InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
SEC awards nearly $4 million to whistleblower living overseas
On September 24, the SEC announced a whistleblower award of almost $4 million to an individual residing in a foreign country. The SEC determined the individual voluntarily provided critical information and continued assistance, which helped the agency bring a successful enforcement action. The SEC now has awarded over $326 million to 59 individuals since 2012.
FinCEN advisory reminds financial institutions about recent updates to the lists of FATF-identified jurisdictions with AML/CFT deficiencies
On September 21, the Financial Crimes Enforcement Network (FinCEN) issued an advisory reminding financial institutions that, on June 29, the Financial Action Task Force (FATF) updated two documents that each list jurisdictions identified as having “strategic deficiencies” in their anti-money laundering and combatting the financing of terrorism (AML/CFT) regimes. The first document, the FATF Public Statement, identifies two jurisdictions, the Democratic People’s Republic of Korea and Iran, that are subject to countermeasures and/or enhanced due diligence (EDD) due to their strategic AML/CFT deficiencies. The second document, the Improving Global AML/CFT Compliance: On-going Process, identifies jurisdictions with strategic AML/CFT deficiencies. As further described in the document, FATF identified the following jurisdictions as having developed action plans to address their AML/CFT deficiencies: Ethiopia, Serbia, Sri Lanka, Syria, Trinidad and Tobago, Tunisia, and Yemen. Notably, Pakistan has been added to the list based on FATF-identified AML/CFT deficiencies, whereas Iraq and Vanuatu have been removed from the list due to “significant progress in improving its AML/CFT regime . . . [and] establish[ing] the legal and regulatory framework to meet the commitments in its action plan.” FinCEN urges financial institutions to consider both the FATF Public Statement and the Improving Global AML/CFT Compliance: On-going Process documents when reviewing due diligence obligations and risk-based policies, procedures, and practices.
OFAC issues temporary extensions of Ukraine-related General Licenses
On September 21, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced the issuance of Ukraine-related General Licenses (GL) 13D, 14A, and 16A, which amend previous licenses and extend the expiration date of those licenses from October 23 to November 12 for wind-down transactions relating to a specific list of companies and subsidiaries that otherwise would be prohibited by Ukraine-Related Sanctions Regulations. GL 13D supersedes GL 13C (see previous InfoBytes coverage here) and authorizes, among other things, (i) the divestiture of the holdings of specific blocked persons to a non-U.S. person; and (ii) the facilitation of transfers of debt, equity, or other holdings involving specified blocked persons to a non-U.S. person. GL 14A, which supersedes GL 14, relates to specific wind-down activities involving a Russian aluminum producer sanctioned last April (see previous InfoBytes coverage here). Finally, GL 16A supersedes GL 16 and authorizes, as previously covered by InfoBytes, the maintenance or wind down of operations, contracts, or other agreements that were in effect prior to April 6, 2018 and that involve a specific list of entities.
Visit here for additional InfoBytes coverage on Ukraine sanctions.
California amends the California Consumer Privacy Act of 2018
On September 23, the California governor signed SB 1121, a bill amending the California Consumer Privacy Act of 2018 (the Act) enacted on June 28. (See Buckley Sandler Special Alert here.) The Act, which carries an effective date of January 1, 2020, on most provisions, sets forth various requirements for businesses that collect, transfer, or sell a consumer’s personal information. Among other changes, SB 1121 makes the following amendments to the Act:
- The bill requires businesses that collect a consumer’s personal information to disclose the consumer’s right to delete personal information in a form that is reasonably accessible to the consumer;
- The bill clarifies that the requirements imposed and rights afforded to consumers by the Act should not be interpreted in a way that infringes on a business’s ability to comply with federal, state, or local laws or that conflicts with the California Constitution;
- The bill prohibits application of the Act to personal information collected, processed, sold, or disclosed pursuant to a specified federal law relating to banks, brokerages, insurance companies, and credit reporting agencies or pursuant to the California Financial Information Privacy Act;
- The bill clarifies that the only private right of action permitted under the Act is a private right of action for violations of the data breach provisions involving a consumer’s nonencrypted or nonredacted personal information and only to the extent that the business’ failure to maintain reasonable security measures caused the breach;
- The bill eliminates the requirement that plaintiffs notify the California Attorney General prior to proceeding with private litigation under the Act;
- The bill limits the civil penalties that the California Attorney General may assess for violations to $2,500 per violation or $7,500 per intentional violation; and
- The bill prohibits the California Attorney General from bringing an enforcement action under the Act until the earlier of either July 1, 2020, or six months after the publication of the final regulations.
