InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Terrorist Financing Targeting Center designates ISIS-affiliated financial facilitators and money services businesses
On July 15, the U.S. Treasury Department announced that the seven member nations of the Terrorist Financing Targeting Center (TFTC) have jointly designated six targets affiliated with the Islamic State of Iraq and Syria (ISIS), including three key money services businesses. Four targets are designated for providing “a critical financial and logistical lifeline to ISIS, its branches, and its global facilitation networks,” while two targets are designated for “abus[ing] the goodwill of the international community under the auspices of charitable giving to facilitate the transfer of funds for and to support the activities of ISIS’s branch in Afghanistan, ISIS-Khorasan (ISIS-K).” Since 2017, the participating TFTC members—Saudi Arabia, Bahrain, Kuwait, Oman, Qatar, the United Arab Emirates, and Treasury’s Office of Foreign Assets Control (OFAC)—have issued five rounds of joint designations against 60 terrorist targets globally, in an effort to challenge ISIS’s ability to finance its operations through money service businesses and charities operating under false pretenses.
As a result of the sanctions, “all property and interests in property of these targets that are or come within the United States or in the possession or control of U.S. persons must be blocked and reported to OFAC.” OFAC noted that its regulations “generally prohibit all dealings by U.S. persons or within the United States that involve any property or interests in property of blocked persons.” OFAC further warned that persons that engage in transactions with one of the designated individuals maybe be exposed to sanctions or subject to an enforcement action. Additionally, foreign financial institutions that knowingly facilitate significant transactions to the designated entities may be subject to prohibitions or strict conditions by OFAC.
OFAC issues sanctions for supporting Russian financier
On July 15, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions pursuant to Executive Orders 13848, 13694, and 13661 against three individuals and five entities located in Sudan, Hong Kong, and Thailand, for allegedly enabling a Russian financier to evade U.S. sanctions. According to OFAC, the financier supported the Internet Research Agency (IRA), a Russian “troll farm” designated by OFAC in 2018, and is believed to be the financier behind Private Military Company, a “designated Russian Ministry of Defense proxy force.” OFAC alleged that this operation “advocated for the use of social media-enabled disinformation campaigns similar to those deployed by the IRA, and the staging of public executions to distract protestors seeking reforms.” Additionally, OFAC alleged that the individual and Thailand and Hong Kong-based entities “facilitated over 100 transactions exceeding $7.5 million that were sent in the interest of [the financier].” As a result, all property and interests in property belonging to, or owned by, the identified individuals and entities subject to U.S. jurisdiction are blocked, and “any entities that are owned, directly or indirectly, 50 percent or more by the designated entities, are also blocked.” U.S. persons are generally prohibited from dealing with any property or interests in property of blocked or designated persons.
Court of Justice of the European Union invalidates EU-U.S. Privacy Shield; standard contractual clauses survive (for now)
On July 16, 2020, the Court of Justice of the European Union (CJEU) issued its opinion in the Schrems II case (Case C-311/18). In its opinion, the CJEU concluded that the Standard Contractual Clauses issued by the European Commission for the transfer of personal data to data processors established outside of the EU are valid. However, the Court invalidated the EU-U.S. Privacy Shield. The ruling cannot be appealed.
Background
In 2015, a privacy campaigner named Max Schrems filed a complaint with Ireland’s Data Protection Commissioner challenging a global social media company’s use of data transfers from servers in Ireland to servicers in the U.S. Schrems argued that U.S. laws did not offer sufficient protection of EU customer data, that EU customer data might be at risk of being accessed and processed by the U.S. government once transferred, and that there was no remedy available to EU individuals to ensure protection of their personal data after transfer to the U.S. Schrems sought the suspension or prohibition of future data transfers, which were executed by the company through standard data protection contractual clauses (a method approved by the Court in 2010 by Decision 2010/87). The social media company had utilized these standard contractual clauses after the CJEU invalidated the U.S. – EU Safe Harbor Framework in 2015.
Following the complaint, Ireland’s Data Protection Commissioner brought proceedings against the social media company in the Irish High Court, which referred numerous questions to the CJEU for a preliminary ruling, including questions addressing the validity of the standard contractual clauses and the EU-U.S. Privacy Shield.
CJEU Opinion – Standard Contractual Clauses (Decision 2010/87)
Upon review of the recommendations from the CJEU’s Advocate General published on December 19, 2019, the CJEU found the Decision approving the use of contractual clauses to transfer personal data valid.
The CJEU noted that the GDPR applies to the transfer of personal data for commercial purposes by a company operating in an EU member state to another company outside of the EU, notwithstanding the third-party country’s processing of the data under its own security laws. Moreover, the CJEU explained that data protection contractual clauses between an EU company and a company operating in a third-party country must afford a level of protection “essentially equivalent to that which is guaranteed within the European Union” under the GDPR. According to the CJEU, the level of protection must take into consideration not only the contractual clauses executed by the companies, but the “relevant aspects of the legal system of that third country.”
