InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
NYDFS imposes $30 million fine against trading platform for cybersecurity, BSA/AML violations
On August 2, NYDFS announced a consent order imposing a $30 million fine against a trading platform for alleged violations of the Department’s Virtual Currency Regulation (23 NYCRR Part 200), Money Transmitter Regulation (3 NYCRR Part 417), Transaction Monitoring Regulation (3 NYCRR Part 504), Cybersecurity Regulation (23 NYCRR Part 500), and for failing to maintain adequate Bank Secrecy Act/anti-money laundering (BSA/AML) obligations. According to a Department investigation, the platform’s BSA/AML compliance program contained significant deficiencies, including an inadequate transaction monitoring system. Among other things, the platform failed to timely transition its manual system to an automated transaction monitoring system, which was unacceptable for a program of its size, customer profiles, and transaction volumes, and did not devote sufficient resources to adequately address risks. The Department also found “critical failures” in the platform’s cybersecurity program, which failed to address operational risks, and that specific policies within the program did not fully comply with several provisions of the Department’s cybersecurity and virtual currency regulations. According to the press release, pursuant to NYDFS’s Transaction Monitoring Regulation and Cybersecurity Regulation, companies should only file a Certificate of Compliance with the Department if their programs are fully compliant with the applicable regulation.
In light of the program’s deficiencies, NYDFS stated that the platform’s 2019 certifications to the Department attesting to compliance with these regulations should not have been made and thus violated the law. The platform also “failed to comply with the Supervisory Agreement by failing to promptly notify the Department of (a) actual or material potential actions, proceedings, or similar process that were or may have been instituted against [the platform] or any affiliated entity by any regulatory body or governmental agency; and (b) of the receipt by [the platform], or any affiliated entity, of any subpoena from any regulatory body or governmental agency in which [the platform], or any affiliated entity, was the target of the investigation.” NYDFS determined that in addition to the penalty, the platform will be required to retain an independent consultant that will perform a comprehensive evaluation of its compliance with the Department’s regulations and the platform’s remediation efforts with respect to the identified deficiencies and violations.
A Buckley Special Alert is forthcoming.
FDIC releases June enforcement actions
On July 29, the FDIC released a list of administrative enforcement actions taken against banks and individuals in June. During the month, the FDIC made public twelve orders consisting of “three consent orders, one order to pay civil money penalty, four orders of prohibition, one section 19 order, one order terminating consent order, two orders of termination of insurance, one Notice of Intention to Prohibit from Further Participation, Notice of Assessment of Civil Money Penalties, Findings of Fact and Conclusions of Law, Order to Pay, Notice of Hearing, and Prayer for Relief.” The FDIC imposed a civil money penalty against a Missouri-based bank for alleged violations of the Flood Disaster Protection Act. Among other things, the FDIC claimed that the bank “made, increased, extended or renewed a loan secured by a building or mobile home located or to be located in a special flood hazard area without providing timely notice to the borrower and/or the servicer as to whether flood insurance was available for the collateral.” The bank must pay a $7,000 civil money penalty.
The actions also include a consent order with a Georgia-based bank, which alleged that the bank violated “law or regulation related to weaknesses in the Bank’s compliance with the Bank Secrecy Act.” According to the consent order, the bank must, among other things: (i) “enhance its oversight of the Bank’s BSA/AML Compliance Program and assume full responsibility for the approval of sound BSA/AML policies, procedures, and processes”; (ii) “revise, adopt, and implement a written BSA/AML Compliance Program, including policies and procedures”; and (iii) “review and revise as appropriate its written policies, procedures, and processes for assessing the money laundering, terrorist financing, and other illicit financial activities risk profile of the Bank.”
FTC brings action against payment processor for misleading small businesses
On July 29, the FTC announced a settlement with a payment processing company and two of its sales affiliates (collectively, “defendants”) to resolve claims that they “trapp[ed] small businesses with hidden terms, surprise exit fees, and zombie charges.” The FTC alleged that the defendants made false claims about fees and cost savings, including “false and baseless claims about their processing services” to lure merchants, many of whom had limited English proficiency. According to the complaint, once merchants were enrolled, the defendants allegedly withdrew funds from their accounts without their consent and made it difficult and expensive for them to cancel the service. The complaint also alleged that the defendants violated the Restore Online Shoppers’ Confidence Act (ROSCA) by failing to disclose material terms, by charging consumers without their express informed consent, and by failing to provide a simple mechanism for consumers to cancel the agreements.
