InfoBytes Blog

Financial Services Law Insights and Observations

  • OFAC settles with bank for alleged NKSR and Foreign Narcotics Kingpin Sanctions Regulations violations

    Financial Crimes

    On December 23, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced a roughly $115,005 settlement of two cases with a Delaware-based bank for allegedly processing transactions in violation of the North Korea Sanctions Regulations (NKSR) and the Foreign Narcotics Kingpin Sanctions Regulations. According to OFAC’s web notice, in the first matter, between December 2016 and August 2018, the bank processed 1,479 transactions totaling $382,685, and maintained nine accounts on behalf of five employees of the North Korean Mission to the United Nations without a license from OFAC. Additionally, the bank allegedly often misidentified North Korea or did not properly complete the citizenship field in the customer profiles, which resulted in failing to flag the accounts. The web notice explained that “[u]nder the [NKSR], a general license authorizing certain transactions with the North Korean Mission to the United Nations specifies that it does not authorize U.S. financial institutions to open and operate accounts for employees of the North Korean mission. It further specifies that U.S. financial institutions are required to obtain OFAC specific licenses to operate accounts for such persons.” According to the web notice, since the bank did not obtain a specific license to offer these services, its conduct resulted in apparent violations.

    In arriving at the settlement amount of $105,238, OFAC considered various aggravating factors, including, among other things, that the bank (i) failed to use due caution or care in processing the 1,479 transactions, which was in violation of the NKSR for over a year; (ii) “had reason to know that it maintained accounts for North Korean nationals because at account opening, the account holders of all nine accounts presented to [the bank] North Korean passports”; and (iii) “is a large and commercially sophisticated financial institution with a global presence.” OFAC also considered various mitigating factors, including, among other things, that the bank (i) “enhanced its controls for identifying government officials of sanctioned countries”; and (ii) “updated its operating procedures to specify that reviews of customers in or affiliated with sanctioned jurisdictions must be escalated.”

    In the second matter, according to the web notice, the bank allegedly maintained accounts for a U.S. resident who was on OFAC’s SDN List. The bank did not block the account and disclose to OFAC until after the fifth high-confidence sanctions screening alert was generated because the previous alerts had a “match on full name DOB and geographical location.” The bank’s fraud unit, unaware of the sanctions-related reason for account closure, then credited one of the individual’s accounts, which caused it to be re-opened. The notice reported that the failure to correctly identify the individual as a person on the SDN List was the result of human error and a breakdown in the bank’s sanctions compliance procedures. Further, “[i]n addition to incorrectly dispositioning these alerts, [the bank’s] analysts contravened [the bank’s] procedures which require alerts to be escalated if a match occurs in first and last name and any additional information field.” Such conduct resulted in 145 apparent violations of the Foreign Narcotics Kingpin Sanctions Regulations.

    In arriving at the settlement amount of $9,766, OFAC considered various aggravating factors, including, among other things, that the bank (i) “failed to exercise due caution or care for U.S. economic sanctions requirements by incorrectly adjudicating high-confidence sanctions screening alerts four times over four years, despite full date-of-birth and first and last name matches”; (ii) permitted $35,514.13 in transactions by an individual on the SDN List; and (iii) “is a large and sophisticated financial institution with a global presence.” OFAC also considered various mitigating factors, including, among other things, that the bank did not appear to have had actual knowledge of the conduct that led to the apparent violations, and represented that it has terminated this conduct and has undertaken remedial measures.

    Financial Crimes OFAC Of Interest to Non-US Persons Settlement Enforcement OFAC Sanctions OFAC Designations Department of Treasury North Korea

  • FTC settles with mortgage analytics company

    Federal Issues

    On December 22, the FTC announced the final approval of a settlement with a mortgage industry data analytics firm (defendant) for allegedly failing to develop, implement, and maintain a comprehensive information security program and ensure third-party vendors are capable of implementing and maintaining appropriate safeguards for customer information in violation of the Gramm-Leach-Bliley Act’s Safeguards Rule. As previously covered by InfoBytes, in December 2020, the FTC alleged that a vendor hired by the defendant stored the unencrypted contents of mortgage documents on a cloud-based server without any protections to block unauthorized access, such as requiring a password. According to the FTC, because the vendor did not implement and maintain appropriate safeguards to protect customer information, the cloud-based server containing the data was improperly accessed approximately 52 times. The FTC claimed, among other things, that the defendant failed to adequately vet its third-party vendors and never took formal steps to evaluate whether the vendors could reasonably protect the sensitive information. Moreover, the defendant’s contracts allegedly did not require vendors to implement appropriate safeguards, nor did the defendant conduct risk assessments of its vendors.

