On August 2, NYDFS announced a consent order imposing a $30 million fine against a trading platform for alleged violations of the Department’s Virtual Currency Regulation (23 NYCRR Part 200), Money Transmitter Regulation (3 NYCRR Part 417), Transaction Monitoring Regulation (23 NYCRR Part 504), Cybersecurity Regulation (23 NYCRR Part 500), and for failing to maintain adequate Bank Secrecy Act/anti-money laundering (BSA/AML) obligations. According to a Department investigation, the platform’s BSA/AML compliance program contained significant deficiencies, including an inadequate transaction monitoring system. Among other things, the platform failed to timely transition its manual system to an automated transaction monitoring system, which was unacceptable for a program of its size, customer profiles, and transaction volumes, and did not devote sufficient resources to adequately address risks. The Department also found “critical failures” in the platform’s cybersecurity program, which failed to address operational risks, and that specific policies within the program did not fully comply with several provisions of the Department’s cybersecurity and virtual currency regulations. According to the press release, pursuant to NYDFS’s Transaction Monitoring Regulation and Cybersecurity Regulation, companies should only file a Certificate of Compliance with the Department if their programs are fully compliant with the applicable regulation.
In light of the program’s deficiencies, NYDFS stated that the platform’s 2019 certifications to the Department attesting to compliance with these regulations should not have been made and thus violated the law. The platform also “failed to comply with the Supervisory Agreement by failing to promptly notify the Department of (a) actual or material potential actions, proceedings, or similar process that were or may have been instituted against [the platform] or any affiliated entity by any regulatory body or governmental agency; and (b) of the receipt by [the platform], or any affiliated entity, of any subpoena from any regulatory body or governmental agency in which [the platform], or any affiliated entity, was the target of the investigation.” NYDFS determined that in addition to the penalty, the platform will be required to retain an independent consultant that will perform a comprehensive evaluation of its compliance with the Department’s regulations and the platform’s remediation efforts with respect to the identified deficiencies and violations.
A Buckley Special Alert is forthcoming.
On July 15, New York’s governor signed S9348, directing the superintendent of NYDFS to conduct a study of overdraft fees in the state. (See also NYDFS press release here.) The study will examine, among other things: (i) the total amount of overdraft fees paid in the state; (ii) the geographical distribution of these fees; (iii) whether certain communities have higher rates of overdraft fees than others and the possible reason for such high rates; (iv) “the percentage of overdraft fees reduced through direct or indirect negotiation”; and (v) the enumeration of consumer rights related to overdraft fee negotiations. The results of the study are to be delivered within one year to the governor, the temporary president of the senate, and the speaker of the assembly. The act is effective immediately.
On July 13, NYDFS called on all federal student loan servicers to increase awareness of and enroll borrowers in public service loan forgiveness programs before a temporary waiver expires on October 31. NYDFS’s letter reminded servicers that under the Public Service Loan Forgiveness (PSLF) program, full-time government and certain non-profit employees may be eligible to have federal direct loans forgiven after making 120 qualifying monthly payments. Last October, the Department of Education announced temporary PSLF changes due to the Covid-19 pandemic. These changes provided qualifying borrowers a time-limited PSLF waiver, which allows all payments to count towards PSLF regardless of loan program or payment plan (covered by InfoBytes here). Expressing concerns that many borrowers may not learn of this opportunity before it expires in October, NYDFS encouraged servicers to adopt eight best practices to promote awareness of the PSLF Program and the waiver. These include “enhanced trainings for customer service staff, proactive communications with borrowers, and increased promotion of the PSLF program on servicer websites and on borrower account pages,” NYDFS said in its announcement.
The letter follows a December 2021 NYDFS request sent to federal student loan servicers asking for updates on steps taken to address the waived rules. NYDFS also reminded servicers that it “will diligently enforce all servicer legal requirements concerning the PSLF program and will consider the extent to which servicers engaged in proactive measures to promote the PSLF Waiver in future supervisory examinations.”
On July 12, NYDFS issued guidance in an industry letter to regulated banking institutions, calling into question bank practices that can cause consumers to receive multiple overdraft and non-sufficient funds (NSF) fees from a single transaction. The industry letter identifies three specific types of fee practices as unfair or deceptive:
- Charging overdraft fees for “authorize positive, settle negative” transactions, where consumers are charged an overdraft fee even if they have sufficient money in their account when a bank approves a transaction, but the balance is negative when the payment is settled. Per NYDFS, imposing an overdraft fee in this situation is unfair because, among other things, consumers “have no control over or involvement in” when or how their debit transactions get settled.
- Charging “double fees” to consumers for a failed overdraft protection plan transfer, which occurs when a bank goes to transfer money from one deposit account to another deposit account to cover an overdraft transaction, but the first account lacks sufficient funds to cover the overdraft. Per NYDFS, double fees injure consumers “by imposing fees for a transfer that provides no value to the consumer and is not reasonably avoidable by consumers, who have no reason to expect that they will be charged a fee for an overdraft protection transfer that does not in fact protect them against an overdraft.”
