Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Banking company pleads guilty to mortgage fraud
On March 15, a Michigan-headquartered bank holding company agreed to plead guilty to securities fraud for filing misleading statements related to its 2017 initial public offering (IPO) and its 2018 and 2019 annual filings. According to the DOJ’s announcement, the bank holding company and its wholly owned subsidiary were under investigation over allegations that loan officers were encouraged to increase the volume of residential mortgage loan originations in order to artificially inflate bank revenue leading up to and following the IPO. The DOJ explained that the bank filed false securities statements about its residential mortgage loan program in its IPO, as well as in subsequent annual filings that “contained materially false and misleading statements that touted the soundness of the  loans.” These loans were actually “rife with fraud,” the DOJ said and cost non-insider victim-shareholders nearly $70 million. Senior management allegedly knew that loan officers were falsifying loan documents and concealing the fraudulent information from the bank’s underwriting and quality control departments, the DOJ maintained, noting that the actions caused the bank to originate loans and extend credit to borrowers who would have otherwise not qualified.
Under the terms of the plea agreement (which must be accepted by the court), the bank holding company will “be required to serve a term of probation through 2026, submit to enhanced reporting obligations to the department, and pay more than $27.2 million in restitution to its non-insider victim-shareholders.” The DOJ considered several factors when determining the criminal resolution, including the nature and seriousness of the offense and the pervasiveness of the misconduct at the most senior levels. The bank holding company received credit for its cooperation and for implementing extensive remedial measures, and has agreed to continue to fully cooperate with the DOJ in all matters relating to the covered conducts and other conduct under investigation. It is also required to self-report criminal violations and must continue to implement a compliance and ethics program to detect and deter future violations of U.S. securities law.
As previously covered by InfoBytes, the bank holding company’s subsidiary paid a $6 million civil money penalty to the OCC last September for alleged unsafe or unsound practices related to the residential mortgage loan program.
U.S., German law enforcement disable darknet crypto mixer
On March 15, U.S. law enforcement, along with German criminal authorities, disabled a darknet cryptocurrency “mixing” service used to allegedly launder more than $3 billion in cryptocurrency underlying ransomware, darknet market activities, fraud, cryptocurrency heists, hacking schemes, and other activities. According to the DOJ’s announcement, law enforcement agencies seized two domains and back-end servers, as well as more than $46 million in cryptocurrency. The DOJ claimed the mixing service allowed criminals to obfuscate the source of stolen cryptocurrency by commingling users’ cryptocurrency in a way that made it difficult to trace the transactions. In conjunction with the action taken against the mixing service, a Vietnamese national responsible for creating and operating the online infrastructure was charged with money laundering, operating an unlicensed money transmitting business, and identity theft connected to the mixing service. Separate actions have also been taken by German law enforcement authorities, the DOJ said. “Criminals have long sought to launder the proceeds of their illegal activity through various means,” Special Agent in Charge Jacqueline Maguire of the FBI Philadelphia Field Office said in the announcement. “Technology has changed the game, though[.] In response, the FBI continues to evolve in the ways we ‘follow the money’ of illegal enterprise, employing all the tools and techniques at our disposal and drawing on our strong partnerships at home and around the globe.”
OFAC sanctions additional persons in Bosnia and Herzegovina
On March 15, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions against three individuals in Bosnia and Herzegovina (BiH), pursuant to Executive Orders 14033 or 14059. The designations build on other sanctions measures taken in the region (covered by InfoBytes here) and “collectively underscore the United States’ willingness to hold accountable those who are undermining democratic institutions and furthering their agendas for political and personal gain, at the expense of peace, stability, and progress in the Western Balkans,” OFAC explained. Specifically, the sanctions target the director general for BiH’s Intelligence Security Agency, a BiH national who headed an agency responsible for obstructing or threatening the implementation of the Dayton Peace Agreement, and a significant Balkans narcotics trafficker.
As a result of the sanctions, all property and interests in property belonging to the sanctioned individuals subject to U.S. jurisdiction are blocked and must be reported to OFAC. Additionally, “any entities that are owned, directly or indirectly, individually or in the aggregate, 50 percent or more by one or more blocked persons are also blocked.” OFAC further noted that “transactions by U.S. persons or within (or transiting) the United States that involve any property or interests in property of designated or blocked persons are prohibited unless authorized by a general or specific license issued by OFAC, or exempt,” which “include the making of any contribution or provision of funds, goods, or services by, to, or for the benefit of any blocked person, or the receipt of any contribution or provision of funds, goods, or services from any such person.” OFAC warned financial institutions and other persons that should they engage in certain transactions or activities with the sanctioned individuals they may expose themselves to sanctions or be subject to an enforcement action.
