Skip to main content
Menu Icon
Close

InfoBytes Blog

Financial Services Law Insights and Observations

Filter

Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.

  • California joins multistate settlement with securities brokerage

    State Issues

    On April 6, the California Department of Financial Protection and Innovation (DFPI) joined a multi-state settlement with a securities brokerage company stemming from an investigation spearheaded by state securities regulators from Alabama, Colorado, California, Delaware, New Jersey, South Dakota, and Texas relating to certain alleged operational and technical failures. According to DFPI, the investigation was triggered by a March 2020 incident in which the brokerage company experienced several platform outages during a period in which hundreds of thousands of investors relied on the company’s app to make trades, thus preventing some users from being able to process trades. The settlement order sets out multiple alleged violations by the brokerage company, including negligently disseminating inaccurate information to customers, failing to have a “reasonably designed customer identification program,” inadequately supervising critical technology, having a deficient system for dealing with customer inquiries, failing to exercise due diligence before approving certain option accounts, and failing to report all customer complaints to FINRA and state securities regulators.

    While the company neither admitted nor denied the findings, it agreed to pay up to $10.2 million in penalties and will continue to implement recommendations to address the alleged misconduct. DFPI noted in its announcement that it “found no evidence of willful or fraudulent conduct” by the company, and said the company fully cooperated with the investigation.

    State Issues Securities State Regulators California DFPI Settlement

  • Multinational tech company to pay $3.3 million for OFAC and BIS violations

    Financial Crimes

    On April 6, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC), in consultation with the Department of Commerce’s Bureau of Industry and Security (BIS), announced a $3.3 million settlement with a multinational technology company to resolve potential civil liabilities stemming from the exportation of services or software from the United States to sanctioned jurisdictions and to Specially Designated Nationals (SDNs) or blocked persons. The settlement comprised an agreement with OFAC to pay a civil penalty of $2,980,264.86 and an administrative penalty of $624,013 with BIS. In light of the related OFAC action, the company was given a $276,382 credit by BIS contingent upon the company fulfilling its requirements under the OFAC settlement agreement, resulting in a combined overall penalty amount of $3,327,896.86.

    According to OFAC’s web notice, the conduct underlying the administrative penalty imposed by BIS stemmed from certain conduct involving the company’s Russian subsidiary. The conduct underlying the settlement with OFAC took place between July 2012 and April 2019, when the company and certain subsidiaries allegedly “sold software licenses, activated software licenses, and/or provided related services from servers and systems located in the United States and Ireland to SDNs, blocked persons, and other end users located in Cuba, Iran, Syria, Russia, and the Crimea region of Ukraine.” The total value of the 1,339 apparent violations was more than $12 million. OFAC alleged that the causes of these apparent violations stemmed from a lack of complete or accurate information on end customers for the company’s products, and that during the relevant time period, there were shortcomings in the company’s restricted-party screening controls. Among other things, OFAC alleged that the company’s screening architecture did not aggregate identifying information across its various databases to identify SDNs or blocked persons, failed to screen and evaluate pre-existing customers in a timely fashion, and missed common variations of restricted party names.

    In arriving at the $2,980,265.86 settlement amount, OFAC considered various mitigating factors, including that (i) evidence did not show that persons located in U.S. offices or management were aware of the alleged activity at the time (the apparent violations were revealed during a self-initiated look back); (ii) upon identifying the apparent violations, the company self-disclosed the matter to OFAC, conducted a retrospective review of thousands of past transactions, cooperated with OFAC throughout the investigation, terminated the accounts of the SDNs or blocked persons, and updated internal procedures to disable access to products or services upon discovery of a sanctioned party; and (iii) the company “undertook significant remedial measures and enhanced its sanctions compliance program through substantial investment and structural changes.” OFAC outlined several compliance considerations for companies conducting business through foreign-based subsidiaries, distributors, and resellers, and reminded businesses that OFAC’s SDN List is dynamic, and that when changes to the list are made, “companies should evaluate their pre-existing trade relationships to avoid dealings with prohibited parties.”

