InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
FTC and DOJ announce $5 billion privacy settlement with social media company; SEC settles for $100 million
On July 24, the FTC and the DOJ officially announced (see here and here) that the world’s largest social media company will pay a $5 billion penalty to settle allegations that it mishandled its users’ personal information. As previously covered by InfoBytes, it was reported on July 12 that the FTC approved the penalty, in a 3-2 vote. This is the largest privacy penalty ever levied by the agency, almost “20 times greater than the largest privacy or data security penalty ever imposed worldwide,” and one of the largest ever assessed by the U.S. government for any violation. According to the complaint, filed the same day as the settlement, the company allegedly used deceptive disclosures and settings to undermine users’ privacy preferences in violation of a 2012 privacy settlement with the FTC, which allowed the company to share users’ data with third-party apps that were downloaded by users’ “friends.” Moreover, the complaint alleges that many users were unaware the company was sharing the information, and therefore did not take the steps needed to opt-out of the sharing. Relatedly, the FTC also announced a separate action against a British consulting and data analytics firm for allegedly using deceptive tactics to “harvest personal information from millions of [the social media company’s] users.”
In addition to the monetary penalty, the 20-year settlement order overhauls the company’s privacy program. Specifically, the order, among other things, (i) establishes an independent privacy committee of the company’s board of directors; (ii) requires the company to designate privacy program compliance officers who can only be removed by the board’s privacy committee; (iii) requires an independent third-party assessor to perform biennial assessments of the company’s privacy program; (iv) requires the company to conduct a specific privacy review of every new or modified product, service, or practice before it is implemented; and (v) mandates that the company report any incidents in which data of 500 or more users have been compromised to the FTC.
In dissenting statements, Commissioner Chopra and Commissioner Slaughter asserted that the settlement, while historic, does not contain terms that would effectively deter the company from engaging in future violations. Commissioner Slaughter argues, among other things, that the civil penalty is insufficient and believes the order should have contained “meaningful limitations on how [the company] collects, uses, and shares data.” Similarly, Commissioner Chopra argues that the order imposes no meaningful changes to the company’s structure or financial incentives, and the immunity provided to the company’s officers and directors is unwarranted.
On the same day, the SEC announced that the company also agreed to pay $100 million to settle allegations that it mislead investors about the risks it faced related to the misuse of its consumer data. The SEC’s complaint alleges that in 2015, the company was aware of the British consulting and data analytics firm’s misuse of its consumer data but did not correct its disclosures for more than two years. Additionally, the SEC alleges the company failed to have policies and procedures in place during that time that would assess the results of internal investigations for the purposes of making accurate disclosures in public filings. The company neither admitted nor denied the allegations.
Hungarian subsidiary of multinational technology company settles FCPA claims
On July 22, the DOJ announced an $8.7 million settlement with the Hungarian subsidiary of an American multinational technology company to resolve allegations of bid-rigging and bribery in violation of the FCPA. The SEC simultaneously announced a related resolution with the parent technology company over the operations of subsidiaries in four countries, with the parent company paying an additional $16.5 million.
According to the DOJ announcement, between 2013 and 2015, executives and employees of the Hungarian subsidiary falsely represented to the parent company that discounts were necessary to finalize deals with resellers to sell company licenses to government customers; however, the savings were allegedly used for “corrupt purposes” in violation of the FCPA. The subsidiary entered into a non-prosecution agreement with DOJ, which noted that while the subsidiary did not voluntarily self-disclose the misconduct, it received credit for the company’s “substantial cooperation with the Department’s investigation and for taking extensive remedial measures.” Specifically, the subsidiary terminated four licensing partners and the company implemented an enhanced compliance system and internal controls to address corruption risks.
SEC settles with U.S. affiliate of Japanese financial institution for mortgage-backed securities failures
On July 15, the SEC announced an approximately $25 million settlement with the U.S. affiliate of a Japanese financial holding company, resolving allegations that the company failed to adequately supervise mortgage-backed securities traders. According to the orders, covering commercial mortgage-backed securities (CMBS) and residential mortgage-backed securities (RMBS), from approximately January 2010 through April 2014 several traders allegedly made false or misleading statements while negotiating the sales of CMBS and RMBS, including information about (i) the company’s purchase price of the securities; (ii) the compensation the company would receive on the trades; and (iii) the current ownership of the securities. The SEC alleges the company failed to reasonably supervise traders to prevent the alleged violations of federal antifraud provisions. The orders acknowledge the company’s significant cooperation in the matter and require the company to reimburse customers the full amount of profits earned from the identified trades, totaling over $4.2 million to CMBS customers and over $20.7 million to RMBS customers. Additionally, the orders penalize the company $500,000 related to the CMBS trades and $1 million related to the RMBS trades.
