Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
California’s privacy agency finalizes CPRA regulations
On February 3, the California Privacy Protection Agency (CPPA) Board voted unanimously to adopt and approve updated regulations for implementing the California Privacy Rights Act (CPRA). The proposed final regulations will now go to the Office of Administrative Law, who will have 30 working days to review and approve or disapprove the regulations. As previously covered by InfoBytes, the CPRA (largely effective January 1, 2023, with enforcement delayed until July 1, 2023) was approved by ballot measure in November 2020 to amend and build on the California Consumer Privacy Act (CCPA). In July 2022, the CPPA initiated formal rulemaking procedures to adopt proposed regulations implementing the CPRA, and in November the agency posted updated draft regulations (covered by InfoBytes here and here).
According to the CPPA’s final statement of reasons, the proposed final regulations (which are substantially similar to the version of the proposed regulations circulated in November) address comments received by stakeholders, and include the following modifications from the initial proposed text:
- Amending certain definitions. The proposed changes would, among other things, modify the definition of “disproportionate effort” to apply to service providers, contractors, and third parties in addition to businesses, as such term is used throughout the regulations, to limit the obligation of businesses (and other entities) with respect to certain consumer requests. The term is further defined as “when the time and/or resources expended to respond to the request significantly outweighs the reasonably foreseeable impact to the consumer by not responding to the request,” and has been modified “to operationalize the exception to complying with certain CCPA requests when it requires ‘disproportionate effort.’” The proposed changes also introduce the definition of “unstructured” personal information, which describes personal information that could not be retrieved or organized in a predefined manner without disproportionate effort on behalf of the business, service provider, contractor, or third party as it relates to the retrieval of text, video, and audio files.
- Outlining restrictions on how a consumer’s personal information is collected or used. The proposed changes outline factors for determining whether the collection or processing of personal information is consistent with a consumer’s “reasonable expectations.” The modifications also add language explaining how a business should “determine whether another disclosed purpose is compatible with the context in which the personal information was collected,” and present factors such as the reasonable expectation of the consumer at the time of collection, the nature of the other disclosed purpose, and the strength of the link between such expectation and the nature of the other disclosed purpose, for assessing compatibility. Additionally, a section has been added to reiterate requirements “that a business’s collection, use, retention, and/or sharing of a consumer’s personal information must be ‘reasonably necessary and proportionate’ for each identified purpose.” The CPPA explained that this guidance is necessary for ensuring that businesses do not create unnecessary and disproportionate negative impacts on consumers.
- Clarifying requirements for consumer requests and obtaining consumer consent. Among other things, the proposed changes introduce technical requirements for the design and implementation of processes for obtaining consumer consent and fulfilling consumer requests, including but not limited to “symmetry-in-choice,” which prohibits businesses from creating more difficult or time consuming paths for more privacy-protective options than paths to exercise a less privacy protective options. The modifications also provide that businesses should avoid choice architecture that impairs or interferes with a consumer’s ability to make a choice, as “consent” under the CCPA requires that it be freely give, specific, informed, and unambiguous. Moreover, the statutory definition of a “dark pattern” does not require that a business “intend to design a user interface to have the substantial effect of subverting or impairing consumer choice.” Additionally, businesses that are aware of, but do not correct, broken links and nonfunctional email addresses may be in violation of the regulation.
- Amending business practices for handling consumer requests. The revisions clarify that a service provider and contractor may use self-service methods that enable the business to delete personal information that the service provider or contractor has collected pursuant to a written contract with the business (additional clarification is also provided on a how a service provider or contractor’s obligations apply to the personal information collected pursuant to its written contract with the business). Businesses can also provide a link to resources that explain how specific pieces of personal information can be deleted.
