InfoBytes Blog
FINRA accepts AWC for paid influencers
On November 26, FINRA accepted a Letter of Acceptance, Waiver and Consent from a member firm (the respondent) based in New Jersey. According to the letter, from January 2020 through November 2024, the respondent engaged in various actions that allegedly violated sections of the FINRA Rules, Exchange Act Section 17(a), Exchange Act Rule 17a-4, and Rules 4 and 5 of Regulation S-P by (i) making, through paid social media influencers, misleading and promissory communications that were not fair and balanced, (ii) failing to have a registered principal review, (iii) failing to maintain a proper supervisory and record keeping system, including failure to file required options communications with FINRA, and (iv) failing to provide initial and annual privacy notices to about 450,000 customers. Without admitting or denying FINRA’s allegations, the respondent consented to a censure, a $750,000 fine, and an undertaking to remediate the identified issues and implement a compliant supervisory system.
FINRA accepts member firm AWC
On November 22, FINRA accepted a Letter of Acceptance, Waiver, and Consent (AWC) from a member firm regarding its alleged failure to establish, maintain and enforce a supervisory system and written supervisory procedures (WSPs) to ensure compliance with rules governing registered persons’ outside business activities. Specifically, from December 2020 to November 2021, the firm allegedly failed to adequately evaluate or record the outside business activities of one of its registered representatives, who was managing an investment fund providing loans to early-stage companies. FINRA determined these constituted violations of NASD Rule 3110(b) and FINRA Rules 3270 and 2010. The firm consented to a censure and a $60,000 fine without admitting or denying the allegations and agreed to update its Form BD (Uniform Application for Broker-Dealer Registration).
NYDFS secures $11.3M in penalties from auto insurers for data breaches
On November 25, NYDFS announced settlements with two auto insurance companies for inadequate data security that compromised the personal information of over 120,000 New York consumers and secured $11.3 million in total penalties. According to NYDFS, hackers exploited vulnerabilities in the companies’ online insurance applications to steal personal information, including driver’s license numbers, which were then used for fraudulent unemployment claims during the Covid-19 pandemic. Investigations revealed that the companies failed to implement sufficient data security controls and did not comply with NYDFS’s cybersecurity regulations. One company entered a consent order to pay $9.75 million and the other a consent order to pay $1.55 million in penalties.
The breaches occurred between November 2020 and April 2021, exposing the personal information of over 120,000 New Yorkers. The companies were criticized for not conducting comprehensive reviews of their systems despite being aware of the cyberattack risks. The settlements required the companies to enhance their cybersecurity measures, including maintaining comprehensive information security programs, developing data inventories, implementing reasonable authentication procedures, and improving logging and monitoring systems. Additionally, one company agreed to conduct a cybersecurity risk assessment and penetration testing, while the other will review its systems and improve protections against unauthorized access to nonpublic personal information.
Maryland implements updates to shared appreciation agreements
On November 25, new regulations in Maryland addressing shared appreciation agreements became effective. This action implements Ch. 568 (H.B. 1150) from 2023, which codified that shared appreciation agreements are mortgage loans subject to the Maryland Mortgage Lender Law (covered by InfoBytes here). The new regulations add key definitions and require certain disclosures, including a financing agreement and a commitment to borrowers (which includes a specified disclosure form) within 10 business days of a completed application. The new regulations also establish procedures for property value calculations and add a description of the ability to repay standard with respect to shared appreciation agreements.
Additionally, the regulations require lenders to use a specified method for calculating property values, actual appreciation, and final payment amount. They also establish that a lender is deemed to have considered a borrower’s ability to repay (assuming all required disclosures have been provided) if the agreement (i) does not require periodic payments before termination; and (ii) has a term of at least five years.
