On July 17, FinCEN named FBME Bank Ltd., formerly known as the Federal Bank of the Middle East, as a foreign financial institution of primary money laundering concern pursuant to Section 311 of the USA PATRIOT Act. As detailed in a notice of finding, FinCEN asserts that the bank attracts illicit finance businesses by soliciting high-risk customers and promoting its weak AML controls. FinCEN explains that the bank changed its country of incorporation numerous times, partly due to its inability to adhere to regulatory requirements, and has established itself with a nominal headquarters in Tanzania. However, according to FinCEN, it transacts over 90 percent of its global banking business through branches in Cyprus and has taken active steps to evade oversight by the Cypriot regulatory authorities in the recent past. FinCEN is proposing a rule that, once final, will prohibit covered U.S. financial institutions from opening or maintaining correspondent or payable-through accounts for FBME, and for other foreign banks being used to process transactions involving FBME. The proposal also would require covered financial institutions to apply special due diligence to their correspondent accounts maintained on behalf of foreign banks to guard against processing any transactions involving FBME. Comments on the proposed rule are due 60 days after publication in the Federal Register.
On July 14, the OMB’s Office of Information and Regulatory Affairs (OIRA) concluded its review of a long-awaited FinCEN proposal to establish customer due diligence requirements for financial institutions, sending the rule back to FinCEN. In its spring 2014 rulemaking agenda, Treasury updated the timeline for the rule to indicate it could be proposed in July with a 60 day comment period. OIRA’s public records do not provide information about what, if any, changes OIRA sought or required prior to FinCEN finalizing the proposal. The public portion of the FinCEN rulemaking has been ongoing since February 2012 when FinCEN released an advance notice of proposed rulemaking to solicit comment on potential requirements for financial institutions to (i) conduct initial due diligence and verify customer identities at the time of account opening; (ii) understand the purpose and intended nature of the account; (iii) identify and verify all customers’ beneficial owners; and (iv) monitor the customer relationship and conduct additional due diligence as needed. FinCEN subsequently held a series of roundtable meetings, summaries of which it later published.
On July 1, the Federal Reserve Board announced a joint enforcement action with the Illinois Department of Financial and Professional Regulation against a state bank that allegedly failed to properly oversee a nonbank third-party provider of financial aid refund disbursement services. The consent order states that from May 2012 to August 2013, the bank opened over 430,000 deposit accounts in connection with the vendor’s debit card product for disbursement of financial aid to students. The agencies claim that during that time, the vendor misled students about the product, including by (i) omitting material information about how students could get their financial aid refund without having to open an account; (ii) omitting material information about the fees, features, and limitations of the product; (iii) omitting material information about the locations of ATMs where students could access their account without cost and the hours of availability of those ATMs; and (iv) prominently displaying the school logo, which may have erroneously implied that the school endorsed the product. The regulators ordered the bank to pay a total of $4.1 million in civil money penalties. In addition, the Federal Reserve is seeking restitution from the vendor, and, pursuant to the order against the bank, may require the bank to pay any amounts the vendor cannot pay in restitution to eligible students up to the lesser of $30 million or the total amount of restitution based on fees the vendor collected from May 2012 through June 2014. The consent order also requires the bank to submit for Federal Reserve approval a compliance risk management program in advance of entering into an agreement with a third party to solicit, market, or service a consumer deposit product on behalf of the bank.
On June 23, the DOJ released a transcript of a message delivered by Attorney General Eric Holder in which he pledged to continue investigations of financial institutions “that knowingly facilitate consumer scams, or that willfully look the other way in processing such fraudulent transactions.” These investigations are part of the DOJ’s “Operation Choke Point,” which has faced criticism from financial institutions and their advocates on Capitol Hill, and which payday lenders recently filed suit to halt. Opponents of the operation assert that the DOJ investigations, combined with guidance from prudential regulators, are targeting lawful businesses and cutting off their access to the financial system. In his remarks, the AG promised that the DOJ will not target “businesses operating within the bounds of the law,” but vowed to continue to pursue “a range of investigations into banks that illegally enable businesses to siphon billions of dollars from consumers’ bank accounts in exchange for significant fees.” Mr. Holder stated that he expects the DOJ to resolve some of these investigations in the coming months.
Supreme Court Holds President May Make Recess Appointments During Intra-Session Recesses Of Sufficient Length
On June 26, the Supreme Court rejected the federal government’s challenge to a January 2013 decision by the D.C. Circuit that appointments to the National Labor Relations Board (NLRB) made by President Obama in January 2012 during a purported Senate recess were unconstitutional. NLRB V. Noel Canning, No. 12-1281, 2014 WL 2882090 (U.S. Jun. 26, 2014). A five-member majority of the Court held that Presidents are permitted to exercise authority under the Recess Appointments Clause to fill a vacancy during both intra-session and inter-session recesses of sufficient length, and that such appointments may fill vacancies that arose prior to or during the recess.