- Amending requests to correct/know. Among other things, the revisions add language to allow “businesses, service providers, and contractors to delay compliance with requests to correct, with respect to information stored on archived or backup systems until the archived or backup system relating to that data is restored to an active system or is next accessed or used.” Consumers will also be required to make a good-faith effort to provide businesses with all necessary information available at the time of a request. A section has also been added, which clarifies “that implementing measures to ensure that personal information that is the subject of a request to correct remains corrected factors into whether a business, service provider, or contractor has complied with a consumer’s request to correct in accordance with the CCPA and these regulations.” Modifications have also been made to specify that a consumer can request that a business disclose their personal information for a specific time period, and changes have been made to provide further clarity on how a service provider or contractor’s obligations apply to personal information collected pursuant to a written contract with a business.
- Amending opt-out preference signals. The proposed changes clarify that the requirement to process opt-out preference signals applies only to businesses that sell or share personal information. Language has also been added to explain that “the opt-out preference signal shall be treated as a valid request to opt-out of sale/sharing for any consumer profile, including pseudonymous profiles, that are associated with the browser or device for which the opt-out preference signal is given.” When consumers do not respond to a business’s request for more information, a “business must still process the request to opt-out of sale/sharing” to ensure that “a business’s request for more information is not a dark pattern that subverts consumer’s choice.” Additionally, business should not interpret the absence of an opt-out preference signal as a consumer’s consent to opt-in to the sale or sharing of personal information.
- Clarifying requests to limit use and disclosure of sensitive personal information. The regulations require businesses to provide specific disclosures related to the collection, use, and rights of consumers for limiting the use of personal sensitive information in certain cases, including, among other things, requiring the use of a link to “Limit the Use of My Sensitive Personal Information” and honoring any limitations within 15 business days of receipt. The regulations also provide specific enumerated business uses where the right to limit does not apply, including to ensure physical safety and to prevent, detect, and investigate security incidents.
The proposed final regulations also clarify when businesses must provide a notice of right to limit, modify how the alternative opt-out link should be presented, provide clarity on how businesses should address scenarios in which opt-out preference signals may conflict with financial incentive programs, make changes to service provider, contractor, and third party obligations to the collection of personal information, as well as contract requirements, provide clarity on special rules applicable to consumers under 16-years of age, and modify provisions related to investigations and enforcement.
Separately, on January 10, the CPPA posted a preliminary request for comments on cybersecurity audits, risk assessments, and automated decisionmaking to inform future rulemaking. Among other things, the CPPA is interested in learning about steps it can take to ensure cybersecurity audits are “thorough and independent,” what content should be included in a risk assessment (including whether the CPPA should adopt the approaches in the EU GDPR and/or Colorado Privacy Act), and how “automated decisionmaking technology” is defined in other laws and frameworks. The CPPA noted that this invitation for comments is not a proposed rulemaking action, but rather serves as an opportunity for information gathering. Comments are due March 27.
CFPB issues HMDA reference chart for 2023
On February 9, the CFPB published the 2023 Reportable HMDA Data: A regulatory and reporting overview reference chart. The chart serves as a reference tool for data points that are required to be collected, recorded, and reported under Regulation C, as amended by HMDA rules, which were most recently issued in April 2020 (covered by InfoBytes here). The chart also provides relevant regulation and commentary sections and guidance for when to report “not applicable or exempt” as found in Section 4.2.2 of the 2022 Filing Instructions Guide. The Bureau notes that the “chart does not provide data fields or enumerations used in preparing the HMDA loan/application register (LAR).” For additional information on preparing the HMDA LAR, financial institutions should consult FFIEC guidance here.
California investigating mobile apps’ CCPA compliance
On January 27, the California attorney general announced an investigation into mobile applications’ compliance with the California Consumer Privacy Act (CCPA). The AG sent letters to businesses in the retail, travel, and food service industries who maintain popular mobile apps that allegedly fail to comply with consumer opt-out requests or do not offer mechanisms for consumers to delete personal information or stop the sale of their data. The investigation also focuses on businesses that fail to process consumer opt-out and data-deletion requests submitted through an authorized agent, as required under the CCPA. “On this Data Privacy Day and every day, businesses must honor Californians’ right to opt out and delete personal information, including when those requests are made through an authorized agent,” the AG said, adding that authorized agent requests include “those sent by Permission Slip, a mobile application developed by Consumer Reports that allows consumers to send requests to opt out and delete their personal information.” The AG encouraged the tech industry to develop and adopt user-enabled global privacy controls for mobile operating systems to enable consumers to stop apps from selling their data.