Minnesota Attorney General settles with real estate broker over undisclosed payments
On November 19, the Minnesota Attorney General (AG) announced his recent settlement with a real estate broker (the defendant) over allegations related to the defendant’s advertising of home warranty service contracts with a third-party provider. The AG alleged the defendant did not disclose payments it received from a third-party home warranty provider and that its activities caused confusion among consumers about the value of the warranties, leading to potential violations of Minnesota’s consumer protection statutes. The AG also found that a third party’s home warranty service contracts confused consumers into believing that the third party’s home warranty was a valuable product and contained benefits that the warranty did not actually have. The defendant disputed these allegations, asserting that it provided written disclosures to customers, which were signed, indicating that the defendant advertised the warranties in exchange for a fixed service fee.
The defendant must pay $3.5 million to the AG. The settlement also included several injunctive relief measures. The defendant agreed to discontinue its existing contractual relationships with warranty service providers and refrain from entering new contracts for promoting third-party products or services. Minnesota consumers who purchased the home warranties on or after July 1, 2018, may be eligible for refunds if they meet certain criteria, such as having claims denied or not filing claims within the first year of purchase.
5th Circuit reverses and remands cryptocurrency software case stating OFAC exceeded its authority
On November 26, the U.S. Court of Appeals for the Fifth Circuit reversed and remanded a decision by the district court regarding the Office of Foreign Assets Control’s (OFAC) designation of a virtual currency mixer software as a Specially Designated National and Blocked Person (SDN) pursuant to the International Emergency Economic Powers Act (IEEPA). The IEEPA permits the President to block “any property in which any foreign country or a national thereof has any interest.” In this instance, President Obama authorized the Treasury to block “the property and interests” of persons that it determined supported North Korea or its pursuit of nuclear weapons and to block the “property and interests” for persons engaged in “cyber-enabled activities” that threaten the national security and economy of the U.S. The Treasury delegated this authority to OFAC, and OFAC designated the software as an SDN.
The plaintiffs argued that OFAC exceeded its statutory authority by designating the software as an SDN, claiming that the smart contracts created by the software did not meet the definition of “property” outlined in the IEEPA and the Administrative Procedure Act (APA). The district court held that the software was an entity that could be properly designated, and that smart contracts constituted “property” under the IEEPA. The 5th Circuit, citing Loper Bright v. Raimondo, engaged in its own analysis of the statute and concluded that the immutable smart contracts associated with the software, which facilitated anonymous cryptocurrency transactions, do not qualify as “property” under the IEEPA because they are not capable of being owned, and thus cannot be blocked under the IEEPA. The court’s ruling instructed the district court to grant the plaintiffs’ partial motion for summary judgment based on the APA.
District Court orders auto loan servicing company to pay $42M to CFPB
On November 26, the U.S. District Court for the Northern District of Georgia granted the CFPB’s motion for default judgment against the defendant, an auto loan servicing company, determining that the defendant’s bankruptcy filing did not stay the civil action. The court found the defendant liable for violating the CFPA, resulting in wrongful activation of starter-interruption devices (SIDs), failure to refund unearned guaranteed asset protection (GAP) fees, overbilling for insurance, misapplication of consumer payments, and wrongful repossession of vehicles. The court ordered the defendant to pay over $42 million in combined damages, restitution, interest and civil penalties, and permanently enjoined the defendant from future violations.
As previously covered by InfoBytes, the CFPB initially sued the auto loan servicer for allegedly engaging in unfair acts and practices in violation of the CFPA, including: wrongfully activating starter-interruption devices, which are devices that warn consumers with beeps or disable their car altogether when they make a loan payment late; failing to ensure refunds of millions of dollars of GAP insurance premiums after consumers paid off their loan early or their car was repossessed by the auto-loan servicer; erroneously billing 34,000 consumers for collateral-protection insurance by charging consumers twice each billing cycle; wrongfully applying extra consumer payments first to late fees instead of accrued interest; and wrongfully repossessing consumers’ cars dozens of times.
The court noted its most recent decision was supported by expert testimony to quantify damages for wrongful repossessions, erroneous SID disables, and erroneous warning tones. However, the injunctive relief granted by the court was noted as largely “academic,” since the defendant has already ceased operations.
