InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Biden announces measures to ensure PPP loan access to "mom and pop" businesses
On February 22, the Biden administration announced measures to ensure the smallest businesses have access to Paycheck Protection Program (PPP) loans. (See also SBA press release here.) Specifically, the Biden administration has directed the Small Business Administration (SBA) to (i) provide an exclusive 14-day application window, starting Wednesday, February 24, during which only businesses with fewer than 20 employees are eligible to apply; (ii) set aside $1 billion for PPP loans for sole proprietors, independent contractors, and self-employed individuals in low- and moderate-income areas, and revise the loan calculation formula for these applicants to offer more relief; (iii) eliminate an exclusion that prevented small businesses owned at least 20 percent by an individual who was arrested for or convicted of a felony unrelated to financial assistance fraud within the previous year from applying for a PPP loan; (vi) eliminate the student loan delinquency restriction, which currently prevents small businesses owned at least 20 percent by an individual who is delinquent or has defaulted on student debt from receiving PPP loans; and (v) ensure non-citizen small business owners who are lawful U.S. residents may apply for PPP loans using individual taxpayer identification numbers.
Additionally, the Biden administration stated that SBA “is launching a new initiative to deepen its relationships with lenders” in order to facilitate communication regarding the PPP. The current round of PPP funding expires March 31 (covered by InfoBytes here).
Digital payment solutions company settles with OFAC for $500k
On February 18, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced a $507,375 settlement with a Georgia-based payment processing solutions company for 2,102 apparent violations of multiple sanctions programs. According to OFAC’s web notice, between 2013 and 2018, the company—which offers solutions for merchants to accept digital currency as payment for goods and services—allegedly processed thousands of transactions on behalf of individuals located in sanctioned jurisdictions based on IP addresses and invoice information. Specifically, OFAC alleged that the company “received digital currency payments on behalf of its merchant customers from those merchants’ buyers who were located in sanctioned jurisdictions, converted the digital currency to fiat currency, and then related that currency to its merchants.” While OFAC noted that the company screened its direct merchants against its List of Specially Designated Nationals and Blocked Persons and conducted due diligence to ensure merchants were not located in a sanctioned jurisdiction, the company’s transaction review process allegedly failed to screen identification and location data for its merchants’ buyers, many of whom were located in Crimea, Cuba, North Korea, Iran, Sudan, and Syria. As a result, these buyers, OFAC claimed, were able to make purchases from merchants located in the U.S. and elsewhere using digital currency on the company’s platform in violation of an executive order and multiple sanctions regulations.
In arriving at the settlement amount, OFAC considered various aggravating factors, including that the company (i) “failed to exercise due caution or care for its sanctions compliance obligations” by allowing buyers in sanctioned jurisdictions to transact with merchants despite having “sufficient information to screen those customers”; and (ii) conveyed more than $128,000 in economic benefit to individuals in OFAC sanctioned jurisdictions.
OFAC also considered various mitigating factors, including that the company (i) had implemented certain sanctions compliance controls, including due diligence and sanctions screening; (ii) trained employees—including senior management—that signing up merchants from sanctioned jurisdictions or trading with sanctioned persons is prohibited; (iii) cooperated with OFAC’s investigation; and (iv) terminated the conduct leading to the apparent violations and undertook remedial measures to minimize the risk of similar violations from occurring in the future. The base civil monetary penalty applicable in this action is $2,255,000; however, the lower settlement amount reflects OFAC’s consideration of the general factors under the Economic Sanctions Enforcement Guidelines.
Georgia announces new rental assistance program
On February 19, Georgia Governor Brian Kemp announced that Georgia has received $552 million from the federal government to implement a rental assistance program. The Georgia Department of Community Affairs will be administering the Georgia Rental Assistance program (subject to the still-developing U.S. Treasury guidelines), which will make payments directly to the landlords and utility providers of eligible individuals. To qualify for the program, a household must have:
- Qualified for unemployment benefits or experienced a reduction in household income, incurred significant costs, or experienced other financial hardship due directly or indirectly to Covid-19;
- Demonstrated a risk of experiencing homelessness or housing instability; and
- Have a household income at or below 80% of the Area Median Income (AMI), with priority given to: 1) households below 50% of the AMI, or 2) households with one or more individuals who have been unemployed 90 days or longer.
