InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Obama Administration Issues Executive Order Terminating Côte d'Ivoire Sanctions Programs
On September 14, the White House issued an Executive Order titled “Termination of Emergency with Respect to the Situation in or in Relation to Côte d’Ivoire.” The Executive Order terminates the Côte d’Ivoire-related sanctions program. Accordingly, OFAC updated its SDN List to indicate the removal of the sanctions against the country established under the United Nations Security Council’s Resolution 2284. The Executive Order is effective immediately.
OFAC Publishes Burma-Related FAQ
On September 14, President Obama announced his intent to lift certain sanctions against Burma and to designate it as a least-developed beneficiary developing country for the purposes of the Generalized System of Preferences program, a status that would allow imported products from Burma to enjoy lower tariffs and preferential treatment. Accordingly, OFAC published new FAQ 480 to address the President’s announcement regarding the policy change with respect to Burma. The policy change will take effect when the President issues a new Executive Order and, at that time, OFAC “will formally remove the Burmese Sanctions Regulations from the Code of Federal Regulations and take other administrative actions as necessary.”
DOJ Declines FCPA Charges Against UK-Based Pharmaceutical Company Following SEC Settlement
In conjunction with the SEC’s recent settlement with a U.K.-based pharmaceutical company, the company announced on August 30 that the DOJ has closed its parallel foreign bribery investigation. As detailed here, the SEC settled charges against the company for allegedly improper payments made by its wholly owned subsidiaries in China and Russia. Under the SEC settlement, the company agreed to disgorge $4.325 million and pay a $375,000 civil penalty with $822,000 in prejudgment interest.
DOJ and SEC Decline FCPA Action Against California-Based Software Company
On September 8, a California-based software company disclosed in its annual statement that following an investigation into its operations in Russia and certain of the Commonwealth of Independent States, the DOJ and SEC have both declined to bring enforcement actions under the FCPA. An announcement of possible violations was first disclosed in the December 2013 blog post by Roxane Marenberg, Vice President and Deputy General Counsel in the company’s Global Compliance Enablement division. In the post, Marenberg stated that the company was conducting an investigation into alleged FCPA violations at the request of the SEC and DOJ in response to a communication those agencies had received concerning the company’s operations and discounting practices. The company’s disclosures did not provide any further detail about the nature of the business activities being investigated.
Special Alert: NYDFS Stakes Claim on Cybersecurity Regulation
On September 13, the New York Department of Financial Services (DFS) issued a proposed rule establishing cybersecurity requirements for financial services companies, and has thus ventured into new territory for state regulators. In the words of Governor Cuomo, “New York, the financial capital of the world, is leading the nation in taking decisive action to protect consumers and our financial system from serious economic harm that is often perpetrated by state-sponsored organizations, global terrorist networks, and other criminal enterprises."
Given the concentrated position of financial service companies in New York and the regulation’s definition of a Covered Entity – which includes “any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the banking law, the insurance law or the financial services law” – it could create an almost de facto national standard for medium to large financial services companies, regardless of where they keep their servers or suffer a cyberattack. This type of state-level regulation is not unprecedented. In 2003, California passed a data breach notification law that requires companies doing business in California to notify California residents of the breach and more recently amended the law to require 12 months of identity protection and strengthen data security requirements. In 2009, Massachusetts enacted a regulation mandating businesses implement security controls to protect personal information relating to state residents.
The DFS designed the regulation to protect both consumers and the financial industry by establishing minimum cybersecurity standards and processes, while allowing for innovative and flexible compliance strategies by each regulated entity. Yet the proposed regulation goes further than to just ask financial entities to conduct a risk assessment and to design measures to address the identified risks.
Click here to view the full Special Alert.
* * *
Questions regarding the matters discussed in this Alert may be directed to any of our lawyers listed below, or to any other BuckleySandler attorney with whom you have consulted in the past.
- John P. Kromer, (202) 349-8040
- Elizabeth E. McGinn, (202) 349-7968
Credit Union National Association: Credit Unions Remain Exempt from the FDCPA
On September 9, the Credit Union National Association (CUNA) sent a letter to the CFPB regarding the CFPB’s initial outline of the proposed rule for third party debt collectors. The letter asserts that, since the Fair Debt Collection Practices Act (FDCPA) was enacted, credit unions have been exempt from the statute’s rules and that to extend any rulemaking pursuant to the statute to include credit unions would be “unlawful.” The CUNA distinguishes credit unions from for-profit debt collectors subject to the FDCPA, claiming that credit unions’ collection approach is more holistic: “They are not just interested in short-term efforts of collecting a debt; instead, they try to find out the specific cause of their member’s financial challenge.” The CUNA is concerned that certain aspects of the CFPB’s proposal as outlined, including the “highlight technical substantiation and oversight requirements,” would negatively impact credit unions. The CUNA reminded the CFPB that pursuant to the Small Business Regulatory Enforcement Fairness Act (SBREFA), it is required to consider the recommendations in its letter before finalizing any rule.
