InfoBytes Blog

Financial Services Law Insights and Observations

  • DFPI addresses MTA licensing requirements

    Recently, the California Department of Financial Protection and Innovation (DFPI) released new opinion letters covering aspects of the California Money Transmission Act (MTA) related to a digital currency trading platform and the referral of customers to financial institutions. Highlights from the redacted letters include:

    • Digital Currency Trading Platform. The redacted opinion letter examines whether the inquiring Company requires licensure under the MTA. The letter describes that the Company’s customers would transfer digital currency into the account they have with the Company, with the balance being reflected in the customer’s wallet issued by the Company. The letter further explains that the Company would provide California residents access to its digital currency trading platform to buy, sell, or hold digital currency and provide liquidity services. The letter also describes, among other things, how customers could use the platform, transfer digital currency into the account, and transfer fiat currency by transferring it from their own bank account or by debit or credit card to the Company. Customers would not be able to send fiat or digital currency to others, except in the context of a sale. DFPI concluded that while the Company’s wallets holding fiat currency meet the definition of stored value, licensure under the MTA was not required because the Company offered fiat currency wallets to customers solely to facilitate the trade of digital currency. DFPI also noted that the Company does not require licensure under the MTA to perform Platform trading services or to issue wallets holding digital currencies.
    • Referral of customers to financial institutions. The redacted opinion letter examines whether the inquiring Company’s referral service is subject to the MTA. The letter describes that under this service, the Company would refer customers to banks, trust companies, and other entities which are either licensed as money transmitters in California or exempt from licensure. Under the proposed referral service, customers would be re-directed to a financial institution’s website where they could set up and fund an account. Customers wishing to buy, sell, or exchange cryptocurrency or fiat currency could do so from the Company’s website and use a third party’s software platform to input their order details. The platform would check to make sure that the customer has sufficient assets in the customer’s account with the financial institution to purchase the cryptocurrency. The financial institution would be the only party to hold, receive, or transmit all cryptocurrencies in the customer’s account. DFPI concluded that the referral service does not meet the definition of money transmission because the service entails connecting customers with financial institutions from which customers can buy, sell, or exchange cryptocurrency. Further, DFPI noted that the transactions between customers and financial institutions are also not money transmission because the customer would simply exchange cryptocurrency directly with the financial institution. Accordingly, DFPI held that licensure under the MTA is not required because the Company will not sell or issue payment instruments, sell or issue stored value, or receive money for transmission by offering the referral service.

    Licensing State Issues State Regulators DFPI California Money Transmission Act Digital Assets Digital Currency Fintech Cryptocurrency California

  • NYDFS fines money transmitter $8.25 million for AML compliance failures

    State Issues

    On March 16, NYDFS announced the imposition of an $8.25 million fine on a money transmitter alleged to have violated anti-money laundering (“AML”) requirements and New York law by failing to adequately supervise local agents in New York City that processed an unusual volume of suspicious transactions to China. NYDFS conducted an examination and enforcement investigation, which found that the company “did not adequately oversee the activity of six agents that saw a large spike in transaction volume of business with China.” According to the investigation, there were roughly 7,500 transactions aggregating approximately $30 million in 2014. These figures rose to more than 25,000 transactions aggregating more than $100 million during the period between January 2016 and May 2017. Most of these transactions were processed by small, store-front independent agents—“a clear indicator of increased money laundering risk, particularly given that the destination was known to carry a high AML risk,” NYDFS stated, adding that the company should have also addressed risks resulting from a suspicious pattern of different senders transmitting money to the same recipient. NYDFS acknowledged that the company, when alerted to the increased transaction activity, severed its relationship with the problematic agents and implemented remedial measures to improve supervision of its agents. Under the terms of the consent order, the company will pay an $8.25 million civil money penalty and is required to submit a report to NYDFS outlining enhancements made with respect to new and existing agents, suspicious activity reporting program, and special transaction limitations. Additionally, NYDFS announced that the company will also update the Department on improvements to the policies and procedures of its Bank Secrecy Act/AML compliance program and will provide data to NYDFS for ongoing monitoring purposes.

