InfoBytes

  • DFPI launches debt collection investigation

    State Issues

    On January 19, California’s Department of Financial Protection and Innovation (DFPI) announced the issuance of subpoenas to a dozen debt collection companies as part of its investigation into consumer complaints about alleged unlawful, unfair, deceptive, or abusive debt collection practices. This is DFPI’s first significant action since the California Consumer Financial Protection Law—which, among other things, expanded DFPI’s UDAAP authority by adding a prohibition on “abusive” acts or practices to California law—went into effect January 1 (covered by a Buckley Special Alert). According to DFPI, consumers across the country have filed complaints against the companies, alleging the debt collectors make repeated phone calls, fail to validate debts, and threaten to sue consumers for debts they do not owe. DFPI notes that the state’s new Debt Collection Licensing Act (enacted last September and covered by InfoBytes here) requires a person engaging in the business of debt collecting in the state of California to be licensed and provides for the regulation and oversight of debt collectors by the agency.

    State Issues State Regulators DFPI Debt Collection Enforcement

  • OFAC targets Venezuelan oil sector sanctions evasion network

    Financial Crimes

    On January 19, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions pursuant to Executive Order 13850 against three individuals, fourteen entities, and six vessels for allegedly engaging in activities tied to a Mexico-based network involved in the illicit sale of hundreds of millions of dollars of Venezuelan oil. The action builds on OFAC’s June 2020 sanctions against three individuals and eight foreign entities for allegedly engaging in activities in or associated with a network attempting to evade U.S. sanctions on Venezuela’s oil sector in order to benefit “the illegitimate Maduro regime” and Venezuela’s state-owned oil company, Petroleos de Venezuela, S.A. (covered by InfoBytes here). As a result, all property and interests in property belonging to the identified individuals and entities subject to U.S. jurisdiction are blocked, and “any entities that are owned, directly or indirectly, 50 percent or more by the designated entities, are also blocked.” U.S. persons are generally prohibited from dealing with any property or interests in property of blocked or designated persons.

    Financial Crimes OFAC Department of Treasury Venezuela Sanctions Of Interest to Non-US Persons OFAC Designations

  • OFAC issues counter terrorism general licenses and related FAQs, updates SDN List

    Financial Crimes

    On January 19, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) issued four General Licenses in conjunction with State Department designations against a foreign terrorist organization: General License 9, “Official Business of the United States Government,” General License 10, “Official Activities of Certain International Organizations,” General License 11, “Certain Transactions in Support of Nongovernmental Organizations’ Activities in Yemen,” and General License 12, “Transactions Related to the Exportation or Reexportation of Agricultural Commodities, Medicine, Medical Devices, Replacement Parts and Components or Software Updates.” The general licenses authorize certain transactions ordinarily prohibited by the Global Terrorism Sanctions Regulations, Foreign Terrorist Organizations Sanctions Regulations, and Executive Order 13224, including actions “to help facilitate the uninterrupted flow of humanitarian assistance, including COVID-19-related assistance, and certain other critical commodities to the people of Yemen that would otherwise be prohibited pursuant to authorities administered by OFAC.” OFAC also published related FAQs 875, 876, and 877.

    OFAC also updated its Specially Designated Nationals and Blocked Persons List to add individuals and entities associated with Venezuela, Russia, and Yemen designations.

