InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
FATF calls for countermeasures on Iran; discusses global AML/CFT deficiencies
On February 21, the U.S. Treasury Department released a public statement issued by the Financial Action Task Force (FATF) following the conclusion of its plenary meeting held February 19-21, calling on its members and urging all jurisdictions to impose countermeasures on Iran for failing to address deficiencies in its anti-money laundering/combating the financing of terrorism (AML/CFT) regime. FATF provided specific examples of countermeasures within The Interpretive Note to Recommendation 19, which include, among other things, (i) “[p]rohibiting financial institutions from establishing branches or representative offices in” Iran; (ii) “[l]imiting business relationships or financial transactions with” Iran; and (iii) “[r]equiring financial institutions to review, amend, or if necessary, terminate correspondent relationships with [Iranian] banks.” According to Treasury, the “countermeasures should be developed and implemented to protect the international financial system from the ongoing money laundering, terrorist financing, and proliferation financing . . . risks emanating from Iran.”
Treasury also discussed recent FATF guidance on digital identity for customer identification and verification. According to FATF, the guidance “explains how digital ID systems can meet FATF customer due diligence requirements and will assist governments and financial institutions worldwide when applying a risk-based approach to using digital ID systems.”
FATF’s public statement also discussed progress made by the U.S. to strengthen its AML/CFT system, including Treasury’s customer due diligence rulemaking and beneficial ownership requirements that took effect in 2018. According to Treasury, the U.S. is also one of the first countries to voluntarily submit to an assessment of its compliance with new FATF standards regarding virtual assets.
Finally, Treasury reported that FATF is calling “on all countries to apply countermeasures on North Korea due to the ongoing money laundering, terrorist financing, and weapons of mass destruction proliferation financing risks to the international financial system.” On the same day as its public statement, Treasury released an updated list of jurisdictions under increased monitoring that are actively working with FATF to address strategic AML/CFT deficiencies.
FTC report highlights 2019 privacy and data security work
On February 25, the FTC released its annual report highlighting the agency’s privacy and data security work in 2019. Among other items, the report highlights consumer-related enforcement activities in 2018, including:
- A $5 billion penalty—the largest consumer privacy penalty to date—against a global social media company to resolve allegations that the company violated its 2012 FTC privacy order and mishandled users’ personal information. (Covered by InfoBytes here.)
- A $170 million penalty against a global online search engine and its video-sharing subsidiary to resolve alleged violations of the Children’s Online Privacy Protection Act (COPPA). (Covered by InfoBytes here.)
- A proposed settlement in the FTC’s first case against developers of “stalking” apps that monitor consumers’ mobile devices and allegedly compromise consumer privacy in violation of the FTC’s Act prohibition against unfair and deceptive practices and COPPA.
- A global settlement of up to $700 million issued in conjunction with the CFPB, 48 states, the District of Columbia and Puerto Rico, to resolve federal and state investigations into a 2017 data breach that reportedly compromised sensitive information for approximately 147 million consumers. (Covered by InfoBytes here.)
The report also discusses the FTC’s enforcement of the EU-U.S. Privacy Shield framework, provides links to FTC congressional testimony on privacy and data security, and offers a list of relevant rulemaking, including rules currently under review. In addition, the report highlights recent privacy-related events, including (i) an FTC hearing examining consumer privacy as part of its Hearings on Competition and Consumer Protection in the 21st Century; (ii) the fourth annual PrivacyCon event, which hosted research presentations on consumer privacy and security issues (covered by InfoBytes here); (iii) a workshop examining possible updates to COPPA; and (iv) a public workshop that examined issues affecting consumer reporting accuracy.
Hospitality company’s bid to dismiss data breach suit denied
On February 21, the U.S. District Court for the District of Maryland denied an international hospitality company’s motion to dismiss multidistrict litigation resulting from its 2018 data breach. As previously covered by InfoBytes, the court also recently denied the company’s motion to dismiss in a suit brought by the city of Chicago as well as in a suit brought by a group of banks, both based on the same data breach of the company. The plaintiffs in this instance filed suit following the data breach, which exposed personal information including passport numbers and payment card numbers. The company argued, however, that the plaintiffs lacked standing and that they did not state a claim for which relief could be granted.
In the opinion, the court determined that the plaintiffs had successfully established injury-in-fact by claiming, among other things, that (i) plaintiffs’ personal information was targeted in the data breach and some plaintiffs were victims of identity theft, which “makes the threatened injury sufficiently imminent”; (ii) plaintiffs had spent time and money to mitigate harm from the data breach; and (iii) plaintiffs’ personal information lost value. The court also found that the company’s failure to properly secure the plaintiffs’ personal data could be traced to fraudulent accounts opened in certain plaintiffs’ names. In addition, the court denied the company’s motion to dismiss state negligence claims, contract claims, tort claims, and statutory claims in California, Florida, Georgia, Maryland, Michigan, New York, and Oregon. The court did, however, dismiss the plaintiffs’ negligence claims under Illinois law.
