Skip to main content
Menu Icon
Close

InfoBytes Blog

Financial Services Law Insights and Observations

Filter

Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.

  • Department of Education Terminates Student Loan Sharing Agreements with CFPB, Announces Expanded Focus on Enforcement and Consumer Protection

    Lending

    On August 31, the U.S. Department of Education submitted a letter notifying the CFPB that it intends to terminate two Memoranda of Understanding (MOUs) between the agencies regarding the sharing of information in connection with the oversight of federal student loans. The MOUs that will terminate on September 30, 2017, are the “Memorandum of Understanding Between the Bureau of Consumer Financial Protection and the U.S. Department of Education Concerning the Sharing of Information” (Sharing MOU), dated October 19, 2011, and the “Memorandum of Understanding Concerning Supervisory and Oversight Cooperation and Related Information Sharing Between the U.S. Department of Education and the Consumer Financial Protection Bureau,” dated January 9, 2014.

    The letter rebukes the CFPB for overreaching and undermining the Education Department’s mission to serve students and borrowers, and states that it “takes exception to the CFPB unilaterally expanding its oversight role to include the Department's contracted federal student loan servicers.” The letter also accuses the CFPB of failing to share all complaints related to Title IV federal student loans within 10 days of receipt as required by the MOUs, and that the Bureau’s intervention in these cases “adds confusion to borrowers and servicers who now hear conflicting guidance related to Title IV student loan services for which the Department is responsible.”

    In a press release issued by the House Committee on Education and the Workforce on September 1, Representative Virginia Foxx (R-N.C.) praised the Department’s decision stating, “[t]he Department of Education has made it clear that its partnership with the CFPB is doing more harm than good when it comes to how it can best serve students and borrowers.” However, advocacy groups such as Americans for Financial Reform and the National Consumer Law Center (NCLC) criticized the Department’s decision, with the NCLC calling it “outrageous and deeply troubling” and refuting the Department’s claims that the CFPB “’unilaterally’ expanded its oversight role over servicers and collectors of federal student loans.” Instead it argued that the Department’s “failures are what led Congress to give the CFPB authority to help students.”

    On the same day, the Education Department issued a press release announcing “a stronger approach to how Federal Student Aid (FSA) enforces compliance by institutions participating in the Federal student aid programs by creating stronger consumer protections for students, parents and borrowers against ‘bad actors.’” The strategy will focus on illegitimate debt relief organizations and schools that defraud students, and FSA will engage in “comprehensive communications and executive outreach to ensure parties and their leadership understand their responsibilities, the consequences of non-compliance and appropriate remedies.” The CFPB was notably absent, however, from the release’s reference to FSA’s continued stakeholder coordination, which listed the FTC and the DOJ.

    On September 7, the CFPB responded to the CFPB’s letter to request time to “engage in a constructive conversation” with the Department to determine a path for continued collaboration to best serve the needs of student loan borrowers. Director Richard Cordray noted that because the Department has access to the CFPB’s Government Portal as part of the agencies’ arrangement, the Department is able to view borrower complaints in “near real-time.” According to Director Cordray, the Department has accessed the portal 80 times over the past three months. Several examples of the Bureau’s supervisory examinations are also provided to highlight the CFPB’s position that its actions have not been “inconsistent with the Department’s directives or [in conflict with the] shared goal of protecting student loan borrowers.”

    Lending Student Lending Federal Issues Department of Education CFPB House Committee on Education MOUs NCLC FSA

  • District Court Denies Class Certification for Lack of Temporal Constraint on Proposed Class Definition

    Courts

    On August 30, the U.S. District Court for the Southern District of New York issued an opinion and order denying the certification of a proposed class of investors alleging that a bank failed in its responsibilities as trustee of five residential mortgage-backed securities. The court found that “the proposed class cannot be certified because it is not ‘defined using objective criteria that establish a membership with definite boundaries’ . . . [such as] a fixed date, a window of acquisition, or length or continuity of ownership.” The judge ruled that the lack of a “temporal constraint on the proposed class definition” meant investors who bought and sold the securities before and after the alleged violations occurred could be included in the suit, despite the fact that any losses incurred by these groups would not necessarily be associated with the bank’s alleged misconduct. However, the court ruled that the plaintiff may file an amended motion proposing an alternative class construction within 45 days.

