InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
SEC issues $3 million in whistleblower awards
On March 18, the SEC announced whistleblower awards totaling over $3 million to three individuals for providing information and assistance in three separate covered actions. According to the first redacted order, the SEC awarded approximately $1.5 million to a whistleblower for providing information which led to the successful prosecution of an enforcement action. Additionally, the whistleblower assisted the staff throughout the investigation. According to the second redacted order, the SEC awarded over $1 million to an individual who provided information that prompted Commission staff to open an investigation that led to the successful prosecution of an enforcement action. The whistleblower continued to provide assistance by participating in interviews and giving additional documents. In the third redacted order, the SEC awarded over $400,000 to a whistleblower whose comprehensive tip led to an investigation and who provided substantial ongoing cooperation. The whistleblower also raised concerns internally, causing the conduct to cease.
The SEC has awarded approximately $1.2 billion to 254 whistleblowers since issuing its first award in 2012.
CFTC awards $10 million to whistleblower
On March 18, the CFTC announced an approximately $10 million award to a whistleblower whose information led the agency to a successful Commodity Exchange Act enforcement action. According to the CFTC, the claimant voluntarily provided original, “useful information at the earliest stages of the investigation and later provided supplemental information.” The associated order also noted that because of the claimant’s allegations, CFTC staff were able to draft the earliest round of subpoenas.
The CFTC has awarded approximately $330 million to whistleblowers since the enactment of its Whistleblower Program under Dodd-Frank, with whistleblower information helping the CFTC prosecute enforcement actions leading to more than $3 billion in monetary sanctions.
Bank fined $140 million for BSA/AML compliance failures
On March 17, FinCEN announced a $140 million civil money penalty against a federal savings bank for violating the Bank Secrecy Act (BSA) and its implementing regulations from at least January 2016 through April 2021 by allegedly failing to implement and maintain an effective, reasonably designed anti-money laundering (AML) program. According to FinCEN, the bank “also admitted that it willfully failed to accurately and timely report thousands of suspicious transactions to FinCEN involving suspicious financial activity by its customers, including customers using personal accounts for apparent criminal activity.” The consent order further noted that in 2017, the OCC informed the bank that its AML program failed to meet all the requirements of the agency’s regulations. The bank agreed to overhaul its AML program but, according to the order, the bank has not yet met all of the terms of its commitments to address the deficiencies. FinCEN emphasized that the bank’s violations resulted “in millions of dollars in suspicious transactions flowing through the U.S. financial system without appropriate reporting,” and stressed “that growth and compliance must be paired, and AML program deficiencies, especially deficiencies identified by federal regulators, must be promptly and effectively addressed.”
The same day, the OCC announced a $60 million penalty against the bank for related violations resulting from the separate but coordinated investigation with FinCEN. Among other things, the consent order identified several deficiencies related to inadequate internal controls and risk management practices, suspicious activity identification, staffing, training, and third-party risk management. FinCEN’s announcement noted that “[a]s many of the facts and circumstances underlying the OCC’s civil penalty also form the basis of FinCEN’s Consent Order, FinCEN agreed to credit the $60 million civil penalty imposed by the OCC,” adding that, combined, the bank “will pay a total of $140 million to the U.S. Treasury for its violations, with $80 million representing FinCEN’s penalty and $60 million representing the OCC’s penalty.”
District Court rules ratification unnecessary for CFPB to proceed with 2017 enforcement action
On March 16, the U.S. District Court for the Southern District of New York ruled that the CFPB can proceed with its 2017 enforcement action against a New Jersey-based finance company alleging, among other things, that it misled first responders to the World Trade Center attack and NFL retirees about high-cost loans mischaracterized as assignments of future payment rights. In 2020, the U.S. Court of Appeals for the Second Circuit vacated a 2018 district court order dismissing the case on the grounds that the Bureau’s single-director structure was unconstitutional, and that, as such, the agency lacked authority to bring claims alleging deceptive and abusive conduct by the company (covered by InfoBytes here). The 2nd Circuit remanded the case to the district court, determining that the U.S. Supreme Court’s ruling in Seila Law LLC v. CPFB (holding that the director’s for-cause removal provision was unconstitutional but severable from the statute establishing the Bureau, as covered by a Buckley Special Alert) superseded the 2018 ruling. The appellate court further noted that following Seila, former Director Kathy Kraninger ratified several prior regulatory actions (covered by InfoBytes here), including the enforcement action brought against the defendants, and as such, remanded the case to the district court to consider the validity of the ratification of the enforcement action. The defendants later filed a petition for writ of certiorari, arguing that the Bureau could not use ratification to avoid dismissal of the lawsuit, but the Supreme Court declined the petition. (Covered by InfoBytes here.)