The Court determined that the phrase “recess of the Senate” is ambiguous, and that based on the functional definition derived from the historical practice of past presidents and the Senate, it is meant to cover both types of recesses. Further, the court held that although the Clause does not indicate how long a recess must be before a president may act, historical practice suggests that a recess less than 10 days is presumptively too short. The Court did not foreclose the possibility, however, that appointments during recesses of less than 10 days may be permissible in unusual circumstances. The Court also validated the Senate’s practice of using pro forma sessions to avoid recess appointments, holding the Senate is in session when it says it is, provided it retains capacity to conduct business. Because the Senate was in session during its periodic pro forma sessions, and because the recess appointments at issue were made during a three-day recess between such sessions, the appointments were invalid.
A minority of the Court concurred in the judgment, but endorsed a narrower reading of the President’s authority to make recess appointments and the Senate’s ability to avoid triggering the President’s recess-appointment power. Writing for that minority, Justice Scalia explained that the plain constitutional text limits the President’s recess appointment power to filling vacancies that first arise during the recess. The minority reading of the Clause also limits the President’s recess appointment power to recesses between legislative sessions, and not intra-session ones. CFPB Director Richard Cordray was appointed in the same manner and on the same day as the NLRB members whose appointments were at issue in this case, but was subsequently re-nominated and confirmed for the position. He later ratified CFPB actions taken during the period he served as a recess appointee.
On June 23, the ICBA and The Clearing House published a white paper on virtual currency that (i) defines virtual currency and describes the current regulatory environment; (ii) describes key players in the Bitcoin system; (iii) discusses the application of certain functional and prudential payment system regulations that may be applied to the Bitcoin system and other convertible decentralized virtual currencies; and (iv) evaluates potential regulation of virtual currency, virtual currency investment programs, and exchanges. The paper concludes, among other things, that: (i) credentials used to transact in Bitcoin are functionally similar to prepaid cards and arguably fall within the definition of such cards provided in Regulations E and II; and (ii) the CFPB may determine that cross-border transactions in Bitcoin fall within the scope of the CFPB’s Remittance Transfer Rule, which would require entities facilitating such transfers to comply with the rule’s disclosure, reversibility, and error-resolution requirements. The paper discusses potential safety and soundness oversight for entities in the Bitcoin system. It also suggests that existing regulations intended to protect consumers and market participants in the event of the failure of a securities or commodities exchange may be inapplicable to Bitcoin exchanges, and that alternative means of protecting investors and accountholders—such as disclosure requirements and coordinated state-level registration of exchanges—should be explored.
On June 25, the OCC published its semiannual risk report, which provides an overview of the agency’s supervisory concerns for national banks and federal savings associations, including operational and compliance risks. As in prior reports and as Comptroller Curry has done in speeches over the past year, the report highlights cyber-threats and BSA/AML risks. The OCC believes cyber-threats continue to evolve and require heightened awareness and appropriate resources to identify and mitigate the associated risks. Specifically, the OCC is concerned that cyber-criminals will transition from disruptive attacks to attacks that are intended to cause destruction and corruption. Extending another recent OCC theme, the report notes that the number, nature, and complexity of both foreign and domestic third-party relationships continue to expand, resulting in increased system and process interconnectedness and additional vulnerability to cyber-threats. The report also states that BSA/AML risks “remain prevalent given changing methods of money laundering and growth in the volume and sophistication of electronic banking fraud.” The OCC adds that “BSA programs at some banks have failed to evolve or incorporate appropriate controls into new products and services,” and again cautions that a lack of resources and expertise devoted to BSA/AML risk management can compound these concerns. Finally, the OCC expressed concern that competitive pressures in the indirect auto market are leading to an erosion of underwriting standards. The OCC’s supervisory staff plans to review retail credit underwriting practices at banks, especially for indirect auto.
On June 24, the FFIEC unveiled a new web page that will serve as a central repository for current and future FFIEC-related materials on cybersecurity. Although the FFIEC did not release any new resources, the launch shows the continuing focus of banking regulators on emerging cybersecurity risks. The FFIEC noted that the launch coincided with a pilot program through which state and federal regulators will assess how community financial institutions manage cybersecurity and their preparedness to mitigate increasing cyber risks. Regulators are particularly focusing on risk management and oversight, threat intelligence and collaboration, cybersecurity controls, service provider and vendor risk management, and cyber incident management and resilience.
