InfoBytes Blog

Financial Services Law Insights and Observations

  • FFIEC Revises Information Security Booklet

    Privacy, Cyber Risk & Data Security

    On September 9, the FFIEC updated its Information Security booklet, a key element of its Information Technology Examination Handbook. The booklet is intended to provide examiners with guidance on assessing a financial institution’s information security operations, and is divided into the following four main sections: (i) Governance of the Information Security Program; (ii) Information Security Program Management; (iii) Security Operations; and (iv) Information Security Program Effectiveness. In addition to offering technology-centric recommendations such as encryption, the booklet advises firms to create security processes and risk assessment “commensurate with their operational complexities.” It also advises financial institutions to “have strong board and senior management support, promote integration of security activities and controls throughout the institution’s business processes, and establish clear accountability for carrying out security responsibilities.” As expected, the booklet highlights the importance of implementing effective oversight of third-party service providers. Pursuant to sub-section II.C.20, in order to ensure effective oversight of third-party service providers, management should, among other things, determine when third-parties identify, measure, mitigate, monitor, and report cyber risks so as to “facilitate a comprehensive understanding of the institution’s exposure to third-party cyber threats.”

    Examination FFIEC Vendor Management Privacy/Cyber Risk & Data Security

  • Bank Regulators Signal Changes to Capital Holding Requirements

    Federal Issues

    On September 8, the Federal Reserve Board (FRB) released a policy statement providing details regarding its Countercyclical Capital Buffer Framework (Framework). The FRB explained that the Framework is designed to implement requirements under the Basel III International bank capital rules, and will generally raise capital holding requirements for internationally active banks when there is an elevated risk of systemic credit losses. In responding to comments, the FRB used the policy statement to clarify that when the systemic threat is reduced, banks would be allowed to release excess capital into the economy to further create financial stability. Meanwhile, the Group of Central Bank Governors and Heads of Supervision (Group) that oversees the Basel Committee on Banking Supervision (Committee) cautioned the Committee to avoid significant increases in overall bank capital requirements as the Committee creates a final rule to address excessive variability in risk-weighted assets. The Group expressed its desire that the Committee focus on improving and harmonizing the methods through which banks determine their own risks. The Committee’s final rule is due by year’s end.

    FRB Capital Requirements Basel

  • CFPB Issues Consent Order to National Bank Over Account Operations

    Consumer Finance

    On September 8, the CFPB issued a consent order to a national bank to resolve allegations that its employees opened deposit and credit card accounts for consumers without obtaining consent to do so. According to the CFPB’s consent order, the respondent implemented an incentive compensation program under which employees “engaged in Improper Sales Practices to satisfy goals and earn financial rewards.” The CFPB alleges that the bank’s employees’ Improper Sales Practices were unfair and abusive. Specifically, the consent order alleges that the employees, possibly without consumers’ knowledge or without their consent, (i) opened more than 1.5 million deposit accounts and subsequently transferred money from consumers’ existing accounts to fund the newly opened accounts; (ii) submitted approximately 565,000 credit card account applications on behalf of consumers, with consumers consequently incurring late, annual, and overdraft fees on such accounts; (iii) issued debit cards and created personal identification numbers to activate the cards; and (iv) enrolled consumers in online-banking services. Pursuant to the consent order, the bank, among other things, must pay a civil penalty of $100 million and an expected $2.5 million in consumer redress.

    CFPB UDAAP Overdraft Incentive Compensation

  • House Financial Services Committee Schedules Debate on Financial CHOICE Act

    Consumer Finance

    On September 13, the House Financial Services Committee will meet to discuss the Financial CHOICE Act. As previously covered in InfoBytes, the Financial CHOICE Act is a Republican alternative to the Dodd-Frank Act. The Committee is scheduled to debate potential amendments to the Financial CHOICE Act and to vote on the legislation.

