On August 12, the SEC’s Office of Compliance Inspections and Examinations issued a risk alert to broker-dealers and investment advisers (firms) impacted by the Covid-19 pandemic addressing observations and recommendations related to several categories, including investor asset protection; personnel supervision; practices related to fees, expenses, and financial transactions; investment fraud; business continuity; and protecting sensitive information. The alert recommends firms review—and where appropriate—modify supervisory and compliance policies and procedures as they deal with market volatility and technological challenges brought by the Covid-19 pandemic. The alert notes that firms may need to update their practices to address, among other things, (i) unusual or unscheduled investor withdrawals; (ii) staffers communicating or executing transactions off-site or on personal devices, or making securities recommendations tied to market sectors experiencing high volatility or fraud; and (iii) supervisors having less oversight and interaction with staff in remote environments, leading to difficulties in maintaining effective due diligence, conducting background checks when hiring, or overseeing requisite examinations. Additionally, firms are instructed to monitor potential conflicts of interest and fee errors when informing investors about the costs of services, investment products, and related compensation, while also ensuring recommendations are made in the “best interest of investors.” The alert also recognizes that “times of crisis or uncertainty can create a heightened risk of investment fraud through fraudulent offerings,” and advises firms to “be cognizant of these risks when conducting due diligence on investments and in determining that the investments are in the best interest of investors.” Firms and investors who suspect fraud are advised to contact the SEC and report the potential fraud.
On July 27, the Financial Industry Regulatory Authority (FINRA) entered into a Letter of Acceptance, Waiver and Consent (AWC), fining a California-based securities firm $50,000 for allegedly failing to implement and follow its own anti-money laundering (AML) compliance procedures. As a result, the firm allegedly failed to detect red flags concerning potentially suspicious activity and failed to investigate or report the activity in a timely manner. According to FINRA, a sales practice examination detected instances between November 2012 and December 2016 in which the firm failed to detect red flags in four related accounts, including suspicious activity related to: (i) the “ownership of multiple accounts without an apparent business purpose for multiple accounts”; (ii) an account owner with a “significant disciplinary history related to securities fraud”; (iii) possible manipulative trading activity; (iv) unusual, unexpected transfer activity between related accounts without an apparent business purpose; and (v) unexplained third-party wire transfers, inconsistent with expected account activity. FINRA stated that although the “firm’s AML procedures indicated that when the firm detected any red flags of potentially suspicious activity, it would determine whether and how to investigate further,” the firm failed to implement these measures. The firm neither admitted nor denied the findings set forth in the AWC agreement but agreed to pay the fine and address identified deficiencies in its programs to ensure compliance with its AML obligations.
On July 22, the OCC issued an interpretive letter concluding that national banks and federal savings associations (collectively, “banks”) may hold cryptocurrency on behalf of customers so long as they effectively manage the risks and comply with applicable law. Specifically, the letter responds to a bank’s proposal to offer cryptocurrency custody services to its customers as part of its standard custody business. The OCC notes that “there is a growing demand for safe places, such as banks, to hold unique cryptographic keys associated with cryptocurrencies.” The letter emphasizes that the OCC “generally has not prohibited banks from providing custody services for any particular type of asset,” and providing cryptocurrency custody services “falls within longstanding authorities to engage in safekeeping and custody activities.”
The OCC notes that while the custody services will not “entail any physical possession of the cryptocurrency,” OCC regulations authorize banks to provide through electronic means any activities that they are otherwise authorized to perform. Thus, because banks may perform custody services for physical assets, they are “likewise permitted to provide those same services via electronic means (i.e., custody of cryptocurrency).” Additionally, a bank with trust powers has the authority to hold cryptocurrencies in a fiduciary capacity, in the same way they manage other assets they hold as fiduciaries.
The OCC reminds banks that they should develop and implement sound risk management practices, and specifically notes that “custody activities should include dual controls, segregation of duties and accounting controls.” Moreover, banks should “conduct a legal analysis to ensure the activities are conducted consistent with all applicable law,” noting that “[d]ifferent cryptocurrencies may also be subject to different OCC regulations and guidance outside of the custody context, as well as non-OCC regulations.”
