InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
OCC Acting Comptroller Discusses Innovation and Technology in the Financial Services Industry
On October 19, OCC Acting Comptroller of the Currency Keith A. Noreika spoke at Georgetown University’s Institute of International Economic Law’s Fintech Week to discuss innovation within the financial technology sector and its impact on the evolution of the financial services marketplace. “[W]hat has allowed the business of banking to evolve so successfully is that we have remained open to change and created a framework of laws and regulation over time that allows banking activities to evolve,” Noreika remarked. “[W]e have to be careful to avoid defining banking too narrowly or in a stagnant way that prevents the system from taking advantage of responsible advances in technology and commerce.”
Noreika spoke about the OCC’s Office of Innovation (Office), which was created earlier this year to facilitate discussions related to fintech and financial innovation. A pilot framework is currently being developed by the Office to create a “controlled environment” for banks to develop and test products to provide insight into a “proposed product’s controls and risks” and how it might possibly impact OCC policies in the future.
Noreika also discussed the OCC’s position on issuing special purpose national bank charters to non-depository fintech companies seeking to expand into the banking sector—a concept currently being contested by both the Conference of State Bank Supervisors (CSBS) and the New York Department of Financial Services (NYDFS), and one which the OCC has not yet made a decision (See previous InfoBytes coverage of CSBS’ and NYDFS’ challenges here and here.) Addressing claims that fintech charters would inappropriately mix banking and commerce, Noreika refuted the argument and stated that his suggestion was to “talk to any company interested in becoming a bank and that commercial companies should not be prohibited from applying—if they meet the criteria for doing so.” Further, a “chartered entity, regulated by the OCC, would be a bank, engaged in at least one of the core activities of banking” as defined by the Bank Holding Company Act.
NYDFS Announces Two New Regulations Targeting Title Insurance Practices
On October 17, the New York Department of Financial Services (NYDFS) adopted two final regulations designed to stop “unscrupulous practices” in the title insurance industry. The final regulations—which are the culmination of a NYDFS’ investigation into the practices of title insurers—supersede “emergency” versions of both regulations that went into effect earlier this year. (See previously InfoBytes coverage here.) Specifically, the first rule clarifies that certain “reasonable and customary” advertising and marketing expenses will be permitted provided “they are without regard to insured status or conditioned directly or indirectly on the referral of title business.” Meals, entertainment, and other forms of inducements are prohibited. According to a NYDFS press release, the state’s “anti-inducement statute is not limited to situations in which there is a direct quid pro quo for business.” The second rule requires, among other things, that title insurance companies or agents function independently from any affiliates through which they generate a portion of their business and make “good faith” efforts to accept business from non-affiliate sources.
NYDFS Announces Settlement to Provide Restitution and Loan Forgiveness to Consumers Affected by Payday Lending Practices
On September 25, New York Department of Financial Services (NYDFS) Superintendent Maria T. Vullo announced the Department had entered into a consent order with a payday loan debt collector and payday loan servicer (together, “defendants”) for allegedly collecting on illegal payday loans made to New York consumers between 2011 to 2014. Payday lending, according to NYDFS’ press release, is illegal in the state, and debt collectors who “collect or attempt to collect outstanding payments from New Yorkers on payday loans violate debt collection laws.” The consent order notes that in 2013, NYDFS circulated a guidance letter to all debt collectors operating in the state to remind them that usurious loans made by non-bank lenders with interest rates exceeding the statutory maximum—and the attempts to collect debts on these types of loans—are “void and unenforceable and violate state and federal law.” However, one of the defendants continued to collect on payday loans for more than a year. The alleged actions, NYDFS asserted, are violations of the Fair Debt Collection Procedures Act, New York Debt Collection Procedures Law, and New York General Business Law.
Pursuant to the consent order, which includes a notice letter to be sent to affected consumers, the debt collector defendant must comply with the following: (i) cease all collection on payday loans in New York; (ii) release and discharge more than $11.8 million in outstanding applicable payday loan debts; (iii) move to vacate any judgments obtained on payday loan accounts; and (iv) “[r]elease any pending garnishments, levies, liens, restraining notices, or attachments relating to any judgments on New Yorkers’ payday loan accounts.” The loan servicer defendant must close any pending accounts in the state and cease communications with consumers regarding their accounts.
Data Breach Fallout Continues: Lawsuit Filed by Massachusetts AG, NYDFS Cybersecurity Regulation to Possibly Include Credit Reporting Agencies, and Joint Letter Sent From 34 States Requesting Fee-Based Credit Monitoring Service Be Disabled
The impact from the September 7 announcement that a major credit reporting agency suffered a data breach continues to be far reaching. On September 15, the agency issued a press release announcing additional information concerning its internal investigation, as well as responses to consumer concerns about arbitration and class-action waiver provisions in the Terms of Use applicable to its support package and regarding security freezes.