In 2021, the defendants filed a motion to dismiss the Bureau’s enforcement action on the grounds that “it was brought by an unconstitutionally constituted agency” and that the Bureau’s “untimely attempt to subsequently ratify this action cannot cure the agency’s constitutional infirmity.” After narrowly reviewing whether the Bureau had the authority to bring claims under the Consumer Financial Protection Act, the district court turned to the Supreme Court’s June 2021 majority decision in Collins v. Yellen, which held that “‘an unconstitutional removal restriction does not invalidate agency action so long as the agency head was properly appointed[.]’” Accordingly, the agency’s actions are not void and do not need to be ratified, unless a plaintiff can show that “the agency action would not have been taken but for the President’s inability to remove the agency head.” (Covered by InfoBytes here.) The district court’s March 16 opinion applied Collins and ruled that “the CFPB possessed the authority to bring this action in February 2017 and, hence, that ratification by Director Kraninger was unnecessary.”
NYDFS fines money transmitter $8.25 million for AML compliance failures
On March 16, NYDFS announced the imposition of an $8.25 million fine on a money transmitter alleged to have violated anti-money laundering (“AML”) requirements and New York law by failing to adequately supervise local agents in New York City that processed an unusual volume of suspicious transactions to China. NYDFS conducted an examination and enforcement investigation, which found that the company “did not adequately oversee the activity of six agents that saw a large spike in transaction volume of business with China.” According to the investigation, there were roughly 7,500 transactions aggregating approximately $30 million in 2014. These figures rose to more than 25,000 transactions aggregating more than $100 million during the period between January 2016 and May 2017. Most of these transactions were processed by small, store-front independent agents—“a clear indicator of increased money laundering risk, particularly given that the destination was known to carry a high AML risk,” NYDFS stated, adding that the company should have also addressed risks resulting from a suspicious pattern of different senders transmitting money to the same recipient. NYDFS acknowledged that the company, when alerted to the increased transaction activity, severed its relationship with the problematic agents and implemented remedial measures to improve supervision of its agents. Under the terms of the consent order, the company will pay an $8.25 civil money penalty and is required to submit a report to NYDFS outlining enhancements made with respect to new and existing agents, suspicious activity reporting program, and special transaction limitations. Additionally, NYDFS announced that the company will also update the Department on improvements to the policies and procedures of its Bank Secrecy Act/AML compliance program and will provide data to NYDFS for ongoing monitoring purposes.
Irish DPC fines global social media company €17 million for GDPR violations
On March 15, the Irish Data Protection Commission (DPC) adopted a decision fining a global social media company €17 million (approximately $18.6 million) after finding that the company failed to prevent a series of data breaches in 2018. The DPC conducted an inquiry into a series of 12 data breach notifications it received between June 7, 2018 and December 4, 2018, to examine the extent that the company complied with GDPR requirements related to the processing of personal data. Following the inquiry, the DPC found that the company violated GDPR Articles 5(2) and 24(1) by failing “to have in place appropriate technical and organizational measures which would enable it to readily demonstrate the security measures that it implemented in practice to protect EU users’ data, in the context of the twelve personal data breaches.” Article 5 outlines principles related to the processing of personal data and requires companies to ensure that EU residents’ personal data is processed “in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.” Article 24(1) requires controllers to “implement appropriate technical and organizational measures to ensure and to be able to demonstrate that processing is performed in accordance with” the GDPR. The DPC noted that because the processing under examination constituted “cross-border” processing, the “decision represents the collective views of both the DPC and its counterpart supervisory authorities throughout the EU.”
