SEC fines Dutch medical supplier $62 million to settle FCPA charges
The SEC recently announced that a global Dutch manufacturer of health technology products agreed to pay more than $62 million to settle claims that it allegedly violated the FCPA with respect to the sale of medical diagnostic equipment in China. According to the SEC’s order, between 2014 and 2019, the manufacturer’s agents in China “engaged in improper conduct to influence foreign officials in connection with tender specifications in certain public tenders to increase the likelihood that [the manufacturer’s] products were selected.” Certain agents also allegedly engaged in a variety of improper bidding practices that unjustly enriched the manufacturer by $41 million. Special pricing discounts were given to distributors, which created a corruption risk that the increased distributor margins could be used to fund improper payments to government-owned hospital employees, the SEC claimed. During this time, the SEC found that the manufacturer lacked sufficient internal accounting controls to prevent and detect the conduct, and allegedly failed “to provide reasonable assurances” that transactions were accurately recorded in the Chinese agents’ books and records, which were consolidated into the manufacturer’s books and records.
The SEC stated that the manufacturer was previously charged with similar misconduct in Poland between 1999 and 2007, and that despite taking remedial efforts, the manufacturer failed to implement sufficient internal accounting controls relating to its sales of health technology products in China. The manufacturer consented to the SEC’s order without admitting or denying allegations that it violated the books and records and internal accounting control provisions of the Securities Exchange Act and agreed to pay $15 million in civil penalties and more than $47 million in disgorgement and prejudgment interest. The SEC recognized the company’s cooperation and remedial efforts.
OFAC reaches $3.3 million settlement with cosmetics company for Iranian sanctions violations
The U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) recently announced settlements with a California-based cosmetics company and a former senior company executive to resolve potential civil liability stemming from allegations that the company participated in a conspiracy to export goods and services from the United States to Iran over roughly an eight-year period. According to OFAC’s web notice, the company entered into an exclusive agreement with an Iranian distributor to sell products in the Middle East, specifically in Iran, without ever receiving a specific license or other applicable OFAC guidance to do so. OFAC maintained that these exported products (for which the company requested a license) were neither generally authorized nor exempt from prohibition. During a later acquisition, the company again applied for, but did not receive, a specific license to export products to Iran. The company knew that an OFAC license was required to lawfully export the products to Iran but continued to do so through departments generally overseen by the former senior company executive, OFAC said, adding that prior to the acquisition, the company did not disclose the exports or its involvement with Iran, nor was this conduct discovered during pre-acquisition due diligence. By conspiring to export approximately $11.1 million worth of goods to Iran over approximately eight years, the company allegedly violated the Iranian Transactions and Sanctions Regulations.
In arriving at the settlement amount, OFAC considered, among other things, that the company willfully violated U.S. sanctions by exporting its products and services to Iran, despite having knowledge that such conduct was prohibited, and that senior company officials had actual knowledge of the alleged misconduct. The $3.3 million settlement (of which the former senior company executive is responsible for $175,000) reflects that while the company voluntarily self-disclosed the apparent violations, the violations constitute an egregious case. OFAC also considered several mitigating factors, including that: (i) the company has undertaken remedial measures to prevent future misconduct; (ii) the overall percentage represented by its sales to Iran is small; (iii) the company has not received a penalty notice from OFAC in the preceding five years; (iv) the company cooperated with OFAC during the investigation and agreed to toll the statute of limitations; and (v) the former senior company executive’s violations involved the export of benign consumer goods.
Providing context for the settlement, OFAC said, among other things, that the “case highlights that U.S. sanctions on Iran encompass a wide range of potentially violative conduct, including the formation and execution of conspiracies to engage in prohibited activities such as exporting goods to Iran and causing such exports to occur.” OFAC reminded businesses that “placement of a U.S. entity under the compliance structure of a non-U.S. entity that may lack sufficient familiarity with U.S. sanctions laws could prevent the prompt identification of and response to potentially prohibited conduct.”
U.S. and EU enter bilateral sanctions partnership
On May 16, the United States and the European Union entered into a bilateral partnership to strengthen working relationships and share sanctions expertise to address foreign policy goals. The U.S.-EU partnership’s foundation is premised on a collaborative approach for financial sanctions, in which the U.S. Treasury Department’s Office of Foreign Assets Control, the European External Action Service, and the European Commission Directorate-General for Financial Stability, Financial Services and Capital Markets Union will continue to work closely with partners around the world to ensure financial sanctions are fully contributing to member countries’ policy goals. Emphasizing that “[s]anctions are most effective when coordinated with a broad range of international partners who can magnify the economic and political impact,” Treasury stressed the importance of multilateral implementation to maximize the effectiveness of sanctions while minimizing unintended costs and compliance burdens.
