Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
On September 21, Ginnie Mae issued All Participant Memorandum 20-12, which states that Ginnie Mae will stop accepting the delivery of single-family forward adjustable rate mortgage (ARM) loans, dated on or after January 1, 2021, with any interest term based on LIBOR, for securitization in any pool. Additionally, any adjustable rate reverse mortgages (HECMs) will be ineligible for securitization into any HMBS pool that relies on LIBOR if not securitized as of January 1, 2021, “without regard to their date of origination or the date in which the corresponding FHA case number was assigned.” Participations associated with HECM loans backing HMBS will continue to be eligible without restriction, so long as the issuance date is on or before December 1.
On September 14, the Financial Crimes Enforcement Network (FinCEN) issued a final rule to align Bank Secrecy Act (BSA) requirements applicable to most banks with the requirements applicable to banks lacking a “federal functional regulator.” In particular, the final rule will require all non-federally regulated banks — including private banks, non-federally insured credit unions, and certain trust companies — to establish and implement anti-money-laundering (AML) programs and customer identification programs (CIP).
On September 17, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) sanctioned an Iranian cyber threat group, 45 associated individuals, and one additional “front company” for allegedly being involved in a Government of Iran (GOI) malware campaign targeting international travel companies, Iranian dissidents, and journalists. Specifically, OFAC alleges that the front company “advances Iranian national security objectives and the strategic goals of Iran’s Ministry of Intelligence and Security (MOIS) by conducting computer intrusions and malware campaigns against perceived adversaries.” OFAC asserts that the 45 individuals provided support for MOIS cyber intrusions by serving as managers, programmers, and hacking experts. The front company has allegedly targeted hundreds of individuals and entities from more than 30 different countries, including using “malicious cyber intrusion tools” to target approximately 15 U.S. companies primarily in the travel sector.
As a result, all property and interests in property belonging to, or owned by, the identified individuals subject to U.S. jurisdiction are blocked, and “any entities 50 percent or more owned by one or more designated persons are also blocked.” U.S. persons are also generally prohibited from engaging in transactions with the designated individuals.
The FBI also issued a Public Intelligence Alert on the Iranian cyber threat group.
On September 17, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced a $894,111 settlement with a New York-based telecommunications systems and software company for four apparent violations of the Sudanese Sanctions Regulations (SSR). According to OFAC’s web notice, between June 2014 and October 2015, the company—through its wholly owned subsidiary—allegedly “indirectly exported warrantied satellite equipment and facilitated services and training to a government-owned entity in Sudan” in apparent violation of the SSR. Among other things, OFAC noted that the company and its subsidiary knew that the end-user of the equipment and services was the Sudan Civil Aviation Authority (SCAA), but the companies still organized the shipment of equipment through a Canadian company despite receiving multiple warnings about OFAC’s export restrictions for Sudan. Once it became known that the SCAA was the ultimate end-user, OFAC contended that the subsidiary’s former Director of Logistics and Export Compliance Official allegedly “attempted to transfer OFAC compliance obligations from [the subsidiary] to the Canadian [c]ompany.” Additionally, OFAC denied the subsidiary’s license application to provide certain warranty services.
In arriving at the settlement amount, OFAC considered various aggravating factors, including that (i) the subsidiary “demonstrated reckless disregard for U.S. sanctions requirements and failed to exercise a minimal degree of caution or care by approving warranty services for equipment provided to SCAA while an OFAC license was still pending”; (ii) the subsidiary did not heed warning signs indicating the transactions could have led to the apparent violations; and (iii) the subsidiary’s explanations in response to OFAC subpoenas and a request for information were inconsistent, which required OFAC expending “significant additional time and resources” building an accurate record of the apparent violations. OFAC also considered that it had not issued a violation against the company or its subsidiary in the five years preceding the earliest transaction at issue.
