InfoBytes Blog

Financial Services Law Insights and Observations

  • Global tech corporation fined for GDPR violations fends off daily fines

    Privacy, Cyber Risk & Data Security

    According to sources, the Luxembourg President of the Administrative Tribunal issued an ordinance on December 17 partially suspending a July decision issued by the Luxembourg National Commission for Data Protection (CNPD) against a global technology corporation for alleged violations of the EU’s General Data Protection Regulation (GDPR). As previously covered by InfoBytes, the CNPD fined the corporation €746 million (approximately $888 million USD), issuing a decision against the corporation’s European headquarters, claiming the corporation’s “processing of personal data did not comply with the [GDPR].” The decision—which required corresponding practice revisions, the details of which were not disclosed—followed an investigation started in 2018 when a French privacy group claiming to represent the interests of Europeans filed complaints against several large technology companies to ensure European consumer data is not manipulated for commercial or political purposes. The December ordinance suspends orders that required the corporation to make a number of changes to its data processes by January 15 or risk additional daily fines. Sources stated that the CNPD’s order “had not been formulated in clear, precise and free of uncertainty terms” that would allow the corporation to meet the conditions. The corporation’s appeal is still pending.

    Privacy/Cyber Risk & Data Security Luxembourg Of Interest to Non-US Persons GDPR EU Enforcement

  • CFPB enters proposed final judgment in 2016 structured settlement action

    Federal Issues

    On December 17, the CFPB filed a proposed stipulated final judgment and order in an action accusing defendants of allegedly employing abusive practices when purchasing structured settlements from consumers in exchange for lump-sum payments. As previously covered by InfoBytes, the CFPB filed a complaint in 2016 claiming the defendants (including the company and executive leadership) violated the Consumer Financial Protection Act (CFPA) by encouraging consumers to take advances on their structured settlements and falsely representing that the consumers were obligated to complete the structured settlement sale, “even if they [later] realized it was not in their best interest.” The Bureau also alleged that the defendants “steered consumers to receive ‘independent advice’” from an outside attorney who was paid by the company and “provided purportedly independent professional advice for almost all Maryland consumers who made structured-settlement transfers with [the defendants].” After a series of motions were filed by the parties, including an amended complaint in 2017, the U.S. District Court for the District of Maryland eventually determined that the Bureau could pursue its enforcement action (covered by InfoBytes here).

    Last month, the court entered a stipulated final judgment and order against the attorney, which required that the attorney pay $40,000 in disgorgement and a $10,000 civil money penalty (covered by InfoBytes here). Under the terms of the proposed settlement, the remainder of the defendants would be required to pay $40,000 in disgorgement and a civil penalty of $10,000, and are permanently barred from referring “consumers to a specific individual or for-profit entity for advice concerning any structured-settlement transactions, including for individual professional advice.”

    Federal Issues CFPB Enforcement Structured Settlement UDAAP Abusive Consumer Finance

  • FinCEN, OCC take action against bank for AML violations

    Federal Issues

    On December 16, FinCEN announced an $8 million civil money penalty against a Texas-based bank for violating the Bank Secrecy Act (BSA) and its implementing regulations from at least 2015 to 2019 by allegedly failing to implement and maintain an effective, reasonably designed anti-money laundering (AML) program. According to the consent order, the bank allegedly failed to report hundreds of suspicious transactions to FinCEN involving illegal financial activity by its customers and continued to knowingly process the transactions after becoming aware that certain customers were subjects of criminal investigations. According to FinCEN, the bank’s violations “caused millions of dollars in suspicious transactions to go unreported to FinCEN in a timely and accurate manner, including transactions connected to tax evasion, illegal gambling, money laundering, and other financial crimes.”

    The same day, the OCC announced a $1 million civil money penalty against the bank for “related violations.” According to the OCC’s separate but coordinated investigation with FinCEN, the bank allegedly failed to adopt and implement a BSA/AML system of internal controls to assure ongoing compliance with the BSA and its implementing regulations. According to the consent order, the bank’s alleged internal control deficiencies, and other failures in its BSA/AML compliance program, “resulted in the failure to investigate and disposition alerts and violations of the suspicious activity reporting requirements.” FinCEN’s announcement noted that, “[a]s many of the facts and circumstances underlying the OCC’s civil penalty also form the basis of FinCEN’s Consent Order, FinCEN agreed to credit the $1 million civil penalty imposed by the OCC,” and “[t]aken together, [the bank] will pay a total of $8 million to the U.S. Treasury as a penalty for its violations, with $7 million representing FinCEN’s penalty and $1 million representing the OCC’s penalty.”

