InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Kraninger resigns; Uejio to lead CFPB while Chopra awaits confirmation
On January 20, Kathy Kraninger resigned from her position as CFPB director and newly sworn-in President Biden announced that Dave Uejio would serve as acting director until permanent leadership is confirmed by the U.S. Senate. President Biden officially nominated Rohit Chopra as the permanent director of the Bureau.
Uejio has been with the Bureau since 2012, and prior to his appointment as acting director, he has served as the Bureau’s Chief Strategy Officer since 2015. Chopra, who is currently a Democratic Commissioner of the FTC, previously served as the Bureau’s first student loan ombudsman and assistant director of the Office for Students before leaving the Bureau in 2015.
Kraninger’s resignation is a notable departure from the Bureau’s original structure, as outlined in Dodd-Frank, which called for a single director, appointed to a five-year term and only removable by the president for cause (i.e., for “inefficiency, neglect of duty, or malfeasance in office”). As previously covered by a Buckley Special Alert, in June 2020, the Supreme Court, in a plurality opinion in Seila Law LLC v. CFPB, held that the CFPB’s statutory structure violates the constitutional separation of powers by restricting the president’s ability to remove the director. The Court remedied the constitutional violation by severing the “for cause” removal language from the remainder of the statute. When Kraninger submitted her resignation on President Biden’s Inauguration Day, she stated it was in “support of the Constitutional prerogative of the President to appoint senior officials within the government who support the President’s policy priorities…”
Agencies release SARs/AML consideration FAQs
On January 19, the Financial Crimes Enforcement Network (FinCEN), Federal Reserve Board, FDIC, NCUA, and the OCC, in consultation with staff at certain other federal functional regulators, published answers to frequently asked questions concerning suspicious activity reporting (SAR) and other anti-money laundering (AML) considerations. The answers clarify financial institutions’ commonly asked questions about SARs/AML regulatory requirements and are provided to assist financial institutions with their Bank Secrecy Act (BSA)/AML compliance obligations in order to enable them “to focus resources on activities that produce the greatest value to law enforcement agencies and other government users of [BSA] reporting.” Topics discussed include (i) law enforcement requests for financial institutions to maintain accounts; (ii) receipt of grand jury subpoenas and law enforcement inquiries and SAR filings; (iii) maintaining customer relationships following the filing of SARs; (iv) filing SARs based on negative news identified in media searches; (v) information provided in SAR data and narrative fields; and (vi) SAR character limits. The agencies note that the FAQs do not alter existing BSA/AML requirements or establish new supervisory expectations, but have been developed in response to recent recommendations as described more thoroughly in FinCEN’s Advance Notice or Proposed Rulemaking issued last September on AML program effectiveness (covered by InfoBytes here).
DACA recipients eligible for FHA loans
On January 20, the Federal Housing Administration (FHA) announced that Deferred Action for Childhood Arrivals (DACA) recipients are now eligible for FHA loans. Specifically, FHA is waiving the FHA Single Family Housing Handbook statement: “Non-US citizens without lawful residency in the U.S. are not eligible for FHA-insured mortgages.” As previously covered by InfoBytes, in June 2019, Len Wolfson, the Assistant Secretary for Congressional and Intergovernmental Relations at HUD sent a letter to Representative Pete Aguilar (D-CA) stating that DACA recipients are not eligible for FHA loans under FHA published policy, referring to the handbook statement. FHA is now reversing course, stating that the term “‘lawful residency’ pre-dates DACA and thus did not anticipate a situation in which a borrower might not have entered the country legally, but nevertheless be considered lawfully present.” In order to avoid confusion, FHA is waiving the Handbook subsection containing the statement in its entirety, but emphasizes that all other FHA borrower requirements remain in effect for all potential borrowers, including DACA recipients.
DFPI launches debt collection investigation
On January 19, California’s Department of Financial Protection and Innovation (DFPI) announced the issuance of subpoenas to a dozen debt collection companies as part of its investigation into consumer complaints about alleged unlawful, unfair, deceptive, or abusive debt collection practices. This is DFPI’s first significant action since the California Consumer Financial Protection Law—which, among other things, expanded DFPI’s UDAAP authority by adding a prohibition on “abusive” acts or practices to California law—went into effect January 1 (covered by a Buckley Special Alert). According to DFPI, consumers across the country have filed complaints against the companies, alleging the debt collectors make repeated phone calls, fail to validate debts, and threaten to sue consumers for debts they do not owe. DFPI notes that the state’s new Debt Collection Licensing Act (enacted last September and covered by InfoBytes here) requires a person engaging in the business of debt collecting in the state of California to be licensed and provides for the regulation and oversight of debt collectors by the agency.
