On December 5, the FTC and the Ohio attorney general announced that the U.S. District Court for the Western District of Texas issued a temporary restraining order (TRO) against a VoIP service provider and its foreign counterpart for facilitating (or consciously avoiding knowledge of) a “phony” credit card interest rate reduction scheme run by one of the provider’s client companies, which is at the center of a joint FTC/Ohio AG action. As previously covered by InfoBytes, the original complaint alleged that a group of individuals and companies—working in concert and claiming they could reduce interest rates on credit cards—had violated the FTC Act, the Telemarketing Sales Rule, and various Ohio consumer protection laws. In addition to obtaining a TRO against the most recently added alleged participants, the FTC and Ohio AG amended their July complaint to add the telecom companies as defendants, alleging that the companies “played a key role in robocalling consumers to promote a credit card interest reductions scheme.”
On December 6, the DOJ announced that it entered into a deferred prosecution agreement with a Sweden-based telecommunications company, in which the company agreed to pay more than $1 billion in criminal and civil penalties related to alleged violations of the FCPA’s anti-bribery, books and records, and internal controls provisions. The company’s Egyptian subsidiary also pleaded guilty in New York federal court to a one-count criminal information charging it with conspiracy to violate the FCPA’s anti-bribery provisions. The SEC simultaneously announced a resolution with the company. Under the terms of the agreements, the company agreed to pay a criminal fine of more than $520 million to the DOJ, and will cooperate with any ongoing investigations, enhance its compliance program, and be subject to an independent compliance monitor for three years. An additional $540 million in disgorgement and interest will be paid to the SEC. The announcements cited improper payments and accounting practices involving five countries and various third-party agents. The company received partial cooperation credit and a 15 percent criminal fine reduction for (i) “conducting a thorough internal investigation” and “making regular factual presentations to the [D]epartment”; (ii) voluntarily making foreign witnesses available to prosecutors; and (iii) “producing extensive documentation and disclosing some conduct of which the [D]epartment was previously unaware.” Additionally, the DOJ recognized the company’s measures to improve its anti-bribery compliance processes.
On December 4, FinCEN announced the release of a Financial Trend Analysis titled “Elders Face Increased Financial Threat from Domestic and Foreign Actors.” In compiling the report, FinCEN reviewed Bank Secrecy Act (BSA) elder financial exploitation suspicious activity reports (SARs) filed from 2013 to 2019 to detect patterns and trends. Among other things, the study found that (i) elder financial exploitation filings nearly tripled during the study period, from around 2,000 per month in 2013 to nearly 7,500 in 2019, the majority of which were filed by money services businesses (MSBs) and depository institutions; (ii) while the number of SARs filed by MSBs ebbed and flowed from 2013 to 2019, the number filed by depository institutions steadily increased; (iii) MSBs filed nearly 80 percent of all SARs describing financial scams, while securities and futures firms filed just over 70 percent of all SARs describing theft; (iv) financial theft from elders is most frequently perpetrated by family members or caregivers; (v) SARs indicated that the most common scams were lottery, person-in-need, and romance scams, in the majority of which elder victims transferred funds through MSBs; and (vi) money transfer scam SARs were most commonly filed by MSBs that transferred money to a receiver located outside the U.S.
On December 2, the FDIC announced the release of its full enforcement manual (manual). According to the accompanying Financial Institution Letter (FIL-76-2019), the manual, which was posted to the FDIC website, is meant to “support the work of field office, regional office, and Washington office staff involved in processing and monitoring enforcement actions.” The letter states that the manual was released to promote “greater transparency” to FDIC-insured institutions and other interested parties regarding the agency’s enforcement policies and procedures. Additionally, the letter cautions that the manual “does not interpret any law or regulation” nor does it “establish supervisory requirements” or “industry guidance.”
On November 25, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced a $466,912 civil settlement with a California-based technology company to resolve alleged violations of the Foreign Narcotics Kingpin Sanctions Regulations (FNKSR). According to OFAC, the company voluntarily disclosed that it hosted a sanctioned Slovenian software developer on its platform and collected more than $1 million in payments from customers who downloaded the developer’s apps. The company’s actions—which included hosting, selling, and facilitating the transfer of the developer’s software and associated content, as well as processing 47 payments between 2015 and 2017—were in violation of the FNKSR because OFAC’s List of Specially Designated Nationals and Blocked Persons identified the developer as a significant foreign narcotics trafficker (SDNTK).
In arriving at the settlement amount, OFAC considered various mitigating factors, including that (i) the company voluntarily disclosed the violations and continued to cooperate by promptly responding to information requests; (ii) the volume and payment amounts were not significant when compared to the company’s total annual transaction volume; (iii) OFAC had not found the company in violation of sanctions in the five years preceding the earliest date of the transactions at issue; and (iv) the company has strengthened its compliance program to minimize the risk of recurrence.
OFAC also considered various aggravating factors, including that (i) the alleged conduct demonstrated a “reckless disregard for U.S. sanctions requirements”; (ii) the company’s processing of payments conferred a significant economic benefit on the developer; and (iii) the company failed to take timely corrective action after identifying the developer as an SDNTK and continued to process payments.
On December 3, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced additions to the Specially Designated Nationals List (SDN List) pursuant to Executive Order 13884, which blocks the property of the Venezuelan government. OFAC identified six tankers of Venezuela’s state-owned oil company as property of the Venezuelan government, and therefore as blocked property, after all of the vessels recently transported petroleum to Cuba. A seventh tanker was also identified as blocked property, pursuant to Executive Order 13850, for operating in the oil sector of the Venezuelan economy after delivering Venezuelan petroleum to Cuba. According to the press release, the vessel’s name had been changed to circumvent sanctions as it moved Venezuelan oil to Cuba, and the SDN List was updated to link the vessel’s new name to its former name. OFAC reiterated that its “regulations generally prohibit all transactions by U.S. persons or within (or transiting) the United States that involve any property or interests in property of blocked or designated persons.”
On November 19, Neustar released a report showing a 241 percent increase in Distributed Denial of Service (DDoS) attacks in 3Q 2019 versus 3Q 2018. Notably, the report highlights several new and emerging DDoS attack methods, including:
- DDoS reflection/amplification attacks, in which the attacker spoofs the victim’s IP address in small requests to third-party servers so that those servers return large volumes of response traffic to the victim;
- Exploitation of Apple Remote Management technology;
- Exploitation of Web Services Dynamic Discovery (WS-DD), which has been increasingly used by IoT devices, including security devices and cameras.
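As an added example (not from the InfoBytes post or the Neustar report), the following defender-side check runs over constructed UDP flow records and flags inbound traffic that arrives from many distinct hosts with the source port of a reflector service named above (WS-Discovery on UDP 3702, Apple Remote Management on UDP 3283) or a classic reflector; the thresholds and sample data are assumptions.

```python
"""Flag likely DDoS reflection/amplification traffic in UDP flow records.

Added example, not from the InfoBytes post or the Neustar report. Flow
records and thresholds below are constructed/assumed for illustration."""
from collections import defaultdict
from dataclasses import dataclass

# Well-known UDP ports of reflector services; a reflector's reply to the
# victim carries this value as its source port.
REFLECTOR_PORTS = {3702: "WS-Discovery", 3283: "Apple Remote Management",
                   53: "DNS", 123: "NTP", 11211: "memcached"}


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    nbytes: int
    packets: int


def amplification_findings(flows, min_sources=3, min_bytes=10_000):
    """Group inbound UDP flows by (victim, reflector port); many distinct
    reflectors sending unsolicited large replies to one victim is the tell."""
    groups = defaultdict(lambda: {"srcs": set(), "bytes": 0, "pkts": 0})
    for f in flows:
        if f.proto != "UDP" or f.src_port not in REFLECTOR_PORTS:
            continue
        g = groups[(f.dst_ip, f.src_port)]
        g["srcs"].add(f.src_ip)
        g["bytes"] += f.nbytes
        g["pkts"] += f.packets
    findings = []
    for (victim, port), g in sorted(groups.items()):
        if len(g["srcs"]) >= min_sources and g["bytes"] >= min_bytes:
            findings.append({"victim": victim, "port": port,
                             "service": REFLECTOR_PORTS[port],
                             "reflectors": len(g["srcs"]), "bytes": g["bytes"],
                             "avg_packet_bytes": g["bytes"] // g["pkts"]})
    return findings


SAMPLE_FLOWS = [  # constructed: three WS-Discovery hosts replying to a victim
    Flow("203.0.113.1", 3702, "198.51.100.10", 40001, "UDP", 48_000, 40),
    Flow("203.0.113.2", 3702, "198.51.100.10", 40002, "UDP", 51_000, 42),
    Flow("203.0.113.3", 3702, "198.51.100.10", 40003, "UDP", 49_200, 41),
    Flow("203.0.113.4", 3283, "198.51.100.10", 40004, "UDP", 9_000, 9),
    Flow("192.0.2.53", 53, "198.51.100.20", 51515, "UDP", 600, 4),  # normal DNS
    Flow("192.0.2.80", 443, "198.51.100.20", 51516, "TCP", 250_000, 200),  # TCP
]
```

Running `amplification_findings(SAMPLE_FLOWS)` reports one finding (three WS-Discovery reflectors, about 1.2 KB per packet) while the single ordinary DNS reply and the TCP web flow are left alone.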
Although the financial sector is not necessarily the prime target for DDoS attacks by non-state actors, it remains particularly susceptible as critical infrastructure in the context of state-supported or state-sponsored cyberattacks, which generally involve advanced persistent threats (APTs) and more sophisticated attack methods.
Why is this important? The NYDFS Cybersecurity Regulations (Regulations) and the FTC’s proposed Safeguards Rule (Rules), previously covered by InfoBytes, have imposed (or may impose in the future) technical cybersecurity standards for covered entities, such as multi-factor authentication, encryption, and annual penetration testing, among other things, in addition to blanket requirements for “reasonable security measures.” Although the Rules and the Regulations are not the first regulations to impose technical standards (for example, Massachusetts’ standards for the protection of personal information under 201 Mass. Code Regs. 17.01 et seq.), the Rules and Regulations are the first to embed the CIA Triad as a core cybersecurity principle in the definitions of “Cybersecurity Event” and “Security Event,” respectively. The CIA Triad represents the core objectives of cybersecurity: confidentiality, integrity, and availability.
Implications for Financial Institutions. Geopolitical developments can often give rise to an increase in cyberattacks designed to disrupt, degrade, deny, or destroy information systems without stealing a single byte of information. Institutions that have built their information security plan solely around “security” and “confidentiality” principles may want to consider reviewing and updating risk assessments, plans, and procedures, and, if applicable, expand them to include availability threats, especially with respect to incident response operations and plans (as well as disaster recovery operations), as may be required under the proposed Rules.
Under the NYDFS Regulations, cybersecurity events are 72-hour reportable events, so a significant DDoS attack could represent a reportable event and trigger potential follow-up, even if no PII was lost.
On November 26, the Wisconsin governor signed SB 457, which, among other things, includes provisions granting temporary authority for certain mortgage loan originators (MLOs) to originate loans in the state while their license applications are pending. Specifically, SB 457 provides that, in order to be eligible for temporary authority to operate, the individual must have been a registered MLO prior to becoming employed by a mortgage banker or mortgage broker, and must meet the following additional criteria: (i) no previous MLO application denials; (ii) no MLO license suspensions or revocations in any governmental jurisdiction; (iii) has not been “subject to, or served with, a cease and desist order in any governmental jurisdiction or by the director or the [CFPB]”; (iv) has not been convicted of a disqualifying crime; and (v) has been registered with the NMLS as a loan originator for the one-year period immediately preceding the date on which the applicant furnished the required information. An individual who was a licensed MLO in another state and is now employed by a mortgage banker or mortgage broker in Wisconsin is eligible for temporary authority to operate if the individual meets criteria (i) through (iv) above and was licensed in another state during the 30 days prior to submitting the required application information in Wisconsin. Beginning November 28, SB 457 permits qualifying MLO applicants to engage in mortgage transactions while their license applications are pending for up to 120 days, or until the withdrawal, denial, or approval of the licensing application, whichever is sooner.
On December 4, the Financial Stability Oversight Council (FSOC) issued final interpretive guidance to revise and update its 2012 guidance concerning nonbank financial company designations. According to Treasury Secretary Steven T. Mnuchin, the guidance “enhances [FSOC’s] ability to identify, assess, and respond to potential risks to U.S. financial stability . . . by promoting careful analysis and creating a more streamlined process.” Among other things, the guidance (i) implements an activities-based approach for identifying, assessing, and addressing potential risks and threats to financial stability in the U.S., allowing FSOC to work with federal and state financial regulators to implement appropriate actions when a potential risk is identified; (ii) enhances the analytic framework for potential nonbank financial company designations, which includes a cost-benefit analysis and a review of the likelihood of a company’s material financial distress as determined by its vulnerability to a range of factors; and (iii) enhances the efficiency and effectiveness of the nonbank financial company designation process by condensing the process into two stages and increasing “engagement with and transparency to” companies under review, as well as their regulators, through the creation of pre- and post-designation off-ramps.
FSOC also released its 2019 annual report to Congress, which reviews financial market developments, identifies emerging risks, and offers recommendations to enhance financial stability. Key highlights include:
- Cybersecurity. FSOC states that “[g]reater reliance on technology, particularly across a broader array of interconnected platforms, increases the risk that a cybersecurity event will have severe consequences for financial institutions.” Among other things, FSOC recommends continued robust, comprehensive cybersecurity monitoring, and supports the development of public and private partnerships to “increase coordination of cybersecurity examinations across regulatory authorities.”
- Nonbank Mortgage Origination and Servicing. The report adds the increasing share of mortgages held by nonbank mortgage companies to its list of concerns. FSOC notes that, among the 25 largest originators and servicers, nonbanks originate roughly 51 percent of mortgages and service approximately 47 percent—a notable increase from 2009, when nonbanks originated only 10 percent of mortgages and serviced just 6 percent. FSOC states that risks in nonbank origination and servicing arise because, among other things, most nonbanks have limited liquidity compared to banks and rely more heavily on short-term funding. FSOC recommends that federal and state regulators continue to coordinate efforts to collect data, identify risks, and strengthen oversight of nonbanks in this space.
- Financial Innovation. The report discusses the benefits of new financial products and practices, but cautions that these may also create new risks and vulnerabilities. FSOC recommends that these products and services—particularly digital assets and distributed ledger technology—should be continually monitored and analyzed to understand their effects on consumers, regulated entities, and financial markets.
On November 21, six Democratic Senators wrote to OCC Comptroller Joseph Otting and FDIC Chairman Jelena McWilliams to strongly oppose recent proposed rules by the agencies (see the OCC and FDIC notices). As previously covered by a Buckley Special Alert, the OCC and FDIC proposed rules reassert the “valid-when-made doctrine,” under which loan interest that is permissible when the loan is made by a bank remains permissible after the loan is transferred to a nonbank. In the letter, the Senators argue that the proposed rules would enable non-bank lenders to avoid state interest rate limits. According to the letter, the proposed rules would encourage “payday and other non-bank lenders to launder their loans through banks so that they can charge whatever interest rate federally-regulated banks may charge.” Additionally, the letter urges both agencies to consider their past declarations against “rent-a-bank” schemes, and contends that the agencies should not attempt to address Madden v. Midland Funding, LLC, which rejected the valid-when-made doctrine, through rulemaking, but should instead leave such lawmaking to Congress.