
InfoBytes Blog

Financial Services Law Insights and Observations


  • Fed discusses cybersecurity risk management and emerging threats

    Privacy, Cyber Risk & Data Security

    On July 7, the Federal Reserve Board published its 2022 Cybersecurity and Financial System Resilience Report. Issued pursuant to the Consolidated Appropriations Act, the Fed’s report described measures it has taken to strengthen cybersecurity in the financial services sector. The report identified cybersecurity as a high priority for the Federal Reserve System and Board-supervised institutions and recognized the increasing and evolving nature of cybersecurity threats to the financial system. It delivered an overview of the Fed’s supervisory policies and procedures, which, among other things, require supervised institutions to implement internal controls and information systems appropriate to the size of the institution and to the nature, scope, and risk of its activities. The report explained that examiners’ cybersecurity evaluations consider “the business model and activities conducted by supervised institutions as part of a principles-based supervision program.” According to the Fed, an examination’s scope “is set as part of a multiyear supervisory plan that considers key cybersecurity risks, the industry landscape, and other factors such as emerging technologies.” The Fed explained that as part of these evaluations, “examiners consider business-line controls, risk-management practices, assurance functions, and governance activities performed by the firm’s senior management and board of directors.”

    The report also outlined intergovernmental, international, and public and private sector coordination activities, and included a list of recent actions taken by the Fed and other agencies to promote cybersecurity. Additionally, the report discussed current or emerging threats to financial institutions’ ability to operate and protect customer data, including ransomware, sophisticated distributed denial of service threats, increasing geopolitical tensions, and attacks on supply chains or third parties. Other emerging technology-related cybersecurity threats are also discussed, including “[p]otential cybersecurity vulnerabilities in fintech applications,” such as cryptocurrency exchanges, banking applications, and other platforms that provide “threat actors an opportunity to steal funds or data by compromising victims’ computer systems or technology infrastructure used to interact with the products or services.”

    Privacy, Cyber Risk & Data Security Federal Issues Bank Regulatory Federal Reserve Risk Management Examination

  • Ohio AG, FCC take action against robocall operation

    State Issues

    On July 7, the Ohio attorney general filed a complaint against multiple companies for participating in an alleged unwanted car warranty call operation. The complaint, filed in the U.S. District Court for the Southern District of Ohio, alleged that the 22 named defendants “participated in an unlawful robocall operation that bombarded American consumers with billions of robocalls.” Specifically, the complaint alleged that the defendants “initiated over 77 million robocalls per day for the purpose of generating sales leads, many times in relation to the sale of Vehicle Service Contracts (‘VSCs’) that are deceptively marketed as ‘car warranty’ plans,” totaling at least 800 million call attempts. The defendants allegedly violated the TSR, the Ohio Consumer Sales Practices Act, and the Ohio Telephone Solicitation Sales Act by, among other things: (i) deceptively representing the subject of the call; (ii) misrepresenting caller IDs, or “spoofing”; and (iii) acting as telephone solicitors without having registered as telephone solicitors with the Ohio AG’s Office, as required by law, and without having obtained and filed the required surety bond. The lawsuit coincided with the FCC’s announcement of actions taken to decrease robocalls, including sending cease and desist letters to several carriers in an attempt “to cut off a flood of possibly illegal robocalls marketing auto warranties targeting billions of consumers.” The announcement also noted that the FCC has authorized “all U.S.-based voice service providers to cease carrying any traffic originating from the [named] operation consistent with FCC regulations,” as detailed in a public notice to all U.S.-based voice service providers.

