
InfoBytes Blog

Financial Services Law Insights and Observations


  • New York AG sues national coffee chain over data breach

    State Issues

    On September 26, the New York attorney general announced a lawsuit against a national franchisor of a coffee retail chain for allegedly failing to protect thousands of customer accounts from a series of cyberattacks. According to the complaint, the attorney general asserts that, beginning in 2015, customer accounts containing stored value cards that could be used to make purchases in stores and online were subject to repeated cyberattack attempts, resulting in almost 20,000 compromised accounts and “tens of thousands” of dollars stolen. The attorney general alleges that, following the attacks, the company failed to take steps to protect the affected customers, such as notifying them of the unauthorized access, resetting account passwords, or freezing the stored value cards. The complaint also alleges that the retailer failed to conduct an investigation to determine the extent of the attacks or implement appropriate safeguards to limit future attacks. In addition, according to the complaint, in 2018, a vendor notified the company of another attack that resulted in the unauthorized access of over 300,000 customer accounts, and the company’s response included inaccurate representations to customers. The complaint asserts violations of New York’s data breach notification statute and violations of New York’s consumer protection laws. The attorney general is seeking injunctive relief, restitution, disgorgement, and civil money penalties.

    State Issues State Attorney General Privacy/Cyber Risk & Data Security Data Breach

  • Agencies raise residential appraisal requirement to $400,000

    Agency Rule-Making & Guidance

    On September 27, the OCC, the Federal Reserve Board, and the FDIC announced a final rule increasing the threshold for residential real estate transactions requiring an appraisal from $250,000 to $400,000. As previously covered by InfoBytes, in November 2018, the agencies proposed the threshold increase in response to feedback that the exemption threshold had not increased to keep pace with the price appreciation in the residential real estate market. The final rule also includes the rural residential appraisal exemption included in the Economic Growth, Regulatory Relief, and Consumer Protection Act (previously covered by InfoBytes here), and implements the Dodd-Frank Act mandate that institutions appropriately review appraisals for compliance with the Uniform Standards of Professional Appraisal Practice. The final rule is effective the first day after publication in the Federal Register, except for the evaluation requirement for transactions exempted by the rural residential appraisal exemption and the requirement to review appraisals for compliance with the Uniform Standards of Professional Appraisal Practice, which are effective January 1, 2020.

    The FDIC press release is available here, the Federal Reserve Board press release is available here, and the concurrence letter from the CFPB is available here.

    Agency Rule-Making & Guidance Mortgages Appraisal OCC Federal Register Federal Reserve FDIC EGRRCPA CFPB Dodd-Frank

  • FDIC fines bank for flood insurance violations

    Federal Issues

    On September 27, the FDIC announced its release of a list of administrative enforcement actions taken against banks and individuals in August. According to the press release, the FDIC issued 13 orders, which include “four consent orders; one removal and prohibition order; four civil money penalty orders; two terminations of consent orders; and five section 19 orders.” Notably, the FDIC assessed a civil money penalty against a Texas-based bank for alleged violations of the Flood Disaster Protection Act, including failing to (i) obtain flood insurance coverage on loans at the time of origination, increase, extension, or renewal; (ii) maintain flood insurance coverage for the term of a loan; (iii) follow force-placement flood insurance procedures; or (iv) provide borrowers with notice of the availability of federal disaster relief assistance “in all cases whether or not flood insurance is available under the [National Flood Insurance Act] for the collateral securing the loan.”

    Federal Issues FDIC Enforcement Flood Insurance Flood Disaster Protection Act National Flood Insurance Act

  • SEC announces several FCPA-related bribery settlements

    Financial Crimes

    At the end of September, the SEC announced three settlements resolving claims related to alleged violations of the FCPA.

    On September 27, a UK-based bank holding company agreed to pay over $6 million to settle alleged charges that it violated the FCPA by hiring relatives of government officials and other clients in an attempt to secure business in the Asia Pacific-region. According to the SEC, the bank hired more than 100 people connected to foreign government officials or other clients through the bank’s unofficial intern “work experience program,” or as part of its formal internship program, graduate program, or for permanent positions. Employees then created false books and records that concealed the practices and circumvented internal controls in place to prevent the activities. In the administrative order, the SEC ultimately charged violations of the books and records and internal controls provisions of the FCPA. Without admitting or denying wrongdoing, the bank agreed to pay a $1.5 million civil money penalty (CMP) and more than $4.8 million in disgorgement and interest.