    State Issues State Regulators NYDFS Enforcement Compliance Money Service / Money Transmitters Payments Anti-Money Laundering Bank Secrecy Act SARs Of Interest to Non-US Persons China

  • District Court approves $17 million data breach settlement

    Privacy, Cyber Risk & Data Security

    On March 15, the U.S. District Court for the Northern District of Illinois granted final approval of a class settlement to resolve claims alleging two defendant insurance companies failed to protect over six million employee/customers’ personal and private identifying information, including names, addresses, Social Security numbers, and driver’s license numbers, from two data breach and scraping incidents. According to the memorandum of law in support of the plaintiffs’ unopposed motion for final approval, plaintiffs separately filed complaints after learning the defendants were exposed to two separate data breaches in December 2020 and March 2021. The cases were consolidated, and parties engaged in settlement negotiations. Under the terms of the settlement agreement, the defendants will provide settling class members with at least $17.1 million in relief. Class members will also have automatic access to certain financial fraud services and may submit claims to receive compensation for out-of-pocket losses (capped at $10,000 per person) and lost-time losses (up to six hours of lost-time reimbursements at $18 per hour), in addition to receiving $50 per hour if they missed work to address the breaches. Additionally, a California subclass will also be able to file claims for $50 in statutory relief. Under the California Consumer Privacy Act, consumers may seek statutory damages of up to $750 per violation. Defendants are also responsible for a portion of attorneys’ fees and costs.

    Privacy/Cyber Risk & Data Security Courts Settlement Data Breach State Issues CCPA California

  • Wyoming enacts genetic data privacy provisions

    Privacy, Cyber Risk & Data Security

    On March 8, the Wyoming governor signed HB 86, which requires businesses that collect genetic data to obtain consent from a consumer or a consumer’s authorized representative before collecting genetic data, performing genetic testing, or retaining or disclosing a consumer’s genetic data. To safeguard the privacy, confidentiality, security, and integrity of a consumer’s genetic data, businesses must, among other things, (i) provide clear, transparent information to consumers about the collection, use, or disclosure of genetic data before collecting it (including providing a publicly available privacy notice); and (ii) obtain express consent from a consumer before collecting genetic data, and receive separate express consent for transferring or disclosing genetic data to persons “other than the company’s vendors and service providers, or for using genetic data beyond the primary purpose of the genetic testing product or service and inherent contextual uses,” or for retaining genetic data after the initial testing service is completed. The Act outlines additional requirements and prohibitions on the disclosure and retention of genetic data and requires businesses to implement and maintain a comprehensive security program to protect genetic data from unauthorized access, use, or disclosure. Additionally, the Act provides consumers with the statutory right to access and request deletion of genetic data when it is no longer being used or needed for the purpose for which it was collected and provides consumers with a private right of action to seek damages from businesses who violate the Act. Under the Act, businesses have 60 days from the date of notice to cure any alleged violations. The Wyoming attorney general also has the authority to enforce the Act and may seek penalties of up to $2,500 for each violation, as well as actual damages for harmed consumers on whose behalf the action was brought and attorneys’ fees and costs.

    Covered entities or business associates governed by the privacy, security, and breach notification rules issued by the Department of Health and Human Services that collect protected health information under HIPAA are exempt from the Act’s provisions. The Act takes effect July 1.