Payments are generally capped at 12 months of rent and utilities, but may extend to 15 under certain circumstances.
Hawaii extends work from home guidance
The Hawaii Department of Financial Institutions extended interim guidance permitting certain licensees with a physical presence to reduce hours or work from home to coincide with local mayor’s orders (see previous coverage here, here, here and here). The department explained that licensees may continue work from home status until applicable mayor’s orders are lifted. The department will also continue remote work status.
FDIC announces first-ever chief innovation officer
On February 16, the FDIC announced the appointment of Sultan Meghji as the agency’s first Chief Innovation Officer. Prior to the FDIC, Meghji was the co-founder of a financial technology firm that provides, “secure, cloud-native, artificial intelligence-based software for community banks and credit unions.” Additionally, Mr. Meghji served as an advisor to the U.S. Treasury, the Group of Seven (G7), the OCC, and the FBI in the areas of cybersecurity, quantum computing, and artificial intelligence. In accepting the position, Meghji stated that his mission “is to engage both public and private sector partners to ensure the financial system of the future is innovative, resilient, and equitable.”
Florida legislature introduces comprehensive privacy bill
On February 15, the Florida legislature filed HB 969, which would, among other things, regulate the sale and sharing of consumers’ personal data. Highlights of the bill include:
- Applicability. The bill will apply to for profit businesses that do business in the state, collect consumers’ personal information (“or is the entity on behalf of which such information is collected”), and (i) have global annual gross revenues exceeding $25 million; (ii) annually buy, receive, sell, or share for commercial purposes, personal information of at least 50,000 consumers, households, or devices; or (iii) derive 50 percent or more of its gross revenue from the sale of personal information. Notably, data governed by certain federal regulations and specified protected health information are exempt from coverage.
- Consumer rights. Under the bill consumers will be able to, among other things, access their personal data; have available at least two methods for requesting personal information free of charge within a certain timeframe; make corrections; request deletion of their data; obtain a copy of their data in a portable format; and opt out of third-party disclosure of their personal information collected by businesses. Businesses will also be prohibited from selling or disclosing the personal information of minor consumers, except in certain circumstances, and will be prohibited from taking certain discriminatory actions against consumers who exercise certain rights. Additionally, the bill will provide that contracts or agreements that waive or limit certain consumer rights are void and unenforceable.
- Disclosures. The bill will require businesses that collect consumers’ personal data to disclose certain information regarding data collection and selling practices to consumers at or before the point of collection. This information “may be provided through a general privacy policy or through a notice informing the consumer that additional specific information will be provided upon a certain request.” Businesses will also be prohibited from collecting or using additional categories of personal information without first notifying consumers.
- Security. Under the bill, businesses will be required “to implement reasonable security procedures and practices” to protect consumers’ personal information. The definition of “personal information” will also be revised “to include additional specified information to data breach reporting requirements.”
- Private cause of action. The bill will provide “a private right of action for consumers whose nonencrypted and nonredacted personal information or e-mail addresses are subject to unauthorized access,” and will allow consumers to bring a civil action for injunctive or declaratory relief, as well as damages that must be at least $100 but not more than $750 per consumer per incident or actual damages, whichever is greater. The Department of Legal Affairs is also authorized to seek civil penalties of no more than $2,500 for each unintentional violation or $7,500 for each intentional violation. However, fines may be tripled if a violation involves consumers 16 years of age or younger.
- Right to cure. Upon notification of any alleged violation of the law, businesses have 30 days to cure the alleged violation.
If enacted in its current form, the bill would take effect January 1, 2022. Florida is just one of several states that have recently introduced or advanced privacy legislation (continuing InfoBytes coverage available here).