Under the terms of the proposed settlement, the defendants are, among other things, prohibited from making misrepresentations, making unsubstantiated claims, and using unfair debiting practices. The defendants will also be prohibited from making withdrawals from any of their customers’ bank accounts without authorization. The defendants must pay $4.9 million to the FTC, which will be used to provide refunds to affected businesses.
Republicans allege CFPB “collusion” with states
On July 28, House Financial Services Committee Ranking Member Patrick McHenry (R-NC) and two other Republican members sent a letter to CFPB Director Rohit Chopra, expressing their concerns that the Bureau has been “colluding” with states to “intimidate companies by conspiring with state agencies to pursue duplicative enforcement actions” in the financial services industry. The letter recognizes that state AGs “may enforce the CFPA in cases where the CFPB has not,” but argues that “the statute does not allow for a state attorney general to become a party to an existing CFPB enforcement action.” As previously covered by InfoBytes, the Bureau issued an interpretive rule in May addressing states’ authority to bring enforcement actions for violations of federal consumer financial protection laws, including the CFPA. The representatives argue that although the CFPB has a duty to enforce the CFPA and protect consumers from predatory and discriminatory practices, the Bureau’s interpretive rule is “akin to deputizing state attorneys general to enforce the CFPA on behalf of the CFPB – something Congress did not authorize.” The letter concludes with a request for documents and information from the Bureau by August 12, including (i) the legal authority that allows the CFPB to “recruit state attorneys general to join existing CFPB actions"; (ii) any “safeguards” the CFPB has in place to avoid “redundant and duplicative state actions”; and (iii) “all documents and communications between offices of state attorneys general and the CFPB since October 12, 2021” and “all information regarding complaints filed in a judicial court received by the CFPB pursuant to 12 USC § 5552.”
CFPB, DOJ take action against mortgage lender
On July 27, the CFPB and the DOJ jointly filed a lawsuit against a Delaware-based mortgage lender for engaging in unlawful discrimination. The complaint, filed in the U.S. District Court for the Eastern District of Pennsylvania, alleges that the defendant violated the Equal Credit Opportunity Act (ECOA) and its implementing Regulation B and the Consumer Financial Protection Act (CFPA) by, among other things, engaging in unlawful discrimination on the basis of race, color, or national origin against applicants and prospective applicants, including by redlining majority-minority neighborhoods, and by engaging in acts and practices directed at prospective applicants that would discourage prospective applicants from applying for credit. The DOJ also alleged a violation of the Fair Housing Act, including the “making unavailable or denial of dwellings to persons because of race, color, and national origin,” among other things.
The proposed consent order, if entered by the court, would be Bureau’s first nonbank mortgage redlining resolution. It would require the defendant, among other things, to: (i) deposit $18.4 million into a loan subsidy program; (ii) pay a $4 million penalty to the Bureau; and (iii) pay $2 million to fund advertising to generate applications in redlined areas. The proposed order also notes the defendant neither admits nor denies the allegations in the complaint. According to a statement released by CFPB Director Rohit Chopra, the Bureau “will continue to seek new remedies to ensure all lenders meet and fulfill their responsibilities and obligations and the CFPB continues to be on the lookout for emerging digital redlining to ensure that discrimination cannot be disguised by an algorithm.”
CFPB issues consent order against nonbank automotive finance company
On July 26, the CFPB announced a consent order against a nonbank automotive finance company to resolve allegations that it engaged in furnishing inaccurate information to consumer reporting companies. The CFPB alleged that the company violated the FCRA and Regulation V by, among other things, failing to: (i) “promptly update and correct information it furnished to Consumer Reporting Agencies (CRAs) that it determined was not complete or accurate, and continued to furnish this inaccurate and incomplete information;” (ii) “modify or delete information disputed by consumers that [the company] found to be inaccurate”; and (iii) “establish and implement reasonable written policies and procedures regarding the accuracy and integrity of information provided to CRAs.” The CFPB also alleged that the company violated the CFPA because of the FCRA and Regulation V violations, which it alleged also constitute violations of the CFPA, and for using “ineffective manual processes and systems containing known logic errors to furnish information to CRAs.” Under the terms of the Bureau’s consent order, the company is required to provide $13.2 million in redress to harmed consumers, review all account files that it currently furnishes to credit reporting companies and correct all inaccuracies described in the order, then send updated information to the credit reporting companies, establish and implement written a compliance plan, and pay a $6 million civil penalty to the Bureau.
