InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Crypto company settles NY AG’s hidden-fee claims
On May 18, the New York attorney general announced a settlement with a Brooklyn-based cryptocurrency company to resolve claims that it charged investors “exorbitant and undisclosed fees” to store cryptocurrency in an account that was advertised as being free on its website. The fees charged to investors to use its wallet storage were allegedly so high that they completely cleaned out investors’ accounts, the AG said. The company agreed to the AG’s findings that it regularly charged and increased fees without properly notifying investors. According to the AG’s investigation, the company changed the wallet storage fee structure four times without clearly disclosing the fee increase, which led to some investors being charged fees equal to 96 percent of the value of their account holdings. In total, the company took approximately $4.25 million from investors. The AG maintained that the company also failed to register as a commodity broker dealer in the state for a period of time, and that while it was eventually granted a virtual currency license pursuant to 23 NYCRR Part 200, it failed to file a registration statement. Under the terms of the assurance of discontinuance, the company is required to pay $508,910 in restitution to the state and provide full restitution to all investors who were misled. The company is also required to provide monthly refund status updates to the AG, limit the amount of fees charged for using its wallet service to 0.002 percent per cryptocurrency per month for at least five years, and ensure that it adequately discloses all fees to investors.
Default judgment entered against provider of immigration bonds
The U.S. District Court for the Western District of Virginia recently entered default judgment against defendants accused of misrepresenting the cost of immigration bond services and deceiving migrants to keep them paying monthly fees by making false threats of deportation for failure to pay. As previously covered by InfoBytes, the defendants—a group of companies providing immigration bond products or services for non-English speaking U.S. Immigration and Customs Enforcement detainees—were sued by the CFPB and state attorneys general from Massachusetts, New York, and Virginia in 2021 for allegedly engaging in deceptive and abusive acts and practices in violation of the Consumer Financial Protection Act (CFPA). The defendants argued that the court lacked subject matter jurisdiction because the Bureau did not have authority to enforce the CFPA since the defendants are regulated by state insurance regulators and are merchants, retailors, or sellers of nonfinancial goods or services. However, the court disagreed, explaining that “limitations on the CFPB’s regulatory authority do not equate to limitations on this court’s jurisdiction.” (Covered by InfoBytes here.)
As explained in the court’s opinion, last year the plaintiffs filed a motion for sanctions and for an order to show cause why the court should not hold the defendants in contempt for actions relating to several ongoing discovery disputes. The court determined that the defendants failed to demonstrate that “factors other than obduracy and willfulness” led to their failure to comply with multiple discovery orders and that the defendants engaged in a “pattern of knowing noncompliance with numerous orders of the court.” These delays, the court said, have significantly harmed the plaintiffs in their ability to prepare their case. Finding each defendant in civil contempt of court, the court also entered a default judgment against the defendants, citing them for discovery violations in other cases. The court set June deadlines for briefs on remedies and damages.
New York proposes “landmark” crypto legislation
On May 5, New York Attorney General Letitia James announced proposed legislation to increase oversight of the cryptocurrency industry. Calling the “landmark legislation” the “strongest and most comprehensive set of regulations on cryptocurrency in the nation,” James said the bill would increase transparency, eliminate conflicts of interest, and impose “commonsense” investor protection measures consistent with other financial services regulations. Among other things, the bill would strengthen NYDFS’ regulatory authority over digital assets and codify the Department’s ability to license digital asset brokers, marketplaces, investment advisors, and issuers prior to engaging in business in the state. NYDFS would also be given jurisdiction to enforce violations of law within the crypto industry, including by issuing subpoenas; imposing civil penalties of $10,000 per violation per individual or $100,000 per violation per firm; collecting restitution, damages, and penalties; and shutting down businesses found to be engaging in fraud and illegal activities.
The bill would also strengthen investor protections by enacting and codifying “know-your-customer” protections, “[b]anning the use of the term ‘stablecoin’ to describe or market digital assets unless they are backed 1:1 with U.S. currency or high-quality liquid assets as defined in federal regulations,” and requiring crypto platforms to reimburse victims of fraud, similar to a bank’s responsibility under the EFTA. Other provisions would, among other things, (i) implement protections to stop conflicts of interest, including by preventing common ownership of crypto issuers, marketplaces, brokers, and investment advisers and preventing such persons from engaging in more than one of those activities; and (ii) require public reporting of financial statements to increase transparency and mandate that companies be required to undergo independent audits and publish audited financial statements, among other things.
The proposed bill will be submitted by the attorney general’s office to the New York Senate and Assembly for their consideration during the 2023 legislative session.