Massachusetts AG Lawsuit. On September 19, Massachusetts Attorney General Maura Healey announced it had filed the first enforcement action in the nation against the credit reporting agency. The complaint, filed in Massachusetts Superior Court, alleges that the agency ignored cybersecurity vulnerabilities for months before the breach occurred and claims that the agency could have prevented the data breach had it “implemented and maintained reasonable safeguards, consistent with representations made to the public in its privacy policies, industry standards, and the requirements of [the Massachusetts Data Security Regulations],” which went into effect March 1, 2010. The failure to secure the consumer information in its possession, the complaint asserts, constitutes an “egregious violation of Massachusetts consumer protection and data privacy laws.” Causes of action under the complaint arise from (i) the agency’s failure to provide prompt notice to the commonwealth or the public; (ii) the agency’s failure to safeguard consumers’ personal information; and (iii) the agency engaging in unfair or deceptive acts or practices under Massachusetts law. The commonwealth seeks, among other things, civil penalties, disgorgement of profits, and restitution.
NYDFS Cybersecurity Regulation. On September 18, New York Governor Andrew M. Cuomo directed NYDFS to issue a proposed regulation that would expand the state’s “first-in-the-nation” cybersecurity standard to include credit reporting agencies and to require the agencies to register with NYDFS. The annual reporting obligation would, according to a press release issued by NYDFS, grant it the authority to deny or revoke a credit reporting agency’s authorization to do business with New York’s regulated financial institutions should the agency be found in violation of certain prohibited activities, including engaging in unfair, deceptive or predatory practices. Under the proposed regulation, credit reporting agencies would be subject to compliance examinations by NYDFS, would be required to initially register with NYDFS by February 1, 2018 and annually thereafter, and would be required to comply with cybersecurity regulations starting on April 4, 2018, in accordance with a phased-in compliance schedule. On the same day, NYDFS issued a separate press release urging New York state chartered and licensed financial institutions to take immediate action to protect consumers in light of the recent credit reporting agency data breach. The guidance presented in the release by the NYDFS is provided in conjunction with the state’s cybersecurity regulations.
State Attorneys General Request. On September 15, a letter co-authored by 34 state attorneys general was sent to the credit reporting agency’s legal counsel. The letter expresses concern over the agency’s conduct since the disclosure of the breach, including the offer of both fee-based and a free credit monitoring services, the waiver of certain consumer rights under the agency’s terms of service, and the charges incurred by consumers for a security freeze with other credit monitoring companies. Specifically, the attorneys general objected to the agency “using its own data breach as an opportunity to sell services to breach victims,” and argued that “[s]elling a fee-based product that competes with [the agency’s] own free offer of credit monitoring services to [data breach victims] is unfair, particularly if consumers are not sure if their information was compromised.” Accordingly, the letter requests that the agency temporarily disable links to fee-based services and extend the offer of free services until at least January 31, 2018. Further, the letter also expresses concern that consumers must pay for a security freeze with other credit monitoring companies and states that the agency should reimburse consumers who incur fees to completely freeze their credit.
Buckley Special Alert: New York Governor Cuomo Directs NYDFS to Make Credit Reporting Agencies Comply With the State’s Cybersecurity Regulation
On September 18, 2017, New York Governor Andrew Cuomo directed the New York Department of Financial Services (NYDFS) to issue a regulation that would require all consumer credit reporting agencies doing business in the state to register with NYDFS by February 1, 2018, and to re-register annually. Governor Cuomo’s directive was issued in response to a recent highly publicized security incident at a major consumer credit reporting agency. NYDFS issued a proposed regulation on the same day (CRA Regulation).
One of the primary intents of the registration directive is to make consumer credit reporting agencies subject to the state’s “First-in-the-Nation Cybersecurity Regulation” (Cybersecurity Regulation) (see previous InfoBytes coverage here) that was finalized earlier this year. The Cybersecurity Regulation applies to entities “operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law” and regulated by NYDFS. The Cybersecurity Regulation imposes a series of requirements on covered entities with compliance deadlines ranging from August 28, 2017 to March 1, 2019. These substantive requirements, which are in many ways more stringent and proscriptive than federal requirements for financial institutions, are described in our previous InfoBytes coverage on the Cybersecurity Regulation. Consumer credit reporting agency registrants would be subject to all of the requirements of the Cybersecurity Regulation, but under a different schedule beginning on April 4, 2018 and running through October 4, 2019.
***
Click here to read full special alert.If you have questions about the report or other related issues, please visit our Privacy, Cyber Risk & Data Security practice page, or contact a Buckley attorney with whom you have worked in the past.
