InfoBytes Blog
Treasury and Federal Reserve Support G-7 Elements of Cybersecurity for the Financial Sector
On October 11, the U.S. Department of the Treasury announced that the Group of Seven (G-7) countries – comprised of the United States, Canada, France, Germany, Italy, Japan, and the United Kingdom – issued fundamental elements to “help address cyber risks facing the financial sector from both entity-specific and system-wide perspectives.” In Fundamental Elements of Cybersecurity for the Financial Sector, the G-7 outlines eight elements for private and public entities within the financial sector to use as “building blocks” for confronting cyber-related issues, the first of which is to establish and implement cybersecurity strategies and operational frameworks tailored to an entity’s nature, size, complexity, risk profile, and culture. The G-7’s remaining seven elements are as follows: (i) define and facilitate effective governance structures to ensure accountability; (ii) identify cyber risks and implement control assessments, including systems, policies, procedures, and training; (iii) “establish systematic monitoring processes to rapidly detect cyber incidents and periodically evaluate the effectiveness of identified controls, including through network monitoring, testing, audits, and exercises”; (iv) ensure that incident response policies are effective and guarantee timeliness; (v) establish and test contingency plans that help to ensure effective recovery of critical functions and operations; (vi) share cybersecurity information with internal and external stakeholders, including threat indicators, vulnerabilities, and incidents; and (vii) develop a review process that addresses, among other things, evolving cyber risks. In support of the G-7 elements, Federal Reserve Vice Chairman Stanley Fischer stated that they are “a crucial step in furthering hardening each link in the chain of our global financial system.”
OCC Releases Bulletin on Revised Examination Procedures for the Military Lending Act
On October 7, following the Federal Reserve’s and the CFPB’s leads, the OCC released Bulletin 2016-33 advising financial institutions of updated interagency examination procedures for compliance with the Department of Defense’s (DoD) Military Lending Act (MLA) July 2015 final rule. As previously summarized in BuckleySandler’s Special Alert, the DoD issued an interpretive rule regarding the amendments to the regulations implementing the MLA on August 26, 2016. The 2015 final rule went into effect for consumer credit products other than credit cards on October 3, 2016. The requirements will take effect for credit card accounts one year later, on October 3, 2017. The OCC plans to include the updated interagency examination procedures in the Comptroller’s Handbook.
CFPB Releases Final Rule on Prepaid Financial Products; Chamber of Digital Commerce Comments on Scope of the Rule
On October 5, the CFPB released its final rule on prepaid financial products, including traditional prepaid cards, mobile wallets, person-to-person payment products, and other electronic accounts with the ability to store funds. The rule is intended to provide consumers with additional federal protections under the Electronic Fund Transfer Act analogous to the protections checking account consumers receive. The following federal protections are included in the new rule: (i) financial institutions will be required to provide certain account information for free via telephone, online, and in writing upon request, unless periodic statements are provided; (ii) financial institutions must work with consumers who find errors on their accounts, including unauthorized or fraudulent charges, timely investigate and resolve these incidents, and restore missing funds when appropriate; and (iii) consumers will be protected against unauthorized transactions, such as withdrawals or purchases, if their prepaid cards are lost or stolen. The rule contains new “Know Before You Owe” prepaid disclosures similar to those used for mortgages and student financial aid offers. In addition to requiring two (one short, the other long) disclosure forms, the new rule requires that prepaid account issuers post agreement offers made available to the general public on their websites, submit all agreements to the CFPB, and make agreements that are not required to be posted on their website available to relevant consumers. 
The new rule also includes credit protections stemming primarily from the Truth in Lending Act and the Credit Card Accountability Responsibility and Disclosure Act, including providing consumers with monthly credit billing statements, giving consumers reasonable time – at least 21 days – to repay their debt before incurring late fees, ensuring that consumers are able to repay the debt before making a credit offer, and limiting the fee and interest charges to 25% of the total credit limit during the first year an account is open. The rule, which has not yet been published in the Federal Register, has a general compliance date of October 1, 2017, but includes certain accommodations, one of which is an October 2018 effective date for the requirement that agreements be submitted to the CFPB.
The Chamber of Digital Commerce submitted comments to the CFPB in December advocating that virtual currency products and services should fall outside the scope of the prepaid rule. Pursuant to the final rule, the CFPB found that “application of Regulation E and this final rule to such products and services is outside the scope of this rulemaking.”