Colorado regulator exempts certain cryptocurrency exchanges from money transmitter licensing requirements
On September 20, the Colorado Department of Regulatory Agencies Division of Banking (Division) issued interim guidance exempting certain types of cryptocurrency exchanges from the state’s money transmitter licensing requirements. Under the interim guidance—which outlines the Division’s interpretation of Colorado’s existing Money Transmitters Act (the Act)— the Division determined that the Act regulates the transmission of money, meaning legal tender, and that cryptocurrencies are not legal tender under the Act. As a result, virtual currency exchanges operating in Colorado do not require a license if transmitting only cryptocurrencies without any legal tender issued and backed by a government (fiat currency) involved in the transaction. However, if fiat currency is present in a transaction, then a virtual currency exchange may require a license. Additionally, a virtual currency exchange must obtain a license when it performs all of the following: (i) it engages in the business of selling and buying cryptocurrencies for fiat currency; (ii) it allows a Colorado customer to transfer cryptocurrency to another customer within the exchange; and (iii) it allows the transfer of fiat currency through the medium of cryptocurrency within the exchange. If a virtual currency exchange offers the ability to transfer fiat currency through the medium of cryptocurrency, the Division encourages the exchange to contact the Division to determine whether it must obtain a license.
Court sends class action TCPA suit against global ride-sharing company to arbitration
On September 20, the U.S. District Court for the Northern District of Illinois granted a global ride-sharing company’s motion for summary judgment, ruling that a user had consented to arbitrate any disputes when he signed up for an account with the company. Specifically, the named plaintiff of the proposed class action brought the suit against the company for allegedly violating the TCPA when he received a single text message he claims he did not consent to after signing up for the company’s app, and that he claimed he received after he deleted the app. The company moved to compel arbitration, which initially was denied in 2017, when the court held that the company had not shown enough evidence that users were aware of the arbitration agreement and ordered the parties to engage in expedited discovery limited to the arbitration agreement formation. However, following both parties’ cross-motions for summary judgment, the court determined that the plaintiff “failed to raise a genuine dispute as to whether he entered into an enforceable agreement to arbitrate,” and that the app presented a statement that creating an account meant that users agreed to the terms of service and privacy policy, which was presented to users “in an easy-to-read font on an uncluttered screen” and required no scrolling.
According to the court, “the manner in which this statement and the Terms of Service were presented placed a reasonable person on notice that there were terms incorporated with creating an . . . account and that, by creating an account, he or she was agreeing to those terms.” Concerning the plaintiff’s argument that his TCPA claim does not fall under the arbitration agreement’s purview, the court stated that the question of what falls within the scope of the arbitration agreement is itself subject to arbitration, and also stated that the Terms of Service specifically permitted the texting of promotional offers to customers, arguably requiring the TCPA claim to be arbitrated. The court dismissed without prejudice the plaintiff’s claims against the company and stayed the case until arbitration proceedings are resolved.
California law requires credit reporting agencies to address security vulnerabilities
On September 19, the California governor signed AB 1859, which requires a credit reporting agency “that owns, licenses, or maintains personal information about a California resident” or a third party that maintains such personal information on behalf of a credit reporting agency to implement available software updates to address security vulnerabilities. Specifically, a credit reporting agency, or applicable third party that knows, or reasonably should know, that a system maintaining personal information is subject to a security vulnerability must, within three days, begin testing for implementation of an available software update, and complete the update no later than 90 days after becoming aware of the vulnerability. The law requires the credit reporting agency to employ “reasonable compensating controls” to reduce the risk of breach until the software update is complete. Additionally, whether or not a software update is available, the law requires the credit reporting agency to keep with industry best practices, including by (i) identifying, prioritizing, and addressing the highest risk security vulnerabilities most quickly; (ii) testing and evaluating compensating controls and how they affect security vulnerabilities; and (iii) requiring, by contract, that third parties implement and maintain appropriate security measures for personal information. The legislation is expected to take effect January 1, 2019.
