InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
DOJ announces international malware action, recovers $8.6 million in illicit profits
On August 29, the DOJ announced a multinational operation involving the U.S., France, Germany, the Netherlands, the UK, Romania, and Latvia to “disrupt” a malware’s infrastructure called Qakbot. Attorney General Merrick B. Garland stated that, “[t]ogether with our international partners, the Justice Department has hacked Qakbot’s infrastructure, launched an aggressive campaign to uninstall the malware from victim computers in the United States and around the world, and seized $8.6 million in extorted funds. ” The main method by which the Qakbot malware spreads to target computers is via spam emails that contain harmful attachments or links. Upon successfully infecting a target computer, the DOJ mentioned that Qakbot gains the capability to introduce other types of malware, such as ransomware. Over the past few years, many ransomware collectives have used Qakbot as an initial avenue for initiating infections and has caused hundreds of millions of dollars in damages. The DOJ highlighted that “[t]he action represents the largest U.S.-led financial and technical disruption of a botnet infrastructure leveraged by cybercriminals to commit ransomware, financial fraud, and other cyber-enabled criminal activity.”
SEC conducts its first-ever NFT enforcement again
On August 28, the SEC entered an order against a Los Angeles-based media and entertainment company charging them with conducting an unregistered offering of crypto asset securities in the form of non-fungible tokens (NFTs). According to the order, the company offered and sold different tiers of NFTs to hundreds of investors between October and December of 2021, and ultimately raised approximately $30 million from the sales. The SEC alleged that the company encouraged potential investors to purchase the unregistered NFTs in return for an investment in the business, promising “tremendous value” to the purchasers if the company was successful in its attempts to “build the next Disney” and launch other creative projects. The order found that the NFTs were ultimately investment contracts and therefore securities, and that the company subsequently violated federal securities laws by offering and selling crypto assets in an unregistered securities offering that was not otherwise exempt from registration requirements.
The SEC noted that all securities, in whatever form, are required to be registered and that when companies fail to register securities, “investors of all types are deprived of the protections afforded them by the robust disclosures and other safeguards long provided by our securities laws.” The company did not admit or deny the findings set forth in the order but agreed to cease-and-desist from violating registration provisions of the 1933 Act and pay a combined penalty of over $6.1 million in fees. The order also establishes a “Fair Fund” to return money to investors who paid to purchase NFTs.
On the same day, the SEC released a statement from Republican commissioners, Hester M. Peirce and Mark T. Uyeda, underscoring the significance of the commission’s first NFT enforcement action. “People are experimenting with a lot of different uses of NFTs,” said the commissioners in their partial dissents. “Consequently, any attempt to use this enforcement action as precedent is fraught with difficulty.” The commissioners further criticized the SEC’s failure to provide guidance on NFTs when they first started proliferating and raised several questions.
SEC awards whistleblower more than $18 million
On August 25, the SEC announced a whistleblower award of $18 million to a whistleblower who provided new information and assistance that led to a successful SEC enforcement action. According to the redacted order, the whistleblower provided additional helpful information and substantial, continuing assistance that helped the SEC staff saved f time and resources during the investigation. In the same order, the Commission affirmed the denial of a second claimant’s award claims after claimant 2 argued that they were the source of the original information that led to the opening of the investigation. The SEC determined that they had insufficient evidence to support their claims and that the Commission’s staff used claimant 1’s information, not claimant 2’s. Moreover, the claimant 2 did not satisfy “Rule 21F-4(c)(3), as Claimant 2 did not submit information to the Commission within 120 days of reporting it to the Company. Claimant 2 submitted information to the Commission after the Covered Action was filed and settled.”
SEC charges broker-dealer with failure to file suspicious activity reports
On August 29, the SEC announced that it had brought charges against a Chicago-based broker-dealer. The SEC alleged that between August 2012 and September 2020 the broker-dealer failed to file over 400 hundred legally required suspicious financial transaction reports related to over-the-counter securities transactions executed in the broker-dealer’s alternative trading system (ATS). According to the SEC’s order, it was found that the broker-dealer did not establish an anti-money laundering surveillance program until September 2020, despite having thousands of high-risk microcap and penny stock securities transactions executed daily on its ATS.
Daniel R. Gregus, Director of the SEC’s Chicago Regional Office, stated, “All SEC-registered broker-dealers have the responsibility to comply with the requirements of the Bank Secrecy Act, including the obligation to file SARs.”
Without admitting or denying that it violated Section 17(a) of the Securities Exchange Act and Rule 17a-8, the broker-dealer agreed to a censure and a cease-and-desist order, along with a $1.5 million penalty.
FDIC releases July enforcement actions, including breaches of fiduciary duty and FDPA violations
On August 25, the FDIC announced a list of administrative enforcement actions taken against banks and individuals in July. The 10 orders include “two orders that combined a prohibition order and order to pay CMP; one combined personal consent order and order to pay CMP; four prohibition orders; one order modifying a prohibition order; one order of termination of deposit insurance; and one order to pay CMP for pattern or practice violations of the Flood Disaster Protection Act.” The FDIC assessed a civil money penalty against a North Dakota-based bank for alleged violations of the Flood Disaster Protection Act and the National Flood Insurance Act including providing or extending loans secured by a building or mobile home situated in or intended for placement within an area with a recognized risk of flooding, without promptly notifying the borrower and/or the servicer about the availability of flood insurance for the asset.