As previously covered by InfoBytes, the CCPA was enacted in 2018 and took effect January 1, 2020. The California Privacy Protection Agency is currently working on draft regulations to implement the California Privacy Rights Act, which largely became effective January 1, to amend and build upon the CCPA. (Covered by InfoBytes here.)
Danish financial institution fined $2 billion for anti-money-laundering compliance failures
On December 13, a Danish global financial institution pled guilty to conspiring to commit bank fraud and agreed to forfeit approximately $2 billion. According to court documents, the financial institution defrauded U.S. banks at which it held correspondent accounts by misrepresenting the state of its AML controls and transaction monitoring capabilities. According to the Department of Justice, between 2008 and 2016, the financial institution offered banking services through its Estonia branch, including a business line serving non-resident customers (known as “NRP”). The Estonia branch allowed NRP customers to transfer large amounts of money with little to no oversight, and branch employees conspired with NRP customers to hide the true nature of the transactions, including through the use of shell companies that obscured the actual owners of the funds. During this period, the Estonia branch processed $160 billion through U.S. banks on behalf of NRP customers.
The financial institution and its Estonia branch were required to provide information to U.S. banks in order to open and maintain correspondent accounts. This included information related to AML controls, transaction monitoring, and customers. By at least February 2014, the financial institution became aware of some NRP customers who were engaged in highly suspicious and potentially criminal transactions, including through U.S. banks. The DOJ noted that the financial institution was also aware that the Estonia branch’s AML program and procedures were not appropriate to meet the risks associated with NRP customers, but instead of providing truthful information, the financial institution lied about the state of the Estonia branch’s AML compliance program.
Under the terms of the plea agreement, the bank has agreed to a criminal forfeiture of $2.059 billion. The bank will also enter into separate criminal or civil resolutions with domestic and foreign authorities. The DOJ will credit approximately $850 million in payments made by the financial institution to resolve related parallel investigations by other domestic and foreign authorities. The DOJ noted that the financial institution “received full credit for cooperation and remediation because it provided full cooperation with the investigation and demonstrated recognition and affirmative acceptance of responsibility for its criminal conduct.”
The same day, the SEC announced fraud charges against the financial institution in connection with a related, parallel proceeding. The financial institution agreed to pay roughly $413 million, including a $178.6 million civil monetary penalty, as well as $178.6 million in disgorgement and $55.8 million in prejudgment interest. The SEC said it will deem the disgorgement and prejudgment interest satisfied by forfeiture and confiscation ordered in parallel criminal cases with the DOJ, the United States Attorney’s Office for the Southern District of New York, and Denmark’s Special Crime Unit.
FTC extends compliance on some Safeguards provisions
On November 15, the FTC announced that covered financial institutions now have until June 9, 2023, to comply with certain updated Safeguards Rule requirements. The Commission issued this extension based on reports, including a letter from the SBA’s Office of Advocacy, that a shortage of qualified personnel to implement financial institutions’ information security programs and supply chain issues could delay security system upgrades.
As previously covered by InfoBytes, in October 2021, the FTC issued a final rule updating the Safeguards Rule to strengthen data security protections for consumer financial information following widespread data breaches and cyberattacks. Among other things, the final rule added specific criteria financial institutions and other entities, such as mortgage brokers, motor vehicle dealers, and payday lenders, must undertake when conducting a risk assessment and implementing an information security program. Among other requirements, these include implementing provisions related to access controls, data inventory and classification, authentication, encryption, disposal procedures, and incident response. The final rule also added measures to ensure employee training and service provider oversight are effective and expanded the definition of “financial institution” to include “entities engaged in activities that the Federal Reserve Board determines to be incidental to financial activities.” Included in the definition are “finders” (i.e. companies that bring together buyers and sellers of products or services that fall within the scope of the Safeguards Rule). While many provisions of the Safeguards Rule became effective 30 days after publication in the Federal Register, certain other provisions, including requirements applicable to covered financial institutions, were set to take effect December 9, 2022.
