InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Massachusetts Division of Banks Issues New Cybersecurity Exam Procedures
Recently, the Massachusetts Division of Banks released examination procedures that incorporate cybersecurity as a module in all of its examinations of banks and non-bank licensees. The procedures contain two separate workbooks. The first, NDIS IT/Information Security Examination Work-program, contains questions related to a Licensee’s (i) risk assessment and management oversight; (ii) written information security program; (iii) data security operations; (iv) business continuity and disaster recovery; (v) cybersecurity; and (vi) IT audit. Section VII of the workbook provides space for an examination summary, and Section VIII of the first workbook contains various links to examination resources, including, but not limited to, the FFIEC Interagency Guidelines Establishing Information Security Standards, and a copy of 201 CMR 17.00 – Standards for the Protection of Personal Information of Residents of the Commonwealth. The second, Non-Depository Institution Supervision Information Technology Officer’s Questionnaire, “contains questions covering significant areas of the Licensee’s [IT] function.”
Last year, the Division sent a communique to CEOs of regulated institutions encouraging them to do a cybersecurity assessment using the FFIEC tool and noted that it would be looking at those assessments in future examinations.
Pennsylvania District Court Addresses "Public International Organization" Aspect of FCPA
The relatively sparse judicial caselaw on the FCPA expanded last week with a new opinion interpreting the “public international organization” language in the statute. In an opinion denying the defense’s Motion to Dismiss an indictment originally brought in 2015, Judge Paul Diamond of the United States District Court for the Eastern District of Pennsylvania found that the FCPA “plainly” applies to public international organizations. United States v. Dmitrij Harder, No. 2:15-cr-00001 (E.D. Pa. Mar. 2, 2016). Combined with the Eleventh Circuit’s 2014 opinion in Esquenazi, the contours of the types of foreign government entities subjecting defendants to FCPA sanctions are beginning to be fleshed out. (Previous coverage of the Esquenazi case can be found here.)
Dmitrij Harder – a Russian national, German citizen, and U.S. permanent resident – owned and operated two consulting companies that, in 2007 and 2009, assisted two different independent energy companies in obtaining financing from the European Bank for Regional Development (the “EBRD”). The EBRD is a multilateral development bank founded in 1991 to foster the growth of businesses operating in the former Soviet Union. Today it invests throughout Europe and is jointly owned by sixty-four countries.
The DOJ charged Harder in 2015 with 14 counts of violating the FCPA, the Travel Act, and money laundering. The government alleged that the energy companies entered into agreements with Harder whereby they agreed to pay him success fees upon receiving financing from the EBRD. After both companies obtained sizable investments from the EBRD – one company received an $85 million investment; the other a $40 million investment and $60 million loan – they allegedly paid Harder success fees totaling almost $8 million. Shortly after the success fees were paid, Harder allegedly wired payments totaling almost $3.5 million to the sister of an EBRD official. The government alleged that the sister of the EBRD official entered into sham consulting agreements with Harder’s companies, making it appear that the payments were made for services rendered under the agreements, but no such services were actually performed.
In arguing for dismissal of the FCPA counts of the indictment, Harder challenged the sufficiency of the Indictment on several bases, including a failure to plead the involvement of a “foreign official,” and that the Indictment impermissibly substituted the phrase “foreign government or instrumentality thereof” with “public international organization” in reciting the fourth of the FCPA’s proscribed corrupt purposes: “inducing such foreign official []to use his []influence with a foreign government or instrumentality thereof to affect or influence any act or decision of such government or instrumentality.” 15 USC 78dd-2(a)(3)(B).
