InfoBytes
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
New York requires financial institutions to provide written notice prior to charging account inactivity fees
On November 11, the New York governor signed S4188, which requires financial institutions to provide written notice to an account holder 30 days prior to charging any fee based on account inactivity. The provision applies to financial institutions as well as mortgage brokers, mortgage bankers, or other investment entities, “whether headquartered within or outside the state.” E-mail notifications will also satisfy the written notice requirement. The act will take effect 90 days after it was signed.
OFAC sanctions Syrian individuals and entities
On November 9, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) sanctioned 10 entities and seven individuals, including Syrian military officials, members of the Syrian Parliament, Syrian government entities, and various Syrian and Lebanese persons for allegedly supporting Bashar al-Assad regime’s petroleum industry. The individuals and entities were designated pursuant to Executive Orders 13852, 13573, and 13572. As a result, all property and interests in property belonging to the designated individuals and entities subject to U.S. jurisdiction are blocked and must be reported to OFAC. OFAC noted that its regulations “generally prohibit all dealings by U.S. persons or within (or transiting) the United States that involve any property or interests in property of blocked or designated persons,” and warned that non-U.S. persons that engage in transactions with the designated persons may expose themselves to designation.
OFAC sanctions network for procuring goods for Iranian military firm
On November 10, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions against a network of six companies and four individuals for allegedly facilitating the procurement of sensitive goods—including U.S.-origin electronic components—for an Iranian military firm that was previously designated by the U.S. and the European Union for being owned or controlled by Iran’s Ministry of Defense and Armed Forces Logistics. The designations are being taken pursuant to Executive Order 13382, which aims to freeze the assets of proliferators of weapons of mass destruction along with their supporters. As a result, all property and interests in property belonging to, or owned by, the designated persons subject to U.S. jurisdiction are blocked, and U.S. persons are also generally prohibited from engaging in transactions with them. OFAC further warned foreign financial institutions that knowingly facilitating significant transactions or providing significant support to the designated persons may subject them to U.S. sanctions.
Concurrent with OFAC’s designations, the U.S. Attorney’s Office for the District of Columbia filed a criminal complaint against two of the designated entities and one of the designated individuals for conspiring to violate U.S. export laws and sanctions against Iran.
District court holds no private right of action under E-SIGN Act
On October 26, the U.S. District Court for the District of Colorado denied, in relevant part, an individual’s motion for summary judgement, holding that no private right of action exists under the Electronic Signatures in Global and National Commerce (E-SIGN) Act. The plaintiff had asserted a violation of E-SIGN by an auto-dealership, who allegedly failed to advise the plaintiff of: (i) the right to receive paper copies (rather than electronic copies) of certain records; and (ii) the right to withdraw previously provided consent to receiving records in electronic form.
In ruling against the plaintiff’s motion, the court noted that where Congress creates specific means for enforcing a statute, a court will assume that Congress did not intend to allow any additional rights of action beyond those specified. When applied to the E-SIGN Act, the court found that no standalone remedy is necessary, as any violation of the E-SIGN Act would be “self-effectuating.” Any failure to “[d]emonstrate the proper consent for electronic service would only expose the party required to deliver the information in writing to whatever sanctions the law requiring written disclosure provides.” Therefore, the court found that “Congress appears to have provided no separate remedial scheme for violation of the E-SIGN Act's consent provisions, as no standalone remedy is necessary.”
FHA proposes private flood insurance option
On November 10, the Federal Housing Administration (FHA) issued a proposed rule which would allow mortgagors the option to purchase private flood insurance on FHA-insured mortgages for properties located in Special Flood Hazard Areas (SFHAs). Under the Flood Disaster Protection Act of 1973, property owners located in an SFHA, and a community participating in the National Flood Insurance Program, are required to purchase flood insurance as a condition of receiving a mortgage backed by Fannie Mae or Freddie Mac, the Department of Veterans Affairs, the United States Department of Agriculture, or the FHA. The proposed rule would allow the purchase of private mortgage insurance for properties in SFHAs for the first time. Additionally, the proposed rule seeks comment on a compliance aid, which would “help mortgagees evaluate whether a flood insurance policy meets the definition of ‘private flood insurance.’” According to the FHA, between three and five percent of FHA borrowers could obtain a private flood insurance policy if the option becomes available.