    Financial Crimes OFAC Department of Treasury Yemen Russia Venezuela Sanctions Of Interest to Non-US Persons OFAC Designations

  • Massachusetts establishes student loan servicer licensing provisions

    On January 14, the Massachusetts governor signed H. 5250, which provides new requirements for student loan servicers. Among other things, these provisions stipulate that servicers are not required to (i) be licensed as a debt collector, or (ii) be registered as a third-party loan servicer provided the servicer does not act, represent, operate, or hold itself out as a third-party loan servicer or a debt collector outside the scope of specified provisions. The bill also requires entities servicing student loans in the Commonwealth to be licensed, but exempts from the licensing requirement banks, credit unions, wholly-owned subsidiaries of banks and credit unions, and nonprofit or public institutions of higher education. H. 5250 also establishes a student loan ombudsman within the office of the attorney general who will be tasked with resolving complaints from student loan borrowers, and assisting student loan borrowers with repayment options, applying for loan discharges and forgiveness, and resolving billing disputes, among other things. Additionally, H. 5250 states that non-exempt student loan servicers must comply with all applicable state and federal regulations, and stipulates that the commissioner may conduct investigations and examinations and suspend licensure should a servicer be found to be in violation of the outlined provisions. In addition, should the commissioner determine that a servicer has committed fraud or engaged in unfair, deceptive, or dishonest actions, the commissioner may take action, including notifying the state attorney general or the student loan ombudsman, suspending or revoking the servicer’s license, and/or imposing an administrative penalty of no more than $50,000 per incident.

    Licensing State Issues Student Lending Student Loan Servicer State Legislation

  • OCC settles with bank’s former GC on account openings

    Federal Issues

    On January 15, the OCC announced a $3.5 million penalty against a national bank’s former general counsel for his role in the bank’s incentive compensation sales practices. As previously covered by InfoBytes, in January 2020, the OCC announced charges against the former general counsel and other executives, seeking a lifetime prohibition from participating in the banking industry, a personal cease and desist order, and/or civil money penalties. The January announcement included settlements with three of the executives, and the OCC settled with three others in September 2020 (covered by InfoBytes here).

    In addition to the $3.5 million penalty, the consent order against the former general counsel includes a personal cease and desist, and a requirement to cooperate with the OCC in any investigation or proceeding related to the sales practices of the bank. The consent order does not prohibit the former general counsel from holding future executive positions within the industry.

    Federal Issues OCC Incentive Compensation Settlement Civil Money Penalties Bank Regulatory

  • Law firm ordered to produce cyberattack report in malpractice action

    Courts

    On January 12, the U.S. District Court for the District of Columbia ordered a law firm to produce a forensic report generated by a consultant retained by the firm’s outside counsel in the wake of the plaintiff’s data breach, concluding that the report and associated materials were neither protected work product nor attorney-client privileged. According to the order, as part of a malpractice action in which the plaintiff, a Chinese entrepreneur, accused the law firm of failing to protect his personal information from hackers, the plaintiff moved to compel the production of “‘all reports of its forensic investigation into the cyberattack’ that led to the public dissemination of [plaintiff]’s confidential information.” The law firm opposed the motion, arguing that it already had turned over all relevant internally generated materials and any other documents were protected by attorney-client and work-product privileges. The law firm argued that the forensic report was only one half of a two-tracked investigation of the incident. On one track, the law firm’s usual cybersecurity vendor worked to investigate the attack to preserve business continuity, while on a separate track, a different consultant was retained by counsel for the sole purpose of assisting the law firm in gathering information necessary to render legal advice.

    The district court disagreed, concluding that the report is not covered by work-product privilege because the law firm failed to show that the report “‘would [not] have been created in the ordinary course of business irrespective of litigation.’” The court noted that the forensic report summarizes the findings of the investigation and that substantially the same document would have been prepared in any event as part of the ordinary course of the law firm’s business. While seeming to endorse the idea of a two-track investigation, the court noted that the law firm failed to provide any evidence that there were actually two tracks. Among other things, the court noted that the report summarizes findings into the data breach’s “cause, nature, and effect” and was used “for a range of non-litigation purposes,” including being shared with members of the law firm’s leadership and IT team and the FBI. In addition, the court noted that there was no evidence that the law firm’s usual cybersecurity vendor produced any findings, let alone a comprehensive report about the incident. Instead, the court stated that the record suggested that two days after the cyberattack began, the law firm turned to this second consulting firm instead of, rather than in addition to, the first consulting firm. Moreover, the court rejected the application of attorney-client privilege, concluding that the law firm’s “true objective was gleaning [the security-consulting firm]’s expertise in cybersecurity, not in ‘obtaining legal advice from [its] lawyer.’” The court noted that the report included remediation advice, indicating the security firm was “engaged for immediate ‘incident response.’” Lastly, the court noted the law firm can safely respond to the plaintiff’s interrogatories calling for information regarding other clients impacted by the cyberattack with “appropriate redactions in responsive documents” and “tailored” answers.