As for the Decision 2010/87, the CJEU determined that it provides effective mechanisms to, in practice, ensure contractual clauses governing data transfers are in compliance with the level of protection requirement by the GDPR, and appropriately requires the suspension or prohibition of transfers in the event the clauses are breached or unable to be honored. The CJEU specifically highlighted the certification required by the EU data exporter and the third-party country recipient to verify, prior to any transfer, (i) the level of data protection in the third-party country prior to any transfer; and (ii) abilities to comply with the data protection clauses.
CJEU Opinion - EU-U.S. Privacy Shield, (Decision 2016/1250)
The CJEU decided to examine and rule on the validity of the EU – U.S. Privacy Shield. The CJEU determined that because the requirements of U.S. national security, public interest and law enforcement have “primacy” over the data protection principles of the EU-U.S. Privacy Shield, the data transferred under the EU-U.S. Privacy Shield would not be subject to the same level of protections prescribed by the GDPR. Specifically, the CJEU held that the surveillance programs used by U.S. authorities are not proportionally equivalent to those allowed under the EU law because they are not “limited to what is strictly necessary,” nor, under certain surveillance programs, does the U.S. “grant data subjects actionable rights before the courts against the U.S. authorities.” Moreover, the CJEU rejected the argument that the Ombudsperson mechanism satisfies the GDPR’s right to judicial protection, stating that it “does not provide any cause of action before a body which offers the persons whose data is transferred to the United States guarantees essentially equivalent to those required by [the GDPR],” and the Ombudsperson “cannot be regarded as a tribunal.” Thus, on those grounds, the CJEU declared the EU-U.S. Privacy Shield invalid.
Colorado amends and extends executive order relating to evictions
On July 12, the Colorado governor issued Executive Order 2020 134, which amends and extends Executive Order 2020 101, which imposed limitations on certain evictions to provide relief to tenants affected by Covid-19. Among other changes, the amendments require landlords to provide tenants with 30 days’ notice of any default for nonpayment of rent occurring on or after March 10, during which time the tenant has a one-time opportunity to cure the default. Municipalities and other local jurisdictions are encouraged to suspend limitations on, among other things, the number of unrelated persons that can live in a single household to enable homeowners to provide rooms to those in need of housing. Executive Order 2020 101 is extended until 30 days from July 12, 2020, unless otherwise extended.
Special Alert: CFPB takes first-ever agency redlining action against nonbank lender
On July 15, the Consumer Financial Protection Bureau filed a complaint against a Chicago-based nonbank mortgage company alleging fair lending violations predicated, in part, on statements made by the company’s owner and other employees during radio shows and podcasts from 2014 through 2017. The complaint, filed in federal court in Illinois, marks the first instance in which a federal regulator has taken a public enforcement action against a nondepository institution based on allegations of redlining.
According to the CFPB, the mortgage company violated the Equal Credit Opportunity Act and the Consumer Financial Protection Act by engaging in discriminatory marketing and applicant outreach practices that allegedly:
9th Circuit: FCRA claim cannot prevail without first providing notice of disputed information
On July 14, the U.S. Court of Appeals for the Ninth Circuit affirmed summary judgment in favor of a group of defendants, including a credit reporting agency (CRA) and furnisher, after determining that a consumer plaintiff failed to adequately notify the CRA of an error on her credit report. According to the opinion, the plaintiff questioned the accuracy of certain information on her credit report and requested that these inaccuracies be investigated. Defendants investigated and corrected the inaccuracies and informed the plaintiff that if she further disputed the accuracy of the reported information, she could submit additional documentation to support her claim. Plaintiff continued to believe her credit report contained inaccuracies; specifically, she contended that the CRA was misreporting the date on which her bankruptcy was discharged. But rather than notify the CRA, she instead filed suit in federal district court alleging violations under the FCRA. The defendants filed for summary judgment which the district court granted, concluding that while “the date of the bankruptcy may have continued to be misreported after the conclusion of the reinvestigation,’ there was no genuine dispute of material fact on whether [the plaintiff] notified [the CRA] of that specific reporting error.” The 9th Circuit agreed, starting that because the plaintiff failed “to provide adequate notice of this reporting error” the scope of the defendants’ duties were limited. Moreover, the 9th Circuit held that a consumer cannot prevail on a “FCRA claim without first putting the [CRA] on notice of the information that is disputed.”
District court denies interlocutory appeal request in escrow interest action
On July 9, the U.S. District Court for the District of Maryland denied a national bank’s request for interlocutory appeal of the court’s February decision denying the bank’s motion to dismiss an action, which alleged that the bank violated Maryland law by not paying interest on escrow sums for residential mortgages. As previously covered by InfoBytes, after the bank allegedly failed to pay interest on a consumer’s mortgage escrow account, the consumer filed suit against the bank alleging, among other things, a violation of Section 12-109 of the Maryland Consumer Protection Act (MCPA), which “requires lenders to pay interest on funds maintained in escrow on behalf of borrowers.” The court rejected the bank’s assertion that the state law is preempted by the National Bank Act (NBA) and by the OCC’s 2004 preemption regulations. The court concluded that under the Dodd-Frank Act, national banks are required to pay interest on escrow accounts when mandated by applicable state or federal law.
