As previously covered in InfoBytes, on June 30, the FFIEC released a Cybersecurity Assessment Tool (Assessment) to provide a “repeatable and measurable process” for financial institutions to measure their cybersecurity readiness. The Assessment aims to help financial institutions determine their cybersecurity preparedness and make informed decisions regarding their risk management practices. In addition to the Assessment, the FFIEC also released an executive overview, a user’s guide, a pre-recorded webinar, a glossary of terms, and appendices to assist financial institutions in understanding supervisory expectations, increasing awareness of cybersecurity risks, and assessing and mitigating the threats facing their institutions. As an interagency body representing the Fed, FDIC, OCC, CFPB, and the NCUA, the FFIEC prescribes uniform principles, standards, and reporting forms for the federal examination of financial institutions, and makes recommendations to promote uniformity in the supervision of financial institutions.
Today, the CFPB filed proposed consent orders against two credit card add-on product vendors for allegedly billing consumers for credit monitoring and identity theft protection services they did not receive. Under the proposed consent orders, one vendor will provide nearly $7 million in restitution to the holders of approximately 73,000 accounts, and pay a $1.9 million civil money penalty. The other vendor will provide almost $55,000 in restitution to consumers who were incorrectly billed for identity theft or credit monitoring services, and pay a $1.2 million civil money penalty. The Bureau specifically noted that today’s announcement is the “first time the Bureau has brought actions directly against the companies” that market or administer ancillary products.
OCC Releases Semiannual Report Highlighting Key Risks Facing National Banks and Federal Savings Associations
Today, the OCC announced the release of its semiannual report, Semiannual Risk Perspective for Spring 2015, highlighting key risk areas affecting national banks and federal savings associations. Based on 2014 year-end data, the report identifies issues that pose a potential threat to the safety and soundness of banks and thrifts. It also sets forth the OCC’s supervisory priorities for the next 12 months, including, among others, (i) cybersecurity awareness and preventative controls, (ii) Bank Secrecy Act/Anti-Money Laundering compliance, (iii) fair access to credit, and (iv) underwriting practices, particularly with respect to leveraged loans, indirect auto lending, HELOCs, and credit related to the oil and gas sector. The report also notes declining revenues and profitability overall in OCC-supervised institutions.
On June 29, the FTC filed two administrative complaints and issued proposed orders against two Las Vegas auto dealers to resolve allegations that they engaged in misleading advertising practices that misrepresented the purchase price or leasing offers of their vehicles, as well as the amount actually due at signing. In addition, the FTC contends that the auto dealers failed to disclose other key information in their advertisements, such as the need for a security deposit, whether a down payment was required, and the terms of repayment. Under the proposed consent orders, the FTC will require both dealerships to refrain from misrepresenting the actual cost to purchase or lease a vehicle, and to comply with requirements of the Consumer Leasing Act and the Truth in Lending Act. No monetary judgment is proposed for either auto dealership.
On June 29, a mobile app developer entered into an agreement with the FTC and the New Jersey AG to settle allegations that the developer engaged in deceptive and unfair practices by marketing its rewards app, called “Prized,” as being free of malicious software, also known as “malware.” However, according to the FTC, the true purpose of the mobile app was to upload onto consumers’ mobile devices malware capable of mining virtual currencies for the software developer. This process allegedly reduced the battery life of consumers’ devices and caused consumers to burn through their monthly data plans. Under the terms of the settlement, the developer and accompanying mobile app are (i) prohibited from creating and distributing malicious software, and (ii) required to pay $50,000 to the state of New Jersey, with $5,200 due immediately, and the remaining $44,800 payable if the developer fails to comply with the terms of the consent order or the New Jersey Consumer Fraud Act within three years of the order.
DOJ Assistant AG Caldwell Delivers Remarks at the ABA’s National Institute on Bitcoin and Other Digital Currencies
Today, Assistant Attorney General Leslie Caldwell delivered remarks at the ABA’s National Institute on Bitcoin and Other Digital Currencies. Speaking on the DOJ Criminal Division’s approach to the developing landscape of virtual currency, Caldwell acknowledged the legitimate uses of virtual currencies, such as having the ability to lower costs for brick and mortar businesses and its potential to promote a more efficient online marketplace, while also addressing the Department’s concern for the criminal activity surrounding virtual currencies, noting, “virtual currency facilitates a wide range of traditional criminal activities as well as sophisticated cybercrime schemes.” Citing recent actions against various individuals and groups involved in criminal activities that “sought to exploit decentralized systems such as Bitcoin” – specifically, Silk Road and Ross Ulbricht; and Carl Force and Shaun Bridges, both involved in the Baltimore Silk Road Task Force – Caldwell stressed that there are “many exchanges that don’t concern themselves with following the law.” She explained that the primary legal bases for enforcement are money services business, money transmission, and anti-money laundering statutes, as well as state money transmitter licensing laws and, in some states like New York, virtual-currency specific licensing requirements. Caldwell also noted the Department’s partnership with FinCEN, summarizing its involvement in the Ripple Labs resolution to show that “compliance and remediation can lead to a more favorable resolution of criminal investigations.” Further, Caldwell observed that while there is no “one-size-fits-all” compliance program, the adherence to regulations and state licensing laws by those involved in virtual currency businesses will reduce liability and complying with anti-money laundering guidelines will allow “the legitimate use of virtual currency to grow and be responsive to infiltration and abuse by criminal elements.”