NYDFS announces cybersecurity fraud alert
On February 16, NYDFS issued a cybersecurity fraud alert to regulated entities describing a “widespread cybercrime campaign” designed to steal nonpublic private consumer information (NPI) from public-facing websites and use the stolen NPI to fraudulently apply for pandemic and unemployment benefits. NYDFS states that it has received reports from several regulated entities of “successful or attempted data theft” from websites providing instant rate quotes such as auto insurance rates, noting that even if NPI is redacted, “hackers have shown that they are adept at stealing the full unredacted NPI.” NYDFS advises regulated entities to review security controls for public-facing websites that display or transmit NPI (even redacted NPI), and reminds entities of their obligations under the state’s cybersecurity regulation to promptly report the theft of consumers’ NPI. (See InfoBytes coverage on NYDFS’ cybersecurity regulation here.) The cybersecurity fraud alert furthers NYDFS’ commitment to improving cybersecurity protections for both consumers and the industry, and follows an enforcement action taken last year alleging cybersecurity regulation violations (see InfoBytes coverage of NYDYS’ complaint against a title insurer for allegedly failing to safeguard mortgage documents here), as well as the regulator’s recently issued cybersecurity insurance framework (covered by InfoBytes here).
Court holds satellite provider not liable for telemarketer’s calls
On February 12, the U.S. District Court for the Northern District of Georgia granted summary judgment in favor of a satellite TV company as to a class action’s TCPA claims, concluding that the company was not liable for its telemarketing service provider’s cold calls. As previously covered by InfoBytes, a consumer filed a class action against the company alleging that the company failed to maintain an “internal do-not-call list,” which allowed the company and its telemarketing service provider to contact him eighteen times after he repeatedly asked to not be contacted. The consumer sought certification “of all persons who received more than one telemarketing call from [the telemarketing service provider] on behalf of [the company] while it failed to maintain an internal do-not-call list.” The district court certified two representative classes: the Internal Do Not Call (IDNC) class and the National Do Not Call (NDNC) class. The company appealed the IDNC class and the U.S. Court of Appeals for the Eleventh Circuit vacated the district court’s certification of the IDNC class. The company then moved for summary judgment on the certified NDNC class claims and plaintiff’s individual IDNC claim.
Upon review, the court granted summary judgment in favor of the company concluding that there was no evidence that (i) the cold calls were made by the telemarketing provider within its actual authority from the company; (ii) the company made representations sufficient to give the telemarketing provider the apparent authority to make the cold calls; or (iii) the company ever ratified the cold calls. Specifically, the court noted that not only did the company “categorically ban[] all residential and cellular cold calls,” it also “regularly issued reminders that [the telemarketing provider] was required to continue implementation of national-do-not-call procedures in compliance with the TCPA.”
OCC says storm-affected banks may close
On February 16, the OCC issued a proclamation permitting OCC-regulated institutions, at their discretion, to close offices affected by Winter Storm Uri “for as long as deemed necessary for bank operation or public safety.” The proclamation directs institutions to OCC Bulletin 2012-28 for further guidance on actions they should take in response to natural disasters and other emergency conditions. According to the 2012 Bulletin, only bank offices directly affected by potentially unsafe conditions should close and institutions should make every effort to reopen as quickly as possible to address customers’ banking needs.
Find continuing InfoBytes coverage on disaster relief here.
OFAC revokes Yemen-related general licenses and designations
On February 16, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) revoked and archived five counter terrorism-related general licenses (GL) related to the Ansarallah designations after the U.S. Department of State determined that Ansarallah would “no longer be[] blocked pursuant to the Global Terrorism Sanctions Regulations, 31 C.F.R. part 594, the Foreign Terrorist Organizations Sanctions Regulations, 31 C.F.R. part 597, or Executive Order 13224, as amended.” Specifically, OFAC revoked GL 9, “Official Business of the United States Government,” GL 10, “Official Activities of Certain International Organizations,” GL 11, “Certain Transactions in Support of Nongovernmental Organizations’ Activities in Yemen,” GL 12, “Transactions Related to the Exportation or Reexportation of Agricultural Commodities, Medicine, Medical Devices, Replacement Parts and Components or Software Updates,” and GL 13,“Authorizing Transactions Involving Ansarallah.” Additionally, OFAC removed frequently asked questions 875, 876, and 877 from its website and made deletions to the Specially Designated Nationals and Blocked Persons list.