On June 5, the FDIC and a Delaware bank entered a consent order that prohibits the bank from entering into any new relationships with third-party prepaid card processors or prepaid card program managers until the FDIC approves a written report from the bank that details the steps taken by the bank to (i) implement new BSA compliance policies and procedures; (ii) improve staff training; (iii) implement controls sufficient to mitigate BSA and safety and soundness risk associated with prepaid card, credit card merchant acquiring, and ACH activities; and (iv) perform a BSA risk assessment. The order similarly restricts the bank’s activities related to credit card merchant acquiring and ACH merchant payment processing. The order does not prohibit the bank from issuing prepaid cards through existing distribution channels under existing contracts with third-parties, but does restrict certain activities related to existing credit card and ACH processing activities. In addition, the bank must (i) retain and designate BSA and OFAC officers; (ii) conduct a suspicious activity reporting look-back review; and (iii) submit periodic progress reports. Finally, the order requires increased board supervision of the bank’s BSA compliance program and mandates the creation of a board-level BSA committee.
On June 16, New York Attorney General (AG) Eric Schneiderman announced that a national bank agreed to adopt new policies governing its use of a credit bureau that screens individuals seeking to open checking or savings accounts. The agreement is the first to come out of the AG’s ongoing investigation of the use of credit bureaus by major American banks. As the basis for its investigation, the AG’s office asserts that individuals who are deemed by one of these credit bureaus to present a credit or fraud risk are typically denied the opportunity to open an account, and that these credit bureau databases “disproportionately affect lower-income Americans, often punishing them for relatively small financial errors and forcing them to resort to fringe banking services that are more costly than mainstream checking and savings accounts.” According to the AG’s press release, under the terms of the agreement, the bank will continue screening customers for past fraud but will no longer seek to predict whether customers present credit risks. The bank also committed to expand its support for the Office of Financial Empowerment (OFE)—a New York City agency that provides financial education and counseling to low-income New Yorkers—by donating $50,000 to help OFE provide counseling for applicants who are rejected by the bank on the basis of a credit bureau report. The bank plans to implement the changes nationwide.
On June 16, the New York DFS launched a new database of online lenders that have been subject to actions by DFS based on evidence of illegal payday lending, and announced that one national bank had agreed to start using the tool. The DFS believes the database will help financial institutions meet “know your customer” obligations with regard to online lenders and will help ensure that electronic payment and debit networks are not used to transmit or collect on allegedly illegal, online payday loans made to New York residents. According to the DFS, the national bank plans to use the information about companies that may be engaged in illegal lending to (i) help confirm that its merchant customers are not using their accounts to make or collect on illegal payday loans to New York consumers; and (ii) identify payday lenders that engage in potentially illegal payday loan transactions with its New York consumer account holders, and, when appropriate, contact the lenders’ banks to notify them that the transactions may be illegal. The bank also agreed to provide DFS with information about payday lending activities by lenders listed in the database, including identifying lenders that continue to engage in potentially illegal lending activities despite the DFS’s previous actions. The database announcement is just the latest step taken by the DFS with regarding to online payday lending. Over the past year, the DFS has opened numerous investigations of online lenders and has scrutinized or sought to pressure debt collectors, payment system operators, and lead generators in an attempt to halt lending practices that the DFS claims violate state licensing requirements and usury restrictions.
Eighth Circuit Holds Bank That Complied With Reasonable Security Procedures Not Responsible For Loss Of Funds From Fraudulent Payment
On June 11, the U.S. Court of Appeals for the Eighth Circuit held that under the Uniform Commercial Code a bank that complied with commercially reasonable security measures was not responsible for a customer’s loss resulting from a fraudulent payment. Choice Escrow & Land Title, LLC v. BancorpSouth Bank, No. 13-1879, 2014 WL 2598764 (8th Cir. Jun. 11, 2014). The customer sued the bank claiming that a $440,000 wire transfer from its account through the bank’s internet wire transfer system was fraudulently initiated by a third-party. The court explained that Article 4A of the Uniform Commercial Code permits a bank to take steps to protect itself from liability by implementing commercially reasonable security procedures, and if the bank complies with these procedures in good faith and in accordance with the customer’s instructions, the customer bears the risk of loss from a fraudulent payment order. The parties agreed that the bank complied with its security procedures in accepting the payment order that resulted in the loss for the customer, but disputed whether (i) the bank’s security procedures were commercially reasonable, (ii) the bank accepted the payment order in good faith, and (iii) the bank accepted the payment order in compliance with the customer’s written instructions. The court concluded that the bank’s security procedures, which included password protection, daily transfer limits, device authentication, and dual control, were commercially reasonable because the bank followed 2005 FFIEC guidelines and further enhanced its security to address threats not considered by that potentially outdated guidance. Moreover, the court held that the customer assumed the risk of failure of security procedures by declining some of those procedures. The court also held that in promptly executing a payment order that had cleared its commercially reasonable security procedures, and absent any independent reason to suspect the payment was fraudulent, the bank acted in good faith in processing the payment. Finally, the court determined that an inquiry from the customer as to whether it would be possible for the bank to stop foreign wire transfers did not constitute an instruction to the bank, and therefore the bank did not violate any written instruction from the customer. Based on these holdings, the court concluded that, under the UCC, the loss of funds from the customer’s account fall on the customer and not the bank.
