InfoBytes
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Massachusetts targets trading platform for aggressive tactics
On December 16, the enforcement section of the Massachusetts Securities Division filed an administrative complaint against a broker-dealer online trading platform alleging the company violated various state laws by using “aggressive tactics” to gain inexperienced investors. According to the complaint, the company, among other things, (i) used advertising techniques, including using young actors, to target younger individuals (with a median customer age around 31 years old) with little to no investment experience; (ii) failed to implement policies and procedures that were “[r]easonably [d]esigned to [p]revent and [r]espond to [o]utages and [d]isruptions on its [t]rading [p]latform,” resulting in nearly 70 outages throughout 2020; (iii) used “gamification strategies,” such as confetti raining down on the screen after a trade or requiring customers to “tap” a fake debit card to increase their position on the waitlist, to “lure customers into consistent participation” with the platform; and (iv) failed to review and supervise, in accordance with its own procedures, the approval of options trading accounts. The complaint asserts that the company’s tactics failed to adhere to the fiduciary conduct standard required of broker-dealers in the state of Massachusetts since the adoption of amendments in March, with enforcement beginning on September 1. Massachusetts is seeking an injunction, restitution, disgorgement, and administrative fines.
OFAC sanctions entities supporting the sale of Iranian petrochemicals
On December 16, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions pursuant to Executive Order 13846 against four entities for facilitating the export of Iranian petrochemical products on behalf of a previously designated petrochemical company. According to OFAC, the designated entities—China- and United Arab Emirates-based companies—have allegedly provided the previously designated company “with critical shipping services or conducted financial transactions on” its behalf, which has enabled the previously designated company to “continue brokering and moving Iranian petrochemical exports.” As a result of the sanctions, all property and interests in property of the designated persons subject to U.S. jurisdiction are blocked, and any “entities that are owned, directly or indirectly, 50 percent or more by such persons, are also blocked.” OFAC noted that its regulations “generally prohibit” U.S. persons from participating in transactions with the designated persons. OFAC further warned foreign financial institutions that knowingly facilitating significant transactions or providing significant support to the designated persons may subject them to sanctions and could sever their access to the U.S. financial system.
Court enters nearly $90 million default judgment against student debt-relief defendants
On December 15, the U.S. District Court for the Central District of California entered a default judgment and order against two companies (collectively, “default defendants”) for their role in a student loan debt-relief operation. As previously covered by InfoBytes, the CFPB, along with the Minnesota and North Carolina attorneys general, and the Los Angeles City Attorney (together, the “states”), announced an action against the student loan debt relief operation (defendants) for allegedly deceiving thousands of student-loan borrowers and charging more than $71 million in unlawful advance fees. The complaint alleged that the defendants violated the Consumer Financial Protection Act, the Telemarketing Sales Rule, and various state laws by charging and collecting improper advance fees from student loan borrowers prior to providing assistance and receiving payments on the adjusted loans. In addition, the complaint asserts that the defendants engaged in deceptive practices by misrepresenting (i) the purpose and application of fees they charged; (ii) their ability to obtain loan forgiveness; and (iii) their ability to actually lower borrowers’ monthly payments. In September, the court entered final judgments against four of the defendants (covered by InfoBytes here), which included a suspended monetary judgment of over $95 million due to the defendants’ inability to pay.
The new default order enters a $55 million judgment against one of the defaulting defendants and requires the defaulting defendant to pay a $30 million civil money penalty with $50,000 of that sum going directly to each of the states. Additionally, the court entered a judgment of over $165,000 to the other defaulting defendant and total civil money penalties of $2.5 million, with $10,000 going to each of the states directly and an additional $1.25 million to California. The judgment also, among other things, permanently bans the defaulting defendants from telemarketing any consumer financial product or service and from selling any debt-relief service.
Court enters judgments against multiple defendants in CFPB debt-relief action
On December 15, the U.S. District Court for the Central District of California entered final judgment against two defendants (defendants) and a default judgment against another defendant (defaulting defendant) in an action brought by the CFPB alleging the defendants (and others not subject to these judgments) charged thousands of customers approximately $11.8 million in upfront fees in violation of the Telemarketing Sales Rule (TSR). As previously covered by InfoBytes, in July, the CFPB filed a complaint against the defendants, one other company, its two owners, and four attorneys, alleging the companies would market its debt-relief services to customers over the phone, encouraging those with private loans to sign up with an attorney to reduce or eliminate their student debt. The businesses allegedly charged the fees before the customer had made at least one payment on the altered debts, in violation of the TSR’s prohibition on requesting or receiving advance fees for debt-relief service or, for certain defendants, the TSR’s prohibition on providing substantial assistance to someone charging the illegal fees. In August, the court approved stipulated final judgments with one of the owners of the other company and three of the attorneys. In December, the court entered a default judgment against the other company and another owner (previous InfoBytes coverage available here).