    Federal Issues Bank Regulatory Bank Secrecy Act Anti-Money Laundering Enforcement FinCEN OCC Financial Crimes

  • OCC releases enforcement actions

    Federal Issues

    On December 16, the OCC released a list of recent enforcement actions taken against national banks, federal savings associations, and individuals currently or formerly affiliated with such entities. Included in the release is a cease and desist order issued against an Oklahoma-based bank for alleged “unsafe or unsound practices” related “to management and board supervision, strategic and capital planning, risk ratings and loan review, credit administration, and the allowance for loan and lease losses.” Without admitting or denying the claims, the bank is required by the order to, among other things, maintain capital ratios, as defined in and as calculated in accordance with 12 C.F.R. Part 3: (i) “a total capital ratio at least equal to thirteen percent”; and (ii) “a leverage ratio at least equal to nine percent.” The order also provides that the bank must establish a Compliance Committee “to monitor and oversee the Bank’s compliance with the provisions of this [o]rder,” and “will meet at least monthly and maintain minutes of its meetings.”

    Federal Issues Bank Regulatory OCC Enforcement Bank Compliance

  • DFPI takes action against auto loan company

    State Issues

    On December 14, the California Department of Financial Protection and Innovation (DFPI) issued a consent order with an auto title lender, resolving allegations that the company (respondent) violated the Fair Access to Credit Act’s prohibition on making loans of $2,500 to less than $10,000 with interest rates greater than 36 percent. According to the consent order, the respondent was an established auto title lender that entered into an agreement with a Utah state-chartered bank to provide the bank with marketing and servicing services in connection with auto title loans offered to California consumers (Bank Loan Program). The respondent and the bank began offering Bank Loan Program loans to California residents in January 2020. That same month, the Fair Access to Credit Act amended the California Financing Law to prohibit licensed lenders from making loans with principal amounts of $2,500 to less than $10,000 with interest rates greater than 36 percent, plus the Federal Funds Rate. The consent order noted that “some loans made to California borrowers under the Bank Loan Program had principal amounts of $2,500 to less than $10,000 and were at interest rates that exceeded 36% plus the Federal Funds Rate.” The Commission served a subpoena seeking documents and information related to the Bank Loan Program with respect to California borrowers. After DFPI initiated the investigation, the respondent ceased marketing Bank Loan Program loans of less than $10,000 to California borrowers.

    Pursuant to the consent order, the respondent agreed to not market auto title loans of less than $10,000 with interest rates exceeding 36 percent plus the Federal Funds Rate in a program involving a state-chartered bank and to not service such loans until September 2023, unless there is an intervening change in the law or regulation that would otherwise permit it to do so.

    State Issues Licensing DFPI State Regulators Enforcement Consumer Finance California Fair Access to Credit Act California Financing Law

  • SEC settles with company distributing unregistered shares

    Securities

    On December 15, the SEC announced a settlement with a California-based broker-dealer for allegedly unlawfully distributing nearly 100 million unregistered shares of over 50 different low-priced microcap companies, and for the company’s failure to file suspicious activity reports (SARs) regarding those transactions. According to the SEC’s order, the company violated Sections 5(a) and 5(c) of the Securities Act, which “make it unlawful for any person, directly or indirectly, to offer or sell securities by any means or instruments of transportation or communication in interstate commerce unless a registration statement has been filed with the Commission with respect to Section 5(c) and is in effect with respect to Section 5(a),” by engaging in unregistered offers and sales of large blocks of low-priced securities by an offshore customer from January 2017 through September 2018. The order also noted that the company could not rely on an exemption under Section 4(a)(4) of the Securities Act, which would apply to the company “only if, after conducting a reasonable inquiry into the facts surrounding the sales at issue, [the company] was not aware of facts indicating that its offshore customer was engaging in an unlawful distribution of securities,” since the company allegedly failed to conduct a reasonable inquiry. Additionally, the company violated Section 17(a) of the Exchange Act and Rule 17a-8 thereunder by failing to file SARs for certain suspicious transactions that it executed on behalf of its offshore customer. The order, which the company consented to without admitting or denying the findings, imposes a civil money penalty of $1,000,000, a total of $173,508.40 in disgorgement, and $34,332.16 in prejudgment interest. 

    The order also directs the company to engage an independent compliance consultant “to conduct a comprehensive review of, and to report and make recommendations as to, the effectiveness, construction and implementation of [the company’s] supervisory, compliance, and other policies and procedures reasonably designed to prevent violations of the federal securities laws by [the company] and its employees.” The order provides that the company will “cease and desist from committing or causing any violations and any future violations of Sections 5(a) and 5(c) of the Securities Act and Section 17(a) of the Exchange Act and Rule 17a-8 promulgated thereunder.”

