InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
SEC charges cryptocurrency lending platform involved in $2 billion scheme
On September 1, the SEC filed a complaint against an online cryptocurrency lending platform, its founder, and an additional executive and his affiliated company (collectively, “defendants”) alleging they fraudulently raised approximately $2 billion from retail investors through a global unregistered offering of investments involving digital assets. According to the SEC, the defendants sold securities in the form of investments tied to the company’s lending program, and falsely promised investors that its purported proprietary “volatility software trading bot” could generate monthly returns as high as 40 percent. However, the SEC alleged that instead of trading investor funds, the defendants used the funds for their own benefit, such as transferring funds to a digital wallet controlled by their top U.S. promoter (one of the defendants here). To hide the fact that they were not trading the funds as promised, the SEC claimed the defendants “conducted a Ponzi-like scheme in which they at times used funds deposited by newer investors in order to satisfy withdrawal demands made by earlier investors.” The SEC charged the defendants with violating antifraud and registration provisions of the federal securities laws, and is seeking injunctive relief, disgorgement plus prejudgment interest, and civil penalties. In a parallel action, the DOJ announced the same day that the top U.S. promoter pleaded guilty to criminal charges for his role in the cryptocurrency scheme.
FinCEN to host workshop on privacy enhancing digital identity
On August 31, the Financial Crimes Enforcement Network (FinCEN) announced it will host a special Innovations Hours Program on October 14, “focusing on the important role of digital identity to enhance financial services inclusion while supporting efforts to counter illicit activity that undermine the integrity and opportunity of the US financial system.” Fintech and regulatory technology (regtech) companies, venture capital firms, financial institutions, and others interested in providing a demonstration should highlight how their digital identity solutions work and how these solutions “would be used in practice as well as how they may support private- and public-sector efforts to enhance financial integrity and financial inclusion, while protecting personal privacy.” Interested companies should submit requests here no later than September 24. As previously covered by InfoBytes, the Innovation Hours Program was announced in 2019 to provide opportunities for fintech/regtech companies and financial institutions to showcase new and emerging approaches to combating money laundering and terrorist financing and to demonstrate how financial institutions could use such technologies.
SEC seeks public information regarding online trading
On August 27, the SEC announced a request for information and public comments regarding the use of digital engagement practices by broker-dealers and investment advisers, such as behavioral prompts, differential marketing, game-like features (gamification), and other design elements or features designed to engage with retail investors on digital platforms, as well as analytical and technological tools and methods (collectively “digital engagement practices” or “DEPs”). The SEC issued the request to better understand the market practices related to firms' use of DEPs and intends “to learn what conflicts of interest may arise from optimization practices and whether those optimization practices affect the determination of whether DEPs are making a recommendation or providing investment advice.” The request is also intended to provide a forum for market participants to provide their perspectives regarding the use of DEPs, including the potential benefits that DEPs provide to retail investors, and protection concerns related to potential investors. The request will assist in the Commission's assessment of existing regulations and consideration regarding whether regulatory action may be required to continue the Commission's mission. A statement by SEC Chair Gary Gensler noted that though “new technologies can bring us greater access and product choice, they also raise questions as to whether we as investors are appropriately protected when we trade and get financial advice.” The public comment period for the request will remain open for 30 days after publication in the Federal Register.
Agencies issue fintech guidance for community banks
On August 27, the FDIC, OCC, and Federal Reserve Board released a guide as part of its efforts to promote and support the adoption of new technologies by financial institutions. (See also FIL-59-2021 and OCC Bulletin 2021-40.) The Conducting Due Diligence on Financial Technology Companies: A Guide for Community Banks is intended to help community banks conduct due diligence when considering relationships with prospective fintech companies. Among other things, the guide addresses six key due diligence topics for community banks to consider, including (i) business experience, strategic goals, and qualifications; (ii) financial conditions and market information; (iii) legal and regulatory compliance; (iv) risk management policies, processes, and controls; (v) information security programs; and (vi) operational resilience, such as business continuity planning, incident response, service level agreements, and reliance on subcontractors. The guide also provides practical sources of information that may be useful when evaluating fintech companies. The agencies note that use of the guide, which is consistent with the FDIC’s Guidance for Managing Third-Party Risk, is voluntary and that the guide does not anticipate all types of fintech relationships and risks. Consistent with risk-based programs, a community bank may tailor how it uses the information “based on specific circumstances, the risks posed by each third-party relationship, and the related product, service, or activity. . . offered by the fintech company.”
