
InfoBytes Blog

Financial Services Law Insights and Observations


  • State AGs reach $2 million settlement to resolve data breach

    State Issues

    On December 18, state attorneys general from Connecticut, Indiana, Kentucky, Michigan, New Jersey, New York and Oregon announced a $2 million settlement with an online retailer concerning allegations that the retailer failed to promptly and adequately respond to a 2019 data breach that compromised more than 22 million consumers’ personal information. According to the Assurance of Voluntary Compliance, the retailer failed to detect a breach in which an unidentified attacker obtained information including Social Security numbers and tax identification numbers. After learning about the vulnerability from a third-party security researcher, the retailer issued a patch to remediate the vulnerability and required users to reset the passwords on their customer accounts. However, the AGs claim that the retailer took nearly six months to conduct a full investigation into whether its user database had been breached, and only began notifying affected users after determining that users’ personal information was for sale on the dark web.

    In addition to paying $2 million to the AGs, which is partially suspended due to the retailer’s financial condition, the retailer—who has not admitted to the alleged violations—has agreed to (i) develop and implement a comprehensive information security program; (ii) design an incident response and data breach notification plan that covers preparation, detection and analysis, containment, eradication, and recovery (the incident-handling phases of NIST SP 800-61); (iii) ensure personal information safeguards and controls are in place, such as encryption, segmentation, penetration testing, risk assessment, password management, logging and monitoring, personal information deletion, and account closure notification; and (iv) ensure third-party security assessments occur biennially for the next five years.

    State Issues Privacy/Cyber Risk & Data Security Data Breach State Attorney General

  • CSBS challenges OCC’s pending fintech charter

    State Issues

    On December 22, the Conference of State Bank Supervisors (CSBS) filed a complaint in the U.S. District Court for the District of Columbia opposing the OCC’s impending approval of a national bank charter for a financial services provider (company), arguing that the OCC is exceeding its chartering authority. According to the complaint, the company’s charter is close to being formally approved by the OCC after being “solicited, vetted and in November 2020 accepted as complete” by the agency. The complaint asserts the company will continue its lending and payment activities (which are currently state-regulated) without obtaining deposit insurance from the FDIC. The complaint alleges that the company is applying for the OCC’s nonbank charter, which was invalidated by the U.S. District Court for the Southern District of New York in October 2019, when that court concluded that the OCC’s Special Purpose National Bank Charter (SPNB) should be “set aside with respect to all fintech applicants seeking a national bank charter that do not accept deposits” (covered by InfoBytes here). CSBS argues that “by accepting and imminently approving” the company’s application, the “OCC has gone far beyond the limited chartering authority granted to it by Congress under the National Bank Act (the “NBA”) and other federal banking laws,” as the company is not engaged in the “business of banking.” CSBS seeks to, among other things, have the court declare the agency’s nonbank charter program unlawful and prohibit the approval of the company’s charter under the NBA without obtaining FDIC insurance.

    State Issues CSBS OCC Fintech National Bank Act Courts Preemption NYDFS Fintech Charter Bank Regulatory FDIC

  • Court grants preliminary approval of CCPA class action settlement

    Courts

    On December 29, the U.S. District Court for the Northern District of California granted preliminary approval of a proposed settlement in a class action alleging that a children’s clothing company and a cloud technology service provider (collectively, “defendants”) violated, among other things, the California Consumer Privacy Act (CCPA) after suffering a data breach that potentially exposed the personally identifiable information (PII) customers used to purchase products from the company’s website. After the company issued a notice of the security incident in January 2020, the plaintiffs filed the class action alleging the company failed to (i) “adequately protect its users’ PII”; (ii) “warn users of its inadequate information security practices”; and (iii) “effectively monitor [the company]’s website and ecommerce platform for security vulnerabilities and incidents.”

    After mediation, the plaintiffs filed an unopposed motion for preliminary approval of class action settlement, which provides for a $400,000 settlement fund to cover approximately 200,000 class members who made purchases through the company’s website from September 16, 2019 to November 11, 2019. Class members have the option of claiming a cash payment of up to $500 for a Basic Award or of up to $5,000 for a Reimbursement Award, with amounts increasing or decreasing pro rata based on the number of claimants. Additionally, the company agreed to certain business practice changes, including conducting a risk assessment of its data assets and environment and enabling multi-factor authentication for all cloud services accounts. When granting preliminary approval, the court concluded that the agreement does “not improperly grant preferential treatment to any individual or segment of the Settlement Class and fall[s] within the range of possible approval as fair, reasonable, and adequate.”