District Court holds hotel calling system is not an autodialer under TCPA
On September 24, the U.S. District Court for the Middle District of Florida held that a hotel calling system, which required human intervention before a call was placed, does not qualify as an automatic telephone dialing system (autodialer) under the TCPA. The plaintiff filed the putative class action complaint alleging the hotel chain used an autodialer to call her cell phone without her consent. The hotel moved for summary judgment, arguing that the system did not qualify as an autodialer under the TCPA because it required a hotel agent to click “Make Call” before the system dialed the number. The court agreed, concluding that the defining characteristic of an autodialer is “the capacity to dial numbers without human intervention,” which the court noted remains unchanged even in light of the D.C. Circuit decision in ACA International v. FCC (covered by a Buckley Special Alert here). Because the calling system would not initiate an outbound call without an agent clicking the “Make Call” button, the court determined the plaintiff’s TCPA claim failed and granted summary judgment for the hotel chain.
New York Attorney General sues nine student debt relief companies
On September 20, the New York Attorney General announced a lawsuit against nine student loan debt relief companies, along with their financing company, and two individuals (collectively, “defendants”), alleging that the defendants fraudulently, deceptively, and illegally marketed, sold, and financed student debt relief services to consumers nationwide. Among other things, the complaint alleges that the defendants (i) sent direct mail solicitations to consumers that deceptively appeared to be from a governmental agency or an entity affiliated with a government agency; (ii) misrepresented that they would apply fees paid by borrowers to student loan balances; (iii) charged consumers over $1,000 for services that were available for free; (iv) requested upfront payments in violation of federal and state credit repair and debt relief laws; (v) charged usurious interest rates; and (vi) provided consumers with “incomplete and harmful advice,” such as counseling borrowers to consolidate federal student loans without explaining that in certain circumstances borrowers could “lose months or years of loan payments they had already made that would qualify toward forgiveness of their loans under the Public Service Loan Forgiveness Program.” The New York Attorney General maintains that these practices violated several federal and state consumer protection statutes, including the Telemarketing Sales Rule, New York General Business Law, the state’s usury cap on interest rates as covered by New York Banking Law and New York General Obligations Law, disclosure requirements under the Truth in Lending Act, and the Federal Credit Repair Organization Act.
3rd Circuit says IRS reporting language may violate FDCPA
On September 24, the U.S. Court of Appeals for the 3rd Circuit reversed the district court’s dismissal of a putative class action alleging a debt collector violated the FDCPA by including a statement noting that debt forgiveness may be reported to the IRS. The case was centered on the plaintiffs’ claim that letters sent to collect on debts that were less than $600, which contained the language “[w]e are not obligated to renew this offer. We will report forgiveness of debt as required by IRS regulations. Reporting is not required every time a debt is canceled or settled, and might not be required in your case,” were “false, deceptive and misleading” under the FDCPA because only discharged debts over $600 are required to be reported to the IRS. The district court dismissed the action, concluding the letters were not deceptive and the least sophisticated consumer would interpret the statement to mean in certain circumstances some discharges are reportable but not all are reportable.
Upon appeal, the 3rd Circuit disagreed with the district court, finding “the least sophisticated debtor could be left with the impression that reporting could occur,” notwithstanding the letter’s qualifying statement that reporting is not required every time a debt is canceled or settled, and therefore, the language could signal a potential FDCPA violation. Recognizing the industry’s regular use of form letters, the appeals court noted, “we must reinforce that convenience does not excuse a potential violation of the FDCPA.”