The bank subsequently moved for an interlocutory appeal. In denying the bank’s request, the court explained that there was not a difference of opinion among courts as to whether the NBA preempts Maryland’s interest on escrow law. Specifically, the court noted that its “conclusion aligns with the only other two courts that have examined [the] particular question,” citing to the U.S. Court of Appeals for the Ninth Circuit’s decision in Lusnak v Bank of America and the Eastern District of New York’s decision in Hymes v. Bank of America (covered by InfoBytes here and here, respectively). After finding there is no “difference of opinion as to any ‘controlling legal issue,’” the court concluded the motion failed to satisfy the requisite elements for an interlocutory appeal.
South Dakota requires mortgage licensees to register branches
On July 1, the South Dakota Division of Banking began accepting mortgage branch registration applications via NMLS. Previously, the division did not require branches of South Dakota mortgage lender licensees, mortgage brokerage licensees, or non-residential mortgage lender licensees to be registered in this fashion.
The NMLS description of the registration provides that it is required for any branch of a South Dakota mortgage lender licensee, mortgage brokerage licensee, or non-residential mortgage lender licensee that “for valuable consideration, originates, sells, or services mortgages, or holds himself, herself, or itself out as a person who, for valuable consideration, originates, sells, or services mortgages.”
Licensees have until December 31, 2021 (more than 17 months) to register their applicable branches. No items are required outside of NMLS regarding the application. However, branch managers must be licensed as South Dakota mortgage loan originators, which could take several months to coordinate.
House hearing on mortgage servicers’ implementation of CARES Act
On July 16, the House Financial Services Committee’s Subcommittee on Oversight and Investigations held a hearing entitled “Protecting Homeowners During the Pandemic: Oversight of Mortgage Servicers’ Implementation of the CARES Act.” The subcommittee’s memorandum regarding the hearing discussed, among other things, the HUD Office of Inspector General’s report of its review of the type of forbearance information accessible to borrowers on the top 30 mortgage servicers’ websites. The report highlighted concerns that 10 of the servicers failed to have forbearance information “‘readily available’ on their websites,” 14 servicers’ websites did not provide information about the length of the forbearance period to which borrowers are entitled under the CARES Act, and certain servicers “included information giving the impression that lump sum payments were required at the end of the forbearance period.”
Witnesses discussed widespread issues in CARES Act-related mortgage servicing, with several witnesses and lawmakers highlighting how preexisting inequalities have especially imperiled black and Latinx home ownership during the Covid-19 pandemic. One witness suggested that servicers should be required to provide written notice to borrowers of their options and rights under the CARES Act and should be held accountable for failing to provide consistent, accurate forbearance information to borrowers in a timely manner. Another witness noted that housing counselors have reported servicers providing misinformation on payment and deferral options, and stressed the need for coordinated efforts between the CFPB, FHFA, and HUD, in addition to strong supervisory and enforcement activity.
Other topics discussed during the hearing included (i) the importance of providing clear guidance for borrowers, as well as the importance of loan modifications, loss mitigation options, and long term solutions once forbearance has ended; (ii) understanding what servicers of non-federally backed mortgages not covered by the CARES Act are doing to assist borrowers, and whether there should be a safe harbor for these mortgage servicers from investor liability; and (iii) the CFPB’s responsibility for overseeing servicers. One of the witnesses noted during the hearing, however, that many mortgage servicers offered homeowners forbearance options before the CARES Act, provided forbearance to homeowners with non-federally backed mortgages, and have responded to “an evolving series of program and regulatory announcements from various programs and agencies.”
CFPB releases updated Covid-19 consumer complaints bulletin
On July 16, the CFPB released a newly updated consumer complaint bulletin analyzing complaints the Bureau has received during the Covid-19 pandemic. The bulletin analyzes complaints mentioning coronavirus-related key words (such as Covid, coronavirus, pandemic, CARES Act, and stimulus) that were received as of May 31. Complaints related to Covid-19 accounted for 8,357 of the more than 187,000 complaints the Bureau has received in 2020. Highlights of the bulletin include: (i) mortgage and credit cards are the top complaint categories for Covid-19 complaints; (ii) after the emergency declaration, the weekly average complaint volume for prepaid cards grew 105 percent, while the volume for student loans decreased by 24 percent; and (iii) 10 percent of complaints submitted by servicemembers were Covid-19 related compared to six percent of non-servicemember complaints. As previous covered by InfoBytes, in May, the Bureau issued the first complaint bulletin analyzing approximately 4,500 Covid-19-related complaints received at that time.
Additionally, the CFPB announced new capabilities for the public Consumer Complaint Database, including the ability to (i) view complaints over time to review for trends; (ii) refine visualizations based on user selected criteria; and (iii) aggregate complaints by various categories, such as issues and products.