    State Issues Federal Issues Ohio Enforcement VoIP Robocalls State Attorney General

  • Brainard stresses need for crypto regulation

    On July 8, Fed Vice Chair Lael Brainard warned that “[r]ecent volatility has exposed serious vulnerabilities in the crypto financial system.” Speaking before a Bank of England conference, Brainard explained that while crypto-assets are presented as a “fundamental break from traditional finance,” they are still susceptible to leverage, settlement, opacity, and maturity and liquidity transformation risks. The recent bankruptcy of a prominent crypto hedge fund and failed projects in the cryptocurrency space demonstrate that the crypto ecosystem faces many of the same challenges that are well known from traditional finance, she said. Brainard acknowledged that a “digital native form of safe central bank money could enhance stability by providing the neutral trusted settlement layer in the future crypto financial system,” but she also stressed that it is important “that the foundations for sound regulation of the crypto financial system be established now before the crypto ecosystem becomes so large or interconnected that it might pose risks to the stability of the broader financial system.” Novel crypto products often come with new risk factors, she said, adding that it may also be difficult “to distinguish between hype and value.” A strong regulatory framework that imposes “guardrails for safety and soundness, market integrity, and investor and consumer protection will help ensure that new digital finance products, platforms and activities are based on genuine economic value and not on regulatory evasion,” Brainard stated. She also noted that strong regulatory guardrails would help investors and developers build “a resilient digital native financial infrastructure” and help banks, payments providers, and fintech companies “improve the customer experience, make settlement faster, reduce costs, and allow for rapid product improvement and customization.”

    Bank Regulatory Federal Issues Digital Assets Federal Reserve Cryptocurrency Fintech Risk Management

  • Fed takes action against bank for flood insurance violations

    On July 7, the Federal Reserve Board announced a civil money penalty against a Massachusetts state bank. In the order, the Fed alleged that the bank violated the National Flood Insurance Act (NFIA) and Regulation H. The order assesses a $17,000 penalty against the bank for an alleged pattern or practice of violations of Regulation H but does not specify the number or the precise nature of the alleged violations. The maximum civil money penalty under the NFIA for a pattern or practice of violations is $2,000 per violation.

    Bank Regulatory Federal Issues Federal Reserve Flood Insurance National Flood Insurance Act Regulation H Enforcement

  • FHA expands mortgage eligibility for Covid-affected borrowers

    Federal Issues

    On July 7, FHA announced expanded mortgage eligibility for qualifying borrowers who previously experienced employment gaps or loss of income due to the Covid-19 pandemic. Under Mortgagee Letter (ML) 2022-09, salaried and hourly wage-earners, as well as self-employed individuals impacted by a Covid-19 related economic event (defined “as a temporary loss of employment, temporary reduction of income, or temporary reduction of hours worked during the Presidentially Declared COVID-19 National Emergency”), who now have stable income will have a greater opportunity to purchase a home using affordable FHA-insured mortgage financing. Specifically, ML 2022-09 updates calculation guidelines for a borrower’s effective income under certain sections in the Single-Family Housing Policy Handbook 4000.1. While ML 2022-09’s provisions are effective for all case numbers assigned on or after September 5, 2022, lenders may begin using the policies immediately. According to FHA Commissioner Julia Gordon, the changes further agency efforts “to facilitate recovery from COVID-19 and support access to homeownership, particularly for populations most deeply impacted by the pandemic.” Gordon noted that the pandemic impacted “the livelihoods of tens of millions of workers in this country, particularly workers of color and those at the lower end of the wage scale.”

    Federal Issues FHA Mortgages HUD Covid-19 Consumer Finance

  • Treasury releases fact sheet on digital asset international engagement

    Federal Issues

    On July 7, the Secretary of the Treasury released a Fact Sheet on the Framework for International Engagement on Digital Assets. The Fact Sheet was delivered to President Biden, as directed in the Executive Order on Ensuring Responsible Development of Digital Assets (E.O.) and in consultation with the Secretary of State, the Secretary of Commerce, and the heads of other relevant agencies. The E.O. outlined an interagency approach to address the risks and harness the potential benefits of digital assets and their underlying technology, and directed the Administration to promote the “development of digital asset and central bank digital currencies (CBDC) technologies consistent with [the Treasury’s] values and legal requirements.” According to the announcement, “the framework is intended to ensure that, with respect to the development of digital assets, America’s core democratic values are respected; consumers, investors, and businesses are protected; appropriate global financial system connectivity and platform and architecture interoperability are preserved; and the safety and soundness of the global financial system and international monetary system are maintained.” The announcement also noted that “a history of robust engagement provides a strong foundation for expanded, strategic engagement going forward” and highlighted other key international engagements.

