InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
FFIEC issues second Examination Modernization Project update
On November 27, the Federal Financial Institutions Examination Council (FFIEC) issued the second update on the status of its Examination Modernization Project. The project’s objective is to identify and assess measures to improve the community bank safety and soundness examination process, pursuant to the Economic Growth and Regulatory Paperwork Reduction Act’s review of regulations. As previously covered by InfoBytes, in March, the FFIEC released the first update, which identified four areas with potential for the most “meaningful supervisory burden reduction.” The second update focuses on tailoring examination plans and procedures based on risk in order to reduce burden. Specifically, after a review of risk-based procedures and processes, the Federal Reserve Board, the FDIC, the NCUA, the OCC, and the State Liaison Committee have committed to issue reinforcing and clarifying examiner guidance to their examination staffs on risk-focused examination principles for community financial institutions, if necessary. The guidance covers, among other things, the following practices (i) consideration of the unique risk profile, complexity, and business model of the institution when developing the exam plan; (ii) tailoring of the document request list based on the financial institution’s business model, complexity, risk profile and planned scope of review; and (iii) applying examination procedures in a way that reduces the level of review of low risk institutions or low risk areas.
The FFIEC noted it may take further action to improve the examination process as the project progresses.
FTC commissioners discuss need for expanded authority over consumer data privacy and security
On November 27, the Senate Committee on Commerce, Science and Transportation’s Subcommittee on Consumer Protection, Product Safety, Insurance, and Data Security conducted a hearing to discuss, among other topics, whether the FTC should be granted expanded authority over consumer data privacy and security. The hearing entitled “Oversight of the Federal Trade Commission” heard from the Chairman of the FTC as well as the agency’s four commissioners. Ranking Member Senator Bill Nelson’s opening statement discussed the need for providing additional resources to the FTC in order to ensure the agency is able to perform its mandated duties and effectively protect U.S. consumers from unfair or deceptive acts or practices. The five witnesses agreed that enforcement remains a priority for the FTC and called for comprehensive consumer privacy legislation that would clarify the agency’s authority and the rules relating to data security and breach notification, while fostering competition and innovation to the benefit of consumers. Specifically, FTC Chairman Joseph Simons stated he would support federal data security legislation if it provided the following three items: (i) the ability to seek civil money penalties to effectively deter unlawful conduct; (ii) jurisdiction over nonprofits and common carriers; and (iii) broad rulemaking authority to issue implementing rules under the Administrative Procedures Act for consumer protection issues such as privacy and data security. Commissioner Rohit Chopra also emphasized the need for Congress to support the FTC’s authority under Section 13B of the FTC Act, which authorizes the FTC to seek preliminary and permanent injunctions against companies and individuals.
However, Senator Blumenthal argued that too often the FTC has “fallen short” on protecting consumer privacy, particularly in terms of enforcement and pressing challenges. According to Senator Blumenthal, big tech companies misuse their power and consent orders are not “vigorously and adequately enforced.” He argued that the FTC must have the tools and resources to establish meaningful penalties for first offenses that pose a credible deterrent and recognize state attorneys general to ensure violations are investigated and punished.
Among other things, the hearing also discussed topics addressing: (i) the FTC’s ongoing series of public hearings reexamining the agency’s approach to consumer privacy in light of changing technologies (see previous InfoBytes coverage here); (ii) federal preemption versus state-by-state laws and the risk of inconsistencies and compliance challenges; (iii) the potential use of the FTC’s Section 6B authority, which would allow requests to be sent to the tech industry to understand what data is collected from consumers and how that information is used, shared, and sold; (iv) privacy protections for children, including the strengths and weaknesses of the Children’s Online Privacy Protection Act, particularly with respect to children ages 13 and older; (v) data minimization controls; and (vi) notice and comment rulemaking authority.
OFAC announces cyber-related designations, releases digital-currency addresses to identify illicit actors
On November 28, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions pursuant to Executive Order 13694 against two Iran-based individuals for allegedly helping to facilitate the exchange of ransom payments made in Bitcoin into local currency. For the first time, OFAC also identified two digital currency addresses associated with the identified financial facilitators who are designated “for having materially assisted, sponsored, or provided financial, material, or technological support for, or goods or services to or in support of” ransomware attacks that threaten the “national security, foreign policy, or economic health or financial stability of the [U.S.]” According to OFAC, the provided digital currency addresses should be used to assist in identifying transactions and funds to be blocked as well as investigating potential connections.