FTC requires video conferencing provider to improve security safeguards
On November 9, the FTC announced a settlement with a video conferencing provider, resolving allegations that the company violated the FTC Act by misleading users about the levels of encryption and security offered for securing communications during meetings. The FTC’s complaint alleges that, since at least 2016, the company engaged in a series of deceptive and unfair practices by claiming it offered end-to-end encryption to secure users’ communications and—according to the FTC’s press release—“tout[ing] its level of encryption as a reason for customers and potential customers to use [its] videoconferencing services.” The FTC contends that the company actually maintained a lower level of security, which allowed the company access to the contents of users’ meetings, including sensitive personal information, and allegedly secured these meetings with a lower level of encryption than promised. Users who wanted to store recorded meetings using cloud storage provided by the company were told that the meetings were immediately encrypted, but in certain instances, unencrypted meeting recordings were allegedly stored on company servers for up to 60 days before being transferred to the secure cloud storage. In addition, the company allegedly compromised some users’ security by secretly installing software that would allow users to join a meeting by bypassing a browser safeguard designed to protect users from a common type of malware. According to the FTC, the company, among other things, failed to implement any measures to protect users’ security, failed to monitor service providers who had access to the network, lacked a systematic process for incident response, and allegedly increased users’ risk of remote video surveillance by strangers.
The proposed settlement order requires the company to (i) assess and document security risks; (ii) develop ways to manage and safeguard against such risks; (iii) deploy additional methods, including multi-factor authentication, to protect against unauthorized access of the network; and (iv) take other steps, such as implementing data deletion controls and preventing known compromised user credentials from being used. Company personnel must also review any software updates for security flaws to “ensure the updates will not hamper third-party security features.” Furthermore, the company is prohibited from misrepresenting its privacy and security practices, and is required to obtain biennial third-party assessments of its security practices (which the FTC has the authority to approve) and notify the FTC if it experiences a data breach.
GSEs approve continued use of Classic FICO
On November 10, the FHFA announced that, in accordance with the requirements of the Validation and Approval of Credit Score Models Rule (covered by InfoBytes here), Fannie Mae and Freddie Mac (GSEs) have approved the Classic FICO credit score model for continued use. (See also GSE announcements here and here). The FHFA notes that this approval will allow the GSEs “to continue supporting the mortgage market while assessing more modern credit score models” received in response to a Joint Enterprise Credit Score Solicitation announced in February. The FHFA anticipates that the validation and approval process for the additional credit score models will take an additional year to complete.
Fed targets flood insurance violations
On November 10, the Federal Reserve Board (Fed) announced an enforcement action against an Arkansas-based bank for alleged violations of the National Flood Insurance Act (NFIA) and Regulation H, which implements the NFIA. The consent order assesses a $12,000 penalty against the bank for an alleged pattern or practice of violations of Regulation H, but does not specify the number or the precise nature of the alleged violations. The maximum civil money penalty under the NFIA for a pattern or practice of violations is $2,000 per violation.
SEC issues two separate whistleblower awards totaling over $4.3 million
On November 5, the SEC announced two separate whistleblower awards totaling over $4.3 million. According to the first redacted order, the SEC awarded a whistleblower more than $3.6 million for (i) providing information that alerted enforcement staff to misconduct occurring abroad that would otherwise “have been difficult to detect”; (ii) providing “substantial and ongoing assistance” to enforcement staff, including traveling to another country to meet with staff in person at the whistleblower’s own expense and providing “extensive supporting documentation”; and (iii) suffering hardships due to the whistleblowing. The SEC further noted in the order that while the whistleblower’s “ministerial role in the underlying misconduct” was considered, the Commission did not reduce the award for culpability as the whistleblower “took exceptional steps to report the misconduct from abroad and provided extraordinary assistance.”
In the second redacted order, the SEC awarded $750,000 to a whistleblower for providing significant information that led to a successful enforcement action. According to the SEC, while the covered action was already open when the whistleblower provided the original information, the whistleblower’s information caused enforcement staff to investigate different conduct, which ultimately formed the basis for the covered action. The whistleblower also met with Commission staff in person and explained “the likely mechanics of the fraudulent scheme.”
The SEC has now paid approximately $719 million to 112 individuals since the inception of the program.
FinCEN updates FATF-identified jurisdictions with AML/CFT deficiencies
On November 6, the Financial Crimes Enforcement Network (FinCEN) issued an advisory to inform financial institutions of updates to the Financial Action Task Force (FATF)-identified jurisdictions with “strategic deficiencies” in their anti-money laundering and combating the financing of terrorism (AML/CFT) and counter-proliferation financing deficiencies. The advisory notes that in response to the Covid-19 pandemic, FATF gave identified-jurisdictions the option to report their progress at the October 2020 meetings or defer reporting, leaving their February statements in place. Additionally, the advisory reminds members that its February 2020 statement High-Risk Jurisdictions Subject to a Call for Action remains in effect and urges “all jurisdictions to impose countermeasures on Iran and the Democratic People’s Republic of Korea (DPRK) to protect the international financial system from significant strategic deficiencies in their AML/CFT regimes.” The advisory also notes that FATF updated its Jurisdictions under Increased Monitoring document, removing Iceland and Mongolia. The advisory also outlines AML program risk assessment considerations, as well as suspicious activity report filing guidance.