    Securities Enforcement SARs SEC

  • Norwegian Data Protection Authority fines U.S. dating app $7.1 million for alleged GDPR violations

    Privacy, Cyber Risk & Data Security

    On December 13, the Norwegian Data Protection Authority issued a reduced administrative fine against a U.S. company operating a GPS-based mobile dating app for allegedly violating the EU’s General Data Protection Regulation (GDPR). The regulator’s 2020 complaint stated that the company allegedly forced users to accept a full privacy policy in order to use the app, rather than providing users the option to independently and specifically consent to the sharing of their data with third parties and the company’s other data processing operations. This consent mechanism, the regulator claimed, “infringed most of the requirements for valid consent” under GDPR Articles 4(11), 6(1)(a), 7 and 9(2)(a). According to the regulator, the company allegedly shared user data with third parties for marketing purposes, including IP addresses, GPS location information, gender, age, and device information, among others, without a valid legal basis and disclosed “special category personal data to advertising partners without a valid exemption.” The regulator reduced the originally proposed $11.1 million fine to approximately $7.2 million, noting that the company’s efforts “to remedy the deficiencies in [its] previous [consent mechanism were] a mitigating factor.” However, the regulator noted that the company benefited financially from its GDPR violations, which was an “aggravating factor” in its deliberations.

    Privacy/Cyber Risk & Data Security GDPR EU Enforcement Norway Of Interest to Non-US Persons

  • FTC settles with advertising platform for COPPA violations

    Federal Issues

    On December 15, the FTC announced a settlement with a California-based online advertising platform for allegedly engaging in deceptive acts or practices and violating the Children’s Online Privacy Protection Act Rule (COPPA). (See also DOJ press release here.) According to the FTC, the defendant operates a programmatic advertising exchange that monetizes websites and mobile apps through the sale of ad space. The defendant also contracts with advertising technology companies that aggregate and sell advertising inventory for publishers and then send the defendant ad requests. The DOJ, on behalf of the FTC, filed a complaint claiming the defendant, among other things, violated COPPA by collecting personal information about children under the age of 13 without notifying their parents and obtaining their consent. Additionally, the FTC claimed that while the defendant’s privacy policy provided users the option to opt-out of the collection of their location data, the defendant still allegedly collected geolocation information from users who specifically asked not to be tracked. The FTC stated that the defendant reviewed hundreds of apps that were directed to children under 13, but did not flag the apps or their data as “child-directed” and permitted the apps to participate in the ad exchange. In addition, the FTC claimed that the defendant allegedly disclosed this personal data to third parties for ads targeted at users of these child-directed apps.

    Under the stipulated final order, the defendant must, among other terms, (i) implement a comprehensive privacy program to ensure compliance with COPPA and stop collecting and retaining personal information from children under 13 without verifiable parental consent; (ii) stop misrepresenting a user’s ability to opt-out of the collection of personal information and location information (collectively, “covered information”) and confirm that a user has provided affirmative consent for the collection of location information; (iii) implement safeguards to protect covered information and conduct annual reviews to assess for internal and external risks to the privacy of covered information that could lead to unauthorized access; (iv) engage a third party to conduct biennial privacy assessments; (v) delete all ad request data collected to serve targeted ads prior to the issuance of the order; and (vi) periodically re-review apps to identify those that are directed towards children and ban these apps from its ad exchange. The order also provides for a $7.5 million penalty that will be suspended upon payment of $2 million due to the defendant’s inability to pay the full amount.

    Federal Issues FTC Enforcement Privacy/Cyber Risk & Data Security COPPA UDAP FTC Act DOJ

  • CFPB’s debt-collection suit can proceed

    Courts

    On December 13, the U.S. District Court for the District of Delaware ruled that the CFPB can proceed with its 2017 enforcement action against a collection of Delaware statutory trusts and their debt collector for, among other things, allegedly filing lawsuits against consumers for private student loan debt that they could not prove was owed or that was outside the applicable statute of limitations. (Covered by InfoBytes here.) According to the court’s opinion, the U.S. Supreme Court’s decision in Seila Law v. CFPB (which determined that the director’s for-cause removal provision was unconstitutional but was severable from the statute establishing the Bureau—covered by a Buckley Special Alert) upended its previous dismissal of the case, which had held that the Bureau lacked enforcement authority to bring the action when its structure was unconstitutional. The court also previously ruled that the Bureau’s claims were barred by the statute of limitations and that former Director Kathy Kraninger’s subsequent ratification of the action came after the limitations period had expired. (Covered by InfoBytes here.) 