    Courts Class Action Mortgages Securities

  • CFPB, Treasury, and FinCEN Release Memorandum Emphasizing Financial Institutions’ Role in Preventing Elder Financial Exploitation

    Consumer Finance

    On August 30, the CFPB, Treasury Department, and Financial Crimes Enforcement Network (the agencies) issued a joint memorandum concerning elder financial exploitation (EFE). The agencies note that EFE—which is defined as “the illegal or improper use of an older person’s funds, property or assets”—has become the most common form of elder abuse in the U.S. The Memorandum on Financial Institution and Law Enforcement Efforts to Combat Elder Financial Exploitation emphasizes that financial institutions can play a key role in detecting, responding to, and preventing EFE, encourages collaboration with law enforcement and local adult protective service agencies to facilitate the timely response to reports, and outlines guidance relating to the filing of suspicious activity reports (SARs). According to the memorandum, “SARs can play an important role in the fight against EFE by providing information and references to any supporting documentation that can trigger an investigation, support an ongoing investigation, or identify previously unknown subjects and entities.” The agencies cautioned, however, that “access to SARs and their use is restricted under federal law” and that law enforcement agencies should contact FinCEN for assistance in SAR-related inquiries.

    Consumer Finance CFPB FinCEN SARs Agency Rule-Making & Guidance Department of Treasury Elder Financial Exploitation

  • CFPB Releases Updated Compliance Management Procedures in Supervision and Examination Manual

    Agency Rule-Making & Guidance

    On August 30, the CFPB posted revisions to its Compliance Management Review Examination Procedures—part of its Supervision and Examination Manual—that is intended to provide guidance for institutions when developing and maintaining compliance management systems (CMS). The Bureau advises that to maintain legal compliance, institutions must integrate and support an effective CMS “into the overall framework for product design, delivery, and administration across their entire product and service lifecycle,” and are required to manage relationships with service providers to ensure compliance with applicable federal consumer financial laws. The CFPB notes that an effective CMS is comprised of two interdependent control components: (i) “Board and Management Oversight”; and (ii) a “Compliance Program,” including policies and procedures, training, monitoring and/or auditing, and consumer complaint response processes. Updates have been made to the Examination Report Template–which provides the scope of review and consumer compliance rating based on the findings of the exam—and the Supervisory Letter Template–which references matters requiring attention or that need to be corrected based on the Bureau’s review.

    Agency Rule-Making & Guidance CFPB Bank Compliance Vendor Management

  • FTC Announces Two Separate Settlements to Resolve Allegedly Deceptive Telemarketing Schemes

    Consumer Finance

    On September 1, the FTC issued a press release announcing a settlement with a Utah-based operation and its owner (Defendants) to resolve allegations that the company had created merchant accounts to help telemarketers process consumer credit card transactions in violation of the Federal Trade Commission Act (FTC Act) and the Telemarketing Sales Rule (TSR). According to the complaint, Defendants nominated individuals to serve as “principals” of straw companies, which then were used to open merchant accounts to assist telemarketers who did not meet the requirements or standards for opening the accounts on their own. The telemarketers, in turn, allegedly deceived consumers by making false promises regarding business opportunities that they claimed would generate substantial income, and processed credit card payments from consumers using the straw company merchant accounts for the allegedly “worthless opportunities.” Under the terms of the order, Defendants are permanently banned from the payment processing business, including acting as an independent sales organization or sales agent, and must pay a judgment of more than $3 million. The FTC suspended the judgment due to the Defendants’ inability to pay, but noted that it “will become due immediately if [Defendants] are found to have misrepresented their financial condition.”

