InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Treasury Deputy Secretary Raskin Delivers Remarks On Cybersecurity and Insurance
On September 10, Deputy Secretary of the Treasury Sarah Bloom Raskin delivered remarks at the Center for Strategic and International Studies Strategic Technologies Program in Washington, D.C. After summarizing threats posed to U.S. companies and strategic interests, citing to notable recent cyberattacks, Raskin laid out the roles governments, the insurance industry, and state insurance regulators can take in responding to cyberattacks.
Raskin noted that governments can facilitate information-sharing related to cyber threats and deter incidents through law enforcement and diplomatic engagement as well as by imposing financial sanctions on wrongdoers overseas. The insurance sector can gauge the risks and costs posed by cyber incidents and provide an important risk mitigation tool by allowing policyholders to transfer some financial exposure associated with cyber events. The insurance qualification and underwriting process also encourages businesses to engage in increased cybersecurity and risk-mitigation activities. Finally, state insurance regulators can assist response by setting standards for cybersecurity and the protection of the sensitive information of policyholders at the entities that they regulate.
CFPB Issues Consent Orders Regarding Debt Collection Practices
On September 9, the CFPB ordered the two largest U.S. debt buyers and collectors to pay a combined total of nearly $80 million in civil penalties and consumer restitution related to their debt collection practices. The CFPB alleged that both companies, among other things, engaged in robo-signing, sued (or threatened to sue) on stale debt, made inaccurate statements to consumers, and engaged in other illegal collection practices. In particular, the CFPB criticized the practice of purchasing debts without obtaining important documentation or information about the debt, or verifying to ensure the debts were accurate and enforceable before commencing collection activities. Under the consent orders, one company agreed to provide up to $42 million in consumer refunds, pay a $10 million civil money penalty, and cease collecting on a portfolio of consumer debt with a face value of over $125 million. The other company agreed to provide $19 million in restitution, pay an $8 million civil money penalty, and cease collecting on a consumer debt portfolio with a face value of over $3 million. In addition, both companies are also generally prohibited from reselling consumer debt. In prepared remarks announcing the enforcement action, CFPB Director Richard Cordray noted, “the terms of the orders will help reform and improve the tactics and approaches” within the debt collection market. The CFPB’s action comes as the industry anticipates the CFPB’s issuance of new debt collection rules.
Banking Trade Associations Urge Senate Leaders to Pass Regulatory Relief Legislation for Community Institutions
On September 8, four trade associations representing 14,000 financial institutions – the American Bankers Association, the Credit Union National Association, the Independent Community Bankers of America, and the National Association of Federal Credit Unions – submitted a letter to Senate Banking Committee Chairman Richard Shelby and Ranking Member Sherrod Brown urging them to enact bipartisan legislation that would provide “regulatory relief to community financial institutions.” The letter describes the measures that community banks have been forced to make to address the “growing volume and complexity of regulations,” including cutting back on their loan officers ranks in favor of additional compliance staff and adjusting or eliminating financial products and services offered to consumers. The letter urges the Senate to pass the Financial Regulatory Improvement Act of 2015, S. 1484, which was approved by the Senate Banking Committee in May. This legislation, the letter claims, will “addresses statutory and regulatory obstacles that thwart the ability of community banks and credit unions to fully serve the diverse financial services needs of consumers.”
Pennsylvania Regulator Addresses Cybersecurity
On September 8, Pennsylvania Department of Banking and Securities’ Secretary Robin Wiessmann issued a letter to Pennsylvania state-chartered, licensed, and registered financial services institutions and companies regarding the Department’s cybersecurity efforts to “prevent and defend against cyberattacks, reduce vulnerability, minimize damage and recover times, and promote awareness and education.” The letter encourages such entities to (i) develop cybersecurity attack prevention and mitigation plans; (ii) identify their cybersecurity vulnerabilities; (iii) evaluate the means necessary to protect their networks and data; (iv) conduct regular vulnerability assessments and penetration tests of their networks; (v) encrypt customer and investor data; (vi) ensure their operating systems are up-to-date; (vii) frequently update and utilize anti-virus software; and (viii) train and evaluate their staff and vendors, as well as educate their customers, regarding cybersecurity risks. In addition to reminding the Department’s regulated financial institutions and companies of the FFIEC’s June 30 release of a self-assessment tool designed to help evaluate cybersecurity risk, the letter also urges such entities to review the SEC's April 2015 cybersecurity guidance, which identifies cybersecurity “best practices” for registered investment companies and registered investment advisers.
In a separate September 8 press release, the Department announced the formation of a Cybersecurity Task Force. Comprised of regulatory, legal, and information technology staff, the task force is one of the first created by a state financial regulator to provide financial service companies with resources to address cybersecurity issues.
Two Additional Former PetroTiger Employees Sentenced Following FCPA Conspiracy Guilty Pleas
On September 10, Gregory Weisman, former general counsel of oil and gas services company PetroTiger, and Knut Hammarskjold, PetroTiger’s co-founder, were each sentenced to two years’ probation stemming from their prior guilty pleas to conspiring to violate the FCPA and commit wire fraud in connection with a bribe paid to an employee of Colombia’s state-run oil company in order to win a $45 million oil-services contract.