    Courts Privacy/Cyber Risk & Data Security Data Breach Attorney-Client Privilege Work-Product Privilege

  • New York introduces biometric privacy act

    State Issues

    On January 6, New York Assembly Bill A 27 was prefiled in the 2021-22 state legislative session, which would establish the Biometric Privacy Act and establish provisions regarding the retention, collection, disclosure and destruction of biometric identifiers or biometric information. Highlights of the bill include:

    • Private entities in possession of biometric identifiers or information will be required to develop a written public policy “establishing a retention schedule and guidelines for permanently destroying biometric identifiers and information when the initial purpose for collecting or obtaining such identifiers or information has been satisfied or within three years of the individual’s last interaction with the private entity, whichever occurs first.” Further, unless a private entity possesses a valid warrant or court subpoena, it must comply with its established retention schedule and destruction guidelines.
    • Prior to obtaining a person’s biometric identifier or information, a private entity must inform the subject (or a subject’s legally authorized representative) in writing that the identifier or information is being collected or stored, the specific purpose and length of term for which it is being collected, stored, and used, and must receive a written release from the subject or legally authorized representative.
    • Private entities may not sell, lease, trade, or otherwise profit from a person’s biometric identifier or information.
    • Private entities may not disclose, redisclose, or otherwise disseminate such information unless (i) the subject provides consent; (ii) “the disclosure or redisclosure completes a financial transaction requested or authorized by the subject” or the subject’s legally authorized representative; or (iii) the information is required by a valid warrant or court subpoena.
    • Private entities must take measures to store, transmit, and protect all biometric identifiers and information from disclosure “using the reasonable standard of care within the private entity’s industry” and “in a manner that is the same as or more protective than the manner in which the private entity stores, transmits, and protects other confidential and sensitive information.”
    • The bill provides a private right of action for any person aggrieved by the bill’s provisions, including damages of $5,000 or actual damages (whichever is greater), reasonable attorneys’ fees and costs, and other relief including injunctive relief as deemed appropriate.

    Notably, the New York Biometric Privacy Act is a close parallel to the Illinois Biometric Information Privacy Act, which was enacted in 2008.

    State Issues State Legislation Privacy/Cyber Risk & Data Security Biometric Data

  • Updated Washington State Privacy Act re-introduced

    State Issues

    On January 5, the Washington State Privacy Act, SB 5062, (referred to as “2021 WPA” or “bill”) was re-introduced for the 2021-22 state legislative session with some notable changes from the 2020 version. (InfoBytes coverage of the 2020 Washington Privacy Act, SB 6281, available here.) Highlights of the 2021 WPA include:

    • Applicability. The bill will apply to legal entities that conduct business or produce products or services that are targeted to Washington consumers that also (i) control or process personal data for at least 100,000 consumers; or (ii) derive more than 25 percent of gross revenue from the sale of personal data, in addition to processing or controlling the personal data of at least 25,000 consumers (the 2020 version included a 50 percent gross revenue threshold). State and local governments, municipal corporations, certain protected health information, personal data governed by state and federal regulations, and employment records continue to be exempt from coverage. Additionally, the bill adds nonprofit corporations, air carriers, and institutions of higher education to the exemption list.
    • Consumer rights. Consumers will be able to exercise the following rights concerning their personal data: access; correction; deletion; access in a portable format; and opt-out rights, including the right to opt out of the processing of personal data for targeted advertising and the sale of personal data.
    • Controller responsibilities. Controllers required to comply with the bill will be responsible for (i) transparency in a privacy notice; (ii) limiting the collection of data to what is required and relevant for a specified purpose; (iii) ensuring data is not processed for reasons incompatible with a specified purpose; (iv) securing personal data from unauthorized access; (v) prohibiting processing that violates state or federal laws prohibiting unlawful discrimination against consumers; (vi) obtaining consumer consent in order to process sensitive data; and (vii) ensuring contracts and agreements do not contain provisions that waive or limit a consumer’s rights. Controllers must also conduct data protection assessments for all processing activities that involve personal data. Notably, the 2021 WPA removes the requirement from the 2020 legislation that controllers conduct additional assessments each time a processing change occurs that materially increases the risk to consumers.
    • State attorney general. The bill explicitly precludes a private right of action but permits the state attorney general to bring actions and impose penalties of no more than $7,500 per violation. The bill removes the 2020 requirement that the AG submit a report evaluating the liability and enforcement provisions by 2022, but requires the AG to work in concert with the state’s office of privacy and data protection on a technology review report to be submitted to the governor by December 2022.
    • Right to cure. The bill includes a new 30-day right to cure any alleged violation after a warning letter is sent by the AG identifying the specific provisions believed to have been violated.
    • Preemption. Similar to the 2020 WPA, the bill would preempt local laws, ordinances, and regulations, but includes an exception for any laws, ordinances or regulations “regarding the processing of personal data by controllers or processors” that were adopted prior to July 1, 2020.

    State Issues Privacy/Cyber Risk & Data Security State Legislation Opt-In State Attorney General Privacy Rule

  • FinCEN reaches $390 million settlement with bank for BSA violations

    Federal Issues

    On January 15, the Financial Crimes Enforcement Network (FinCEN) announced a $390 million civil money penalty against a national bank for allegedly violating the Bank Secrecy Act and its implementing regulations. The settlement resolves an investigation into the bank’s alleged failure to maintain an effective anti-money laundering (AML) program. According to FinCEN, the bank’s check-cashing business unit failed to file thousands of suspicious activity reports (SARs) and currency transaction reports (CTRs). As a result, suspicious transactions were not reported in a timely and accurate manner. FinCEN noted that while the bank was allegedly aware of several compliance and money laundering risks associated with its check-cashing business unit, its process for investigating suspicious transactions was insufficient. The bank also allegedly failed to file SARs even though it had actual knowledge of criminal charges against specific customers and continued to process transactions for these customers’ businesses. In determining the penalty, FinCEN considered the bank’s significant remediation efforts—including taking remedial measures related to its SAR and CTR filing systems and enhancing its AML program over the past several years—as well as its cooperation with the agency’s investigation.

    Federal Issues FinCEN Enforcement Bank Secrecy Act Anti-Money Laundering Financial Crimes

  • OFAC sanctions Cuban Ministry of the Interior for human rights abuse

    Financial Crimes

    On January 15, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions against the Cuban Ministry of Interior and the Minister of Interior for his alleged connection to serious human rights abuses. According to OFAC, the sanctions are taken pursuant to Executive Order 13818, which implements the Global Magnitsky Human Rights Accountability Act and “targets perpetrators of serious human rights abuse and corruption.” As a result of the sanctions, all of the individual’s property and interests in property that are blocked pursuant to the Cuban Assets Control Regulations continue to be blocked, as well as any of the individual’s property and interests in property in the United States or possessed or controlled by U.S. persons. Additionally, OFAC regulations prohibit U.S. persons from participating in transactions with the individual unless exempt or otherwise authorized by an OFAC general or specific license.

    Financial Crimes OFAC Department of Treasury Cuba Sanctions Of Interest to Non-US Persons OFAC Designations
