
InfoBytes Blog

Financial Services Law Insights and Observations

  • 9th Circuit denies bank’s challenge to FDIC bank secrecy order


    On March 12, the U.S. Court of Appeals for the 9th Circuit upheld a 2016 FDIC cease and desist order against a California bank arising out of alleged deficiencies in compliance management relating to the Bank Secrecy Act (BSA) and anti-money laundering laws. According to the opinion, FDIC examinations dating back to 2010 identified areas for BSA compliance improvement. While the bank made adjustments in response to the original findings, a 2012 FDIC examination found the bank’s BSA compliance program was still deficient, in part because it did not “establish and maintain procedures designed to ensure adequate internal controls, independent testing, administration, and training”—known as the “four pillars”—and because the bank had not filed a necessary suspicious activity report. The bank argued that the BSA compliance standards were too vague, accused FDIC examiners of bias during the examination in a manner that violated its due process rights, and alleged that the decision was not supported by substantial evidence.

    The three-judge panel ruled that (i) there was no bias in the FDIC’s decision to assess a penalty against the bank because there was substantial evidence to support an administrative law judge’s findings that the bank’s failure to maintain adequate controls violated BSA regulations; and (ii) because the BSA and FDIC’s implementing regulations are “economic in nature and threaten no constitutionally protected rights,” vagueness is not an overriding concern. While the “four pillars” of BSA compliance are open to interpretation, the panel noted, the FDIC provides banks with a manual written by the Federal Financial Institutions Examination Council that sets forth a uniform compliance standard. Furthermore, FDIC Financial Institution Letter 17-2010 clarifies that the manual contains the FDIC’s BSA compliance supervisory expectations. “A BSA Officer at the Bank bearing the requisite ‘specialized knowledge’ would understand that compliance with the FFIEC Manual ensures compliance with the BSA. . . . The BSA and its implementing regulations are not unconstitutionally vague,” the panel stated. Therefore, the 9th Circuit held that the manual was entitled to Chevron deference and denied the bank’s petition for review.

    Courts Appellate Ninth Circuit Bank Secrecy Act Anti-Money Laundering Compliance FDIC FFIEC

  • District Court denies payment company’s request to set aside judgment


    On March 12, the U.S. District Court for the Northern District of California denied a company’s post-trial motions to set aside September 2017 judgments in a lawsuit brought by the CFPB for alleged violations of the Consumer Financial Protection Act (CFPA). Specifically, the bi-weekly payments company requested that the court set aside its injunction and reconsider a $7.93 million penalty in light of “new evidence” that demonstrated the company’s inability to pay the penalty. As previously covered by InfoBytes, the CFPB filed the lawsuit in 2015, alleging, among other things, that the company made misrepresentations to consumers about its bi-weekly payment program by overstating the savings provided by the program and creating the impression the company was affiliated with the consumers’ lender. In denying the company’s motion, the court held that the company failed to present new evidence that would justify the relief. Additionally, the court rejected the argument that the permanent injunction placed on the company was overly burdensome, stating “in light of the evidence of defendants[’] prior practices…the limitations of the injunction reflect appropriate safeguards ‘to avoid deception of the consumer.’”

    Courts CFPB Payment Processors UDAAP CFPA

  • CFPB updates prepaid rule Small Entity Compliance Guide

    Agency Rule-Making & Guidance

    On March 13, the CFPB released version 3.0 of its prepaid rule Small Entity Compliance Guide and the guide to Preparing Short Form Disclosure for Prepaid Accounts. The updated guides reflect the 2018 final rule governing prepaid accounts (Rule). As previously covered by InfoBytes, in December 2017, the Bureau announced its plan to delay the effective date and adopt the final amendments to the Rule. In January, the Bureau finalized the Rule and moved the effective date to April 1, 2019.

    Agency Rule-Making & Guidance CFPB Prepaid Rule

  • FTC settles credit card laundering lawsuit

    Federal Issues

    On March 9, the FTC entered into a settlement with a credit card merchant and its individual officer (collectively, “defendants”) relating to an allegedly deceptive credit card telemarketing operation. According to the FTC’s amended complaint, the defendants violated the FTC Act and the Telemarketing Sales Rule by assisting a telemarketing company in masking its identity by processing the company’s credit card payments through multiple fictitious companies. The FTC previously had banned the telemarketing company from selling fraudulent “work-at-home” opportunities in 2015. The settlement, among other things, prohibits the defendants from processing payments or acting as an independent sales organization. The order also stipulates a judgment of approximately $1.3 million, which will be suspended unless it is determined that the financial statements defendants submitted to the FTC contain any inaccuracies.