    The settlement requires the defendant to, among other things, implement a comprehensive data security program and undergo biennial assessments conducted by a third party on the effectiveness of its program. Additionally, the defendant must report any future data breaches to the FTC no later than 10 days after it provides notice to any federal, state, or local government entity.

    FTC Commissioner Rebecca Kelly Slaughter provided a lone dissenting statement.

    Federal Issues FTC Enforcement Settlement Mortgages Gramm-Leach-Bliley Safeguards Rule Privacy/Cyber Risk & Data Security Third-Party Vendor Management Data Breach

  • FTC finalizes decision banning respondents from surveillance business

    Federal Issues

    On December 21, the FTC announced a decision banning a data monitoring application and its CEO (collectively, “respondents”) from the surveillance industry. As previously covered by InfoBytes, the respondents allegedly violated Section 5 of the FTC Act by failing to provide reasonable data security for consumers’ personal information. According to the FTC, the respondents allegedly “secretly harvest[ed] and shar[ed] data on people’s live location, web use, and online activities through their product’s hidden device hack,” and sold real-time access to their surveillance system, which allowed stalkers and domestic abusers to “stealthily track” unknowing victims. Under the terms of the final decision, the respondents are: (i) ordered to “immediately disable all access to any information collected by or through a monitored Mobile Device” and immediately stop collecting any data through any app installed before the date of entry of the order; (ii) required to delete any information illegally collected from their apps; (iii) required to notify owners who installed respondents’ apps on their devices that their devices might have been monitored and may not be secure; and (iv) banned from offering, promoting, selling, or advertising any surveillance app, service, or business. The respondents are also required to implement a comprehensive information security program and obtain initial and biennial third-party security assessments.

    Federal Issues FTC Privacy/Cyber Risk & Data Security FTC Act Enforcement UDAP

  • CFPB reaches settlement with online lender

    Federal Issues

    On December 30, the U.S. District Court for the Northern District of California approved the stipulated final judgment and order against a California-based online lender (defendant) for alleged violations of fair lending regulations and a 2016 consent order. As previously covered by InfoBytes, the CFPB filed a complaint against the defendant (the third action taken against the defendant by the CFPB) for allegedly violating the terms of a 2016 consent order related to false claims about its lending program. The 2016 consent order alleged that the defendant engaged in deceptive practices by misrepresenting, among other things, the fees it charged, the loan products that were available to consumers, and whether the loans would be reported to credit reporting companies, in violation of the CFPA, TILA, and Regulation Z (covered by InfoBytes here). According to the September 8 complaint, the defendant continued with much of the same illegal and deceptive marketing that was prohibited by the 2016 consent order. Among other things, the complaint alleged that the defendant violated the terms of the 2016 consent order and various laws by: (i) deceiving consumers about the benefits of repeat borrowing; and (ii) failing to provide timely and accurate adverse-action notices, which is in violation of ECOA and Regulation B.

    The settlement prohibits the defendant from: (i) making new loans; (ii) collecting on outstanding loans to harmed consumers; (iii) selling consumer information; and (iv) making misrepresentations when providing loans or collecting debt or helping others that are doing so. The order also imposes a $100,000 civil money penalty based on the defendant’s inability to pay.

    Federal Issues CFPB Enforcement CFPA TILA ECOA Regulation Z Regulation B Consumer Finance Fair Lending Online Lending UDAAP Deceptive Courts