CFPB Creates HMDA and ECOA Safe Harbor for New Fannie/Freddie Application Form
On September 29, the CFPB published an Approval Action in the Federal Register that provides a safe harbor under the Equal Credit Opportunity Act (ECOA) and Regulation B for lenders who use the revised Uniform Residential Loan Application (URLA) form issued by Fannie Mae and Freddie Mac in August 2016. The Bureau’s Approval Action states that it has “determined that the relevant language in the 2016 URLA is in compliance with” Regulation B’s requirements for whether, and how, a creditor may seek information about an applicant’s race, color, religion, national origin, sex, marital status, and income sources, and information about an applicant’s spouse or former spouse.
The Bureau’s Approval Action also offers flexibility for lenders who must collect and report information about mortgage applicants’ ethnicity and race under the Home Mortgage Disclosure Act (HMDA), implemented by Regulation C. On October 28, 2015, the Bureau amended Regulation C to require covered lenders to offer applicants the opportunity to self-identify using disaggregated categories of ethnicity and race, effective January 1, 2018. The CFPB notes in the Federal Register notice that before January 1, 2018, asking applicants to self-identify using the disaggregated categories would not have been allowed under Regulation B’s restrictions on seeking information about an applicant’s ethnicity, race and other characteristics. The Approval Action gives lenders the option of using the disaggregated categories of ethnicity and race for applications taken in 2017 without violating Regulation B. It states that if a lender opts to collect information using the disaggregated categories in 2017, for applications that see final action before January 1, 2018, the lender must report the data to the Bureau using only the current aggregate categories for ethnicity and race. If a lender takes final action in 2018 or later on an application received in 2017, it may choose to report the data using either the current aggregate or the new disaggregated categories.
OCC Issues Bulletin Regarding Mandatory Contractual Stay Requirements for Qualified Financial Contracts
On October 3, the OCC issued Bulletin 2016-31 seeking comment on a proposed rule intended to “enhance the resilience and the safety and soundness of federally chartered and licensed financial institutions.” Pursuant to the proposal, a covered bank would be required to ensure that a covered qualified financial contract (i) contains a contractual stay-and-transfer provision equivalent to those contained in the Dodd-Frank Act’s stay-and-transfer provision under title II and in the Federal Deposit Insurance Act; and (ii) restricts the use of default rights based on an affiliate’s insolvency. Moreover, the proposal would “make conforming amendments in certain definitions in the capital adequacy standards in 12 CFR 3 and the liquidity risk measurement standards in 12 CFR 50.” Comments on the proposed rule are due by October 18, 2016.
FinCEN Assesses Civil Money Penalty Against Nevada-Based Casino for BSA/AML Violations
On October 3, FinCEN assessed a $12 million civil money penalty against a Nevada-based casino for willfully violating the anti-money laundering (AML) provisions of the Bank Secrecy Act (BSA). Pursuant to the Statement of Facts, from March 2009 through September 28, 2015, the casino allegedly failed to (i) develop and implement an effective AML program reasonably designed to ensure compliance with the BSA; (ii) exercise due diligence in its monitoring of suspicious activity; and (iii) maintain sufficient AML compliance controls, procedures, training, and audits, which resulted in multiple filing and recordkeeping control violations. As part of FinCEN’s Assessment and the Non-Prosecution Agreement filed by the U.S. Attorney’s Office, the casino must (i) perform a series of required Remedial Measures to ensure compliance going forward; and (ii) conduct a look-back review to ensure that suspicious transactions and attempted transactions were appropriately reported for transactions that occurred between 2010 and 2013.
FinCEN Acting Director Comments on Recent Casino Actions and Culture of Compliance
On October 3, FinCEN Acting Director Jamal El-Hindi issued a statement regarding anti-money laundering and countering the financing of terrorism compliance. According to Acting Director El-Hindi, two recent actions against casinos represent failure to (i) adequately train staff at every level in the organization; and (ii) properly file – or file at all – Suspicious Activity Reports and Currency Transaction Reports. Still, Acting Director El-Hindi acknowledged that casinos in general have improved their AML compliance efforts. Acting Director El-Hindi stated that FinCEN will continue to work with casinos on their compliance efforts, and cautioned that “[a] good compliance culture is one where doing the right thing is rewarded, and where ‘looking the other way’ has consequences.”