    Privacy/Cyber Risk & Data Security State Issues State Legislation Wyoming Consumer Protection

  • California clarifies that internally generated inferences are “personal information” under the CCPA

    Privacy, Cyber Risk & Data Security

    On March 10, the California Office of the Attorney General (OAG) issued an opinion on the question of whether, under the California Consumer Privacy Act (CCPA), a consumer’s right to know the specific pieces of personal information collected by a covered business about that consumer applies to internally generated inferences that the business holds about the consumer from either internal or external information sources. According to the OAG, the answer is yes—consumers have the right to know internally generated inferences about themselves, and a business must provide such information upon request, unless a business can demonstrate an applicable CCPA statutory exception. The CCPA, which was enacted in June 2018 and became effective January 1, 2020 (covered by a Buckley Special Alert), provides California consumers with new rights of control over the personal information held about them (with certain exceptions), including the right to know what information is being collected and how a business uses and shares that information, the right to delete personal information, and the right to opt out of certain transfers and sales of their personal information. The OAG noted that while the Consumer Privacy Rights Act of 2020 will become fully operative January 1, 2023, none of the act’s amendments to the CCPA will change the conclusions presented in the opinion.

    The OAG’s opinion defines “inference” under the CCPA to mean “the derivation of information, data, assumptions, or conclusions from facts, evidence, or another source of information or data.” Example inferences such as “married,” “homeowner,” “online shopper,” or “likely voter,” the OAG explained, are derived from information collected by businesses such as online transactions, social network posts, or public records. OAG noted that some businesses also use proprietary methods to create inferences and “then sell or transfer the inferences to others for commercial purposes,” thus allowing, according to studies, “seemingly innocuous data points” to be combined with other data points “to deduce startlingly personal characteristics.” According to the OAG’s interpretation of the plain language of the CCPA, as well as legislative history, businesses are generally required “to disclose internally generated inferences to consumers” “regardless of whether the inferences were generated internally by the responding business or obtained by the responding business from another source.”

    The OAG further explained that inferences are “personal information” for purposes of the CCPA, and therefore must be disclosed provided two conditions exist: (i) “the inference is drawn ‘from any of the information identified’” in subdivision (o) of Civil Code section 1798.140, which includes, among other things, personal identifiers such as names, addresses, account numbers, or identification numbers, customer records, age, gender, race, or religion, as well as inferences obtained from any of the provided items; and (ii) “the inference is used to ‘create a profile about a consumer,’ or in other words to predict a salient consumer characteristic.” For the purposes of responding to a consumer’s request to know, the OAG stated that “it does not matter whether the business gathered the information from the consumer, found the information in public repositories, bought the information from a broker, inferred the information through some proprietary process of the business’s own invention, or any combination thereof.” The business is required to disclose the personal information it holds to the consumer upon request. The OAG noted, however, that the CCPA does not require businesses to disclose protected trade secrets used to derive its inferences, provided the business demonstrates “that such inferences are indeed trade secrets under the applicable law.”

    Privacy/Cyber Risk & Data Security State Issues State Attorney General California CCPA CPRA

  • DFPI reminds financial institutions of their sanctions compliance obligations

    State Issues

    On March 4, the California Department of Financial Protection and Innovation (DFPI) issued guidance, in light of the evolving situation in Ukraine, to remind financial institutions of their sanctions compliance obligations under state and federal law. Licensees are reminded that they are prohibited from participating in financial transactions with individuals and entities listed on the SDN List, and encouraged to review specific, more limited sanctions that have been placed on several Russian entities. This information can be found on OFAC's website.

    Additionally, licensees are strongly encouraged to immediately ensure their systems, programs, and processes comply with OFAC regulations, and review and monitor all transactions (particularly trade finance transactions and funds transfers) to identify and block transactions subject to sanctions. Licensees should also follow OFAC directions related to blocked funds.

    DFPI further warned that Russia’s invasion of Ukraine increases the risk that listed individuals and entities will attempt to evade sanctions by using virtual currency transfers, and encouraged licensees to review OFAC Guidance to protect against these risks. Licensees engaged in transactions involving virtual currencies are instructed to implement policies, procedures, and processes to protect against the unique risks posed by virtual currencies and should “consider virtual currency-specific control measures including sanctions lists, geographic screening, and any other measures appropriate to the licensee’s specific risk profile.”

