
InfoBytes Blog

Financial Services Law Insights and Observations


  • Mortgage lender to pay $23.7 million to settle FCA allegations

    Federal Issues

    On June 29, the DOJ announced a $23.75 million settlement with a South Carolina-based mortgage lender to resolve alleged False Claims Act (FCA) violations related to its origination and underwriting of mortgages insured by the Federal Housing Administration (FHA). According to the DOJ, two former employees filed a lawsuit under the FCA’s whistleblower provisions alleging the lender failed to maintain quality control programs for preventing and correcting underwriting deficiencies. As part of the settlement, the lender admitted that it certified loans that did not meet the applicable requirements for FHA mortgage insurance and VA home loan guarantees. The lender also acknowledged that these loans would not have been insured or guaranteed by the agencies were it not for the submission of false certificates. While the conduct began in July 2008, the DOJ recognized that the lender has taken significant measures to stop the violations, both before and after being told of the investigation, and gave the lender credit for doing so. Under the terms of the settlement, the lender will pay $23.75 million to the U.S., with the whistleblowers receiving a total of $4.04 million of the settlement proceeds.

    Federal Issues DOJ Enforcement False Claims Act / FIRREA Mortgages FHA HUD

  • FTC, DOJ sue e-commerce company over child data

    Federal Issues

    On May 31, the DOJ filed a complaint on behalf of the FTC against a global e-commerce tech company for allegedly violating the Children’s Online Privacy Protection Act Rule (COPPA) relating to its smart voice assistant’s data collection and retention practices. While the company repeatedly assured users that they could delete collected voice recordings and geolocation information, the complaint alleged that the company held onto some of this information for years to improve its voice assistant’s algorithm, thus putting the data at risk of harm from unnecessary access. Additionally, the complaint also contended that, for a significant period of time, the company continued to retain transcripts for recordings even after the voice recordings were deleted. According to the complaint, the company failed to provide complete, truthful notice to parents about its deletion practices and lacked an effective system to ensure users’ data deletion requests were honored.

    The proposed court order would require the company to pay a $25 million civil money penalty and would prohibit the company from using geolocation and voice to create or improve any of its data products after a deletion request. The company would also be required to (i) delete any inactive smart voice assistant children’s accounts; (ii) notify users about its data retention and deletion practices and controls; and (iii) implement a privacy program specific to its use of users’ geolocation information, among other things.

    Federal Issues Privacy, Cyber Risk & Data Security FTC DOJ Enforcement COPPA Consumer Protection

  • FTC, DOJ sue maker of health app over data sharing

    Federal Issues

    On May 17, the DOJ filed a complaint on behalf of the FTC against a health app for violating the Health Breach Notification Rule (HBNR) by allegedly sharing users’ sensitive personal information with third parties, disclosing sensitive health data, and failing to notify users of these unauthorized disclosures. According to the complaint, users were allegedly repeatedly and falsely promised via privacy policies that their health information would not be shared with third parties without the user’s knowledge or consent, and that any collected data was non-identifiable and only used for the defendant’s own analytics or advertising. The FTC charged the defendant with failing to implement reasonable measures to address the privacy and data security risks created by its use of third-party automated tracking tools and for sharing health information used for advertising purposes without obtaining users’ affirmative express consent. Under the HBNR, companies with access to personal health records are required to notify users, the FTC, and media outlets in certain situations, if there has been an unauthorized acquisition of unsecured personal health information. The defendant also allegedly failed to impose limits on how third parties could use the data and failed to adequately encrypt data shared with third parties, thus subjecting the data to potential interception and/or seizure by bad actors.