    Federal Issues Payment Processors FTC Act Telemarketing Sales Rule FTC Settlement

  • California judge limits plaintiffs’ ability to seek certain punitive damages in internet data breach

    Privacy, Cyber Risk & Data Security

    On March 9, the U.S. District Court for the Northern District of California partially granted a motion to dismiss, limiting plaintiffs’ ability to seek certain punitive damages for data breaches. The court also held that the plaintiffs cannot pursue claims under the California Customer Records Act (CRA). The consolidated litigation results from announcements that hackers had breached the defendant’s systems and accessed users’ personal information in multiple attacks between 2013 and 2016. While the court kept several claims alive, including one alleging company executives purposefully concealed the hacks and others related to good faith and fair dealing, the court found the plaintiffs had failed to establish when the company learned about the 2013 and 2014 hacks, which warranted dismissal of most of the claims brought under the CRA. With respect to the limit on punitive damages, the court held that there is no punitive remedy for the alleged breaches relating to the breach of contract and CRA claims. However, the court did allow the plaintiffs to seek punitive damages for concealment, negligence, and misrepresentation related to the executives’ alleged suppression of the breach.

    Privacy/Cyber Risk & Data Security Courts Damages Data Breach

  • 9th Circuit reinstates class action data breach lawsuit against online retailer


    On March 8, the U.S. Court of Appeals for the 9th Circuit reinstated a putative class action lawsuit against an online retailer, concluding that the increased risk of identity theft resulting from a 2012 data breach affecting over 24 million shoppers gave consumers Article III standing to sue. The three-judge panel held that the district court erred in dismissing claims brought by consumers who did not allege financial losses as a result of the data breach because the stolen information provided hackers the “means to commit fraud or identity theft.” The panel noted that evidence that another group of consumers had suffered financial losses from the same data breach undermined the argument that the data stolen would not lead to fraud or identity theft. In addition, although the defendant asserted that too much time had passed since the data breach for any harm to be considered imminent, the panel found that determining jurisdiction requires an assessment of a plaintiff’s standing at the time the suit was filed, and that the risk of harm was sufficiently imminent at the time of filing. The 9th Circuit remanded the case back to the lower court for review.

    The panel also addressed a separate appeal by the class on the district court’s decision not to enforce a purported settlement agreement, affirming the lower court’s decision “because the parties did not have a meeting of the minds on all essential terms of the agreement.”

    Courts Ninth Circuit Appellate Privacy/Cyber Risk & Data Security Data Breach Class Action

  • Financial Stability Board releases supplementary guidance on sound compensation practices

    Federal Issues

    On March 9, the Financial Stability Board (FSB) announced the release of its Supplementary Guidance to the FSB Principles and Standards on Sound Compensation Practices (Supplementary Guidance) relating to FSB’s Principles and Standards published in 2009. The Supplementary Guidance arises out of a 2015 workplan implemented to address concerns about compensation practices that could create misaligned incentives within financial institutions. The Supplementary Guidance, which does not contain new or additional principles and standards, provides recommendations presented in three parts: (i) “governance of compensation and misconduct risk”; (ii) “effective alignment of compensation with misconduct risk”; and (iii) “supervision of compensation and misconduct risk.” The Supplementary Guidance notes that “inappropriately structured compensation arrangements can provide individuals with incentives to take imprudent risks,” which may lead to potential harm for financial institutions and their customers or stakeholders. The Supplementary Guidance suggests that financial institutions use compensation tools as part of an overall strategy to limit risks and address misconduct, and cautions that “compensation should be adjusted for all types of risk.” 

    Federal Issues Financial Stability Board Risk Management Compensation

  • South Dakota amends money lending licenses statute

    State Issues

    On March 1, the South Dakota Governor signed H.B. 1082, amending South Dakota’s money lending licenses statute. Pursuant to H.B. 1082, engagement in the “business of lending money,” for which a license is required, is expressly defined not to include engagement in: (i) “any seller-financed transaction for the sale of assets to a purchaser”; or (ii) “any seller-financed transaction for the sale of real estate through a contract for deed,” so long as the interest rate for such transactions does not exceed the rate permitted under S.D. Code Ann. § 54-4-44.