Fed issues enforcement action against state bank and its holding company
On August 17, the Fed announced an enforcement action against a state bank and its holding company for failing to comply with conditions imposed during the approval process for the bank to become a member of the Federal Reserve System and subsequent application for acquisition. Namely, the order provides that, among other conditions and limitations, the bank was required to provide advance notice of any change in its business plan, and was found to have changed the business plan without the requisite prior written approval. As part of the order, the bank will wind down its operations as part of a purchase agreement where it will sell its assets to a third-party bank and it will ensure the conservation of capital, preservation of cash assets, and will limit its business activities to only those necessary to consummate the purchase agreement.
SEC charges fintech investment adviser for misleading advertising
On August 21, the SEC announced charges against a New York-based fintech investment adviser for using hypothetical performance metrics in misleading advertisements, compliance failures that led to misleading disclosures, and failure to adopt policies concerning crypto asset trading by employees, among other things. These charges mark the first violation of the SEC’s amended marketing rule.
According to the order, the fintech investment adviser made misleading statements on its website by failing to include material information, and without having adopted and implemented required policies and procedures under the SEC’s marketing rule. The SEC also found that the company made conflicting disclosures regarding crypto assets custody and failed to adopt policies related to employee personal trading in crypto assets.
The company consented to the order finding that it violated the Advisers Act and without admitting or denying the SEC’s findings, entered into a cease-and-desist order, a censure, and agreed to pay $192,454 in disgorgement, prejudgment interest and an $850,000 civil penalty that will be distributed to affected clients.
OCC releases enforcement actions and terminations
On August 17, the OCC released a list of recent enforcement actions taken against national banks, federal savings associations, and individuals currently and formerly affiliated with such entities. The new enforcement actions include civil money penalty orders, formal agreements, and prohibition orders, each issued with the consent of the parties. The OCC also announced a termination of an existing enforcement action against a bank. Included in the release is a formal agreement entered into with a Minnesota-based bank on June 27 in connection with OCC findings of alleged unsafe or unsound practices relating to, among other things, consumer compliance and third party risk management. In connection to violations of certain Flood Disaster Protection Act rules, the agreement requires the bank to (i) establish a compliance committee to monitor the bank’s progress in complying with the agreement’s provisions; (ii) report such progress to the bank’s board of directors on a quarterly basis; and (iii) implement a written consumer compliance program. This program must also include procedures and guidance for compliance with all consumer protection laws, rules, and regulations to which the bank should adhere, an independent audit program, a comprehensive training program for bank personnel in the consumer protection laws, rules, and regulations as appropriate, and policies to manage risks in the credit process. It also separately requires revisions to the third-party risk management program addressing due diligence and monitoring of third parties, including monitoring for compliance with consumer protection-related laws and regulations.
FTC temporarily halts unlawful business opportunity scheme
On August 22, the FTC announced that the U.S. District Court for the Southern District of California recently issued a temporary restraining order against a business opportunity operation for allegedly engaging in deceptive practices. According to the FTC’s complaint, the operation made claims in violation of the FTC Act, the FTC’s Business Opportunity Rule, and the Consumer Review Fairness Act of 2016 by, among other things; (i) making false claims that they offered a “venture capital-backed” and “artificial intelligence-integrated” e-commerce business opportunity for consumers to buy into; (ii) falsely promoting themselves as e-commerce experts and self-made millionaires who have assisted others in generating tens of millions of dollars; (iii) relying on false business projections, including that customers would make a “$4k-$6k consistently monthly net profit”; (iv) false claims about the use of AI tools to maximize revenues; and (v) false endorsements, including false claims of success on social media by an affiliate marketer. The court’s temporary restraining order prohibited the operation from conducting business, froze its assets, appointed a temporary receiver, and required the operation to turn over business records to the FTC. Beyond the temporary restraining order, the FTC is seeking preliminary and permanent injunctive relief, monetary relief, and additional relief as determined by the court. The FTC also highlighted that its ability to provide these refunds would not be possible if the action hadn't predated the 2021 Supreme Court ruling (covered by InfoBytes here) that the FTC lacks authority under Section 13(b) of the FTC Act to seek monetary relief in federal court. The FTC used the opportunity to encourage Congress to restore its ability to seek monetary relief in federal court.
District Court files temporary restraining order to stop scammers in FTC suit
On August 21, the FTC announced it has stopped California-based scammers (defendants) who allegedly preyed on students seeking debt relief by pretending to be affiliated with the Department of Education. According to the August 14 complaint, since at least 2019, the defendants allegedly targeted students and illegally collected $8.8 million in advance fees in exchange for student loan debt relief services that did not exist. The defendants allegedly misled consumers by charging them for services that are free through the Department of Education, claiming consumers needed to pay fees or make payments to access federal student loan forgiveness, using names like "Biden Loan Forgiveness," that does not correspond to any actual government program. For instance, one consumer was asked to pay $375 for a processing fee to have up to $20,000 in loans forgiven because of a Pell Grant. Another was told they would get a $10,000 reduction in their loan balance and a new repayment plan with six $250 monthly payments under the “student loan forgiveness program.” The FTC alleges violations of Section 5 of the FTC Act, which prohibits deceptive acts or practices, TCPA, and the Gramm-Leach-Bliley Act. The complaint also alleges that the defendants used such misrepresentations to illegally obtain consumers’ banking information, and typically collected hundreds of dollars in unlawful advance fees—sometimes through remotely created checks in violation of the Telemarketing Sales Rule. The U.S. District Court of the Central District of California filed a temporary restraining order, resulting in an asset freeze, among other things. The FTC seeks preliminary, and permanent injunctive relief, monetary relief, and other relief.