InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Republican lawmakers urge CFPB to extend Remittance Rule safe harbor
On September 30, 16 Republican members of Congress wrote to CFPB Director Kathy Kraninger to express concern over the upcoming expiration of a safe harbor to the Remittance Rule (the Rule), which allows certain insured depository institutions to estimate exchange rates and certain fees they are required to disclose to customers about remittance transactions. As previously covered by InfoBytes, the CFPB issued a Request for Information (RFI) last April on two aspects of the Rule that require financial institutions handling international money transfers, or remittance transfers, to disclose to individuals transferring money information about the exact exchange rate, fees, and the amount expected to be delivered. The RFI also sought feedback on a possible extension of the current statutory exception, which is set to expire July 21, 2020. While lawmakers recognize the CFPB’s interest in mitigating negative effects that may result from the exception’s expiration, they urged the CFPB to “take every available step” to ensure that consumers may continue to access remittance services. The lawmakers stressed that it is often difficult, if not “virtually impossible,” for depository institutions to calculate the exact cost of certain remittance transactions. The letter further noted that “depository institutions cannot readily covert all foreign currencies at the time a transfer is conducted, and if the currency exchange takes place after the transfer is initiated, a consumer’s financial institution may only be able to estimate the applicable exchange rate.” Accordingly, if the exception expired, it could cause many depository institutions to discontinue providing remittance services due to increased compliance risk, or cease transfers to certain countries or beneficial banks due to non-compliance risks.
The lawmakers urged the CFPB to use its statutory authority under the Electronic Fund Transfer Act or Dodd-Frank to make the exception permanent “so financial institutions are able to make long-term decisions regarding the provision of these services.”
CFPB report examines bankruptcy trends
On September 25, the CFPB released the latest quarterly consumer credit trends report, which examines how the volume and types of bankruptcy filings have changed from 2001 to 2018. The report focuses on consumers who filed for Chapter 7 or Chapter 13 bankruptcy during the reported timeframe. Key findings of the report include: (i) in 2005, there was a rush to file for bankruptcy before the income limits of the Bankruptcy Abuse Prevention and Consumer Protection Act (BAPCPA) went into effect, increasing the share of Chapter 7 filings to 80 percent of all personal bankruptcy filings that year; (ii) from 2015 to 2018, with the effects of the recession fading, Chapter 7 filings appear to have stabilized at about 63 percent; (iii) Chapter 7 and 13 filers, on average, had more than twice the mortgage debt during the recession than in the periods before and after; and (iv) median credit scores increase steadily from year-to-year after consumers file a bankruptcy petition, with Chapter 7 filers’ scores increasing more quickly than Chapter 13, on average.
CFTC awards $7 million to whistleblower for CEA action
On September 27, the Commodity Futures Trading Commission (CFTC) announced a whistleblower award of approximately $7 million to an individual who reported information that led to a successful Commodity Exchange Act (CEA) enforcement action. The associated order notes that five claimants submitted whistleblower award applications to the CFTC in response to the covered action, but the CFTC provided the award only to claimant one, as that individual voluntarily provided the original information to the Commission. The order does not provide any other significant details about the information provided or the related enforcement action. The CFTC has awarded over $90 million to whistleblowers since the enactment of the Whistleblower Program under the Dodd-Frank Act, and their information has led to more than $730 million in sanctions to date.
OFAC amends Venezuela-related general licenses
On September 30, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced amended Venezuelan General Licenses (GL) 3G, which supersedes and replaces GL 3F, and 9F, which supersedes GL 9E. The amended GLs concern authorized transactions related to the financing and dealings in certain bonds and securities, and extend the authorization wind-down periods to March 31, 2020. As previously covered by InfoBytes, the GLs were issued in conjunction with Executive Order 13884 which, among other things, prevents all property and interest in property of the Government of Venezuela within the U.S. or in the possession of a U.S. person from being transferred, paid, exported, withdrawn, or otherwise dealt in.
