On November 9, NYDFS announced that a United Arab Emirates bank will pay a $100 million penalty to resolve an investigation into payments it allegedly processed through financial institutions in the state, including one of the bank’s New York branches. These transactions, NYDFS stated, were in violation of Sudan-related U.S. sanctions. According to NYDFS’ investigation, the bank instructed employees to avoid including certain details in messages sent between banks that would have linked the transactions to Sudan. By concealing these details, the transactions bypassed other banks’ sanctions filters, which otherwise might have triggered alerts or transaction freezes, NYDFS said. As a result, between 2005 and 2009, the bank illegally processed more than $4 billion of payments tied to Sudan. Following an announcement in 2009 that a Swiss bank used by the bank to process these transactions was being investigated by the New York County District Attorney’s Office for violating economic sanctions rules, the bank closed all U.S. dollar accounts held by Sudanese banks, but failed to disclose the prohibited transactions to NYDFS as required until 2015. NYDFS asserted that “despite having ample notice of the prohibited nature of the Sudan-related [transactions] by 2009,” the bank’s New York branch processed an additional $2.5 million in Sudan-related payments. Under the terms of the consent order, the bank—which was previously cited by NYDFS for anti-money laundering and sanctions compliance deficiencies in a 2018 consent order that included a $40 million fine—is also required to provide a status report on its U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) compliance program, in addition to paying the $100 million penalty. NYDFS acknowledged the bank’s substantial cooperation and ongoing remedial efforts.
NYDFS coordinated its investigation with the Federal Reserve Board and OFAC, both of which announced separate settlements with the UAE bank the same day. The Fed’s announcement of its order to cease and desist cites the bank for having insufficient policies and procedures in place to ensure that activities involving branches outside the U.S. were in compliance with U.S. sanctions laws. Under the terms of the order, the bank is required, among other things, to implement an enhanced compliance program to ensure global compliance with U.S. sanctions, and must also conduct annual reviews, including a “risk-focused sampling” of its U.S. dollar payments, led by an independent external party. The order did not include any additional monetary penalties for the bank.
OFAC also issued a finding of violation (FOV) for violations of the now-repealed Sudanese Sanctions Regulations related to the bank’s actions. These violations included 1,760 transactions that involved USD transfers from Sudanese banks that were processed by the bank’s London branch and routed through U.S. banks. In determining that the appropriate administrative action was an FOV rather than a civil monetary penalty, OFAC stated the bank “voluntarily entered into a retroactive statute of limitations waiver agreement, without which OFAC would have been time-barred from charging the violations.” Because the payment messages did not include the originating Sudanese bank, U.S. correspondent banking partners “could not interdict the payments, and the payments were successfully processed through the U.S. financial system,” OFAC stated. However, OFAC credited the bank with providing substantial cooperation during the investigation, and noted that the bank had taken “extensive remediation” efforts before the investigation began in 2015, and has spent more than $122 million on compliance enhancements.
On November 5, the Illinois attorney general and the Illinois Department of Financial and Professional Regulation (IDFPR) announced a settlement resolving allegations that three companies violated Illinois lending laws by generating payday loan leads without a license and arranging high-cost payday loans for unlicensed out-of-state payday lenders. The AG and IDFPR further alleged that the companies falsely represented their loan network as being “trustworthy,” although the loan terms and conditions did not comply with Illinois law, which violated the Illinois Consumer Fraud and Deceptive Business Practices Act. The AG sued the companies in 2014 after the companies refused to comply with a cease and desist order issued by IDFPR, which required them to become licensed. According to the announcement, under the terms of the settlement, the companies are prohibited from: (i) arranging or offering small-dollar loans, online or otherwise, without being licensed by IDFPR; (ii) advertising or offering any small consumer loan arrangements or lead generation services in Illinois, unless they are licensed by IDFPR; and (iii) providing services associated with arranging or offering small dollar loans to Illinois consumers without being licensed by IDFPR.
Recently, the California Department of Financial Protection and Innovation (DFPI) reminded companies licensed under the California Financing Law that they must transition onto the Nationwide Multistate Licensing System & Registry (NMLS) by December 31. Licensees not currently on the NMLS must establish an account in the system and transfer information to DFPI through NMLS on or before the deadline. Applicants and transitioning licensees are required to submit IRS and Secretary of State documentation identifying the employer identification number and the state where the company is registered as a business. DFPI further stated that the time for “DFPI to process the licensee’s NMLS transition does not [affect] the licensure status of the licensee, and may occur after the licensee’s December 31, 2021 deadline to submit the licensee’s information to the DFPI through NMLS.”