On September 17, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions pursuant to Executive Order 13224 against two Lebanon-based companies for being owned, controlled, or directed by Hizballah. According to OFAC, the two companies are leveraged by Hizballah “to conceal money transfers to Hizballah’s own accounts,” which “further enrich[es] Hizballah’s leadership and supporters, and depriv[es] the Lebanese people of much-needed funds.” These sanctions are part of Treasury’s continuing efforts to disrupt the full range of Hizballah’s illicit financial activity. Since 2017, OFAC has designated more than 90 Hizballah-affiliated individuals and entities. As a result of the sanctions, all property and interests in property of the individuals, “and of any entities that are owned, directly or indirectly, 50 percent or more by them, individually, or with other blocked persons, that are in the United States or in the possession or control of U.S. persons, are blocked and must be reported to OFAC.” OFAC noted that its regulations “generally prohibit” U.S. persons from participating in transactions with the designated individuals, including “the making of any contribution or provision of funds, goods, or services by, to, or for the benefit of any blocked person or the receipt of any contribution or provision of funds, goods or services from any such person.” OFAC further warned that engaging in certain transactions with the designated individuals subjects persons to the risk of secondary sanctions pursuant to E.O. 13224 and the Hizballah Financial Sanctions Regulations, which implement the Hizballah International Financing Prevention Act of 2015. Furthermore, OFAC noted that it has the authority to “prohibit or impose strict conditions on the opening or maintaining in the United States of a correspondent account or a payable-through account by a foreign financial institution that knowingly facilitates a significant transaction for a terrorist group like Hizballah, or a person acting on behalf of or at the direction of, or owned or controlled by, [a Specially Designated Global Terrorist] such as Hizballah.”
On September 17, the California attorney general announced a settlement with a technology company that operates a fertility-tracking mobile app to resolve claims that security flaws put users’ sensitive personal and medical information at risk in violation of state consumer protection and privacy laws. According to the complaint filed in the Superior Court for the County of San Francisco, the company’s app allegedly failed to adequately safeguard and preserve the confidentiality of medical information by, among other things, (i) allowing access to user information without the user’s consent, by failing to “authenticate the legitimacy of the user to whom the medical information was shared”; (ii) allowing a password-change vulnerability to permit unauthorized access and disclosure of information stored in the app without the user’s consent; (iii) making misleading statements concerning implemented security measures and the app’s ability to protect consumers’ sensitive personal and medical information from unauthorized disclosure; and (iv) failing to implement and maintain reasonable security procedures and practices.
Under the terms of the settlement, the company—which does not admit liability—is required to pay a $250,000 civil penalty and incorporate privacy and security design principles into its mobile apps. The company must also obtain affirmative authorization from users before sharing or disclosing sensitive personal and medical information, and must allow users to revoke previously granted consent. Additionally, the company is required to provide ongoing annual employee training concerning the proper handling and protection of sensitive personal and medical information, in addition to training on cyberstalking awareness and prevention. According to the AG’s press release, the settlement also includes “a first-ever injunctive term that requires [the company] to consider how privacy or security lapses may uniquely impact women.”
On September 17, the U.S. Court of Appeals for the Eleventh Circuit reversed and vacated a district court judgment awarding an “incentive payment” to a TCPA class action representative, concluding it violates a U.S. Supreme Court decision prohibiting such awards. Additionally, the 11th Circuit remanded the case so that the district court could adequately explain its findings on the fees and costs issues. According to the opinion, a consumer initiated a TCPA class action against a collection agency for allegedly calling phone numbers that had originally belonged to consenting debtors but were subsequently reassigned to non-debtors. The action quickly moved to settlement and one class member objected, challenging “the district court’s decision to set the objection deadline before the deadline for class counsel to file their attorneys’-fee petition.” Additionally, among other things, the objector argued that the proposed $6,000 incentive award to the class action representative violates the 1880s Supreme Court decisions in Trustees v. Greenough and Central Railroad & Banking Co. v. Pettus. The district court overruled the class member’s objections.
On appeal, the 11th Circuit concluded that the district court “repeated several errors” that “have become commonplace in everyday class-action practice.” Specifically, the appellate court held that the district court “violated the plain terms of Federal Rule of Civil Procedure 23(h)” by setting the settlement objection date more than two weeks before the date class counsel had to file their attorneys’ fee petition. The appellate court also concluded that the district court violated the Supreme Court’s rule from Greenough and Pettus, which provides that “[a] plaintiff suing on behalf of a class can be reimbursed for attorneys’ fees and expenses incurred in carrying on the litigation, but he cannot be paid a salary or be reimbursed for his personal expenses.” The 11th Circuit noted that modern day incentive awards pose even more risks than the concerns from Greenough, promoting “litigation by providing a prize to be won.” Thus, according to the appellate court, although incentive awards may be “commonplace” in class action litigation, they are not lawful and therefore, the district court’s decision must be reversed.
