InfoBytes Blog

Financial Services Law Insights and Observations

  • FinCrimes Webinar Series Recap: The Role of Corruption Risk in a Financial Crimes Compliance Program

    BuckleySandler hosted a webinar, The Role of Corruption Risk in a Financial Crimes Compliance Program: What are Banks Doing to Detect Corruption in the Wake of the FIFA Scandal?, on September 24, 2015 as part of its ongoing FinCrimes Webinar Series. Panelists included Thomas Coupe, EMEA Global Financial Crimes and Compliance at Bank of America Merrill Lynch; Gaon Hart, Global Anti-Bribery & Corruption Policy and Education Lead at HSBC; and Denisse Rudich, Financial Crimes Compliance Specialist at Firedrake Consulting. The following is a summary of the guided conversation moderated by Jamie Parkinson, partner at BuckleySandler, and key take-aways you can implement in your company.

    Best Practice Tips and Take-Aways:

    1. Corruption risk for a financial services firm is presented both directly and indirectly. Corruption risk is presented directly when an employee, or a third party acting on behalf of the institution, acts in a way that implicates anti-corruption laws such as the Foreign Corrupt Practices Act (FCPA), the U.K. Bribery Act or another anti-corruption statute. Corruption risk is presented indirectly when a customer seeks to use the financial institution for a corrupt deal or to hold or transmit funds associated with a corrupt scheme.
    2. It is important to have one person your organization can look to when an anti-corruption concern arises. This person should serve as the point of contact for your regulators and have the ability to quickly escalate concerns to senior management and the board of directors.
    3. New customers with past corruption issues present special challenges. Be sure that your onboarding and due diligence processes are able to identify and evaluate these concerns.
    4. Bear in mind that corruption risk management also requires looking at your organization internally. This means examining your own employees for conflicts issues, evaluating your organization’s sponsorships and donations, and performing due diligence on your third-party suppliers.
    5. Effective anti-corruption risk management requires cultivating a culture within your organization that supports your efforts. This is an area that regulators are increasingly interested in.

    Structuring an Effective Corruption Risk Management Function

    The panelists began the session by discussing where best to locate corruption risk management within a bank. The panelists observed that corruption risk management differs from other financial crimes areas, such as anti-money-laundering, because it is more inwardly focused. Panelists commented that, for some institutions, corruption risk management might be a better fit with areas that deal more with the culture of the organization, such as reputational risk and conduct risk. One panelist observed that the regulators have been increasing their focus on the culture of organizations, heightening the importance of this aspect of corruption risk management.

    The panelists discussed the most efficient way to structure an organization’s anti-corruption standards. Generally, the panelists agreed that it makes the most sense to develop centralized standards based on the most stringent anti-corruption statutes, such as the FCPA and the U.K. Bribery Act. This approach helps account for the extraterritorial application of the FCPA and the U.K. Bribery Act. The panelists recommended developing add-on standards that apply in countries where a local statute imposes additional requirements. In particular, the panelists observed that local statutes may provide different rules for entertainment expenses and facilitating payments.

    The panelists observed that corruption-risk screening should be integrated into the onboarding process for new customers. In this area, it is important to consider the differences between Public Officials (“POs”) and Politically-Exposed Persons (“PEPs”). One key issue to be aware of is that screening tools and databases designed to identify PEPs may miss lower-level POs. PEP screening tools may also miss State-Owned Enterprises, for example where the government owns only a small share of the company. Therefore, it is important to look closely at new customers and suppliers to identify whether there are indirect links to government officials, whether the company has a history of working closely with the government, and whether the company’s beneficial ownership raises any concerns.

    One of the panelists observed that a new customer with past corruption issues presents special concerns in the due diligence process. Here, robust due diligence is needed to assess what changes the customer has implemented since the corruption issue came to light, and whether they have cooperated with the authorities and/or compliance monitors. Heightened monitoring should also be put in place for these customers.

    Responding to a Corruption Concern

    The panelists discussed how to respond when the bank receives news that a counterparty or a customer may pose a corruption risk. Here, the panelists agreed that it is important to have a well-thought out and comprehensive incident response plan in place. This plan should:

    • Identify who in the organization is the designated point person for coordinating the response. This person should serve as the contact point for regulators, and be able to quickly escalate issues to senior management and the board of directors.
    • Along these lines, specify who is to be notified of the issue and when. The panelists stressed the need for the incident plan to also address reputational risk to the bank.
    • Lay out steps that allow the bank to determine if the corruption risk affects the bank, and if so, to what degree. This will involve using databases to search for names of both corporate and individual customers. This will also require setting up suspense accounts if needed and reporting these accounts as appropriate. After addressing the funds on hand within the bank, it will be necessary to perform a historical look-back for suspicious transactions.

    The panelists also discussed how to respond to corruption concerns that arise from within the organization. The panelists observed that AML monitoring tools will often detect transactions that may present a corruption risk. Therefore, it makes sense to have close communication between the AML function and corruption risk management. The panelists concluded the discussion by observing that corruption risk should become as central to a bank’s business function as credit-risk has been traditionally.

    Anti-Corruption Compliance Financial Crimes

  • North Carolina Passes Legislation Allowing Secured Parties to Submit E-Signatures to the DMV

    Fintech

    On October 12, North Carolina Governor Pat McCrory (R-NC) signed into law North Carolina SB 370. Effective August 2016, an application for a certificate of title, a registration plate, a registration card, and any other document required by the DMV to be submitted with the application and requiring a signature may be submitted with an electronic signature. The required notification may also be performed electronically. In addition, effective December 1, 2015, upon the satisfaction or other discharge of a security interest in a vehicle for which the certificate of title data is notated by a lien through electronic means, the secured party shall, within seven business days from the date of satisfaction, send electronic notice of the release of the security interest to the DMV through the electronic lien release system. The electronic notice of the release of the security interest sent to the DMV by the secured party shall direct that a physical certificate of title be mailed or delivered to the address noted by the secured party providing notice of the satisfaction or other discharge of the security interest. Upon receipt by the Division of an electronic notice of the release of the security interest, the Division shall mail or deliver a certificate of title to the address noted by the secured party within three business days.

    Electronic Signatures

  • Special Alert: CFPB Issues Guidance Regarding Marketing Services Agreements

    Consumer Finance

    On October 8, 2015, the Consumer Financial Protection Bureau (“CFPB”) published a compliance bulletin providing guidance to mortgage industry participants regarding the permissibility of marketing services agreements (“MSAs”) under the Real Estate Settlement Procedures Act (“RESPA”). The bulletin summarizes the CFPB’s “grave concerns” that settlement service providers have been improperly using MSAs to circumvent RESPA’s restrictions on the payment of kickbacks and referral fees in exchange for real estate settlement services.

    According to the bulletin, while MSAs are purportedly designed to permit individuals or entities to pay service providers bona fide compensation for goods, facilities, or services actually provided—which is expressly permitted under RESPA—in some cases, MSAs are actually used as a cover for illegal referral fee arrangements. The bulletin further notes that even facially-compliant MSAs can be implemented in a manner that ultimately results in the impermissible exchange of compensation for referrals of settlement service business, often as a result of the significant financial pressures that exist for participants in the mortgage and settlement service markets. The CFPB’s guidance emphasizes the dangers posed to consumers by MSA arrangements that hide or indirectly or inadvertently facilitate the unlawful exchange of payment for referrals of settlement service business, including potential increases in mortgage pricing and negative impacts on consumers’ ability to freely shop for mortgages and mortgage-related settlement services.


    ***

    Questions regarding the matters discussed in this Alert may be directed to any of our lawyers listed below, or to any other BuckleySandler attorney with whom you have consulted in the past.

     

    CFPB RESPA Agency Rule-Making & Guidance

  • Digital Insights & Trends: Embracing EMV Technology for Fraud Reduction and Loss Prevention

    Fintech

    October 2015 represents a significant milepost in the migration of U.S. payments products to EMV chip technology. It also serves as a useful evaluation point as to what the technology achieves and where it falls short. By now, many U.S. cardholders have been issued EMV chip cards, the microprocessor-equipped cards that store the cardholder data on the embedded chip. For decades, U.S. payment cards stored cardholder data on a magnetic stripe on the back of the card instead of a chip. Indeed, most cards in the marketplace, including EMV cards, still carry the familiar “magstripe.” Unfortunately, the static nature of the data on the magstripe makes the production of counterfeit magstripe cards relatively easy: the stripe presents the same data on every swipe, so a copy is indistinguishable from the original. Once the cardholder data for a particular person is obtained, through “skimming” or other means, a usable counterfeit magstripe card can be produced and readily used at the point-of-sale until the cardholder realizes that his or her data has been compromised. In contrast, EMV chip cards authenticate dynamically at the point-of-sale: the chip computes a fresh cryptogram for each transaction using a key that never leaves the card, so captured transaction data cannot be replayed and a copy of the card’s static data cannot produce valid cryptograms. This makes the production of a counterfeit EMV chip card much more difficult. As a result, when the chip is read at the point-of-sale, merchants can reasonably conclude that the EMV chip card presented is authentic and not counterfeit, and card issuers should similarly experience smaller fraud losses.
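    To make the static-versus-dynamic distinction concrete, the following Python model is an added example (not code from the original post, from EMVCo or from any payment network). It treats magstripe track data as a fixed string that an issuer can only match against what it issued, and the chip as a device holding a secret key that computes a per-transaction MAC over the amount, the terminal’s unpredictable number and the card’s own transaction counter. The PAN, key and track data are constructed demo values; HMAC-SHA256 over a short field list stands in for the 3DES/AES-based application cryptogram and the longer data set a real EMV card uses. The last function shows the stolen-card limitation discussed below: a genuine card in the wrong hands still produces valid cryptograms.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed demo values only: not real card data or issuer keys.
DEMO_PAN = "4111111111111111"
DEMO_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
DEMO_TRACK2 = "4111111111111111=2512101"


# --- Magstripe model: the card carries static data that never changes ---

def skim_magstripe(track2: str) -> str:
    """A skimmer copies track 2 verbatim; the copy is indistinguishable."""
    return track2


def magstripe_authorize(issued_track2: set[str], presented: str) -> bool:
    """The issuer can only check that the static data matches what it issued."""
    return presented in issued_track2


# --- Simplified EMV-style model: the card computes a fresh MAC per transaction ---
# Real EMV derives session keys and computes the ARQC with 3DES/AES over a
# defined data set; HMAC-SHA256 over a few fields stands in for that here.

def _cryptogram_input(pan: str, amount: int, unpredictable_number: bytes, atc: int) -> bytes:
    return f"{pan}|{amount}|{unpredictable_number.hex()}|{atc}".encode()


@dataclass
class ChipCard:
    pan: str
    key: bytes          # never leaves the card; a skimmer cannot read it
    atc: int = 0        # application transaction counter, advanced by the card

    def generate_cryptogram(self, amount: int, unpredictable_number: bytes) -> tuple[int, bytes]:
        self.atc += 1
        msg = _cryptogram_input(self.pan, amount, unpredictable_number, self.atc)
        return self.atc, hmac.new(self.key, msg, hashlib.sha256).digest()[:8]


@dataclass
class Issuer:
    keys: dict[str, bytes] = field(default_factory=dict)
    last_atc: dict[str, int] = field(default_factory=dict)

    def verify(self, pan: str, amount: int, unpredictable_number: bytes,
               atc: int, cryptogram: bytes) -> bool:
        key = self.keys.get(pan)
        if key is None:
            return False
        if atc <= self.last_atc.get(pan, 0):
            return False  # counter did not advance: a replay or a cloned card
        expected = hmac.new(key, _cryptogram_input(pan, amount, unpredictable_number, atc),
                            hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(expected, cryptogram):
            return False
        self.last_atc[pan] = atc
        return True


def terminal_transaction(card: ChipCard, issuer: Issuer, amount: int) -> bool:
    """One chip transaction: terminal picks a nonce, card signs, issuer checks."""
    unpredictable_number = secrets.token_bytes(4)
    atc, cryptogram = card.generate_cryptogram(amount, unpredictable_number)
    return issuer.verify(card.pan, amount, unpredictable_number, atc, cryptogram)


def demo_magstripe_counterfeit() -> bool:
    """Skimmed static data is accepted: the counterfeit succeeds (True)."""
    return magstripe_authorize({DEMO_TRACK2}, skim_magstripe(DEMO_TRACK2))


def demo_chip_clone_without_key() -> bool:
    """A counterfeit built from skimmed data has the PAN but not the key (False)."""
    issuer = Issuer(keys={DEMO_PAN: DEMO_KEY})
    forged = secrets.token_bytes(8)  # attacker cannot compute the MAC
    return issuer.verify(DEMO_PAN, 1999, secrets.token_bytes(4), 1, forged)


def demo_chip_replay_rejected() -> bool:
    """A captured cryptogram works once and is rejected when presented again (True)."""
    issuer = Issuer(keys={DEMO_PAN: DEMO_KEY})
    card = ChipCard(DEMO_PAN, DEMO_KEY)
    unpredictable_number = secrets.token_bytes(4)
    atc, cryptogram = card.generate_cryptogram(1999, unpredictable_number)
    first = issuer.verify(DEMO_PAN, 1999, unpredictable_number, atc, cryptogram)
    replay = issuer.verify(DEMO_PAN, 1999, unpredictable_number, atc, cryptogram)
    return first and not replay


def demo_chip_genuine() -> bool:
    """Successive genuine transactions each verify (True)."""
    issuer = Issuer(keys={DEMO_PAN: DEMO_KEY})
    card = ChipCard(DEMO_PAN, DEMO_KEY)
    return all(terminal_transaction(card, issuer, amt) for amt in (500, 2500, 100))


def demo_stolen_chip_card() -> bool:
    """The limitation: a stolen genuine card still produces valid cryptograms (True)."""
    issuer = Issuer(keys={DEMO_PAN: DEMO_KEY})
    stolen = ChipCard(DEMO_PAN, DEMO_KEY)  # the physical card, in a thief's hands
    return terminal_transaction(stolen, issuer, 7500)
```

    Two checks do the work in the issuer: the MAC binds the cryptogram to the terminal’s nonce and the amount, so a cryptogram captured at one terminal is useless at another, and the monotonic counter rejects a replay at the same terminal. Neither check helps when the legitimate card itself is in the wrong hands, which is why cardholder verification (PIN or signature) is a separate concern from card authentication.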

    The four major U.S. payment networks (Visa, MasterCard, American Express and Discover) have long recognized the fraud-reduction potential of EMV chip cards and, individually and through their jointly-controlled EMVCo consortium, have pushed for the implementation of EMV technology in the U.S. As part of their efforts to encourage increased EMV chip card issuance by card issuers and acceptance by merchants, beginning in October 2015 the networks shift liability for card-present fraud losses to the party (i.e., merchant, merchant acquirer or issuer) that is least compliant with EMV requirements. For example, if a fraud loss results from the use of a counterfeit magstripe card at the point-of-sale, where the merchant maintains certified EMV chip terminals but the card issuer has not reissued its magstripe cards as EMV chip cards, the loss will be assigned to the card issuer. On the other hand, card issuers that have issued EMV chip cards may be able to avoid liability arising from fraudulent transactions where the accepting merchant lacks an EMV chip terminal to process the transaction.

    However, while EMV chip cards are a useful tool in the fight against payment card fraud, issuers and merchants should be aware of the following limitations of EMV technology:

    • Usage of stolen cards – While EMV technology assures that the payment card itself is legitimate and not counterfeit, the technology doesn’t prevent the use of stolen EMV chip cards, which continue to be usable by the holder of such cards.
    • Retention of signature validation – The payment networks have not mandated the use of the more secure PIN validation as part of their EMV requirements. Instead, a cardholder’s identity still is likely to be validated through a signature at point-of-sale, to the extent that the transaction threshold requires any validation. As was the case under the pre-EMV regime, signatures remain a difficult means by which to verify the identity of a cardholder, and they may not significantly deter thieves from using stolen EMV chip cards.
    • Card-not-present transactions – EMV chip card technology has no ability to reduce fraudulent transactions through online purchases, where cardholder information is entered manually. Indeed, in other countries where EMV technology has been adopted, fraud through online transactions has spiked, as fraudulent activity moved away from point-of-sale.
    • Continued presence of magstripe – The increased usage of EMV technology does not simultaneously signify the death of the magstripe, which continues to appear on EMV chip cards to permit such cards to be accepted and used at non-EMV equipped terminals. As a result, cardholder data can still be pulled from magstripe cards and used online.

    Now that EMV technology has entered into the next phase of U.S. adoption, the evaluation of its effect on fraud will begin. While there is little disagreement that EMV technology will decrease point-of-sale fraud through the use of counterfeit cards, issuers and merchants should recognize that EMV technology is not a panacea to fraud. The payments industry and its participants must continue to anticipate and to react to the changes in fraudulent activities that emerge in the post-EMV environment.

    Digital Insights and Trends Jeffrey Hydrick

  • U.S. House of Representatives Passes Several Financial Regulatory Relief Bills, Including TRID Safe Harbor

    Consumer Finance

    On October 7, the U.S. House of Representatives (U.S. House) passed several pieces of bipartisan legislation aimed at providing regulatory relief to lenders and strengthening consumer protection. This legislation included H.R. 3192, the Homebuyers Assistance Act, approved by a 303-121 vote, which seeks to provide a formal four-month safe harbor for lenders who in “good faith” work to comply with the CFPB’s new TRID Rule, which went into effect on October 3. The U.S. House also unanimously approved H.R. 1553, the Small Bank Exam Cycle Reform Act, and H.R. 1839, the Reforming Access for Investments in Startup Enterprises (RAISE) Act. The Small Bank Exam Cycle Reform Act would allow well-managed banks with assets under $1 billion to qualify for an 18-month examination cycle, rather than the current 12-month cycle. The RAISE Act is intended to promote a liquid secondary market for shareholders seeking to sell private securities and to encourage startups and private companies to raise capital to grow their businesses. This legislation will now go to the U.S. Senate for consideration.

    CFPB U.S. House Bank Supervision TRID

  • HUD Charges Colorado Landlords with Violations of the Fair Housing Act

    Consumer Finance

    On October 7, HUD announced a September 24 Charge of Discrimination against a group of Colorado landlords for allegedly “steering” families with children to apartments located at the rear of the apartment complex, an alleged violation of the FHA. According to HUD, from September 2013 to February 2014, Complainant DMFHC, a Colorado non-profit organization dedicated to promoting equal housing opportunities throughout the Denver, Colorado area, conducted various tests showing that respondents discriminated against families with children by making units in the front of the apartment building unavailable to them. HUD alleges that, “Respondents violated the Act by restricting the housing choices of families with children and perpetuating segregated housing patterns within the Subject Property by assigning families with children to the rear building.” The charge, which seeks a $16,000 civil money penalty for each violation of the FHA, will be heard by a United States Administrative Law Judge unless a party elects to have the case heard in federal district court.

    HUD FHA

  • California Governor Signs Law Amending Civil Code Privacy Provisions

    Privacy, Cyber Risk & Data Security

    On October 6, Governor Jerry Brown (D-CA) signed into law AB 964/Chapter 522, which, among other things, defines “encrypted” as it pertains to data breach notification requirements for business and public agencies. Current California law provides that when a business’s security system or data is breached, the business must disclose the breach to “any California resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.” Effective January 1, 2016, the bill – for the purpose of data breach notification requirements – defines “encrypted” as “unusable, unreadable, or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information technology.”

    Privacy/Cyber Risk & Data Security

  • Buckley Sandler Files Amicus Curiae Brief on Behalf of Industry Group in RESPA Case; Marks First Appeal Against CFPB Director Decision

    Consumer Finance

    On October 5, BuckleySandler attorneys filed an amicus curiae brief on behalf of the Consumer Mortgage Coalition (CMC) in the first case to come up on appeal to the District of Columbia Circuit from a CFPB Director decision since the CFPB was founded in 2011. In the CMC’s brief, BuckleySandler attorneys argued that the CFPB Director’s decision to ignore the decades-long interpretation of Section 8 of RESPA will harm consumers by eliminating an important form of risk retention, making the home mortgage closing process more difficult and expensive for consumers, and will particularly harm the country’s least affluent mortgage borrowers.

    CFPB RESPA

  • Fannie Mae and Freddie Mac Issue Guidelines for Mortgage Repurchases

    Consumer Finance

    On October 7, under the direction of the FHFA, Fannie Mae and Freddie Mac jointly issued new guidelines clarifying how the GSEs will categorize origination defects and how lenders can correct them, and providing for various remedies, including requiring lenders to repurchase a loan for mortgages containing “significant defects.” The framework, Selling Representations and Warranties Framework – Origination Defects and Remedies, expands on 2012 and 2014 announcements, sets forth new parameters for when lenders must cover the losses on mortgage loans identified as having one or more defects, and categorizes defects in three ways: (i) findings; (ii) price-adjusted loans; and (iii) significant defects. According to the guidelines, loan defects categorized as “findings” would not require lenders to correct or “remedy” the loan. Loan defects categorized as “price-adjusted loans” would require lenders to pay applicable loan-level price adjustment fees. Lastly, for loans under the “significant defects” category, lenders must repurchase the loan unless the GSE offers the lender a repurchase alternative. The lender is permitted to appeal “significant defects” findings, and the possible outcomes are (i) rescission or close out, as applicable, of the remedy request; (ii) agreement on a repurchase alternative; or (iii) fulfillment of the remedy request. The new guidelines are effective January 1, 2016.

    Freddie Mac Fannie Mae

  • Special Alert: Cross-Border Data Transfers Significantly Impacted by EU Court Decision Invalidating Adequacy of U.S.-EU Data Protection Safe Harbor Framework

    Privacy, Cyber Risk & Data Security

    On October 6, the Court of Justice of the European Union (CJEU) in Schrems v. Data Protection Commissioner (“Schrems”) declared “invalid” a decision of the European Commission that the United States-European Union Safe Harbor framework (Safe Harbor) provides adequate protection for personal data transferred from the European Union (EU) to the United States (U.S.). Thousands of U.S. companies have registered with the U.S. Department of Commerce in order to permit the transfer of personal data from the EU to the U.S.

    The EU’s 1995 Data Protection Directive (Directive) requires that the transfer of personal data from an EU country to another country take place only if the other country ensures an adequate level of data protection. For the past 15 years, per a 2000 decision by the Commission of the European Communities, U.S. companies participating in Safe Harbor have been deemed to meet adequacy standards. Advocate General (AG) Yves Bot of the CJEU issued an opinion in September (“AG Opinion”) calling that 2000 decision invalid. AG Bot’s opinion declared that the existing framework governing the exchange of data fails to “ensure an adequate level of protection of the personal data which is transferred to the United States from the European Union” because that framework, in AG Bot’s view, contains holes that can allow access to Europeans’ personal data by the NSA and other U.S. security agencies: “[T]he law and practice of the United States allow the large-scale collection of the personal data of citizens of the [EU] which is transferred under the [framework] without those citizens benefiting from effective judicial protection.” And while the FTC and private dispute resolution providers have the power to monitor possible breaches of the framework by private companies, neither has the power to monitor possible breaches by U.S. security agencies. AG Bot stated his belief that, even with an adequacy decision, national Data Protection Authorities retain the power to assess the sufficiency of national data protection regimes outside the EU to which personal data will be transferred.

    In Schrems, the CJEU, shortly following the AG Opinion, considered the following two questions:

    1. Are national DPAs bound by adequacy findings of the European Commission with regard to the transfer of personal data to a third country outside the EU?
    2. May or must a national DPA conduct his or her own investigation of the matter in the light of factual developments in the meantime since that Commission decision if a complaint from a data subject regarding the transfer is received?

    In responding to the two questions, the CJEU largely agreed with AG Bot’s opinion, though in language more temperate than the Bot opinion. The CJEU opinion states that:

     

    a decision adopted pursuant to Article 25(6) of [the Data Protection Directive], such as [the decision on adequacy for the Safe Harbor framework], by which the Commission finds that a third country ensures an adequate level of protection, does not prevent a supervisory authority of a Member State, within the meaning of Article 28 of that directive, from examining the claim of a person concerning the protection of his rights and freedoms in regard to the processing of personal data relating to him which has been transferred from a Member State to that third country when that person contends that the law and practices in force in the third country do not ensure an adequate level of protection.

     

    The CJEU found that the “term ‘adequate level of protection’ must be understood as requiring the third country in fact to ensure, by reason of its domestic law or its international commitments, a level of protection of fundamental rights and freedoms that is essentially equivalent to that guaranteed within the European Union by virtue of [the Data Protection Directive] read in the light of the Charter.” In light of well-publicized revelations regarding intelligence gathering by U.S. government agencies and that some of that intelligence gathering involved information transferred by companies from Europe to the U.S., the CJEU found that adequate protections for personal data could not be “ensured” in the U.S. for personal data transferred under Safe Harbor.

    Negotiations are underway for a new Safe Harbor. The Obama Administration stated that it is “deeply disappointed” with the CJEU decision, with Commerce Secretary Pritzker noting that the decision “creates significant uncertainty for both U.S. and EU companies and consumers, and puts at risk the thriving transatlantic digital economy.”

    Impact to Clients

    Business entities currently relying on Safe Harbor as a transfer mechanism for personal information will need to evaluate alternative transfer mechanisms. Model contracts (contracts containing standard contractual clauses approved by the European Commission) are a viable alternative; however, multiple contracts may be required to cover all of the transfers addressed by a single Safe Harbor certification. While data subject consent is another option, businesses should be aware that Data Protection Authorities and the Article 29 Working Party (which provides guidance on implementing EU data protection requirements) generally do not approve of consent as a transfer mechanism for large-volume or repeated transfers of EU-sourced personal information. Binding Corporate Rules (BCRs) may provide a longer-term option, but their scope of implementation and requirement for national DPA approval make them impractical as an immediate solution.

    While the consensus appears to be that there will be some grace period for business entities to adjust to the ruling, those individuals responsible for compliance with privacy and data protection requirements should move swiftly toward an acceptable method for moving personally identifiable information from the EU to the U.S.

     

    * * *

     

    Questions regarding the matters discussed in this Alert may be directed to any of our lawyers listed below, or to any other BuckleySandler attorney with whom you have consulted in the past.

     

    FTC Privacy/Cyber Risk & Data Security