OFAC targets Venezuelan oil sector sanctions evasion network
On January 19, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions pursuant to Executive Order 13850 against three individuals, fourteen entities, and six vessels for allegedly engaging in activities tied to a Mexico-based network involved in the illicit sale of hundreds of millions of dollars of Venezuelan oil. The action builds on OFAC’s June 2020 sanctions against three individuals and eight foreign entities for allegedly engaging in activities in or associated with a network attempting to evade U.S. sanctions on Venezuela’s oil sector in order to benefit “the illegitimate Maduro regime” and Venezuela’s state-owned oil company, Petroleos de Venezuela, S.A. (covered by InfoBytes here). As a result, all property and interests in property belonging to the identified individuals and entities subject to U.S. jurisdiction are blocked, and “any entities that are owned, directly or indirectly, 50 percent or more by the designated entities, are also blocked.” U.S. persons are generally prohibited from dealing with any property or interests in property of blocked or designated persons.
OFAC issues counter terrorism general licenses and related FAQs, updates SDN List
On January 19, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) issued four General Licenses in conjunction with State Department designations against a foreign terrorist organization: General License 9, “Official Business of the United States Government,” General License 10, “Official Activities of Certain International Organizations,” General License 11, “Certain Transactions in Support of Nongovernmental Organizations’ Activities in Yemen,” and General License 12, “Transactions Related to the Exportation or Reexportation of Agricultural Commodities, Medicine, Medical Devices, Replacement Parts and Components or Software Updates.” The general licenses authorize certain transactions ordinarily prohibited by the Global Terrorism Sanctions Regulations, Foreign Terrorist Organizations Sanctions Regulations, and Executive Order 13224, including actions “to help facilitate the uninterrupted flow of humanitarian assistance, including COVID-19-related assistance, and certain other critical commodities to the people of Yemen that would otherwise be prohibited pursuant to authorities administered by OFAC.” OFAC also published related FAQs 875, 876, and 877.
OFAC also updated its Specially Designated Nationals and Blocked Persons List to add individuals and entities associated with Venezuela, Russia, and Yemen designations.
Massachusetts establishes student loan servicer licensing provisions
On January 14, the Massachusetts governor signed H. 5250, which provides new requirements for student loan servicers. Among other things, these provisions stipulate that servicers are not required to (i) be licensed as a debt collector, or (ii) be registered as a third-party loan servicer provided the servicer does not act, represent, operate, or hold itself out as a third-party loan servicer or a debt collector outside the scope of specified provisions. The bill also requires entities servicing student loans in the Commonwealth to be licensed, but exempts from the licensing requirement banks, credit unions, wholly-owned subsidiaries of banks and credit unions, and nonprofit or public institutions of higher education. H. 5250 also establishes a student loan ombudsman within the office of the attorney general who will be tasked with resolving complaints from student loan borrowers, and assisting student loan borrowers with repayment options, applying for loan discharges and forgiveness, and resolving billing disputes, among other things. Additionally, H. 5250 states that non-exempt student loan servicers must comply with all applicable state and federal regulations, and stipulates that the commissioner may conduct investigations and examinations and suspend licensure should a servicer be found to be in violation of the outlined provisions. In addition, should the commissioner determine that a servicer has committed fraud or engaged in unfair, deceptive, or dishonest actions, the commissioner may take action, including notifying the state attorney general or the student loan ombudsman, suspending or revoking the servicer’s license, and/or imposing an administrative penalty of no more than $50,000 per incident.
OCC settles with bank’s former GC on account openings
On January 15, the OCC announced a $3.5 million penalty against a national bank’s former general counsel for his role in the bank’s incentive compensation sales practices. As previously covered by InfoBytes, in January 2020, the OCC announced charges against the former general counsel and other executives, seeking a lifetime prohibition from participating in the banking industry, a personal cease and desist order, and/or civil money penalties. The January announcement included settlements with three of the executives, and the OCC settled with three others in September 2020 (covered by InfoBytes here).
In addition to the $3.5 million penalty, the consent order against the former general counsel includes a personal cease and desist, and a requirement to cooperate with the OCC in any investigation or proceeding related to the sales practices of the bank. The consent order does not prohibit the former general counsel from holding future executive positions within the industry.
