On May 7, NYDFS granted its first charter to a New York-based commercial Bitcoin exchange. In February, the company requested a charter under the NYDFS’s application process, which included a thorough review of the company’s anti-money laundering, capitalization, consumer protection, and cyber security standards. Under the New York Banking Law, the company can start its operations immediately, but is subject to continual supervision by the NYDFS. Indeed, Superintendent Lawsky noted, “regulation will ultimately be important to the long-term health and development of the virtual currency industry.”
On May 5, a virtual currency company and its subsidiary agreed to pay a $700,000 civil money penalty for violating multiple provisions of the Bank Secrecy Act (BSA), in which both companies acted as a money service business and seller of virtual currency without properly registering with FinCEN, as well as, failed to implement and maintain an adequate anti-money laundering (AML) program. Furthermore, according to a Statement of Facts and Violations, FinCEN also charged the subsidiary for not filing or untimely filing suspicious activity reports related to several financial transactions. In addition to the civil money penalty, terms of the agreement require both companies to, among other things, (i) engage in remedial steps to ensure future compliance with AML statutory obligations; and (ii) enhance their current internal measures for compliance with the BSA. In a separate DOJ announcement, both companies entered into a settlement agreement to resolve potential criminal charges with the U.S. Attorney’s Office in the Northern District of California. Under terms of the DOJ settlement, both companies agreed to forfeit a total of $450,000, which will be credited to satisfy FinCEN’s $700,000 penalty, in exchange for the government not criminally prosecuting the companies for the aforementioned conduct.
Tennessee Enacts Legislation Requiring Payment Service Providers to Provide Adequate Disclosures to Merchants
On April 17, the Tennessee Governor Bill Haslem signed H.B. 547, which requires the disclosure of fees and other details in contracts entered into by payment service providers with merchants located within the state. The legislation requires the payment service providers to provide merchants with information detailing where the merchant can obtain access to operating rules, regulations, and bylaws under the agreement. In addition, the law requires payment service providers to disclose (i) the effective date of the agreement; (ii) terms of the agreement; (iii) any provisions relating to early termination or cancellation of the agreement; and (iv) a full schedule of all payment services fees with respect to the credit card, debit card, or other payment services under the agreement. The law also requires payment service providers to supply merchants with a monthly statement of fees, total value of transactions, and in some cases the aggregate fee percentage.
On March 23, the FTC announced – via blog post – the formation of the Office of Technology Research and Investigation (OTRI), a newly formed research office within its Bureau of Consumer Protection. The OTRI succeeds the Mobile Technology Unit and will have an enhanced mission within the FTC to investigate technology issues encompassing privacy, data security, automobiles, smart phones, smart homes, emerging payment methods, Internet of Things, and big data.
On March 23, Department of the Treasury’s OFAC announced a settlement agreement with a large money services business (MSB) for failing to implement an effective compliance program “to identify, interdict, and prevent transactions in apparent violation of the sanctions programs administered by OFAC.” According to the settlement, prior to the MSB’s 2013 “long term solution” to screen its transactions in real time against OFAC’s List of Specially Designated Nationals and Blocked Persons (the “SDN List”), deficiencies in the company’s transaction monitoring compliance procedures allowed for the processing of hundreds of transactions with OFAC-sanctioned individuals and countries. Specifically, OFAC alleged that from October 20, 2009 to April 1, 2013, the MSB processed over 100 transactions to or from an account registered to an individual on the SDN List because its “automated interdiction filter” did not initially identify the account holder as a potential match to the SDN List, and when it did, the MSB Operations Agents dismissed alerts on six separate occasions after failing to obtain or review documentation corroborating the identity of the SDN. Under the terms of the agreement, the MSB will (i) pay over $7 million to the Department of the Treasury and (ii) within six months, provide OFAC a summary of the company’s current policies and procedures as they relate to screening transactions and/or customers” to ensure compliance with OFAC regulations.
Recently, FinCEN announced a $1 million civil money penalty against the former Chief Compliance Officer (CCO) of a large financial services company for allegedly violating the Bank Secrecy Act (BSA) and its implementing regulations. In its complaint, FinCEN alleges that the CCO, from 2003 through 2008, failed to implement and maintain an effective AML program and file timely Suspicious Activity Reports as required by the BSA. As a result, the company’s money transfer system was used to carry out fraudulent activities causing customers to incur substantial losses. In addition to the penalty, FinCEN is seeking to prohibit the former CCO from participating, directly or indirectly, in the affairs of any financial institution.
Special Alert: CSBS Issues Policy, Draft Model Regulatory Framework, and Request for Comment Regarding State Regulation of Virtual Currency
On December 16, 2014, the Conference of State Bank Supervisors (“CSBS”) issued a Policy on State Regulation of Virtual Currency (the “Policy”), Draft Model Regulatory Framework, and a request for public comment regarding the regulation of virtual currency. The Policy and Draft Model Regulatory Framework were issued through the work of the CSBS Emerging Payments Task Force (the “Task Force”). The Task Force was established to explore the nexus between state supervision and the development of payment systems and is seeking to identify where there are consistent regulatory approaches among states.
As a result of its work to date, the Policy recommends that “activities involving third party control of virtual currency, including for the purposes of transmitting, exchanging, holding, or otherwise controlling virtual currency, should be subject to state licensure and supervision.” The Policy states that state regulators have determined certain activities involving virtual currency raise concerns in three areas: consumer protection, marketplace stability, and law enforcement. Read more…
While 2014 is closing out with worldwide cyber-threats, at BuckleySandler, we’re going to close out our first year publishing Digital Insights & Trends on an optimistic note. Looking forward, we welcome a mobile payments development that could be cause for cyber-celebration in 2015 and the years to follow.