    Separately on August 31, the FTC announced that a default judgment had been issued in a pending action brought against the operators of a deceptive telemarketing scheme who allegedly targeted Spanish-speaking consumers by pretending to be affiliated with the Peruvian government and deceived consumers by giving the impression that the calls were from emergency responders or by people the consumers had provided as references. The allegations, which violated the FTC Act and the TSR, claimed that consumers were presented opportunities to participate in language courses at discounted prices and were misled about prizes they had won. When consumers declined to participate or cancelled delivery of the prizes, the telemarketers made “false and threatening” claims of “legal or financial consequences,” allegedly posing as lawyers or government officials. Under the terms of the default judgment, the telemarketers (i) are ordered to pay $6.3 million as equitable monetary relief; (ii) are banned from telemarketing activities; and (iii) prohibited from misrepresenting material facts.

    Consumer Finance FTC Enforcement Telemarketing Sales Rule FTC Act Settlement

  • OCC Updates Comptroller’s Licensing Manual to Provide Revised Guidance on Change in Bank Control Process

    Agency Rule-Making & Guidance

    On September 1, the OCC released OCC Bulletin 2017-33 announcing a new booklet to provide guidance for persons seeking to acquire control of national banks and federal savings associations. The “Change in Bank Control” booklet, which is part of the Comptroller’s Licensing Manual, provides, among other things:

    • an overview of evaluation criteria and considerations taken into account when the OCC reviews a notice of change;
    • timeframe requirements and information regarding the notice process;
    • the required contents of an application and application process; and
    • references and links to informational resources, including sample forms and documents and statutory/regulatory requirements.

    Reflected in the newly issued booklet are updates to procedures and regulations that have been implemented since 2007, including the integration of the Office of Thrift Supervision into the OCC in 2011 and the issuance of revised regulation 12 C.F.R. § 5 that went into effect July 1, 2015.

    Agency Rule-Making & Guidance OCC Licensing Comptroller's Licensing Manual

  • Delaware Governor Enacts Amendments to Computer Security Code

    State Issues

    On August 17, Delaware Governor John Carney signed into law amendments (House Substitute No. 1) to the state’s code regarding computer security breaches involving personal information. Among other changes, the amendments include the following: (i) any person who conducts business in Delaware and maintains personal information must implement and maintain safeguard procedures to protect personal information; (ii) the definition of a “breach of security”—defined as the “unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information”—eliminates “good faith acquisition” breaches where information is not used for unauthorized purposes, as well as instances where breached data is encrypted or protected by an unavailable encryption key; (iii) adds to the definition of “personal information” items such as passport numbers, email addresses and passwords, medical history information, health insurance and tax identification numbers, and biometric data; (iv) strengthens consumer protections, including requirements that notices to consumers must be sent no later than 60 days after it has been determined that a breach has occurred, a notification must be sent to the state Attorney General for breaches affecting more than 500 residents, and free credit monitoring services must be provided to residents involved in the breach of a social security number. The amendments become effective on April 14, 2018.

    State Issues State Legislation Privacy/Cyber Risk & Data Security

  • NYDFS Fines Global Bank Nearly $630 Million for Alleged BSA/AML Compliance Failures

    Financial Crimes

    On August 24, the New York Department of Financial Services (NYDFS) announced that it had assessed a nearly $630 million fine against a global bank (Bank) and its New York branch as part of a consent order addressing allegations that the Bank failed to fix “serious” and “persistent” failures in its Bank Secrecy Act and anti-money laundering (BSA/AML) compliance programs. NYDFS claimed in its Notice of Hearing and Statement of Charges (Notice) that these failures “indicate a fundamental lack of understanding of the need for a vigorous compliance infrastructure, and the dangerous absence of attention by [the Bank’s] senior management for the state of compliance at the [Bank’s] New York branch.” NYDFS will move for the penalty at a hearing scheduled for September 27, 2017. According to an order issued that same day, NYDFS expanded its investigation into the alleged misconduct to cover the period between October 1, 2013 through September 30, 2014, and April 1, 2015 through July 31, 2017. Specifically, the violations cited in the Notice include the following:

    • 855 “batch-waived” transaction alerts that were improperly “cleared by [New York] Branch staff without review or rationale for the failure to review the alerts” and without written approval of the batch waive process by head office or local management;
    • control deficiencies concerning the Bank’s relationship with a Saudi Arabian bank with reported ties to Al Qaeda and the financing of terrorism—transactions with the Saudi Arabian bank comprised approximately 24 percent of the total number of transactions conducted through the New York branch;
    • more than 13,000 transactions failed to identify essential information such as originator and beneficiary identities; and
    • more than 4,000 transactions were excluded from screening after being included on the Bank’s “good guy list” comprised of customers “who purportedly have been screened and identified as very low risk,” although the investigation identified several parties that had been either “improperly included” or met criteria which warranted screening.

    The Bank issued a press release following the announcement, stating its plans to “vigorously contest [the penalty] . . . as being unjustified, capricious, unreasonable, not supported by facts or law and as being time barred.” The Bank claimed it has undergone “sincere and extensive remediation measures” to improve its compliance efforts since NYDFS issued an order in 2015 calling for oversight and improvements to its BSA/AML processes. The Bank expressed its intention to surrender its foreign bank branch license for the New York branch and NYDFS has issued an order to effectuate the surrender by September 23, 2017.

    Financial Crimes Bank Secrecy Act Anti-Money Laundering

  • FTC and 32 States Settle Charges with Computer Manufacturer Concerning Preinstalled Software that Allegedly Compromised Online Security

    Privacy, Cyber Risk & Data Security

    On September 5, the FTC announced that, along with 32 state attorneys general, it had entered into a consent order with a global computer manufacturer to settle charges that it had preloaded advertising software on certain laptops that compromised consumers’ security protections. According to a complaint filed by the FTC, as well as complaints filed by the state attorneys general (see New Jersey Attorney General’s complaint), the manufacturer allegedly began selling the preloaded laptops beginning in August 2014. The software program—using a technique known as a “man-in-the-middle”—was able to access and collect consumers’ personal information that was transmitted over the internet, including login credentials, social security numbers, financial details, medical information, and email communications, without the consumers’ permission. The process entailed replacing the security certificates of visited encrypted websites with the software’s own certificates that could be easily compromised. The digital certificate substitution created multiple security vulnerabilities, which, among other issues, prevented consumers’ browsers from warning users if they visited “potentially spoofed or malicious websites with invalid digital certificates.” The FTC noted in its complaint that “[t]his practice violated basic encryption key management principles because attackers could exploit this vulnerability to issue fraudulent digital certificates that would be trusted by consumers' browsers.”

    According to the complaints, the manufacturer allegedly (i) did not disclose to consumers prior to purchase that the problematic software had been installed; (iii) failed to warn consumers about the security vulnerability; and (iii) unfairly preinstalled software, which acted as a “man-in-the-middle” between consumers and visited websites—all of which are violations of state consumer protection laws and the Federal Trade Commission Act. The complaints further alleged that the manufacturer failed to provide consumers with an easy way to effectively opt out of the preinstalled software.

    The terms of the FTC consent order stipulate the following: (i) the manufacturer is prohibited from making misleading representations about any software feature; (ii) consumers must affirmatively grant consent before this type of software may be installed, and the manufacturer must provide instructions for consumers to revoke consent or opt out; and (iii) a comprehensive software security program must be developed and implemented to address new and existing software security risks and will be subject to third-party biennial assessments for the next 20 years. The judgment reached with the state attorneys general also imposes a $3.5 million settlement to be divided between the states.

