On March 29, the SEC announced a more than $500,000 whistleblower award in connection with an enforcement action. According to the redacted order, the whistleblower raised concerns about alleged securities violations internally, which prompted an investigation by the company. The company then reported the information to an outside agency, which in turn made a referral to Commission staff, thus prompting the opening of the SEC’s investigation. The SEC noted that the whistleblower also provided helpful documents and met with Commission staff, allowing the SEC and another agency to quickly file actions and shut down the ongoing fraudulent scheme. Additionally, the SEC explained that because the whistleblower also submitted a tip to the SEC within 120 days of reporting the violations internally to the company, the whistleblower satisfied the SEC’s whistleblower rule’s “safe harbor” provision, thereby allowing the SEC to treat the whistleblower’s information “as though it had been made on the date that the [whistleblower] provided that same information to his/her employer.”
The SEC has now paid approximately $760 million to 145 individuals since the inception of the whistleblower program in 2012. The Commission noted that, with this award, it has now “awarded 40 individuals this fiscal year, surpassing last year’s record of 39 individual awards,” and has “awarded whistleblowers nearly $200 million in the first half of FY21 alone.”
On March 29, the FDIC, Fed, OCC, CFPB, and NCUA issued a request for information (RFI) seeking input on financial institutions’ use of artificial intelligence (AI), which may include AI-based tools and models used for (i) fraud prevention to identify unusual transactions for Bank Secrecy Act/anti-money laundering investigations; (ii) personalization of customer services; (iii) credit underwriting; (iv) risk management; (v) textual analysis; and (vi) cybersecurity. The RFI also solicits information on challenges financial institutions face in developing, adopting, and managing AI, as well as on appropriate governance, risk management, and controls over AI when providing services to customers. Additionally, the agencies seek input on whether it would be helpful to provide additional clarification on using AI in a safe and sound manner and in compliance with applicable laws and regulations. According to FDIC FIL-20-2021, while the agencies support responsible innovation by financial institutions and believe that new technologies, including AI, have “the potential to augment decision-making and enhance services available to consumers and businesses, . . . identifying and managing risks are key.” Comments on the RFI are due 60 days after publication in the Federal Register.
On March 26, the U.S. District Court for the District of Delaware dismissed a 2017 lawsuit filed by the CFPB against a collection of Delaware statutory trusts and their debt collector, ruling that the Bureau lacked enforcement authority to bring the action when its structure was unconstitutional. As previously covered by InfoBytes, the Bureau alleged the defendants filed lawsuits against consumers for private student loan debt that they could not prove was owed or that was outside the applicable statute of limitations, which allowed them to obtain over $21.7 million in judgments against consumers and collect an estimated $3.5 million in payments in cases where they lacked the intent or ability to prove the claims, if contested. In 2020, the court denied a motion to approve the Bureau’s proposed consent judgment, allowing the case to proceed. The defendants filed a motion to dismiss, arguing that the Bureau lacked subject-matter jurisdiction because the defendants should not have been under the regulatory purview of the agency, and that former Director Kathy Kraninger’s ratification of the enforcement action, which followed the Supreme Court holding in Seila Law LLC v. CFPB that the director’s for-cause removal provision was unconstitutional but was severable from the statute establishing the Bureau (covered by a Buckley Special Alert), came after the three-year statute of limitations had expired. While the Bureau acknowledged that the ratification came more than three years after the discovery of the alleged violations, it argued that the statute of limitations should be ignored because the initial complaint had been timely filed and that the limitations period had been equitably tolled.
The court rejected the subject-matter jurisdiction argument because it held that the term “covered persons” as used in the Consumer Financial Protection Act, 12 U.S.C. § 5481(6), is not a jurisdictional requirement. However, the court then determined that the Bureau’s claims were barred by the statute of limitations. The Bureau filed the complaint while operating under a structure later found unconstitutional in Seila Law, and Director Kraninger’s subsequent ratification of the action came after the limitations period had expired. The court concluded that this made the complaint untimely. It also rejected the Bureau’s equitable tolling argument based on the Bureau’s failure to take actions to preserve its rights during the period when its constitutionality was in question. The court also noted that the Bureau “failed to pursue this very argument seriously in its brief,” which presented the equitable tolling argument in a “brief and conclusory” fashion.
On March 30, NYDFS issued an updated cybersecurity fraud alert that warns of other techniques used in a widespread cybercrime campaign targeting public-facing websites. As previously covered in InfoBytes, the update stems from NYDFS’ February 16 cybersecurity fraud alert sent to regulated entities, which described a “widespread cybercrime campaign” designed to steal nonpublic private consumer information (NPI) from public-facing websites and use the stolen NPI to fraudulently apply for pandemic and unemployment benefits. In addition to the techniques previously identified, NYDFS alerts regulated entities to the following additional hacking methods: (i) using web-debugging tools to steal unredacted, plaintext NPI while in transit from the data vendor to the company; and (ii) credential stuffing to gain access to insurance agent accounts and using those agent accounts to steal consumer NPI. To prevent sensitive data from being stolen from public-facing websites, NYDFS advises financial organizations to avoid displaying prefilled NPI, even in redacted form, and to ensure that all portals are protected by the “robust access controls required by [NYDFS]’s cybersecurity regulation.” The alert also outlines remediation steps that financial institutions should take to ensure basic security.