Recently, the Utah Department of Commerce adopted amendments to the Utah Residential Mortgage Practices and Licensing Rules to eliminate unnecessary and redundant licensee expenses for criminal background checks and credit reports. Among other things, the amendments provide that if a licensee submits a fingerprint background report to the Nationwide Multistate Licensing System & Registry (NMLS) “that is current according to the NMLS and is dated within 90-days of the date of the application to renew, the Division shall use that fingerprint background report in satisfaction of the requirement of. . .subsection [R162-2c-204]. If there is no current fingerprint background report in the NMLS, the licensee shall submit a fingerprint background report to the NMLS with the licensee’s application to renew.” The same condition also applies to current credit reports dated within 30-days of the date the renewal application was submitted to the NMLS. The amendments also update certain license qualification provisions related to moral character and felony convictions, and eliminate provisions concerning employee incentive programs related to licensed entities. These provisions took effect October 26.
Recently, the California Department of Financial Protection and Innovation (DFPI) released several new opinion letters covering aspects of the California Money Transmission Act (MTA) related to virtual currency and agent of payee rules. Highlights from the redacted letters include:
- Cryptocurrency and Agent of Payee Exemption. The redacted opinion letter reviewed whether MTA licensure is required for a company’s proposal to offer payment processing services that would enable merchants to receive payments in U.S. dollars from buyers of goods and services, automatically exchange these payments into dollar-denominated tokens on a blockchain network, and to store the tokens in a custodial digital wallet. DFPI currently does not require licensure for companies to receive U.S. dollars from a buyer for transfer to a merchant’s wallet as dollar tokens. DFPI explained that even if it did regulate this activity, the structure of the company’s payment processing services satisfies the requirements of the agent-of-payee exemption, wherein the company acts as the agent of the merchant pursuant to a preexisting written contract and the company’s receipt of payment satisfies the buyer’s obligation to the merchant for goods or services. DFPI further explained that while storing dollar tokens in a custodial digital wallet or making subsequent transfers out of a wallet do not currently require licensure under the MTA, DFPI may later determine the activities are subject to regulatory supervision.
- Asset-Backed Tokens and Other Cryptocurrency. The redacted opinion letter asked DFPI whether an MTA license is required to (i) provide technical services to enable owners of metal to create digital assets representing interests in that metal; (ii) facilitate trading in these digital assets; or (iii) provide digital wallets to customers. The company intends to create a platform to facilitate the creation, sale, and trading of metal asset-backed tokens, whereby a customer purchases metal asset-backed tokens (ABTs) or currency tokens using fiat currency stored in an FBO account. Customers will not be allowed to transmit fiat currency to each other except to facilitate the purchase of ABTs or currency tokens, to receive proceeds from ABTs, or to pay platform fees. DFPI explained that while issuing stored value is generally considered money transmission, “[p]roviding technical services to assist in the creation of a [m]etal ABT and [i]ndustrial [t]okens and issuing a digital wallet holding the [m]etal ABT does not require licensure.” DFPI noted that the company is not itself issuing the ABT or industrial tokens. DFPI further concluded that the company does not need an MTA license to issue a digital wallet holding metal ABTs because the digital wallet is not stored value nor can the wallet’s contents be redeemed for money or monetary value or be used as payment for goods or services. DFPI separately indicated that a license is not currently required to facilitate the sale of ABTs, nor the issuance and sale of currency tokens. However, DFPI warned the company that the opinion only pertains to MTA, and that the company should be aware that metal ABTs and industrial tokens “could be considered a commodity and California Corporations Code section 29520 generally prohibits the sale of a commodity, unless an exception applies.”
- Cryptocurrency-to-Precious Metals Dealer. The redacted opinion letter reviewed whether an online cryptocurrency-to-precious metals dealer, which accepts a variety of different cryptocurrencies in exchange for precious metals and also purchases precious metals from customers using different cryptocurrencies, requires MTA licensure. The company referenced a 2016 decision where DFPI determined that a company operating a software technology platform to facilitate the purchase and sale of gold was not engaged in money transmission, that gold and other precious metals were not payment instruments, that the transactions did not represent selling or issuing stored value, and that “the activity did not constitute receiving money for transmission because the sale or repurchase of gold was a bargained-for-exchange and did not involve transmission to a third party.” The company argued that purchasing and selling precious metals with cryptocurrency is similar and should not trigger MTA’s licensing requirement. DFPI agreed that the company’s business activities do not meet the definition of money transmission because precious metals are not payment instruments, and as such, purchasing and selling precious metals for cryptocurrency does not represent the sale or issuance of a payment instrument. Additionally, DFPI concluded that the company is not selling or issuing stored value, nor do the transactions “involve the receipt of money or monetary value for transmission within or outside the U.S.”