    Privacy/Cyber Risk & Data Security State Attorney General Enforcement Settlement FTC Act

  • Basel Committee on Banking Supervision Issues Consultative Document on Implications of Fintech for the Banking Industry

    Fintech

    As waves of innovative financial technology (fintech) continue to reshape the financial services landscape, banking institutions and their supervisors have invested significant effort in analyzing its impact and developing an appropriate response. On August 31, the Basel Committee on Banking Supervision (BCBS), the primary global standard setter for the prudential regulation of banks, weighed in. Through the release of a consultative document, Sound Practices: Implications of fintech developments for banks and bank supervisors, the BCBS identified 10 key observations, accompanied by 10 recommendations, for banks and bank supervisors to address the challenges posed by advances in fintech.

    The report summarizes the main findings of a BCBS task force established to analyze developments in fintech and their impact on the banking industry. Quantifying the size and growth of fintech is difficult; among other reasons, most jurisdictions have not formally defined “fintech” (notably, the report includes a glossary of terms and acronyms related to the delivery of fintech products and services, and is the first attempt by the BCBS to provide a common definition in this space). Yet the significant number of financial products and services derived from fintech innovations and the trend of rising investment in fintech companies globally warrants attention. As the BCBS acknowledges, while the impact of fintech on banking remains uncertain, “that change could be fast-paced and significant.”

    In its report, the BCBS observes that the rise of fintech innovation has resulted in “a battle for the customer relationship and customer data,” the result of which “will be crucial in determining the future role of banks.” To assess the impact of the evolution of fintech products and services, the BCBS identified five stylized scenarios describing the potential impact of fintech on banks. In addition, the BCBS assessed six case studies focused on specific innovations (e.g., big data, cloud computing, innovative payment services, and neo-banks), in order to understand the individual risks and opportunities of a specific fintech development through the different scenarios. The extent to which banks or new fintech entrants will own the customer relationship varied across each scenario. However, in almost every scenario, the position of the incumbent banks will be challenged. The BCBS finds that “a common theme across the various scenarios is that banks will find it increasingly difficult to maintain their current operating models, given technological change and customer expectations.”

    In analyzing fintech’s potential impact, the BCBS analyzes previous waves of innovation in banking, such as ATMs, electronic payments, and the Internet. While each of these have changed the face of banking, the BCBS highlights two key differences as it concerns fintech’s potential impact: the current pace of innovation is faster now than in previous decades and the pace of adoption has also increased. As a result, the Committee warns, “the effects of innovation and disruption can happen more quickly than before, implying that incumbents may need to adjust faster.”

    The BCBS stated that banking standards and supervisory expectations “should be adaptive to new innovations, while maintaining appropriate prudential standards.” Against this backdrop, the Committee concluded its report with 10 key observations and recommendations for consideration by banks and bank supervisors.

    These include:

    • The overarching need to ensure safety and soundness and high compliance standards without inhibiting beneficial innovation in the banking sector;
    • Key risks for banks related to fintech developments, including strategic/profitability risks, operational, cyber and compliance risks;
    • Implications for banks of the use of innovative enabling technologies;
    • Implications for banks of the growing use of third parties, via outsourcing and/or partnerships;
    • Cross-sectoral cooperation between supervisors and other relevant authorities;
    • International cooperation between banking supervisors;
    • Adaptation of the supervisory skillset;
    • Potential opportunities for supervisors to use innovative technologies ("suptech");
    • Relevance of existing regulatory frameworks for new innovative business models; and
    • Key features of regulatory initiatives set up to facilitate fintech innovation.

    By issuing this guidance, BCBS is prompting global regulators to address technological advancements and novel business models with the same sense of urgency that the banking and fintech industries are employing. It will be incumbent on the financial services industry – traditional and novel business models alike – to work together to inform and shape what those supervisory guidelines will look like.

    Comments on BCBS’s consultative document will be accepted through October 31, 2017.

    Fintech Basel Bank Supervision Vendor Management

Pages

Upcoming Events