On July 16, the OCC released a list of recent enforcement actions taken against national banks, federal savings associations, and individuals currently and formerly affiliated with such entities. Included among the actions is a June 23 consent order, which resolves OCC claims that a California-based bank violated a 2016 consent order concerning Bank Secrecy Act/anti-money laundering compliance program deficiencies. According to the OCC, the bank failed to timely comply with the 2016 consent order and is required to pay a $100,000 civil money penalty. The list also includes a July 25 civil money penalty order against a New York-based bank, which requires the payment of $43,000 for an alleged pattern or practice of violations of the Flood Disaster Protection Act and its implementing regulations.
Additionally, an Iowa-based bank and the OCC reached a formal agreement on June 16 for alleged unsafe or unsound practices related to, among other things, credit underwriting, credit administration, problem loan management, and real estate valuation practices. Among other conditions, the agreement requires the bank to (i) appoint a compliance committee to ensure adherence to the agreement’s provisions; (ii) establish a three-year strategic plan outlining goals and objectives related to the bank’s risk profile and liability structure; (iii) submit a commercial and retail credit underwriting and administration program to ensure the bank “analyzes credit and collateral information sufficient to identify, monitor, and report the [b]ank’s credit risk, properly account for loans, and assign accurate risk ratings in a timely manner”; (iv) implement programs providing for an annual review of loans, loan level stress testing, and problem loan management; (v) implement an exception tracking and reporting system; and (vi) establish an appraisal and evaluation program.
California Department of Business Oversight will monitor licensees’ compliance with face covering guidance
The California Department of Business Oversight announced that it will monitor licensees’ compliance with face covering guidance issued by the California governor and the California Department of Public Health. All customers must be required to wear appropriate face coverings under circumstances outlined in the guidance, and those who refuse to comply and do not meet the outlined exemptions should be refused entry to banks, credit unions, and other places of business.
On July 8, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced a $134,523 settlement with a Washington-based company that provides retail, e-commerce, and digital services worldwide. According to OFAC, due to deficiencies in the company’s sanctions screening process, between 2011 and 2018, the company provided goods and services to OFAC sanctioned persons; to persons located in the sanctioned region or countries of Crimea, Iran, and Syria; and “for persons located in or employed by the foreign missions of Cuba, Iran, North Korea, Sudan, and Syria.” Additionally, the company allegedly accepted and processed orders that primarily consisted of low-value retail goods and services from persons listed on OFAC’s List of Specially Designated Nationals and Blocked Persons who were blocked pursuant to sanctions regulations involving the Democratic Republic of Congo, Venezuela, Zimbabwe, among others. These apparent violations occurred “primarily because [the company’s] automated sanctions screening processes failed to fully analyze all transaction and customer data relevant to compliance with OFAC’s sanctions regulations,” OFAC stated, claiming the company also “failed to timely report several hundred transactions conducted pursuant to a general license issued by OFAC that included a mandatory reporting requirement, thereby nullifying that authorization with respect to those transactions.”
In arriving at the settlement amount, OFAC considered various mitigating factors, including that the apparent violations were non-egregious and (i) the company voluntarily disclosed the violations and cooperated with the investigation; and (ii) the company has undertaken significant remedial efforts to address the deficiencies and to minimize the risk of similar violations from occurring in the future.
OFAC also considered various aggravating factors, including that the company failed to exercise due caution or care to ensure its sanctions screening process was able to properly flag transactions involving blocked persons and sanctioned jurisdictions. “This case demonstrates the importance of implementing and maintaining effective, risk-based sanctions compliance controls,” OFAC stated. “[G]lobal companies that rely heavily on automated sanctions screening processes should take reasonable, risk-based steps to ensure that their processes are appropriately configured to screen relevant customer information and to capture data quality issues.”
