. According to the FTC’s complaint, the payment processor and its owner (collectively, “defendants”) allegedly processed roughly $31 million in consumer payments on behalf of a student loan debt relief operation charged by the FTC in 2019 for allegedly engaging in deceptive practices when marketing and selling their debt relief services. As previously covered by InfoBytes, the FTC claimed the operators (i) charged borrowers illegal advance fees; (ii) falsely claimed they would service and pay down their student loans; and (iii) obtained borrowers’ credentials in order to change consumers’ contact information and prevent communications from loan servicers. The FTC alleged the defendants processed payments from tens of thousands of consumers even though they were aware of numerous issues with the scheme and had received complaints from consumers and banks. The FTC further alleged that the defendants continued to process payments until the FTC took enforcement action against the operation.
Under the terms of the settlement, the defendants are permanently prohibited from processing payments for debt relief services and student loan entities and are banned from processing payments for any merchant unless there is a signed, written contract. The defendants are also required to screen prospective high-risk clients to determine whether such clients are, or are likely to be, engaging in deceptive or unfair activities. In addition, the settlement imposes a $27.5 million judgment against the defendants, which is largely suspended following the payment of $500,000, due to the defendants’ inability to pay the full amount.
Illinois enacts the Protecting Household Privacy Act
Earlier this year, the Illinois governor signed HB 2553 to create the Protecting Household Privacy Act. Among other things, the act specifies when state law enforcement agencies may acquire and use data from household electronic devices. The act defines “household electronic data” as information or input provided by a person to a household electronic device that is capable of facilitating electronic communications. (A “household electronic device” excludes personal computing devices and digital gateway devices.) The act generally prohibits law enforcement agencies from obtaining household electronic data “or direct[ing] the acquisition of household electronic data from a private third party.” Exceptions to this prohibition include when a law enforcement agency first obtains a warrant, an emergency situation arises, or the owner of the household electronic device lawfully consents to the acquisition of the data. The act also states that it shall not “be construed to require a person or entity to provide household electronic data to a law enforcement agency,” except as provided under certain provisions outlined in Section 15. The act further requires entities disclosing household electronic data to “take reasonable measures to ensure the confidentiality, integrity, and security of any household electronic data during transmission to any law enforcement agency, and to limit any production of household electronic data to information responsive to the law enforcement agency request.” Additionally, the act outlines information retention limits, which provide, among other things, that if a law enforcement agency obtains household electronic data and does not file criminal charges, it must destroy the data within 60 days unless subject to certain circumstances. The act is effective January 1, 2022.
Kansas AG fines companies for unlawful data disposal
On November 1, the Kansas attorney general ordered three national companies that manage business documents to pay fines totaling nearly $500,000 for the alleged unlawful disposal of records containing consumers’ personal information. According to the Kansas AG, the companies violated the Kansas Consumer Protection Act and the Wayne Owen Act by repeatedly disposing of records in unsecured trash receptacles without “rendering the personal information unreadable or undecipherable.” By engaging in these actions, the AG stated, the companies failed to comply with the requirements that companies implement and maintain reasonable policies and procedures and exercise reasonable care to protect personal information from unauthorized access and use, and take reasonable steps to destroy records containing personal information when they are no longer needed. Under the terms of the consent judgments (see here, here, and here), the companies must pay the fine, implement measures to ensure the proper disposal of documents, conduct employee training on the proper handling and disposal of personal information, and evaluate their information security programs and policies to ensure personal information is protected.
California AG takes action against casino for AML violations
On November 5, the California attorney general filed an administrative accusation with the California Gambling Control Commission against a California casino for violating the Bank Secrecy Act’s (BSA) anti-money laundering provisions. The action, which follows a federal investigation, alleges that the casino “overlooked, neglected, or was willfully blind to accusations and actions taken against other casinos for violations of the BSA and for failing to maintain adequate Anti Money Laundering (AML) programs.” The casino had previously entered into a Non-Prosecution Agreement with the U.S. Attorney’s Office for the Central District of California, accepted responsibility for “failing to properly file reports for a foreign national who conducted millions of dollars in cash transactions at the casino,” and agreed to pay $500,000 and undergo an increased review of its AML compliance program to prevent future violations, according to a DOJ press release. The California AG now seeks to hold the casino and its owners responsible for state law violations.