VA proposes amendments to IRRRL requirements
On November 1, the Department of Veterans Affairs (VA) published a proposed rule in the Federal Register, which would amend the agency’s rules on VA-backed interest rate reduction refinancing loans (IRRRLs). Specifically, the proposed amendments would update existing VA IRRRL regulations to meet current statutory requirements for determining whether the agency can guarantee or insure a refinance loan. The amendments would modify current regulations to reflect requirements related to, among other things, net tangible benefit, recoupment, and seasoning standards. Additionally, due to confusion among program participants, VA is proposing clarifications to minimize the risk of lender noncompliance, thereby safeguarding veterans, easing lender concerns, reducing potential instability in the secondary loan market, and insulating taxpayers from unnecessary financial risk. Comments on the proposed rule are due January 3, 2023.
OFAC, FinCEN take action against virtual currency exchange
On October 11, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC), together with the Financial Crimes Enforcement Network (FinCEN), announced two settlements for more than $24 million and $29 million, respectively, with a Washington state-based virtual currency exchange. According to OFAC’s announcement, this is the agency’s largest virtual currency enforcement action to date, and represent the first parallel actions taken by FinCEN and OFAC in this space.
OFAC settlement. OFAC’s web notice stated that between March 28, 2014 and December 31, 2017, the exchange operated 1,730 accounts that processed 116,421 virtual currency-related transactions totaling roughly $263,451,600.13, in apparent violation of OFAC sanctions against Cuba, Ukraine, Iran, Sudan, and Syria. Specifically, due to alleged deficiencies in the exchange’s sanctions compliance procedures, the exchange failed to prevent persons located in the sanctioned jurisdictions from using its platform to engage in more than $263,000,000 worth of virtual currency-related transactions. OFAC claimed that while the IP addresses and physical address information collected on each customer at onboarding should have given the exchange reason to know that the persons were located in jurisdictions subject to sanctions, the exchange did not “screen customers or transactions for a nexus to sanctioned jurisdictions.” Rather, the exchange only screened transactions for hits against lists including OFAC’s List of Specially Designated Nationals and Blocked Persons. In arriving at the settlement amount of $24,280,829.20, OFAC considered various aggravating factors, including that the exchange did not exercise due caution or care for its sanctions compliance obligations and conveyed economic benefit to persons located in jurisdictions subject to OFAC sanctions, thus causing harm to the integrity of multiple sanctions programs. OFAC also considered various mitigating factors, including that the exchange provided substantial cooperation throughout the investigation, most of the transactions were for a relatively small amount and represented a small percentage when compared to the exchange’s annual volume of transactions, and the exchange has undertaken remedial measures intended to minimize the risk of recurrence of similar conduct.
FinCEN settlement. According to FinCEN’s press release, an investigation found that from February 2014 through December 2018, the exchange failed to maintain an effective AML program, resulting in its inability to appropriately address risks associated with its products and services, including anonymity-enhanced cryptocurrencies. The exchange also failed to effectively monitor transactions on its trading platform, and relied “on as few as two employees with minimal anti-money laundering training and experience to manually review all of the transactions for suspicious activity, which at times were over 20,000 per day.” FinCEN claimed that the exchange conducted more than 116,000 transactions valued at over $260 million with persons located in jurisdictions subject to OFAC sanctions, including those operating in Iran, Cuba, Sudan, Syria, and the Crimea region of Ukraine, and failed to file suspicious activity reports (SARs) between February 2014 and May 2017. The exchange also “failed to file SARs on a significant number of transactions involving sanctioned jurisdictions, including the processing of over 200 transactions that involved $140,000 worth of virtual assets—nearly 100 times larger than the average withdrawal or deposit on the Bittrex platform—and 22 transactions involving over $1 million worth of virtual assets,” FinCEN said in its announcement. Under the terms of the consent order, the exchange—which admitted to willfully violating the Bank Secrecy Act (BSA) and its implementing regulations—will pay a $29,280,829.20 civil money penalty. FinCEN stated it will credit the $24,280,829.20 the exchange has agreed to pay for the OFAC violations.
