On February 27, Federal Reserve Board Chairman Janet Yellen made her first appearance as Chair before the Senate Banking Committee. During the course of the question and answer session, Ms. Yellen responded to a recent letter from Senator Elizabeth Warren (D-MA) and Representative Elijah Cummings (D-MD) that encouraged the Federal Reserve Board to play a larger role in major supervisory and enforcement decisions, as opposed to delegating most examination and settlement responsibilities to staff. Chairman Yellen generally agreed that the Board itself should play a larger part in supervision and enforcement and stated that she “fully expects” the Board to make changes to its policies. She added that with regard to legislation recently introduced by Senators Elizabeth Warren and Tom Coburn (R-OK) that would require greater transparency in federal settlements, the Federal Reserve Board intends to look carefully at what it discloses about enforcement actions and settlements and will try to provide more disclosure. Among the numerous other topics covered during the hearing, Chairman Yellen also addressed virtual currency issues, stating the Federal Reserve Board currently has no authority to oversee virtual currency. Her comments followed a letter sent on February 26, 2014 by Banking Committee member Joe Manchin (D-WV) to federal financial and enforcement authorities asking for a complete ban on Bitcoin in the United States. Ms. Yellen stated that while Congress should consider the appropriate legal framework for virtual currency, “there’s no intersection at all in any way between Bitcoin and banks that the Federal Reserve has the ability to supervise and regulate. So the Federal Reserve simply does not have authority to supervise or regulate Bitcoin in any way.”
State Banking Associations Object To Senators’ Request For Increased Bank Payment System Security Oversight
On March 5, 53 state bankers associations sent a letter to Federal Reserve Board Chair Janet Yellen defending banks’ efforts to secure consumer financial data and highlighting the responsibilities of other parties, in particular merchants, to do the same. The banking associations, representing bankers in every state and Puerto Rico, took issue with a letter Democratic Senators Dick Durbin (D-IL) and Al Franken (D-MN) sent last month to the Federal Reserve Board Chair seeking information about the Board’s oversight of card issuers’ fraud prevention policies and recommending that the Board do more to verify the effectiveness of such policies. The banking associations contend that the Senators’ letter is a “thinly veiled effort to once again advance the regulation of interchange under the guise of current concerns over data security,” and criticize the Senators for converting a discussion about security responsibilities into one about interchange fees.
On February 20, the CSBS announced the formation of an Emerging Payments Task Force to study changes in payment systems—including virtual currencies and other innovations—to determine the potential impact on consumer protection, state law, and banks and nonbank entities chartered or licensed by the states. The Task Force is comprised of nine state regulators, including New York State Department of Financial Services Superintendent Lawsky who has recently indicated New York will seek to become the first state to directly address virtual currency through new regulations. The Task Force will be chaired by David Cotney, Commissioner of the Massachusetts Division of Banks, who testified on these issues on behalf of the CSBS last fall before the Senate Banking Committee. The CSBS stated that the Task Force will “take a comprehensive approach to studying the changing payment systems” by engaging with a broad range of federal, state, and industry stakeholders to understand how new entrants and technologies affect the stability of payment systems and the broader financial marketplace and “to develop ideas for connecting the emerging payments landscape to the financial regulatory fabric.”
On February 11, at an event on the future of virtual currency, New York DFS Superintendent Benjamin M. Lawsky reiterated his intention to move forward with a virtual currency rulemaking this year as the DFS is “increasingly coming to the conclusion that simply applying our existing money transmission regulations to virtual currency firms is not sufficient.” Mr. Lawsky’s remarks follow a recent two-day DFS hearing regarding the potential state regulation of virtual currency. According to his most recent remarks, the proposal may include a specifically tailored BitLicense that adapts existing money transmission rules to virtual currency. In addition, the proposed rules may, among other things, include “a strong set of specially tailored, model consumer disclosure rules” that could address, for example, the irreversible nature of most transactions, the need to keep private keys private, and potential volatility. The DFS proposal may also seek to address capital, collateral, net worth, and investment requirements. Mr. Lawsky explained that the DFS would like more input about whether it should require licensed firms to only use public ledgers and whether to ban or restrict the use of tumblers by licensed firms.