    In now finding that the CFPB can proceed with the 2017 enforcement action, the court rejected the statute of limitations argument because, under the Supreme Court’s ruling that unconstitutional removal protections do not automatically void agency actions, the Bureau’s action in 2017 was valid and it stopped the three-year clock when it sued. While the court recognized the defendants’ argument that the Bureau first discovered the alleged violations on September 4, 2014, when it issued a civil investigative demand and then sued on September 18, 2017 (allegedly exceeding the three-year limit by two weeks), the court noted that at this stage it could not find a time bar because nothing on the “face of the complaint” supports the defendants’ argument that the allegations are untimely.

    The court also held that the Bureau did not need to ratify the suit. Pointing to the majority opinion in the Supreme Court’s decision in Collins v. Yellen (covered by InfoBytes here), the court stated that “‘an unconstitutional removal restriction does not invalidate agency action so long as the agency head was properly appointed[,]’” and therefore the agency’s actions are not void and do not need to be ratified, unless a plaintiff can show that “the agency action would not have been taken but for the President’s inability to remove the agency head.” The court wrote: “This suit would have been filed even if the director had been under presidential control. It has been litigated by five directors of the CFPB, four of whom were removable at-will by the President. . . . And the CFPB did not change its litigation strategy once the removal protection was eliminated. This is strong evidence that this suit would have been brought regardless.”

    The court also disagreed with the defendants’ argument that, as trusts, they are not “covered persons” under the Consumer Financial Protection Act (CFPA). While the defendants argued that they used subservicers to collect debt and therefore did not “engage in” providing services listed in the CFPA, the court stated that the trusts were still “engaged” in their business and the alleged misconduct even though they contracted it out. “[I]f Congress wanted to allow enforcement against only those who directly engage in offering or providing consumer financial services, it could have said so,” the court said.

    Courts CFPB Enforcement Consumer Finance Seila Law Student Lending U.S. Supreme Court CFPA UDAAP

  • SEC, CFTC settle with national bank’s subsidiary

    Securities

    On December 17, the SEC announced charges against a subsidiary limited liability company of a national bank for Securities Exchange Act violations because the firm and its employees allegedly failed to maintain recordkeeping requirements. According to the order, from at least January 2018 through at least November 2020, the company’s employees communicated about securities business matters on their personal devices, using text messaging applications and personal email accounts. These communications were not maintained or preserved by the company, and some were not able to be furnished promptly to a Commission representative when requested, allegedly in violation of Section 17(a) of the Exchange Act and Rules 17a-4(b)(4) and 17a-4(j) thereunder. Additionally, the company’s “widespread failure to implement its policies and procedures which forbid such communications led to its failure to reasonably supervise its employees within the meaning of Section 15(b)(4)(E) of the Exchange Act.” The company received subpoenas for documents and records requests in numerous Commission investigations during the time that it failed to maintain required securities records relating to the business. In its response to the subpoena requests, the bank allegedly did not search for relevant records contained on the personal devices of its employees.

    The order further noted that because the company’s “recordkeeping failures impacted the Commission’s ability to carry out its regulatory functions and investigate potential violations of the federal securities laws across these investigations, the Commission was often deprived of timely access to evidence and potential sources of information for extended periods of time and, in some instances, permanently.” According to the SEC, the company admitted the facts set forth in the SEC’s order and acknowledged that its conduct violated the federal securities laws, and agreed to: (i) pay a $125 million penalty; (ii) implement robust improvements to its compliance policies and procedures, including retaining “a compliance consultant to, among other things, conduct a comprehensive review of its policies and procedures relating to the retention of electronic communications found on personal devices and [the company’s] framework for addressing non-compliance by its employees with those policies and procedures”; and (iii) cease and desist from committing or causing any violations and any future violations of Section 17(a) of the Exchange Act and Rule 17a-4 thereunder.

    The same day, the CFTC announced a $75 million settlement with the company, the national bank, and its public limited company (collectively, “respondents”) for allegedly failing to maintain, preserve, and produce records that were required to be kept under CFTC recordkeeping requirements, and failing to diligently supervise matters associated with its businesses as CFTC registrants. According to the CFTC order, from at least 2015, the respondents’ employees internally and externally communicated on unapproved channels, and had messages related to the respondents’ businesses as CFTC registrants that were required to be maintained under CFTC-mandated recordkeeping requirements. The order also noted that the written communications were not maintained and preserved by the respondents, and they were not able to be furnished promptly to a CFTC representative when requested. The order further alleged that the widespread use of unauthorized communication methods by the respondents’ employees to conduct firm business violated their own policies and procedures. The respondents also did not maintain adequate internal controls with respect to business-related communications on non-approved communication methods. The order requires the respondents to pay a $75 million civil monetary penalty, to cease and desist from further violations of recordkeeping and supervision requirements, and to engage in specified remedial undertakings.

    Securities SEC Enforcement CFTC Securities Exchange Act