    Federal Issues Digital Assets Fintech Of Interest to Non-US Persons Cryptocurrency CBDC

  • CFPB publishes rulemaking agenda

    Federal Issues

    Recently, the Office of Information and Regulatory Affairs released the CFPB’s spring 2022 rulemaking agenda. According to the preamble, the information in the agenda is current as of April 1, 2022 and identifies regulatory matters that the Bureau “reasonably anticipates having under consideration during the period from June 1, 2022 to May 31, 2023.”

    Key rulemaking initiatives include:

    • Consumer Access to Financial Records. The Bureau notes that it is considering rulemaking to implement section 1033 of the Dodd-Frank Act to address the development and use of standardized formats for information made available to consumers. The Bureau will release materials in advance of convening a panel under the Small Business Regulatory Enforcement Fairness Act (SBREFA), in conjunction with the Office of Management and Budget and the Small Business Administration’s Chief Counsel for Advocacy.
    • Amendments to FIRREA Concerning Automated Valuation Models. The Bureau is participating in interagency rulemaking with the Fed, OCC, FDIC, NCUA, and FHFA to develop regulations to implement the amendments made by the Dodd-Frank Act to FIRREA concerning appraisal automated valuation models (AVMs). The FIRREA amendments require implementing regulations for quality control standards for AVMs. The Bureau released a SBREFA outline in February 2022 and estimates in the agenda that the agencies will issue an NPRM in December 2022 (covered by InfoBytes here).
    • Property Assessed Clean Energy Financing. The Bureau issued an ANPR in March 2019 to extend TILA’s ability-to-repay requirements to PACE transactions (covered by InfoBytes here). The Bureau is working to develop a proposed rule to implement Economic Growth, Regulatory Relief, and Consumer Protection Act section 307 in May 2023.
    • Small Business Lending Data Collection Under the Equal Credit Opportunity Act. Section 1071 of the Dodd-Frank Act amended ECOA to require financial institutions to report information concerning credit applications made by women-owned, minority-owned, and small businesses, and directed the Bureau to promulgate rules for this reporting. The Bureau issued an NPRM in August 2021, and the comment period ended January 6 (covered by InfoBytes here). The agenda indicates that the Bureau estimates issuance of a final rule in March 2023.
    • Adverse Information in Cases of Human Trafficking Under the Debt Bondage Repair Act. The National Defense Authorization Act amended the FCRA to prohibit consumer reporting agencies from providing reports containing any adverse items of information resulting from human trafficking. In June 2022, the CFPB issued a final rule implementing amendments to the FCRA intended to assist victims of human trafficking (covered by InfoBytes here).

    Federal Issues Agency Rule-Making & Guidance CFPB Dodd-Frank Small Business Lending SBREFA PACE Programs AVMs Bank Regulatory Section 1033 Section 1071 ECOA FCRA OCC Federal Reserve FDIC NCUA FHFA

  • CFPB advisory stresses “permissible purpose” of consumer reports

    Agency Rule-Making & Guidance

    On July 7, the CFPB issued an advisory opinion to state its interpretation that under certain FCRA-permissible purpose provisions, a consumer reporting agency may not provide a consumer report to a user unless it has reason to believe that all of the information it includes pertains to the consumer who is the subject of the user’s request. The Bureau explained that “credit reporting companies and users of credit reports have specific obligations to protect the public’s data privacy,” and reminded covered entities that “FCRA section 604(f) strictly prohibits a person who uses or obtains a consumer report from doing so without a permissible purpose.”