Agencies again defer action against foreign funds under Volcker Rule
On July 17, the FDIC, the Federal Reserve Board, and the OCC (collectively, the “agencies”) announced that they will not take action against foreign banks for qualifying foreign excluded funds, subject to certain conditions, under the Volcker Rule for an additional two years. The announcement notes that the agencies consulted with the SEC and the CFTC on the decision. Since 2017, the agencies have deferred action on qualifying foreign funds that might be covered under the Volcker Rule (covered by InfoBytes here and here). In a joint statement, the agencies note that they have not finalized revisions to regulations implementing Section 13 of the Bank Holding Company Act, and in order to “provide interested parties greater certainty about the treatment of qualifying foreign excluded funds in the near term,” the agencies are proposing not to take action through July 21, 2021.
SEC defends whistleblower award delay in foreign bribery case
On July 11, the SEC responded to a petition asking the U.S. Court of Appeals for the District of Columbia to compel a whistleblower award determination from the agency. In April 2017, the “John Doe” petitioner had applied for an SEC whistleblower award, claiming that beginning in May 2011 and continuing for the next several years, he voluntarily provided original information to the Commission that led to the SEC and DOJ’s $519 million resolution of foreign bribery claims against a multinational pharmaceutical company (previously reported here). Under the SEC Whistleblower Program established by the Dodd-Frank Act, the petitioner could be eligible for up to 30% of that $519 million recovery. In April 2019, after the SEC still had not issued a preliminary determination in connection with his application, the petitioner sought relief in court. The petitioner argued that it was a “simple task” to evaluate his claim, and the agency’s two-year delay was “unreasonable.”
In its response, the SEC argued that the petitioner “greatly misapprehends the work, effort, and time involved in reviewing whistleblower claims,” “overlooks the substantial complexities involved in adjudicating claims regarding the matter,” and “ignores that the SEC is processing a voluminous number of other whistleblower applications that require the attention of the Commission in addition to his claim.”
For additional information about SEC whistleblower awards and procedures under the SEC Whistleblower Program, see the article published here by Buckley LLP attorneys.
SEC, FINRA address digital asset securities compliance requirements
On July 8, the SEC and the Financial Industry Regulatory Authority (FINRA) issued a joint statement in response to compliance questions received from broker-dealer participants who handle digital asset securities. While recognizing that the application of federal securities law and FINRA rules to digital asset securities, as well as related innovative technologies, “raise novel and complex regulatory and compliance questions and challenges,” the joint statement encourages “reasonably practicable” efforts to address these issues. Among other things, the guidance emphasizes that broker-dealer participants who try to maintain custody of clients’ digital asset securities must comply with the SEC’s Customer Protection Rule to safeguard customers’ assets and prevent investor loss or harm. In situations involving noncustodial digital asset securities activities, relevant laws, rules, and requirements must also be followed, even if these activities generally do not raise the same level of concern. The SEC and FINRA also acknowledge that compliance with these rules may be challenging as technological enhancements and situations unique to digital asset securities continue to develop, and emphasize that they will continue to engage with broker-dealer participants as the marketplace evolves.
Agencies adopt final rules excluding community banks from the Volcker Rule; simplify regulatory capital rules
On July 9, the Federal Reserve Board (Fed), CFTC, FDIC, OCC, and SEC adopted a final rule implementing sections of the Economic Growth, Regulatory Relief, and Consumer Protection Act to grant an exclusion for community banks from the Volcker Rule, which generally restricts banking entities from engaging in proprietary trading and from owning, sponsoring, or having certain relationships with hedge funds or private equity funds. Qualifying financial institutions must have fewer than $10 billion in total consolidated assets and total trading assets, as well as liabilities that are equal to or less than five percent of their total consolidated assets. The rule also permits, under certain circumstances, a hedge fund or private equity fund organized and offered by a banking entity to share a name with a banking entity that is its investment advisor that is not an insured bank or bank holding company. The rule will take effect upon publication in the Federal Register.
The same day, the Fed, FDIC, and OCC also finalized a rule “intended to simplify and clarify a number of the more complex aspects of the agencies’ existing regulatory capital rules” for banks with less than $250 billion in total consolidated assets and less than $10 billion in total foreign exposure. Among other changes, the rule alters the capital treatment for mortgage servicing assets, certain deferred tax assets, as well as investments in the capital instruments of unconsolidated financial institutions. The final rule will be effective as of April 1, 2020, for the amendments to simplify capital rules, and as of October 1, 2019 for revisions to the pre-approval requirements for the redemption of common stock and other technical amendments.
House Fintech Task Force holds first hearing
On June 25, the House Financial Services Committee’s Task Force on Financial Technology held its first-ever hearing, entitled “Overseeing the Fintech Revolution: Domestic and International Perspectives on Fintech Regulation.” As previously covered by InfoBytes, the Committee created the task force to explore the use of alternative data in loan underwriting, payments, big data, and data privacy challenges. The hearing’s witness panel consisted of high-ranking innovation officials across various agencies and associations, including the CFPB, OCC, SEC, CSBS, and the U.K.’s Financial Conduct Authority. Among other things, the hearing discussed whether digital currency is considered a security, the OCC’s special purpose national bank charter, and the U.K.’s regulatory sandbox approach.
