InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Fed issues cease and desist order against California bank
On January 18, the Federal Reserve Board issued a cease and desist order against two California-based bank holding companies (companies) and their jointly-owned bank, due to “additional safety and soundness deficiencies at the Bank, including with respect to unsecured loans,” following the termination of a February 2021 written agreement. According to the Fed’s order, “the Bank is currently operating without a permanent Chief Executive Officer, and Chief Financial Officer, and a sufficient number of board members, which are vital to the safe and sound operations of the Bank in light of the numerous remedial requirements of the Written Agreement.” The order requires, among other things, that the bank, within 60 days, submit written lending and credit administration policies and procedures and retain an independent third party to assess the adequacy of the bank’s compensation governance, policies, procedures, and internal controls. The order imposes no financial penalty.
OCC issues cease and desist order against bank
On September 20, the OCC announced a cease and desist order issued against a bank for alleged “unsafe or unsound practices” related to “technology and operational risk management,” in addition to the bank’s noncompliance with the OCC’s Interagency Guidelines Establishing Information Security Standards contained in Appendix B to 12 CFR Part 30. Without admitting to or denying the claims, the bank is required by the order to improve information technology and operational risk governance, technology risk assessments, internal controls, and staffing deficiencies. Specifically, the bank must develop an acceptable, written action plan outlining the remedial actions necessary to achieve compliance with the order by addressing the alleged unsafe or unsound practices and noncompliance, which must specify, among other things, a description of the corrective actions, reasonable and well-supported timelines, and those responsible for completing the actions. The order provides that the bank must also establish a Compliance Committee to quarterly submit: (i) “a description of the corrective actions needed to achieve compliance with each Article of the order”; (ii) the specific corrective actions undertaken to comply with each Article of the Order”; and (iii) “the results and status of the corrective actions.”
SEC charges alternative data provider with securities fraud
On September 14, the SEC announced a settlement with an alternative data provider and one of the company’s co-founders (collectively, "respondents") resolving allegations that the company violated antifraud provisions by engaging in deceptive practices and making material misrepresentations regarding alternative data. According to the order, the respondents understood that companies would share their confidential app performance data if they promised not to disclose it to third parties. As a result, the respondents assured companies that their data would be aggregated and anonymized before being used by a statistical model to generate estimates of app performance. However, the respondents, between 2014 and mid-2018, utilized non-aggregated and non-anonymized data to alter its model-generated estimates to make them more valuable to sell to trading firms. The SEC alleged that the respondents violated provisions of the Exchange Act, such as Section 10(b) and Rule 10b-5 thereunder, because their misrepresentations and other deceptive practices misled subscribers regarding how the company’s intelligence estimates were calculated. The order, to which the respondents consented, imposes civil money penalties of $300,000 and $10 million. The order also provides that the company must cease and desist from committing or causing any future violations of the Exchange Act, and prohibits the co-founder from serving as an officer or director of a public company for three years.
OCC issues cease and desist order and $250 million penalty against national bank
On September 9, the OCC announced a cease-and-desist and consent order and a $250 million civil money penalty against a national bank for alleged unsafe or unsound practices related to deficiencies in its home lending loss mitigation program and for violations of a 2018 consent order. According to the OCC, the bank, among other things: (i) failed to fully implement and maintain adequate loss mitigation practices; (ii) had mitigation decisioning tools and operational deficiencies that caused errors in loss mitigation processes; (iii) failed to timely detect, prevent, and quantify inaccurate loan modification decisions, due to inadequate controls, insufficient independent oversight, and ineffective governance related to loss mitigation activities; and (iv) had deficient internal auditing, which failed to consider aspects of previously identified issues. The cease and desist order requires the bank, among other things, to establish significant improvements to its loss mitigation program and cease taking on certain new bulk residential mortgage servicing rights from third parties. The September 9 civil money penalty order, which notes that the bank has taken steps to comply with the 2018 consent order but failed to effectively implement corrective actions, requires the bank to pay a civil penalty of $250 million.
SEC says digital asset trading company violated the Exchange Act
On August 9, the SEC announced charges against a digital asset trading company for operating an unregistered online digital asset exchange in connection with its operation of a trading platform that facilitated buying and selling of digital asset securities. According to the SEC’s order, the company operated a web-based trading platform that facilitated buying and selling digital assets, which included digital assets that were investment contracts and therefore securities. The order finds that, “[n]otwithstanding its operation of the [Company] Trading Platform, [the company] did not register as a national securities exchange nor did it operate pursuant to an exemption from registration at any time, and its failure to do so was a violation of Section 5 of the Exchange Act,” despite operating as a Rule 3b-16(a) system under the Exchange Act. The order, which the company consented to without admitting or denying the findings, imposes a disgorgement fee of $8,484,313, a prejudgment interest fee of $403,995, and a civil penalty of $1.5 million, for a total of $10,388,309. The order also provides that the company must cease and desist from committing or causing any future violations of the Exchange Act and establishes a fair fund for the benefit of victims.
SEC settles with company selling securities through DeFi platform
On August 6, the SEC announced a settlement with two individuals and their company for the alleged unregistered sale of over $30 million of securities using smart contracts and decentralized finance technology, and for misleading investors regarding the operations and profitability of their business. According to the SEC’s order, the company offered and sold securities in unregistered offerings through a program from February 2020 to February 2021, which used smart contracts to sell two types of digital tokens: one type that could be purchased using specified digital assets and paid 6.25 percent in interest; and the other type that purportedly provided holders certain voting rights, some excess of profits, and the ability to profit from resales in the secondary market. The SEC alleged that the company violated provisions of the Securities Act, such as Section 5(a) and 5(c), by offering and selling securities without having a registration statement filed or in effect. In addition, the company violated Section 17(a) of the Securities Act, Section 10(b) of the Exchange Act, and Rule 10b-5 thereunder, by making materially false statements and engaging in other deceptive acts regarding business operations and profitability. The order, which the company consented to without admitting or denying the findings, imposes a civil money penalty of $125,000 to each individual and a total of $12,849,354 in disgorgement. The order also provides that the company must cease and desist from committing or causing any future violations of the Exchange Act.
