InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
DFPI, Fed to oversee bank’s self-liquidation
On June 1, the California Department of Financial Protection and Innovation (DFPI) announced that it issued a joint cease-and-desist order with the Federal Reserve Board to fulfill the voluntary liquidation of a crypto-friendly bank. Focusing on providing financial services in the crypto-asset industry, the bank began operating in 2013. In 2023, however, the bank announced its voluntary liquidation, following a mass exodus of high-profile clients. In the fourth quarter of 2022, the bank experienced a sudden drop in deposits, triggered by the collapse of a crypto-exchange company in the previous quarter. DFPI noted that in its most recent examinations of the bank, the bank showed deficits in security and compliance with regulations. Within 10 days of the order, the bank must submit a voluntary self-liquidation plan acceptable to DFPI and upon approval, must implement that plan to wind down its operations “in a safe and sound manner and in compliance with all applicable federal and state laws, rules, and regulations.” The bank has advised that the liquidation will include full repayment of all of its deposits.
NYDFS circulates advisory on file transfers
On June 2, NYDFS notified all regulated entities that an identified SQL injection vulnerability found in a web application of a managed file transfer software may allow unauthenticated attackers to gain access to its database. The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency and others circulated the advisory, which cautioned that this vulnerability is being actively exploited by threat actors to deploy ransomware, steal data, and disrupt operations. NYDFS advised all regulated entities to conduct prompt risks assessments on their organizations, customers, consumers, and third-party service providers to mitigate risk. Regulated entities were also reminded about the requirement to report cybersecurity events as promptly as possible but no later than 72 hours at the latest, and that “evidence of unauthorized access to information systems, such as webshell installation, even if there has been no malware deployed or data exfiltrated,” are considered a reportable cybersecurity event under 23 NYCRR Section 500.17(a)(2).
Fintech fined over interest charges billed as tips and donations
A California-based fintech company recently entered separate consent orders with California, Connecticut, and the District of Columbia to resolve allegations claiming it disguised interest charges as tips and donations connected to loans offered through its platform. The company agreed to (i) pay a $100,000 fine in Connecticut and reimburse Connecticut borrowers for all loan-related tips, donations, and fees paid; (ii) pay a $30,000 fine in the District of Columbia, including restitution; and (iii) pay a $50,000 fine in California, plus refunds of all donations received from borrowers in the state. The company did not admit to any violations of law or wrongdoing.
The Connecticut banking commissioner’s consent order found that the company engaged in deceptive practices, acted as a consumer collection agency, and offered, solicited, and brokered small loans for prospective borrowers without the required licensing. The company agreed that it would cease operations in the state until it changed its business model and practices and was properly licensed. Going forward, the company agreed to allow consumers to pay tips only after fully repaying their loans. The consent order follows a temporary cease and desist order issued in 2022.
A consent judgment and order reached with the D.C. attorney general claimed the company engaged in deceptive practices by misrepresenting the cost of its loans and by not clearly disclosing the true nature of the tips and donations. The AG maintained that the average APR of these loans violated D.C.’s usury cap. The company agreed to ensure that lenders accessing the platform are unable to see whether a consumer is offering a tip (or the amount of tip) and must take measures to make sure that withholding a tip or donation will not affect loan approval or loan terms. Among other actions, the company is also required to disclose how much lenders can expect to earn through the platform.
In the California consent order, the Department of Financial Protection and Innovation (DFPI) claimed that the majority of consumers paid both a tip and a donation. A pop-up message encouraged borrowers to offer the maximum tip in order to have their loan funded, DFPI said, alleging the pop-up feature could not be disabled without using an unadvertised, buried setting. These tips and/or donations were not included in the formal loan agreement generated in the platform, nor were borrowers able to view the loan agreement before consummation. According to DFPI, this amounted to brokering extensions of credit without a license. Additionally, the interest being charged (after including the tips and donations) exceeded the maximum interest rate permissible under the California Financing Law, DFPI said, adding that by disclosing that the loans had a 0 percent APR with no finance charge, they failed to comply with TILA.
DFPI examines whether some payment services are exempt from MTA
The California Department of Financial Protection and Innovation (DFPI) recently released a new opinion letter covering aspects of the California Money Transmission Act (MTA) relating to whether certain payment services are exempt or subject to licensure. The redacted opinion letter examines three payment services provided by the inquiring company. DFPI first analyzed and determined that payments received by a law firm collection agent from a different entity’s collection attorneys and remitted to said entity are exempt pursuant to MTA Financial Code section 2011. DFPI next considered whether the MTA’s agent of payee exemption applies to certain tax payment transactions wherein a customer’s payment obligation to the company is extinguished once the customer has submitted a payment through a particular contractor. According to DFPI, transactions conducted pursuant to a contract between the company and the contractor (appointed as a limited agent for the sole purpose of receiving payments on the company’s behalf from taxpayers) are exempt from the MTA under the agent of payee exemption. Finally, DFPI considered whether the agent of payee exemption applies to certain payments to government entities. DFPI explained, among other things, that the language contained within the contracts with each government entity “establishes that the government entity has appointed [the company] to act as its agent and that payment to [the company] extinguishes the payor’s payment obligation to the government entity.” As such, DFPI determined that “transactions conducted pursuant to contracts containing such language are exempt from the MTA under the agent of payee exemption.”