- Virtual Currency Wallet. The redacted opinion letter asked whether an MTA license is required to operate a platform that will provide customers with an account to store and transfer virtual currencies. The company will also provide customers access to an exchange where they can facilitate the purchase or sale of virtual currencies in exchange for other virtual currencies. Fiat currency will not be used on the platform. DFPI stated that it does not currently require companies to obtain an MTA license to operate a platform that provides customers with an account to store and transfer virtual currencies. DFPI further stated that a license is not required to operate a platform that gives customers access to an exchange to purchase or sell virtual currencies in exchange for other virtual currencies.
- Purchase of Cryptocurrency. The redacted opinion letter examined whether a company that offers clients a direct opportunity to buy cryptocurrency in exchange for fiat currency requires MTA licensure. The company explained, among other things, that there is no transmission of cryptocurrency to third parties and that it does not offer money transmission services. DFPI concluded that because the company’s activities are limited to directly selling cryptocurrency to clients, it “does not require an MTA license because it does not involve the sale or issuance of a payment instrument, the sale or issuance of stored value, or receiving money for transmission.”
DFPI reminded the companies that its determinations are limited to the presented facts and circumstances and that any change could lead to different conclusions. Moreover, the letters do not relieve the companies from any FinCEN or federal regulatory obligations.
On November 8, the U.S. Court of Appeals for the Ninth Circuit affirmed a district court’s order denying a private Israeli company’s motion to dismiss claims based on foreign sovereign immunity. The Israeli company (defendant) designs and licenses surveillance technology to governments and government agencies for national security and law enforcement purposes. According to the opinion, the defendant markets and licenses a product that allows law enforcement and intelligence agencies to covertly intercept messages, take screenshots, or extract information such as a mobile device’s contacts or history. The plaintiffs (a messaging company and global social media company) sued the defendant claiming it sent malware through the messaging company’s server system to approximately 1,400 mobile devices to gather users’ information in violation of state and federal law, including the Computer Fraud and Abuse Act and the California Comprehensive Computer Data Access and Fraud Act. The defendant moved to dismiss, claiming foreign sovereign immunity protected it from the suit. The defendant further contended that even if the plaintiffs’ allegations were true, it was “acting as an agent of a foreign state, entitling it to ‘conduct-based immunity’—a common-law doctrine that protects foreign officials acting in their official capacity.” The district court disagreed, ruling that common-law foreign official immunity does not protect the defendant in this case because the defendant “failed to show that exercising jurisdiction over [the defendant] would serve to enforce a rule of law against a foreign state.”
Although the 9th Circuit agreed with the district court that the defendant, as a private company, is not entitled to immunity, the panel affirmed on separate grounds. The 9th Circuit based its determination instead on the fact that “the Foreign Sovereign Immunity Act (FSIA or Act) occupies the field of foreign sovereign immunity as applied to entities and categorically forecloses extending immunity to any entity that falls outside the FSIA’s broad definition of ‘foreign state.’” Among other things, the 9th Circuit rejected the defendant’s claim that because governments use its technology it is entitled to the immunity extended to sovereigns. “Whatever [the defendant’s] government customers do with its technology and services does not render [the defendant] an ‘agency or instrumentality of a foreign state,’ as Congress has defined that term,” the appellate court wrote. In contrast to the district court, the 9th Circuit rejected the defendant’s argument that it could claim foreign sovereign immunity under common-law immunity doctrines that apply to foreign officials (i.e., natural persons), finding that “Congress [had] displaced common-law sovereign immunity doctrine as it relates to entities.”