Today, FinCEN announced the assessment of a civil money penalty against a Los Angeles-based Money Services Business (MSB) and its owner for alleged violations of the Bank Secrecy Act (BSA). During a 2011 examination of the MSB, FinCEN determined that, from October 1, 2010 through the present, the MSB knowingly violated the BSA by failing to (i) establish and ensure ongoing compliance with an adequate AML program; (ii) provide adequate training; and (iii) conduct independent testing of its compliance program. In addition, the MSB violated the BSA’s reporting requirements by failing to “file required currency transaction reports (“CTRs”) on all of its reportable transactions during the examination scope period,” and continued to file untimely CTRs even after the examination scope period ended on March 31, 2011. Finally, FinCEN expressed concern over the MSB owner’s failure to disclose that the MSB “frequently exchanged check for cash with another MSB, an arrangement known as ‘wholesaling’ or ‘bulk check cashing.’” According to the assessment document, the MSB’s owner, who was also the designated AML compliance officer, participated in the BSA violations by failing to accept his responsibility to “ensure that [an] AML program was in place, was effective, and was followed.” To resolve FinCEN’s allegations, the MSB and its owner admitted to violating the BSA program and its reporting requirements and will pay a civil money penalty of $60,000.
On June 25, Federal Reserve Governor Jerome Powell delivered remarks at a payments conference hosted by the Federal Reserve Bank of Kansas to discuss improvements to the U.S. payments system. Specifically, Powell advised that payment system participants must work together to improve the payment system, stating “[A]t a minimum, banks, merchants, and other institutions that process or store sensitive financial information need to keep their hardware and software current to the latest industry standards.” He noted that the Federal Reserve has established two task forces regarding the U.S. payment system, one geared towards faster payments and the other geared towards payment security. Powell cited the use of EMV chip cards and tokenization technology as examples of effective payment security measures. In addition, Powell discussed the importance of proactive efforts to implement preventative measures to prepare for potential cyber-attacks or data breaches.
Today, the CFPB expanded its consumer complaint database, publishing for the first time over 7,700 consumer narratives which provide descriptive details of issues consumers face with respect to mortgages, bank accounts, credit cards, and debt collection, among other topics. As previously covered in InfoBytes, the Bureau finalized its Policy earlier this year requiring consumers who file complaints to “opt-in” to have the actual narrative of the complaint disclosed in the CFPB consumer complaint database. In addition, the Bureau issued a Request For Information seeking feedback on how complaint information contained within the database can be more easily identified and “normalized.” The Bureau also announced that it had received more than 627,000 complaints as of June 1, with mortgages and debt collection among the most frequent sources of complaints.
On June 23, the Board of Governors announced the execution of an enforcement action against a California-based community bank over BSA/AML deficiencies. According to the Cease and Desist Order, the deficiencies were identified by the Federal Reserve Bank of San Francisco and the California Department of Business Oversight. The Order directs the Bank to submit written plans outlining its efforts to strengthen its BSA/AML risk management program, including customer due-diligence and suspicious activity monitoring and reporting policies and procedures. In addition, the Bank must retain an independent third party to conduct a review of account and transaction activity affiliated with any high-risk customer and foreign branch accounts conducted at, by, or through the Bank from July 2014 through December 2014. No civil money penalty was imposed on the Bank.
On June 23, the CFPB published its eighth edition of Supervisory Highlights, covering supervisory activities from January 2015 through April 2015. The latest edition identifies issues with dual-tracking at mortgage servicers and the need for improved quality control measures at consumer reporting agencies. The report also provided supervisory observations related to debt collection, student loan servicing, mortgage origination and servicing, and fair lending. Notably, the report reveals that non-public supervisory actions and self-reported violations at banks and nonbanks in the areas of mortgage origination, fair lending, mortgage servicing, deposits, payday lending, and debt collection resulted in $11.6 million in remediation to more than 80,000 consumers during the first four months of 2015.