FDIC guide encourages fintech/bank partnerships
On February 24, the FDIC’s technology lab, FDiTech, announced the release of a new guide intended to assist fintech companies and other third parties with bank partnerships. Conducting Business with Banks: A Guide for Fintechs and Third Parties identifies several areas for third parties to consider when exploring potential partnerships with banks relevant to navigating regulatory requirements and due diligence processes. These include being able to: (i) “[u]nderstand the framework of laws and regulations” applicable to banks, such as those “related to consumer protection, privacy and data security, . . . the Bank Secrecy Act[,] and federal anti-money laundering laws”; (ii) “[m]aintain a well-managed and financially strong business”; (iii) respond to requests for information from potential partners that demonstrate “product integrity, risk management mitigation, and consumer protection”; and (iv) demonstrate the ability to ensure ongoing compliance with applicable laws and regulations and that appropriate monitoring systems have been implemented. In addition, the guide also outlines special considerations for modelers, and emphasizes that banks will expect to understand a third party’s use of models and algorithms or other automated decision-making systems.
As previously covered by InfoBytes, FDiTech was established in 2019 to encourage innovation within the banking industry, support collaboration for piloting new products and services, eliminate regulatory uncertainty, and manage risks.
CFPB denies debt collection law firm’s request to set aside CID
On February 10, the CFPB denied a debt collection law firm’s request to modify or set aside a third-party Civil Investigative Demand (CID) issued to the firm by the Bureau while investigating possible violations of the FDCPA, CFPA, and the FCRA. As previously covered by InfoBytes, the Bureau also denied a request by a debt collection company to modify or set aside a CID, which sought information about the company’s business practices and its relationship with the firm in the same investigation. The firm’s petition asserted arguments largely based on the theory that the CFPB’s structure is unconstitutional, and that the Dodd-Frank Act provides the Bureau’s director with “overly broad executive authority.” Alternatively, the firm argued that if the CID is not set aside, it should be modified, stating, among other things, that the CID’s scope exceeds applicable statutes of limitation.
As it did in the debt collection company’s request to set aside or modify the CID, the Bureau rejected the firm’s constitutionality argument, stating that “[t]he administrative process for petitioning to modify or set aside CIDs is not the proper forum for raising and adjudicating challenges to the constitutionality of provisions of the Bureau’s statute.” Additionally, the Bureau’s Decision and Order discounts the firm’s statute of limitations argument, contending that “the Bureau is not limited to gathering information only from the time period in which conduct may be actionable. Instead, what matters is whether the information is relevant to conduct for which liability can be lawfully imposed.” The Bureau also directed the firm to comply with the CID within ten days of the Order.
FTC, New York settle with debt collection schemer
On February 25, the FTC and the New York attorney general announced a settlement with an individual defendant who controlled a New York-based debt collection operation for allegedly violating the FTC Act, the FDCPA, and New York state law by using false or deceptive tactics to collect money from consumers. As previously covered by InfoBytes, the FTC and the New York AG filed a complaint against the operation in 2018, alleging that operation employees threatened consumers with arrest or lawsuits and sometimes falsely posed as law enforcement officials or attorneys. In addition, the FTC and New York AG claimed employees allegedly increased pressure on consumers by telling them they owed more than indicated in the operation’s records, using forms that showed both the actual balance owed by the consumer as well as a higher balance the collectors claimed the consumers owed—a practice known as “overbiffing.” Under the terms of the settlement, the defendant—who neither admitted nor denied the allegations—is permanently banned from participating in debt collection activities and “is prohibited from misleading consumers about any financial-related products” or services. The settlement also imposed a $1.7 million judgment, of which all but $30,000 is suspended due to the defendant’s inability to pay.
FTC gives annual ECOA summary to CFPB
On February 21, the FTC announced it recently provided the CFPB with its annual summary of work on ECOA-related policy issues, focusing specifically on the Commission’s activities with respect to Regulation B. The summary discusses, among other things, the following FTC research and policy development initiatives:
- The FTC continued its series of Hearings on Competition and Consumer Protection in the 21st Century. Session 12 of these hearings specifically focused on consumer privacy and “the use of big data in automated decision making and how . . . ECOA should inform the use of data collected from consumers.” Session 14 included a roundtable of state attorneys general and senior staff who addressed consumer protection issues related to “the impact of big data and algorithms on equal access to credit.”
- The FTC held a forum with a variety of business leaders, enforcement attorneys, and policymakers to discuss ECOA’s applicability to small business financing.
- The FTC held a consumer reporting workshop to discuss ECOA as well as (i) consumer report furnisher practices; (ii) making credit decisions based on fairness; and (iii) avoiding the use of a prohibited basis in extending credit.
- The FTC’s Military Task Force continued to work on military consumer protection issues, including military consumers’ rights to “various types of notifications as applicants for credit, including for adverse action, and information about the anti-discrimination provisions, in ECOA and Regulation B.”
- The FTC continued to participate in the Interagency Task Force on Fair Lending, along with the CFPB, DOJ, HUD, and federal banking regulatory agencies.
The summary also highlights FTC business and consumer education efforts on fair lending issues, as well as blog posts discussing the online marketplace for small business financing.