On November 8, the New York governor signed several pieces of legislation relating to consumer protection. Among those, S.153/A.2832 enacts The Consumer Credit Fairness Act, which expands consumer protections against abusive debt collection by, as explained by NYDFS acting Superintendent Adrienne A. Harris, “address[ing] known predatory debt collection practices, barring an abusive common tactic engaged by predatory debt collectors which is to sue on time-barred consumer debts for which they lack even the most basic of documentation.” Certain parts of the Consumer Credit Fairness Act are effective immediately. S.4823/A.3359, effective 30 days after being signed into law, prohibits utility companies from engaging in harassment, oppression, or abuse when coordinating with a residential customer. According to the press release, this legislation responds “to various unscrupulous practices that utility corporations engage in, such as creating a ‘payment agreement’ with customers that encourage customers to take large down payments in exchange for utilities such as energy not being shut down.” S.1199/A.5838 requires the Public Service Commission to have at least one member who is an expert in consumer advocacy. It will also go into effect 30 days after being signed into law.
Earlier this year, the Illinois governor signed HB 2553 to create the Protecting Household Privacy Act. Among other things, the act specifies when state law enforcement agencies may acquire and use data from household electronic devices. The act defines “household electronic data” as information or input provided by a person to a household electronic device that is capable of facilitating electronic communications. (A “household electronic device” excludes personal computing devices and digital gateway devices.) The act generally prohibits law enforcement agencies from obtaining household electronic data “or direct[ing] the acquisition of household electronic data from a private third party.” Exceptions to this prohibition include when a law enforcement agency first obtains a warrant, an emergency situation arises, or the owner of the household electronic device lawfully consents to the acquisition of the data. The act also states that it shall not “be construed to require a person or entity to provide household electronic data to a law enforcement agency,” except as provided under certain provisions outlined in Section 15. The act further requires entities disclosing household electronic data to “take reasonable measures to ensure the confidentiality, integrity, and security of any household electronic data during transmission to any law enforcement agency, and to limit any production of household electronic data to information responsive to the law enforcement agency request.” Additionally, the act outlines information retention limits, which provide, among other things, that if a law enforcement agency obtains household electronic data and does not file criminal charges, it must destroy the data within 60 days unless subject to certain circumstances. The act is effective January 1, 2022.
On November 8, the New York governor signed measures to help prevent robocalls and increase consumer protections. The measures build upon federal actions to combat robocalls and “will enable telecom companies to prevent these calls from coming in in the first place, as well as empower our state government to ensure that voice service providers are validating who is making these calls so enforcement action can be taken against bad actors,” Governor Kathy Hochul stated.
S.6267a requires telecommunication companies to block certain calls, including those from (i) numbers that are not valid North American numbering plan numbers; (ii) numbers that are not allocated to a provider by the North American numbering plan administrator or the pooling administrator; and (iii) unused numbers that are allocated to a provider. According to the governor’s press release, the act codifies into state law the provisions of an FCC 2017 rule that took effect in June 2021 and allows telecommunications companies to proactively block calls from certain numbers. (Covered by InfoBytes here.) These types of numbers, the release states, “are indicative of ‘spoofing’ schemes in which the true caller identity is masked behind a fake, invalid number.” The act takes effect immediately.
The second act, S.4281a, requires voice service providers to authenticate calls using the STIR/SHAKEN call authentication framework. As previously covered by InfoBytes, in 2020, the FCC, pursuant to the TRACED Act, adopted new rules requiring providers to implement the STIR/SHAKEN framework by June 2021. Under New York’s new measure, providers have up to 12 months to implement this framework or an “alternative technology that provides comparable or superior capability to verify and authenticate caller identification in the internet protocol networks of voice service providers.” Violators face a fine of up to $100,000 for each offense per day that the framework is not in place. This act is also effective immediately.
On November 8, the New York governor signed S.2628, which requires employers to notify their employees in writing upon hiring of their intention to monitor or intercept telephone or email conversations or transmissions, or monitor the use or access of other electronic devices. Employers must receive acknowledgement from the employee either in writing or electronically and are also required to post the notice of electronic monitoring in a conspicuous area where it can be viewed by employees. The act applies to any individual, corporation, partnership, firm, or association with a place of business in New York, but does not include the state or political subdivisions of the state. Also exempt are processes “designed to manage the type or volume of incoming or outgoing electronic mail or telephone voice mail or internet usage, that are not targeted to monitor or intercept the electronic mail or telephone voice mail or internet usage of a particular individual, and that are performed solely for the purpose of computer system maintenance and/or protection.” The attorney general is authorized to enforce the act and fine employers found to be in violation of the provisions. The act takes effect in 180 days.