On the first challenge, Judge Diamond rejected the idea that officials of EBRD could not qualify as “foreign official[s]” within the FCPA’s prohibitions. Op. at 6; see also Op. at 8 (noting that “whether EBRD falls within the FCPA’s ambit is necessarily a ‘fact-bound question[]’ properly decided by a jury”). On the second challenged, Harder had maintained that permitting the government to substitute “public international organization” into the statute would create an entirely new offense with no basis in the statute. Rejecting this argument, Judge Diamond pointed out that public international organizations are themselves “an association of foreign governments.” Op. at 7. He reasoned that refusing to allow this substitution in the language of indictments where a public international organization, rather than a foreign government, is involved would “make it impossible to prosecute any public international organization employee who unlawfully used his position,” calling this “an absurd result” in light of Congress’ decision to include public international organizations within the scope of the FCPA. Op. at 7.
Harder also raised two challenges to the constitutionality of the FCPA’s inclusion of the EBRD. In 1998, the FCPA was amended to include employees of public international organizations within the scope of the Act’s prohibition on certain corrupt payments. The 1998 amendments brought employees of two groups of public international organizations within the scope of the FCPA; (1) those organizations that the President declares by Executive order are covered by the FCPA, and (2) those organizations identified pursuant to the International Organization Immunities Act (“the IOIA”), 22 USC 288. The IOIA allows the President, acting by executive order, to provide public international organizations in which the US participates with legal capacity, certain immunities, and privileges under US law. In 1991, the EBRD was designated a public international organization under the IOIA, and so it became subject to the FCPA after the 1998 amendments.
First, Harder argued that the FCPA’s inclusion of the EBRD and other public international organizations violates the non-delegation doctrine, which provides that where Congress delegates legislative authority it must do so with “an intelligible principle” to guide the exercise of the delegated authority. United States v. Cooper, 750 F.3d 263, 270 (3d Cir. 2014). Harder argued that Congress, by allowing the President to expand the list of public international organizations covered by the FCPA by executive order, impermissibly delegated its legislative function to the executive branch. Judge Diamond rejected this argument, finding that the legislative scheme enacted by Congress constrains the President’s ability to add public international organizations to the scope of the FCPA, and that the clearly stated purposes of the FCPA provide sufficient guidance. Op. at 9-11.
Second, Harder argued that the FCPA’s inclusion of the EBRD violates the void-for-vagueness doctrine, which provides that a criminal law is void if it fails to define the offense in a way that “ordinary people can understand what conduct is prohibited” and in a way that does not encourage “arbitrary and discriminatory enforcement.” Skilling v. United States, 561 U.S. 358, 402-403 (2010). Harder argued that the somewhat circuitous route by which the EBRD was made subject to the FCPA renders the law unconstitutionally vague because it would require individuals to monitor whether a particular public international organization has been the subject of an executive order that subjects it to the FCPA. Judge Diamond rejected this argument also, finding that an ordinary person could research the status of a public international organization. Judge Diamond also pointed out that there is a publicly available list of all public international organizations subject to the FCPA, and that the FCPA’s knowledge requirement alleviated any concern that a defendant might unwittingly violate the FCPA. Op. at 13.
District Judge Bans Company from Collecting and Disclosing Consumer Information
Recently, the U.S. District Court for the District of Nevada granted in part the FTC’s motion for summary judgment and motion for default judgment against a company, its subsidiaries, and seven individuals (collectively, defendants) for allegedly participating in a scheme to defraud consumers. FTC v. Ideal Fin. Solutions, Inc., No. 2:13-00143 (D. Nev. Feb. 23, 2016). According to the FTC, the defendants misrepresented themselves as consumer credit experts and bought previously declined payday loan applications from data brokers that contained personal information, such as Social Security numbers and bank accounts numbers. The district court found that the FTC “reasonably approximated the consumer-loss amount attributable to defendants: they are jointly and severally liable for $43,083,723, except for [one individual], who is jointly and severally liable for $36,575,542.” In addition, the court banned (i) all the defendants from collecting or disclosing consumer-account information without the consumer’s authorization; and (ii) three defendants from marketing, selling, and handling credit-related products or services.
