InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Deputy Comptroller Describes OCC's SCRA, Consumer Compliance Focus
On August 18, in a speech to the Association of Military Banks of America, Deputy Comptroller for Compliance Policy Grovetta Gardineer described the OCC’s increasing supervisory and enforcement focus on SCRA compliance. Ms. Gardineer explained that given the significant risks presented by a bank’s failure to comply with the SCRA, the OCC has “stepped up its focus on compliance” and “now requires . . . examiners to include evaluation of SCRA compliance during every supervisory cycle”—even though this closer scrutiny is not required by statute. Ms. Gardineer also highlighted the OCC’s concern regarding potential unfair and deceptive practices associated with overdraft and other administrative fees, especially when “poorly worded disclosures about fees” are contained in “page after page of legal notices and disclaimers.” And while Ms. Gardineer stated that the OCC itself is willing to take enforcement actions where necessary, she also stressed the importance of coordination between regulators to more effectively implement rules and help create a “culture that encourages . . . financial readiness” among servicemembers.
FTC Finalizes Mobile Application Privacy Settlements
On August 19, the FTC approved final orders resolving allegations that two companies: (i) misrepresented the level of security of their mobile applications; and (ii) failed to secure the transmission of millions of consumers’ sensitive personal information. The FTC alleged that one company’s application assured consumers that their credit card information was stored and transmitted securely even though the company disabled a higher level of security validation, which allowed such credit card information to be intercepted. In addition, the company allegedly failed to have an adequate process for receiving vulnerability reports from security researchers and other third parties. The FTC alleged that the second company also disabled enhanced security validation despite claiming that it followed industry-leading security precautions, which also left consumers’ information vulnerable to interception. The final settlement orders require both companies to establish comprehensive programs designed to address security risks during the development of their applications and to undergo independent security assessments every other year for the next 20 years. The settlements also prohibit the companies from misrepresenting the level of privacy or security of their products and services.
FinCEN Permanently Bars Casino Official Over BSA Violations
On August 20, FinCEN announced an action against a casino employee who admitted to violating the Bank Secrecy Act by willfully causing the casino to fail to file certain reports. FinCEN asserted based in part on information obtained from an undercover investigation that the employee helped high-end gamblers avoid detection of large cash transactions by agreeing not to file either Currency Transaction Reports or Suspicious Activity Reports as required under the BSA. FinCEN ordered the employee to pay a $5,000 civil money penalty, and immediately and permanently barred him from participating in the conduct of the affairs of any financial institution located in the U.S. or that does business within the U.S.
FINRA Charges Firm With AML And Systematic Market Access Violations
On August 18, FINRA announced a complaint against a financial services and investment firm, alleging that the firm was responsible for systematic supervisory and AML violations in connection with providing direct market access and sponsored access to broker-dealers and non-registered market participants. Specifically, FINRA claims that from January 2008 through August 2013, the firm failed to “ensure appropriate risk management controls and supervisory systems and procedures,” thereby allowing its market access customers to “self-monitor and self-report” possibly manipulative trades. Moreover, FINRA asserts that during the relevant time period, the firm was made aware of these potential regulatory and compliance risks though numerous industrywide notices, disciplinary decisions taken against other industry participants, and multiple self-regulatory organization inquiries and examinations. The firm may request a hearing before the FINRA disciplinary committee. If FINRA’s charges stand, the firm could face suspension, censure, and/or monetary penalties.
OCC Updates Merchant Processing Booklet
On August 20, the OCC issued Bulletin 2014-41, which announces a new “Merchant Processing” booklet of the Comptroller’s Handbook. This booklet replaces the booklet of the same name issued in December 2001 and provides updated guidance to examiners and bankers on assessing and managing the risks associated with merchant processing activities. Specific updates address: (i) the selection of third-party organizations and due diligence; (ii) technology service providers; (iii) on-site inspections, audits, and attestation engagements, including the “Statement on Standards for Attestation Engagement” (SSAE 16) and the “International Standard on Assurance Engagements” (ISAE 3402); (iv) data security standards in the payment card industry for merchants and processors; (v) the Member Alert to Control High-Risk Merchants (MATCH) list; (vi) BSA/AML compliance programs and appropriate policies, procedures, and processes to monitor and identify unusual activity; and (vii) appropriate capital for merchant processing activities.