    The proposed court order would require the defendant to pay a $100,000 civil penalty, and would permanently prohibit the company from sharing personal health data with third parties for advertising and from making future misrepresentations about its privacy practices. The defendant would also be required to (i) obtain user consent before sharing personal health data; (ii) limit data retention; (iii) request deletion of data shared with third parties; (iv) provide notices to users explaining the FTC’s allegations and the proposed settlement; and (v) implement comprehensive security and privacy programs to protect consumer data. The defendant has also agreed to pay a total of $100,000 to Connecticut, the District of Columbia, and Oregon (who collaborated with the FTC on the action) for violating state privacy laws with respect to its data sharing and privacy practices.

    Federal Issues Privacy, Cyber Risk & Data Security FTC DOJ Consumer Protection Health Breach Notification Rule Enforcement Connecticut District of Columbia Oregon

  • FinCEN fines trust company $1.5 million for BSA violations

    Financial Crimes

    On April 26, FinCEN announced its first enforcement action against a trust company, in which it assessed a $1.5 million civil money penalty against a South Dakota-chartered trust company for willful violations of the Bank Secrecy Act (BSA) and its implementing regulations. According to the consent order, the trust company admitted that it willfully failed to timely and accurately report hundreds of transactions to FinCEN involving suspicious activity by its customers, including transactions with connections to a trade-based money-laundering scheme and several securities fraud schemes. The agency cited the trust company’s “severely underdeveloped” process for identifying and reporting potentially suspicious activity as part of “an overall failure to build a culture of compliance.”

    According to FinCEN acting Director Himamauli Das, the trust company “had virtually no process to identify and report suspicious transactions, resulting in it processing over $4 billion in international wires with essentially no controls.” FinCEN said that the trust company should have realized that a large volume of activity from high-risk customers played a role in the closure of numerous correspondent accounts it maintained at other financial institutions, and pointed out that the trust company only began closing accounts flagged during an audit after several forced closures of its own accounts by other financial institutions and after receiving law enforcement inquiries about the accounts referred by the audit. However, at the time, the trust company made no effort to file suspicious activity reports (SARs), FinCEN found, claiming that the trust company processed hundreds of suspicious transactions worth tens of millions of dollars for risky customers that, among other things, appeared to operate in unrelated business sectors. FinCEN added that “personnel with [anti-money laundering (AML)] responsibilities have acknowledged not fully understanding federal SAR filing requirements and that they may have missed important information about some of their riskiest clients as the result of maintaining other, non-AML responsibilities.”

    The consent order requires the trust company to hire an independent consultant to review its AML program and transactions from all referenced accounts, as well as any other accounts the trust company maintained for customer referrals, and conduct a SAR lookback review. The trust company is also required to implement recommendations made by the independent consultant and file SARs for any flagged covered transactions. FinCEN recognized the close collaboration and assistance provided by the DOJ and the FBI on this matter.

    Financial Crimes Of Interest to Non-US Persons FinCEN Enforcement Bank Secrecy Act DOJ FBI SARs

  • Federal agencies reaffirm commitment to confront AI-based discrimination

    Federal Issues

    On April 25, the CFPB, DOJ, FTC, and Equal Employment Opportunity Commission released a joint statement reaffirming their commitment to protect the public from bias in automated systems and artificial intelligence (AI). “America’s commitment to the core principles of fairness, equality, and justice are deeply embedded in the federal laws that our agencies enforce to protect civil rights, fair competition, consumer protection, and equal opportunity,” the agencies said, emphasizing that existing authorities apply equally to the use of new technologies and responsible innovation as they do to any other conduct. The agencies have previously expressed concerns about potentially harmful AI applications, including black box algorithms, algorithmic marketing and advertising, abusive AI technology usage, digital redlining, and repeat offenders’ use of AI, which may contribute to unlawful discrimination, biases, and violate consumers’ rights.

    “We already see how AI tools can turbocharge fraud and automate discrimination, and we won’t hesitate to use the full scope of our legal authorities to protect Americans from these threats,” FTC Chair Lina M. Khan said. “Technological advances can deliver critical innovation—but claims of innovation must not be cover for lawbreaking. There is no AI exemption to the laws on the books, and the FTC will vigorously enforce the law to combat unfair or deceptive practices or unfair methods of competition,” Khan added.

