
InfoBytes Blog

Financial Services Law Insights and Observations


  • SEC charges communications company with accounting control failure

    Securities

    On June 18, the SEC issued a cease-and-desist order (order) against a Delaware-based business communication and marketing service provider (respondent) to settle allegations of cybersecurity controls violations related to a 2021 ransomware attack.

    According to the order, the SEC alleged respondent did not have adequate controls to ensure cybersecurity incidents were reported to its management and did not respond to alerts indicating unusual network activity in a timely manner. Among other allegations, the order contended that respondent relied on a third-party vendor to review and escalate the large volume of alerts issued by its cybersecurity detection systems but did not implement procedures or controls to effectively confirm that the vendor’s review and escalation of alerts were consistent with the respondent’s expectations. The order noted that respondent cooperated with the investigation, reported the cybersecurity incident promptly, and took steps to enhance its cybersecurity technology and controls. Without admitting the SEC’s allegations, respondent agreed to a $2,125,000 civil money penalty.

    Notably, in addition to an alleged violation of Exchange Act Rule 13a-15(a), which requires public companies to maintain disclosure controls and procedures designed to ensure timely disclosure of incidents in compliance with the Commission’s rules, the order also alleged that respondent’s failure to design effective procedures to ensure escalation and timely decisions regarding potential security incidents violated Section 13(b)(2)(B) of the Securities Exchange Act of 1934. Section 13(b)(2)(B) required covered companies to “devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances, among other things, that access to company assets was permitted only in accordance with management’s general or specific authorization.”

    In a statement responding to the order, SEC Commissioners Pierce and Uyeda took issue with the Commission’s application of Section 13(b)(2)(B). Specifically, the commissioners argued that the requirement to maintain internal accounting controls ensuring “that access to company assets” is authorized by management was intended to protect the accuracy of corporate transactions for the use and disposition of assets in transactions. They noted that “[w]hile [respondent’s] computer systems constitute an asset in the sense of being corporate property, computer systems are not the subject of corporate transactions,” and that faulting respondent’s internal accounting controls in the context of a ransomware attack “breaks new ground with its expansive interpretation of what constitutes an asset under Section 13(b)(2)(B)(iii).”

    Securities Cease and Desist Civil Money Penalties Delaware Cyber Risk & Data Security Enforcement SEC

  • OCC announces enforcement actions for June 2024

    On June 17, the OCC released a list of recent enforcement actions against national banks, federal savings associations, and individuals affiliated with such entities (defined as institution-affiliated parties, or IAPs). In its enforcement actions against national banks, the OCC alleged that one bank had deficient anti-money laundering (AML) and BSA controls; another pertained to a bank’s alleged unsafe or unsound practices related to the bank’s board and management oversight, including strategic planning, liquidity and interest risk management, and audit management, among other issues identified.

    The announcement included two other enforcement actions against IAPs, which were generally used to “deter, encourage correction of, or prevent violations, unsafe or unsound practices, or breaches of fiduciary duty.” One was for accessing customer accounts improperly and providing information on those accounts to a third-party individual; the other was for embezzlement. Lastly, the release reported the termination of an enforcement action against a bank for unsafe or unsound practices since the bank demonstrated compliance with “all articles of an enforcement action.” More information on the OCC’s enforcement action types can be found here.

    Bank Regulatory OCC Enforcement Federal Issues Cease and Desist

  • California’s DFPI orders two crypto-asset companies to stop operations

    Financial Crimes

    On June 5, the California DFPI issued two desist and refrain orders against securities firms for allegedly offering unqualified securities under California’s Corporate Securities Law (CSL). The first order was against a company incorporated in the U.K., whereby the DFPI alleged the firm offered and sold unpermitted securities to Californians through its website. Since 2023, these alleged securities were interest-bearing accounts where the firm promised to pay interest on deposited assets that would be deployed into decentralized finance liquidity pools. According to the order, these securities were packaged as investment contracts “that were neither qualified nor exempt from the qualification requirement” of the state’s CSL. The second order was against another crypto-asset firm whereby the firm offered crypto asset interest-bearing accounts beginning in 2023 that were neither qualified nor exempt from the qualification requirement under the CSL, and the DFPI had not permitted the firm to sell securities in California. Both orders required the firms to desist and refrain from selling securities in California until the CSL’s requirements have been met.

