InfoBytes Blog

Financial Services Law Insights and Observations

  • DOJ Unseals Indictment Against Individuals for Alleged Involvement in Hacks Against Various U.S. Institutions

    Privacy, Cyber Risk & Data Security

    On November 10, the DOJ unsealed an indictment against three individuals, Gery Shalon, Joshua Samuel Aaron and Ziv Orenstein, for allegedly orchestrating and committing computer hacking crimes against U.S. financial institutions, brokerage firms, and financial news publishers. According to the DOJ, “these three defendants perpetrated one of the largest thefts of financial-related data in history – making off with the sensitive information of literally thousands” of Americans. The DOJ alleges that, from approximately 2012 to mid-2015, Shalon and Aaron hacked financial institutions to steal the personal information of more than 100 million customers, and then manipulated the price of certain U.S. publicly traded stocks, seeking to “market the stocks, in a deceptive and misleading manner, to customers of the victim companies whose contact information they had stolen in the intrusion.” Additionally, Shalon engaged in illegal businesses with Orenstein between 2007 and July 2015, allegedly operating (i) unlawful internet gambling businesses; (ii) multinational payment processors for illegal pharmaceutical suppliers, counterfeit and malicious software distributors, and unlawful internet casinos; and (iii) Coin.mx, a Bitcoin exchange company that violated federal anti-money laundering laws. Through these schemes, the defendants earned hundreds of millions of dollars in illegal funds and, using aliases, laundered criminal proceeds through at least 75 international shell companies and bank and brokerage accounts. The defendants are charged with multiple counts of offenses, including conspiracy to commit computer hacking, conspiracy to commit securities fraud, aggravated identity theft, wire fraud and operation of an unlicensed money transmitting business.

    The DOJ also announced the unsealing of a separate indictment against Anthony R. Murgio, who was arrested on complaint in July for operating Coin.mx in the United States.

    DOJ Payment Processors Privacy/Cyber Risk & Data Security

  • CFPB Settles with Payment Processor and Mortgage Servicer over Deceptive Mortgage Advertisement Allegations

    Consumer Finance

    On July 28, the CFPB announced that a Colorado-based payment processor, along with a Virginia-based mortgage servicer, agreed to pay a total of $38.5 million to resolve allegations that both entities used misleading advertisements related to a mortgage payment program. The CFPB alleged that both entities advertised the “Equity Accelerator Program” as a program that would help consumers save on interest payments by making mortgage payments biweekly rather than monthly. However, according to the CFPB, the program failed to make the biweekly payments, and no more than a “tiny” percentage of consumers enrolled in the program benefitted from the promised savings. Under the terms of the consent orders, the payment processor agreed to provide $33.4 million in restitution to affected consumers and pay a $5 million civil money penalty. The mortgage servicer will pay a $100,000 civil money penalty. Both entities also agreed to ensure that any advertisements concerning the mortgage program’s benefits complied with federal law.

    CFPB Enforcement Mortgage Advertising Payment Processors

  • Federal Reserve Announces Members of Faster Payments and Secure Payments Task Force

    Fintech

    On July 21, the Federal Reserve Board of Governors announced the members of the Faster Payments and Secure Payments Task Force as described in the Strategies for Improving the U.S. Payment System white paper released earlier this year. The committees will advise the Federal Reserve task force chair on meeting agendas, and help prioritize various task force activities, among other payments initiatives. The members include various interest groups representing industry, tech, and government, among others. More information about the task forces and the Fed’s payments improvement initiatives can be found at fedpaymentsimprovement.org.

    Payment Systems Federal Reserve Mobile Payment Systems Payment Processors

  • Alleged Ringleader of Global Cybercrimes Extradited to United States to Face Charges

    Privacy, Cyber Risk & Data Security

    Today, the DOJ unsealed an eighteen-count indictment in Brooklyn, New York charging a Turkish citizen (Defendant) with organizing worldwide cyberattacks against at least three U.S. payment processors’ computer networks. The Defendant’s organization allegedly used “sophisticated intrusion techniques” to hack the computer systems, stealing prepaid debit card data and subsequently using the stolen data to make ATM withdrawals in which standard withdrawal limits were manipulated to allow for greater withdrawals. According to the indictment, the Defendant managed a group of co-conspirators responsible for distributing the stolen card information to “cashing crews” around the world, who then used the information to conduct tens of thousands of fraudulent ATM withdrawals and fraudulent purchases. Within two days – February 27 and 28, 2011 – the DOJ alleges that the “cashing crews withdrew approximately $10 million through approximately 15,000 fraudulent ATM withdrawals in at least 18 countries.” The remaining two operations, occurring in late 2012 and early 2013, resulted in ATM withdrawals of roughly $5 million and $40 million, respectively. The Defendant, along with other high-ranking members of the conspiracy, received the funds from the fraudulent operations via wire transfer, electronic currency, and personal delivery of U.S. and foreign currency. The Defendant was arrested in Germany on December 18, 2013, and was extradited to the United States on June 23, 2015. The charges against the Defendant follow previous charges against members of the conspiracy, including the arrest of a member of the New York cashing crew.

    Debit Cards DOJ Payment Processors Privacy/Cyber Risk & Data Security

  • CFPB Tackles Payment Processor for Charging Servicemembers Hidden Fees, Orders Over $3 Million in Consumer Relief

    Consumer Finance

    On April 20, the CFPB announced an enforcement action against a Kentucky-based third-party processor of military allotments and its subsidiary – together “Respondents” – for allegedly charging servicemembers millions of dollars in hidden fees. According to the Bureau, servicemembers set up allotment arrangements with the Respondents, and the Respondents were to pay creditors – auto lenders, installment lenders, and retail merchants – on behalf of deployed servicemembers. The Bureau alleges that from 2010 to 2014, the company violated UDAAP provisions of the Consumer Financial Protection Act by failing to (i) adequately disclose information about various fees associated with the Respondents’ services; and (ii) inform servicemembers when they were being charged residual-balance fees. The consent order requires that the Respondents pay approximately $3.1 million in relief to the affected servicemembers.