Law firm ordered to produce cyberattack report in malpractice action
On January 12, the U.S. District Court for the District of Columbia ordered a law firm to produce a forensic report generated by a consultant retained by the firm’s outside counsel in the wake of the plaintiff’s data breach, concluding that the report and associated materials were neither protected work product nor attorney-client privileged. According to the order, as part of a malpractice action in which the plaintiff, a Chinese entrepreneur, accused the law firm of failing to protect his personal information from hackers, the plaintiff moved to compel the production of “‘all reports of its forensic investigation into the cyberattack’ that led to the public dissemination of [plaintiff]’s confidential information.” The law firm opposed the motion, arguing that it already had turned over all relevant internally generated materials and any other documents were protected by attorney-client and work-product privileges. The law firm argued that the forensic report was only one half of a two-tracked investigation of the incident. On one track, the law firm’s usual cybersecurity vendor worked to investigate the attack to preserve business continuity while on a separate track, a different consultant was retained by counsel for the sole purpose of assisting the law firm in gathering information necessary to render legal advice.
The district court disagreed, concluding that the report is not covered by work-product privilege because the law firm failed to show that the report “‘would [not] have been created in the ordinary course of business irrespective of litigation.’” The court noted that the forensic report summarizes the findings of the investigation and that substantially the same document would have been prepared in any event as part of the ordinary course of the law firm’s business. While seeming to endorse the idea of a two-track investigation, the court noted that the law firm failed to provide any evidence that supported the fact that there were actually two tracks. Among other things, the court noted that the report summarizes findings into the data breach’s “cause, nature, and effect” and was used “for a range of non-litigation purposes,” including being shared with members of the law firm’s leadership and IT team and the FBI. In addition, the court noted that there was no evidence that the law firm’s usual cybersecurity vendor produced any findings, let alone a comprehensive report about the incident. Instead, the court stated that the record suggested that two days after the cyberattack began, the law firm turned to this second consulting firm instead of rather than in addition to the first consulting firm. Moreover, the court rejected the application of attorney-client privilege, concluding that the law firm’s “true objective was gleaning [the security-consulting firm]’s expertise in cybersecurity, not in ‘obtaining legal advice from [its] lawyer.’” The court noted that the report included remediation advice, indicating the security firm was “engaged for immediate ‘incident response.’” Lastly, the court noted the law firm can safely respond to the plaintiff’s interrogatories calling for information regarding other clients impacted by the cyberattack with “appropriate redactions in responsive documents” and “tailored” answers.
New York introduces biometric privacy act
On January 6, New York Assembly Bill A 27 was prefiled in the 2021-22 state legislative session, which would establish the Biometric Privacy Act and establish provisions regarding the retention, collection, disclosure and destruction of biometric identifiers or biometric information. Highlights of the bill include:
- Private entities in possession of biometric identifiers or information will be required to develop a written public policy “establishing a retention schedule and guidelines for permanently destroying biometric identifiers and information when the initial purpose for collecting or obtaining such identifiers or information has been satisfied or within three years of the individual’s last interaction with the private entity, whichever occurs first.” Further, unless a private entity possesses a valid warrant or court subpoena, it must comply with its established retention schedule and destruction guidelines.
- Prior to obtaining a person’s biometric identifier or information, a private entity must inform the subject (or a subject’s legally authorized representative) in writing that the identifier or information is being collected or stored, the specific purpose and length of term for which it is being collected, stored, and used, and must receive a written release from the subject or legally authorized representative.
- Private entities may not sell, lease, trade, or otherwise profit from a person’s biometric identifier or information.
- Private entities may not disclose, redisclose, or otherwise disseminate such information unless (i) the subject provides consent; (ii) “the disclosure or redisclosure completes a financial transaction requested or authorized by the subject” or the subject’s legally authorized representative; or (iii) the information is required by a valid warrant or court subpoena.
- Private entities must take measures to store, transmit, and protect all biometric identifiers and information from disclosure “using the reasonable standard of care within the private entity’s industry” and “in a manner that is the same as or more protective than the manner in which the private entity stores, transmits, and protects other confidential and sensitive information.”
- The bill provides a private right of action for any person aggrieved by the bill’s provisions, including damages of $5,000 or actual damages (whichever is greater), reasonable attorneys’ fees and costs, and other relief including injunctive relief as deemed appropriate.
Notably, the New York Biometric Privacy Act is a close parallel to the Illinois Biometric Information Privacy Act, which was enacted in 2008.