    CFPB Director Rohit Chopra echoed Khan’s sentiments and said the Bureau, along with other agencies, is taking measures to address unchecked AI. “While machines crunching numbers might seem capable of taking human bias out of the equation, that’s not what is happening,” Chopra said. “When consumers and regulators do not know how decisions are made by artificial intelligence, consumers are unable to participate in a fair and competitive market free from bias,” Chopra added. The Director’s statements concluded by noting that the Bureau will continue to collaborate with other agencies to enforce federal consumer financial protection laws, regardless of whether the violations occur through traditional means or advanced technologies.

    Additionally, Assistant Attorney General Kristen Clarke of the DOJ’s Civil Rights Division noted that “[a]s social media platforms, banks, landlords, employers and other businesses [] choose to rely on artificial intelligence, algorithms and other data tools to automate decision-making and to conduct business, we stand ready to hold accountable those entities that fail to address the discriminatory outcomes that too often result.”

    Federal Issues FTC CFPB DOJ Artificial Intelligence EEOC Discrimination Consumer Finance Racial Bias Fintech

  • OFAC reaches $508 million settlement with British tobacco company on North Korean transactions

    Financial Crimes

    On April 25, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced a $508 million settlement with one of the world’s largest tobacco companies to resolve potential civil liabilities stemming from allegations that the company sent more than $250 million in profits from a North Korean joint venture through U.S. financial institutions by relying on designated North Korean banks and several intermediaries. According to OFAC’s web notice, from 2007 to 2016, the London-headquartered company formed a conspiracy to export tobacco and related products to North Korea, and remitted approximately $250 million in payments from the North Korean joint venture. The payments were allegedly remitted through bank accounts controlled by sanctioned North Korean banks to the company’s Singaporean subsidiary via U.S. banks who cleared the transactions. By causing U.S. financial institutions to process wire transfers containing blocked property interests of sanctioned North Korean banks in order to export financial services and facilitate the export of tobacco, the company violated the Weapons of Mass Destruction Proliferators Sanctions Regulations and the North Korea Sanctions Regulations, OFAC said.

    According to OFAC, the settlement is the largest ever reached with a non-financial institution and reflects the statutory maximum penalty due to OFAC’s determination that the company’s conduct was egregious and not voluntarily self-disclosed. In arriving at the settlement amount, OFAC determined, among other things, that the company and its subsidiaries willfully conspired to transfer hundreds of millions of dollars related to North Korea through U.S. financial institutions while being aware that U.S. sanctions regulations prohibited this conduct. The company and its subsidiaries also allegedly “relied on an opaque series of front companies and intermediaries” to conceal their North-Korea-related business, with management having actual knowledge about the alleged conspiracy from the beginning. OFAC also considered various mitigating factors, including that the company has not received a penalty notice from OFAC in the preceding five years, and that the company cooperated with OFAC and agreed to toll the statute of limitations.

    Providing context for the settlement, OFAC said that this action demonstrates that “creating the illusion of distance between a firm and apparently violative conduct does not shield that firm from liability.” Moreover, “[s]enior management decisions to approve or otherwise support arrangements that obscure dealings with sanctioned countries and parties can be reflected throughout an organization, compounding sanctions risks and increasing the likelihood of committing potential violations.”

    Concurrently, the DOJ announced that the company and one of its subsidiaries have agreed to pay combined penalties of more than $629 million to resolve bank fraud and sanctions violations charges stemming from the aforementioned conduct. According to the DOJ, the subsidiary pleaded guilty to a criminal information charging both entities with conspiracy to commit bank fraud and conspiracy to violate the International Emergency Economic Powers Act. The company entered into a deferred prosecution agreement related to these charges.