  • DOJ, FTC ban firm and CEO from negative option marketing

    Federal Issues

    On December 16, the DOJ and the FTC announced that a brokerage firm and its CEO (collectively, “defendants”) must pay $21 million in consumer redress and are permanently banned from engaging in deceptive negative option marketing for allegedly violating, among other things, the FCRA, TSR, and the Restore Online Shoppers’ Confidence Act (ROSCA). According to the FTC’s complaint filed by the DOJ, the defendants claimed that the company’s background reports on certain individuals had particular criminal records, even when they did not include such information, to mislead consumers into signing up for auto-renewing, premium subscriptions. The FTC claimed consumers who allegedly searched the firm’s website for an individual’s background report were shown search results that often falsely implied that the subject of the search may have records of criminal or sexual offenses, which could only be viewed by purchasing a subscription from the firm. The complaint alleged that the firm’s misleading statements resulted in some consumers believing that they, or other individuals, had arrest or criminal records. The complaint further alleged that the firm operated as a consumer reporting agency and violated the FCRA by, among other things, failing to maintain verifiable, reasonable procedures on how its reports would be utilized to ensure the information was accurate and to ensure that the information it sold would be used for legal purposes. Additionally, the defendants allegedly violated the TSR by misrepresenting its refund and cancellation policies. The complaint also alleged that the defendants’ misleading billing practices violated ROSCA by, among other things, failing to clearly disclose upfront charges.

    Under the terms of the settlement, the defendants agreed to separate judgments, which total approximately $33.9 million. The settlement also banned the defendants from engaging in deceptive negative option marketing. The CEO is ordered to pay a total of $5 million, and the firm is ordered to pay a partially suspended judgment of $16 million due to the company’s inability to pay the full amount. Together, the money will be used to provide refunds to consumers. The firm is required to pay the full remaining amount of the judgment if the company is found to have misrepresented its finances and must implement a monitoring program to ensure the company is complying with the FCRA.

    Federal Issues FTC Enforcement DOJ FCRA Telemarketing Sales Rule ROSCA Negative Option

  • Global tech corporation fined for GDPR violations fends off daily fines

    Privacy, Cyber Risk & Data Security

    According to sources, the Luxembourg President of the Administrative Tribunal issued an ordinance on December 17 partially suspending a July decision issued by the Luxembourg National Commission for Data Protection (CNPD) against a global technology corporation for alleged violations of the EU’s General Data Protection Regulation (GDPR). As previously covered by InfoBytes, the CNPD fined the corporation 746 million euros (approximately $888 million USD), issuing a decision against the corporation’s European headquarters, claiming the corporation’s “processing of personal data did not comply with the [GDPR].” The decision, which required corresponding practice revisions, the details of which were not disclosed, followed an investigation started in 2018 when a French privacy group claiming to represent the interests of Europeans filed complaints against several large technology companies to ensure European consumer data is not manipulated for commercial or political purposes. The December ordinance suspends orders that required the corporation to make a number of changes to its data processes by January 15 or risk additional daily fines. Sources stated that the CNPD’s order “had not been formulated in clear, precise and free of uncertainty terms” that would allow the corporation to meet the conditions. The corporation’s appeal is still pending.

    Privacy/Cyber Risk & Data Security Luxembourg Of Interest to Non-US Persons GDPR EU Enforcement

  • CFPB enters proposed final judgment in 2016 structured settlement action

    Federal Issues

    On December 17, the CFPB filed a proposed stipulated final judgment and order in an action accusing defendants of allegedly employing abusive practices when purchasing structured settlements from consumers in exchange for lump-sum payments. As previously covered by InfoBytes, the CFPB filed a complaint in 2016 claiming the defendants (including the company and executive leadership) violated the Consumer Financial Protection Act (CFPA) by encouraging consumers to take advances on their structured settlements and falsely representing that the consumers were obligated to complete the structured settlement sale, “even if they [later] realized it was not in their best interest.” The Bureau also alleged that the defendants “steered consumers to receive ‘independent advice’” from an outside attorney who was paid by the company and “provided purportedly independent professional advice for almost all Maryland consumers who made structured-settlement transfers with [the defendants].” After a series of motions were filed by the parties, including an amended complaint in 2017, the U.S. District Court for the District of Maryland eventually determined that the Bureau could pursue its enforcement action (covered by InfoBytes here).

    Last month, the court entered a stipulated final judgment and order against the attorney, which required that the attorney pay $40,000 in disgorgement and a $10,000 civil money penalty (covered by InfoBytes here). Under the terms of the proposed settlement, the remainder of the defendants would be required to pay $40,000 in disgorgement and a civil penalty of $10,000, and are permanently barred from referring “consumers to a specific individual or for-profit entity for advice concerning any structured-settlement transactions, including for individual professional advice.”