NYDFS Issues Reminder on Cybersecurity Regulation Compliance Effective August 28
On August 28, the New York Department of Financial Services (NYDFS) issued an announcement reminding all NYDFS-regulated banks, insurance companies, and other financial services institutions that they must now begin complying with the state’s “first-in-nation cybersecurity regulation.” As previously covered in Infobytes, the regulation took effect March 1, 2017, but August 28 was the first compliance date. Covered entities are now required to implement the following: (i) a cybersecurity program designed to protect consumers’ private data; (ii) board/senior officer-approved written policy or policies; (iii) a designated Chief Information Security Officer to help protect an entity’s data and systems; and (iv) “controls and plans in place to help ensure the safety and soundness of New York’s financial services industry.” Furthermore, covered entities must begin reporting cybersecurity events through NYDFS’ online cybersecurity portal. (See previous InfoBytes coverage here.) Notices of exemption may be filed within “30 days of the determination that the covered entity is exempt,” and covered entities must file a certificate of compliance confirming compliance for the previous calendar year no later than February 15, 2018. NYDFS also released a series of frequently asked questions to provide assistance to institutions when complying with the regulation’s requirements.
OCC Files Motion Seeking Dismissal of NYDFS Fintech Challenge
On August 18, the OCC filed a motion in the U.S. District Court for the Southern District of New York to dismiss a lawsuit brought by the New York Department of Financial Services (NYDFS) challenging the OCC’s fintech charter, which would allow the OCC to consider applications from fintech firms for Special Purpose National Bank Charters (SPNB). See Vullo v. Office of the Comptroller of the Currency, Case 17-cv-03574 (S.D.N.Y., Aug. 18, 2017). In a memorandum supporting its motion to dismiss, the OCC argued that the case is not ready for judicial review because NYDFS’ claims that the charter is unlawful and would grant preemptive powers over state law are “contingent on future actions that [the] OCC might or might not take.” Therefore, because NYDFS “cannot point to any injury-in-fact that it has suffered as a result of [the] OCC’s purported actions . . . all of the potential injuries . . . are future-oriented and speculative, and therefore insufficient to confer standing.” Citing Lujan v. Defenders of Wildlife, the OCC asserted that injury must be “likely”—not just “speculative” in nature.
The OCC additionally contended that NYDFS’ challenge lacks standing because:
- The matter fails to meet the fitness and hardship prongs for ripeness and lacks evidence of concrete hardship: (i) the fitness prong is not met because the OCC’s inquiry regarding whether to offer SPNB Charters is ongoing and it has not decided whether it will accept applications for the charters; and (ii) the hardship prong is not met because the OCC averred NYDFS “will not suffer any immediate or significant hardship” if the court were to delay review of this matter.
- Any challenge to the OCC’s 2003 amendment to Section 5.20(e)(1) is “time-barred by the statute of limitations applicable to civil actions against federal agencies.” Furthermore, “[i]nsofar as the adoption of the amendment . . . constitutes a final agency action that [NYDFS] seeks to challenge here, any cause of action would have accrued on January 16, 2004, when the Final Rule became effective. 68 Fed. Reg. 70122 (Dec. 17, 2003). Accordingly, the time for filing a facial challenge to the regulation expired on January 16, 2010.”
- NYDFS’ complaint fails to state a claim on which relief may be granted because the OCC would have had to have issued Section 5.20(e)(1) charters—non-finalized policy statements and requests for public input alone are insufficient to satisfy the “final agency action” requirement needed to give rise to a claim under the Administrative Procedure Act. The OCC asserted it has not completed its decision-making process and that its actions have not affected rights or obligations or resulted in legal consequences.
- Under the National Bank Act, the OCC’s interpretation of “the business of banking”—in which a special purpose bank “must conduct at least one of the following three core banking functions: receiving deposits; paying checks; or lending money”—deserves Chevron deference.
- The OCC has statutory and constitutional authority to issue a Section 5.20(e)(1) charter because: (i) the limited judicial authority cited by the DFS is not entitled to weight; (ii) the historical understanding of “bank” is consistent with the OCC’s interpretation; and (iii) any SPNB charters issued to fintechs pursuant to Section 5.20(e)(1) would not violate the Tenth Amendment.
See additional InfoBytes coverage on NYDFS’s challenge to the OCC’s special purpose fintech charter here and here.