    CFPB UDAAP Servicemembers Payment Processors

  • Tennessee Enacts Legislation Requiring Payment Service Providers to Provide Adequate Disclosures to Merchants

    Fintech

    On April 17, Tennessee Governor Bill Haslam signed H.B. 547, which requires the disclosure of fees and other details in contracts entered into by payment service providers with merchants located within the state. The legislation requires the payment service providers to provide merchants with information detailing where the merchant can obtain access to operating rules, regulations, and bylaws under the agreement. In addition, the law requires payment service providers to disclose (i) the effective date of the agreement; (ii) terms of the agreement; (iii) any provisions relating to early termination or cancellation of the agreement; and (iv) a full schedule of all payment services fees with respect to the credit card, debit card, or other payment services under the agreement. The law also requires payment service providers to supply merchants with a monthly statement of fees, total value of transactions, and in some cases the aggregate fee percentage.

    Credit Cards Debit Cards Payment Processors

  • OCC Updates Merchant Processing Booklet

    Consumer Finance

    On August 20, the OCC issued Bulletin 2014-41, which announces a new “Merchant Processing” booklet of the Comptroller’s Handbook. This booklet replaces the booklet of the same name issued in December 2001 and provides updated guidance to examiners and bankers on assessing and managing the risks associated with merchant processing activities. Specific updates address: (i) the selection of third-party organizations and due diligence; (ii) technology service providers; (iii) on-site inspections, audits, and attestation engagements, including the “Statement on Standards for Attestation Engagement” (SSAE 16) and the “International Standard on Assurance Engagements” (ISAE 3402); (iv) data security standards in the payment card industry for merchants and processors; (v) the Member Alert to Control High-Risk Merchants (MATCH) list; (vi) BSA/AML compliance programs and appropriate policies, procedures, and processes to monitor and identify unusual activity; and (vii) appropriate capital for merchant processing activities.

    OCC Anti-Money Laundering Bank Secrecy Act Payment Processors

  • Payment Cards Security Standards Organization Publishes Third-Party Security Assurance Guidance

    Privacy, Cyber Risk & Data Security

    On August 7, the PCI Security Standards Council (PCI SSC), the open global forum responsible for setting payment security standards, published an information supplement titled “Third-Party Security Assurance Guidance,” which is designed to help organizations and their business partners reduce payment data risk from third-party operations. In November 2013, the PCI SSC updated two data security standards. The first, PCI DSS, applies to entities involved in payment card processing (merchants, processors, acquirers, issuers, and service providers), as well as all other entities that store, process or transmit cardholder data. The second, PA DSS, applies to software vendors and others who develop payment applications that store, process, or transmit cardholder data as part of authorization or settlement, where these payment applications are sold, distributed, or licensed to third parties. The new guidance supplements certain PCI DSS requirements that apply when a merchant or entity shares cardholder data with a third-party service provider. Specifically, the supplemental guidance provides “practical recommendations” on how to: (i) conduct due diligence and risk assessment when engaging third-party service providers; (ii) implement a consistent process for engaging third parties; (iii) develop appropriate agreements, policies, and procedures with third-party service providers; and (iv) implement a process for maintaining and managing third-party relationships through the lifetime of the engagement.

    Credit Cards Payment Systems Vendors Payment Processors Privacy/Cyber Risk & Data Security

  • FDIC Responds To Choke Point Scrutiny With Clarified TPPP Guidance

    Consumer Finance

    On July 28, the FDIC issued FIL-41-2014 to clarify its supervisory approach to bank relationships with third-party payment processors (TPPPs). In short, the letter removes the FDIC’s list of examples of merchant categories from its existing guidance and informational article. That list, which identified potential “high-risk” businesses, including firearms and ammunition merchants, coin dealers, and payday lenders, among numerous others, has been scrutinized and challenged by members of Congress in recent months. The new guidance explains the “lists of examples of merchant categories have led to misunderstandings regarding the FDIC’s supervisory approach to TPPPs, creating the misperception that the listed examples of merchant categories were prohibited or discouraged.” The FDIC’s letter continues to defend the list as “illustrative of trends identified by the payments industry at the time the guidance and article were released” and reasserts that it is the FDIC’s policy that insured institutions that properly manage customer relationships are neither prohibited nor discouraged from providing services to any customer operating in compliance with applicable law.

    FDIC Payment Processors Operation Choke Point Agency Rule-Making & Guidance

  • Attorney General Vows To Continue Operation Choke Point

    Consumer Finance

    On June 23, the DOJ released a transcript of a message delivered by Attorney General Eric Holder in which he pledged to continue investigations of financial institutions “that knowingly facilitate consumer scams, or that willfully look the other way in processing such fraudulent transactions.” These investigations are part of the DOJ’s “Operation Choke Point,” which has faced criticism from financial institutions and their advocates on Capitol Hill, and which payday lenders recently filed suit to halt. Opponents of the operation assert that the DOJ investigations, combined with guidance from prudential regulators, are targeting lawful businesses and cutting off their access to the financial system. In his remarks, the AG promised that the DOJ will not target “businesses operating within the bounds of the law,” but vowed to continue to pursue “a range of investigations into banks that illegally enable businesses to siphon billions of dollars from consumers’ bank accounts in exchange for significant fees.” Mr. Holder stated that he expects the DOJ to resolve some of these investigations in the coming months.

    Payday Lending DOJ Payment Processors Operation Choke Point