New York AG sues national coffee chain over data breach
On September 26, the New York attorney general announced a lawsuit against a national franchisor of a coffee retail chain for allegedly failing to protect thousands of customer accounts from a series of cyberattacks. According to the complaint, the attorney general asserts that, beginning in 2015, customer accounts containing stored value cards that could be used to make purchases in stores and online were subject to repeated cyberattack attempts, resulting in almost 20,000 compromised accounts and “tens of thousands” of dollars stolen. The attorney general alleges that, following the attacks, the company failed to take steps to protect the affected customers, such as notifying them of the unauthorized access, resetting account passwords, or freezing the stored value cards. The complaint also alleges that the retailer failed to conduct an investigation to determine the extent of the attacks or implement appropriate safeguards to limit future attacks. In addition, according to the complaint, in 2018, a vendor notified the company of another attack that resulted in the unauthorized access of over 300,000 customer accounts, and the company’s response included inaccurate representations to customers. The complaint asserts violations of New York’s data breach notification statute and violations of New York’s consumer protection laws. The attorney general is seeking injunctive relief, restitution, disgorgement, and civil money penalties.
Agencies raise residential appraisal requirement to $400,000
On September 27, the OCC, the Federal Reserve Board, and the FDIC announced a final rule increasing the threshold for residential real estate transactions requiring an appraisal from $250,000 to $400,000. As previously covered by InfoBytes, in November 2018, the agencies proposed the threshold increase in response to feedback that the exemption threshold had not increased to keep pace with the price appreciation in the residential real estate market. The final rule also includes the rural residential appraisal exemption included in the Economic Growth, Regulatory Relief, and Consumer Protection Act (previously covered by InfoBytes here), and implements the Dodd-Frank Act mandate that institutions appropriately review appraisals for compliance with the Uniform Standards of Professional Appraisal Practice. The final rule is effective the first day after publication in the Federal Register, except for the evaluation requirement for transactions exempted by the rural residential appraisal exemption and the requirement to review appraisals for compliance with the Uniform Standards of Professional Appraisal Practice, which are effective January 1, 2020.
The FDIC press release is available here, the Federal Reserve Board press release is available here, and the concurrence letter from the CFPB is available here.
FDIC fines bank for flood insurance violations
On September 27, the FDIC announced its release of a list of administrative enforcement actions taken against banks and individuals in August. According to the press release, the FDIC issued 13 orders, which include “four consent orders; one removal and prohibition order; four civil money penalty orders; two terminations of consent orders; and five section 19 orders.” Notably, the FDIC assessed a civil money penalty against a Texas-based bank for alleged violations of the Flood Disaster Protection Act, including failing to (i) obtain flood insurance coverage on loans at the time of origination, increase, extension, or renewal; (ii) maintain flood insurance coverage for the term of a loan; (iii) follow force-placement flood insurance procedures; or (iv) provide borrowers with notice of the availability of federal disaster relief assistance “in all cases whether or not flood insurance is available under the [National Flood Insurance Act] for the collateral securing the loan.”
SEC announces several FCPA-related bribery settlements
At the end of September, the SEC announced three settlements resolving claims related to alleged violations of the FCPA.
On September 27, a UK-based bank holding company agreed to pay over $6 million to settle alleged charges that it violated the FCPA by hiring relatives of government officials and other clients in an attempt to secure business in the Asia Pacific-region. According to the SEC, the bank hired more than 100 people connected to foreign government officials or other clients through the bank’s unofficial intern “work experience program,” or as part of its formal internship program, graduate program, or for permanent positions. Employees then created false books and records that concealed the practices and circumvented internal controls in place to prevent the activities. In the administrative order, the SEC ultimately charged violations of the books and records and internal controls provisions of the FCPA. Without admitting or denying wrongdoing, the bank agreed to pay a $1.5 million civil money penalty (CMP) and more than $4.8 million in disgorgement and interest.