On June 29, the OCC released its Semiannual Risk Perspective for Spring 2020, which reports on key risk areas that pose a threat to the safety and soundness of national banks and federal savings associations. In particular, the OCC focused this report on the financial impacts of the Covid-19 pandemic on the federal banking industry, emphasizing that weak economic conditions stemming from the shutdown will stress financial performances in 2020, and that banks should monitor elevated compliance risks that may occur as a result of their responses to the pandemic, including participating in the Paycheck Protection Program as well as forbearance and deferred payment programs. The report highlighted that the surge in consumer demands, government programs, and the modifications to operations due to remote work and the “short timelines for implementing changes placed additional strains on banks already operating in a stressed environment.” However, the report noted that, “[s]ome banks are leveraging innovative technologies and third parties, including fintech firms, to help manage these challenges,” and that “[b]ank risk management programs should maintain effective controls for third-party due diligence and monitoring and other oversight processes, operational errors, heightened cyber security risks, and potential fraud related to stimulus programs.” The report highlighted several areas of concern for banks, including (i) credit risk increases; (ii) interest rate risk, including risks related to the LIBOR cessation; (iii) operational risks related to banks’ Covid-19 response; (iv) heightened cyber risks; and (v) compliance risks related to Bank Secrecy Act/anti-money laundering laws, consumer compliance, and fair lending.
On June 18, the CFPB launched a pilot advisory opinion program (AO program) to allow entities to submit requests to the Bureau for written guidance in cases of regulatory compliance uncertainty. The pilot AO program procedural rule went into effect June 22, and states that the AO program—established in response to external stakeholder feedback encouraging the Bureau to provide written guidance—will primarily focus on clarifying ambiguities in Bureau regulations, although AOs may also clarify statutory ambiguities. The Bureau notes, however, that it will not issue AOs on matters that require notice-and-comment rulemaking or that are better addressed through that process, and does not intend to issue an AO that will change a regulation or replace a regulation or statute with a “bright-light standard that eliminates all the required analysis.” During the pilot, requests will not be accepted from third parties, such as trade associations or law firms, on behalf of unnamed entities. According to the Bureau’s announcement, it will select topics based on the program’s priorities, and, if appropriate, may publicly “issue an [AO] based on its summary of the facts presented that would be applicable to other entities in situations with similar facts and circumstances.”
The pilot AO program will focus on the following four priorities: (i) providing consumers “with timely and understandable information to make responsible decisions”; (ii) identifying “outdated, unnecessary or unduly burdensome regulations in order to reduce regulatory burdens”; (iii) consistently enforcing federal consumer financial laws “in order to promote fair competition”; and (iv) “[e]nsuring markets for consumer financial products and services operate transparently and efficiently to facilitate access and innovation.”
In determining the appropriateness of an AO, the Bureau will consider several factors, including whether (i) prior Bureau examinations have identified the issue as one that may benefit from additional regulatory clarity; (ii) the issue is “of substantive importance or impact or one whose clarification would provide significant benefit”; and/or (iii) the issue concerns an ambiguity not previously addressed through an interpretive rule or other authoritative source. Additionally, issues currently under investigation or enforcement likely will not be considered appropriate for an AO.
A proposed procedural rule and information collection was also announced June 18, which requests comments on the proposed AO program. Comments must be received 60 days after publication in the Federal Register. The proposed AO program, following the conclusion of the pilot, will be fully implemented after the Bureau reviews the comments.
On May 27, the CFPB issued an updated HMDA Small Entity Compliance Guide to reflect the changes made to Regulation C by the April final rule, which permanently raised coverage thresholds for collecting and reporting data about closed-end mortgage loans and open-end lines of credit (covered by InfoBytes here). The final rule, which amends Regulation C, increases the permanent threshold from 25 to 100 loans starting July 1, 2020, for both depository and nondepository institutions. The final rule also increases the permanent threshold for collecting and reporting data about open-end lines of credit from 100 to 200, but this change will not take effect until January 1, 2022, when the current temporary threshold of 500 open-end lines of credit expires. Beginning in 2022, both depository and nondepository institutions that meet this threshold must report data on open-end lines of credit by March 1 of the following calendar year. The Guide also notes the CFPB’s statement that, as of March 26, 2020, it “does not intend to cite in an examination or initiate an enforcement action against any institution for failure to report its HMDA data quarterly.”
On May 11, the Arkansas Insurance Department issued a bulletin regarding compliance and licensing for admitted and surplus lines insurance carriers doing business in Arkansas. Insurers and other regulated entities are advised that they must continue to expeditiously adjust claims during Covid-19. The bulletin also provides guidance on regulatory filing deadlines, the permissibility of electronic filings and signatures, the status of on-site examinations by the department, license renewals, and continuing education deadlines.