On December 8, the U.S. Court of Appeals for the Third Circuit held that application of Dodd-Frank’s Anti-Arbitration provision did not apply to causes of action asserted under the Anti-Retaliation Dodd Frank Provision due to the limiting language of the arbitration law. Khazin v. TD Ameritrade Holding Corp, No. 14-1689 (3rd Cir. Dec.8, 2014). In 2013, the plaintiff filed suit in the District of New Jersey alleging that he had been fired in the preceding year for whistleblowing. According to the complaint, the retaliation occurred after the plaintiff questioned a supervisor about the pricing of a financial product that did not comply with relevant securities regulations. The District Court ruled that Dodd Frank’s Anti-Arbitration Provision did not prohibit the enforcement of arbitration agreements that were signed before the enactment of Dodd-Frank. Rather than deciding on the timing issue, however, the Court of Appeals upheld the decision on statutory construction grounds based on the limiting language of the Anti-Arbitration provision indicating that it only applied to causes of action contained within the same section, and not all allegations under Dodd-Frank.
On December 10, NY DFS Superintendent Benjamin Lawsky issued a bulletin to all New York state-chartered or licensed banking institutions regarding an updated IT examination process. Effective immediately, cybersecurity examinations will be included within the overall IT examination process. The DFS cybersecurity examinations will incorporate a number of new topics, including: (i) corporate governance; (ii) protections against intrusion, such as multi-factor or adaptive authentication, along with server and database configuration; (iii) information security testing and monitoring; and (iv) cybersecurity insurance coverage, along with other third-party protections. Ultimately, the new examination process will assess a bank’s cybersecurity protections, in addition to how it manages potential cyber risks and handles a cybersecurity attack.
On December 3, Deputy Secretary Raskin delivered remarks at the Texas Bankers’ Association Executive Leadership Cybersecurity Conference. During her prepared remarks, Raskin noted recent data security breaches across many business sectors, including financial services, and presented ten questions for bank CEOs to consider when assessing their institutions’ cybersecurity readiness. Notably, Raskin urged the bank executives to consider relatively new cyber risk insurance for the financial recovery it provides as well as because the underwriting processes could enhance other cybersecurity controls and provide helpful information for assessing a bank’s risk level. Currently, over 50 insurance carriers offer some form of cyber insurance coverage. Raskin’s remarks comes only weeks after Congressional leaders sent a letter to financial institutions requesting that they provide information about their ability to protect consumers and safeguard personal information in the event of a data breach or cyber-attack.
On December 2, Fed Governor Brainard delivered remarks at the Economic Growth and Regulatory Paperwork Reduction Act (EGRPRA) Outreach Meeting in California. Governor Brainard noted the significance of safety and soundness in the banking system, but noted that some Dodd-Frank regulations should target only larger institutions so that undue burdens are not placed on community banks: “Applying a one-size-fits-all approach to regulations may produce a small benefit at a disproportionately large compliance cost to smaller institutions.” The EGRPRA review, conducted every 10 years, provides an opportunity for federal financial regulators to consider whether current regulations are outdated, unnecessary, or unduly burdensome.
On December 2, the FFIEC announced the release of its revised BSA/AML examination manual. The updated revisions address supervisory expectations and include regulatory changes since the manual’s last publication in 2010. Significantly modified sections of the examination include (i) Suspicious Activity Reporting, (ii) Currency Transaction Reporting, (iii) Foreign Bank and Financial Accounts Reporting, and (iv) Third-Party Payment Processors. The manual is available on the FFIEC BSA/AML InfoBase.
On November 25, FinCEN fined a small Florida-based credit union $300,000 in civil monetary penalties for violating the Bank Secrecy Act (BSA). From 2009 through 2014, FinCEN charged that, among other deficiencies within its anti-money laundering program, the credit union lacked proper internal controls and failed to designate a BSA compliance officer to monitor suspicious transactions. The credit union admitted that it violated Section 314(a) of the USA PATRIOT ACT, which requires financial institutions to search their records of accounts and transactions of individuals who may be involved in money laundering or terrorist financing activities. The credit union, with assets of $4 million and five employees, contracted with a third party vendor to provide services and subaccounts to 56 money services businesses located in Central America, Middle East, and Mexico. FinCEN stated that 90% of the credit union’s annual revenue was generated from these accounts.
On December 3, the New York Fed announced the formation of its Integrated Policy Analysis Group (IPA). Designed to develop the New York Fed’s view of the economic and financial environment globally, the IPA will (i) integrate information from within and outside the Bank to assess the developing economic and financial environment; (ii) assess risks with the potential to impact the Fed’s objectives and “consider policy options to mitigate those risks;” and (iii) manage international relationships. Alberto G. Musalem was appointed as the head of IPA, and the new group is scheduled to begin its work in January 2015.
On November 18, Representative Elijah Cummings (D-MD) and Senator Elizabeth Warren (D-MA) sent letters to 16 financial service institutions regarding recent data breaches. The letters requested that the institutions provide information about the data breaches, including “detailed briefings from corporate IT security officers.” The letters were tailored to the specific institutions, with requests to two companies that they provide information on how the “potential data breaches may have affected their administration of government purchase and charge cards under contracts with the General Services Administration.” The letters also remind the institutions of their responsibility to protect and safeguard consumers’ personal information.