In a second administrative order announced the same day, a Canadian fuel technology company agreed to pay over $4.1 million to settle FCPA bribery charges connected to a Chinese government official. The SEC alleged that the company and its former CEO transferred shares of stock in a Chinese joint venture to a Chinese private equity fund, in which the official had a financial stake, in an attempt to secure business and obtain a $3.5 million dividend payment. The SEC noted that the company concealed the identity of the private equity fund in its books and records, as well as in its public filings, by “falsely identifying a different entity as the counterparty to the transaction,” and that the CEO circumvented and falsely certified the sufficiency of the company’s internal accounting controls put in place to prevent such actions. Without admitting or denying wrongdoing, the company and the CEO consented to a cease and desist order covering violations of the anti-bribery, books and records, and internal controls provisions of the FCPA, and agreed to pay a $1.5 million CMP and $120,000 CMP, respectively, and more than $2.5 million in disgorgement and interest.
On September 26, a Wisconsin-based marketing provider agreed to pay nearly $10 million to settle FCPA charges related to bribery schemes in Peru and China. The alleged misconduct included the company’s Peruvian subsidiary paying or promising bribes to Peruvian government officials from at least 2011 to January 2016 in an attempt to secure sales contracts and avoid penalties, while also creating false records to conceal certain transactions with a sanctioned Cuban telecommunications company. The SEC stated that the company’s China-based subsidiary also made improper payments to employees of state owned entities and private customers through sham sales agents. According to the administrative order, the company violated the anti-bribery provisions of the FCPA as well as the books and records and internal controls provisions, including by failing to ensure that its internal accounting controls were sufficient to prevent the alleged bribery schemes in Peru and China. Without admitting or denying wrongdoing, the company consented to a cease and desist order, agreed to pay a $2 million CMP and over $7.8 million in disgorgement and interest, and will, for a one-year period, self-report on its compliance program.
Ballot initiative seeks to expand CCPA, create new enforcement agency
On September 25, Alastair Mactaggart, the Founder and Chair of the Californians for Consumer Privacy and the drafter of the initiative that ultimately resulted in the California Consumer Privacy Act (CCPA), announced a newly filed ballot measure to further expand the CCPA (currently effective on January 1, 2020), titled the “California Privacy Rights and Enforcement Act of 2020” (the Act) (an additional version of the Act is available with comments from McTaggart’s team). The Act would result in significant amendments to the CCPA, including the following, among others
- Sensitive personal information. The Act sets forth additional obligations in connection with a business’s collection, use, sale, or disclosure of “sensitive personal information,” which is a new term introduced by the Act. “Sensitive personal information” includes categories such as health information; financial information (stated as, “a consumer’s account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account”); racial or ethnic origin; precise geolocation; or other data collected and analyzed for the purpose of identifying such information.
- Disclosure of sensitive personal information. The Act expands on the CCPA’s disclosure requirements to include, among other things, a requirement for businesses to specify the categories of sensitive personal information that will be collected, disclose the specific purposes for which the categories of sensitive personal information are collected or used, and disclose whether such information is sold. In addition, the Act prohibits a business from collecting additional categories of sensitive personal information or use sensitive personal information collected for purposes that are incompatible with the disclosed purpose for which the information was collected, or other disclosed purposes reasonably related to the original purpose for which the information was collected, unless notice is provided to the consumer.
- Contractual requirements. The Act sets forth additional contractual requirements and obligations that apply when a business sells personal information to a third party or discloses personal information to a service provider or contractor for a business purpose. Among other things, the Act obligates the third party, service provider, or contractor to provide at least the same level of privacy protection required by the Act. The contract must also require the third party, service provider, or contractor to notify the business if it makes a determination that it can no longer meet its obligation to protect the personal information as required by the Act.
