Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
On May 22, NYDFS announced its newly created Cybersecurity Division, led by Justin Herring as Executive Deputy Superintendent, that is, according to NYDFS, “the first of its kind to be established at a banking or insurance regulator.” The new division will focus on enforcing and issuing guidance on NYDFS’ cybersecurity regulation 23 NYCRR Part 500, advising on cybersecurity examinations, conducting cyber-related investigations, and disseminating information related to cyber-attack trends and threats. NYDFS highlighted Herring’s experience in supervising cybercrime and digital currency cases as Chief of the U.S. Attorney’s Office for the District of New Jersey Cyber Crimes Unit and a member of the Economic Crimes Unit, including investigating money laundering using digital currency and prosecuting unlicensed digital currency exchanges.
On May 30, the OCC filed a letter with the U.S. District Court for the Southern District of New York notifying the court that it intends to work with NYDFS to issue a proposed final order to the court in the action challenging the OCC’s decision to allow fintech companies to apply for a Special Purpose National Bank Charter (SPNB). As previously covered by InfoBytes, in May, the court denied the OCC’s motion to dismiss, concluding that, among other things, the OCC failed to rebut NYDFS’s claims that the proposed national fintech charter posed a threat to the state’s ability to establish its own laws and regulations, and therefore, the challenge “is ripe for adjudication.” In its letter, the OCC states that while it “disagrees with the Court’s decision, and reserves its right to appeal, it believes that the decision renders entry of final judgment in this matter appropriate.” An entry of final judgment, would allow the OCC to challenge the decision with the U.S. Court of Appeals for the 2nd Circuit.
On May 2, the U.S. District Court for the Southern District of New York denied the OCC’s motion to dismiss a complaint filed by NYDFS arguing that the agency’s decision to allow fintech companies to apply for a Special Purpose National Bank Charter (SPNB) is a move that will destabilize financial markets more effectively regulated by the state. (See previous InfoBytes coverage here.) The court, however, stated that because the OCC failed to rebut NYDFS’s claims that the proposed national fintech charter posed a threat to the state’s ability to establish its own laws and regulations, the challenge “is ripe for adjudication.” Specifically, NYDFS alleged that granting a national charter to fintech firms would limit its ability to regulate non-depository institutions and could potentially lead to a loss in revenue derived from assessments levied against state licensed institutions. The court rejected the OCC’s preemption arguments, writing that the “threats to New York's sovereignty are so clear that the OCC does not even mention, let alone contest, the state's interests. Instead, OCC focuses exclusively on constitutional and prudential ripeness.” The court further dismissed the OCC’s ripeness argument that it has yet to receive, review, or approve a SPNB application, and referred to NYDFS’ allegations that the OCC has “invited fintech companies . . . to discuss SPNB charters,” which potentially demonstrates “at least some demand for, and interest in, such charters.” While the court concedes that the potential for fintech companies to “flout” New York's laws would only occur once a fintech company has applied and been granted a SPNB charter, “those steps do not stymie [NYDFS’s] standing.”
In addressing NYDFS’s Administrative Procedures Act claim, the court found, among other things, that engaging in the “business of banking” under the National Bank Act (NBA) “unambiguously requires receiving deposits as an aspect of the business.” Furthermore, the court concluded that “absent a statutory provision to the contrary, only depository institutions are eligible to receive [a SPNB] from [the] OCC.” However, the court dismissed NYDFS’s claims that a SPNB charter conflicts with state law in violation of the Tenth Amendment of the U.S. Constitution. According to the court, while NYDFS has standing to raise a Tenth Amendment claim, it has failed to state such a claim “because federal law preempts state law only when ‘Congress has clearly expressed its intent,’” and in this instance, “the operative question is not whether the federal government has the power to take the action challenged in this case, but whether Congress has, in fact exercised that power.”
On April 29, NYDFS announced its newly created Consumer Protection and Financial Enforcement Division, led by Katherine Lemire as Executive Deputy Superintendent. The new office combines the Enforcement and Financial Frauds division with the Consumer Protection division and is responsible for ensuring compliance, fighting consumer fraud, and assisting NYDFS with the enforcement of the state’s Banking, Insurance and Financial Services laws. The office will have a particular investigative focus on the response to cybersecurity events and the creation of supervisory, regulatory and enforcement policy in the area of financial crimes. Prior to her new role, Lemire served as Assistant United States Attorney in the Southern District of New York where she investigated complex federal crimes, and as a prosecutor in the Manhattan District Attorney’s Office.