This week, several congressional committees held hearings to review recent data security breaches and related consumer privacy issues, particularly those related to consumer financial data and payment systems. Generally, the hearings covered (i) potential enhancements to federal enforcement capabilities, (ii) card and payment system technologies and potential data security standards, and (iii) consumer protection enhancements. The hearings included two by the Senate Banking Committee—the first by a Subcommittee and a second held by the full Committee—as well as hearings held by the Senate Judiciary Committee and a Subcommittee of the House Energy and Commerce Committee. With regard to federal enforcement capabilities, the FTC reiterated its support for federal legislation that establishes a national breach notification requirement and a federal data security standard the FTC can enforce with civil penalties. The FTC also would like (i) its jurisdiction for data security enforcement to include nonprofit organizations, and (ii) APA rulemaking authority to address evolving risks. In support of the FTC’s request for additional authority, several members highlighted their view of the FTC’s limited ability to enforce data security under section 5 of the FTC Act. In particular, Senator Elizabeth Warren (D-MA) asserted that the FTC Act’s demanding standard and lack of strict liability unnecessarily limits the FTC’s authority to protect the public in data security matters. The FTC believes federal legislation should not preempt stronger state laws, and that state attorneys general should have concurrent enforcement authority. Significant debate centered on the possible benefits of implementing “Chip and PIN” technology in payment cards, with several legislators questioning why such technology is in widespread use in other major economies but has not yet been deployed in the U.S. Witnesses representing retailers repeatedly called on banks and payment network companies to move immediately to that technology, claiming that the outdated cards still being issued in the U.S. create unnecessary security risk. Banks outlined their plans to move to chip-based cards by October 2015 and stressed the role retailers must play in helping secure consumer data. As a corollary to technological solutions, committee members debated the role of government in setting data security standards, including for payments. Several members of Congress were critical of non-governmental standards bodies and called for a technologically neutral federal standard. Finally, Senator Mark Warner (D-VA) expressed an interest in amending federal law to extend zero-liability protections currently applicable to credit card transactions to debit card transactions.
On January 27, during a speech to certified AML compliance specialists, the U.S. Attorney for the Southern District of New York, Preet Bharara, stressed BSA/AML enforcement as a top priority for his office. Mr. Bharara focused on three issues: (i) the importance of holding institutions accountable for misconduct; (ii) the need for law enforcement to stay ahead of rapidly changing markets and technologies; and (iii) organizational changes within his office to bring the needed resources to bear. With regard to enforcement against institutions, the U.S. Attorney rebutted arguments that prosecutors should focus on individuals and described the full spectrum of tools available to hold institutions accountable—ranging from pursuing criminal prosecutions to seeking monetary fines and restitution through civil actions. He stressed the need to employ the full range of tools against institutions, especially in the AML context where many of the anti-money laundering laws and BSA provisions are specifically directed at institutions. The U.S. Attorney also announced that his office’s Criminal Division’s Asset Forfeiture Unit will be renamed the Money Laundering and Asset Forfeiture Unit to reflect his office’s commitment to dedicate more physical and human resources to addressing money laundering crimes and BSA violations.
FinCEN Releases Additional Guidance Related To Virtual Currency Mining, Software, And Investment Activity
On January 30, FinCEN issued two rulings related to virtual currency mining and virtual currency software development and investment activity. The guidance clarifies FinCEN’s previous convertible virtual currency guidance. In FIN-2014-R001, FinCEN explains that miners of Bitcoins, whether individuals or corporations, who are engaging in mining solely for the miner’s own personal purpose are “users” of virtual currency and not MSBs under FinCEN’s previous guidance. FinCEN found this to be the case even if the miner from time to time must convert the mined Bitcoins into real currency or another convertible virtual currency so long as the conversion is solely for the miner’s own purposes and not as a business service performed for the benefit of another. In FIN-2014-R002, FinCEN states that a company that develops its own software to purchase virtual currency for its own account and to resell the virtual currency at the company’s own discretion and based on the company’s own investment decisions also is not an MSB under FinCEN’s prior guidance.
This week, New York State Department of Financial Services (NY DFS) Superintendent Benjamin Lawsky presided over a two-day hearing regarding emerging virtual currencies and the appropriate role of regulation. The hearing was the next step in an inquiry announced last August, and was held as the NY DFS considers developing a state license specific to virtual currency that would subject operators to state oversight. The panels featured the views of private investors, virtual currency firms, regulatory experts, and law enforcement officials. From our view inside the room, the most prominent, theme to emerge is that regulators will need to strike a balance between protecting the public interest—both from a consumer protection standpoint and with regard to the potential for criminal activity—while allowing emerging virtual currency technologies to develop, evolve, and thrive. Read more…
On January 28, the CFPB issued a consumer advisory in response to recent reports of data breaches at several large retailers. In addition to providing tips for consumers in the wake of a retail breach, the advisory encourages card holders to submit complaints about debit and credit card issuers’ inadequate responses to consumer charge disputes related to data breaches.
