InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
NYDFS, insurance broker reach $3 million cyber breach settlement
On April 14, NYDFS announced a settlement with an insurance broker to resolve allegations that the broker violated the state’s cybersecurity regulation (23 NYCRR Part 500) by failing to report it was the subject of two cyber breaches between 2018 and 2020. Under Part 500.17, regulated entities are required to provide timely notice to NYDFS when a cybersecurity event involves harm to customers (see FAQs here). A September 2019 examination revealed that the cyber breaches involved unauthorized access to an employee’s email account, which could have provided access to personal data, including social security and bank account numbers. NYDFS also alleged that the broker failed to implement a multi-factor authentication as required by 23 NYCRR Part 500. Under the terms of the consent order, the broker will pay a $3 million civil monetary penalty and will make further improvements to strengthen its existing cybersecurity program to ensure compliance with 23 NYCRR Part 500. NYDFS acknowledged the broker’s “commendable” cooperation throughout the examination and investigation and stated that the broker had demonstrated its commitment to remediation.
Firm settles with FINRA on AML compliance violations
On April 12, the Financial Industry Regulatory Authority (FINRA) entered into a Letter of Acceptance, Waiver, and Consent (AWC), fining a New York-based member firm for allegedly failing to implement a reasonable anti-money laundering (AML) program for transactions involving low-priced securities. The firm also allegedly failed to establish a due diligence program for monitoring and investigating “potentially suspicious transactions.” According to FINRA, the firm and its principal failed to, among other things, (i) take reasonable steps to establish and implement an AML program tailored to the firm’s new business line (and particularly the deposit and liquidation of microcap stocks), resulting in the firm’s failure to identify or investigate potentially suspicious transactions; and (ii) provide meaningful guidance regarding how the principal was to identify or review red flags specific to the customer account business. In addition, FINRA allegedly found that the principal “repeatedly” permitted deposits and re-sales of microcap securities despite missing documentation. As a result, the firm and its principal violated FINRA Rules 3310(a) (Anti-Money Laundering Compliance Program), 3110(a) (Supervision) and 2010 (Standards of Commercial Honor and Principles of Trade).
PA AG settles with collector over payday loan scheme
On April 9, the Pennsylvania attorney general announced settlements with the former CEO of a since-dissolved lender and a debt collector to resolve claims that the collector charged borrowers interest rates as high as 448 percent on loans and lines of credit. The AG alleged that the former CEO “participated in, directed and controlled” business activities related to the allegedly illegal online payday lending scheme, while the debt collector collected more than $4 million related to Pennsylvania consumers’ loan accounts. The terms of the settlement require the individual defendant to comply with relevant consumer protection laws and limits the individual defendant’s ability to work in the consumer lending industry in Pennsylvania for the next nine years. Additionally, the individual defendant is required to pay the Commonwealth $3 million.
The AG’s office noted that the U.S. District Court for the Eastern District of Pennsylvania also approved a settlement with the debt collector, which requires the company to comply with relevant consumer protection laws and, among other things, undertake the following actions: (i) ensure that all acquired debts, for which it attempts to collect, comply with applicable laws and regulations; (ii) cancel all balances on applicable accounts, take no further action to collect debts allegedly owed by Pennsylvania consumers on these accounts, and notify consumers of the cancellations; (iii) “refrain from engaging in [c]ollections on any [d]ebts involving loans made over the internet by [n]on-bank lenders that violate Pennsylvania laws,” including its usury laws; and (iv) will not sell, re-sell, or assign debt related to applicable accounts, including accounts subject to a previously-negotiated nationwide class action settlement agreement and Chapter 11 bankruptcy plan. Previous InfoBytes coverage related to the payday lending scheme can be found here, here, and here.
CFPB action against debt settlement firm targets abusive acts
On April 13, the CFPB entered into a preliminary settlement with an online debt-settlement company for allegedly violating the CFPA’s prohibition on abusive acts or practices and failing to clearly and conspicuously disclose total cost under the Telemarketing Sales Rule. The complaint alleges that the company took “unreasonable advantage of consumers’ reasonable reliance that [it] would protect their interests in negotiating their debts” by failing to disclose its relationship to certain creditors and steering consumers into high-cost loans offered by affiliated lenders. The CFPB alleges that the company regularly prioritized creditors with which it had undisclosed relationships in settlements of consumers’ debts. Under the terms of the proposed stipulated final judgment and order, the CFPB is seeking restitution, damages, disgorgement, and civil money penalties.
In the Bureau’s announcement, acting Director David Uejio states that “[t]he CFPB will not tolerate companies that purport to represent consumers, but instead abuse their trust in a self-dealing scheme. This case provides a clear example of what Congress intended to prohibit when it created the CFPB and gave it authority to prevent abusive practices.”
SEC awards approximately $2.5 million to whistleblower
On April 9, the SEC announced an approximately $2.5 million whistleblower award in connection with a successful enforcement action. According to the redacted order, the whistleblower supplied information that led to charges related to a breach of fiduciary duties owed to investors, provided significant ongoing assistance to enforcement staff, and reported the information internally to the company.