    Federal Issues CFPB Enforcement Structured Settlement UDAAP Abusive Consumer Finance

  • FinCEN, OCC take action against bank for AML violations

    Federal Issues

    On December 16, FinCEN announced an $8 million civil money penalty against a Texas-based bank for violating the Bank Secrecy Act (BSA) and its implementing regulations from at least 2015 to 2019 by allegedly failing to implement and maintain an effective, reasonably designed anti-money laundering (AML) program. According to the consent order, the bank allegedly failed to report hundreds of suspicious transactions to FinCEN involving illegal financial activity by its customers and continued to knowingly process the transactions after becoming aware that certain customers were subjects of criminal investigations. According to FinCEN, the bank’s violations “caused millions of dollars in suspicious transactions to go unreported to FinCEN in a timely and accurate manner, including transactions connected to tax evasion, illegal gambling, money laundering, and other financial crimes.”

    The same day, the OCC announced a $1 million civil money penalty against the bank for “related violations.” According to the OCC’s separate but coordinated investigation with FinCEN, the bank allegedly failed to adopt and implement a BSA/AML system of internal controls to assure ongoing compliance with the BSA and its implementing regulations. According to the consent order, the bank’s alleged internal control deficiencies, and other failures in its BSA/AML compliance program, “resulted in the failure to investigate and disposition alerts and violations of the suspicious activity reporting requirements.” FinCEN’s announcement noted that, “[a]s many of the facts and circumstances underlying the OCC’s civil penalty also form the basis of FinCEN’s Consent Order, FinCEN agreed to credit the $1 million civil penalty imposed by the OCC,” and “[t]aken together, [the bank] will pay a total of $8 million to the U.S. Treasury as a penalty for its violations, with $7 million representing FinCEN’s penalty and $1 million representing the OCC’s penalty.”

    Federal Issues Bank Regulatory Bank Secrecy Act Anti-Money Laundering Enforcement FinCEN OCC Financial Crimes

  • OCC releases enforcement actions

    Federal Issues

    On December 16, the OCC released a list of recent enforcement actions taken against national banks, federal savings associations, and individuals currently or formerly affiliated with such entities. Included in the release is a cease and desist order issued against an Oklahoma-based bank for alleged “unsafe or unsound practices” related “to management and board supervision, strategic and capital planning, risk ratings and loan review, credit administration, and the allowance for loan and lease losses.” Without admitting or denying the claims, the bank is required by the order to, among other things, maintain capital ratios, as defined in and as calculated in accordance with 12 C.F.R. Part 3: (i) “a total capital ratio at least equal to thirteen percent”; and (ii) “a leverage ratio at least equal to nine percent.” The order also provides that the bank must establish a Compliance Committee “to monitor and oversee the Bank’s compliance with the provisions of this [o]rder,” and “will meet at least monthly and maintain minutes of its meetings.”

    Federal Issues Bank Regulatory OCC Enforcement Bank Compliance

  • DFPI takes action against auto loan company

    State Issues

    On December 14, the California Department of Financial Protection and Innovation (DFPI) issued a consent order with an auto title lender, resolving allegations that the company (respondent) violated the Fair Access to Credit Act’s prohibition on making loans of $2,500 to less than $10,000 with interest rates greater than 36 percent. According to the consent order, the respondent was an established auto title lender that entered into an agreement with a Utah state-chartered bank to provide the bank with marketing and servicing services in connection with auto title loans offered to California consumers (Bank Loan Program). The respondent and the bank began offering Bank Loan Program loans to California residents in January 2020. That same month, the Fair Access to Credit Act amended the California Financing Law to prohibit licensed lenders from making loans with principal amounts of $2,500 to less than $10,000 with interest rates greater than 36 percent, plus the Federal Funds Rate. The consent order noted that “some loans made to California borrowers under the Bank Loan Program had principal amounts of $2,500 to less than $10,000 and were at interest rates that exceeded 36% plus the Federal Funds Rate.” The Commission served a subpoena seeking documents and information related to the Bank Loan Program with respect to California borrowers. After DFPI initiated the investigation, the respondent ceased marketing Bank Loan Program loans of less than $10,000 to California borrowers.

    Pursuant to the consent order, the respondent agreed to not market auto title loans of less than $10,000 with interest rates exceeding 36 percent plus the Federal Funds Rate in a program involving a state-chartered bank and to not service such loans until September 2023, unless there is an intervening change in the law or regulation that would otherwise permit it to do so.

    State Issues Licensing DFPI State Regulators Enforcement Consumer Finance California Fair Access to Credit Act California Financing Law
