Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Recently, the New York DFS announced that an online payday loan lead generator and its CEO will pay a $1 million penalty and cease payday loan lead generation activities in New York to resolve allegations that its payday loans charge fees had interest rates greater than the usury limits allowed under New York law, and that it failed to protect consumers' personal information. According to the DFS, the company (i) "advertised payday loans and connected New York consumers to payday lenders without disclosing that the payday loans contained terms that violate New York usury laws"; and (ii) failed to take any protective measures when selling leads to its network of lead buyers, despite advertising that it "prides itself in putting [its] customer's security and personal information protection at the top of [its] priority list." In the event that the company solicits non-payday lending services in New York in the future, the order requires it to establish and adhere to data security protocols for the secure use, transfer, and storage of consumers' personal information. This action represents the DFS's first action to require a company to implement consumer data security measures to its future collection of consumers' personal information.
On January 21, New York Governor Andrew Cuomo nominated Maria Vullo to serve as the NYDFS’s superintendent. If approved by the New York State Senate, Vullo would replace former superintendent Benjamin Lawsky, who left the Department in June 2015. Governor Cuomo noted that Vullo is a “tough and fair litigator” who “has shown an immovable commitment to upholding the law and protecting consumers.” Vullo has worked in the private and public sectors, and has over 25 years of practice in business litigation and investigations. In 2010, Vullo also served under then AG Cuomo as Executive Deputy Attorney General for Economic Justice, handling various consumer protection, investor protection, and antitrust matters.
On December 17, the New York DFS announced an enforcement action against a New York branch of a Pakistan-based bank. The Federal Reserve Bank of New York (FRBNY) and the DFS recently conducted an examination of the branch and found significant risk management and compliance failures with regard to state and federal laws, rules, and regulations relating to anti-money laundering (AML) compliance. Under the terms of the DFS’s order, the branch agreed to reform its policies and procedures to ensure compliance with AML laws. Per the order, the bank must submit to the DFS, within 60 days of the order, a number of written programs regarding its (i) corporate governance and management oversight; (ii) BSA/AML compliance review; (iii) customer due diligence; and (iv) suspicious activity monitoring and reporting. The branch must also hire an independent third-party approved by the DFS and the FRBNY to review the effectiveness of the bank’s compliance program, and to prepare a written report of its findings, conclusions, and recommendations for the program. Because the branch’s compliance with OFAC regulations was insufficient, the order also mandates that the bank retain an independent third-party to examine its U.S. dollar-clearing transactions between October 2014 and March 2015. Significantly, the order does not require the branch to pay a civil money penalty.
On December 1, the New York DFS announced a proposed anti-terrorism and anti-money laundering regulation, Transaction Monitoring and Filtering Program Requirements and Certifications. Key requirements of the proposed regulation include maintaining programs (i) to monitor transactions after they’ve been executed for potential BSA/AML violations and Suspicious Activity Reporting; and (ii) to ban certain transactions that are prohibited by applicable sanctions, politically exposed persons lists, and internal watch lists. The proposed regulation outlines the programs’ respective minimum requirements, including ensuring that they are based on the Risk Assessment of the institution. Critically, the proposal also requires a Certifying Senior Officer of the regulated financial institutions to file with the Department executed certifications ensuring compliance with the requirements by April 15 of each year.
On November 19, the New York DFS announced a consent order with a nonbank mortgage originator to resolve allegations that its employees engaged in a scheme to cheat on state-required continuing education courses and exams. Specifically, the DFS alleged that at least 20 Mortgage Loan Originators (MLOs), including the Chief Executive Officer and former Chief Operating Officer, encouraged compliance staff to take required continuing education courses and exams on their behalf. Furthermore, the MLOs “shared information acquired during licensing exams with . . . senior management, despite the fundamental obligation of test-takers to preserve the confidentiality of all such information.” The DFS’s examination of the mortgage originator revealed additional state banking law violations, including (i) failing to provide mandatory disclosures on more than 100 subprime loans; (ii) misstating applicable late fees on at least three loans; (iii) failing to maintain the minimum line of credit; and (iv) underreporting its total New York revenue in its 2010 and 2011 Volume of Operations Report. The settlement requires the mortgage originator to immediately surrender its mortgage banker’s license and its status as an exempt mortgage servicer in New York, and pay a civil money penalty in the amount of $1 million.