Top 20 Bank Settles with DOJ Over Alleged Violations of the False Claims Act
On September 13, the DOJ announced a $52.4 million settlement with a top 20 bank to resolve allegations that it violated the False Claims Act by knowingly originating and accepting FHA-insured mortgage loans that did not comply with HUD origination, underwriting, and quality control requirements. It is the smallest settlement of a False Claims Act FHA-insured mortgage loans case against a bank to date as part of the government’s recent enforcement initiative in this area. According to the Statement of Facts issued as part of the settlement agreement, from January 1, 2006 through December 31, 2011 (relevant time period), the bank, while acting as a direct endorsement lender (DEL) in the FHA program, (i) certified certain mortgage loans for FHA insurance that failed to meet HUD underwriting requirements regarding borrower creditworthiness; (ii) failed to adhere to various HUD quality control requirements; and (iii) failed to adhere to HUD’s self-reporting requirements. The DOJ noted that the “claims asserted against [the bank] are allegations only, and there has been no determination of liability.” BuckleySandler represented the bank in this matter.
FFIEC Revises Information Security Booklet
On September 9, the FFIEC updated its Information Security booklet, a key element of its Information Technology Examination Handbook. The booklet is intended to provide examiners with guidance on assessing a financial institution’s information security operations, and is divided into the following four main sections: (i) Governance of the Information Security Program; (ii) Information Security Program Management; (iii) Security Operations; and (iv) Information Security Program Effectiveness. In addition to offering technology-centric recommendations such as encryption, the booklet advises firms to create security processes and risk assessment “commensurate with their operational complexities.” It also advises financial institutions to “have strong board and senior management support, promote integration of security activities and controls throughout the institution’s business processes, and establish clear accountability for carrying out security responsibilities.” As expected, the booklet highlights the importance of implementing effective oversight of third-party service providers. Pursuant to sub-section II.C.20, in order to ensure effective oversight of third-party service providers, management should, among other things, determine when third-parties identify, measure, mitigate, monitor, and report cyber risks so as to “facilitate a comprehensive understanding of the institution’s exposure to third-party cyber threats.”
Bank Regulators Signal Changes to Capital Holding Requirements
On September 8, the Federal Reserve Board (FRB) released a policy statement providing details regarding its Countercyclical Capital Buffer Framework (Framework). The FRB explained that the Framework is designed to implement requirements under the Basel III International bank capital rules, and will generally raise capital holding requirements for internationally active banks when there is an elevated risk of systemic credit losses. In responding to comments, the FRB used the policy statement to clarify that when the systemic threat is reduced, banks would be allowed to release excess capital into the economy to further create financial stability. Meanwhile, the Group of Central Bank Governors and Heads of Supervision (Group) that oversees the Basel Committee on Banking Supervision (Committee) cautioned the Committee to avoid significant increases in overall bank capital requirements as the Committee creates a final rule to address excessive variability in risk-weighted assets. The Group expressed its desire that the Committee focus on improving and harmonizing the methods through which banks determine their own risks. The Committee’s final rule is due by year’s end.
CFPB Issues Consent Order to National Bank Over Account Operations
On September 8, the CFPB issued a consent order to a national bank to resolve allegations that its employees opened deposit and credit card accounts for consumers without obtaining consent to do so. According to the CFPB’s consent order, the respondent implemented an incentive compensation program under which employees “engaged in Improper Sales Practices to satisfy goals and earn financial rewards.” The CFPB alleges that the bank’s employees’ Improper Sales Practices were unfair and abusive. Specifically, the consent order alleges that the employees, possibly without consumers’ knowledge or without their consent, (i) opened more than 1.5 million deposit accounts and subsequently transferred money from consumers’ existing accounts to fund the newly opened accounts; (ii) submitted approximately 565,000 credit card account applications on behalf of consumers, with consumers consequently incurring late, annual, and over-draft fees on such accounts; (iii) issued debit cards and created personal identification numbers to activate the cards; and (iv) enrolled consumers in online-banking services. Pursuant to the consent order, the bank, among other things, must pay a civil penalty of $100 million and an expected $2.5 million in consumer redress.