FTC sues sales organization in business opportunity scam
On March 15, the FTC filed an administrative complaint against an independent sales organization and its owners (collectively, “respondents”) for allegedly opening merchant accounts for fictitious companies on behalf of a business opportunity scam previously sued by the FTC in 2013. According to the complaint, the scammers promoted business opportunities to consumers that falsely promised they would earn thousands of dollars. From its previous 2013 lawsuit, the FTC obtained judgments and settlements of over $7.3 million (covered by InfoBytes here). The complaint alleged that respondents violated the FTC Act and the Telemarketing Sales Rule by helping the scammers launder millions of dollars of consumers’ credit card payments from 2012 to 2013 and ignoring warning signs that the merchants were fake. The FTC claimed that the respondents, among other things, (i) opened merchant accounts based on “vague” business descriptions; (ii) ignored the fact that for most of the merchants, the principals or business owners had poor credit ratings, which should have raised questions about the financial health of the merchants; (iii) neglected to obtain merchants’ marketing materials or follow up on signs that the merchants were engaged in telemarketing; and (iv) ignored inconsistencies related to the bank accounts listed on several of the merchants’ applications. The FTC further claimed that the respondents created 43 different merchant accounts for fictitious companies on behalf of the scam and even provided advice to the organizers of the scam on how to spread out the transactions among different accounts to evade detection.
Under the terms of the proposed consent order (which is subject to public comment and final FTC approval), the respondents would be prohibited from engaging in credit card laundering, as well as any other tactics to evade fraud and risk monitoring programs. The respondents would also be banned from providing payment processing services to any merchant that is, or is likely to be, engaged in deceptive or unfair conduct, and to any merchant that is flagged as high-risk by credit-card industry monitoring programs. Furthermore, the respondents would be required to screen potential merchants and monitor the sales activity and marketing practices of current merchants engaged in certain activities that could harm consumers. The FTC noted that it is unable to obtain a monetary judgment due to the U.S. Supreme Court’s decision in AMG Capital Management v. FTC, which held that the FTC does not have statutory authority to obtain equitable monetary relief under Section 13(b) of the FTC Act. (Covered by InfoBytes here.)
FTC settles action against e-commerce platform for data breach cover up
On March 15, the FTC announced a proposed settlement with two limited liability companies, the former and current owners, of an online customized merchandise platform (collectively, “respondents”) for allegedly failing to secure consumers’ sensitive personal data and covering up a major breach. According to the complaint, the respondents allegedly violated the FTC Act by, among other things, misrepresenting that they implemented reasonable measures to protect the personal information (PI) of customers against unauthorized access and for misrepresenting that appropriate steps to secure consumer account information following security breaches were taken. The complaint further alleged that respondents failed to apply readily available protections against well-known threats and adequately respond to security incidents, which resulted in the respondents' network being breached multiple times. Notably, one of the breaches involved a hacker gaining access to “millions of email addresses and passwords with weak encryption; millions of unencrypted names, physical addresses, and security questions and answers; more than 180,000 unencrypted Social Security numbers; and tens of thousands of partial payment card numbers and expiration dates.” The complaint goes on to allege that the online customized merchandise platform failed to properly investigate the breach for several months despite additional warnings, including failing to promptly notify its customers of the breach. Under the terms of the proposed settlement, the respondents are: (i) ordered to pay $500,000 in redress to victims of the data breaches: (ii) prohibited from making misrepresentations about their privacy and security measures, among other things, and (iii) required to have a third party assess their information security programs and provide the Commission with a redacted copy of that assessment suitable for public disclosure.
FTC alleges company misrepresented the quality, source of leads
On March 11, the FTC issued an administrative complaint against a Colorado-based digital marketplace company (defendant) alleging it used deceptive and misleading practices in selling home improvement project leads to service providers. The complaint alleges that since 2014 the defendant has made false, misleading, or unsubstantiated claims regarding the quality and source of the leads it sells to service providers, such as general contractors and small lawn care businesses. The complaint alleges, among other things, that the defendant told service providers that its leads resulted in actual home improvement jobs at rates higher than its own data supported, and that the defendant misled service providers about the cost of an optional one-month subscription to a software platform that it sold with its leads and the cost of the optional one-month help desk subscription. The defendant’s actions allegedly resulted in service providers, many of whom operate in the gig economy, spending time following leads below the promised quality and seeking refunds for those leads. The FTC’s Director of Bureau of Consumer Protection stated, “Today’s administrative complaint against [the defendant] shows that the FTC will use every tool in its toolbox to combat dishonest commercial practices.”
SEC awards $14 million to whistleblower
On March 11, the SEC announced that it awarded a whistleblower nearly $14 million for exposing ongoing fraud by publishing on online report. According to the redacted order, the whistleblower voluntarily provided original information and prompted the opening of an investigation, which resulted in a successful enforcement action against the company and its CEO and the return of millions of dollars to harmed investors.
The SEC has awarded approximately $1.2 billion to 249 individuals since issuing its first award in 2012.