Federal Reserve and New York DFS Take Action Against Canadian Bank for Deficiencies Relating to AML Compliance
On November 10, the Federal Reserve and the New York DFS announced an enforcement action against a Canadian bank for alleged deficiencies relating to its BSA/AML compliance program. In order to resolve the allegations, the bank agreed to prepare various written policies and procedures, including (i) a written plan that provides for a sustainable governance framework, including improving the management information systems reporting of compliance with BSA/AML requirements, OFAC regulations, and State Regulations; (ii) a revised written BSA/AML compliance program; (iii) a revised written program for conducting customer due diligence; (iv) a written program that ensures that any suspicious activity is timely reported; and (v) a written plan to improve compliance with OFAC regulations. All policies must be submitted for approval within 60 days of the agreement’s issuance date.
On November 9, the New York DFS sent a letter to federal regulators and other interested parties, including the CFPB, Federal Reserve Board, and the OCC, regarding potential new regulations aimed at increasing cybersecurity efforts within the financial sector. The letter references recent DFS reports that covered key findings from surveys given to regulated banking organizations on their cybersecurity programs, costs, and future plans. The reports raised the following concerns: (i) the speed of technological change and the increasingly sophisticated nature of threats; (ii) third-party service providers tend to have access to sensitive information and companies’ IT systems, providing potential hackers with a point of entry; and (iii) the “scale and breadth of the most recent breaches and incidents.” In light of these concerns, the DFS asserts that it would be beneficial to coordinate with state and federal regulators to “develop a comprehensive [cybersecurity] framework that addresses the most critical issues, while still preserving the flexibility to address New York-specific concerns.” According to the letter, the DFS expects to propose regulations requiring entities to set specific requirements in areas such as: (i) cybersecurity policies and procedures; (ii) third-party service provider management; (iii) cybersecurity personnel and intelligence, including implementing mandatory cybersecurity training programs; and (iv) notice of cybersecurity breaches.
On November 4, the Federal Reserve and the New York DFS announced a combined $258 million penalty against a global bank for “violations in connection with transactions on behalf of countries and entities subject to U.S. sanctions.” According to the Fed’s cease and desist order, the bank failed to implement adequate risk management and compliance policies and procedures to “ensure that activities conducted at offices outside the United States complied with applicable OFAC Regulations and were timely reported in response to inquiries by the Federal Reserve Bank of New York.” Specifically, the Fed alleged that, from November 2001 to January 2006, foreign offices of the bank processed funds transfers with parties subject to OFAC Regulations through the bank’s New York-based subsidiary and other unaffiliated U.S. financial institutions without having the information necessary to determine that the transactions were consistent with U.S. law. The Fed’s order requires the bank to develop a compliance program that establishes (i) policies and procedures to ensure compliance with applicable OFAC regulations; (ii) an OFAC compliance reporting system; and (iii) requirements for employee training in OFAC-related issues. Under the terms of the DFS consent order, the bank agreed to hire an independent monitor to conduct a comprehensive review of its BSA/AML and OFAC sanctions compliance program, policies, and procedures.
On October 28, the New York DFS resolved an enforcement action with a New York State-charted bank for alleged violations of state banking law. The DFS alleged that the bank hired a former New York Federal Reserve Bank examiner and permitted him to work on matters for an entity that the employee had examined while at the New York Fed, in violation of a notice of post-employment restrictions from the New York Fed. The DFS also alleged that the employee obtained confidential regulatory or supervisory information from a now former New York Fed employee and distributed the information to a Managing Director at the bank for the purpose of advising the entity. In addition to the bank’s alleged failure to screen the employee from working on matters related to the entity he had examined, the DFS’s order alleges that the bank failed to “provide training to personnel regarding what constituted confidential supervisory information and how it should be safeguarded.” Under the settlement terms, the bank will (i) pay a civil money penalty of $50 million to the DFS; (ii) reform its policies and procedures to ensure the proper handling of confidential supervisory information and the monitoring of assignments of former government employees; and (iii) not re-hire the bank employee and Managing Director, who had been terminated as result of the matter.