    In a second administrative order announced the same day, a Canadian fuel technology company agreed to pay over $4.1 million to settle FCPA bribery charges connected to a Chinese government official. The SEC alleged that the company and its former CEO transferred shares of stock in a Chinese joint venture to a Chinese private equity fund, in which the official had a financial stake, in an attempt to secure business and obtain a $3.5 million dividend payment. The SEC noted that the company concealed the identity of the private equity fund in its books and records, as well as in its public filings, by “falsely identifying a different entity as the counterparty to the transaction,” and that the CEO circumvented and falsely certified the sufficiency of the company’s internal accounting controls put in place to prevent such actions. Without admitting or denying wrongdoing, the company and the CEO consented to a cease and desist order covering violations of the anti-bribery, books and records, and internal controls provisions of the FCPA, and agreed to pay a $1.5 million CMP and $120,000 CMP, respectively, and more than $2.5 million in disgorgement and interest.

    On September 26, a Wisconsin-based marketing provider agreed to pay nearly $10 million to settle FCPA charges related to bribery schemes in Peru and China. The alleged misconduct included the company’s Peruvian subsidiary paying or promising bribes to Peruvian government officials from at least 2011 to January 2016 in an attempt to secure sales contracts and avoid penalties, while also creating false records to conceal certain transactions with a sanctioned Cuban telecommunications company. The SEC stated that the company’s China-based subsidiary also made improper payments to employees of state owned entities and private customers through sham sales agents. According to the administrative order, the company violated the anti-bribery provisions of the FCPA as well as the books and records and internal controls provisions, including by failing to ensure that its internal accounting controls were sufficient to prevent the alleged bribery schemes in Peru and China. Without admitting or denying wrongdoing, the company consented to a cease and desist order, agreed to pay a $2 million CMP and over $7.8 million in disgorgement and interest, and will, for a one-year period, self-report on its compliance program.

    Financial Crimes FCPA Bribery Of Interest to Non-US Persons SEC China

  • Ballot initiative seeks to expand CCPA, create new enforcement agency

    Privacy, Cyber Risk & Data Security

    On September 25, Alastair Mactaggart, the Founder and Chair of the Californians for Consumer Privacy and the drafter of the initiative that ultimately resulted in the California Consumer Privacy Act (CCPA), announced a newly filed ballot measure to further expand the CCPA (currently effective on January 1, 2020), titled the “California Privacy Rights and Enforcement Act of 2020” (the Act) (an additional version of the Act is available with comments from Mactaggart’s team). The Act would result in significant amendments to the CCPA, including the following, among others:

    • Sensitive personal information. The Act sets forth additional obligations in connection with a business’s collection, use, sale, or disclosure of “sensitive personal information,” which is a new term introduced by the Act. “Sensitive personal information” includes categories such as health information; financial information (stated as, “a consumer’s account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account”); racial or ethnic origin; precise geolocation; or other data collected and analyzed for the purpose of identifying such information.
    • Disclosure of sensitive personal information. The Act expands on the CCPA’s disclosure requirements to include, among other things, a requirement for businesses to specify the categories of sensitive personal information that will be collected, disclose the specific purposes for which the categories of sensitive personal information are collected or used, and disclose whether such information is sold. In addition, the Act prohibits a business from collecting additional categories of sensitive personal information, or from using sensitive personal information it has collected for purposes that are incompatible with the disclosed purpose for which the information was collected (or with other disclosed purposes reasonably related to the original purpose), unless notice is provided to the consumer.
    • Contractual requirements. The Act sets forth additional contractual requirements and obligations that apply when a business sells personal information to a third party or discloses personal information to a service provider or contractor for a business purpose. Among other things, the Act obligates the third party, service provider, or contractor to provide at least the same level of privacy protection required by the Act. The contract must also require the third party, service provider, or contractor to notify the business if it makes a determination that it can no longer meet its obligation to protect the personal information as required by the Act.
    • Eligibility for financial or lending services. The Act would require a business that collects personal information to disclose whether the business is profiling consumers and using their personal information for purposes of determining eligibility for, among other things, financial or lending services, housing, and insurance, as well as “meaningful information about the logic involved in using consumers’ personal information for this purpose.” Additionally, the business appears required to state in its privacy policy notice if such profiling had, or could reasonably have been expected to have, a significant, adverse effect on the consumers with respect to financial lending and loans, insurance, or any other specific categories that are enumerated. Notably, while Mactaggart has expressed heightened concern with sensitive personal information, such as health and financial information, the Act appears to retain the CCPA’s current exemptions under the Fair Credit Reporting Act and the Gramm-Leach-Bliley Act.
    • Advertising and marketing opt-out. The Act includes a consumer’s right to opt-out, at any time, of the business’s use of their sensitive personal information for advertising and marketing or disclosure of personal information to a service provider or contractor for the same purposes. The Act requires that businesses provide notice to consumers that their sensitive personal information may be used or disclosed for advertising or marketing purposes and that the consumers have “the right to opt-out” of its use or disclosure. “Advertising and marketing” means a communication by a business or a person acting on the business’s behalf in any medium intended to induce a consumer to buy, rent, lease, join, use, subscribe to, apply for, provide, or exchange products, goods, property, information, services, or employment.
    • Affirmative consent for sale of sensitive personal information. The Act expands on the CCPA’s opt-out provisions and prohibits businesses from selling a consumer’s sensitive personal information without actual affirmative authorization.
    • Right to correct inaccurate information. The Act provides consumers with the right to require a business to correct inaccurate personal information.
    • Definition of business. The Act revises the definition of “business” to:
      • Clarify that the time period for calculating annual gross revenues is based on the prior calendar year;
      • Provide that an entity meets the definition of “business” if the entity, in relevant part, alone or in combination, annually buys the personal information of 100,000 or more consumers or households;
      • Include a joint venture or partnership composed of businesses in which each business has at least a 40% interest; and
      • Provide a catch-all for businesses not covered by the foregoing bullets.
    • The “California Privacy Protection Agency.” The Act creates the California Privacy Protection Agency, which would have the power, authority, and jurisdiction to implement and enforce the CCPA (powers that are currently vested in the attorney general). The Act states that the Agency would have five members, including a single Chair, and the members would be appointed by the governor, the attorney general, and the leaders of the senate and assembly.

