
InfoBytes Blog

Financial Services Law Insights and Observations


  • Bank to pay $1 billion to settle investors’ compliance claims

    Courts

    Last month, the U.S. District Court for the Southern District of New York preliminarily approved a securities litigation settlement that would require a national bank to pay $1 billion to resolve class claims that it misrepresented its progress in overhauling its internal controls and compliance processes. The required overhauls relate to consent orders entered between the bank and its regulators in 2018 concerning alleged improper banking practices and corporate oversight deficiencies. The settlement would resolve investors’ claims that the bank’s allegedly misleading statements artificially inflated the price of the bank’s common stock, which declined when additional information was revealed. The bank expressly denies that the lead plaintiffs “have asserted any valid claims,” and denies “any and all allegations of fault, liability, wrongdoing, or damages.” If granted final approval, the bank would be required to pay $1 billion into a fund to be distributed to certain affected investors.

    Courts Securities Compliance Class Action

  • OCC releases enforcement actions

    On May 18, the OCC released a list of recent enforcement actions taken against national banks, federal savings associations, and individuals currently and formerly affiliated with such entities. Among the enforcement actions is a consent order against an Indiana-based bank for allegedly engaging in unsafe or unsound practices relating to, among other things, its strategic and capital planning, risk management processes, audit program, and consumer compliance program (including alleged violations of TILA and Regulation Z). In addition to complying with measures to address the alleged deficiencies, the bank (which neither admits nor denies the allegations) is also required to submit written consumer compliance policies and procedures designed to ensure compliance with TILA and Regulation Z. The bank also must undergo an independent compliance review and audit and ensure bank officers and employees are appropriately trained.

    Bank Regulatory Federal Issues OCC Enforcement TILA Regulation Z Compliance

  • CFPB issues guide on collecting small-biz data

    Agency Rule-Making & Guidance

The CFPB recently issued a compliance guide for its final rule implementing Section 1071 of the Dodd-Frank Act. Consistent with Section 1071, the final rule (issued at the end of March) will require financial institutions to collect and provide to the Bureau data on lending to small businesses, defined as an entity with gross revenue under $5 million in its last fiscal year (covered by InfoBytes here). The guide: (i) includes a detailed summary of the final rule’s requirements, including data reporting deadlines; (ii) provides comprehensive information on the types of data financial institutions need to collect and report on small business lending applications and decisions; and (iii) includes parameters for covered institutions and covered originations. The guide further breaks down reportable data points and explains the final rule’s “firewall” provision, which states that employees and officers of a financial institution or its affiliates “involved in making any determination” on a reportable application are generally prohibited from accessing applicant demographic information relating to ethnicity, race, sex, and status as a minority-owned, women-owned, or LGBTQI+-owned business. The guide specifies that certain exceptions may apply to situations where an employee involved in decision-making must have access to the data to fulfill their assigned job duties (e.g., a loan officer or loan processor). In these situations, financial institutions are required to provide notice to applicants that employees and officers involved in decision-making may have access to their demographic data.

    Agency Rule-Making & Guidance Federal Issues CFPB Small Business Small Business Lending Section 1071 Dodd-Frank Compliance

  • FDIC issues 2023 Consumer Compliance Supervisory Highlights

    On April 5, the FDIC released the March 2023 edition of the Consumer Compliance Supervisory Highlights, which is intended to “enhance transparency regarding the FDIC’s consumer compliance supervisory activities and to provide a high-level overview of consumer compliance issues identified in 2022 through the FDIC’s supervision of state non-member banks and thrifts.” In 2022, the FDIC conducted approximately 1,000 consumer compliance examinations and noted that “[o]verall, supervised institutions demonstrated effective management of their consumer compliance responsibilities.” The agency also initiated 21 formal enforcement actions and 10 informal enforcement actions addressing consumer compliance examination observations and issued civil money penalties totaling $1.3 million against institutions to address violations of the Flood Disaster Protection Act (FDPA), RESPA Section 8, FCRA, and Section 5 of the FTC Act, with an additional $13.6 million in voluntary restitutions to consumers. Additionally, the FDIC referred 12 fair lending matters to the DOJ in 2022. Covered topics include:

    • An overview of the most frequently cited violations, with approximately 73 percent of total violations involving TILA, Reg Z, Section 5 of the FTC Act, the FDPA, EFTA, and the Truth in Savings Act, with violations of Section 5 of the FTC Act (which prohibits unfair or deceptive acts or practices) moving up as a top-five violation.
    • An overview of issues found during examinations involving institutions that purchased “trigger leads” but did not provide consumers with a firm offer of credit. Among other things, examiners identified occurrences where representatives failed to comply with FCRA disclosure requirements during sales calls by not communicating, among other things, that an offer of credit was being made.
    • Findings where institutions “unilaterally applied excess interest to the servicemember’s principal loan balance without giving the servicemember an option of how to receive the funds”—a violation of the SCRA’s anti-acceleration provision.
    • Information on regulatory developments, including recent FDIC actions and efforts to (i) address appraisal bias; (ii) modernize the Community Reinvestment Act; (iii) remind creditors that they may establish special purpose credit programs under ECOA to meet the credit needs of certain classes of persons; (iv) implement a supervisory approach, consistent with the CFPB’s approach, for FDIC-supervised institutions with respect to reporting HMDA data; (v) provide revised information on flood insurance compliance responsibilities; (vi) address occurrences where persons misuse the FDIC’s name or logo, or make false or misleading representations about deposit insurance; (vii) assess crypto-asset-related activities; (viii) adopt revised guidelines for appeals of material supervisory determinations; and (ix) address compliance risks associated with multiple re-presentment of NSF fees.
    • A summary of consumer compliance resources available to financial institutions.
    • An overview of consumer complaint trends.

    Bank Regulatory Federal Issues FDIC Consumer Finance Supervision Compliance examin

  • California’s privacy agency finalizes CPRA regulations

    Privacy, Cyber Risk & Data Security

    On February 3, the California Privacy Protection Agency (CPPA) Board voted unanimously to adopt and approve updated regulations for implementing the California Privacy Rights Act (CPRA). The proposed final regulations will now go to the Office of Administrative Law, which will have 30 working days to review and approve or disapprove the regulations. As previously covered by InfoBytes, the CPRA (largely effective January 1, 2023, with enforcement delayed until July 1, 2023) was approved by ballot measure in November 2020 to amend and build on the California Consumer Privacy Act (CCPA). In July 2022, the CPPA initiated formal rulemaking procedures to adopt proposed regulations implementing the CPRA, and in November the agency posted updated draft regulations (covered by InfoBytes here and here).

    According to the CPPA’s final statement of reasons, the proposed final regulations (which are substantially similar to the version of the proposed regulations circulated in November) address comments received from stakeholders, and include the following modifications from the initial proposed text:

    • Amending certain definitions. The proposed changes would, among other things, modify the definition of “disproportionate effort” to apply to service providers, contractors, and third parties in addition to businesses, as such term is used throughout the regulations, to limit the obligation of businesses (and other entities) with respect to certain consumer requests. The term is further defined as “when the time and/or resources expended to respond to the request significantly outweighs the reasonably foreseeable impact to the consumer by not responding to the request,” and has been modified “to operationalize the exception to complying with certain CCPA requests when it requires ‘disproportionate effort.’” The proposed changes also introduce the definition of “unstructured” personal information, which describes personal information that could not be retrieved or organized in a predefined manner without disproportionate effort on the part of the business, service provider, contractor, or third party as it relates to the retrieval of text, video, and audio files.
    • Outlining restrictions on how a consumer’s personal information is collected or used. The proposed changes outline factors for determining whether the collection or processing of personal information is consistent with a consumer’s “reasonable expectations.” The modifications also add language explaining how a business should “determine whether another disclosed purpose is compatible with the context in which the personal information was collected,” and present factors such as the reasonable expectation of the consumer at the time of collection, the nature of the other disclosed purpose, and the strength of the link between such expectation and the nature of the other disclosed purpose, for assessing compatibility. Additionally, a section has been added to reiterate requirements “that a business’s collection, use, retention, and/or sharing of a consumer’s personal information must be ‘reasonably necessary and proportionate’ for each identified purpose.” The CPPA explained that this guidance is necessary for ensuring that businesses do not create unnecessary and disproportionate negative impacts on consumers.
    • Providing disclosure and communications requirements. The proposed changes also introduce formatting and presentation requirements, clarifying that disclosures must be easy to read and understandable and conform to applicable industry standards for persons with disabilities, that conspicuous links on websites should appear in a similar manner as other similarly-posted links, and, for mobile applications, that conspicuous links should be accessible in the business’s privacy policy.
    • Clarifying requirements for consumer requests and obtaining consumer consent. Among other things, the proposed changes introduce technical requirements for the design and implementation of processes for obtaining consumer consent and fulfilling consumer requests, including but not limited to “symmetry-in-choice,” which prohibits businesses from creating more difficult or time-consuming paths for more privacy-protective options than the paths to exercise less privacy-protective options. The modifications also provide that businesses should avoid choice architecture that impairs or interferes with a consumer’s ability to make a choice, as “consent” under the CCPA requires that it be freely given, specific, informed, and unambiguous. Moreover, the statutory definition of a “dark pattern” does not require that a business “intend to design a user interface to have the substantial effect of subverting or impairing consumer choice.” Additionally, businesses that are aware of, but do not correct, broken links and nonfunctional email addresses may be in violation of the regulation.
    • Amending business practices for handling consumer requests. The revisions clarify that a service provider and contractor may use self-service methods that enable the business to delete personal information that the service provider or contractor has collected pursuant to a written contract with the business (additional clarification is also provided on how a service provider or contractor’s obligations apply to the personal information collected pursuant to its written contract with the business). Businesses can also provide a link to resources that explain how specific pieces of personal information can be deleted.
    • Amending requests to correct/know. Among other things, the revisions add language to allow “businesses, service providers, and contractors to delay compliance with requests to correct, with respect to information stored on archived or backup systems until the archived or backup system relating to that data is restored to an active system or is next accessed or used.” Consumers will also be required to make a good-faith effort to provide businesses with all necessary information available at the time of a request. A section has also been added, which clarifies “that implementing measures to ensure that personal information that is the subject of a request to correct remains corrected factors into whether a business, service provider, or contractor has complied with a consumer’s request to correct in accordance with the CCPA and these regulations.” Modifications have also been made to specify that a consumer can request that a business disclose their personal information for a specific time period, and changes have been made to provide further clarity on how a service provider or contractor’s obligations apply to personal information collected pursuant to a written contract with a business.
    • Amending opt-out preference signals. The proposed changes clarify that the requirement to process opt-out preference signals applies only to businesses that sell or share personal information. Language has also been added to explain that “the opt-out preference signal shall be treated as a valid request to opt-out of sale/sharing for any consumer profile, including pseudonymous profiles, that are associated with the browser or device for which the opt-out preference signal is given.” When consumers do not respond to a business’s request for more information, a “business must still process the request to opt-out of sale/sharing” to ensure that “a business’s request for more information is not a dark pattern that subverts consumer’s choice.” Additionally, businesses should not interpret the absence of an opt-out preference signal as a consumer’s consent to opt in to the sale or sharing of personal information.
    • Amending requests to opt-out of sale/sharing. The revisions, among other things, clarify that, at a minimum, a business shall allow consumers to submit requests to opt-out of sale/sharing through an opt-out preference signal and through one of the following methods: an interactive form accessible via the “Do Not Sell or Share My Personal Information” link, the Alternative Opt-out Link, or the business’s privacy policy. The revisions also make various changes related to service provider, contractor, and third-party obligations.
    • Clarifying requests to limit use and disclosure of sensitive personal information. The regulations require businesses to provide specific disclosures related to the collection, use, and rights of consumers for limiting the use of sensitive personal information in certain cases, including, among other things, requiring the use of a link to “Limit the Use of My Sensitive Personal Information” and honoring any limitations within 15 business days of receipt. The regulations also provide specific enumerated business uses where the right to limit does not apply, including to ensure physical safety and to prevent, detect, and investigate security incidents.

    The proposed final regulations also clarify when businesses must provide a notice of right to limit, modify how the alternative opt-out link should be presented, provide clarity on how businesses should address scenarios in which opt-out preference signals may conflict with financial incentive programs, make changes to service provider, contractor, and third party obligations regarding the collection of personal information, as well as contract requirements, provide clarity on special rules applicable to consumers under 16 years of age, and modify provisions related to investigations and enforcement.
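    The opt-out preference signal rules summarized above (honor the signal for the browser or device profile, including pseudonymous profiles; process it even when the consumer does not answer a follow-up request for more information; never read the absence of a signal as opt-in) translate directly into server-side state handling. The following is an added illustration, not code from this post or from the CPPA’s regulations. It assumes the signal is the Global Privacy Control HTTP header (`Sec-GPC: 1`); the registry, profile, and function names are hypothetical, and the profiles it stores are constructed in memory for the example.

```python
"""
Server-side handling of an opt-out preference signal, assumed here to be the
Global Privacy Control header (Sec-GPC: 1). Hypothetical example code; the
registry is an in-memory stand-in for a real profile store.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional


class OptOutState(Enum):
    UNKNOWN = "unknown"        # no signal and no explicit choice; this is NOT consent
    OPTED_OUT = "opted_out"
    OPTED_IN = "opted_in"      # reachable only through an affirmative consumer action


@dataclass
class Profile:
    profile_id: str            # pseudonymous browser/device key, or a linked account id
    state: OptOutState = OptOutState.UNKNOWN


class OptOutRegistry:
    """Per-profile opt-out state (constructed in memory for this example)."""

    def __init__(self) -> None:
        self._profiles: Dict[str, Profile] = {}

    def get(self, profile_id: str) -> Profile:
        # a profile the business has never seen starts as UNKNOWN, never OPTED_IN
        return self._profiles.setdefault(profile_id, Profile(profile_id))

    def record_opt_in(self, profile_id: str) -> Profile:
        # the only path to OPTED_IN: an explicit, unambiguous consumer choice
        profile = self.get(profile_id)
        profile.state = OptOutState.OPTED_IN
        return profile

    def record_opt_out(self, profile_id: str) -> Profile:
        profile = self.get(profile_id)
        profile.state = OptOutState.OPTED_OUT
        return profile


def signal_present(headers: Dict[str, str]) -> bool:
    """True when the request carries the assumed signal; header names are case-insensitive."""
    normalized = {name.lower(): value.strip() for name, value in headers.items()}
    return normalized.get("sec-gpc") == "1"


def apply_opt_out_signal(
    registry: OptOutRegistry,
    device_id: str,
    headers: Dict[str, str],
    sells_or_shares: bool = True,
    linked_account_id: Optional[str] = None,
) -> OptOutState:
    """
    Apply the signal to the pseudonymous device profile. If the consumer answered a
    request for more information by linking an account, the opt-out is extended to
    that account profile as well; if they did not answer, the device profile is
    still opted out. Returns the device profile's resulting state.
    """
    device = registry.get(device_id)
    if not sells_or_shares:
        return device.state        # the processing obligation applies only to sale/sharing
    if signal_present(headers):
        registry.record_opt_out(device_id)
        if linked_account_id is not None:
            registry.record_opt_out(linked_account_id)
    # no signal: state is left untouched; absence is never promoted to OPTED_IN
    return device.state


def may_sell_or_share(registry: OptOutRegistry, profile_id: str) -> bool:
    """Gate for any downstream sale/sharing: only an explicit opt-in permits it."""
    return registry.get(profile_id).state is OptOutState.OPTED_IN


if __name__ == "__main__":
    reg = OptOutRegistry()
    print(apply_opt_out_signal(reg, "dev-1", {"Sec-GPC": "1"}))   # OptOutState.OPTED_OUT
    print(apply_opt_out_signal(reg, "dev-2", {}))                 # OptOutState.UNKNOWN
    print(may_sell_or_share(reg, "dev-2"))                        # False
```

    The design point is the three-valued state: a two-valued boolean defaulting to "allowed" is exactly the pattern the regulations prohibit, because a device that has never sent a signal would then be treated as having consented. Keeping UNKNOWN distinct from OPTED_IN, and gating every sale or sharing decision on OPTED_IN alone, makes the absence of a signal inert by construction.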

    Separately, on February 10, the CPPA posted a preliminary request for comments on cybersecurity audits, risk assessments, and automated decisionmaking to inform future rulemaking. Among other things, the CPPA is interested in learning about steps it can take to ensure cybersecurity audits are “thorough and independent,” what content should be included in a risk assessment (including whether the CPPA should adopt the approaches in the EU GDPR and/or Colorado Privacy Act), and how “automated decisionmaking technology” is defined in other laws and frameworks. The CPPA noted that this invitation for comments is not a proposed rulemaking action, but rather serves as an opportunity for information gathering. Comments are due March 27.

    Privacy, Cyber Risk & Data Security State Issues California CCPA CPPA CPRA Compliance State Regulators Opt-Out Consumer Protection

  • CFPB issues HMDA reference chart for 2023

    Federal Issues

    On February 9, the CFPB published the 2023 Reportable HMDA Data: A regulatory and reporting overview reference chart. The chart serves as a reference tool for data points that are required to be collected, recorded, and reported under Regulation C, as amended by HMDA rules, which were most recently issued in April 2020 (covered by InfoBytes here). The chart also provides relevant regulation and commentary sections and guidance for when to report “not applicable or exempt” as found in Section 4.2.2 of the 2022 Filing Instructions Guide. The Bureau notes that the “chart does not provide data fields or enumerations used in preparing the HMDA loan/application register (LAR).” For additional information on preparing the HMDA LAR, financial institutions should consult FFIEC guidance here.

    Federal Issues CFPB HMDA Mortgages Compliance

  • California investigating mobile apps’ CCPA compliance

    Privacy, Cyber Risk & Data Security

    On January 27, the California attorney general announced an investigation into mobile applications’ compliance with the California Consumer Privacy Act (CCPA). The AG sent letters to businesses in the retail, travel, and food service industries that maintain popular mobile apps that allegedly fail to comply with consumer opt-out requests or do not offer mechanisms for consumers to delete personal information or stop the sale of their data. The investigation also focuses on businesses that fail to process consumer opt-out and data-deletion requests submitted through an authorized agent, as required under the CCPA. “On this Data Privacy Day and every day, businesses must honor Californians’ right to opt out and delete personal information, including when those requests are made through an authorized agent,” the AG said, adding that authorized agent requests include “those sent by Permission Slip, a mobile application developed by Consumer Reports that allows consumers to send requests to opt out and delete their personal information.” The AG encouraged the tech industry to develop and adopt user-enabled global privacy controls for mobile operating systems to enable consumers to stop apps from selling their data.

    As previously covered by InfoBytes, the CCPA was enacted in 2018 and took effect January 1, 2020. The California Privacy Protection Agency is currently working on draft regulations to implement the California Privacy Rights Act, which largely became effective January 1, to amend and build upon the CCPA. (Covered by InfoBytes here.)

    Privacy, Cyber Risk & Data Security State Issues State Attorney General California CCPA Compliance Opt-Out Consumer Protection CPRA

  • Danish financial institution fined $2 billion for anti-money-laundering compliance failures

    Financial Crimes

    On December 13, a Danish global financial institution pled guilty to conspiring to commit bank fraud and agreed to forfeit approximately $2 billion. According to court documents, the financial institution defrauded U.S. banks at which it held correspondent accounts by misrepresenting the state of its AML controls and transaction monitoring capabilities. According to the Department of Justice, between 2008 and 2016, the financial institution offered banking services through its Estonia branch, including a business line serving non-resident customers (known as “NRP”). The Estonia branch allowed NRP customers to transfer large amounts of money with little to no oversight, and branch employees conspired with NRP customers to hide the true nature of the transactions, including through the use of shell companies that obscured the actual owners of the funds. During this period, the Estonia branch processed $160 billion through U.S. banks on behalf of NRP customers.

    The financial institution and its Estonia branch were required to provide information to U.S. banks in order to open and maintain correspondent accounts. This included information related to AML controls, transaction monitoring, and customers. By at least February 2014, the financial institution became aware of some NRP customers who were engaged in highly suspicious and potentially criminal transactions, including through U.S. banks. The DOJ noted that the financial institution was also aware that the Estonia branch’s AML program and procedures were not appropriate to meet the risks associated with NRP customers, but instead of providing truthful information, the financial institution lied about the state of the Estonia branch’s AML compliance program.

    Under the terms of the plea agreement, the bank has agreed to a criminal forfeiture of $2.059 billion. The bank will also enter into separate criminal or civil resolutions with domestic and foreign authorities. The DOJ will credit approximately $850 million in payments made by the financial institution to resolve related parallel investigations by other domestic and foreign authorities. The DOJ noted that the financial institution “received full credit for cooperation and remediation because it provided full cooperation with the investigation and demonstrated recognition and affirmative acceptance of responsibility for its criminal conduct.”

    The same day, the SEC announced fraud charges against the financial institution in connection with a related, parallel proceeding. The financial institution agreed to pay roughly $413 million, including a $178.6 million civil monetary penalty, as well as $178.6 million in disgorgement and $55.8 million in prejudgment interest. The SEC said it will deem the disgorgement and prejudgment interest satisfied by forfeiture and confiscation ordered in parallel criminal cases with the DOJ, the United States Attorney’s Office for the Southern District of New York, and Denmark’s Special Crime Unit.

    Financial Crimes Securities SEC DOJ Of Interest to Non-US Persons Anti-Money Laundering Compliance Denmark

  • FTC extends compliance on some Safeguards provisions

    Federal Issues

    On November 15, the FTC announced that covered financial institutions now have until June 9, 2023, to comply with certain updated Safeguards Rule requirements. The Commission issued this extension based on reports, including a letter from the SBA’s Office of Advocacy, that a shortage of qualified personnel to implement financial institutions’ information security programs and supply chain issues could delay security system upgrades.

    As previously covered by InfoBytes, in October 2021, the FTC issued a final rule updating the Safeguards Rule to strengthen data security protections for consumer financial information following widespread data breaches and cyberattacks. Among other things, the final rule added specific criteria financial institutions and other entities, such as mortgage brokers, motor vehicle dealers, and payday lenders, must undertake when conducting a risk assessment and implementing an information security program. Among other requirements, these include implementing provisions related to access controls, data inventory and classification, authentication, encryption, disposal procedures, and incident response. The final rule also added measures to ensure employee training and service provider oversight are effective and expanded the definition of “financial institution” to include “entities engaged in activities that the Federal Reserve Board determines to be incidental to financial activities.” Included in the definition are “finders” (i.e. companies that bring together buyers and sellers of products or services that fall within the scope of the Safeguards Rule). While many provisions of the Safeguards Rule became effective 30 days after publication in the Federal Register, certain other provisions, including requirements applicable to covered financial institutions, were set to take effect December 9, 2022.

    Federal Issues Privacy, Cyber Risk & Data Security Agency Rule-Making & Guidance Safeguards Rule FTC Compliance

  • VA proposes amendments to IRRRL requirements

    Agency Rule-Making & Guidance

    On November 1, the Department of Veterans Affairs (VA) published a proposed rule in the Federal Register, which would amend the agency’s rules on VA-backed interest rate reduction refinancing loans (IRRRLs). Specifically, the proposed amendments would update existing VA IRRRL regulations to meet current statutory requirements for determining whether the agency can guarantee or insure a refinance loan. The amendments would modify current regulations to reflect requirements related to, among other things, net tangible benefit, recoupment, and seasoning standards. Additionally, due to confusion among program participants, VA is proposing clarifications to minimize the risk of lender noncompliance, thereby safeguarding veterans, easing lender concerns, reducing potential instability in the secondary loan market, and insulating taxpayers from unnecessary financial risk. Comments on the proposed rule are due January 3, 2023.

    Agency Rule-Making & Guidance Federal Issues Department of Veterans Affairs IRRRL Compliance