SEC representative, Valerie Szczepanik, stated that she believes the SEC has been “quite clear” with regard to initial coin offerings, noting that “[e]ach digital asset is its own animal. It has to be examined on its facts and circumstances to determine what in fact it is. It could be a security, it could be a commodity, it could be something else. So we stand ready to provide kind of guidance to folks if they want to come and talk to us. We encourage them to come talk to us before they do anything so they can get the benefit of our guidance.”
While much of the OCC special purpose bank charter discussion focused on a social media’s plan to launch its own virtual currency, CSBS representative, Charles Clark, emphasized that “[s]tate regulators oppose the special purpose charter because it lacks statutory authority” and that it should be up to Congress to decide whether the OCC can regulate non-bank entities. Clark noted that a federal system would create an unlevel playing field compared to a state system where “a small company can enter the system, scale up, and be competitive with an innovative idea.”
Lastly, the FCA representative, Christopher Woolard, emphasized that fintech firms participating in the country’s sandbox program are “fully regulated” and probably the U.K.’s “most heavily supervised,” noting that the FCA believes “sandbox firms have to work in the real world from day one.” Additionally, Woolard asserted that the sandbox program is making a difference in the market stating that of their 110 tests, 80 percent of the firms that enter the program go on to fully operate in the market. He concluded asserting, “we believe that around millions of consumers have [] access to new products [] geared around better value or greater convenience.”
Multinational retailer settles FCPA claims by DOJ and SEC for $282 million
On June 20, the DOJ announced a $137 million settlement with a U.S.-based multinational retailer (the Retailer) and its wholly owned Brazilian subsidiary (the Subsidiary) to resolve claims they violated the FCPA. The Retailer entered into a non-prosecution agreement, while the Subsidiary pleaded guilty. On the same day, the SEC issued an administrative order requiring the Retailer to pay $144 million in disgorgement and interest. The SEC stated that the Retailer failed to “operate a sufficient anti-corruption compliance program for more than a decade as the retailer experienced rapid international growth.” In total, the Retailer will pay more than $282 million to settle the charges.
According to the DOJ announcement, from 2001 to 2011, the Retailer failed to implement and maintain internal accounting controls related to anti-corruption, and senior officials were aware of the failures. The failures allegedly allowed the Retailer’s foreign subsidiaries in Mexico, India, Brazil and China to hire third-party intermediaries (TPIs) “without establishing sufficient controls to prevent those TPIs from making improper payments to government officials in order to obtain store permits and licenses,” which, in turn, allowed the foreign subsidiaries to open stores faster, earning the company additional profits. In its non-prosecution agreement with the DOJ, in addition to the monetary penalty, the Retailer agreed to: (i) appoint an independent compliance monitor for a two-year term; and (ii) continue to cooperate with the DOJ’s investigation. The monetary penalty amount was calculated by reducing by 25 percent the bottom of the U.S. Sentencing Guidelines fine range for the portion of the penalty applicable to conduct in Brazil, China, and India, and reducing by 20 percent the bottom of the U.S. Sentencing Guidelines fine range for the portion of the penalty applicable to conduct in Mexico.
SEC separately settles ADR allegations against international bank subsidiary and securities company
On June 14, the SEC announced a $42 million settlement with a wholly-owned subsidiary of an international bank to resolve allegations that certain associated persons on its securities lending desk allegedly improperly pre-released American Depositary Receipts (ADRs), or “U.S. securities that represent shares in foreign companies.” The SEC announcement explains that “[t]he practice of ‘pre-release’ allows ADRs to be issued without the deposit of foreign shares, provided brokers receiving them have an agreement with a depositary bank and the broker or its customer owns the number of foreign shares that corresponds to the number of shares the ADRs represent.” According to the SEC, the subsidiary “improperly obtained pre-released ADRs from depositary banks when [the subsidiary] should have known that neither the firm nor its customers owned the foreign shares needed to support those ADRs.” The SEC asserts that this resulted in an inflated total number of foreign issuer’s tradeable securities and short selling and dividend arbitrage. The SEC alleged that these practices violated the Securities Act of 1933 and claimed that the subsidiary failed to reasonably supervise its securities personnel. The consent order requires the subsidiary to pay more than $24 million in disgorgement, roughly $4.4 in prejudgment interest, and a civil money penalty of approximately $14.3 million. The order acknowledges the subsidiary’s cooperation in the investigation.
On the same day, the SEC announced an $8.1 million consent order with a securities company to resolve allegations that the company allegedly improperly pre-released American Depositary Receipts (ADRs). According to the SEC, the company, in violation of the Securities Act of 1933, “improperly obtained pre-released ADRs from depositary banks when [the company] should have known that neither the firm nor its customers owned the foreign shares needed to support those ADRs.” The SEC announcement asserts that the lack of shares to support the ADRs resulted in an inflated total number of foreign issuer’s tradeable securities and short selling and dividend arbitrage. Additionally, the SEC alleges the company failed to establish and implement effective policies and procedures to address whether the company was in compliance with its obligations in connection with pre-release transactions. The consent order requires the company to pay more than $4.8 million in disgorgement, approximately $800,000 in prejudgment interest, and a civil money penalty of more than $2.4 million. The order acknowledges the company’s cooperation in the investigation.