    State Issues Lending Licensing State Legislation

  • House Financial Services Committee holds hearing on data security, breach notifications

    Privacy, Cyber Risk & Data Security

    On March 7, the House Financial Services Subcommittee on Financial Institutions and Consumer Credit held a hearing entitled “Legislative Proposals to Reform the Current Data Security and Breach Notification Regulatory Regime” to discuss data security and breach notification rules and cybersecurity supervision and examination standards for reporting agencies. Subcommittee Chairman Blaine Luetkemeyer, R-Mo., opened the hearing by stating that “[f]orty-eight states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have all enacted differing laws requiring private companies to notify individuals of breaches of personal information,” and emphasized the need for a “national solution” to create data security safeguards and responsible notification processes.

    Legislation. The hearing discussed two legislative proposals sponsored by Representatives Luetkemeyer and Patrick McHenry, R-NC, respectively: the “Data Acquisition and Technology Accountability and Security Act” (DATAS Act) and the “Promoting Responsible Oversight of Transactions and Examinations of Credit Technology Act of 2017” (PROTECT Act). The DATAS Act would, among other things, (i) establish broad standards for data protection across industries; (ii) create new federal post-data breach notification requirements; and (iii) establish steps that covered entities must take to notify regulators, law enforcement, and victims after certain types of data breaches. Included within the PROTECT Act are provisions that would (i) subject large consumer reporting agencies to cybersecurity supervision and examination measures; (ii) amend the FCRA to allow consumers to request security freezes be placed, removed, or temporarily lifted on their credit reports; (iii) provide provisions for fees and exceptions from such fees; and (iv) prohibit consumer reporting agencies from including a consumer’s Social Security number in a credit report or using it as a method to identify a consumer.

    Hearing Testimony. The hearing’s four witnesses provided testimony related to current issues with data breaches and protecting consumer information, and commented on the inconsistencies in data breach laws. Among the issues discussed were (i) the challenges of creating a “universal, unique identifier” separate from a Social Security number; (ii) efforts to establish streamlined, uniform, national data breach notification, security, and credit freeze standards; and (iii) the need for U.S. businesses that handle sensitive financial information to implement measures to protect the data and maintain consumers’ trust. Massachusetts Assistant Attorney General and Director of Data Privacy & Security for the Attorney General’s Consumer Protection Division, Sara Cable, stated in her written testimony and during the hearing that the proposed DATAS Act’s consumer notice provisions would “leave consumers in a worse position than the status quo.” She also expressed concern that the bill “allows entities to push the cost of the data security crisis onto consumers without providing any meaningful remedy, strips the state Attorneys General of the authority they are presently and actively using to protect their consumers from breaches, and hamstrings efforts of the States to enact laws in response to future risks in an era of increasing and rapidly evolving technology.”

    Privacy/Cyber Risk & Data Security House Financial Services Committee Data Breach FCRA Federal Legislation

  • Several companies report developments in FCPA investigations

    Financial Crimes

    In the second half of February, at least three unrelated companies publicly disclosed the existence and/or status of various FCPA investigations in forms filed with the SEC:

    • Data analytics company: On February 23, a data analytics company disclosed that the DOJ and SEC have both declined to pursue FCPA enforcement actions in connection with a subsidiary’s “questionable expenditures for travel, gifts and other expenses” in Turkey. As the Dayton, Ohio-based company previously disclosed on August 4, 2017, the company initiated an internal investigation after discovering the questionable expenditures, self-reported the issues to the DOJ and SEC, cooperated with the agencies, and undertook certain remedial actions.
    • Dialysis provider: On February 27, a dialysis provider disclosed that the DOJ and SEC are investigating potential FCPA violations related to “certain conduct in the company’s products business in a number of countries,” and that it has reserved €200 million for a potential settlement with the agencies. After receiving “certain communications alleging conduct in countries outside the U.S. that might violate the FCPA or other anti-bribery laws” in 2012, the Bad Homburg, Germany-based company conducted an internal investigation, self-reported the issues to the DOJ and SEC, cooperated with the agencies, and undertook certain remedial actions.
    • Energy company: On February 28, an energy company disclosed that the DOJ and SEC have both declined to pursue FCPA enforcement actions in connection with “self-reported [accounting] errors and possible irregularities” at an Italian subsidiary conducting business in the Middle East. In April 2016, the Houston-based company previously disclosed that it was restating its 2015 financial statements and conducting an internal investigation related to the accounting issues. Although “the SEC’s investigation related to the circumstances giving rise to the restatement is continuing,” the FCPA piece of the investigation has concluded.

    Financial Crimes SEC DOJ FCPA