OCC cites preemption decision in valid-when-made rule challenge
On August 24, the OCC filed a statement of recent decision in support of its motion for summary judgment in an action brought against the agency by several state attorneys general challenging the OCC’s final rule on “Permissible Interest on Loans that are Sold, Assigned, or Otherwise Transferred” (known also as the valid-when-made rule). The final rule was designed to effectively reverse the U.S. Court of Appeals for the Second Circuit’s 2015 Madden v. Midland Funding decision and provide that “[i]nterest on a loan that is permissible under [12 U.S.C. § 85 for national bank or 12 U.S.C. § 1463(g)(1) for federal thrifts] shall not be affected by the sale, assignment, or other transfer of the loan.” (Covered by a Buckley Special Alert.) The states’ challenge argued that the rule “impermissibly preempts state law,” is “contrary to the plain language” of section 85 (and section 1463(g)(1)), and “contravenes the judgment of Congress,” which declined to extend preemption to non-banks. Moreover, the states contended that the OCC “failed to give meaningful consideration” to the commentary received regarding the rule, essentially enabling “‘rent-a-bank’ schemes.” (Covered by InfoBytes here.) Both parties sought summary judgment, with the OCC arguing that the final rule validly interprets the National Bank Act (NBA) and that not only does the final rule reasonably interpret the “gap” in section 85, it is consistent with section 85’s “purpose of facilitating national banks’ ability to operate their nationwide lending programs.” Moreover, the OCC asserted that 12 U.S.C. § 25b’s preemption standards do not apply to the final rule, because, among other things, the OCC “has not concluded that a state consumer financial law is being preempted.” (Covered by InfoBytes here.)
In its August 24 filing, the OCC brought to the court’s attention a recent order issued by the U.S. District Court for the Western District of Wisconsin. As previously covered by InfoBytes, the Wisconsin court reviewed claims under the FDCPA and the Wisconsin Consumer Act (WCA) against a debt-purchasing company and a law firm hired by the company to recover outstanding debt and purported late fees on the plaintiff’s account in a separate state-court action. Among other things, the court examined whether the state law’s notice and right-to-cure provisions were federally preempted by the NBA, as the original creditor’s rights and duties were assigned to the debt-purchasing company when the account was sold. The court ultimately concluded that the WCA provisions “are inapplicable to national banks by reason of federal preemption,” and, as such, the court found “that a debt collector assigned a debt from a national bank is likewise exempt from those requirements” and was not required to send the plaintiff a right-to-cure letter “as a precondition to accelerating his debt or filing suit against him.”
SEC enhances public access to EDGAR financial disclosure data
On August 19, the SEC announced enhancements to provide public access to publicly traded companies’ EDGAR financial statements and other disclosures. For the first time, the SEC is releasing Application Programming Interfaces (APIs) that aggregate financial statement data in order to make corporate disclosures quicker and easier for developers and third-party services to use. APIs will also “allow developers to create web or mobile apps that directly serve retail investors.” According to EDGAR Business Office Director Jed Hickman, the “new APIs make important information about public companies more accessible and usable than ever before.” He added that this is another step in “the SEC’s continuing efforts to facilitate innovation and make financial disclosure data accessible to all market participants.”
FDiTech launches tech sprint to test institutions' resilience
On August 16, the FDIC’s technology lab, FDiTech, announced a tech sprint, which challenges participants to “identify solutions that can be used by institutions of all sizes to measure and test their resilience to a major disruption.” The tech sprint, From Hurricanes to Ransomware: Measuring Resilience in the Banking World, is designed to review new measures, data, tools, or capabilities to calculate how well community banks, and the banking sector as a whole, can withstand a major disruption. According to the FDIC, “[r]ecognizing the evolving threat environment to bank operations, their need to strengthen resilience, and given the challenges that banks face in identifying criteria to determine their respective levels of tolerance for a disruption, the FDIC seeks solutions that improve sector-wide resilience by helping answer the question: ‘What would be the most helpful set of measures, data, tools, or other capabilities for financial institutions, particularly community banks, to use to determine and to test their operational resilience against a disruption?’” Registration will be required for stakeholders to participate, and additional information on how to participate is expected on the FDiTech website.
