Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
On July 19, the New Jersey Bureau of Securities (Bureau) announced a cease and desist order against a financial services company for allegedly selling unregistered securities in the form of interest-earning cryptocurrency accounts and failing to explain to investors that the accounts were not licensed in New Jersey. According to the order, the company has been funding its lending operations and proprietary trading business since 2019 by selling interest-bearing cryptocurrency accounts that are not protected by or registered with any federal or state securities regulator. The order notes that the company “held the equivalent of $14.7 billion from the sale of these unregistered securities in violation of the Securities Law.” In addition, the order, which become effective July 22, requires the company to stop selling any unregistered security or violating any securities law. According to the Bureau, the recent action “comes amid rising concerns over the proliferation of decentralized finance platforms like [the company] that seek to reinvent traditional financial systems such as banks and brokerages for digital asset investors,” and that “[u]nlike traditional, regulated banks and brokerage firms, however, investors’ losses are not insured against or protected by the Federal Deposit Insurance Corporation or Securities Investor Protection Corporation.”
On June 15, the SEC announced charges against a real estate settlement services company for its role in allegedly failing to disclose controls and procedures related to a cybersecurity vulnerability that exposed sensitive customer information. According to the SEC’s order, an independent cybersecurity journalist warned the company in May 2019 of a vulnerability concerning its system for sharing document images that exposed over 800 million images dating back to 2003, including images containing sensitive personal data such as social security numbers and financial information. In response, the company allegedly issued a press release for inclusion in the cybersecurity journalist’s report published in May 2019 and furnished a Form 8-K to the Commission on May 28, 2019. However, according to the order, the company’s senior executives responsible for these kinds of releases “were not apprised of certain information that was relevant to their assessment of the company’s disclosure response to the vulnerability and the magnitude of the resulting risk.” Specifically, the order states that senior executives were not informed that the company’s information security personnel had identified a vulnerability several months earlier, in January 2019, but failed to remediate the vulnerability in accordance with the company’s policies. The order finds that the company “failed to maintain disclosure controls and procedures designed to ensure that all available, relevant information concerning the vulnerability was analyzed for disclosure in the company’s public reports filed with the Commission.” The SEC charged the company with violating Rule 13a-15(a) of the Exchange Act and ordered the company, who agreed to a cease-and-desist order, to pay a $487,616 penalty.
On February 28, the FDIC released a list of administrative enforcement actions taken against banks and individuals in January. The FDIC issued 18 orders, which “consisted of two consent orders; one civil money penalty; three removal and prohibition orders; eight section 19 orders; three terminations of consent orders and cease and desist orders; and one order terminating prompt corrective action.” Among the actions was a civil money penalty assessed against a Montana-based bank for allegedly violating the Flood Disaster Protection Act by failing to obtain adequate flood insurance coverage on certain loans and failing to provide borrowers with notice of the availability of federal disaster relief assistance. Separately, in a joint action with the California Department of Business Oversight, the agency issued a consent order against a California-based bank related to alleged weaknesses in its Bank Secrecy Act and anti-money laundering (BSA/AML) compliance program. Among other things, the bank was ordered to (i) retain qualified management to ensure compliance with applicable laws and regulations; (ii) “correct all violations of law to the extent possible”; (iii) implement a revised, written BSA compliance program to address BSA/AML deficiencies; (iv) establish a written Customer Due Diligence Program to ensure the reasonable detection of suspicious activity and the identification of higher-risk customers; (v) adopt a process for reviewing transaction monitoring alerts; and (vi) “ensure that suspicious activity monitoring system is independently validated.”
On February 20, the OCC released a list of recent enforcement actions taken against national banks, federal savings associations, and individuals currently and formerly affiliated with such entities. The new enforcement actions include four civil money penalty orders, three cease and desist orders, five removal/prohibition orders, and a termination of an existing enforcement action. Included among the actions is a January 30 Consent Order to resolve the OCC’s claims that a New York-based bank engaged in Bank Secrecy Act/Anti-Money Laundering (BSA/AML) compliance program violations. According to the consent order, an OCC examination identified alleged deficiencies in the bank’s BSA/AML compliance program, including (i) failure to “assess and monitor high risk customer activity flowing to or from high risk jurisdictions”; (ii) deficient BSA/AML policies, procedures, systems and controls; (iii) inadequate suspicious activity monitoring and suspicious activity reporting (SAR) to FinCEN; (iv) deficient Customer Due Diligence processes, including failure to appoint a BSA officer; and (v) failure to sufficiently monitor or provide controls for increased wire and ACH transactions. The consent order requires the bank to, among other things, (i) appoint a compliance committee within 30 days; (ii) submit a written strategic plan to the OCC covering at least the next three years; (iii) appoint a “permanent, qualified, and experienced BSA Officer” with sufficient staff; (iv) create and adopt a “written program of internal control policies and procedures to provide for the compliance with the BSA”; and (v) adopt and deploy a “written system of internal controls and processes to ensure compliance with the requirements to file SARs.”
On February 22, the OCC announced a cease and desist order against three U.S. branches of a Japanese bank for allegedly violating the Bank Secrecy Act (BSA). According to the order, after an examination of the branches’ BSA/Anti-Money Laundering and OFAC compliance programs, the OCC identified alleged deficiencies in the branches’ BSA compliance program, including (i) internal controls; (ii) suspicious activity monitoring, which resulted in untimely suspicious activity report filings; (iii) foreign correspondent due diligence program; and (iv) trade finance monitoring. The OCC did not issue a monetary penalty against the branches and noted in the order’s announcement that the branches have already begun corrective actions. This action demonstrates U.S. banking regulators’ continued scrutiny of the BSA compliance programs of U.S. branches and subsidiaries of non-U.S. banks that provide international access to the U.S. financial system.
As previously covered by InfoBytes, in November 2017, the OCC issued a consent order with the branches that required corrective actions related to OFAC compliance. The branches continue to operate under this order.
- Jeffrey P. Naimon to provide “Fair lending update” at the Colorado Mortgage Lenders Association Operational and Compliance Forum
- Jonice Gray Tucker to discuss “Justice for all: Achieving racial equity through fair lending” at CBA Live
- Warren W. Traiger to discuss “On the horizon for CRA modernization” at CBA Live
- APPROVED Webcast: Strategy & Technology: A dynamic duo for successful regulatory exams
- Daniel R. Alonso to discuss “Primer on cross-border prosecutions in Argentina, Brazil, Colombia, and Mexico for U.S. criminal lawyers” at a New York City Bar Association webinar
- Jonice Gray Tucker to discuss "Fair lending" at the Mortgage Bankers Association Regulatory Compliance Conference
- Michelle L. Rogers to discuss “State law regulatory and enforcement trends” at the Mortgage Bankers Association Regulatory Compliance Conference
- Jonice Gray Tucker to discuss “Government investigations, and compliance 2021 trends” at the Corporate Counsel Women of Color Career Strategies Conference
- Max Bonici to discuss “BSA/AML trends: What to expect with the implementation of the AML Act of 2020” at the American Bar Association Banking Law Fall Meeting
- H Joshua Kotin to discuss “Modifications and exiting forbearance” at the National Association of Federal Credit Unions Regulatory Compliance Seminar
- Jonice Gray Tucker to discuss “Fintech trends” at the BIHC Network Elevating Black Excellence Regional Summit
- Jonice Gray Tucker to discuss "Consumer financial services" at the Practising Law Institute Banking Law Institute