New York AG releases guide for businesses to protect consumer’s personal information
On April 19, the New York attorney general released a data security guide to help businesses adopt effective data security measures for protecting state residents’ personal information. The guide outlines recommendations for preventing data breaches and securing personal information, and discusses recent data security failures. Recommendations include (i) implementing strong controls for secure authentication; (ii) encrypting sensitive customer information; (iii) ensuring third-party vendors use appropriate, reasonable data security measures to safeguard customer information; (iv) maintaining inventories of assets and locations that contain customer information; (v) implementing effective safeguards to prevent “credential stuffing” attacks where usernames and passwords stolen from other online services are used in an attempt to log in to a customer’s online account; and (vi) notifying customers quickly and accurately when a data breach occurs. The guide is drawn from the AG’s experience in investigating and prosecuting data breaches.
FTC program targets robocalls from overseas
On April 11, the FTC implemented Project Point of No Entry (PoNE) in an attempt to stop foreign-based scammers and imposters from targeting U.S. consumers with illegal robocalls. The FTC warned “point of entry” or “gateway” VoIP service providers that routing or transmitting illegal call traffic may violate the Telemarketing Sales Rule, which allows the Commission to seek civil penalties, restitution, and injunctions to stop violations. Through Project PoNE, the FTC will identify violators and “pursue recalcitrant providers” by opening enforcement investigations and filing lawsuits, as appropriate. According to the FTC, “Project PoNE has uncovered the activity of 24 target point of entry service providers responsible for routing and transmitting illegal robocalls between 2021 and 2023, in connection with approximately 307 telemarketing campaigns, including government and business imposters, COVID-19 relief payment scams, and student loan debt relief and forgiveness schemes, among others.” The FTC attributed the results to its collaboration with the Industry Traceback Group, the FCC, and state attorneys general, and said it will make publicly available recordings of the robocalls that target providers have allowed into the U.S. to help consumers identify and avoid scams. The announcement highlighted that before being contacted by the FTC, “the targets had a combined total of 1,043 tracebacks,” but that after being warned about the possible illegal conduct, the number decreased to 196 tracebacks. Of these 196 tracebacks, the FTC said “147 are linked to two uncooperative providers, one of which is subject to an FCC law enforcement action.”
CFPB, New York AG ask court to lift stay after 2nd Circuit decision
On March 31, plaintiffs CFPB and the New York Attorney General moved the U.S. District Court for the Southern District of New York to lift its stay order in their litigation against a remittance provider in response to a recent U.S. Court of Appeals for the Second Circuit decision upholding the CFPB’s funding structure under the Constitution’s Appropriations Clause. (Covered by InfoBytes here.) The plaintiffs argued that the 2nd Circuit’s binding opinion has now “answer[ed] the question at the heart of this Court’s stay order: whether the Bureau’s statutory funding mechanism violates the Constitution.”
As previously covered by InfoBytes, the district court had originally paused the proceedings at the defendant’s request when the Supreme Court was considering whether to hear an appeal in a different matter relating to the Bureau’s funding structure. The district court continued the stay after the Supreme Court agreed to review the 5th Circuit’s decision in Community Financial Services Association of America v. Consumer Financial Protection Bureau, where it found that the CFPB’s “perpetual self-directed, double-insulated funding structure” violated the Constitution’s Appropriations Clause. The Supreme Court is scheduled to review the 5th Circuit’s decision next term (covered by InfoBytes here).
The agencies argued primarily that (i) the 2nd Circuit “expressly considered and rejected the Fifth Circuit’s contrary view in CFSA;” (ii) it “did so notwithstanding that the Supreme Court will consider the same issue next Term”; and (iii) “[g]rants of certiorari do not change the law, and a district court remains bound by circuit precedent until the Supreme Court or the court of appeals changes that precedent.”
On April 7, the court issued an order denying the Bureau's request and electing to keep the stay in place while the Supreme Court resolves the circuit split on this issue.
Law firm settles breach claims related to health care data
On March 27, the New York attorney general announced a settlement with a law firm to resolve claims that it allegedly failed to protect individuals’ personal and health care data. According to the announcement, an attacker was able to exploit a vulnerability in the law firm’s email server and gained access to the sensitive private information, including names, dates of birth, social security numbers, and/or health data, of nearly 115,000 individuals, including more than 60,000 New Yorkers. According to the AG, the law firm’s data security failures not only violated state law, but also violated HIPAA requirements relating to the adherence to certain advance data security practices. The law firm, which represents New York City area hospitals and maintains patients’ sensitive private information, is required to adopt several measures required by HIPAA, including conducting regular system risk assessments, encrypting private information housed on its servers, and adopting appropriate data minimization practices—all of which it failed to do prior to the breach.