    Financial Crimes Of Interest to Non-US Persons OFAC Department of Treasury OFAC Sanctions OFAC Designations Enforcement Settlement Department of Commerce Cuba Iran Syria Ukraine Russia

  • NYDFS, crypto payment company reach AML/cybersecurity settlement

    State Issues

    On March 16, NYDFS issued a consent order against a payment service provider for allegedly failing to comply with the state’s virtual currency and cybersecurity regulations. The company was licensed to engage in virtual currency business activity in the state pursuant to 23 NYCRR Part 200. Licensees under Part 200 are required to, among other things, comply with federal and state laws mandating effective controls to guard against money laundering and certain other illegal activities. A 2022 NYDFS examination revealed that, although the company made improvements to address deficiencies within its AML and cybersecurity compliance programs that were identified during a 2018 examination, the programs still required additional improvements to achieve regulatory compliance. NYDFS concluded that the company violated sections of Part 200 by allegedly failing to develop adequate internal policies and controls to maintain compliance with applicable AML laws or to develop procedures to ensure compliance with necessary risk management requirements under applicable OFAC regulations. Furthermore, the company violated the state’s cybersecurity regulation (23 NYCRR Part 500) by failing to conduct periodic cybersecurity risk assessments and failing to timely appoint a designated chief information security officer responsible for overseeing, implementing, and reporting on the company’s cybersecurity program. Under the terms of the consent order, the company agreed to pay a $1 million civil monetary penalty and submit an action plan to NYDFS within 180 days detailing its remediation efforts. The company also agreed to conduct a comprehensive cybersecurity risk assessment within 150 days and to continue to strengthen its controls, policies, and procedures to prevent future violations.

    State Issues Digital Assets Privacy, Cyber Risk & Data Security State Regulators NYDFS Anti-Money Laundering Cryptocurrency Virtual Currency Payments Fintech Settlement 23 NYCRR Part 200 23 NYCRR Part 500 OFAC Risk Management

  • National bank fined $98 million by OFAC, Fed for sanctions violations

    Financial Crimes

    On March 30, the U.S. Treasury Department’s Office of Foreign Assets (OFAC) announced a $30 million settlement with a national bank to resolve potential civil liabilities stemming from trade insourcing software that the bank and its predecessor bank provided to a foreign European bank between 2008 and 2015. According to OFAC’s web notice, at the direction of a mid-level manager, the predecessor bank customized the software for general use by the European bank, which the predecessor bank “knew or should have known would involve engaging in trade-finance transactions with sanctioned jurisdictions and persons.” The European bank used the software to manage 124 non-OFAC compliant transactions totaling approximately $532 million involving parties in jurisdictions subject at the time of the transactions to sanctions regulations.

    OFAC noted that the national bank inherited the trade insourcing relationships when it acquired the predecessor bank, claiming that the national bank “did not identify or stop the European bank’s use of the software platform for trade-finance transactions involving sanctioned jurisdictions and persons for seven years despite potential concerns raised internally” following the acquisition. OFAC also noted, however, that the national bank’s alleged failure to stop the violations “was not a result of a systemic compliance breakdown within the broader [] organization,” which OFAC acknowledged has “a historically strong overall sanctions-compliance program.”

    In arriving at the settlement amount, OFAC considered various mitigating factors, including that (i) the majority of the 124 apparent violations related to agriculture, medicine, and telecommunications and therefore may have been eligible for a general or specific license, thus mitigating the harm to sanctions policy objectives; (ii) the legacy business unit at the predecessor bank was relatively small and that there was no indication that senior management either directed or had actual knowledge that the predecessor bank provided the software to the European bank for such purpose; and (iii) upon identifying the alleged violations, the bank promptly terminated the European bank’s access, voluntarily disclosed the matter to OFAC, conducted an extensive internal investigation, produced the results to OFAC, cooperated with OFAC throughout the investigation, agreed to toll the statute of limitations, and took remedial measures.