OCC releases January enforcement actions
On February 20, the OCC released a list of recent enforcement actions taken against national banks, federal savings associations, and individuals currently and formerly affiliated with such entities. The new enforcement actions include four civil money penalty orders, three cease and desist orders, five removal/prohibition orders, and a termination of an existing enforcement action. Included among the actions is a January 30 Consent Order to resolve the OCC’s claims that a New York-based bank engaged in Bank Secrecy Act/Anti-Money Laundering (BSA/AML) compliance program violations. According to the consent order, an OCC examination identified alleged deficiencies in the bank’s BSA/AML compliance program, including (i) failure to “assess and monitor high risk customer activity flowing to or from high risk jurisdictions”; (ii) deficient BSA/AML policies, procedures, systems and controls; (iii) inadequate suspicious activity monitoring and suspicious activity reporting (SAR) to FinCEN; (iv) deficient Customer Due Diligence processes, including failure to appoint a BSA officer; and (v) failure to sufficiently monitor or provide controls for increased wire and ACH transactions. The consent order requires the bank to, among other things, (i) appoint a compliance committee within 30 days; (ii) submit a written strategic plan to the OCC covering at least the next three years; (iii) appoint a “permanent, qualified, and experienced BSA Officer” with sufficient staff; (iv) create and adopt a “written program of internal control policies and procedures to provide for the compliance with the BSA”; and (v) adopt and deploy a “written system of internal controls and processes to ensure compliance with the requirements to file SARs.”
OFAC releases FAQs for reporting, procedures and penalties regulations
On February 20, the U.S. Treasury Department's Office of Foreign Assets Control (OFAC) issued two new FAQs related to the Reporting, Procedures and Penalties Regulations (RPPR). The RPPR “set forth standard reporting and recordkeeping requirements and license application and other procedures relevant to the economic sanctions programs administered by OFAC.” As previously covered by InfoBytes, OFAC amended the RPPR last June to expand instructions and add “new requirements for parties filing reports on blocked property, unblocked property, or rejected transactions,” updating six sections of the regulations. The two new FAQs state that the June amendment is currently in effect and that all parties, including entities that are not U.S. financial institutions, must obey all of the RPPR requirements, which include submitting reports to OFAC “within 10 business days of [a] rejected transaction.” Information on submitting the reports can be found here.
The FAQs also address how much information must be included in a rejected transaction report. OFAC anticipates filers will include all required information “that is in the filer’s possession in a rejected transaction report, and generally does not expect reporters to seek further information from their counterparty.” However, OFAC does expect that, at a minimum, filers will include (i) the identity of the filer; (ii) the date of the rejected transaction; (iii) the authority under which the transaction was rejected; and (iv) all pertinent documentation acquired with the transaction.
District court rejects bank’s bid to dismiss NSF suit
On February 19, the U.S. District Court for the Southern District of West Virginia denied a bank’s motion to dismiss a putative class action suit alleging the bank violated account agreements by routinely assessing more than one “non-sufficient funds fee [(NSF)] for a single attempted transaction.” According to the order, the plaintiff filed a lawsuit asserting various claims, including for breach of contract, unjust enrichment, and deceptive business practices in violation of the West Virginia Consumer Credit and Collection Act (WVCCCA) due to the bank’s alleged practice of charging multiple $36 NSF fees when customers try to make a purchase but are declined due to insufficient funds. The plaintiff claimed that the bank’s failure to clearly alert customers of its practice of charging more than one NSF fee “for a single transaction . . . is confusing or misleading conduct” and “an unlawful practice under the WVCCCA.” The bank moved to dismiss the claims, arguing among other things, that the plaintiff’s 2012 account agreement contained an arbitration clause and that federal law preempts the plaintiff’s state-law claims regarding fees imposed by national banks.
The court first disagreed with the bank on the matter of arbitration, stating that the arbitration clause contained in the 2012 account agreement may have been erased by updates the bank made in 2017 to the plaintiff’s account terms, which provided that the account would “be governed by the following terms and conditions” but omitted any mention of arbitration. As for preemption, the court ruled that the plaintiff’s state-law claims “are precisely the sort of claims that are not preempted by federal law.” (Emphasis in the original.) According to the court, “the proposition that ‘state law claims challenging fees imposed by national banks are expressly preempted by federal law’ is as overbroad as it is incorrect.” Furthermore, the court noted that the plaintiff’s “own principal citation makes this point clearly, noting that ‘it is . . . well established that true breach of contract and affirmative misrepresentation claims’—both state law torts—‘are not federally preempted.’” In addition, the court determined that it is unclear whether the bank’s account agreement governing the bank’s relationship with the customer authorized it to charge successive NSF fees per transaction. The court also concluded that it was not clear that the NSF fees could legally constitute billing errors—a contention made by the bank in its argument that the case was time-barred because the plaintiff failed to dispute the additional NSF fees within the 60-day window to challenge a billing error as permitted under the Electronic Funds Transfer Act. Explaining its reasoning, the court noted that it “struggles to conceive of a scenario in which a fee could be justified by a contract and assessed as a regular business practice, yet still be considered an ‘error’ within any reasonable definition of the word.”