Both Mr. Weisman and Hammarskjold were ordered to pay restitution as well as fines of $30,000 and $15,000, respectively. Mr. Weisman’s and Mr. Hammarskjold’s sentencing occurred almost three months after the third PetroTiger co-conspirator, former CEO Joseph Sigelman, received a three-year probation sentence in connection with the same bribes. Mr. Weisman had been the key witness against Mr. Sigelman at Mr. Sigelman’s June 2015 trial, but the trial abruptly ended after Mr. Sigelman entered a plea deal. The DOJ announced the plea after Mr. Weisman informed the court that he gave false testimony regarding the terms of his cooperation agreement. At Mr. Weisman’s sentencing, the District Judge referred to the abrupt turn of events at Mr. Sigelman’s trial as “the elephant in the room” but noted that misstatements by Mr. Weisman were “peripheral” to the charged offenses.
FTC Chairwoman Ramirez Urges Start-Ups to Establish a "Culture of Security"
On September 9, FTC Chairwoman Edith Ramirez delivered remarks at the Start For Security workshop, an FTC initiative intended to provide start-ups and developers with the resources and information necessary to integrate effective data security strategies into their products. In her remarks, Ramirez advised companies to establish a “culture of security” by: (i) embedding privacy and security into the development process of apps and other products; (ii) testing the product to ensure that security defaults work properly and controls are secure; and (iii) establishing a “bug bounty” program or a contact point for when flaws, bugs, and vulnerabilities in software are discovered.
State AGs File Amicus Brief With U.S. Supreme Court in FCRA Standing Case
On September 9, the Massachusetts Attorney General announced that her office, along with 12 other states and the District of Columbia, had filed with the U.S. Supreme Court an amicus brief supporting the plaintiff-respondent in Spokeo v. Robins. (Previous InfoBytes coverage can be seen here). The putative class-action plaintiff in that case claimed that an online data broker published inaccurate information about him in violation of the Fair Credit Reporting Act (FCRA). Reversing the district court, the U.S. Court of Appeals for the Ninth Circuit held that the violation of a statutory right created by FCRA was, in itself, a sufficient injury to confer standing to sue under Article III of the Constitution. In their multistate amicus brief, the AGs argued that the Supreme Court should affirm this holding. The states asserted that businesses frequently rely on consumer data profiles to make important credit, employment, housing, and insurance decisions. However, “the damage done by . . . an inaccurate data profile is frequently impossible for the affected consumer to detect or quantify,” they argued. Accordingly, “Congress rightly has authorized statutory damages for a willful violation of the FCRA.” The AGs asserted that, given their limited resources, statutory damage cases and private class actions are needed to supplement their own consumer protection actions.
Leading Casino Settles with FinCEN for $8 Million for BSA Violations
On September 8, FinCEN announced the assessment of an $8 million civil money penalty against a leading U.S.-based casino for its willful violations of the BSA’s requirements to develop and implement a reasonably designed AML program and to report suspicious activity. Among other things, FinCEN alleged that the casino failed to implement adequate internal controls, conduct adequate independent testing of AML compliance, provide adequate training, and file SARs. Of note were private gaming salons that cater to wealthy patrons and allowed such patrons to gamble anonymously. In addition to the $8 million penalty, which will be allowed as a general unsecured claim in the casino’s bankruptcy proceeding (pending approval of the consent by the bankruptcy court), the casino must also, among other things, hire an independent third party to test its BSA/AML compliance program, annually provide its implementation plan and training program to FinCEN for a period of three years, and conduct a look-back review of all transactions through branch offices in Asia and California for SAR compliance.
Mortgage Banking Firm Settles with DOJ for Participation in Fraudulent Reimbursement Scheme
On September 4, the DOJ announced a settlement of more than $29 million with a Florida-based mortgage banking firm in connection with violations of the False Claims Act. The firm’s subsidiaries participated in HUD’s Home Equity Conversion Mortgages (HECM) program, which insures reverse mortgage loans by reimbursing lenders that are unable to recoup the full amount of a reverse mortgage loan once the loan becomes due and payable. HUD will reimburse sales commissions paid to real estate agents in connection with the liquidation of foreclosed properties, but will not reimburse fees paid to real estate agents for referrals of loans to be liquidated. According to the DOJ, from July 2010 to October 2014, the firm used straw companies to split commissions with real estate agents, and then later submitted claims to HUD for reimbursement of the full commission amount. Additionally, from August 2009 to March 2015, the firm encouraged its subsidiaries to submit false debenture interest claims to HUD. Specifically, the subsidiaries neglected to disclose that they had failed to meet certain required regulatory deadlines and were therefore not entitled to interest payments. The DOJ stated that the settlement “represents a significant milestone in [the DOJ’s] long standing campaign against mortgage fraud.”
FTC to Host Privacy and Security Event
On August 28, the FTC announced that it will hold a public event, PrivacyCon, to examine current research and trends in protecting consumer privacy and security. Several “whitehat” researchers, academics, industry representatives, consumer advocates, and a range of government regulators are scheduled to address, among other things, how companies can protect against new security vulnerabilities. PrivacyCon will take place in Washington, D.C. on January 14, 2016.