- Charging NSF representment fees when a merchant tries several times to process a transaction that is deemed an overdraft and the bank charges a fee for each blocked representment without adequate disclosure. Banks that currently charge multiple NSF fees should “make clear, conspicuous, and regular disclosure to consumers that they may be charged more than one NSF fee for the same attempted debit transaction,” NYDFS stated. Additionally, banks are advised to consider other steps to mitigate the risk that consumers are charged multiple NSF fees, including limiting time periods for when multiple NSF fees may be charged, performing periodic manual reviews to identify instances of multiple NSF Fees, and offering refunds to affected consumers. NYDFS “ultimately expects [i]nstitutions will not charge more than one NSF fee per transaction, regardless of how many times that transaction is presented for payment,” the industry letter said.
NYDFS informed regulated entities that it will evaluate whether they “are engaged in deceptive or unfair practices with respect to overdraft and NSF fees in future Consumer Compliance and Fair Lending examinations.”
On June 30, the New York attorney general announced a settlement with a New York-based supermarket chain (respondent) for allegedly leaving more than three million customers’ personal information in unsecured, misconfigured cloud storage containers, which made the data potentially easy to access. The compromised data included customer account usernames and passwords, as well as customer names, email addresses, mailing addresses, and additional data derived from drivers’ license numbers. According to the assurance of discontinuance, a security researcher informed the respondent in 2021 that one of the cloud storage containers was misconfigured from its creation in January 2018 until April 2021, potentially exposing customers’ personal information. A second misconfigured container was identified in May 2021 that had been publicly accessible since November 2018, the AG said, noting that the respondent “immediately reviewed its cloud environment and identified the container, which had a database backup file with over three million records of customer email addresses and account passwords.” The AG asserted that the respondent also “failed to inventory its cloud assets containing personal information, secure all user passwords, and regularly conduct security testing of its cloud assets.” Nor did the retailer maintain long-term logs of its cloud assets, thus making it difficult to investigate security incidents, the AG said.
The terms of the settlement require the respondent to pay $400,000 in penalties to the state. The respondent has also agreed to (i) maintain a comprehensive information security program, including reporting security risks to the company's leadership; (ii) establish practices and policies to maintain an inventory of all cloud assets and to ensure all cloud assets containing personal information have appropriate measures to limit access; (iii) develop a penetration testing program and implement centralized logging and monitoring of cloud asset activity; (iv) establish appropriate password policies and procedures for customer accounts; (v) maintain a reasonable vulnerability disclosure program to enable third parties to disclose vulnerabilities; (vi) establish appropriate practices for customer account management and authentication; and (vii) update its data collection and retention practices to ensure it only collects customers’ personal information when there is a reasonable business purpose for the collection and permanently deletes all personal information collected before the agreement for which no reasonable purpose exists.
On June 27, the CFPB and New York attorney general filed an amended complaint in the U.S. District Court for the Southern District of New York, removing references to a New Jersey-based finance company’s arrangements with seven former NFL players in an action concerning whether the company and its affiliates (collectively, “defendants”) mischaracterized high-cost loans as assignments of future payment rights. As previously covered by InfoBytes, the agencies filed a lawsuit in 2017 claiming, among other things, that the defendants misled World Trade Center attack first responders and professional football players in selling expensive advances on benefits to which they were entitled and mischaracterized extensions of credit as assignments of future payment rights, thereby misleading their victims into repaying far more than they received. Specifically, the initial filing in 2017 alleges that the defendants (i) used “confusing contracts” to prevent the individuals from understanding the terms and costs of the transactions; (ii) lied to the individuals by telling them the companies could secure their payouts more quickly; (iii) misrepresented how quickly they would receive payments from the companies, and (iv) collected interest at an illegal rate. The amended complaint removes all references to defendants’ arrangements with the ex-NFL players, but maintains claims related to financing deals signed with first responders to the World Trade Center attack.
The court issued an order on June 28 accepting the agencies’ unopposed motion to file the amended complaint to “remove references to NFL player consumers and to remove allegations in Count VIII” related to alleged violations of New York General Obligations Law § 13-101 concerning personal injury claims. No additional details on the reasons for the removals are provided.
The amended complaint follows a March order issued by the district court (covered by InfoBytes here) in which it ruled that the CFPB could proceed with its 2017 enforcement action. In 2020, the U.S. Court of Appeals for the Second Circuit vacated the district court’s 2018 order (covered by InfoBytes here), which had dismissed the case on the grounds that the Bureau’s single-director structure was unconstitutional, and that, as such, the agency lacked authority to bring claims alleging deceptive and abusive conduct by the company. The 2nd Circuit remanded the case to the district court, determining that the U.S. Supreme Court’s ruling in Seila Law LLC v. CFPB (holding that the director’s for-cause removal provision was unconstitutional but severable from the statute establishing the Bureau, as covered by a Buckley Special Alert) superseded the 2018 ruling.