The final judgment permanently bans the defendants from engaging in any debt-relief service or telemarketing of any consumer financial product or service. Additionally, the court entered a suspended judgment of over $11 million in redress, which will be satisfied by a payment of $5,000 (due to an inability to pay) and each defendant is required to pay a civil money penalty of $1 to the Bureau. Liability for nearly $5 million was entered by default judgment against the defaulting defendant and a civil monetary penalty in the amount of $5 million.
Irish Data Protection Commission fines U.S. social networking company for violating GDPR
On December 15, the Irish Data Protection Commission (Commission) announced a final decision was reached in a General Data Protection Regulation (GDPR) investigation into a U.S.-based social networking tech company’s actions related to a 2019 data breach that affected users across the European Union. The final decision, published by the European Data Protection Board (EDPA), imposes a €450,000 fine against the company, and resolves an investigation in which the Commission alleged the company violated Articles 33(1) and 33(5) of the GDPR by failing to provide notice about the breach within a 72-hour period and by neglecting to adequately document the breach. According to the Commission, this inquiry is the first “dispute resolution” Article 65 decision (draft decision) under the GDPR, and marks the first decision issued against a “big tech” company. According to the final decision, “a number of concerned supervisory authorities raised objections” to aspects of the draft decision, taking issue, among other things, with the size of the proposed fine, which was originally set between €135,000 and €275,000. The EDPA determined that the objections were “relevant and reasoned” and instructed the Commission to increase the fine to ensure “it fulfils its purpose as a corrective measure and meets the requirements of effectiveness, dissuasiveness and proportionality” established under the GDPR.
8th Circuit vacates FDCPA judgment against debt buyer
On December 14, the U.S. Court of Appeals for the Eighth Circuit vacated a $4,000 judgment in favor of a consumer in an FDCPA action against a debt buyer (defendant), concluding that while the defendant qualifies as a debt collector, the actions of the subsequent debt collector cannot be imputed to the defendant. According to the opinion, the defendant brought a collection action against a consumer, which was dismissed by the district court after the consumer retained an attorney and the defendant failed to respond to the consumer’s dismissal motion. The defendant subsequently hired a collection agency to collect on the debt but failed to inform the collection agency that the consumer had previous retained an attorney. After the collection agency sent a settlement offer to the consumer, the consumer filed an action against the defendant alleging violations of the FDCPA and the Arkansas Fair Debt Collection Practices Act (AFDCPA) for contacting her directly when she was represented by an attorney. The district court granted partial summary judgment in favor of the consumer, concluding, among other things, that the defendant (i) qualified as a debt collector under federal and state law; (ii) the defendant was acting as an agent of the collection agency; and (ii) the defendant is liable for the violations arising out of the collection agency’s contact with the consumer. The consumer accepted a $4,000 offer of judgment, and the district court entered final judgment.
On appeal, the 8th Circuit agreed that the defendant qualified as a debt collector under the FDCPA and the AFDCPA, but determined that the consumer “did not present sufficient evidence to establish that [the collection agency]’s actions may be imputed to [the defendant] as a matter of law.” Specifically, the appellate court concluded that in order to establish the defendant’s liability under the FDCPA, the consumer needed to show that the defendant was responsible for the collection agency’s action. Because it was established that the collection agency did not know that the consumer was represented by an attorney, the appellate court noted that the consumer “cannot prevail against [the defendant] on a theory of vicarious liability,” and instead, must prove that an agency relationship existed for direct liability. Because the consumer failed to put into evidence an agreement between the defendant and the collection agency and the district court failed to address the agency relationship, the appellate court concluded the district court erred in granting partial summary judgment and vacated the $4,000 judgment and remanded the case.
Agencies proposes SAR filing exemptions
On December 15, the FDIC issued a proposed rule (with accompanying Financial Institution Letter FIL-114-2020), which would amend the agency’s Suspicious Activity Report (SAR) regulation to permit additional, case-by-case, exemptions from SAR filing requirements. The proposed rule would allow the FDIC, in conjunction with the Financial Crimes Enforcement Network (FinCEN), to grant supervised institutions exemptions to SAR filing requirements when developing “innovative solutions to meet Bank Secrecy Act (BSA) requirements more efficiently and effectively.” The FDIC would seek FinCEN’s concurrence with an exemption when the exemption request involves the filing of a SAR for potential money laundering, violations of the BSA, or other unusual activity covered by FinCEN’s SAR regulation. The proposal allows the FDIC to grant the exemption for a specified time period and allows the FDIC to extend or revoke the exemption if circumstances change. The proposal is intended to reduce the regulatory burden on supervised financial institutions that are likely to leverage existing or future technologies to report suspicious activity in a different and innovative manner. Comments on the proposed rule must be submitted within 30 days of publication in the Federal Register.