    Among other things, the FCRA is designed to ensure fair and accurate reporting and requires users who buy these consumer credit reports to have a legally permissible purpose. Specifically, the advisory opinion clarifies that (i) insufficient matching procedures can result in credit reporting companies providing reports to entities without a permissible purpose, thus violating a consumer’s privacy rights (the Bureau explained that if a credit reporting company uses name-only matching procedures, items appearing on a credit report may not all correspond to a single individual); (ii) it is unlawful to provide credit reports of multiple people as “possible matches” (credit reporting companies are obligated to implement adequate procedures to find the correct individual); (iii) disclaimers about insufficient matching procedures will not cure a failure to take reasonable measures to ensure the information provided in a credit report is only about the individual for whom the user has a permissible purpose; and (iv) credit report users must ensure that they are not violating an individual’s privacy by obtaining a credit report when they lack a permissible purpose for doing so.

    The Bureau also outlined certain criminal liability provisions in the FCRA. According to the advisory opinion, covered entities may face criminal liability under Section 619 for obtaining information on an individual under false pretenses, while Section 620 “imposes criminal liability on any officer or employee of a consumer reporting agency who knowingly and willfully provides information concerning an individual from the agency’s files to an unauthorized person.” Violators can face criminal penalties and imprisonment, the Bureau said in its announcement.

    As previously covered by InfoBytes, the Bureau finalized its Advisory Opinions Policy in 2020. Under the policy, entities seeking to comply with existing regulatory requirements are permitted to request an advisory opinion in the form of an interpretive rule from the Bureau (published in the Federal Register for increased transparency) to address areas of uncertainty.

    Agency Rule-Making & Guidance Federal Issues CFPB Advisory Opinion FCRA Consumer Reporting Agency Consumer Finance Privacy/Cyber Risk & Data Security Consumer Protection Consumer Reporting

  • Agencies release customer relationship and due diligence guidance

    On July 6, the FDIC, Federal Reserve Board, FinCEN, NCUA, and OCC issued a joint statement concerning banks’ risk-based approach for assessing customer relationships and conducting customer due diligence (CDD). Specifically, the joint statement reinforces the agencies’ “longstanding position that no customer type presents a single level of uniform risk or a particular risk profile related to money laundering (ML), terrorist financing (TF), or other illicit financial activity.” Banks are reminded that they must apply a risk-based approach to CDD and adopt appropriate risk-based procedures for conducting ongoing CDD when developing risk profiles of their customers. Because customer relationships present varying levels of ML, TF, and other illicit financial activity risks, the agencies advised banks to, among other things, (i) understand the nature and purpose of customer relationships; and (ii) “conduct ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information.”

    Additionally, banks that comply with applicable Bank Secrecy Act/anti-money laundering (BSA/AML) legal and regulatory requirements and effectively manage and mitigate risks related to the unique characteristics of customer relationships, “are neither prohibited nor discouraged from providing banking services to customers of any specific class or type,” the agencies said, adding that “as a general matter” they will not direct banks to open, close, or maintain specific accounts as they “recognize that banks choose whether to enter into or maintain business relationships based on their business objectives and other relevant factors, such as the products and services sought by the customer, the geographic locations where the customer will conduct or transact business, and banks’ ability to manage risks effectively.” Banks are encouraged “to manage customer relationships and mitigate risks based on customer relationships, rather than decline to provide banking services to entire categories of customers.”

    The joint statement is applicable to all customer types referenced in the Federal Financial Institutions Examination Council (FFIEC) BSA/AML Examination Manual, as well as to those not specifically addressed in the manual. These include “independent automated teller machine owners or operators, nonresident aliens and foreign individuals, charities and nonprofit organizations, professional service providers, cash intensive businesses, nonbank financial institutions, and customers the bank considers politically exposed persons.” The agencies reiterated that the joint statement does not alter existing BSA/AML legal or regulatory requirements, nor does it establish new supervisory expectations. Moreover, the FFIEC BSA/AML Examination Manual does not establish requirements for banks, nor should the inclusion of sections on specific customer types be interpreted as a signal that certain customer types present uniformly higher risk.

