
InfoBytes Blog

Financial Services Law Insights and Observations


  • District court approves MDL data breach settlement

    Courts

    On July 21, the U.S. District Court for the Northern District of California issued an order approving a $117.5 million class action settlement, including $23 million in attorneys’ fees, with a global internet company to resolve multidistrict litigation concerning the exposure of class members’ sensitive information stemming from multiple data breaches. The settlement approval follows a fairness hearing, as the court originally denied preliminary approval due to several identified deficiencies (covered by InfoBytes here), including that the settlement inadequately disclosed the sizes of the settlement fund and class, as well as the scope of non-monetary relief, and “appear[ed] likely to result in an improper reverter of attorneys’ fees.” Last July, the court preliminarily signed off on a revised settlement, conditionally certifying a class of U.S. and Israeli residents and small businesses with accounts between 2012 and 2016 that were affected by the breaches. These class members have been certified in the final approved settlement, which requires the company to provide class members with either two years of credit monitoring services or alternative compensation for members who already have credit monitoring. Among other things, the company will allocate at least $66 million each year to its information security budget until 2022, will increase the number of full-time security employees from current levels, and will “align its information security program with the National Institute of Standards and Technology Cybersecurity Framework” and “undertake annual third-party assessments to ensure compliance” with the framework.

    Courts MDL Settlement Attorney Fees Class Action Data Breach Privacy/Cyber Risk & Data Security

  • 4th Circuit affirms arbitration clause waiving statutory rights is unenforceable

    Courts

    On July 21, the U.S. Court of Appeals for the Fourth Circuit affirmed a district court’s denial of defendants’ motion to compel arbitration, holding that the arbitration agreements operated as prospective waivers of federal law and were thus unenforceable. According to the opinion, a group of Virginia borrowers filed suit against two online lenders owned by a sovereign Native American tribe and their investors (collectively, “defendants”). In the action, the plaintiffs contended that they obtained payday loans from the defendants, which included annual interest rates between 219 percent and 373 percent—an alleged violation of Virginia’s usury laws and the Racketeer Influenced and Corrupt Organizations Act (RICO). The defendants moved to compel arbitration, which the district court denied, concluding that choice-of-law provisions—such as “‘[t]his agreement to arbitrate shall be governed by Tribal Law’; ‘[t]he arbitrator shall apply Tribal Law’; and the arbitration award ‘must be consistent with this Agreement and Tribal Law’”—prospectively excluded federal law, making them unenforceable.

    On appeal, the 4th Circuit agreed with the district court despite a “strong federal policy in favor of enforcing arbitration agreements.” Most significantly, the appellate court rejected the defendants’ assertion that the choice-of-law provisions did not operate as a prospective waiver. The court noted that while the choice-of-law provisions “do not explicitly disclaim the application of federal law, the practical effect is the same,” as they limit an arbitrator’s award to “remedies available under Tribal Law,” effectively preempting “the application of any contrary law—including contrary federal law.” Moreover, the appellate court concluded that under the arbitration agreement, borrowers would be unable to effectively pursue RICO claims against the defendants, and more specifically, would be unable to “effectively vindicate a federal statutory claim for treble damages” under RICO. Thus, because federal statutory protections and remedies are unavailable to borrowers under the agreement, the appellate court concluded the entire agreement is unenforceable.  

    Courts Payday Lending Tribal Lending Arbitration Interest Rate Fourth Circuit Appellate Online Lending State Issues Virginia RICO

  • NYDFS enforces its cybersecurity regulation for the first time

    State Issues

    On July 22, NYDFS filed a statement of charges against a title insurer for allegedly failing to safeguard mortgage documents, including bank account numbers, mortgage and tax records, and other sensitive personal information. This is the first enforcement action alleging violations of NYDFS’ cybersecurity regulation (23 NYCRR Part 500), which took effect in March 2017 and established cybersecurity requirements for banks, insurance companies, and other financial services institutions. (See InfoBytes coverage on NYDFS’ cybersecurity regulation here.) Charges filed against the company allege that a “known vulnerability” in the company’s online-based data storage platform was not fixed, which allowed unauthorized users to access restricted documents from roughly 2014 through 2019 by changing the ImageDocumentID number in the URL. Although an internal penetration test (i.e., an authorized simulated cyberattack) discovered the vulnerability in December 2018, NYDFS claims that the company did not take corrective action until six months later, when a well-known journalist publicized the problems.