    Dodd-Frank U.S. House

  • FTC Announces Orders Banning Owners of a Debt Relief Operation from Related Activities

    Consumer Finance

    On September 8, the FTC announced that, under separate stipulated final orders (here and here), two owners of a debt relief operation are permanently banned from the debt relief business for violations of the FTC Act, the Telemarketing and Consumer Fraud and Abuse Prevention Act, and the Telemarketing Sales Rule. The FTC’s 2015 complaint alleged that the companies and the owners (collectively, defendants) convinced consumers with payday loan debts to enroll in their “Financial Hardship Program” (Program) by falsely promising to renegotiate the terms of their loans. Consumers were advised to stop making payments to their lenders and pay money to the Program instead, including enrollment and bi-weekly fees. According to the FTC, the defendants “failed to provide the consumers with the promised debt relief, and consumers ended up in deeper financial trouble, having paid hundreds of dollars for no reduction or settlement of their loans.” The stipulated final orders each impose monetary judgments of more than $23.7 million. The judgments will be partially suspended when the individually named owners pay $149,537 and approximately $8,037, respectively. In addition to barring the defendants from the debt relief operation business, the orders further prohibit them from “making representations about financial and other products and services, and from making unsubstantiated claims about any products or services,” and “from profiting from consumers’ personal information and failing to dispose of it properly.”

    FTC Enforcement Telemarketing Sales Rule Debt Settlement

  • OFAC Imposes Civil Penalty for the Export of Orthodontic Supplies to Iran

    Federal Issues

    On September 7, OFAC announced a $43,200 settlement with an Oregon-based manufacturing company for alleged violations of the Iranian Transactions and Sanctions Regulations (ITSR), 31 C.F.R. part 560. Specifically, OFAC alleges that the company violated §§ 560.204 and 560.206 of the ITSR between April 2008 and July 2010 by exporting orthodontic supplies, with a collective value of $59,886, to Germany, United Arab Emirates, and/or Lebanon with the knowledge or reason to know that the supplies were ultimately destined for Iran. The settlement amount reflects OFAC’s consideration of the following aggravating factors: (i) the company acted willfully by exporting products it knew or had reason to know were ultimately destined for Iran; (ii) the company’s management knew or had reason to know that the products were destined for Iran; and (iii) the company failed to implement a compliance program until June 2008. Mitigating factors considered when determining the settlement amount include (i) the fact that alleged violations did not “result in great economic or other benefit conferred on Iran” because the transactions were generally consistent with OFAC’s licensing policy; (ii) the company’s lack of sanctions history with OFAC for five years before the first of the seven alleged violations; (iii) the company’s cooperation with OFAC by agreeing to toll the statute of limitations; (iv) the company’s development of an economic sanctions compliance procedure in June 2008 and the subsequent draft of a written compliance policy; and (v) the company’s lack of “commercial sophistication in conducting international sales at the time of the alleged violations.”

    Sanctions OFAC

  • FATF Updates List of Jurisdictions with AML/CFT Deficiencies, FinCEN Issues Related Advisory

    Federal Issues

    On September 7, FinCEN issued advisory bulletin FIN-2016-A004 notifying financial institutions of updates to the Financial Action Task Force’s (FATF) list of jurisdictions with anti-money laundering/combating the financing of terrorism (AML/CFT) deficiencies. The FATF updated two documents categorizing certain jurisdictions: (i) the FATF Public Statement, identifying jurisdictions that are subject to the FATF’s call for countermeasures or are subject to Enhanced Due Diligence (EDD) due to AML/CFT deficiencies; and (ii) the Improving Global AML/CFT Compliance: on-going process, identifying jurisdictions that have developed an action plan with the FATF to address strategic AML/CFT deficiencies. Revisions to the FATF Public Statement include the 12-month suspension of FATF’s call for countermeasures against Iran; in turn, Iran was added to the EDD category based on the continued risk posed by Iran to the international financial system. North Korea remains the sole country subject to countermeasures. Jurisdictions currently on the Improving Global AML/CFT Compliance: on-going process list include Afghanistan, Bosnia and Herzegovina, Guyana, Iraq, Lao PDR, Syria, Uganda, Vanuatu, and Yemen. Myanmar (Burma) and Papua New Guinea were removed from the list. FinCEN reminded financial institutions that they are subject to a broad range of restrictions on dealing with North Korea and Iran, in spite of the 12-month suspension of its call for countermeasures against Iran.