NYDFS proposes vetting guidance for licensed or chartered entities
On May 9, NYDFS Superintendent Adrienne A. Harris released proposed guidance for banking organizations and non-depository financial institutions chartered or licensed under the New York Banking Law concerning the Department’s character and fitness assessment expectations. The proposed guidance sets forth several criteria, including that covered institutions (i) update and modernize policies and procedures to ensure designated persons, including senior officers and governing board members, undergo a robust initial vetting process to make sure no new circumstances or conflicts of interests arise that may compromise the organization; (ii) take a risk-based and proportionate approach to ensure their vetting frameworks are tailored to meet their specific business needs, operations, and risks; (iii) promptly inform NYDFS if, through a character and fitness review, a determination is made that a previously vetted designated person is no longer fit to perform the current function, or if a designated person has been transferred to another position or group (or modifications are made to a designated person’s current functions); and (iv) vet each designated person at the time they become a designated person, regardless of whether the person currently is or previously was a designated person at a different covered institution, including in instances involving a merger or acquisition. The announcement noted that a covered institution’s compliance with the guidance will be reviewed as part of its regular examination framework. Comments on the proposed guidance are due June 30.
Crypto platform reaches $1.2 million settlement on alleged compliance failures
On May 1, NYDFS issued a consent order against a cryptocurrency trading platform for engaging in alleged violations of the state’s cybersecurity regulation (23 NYCRR Part 500). According to the consent order, during examinations conducted in 2018 and 2020, NYDFS identified multiple alleged deficiencies in the respondent’s cybersecurity program, as required by both the cybersecurity regulation and the state’s virtual currency regulation (23 NYCRR Part 200). Following the examinations, NYDFS initiated an investigation into the respondent’s cybersecurity program. The Department concluded that the respondent failed to conduct periodic cybersecurity risk assessments “sufficient to inform the design of the cybersecurity program,” and failed to establish and maintain an effective cybersecurity program and implement a reviewed and board-approved written cybersecurity policy. Moreover, NYDFS claimed the respondent’s policies and procedures were not customized to meet the company’s needs and risks. Under the terms of the consent order, the respondent must pay a $1.2 million civil monetary penalty and submit quarterly progress reports to NYDFS detailing its remediation efforts.
Fed and Illinois regulator take action against bank on capital and management
On May 4, the Federal Reserve Board announced an enforcement action against an Illinois state-chartered community bank and its holding company related to alleged deficiencies identified in recent examinations. While the written agreement (entered into by the parties at the end of April) does not outline the specific deficiencies, it notes that the bank and the holding company have started taken corrective action to address the issues identified by the Federal Reserve Bank of St. Louis (FRB) and the Illinois Department of Financial and Professional Regulation (IDFPR). Among other things, the holding company’s board of directors must take appropriate steps to fully use its financial and managerial resources to ensure the bank complies with the written agreement and any other supervisory action taken by the bank’s federal or state regulator. The board is also required to submit a written plan to the FRB and the IDFPR describing actions and measures it intends to take to strengthen board oversight of the management and operations of the bank. The bank is required to submit a written plan outlining its current and future capital requirements and must notify the FRB and the IDFPR within 30 days after the end of any calendar quarter in which its capital ratios fall below the minimum ratios specified within the approved capital plan. Additionally, the bank is prohibited from taking on debt, redeeming its own stock, or paying out dividends or distributions without the prior approval of state and federal regulators.
House subcommittee holds hearing on stablecoin regulation
The House Financial Services Subcommittee on Digital Assets, Financial Technology and Inclusion recently held a hearing to examine stablecoins’ role in the payment system and to discuss proposed legislation for creating a federal framework for issuing stablecoins. A subcommittee memorandum identified different types of stablecoins (the most popular being pegged to the U.S. dollar to diminish volatility) and presented an overview of the market, which currently consists of more than 200 different types of stablecoins, collectively worth more than $132 billion. The subcommittee referred to a 2021 report issued by the President’s Working Group on Financial Markets, along with the FDIC and OCC (covered by InfoBytes here), in which it was recommended that Congress pass legislation requiring stablecoins to be issued only by insured depository institutions to ensure that payment stablecoins are subject to a federal prudential regulatory framework. The subcommittee discussed draft legislation that would define a payment stablecoin issuer and establish a regulatory framework for payment stablecoin issuers, including enforcement requirements and interoperability standards.