- Eligibility for financial or lending services. The Act would require a business that collects personal information to disclose whether the business is profiling consumers and using their personal information for purposes of determining eligibility for, among other things, financial or lending services, housing, and insurance, as well as “meaningful information about the logic involved in using consumers’ personal information for this purpose.” Additionally, the business appears required to state in its privacy policy notice if such profiling had, or could reasonably have been expected to have, a significant, adverse effect on the consumers with respect to financial lending and loans, insurance, or any other specific categories that are enumerated. Notably, while Mactaggart has expressed heightened concern with sensitive personal information, such as health and financial information, the Act appears to retain the CCPA’s current exemptions under the Fair Credit Reporting Act and the Gramm-Leach-Bliley Act.
- Advertising and marketing opt-out. The Act includes a consumer’s right to opt-out, at any time, of the business’s use of their sensitive personal information for advertising and marketing or disclosure of personal information to a service provider or contractor for the same purposes. The Act requires that businesses provide notice to consumers that their sensitive personal information may be used or disclosed for advertising or marketing purposes and that the consumers have “the right to opt-out” of its use or disclosure. “Advertising and marketing” means a communication by a business or a person acting on the business’s behalf in any medium intended to induce a consumer to buy, rent, lease, join, use, subscribe to, apply for, provide, or exchange products, goods, property, information, services, or employment.
- Affirmative consent for sale of sensitive personal information. The Act expands on the CCPA’s opt-out provisions and prohibits businesses from selling a consumer’s sensitive personal information without actual affirmative authorization.
- Right to correct inaccurate information. The Act provides consumers with the right to require a business to correct inaccurate personal information.
- Definition of business. The Act revises the definition of “business” to:
- Clarify that the time period for calculating annual gross revenues is based on the prior calendar year;
- Provide that an entity meets the definition of “business” if the entity, in relevant part, alone or in combination, annually buys the personal information of 100,000 or more consumers or households;
- Include a joint venture or partnership composed of business in which each business has at least a 40% interest; and
- Provides a catch-all for businesses not covered by the foregoing bullets.
- The “California Privacy Protection Agency.” The Act creates the California Privacy Protection Agency, which would have the power, authority, and jurisdiction to implement and enforce the CCPA (powers that are currently vested in the attorney general). The Act states that the Agency would have five members, including a single Chair, and the members would be appointed by the governor, the attorney general, and the leaders of the senate and assembly.
If passed, the Act would become operative on January 1, 2021 and would apply to personal information collected by a business on or after January 1, 2020.
As previously covered by a Buckley Special Alert, on September 13, lawmakers in California passed numerous amendments to the CCPA, which are awaiting Governor Gavin Newsom’s signature, who has until October 13 to sign. The amendments leave the majority of the consumer’s rights intact, but certain provisions were clarified — including the definition of “personal information” — while other exemptions were clarified regarding the collection of certain data that have a bearing on financial services companies.
CFPB files claims against Maryland debt collectors
On September 25, the CFPB filed a complaint in the U.S. District Court for the District of Maryland against a debt collection entity, its subsidiaries, and their owner (collectively, “defendants”) for allegedly violating the FCRA, FDCPA, and the CFPA. In the complaint, the Bureau alleges that the defendants violated the FCRA and its implementing Regulation V by, among other things, failing to (i) establish or implement reasonable written policies and procedures to ensure accurate reporting to consumer-reporting agencies; (ii) incorporate appropriate guidelines for the handling of indirect disputes in its policies and procedures; (iii) conduct reasonable investigations and review relevant information when handling indirect disputes; and (iv) furnishing information about accounts after receiving identity theft reports about such accounts without conducting an investigation into the accuracy of the information. The Bureau separately alleges that the violations of the FCRA and Regulation V constitute violations of the CFPA. Additionally, the Bureau alleges that the defendants violated the FDCPA by attempting to collect on debts without a reasonable basis to believe that consumers owed those debts. The Bureau is seeking an injunction, damages, redress to consumers, disgorgement, the imposition of a civil money penalty, and costs.