District Court receives joint settlement notice for personal information data breach
On November 26, the U.S. District Court for the Northern District of Georgia received notice of a class-wide settlement reached between plaintiffs, an individual and a class of similarly situated harmed individuals, and the defendant, a deposit risk management firm, in a data breach case. The parties informed the court they have prepared a class action settlement agreement to be executed by December 6 and anticipate filing a motion for preliminary approval by the court by December 16. The parties requested that the case be stayed, and all pending dates will be stricken.
The complaint, filed on July 8, detailed a hacking incident that occurred on November 3, 2023, when the defendant detected unusual activity on its computer systems. The breach compromised sensitive personal information maintained by the defendant, including names, Social Security numbers, financial account information, driver’s license numbers, and addresses. The defendant waited seven months before notifying the affected individuals, during which time the plaintiffs were at risk of identity theft or harm.
The plaintiffs alleged the defendant failed to implement reasonable data security measures, which put the plaintiffs’ personal information at risk, violating the California Consumer Privacy Act (CCPA) and other regulations. The complaint included seven counts against the defendant: negligence, negligence per se, breach of implied contract, violations of the CCPA, unjust enrichment, breach of third-party beneficiary contract, and declaratory judgment. The plaintiffs sought monetary relief, injunctive relief, and lifetime credit monitoring for the affected class members. The number of affected class members is unknown but is estimated to be in the thousands.
The complaint further claimed the defendant’s inadequate security measures and failure to properly monitor its networks led to the data breach. The plaintiffs argued the defendant’s actions resulted in significant harm, including the loss of control over their personal information, potential identity theft, and other financial damages. The plaintiffs also highlighted the defendant’s alleged violations of the CCPA, which mandates the implementation of reasonable security procedures to protect consumers’ personal information.
State chartered bank challenges constitutionality of FDIC enforcement proceedings
On November 19, a Kansas state chartered bank filed a complaint for declaratory and injunctive relief against the FDIC and two Administrative Law Judges (ALJs) from the Office of Financial Institution Adjudication. The plaintiff alleged the FDIC’s attempt to impose civil monetary penalties through an administrative proceeding violated the U.S. Constitution.
Specifically, the plaintiff argued that the FDIC’s proceedings violate the Seventh Amendment by seeking to impose civil monetary penalties through an ALJ acting as a “fact-finder” instead of through a jury in an Article III court. The plaintiff emphasized the Seventh Amendment preserves the right to a jury trial in suits at common law, and that civil penalties are a type of remedy that historically are to be imposed by a jury. The complaint cited Supreme Court rulings, such as SEC v. Jarkesy, to support the argument that the imposition of such penalties by an ALJ, rather than a jury, is unconstitutional.
Additionally, the plaintiff contended ALJs are unconstitutionally insulated from presidential oversight due to two layers of removal protection — “that is, when the ALJs are removable only for cause, by officials who themselves are removable only for cause” — which violates Article II of the Constitution. The plaintiff alleged this lack of removal protection of FDIC ALJs “produces an administrative bureaucracy that operates on regulated parties without the constitutionally required ‘degree of electoral accountability.’” In sum, the plaintiff sought a court declaration that the FDIC’s structure and proceedings are unconstitutional, an injunction to halt the current administrative proceedings, and a permanent injunction to prevent the FDIC from pursuing penalties in this manner. The plaintiff also requested the return of privileged documents obtained by the FDIC and compensation for legal costs.
5th Circuit: The CFPB’s payday lender rule will begin in March 2025
On November 25, the U.S. Court of Appeals for the Fifth Circuit granted motions for clarification from both the appellants and the appellees to specify that the court’s stay will be lifted on March 30, 2025, for the CFPB’s payday lending rule. As previously covered by InfoBytes, the CFPB announced its payday lender rule will take effect on March 30, 2025, and this order issued by the appellate court confirms such date. The court’s decision modifies the order entered October 14, 2021, and specifies that March 30, 2025, is 286 days following the U.S. Supreme Court’s judgment in the case. Most recently in this case, the 5th Circuit denied rehearing en banc (covered by InfoBytes here).