New York Sanctions Bank For Alleged Failure To Comply With Prior AML Settlement
On August 19, the New York DFS announced a consent order with a British bank to resolve claims that the bank and its U.S. subsidiary failed to remediate AML compliance deficiencies as required by a prior settlement with the DFS that required the bank to, among other things, implement a transaction monitoring program. The DFS states that the compliance monitor appointed as part of the prior agreement determined that the procedures adopted by the bank to detect high-risk transactions contained errors and other problems that prevented the bank from identifying high-risk transactions for further review. The DFS asserts that the bank failed to detect these problems because of a lack of adequate testing both before and after implementation of the monitoring system. The DFS also claims the bank failed to properly audit its monitoring system. Under the latest consent order, the bank must: (i) suspend its dollar clearing operations for high-risk retail business clients of the bank’s Hong Kong subsidiary; (ii) obtain prior DFS approval to open a U.S. Dollar demand deposit account for any customer who does not already have such an account with the U.S. entity; and (iii) pay a $300 million penalty. The bank also must implement additional compliance enhancements, including enhanced due diligence and know-your customer requirements.
New York Announces Latest Action Against A Bank Consulting Firm
On August 18, the New York DFS announced an settlement with a bank consulting firm to resolve allegations related to certain services it performed for a bank charged last year with sanctions violations. The consulting firm allegedly altered an historical transaction review (HTR) report submitted to regulators regarding wire transfers that the bank completed on behalf of sanctioned countries and entities. At the bank’s request, the firm allegedly removed from the original HTR report key information and warning language concerning the bank’s transactions. Specifically, the DFS alleges that the firm: (i) removed the English translation of the bank’s wire stripping instructions; (ii) removed a regulatory term to describe the wire-stripping instructions and a discussion of the activities; and (iii) deleted “several forensic questions” that the firm identified as necessary for consideration in connection with the HTR report. The agreement prohibits the firm from doing business with any DFS-regulated institution for two years and requires the firm to: (i) pay a $25 million penalty; and (ii) implement certain reforms to address the conflicts of interest within the consulting industry.
New York Extends Comment Period For BitLicense Proposal
This week, the New York DFS announced the extension of the comment period on its proposal to create a regulatory licensing framework for virtual currency companies, including a so-called BitLicense. Given the “significant amount of public interest in and commentary on” the proposal, the DFS doubled the length of the comment period from 45 to 90 days. Comments are now due by October 21, 2014. Further information about the proposal and related issues is available here.
Federal Appeals Court Affirms Dodd-Frank Whistleblower Protections Do Not Apply Outside U.S.
On August 14, the U.S. Court of Appeals for the Second Circuit affirmed a district court’s holding that the Dodd-Frank Act’s antiretaliation provision does not apply extraterritorially. Liu Meng-Lin v. Siemens AG, No. 13-4385, 2014 WL 3953672 (2nd Cir. Aug. 14, 2014). A foreign worker was allegedly fired by his foreign employer for internally reporting violations of U.S. anti-corruption rules, which he claimed violated the antiretaliation provision of the Dodd-Frank Act. This provision prohibits an employer from firing or otherwise discriminating against any employee who makes a disclosure that is required or protected under Sarbanes-Oxley or any other law, rule, or regulation subject to the SEC’s jurisdiction. The court first determined that the facts alleged in the complaint revealed “essentially no contact with the United States” and rejected an argument that the foreign company voluntarily subjected itself to U.S. securities laws by listing its securities on the New York Stock Exchange. The court also held that, given the longstanding presumption against extraterritoriality and the absence of any “explicit statutory evidence that Congress meant for the provision to apply extraterritorially,” the cited provision does not apply to purely foreign-based claims.
Ninth Circuit Affirms Decision Not To Enforce Browsewrap Arbitration Agreement
On August 18, the U.S. Court of Appeals for the Ninth Circuit affirmed a district court’s decision not to enforce a retailer’s online “browsewrap” arbitration agreement because the retailer failed to provide adequate constructive notice. Nguyen v. Barnes & Noble Inc., No. 12-56628,2014 WL 4056549 (9th Cir. Aug. 18, 2014). The consumer filed suit alleging that the retailer’s cancellation of his online purchase of two sale items caused him to buy substitute products at a greater expense. The retailer responded that by making the purchase through the company’s website, the consumer accepted the website’s Terms of Use, which contained an agreement to arbitrate any claims arising out of use of the website. Although this “browsewrap” agreement provided that any user of the website was deemed to have accepted the agreement’s terms by, among other things, making a purchase, the district court held that the consumer did not have constructive notice of the Terms of Use because the site did not require that the consumer affirmatively assent to them. The Ninth Circuit agreed, holding that “where a website makes its terms of use available via a conspicuous hyperlink on every page of the website but otherwise provides no notice to users nor prompts them to take any affirmative action to demonstrate assent, even close proximity of the hyperlink to relevant buttons users must click on—without more—is insufficient to give rise to constructive notice.” The court also rejected the retailer’s argument that the customer had constructive notice of the browsewrap terms based on his prior experience with browsewrap agreements found on other sites, including some popular social media sites.