    Financial Crimes Of Interest to Non-US Persons OFAC Department of Treasury OFAC Sanctions OFAC Designations Enforcement Settlement North Korea DOJ

  • OFAC designates evasion network supporting Hizballah financier

    Financial Crimes

    On April 18, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions, pursuant to Executive Order 13224, as amended, against a “vast international money laundering and sanctions evasion network” comprised of 52 individuals and entities in Lebanon, the United Arab Emirates, South Africa, Angola, Côte d’Ivoire, the Democratic Republic of the Congo, Belgium, the United Kingdom, and Hong Kong. The designated network assisted a Hizballah financier and Specially Designated Global Terrorist (previously sanctioned by OFAC in 2019) in evading U.S. sanctions by facilitating the payment, shipment, and delivery of goods and services, including cash, diamonds, art, and luxury goods, for the benefit of the sanctioned individual who used the funds to finance the Hizballah financier and his lifestyle, OFAC said, explaining that the network used shell companies and fraudulent schemes to disguise the Hizballah financier’s role in the financial transactions. Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian E. Nelson warned in the announcement that “[l]uxury good market participants should be attentive to these potential tactics and schemes, which allow terrorist financiers, money launderers, and sanctions evaders to launder illicit proceeds through the purchase and consignment of luxury goods.” Treasury has issued warnings on money laundering and terrorist financing risks associated with the trade of works of art in a February 2022 report and an October 2020 art advisory (covered by InfoBytes here and here).

    As a result of the sanctions, all property and interests in property belonging to the sanctioned persons that are in the U.S. or in the possession or control of U.S. persons are blocked and must be reported to OFAC. “[A]ny entities that are owned, directly or indirectly, 50 percent or more by one or more blocked persons are also blocked.” U.S. persons are also generally prohibited from engaging in any dealings involving the property or interests in property of blocked or designated persons. OFAC warned that “persons that engage in certain transactions with the persons designated today may themselves be exposed to sanctions or subject to an enforcement action.” Additionally, “any foreign financial institution that knowingly facilitates a significant transaction or provides significant financial services for any of the targets designated today pursuant to E.O. 13224, as amended, could be subject to U.S. sanctions.”

    The action by Treasury was taken in coordination with the Department of Homeland Security, the Department of State’s Rewards for Justice program, and the United Kingdom. The same day, the DOJ unsealed a nine-count indictment charging the Hizballah financier and eight co-defendants with conspiring to evade terrorism-related sanctions. According to the DOJ, despite being sanctioned and prohibited from engaging in transactions with U.S. persons, the Hizballah financier and the other co-defendants used a complex web of business entities to conduct money laundering transactions involving valuable artwork and diamond-grading services.

    Financial Crimes Of Interest to Non-US Persons OFAC Department of Treasury OFAC Sanctions OFAC Designations Hizballah DOJ UK Department of Homeland Security Department of State

  • FTC, DOJ sue payment processor for tech support scams

    Federal Issues

    On April 17, the DOJ filed a complaint on behalf of the FTC against several corporate and individual defendants for violating the FTC Act and the Telemarketing Sales Rule (TSR) by allegedly engaging in credit card laundering for tech support scams. (See also FTC press release here.) According to the complaint, since at least 2016, the defendants—a payment processing company and several of its subsidiaries, along with the company’s CEO and chief strategy officer—worked with telemarketers who made misrepresentations to consumers about the performance and security of their computers through the use of deceptive pop ups in order to sell technical support scams. Defendants’ involvement included assisting and facilitating the illegal sales and laundering the credit card charges through their own merchant accounts (thus giving the scammers access to the U.S. credit card network) where defendants received a commission for each charge. The complaint maintained that the defendants “engaged in this activity even though it and its officers knew or consciously avoided knowing that its tech support clients were engaged in deceptive telemarketing practices.”