    Courts CCPA State Legislation Privacy/Cyber Risk & Data Security Data Breach Class Action State Issues

  • 9th Circuit reaffirms order enforcing Seila CID

    Courts

    On December 29, the U.S. Court of Appeals for the Ninth Circuit reaffirmed a district court’s order granting the CFPB’s petition seeking to enforce a civil investigative demand (CID) sent to Seila Law. As previously covered by InfoBytes, the Bureau filed a supplemental brief arguing that the formal ratifications of then-Acting Director Mick Mulvaney and current Director Kathy Kraninger, paired with the U.S. Supreme Court’s ruling in Seila Law v. CFPB, are sufficient for the appellate court to enforce the CID previously issued against the law firm, and that “[s]etting aside the CID at this point would serve no valid purpose.” In reaffirming the order, the appellate court wrote that “Director Kraninger’s ratification remedied any constitutional injury that Seila Law may have suffered due to the manner in which the CFPB was originally structured. Seila Law’s only cognizable injury arose from the fact that the agency issued the CID and pursued its enforcement while headed by a Director who was improperly insulated from the President’s removal authority. Any concerns that Seila Law might have had about being subjected to investigation without adequate presidential oversight and control had now been resolved. A Director well aware that she may be removed by the President at will had ratified her predecessors’ earlier decisions to issue and enforce the CID.” The 9th Circuit also rejected Seila Law’s argument that the ratification occurred outside the limitations period for bringing an enforcement action against the law firm, determining that the “statutory limitations period pertains solely to the bringing of an enforcement action, which the CFPB had not yet commenced against Seila Law.”

    Courts Ninth Circuit Appellate CFPB Seila Law Single-Director Structure

  • OCC: Banks may use independent node verification networks and stablecoins for payment activities

    Agency Rule-Making & Guidance

    On January 4, the OCC published an interpretive letter addressing the legal permissibility of certain payment-related activities involving the use of new technologies, including using independent node verification networks (INVN) and related stablecoins to conduct payment activities and other bank-permissible functions. Specifically, the letter clarifies that a national bank or federal savings association “may validate, store, and record payments transactions by serving as a node on an INVN,” and may also “use INVNs and related stablecoins to carry out other permissible payment activities” provided the bank or federal savings association complies with applicable laws and safe, sound, and fair banking practices. Due to the decentralized nature of INVNs—which not only “allows a comparatively large number of nodes to verify transactions in a trusted manner” but also “limits tampering or adding inaccurate information to the database because information is only added to the network after consensus is reached among the nodes validating the information”—the OCC believes that INVNs may enhance payment activities’ efficiency, effectiveness, and stability within the federal banking system. The letter also outlines potential risks associated with INVN-related activities, including operational and compliance risks as well as fraud, money laundering and terrorist financing risks, and warns banks and federal savings associations to expand their programs to ensure compliance with Bank Secrecy Act reporting and recordkeeping requirements and to address cryptocurrency transaction risks.

    Agency Rule-Making & Guidance Digital Assets OCC Stablecoins Payments Fintech Bank Secrecy Act Anti-Money Laundering Bank Regulatory

  • FinCEN warns financial institutions about Covid-19 vaccine-related scams and cyberattacks

    Agency Rule-Making & Guidance

    On December 28, the Financial Crimes Enforcement Network (FinCEN) issued a notice to financial institutions concerning the potential for Covid-19 vaccine-related fraud, ransomware attacks, and other types of criminal activity. Specifically, FinCEN warns financial institutions to be aware of the potential sale of unapproved and illegally marketed vaccines, as well as fraudsters offering early access to vaccines for a fee. Financial institutions should also look out for ransomware targeting vaccine delivery operations and supply chains. The notice provides instructions for filing suspicious activity reports regarding the aforementioned activity.

    Agency Rule-Making & Guidance FinCEN Covid-19 Privacy/Cyber Risk & Data Security SARs

  • FinCEN proposes new reporting requirements for certain CVC and digital asset transactions

    Agency Rule-Making & Guidance

    On December 18, the Financial Crimes Enforcement Network (FinCEN) issued a notice of proposed rulemaking (NPRM) that would require financial institutions and money service businesses (MSBs) to maintain records and submit reports verifying customer identities for certain transactions involving convertible virtual currency (CVC) or digital assets with legal tender status (LTDA). Under the NPRM, the requirements would apply to transactions involving CVC and LTDA that are held in certain “hosted” wallets at financial institutions, as well as in “unhosted” wallets, which are not held at an exchange or bank. Banks and MSBs would be required to file transaction reports with FinCEN within 15 days, verifying the identity of their customers, if a counterparty to the transaction is using an unhosted or otherwise covered wallet and the transaction is greater than $10,000. Banks and MSBs would also be required to maintain records of customers’ CVC or LTDA transactions and counterparties—“including verifying the identity of their customers, if a counterparty uses an unhosted or otherwise covered wallet and the transaction is greater than $3,000.” According to Treasury Secretary Steven T. Mnuchin, the proposed rule “is intended to protect national security, assist law enforcement, and increase transparency while minimizing impact on responsible innovation” by “closing loopholes that malign actors may exploit.” FinCEN notes that, while the NPRM “proposes to prescribe by regulation that CVC and LTDA are ‘monetary instruments’ for purposes of the” Bank Secrecy Act (BSA), it does not “modify the regulatory definition of ‘monetary instruments’ or otherwise alter existing BSA regulatory requirements applicable to ‘monetary instruments’ in FinCEN’s regulations.” Comments on the NPRM were due January 4.

