On December 28 of last year, the Colorado Attorney General’s Office, through the Administrator of the Uniform Consumer Credit Code (UCCC), issued an advisory for entities filing sales finance notifications. The advisory strongly recommends that purchasers and assignees of consumer credit transactions subject to the UCCC develop and implement a due diligence process to confirm that the retail credit sellers originating those contracts have filed the proper notice under UCCC Section 5-6-203(4). As explained in the advisory, if notice is not properly filed, consumers “may not have an obligation to pay the finance charge due on those consumer credit transactions.” The list of retail credit sellers who currently file notifications with the department can be accessed here.
On February 16, New York Governor Andrew Cuomo announced that with the New York Department of Financial Services’ (NYDFS) publication of a Final Regulation, New York’s “First-in-the-Nation Cybersecurity Regulation” is set to take effect on March 1. As discussed previously in InfoBytes, the regulation—which requires banks, insurance companies, and other financial services institutions regulated by NYDFS to establish and maintain a cybersecurity program designed to protect consumers’ private data—imposes broad and, in some cases, proscriptive data security and cybersecurity requirements on Covered Entities that venture into new territory for both state and federal financial regulators. Indeed, as described by Governor Cuomo, the regulation reflects New York’s efforts to “lead the nation” through “decisive action to protect consumers and our financial system from serious economic harm that is often perpetrated by state-sponsored organizations, global terrorist networks, and other criminal enterprises.”
Moreover, as detailed in a follow-up InfoBytes Special Alert, NYDFS issued an updated proposed regulation on December 28 in response to over 150 comments and testimony presented at a hearing before New York State lawmakers. Though the updated proposed regulation did not differ drastically from the original, the revised proposed regulation provided for somewhat greater flexibility in how covered entities could go about implementing the requirements. Among other things, the December 28 revisions provided for: (i) longer timeframes for compliance with its requirements; (ii) more flexibility for compliance with certain requirements and acknowledgement that some requirements may not be applicable to all financial institutions; and (iii) clarifications to certain key definitions.
The newly released Final Regulation retains the revisions incorporated in the December 28 revision, but also contains the following notable revisions:
- Record retention requirements for audit trail materials relating to Cybersecurity Events were reduced from five years to three years.
- Clarification that Covered Entities’ policies and procedures for reporting by Third Party Service Providers of Cybersecurity Events only apply to the Covered Entity’s Nonpublic Information.
- The limited exemption for small businesses to certain requirements of the rule has been narrowed by including a Covered Entity’s New York affiliates when calculating its number of employees and annual revenue.
- Further clarification on the exemptions for companies regulated under New York’s Insurance Law.
With the expiration of the 30-day comment period and the publication of the Final Rule, New York’s Cybersecurity regulation is officially cleared to become effective upon publication in the New York State Register on March 1.
InfoBytes will continue to monitor the rollout of this pioneering regulation as it progresses.
On February 17, the California Department of Business Oversight (DBO) announced a settlement with a national mortgage servicer, resolving allegations that the company committed numerous violations of state and federal laws and regulations. The allegations arose from examinations of the company’s servicing practices by a third-party auditor. The examinations were conducted pursuant to a January 23, 2015 consent order entered into by the DBO and the company, and covered the period of January 1, 2012 through June 30, 2015. The 2017 consent order requires the company to pay $20 million in borrower restitution, mandates that the company provide borrowers with $198 million of debt forgiveness through loan modifications over three years, and imposes $5 million in penalties, attorney’s fees, and costs. However, the terms of the order also restore the company’s ability to service new California mortgages.
Georgia Attorney General Orders Payday Lenders to Pay $40 Million in Civil Monetary Penalty and Restitution to Consumers
On February 8, the Office of the Georgia Attorney General announced that it had entered into a settlement agreement with two payday lenders over claims that the companies violated the state’s Payday Lending Act, which prohibits unlicensed loans of $3,000 or less. While the interest rate for loans made under the Payday Lending Act is capped at 10 percent, the unlicensed lenders in this case allegedly issued over 18,000 loans with interest rates ranging from 140 percent to 340 percent and collected over $32 million in associated interest and fees since 2010. According to the terms of the settlement, the companies are required to (i) pay $23.5 million in consumer restitution; (ii) cease all collections and forgive all outstanding loans; (iii) pay a $1 million civil penalty to the state; and (iv) pay $500,000 as reimbursement for the state’s attorneys’ fees and costs.