New Jersey orders company to stop selling unregistered securities
On July 19, the New Jersey Bureau of Securities (Bureau) announced a cease and desist order against a financial services company for allegedly selling unregistered securities in the form of interest-earning cryptocurrency accounts and failing to explain to investors that the accounts were not licensed in New Jersey. According to the order, the company has been funding its lending operations and proprietary trading business since 2019 by selling interest-bearing cryptocurrency accounts that are not protected by or registered with any federal or state securities regulator. The order notes that the company “held the equivalent of $14.7 billion from the sale of these unregistered securities in violation of the Securities Law.” In addition, the order, which become effective July 22, requires the company to stop selling any unregistered security or violating any securities law. According to the Bureau, the recent action “comes amid rising concerns over the proliferation of decentralized finance platforms like [the company] that seek to reinvent traditional financial systems such as banks and brokerages for digital asset investors,” and that “[u]nlike traditional, regulated banks and brokerage firms, however, investors’ losses are not insured against or protected by the Federal Deposit Insurance Corporation or Securities Investor Protection Corporation.”
SEC charges settlement company with cybersecurity disclosure violations
On June 15, the SEC announced charges against a real estate settlement services company for its role in allegedly failing to disclose controls and procedures related to a cybersecurity vulnerability that exposed sensitive customer information. According to the SEC’s order, an independent cybersecurity journalist warned the company in May 2019 of a vulnerability concerning its system for sharing document images that exposed over 800 million images dating back to 2003, including images containing sensitive personal data such as social security numbers and financial information. In response, the company allegedly issued a press release for inclusion in the cybersecurity journalist’s report published in May 2019 and furnished a Form 8-K to the Commission on May 28, 2019. However, according to the order, the company’s senior executives responsible for these kinds of releases “were not apprised of certain information that was relevant to their assessment of the company’s disclosure response to the vulnerability and the magnitude of the resulting risk.” Specifically, the order states that senior executives were not informed that the company’s information security personnel had identified a vulnerability several months earlier, in January 2019, but failed to remediate the vulnerability in accordance with the company’s policies. The order finds that the company “failed to maintain disclosure controls and procedures designed to ensure that all available, relevant information concerning the vulnerability was analyzed for disclosure in the company’s public reports filed with the Commission.” The SEC charged the company with violating Rule 13a-15(a) of the Exchange Act and ordered the company, who agreed to a cease-and-desist order, to pay a $487,616 penalty.
FDIC releases January enforcement actions
On February 28, the FDIC released a list of administrative enforcement actions taken against banks and individuals in January. The FDIC issued 18 orders, which “consisted of two consent orders; one civil money penalty; three removal and prohibition orders; eight section 19 orders; three terminations of consent orders and cease and desist orders; and one order terminating prompt corrective action.” Among the actions was a civil money penalty assessed against a Montana-based bank for allegedly violating the Flood Disaster Protection Act by failing to obtain adequate flood insurance coverage on certain loans and failing to provide borrowers with notice of the availability of federal disaster relief assistance. Separately, in a joint action with the California Department of Business Oversight, the agency issued a consent order against a California-based bank related to alleged weaknesses in its Bank Secrecy Act and anti-money laundering (BSA/AML) compliance program. Among other things, the bank was ordered to (i) retain qualified management to ensure compliance with applicable laws and regulations; (ii) “correct all violations of law to the extent possible”; (iii) implement a revised, written BSA compliance program to address BSA/AML deficiencies; (iv) establish a written Customer Due Diligence Program to ensure the reasonable detection of suspicious activity and the identification of higher-risk customers; (v) adopt a process for reviewing transaction monitoring alerts; and (vi) “ensure that suspicious activity monitoring system is independently validated.”
OCC releases January enforcement actions
On February 20, the OCC released a list of recent enforcement actions taken against national banks, federal savings associations, and individuals currently and formerly affiliated with such entities. The new enforcement actions include four civil money penalty orders, three cease and desist orders, five removal/prohibition orders, and a termination of an existing enforcement action. Included among the actions is a January 30 Consent Order to resolve the OCC’s claims that a New York-based bank engaged in Bank Secrecy Act/Anti-Money Laundering (BSA/AML) compliance program violations. According to the consent order, an OCC examination identified alleged deficiencies in the bank’s BSA/AML compliance program, including (i) failure to “assess and monitor high risk customer activity flowing to or from high risk jurisdictions”; (ii) deficient BSA/AML policies, procedures, systems and controls; (iii) inadequate suspicious activity monitoring and suspicious activity reporting (SAR) to FinCEN; (iv) deficient Customer Due Diligence processes, including failure to appoint a BSA officer; and (v) failure to sufficiently monitor or provide controls for increased wire and ACH transactions. The consent order requires the bank to, among other things, (i) appoint a compliance committee within 30 days; (ii) submit a written strategic plan to the OCC covering at least the next three years; (iii) appoint a “permanent, qualified, and experienced BSA Officer” with sufficient staff; (iv) create and adopt a “written program of internal control policies and procedures to provide for the compliance with the BSA”; and (v) adopt and deploy a “written system of internal controls and processes to ensure compliance with the requirements to file SARs.”