The advisory is the first public response from the CFPB on data breach issues. It follows a request last month from Senator Chuck Schumer (D-NY), a member of the Senate Banking Committee, that the CFPB conduct an investigation of the data breach and issue a “full report on the findings of its investigation — informing the public of how this breach occurred, how consumers can protect themselves from similar attacks, and any further recommendations the CFPB may have for retailers to minimize the occurrence of similar breaches.” Schumer also asked Director Cordray to “take a closer look at whether retailers systems should be required to transfer credit and debit card information as encrypted data. . . . The CFPB must ensure that necessary rules and standards for retailers are in place to validate consumers’ trust in the transaction process.”
Numerous congressional committees share jurisdiction over data breach issues. The Senate Banking Committee will be among the first to act with a hearing scheduled for February 3, 2014 that will feature governmental witnesses, as well as the views of the retailer and banking industries.
On January 21, the U.S. Court of Appeals for the Ninth Circuit affirmed a district court’s dismissal of a constitutional challenge to certain credit card fees. In re Late Fee and Over-Limit Fee Litig., No. 08-15218, 2014 WL 211729 (9th Cir. Jan. 21, 2014). A group of credit card holders filed a class action suit claiming that credit card overlimit fees and late fees are analogous to punitive damages imposed in the tort context, and therefore such fees are subject to substantive due process limits. The card holders asserted that because banks are compensated through high penalty interest rates for the lost time value and collection costs associated with any breach of the credit contract, the other charges are duplicative and therefore punitive. The court explained that its decision hinged on the similarities and differences between liquidated damages and punitive damages, and determined that the penalty clauses at issue originate from the parties’ private credit card contracts, and are distinct from the jury-determined punitive damages awards. The court held, therefore, that the “jurisprudence developed to limit punitive damages in the tort context does not apply to contractual penalties, such as the credit card fees at issue in this case.”
Federal Reserve Board Seeks Comment On Designated Utilities’ Risk Management Standards, Payment System Risk Policy
On January 10, the Federal Reserve Board proposed revisions to the Regulation HH risk-management standards for certain financial market utilities that have been designated as systemically important by the Financial Stability Oversight Council, and for which the Federal Reserve Board is the Supervisory Agency pursuant to Title VIII of the Dodd-Frank Act. The Board also requested comment on related revisions to part I of the Federal Reserve Policy on Payment System Risk (PSR policy), which applies to financial market infrastructures more generally, including those operated by the Federal Reserve Banks. The Federal Reserve states that both sets of proposed changes are based on and generally are consistent with the April 2012 Principles for Financial Market Infrastructures developed jointly by the international standard-setting bodies, the Committee on Payment and Settlement Systems and the Technical Committee of the International Organization of Securities Commissions. Among other things, the revisions: (i) establish separate standards to address credit risk and liquidity risk, (ii) add a standard on general business risk, and (iii) heighten requirements on transparency and disclosure. Comments on both proposals must be submitted by March 31, 2014.
Federal, State Authorities Announce Coordinated Economic Sanctions Enforcement Actions Against Foreign Bank
On December 11, the Federal Reserve Board, the Treasury Department’s Office of Foreign Assets and Controls (OFAC), and the New York Department of Financial Services (DFS) announced that a foreign bank agreed to pay $100 million to resolve federal and state investigations into the bank’s practices concerning the transmission of funds to and from the U.S. through unaffiliated U.S. financial institutions, including by and through entities and individuals subject to the OFAC Regulations. The investigations followed a voluntary review by the bank of its U.S. dollar transactions, the results of which it submitted to federal, state, and foreign authorities. The federal and state authorities alleged that the bank engaged in payment practices that interfered with the implementation of U.S. economic sanctions, including by removing material references to U.S.-sanctioned locations or persons from payment messages sent to U.S. financial institutions. They assert the alleged failures resulted from inadequate risk management and legal review policies and procedures to ensure that activities conducted at offices outside the U.S. comply with applicable OFAC Regulations. As part of the resolution, the bank consented to a Federal Reserve cease and desist order and civil money penalty order, pursuant to which the bank must pay $50 million, continue to enhance its compliance controls, and retain an independent consultant to conduct an OFAC compliance review. A separate settlement with OFAC requires the bank to pay $33 million, which will be satisfied as part of the payment to the Federal Reserve. The DFS order assesses an additional $50 million penalty. The DFS highlighted that, as part of its cooperation with authorities, the bank took disciplinary action against individual wrongdoers, including through dismissals.