As financial services lawyers, we usually navigate the regulatory concerns of e-commerce providers in the financial sector for a clientele of banks, other financial institutions and technology companies. But we are keenly aware that access to financial services is vital even for those without access to traditional banks. This reality, referred to as the “unbanked” problem, has preoccupied financial service providers (and consumer advocates, and policymakers) for decades. Mobile payment technology may be the solution. Read more…
On December 18, Superintendent Lawsky delivered remarks regarding New York’s revised proposal for regulating virtual currency companies. The new proposal stems from the original July 17 proposal and includes certain revisions previously alluded to on October 17. Lawsky noted that the revisions will provide flexibility to virtual currency startups, while simultaneously allowing the New York Department of Financial Services to remain committed to protecting consumers. Most notably, the revised regulation “will offer a two-year transitional BitLicense, which may be issued to those firms who are unable to satisfy all of the requirements of a full license, and will be tailored to startups and small businesses.” According to Lawsky, while the companies will still have to abide by anti-money laundering and consumer protection requirements, the revisions are intended to “strike an appropriate balance between permitting innovation to proceed, while at the same time strongly protecting consumers and helping root out illicit activity.”
On November 13, the CFPB held a field hearing in Delaware to discuss its proposed rule regarding prepaid products. The proposal, which would amend Regulation E and Regulation Z, requires prepaid companies to provide certain protections under federal law.
In his opening remarks, Director Cordray noted that the many prepaid card consumers are some of the most economically vulnerable among us and that such cards have few, if any, protections under federal consumer financial law. Cordray outlined the reasons the Bureau’s proposed rule would “fill key gaps” for consumers. First, the proposed rule would provide consumers free and easy access to account information. Second, the proposed rule would mandate that financial institutions work with consumers to investigate any errors on registered cards. Third, the proposed rule would protect consumers against fraud and theft. Fourth, the rule includes “Know Before You Owe” prepaid disclosures, which would highlight key costs associated with the cards. Fifth, where prepaid card providers also extend credit to consumers such offers would be treated the same as credit cards under the law.
On November 10, FinCEN released a statement to reiterate that banking organizations can serve Money Services Businesses (MSB) while meeting obligations under the Bank Secrecy Act. FinCEN noted that there is concern that banks may be terminating the accounts of MSBs on a wholesale basis because of potential regulatory scrutiny and that as a result MSBs are losing access to banking services. FinCEN stated that they do “not support the wholesale termination of MSB accounts without regard to the risks presented or the bank’s ability to manage the risk.” Rather, the risks presented by a given MSB can vary and, therefore, financial institutions should assess the risks on a case-by-case basis. FinCEN expects that banking organizations will manage the risks associated with MSB accounts and are committed to addressing the “wholesale de-banking of an important part of the financial system.”
On November 2, New York Superintendent Lawsky delivered remarks at the Money 20/20 Conference on the state’s virtual currency and Bitcoin regulation. In October, Lawsky publicly stated that, as a result of the comments received on New York’s proposed BitLicense framework, there would be important changes made to the July 17 proposal. This week, on behalf of the NYDFS, Lawsky announced that additional changes are being considered to address “concern about the compliance costs of regulation on new or fledging virtual currency enterprises.” Specifically, Lawsky introduced the concept of a Transitional BitLicense, which would allow certain small, money transmitting startups to begin operating without huge compliance costs. Lawsky noted four main factors the NYDFS would consider when deciding whether or not to grant a Transitional BitLicense: (i) the nature and scope of the business and the associated risks for consumers; (ii) projected transactional and business volume; (iii) registration status as a Money Services Business with FinCEN; and (iv) previously established mitigating risk controls.
Recently, the Payment Card Industry (PCI) Security Standards Council published guidance to help organizations strengthen their security awareness. The guidance, developed by retailers, banks, and technology providers, details three recommendations for implementing a security awareness program: (i) Assembling a security awareness team, (ii) Developing appropriate security awareness content for your organization, and (iii) Creating a security awareness checklist. The PCI Security Standards Council is an open global forum comprised of more than 650 organizations, including banks, merchants, processors, and vendors, responsible for the development, management, education, awareness, and standards to increase payment data security.
On November 3, a large financial services company announced the rollout of its Token Service (Service) for online, mobile app, and in-store mobile purchases. The Service is designed to increase security and reduce magnetic-stripe card fraud. Based on EMVCo’s Payment Tokenization Specification and Technical Framework, the Service offers four main features: (i) token vault to store and designate tokens; (ii) ability to issue tokens; (iii) lifestyle management services to manage tokens; and (iv) anti-fraud and risk management services for institutions issuing the cards. The Service is currently available in the U.S. and is scheduled to launch internationally in 2015.
On October 28, the Federal Reserve announced its final rule to amend Regulation HH, standards for financial market utilities (FMUs) that have been designated as systemically important by the FSOC. The new rule will implement a common set of risk-management standards for all designated FMUs and revise certain definitions. Further, the Fed also announced final revisions to part 1 of its Federal Reserve Policy on Payment System Risk. The final rule and revisions to the policy are based on the Principles for Financial Market Infrastructures, which were developed jointly by the Committee on Payment and Settlement Systems and the International Organization of Securities Commissions. Specifically, the amendments and revisions will establish (i) separate standards to address credit risk and liquidity risk; (ii) new plans for recovery and orderly wind-down; (iii) new standards on general business risk and on tiered participation arrangements; and (iv) increased requirements on transparency and disclosure. The final rule will be effective on December 31, 2014. FMUs have until December 31, 2015 to comply with specific additional requirements set forth in the rule.