New York AG continues crackdown on unregistered crypto trading platforms
On March 9, the New York attorney general filed a petition in state court against a virtual currency trading platform (respondent) for allegedly failing to registeras a securities and commodities broker-dealer and falsely representing itself as a cryptocurrency exchange. The respondent’s website and mobile application enable investors to buy and sell cryptocurrency, including certain popular virtual currencies that are allegedly securities and commodities. The AG noted that this is one of the first times a regulator is making a claim in court that one of the largest cryptocurrencies available in the market is a security. According to the announcement, this cryptocurrency “is a speculative asset that relies on the efforts of third-party developers in order to provide profit to the holders.” As such, the respondent was required to register before selling the crypto assets, the AG said, further maintaining that the respondent also sells unregistered securities in the form of a lending and staking product. According to the AG, securities and commodities brokers are required to register with the state, which the respondent allegedly failed to do. Additionally, the respondent claimed to be an exchange but failed to appropriately register with the SEC as a national securities exchange or be designated by the CFTC as required under New York law. Nor did the respondent comply with a subpoena requesting additional information about its crypto-asset trading activities in the state, the AG said, noting that the respondent has already been found to be operating in multiple jurisdictions without proper licensure. The state seeks a court order (i) preventing the respondent from misrepresenting that it is an exchange; (ii) banning the respondent from operating in the state; and (iii) directing the respondent to undertake measures to prevent access to its mobile application, website, and services from within New York.
Last month the AG filed a similar petition against another virtual currency trading platform alleging similar violations (covered by InfoBytes here).
District Court: Failure to investigate duplicate reporting dispute could violate the FCRA
On March 10, the U.S. District Court for the Southern District of Illinois ruled a defendant credit union failed to properly report an individual’s debt to a consumer reporting agency or investigate his dispute. Plaintiff obtained a credit card from the defendant but fell behind on his payments. After his account was later sent to a third-party collection agency, the plaintiff obtained a copy of his credit report where he noticed that his credit card debt was listed twice—once as a “individual” and “revolving” account with a balance of $10,145, and another time as an “open” collections account with a different balance. Plaintiff sent identical dispute letters to the three major credit reporting agencies (CRAs), acknowledging the delinquent credit card but expressing confusion as to why the account was listed twice. He submitted additional similar disputes with the CRAs, claiming that the error caused him to be denied the opportunity to rent an apartment and made it difficult for him to obtain a mortgage. During discovery, two corporate witnesses testified on behalf of the defendant—one of whom is responsible for reviewing consumer credit disputes and verified the information being reported was accurate. A second witness also testified that while the defendant understood that the plaintiff was alleging inaccuracies due to the debt being reported twice, it chose to focus its investigation on verifying that the information in the plaintiff’s credit report matched the information in its internal system.
In denying the defendant’s motion for summary judgment, the court noted that while the U.S. Court of Appeals for the Seventh Circuit “has not decided whether double-reporting of a single debt on a credit report is an FCRA violation, district courts across the country have found that whether the practice is misleading and violates the FCRA is an issue of fact.” The court explained that an issue of fact exists as to whether double reporting the debt created a misleading impression that the plaintiff has two separate debts totaling $22,000 rather than a single debt of roughly $10,000. Moreover, even though the plaintiff’s dispute contained the message “duplicate,” the defendant did not address this issue nor did it request that a change be made to the plaintiff’s credit report. “A jury could reasonably conclude  that [defendant’s] investigation was inadequate under the FCRA,” the court wrote. “[W]hether [defendant’s] investigation or protocol may qualify as a willful violation giving rise to statutory or punitive damages is an issue for a jury as well.”
DOJ, CFPB: Lenders that rely on discriminatory appraisals violate the FHA and ECOA
On March 13, the DOJ and CFPB filed a statement of interest saying that a “lender violates both the [Fair Housing Act (FHA)] and ECOA if it relies on an appraisal that it knows or should know to be discriminatory.” (See also CFPB blog post here.) Pointing out that the case raises important legal questions regarding the issue of appraisal bias, the agencies explained that the DOJ has enforcement authority under both the FHA and ECOA, and the Bureau has authority to interpret and issue rules under ECOA and enforce the statute’s requirements.