Montana becomes the ninth state to enact comprehensive privacy legislation
On May 19, the Montana governor signed SB 384 to enact the Consumer Data Privacy Act (CDPA) and establish a framework for controlling and processing consumer personal data in the state. Montana is now the ninth state in the nation to enact comprehensive consumer privacy measures, following California, Colorado, Connecticut, Virginia, Utah, Iowa, Indiana, and Tennessee. The CDPA applies to any person that conducts business in the state or produces products or services targeted to state residents and, during a calendar year, (i) controls or processes personal data of at least 50,000 consumers (“excluding personal data controlled or processed solely for the purpose of completing a payment transaction”), or (ii) controls or processes personal data of at least 25,000 consumers and derives 25 percent of gross revenue from the sale of personal data. The CDPA provides several exemptions, including nonprofit organizations, registered securities associations, financial institutions, data governed by the Gramm-Leach-Bliley Act and certain other federal laws, and covered entities governed by the Health Insurance Portability and Accountability Act. Highlights of the CDPA include:
- Consumers’ rights. Under the CDPA, consumers will be able to access their personal data; correct inaccuracies; request deletion of their data; obtain a copy of their data in a portable format; and opt out of the sale of their data. A consumer may also designate an authorized agent to act on the consumer’s behalf to opt out of the processing of their personal data.
- Data controllers’ responsibilities. Data controllers under the CDPA will be responsible for, among other things, (i) responding to consumer requests within 45 days unless extenuating circumstances arise and providing requested information free of charge, once for each consumer during a 12-month period; (ii) establishing a process to allow consumer appeals within a reasonable time period after a controller’s refusal to take action on a consumer’s request; (iii) establishing clear and conspicuous opt-out methods on a website that require consumers to affirmatively and freely choose to opt out of any processing of their personal data (and allowing for a mechanism that lets consumers revoke consent that is at least as easy as the mechanism used to provide consent); (iv) limiting the collection of data to what is adequate, relevant, and reasonably necessary for a specified purpose; (v) securing personal data from unauthorized access; (vi) processing data in compliance with state and federal anti-discrimination laws; (vii) obtaining consumer consent in order to process sensitive data; (viii) providing clear and meaningful privacy notices; and (ix) conducting data protection assessments and ensuring deidentified data cannot be associated with a consumer. The CDPA also sets forth obligations relating to contracts between a controller and a processor, including ensuring that contracts between a controller and a processor do not waive or limit consumer data rights.
- No private right of action but enforcement by state attorney general. The CDPA explicitly prohibits a private right of action. Instead, it grants the state attorney general exclusive authority to enforce the law.
- Right to cure. Upon discovering a potential violation of the CDPA, the attorney general must give the data controller notice. The data controller then has 60 days to cure the alleged violation before the attorney general can file suit. The cure provision expires April 1, 2026.
The CDPA takes effect October 1, 2024.
Georgia enacts commercial financing disclosure requirements
On May 1, the Georgia governor signed SB 90 to, among other things, require disclosures in connection with commercial financing transactions. The amendments modify the existing state Fair Business Practices Act and apply to “commercial loans” and “commercial open-end credit plans.” The amendments define a “provider” as “a person who consummates more than five commercial financing transactions in this state during any calendar year and includes, but is not limited to, a person who, under a written agreement with a depository institution, offers one or more commercial financing products provided by the depository institution via an online platform that the person administers.” The amendments also establish parameters for qualifying commercial transactions and outline numerous exemptions. Specifically, prior to consummating a commercial financing transaction, a provider must (i) disclose the terms of the transaction as specified within the amendments, and (ii) include a description of the methodology used to calculate any variable payment amount and the circumstances that may cause a payment amount to vary. The provisions apply to any commercial financing transaction consummated on or after January 1, 2024. The amendments also address unfair or deceptive practices relating to brokerage engagements and are effective January 1, 2024.
Crypto company settles NY AG’s hidden-fee claims
On May 18, the New York attorney general announced a settlement with a Brooklyn-based cryptocurrency company to resolve claims that it charged investors “exorbitant and undisclosed fees” to store cryptocurrency in an account that was advertised as being free on its website. The fees charged to investors to use its wallet storage were allegedly so high that they completely cleaned out investors’ accounts, the AG said. The company agreed to the AG’s findings that it regularly charged and increased fees without properly notifying investors. According to the AG’s investigation, the company changed the wallet storage fee structure four times without clearly disclosing the fee increase, which led to some investors being charged fees equal to 96 percent of the value of their account holdings. In total, the company took approximately $4.25 million from investors. The AG maintained that the company also failed to register as a commodity broker dealer in the state for a period of time, and that while it was eventually granted a virtual currency license pursuant to 23 NYCRR Part 200, it failed to file a registration statement. Under the terms of the assurance of discontinuance, the company is required to pay $508,910 in restitution to the state and provide full restitution to all investors who were misled. The company is also required to provide monthly refund status updates to the AG, limit the amount of fees charged for using its wallet service to 0.002 percent per cryptocurrency per month for at least five years, and ensure that it adequately discloses all fees to investors.