CFPB Adopts Procedural Rule Establishing Application Process for the Designation of Rural Areas
On March 3, the CFPB adopted a procedural rule to establish an application process for identifying an area as rural or underserved that the CFPB, pursuant its authority under the Dodd-Frank Act, had not yet designated as rural. In December 2015, Congress passed the FAST Act, which contained several provisions intended to provide regulatory relief to community banks, including implementing a process under which banks and other stakeholders could petition the CFPB for rural or underserved designations in certain areas for the purposes of Federal consumer financial law. The CFPB’s recently issued procedural rule establishes such an application process. Under the process, banks must submit an application—by mail, email or hand delivery—to the CFPB Rural Application Coordinator containing, among other things, the following: (i) identifying information for the proposed designated rural area; (ii) justification for the proposed designation, providing supporting information from the U.S. Census Bureau, the Office of Management and Budget, the Department of Agriculture, and the State Bank Supervisor; and (iii) the area’s population density, including comparative information regarding “the population density of any nearby area with a greater population density that has been designated by the Bureau as a rural area.” The CFPB will begin accepting applications on March 31, 2016.
FinCEN Announces Proposed Rule to Amend FBAR Regulations
On March 1, FinCEN announced a Notice of Proposed Rulemaking to revise certain provisions in the rules related to the filing of Reports of Foreign Bank and Financial Accounts (FBAR). The proposed rule would, among other things, (i) remove provisions allowing limited account information to be reported when a filer has at least 25 foreign financial accounts; (ii) clarify and expand exemptions for officers and employees of institutions maintaining signature or other authority over accounts, but have no financial interest in such accounts; (iii) require institutions to maintain a list of the officers and employees with signature authority over accounts; (iv) amend the filing date for FBAR reports due in 2016; and (v) revise the FinCEN Form 114 instructions, which outline the BSA electronic filing requirements. Due to potential regulatory changes, FinCEN previously issued temporary notices to extend reporting deadlines for certain filers submitting FBARs.
Department of Commerce Reveals EU-U.S. Privacy Shield Framework
This week, the Department of Commerce released a package related to the EU-U.S. Privacy Shield Framework for transatlantic data flows. In February, the European Commission announced that the U.S. and the European Commission had agreed to a new Framework, but the Department of Commerce’s recently issued package is the first time the text of the agreement has been made available to the public. In addition to including the Framework itself, the package contains various copies of correspondence from U.S. officials discussing matters related to the Framework and how the appropriate U.S. government agencies will ensure the Framework, if adopted, will be enforced. Among other things, the new agreement (i) requires companies to respond to consumer complaints within 45 days of receiving the complaint; and (ii) describes a binding arbitration option for “certain ‘residual’ claims as to data covered by the EU-U.S. Privacy Shield.” Significantly, as noted in a statement from the European Commission, a final decision regarding the implementation of the Framework has not yet been made: “Now, a committee composed of representatives of the Member States will be consulted and the EU Data Protection Authorities (Article 29 Working Party) will give their opinion, before a final decision by the [members of the Commission]. In the meantime, the U.S. side will make the necessary preparations to put in place the new framework, monitoring mechanisms and the new Ombudsperson mechanism.”
On a related note, President Obama signed the Judicial Redress Act last week, which will lead to the highly anticipated signature of the EU-U.S. Data Protection Umbrella Agreement.
HUD Reaches $2.8 Million Settlement Over Redlining Allegations
On February 29, HUD announced an agreement with a Kansas City-based bank over its alleged redlining practices against African-American mortgage applicants. Two fair housing organizations (Complainants) filed separate complaints with HUD in October 2015 alleging that the bank engaged in discriminatory acts and violated the Fair Housing Act. According to Complainants, the bank’s “lack of market penetration in African-American communities made residential real estate products less available to persons based on race.” Complainants further alleged that the bank “designated their service area, or assessment area, in a way that excluded areas of high African-American concentration, which resulted in making residential real estate products less available to persons based on race” – a practice generally referred to as redlining. The agreement requires that the bank must, during the three-year agreement period: (i) allocate $75,000 in subsidy funds to provide discounts on home purchase loans to majority African-American census tracts in the Kansas City area; and (ii) originate $2.5 million in mortgage loans in African-American neighborhoods. Additional fair lending financing commitments pursuant the agreement require that the bank: (i) establish a loan pool of $105,000 to rehabilitate vacant or destroyed homes; (ii) spend $50,000 on marketing and outreach to African-American communities; (iii) provide $30,000 to support financial education in African-American communities; and (iv) spend $50,000 in support of the Complainants’ fair lending and community reinvestment work. The bank will also be required to appoint a Community Development Lender to focus on African-American neighborhoods and other lower-income communities. Finally, dependent upon the OCC’s approval of the bank’s application for a merger, the bank will be required to maintain three full-service branches in majority-minority census tract in the Kansas City area.