FDIC updates its enforcement actions manual
On July 25, the FDIC announced that it updated chapters its Formal and Informal Enforcement Actions Manual, entitled Overview and Administrative Matters and Cease-and-Desist Actions, respectively, regarding the agency’s minimum standards for terminating cease and desist and consent orders issued under Section 8(b) of the FDI Act. According to the FDIC, “the manual provides direction for professional staff related to the work necessary to pursue formal and informal enforcement actions,” and is “intended to support the work of the field, regional, and Washington office’s staff involved in processing and monitoring enforcement actions.” The FDIC is authorized to issue a cease-and-desist order if an insured depository institution has engaged, or is about to engage, in “an unsafe or unsound practice in conducting the business of the institution, or [a] violation of a law and/or regulation, written agreement with the FDIC, or written condition imposed by the FDIC in connection with the granting of any application or other request.” The updates, among other things, clarify that cease-and-desist or consent orders may be terminated if: (i) the institution is in full compliance with all provisions of the order and has fully corrected legal violations, unsafe or unsound practices, or other conditions that led to the issuance of the order; (ii) any provisions deemed “not in compliance” have become outdated or irrelevant; or (iii) deterioration or any provisions deemed “not in compliance” leads to issuance of a new or revised formal action.
FCC orders phone companies to block car warranty scammers
On July 21, the FCC announced it is ordering phone companies to stop carrying traffic regarding a known robocall scam marketing auto warranties. The FCC noted that the operation is also the target of an ongoing investigation by the FCC’s Enforcement Bureau and a lawsuit by the Ohio Attorney General. As previously covered by InfoBytes, the Ohio AG filed a complaint against multiple companies for participating in an alleged unwanted car warranty call operation. The complaint, filed in the U.S. District Court for Southern District of Ohio, alleged that the 22 named defendants “participated in an unlawful robocall operation that bombarded American consumers with billions of robocalls.” The FCC’s order follows its announcement of actions taken to decrease robocalls, including sending cease and desist letters to several carriers in an attempt “to cut off a flood of possibly illegal robocalls marketing auto warranties targeting billions of consumers.” The announcement also noted that the FCC has authorized “all U.S.-based voice service providers to cease carrying any traffic originating from the [named] operation consistent with FCC regulations,” as detailed in the notice.
FTC, state AGs order says retailer used illegal tactics on servicemembers
On July 20, the FTC and 18 state attorneys general announced a proposed order against a national jewelry retailer (defendant) for allegedly using illegal financing and sales practices on service members and their families. In the complaint, the FTC alleged that the defendants violated the TILA, Holder Rule, and EFTA, among other things, by: (i) making false or unsubstantiated claims that financing jewelry purchases through the company would result in higher credit scores; (ii) misrepresenting that the protection plan was required to finance purchases; and (iii) failing to provide clear written disclosures and meet authorization requirements for contracts. The complaint also alleged that the defendant violated the Military Lending Act (MLA), the FTC’s first action under this Act, because, by failing to “provide disclosures in accord with TILA, including the Itemization of the Amount Financed, they also do not provide all disclosures required by the MLA.” The proposed order requires that the defendants are, among other things: (i) prohibited from making misrepresentations; (ii) prohibited from making unsubstantiated claims; (ii) banned from the marketing or sale of ancillary products or services; and (iii) banned from transferring retail installment contracts to third parties. The order also requires the defendant to refund approximately $10.9 million for purchased protection plans, and provide refunds for overpayments.
DOJ announces settlement with ride sharing company over ADA violations
On July 18, the DOJ announced a settlement in the U.S. District Court for the Northern District of California to resolve a lawsuit alleging that a ride sharing service (defendant) violated the Americans with Disabilities Act (ADA). According to the complaint, in April 2016, the defendant started charging passengers wait time fees, which charged wait time fees starting two minutes after the defendant’s vehicle arrives at the pickup location, and the fees are charged until the vehicle starts its trip. The DOJ claimed that the defendant violated the ADA by failing to: (i) “ensure adequate vehicle boarding time for passengers with disabilities”; (ii) “ensure equitable fares for passengers with disabilities”; and (iii) “make reasonable modifications to its policies and practices of imposing wait time fees as applied to passengers who, because of disability, require more time to board the vehicle.” According to the settlement agreement, the defendant – who denies any wrongdoing, liability, or fault – must, among other things: (i) pay $1.7 million to more than 1,000 riders who have already complained to the company about being charged wait time fees as a result of a disability; (ii) pay $500,000 to “other harmed individuals identified by the department”; and (iii) pay a $50,000 civil money penalty to the U.S. Additionally, according to the DOJ, the defendant has committed under the two-year agreement to waive wait time fees for all riders who certify that they (or someone they frequently travel with) need more time to get in a car due to a disability. Among other things, the defendant also will ensure that refunds are easily available for anyone who does not have a waiver and is charged a wait time fee because of disability.