On March 30, the U.S. Treasury Department issued frequently asked questions to provide timely guidance concerning all aspects of the Emergency Capital Investment Program (ECIP). The FAQs cover issues regarding:
- The types of institutions eligible to participate in the ECIP;
- Submission of an ECIP application and emergency investment lending plan;
- How Treasury will decide allocation of the available capital among applicants that meet the thresholds for eligibility, including how well an applicant has responded to the needs of communities impacted by the Covid-19 pandemic;
- Whether an institution can choose to issue preferred stock or subordinated debt in the ECIP; and
- Compliance and reporting requirements.
The ECIP was established by the Consolidated Appropriations Act of 2021 (covered by InfoBytes here), and will provide up to $9 billion in capital directly to Community Development Financial Institutions and minority depository institutions to provide, among other things, “loans, grants, and forbearance for small and minority businesses and consumers in low income communities” that may be disproportionately impacted by the Covid-19 pandemic. As previously covered in InfoBytes, on March 22, the OCC, Federal Reserve Board, and the FDIC published an interim final rule (IFR) to facilitate the implementation of the ECIP.
On March 25, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions pursuant to Executive Order (E.O.) 14014 against two military holding companies in Burma. According to OFAC, these sanctions specifically target “the Burmese military’s control of significant segments of the Burmese economy.” As a result of the sanctions, all property and interests in property subject to U.S. jurisdiction that belong to the sanctioned entities, which enjoy a privileged position in the Burmese economy, are blocked and must be reported to OFAC. Additionally, “any entities that are owned, directly or indirectly, 50 percent or more by one or more blocked persons are also blocked.” U.S. persons are generally prohibited from engaging in any dealings involving the property or interests in property of blocked or designated persons.
Concurrent with the sanctions, OFAC issued four general licenses (GL) and related FAQs: (i) GL 1, “Official Business of the United States Government”; (ii) GL 2, “Official Activities of Certain International Organizations and Other International Entities”; (iii) GL 3, “Certain Transactions in Support of Nongovernmental Organizations’ Activities”; and (iv) GL 4, “Authorizing the Wind Down of Transactions Involving Myanmar Economic Corporation and Myanma Economic Holdings Limited.” GLs 1, 2, and 3 authorize certain transactions prohibited by E.O. 14014 that are associated with, respectively, the official business of the U.S. government, the official business of certain international organizations and other international entities, and certain nongovernmental organizations’ activities. GL 4 authorizes, through June 22, transactions and activities ordinarily incident to the wind down of transactions involving the two sanctioned companies as well as any entity owned 50 percent or more by the sanctioned companies. Additionally, FAQ 882 clarifies which organizations within the United Nations’ programs are covered by GL 2, whereas FAQ 883 stipulates that “wind down transactions may be processed through the U.S. financial system or involve U.S. persons, as long as the transactions comply with the terms and conditions in GL 4.”
On March 24, the New York attorney general issued official guidance for New York state banking institutions, creditors, and debt collectors to clarify that federal stimulus payments are exempt from garnishment under New York law. The guidance, which is based on multiple state and federal consumer protection laws, explains that any attempt to garnish stimulus funds from consumers in the state would constitute “illegal acts” because such garnishment would violate prohibitions under the New York City Consumer Protection Law, New York General Business Law 601(8), the FDCPA, and Dodd-Frank prohibitions of unfair, deceptive, and abusive acts or practices. Banking institutions are also advised to treat these stimulus payments “as subject to the same protections as statutorily exempt payments.”
On March 25, the Federal Reserve Board announced that measures previously instituted to ensure that large banks maintain a high level of capital resilience in light of uncertainty introduced by the Covid-19 pandemic would expire for most banks after June 30. As previously covered by InfoBytes, the Fed’s measures prohibited large banks from making share repurchases and capped dividend payments. The Fed most recently advised that “[i]f a bank remains above all of its minimum risk-based capital requirements in this year’s stress test, the additional restrictions will end after June 30 and it will be subject to the [stress capital buffer]’s normal restrictions.” Banks whose capital levels fall below required levels in the stress tests will remain subject to the restrictions through September 30. Further, banks still below the capital required by the stress test at that time will face even stricter distribution limitations.
In March, the Financial Action Task Force (FATF) updated pre-existing guidance on its risk-based approach to virtual assets (VAs) and virtual asset service providers (VASPs). The draft updated guidance revises guidance originally released in June 2019, wherein FATF members agreed to regulate and supervise virtual asset financial activities and related service providers (covered by InfoBytes here) and place anti-money laundering and countering the financing of terrorism (AML/CFT) obligations on VAs and VASPs. According to FATF, the revisions “aim to maintain a level playing field for VASPs, based on the financial services they provide in line with existing standards applicable to financial institutions and other AML/CFT-obliged entities, as well as minimizing the opportunity for regulatory arbitrage between sectors and countries.” The revisions provide updated guidance in six main areas intended to:
- Clarify VA and VASP definitions to make it clear that these definitions are expansive and that “there should not be a case where a relevant financial asset is not covered by the FATF Standards (either as a VA or as a traditional financial asset)”;
- Provide guidance on how FATF Standards apply to so-called stablecoins;
- Provide further guidance on risks and potential risk mitigants for peer-to-peer transactions;
- Provide updated guidance on VASP licensing and registration requirements;
- Provide additional guidance for public and private sectors on the implementation of the “travel rule”; and
- Include principles of information sharing and cooperation among VASP supervisors.
FATF intends to consult private sector stakeholders before finalizing the revisions, and is separately considering implementing revised FATF Standards on VAs and VASPs—as well as whether further updates are necessary—through a second 12-month review.