Subcommittee Chairman, French Hill (R-AR), delivered opening remarks, in which he commented that the proposed legislation would require stablecoin issuers to comply with redemption requirements, monthly attestation and disclosures, and risk management standards. Recognizing the significant amount of work yet to be done in this space, Hill said he believes that “innovation is fostered through choice and competition,” and that “one way to do that is through multiple pathways to become a stablecoin issuer, though with appropriate protections [to] prevent regulatory arbitrage and a race to the bottom.” He cited reports that digital asset developers are leaving the U.S. for countries that currently provide a more established regulatory framework for digital assets, and warned that this will stymie innovation, jobs, and consumer/investor protection. He also criticized ”the ongoing turf war between the SEC and CFTC” with respect to digital assets, and warned that “[w]hen you have two agencies contradicting each other in court about whether one of the most utilized stablecoins in the market is a security or a commodity, what you end up with is uncertainty.”
Witness NYDFS Superintendent Adrienne A. Harris discussed the framework that is currently in place in New York and highlighted requirements for payment stablecoin issuers operating in the state. In a prepared statement, Harris said many domestic and foreign regulators call the Department’s regulatory and supervisory oversight of virtual currency the “gold standard,” in which virtual currency entities are “subject to custody and capital requirements designed to industry-specific risks necessary for sound, prudential regulation.” Harris explained that NYDFS established “additional regulations, guidance, and company-specific supervisory agreements to tailor [its] oversight” over financial products, including stablecoins, and said the Department is the first agency to provide regulatory clarity for these types of products. She highlighted guidance released last June, which established criteria for regulated entities seeking to issue USD-backed stablecoins in the state (covered by InfoBytes here), and encouraged a collaborative framework that mirrors the regulatory system for more traditional financial institutions and takes advantage of the comparative strengths offered by federal and state regulators. Federal regulators will be able to comprehensively address “macroprudential considerations” and implement foundational consumer and market protections, while states can “leverage their more immediate understanding of consumer needs” and more quickly modernize regulations in response to industry developments and innovation, Harris said.
DFPI cracks down on crypto platforms’ AI claims
On April 19, the California Department of Financial Protection and Innovation (DFPI) announced enforcement actions against five separate entities and an individual for allegedly offering and selling unqualified securities and making material misrepresentations and omissions to investors in violation of California securities laws. According to DFPI, the desist and refrain orders allege that the subjects (which touted themselves as cryptocurrency trading platforms) engaged in a variety of unlawful and deceptive practices, including promising investors high yield returns through the use of artificial intelligence to trade crypto assets, falsely representing that an insurance fund would prevent investor losses, and using investor funds to pay purported profits to other investors. The subjects also allegedly took measures to make the scams appear to be legitimate businesses through the creation of professional websites and social media accounts where influencers and investors shared testimonials about the money they were supposedly making. The orders require the subjects to stop offering, selling, buying, or offering to buy securities in the state, and demonstrate DFPI’s continued crackdown on high yield investment programs.
DFPI says escrow trust accounts are not stored value under MTA
The California Department of Financial Protection and Innovation recently released a new opinion letter covering aspects of the California Money Transmission Act (MTA) and the Escrow Act related to persons engaging in business as an escrow agency within the state. The redacted opinion letter examines a request from the inquiring company for confirmation that it does not require either an internet escrow agent license or a money transmitter license in the state of California in connection with its proposed business model (details on the model have been omitted). DFPI responded that under the Escrow Law, “it is unlawful for any person to engage in business as an escrow agent within this state except by means of a corporation duly organized for that purpose licensed by the commissioner as an escrow agent.” The definition of an “internet escrow agent,” DFPI explained, was added to Financial Code section 17003, subdivision (b) to mean “any person engaged in the business of receiving escrows for deposit or delivery over the Internet.” DFPI concluded that based on the facts asserted within the request, the inquiring company has not demonstrated that its proposed model is exempt from the Escrow Law.
DFPI further considered whether the inquiring company’s proposed model meets the definition of stored value under the MTA, and whether it qualifies for several exemptions under the statute. DFPI explained that the transactions under consideration are not considered “stored value under the definition in Financial Code section 2003, subdivision (x), because they do not represent a claim against the issuer; rather, the money comes under [the inquiring company’s] possession and control and therefore must be placed in an escrow trust account. “An escrow trust account is not the same as stored value,” DFPI said, adding that since the transaction is not stored value, it is unnecessary to address the remaining arguments regarding the MTA.