Treasury Under Secretary for Terrorism and Financial Intelligence Sigal Mandelker stated, “We are publishing digital-currency addresses to identify illicit actors operating in the digital-currency space. Treasury will aggressively pursue Iran and other rogue regimes attempting to exploit digital currencies and weaknesses in cyber and [anti-money laundering/countering financing of terrorism] safeguards to further their nefarious objectives.” OFAC issued a warning that persons who engage in transactions with the identified individuals “could be subject to secondary sanctions” and that “[r]egardless of whether a transaction is denominated in a digital currency or traditional fiat currency, OFAC compliance obligations are the same.” As a result, all property and interests in property belonging to the identified individuals subject to U.S. jurisdiction “or within or transiting” the U.S. are blocked, and U.S. persons are generally prohibited from entering into transactions with them. OFAC also released new FAQs to provide guidance for financial institutions on digital currency.
View here for additional InfoBytes coverage on Iranian sanctions.
CFPB publishes quarterly report examining how natural disasters affect credit reporting
On November 21, the CFPB released the latest quarterly consumer credit trends report, which examines how natural disasters affect consumers’ credit reports based on a sample of approximately 5 million credit records. The report notes that while financial institutions are not required to report natural disaster assistance information, in 2017, about 8.3 percent of consumer credit reports included information in a special comment code labeled “affected by natural or declared disasters,” which the CFPB states is similar to the Federal Emergency Management Agency’s estimate that roughly 8 percent of U.S. residents were affected by natural disasters in 2017. Additionally, the report summarizes the natural disaster reporting trends for consumers in the Greater Houston area affected by Hurricane Harvey. Highlights of the report include (i) almost 40 percent of consumers with a credit report in the Greater Houston area received a comment code regarding the hurricane after it hit; (ii) the most common type of tradeline to receive a natural disaster comment code are mortgage loans; and (iii) accounts that received the natural disaster comment code are associated with higher rates of delinquency prior to Hurricane Harvey.
FHFA increases conforming loan limits for 2019
On November 27, the FHFA announced that it will raise the maximum conforming loan limits for mortgages purchased in 2019 by Fannie Mae and Freddie Mac from $453,100 to $484,350. The announcement marks the third consecutive year FHFA has increased the baseline loan limit. In high-cost areas, such as Los Angeles, New York, San Francisco, and Washington, D.C., the maximum loan limit will be $726,525. For a county-specific list of the maximum loan limits in the U.S., click here.
Agencies increase threshold for appraisal exemption under TILA for HPMLs
On November 23, the CFPB, OCC, and the Federal Reserve Board published a final rule in the Federal Register, which increases the smaller loan exemption threshold for the special appraisal requirements for higher-priced mortgage loans (HPMLs) under TILA. TILA requires creditors to obtain a written appraisal based on a physical visit to the home’s interior before making a HPML, unless the loan meets or is less than the threshold exemption. Each year the threshold must be readjusted based on the annual percentage increase in the Consumer Price Index for Urban Wage Earners and Clerical Workers. The exemption threshold for 2019 is $26,700, up from $26,000. This final rule is effective January 1, 2019.
Court holds SEC has not proven pre-ICO cryptocurrency is a “security”
On November 27, the U.S. District Court for the Southern District of California denied the SEC’s motion for a preliminary injunction against a cryptocurrency company, concluding the agency failed show the currency tokens were “securities” as defined under federal securities laws. According to the order, the SEC filed a complaint against the company in October alleging it falsely claimed its initial coin offering (ICO) was registered and approved by the SEC and other regulators, including using the agency’s seal in marketing materials. At the time of the filing, the SEC claimed the company had already raised more than $2.5 million in pre-ICO sales. The SEC moved for a preliminary injunction to freeze the company’s assets and prevent the company’s owner from buying or selling securities and other digital currency during the pendency of the case. Upon review, the court noted the SEC must establish the company previously violated federal securities laws and there is a reasonable likelihood that it will happen again. The SEC argued the allegedly fraudulent marketing materials used to raise money from 32 “test investors” violated federal securities laws, while the company argued the investors did not have an expectation to receive profits as they were working with the company on the exchange’s functionality and therefore, the currency tokens were not “securities.” The court denied the SEC’s motion, concluding that it could not determine whether the tokens were “securities” under federal law without full discovery as there were disputed issues of material facts, including what the test investors relied on in terms of marketing materials before they purchased the cryptocurrency tokens.