    Financial Crimes California DFPI Cease and Desist Cryptocurrency U.K.

  • OCC releases enforcement actions for May 2024

    On May 23, the OCC released a list of recent enforcement actions against national banks, federal savings associations, and individuals affiliated with such entities (defined as institution-affiliated parties, or IAPs). The actions against two individual banks include two formal agreements in which the OCC alleged that the banks engaged in unsafe or unsound practices related to risk governance and internal controls for one bank; and capital planning, strategic and succession planning, and liquidity risk management for the other bank. The announcement also included five enforcement actions against IAPs to “deter, encourage correction of, or prevent violations, unsafe or unsound practices, or breaches of fiduciary duty.” Specifically, the announcement included four prohibition orders and one notice of charges against IAPs, mainly individuals, for criminal activity. More information on the OCC’s enforcement action types can be found here.

    Bank Regulatory Federal Issues OCC Enforcement Cease and Desist

  • Texas issues a cease and desist order against a securities firm

    Securities

    On April 22, the Securities Commission of the State of Texas issued an Emergency Cease and Desist Order pursuant to the Texas Securities Act against respondents for allegedly offering investments in a digital gold vault that “purportedly secured physical gold and generates passive income using fintech and blockchain technology,” and are therefore subject to the Securities Act. The Securities Commission alleged that the investments were being “illegally, deceptively and fraudulently offered in Texas” and issued the Emergency Cease and Desist Order to “stop the scheme and protect the public from immediate and irreparable harm.” Respondents were ordered to immediately cease and desist from: (i) offering any security in Texas until the security is properly registered or exempt from registration; (ii) acting as securities dealers, agents, investment advisors, or investment advisor representatives in Texas until they are registered with the Securities Commissioner or exempt from registration; (iii) engaging in any fraud in connection with the offer for sale of any security in Texas; and (iv) offering securities in Texas through an offer containing a statement that is materially misleading or otherwise likely to deceive the public.

    Securities Fraud Financial Crimes Cease and Desist Texas

  • OCC releases enforcement actions for April 2024

    On April 18, the OCC released a list of recent enforcement actions against national banks, federal savings associations, and individuals affiliated with such entities (defined as institution-affiliated parties, or IAPs). The actions against banks include two formal agreements and one cease and desist order against three individual banks. In each instance, the OCC alleged that the banks engaged in unsafe or unsound practices related to some combination of board oversight, liquidity management, capital requirements, or credit risk. With respect to IAPs, the announcement included four enforcement actions against IAPs to “deter, encourage correction, or prevent violations, unsafe or unsound practices, or breaches of fiduciary duty.” The OCC issued prohibition orders, which prohibit the IAP from any participation in the affairs of a bank or other institution, for all four IAPs and assessed civil money penalties ranging from $40,000 to $400,000 against three of them. The announcement also included two more prohibition orders against two additional IAPs for criminal activities. More information on the OCC’s enforcement action types can be found here.

    Bank Regulatory Enforcement OCC Cease and Desist

  • FTC orders tax filing software company to cease and desist following ALJ decision

    Federal Issues

    On January 22, the FTC issued an opinion and order against the maker of a popular tax filing software. The FTC found that the company engaged in unfair and deceptive acts or practices by marketing the software as “free” when it was not available as free to more than two-thirds of consumers and ordered the company to “cease and desist making the deceptive claims.”

    The FTC’s opinion and order were issued after its de novo review following the September 2023 ruling from an administrative law judge (“ALJ”), in the FTC’s March 2022 administrative complaint against the company (previously reported by InfoBytes here), in which the ALJ found that the company engaged in deceptive advertising. 

    The company is a publicly traded corporation that offers a variety of software programs. The software in question is a program that assists customers with preparing and filing their taxes. The FTC alleged that since 2016 the company marketed its tax filing software in violation of Section 5 of the FTC Act through television and online ads, stating consumers could file their taxes for free when less than one-third of taxpayers were eligible for the company’s free edition of the software.