The SEC has now paid approximately $762 million to 148 individuals since the inception of the whistleblower program in 2012.
FTC settles with sellers of antennas, signal amplifiers
On April 8, the U.S. District Court for the Southern District of New York issued a nearly $32 million judgment against the owners and operators of a New York-based enterprise that sells antennas and amplifiers (collectively, “defendants”) for allegedly misleading customers about the quality of their products. The agency alleges in its complaint that the defendants violated the FTC Act by “making deceptive performance claims for their over-the-air television antennas and related signal amplifiers, using deceptive consumer endorsements, and misrepresenting that some of their web pages were objective news reports about the antennas.” Under the terms of the order, the company is barred from making misleading claims about the products’ quality, the number of channels users can acquire, or any other claims about its ranking compared to other products. While the order imposes a $32 million judgment against the defendants, the full judgment will be suspended upon payment of $650,000, subject to certain conditions.
CFPB settles with California-based company for debt collection violations
On April 6, the CFPB announced a consent order against a California-based debt collector and its former owner for allegedly harassing consumers and threatening to take legal action if they did not pay their debts. According to the CFPB, the respondents violated the FDCPA and the CFPA’s prohibition against deceptive acts or practices by mailing letters to consumers printed with “Litigation Notice” that threatened recipients with legal action if they did not repay their debts. However, the Bureau stated that the respondents did not file lawsuits against the consumers, nor did they hire law firms or lawyers to obtain any judgments or collect on any such judgments. Under the terms of the consent order, the respondents are permanently banned from the debt collection industry and are ordered to pay $860,000 in redress to its victims, which has been suspended due to an inability to pay, as well as a $2,200 civil money penalty. This is the CFPB’s latest action taken against debt collectors that have used false threats to collect debts. As previously covered in InfoBytes, in 2019 the CFPB and New York attorney general announced proposed settlements with a network of New York-based debt collectors to resolve allegations that the defendants engaged in improper debt collection tactics in violation of the CFPA, the FDCPA, and various New York laws. Also, in 2018, the CFPB announced a settlement with a Kansas-based company and its former CEO and part-owner that allegedly engaged in improper debt collection tactics in violation of the CFPB’s prohibitions on engaging in unfair, deceptive, or abusive acts or practices (covered by InfoBytes here).
FINRA fines broker-dealer for alleged supervision failures
On April 5, the Financial Industry Regulatory Authority (FINRA) entered into a Letter of Acceptance, Waiver, and Consent (AWC), with a New York-based broker-dealer subsidiary of a global financial services company to resolve allegations that it failed to monitor employees’ outside brokerage accounts for “potentially deceptive trading practices.” Among other things, FINRA alleged that the firm’s failure to maintain a supervisory system to ensure employees disclosed their outside brokerage accounts precluded the personal account trading team from accurately monitoring account activity for compliance with the firm’s trading restrictions. FINRA further indicated that “[w]hile the firm ultimately was able to review the relevant trading activity, the inability to do so earlier led to the firm’s failure to timely monitor trading in these accounts.” The firm neither admitted nor denied the findings set forth in the AWC letter but agreed to pay a $345,000 fine.
Fed formalizes stance on supervisory guidance
On March 31, the Federal Reserve Board issued a final rule codifying the Interagency Statement Clarifying the Role of Supervisory Guidance issued by the CFPB, FDIC, NCUA, and OCC on September 11, 2018 (2018 Statement). As previously covered by InfoBytes, an October 2018 joint proposal amended the 2018 Statement by (i) clarifying that references in the 2018 Statement limiting agency “criticisms” includes criticizing institutions “through the issuance of [matters requiring attention] and other supervisory criticisms, including those communicated through matters requiring board attention, documents of resolution, and supervisory recommendations”; and (ii) adding that supervisory criticisms should be “specific as to practices, operations, financial conditions, or other matters that could have a negative effect on the safety and soundness of the financial institution, could cause consumer harm, or could cause violations of laws, regulations, final agency orders, or other legally enforceable conditions.” The final rule is effective 30 days after publication in the Federal Register, and mirrors final rules issued by the CFPB, OCC, FDIC, and NCUA.
DFPI sanctions former PACE solicitor under California Consumer Financial Protection Law
On March 30, the California Department of Financial Protection and Innovation (DFPI) announced it has permanently banned an individual and three companies he owns or controls for allegedly evading Property Assessed Clean Energy (PACE) laws. According to DFPI, the respondents, among other things, engaged in unfair and deceptive marketing tactics by “marketing their product as a ‘no-cost’ government-funded program” and “using an unenrolled company to advertise and solicit consumers for PACE financing.” DFPI claimed the respondents offered and sold PACE financing without enrolling with a PACE program administrator, failed to clearly and accurately inform consumers about how PACE financing works, and “misled consumers about their relationships with public agencies, lenders, PACE program administrators, and each other.” Under the terms of the consent order, the respondents agreed to cease and desist from offering PACE financing to consumers, agreed not to use “PACE” in business names, websites, marketing materials, or construction communications, and agreed not to seek future enrollment with any PACE program administrator.