The OCC also issued a proposal that would similarly allow the OCC to issue exemptions from SAR filing requirements to support national banks or federal savings associations developing innovative solutions intended to meet BSA requirements more efficiently and effectively.
FDIC finalizes industrial bank rules
On December 15, the FDIC approved a final rule (with accompanying fact sheet) that requires certain conditions and commitments for approval or non-objection to certain filings involving industrial banks and industrial loan companies (collectively, “industrial banks”), such as deposit insurance, change in bank control, and merger filings. The final rule is substantially similar to the proposed rule issued by the FDIC in March (covered by InfoBytes here) and applies to industrial banks whose parent company is not subject to consolidated supervision by the Federal Reserve Board. Specifically, the FDIC is now requiring a covered parent company to enter into written agreements with the FDIC and the industrial bank to: (i) address the company’s relationship with the industrial bank; (ii) require capital and liquidity support from the parent company to the industrial bank; and (iii) establish appropriate recordkeeping and reporting requirements. Additionally, the final rule requires prospective covered companies to agree to a minimum of eight commitments, which, for the most part, the FDIC has previously required as a condition of granting deposit insurance to industrial banks.
The final rule makes four substantive changes to the proposal: (i) requiring compliance from covered entities on or after the effective date of the rule rather than only after; (ii) requiring additional reporting regarding systems for protecting the security, confidentiality, and integrity of consumer and nonpublic personal information; (iii) increasing the threshold limiting the parent company’s representation on the board of the subsidiary industrial bank from 25 percent to less than 50 percent; and (iv) modifying the restrictions on appointments of directors and executives to apply only during the first three years of becoming a subsidiary of a covered parent company.
The final rule is effective April 1, 2021.
CFPB report anticipates data collection on small-business lending
On December 15, the CFPB released a report detailing the results of the panel convened pursuant to the Small Business Regulatory Enforcement Fairness Act (SBREFA), which discussed the Bureau’s pending rulemaking to implement Section 1071 Dodd-Frank Act. Section 1071 requires the Bureau to engage in a rulemaking to collect and disclose data on lending to both women-owned and minority-owned small businesses. In September, the Bureau released a detailed outline describing the proposals under consideration for Section 1071 implementation, including factors such as scope, covered lenders, covered products, data points, and privacy (details covered by InfoBytes here). The October panel was comprised of a representative from the Bureau, the Chief Counsel for Advocacy of the Small Business Administration, and a representative from the Office of Information and Regulatory Affairs in the Office of Management and Budget. The panel consulted with small entity representatives (SERs)—those who would likely be directly affected by the Section 1071 rulemaking—to discuss the economic impacts of compliance with the outline’s proposals, as well as regulatory alternatives to the proposals.
The report includes, among other things, the feedback and recommendations made by the SERs, and the findings and recommendations of the panel. Generally, the SERs were supportive of the proposal with “many expressly support[ing] broad coverage of both financial institutions and products in the 1071 rulemaking.” The SERs backed data transparency and simple regulations but expressed significant concern that the rulemaking would cause smaller financial institutions to “incur disproportionate compliance cost compared to large [financial institutions]” and would ultimately either decrease lending or increase costs for small businesses. The SERs also recommended that the Bureau take into account different types of financial institutions operating in the small business lending market, including non-depository institutions. The report also details specific recommendations by the panel, including that the Bureau issue compliance materials in connection with the rulemaking and consider providing sample disclosure language related to the collection of race, sex, and ethnicity information for principal owners as well as women-owned and minority-owned business status.
Agencies propose computer-security incident notification rule
On December 18, the FDIC, Federal Reserve Board, and the OCC (collectively, “agencies”) issued a joint notice of proposed rulemaking (NPRM), which would require supervised banking organizations to promptly notify their primary regulator within 36 hours of becoming aware that a “‘computer-security incident” that rises to the level of a ‘notification incident’” has occurred. Additionally, the NPRM would require bank service providers “to notify at least two individuals at affected banking organization customers immediately after the bank service provider experiences a computer-security incident that it believes in good faith could disrupt, degrade, or impair services provided for four or more hours.” According to the agencies, these “notification incidents” are significant computer-security incidents that have the potential to “jeopardize the viability of the operations of an individual banking organization,” and may impact the safety and soundness of stability of the banking organization, leading to a disruption in the delivery of bank products and services, among other things. The agencies stress, however, that the required notice is intended to serve as an early alert and not as an assessment of the incident. According to a statement released by FDIC Chairman Jelena McWilliams, only computer-security incidents that meet the definition of a “notification incident” must be reported—a figure which is estimated to be roughly 150 incidents a year, according to a review of supervisory data and suspicious activity reports.
Comments on the NPRM are due 90 days after publication in the Federal Register.