On October 20, the DOJ, OFAC, the NYDFS, the Manhattan District Attorney’s Office, and the Federal Reserve simultaneously announced that a Paris-based investment bank would pay a total of more than $787 million to settle multiple alleged violations of U.S. sanctions regulations. The OFAC settlement resolves allegations that the investment bank and certain predecessor banks, between August 6, 2003 and September 16, 2008, processed 4,055 transactions – for a total of approximately $337,043,846 – to or through U.S. financial institutions that involved countries and/or persons subject to the sanctions regulations administered by OFAC. The investment bank settled with OFAC for more than $329,500,000, an amount that reflects the agency’s consideration of the following aggravating factors: (i) the investment bank had indications that its actions had the potential to constitute violations of the U.S. law before the earliest date of the apparent violations; (ii) several managers of the investment bank were aware of the conduct that led to the violations; (iii) the investment bank’s conduct resulted in significant harm to various sanctions programs OFAC oversees and their associated policy objectives; (iv) the investment bank’s size and sophistication, along with its global presence; and (v) the investment bank’s failure to maintain proper controls to prevent the violations from occurring and otherwise maintain an adequate compliance program.
In addition to OFAC’s settlement, parallel actions against the bank resulted in the investment bank agreeing to pay (i) $385 million to the NYDFS; (ii) $90.3 million to the Federal Reserve; (iii) $156 million to the Manhattan District Attorney’s Office; and (iv) $156 million to the U.S. Attorney’s Office for the District of Columbia.
- Daniel P. Stipano to discuss "Wait wait ... do tell me! Where the panelists answer to you" at the ACAMS AML & Anti-Financial Crime Conference
- Matthew P. Previn and Walter E. Zalenski to discuss "Is valid when made ... valid?" at the Women in Housing & Finance Partner Series webinar
- Warren W. Traiger and Caroline K. Eisner to discuss "CRA modernization and the OCC final rule" at CBA Live
- Daniel R. Alonso to discuss "Transnational corruption: A chat with former U.S. federal prosecutors in New York" at Marval Live Talks
- Sherry-Maria Safchuk and Lauren Frank to discuss "New CFPB interpretation on UDAAP" at a California Mortgage Bankers Association Mortgage Quality and Compliance Committee webinar
- Daniel R. Alonso to moderate "Regional anti-corruption enforcement colloquium" at the Latin Lawyer GIR Interactive Anti-Corruption & Investigations
- APROVED Webcast: 20 for the ’20s: What the coming decade holds for MLO licensing
- Kathryn L. Ryan to discuss "NMLS mortgage call report – Where’s NMLS 2.0?" at the QuestSoft Lending Compliance Conference
- Thomas A. Sporkin to discuss "Managing internal investigations and advanced government defense" at the Securities Enforcement Forum
- H Joshua Kotin to discuss "Mortgage servicing in a recession: Early intervention, loss mitigation and more" at the NAFCU Virtual Regulatory Compliance Seminar
- Daniel R. Alonso to discuss "Independent monitoring in the United States" at the World Compliance Association Peru Chapter IV International Conference on Compliance and the Fight Against Corruption
- Jonice Gray Tucker to discuss "The future of fair lending" at the Mortgage Bankers Association Regulatory Compliance Conference
- Michelle L. Rogers to discuss "Major litigation" at the Mortgage Bankers Association Regulatory Compliance Conference
- Kathryn L. Ryan to discuss "Pandemic fallout – Navigating practical operational challenges" at the Mortgage Bankers Association Regulatory Compliance Conference
- Jonice Gray Tucker to discuss "Consumer financial services" at the Practising Law Institute Banking Law Institute