The case, which is currently pending in the U.S. District Court for the District of Maryland, concerns whether an appraiser, a real estate appraisal company, and an online mortgage lender (collectively, “defendants”) violated federal and state law by undervaluing plaintiffs’ home on the basis of race and denying a mortgage refinancing application based on the appraisal. Plaintiffs, who are Black, claimed their home was appraised for a lower amount on the basis of race, and maintained that the lender denied their loan even after being told the appraisal was discriminatory. Additionally, plaintiffs claimed that after they replaced family photos with pictures of white people and had a white colleague meet a new appraiser, that appraiser appraised the house for $750,000—a nearly 60 percent increase despite there not being any significant improvements made to the house or meaningful appreciation in the value of comparable homes in the market.
The defendant appraiser filed a counterclaim against the plaintiffs providing technical arguments for why he valued the home at $472,000, including that the property next door was listed for $500,000, but was later reduced to $475,000, only 10 days after he completed the appraisal. He further claimed that the second appraisal failed to include that property as a comparison and relied on home sales that had not happened as of the time of the first appraisal. The lender argued that it should not be held liable because it was relying on a third-party appraiser and that “it can be liable only if it took discriminatory actions that were entirely separate from [the appraiser’s].”
While the statement does not address the issue of vicarious liability, the DOJ and CFPB asserted that lenders can be held liable under the FHA and ECOA for relying on discriminatory appraisals. They explained that it is “well-established that a lender is liable if it relies on an appraisal that it knows or should know to be discriminatory.” The statement also provided that for disparate treatment claims under the FHA and ECOA, “plaintiffs need only plead facts that plausibly allege discriminatory intent.” The agencies also argued that a violation of Section 3617 of the FHA (which includes “a prohibition against retaliating in response to the exercise of fair housing rights”) “does not require a ‘predicate violation’ of the FHA.
Fed to launch FedNow in July
On March 15, the Federal Reserve Board announced a July launch date for its FedNow Service. (Covered by a Special Alert here.) Beginning the first week of April, the Fed will start formally certifying participants, with early adopters completing a customer testing and certification program in preparation for sending live transactions through the system. The certification process “encompasses a comprehensive testing curriculum with defined expectations for operational readiness and network experience,” the Fed explained. “We couldn’t be more excited about the forthcoming FedNow launch, which will enable every participating financial institution, the smallest to the largest and from all corners of the country, to offer a modern instant payment solution,” said Ken Montgomery, First Vice President of the Federal Reserve Bank of Boston and FedNow program executive. “With the launch drawing near, we urge financial institutions and their industry partners to move full steam ahead with preparations to join the FedNow Service,” Montgomery added.
In addition to certifying early adopters for the July launch, the Fed said it will continue to engage with financial institutions and service providers to complete the testing and certification program throughout 2023 and beyond. FedNow “will launch with a robust set of core clearing and settlement functionality and value-added features,” the agency said, explaining that “[m]ore features and enhancements will be added in future releases to continue supporting safety, resiliency and innovation in the industry as the FedNow network expands in the coming years.”
Fed governor says transparency is key for promoting innovation in the banking system
On March 14, Federal Reserve Governor Michelle W. Bowman presented thoughts on innovation trends within the U.S. financial system during a conference held by the Independent Community Bankers of America. Bowman commented that innovation has always been a priority for banks of all sizes and business models, and that regulators—often accused of “being hostile to innovation” within the regulated financial system—are continually trying to learn and adapt to new technologies, which often introduce new risks and vulnerabilities. In order to address these challenges, which are often amplified for community banks, Bowman said banks must be prepared to make improvements to risk management, cybersecurity, and consumer compliance measures, and regulators—playing a complementary role—must ensure rules are clear and transparent. She further stressed that “[i]t is absolutely critical that innovation not distract banks and regulators from the traditional risks that are omnipresent in the business of banking, particularly credit, liquidity, concentration, and interest rate risk.” Noting that these types of risks are present in all bank business models, Bowman said they “can be especially acute for banks engaging in novel activities or exposed to new markets, including crypto-assets.”
Explaining that transparency is important for promoting a safe, sound, and fair banking system, particularly when it comes to innovation, Bowman stated that insufficient clarity or transparency or disproportionately burdensome regulations may “cause new products and services to migrate to the shadow banking system.” Bowman went on to discuss ways bank regulation and supervision can support responsible innovation, and highlighted unique challenges facing smaller banks, as well as key actions taken by regulators to date relating to crypto assets, third-party risk management, cybersecurity, Community Reinvestment Act reform, bank mergers, and overdraft fees, among others.
SEC proposes new cybersecurity requirements
On March 15, a divided SEC issued several proposed amendments to the agency’s cybersecurity-related rules.