    Bank Regulatory Financial Crimes Federal Issues Agency Rule-Making & Guidance Federal Reserve FDIC OCC NCUA FinCEN Risk Management Customer Due Diligence Terrorist Financing Illicit Finance FFIEC Of Interest to Non-US Persons

  • DOJ charges six with crypto fraud

    Federal Issues

    On June 30, the DOJ charged six individuals in four separate cases for allegedly playing a role in several cryptocurrency-related fraud schemes. In its press release announcing the indictments, the DOJ said these schemes include “the largest known Non-Fungible Token (NFT) scheme charged to date, a fraudulent investment fund that purportedly traded on cryptocurrency exchanges, a global Ponzi scheme involving the sale of unregistered crypto securities, and a fraudulent initial coin offering.”

    • Crypto NFT Scheme: The DOJ charged a Vietnamese national with one count of conspiracy to commit wire fraud and one count of conspiracy to commit international money laundering related to his involvement in an NFT project, in which the individual and his co-conspirators allegedly engaged in a “rug pull” that ended the investment project and stole roughly $2.6 million from investors. The DOJ said in its announcement that, shortly after the rug pull, the individuals allegedly “laundered investors’ funds through ‘chain-hopping,’ a form of money laundering in which one type of coin is converted to another type and funds are moved across multiple cryptocurrency blockchains.” The individuals also allegedly used decentralized cryptocurrency swap services to hide the trail of investors’ stolen funds.
    • Crypto Ponzi and Unregistered Securities Scheme: The DOJ charged two Brazilian nationals and a Florida resident with one count of conspiracy to commit wire fraud and one count of conspiracy to commit securities fraud in connection with a global cryptocurrency-based Ponzi scheme that generated approximately $100 million from investors. The Brazilian nationals were also charged with conspiracy to commit international money laundering. According to the DOJ, the individuals fraudulently promoted a cryptocurrency investment platform and unregistered securities offering by misrepresenting a purported proprietary trading bot and falsely guaranteeing returns to investors. The Brazilian nationals allegedly laundered investors’ funds through a foreign-based cryptocurrency exchange and paid earlier platform investors with money obtained from later investors, the DOJ said. The SEC also filed a lawsuit against all three individuals and their company in the U.S. District Court for the Southern District of Florida.
    • Crypto Initial Coin Offering Scheme: A California resident who founded a cryptocurrency investment platform was charged by the DOJ with one count of securities fraud for his role in a cryptocurrency fraud scheme involving the platform’s initial coin offering (ICO), which raised roughly $21 million from investors globally. According to the DOJ, the individual falsified information in company white papers for prospective investors, promoted fake testimonials, and fabricated purported business relationships with the Federal Reserve Board and dozens of major companies to appear legitimate.
    • Crypto Commodities Scheme: The DOJ charged the owner of a cryptocurrency investment platform with one count of conspiracy to commit wire fraud, four counts of wire fraud, one count of conspiracy to commit commodities fraud, and one count of obstruction of justice. The Nevada resident allegedly raised approximately $12 million from investors by using the platform to solicit investors’ participation in an unregistered commodity pool (“a fund that combines investors’ contributions to trade on the futures and commodity markets”), told investors that he used a trading bot that “could execute over 17,000 transactions per hour on various cryptocurrency exchanges” to earn profits, and falsely represented that this trading bot would generate between 500 and 600 percent returns on the amount invested.

    “Our office is committed to protecting investors from sophisticated scammers seeking to capitalize on the relative novelty of digital currency,” U.S. Attorney Juan Antonio Gonzalez for the Southern District of Florida stated. “As with any emerging technology, those who invest in cryptocurrency must beware of profit-making opportunities that appear too good to be true.”

    Federal Issues Digital Assets Securities DOJ Enforcement Cryptocurrency Fraud Indictment NFT Wire Fraud Money Laundering