NYDFS Launches New Cybersecurity Portal, Sets Compliance Deadlines
On July 31, the New York Department of Financial Services (NYDFS) announced the launch of an online cybersecurity portal for businesses to securely report cybersecurity events as required by the state’s cybersecurity regulation that took effect March 1. (See previous InfoBytes summary here.) The regulation, Cybersecurity Requirements for Financial Services Companies, requires all banks, insurance companies, and other financial services institutions regulated by NYDFS to establish and maintain cybersecurity programs to safeguard consumers’ private data. The cyber portal is designed to facilitate easy reporting of cybersecurity events and will allow regulated entities to file compliance certifications. Starting August 28, 2017, all entities required to comply with NYDFS cybersecurity regulations “must file certain notifications to the [Financial Services] Superintendent including notices of certain cybersecurity events within 72 hours from a determination that a reportable event has occurred.” A cybersecurity event is reportable if it: (i) “impacts the covered entity and notice of it is required to be provided to any government body, self-regulatory agency or any other supervisory body”; or (ii) “has a reasonable likelihood of materially harming any material part of the normal operation(s) of the covered entity.” Additionally, covered entities are required to file a certificate of compliance confirming compliance for the previous calendar year no later than February 15, 2018.
OCC Requests Pre-Motion Conference to Discuss NYDFS Fintech Challenge
On July 25, acting U.S. Attorney for the Southern District of New York, Joon H. Kim, filed a letter with the federal court in that district on behalf of the OCC, requesting a pre-motion conference to discuss its anticipated motion to dismiss the New York Department of Financial Service’s (NYDFS) suit against the OCC’s special purpose fintech charter. See Vullo v. Office of the Comptroller of the Currency, Case 17-cv-03574 (S.D.N.Y., Jul. 25, 2017). As previously covered in InfoBytes, NYDFS filed the lawsuit May 12 on the grounds that the charter is unlawful and would grant preemptive powers over state law. Kim cites the following three reasons for dismissal of NYDFS’s complaint:
- NYDFS lacks standing to bring the suit because, although the OCC has “publically [sic] contemplated the possibility of issuing fintech charters…those public statements do not amount to a ‘final agency action’ subject to challenge under the [Administrative Procedure Act].” Indeed, since any harm NYDFS can identify is “conjectural or hypothetical,” and it has not suffered any “actual or imminent” injury, the Court lacks subject matter jurisdiction.
- OCC’s interpretation of its statutory authority under the National Bank Act (NBA) refers to Section 5.20(e)(1), which “reasonably limits the issuance of charters to institutions that carry on at least one of three ‘core banking activities’ [such as] the receipt of deposits, the payment of checks, or the lending of money.” Thus, regulations that allow chartering approvals—even if the chartered companies don't take deposits—is reasonable because they carry on at least one core banking function.
- The Supremacy Clause of the U.S. Constitution would protect fintech banks chartered under the relevant OCC rules and entitle them to NBA protections against state interference. Kim noted that it “is well established that the Supremacy Clause operates in concert with the NBA to displace state laws or state causes of action that conflict with federal law or that prevent or significantly interfere with national bank powers.”
The OCC faces a separate fintech lawsuit in the District Court for the District of Columbia brought by the Conference of State Bank Supervisors. (See previous Special Alert.)
NYDFS Fines Global Bank $350 Million for Alleged Foreign Exchange Trading Violations
On May 24, the New York Department of Financial Services (NYDFS) announced that it had assessed a $350 million fine against a global bank and its New York branch (Bank) as part of a consent order addressing allegations that the Bank’s foreign-exchange business had engaged in long-term violations of New York banking law. According to the announcement, NYDFS investigated alleged misconduct occurring between 2007 to 2013 and found the improper conduct “included collusive activity by foreign exchange traders to manipulate foreign exchange currency prices and foreign exchange benchmark rates; executing fake trades to influence the exchange rates of emerging market currencies; and improperly sharing confidential customer information with traders at other large banks.” Specifically, the violations include the following:
- collusion through on-line chat rooms to manipulate securities prices and artificially increase profits;
- improperly exchanging information about past and impending customer trades, including sharing confidential customer information via personal email, in order to maximize profits at customers’ expense;
- manipulating “the price at which daily benchmark rates were set—both from collusive market activity and improper submissions to benchmark-fixing bodies”; and
- “misleading customers by hiding markups on executed trades, including by using secretive hand signals when customers were on the phone; or by deliberately ‘underfilling’ a customer trades, in order to keep part of a profitable trade for the Bank’s own book.”
In addition to the $350 million monetary penalty, the Bank must, within 90 days of the consent order, submit written plans to (i) improve senior management’s oversight of the Bank’s compliance with New York laws and regulations governing its foreign exchange trading business; (iii) enhance internal controls and compliance to adhere to state and federal laws and regulations; and (iii) improve its compliance risk management and internal audit programs. Additionally, the Bank terminated certain employees involved in the misconduct and has agreed it will not—directly or indirectly—re-hire these individuals in the future. As part of this process, the Bank conducted an “employee accountability review” and disciplined other employees “for misconduct or supervisory failures.”