    Concurrently, the Federal Reserve Board issued an order fining the bank holding company in the amount of $67.8 million for allegedly engaging in unsafe or unsound practices related to its oversight of sanctions compliance risks at the national bank. The Fed noted that the national bank “no longer offers the trading platform to foreign banks” and has “strengthened firmwide compliance with OFAC regulations.”

    Financial Crimes Of Interest to Non-US Persons OFAC Department of Treasury Enforcement OFAC Sanctions OFAC Designations Settlement

  • District Court approves $1.75 million data breach settlement

    Privacy, Cyber Risk & Data Security

    On March 3, the U.S. District Court for the Central District of California granted final approval of a $1.75 million class action settlement resolving allegations related to a 2020 data breach that compromised nearly 100,000 individuals’ personally identifiable information, including financial information, social security numbers, health records, and other personal data. The affected individuals are students, parents, and guardians who were enrolled in a system used to manage student data in a California school district. According to class members, by failing to adequately safeguard users’ login credentials and by failing to timely notify individuals of the breach, the company violated, among other things, California’s unfair competition law, the California Customer Records Act, and the California Consumer Privacy Act.

    Under the terms of the settlement, the company is required to pay a non-reversionary settlement amount of $1.75 million, which will be used to compensate class members and pay for attorney fees and costs, service awards, and administrative expenses. Additionally, as outlined in the motion for preliminary approval of the class action settlement, class members are eligible to submit claims for “ordinary losses” (capped at $1,000 per person), as well as “extraordinary losses” (capped at $10,000 per person). Ordinary losses include expenses such as bank fees, long distance phone charges, certain cell phone charges, postage, gasoline for local travel, “[f]ees for additional credit reports, credit monitoring, or other identity theft insurance products,” and up to 40 hours of time, at $25/hour, for at least one full hour used to deal with the data breach. Extraordinary losses are described as those “arising from financial fraud or identity theft” where the “loss is an actual, documented, and unreimbursed monetary loss” and is “fairly traceable to the data breach” and not already covered by another reimbursement category. Class members must also show that they made “reasonable efforts to avoid, or seek reimbursement for, the loss.” All class members will be offered 12 months of credit monitoring and identity theft protection at no cost, and the company will implement “information security enhancements” to prevent future occurrences.

    Privacy, Cyber Risk & Data Security Courts Settlement Data Breach Class Action State Issues California CCPA

  • OFAC settles with Indian tobacco company on North Korean transactions

    Financial Crimes

    On March 1, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced a $332,500 settlement with an India-registered tobacco company to resolve allegations that it “requested payment in U.S. dollars for its indirect exportation of tobacco to the Democratic People’s Republic of Korea [(DPRK)].” According to OFAC’s web notice, in late 2016, an assistant manager at the company and a representative from a Thai intermediary began communicating about a prospective order of tobacco from a DPRK customer. A decision was eventually made not to include the DPRK customer or to list the DPRK in trade documents for the order. Rather, the order listed the Thai intermediary as the customer and China as the destination. OFAC maintained that the company issued three invoices to the Thai intermediary for its tobacco orders, and asked that payments be sent in USD to either the company’s bank account at a non-U.S. bank in India or to the India-branch of a U.S. bank. Between July and August 2017, four Hong Kong-organized intermediaries remitted funds to the company for these shipments and made five payments totaling approximately $369,228. Four of the five USD payments were sent to the non-U.S. bank, causing three U.S. financial institutions to clear the payments. The fifth payment was sent to the India-branch of a U.S. bank. By directing the Hong Kong intermediaries to remit payments in USD, OFAC claimed the company “caused U.S. correspondent banks that processed the payments, as well as the foreign branch of a U.S. bank, to export financial services to or otherwise facilitate the exportation of tobacco to the DPRK” in violation of the North Korea Sanctions Regulations.