The first is a proposed rule that would implement cybersecurity requirements for participants in the securities market, including broker-dealers, clearing agencies, and major security-based swap participants, among others. (See also SEC press release and fact sheet.) Among other things, the proposed rule would require all market entities to establish, maintain, and enforce written policies and procedures that are reasonably designed to address cybersecurity risks. Market participants would also be required to review the design and effectiveness of their cybersecurity policies and procedures at least once a year, and immediately provide the SEC written electronic notice of a significant cybersecurity incident should the participant have a reasonable basis to conclude that the incident had occurred or is occurring. Certain market entities would also be required to make public disclosures addressing cybersecurity risks and significant cybersecurity incidents to improve transparency. The SEC explained that the “interconnectedness of [m]arket [e]ntities increases the risk that a significant cybersecurity incident can simultaneously impact multiple [m]arket [e]tities causing systemic harm to the U.S. securities markets.”
The second proposed rule would amend Regulation S-P to enhance the protection of customer information and provide a federal minimum standard for data breach notifications. Regulation S-P requires broker-dealers, investment companies, and registered investment advisers to implement written policies and procedures for safeguarding customer records and information. The regulation also imposes requirements for proper disposal of consumer report information, implements privacy notice and opt-out provisions, and requires covered institutions to tell customers how their financial information is used. (See also SEC press release and fact sheet.) Under the proposed rule, covered institutions would be required to adopt an incident response program to address unauthorized access or use of customer information. Covered institutions would also be required to notify customers affected by certain types of data breaches that may expose them to identity theft or other harm by providing “notice as soon as soon as practicable, but not later than 30 days after the covered institution becomes aware that an incident involving unauthorized access to or use of customer information has occurred or is reasonably likely to have occurred.” The proposed rule would also “extend the protections of the safeguards and disposal rules to both nonpublic personal information that a covered institution collects about its own customers and to nonpublic personal information that a covered institution receives about customers of other financial institutions.” Modifications to provisions related to registered transfer agents are also proposed.
Comments on both proposed rules are due 60 days after publication in the Federal Register.
Additionally, the SEC announced it has reopened the comment period on proposed cybersecurity risk management rules and amendments for registered investment advisers and funds. Under the proposed rules, advisers and funds would be required to adopt and implement written policies and procedures reasonably designed to address cybersecurity risks that could harm advisory clients and fund investors. The proposed rules also laid out additional requirements relating to the disclosure of cybersecurity risks and significant cybersecurity incidents as well as filing and recordkeeping. (Covered by InfoBytes here.) The SEC reopened the comment period for an additional 60 days.
In voting against the proposed rules, Commission Hester M. Pierce questioned, among other things, whether the amendments would create overlapping requirements for financial firms subject to state data breach laws that have customer notification provisions, some of which conflict with the SEC’s proposals. Commissioner Mark T. Uyeda also raised concerns as to how the three proposals interact with each other. He cautioned that the “lack of an integrated regulatory structure may even weaken cybersecurity protection by diverting attention to satisfy multiple overlapping regulatory regimes rather than focusing on the real threat of cyber intrusions and other malfeasance.”
FHFA delays effective date of DTI ratio-based fee
On March 15, FHFA delayed the implementation of a new debt-to-income ratio-based fee to August 1, in order to ensure lenders have sufficient time to prepare. In January, FHFA made several changes relating to upfront fees for certain borrowers with debt-to-income (DTI) ratios above 40 percent. The updated and recalibrated pricing grids also include the upfront fee eliminations announced last October to increase pricing support for purchase borrowers limited by income or by wealth, FHFA said. The agency made the decision to delay the effective date by three months based on feedback from mortgage industry stakeholders who raised concerns about the operational challenges of implementing the DTI ratio-based fee. FHFA also confirmed that “lenders will not be subject to post-purchase price adjustments related to this DTI ratio-based fee for loans acquired by [Fannie Mae and Freddie Mac] between August 1, 2023, and December 31, 2023.” The agency explained that this temporary exception “will not alter any other quality control review decisions by [Fannie Mae and Freddie Mac].”
- Keisha Whitehall Wolfe to discuss “Tips for successfully engaging your state regulator” at the MBA's State and Local Workshop
- Max Bonici to discuss “Enforcement risk and trends for crypto and digital assets (Part 2)” at ABA’s 2023 Business Law Section Hybrid Spring Meeting
- Jedd R. Bellman to present “An insider’s look at handling regulatory investigations” at the Maryland State Bar Association Legal Summit