    Agency Rule-Making & Guidance FinCEN Anti-Money Laundering Virtual Currency Fintech Of Interest to Non-US Persons Bank Secrecy Act

  • CFPB issues two new CAS approval orders

    Federal Issues

    On December 30, the CFPB issued two compliance assistance sandbox (CAS) approval orders covering a dual-feature credit card and an earned wage access product. The first approval was issued to a federal savings bank regarding its proposal to develop a “dual-feature credit card,” which would be offered to consumers with limited or damaged credit history to help them reestablish a more favorable credit history. According to the approval order, the consumer would be required to provide a security deposit to be used with the secured credit card feature, and after “at least one year” and meeting certain eligibility requirements, the consumer would be offered the option to “graduate” to unsecured use of the credit card. The three-year approval order, by operation of TILA section 130(f), provides the bank a safe harbor from liability under TILA and Regulation Z, to the fullest extent permitted by section 130(f), as to any act done in good faith compliance with the order.

    The second approval order covers certain aspects of an earned wage access (EWA) payment program, which allows employees access to their earned but unpaid wages prior to payday. According to the CAS application, an employee of a participating employer can download the company’s app and agree to the company’s terms prior to engaging in an EWA program. Among other things, the company notes that it will not engage in any debt collection activities related to the EWA program or submit reports to a consumer reporting agency regarding the transactions. The two-year approval order, by operation of TILA section 130(f), provides the company a safe harbor from liability under TILA and Regulation Z, to the fullest extent permitted by section 130(f) as to any act done in good faith compliance with the order.

    Federal Issues Fintech Regulatory Sandbox No Action Letter TILA Regulation Z CFPB

  • CFPB reaches $2 million settlement with installment lender for MLA, EFTA violations

    Federal Issues

    On December 30, the CFPB announced a settlement with a Nevada-based consumer lender resolving allegations that the company violated the Military Lending Act (MLA), the Electronic Fund Transfer Act (EFTA), and the CFPA when making installment loans. The settlement is part of “the Bureau’s sweep of investigations of multiple lenders that may be violating the MLA.” According to the Bureau, the company allegedly made loans to active-duty servicemembers and their dependents (covered borrowers) in violation of the MLA by requiring borrowers to repay installment loans by “allotment.” Additionally, the Bureau alleges that the company violated the EFTA by requiring all of its covered borrowers to authorize the company “to initiate an electronic-fund transfer on the first business day after the due date of a payment that has been missed.” This requirement, the Bureau states, violates the EFTA’s prohibition against requiring borrowers to preauthorize electronic-fund transfers as a condition of receiving credit.

    Under the terms of the consent order, the company is required to pay a $2.175 million civil money penalty, and must also, among other things, (i) provide notice of the Bureau’s consent order to all covered borrowers repaying their loans by allotment, along with notice that they may elect to change their repayment method; and (ii) provide training to employees involved in loan origination. Furthermore, the company is prohibited from accepting payment by allotment without first obtaining signed authorization from the borrower, and is banned from providing any incentives to employees or considering the number or rate of consumers who elect to repay by allotment during performance evaluations.

    Federal Issues CFPB Enforcement Military Lending Act EFTA CFPA

  • Illinois reissues and extends several Covid-19 executive orders

    State Issues

    On January 8, the governor of Illinois issued Executive Order 2021-01 extending numerous executive orders through February 6, 2021 (previously covered here, here, here, here, and here). Among other things, the order extends: (i) Executive Order 2020-07 regarding in-person meeting requirements; (ii) Executive Order 2020-23 regarding actions by individuals licensed by the Illinois Department of Financial and Professional Regulation engaged in disaster response; (iii) Executive Order 2020-25 regarding garnishment and wage deductions (previously covered here); and (iv) Executive Order 2020-30 regarding residential evictions (previously covered here and here).

    State Issues Covid-19 Illinois Regulation Debt Collection Mortgages Evictions