    In arriving at the settlement amount, OFAC determined, among other things, that several managers had actual knowledge of the alleged conduct at issue, and that the company “acted recklessly” by “fail[ing] to exercise a minimal degree of caution or care for U.S. sanctions laws and regulations and caus[ing] U.S. financial institutions to export financial services or otherwise facilitate the exportation of tobacco to the DPRK.”

    OFAC also considered various mitigating factors, including that the company has not received a penalty notice from OFAC in the preceding five years. Additionally, the company undertook remedial measures upon learning of the alleged violations, cooperated with OFAC throughout the investigation, and agreed to toll the statute of limitations, the notice said.

    Providing context for the settlement, OFAC said that this action “highlights the deceptive practices DPRK entities use to evade U.S. and international sanctions and acquire revenue-generating goods, such as by employing intermediaries in various countries to coordinate shipping and make payments.”

    Financial Crimes Of Interest to Non-US Persons Department of Treasury OFAC OFAC Sanctions OFAC Designations Settlement North Korea Enforcement

  • DOJ announces $9 million redlining settlement with Ohio bank

    Federal Issues

    On February 28, the DOJ announced a settlement with an Ohio-based bank to resolve allegations that the bank engaged in a pattern or practice of lending discrimination by engaging in “redlining” in the Columbus metropolitan area. The DOJ’s complaint claimed that from at least 2015 to 2021, the bank failed to provide mortgage lending services to Black and Hispanic neighborhoods in the Columbus area. The DOJ also alleged that all of the bank’s branches were concentrated in majority-white neighborhoods, and that the bank did not take meaningful measures to compensate for not having a physical presence in majority-Black and Hispanic communities.

    Under the proposed consent order, the bank will, among other things, (i) invest a minimum of $7.75 million in a loan subsidy fund for majority-Black and Hispanic neighborhoods in the Columbus area to increase access to credit for home mortgage, improvement, and refinance loans, and home equity loans and lines of credit; (ii) invest $750,000 to go towards outreach, advertising, consumer financial education, and credit counseling initiatives; (iii) invest $500,000 to be spent in developing community partnerships to expand access to residential mortgage credit  for Black and Hispanic consumers; (iv) establish one new branch and one new mortgage loan production office in majority-Black and Hispanic neighborhoods in the Columbus area (the bank must “ensure that a minimum of four mortgage lenders, at least one of whom is Spanish-speaking, are assigned to serve these neighborhoods” and employ a full-time community development officer to oversee lending in these neighborhoods); and (v) conduct a community credit needs assessment to identify financial services needs in majority-Black and Hispanic census tracts in the Columbus area. The announcement cited the bank’s cooperation with the DOJ to remedy the identified redlining concerns.

    Federal Issues DOJ Discrimination Redlining Fair Lending Enforcement Settlement Consumer Finance

  • Massachusetts AG reaches $6.5M settlement over deceptive auto-renewal and collection practices

    State Issues

    The Massachusetts attorney general recently reached a $6.5 million settlement with a home security services company, its sister companies, and its CEO to resolve allegations that the defendants violated Massachusetts consumer protection laws by trapping customers in auto renewal contracts and engaging in illegal debt collection practices. The final judgment by consent, filed in Suffolk County Superior Court, resolves a 2019 lawsuit alleging the defendants engaged in unfair and deceptive tactics to prevent customers from canceling their contracts, charged for services during system outages or for services that were never provided, steered customers into contract renewal instead of cancellation, and engaged in aggressive and illegal debt collection practices. Under the terms of the settlement, the defendants are required to pay $1.8 million and waive and forgive $4.7 million of outstanding customer debt. Although they denied the allegations, the defendants have agreed to implement changes to their business practices, including taking measures to come into compliance with the attorney general’s debt collection regulations, offering credits to customers who purchased non-functional systems that cannot be repaired, implementing new complaint procedures, and permitting existing customers to cancel their contracts by telephone, email, and web portal. Additionally, the defendants will make several revisions to the terms of their contracts relating to auto-renewal practices, monitoring charges, cancellation policies and procedures, late fees and other costs.