    The company allegedly violated six provisions of 23 NYCRR Part 500, including failing to (i) conduct risk assessments for sensitive data stored or transmitted within its information systems; (ii) maintain appropriate, risk-based policies governing access controls to sensitive data; (iii) limit user-access privileges to information systems providing access to sensitive data, or periodically review these access privileges; (iv) implement a risk assessment system to sufficiently identify the availability and effectiveness of controls for protecting sensitive data and the company’s information system; (v) provide adequate data security training for employees and affiliated title agents responsible for handling sensitive data; and (vi) encrypt sensitive documents or implement suitable controls to protect sensitive data. Additionally, NYDFS maintains that, among other things, the company misclassified the vulnerability as “low” severity despite the magnitude of the document exposure, failed to investigate the vulnerability within the timeframe dictated by the company’s internal cybersecurity policies, and did not conduct a reasonable investigation into the exposure or follow recommendations made by its internal cybersecurity team.

    A hearing is scheduled for October 26 to determine whether violations occurred for the company’s alleged failure to safeguard consumer information.

    State Issues Privacy/Cyber Risk & Data Security Title Insurance Mortgages 23 NYCRR Part 500 NYDFS Enforcement

  • Federal Reserve Board expands counterparties eligible to transact in facilities

    Federal Issues

    On July 23, the Federal Reserve Board announced the expansion of counterparties eligible to transact with and provide services in the Term Asset-Backed Securities Loan Facility, Secondary Market Corporate Credit Facility, and Commercial Paper Funding Facility (previously discussed here, here, here, here). These facilities were created pursuant to section 13(3) of the Federal Reserve Act with the objective of increasing the movement of credit to households, businesses, and the economy.

    Federal Issues Covid-19 Federal Reserve Securities Consumer Credit

  • Small Business Administration issues notice regarding forgiveness of Paycheck Protection Program loans

    Federal Issues

    On July 23, the Small Business Administration issued a procedural notice providing information for Paycheck Protection Program lenders on submitting decisions on PPP borrower loan forgiveness applications to the SBA, requesting payment of the forgiveness amount, SBA loan forgiveness reviews, and payment of loan forgiveness amounts. For example, the notice provides instructions regarding documentation and data that the lender must submit when it issues a decision on loan forgiveness. The notice also indicates that the SBA intends to issue an interim final rule addressing how a borrower may appeal the SBA’s determination that it is ineligible for a PPP loan or ineligible for the loan amount or the loan forgiveness amount claimed by the borrower. 

    Federal Issues Covid-19 SBA Lending

  • Texas Department of Banking issues guidance on Main Street Lending Program and state lending limits

    State Issues

    The Texas Department of Banking issued guidance explaining the application of lending limits imposed on state chartered banks to loans issued under the Federal Reserve Bank of Boston’s Main Street Lending Program (“MSLP”). The guidance explains that if the bank funds a MSLP loan prior to seeking to sell a participation in the loan to the Department of the Treasury, the entire amount of the loan will count towards eligible lending limits. After the participation is sold, the portion of the loan sold need not be treated as a loan for purposes of lending limits. If the bank enters into a MSLP loan agreement, the funding of which is contingent on a binding commitment from the Treasury to purchase a participation in the loan, the bank need only include the portion of the loan to be retained when calculating lending limits.

    State Issues Covid-19 Texas Lending

  • OFAC sanctions persons connected to Nicaragua President Ortega; amends Nicaragua sanctions regulations and Ukraine-related general licenses

    Financial Crimes

    On July 17, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions pursuant to Executive Order 13851 against one of Nicaraguan President Ortega’s sons, as well as a second individual and two companies used to allegedly “distribute regime propaganda and launder money.” According to OFAC, the second sanctioned individual created shell companies to launder money from businesses that he operated on behalf of another one of the president’s sons previously designated by OFAC. OFAC also cited the individual’s alleged involvement on behalf of a chain of sanctioned gas stations controlled by the Ortega family, designating the individual “for being responsible for or complicit in, or for having directly or indirectly engaged or attempted to engage in, a transaction or series of transactions involving deceptive practices or corruption by, on behalf of, or otherwise related to the [Government of Nicaragua (GoN)] or a current or former official of the GoN.” As a result, all property and interests in property of the sanctioned individuals and entities, and of any entities owned 50 percent or more by such persons subject to U.S. jurisdiction, are blocked and must be reported to OFAC. U.S. persons are also generally prohibited from entering into transactions with the sanctioned persons.

    Separately, on July 16, OFAC announced amendments (effective July 17) to the Nicaragua Sanctions Regulations, which incorporate the Nicaragua Human Rights and Anticorruption Act of 2018, and, among other things, update the authority citation as well as the prohibited transactions and delegation sections. A general license previously posted on OFAC’s website authorizing certain U.S. government activities related to Nicaragua also has been incorporated. The final rule is effective July 17.

    The announcement also extends the expiration date of two Ukraine-related general licenses (GLs). Both GL 13O, which supersedes GL 13N, and GL 15I, which supersedes GL 15H, now expire January 22, 2021, and authorize certain transactions necessary to divest or transfer debt, equity, or other holdings, or wind down operations or existing contracts with a Russian manufacturer previously sanctioned by OFAC in April 2018 (covered by InfoBytes here).