On June 15, NYDFS issued a proposed check cashing regulation following an emergency regulation announced in February that halted annual increases on check-cashing fees and locked the current maximum fee set last February at 2.27 percent (covered by InfoBytes here). The proposed regulation establishes a new fee methodology which evaluates the needs of licensees and consumers who use check cashing services. Two tiers of fees for licensed check cashers are recommended: (i) the maximum fee that a check casher may charge for a public assistance check issued by a federal or state government agency (including checks for Social Security, unemployment, retirement, veteran’s benefits, emergency relief, housing assistance, or tax refunds) is set at 1.5 percent; and (ii) the maximum fee a check casher is permitted to charge for all other checks, drafts, or money orders is $1 or 2.2 percent, whichever is greater. NYDFS added that starting January 31, 2027 (and annually every five years thereafter), licensed check cashers may request an increase in the maximum fees established. Comments on the proposed regulation will be accepted for 60 days.
On May 20, NYDFS Superintendent Adrienne A. Harris emphasized the role regulation plays in protecting consumers from cybercriminals in the virtual currency marketplace. According to Harris, NYDFS is committed to mitigating risks in this space by guarding against sanctions evasion and illicit activity and making sure corporate infrastructure and consumer data are well protected from bad actors. Harris stressed that NYDFS “will continue to improve upon [its] regulation and supervision; engage with key stakeholders on important trends and issues; collaborate with state, federal and international regulators; and strive to be a forward-looking, innovative regulator, including through [its] VOLT initiative,” which supports the department’s efforts to increase transparency and enhance supervision related to virtual currency.
On May 17, NYDFS announced an industry letter to establish its expectations for all institutions engaged in reverse mortgage lending in the State on cooperative apartment units (coop-reverse mortgages) once newly enacted Section 6-O*2 of the New York Banking Law takes effect May 30. The letter noted there is a comprehensive regulatory framework that addresses the marketing, origination, and servicing of reverse mortgages in New York and stated that most of the existing requirements apply equally to coop-reverse mortgages. This includes Title 3 of the New York Code of Rules and Regulations Part 79 (3 NYCRR 79), which establishes various requirements relating to the marketing, origination, servicing, and termination of reverse mortgage loans in New York, and Title 3 of the New York Code of Rules and Regulations Part 38 (3 NYCRR 38), which addresses issues involving, among other things, commitments and advertising for mortgage loans generally. Even so, the letter noted that NYDFS is considering amending its existing regulations to specifically address coop-reverse mortgages, or issuing a separate regulation governing this as a new product. Finally, the letter explained that “institutions that seek to originate, or service coop-reverse mortgages are directed to comply with the provisions of 3 NYCRR 79, and 3 NYCRR 38 in originating or servicing such mortgages” (subject to described clarifications, modifications, and exclusions). However, NYDFS stated that “in the event of any inconsistency between the provisions of Section 6-O*2 and provisions of either 3 NYCRR 79 or 3 NYCRR 38, the provisions of Section 6-O*2 will govern; and in the event of any inconsistency between the provisions of 3 NYCRR 79 and 3 NYCRR 38, provisions of 3 NYCRR 79 will govern.”
On May 20, a global payments provider, which was recently sued by the New York attorney general and the CFPB, filed a pre-motion letter hinting that it will challenge the constitutionality of the Bureau’s funding structure. As previously covered by InfoBytes, the complaint claimed the “repeat offender” defendant allegedly violated numerous federal and state consumer financial protection laws in its handling of remittance transfers. Earlier in the month, the defendant called the allegations “false, inflammatory and misleading,” and took issue with the Bureau’s suggestion that it had “uncovered widespread and systemic issues involving ‘substantial’ consumer harm.” According to the defendant, “data from the CFPB’s own consumer complaint portal strongly suggest otherwise.” (Covered by InfoBytes here.)
The defendant raised several arguments, including that the “CFPB’s funding structure also violates the Appropriations Clause, requiring dismissal”—a nod to a recent en banc decision issued by the U.S. Court of Appeals for the Fifth Circuit (covered by InfoBytes here), in which several dissenting judges argued that the case should be dismissed because the agency’s funding structure violates the Constitution’s separation of powers and “is doubly removed from congressional review.” The defendant’s pre-motion letter also argued that the Bureau’s complaint should be moved to the Northern District of Texas where the company is headquartered and where the Bureau’s examinations were conducted.
In response, the Bureau and New York AG filed their own letter responding to the defendant’s proposed grounds for dismissal, countering, among other things, that the case is “adequately pled,” the claims are timely, and that the Bureau’s funding structure is constitutional. Challenging the defendant’s contention that the Bureau’s statutory method of funding violates the Constitution’s appropriations clause, the letter stressed that the U.S. Supreme Court and the U.S. Court of Appeals for the Second Circuit have held that this clause “simply requires that federal spending be authorized by statute,” adding that “[b]oth the Bureau’s receipt of funds and its use of those funds are so authorized.”