    State Issues State Attorney General Massachusetts Settlement Debt Collection Consumer Finance

  • District Court approves $1.95 million TCPA settlement

    Courts

    On February 7, the U.S. District Court for the Eastern District of Missouri granted final approval to a $1.95 million settlement in a class action TCPA suit concerning allegations that a defendant debt collection company placed calls to consumers’ cell phones through the use of an artificial or prerecorded voice without first obtaining consumers’ prior express consent. The plaintiff also claimed that the defendant allegedly repeatedly delivered artificial or prerecorded voice messages to wrong or reassigned cell phone numbers that did not belong to the intended recipient. According to the plaintiff, the defendant continued to place calls to his cell phone even after he informed a company representative that it had the wrong number and that he did not know the individual the defendant was attempting to reach. The plaintiff sued alleging violations of Section 227(b)(1)(A)(iii) of the TCPA. While denying all liability alleged in the lawsuit, the defendant agreed to the terms of the settlement agreement, which defines class members as “[a]ll persons in the United States who (a) received a call from [the defendant] between December 16, 2017 and July 7, 2022 on their cellular telephone, (b) with an artificial or prerecorded voice, (c) for which [the defendant’s] records contain a ‘WN’ designation and an ‘MC’ and/or ‘MD’ notation.” The defendant is required to establish a $1.95 million settlement fund, pay $650,00 in attorneys’ fees and $10,477 in costs and expenses, and pay a $10,000 incentive award to the named plaintiff.

    Courts Settlement TCPA Class Action Debt Collection

  • 8th Circuit affirms almost $20 million in damages and attorney’s fees in RMBS action

    Courts

    On February 2, the U.S. Court of Appeals for the Eighth Circuit affirmed a district court order requiring a mortgage lender to pay $5.4 million in damages and $14 million in attorney’s fees for selling mortgages that did not meet agreed-upon contractual representations and warranties to a now-defunct company that packaged and resold the loans to residential mortgage-back securities (RMBS) trusts. The now-defunct company was sued by the RMBS trusts after loans underlying the securitizations began defaulting at a high rate during the 2008 financial crisis. A liquidating trust was established to oversee wind-down measures after the company filed for bankruptcy. The liquidating trust later began suing originators for indemnification over the allegedly defective mortgages. In 2020, the district court ruled in favor of the liquidating trust and entered judgment for $5.4 million in damages, $10.6 million in attorney’s fees, $3.5 million is costs, $2 million in prejudgment interest, and $520,212 in “post-award prejudgment interest.” The district court found, among other things, that the lender had breached its client contracts, and that in doing so, contributed to the now-defunct company’s “losses, damages, or liabilities within the scope of the contractual indemnity.” The court also found the liquidating trust’s damages methodology to be reasonable and nonspeculative. The lender appealed, disagreeing with how the underlying contracts were interpreted, as well as the allocation of multi-party damages and the post-trial award of fees, costs, and interest.

    On appeal, the 8th Circuit disagreed, concluding that the terms of the parties’ contract made the lender liable. The appellate court also rejected the lender’s contention that it should not be expected to pay the claims against the now-defunct company because they were extinguished in bankruptcy, and that the methodology used to calculate the damages was inaccurate. In awarding $5.4 million in indemnification damages, the appellate court held that the district court properly found that the expert’s “‘calculation of damages was reasonable and non-speculative,’ and that his methodology produced a reasonably certain measure of [the liquidating trust’s] indemnifiable damages.” The 8th Circuit further concluded that the fee award was fair and that the district court had accounted for the complexity of the case and the importance of conducting a detailed loan-by-loan analysis. The appellate court also accused the lender of relitigating already decided issues and driving up the costs. However, the 8th Circuit did order the district court to recalculate the post-judgment interest award using guidance under 28 U.S.C. § 1961(a) rather than the 10 percent prejudgment interest rate under Minnesota law.

    Courts Appellate Eighth Circuit Mortgages RMBS Settlement Attorney Fees Interest

Pages

Upcoming Events