On June 12, the Federal Reserve Board and the OCC separately released proposed rules that would push back by 90 days the start date of the stress test cycles and the deadlines for submitting stress test results. The regulators propose making the new schedules effective beginning with the 2015-2016 cycles. On June 13, the FDIC proposed a rule to similarly shift the stress test cycles. In addition, the Federal Reserve’s proposed rule would (i) modify the capital plan rule to limit a large bank holding company’s ability to make capital distributions to the extent that its actual capital issuances were less than the amount indicated in its capital plan; (ii) clarify the application of the capital plan rule to a large bank holding company that is a subsidiary of a U.S. intermediate holding company of a foreign banking organization; and (iii) make other technical clarifying changes. Comments on the Federal Reserve’s proposal are due by August 11, 2014. Comments on the OCC’s and the FDIC’s proposals are due 60 days after their publication in the Federal register.
On June 18, the U.S. Attorney for the District of Maryland announced that a federal judge ordered a bank to forfeit $560,000 in drug proceeds laundered through the bank on which the bank failed to file currency transaction reports. The DOJ claimed that a member of a drug trafficking organization asked a teller at a Maryland bank branch to convert the proceeds from the sale of illegal drugs from small denomination bills to $100 bills, and paid the teller a one percent fee for each transaction for making the exchange without filing a currency transaction report. The government filed a civil action in February 2014 seeking forfeiture and alleging that the money was subject to forfeiture because the bank failed to file currency transactions reports on bank transactions in amounts in excess of $10,000, as required by law. The teller admitted that on each occasion she converted the bills without filing or causing anyone else at the bank to file a currency transaction report. She was sentenced to a month in prison followed by eight months of home detention for failing to file currency transaction reports on suspected drug proceeds, and must perform community service and forfeit the $5,000 she was paid in the scheme.
Wisconsin Federal Court Holds Dodd-Frank Whistleblower Protections Not Available For Reported Violations Of Banking Laws
On June 4, the U.S. District Court for the Eastern District of Wisconsin held that a former bank executive cannot pursue a claim that, when the bank terminated his employment, it violated the whistleblower-protection provisions of the Dodd-Frank Act because those protections apply only to individuals who report violations of securities laws and not to those who report alleged violations of other laws, such as banking laws. Zillges v. Kenney Bank & Trust, No. 13-1287, 2014 WL 2515403 (E.D. Wis. June 4, 2014). A former bank CEO sued the bank and certain affiliated companies and individuals, and claimed that they conspired to terminate his employment and prevent him from earning stock options after he observed conduct that he believed violated federal banking laws and reported the allegedly illegal conduct to the bank’s board of directors, the FDIC, and the FTC. The court held that in order to qualify as a whistleblower under Dodd-Frank, the disclosure must relate to a violation of securities laws. Accordingly, because the whistleblower disclosed alleged violations of only banking laws, the whistleblower provisions of Dodd-Frank did not apply. In doing so, the court explicitly side-stepped the question of whether a person is a whistleblower subject to Dodd-Frank protections if he or she makes a protected disclosure to someone other than the SEC. The court acknowledged the disagreement on that issue, which involves the interplay between the statutory definition of “whistleblower” and the protected actions listed in the statute, explaining that although the statute requires a person to provide information to the SEC in order to qualify as a whistleblower, some of the protected activities do not necessarily involve disclosures to the SEC. To date, some courts have reasoned that Congress could not have intended this result and have concluded that a person who makes a disclosure that falls within the protected activities, whether the disclosure is made to the SEC or not, is a “whistleblower” within the meaning of Dodd-Frank, while other courts have concluded that a person is a “whistleblower” only if the person makes the disclosure to the SEC.