On June 19, the OCC released recent enforcement actions taken against national banks, federal savings associations, and individuals currently or formerly affiliated with national banks and federal savings associations. Among the actions was the issuance of a consent order for a civil money penalty against a national bank for allegedly violating the Federal Trade Commission Act. During its investigation, the OCC discovered deficiencies relating to the bank’s billing and marketing practices, specifically with regard to identity protection and debt cancellation products. According to the consent order, since April 2004, the bank, along with an identity protection product vendor, marketed and sold various types of identity theft protection products to its customers. Before customers could access the credit monitoring service of the identity theft product, they “were required to provide sufficient personal verification information and consent before their credit bureau reports could be accessed.” However, the OCC found that the vendor (i) billed the bank’s customers the full fee for the products, even if they were not receiving all of the credit monitoring services; (ii) billed the customers prior to receiving the customers’ information and consent and establishment of credit monitoring; and (iii) failed to ensure that customers received electronic benefit notifications. The bank retained a portion of the fees that the customers paid. Additionally, the bank’s vendors incorrectly informed customers during telemarketing calls that only one of the products offered had the ability to access identity protection benefits electronically. As a result, some customers purchased the more expensive Enhanced Identity Theft Protection, as opposed to the less expensive Identity Theft Protection, under the mistaken belief that this was the only way they could access the product’s benefits online. 
Finally, the OCC also alleged that, from August 2005 through November 2013, the bank’s debt cancellation product vendor’s billing practices, which posted recurring payments on the same day of the month regardless of the payments’ due dates, resulted in some customers paying recurring late fees. The bank will pay $4,000,000 to resolve the OCC’s allegations.
On June 18, the CFPB announced an enforcement action against a third-party medical debt collection company for allegedly failing to issue debt validation notices to customers, mishandling consumer credit reporting disputes, and preventing customers from exercising certain debt collection rights. According to the Bureau, from 2011 through 2013, the company failed to properly investigate consumers’ complaints with respect to information furnished to credit reporting agencies, and lacked internal policies and procedures on how to handle and respond to the complaints, resulting in a violation of the Fair Credit Reporting Act (FCRA). In addition, the Bureau contends that the company did not properly inform consumers of the amount of medical debt owed before commencing efforts to obtain payment on the debt, subsequently violating the Fair Debt Collection Practices Act (FDCPA). The CFPB ordered the medical debt collector to, among other things, (i) provide over $5 million in restitution to affected consumers, (ii) correct errors in consumer credit reports, (iii) pay a $500,000 civil money penalty, and (iv) improve its business practices.
On June 17, the U.S. House Appropriations Committee approved an amendment that would require the CFPB to conduct a peer-reviewed cost-benefit analysis of the use of arbitration agreements prior to issuing a final rule. The amendment is tied to a fiscal year 2016 financial services spending bill, which would bring the Bureau under the congressional appropriations process. U.S. House Representatives Steve Womack (R-AR) and Tom Graves (R-GA) brought forth the amendment, which was adopted by the Committee on a voice vote.
FHA Announces Updated Defect Taxonomy to Clarify its Plan for Classifying Loan Defects Found in its Single-Family Loan Portfolio
On June 18, the FHA released its Single-Family Housing Loan Quality Assessment Methodology (“Defect Taxonomy”), a framework outlining the agency’s plans to identify and capture information related to loan defects found in Single-Family FHA endorsed loans. The new framework is intended to increase the efficacy of FHA’s Quality Assurance efforts and focuses on three core concepts – (i) identifying defects, (ii) capturing the sources and causes of defects, and (iii) assessing the severity of defects. Once implemented, the Defect Taxonomy will reduce the number of codes that the FHA uses to describe loan defects from 99 to nine. Additionally, the Defect Taxonomy will implement “Basis of Ratings Codes” that will capture both the sources and causes of defects. Finally, the Defect Taxonomy will refine FHA’s process for communicating the severity of defects by subdividing its current categories of “Unacceptable” and “Deficient” findings into four tiers of findings that will describe defects in greater detail. The FHA anticipates that these changes will provide greater transparency to lenders so that they can mitigate their credit risk when originating FHA loans. FHA further hopes that the Defect Taxonomy will help FHA monitor for deficiency trends and enhance its program policies. In its announcement, FHA warns that the Defect Taxonomy “is not a comprehensive statement on all compliance monitoring or enforcement efforts by FHA or the Federal Government and does not establish standards for administrative or civil enforcement action….” FHA also maintains that the Defect Taxonomy does not address how FHA will respond (i) to findings of patterns and practices of loan-level defects in FHA originations or (ii) to findings of fraud or misrepresentation in connection with any FHA-insured loan. FHA has yet to set a date for the Defect Taxonomy to take effect.