    Additionally, DFPI cautioned that the “Russian invasion significantly elevates the cyber risk for the U.S. financial sector,” and licensees are instructed to take measures to mitigate cybersecurity threats, including adopting core cybersecurity hygiene measures, eliminating any non-essential networking protocols, ensuring procedures are able to address a ransomware attack, and reevaluating “plans to maintain essential services, protect critical data, and preserve customer confidence considering the realistic threat of extended outages.” Licensees are encouraged to track alerts from the Cybersecurity and Infrastructure Security Agency.

    Licensees conducting business in Ukraine and/or Russia should also “take increased measures to monitor, inspect, and isolate traffic from Ukrainian or Russian offices and service providers,” and “segregate networks for Ukrainian or Russian offices from the global network.”

    NYDFS also recently issued similar guidance for New York state regulated entities on its cybersecurity and virtual currency regulations in response to the Russian invasion and recently imposed sanctions. (Covered by a Buckley Special Alert.)

    State Issues Digital Assets Financial Crimes State Regulators DFPI California NYDFS OFAC Department of Treasury OFAC Sanctions OFAC Designations Ukraine Ukraine Invasion Russia Privacy/Cyber Risk & Data Security

  • 11th Circuit affirms $23 million judgment against founder of debt relief operation

    Courts

    On March 9, the U.S. Court of Appeals for the Eleventh Circuit affirmed summary judgment in favor of the FTC and the Florida attorney general after finding that an individual defendant could be held liable for the actions of the entities he controlled. As previously covered by InfoBytes, the FTC and the Florida AG filed a complaint in 2016 against several interrelated companies and the individual defendant who founded the companies, alleging violations of the FTC Act, the Telemarketing Sales Rule, and the Florida Deceptive and Unfair Trade Practices Act. The complaint alleged that the defendants engaged in a scheme that targeted financially distressed consumers through illegal robocalls selling bogus credit card debt relief services and interest rate reductions. Among other things, the defendants also claimed to be “licensed enrollment center[s]” for major credit card networks with the ability to work with a consumer’s credit card company or bank to substantially and permanently lower credit card interest rates and charged up-front payments for debt relief and rate-reduction services. In 2018, the court granted the FTC and the Florida AG’s motion for summary judgment, finding there was no genuine dispute that the individual defendant controlled the defendant entities, that he knew his employees were making false representations, and that he failed to stop them. The court entered a permanent injunction, which ordered the individual defendant to pay over $23 million in equitable monetary relief and permanently restrained and enjoined the individual defendant from participating—whether directly or indirectly—in telemarketing; advertising, marketing, selling, or promoting any debt relief products or services; or misrepresenting material facts.

    The individual defendant appealed, arguing that there were genuine disputes over whether: (i) he controlled the entities; (ii) he had knowledge that employees were making misrepresentations and failed to prevent them; (iii) employee affidavits “attesting that they had saved customers money created an issue of fact about whether his programs did what he said they would do”; and (iv) he had knowledge of “rogue employees” violating the “do not call” registry to solicit customers.

    On appeal, the 11th Circuit determined that the facts presented by the individual defendant did not create a genuine dispute about whether he controlled the entities, and further stated that the individual defendant is liable for the employees’ misrepresentations because of his control of the entities and his knowledge of those misrepresentations. The appellate court explained that while the individual defendant argued that he could not be liable because he did not participate in those representations, he failed to present any evidence in support of that argument and, even if he had, “it wouldn’t matter, because [the individual defendant’s] liability stems from his control of [the companies], not from his individual conduct.” Additionally, the appellate court held that whether the services were helpful to customers was immaterial and did not absolve him of liability, because liability for deceptive sales practices does not require worthlessness. As to the “do not call” registry violations, the appellate court disagreed with the individual defendant’s claim that an “outside dialer or lead generator”—not the company—placed the outbound calls, holding that this excuse also does not absolve him of liability.