    If passed, the Act would become operative on January 1, 2021 and would apply to personal information collected by a business on or after January 1, 2020.

    As previously covered by a Buckley Special Alert, on September 13, lawmakers in California passed numerous amendments to the CCPA, which await the signature of Governor Gavin Newsom, who has until October 13 to sign. The amendments leave the majority of the consumer’s rights intact, but certain provisions were clarified — including the definition of “personal information” — while other exemptions were clarified regarding the collection of certain data that have a bearing on financial services companies.

    Privacy/Cyber Risk & Data Security State Issues State Legislation State Attorney General CCPA

  • CFPB files claims against Maryland debt collectors

    Federal Issues

    On September 25, the CFPB filed a complaint in the U.S. District Court for the District of Maryland against a debt collection entity, its subsidiaries, and their owner (collectively, “defendants”) for allegedly violating the FCRA, FDCPA, and the CFPA. In the complaint, the Bureau alleges that the defendants violated the FCRA and its implementing Regulation V by, among other things, failing to (i) establish or implement reasonable written policies and procedures to ensure accurate reporting to consumer-reporting agencies; (ii) incorporate appropriate guidelines for the handling of indirect disputes in its policies and procedures; and (iii) conduct reasonable investigations and review relevant information when handling indirect disputes; and (iv) by furnishing information about accounts, after receiving identity theft reports about such accounts, without conducting an investigation into the accuracy of the information. The Bureau separately alleges that the violations of the FCRA and Regulation V constitute violations of the CFPA. Additionally, the Bureau alleges that the defendants violated the FDCPA by attempting to collect on debts without a reasonable basis to believe that consumers owed those debts. The Bureau is seeking an injunction, damages, redress to consumers, disgorgement, the imposition of a civil money penalty, and costs.

    Federal Issues CFPB FCRA Enforcement FDCPA Credit Reporting Agency Credit Report Debt Collection CFPA

  • CFPB issues filing guides for 2020 HMDA data

    Agency Rule-Making & Guidance

    On September 25, the CFPB released the Filing Instructions Guide for HMDA data collected in 2020 that must be reported in 2021. The guide references changes to the submission process, and includes a reminder that, starting in 2020, “covered institutions that reported a combined total of at least 60,000 applications and covered loans in the preceding calendar year are required to report HMDA data quarterly.” Instructions for quarterly reporting can be found in the Supplemental Quarterly Reporting Guide, which was issued the same day. The file format for submitting the HMDA data, along with the required data fields to be collected and reported, have not changed.

    Agency Rule-Making & Guidance CFPB HMDA FFIEC Mortgages

  • Seventh Circuit affirms dismissal of FDCPA suit concerning “current balance” reference

    Courts

    On September 25, the U.S. Court of Appeals for the Seventh Circuit affirmed the dismissal of an action against a debt collection agency for allegedly violating the FDCPA by referring to the amount owed as a “current balance” in a letter—even though it was static and not going to change. According to the opinion, the plaintiff contended that “current balance” falsely implied that the balance might increase in the future, which, she argued, was a violation of the FDCPA’s prohibition on false, deceptive, or misleading representations connected to the collection of a debt. By implying that the amount owed might increase if not paid, the plaintiff argued, the debt collector allegedly misled debtors into giving static debts greater priority. The district court granted the debt collector’s motion to dismiss for failure to state a claim, ruling “that no significant fraction of the population would be misled” by the letter’s use of the “current balance” phrase. The plaintiff appealed, arguing that the phrase would confuse an unsophisticated consumer.

