InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Japanese bank pays $33 million to settle NYDFS claims of weak BSA/AML controls
On June 24, the New York Department of Financial Services (NYDFS), together with the New York Attorney General, announced a $33 million settlement with a Japanese bank resolving allegations the bank’s internal controls—specifically, its anti-money laundering (AML), Bank Secrecy Act (BSA), and Office of Foreign Assets Control (OFAC) sanctions compliance programs—at its New York Branch were “systematically deficient” between November 2014 and November 2018. This allegedly resulted in violations of state and federal laws and regulations, as well as two previous NYDFS consent orders from 2013 and 2014. The settlement resolves an action that was commenced by the bank against NYDFS in connection with a 2017 application with the OCC to convert its state-licensed branches in New York, Illinois, and California and its state-licensed agency offices in Texas to federally licensed branches and agency offices. The action sought to block a NYDFS order that would keep the bank under its supervisory purview notwithstanding the OCC’s granting of the federal charter. The settlement indicates that neither NYDFS, NYAG, or the bank admit any wrongdoing, but have agreed to dismiss all outstanding claims, upon the bank’s monetary payment. The settlement states that NYDFS releases the bank of any further obligations related to the previous consent orders and notes that it “will not attempt to exercise any visitorial power or other supervisory, regulatory, or enforcement authority over [the bank] or its branches or agencies.”
New York settles with online retailer over data breach
On June 6, the New York Attorney General announced a $65,000 settlement with an online retailer resolving allegations that the company failed to provide notice of an online data breach to over 39,000 customers, including nearly 3,000 New Yorkers, for over three years. According to the announcement, unauthorized parties placed malicious code designed to steal credit card information in the company’s software in September 2014. The company discovered the code in November 2014, but did not remediate it until January 2015 (or February 2015, after the code was mistakenly reintroduced and permanently deleted). The Attorney General alleges that the company did not notify its affected customers until May 2018, and that, because the company did not notify New York authorities or its affected customers “in an expedient time-period, and without unreasonable delay,” it violated New York’s General Business Law § 899-aa.
The company offered potentially affected customers two years of free credit monitoring, fraud consultation, and identity theft restoration services, which is not required by law. In addition to the penalty, the settlement requires the company to conduct trainings for appropriate employees and conduct thorough investigations of any future data security breaches involving private information to ensure compliance with state law.
California announces $1.5 million in judgments against investment recovery telemarketing scheme
On May 28, the California Attorney General announced approximately $1.5 million in judgments against a company and four individuals (defendants) charged with allegedly operating a telemarketing scheme that offered fake investment recovery services. According to the Attorney General’s office, the defendants allegedly made false and deceptive claims to investors, many of whom were elderly, that the company could recover money lost from previous investments for an up-front fee of several thousand dollars. The terms of the judgments include $930,800 in combined civil penalties and $567,774 in restitution, and permanently enjoin and restrain the defendants from, among other things, making false or misleading statements in connection with telemarketing transactions. The Attorney General’s announcement also disclosed the recovery of nearly $25,000 in victim restitution pursuant to a bond issued to the company under California’s Telephonic Sellers Law.
25 state AGs reject CFPB payday proposal in comment letter
On May 15, a group of 25 Democratic Attorneys General submitted a comment letter in response to the CFPB’s February proposal to rescind certain provisions related to the underwriting standards of the “Payday, Vehicle Title, and Certain High-Cost Installment Loans” (the Rule) (covered by InfoBytes here). In the comment letter, the Attorneys General argue, among other things, that the elimination of the underwriting provisions of the Rule: (i) is inconsistent with the Bureau’s obligations to protect consumers under the Dodd-Frank Act; (ii) ignores state experiences with payday and vehicle title lending; and (iii) would reduce states’ ability to protect their residents from predatory lending.
Specifically, the letter argues that the Bureau’s reasoning for repealing the underwriting requirements—that the findings of the Rule “were not supported by sufficiently ‘robust and reliable’ evidence”—would saddle the Bureau with an unreasonably high evidentiary standard that would prevent the Bureau from regulating unfair and abusive practices. Additionally, the letter states that the Bureau’s conclusion that the underwriting requirements would harm consumers by reducing consumer’s access to credit and ability to choose lenders offering credit ignores “the experiences of numerous states that have implemented restrictions on payday and vehicle title lending—restrictions that have protected consumers without unreasonably limiting consumers’ access to credit.” States’ restrictions on payday and vehicle title lending, according to the letter, have “benefited consumers and expanded access to manageable credit.” Lastly, the letter asserts that maintaining a federal regulatory floor on lending activities is “crucial to supporting and complementing state oversight,” and removal of the floor will “enable lenders to continue trying to avoid state regulation and continue marketing expensive and often unlawful products to consumers without providing borrowers an opportunity for negotiation or comparison.”
The comment letter was written by the Attorneys General of the District of Columbia, New Jersey, California, Colorado, Connecticut, Delaware, Hawaii, Illinois, Iowa, Maine, Maryland, Massachusetts, Michigan, Minnesota, Nevada, New Mexico, New York, North Carolina, Oregon, Pennsylvania, Rhode Island, Vermont, Virginia, Washington, and Wisconsin.
As previously covered by InfoBytes, the same group of Attorneys General had urged the CFPB via a previous comment letter not to delay the August 19, 2019 compliance date for any aspect of the Rule, and had warned that they would consider taking legal action if the Bureau did so.