On April 15, U.S. regulators announced settlements totaling $1.3 billion with several banking units of a German-headquartered financial institution to resolve allegations by the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC), the DOJ, the Federal Reserve Board, the New York Department of Financial Services (NYDFS), and the New York County District Attorney’s Office of apparent violations of multiple sanctions programs, including those related to Burma, Cuba, Iran, Libya, Sudan, and Syria. According to OFAC’s announcement, between January 2007 and December 2011, the institution’s banking units in Germany, Austria, and Italy processed thousands of payments through U.S. financial institutions on behalf of sanctioned entities “in a manner that did not disclose underlying sanctioned persons or countries to U.S. financial institutions which were acting as financial intermediaries.”
According to the roughly $611 million combined settlement agreements (see here, here, and here), OFAC considered various aggravating factors, and noted, among other things, that the institution’s banking units failed to sufficiently enforce policies addressing OFAC sanctions concerns or restrict the processing of transactions in U.S. dollars involving persons or countries subject to sanctions programs administered by OFAC. Additionally, OFAC asserted that the Austrian banking unit claimed on several occasions that OFAC’s sanctions programs “were not legally binding or relevant to [the bank].” OFAC further stated that while the banking units failed to voluntarily self-disclose the alleged violations, they have each agreed to implement and maintain compliance commitments to minimize the risk of the recurrence of the alleged conduct.
The approximate $611 million penalty will be deemed satisfied by the banking units’ payments to other U.S. regulators, which includes an almost $317 million forfeiture and roughly $468 million fine to the DOJ, $158 million fine to the Federal Reserve, and $405 million fine to the NYDFS.
On April 10, NYDFS announced that it denied a company’s applications to engage in virtual currency business and money transmission activity in New York due to the company’s alleged deficiencies in BSA/AML and Office of Foreign Assets Control (OFAC) compliance requirements, capital requirements, and token and product launches. According to the denial letter, the company applied for a virtual currency business activity license in August 2015, and had been operating under NYDFS’ virtual currency “safe harbor” ever since. Additionally, in July 2018, the company applied to engage in money transmission activity with the state. According to NYDFS, the state’s licensing law requires an applicant to demonstrate the ability to comply with the provisions of the licensing requirements, including “implementing an effective BSA/AML/OFAC compliance program as well as other measures to protect customers and the integrity of the virtual currency markets.” Based on NYDFS’ four-week on-site review of the company’s operations, NYDFS concluded, among other things, that the company’s BSA/AML/OFAC compliance program lacked (i) adequate internal policies, procedures and controls; (ii) a qualified, effective compliance officer; (iii) adequate employee training; (iv) adequate independent program testing; and (v) adequate customer due diligence. The company is required to immediately cease operating in New York State and doing business with New York residents and has 60 days to wind down or transfer its positions and transactions.
On March 31, the New York governor announced the passage of the state’s FY 2020 Budget, which includes an amendment (known as “Article 14-A” or “the Act”) to the state’s banking law with respect to the licensing of private student loan servicers. Article 14-A requires student loan servicers to be licensed by the New York Department of Financial Services (NYDFS) in order to service student loans owned by residents of New York. The licensing provisions do not apply to the servicers of federal student loans—defined as, “(a) any student loan issued pursuant William D. Ford Federal Direct Loan Program; (b) any student loan issued pursuant to the Federal Family Education Loan Program, which was purchased by the government of the United States pursuant to the federal Ensuring Continued Access to Student Loans Act and is presently owned by government of the United States; and (c) any other student loan issued pursuant to a federal program that is identified by the superintendent as a ‘federal student loan’ in a regulation”—as the Act treats federal servicers as though they are a licensed student loan servicer. Banking organizations, foreign banking organizations, national banks, federal savings associations, federal credit unions, or any bank or credit union organized under the laws of any other state, are also considered exempt from the new state licensing requirements.
In addition to the licensing requirements, Article 14-A also prohibits any student loan servicer—including those exempt from licensing requirements or deemed automatically licensed—from, among other things, (i) engaging in any unfair, deceptive, or predatory act or practice with regard to the servicing of student loans, including making any material misrepresentations about loan terms; (ii) misapplying payments to the balance of any student loan; (iii) providing inaccurate information to a consumer credit reporting agency; and (iv) making false representations or failing to respond to communications from NYDFS within fifteen calendar days. Article 14-A requires student loan servicers (not including exempt organizations) to accurately report a borrower’s payment performance to at least one credit reporting agency if the organization regularly reports information to a credit reporting agency. Additionally, the Act specifies that a student loan servicer shall inquire on how a borrower would like nonconforming payments to be applied and continue that application until the borrower provides different directions. Article 14-A also outlines examination and recordkeeping requirements and allows for the NYDFS Superintendent to penalize servicers the greater of (i) up to $10,000 for each offense; (ii) a multiple of two times the violation’s aggregate damages; or (iii) a multiple of two times the violation’s aggregate economic gain. Article 14-A takes effect 180 days after becoming law.