Default judgment entered against provider of immigration bonds
The U.S. District Court for the Western District of Virginia recently entered default judgment against defendants accused of misrepresenting the cost of immigration bond services and deceiving migrants to keep them paying monthly fees by making false threats of deportation for failure to pay. As previously covered by InfoBytes, the defendants—a group of companies providing immigration bond products or services for non-English speaking U.S. Immigration and Customs Enforcement detainees—were sued by the CFPB and state attorneys general from Massachusetts, New York, and Virginia in 2021 for allegedly engaging in deceptive and abusive acts and practices in violation of the Consumer Financial Protection Act (CFPA). The defendants argued that the court lacked subject matter jurisdiction because the Bureau did not have authority to enforce the CFPA since the defendants are regulated by state insurance regulators and are merchants, retailers, or sellers of nonfinancial goods or services. However, the court disagreed, explaining that “limitations on the CFPB’s regulatory authority do not equate to limitations on this court’s jurisdiction.”
As explained in the court’s opinion, last year the plaintiffs filed a motion for sanctions and for an order to show cause why the court should not hold the defendants in contempt for actions relating to several ongoing discovery disputes. The court determined that the defendants failed to demonstrate that “factors other than obduracy and willfulness” led to their failure to comply with multiple discovery orders and that the defendants engaged in a “pattern of knowing noncompliance with numerous orders of the court.” These delays, the court said, have significantly harmed the plaintiffs in their ability to prepare their case. Finding each defendant in civil contempt of court, the court also entered a default judgment against the defendants, citing them for discovery violations in other cases. The court set June deadlines for briefs on remedies and damages.
Freddie allows digital paystubs in underwriting
On May 22, Freddie Mac announced new capabilities allowing lenders to use a borrower’s digital paystub data when assessing income paid through direct deposit. Lenders will be able to access the enhancements to Freddie’s automated income assessment tool through the Loan Product Advisor (LPA) asset and income modeler (AIM). Freddie noted that in addition to providing access to direct deposit data, AIM is also able to “assess income from tax return data for self-employed borrowers as well as bank account data to identify a history of positive monthly cash flow activity” to help first-time homebuyers and borrowers in underserved communities who may not qualify through traditional methods of underwriting. AIM is also designed to notify lenders when submitting this type of account data may benefit a borrower. The new AIM capability will be available beginning June 7 to Freddie-approved sellers that use LPA.
FHA expedites claims process for HECMs
On May 17, HUD announced new policies to expedite claims processing for home equity conversion mortgages (HECM). Specifically, FHA’s policies will allow for faster payment of funds to mortgagees upon assignment of an HECM to HUD by allowing borrowers with FHA mortgages to submit a request for a preliminary title approval earlier in the process and with fewer documents. Mortgagees will now be able to assign an HECM to HUD once the HECM reaches 98 percent of the maximum claim amount (MCA) and may begin submitting required information to HUD when the HECM reaches 97 percent of the MCA (based on the value of the property at the time the HECM loan is originated). The previous percentage was set at 97.5 percent. Additionally, mortgagees will be able to submit original notes and mortgages after assignment claim payment rather than before. HUD explained that allowing for earlier claim submission and improving document submission measures will hopefully shorten the time between the HECM reaching 98 percent of MCA and FHA paying the mortgagee for the claim.
FTC, DOJ sue maker of health app over data sharing
On May 17, the DOJ filed a complaint on behalf of the FTC against a health app for violating the Health Breach Notification Rule (HBNR) by allegedly sharing users’ sensitive personal information with third parties, disclosing sensitive health data, and failing to notify users of these unauthorized disclosures. According to the complaint, users were allegedly repeatedly and falsely promised via privacy policies that their health information would not be shared with third parties without the user’s knowledge or consent, and that any collected data was non-identifiable and only used for the defendant’s own analytics or advertising. The FTC charged the defendant with failing to implement reasonable measures to address the privacy and data security risks created by its use of third-party automated tracking tools and for sharing health information used for advertising purposes without obtaining users’ affirmative express consent. Under the HBNR, companies with access to personal health records are required to notify users, the FTC, and media outlets in certain situations, if there has been an unauthorized acquisition of unsecured personal health information. The defendant also allegedly failed to impose limits on how third parties could use the data and failed to adequately encrypt data shared with third parties, thus subjecting the data to potential interception and/or seizure by bad actors.
The proposed court order would require the defendant to pay a $100,000 civil penalty, and would permanently prohibit the company from sharing personal health data with third parties for advertising and from making future misrepresentations about its privacy practices. The defendant would also be required to (i) obtain user consent before sharing personal health data; (ii) limit data retention; (iii) request deletion of data shared with third parties; (iv) provide notices to users explaining the FTC’s allegations and the proposed settlement; and (v) implement comprehensive security and privacy programs to protect consumer data. The defendant has also agreed to pay a total of $100,000 to Connecticut, the District of Columbia, and Oregon (who collaborated with the FTC on the action) for violating state privacy laws with respect to its data sharing and privacy practices.