On November 18, the New York DFS announced a consent order with a foreign bank for allegedly misleading regulators regarding its transactions with sanctioned countries, most notably Iran, Sudan, and Myanmar. According to the press release and consent order, from approximately 2007 through 2008, the bank convinced a consulting firm to “water down” reports submitted to regulators on its transactions. Specifically, the bank pressured the consulting firm to alter an historic transaction review (HTR) report to exclude key information, such as: (i) the English translation of the bank’s wire transfer instructions, which included a statement that the bank conducted business with “’enemy countries’ of the U.S.;” (ii) a majority of the consultant’s description of the bank’s wire transfer activities; and (iii) information “concerning [the bank’s] potential misuse of OFAC screening software” in connection with its wire transfer activities. The DFS ordered the bank to pay $315 million in penalties, in addition to the $250 million the DFS ordered the bank to pay June 2013 in connection with its sanctioned transactions.
Second Circuit Court of Appeals Prohibits Courts from Granting Garnishment Orders Against Foreign Bank Branches
On November 14, the Second Circuit Court of Appeals upheld the District Court for the Southern District of New York’s October 23 ruling that prohibited courts from granting garnishment orders against certain banks for assets maintained at bank branches. The Second Circuit noted that it had previously certified to the New York Court of Appeals the following question: “whether the separate entity rule precludes a judgment credit from ordering a garnishee bank operating branches in New York to restrain a debtor’s assets held in foreign branches of the bank.” The New York Court of Appeals held that according to New York’s separate entity rule, a creditor does not have the authority to freeze assets held at a foreign branch. The New York Court of Appeals rejected the plaintiffs’ argument that in Koehler v. Bank of Bermuda Ltd., 12 N.Y.3d 533 (2009), New York abandoned the requirements of the separate entity rule, observing that “abolition of the separate entity rule would result in serious consequences in the realm of international banking to the detriment of New Yorkʹs preeminence in global financial affairs.ʺ Upholding the District Court’s October 23 ruling, the Second Circuit Court of Appeals ordered that the District Court annul the restraining order on the defendants’ assets. Motorola Credit Corp. v. Nokia Corp., No. 13-2535-cv (2d Cir. Nov. 14, 2014).
On November 10, FinCEN released a statement to reiterate that banking organizations can serve Money Services Businesses (MSB) while meeting obligations under the Bank Secrecy Act. FinCEN noted that there is concern that banks may be terminating the accounts of MSBs on a wholesale basis because of potential regulatory scrutiny and that as a result MSBs are losing access to banking services. FinCEN stated that they do “not support the wholesale termination of MSB accounts without regard to the risks presented or the bank’s ability to manage the risk.” Rather, the risks presented by a given MSB can vary and, therefore, financial institutions should assess the risks on a case-by-case basis. FinCEN expects that banking organizations will manage the risks associated with MSB accounts and are committed to addressing the “wholesale de-banking of an important part of the financial system.”
On November 12, the Obama administration nominated Antonio Weiss as Under Secretary for Domestic Finance at the Department of Treasury. If confirmed as Under Secretary, Weiss would be responsible for coordinating policies on banking, debt financing, capital markets, and financial regulation – specifically overseeing implementation of the Dodd-Frank Act. Currently, Weiss serves as the global head of investment banking at a financial advisory and asset management firm.
On November 12, the FCA announced that it was fining five banks for their foreign exchange practices. Specifically, ineffective controls at the banks allegedly allowed traders to strategize and manipulate exchange rates for their benefit. Additionally, confidential bank information was compromised in online chat rooms, including “the disclosure of information regarding customer order flows and proprietary Bank information, such as [foreign exchange] rate spreads.” The combined amount of civil money penalties against the banks is $1.7 billion.
On November 10, the Financial Stability Board issued policy proposals in response to G20 Leaders’ request at the 2013 St. Petersburg Summit to develop proposals by the end of 2014. The proposals consist of “a set of principles and a detailed term sheet on the adequacy of loss-absorbing and recapitalization capacity of global systemically important banks (G-SIBs).” The proposals will establish a new minimum standard for total loss-absorbing capacity (TLAC). The new TLAC standard should (i) ensure home and host authorities that G-SIBs have adequate capacity to absorb losses; (ii) allow resolution authorities “to implement a resolution strategy that minimi[zes] any impact on financial stability and ensures the continuity of critical economic functions;” and (iii) help achieve an equal playing field internationally. Comments and responses to the proposals are due by February 2, 2015.
On November 3, the FFIEC released its observations from a cybersecurity assessment of more than 500 institutions, and recommended that all regulated financial institutions participate in the Financial Services Information Sharing and Analysis Center (FS-ISAC) as a medium to “identify, respond to, and mitigate cybersecurity threats and vulnerabilities.” The FS-ISAC is a non-profit information sharing forum created by industry participants to share physical and cybersecurity threat information within the public and private sector. The assessment supplemented regularly scheduled bank examinations and built upon supervisory expectations contained within existing FFIEC information technology guidance.