    On appeal, the Seventh Circuit determined that there is nothing inherently misleading about the reference and stated that, not only did the debt collector’s letter not contain a directive for a debtor to call for a current balance, it also did not include language implying that a “current balance” means anything other than the balance owed. “It takes an ingenious misreading of this letter to find it misleading,” the appellate court concluded. “Dunning letters can comply with the [FDCPA] without answering all possible questions about the future. A lawyer’s ability to identify a question that a dunning letter does not expressly answer (‘Is it possible the balance might increase?’) does not show the letter is misleading, even if a speculative guess to answer the question might be wrong.”

    Courts Debt Collection FDCPA Appellate Seventh Circuit

  • FinCEN Director warns of account takeovers via fintech data aggregators

    Financial Crimes

    On September 24, Financial Crimes Enforcement Network (FinCEN) Director Kenneth Blanco spoke at the Federal Identity (FedID) Forum and Exposition, discussing the role of FinCEN in combatting fraud and cybercrime and highlighting concerns regarding identity crimes. Blanco noted that FinCEN sees approximately 5,000 account takeover reports each month, a crime that “involves the targeting of financial institution customer accounts to gain unauthorized access to funds.” Moreover, FinCEN sees a high amount of fraud through account takeovers via fintech platforms, where cybercriminals use fintech data aggregators to facilitate account takeovers and fraudulent wires. Blanco stated that cybercriminals create fraudulent accounts and are able to “exploit the platforms’ integration with various financial services to initiate seemingly legitimate financial activity while creating a degree of separation from traditional fraud detection efforts.”

    Additionally, Blanco discussed how cybercriminals use business email compromise (BEC) fraud schemes to target financial institutions and relayed FinCEN’s efforts to combat these schemes. As previously covered by InfoBytes, in July, FinCEN issued an updated advisory, describing general trends in BEC schemes, information concerning the targeting of non-business entities, and risks associated with the targeting of vulnerable business processes. Blanco also discussed (i) FinCEN’s final rule titled the “Customer Due Diligence Requirements for Financial Institutions,” (the CDD Rule) (prior coverage by InfoBytes here); and (ii) FinCEN’s December 2018 joint statement with federal banking agencies encouraging innovative approaches to combatting money laundering, terrorist financing, and other illicit financial threats when safeguarding the financial system (previously covered by InfoBytes here).


    Financial Crimes Fintech Bank Secrecy Act Anti-Money Laundering CDD Rule Fraud Of Interest to Non-US Persons

  • EU's “right to be forgotten” law applies only in EU

    Courts

    On September 24, the European Court of Justice held that Europe’s “right to be forgotten” online privacy law — which allows individuals to request the deletion of personal information from online sources that the individual believes infringes on their right to privacy—can be applied only in the European Union. The decision results from a challenge by a global search engine to a 2015 order by a French regulator, Commission Nationale de l'Informatique et des Libertés (CNIL), requiring the search engine to delist certain links from all of its global domains, not just domains originating from the European Union. The search engine refused to comply with the order, and the CNIL imposed a 100,000 EUR penalty. The search engine sought annulment of the order and penalty, arguing that the “right to be forgotten” does not “necessarily require that the links at issue are to be removed, without geographical limitation, from all its search engine’s domain names.” Moreover, the search engine asserted that the CNIL “disregarded the principles of courtesy and non-interference recognised by public international law” and infringed on the freedoms of expression, information, and communication.

    The Court of Justice agreed with the search engine. Specifically, the Court noted that while the “internet is a global network without borders” and internet users’ access outside of the EU to a referencing link to privacy infringing personal information is “likely to have immediate and substantial effects on that person within the Union itself,” there is no obligation under current EU law for a search engine to carry out the requested deletion on all global versions of its network. The Court explained that numerous nations do not recognize “the right to be forgotten” or take an alternate approach to the right. Additionally, the Court emphasized that “the right to the protection of personal data is not an absolute right, but must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality.” The Court concluded that, while the EU struck that balance within its union, “it has not, to date, struck such a balance as regards the scope of a de-referencing outside of the union.”

    Courts Privacy/Cyber Risk & Data Security European Union Of Interest to Non-US Persons