States enact data breach notification requirements
On May 10, the New Jersey governor signed S 52, which amends the state’s data breach notification provisions. The amendments expand the definition of “personal information” to include “user name, email address, or any other account holder identifying information, in combination with any password or security question and answer that would permit access to an online account.” The amendment further permits breached entities to provide individuals, whose account access credentials have been compromised, with the opportunity to promptly change online account information, so long as the notification is not sent to an email account subject to the security breach. The amendments take effect on September 1.
On May 7, the Washington governor signed HB 1071, which amends the state’s data breach notification law to, among other things, (i) narrow the window for post-breach notification to affected individuals and to the state Attorney General, if applicable, from 45 days to 30 days after discovery; (ii) require notifications to contain the date of the breach and the date of the discovery of the breach, if known; (iii) permit electronic notification to affected individuals, which must instruct them to promptly change passwords and security questions or answers, as applicable; and (iv) significantly expand the items included in the notice to the Attorney General, including a summary of steps taken to contain the breach. In addition, HB 1071 expands the definition of “personal information” to include, among other things, the full birth date; a private key unique to an individual that is used to authenticate or sign electronic records; student, military, or passport ID numbers; health insurance identification numbers; biometric data or medical history; and user names and email addresses combined with passwords or security questions. The amendments take effect March 1, 2020.
Indiana sues credit reporting agency over 2017 data breach
On May 6, the Indiana Attorney General announced a lawsuit filed against a national credit reporting agency in response to its 2017 data breach, alleging the company “chose increasing revenue over protecting the safety of consumers’ sensitive personal information.” According to the complaint, the state alleges the company violated the Indiana Deceptive Consumer Sales Act by failing to secure 3.9 million residents’ personal data while representing to consumers that its payment systems were compliant with Payment Card Industry (PCI) standards. The complaint alleges among other things that the company “knew the system was storing payment card information in clear text, which was a known violation of the [PCI standard]” and “[d]espite its knowledge, … made a conscious choice to break the rules.” Indiana is seeking civil penalties, consumer restitution, costs and injunctive relief.
New York charges virtual currency operators with fraud
On April 25, the New York Attorney General announced that operators of a virtual currency trading platform and “tether” virtual currency issuer, along with their affiliated entities, are enjoined from engaging in activities that may have defrauded investors trading in cryptocurrency. The AG’s investigation found that the operators allegedly “engaged in a cover-up to hide the apparent loss of $850 million dollars of co-mingled client and corporate funds.” Under the terms of the court order, the operators and companies must, among other things, (i) immediately end the further dissipation of U.S. dollar assets that back “tether” tokens; (ii) are prohibited from making any distributions to executives, employees, or agents, investors, or associates from “funds that that have been loaned, extended, or pledged, or otherwise taken from the U.S. dollar reserves held by the operator”; and (iii) are prohibited from destroying or deleting potentially relevant documents and communications.
Maryland charges title company with making unlicensed, usurious consumer loans
On April 11, the Maryland Attorney General announced an administrative proceeding taken against a title company, its owner, and related businesses for allegedly making unlicensed and usurious title loans secured by consumers’ motor vehicles. According to the AG’s charges, the defendants, among other things, allegedly engaged in unfair or deceptive trade practices by offering consumers high-interest, short-term title loans with typical annual interest rates of 360 percent. The AG contends that the loans offered by the defendants qualify as consumer loans under Maryland law and therefore are subject to state interest rate caps. Furthermore, the AG alleges that the defendants were never licensed by the Maryland Commissioner of Financial Regulation to make consumer loans in the state. The AG seeks an order compelling the defendants “to permanently cease and desist from making unlicensed and usurious consumer loans in Maryland, to pay restitution to all affected consumers, and to pay civil penalties.”
Maryland settles with reverse mortgage servicer for alleged illegal inspection fees
On April 16, the Maryland Attorney General announced a settlement with a reverse mortgage servicer for allegedly charging homeowners illegal inspection fees. According to the Attorney General, from 2010 through 2016, the servicer passed the cost of inspecting properties in default on to homeowners, which Maryland law does not allow. In 2013, the Maryland Commissioner of Financial Regulation put the servicer on notice that it was charging prohibited inspection fees, but the servicer did not cease the activity until January 1, 2017. The servicer has since refunded or reversed nearly $44,000 in property inspection fees charged to consumers. The settlement agreement requires the servicer to (i) refund inspection fees that have not yet been refunded; (ii) provide notice to any sub-servicer that the inspection fees should be refunded or not collected; (iii) pay $5,000 to the state for costs associated with the investigation; and (iv) pay $50,000 in civil money penalties.
California settles with rental car companies over artificially inflated vehicle repair charges
On April 15, the California Attorney General announced a $4.6 million settlement with a rental car company and affiliate resolving a joint investigation with the district attorneys into the company’s violation of state consumer protection laws. According to the AG, the companies, among other things, overcharged customers for rental vehicle repairs and failed to disclose material damage to the rental cars at the time of sale or disposal. Under state law, rental car companies are prohibited from charging customers more than the actual cost of repair, which includes any discounts the company receives according to the complaint. However, the companies frequently billed customers charges that were higher than the actual cost of the repair through the use of third-party repair estimates. Under the terms of the stipulated judgment, which also include comprehensive injunctive terms to prevent future misconduct, the companies—which did not admit liability—have agreed to comply with California laws and are required to pay (i) $1 million in restitution to affected customers; (ii) $3.3 million in civil penalties; and (iii) $300,000 in investigative costs.