NYDFS and international bank enter into second supplemental consent order over BSA/AML compliance deficiencies
On November 21, NYDFS and an international bank entered into a second supplemental consent order covering its settlement over alleged deficiencies in the bank’s Bank Secrecy Act/anti-money laundering and Office of Foreign Assets Control (OFAC) compliance program controls. As previously covered by Infobytes, in 2012, the bank agreed to engage an independent on-site monitor for 24 months to evaluate the New York branch’s BSA/AML and OFAC compliance programs and operations and was issued a $340 million civil money penalty. In 2014 NYDFS issued a subsequent consent order outlining the monitor’s findings, including reports of significant failures in the bank’s transaction monitoring. The 2014 order extended the engagement of the monitor for another two years, outlined remedial measures to address continued deficiencies, and required the bank to pay an additional $300 million civil money penalty. In April 2017, NYDFS and the bank entered into the first supplemental consent order to modify the 2012 and 2014 orders, acknowledging the bank made significant improvements in its BSA/AML compliance program but extended the monitor through December 2018 with all the other terms and conditions of the 2012 and 2014 consent orders remaining in full effect.
Now, beginning January 1, 2019, the second supplemental order issued by NYDFS requires the bank to engage an independent consultant, selected by the regulator, for a period of up to one year, with a possible extension of one additional year, to provide guidance for completing remediation called for in the 2012 and 2014 consent orders. In response to the second supplemental order, the bank stated it remained “committed to completing the remaining tasks necessary for that remediation.”
OFAC reaches settlement with company for alleged Ukrainian sanctions violations
On November 27, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced a $87,507 settlement with an aerospace and defense technology company for three alleged violations by a former subsidiary of the Ukraine-Related Sanctions Regulations (URSR). According to OFAC, the settlement resolves potential civil liability for the former subsidiary’s alleged involvement in the “indirect export of components to be incorporated into commercial air traffic control radar” through Canadian and Russian distributors “to a person owned 50 percent or more, directly or indirectly, by a person identified on OFAC’s List of Specially Designated Nationals and Blocked Persons.”
In arriving at the settlement amount, OFAC considered the following as aggravating factors: (i) the former subsidiary’s failure to recognize warning signs; (ii) the transactions, which constituted the apparent violations, were reviewed and approved by the Director of Global Trade Compliance, and “resulted in harm to the sanctions program objectives of the URSR”; (iii) the company and former subsidiary are large, sophisticated entities; and (iv) the company and its compliance personnel previously violated Iranian Transaction and Sanctions Regulations, while the former subsidiary was subject to a consent agreement as a result of recurring compliance failures.
However OFAC also considered mitigating factors, including (i) the former subsidiary has not received a penalty or finding of a violation in the five years prior to the transactions at issue; (ii) the company has cooperated with OFAC and implemented remedial measures, including terminating the violative conduct and implementing steps to minimize the risk of reoccurring conduct; and (iii) the company voluntarily disclosed the alleged violations on behalf of the former subsidiary.
Visit here for additional InfoBytes coverage on Ukraine sanctions.
Court grants summary judgment in favor of bank in TCPA action
On November 13, the U.S. District Court for the District of Minnesota held that a bank’s predictive dialing systems do not violate the Telephone Consumer Protection Act (TCPA), granting summary judgment for the bank. According to the opinion, a customer of a national bank changed his phone number and his previous number was reassigned to the plaintiff in the case. The customer did not inform the bank he had changed his phone number, and between September 2015 and December 2015, the bank called the plaintiff’s cell phone 140 times. The plaintiff subsequently informed the bank he was not a customer and the bank ceased calling the cell phone number. In January 2016, the plaintiff filed a complaint alleging the company violated the TCPA by placing auto-dialed calls to his cell phone. The court stayed the action pending the result of the D.C. Circuit case ACA International v. FCC (covered by a Buckley Sandler Special Alert), which narrowed the FCC’s 2015 interpretation of “autodialer” under the TCPA.
In reviewing cross-motions for summary judgment, the court disagreed with the plaintiff that the company’s predictive dialing systems qualified as an autodailer under the TCPA. Citing to ACA International, the court noted that predictive dialers are not always autodialers under the Act, the equipment must have the capacity to randomly or sequentially generate numbers to dial, and the plaintiff failed to provide sufficient evidence to prove the systems has this capability. Moreover, the court rejected the plaintiff’s argument that it should follow the 9th Circuit, which recently broadened the definition of autodialer under the TCPA (covered by InfoBytes here), concluding that other courts’ narrow interpretations were more persuasive (InfoBytes coverage available here).