OCC Issues Guidance on "De-Risking" in Foreign Correspondent Banking Relationships
On October 5, the OCC issued Bulletin 2016-32 to provide highly anticipated guidance regarding “de-risking” in foreign correspondent banking relationships. Last week, Comptroller Curry stated that the OCC intended to issue guidance that would reiterate the agency’s “risk management expectations for banks to establish and follow policies and procedures for regularly conducting risk evaluations of their foreign correspondent portfolios.” The guidance outlines “best practices” for banks to use when “conducting periodic reevaluations of the risks related to foreign correspondent accounts and making account retention or termination decisions.” As expected and as previously summarized in BuckleySandler’s Special Alert, these best practices include, but are not limited to, (i) establishing effective governance for overseeing how banks reevaluate risk and monitor recommendations for retaining or terminating foreign correspondent accounts; (ii) communicating regularly to senior management about decisions to retain or terminate foreign correspondent accounts, giving consideration to any adverse impact that closures may have on access to financial services for an entire group of customers or an entire region; (iii) establishing lines of communication with foreign correspondent customers in the context of determining whether to withdraw from a relationship; (iv) considering specific information these customers may provide that may mitigate risks they present; (v) when decisions are made to terminate accounts, providing sufficient time for customers to establish alternative banking relationships, unless any delay would create additional risk; and (vi) maintaining clear audit trails documenting the reasons and methods used for considering account closure.
FCC Releases Revised Proposed Privacy Rules for Broadband Providers
On October 6, the FCC issued a fact sheet on revised privacy rules related to broadband internet services. According to the fact sheet, the proposed rules “are designed to evolve with changing technologies and encourage innovation, and are in harmony with other key privacy frameworks and principles – including those outlined by the [FTC] and the Administration’s Consumer Privacy Bill of Rights.” The FCC first issued a set of privacy rules concerning consumer rights in relation to broadband internet service providers (ISPs) in March. In Chairman Tom Wheeler’s October 6 blog post regarding the recent revisions, he noted that the revised proposal “provide[s] consumers increased choice, transparency and security online.” The proposed rules, among other things, would require ISPs to (i) let consumers know the type of information they are collecting, specify how and the extent to which the information can be used and shared, and identify with whom the information is shared; (ii) obtain consumers’ opt-in consent to use sensitive information, including, among other things, geo-location, social security numbers, and web browsing history; and (iii) provide an opt-out option, consistent with customer expectations, for the use and sharing of non-sensitive information. Notably, the proposed rules “do not apply to the privacy practices of websites or apps, over which the [FTC] has authority…even when a website or app is owned by a broadband provider.” The Commission is scheduled to vote on the proposal on October 27.
DOJ Issues Two Declination Letters Requiring Disgorgement
On September 29, the DOJ issued two declination letters concerning suspected FCPA violations, closing its investigations of two Texas-based corporations. The DOJ claims that its investigation of one of the corporations found that the company’s employees paid approximately $500,000 in bribes to Venezuela and China government officials in order to influence those officials’ purchasing decisions and thereby secure approximately $2.7 million in profits. With respect to its investigation of the second corporation, DOJ claims that the company’s China subsidiary provided approximately $45,000 worth of benefits to China government officials to obtain sales which generated profits of approximately $335,000. In connection with the issuance of the declination letters, the companies agreed to the disgorgement of their profits from the sales associated with their purportedly illegal conduct.
The declinations were made pursuant to the FCPA Pilot Program, a one-year program launched in April 2016 to encourage companies to voluntarily self-disclose FCPA-related misconduct, cooperate with DOJ, and make appropriate remediation efforts. The DOJ’s decision to close the investigations was based on a number of factors including the companies’ (i) voluntary disclosures; (ii) thorough internal investigations; (iii) full cooperation in providing DOJ with information about the individuals responsible for the purported misconduct; (iv) agreement to disgorge all profits made from the purported misconduct; (v) enhancement of compliance programs and internal accounting controls; and (vi) remediation in the form of terminating or sanctioning employees responsible for the purported misconduct. These are the fourth and fifth declination letters issued under the Pilot Program.
The disgorgement of profits in connection with the declination letters to the two corporations raises the question of whether such disgorgement may be a prerequisite to obtaining a declination letter under the Pilot Program. Companies that previously received declination letters under the Pilot Program were required to disgorge profits as part of settling related SEC enforcement actions. Past FCPA Scorecard coverage of the Pilot Program and associated declination letters may be found here.