    The proposed court orders (see here, here, and here) each impose monetary judgments of $16.5 million and (i) prohibit the defendants from engaging in credit card laundering through merchant accounts; (ii) require the defendants to screen and monitor any high-risk clients and take action if clients should charge consumers without authorization or violate the TSR; and (iii) prohibit the defendants from engaging in payment processing or assisting tech support companies that engage in false or unsubstantiated telemarketing or advertising. According to the DOJ’s announcement, the defendants will be required to pay a combined total of $650,000 in consumer redress. This payment will result in the suspension of the total monetary judgment of $49.5 million due to the defendants’ inability to pay.

    Federal Issues FTC DOJ Enforcement Payment Processors Credit Cards FTC Act Telemarketing Sales Rule Credit Card Laundering

  • OFAC sanctions chemical suppliers tied to Mexican drug cartel

    Financial Crimes

    On April 14, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions, pursuant to Executive Order 14059, against two Chinese entities and five individuals based in China and Guatemala for their roles in supplying precursor chemicals to Mexican drug cartels for the production of illicit fentanyl intended for U.S. markets. OFAC coordinated with the DEA and the DOJ to take this action. “Treasury, as part of the whole-of-government effort to respond to [the fentanyl] crisis, will continue to vigorously apply our tools to prevent the transfer of precursor chemicals and machinery necessary to produce this drug,” Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian E. Nelson said in the announcement. The sanctions block all property and interests in property subject to U.S. jurisdiction belonging to the sanctioned persons and require such property, as well as “any entities that are owned, directly or indirectly, 50 percent or more by one or more blocked persons,” to be reported to OFAC. U.S. persons are also generally prohibited from engaging in any dealings involving the property or interests in property of blocked or designated persons. OFAC warned that “persons that engage in certain transactions with the individuals and entities designated today may themselves be exposed to sanctions or subject to an enforcement action.” 

    Financial Crimes Of Interest to Non-US Persons OFAC Department of Treasury OFAC Sanctions OFAC Designations SDN List China Guatemala Mexico Drug Enforcement Administration DOJ

  • OFAC sanctions darknet marketplace for selling stolen data

    Financial Crimes

    On April 5, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions, pursuant to Executive Order (E.O.) 13694, as amended by E.O. 13757, against one of the world’s largest darknet marketplaces for its involvement in the theft and sale of device credentials and related sensitive information. According to OFAC, the marketplace accesses victims’ devices without authorization and sells the stolen data, including usernames and passwords, on the darknet. The action was taken in coordination with the DOJ and international partners from a dozen countries who are also taking action against market users across multiple jurisdictions and seizing associated website domains. The designation built upon previous actions taken against darknet marketplaces, including sanctions issued last year against the world’s most prominent darknet market. (Covered by InfoBytes here.) OFAC also referenced FinCEN’s 2019 Advisory on Illicit Activity Involving Convertible Virtual Currency, to warn “that darknet markets frequently include offers for the sale of illicit goods and services that use virtual currencies as a method of payment.” (Covered by InfoBytes here.) As a result of the sanctions, all property and interests in property belonging to the sanctioned entity in the U.S. must be blocked and reported to OFAC. OFAC noted that U.S. persons are prohibited from participating in transactions with sanctioned persons, and that “persons that engage in certain transactions with the entity designated today may themselves be exposed to sanctions.”

    The DOJ stated in its press release that, along with its partners, it had “dismantled” the marketplace and “arrested many of its users around the world.” The DOJ explained that the marketplace “was also one of the most prolific initial access brokers [] in the cybercrime world,” and “attract[ed] criminals looking to easily infiltrate a victim’s computer system.” The marketplace sold access to ransomware actors looking to attack computer networks in the United States and globally, the DOJ said, adding that the marketplace also sold device “fingerprints” used to trick third-party websites into thinking the marketplace user was the actual account owner.

    Financial Crimes Privacy, Cyber Risk & Data Security Of Interest to Non-US Persons OFAC Sanctions Department of Treasury Sanctions OFAC Designations DOJ SDN List