On December 12, the Federal Reserve Board issued a revised proposed rule that would, among other things, encourage depositary banks to receive, and paying banks to send, returned checks electronically. The revised proposal is intended to address comments the Board received in response to a 2011 proposal to amend subparts C and D of Regulation CC. The Board is now seeking comment on two alternative frameworks for return requirements. Under the first, the expeditious-return requirement currently imposed on paying and returning banks for returned checks would be eliminated; a paying bank returning a check would be required to provide the depositary bank with a notice of nonpayment of the check—regardless of the amount of the check being returned—only if the paying bank sends the returned check in paper form. Under the second, the current expeditious-return requirement—using the current two-day test—would be retained for checks being returned to a depositary bank electronically via another bank, but the notice-of-nonpayment requirement would be eliminated. The Board is proposing to retain, without change, the current same-day settlement rule for paper checks. In addition, the Board is also requesting comment on applying Regulation CC’s existing check warranties to checks that are collected electronically and on new warranties and indemnities related to checks collected electronically and to electronically-created items. Comments are due by May 2, 2014.
On December 10, the CFPB released a consent order with a federal savings association, pursuant to which the bank will refund approximately $34 million to more than one million credit card holders who were enrolled in deferred-interest financing for healthcare services. The order does not include a civil penalty. The deferred-interest action is the first public action taken by the CFPB since it promised to scrutinize such products in its October credit card report.
The product at issue typically is offered by healthcare providers who offer personal lines of credit for healthcare services, including medical, dental, cosmetic, vision, and veterinary care. The CFPB alleges that the bank failed to sufficiently train healthcare providers to deliver material information about deferred-interest promotional periods associated with the credit cards, which led to consumers being misled during the enrollment process. The CFPB further claimed that healthcare providers improperly completed applications and submitted them on behalf of consumers, failed to provide consumers with copies of the credit card agreement, and, where disclosures were provided, those disclosures failed to adequately explain the deferred-interest promotion.
In addition to consumer redress, the order mandates certain terms of the bank’s contracts with medical providers offering the healthcare credit card. For example, the bank must incorporate specific “transparency principles” into its agreements with healthcare providers, and the contracts must prohibit certain charges. The bank also must enhance disclosures provided with the card application and billing statements, and improve training for healthcare providers offering the card. In addition, the order details consumer complaint resolution requirements, and prohibits certain incentive arrangements and paid endorsements. To date, the CFPB has not released the attachments to the consent order, which include, among other things, the transparency principles and disclosures.
The New York Attorney General entered into a similar agreement with the bank earlier this year. Under that agreement, the bank was likewise required to add a set of transparency principles to provider contracts to ensure that card terms were described accurately and to revise promotional interest rate options and other disclosures to better inform consumers’ use of the card.
On December 2, the U.S. Court of Appeals for the Fifth Circuit held that a set of parens patriae suits filed by the Mississippi Attorney General (AG) against credit card issuers is not subject to federal jurisdiction under the Class Action Fairness Act (CAFA) or National Bank Act (NBA) preemption. Hood v. JP Morgan Chase & Co., No. 13-60686, 2013 WL 6230960 (5th Cir. Dec. 2, 2013). The consolidated appeal involves cases originally filed by the AG in state court against six credit card issuers for allegedly violating the Mississippi Consumer Protection Act in connection with the marketing, sale, and administering of certain ancillary products, including payment protection plans. After the card issuers removed the cases, a federal district court denied the state’s motion to remand, holding that it had subject matter jurisdiction because: (i) the cases were CAFA mass actions; (ii) the NBA (and the Depository Institutions Deregulation and Monetary Control Act for one state-chartered bank defendant) preempted some of the state law claims; and (iii) it had supplemental jurisdiction over the remaining state law claims. The Sixth Circuit disagreed and held that the card issuers failed to prove that any card holder met CAFA’s individual amount in controversy requirement, rejecting the issuers’ argument that the state is the real party in interest and its claims for restitution and civil penalties exceed the threshold. The court also rejected the issuers’ argument—and the district court’s holding—that the payment protection plans were part of the loan agreement and the fees associated with the plans constitute “interest,” such that the state’s challenge to the plans was an implicit usury claim preempted by the NBA. Instead, the court held that while the plans could conceivably fit within the definition of “interest,” there is no clear rule on this subject that demands removal. Moreover, the court held that even if the payment protection plan fees are “interest,” the claims still would not be preempted because the state does not allege that the issuers charged too much interest, but rather challenges the alleged practice of improperly enrolling customers in the plans. The court reversed the district court and remanded for further proceedings consistent with its opinion.