    Courts Appellate Eleventh Circuit Telemarketing Enforcement Debt Relief State Issues State Attorney General Florida FTC Act TSR

  • District Court partially grants motion for class certification

    Courts

    On March 4, the U.S. District Court for the Eastern District of California granted in part a consumer plaintiff’s motion for class certification after denying the defendant credit reporting agency’s motion for summary judgment in an FCRA and California Consumer Credit Reporting Agencies Act (CCRAA) suit. The plaintiff, on behalf of the class, alleged that the defendant “failed to follow reasonable procedures to assure the maximum possible accuracy of the consumer information included in its OFAC Check documents” and “failed to disclose upon request all information in consumer files,” in violation of CCRAA and the FCRA. Additionally, the plaintiff alleged that the defendant “failed to reinvestigate the disputed OFAC-related information that it had prepared and sold” to its clients. In granting in part the plaintiff’s motion for class certification, the district court quoted the U.S. Supreme Court case TransUnion LLC v. Ramirez, which ruled that only a plaintiff concretely harmed by a defendant’s violation of the FCRA has Article III standing to seek damages against a private defendant in federal court (covered by InfoBytes here). In referencing TransUnion LLC v. Ramirez, the district court noted that “[the plaintiff] and the putative class members incurred the ‘same or similar injury’ in that they suffered ‘concrete reputational harm’ from the ‘same conduct’ of [the defendant].” The district court further noted that as a basis for class typicality, “[e]ven if [the plaintiff’s] injuries were slightly more severe than some class members’ injuries, [the plaintiff’s] injuries still arose ‘from the same event or practice or course of conduct that [gave] rise to the claims of other class members and [his claims were] based on the same legal theory.’” Consequently, the district court certified the class with respect to plaintiff’s FCRA allegations for statutory damages and CCRAA claims for injunctive relief. 
    However, the district court denied class certification with respect to plaintiff’s CCRAA allegations for statutory damages, noting that “[t]he CCRAA, unlike the FCRA, requires a showing of actual harm where, as here, the plaintiff is seeking statutory punitive damages” because “individual issues will predominate.”

    Courts OFAC FCRA Class Action California State Issues Consumer Finance

  • District Court preliminarily approves $4.75 million data breach settlement

    Courts

    On March 3, the U.S. District Court for the Western District of Texas preliminarily approved a $4.75 million class action settlement resolving claims between a pharmacy benefits manager and consumers in six different proposed class actions filed in Texas and California. The court also conditionally certified a nationwide settlement class and a California settlement subclass. According to the memorandum in support of the plaintiffs’ motion for preliminary approval of the settlement, plaintiffs claimed the company acted negligently by failing to implement reasonable safeguards for protecting customers’ personally identifiable information and preventing a 2021 data breach, which exposed their sensitive, protected health information. The plaintiffs also alleged that the company breached California privacy and consumer protection laws. If the settlement is granted final approval, the company will be required to create a $4.75 million settlement, and “develop, implement, and maintain a comprehensive information security program that is reasonably designed to protect the security, integrity and confidentiality” of customers’ personal data. The company may also be responsible for a portion of attorneys’ fees, costs, and service awards.

    Courts Data Breach Privacy/Cyber Risk & Data Security Settlement State Issues California Texas

  • New York college to cancel $20 million in unpaid loans

    State Issues

    On March 2, the New York City mayor announced an agreement with a for-profit college resolving allegations that it violated various provisions of New York consumer protection laws. According to the press release, the New York City Department of Consumer and Worker Protection filed the lawsuit against the defendant in 2018, claiming that it, among other things: (i) collected debts that were not owed; (ii) concealed its identity from former students when collecting debts; and (iii) misrepresented on official documents when debts were accrued. Under the terms of the settlement agreement, the defendant is required to cease collecting outstanding student loans incurred prior to January 2019, which are estimated to be valued at approximately $20 million. The defendant must also pay $350,000 in restitution, establish policies related to communicating with students about debt owed to the college, and ensure that the statutes of limitation on debt collection are observed.

    State Issues New York Student Lending Debt Collection Enforcement Consumer Finance