During remarks delivered at the Association of Certified Anti-Money Laundering Specialists, Under Secretary for Terrorism and Financial Intelligence Brian Nelson discussed, among other topics, Treasury’s efforts to counter illicit finance. Nelson highlighted the aforementioned settlements, stressing that failing to comply with BSA/AML requirements and SARs filing obligations “are not something that companies focused on growth can simply put off to a later day.” He also emphasized that Treasury will continue to strengthen ties with interagency partners and international counterparts to identify and pursue potential violations.
FINRA fines broker dealer for AML failures
On September 9, FINRA settled charges with a broker dealer (respondent) for alleged failures in its anti-money laundering (AML) compliance program. According to the letter of acceptance, waiver, and consent, the respondent allegedly failed to, among other things: (i) establish a reasonably designed AML program; (ii) implement a customer identification program; (iii) reasonably supervise for potentially manipulative trading; and (iv) preserve and maintain certain electronic communications. Additionally, FINRA found that the respondent unreasonably relied on manual reviews of the daily trade blotter to identify market manipulation. FINRA’s order includes alleged violations of FINRA Rule 2010, Rule 3110, Rule 3310(a)-(b) and Rule 4511. FINRA also determined that the respondent violated Securities Exchange Act of 1934 Section 17(a) and Rule 17a-4(b)(4). The respondent agreed to pay a $450,000 civil monetary penalty to FINRA and is prohibited from providing market access for two years.
FDIC updates risk management, consumer compliance examination policies
Recently, the FDIC updated Section 2.1 of its Risk Management Manual of Examination Policies related to capital. The FDIC noted that since capital adequacy assessments are central to the supervisory process, examination staff “evaluate all aspects of a financial institution’s risk profile and activities to determine whether its capital levels are appropriate and in compliance with minimum regulatory requirements.” This includes examining a financial institution’s capital ratios, risk-weighted assets, regulatory capital requirements, community bank leverage ratios, capital adequacy (including liquidity, earnings, and market risk), and adherence to laws and regulations. The FDIC also announced updates to the Privacy—Telephone Consumer Protection Act section within its Consumer Compliance Examination Manual (CEM). The CEM includes supervisory policies and examination procedures for FDIC examination staff evaluating financial institutions’ compliance with federal consumer protection laws and regulations.
FINRA reminds firms of their obligation to supervise digital signatures
Recently, FINRA issued Regulatory Notice 22-18 reminding member firms of their obligation to supervise for digital signature forgery and falsification. FINRA reported it has received a rising number of reports claiming registered representatives and associated persons have been forging or falsifying customer signatures, as well as those of colleagues or supervisors in some instances. Issues have been flagged in “account opening documents and updates, account activity letters, discretionary trading authorizations, wire instructions and internal firm documents related to the review of customer transactions.” FINRA advised member firms to review outlined methods and scenarios for identifying digital signature forgery or falsification in order to mitigate risk and meet regulatory obligations.
- Keisha Whitehall Wolfe to discuss “Tips for successfully engaging your state regulator” at the MBA's State and Local Workshop
- Max Bonici to discuss “Enforcement risk and trends for crypto and digital assets (Part 2)” at ABA’s 2023 Business Law Section Hybrid Spring Meeting
- Jedd R. Bellman to present “An insider’s look at handling regulatory investigations” at the Maryland State Bar Association Legal Summit