FFIEC gives authentication and access guidance to financial institutions
On August 11, the Federal Financial Institutions Examinations Council (FFIEC) published guidance, on behalf of its members, to provide financial institutions with examples of effective authentication and access risk management principles and practices for customers, employees, and third parties accessing digital banking services and financial institution information systems. Among other things, the guidance: (i) acknowledges significant risks associated with the cybersecurity threat landscape, which reinforces the need for financial institutions to effectively authenticate users and for customers to protect information systems, accounts, and data; (ii) provides examples of effective risk assessment practices, such as inventory of information systems and inventory of digital banking services and customers; and (iii) indicates that single-factor authentication with layered security is inadequate, therefore, multi-factor authentication or controls of equivalent strength with layered security may be more effective.
The guidance replaces the FFIEC-issued Authentication in an Internet Banking Environment (2005) and the Supplement to Authentication in an Internet Banking Environment (2011).
SEC settles with company over misrepresentation of ICO
On July 14, the SEC announced a settlement with the owners and operators of a software platform provider, resolving allegations that the company violated anti-touting provisions by failing to disclose the compensation it received from issuers of the digital asset securities it profiled. According to the order, the company’s website, which was accessible in the U.S. from 2016 to August 2019, publicized offerings for digital tokens. The platform claimed to “list” or profile the “best” token offerings, such as so-called initial coin offerings (ICOs) and initial exchange offerings. The company also allegedly claimed that its “mission [was] to make it easy and safe for people around the world to join ICOs.” According to the order, the platform profiled more than 2,500 different token offerings, which compromised fundraising of over $10 billion. The SEC alleged that the company violated provisions of the Securities Act, such as Section 2(a), because the digital tokens publicized by the company included those that were offered and sold as investment contracts, and 17(b), because the company promoted a security without disclosing that they received compensation for doing so. The order, which the company consented to without admitting or denying the findings, imposes a civil money penalty of $154,434 and $43,000 in disgorgement, and provides that the company must cease and desist from committing or causing any future violations of the anti-touting provisions of the federal securities laws. SEC Commissioners Hester M. Peirce and Elad L. Roisman dissented from the settlement, stating they agreed that “touting securities without disclosing the fact that you are getting paid, and how much, violates Section 17(b)” but “[they] are disappointed that the Commission’s settlement with [the company] did not explain which digital assets touted by [the company] were securities[.]”
DFPI addresses cryptocurrency MTA licensing exemptions
Recently, California’s Department of Financial Protection and Innovation (DFPI) released a new opinion letter covering aspects of the California Money Transmission Act (MTA) related to certain cryptocurrency activities. According to the letter, the requesting company intends to provide an internet-enabled peer-to-peer (P2P) marketplace for the purchase and sale of certain decentralized digital currencies. The P2P marketplace will enable buyers and sellers of the specified cryptocurrency “to connect and arrange for the direct settlement of purchases and sales between such users” through a variety of means, such as bank transfers, gift cards, money transmission, debit card, credit card, among others. Additionally, the company’s P2P marketplace will allow customers to (i) buy goods or services with the specified cryptocurrency from unaffiliated, third-party online retailers who accept that cryptocurrency as a form of payment; (ii) exchange their cryptocurrency for the rights to a US dollar-backed stablecoin; and (iii) remit funds in different currencies, including foreign currency. The company emphasized that it will “not collect, store, or transmit any digital or fiat currency” in any of its four proposed products. DFPI concluded that the Delaware company’s proposed services are not subject to licensing under the MTA, explaining that the sale and purchase of cryptocurrency directly between two parties, in which the company does not facilitate the exchange of the fiat currency or the cryptocurrency, does not meet the definition of money transmission. Likewise, the company’s other proposed products do not constitute money transmission either. DFPI reminded the company, however, that its determination is limited to the facts as presented and that at any time DFPI may determine that the activities are subject to regulatory supervision. Moreover, the letter does not relieve the company from any FinCEN or federal agency obligations.