    The FTC took issue with the company’s claim that the software was “free” when it restricted its eligibility for the free version to those with “simple tax returns.” While the definition of “simple tax returns” has changed over time, in 2022 it was limited to filed returns that included a Form 1040 with limited attached schedules. However, the FTC alleged most taxpayers do not have “simple tax returns” as defined by the company, including those with mortgage or property income, investment income, or charitable donations over $300.

    According to the FTC, from 2016 to 2022, the company ran “dozens” of unique ads through television, radio, the internet, social media, and other advertising channels, that garnered “billions of impressions.” The company and its ad agency understood that advertising its product as free would be a “powerful” lure to entice new customers, stating “Lead with [f]ree to raise heads and drive traffic and acquisition[.]” Although disclaimers are present in the ads, the FTC alleged the company’s disclaimers are inadequate to “cure the misrepresentations” faced by the consumer.

    The company continued to market its products as free for three years after multiple lawsuits were filed by the Los Angeles City Attorney and the County Counsel for the County of Santa Clara, California, alleging unfair and deceptive marketing of free versions of the software. Various state Attorneys General opened subsequent investigations that led the company to enter into a settlement agreement with all fifty states pursuant to which the company agreed to pay $141 million and submit to restrictions on its advertising and marketing of the software. Among other restrictions, the FTC’s final order prohibits the company from making any misrepresentations of the cost of its products and services, or the requirement that a consumer use its paid products or services in order to accurately file their taxes online or claim a credit or deduction. Additionally, the order imposes record-keeping and reporting requirements that will remain effective for a period of twenty years after the issuance date of the order.

    Federal Issues FTC Cease and Desist ALJ FTC Act

  • OCC releases January enforcement actions

    On January 17, the OCC released a list of recent enforcement actions taken against national banks, federal savings associations, and individuals currently and formerly affiliated with such entities. Included is a notice of charges seeking cease and desist orders against three subsidiary banks of the same bank holding company (see here, here, and here), which alleged that each bank engaged in unsafe or unsound practices relating to an investment strategy concentrated in long-term securities. The unsafe practices, the OCC explained, exposed each bank to excessive interest rate risk without adequate sources of contingency funding and contingency capital. The OCC further alleged that each bank failed to mitigate such risk in a timely manner. 

    Bank Regulatory Federal Issues OCC Enforcement Cease and Desist

  • OCC issues cease-and-desist order to NY bank

    Agency Rule-Making & Guidance

    On December 14, the OCC released a list of recent enforcement actions taken against national banks, federal savings associations, and individuals that are or were affiliated with such entities. Included is a cease-and-desist order against an upstate New York bank for allegedly engaging in unsafe or unsound practices, including with respect to the bank’s corporate governance, capital planning, interest rate risk management, liquidity risk management, and reports of condition.

    Under the order, the bank must appoint a compliance committee to take corrective action, submit a three-year strategic plan to establish objectives for the bank’s risk profile, earnings performance, growth, and balance sheet mix, among other areas, and maintain a capital ratio of at least 15 percent, a common equity tier 1 capital at least equal to 14 percent, and a leverage ratio of at least ten percent. The order also requires the bank to create an interest rate risk program and a third-party risk management program.

    Agency Rule-Making & Guidance Cease and Desist New York Banking Corporate Governance Capital Requirements

  • OCC releases enforcement actions

    On November 16, the OCC released a list of recent enforcement actions taken against national banks, federal savings associations, and individuals currently and formerly affiliated with such entities. Included is a cease and desist order against an Indiana bank for allegedly engaging in unsafe or unsound practices, related to corporate governance and enterprise risk management, credit underwriting and administration, liquidity risk management, and interest rate risk management. The order requires the bank to, among other things, (i) provide quarterly reports detailing corrective action and efforts to comply with the order; (ii) develop a written strategic plan; (iii) maintain specified capital ratios; (iv) engage an independent third party to review board and management supervision; (v) submit a written concentration risk management program and a written liquidity risk management program; (vi) adopt a credit underwriting and administration program; (vii) submit and adopt a written adequate allowance for credit losses; and (viii) adopt a written credit derivatives program.

    Bank Regulatory Federal Issues OCC Enforcement Cease and Desist