    Anti-Money Laundering FinCEN Bank Secrecy Act FATF Combating the Financing of Terrorism

  • FinCEN Issues Advisory on E-Mail Compromise Fraud Schemes

    Privacy, Cyber Risk & Data Security

    On September 6, FinCEN issued advisory bulletin FIN-2016-A003 notifying financial institutions of a growing number of e-mail compromise schemes, in which criminals misappropriate funds by deceiving financial institutions and their customers into conducting wire transfers. The advisory summarizes the three main stages of e-mail compromise schemes, which involve impersonating victims to submit seemingly legitimate transaction instructions: (i) compromising victim information and e-mail accounts, whereby criminals access an e-mail account via social engineering or computer intrusion techniques; (ii) transmitting fraudulent transaction instructions, whereby criminals use stolen e-mail account information to send financial institutions fraudulent wire transfer instructions; and (iii) executing unauthorized transactions, whereby the fraudulent wire transfer instructions direct the financial institution to deposit the transfers to the criminals’ domestic or foreign banks. The advisory further warned of two prevalent e-mail compromise schemes: (i) Business E-mail Compromise (BEC), which targets commercial customers of financial institutions; and (ii) E-mail Account Compromise (EAC), which targets personal bank accounts. When conducting a BEC scheme, criminals will impersonate company employees, a company supplier, or a company executive to “authorize or order payment through seemingly legitimate internal e-mails.” EAC schemes, however, target individuals conducting large transactions through financial institutions, lending entities, real estate companies, and law firms. Developed in coordination with the FBI and the U.S. Secret Service, the advisory provides red flags for financial institutions to use to identify and prevent BEC and EAC e-mail fraud schemes.

    Fraud FinCEN Privacy/Cyber Risk & Data Security

  • Second Circuit Remands Case to District Court, Rules Web Provider Failed to Show Plaintiff Agreed to Arbitration

    Fintech

    Recently, the Court of Appeals for the Second Circuit vacated in part a district court ruling, specifically its decision to dismiss a plaintiff’s putative-class action claim on the grounds that the plaintiff failed to plausibly state a claim for relief. Nicosia v. Amazon.com, Inc., No. 15-423-cv (2d Cir. Aug. 25, 2016). The district court concluded that a consumer was “bound by the mandatory arbitration provision in [a web provider’s] Conditions of Use” by placing an order on the web-based provider’s site; the Second Circuit was “not convinced.” The court reasoned that “[n]othing about the ‘Place your order’ button alone suggests that additional terms apply, and the presentation of terms is not directly adjacent to the ‘Place your order’ button so as to indicate that a user should construe clicking as acceptance.” The court further noted the web-based provider’s order page was distracting: “there appear to be between fifteen and twenty-five links on the Order Page, and various text is displayed in at least four font sizes and six colors (blue, yellow, green, red, orange, and black), alongside multiple buttons and promotional advertisements.” As a result, the court stated that it did “not hold that there was no objective manifestation of mutual assent here as a matter of law” but instead concluded that “reasonable minds could disagree on the reasonableness of notice.” The case was remanded for further proceedings.

    Arbitration Terms of Use

  • CFSA Releases Positive Payday Loan Testimonials Submitted to the CFPB

    Consumer Finance

    On September 6, the Community Financial Services Association of America (CFSA) released a 2,000-plus page document containing testimonials submitted to the CFPB regarding consumers’ positive experiences with the payday loan industry. A CFSA representative uncovered the allegedly “buried” stories through a Freedom of Information Act (FOIA) request filed December 31, 2015. According to the CFSA, of the newly discovered 12,546 consumer comments regarding the payday loan industry, 12,308 “praised the industry and its products and services, or otherwise indicated positive experiences.” Among other things, the CFSA further noted that (i) since the CFPB implemented its consumer complaint portal in 2011, approximately 1.5% of all complaints received related to the payday loan industry; (ii) in an FTC 2015 summary of consumer complaints, the “FTC found that just 0.003% of more than three million complaints related to payday lending”; and (iii) at least two customer surveys reveal that payday loan borrowers are overwhelmingly satisfied with the product. Regarding the CFPB’s proposed rules to address the short-term lending industry, CFSA CEO Dennis Shaul commented, “[i]t is clear that millions of consumers are satisfied with the payday loan product and services, and do not want the federal government to take this valued credit option away from them.”

    CFPB FTC Payday Lending Consumer Complaints