    Financial Crimes OFAC Department of Treasury Sanctions DOJ Nicaragua Ukraine Of Interest to Non-US Persons

  • UAE manufacturer settles OFAC, DOJ charges for apparent North Korean sanctions violations

    Financial Crimes

    On July 16, a United Arab Emirates cigarette filter and tear tape manufacturer settled OFAC and DOJ charges for apparent violations of the North Korea Sanctions Regulations (NKSR) 31 C.F.R. part 510 and the International Emergency Economic Powers Act (IEEPA). According to OFAC’s release, the company allegedly violated the NKSR by (i) engaging in deceptive practices in order to export cigarette filters to North Korea through a network of front companies in China and other countries; and (ii) receiving three wire transfers totaling more than $330,000 in accounts at a U.S. bank’s foreign branch as payment for exporting the filters. OFAC noted that the conduct leading to the apparent violations included aggravating factors such as (i) the company’s senior manager and customer-facing employee willfully violated the NKSR by agreeing to, among other things, transact with non-North Korean front companies to conceal the North Korea connection despite a company policy that “warned that its banks would not handle transactions with sanctioned jurisdictions” including North Korea; and (ii) the senior manager and customer-facing employee were aware that the filters would be sent to North Korea. OFAC also considered various mitigating factors, including that the company substantially cooperated with OFAC’s investigation and agreed to provide ongoing cooperation. Under the terms of the settlement agreement, the company is required to pay a $665,112 civil monetary penalty to OFAC, which will be deemed satisfied by payment of the fine assessed by the DOJ arising out of the same conduct.

    In the parallel criminal enforcement action, the company entered into a deferred prosecution agreement with the DOJ, accepting responsibility for its criminal conduct and agreeing to pay a $666,543.88 fine. According to the DOJ, this is the Department’s first corporate enforcement action for violations of the IEEPA. In addition, the company agreed to, among other things, fully cooperate with any investigation, implement a compliance program designed to prevent and detect any future violations of U.S. economic sanctions regulations, provide quarterly reports to the DOJ regarding the status of compliance improvements, provide OFAC-related training, and annually certify to OFAC that it has implemented and has continued to uphold its compliance-related commitments.

    Financial Crimes OFAC DOJ Department of Treasury Sanctions North Korea Of Interest to Non-US Persons China

  • CFPB approves new automatic savings program under CAS Policy

    Fintech

    On July 17, the CFPB announced a new Compliance Assistance Statement of Terms Template (CAST Template) under its Compliance Assistance Sandbox (CAS) Policy issued to a company’s program designed to help employees build emergency savings. Specifically, under the approved template, known as “Autosave,” interested employers could help employees build emergency savings by directing a portion of the employee’s pay to an employee-designated account at a financial institution; or if an employee does not designate an account, directing the funds to an “Autosave” account at an employer-designated institution. The Bureau notes that a CAST Template is necessary for this program due to the legal uncertainty around the application of the “compulsory use” prohibition in the Electronic Fund Transfer Act (EFTA), and Regulation E. However, the applicants assert the Autosave program embodies a “reasonable default enrollment method,” which, according to the Bureau, can be consistent with the consumer choice requirements of the EFTA and Regulation E.

    Fintech CFPB Regulatory Sandbox No Action Letter EFTA Regulation E

  • Foreclosure relief operation ordered to pay $40,000 penalty in CFPB action

    Courts

    On July 23, the CFPB announced that the U.S. District Court for the Central District of California entered a stipulated final judgment and order against a foreclosure relief services company, along with the company’s president/CEO (defendants), resolving CFPB allegations that the defendants engaged in deceptive and abusive acts and practices in connection with the marketing and sale of purported financial-advisory and mortgage-assistance-relief services to consumers. As previously covered by InfoBytes, in September 2019, the CFPB filed a complaint alleging that since 2014, the defendants violated the Consumer Financial Protection Act (CFPA) and Regulation O by, among other things, making deceptive and unsubstantiated representations about the efficacy and material aspects of its mortgage assistance relief services, as well as making misleading or false claims about the experience and qualifications of its employees. The Bureau also alleged the defendants’ misrepresentations constituted abusive acts and practices because consumers “generally did not understand and were not in a position to evaluate the accuracy of [the defendants’] marketing representations or the quality of the mortgage-assistance-relief services that [the defendants] sold.” Moreover, the Bureau claimed the defendants further violated Regulation O by charging consumers advance fees before rendering services.

    The stipulated final judgment suspends $3 million in consumer redress based upon the defendants’ sworn financial statements and disclosures of material assets that detailed their inability to pay, but orders the defendants to pay $40,000 in civil money penalties. Additionally, the judgment permanently restrains the defendants from offering mortgage relief and financial advisory services and subjects the defendants to certain reporting and recordkeeping requirements.

    Courts CFPB Enforcement CFPA UDAAP Regulation O Foreclosure Civil Money Penalties