OIG Conducts Review of Department of Education Program for Ensuring Compliance with SCRA
On February 29, the Department of Education Office of Inspector General (OIG) published a response to a congressional request that the OIG conduct a review of student loan servicers’ compliance with the SCRA. The OIG analyzed SCRA reviews performed by the Department of Education (Department), obtained relevant documentation, and met with officials involved in planning and conducting SCRA program reviews. The OIG found that the Department’s sampling design for SCRA reviews did not accurately identify borrowers eligible for SCRA benefits. Specifically, the OIG found that the Department’s May 26, 2015 press release claiming 99% compliance with the SCRA was unreliable; of the 597 loans that the OIG reviewed, only 55 requested SCRA benefits and only 37 were eligible. The OIG also noted that the Department “did not make any effort to require the TIVAS [Title IV Approved Student Loan Servicers] to identify and correct all potential instances of incorrect denials of the SCRA interest rate cap.”
OCC Updates Civil Money Penalties Policies and Procedures
On February 26, the OCC published Bulletin 2016-5 to revise its Policies and Procedures Manual (PPM) to establish new guidance on the agency’s policies and procedures for assessing civil money penalties (CMP) against national banks, thrifts, service providers, and institution-affiliated parties. The newly issued PPM 5000-7 (REV), “Civil Money Penalties,” replaces the following documents: (i) the June 16, 1993 Banking Circular 273, “Civil Money Penalties”; (ii) the May 21, 1993 PPM 5000-27 (REV), “Civil Money Penalty Assessment for Delinquent or Inaccurate Call Reports,” as well as the similarly titled and dated Banking Circular 270 issue; and (iii) the December 3, 2009 OTS Regulatory Bulletin 18-3b, “Enforcement Policy Statement on Civil Money Penalties.” In addition to detailing the agency’s procedural process for determining CMP amounts under 12 USC 1818(i) and for determining the level of action against an institution, the bulletin includes matrices that outline 14 different factors the OCC considers when assessing the severity of a violation against institutions and institution-affiliated parties.
California AG Harris: Department of Education Should Revise Regulations to Protect Students Defrauded by For-Profit Colleges
Last week, California AG Kamala Harris requested that the Department of Education revise its proposed regulations regarding debt relief for students allegedly misled by “predatory” and for-profit colleges that advertise inflated job placement rates and asked that the Department “do more” to protect the students affected. Defrauded students have a right under Federal law to have loans discharged when their schools engage in misrepresentations and other unlawful conduct. According to AG Harris, the process for asserting this right is unclear. While the Department has emphasized that it intends to enforce an effective and streamlined loan discharge process to provide students’ relief, in the second of three negotiated rulemaking sessions, the Department “unveiled proposed language that contradicts the intent of previous discussions by narrowing, limiting, and delaying student relief.” In response to the Department’s proposal, Harris called on the Department to revise its regulations in a manner that ensures “fair and effective defense-to-repayment procedures.” Specifically, AG Harris commented that the procedures must (i) refer to state law for a basis to assert a defense; (ii) not include a statute of limitations for borrowers to assert a defense to repayment; (iii) provide procedures for broad and instantaneous relief to student borrowers affected by schools’ deceptive practices; and (iv) ban schools from making the discharge process burdensome and expensive.