On April 9, U.S. and U.K regulators announced that a London-based global financial institution would pay $1.1 billion to settle allegations by the DOJ, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC), the Federal Reserve Board, the New York Department of Financial Services (NYDFS), the Manhattan District Attorney, and the U.K.’s Financial Conduct Authority (FCA) for allegedly violating multiple sanctions programs, including those related to Burma, Cuba, Iran, Sudan, and Syria. According to the OFAC announcement, from June 2009 until May 2014, the institution processed thousands of transactions involving persons or countries subject to sanctions programs administered by OFAC, but the majority of the actions at issue concern Iran-related accounts maintained by the institution’s Dubai branches. OFAC alleged the Dubai branches processed transactions through the institution’s New York branches on behalf of customers that were physically located or ordinarily resident in Iran.
According to the $639 million settlement agreement, OFAC noted, among other things, that the institution “acted with reckless disregard and failed to exercise a minimal degree of caution or care” with respect to the actions at issue. Moreover, OFAC alleged that the institution had actual knowledge or reason to know its compliance program was “inadequate to manage the [the institution]’s risk.” OFAC considered numerous mitigating factors, including that the institution’s substantial cooperation throughout the investigation and its undertaking of remedial efforts to avoid similar violations from occurring in the future.
The $639 million penalty will be deemed satisfied by the institution’s payments to other U.S. regulators, which includes, $240 million forfeiture and $480 million fine to the DOJ, $164 million fine to the Federal Reserve, and $180 million fine to the NYDFS. The institution also settled with the FCA for $133 million. The settlement illustrates the risks to foreign financial institutions associated with compliance lapses when processing transactions through the U.S. financial system.
On January 31, NYDFS issued Supplement No. 2 to Insurance Circular Letter No. 1 (2003), which provides guidance to the title insurance industry following a January 15 unanimous decision by the Appellate Division of the New York State Supreme Court to uphold Insurance Regulation 208. The Appellate Division’s decision vacated the majority of a trial court order annulling Regulation 208, which limits title insurers’ ability to offer inducements to obtain business. (See previous InfoBytes coverage here.)
The NYDFS supplement highlighted three critical holdings from the Appellate Division’s decision. First, the court upheld Regulation 208’s ban on inducements for future title insurance business, recognizing that NYDFS had found that lavish gifts were routinely offered to intermediaries such as lawyers in anticipation of receiving business. Second, the appellate court held that Insurance Law § 6409(d), which prohibits a commission, rebate, fee, or “other consideration or valuable thing,” is not limited to a prohibition on quid pro quo exchanges for specific business. Third, the court annulled Regulation 208’s ban on certain closer fees and fees for ancillary searches.
NYDFS’ cybersecurity FAQs provide process for covered entities that no longer qualify for exemptions
On February 2, NYDFS updated its answers to FAQs regarding 23 NYCRR Part 500, which established cybersecurity requirements for banks, insurance companies, and other financial services institutions. (See here for previous InfoBytes coverage on updates to the FAQs.) Among other things, the update outlines the procedures covered entities must follow if the entity ceases to qualify for exemptions under Section 500.19. Covered entities who no longer qualify for an exemption will have 180 days from the end of their most recent fiscal year to comply with all applicable requirements of 23 NYCRR Part 500. NYDFS further notes that covered entities may be required to periodically refile their exemptions to ensure qualification.
- APPROVED Webcast: Introducing Mogy — APPROVED’s licensing technology solution
- Hank Asbill to discuss "Pay no attention to the man behind the curtain: Addressing prosecutions driven by hidden actors" at the National Association of Criminal Defense Lawyers West Coast White Collar Conference
- Daniel P. Stipano to discuss "Mid-year policy update" at the ACAMS AML Risk Management Conference
- Daniel P. Stipano to discuss "Keep off the grass: Mitigating the risks of banking marijuana-related businesses" at the ACAMS AML Risk Management Conference
- Christopher M. Witeck and Moorari K. Shah to discuss "The latest in vendor management regulations" at a Mortgage Bankers Association webinar
- Buckley Webcast: Hot topics in debt collection — An analysis of recent federal FDCPA litigation
- Jonice Gray Tucker to discuss "How to succeed in law school" at the SEO Law DC Panel Discussions
- Amanda R. Lawrence to discuss "Navigating the challenges of the latest data protection regulations and proven protocols for breach prevention and response" at the ACI National Forum on Consumer Finance Class Actions and Government Enforcement
- Benjamin W. Hutten to discuss "Requirements for banking inherently high-risk relationships" at the Georgia Bankers Association BSA Experience Program
- Brandy A. Hood to discuss "RESPA Section 8/referrals: How do you stay compliant?" at the New England Mortgage Bankers Conference
- Daniel P. Stipano to discuss "Lessons learned from recent enforcement actions and CMPs" at the ACAMS AML & Financial Crime Conference
- Daniel P. Stipano to discuss "Assessing the CDD final rule: A year of transitions" at the ACAMS AML & Financial Crime Conference