On February 9, the New York Attorney General’s (NYAG’s) office announced two settlements with mobile app developers who allegedly omitted information about their data collection practices in their privacy policies. While the investigation revealed that neither developer misused their customers’ personal information or improperly disclosed such information to third parties, the NYAG’s office determined that both companies failed to properly disclose the fact that they had collected the information as required by law. Both companies have agreed to add privacy policies to their apps.
On February 1, the Conference of State Bank Supervisors (CSBS) announced the release of its BSA/AML Self-Assessment Tool—a new, voluntary tool to help banks and non-depository financial institutions better manage Bank Secrecy Act/Anti-Money Laundering (BSA/AML) risk. Building upon CSBS’s efforts to help banks understand their risk exposure to third-parties, the self-assessment tool—developed jointly by the CSBS and state regulators—aims to help institutions better identify, monitor, and communicate BSA/AML risk, thereby reducing some of the burden and uncertainty surrounding compliance and facilitating more transparency within the financial sector. The self-assessment tool is available for use by any institution and may be accessed here. A narrated tutorial is also available here. Last year, CSBS released a white paper that outlines state supervision of money services businesses.
On January 31, state attorneys general from 49 states and the District of Columbia announced a $5 million settlement with a global money services business that resolves investigations into allegations that scammers used the company’s wire transfer services to defraud consumers over a period of 9 years. The company agreed to implement an anti-fraud program as part of the settlement, with the settlement funds paying for the states’ costs and fees. As discussed previously on InfoBytes, the company recently entered a $586 million settlement with the DOJ in connection with similar AML-related claims, which will be used for refunds to the victims of fraud-induced wire transfers.
On January 30, the New York Department of Financial Services (NYDFS) announced that it had assessed a $425 million fine against a German bank as part of a consent order addressing allegations that the bank allowed $10 billion in “mirror trades” involving Russian investors by failing to properly enforce protections against money laundering. According to the press release, the bank and several of its senior managers allegedly “missed key opportunities to detect, intercept and investigate a long-running mirror-trading scheme facilitated by its Moscow branch and involving New York and London branches.” Specifically, the consent order claims the bank (i) conducted its business in an unsafe and unsound manner; (ii) implemented weak “Know Your Customer” processes; (iii) failed to accurately rate its country and client risks for money laundering throughout the relevant time period and lacked a global policy benchmarking its risk appetite; (iv) maintained ineffective, understaffed anti-financial crime, AML, and compliance units; and (v) had a flawed corporate structure and organization.
In addition to the $425 million monetary penalty, the bank must, within 60 days of the consent order, engage an independent monitor to “conduct a comprehensive review of the [b]ank’s existing BSA/AML compliance programs, policies and procedures.” Furthermore, the bank must submit in writing for NYDFS review an action plan outlining enhancements to its current BSA/AML compliance programs.
On January 29, New York Attorney General Eric T. Schneiderman announced a settlement with a foreign computer manufacturer over allegations of a data breach of customer data. The AG’s office claims the security vulnerabilities allowing for the breach lasted almost a full calendar year. In addition to a $115,000 penalty, the manufacturer is required to “maintain [both] reasonable security policies designed to protect consumer personal information. . .[and] data security standards required by the credit card industry.”
On January 18, the New York State Department of Financial Services (NYDFS) announced that it had approved the application of Coinbase, Inc., for a virtual currency and a money transmitter license. According to NYDFS, the license was issued to Coinbase—a digital currency wallet that facilitates transactions with Bitcoin and other virtual currencies—only after “a comprehensive review of Coinbase’s applications, including the company’s anti-money laundering, capitalization, consumer protection, and cyber security policies.” Having met the New York regulator’s standards for operations in the state, Coinbase may now operate, under supervision by NYDFS, as a service for buying, selling, sending, receiving and storing Bitcoin.
As previously covered in InfoBytes, NYDFS’s BitLicense framework—which was finalized back in June 2015—requires virtual currency companies to submit a 31-page application providing information covering, among other things: (i) written policies and procedures including, but not limited to BSA/AML, cybersecurity, privacy and information security, (ii) company information, (iii) biographical information on company directors and stockholders, and (iv) an explanation of the methodology used to calculate the value of virtual currency in fiat currency. In addition, the NYDFS released a set of FAQs to help clarify the BitLicense requirements. To date, NYDFS has approved five firms for virtual currency charters or licenses, while denying those applications that did not meet its standards.