Under the terms of the assurance of discontinuance, the law firm is required to pay $200,000 in penalties to the state and strengthen its cybersecurity measures. Required actions include encrypting private information, monitoring and logging network activity, establishing a reasonable patch management policy, developing a penetration testing program, updating its data collection and retention practices, and permanently deleting data “when there is no reasonable business or legal purpose to retain it.”
Colorado finalizes privacy rules
On March 15, the Colorado attorney general’s office finalized rules to implement and enforce the Colorado Privacy Act (CPA). The final rules, which went through three draft versions (covered by InfoBytes here), were filed with the Colorado Secretary of State following completion of a review by the attorney general’s office. (See redline version of the final rules showing changes made to address concerns raised through public comments here.) As previously covered by a Special Alert, the CPA was enacted in July 2021 to establish a framework for personal data privacy rights. The CPA, which is effective July 1, 2023 with certain opt-out provisions taking effect July 1, 2024, provides consumers with numerous rights, including the right to access their personal data, opt-out of certain uses of personal data, make corrections to personal data, request deletion of personal data, and obtain a copy of personal data in a portable format. Under the CPA, the attorney general has enforcement authority for the law, which does not have a private right of action. In addition to promulgating rules to carry out the requirements of the CPA, the attorney general has authority to issue interpretive guidance and opinion letters, as well as the authority to develop technical specifications for at least one universal opt-out mechanism. Colorado is one of several states that have enacted comprehensive privacy laws that take effect in 2023, joining California, Connecticut, Utah, and Virginia. (Covered by InfoBytes here, here, here, and here.) The final rules will be published in the Colorado Register in March and will go into effect July 1.
Real estate brokerage firm settles claims of discriminatory practices
On March 15, the New York attorney general announced a settlement with a real estate brokerage firm to resolve claims that it allegedly discriminated against Black, Hispanic, and other homebuyers of color on Long Island. According to the announcement, the Office of the Attorney General commenced investigations into several brokerage firms, in which it found that agents employed by the brokerage firm at issue violated the Fair Housing Act and New York state law when they allegedly “subjected prospective homebuyers of color to different requirements than white homebuyers, directed homebuyers of color to homes in neighborhoods where residents predominantly belonged to communities of color, and otherwise engaged in biased behavior.” In certain instances, agents allegedly disparaged neighborhoods of color and “warned white potential homebuyers about the diverse racial makeup of the neighborhood but did not share the same comments with Black and Hispanic potential homebuyers.”
Under the terms of the assurance of discontinuance, the brokerage firm agreed to stop the alleged conduct, will offer comprehensive fair housing training to all agents, and will provide a discrimination complaint form on its website. The brokerage firm will also pay $20,000 in penalties and $10,000 to Suffolk County to promote enforcement and compliance with fair housing laws. This is the fourth action taken by the AG’s office against real estate brokerage firms in the state. As previously covered by InfoBytes, last August three Long Island real estate brokerage firms entered settlements to resolve claims of discriminatory practices.
New York AG continues crackdown on unregistered crypto trading platforms
On March 9, the New York attorney general filed a petition in state court against a virtual currency trading platform (respondent) for allegedly failing to registeras a securities and commodities broker-dealer and falsely representing itself as a cryptocurrency exchange. The respondent’s website and mobile application enable investors to buy and sell cryptocurrency, including certain popular virtual currencies that are allegedly securities and commodities. The AG noted that this is one of the first times a regulator is making a claim in court that one of the largest cryptocurrencies available in the market is a security. According to the announcement, this cryptocurrency “is a speculative asset that relies on the efforts of third-party developers in order to provide profit to the holders.” As such, the respondent was required to register before selling the crypto assets, the AG said, further maintaining that the respondent also sells unregistered securities in the form of a lending and staking product. According to the AG, securities and commodities brokers are required to register with the state, which the respondent allegedly failed to do. Additionally, the respondent claimed to be an exchange but failed to appropriately register with the SEC as a national securities exchange or be designated by the CFTC as required under New York law. Nor did the respondent comply with a subpoena requesting additional information about its crypto-asset trading activities in the state, the AG said, noting that the respondent has already been found to be operating in multiple jurisdictions without proper licensure. The state seeks a court order (i) preventing the respondent from misrepresenting that it is an exchange; (ii) banning the respondent from operating in the state; and (iii) directing the respondent to undertake measures to prevent access to its mobile application, website, and services from within New York.
Last month the AG filed a similar petition against another virtual currency trading platform alleging similar violations (covered by InfoBytes here).