On September 18, the FDIC issued FIL-91-2020 to provide regulatory relief to financial institutions and help facilitate recovery in areas of Oregon affected by wildfires that began on September 7. In the guidance, the FDIC writes that, in supervising institutions affected by the wildfires, it will consider the unusual circumstances those institutions face. The guidance suggests that institutions work with impacted borrowers to, among other things, (i) extend repayment terms; (ii) restructure existing loans; or (iii) ease terms for new loans to those affected by the severe weather, provided the measures are “done in a manner consistent with sound banking practices.” Additionally, the FDIC notes that institutions may receive favorable Community Reinvestment Act consideration for community development loans, investments, and services in support of disaster recovery. The FDIC will also consider relief from certain reporting and publishing requirements.
Separately, on September 17, HUD announced disaster assistance available to certain counties impacted by the Oregon wildfires, providing foreclosure relief and other assistance to affected homeowners. Specifically, HUD is providing an automatic 90-day moratorium on foreclosures of FHA-insured home mortgages for covered properties and is making FHA insurance available to those victims whose homes were destroyed or severely damaged. Additionally, HUD’s Section 203(k) loan program will allow individuals who have lost homes to finance the purchase of a house, or refinance an existing house and the costs of repair, through a single mortgage. The program will also allow homeowners with damaged property to finance the rehabilitation of existing single-family homes.
On September 21, the Virginia governor announced the expansion of the Rebuild VA, the $70 million economic recovery fund for small businesses and nonprofits impacted by Covid-19. As a result of the expanded eligibility requirements, businesses that received funding from the federal CARES Act and supply chain partners of businesses whose normal operations were impacted by the Covid-19 pandemic will be eligible to receive grants of up to $10,000. The Rebuild VA funding may be used for, among other things, payroll support, employee salaries, and mortgage payments, rent, and utilities. The announcement provides additional information regarding eligibility for the grants.
On September 21, the New York governor issued Executive Order 202.64, which extends the moratorium on Covid-19-related commercial evictions until October 20. The eviction moratorium, which was first issued on March 20, has been extended several times. For our previous coverage, see here.
- Daniel P. Stipano to discuss "Making customers whole: Trends in remediation and restitution expectations" at the American Bar Association Business Law Virtual Section Meeting
- Jonice Gray Tucker to discuss "Fairness gone viral: Fair lending considerations for financial institutions amid Covid-19" at the American Bar Association Business Law Virtual Section Meeting
- Daniel P. Stipano to discuss "High standards: Best practices for banking marijuana-related businesses" at the ACAMS AML & Anti-Financial Crime Conference
- Daniel P. Stipano to discuss "Wait wait ... do tell me! Where the panelists answer to you" at the ACAMS AML & Anti-Financial Crime Conference
- Matthew P. Previn and Walter E. Zalenski to discuss "Is valid when made ... valid?" at the Women in Housing & Finance Partner Series webinar
- Warren W. Traiger and Caroline K. Eisner to discuss "CRA modernization and the OCC final rule" at CBA Live
- Daniel R. Alonso to discuss "Transnational corruption: A chat with former U.S. federal prosecutors in New York" at Marval Live Talks
- Sherry-Maria Safchuk and Lauren Frank to discuss "New CFPB interpretation on UDAAP" at a California Mortgage Bankers Association Mortgage Quality and Compliance Committee webinar
- Thomas A. Sporkin to discuss "Managing internal investigations and advanced government defense" at the Securities Enforcement Forum
- H Joshua Kotin to discuss "Mortgage servicing in a recession: Early intervention, loss mitigation and more" at the NAFCU Virtual Regulatory Compliance Seminar
- Daniel R. Alonso to discuss "Independent monitoring in the United States" at the World Compliance Association Peru Chapter IV International Conference on Compliance and the Fight Against Corruption
- Jonice Gray Tucker to discuss "The future of fair lending" at the Mortgage Bankers Association Regulatory Compliance Conference
- Michelle L. Rogers to discuss "Major litigation" at the Mortgage Bankers Association Regulatory Compliance Conference
- Kathryn L. Ryan to discuss "Pandemic fallout – Navigating practical operational challenges" at the Mortgage Bankers Association Regulatory Compliance Conference
- Jonice Gray Tucker to discuss "Consumer financial services" at the Practising Law Institute Banking Law Institute