Top Story Compliance Related

In a CFPB Blog article ("Banks' responsibility for scams")posted yesterday, CFPB General Counsel Seth Frotman described an ongoing case in which Citibank has been sued by the state of New York for failing to respond adequately when people promptly told the bank that scammers had stolen money by initiating wire transfers from the consumers’ accounts online. The losses New York alleges people have suffered are serious: for example, New York alleges that one person discovered that a scammer had changed her online banking password, transferred money from her savings to her checking account, and then stole $40,000 via wire transfer—all through Citibank’s online banking platform. And New York alleges that instead of complying with the Electronic Fund Transfer Act’s protections in circumstances like these, Citibank looked to a law that was intended to govern transactions between commercial entities which does not provide the same level of consumer protection to victims of scams.

Mr. Frotman reports that, in response to New York’s allegations, Citibank has argued that the Electronic Fund Transfer Act doesn’t apply because the scammers ultimately used a wire transfer to take the money, and the Act contains an exemption for transfers made by banks “by means of” a wire service. But the CFPB disagrees with Citibank's stance, as it explained in a Statement of Interest (amicus brief) submitted to the court. The Bureau's position is that when a bank connects wire transfer capabilities to its online consumer banking platform and a person authorizes (or a scammer purports to authorize) a transfer online, the Electronic Fund Transfer Act applies to the transaction except for the bank-to-bank portion of it.

Editor's Note: CFPB Blog articles are not official interpretations of law or regulations. The ABA and other industry associations have issued a statement opposing the CFPB's blog article, arguing that the “CFPB cannot reinterpret a statute and reverse decades of settled law in an amicus brief and then use a blog post to suggest that its position is the law.”

The staff of the Federal Trade Commission has provided its annual report to the Consumer Financial Protection Bureau on its enforcement and related activities in 2023 on the Truth in Lending Act (TILA), Consumer Leasing Act (CLA), and Electronic Fund Transfer Act (EFTA).

The report highlights the FTC’s enforcement actions and initiatives under these laws and their implementing regulations, including in the areas of automobile financing and leasing, payday lending, other credit and leasing, and electronic fund transfers.

• Press release

The Department of the Treasury announced yesterday that OFAC has designated three individuals, Yunhe Wang, Jingping Liu, and Yanni Zheng, for their activities associated with the malicious botnet tied to the residential proxy service known as 911 S5. OFAC also sanctioned three entities—Spicy Code Company Limited, Tulip Biz Pattaya Group Company Limited, and Lily Suites Company Limited—for being owned or controlled by Yunhe Wang.

For identity information on the designated individuals and entities, see the BankersOnline May 28, 2024, OFAC Update.

The Office of Foreign Assets Control (OFAC) has amended the Cuban Assets Control Regulations, 31 C.F.R. Part 515 (CACR) to further implement portions of the president’s foreign policy toward Cuba. Among other things, these amendments increase support for internet freedom for the Cuban people and independent Cuban private sector entrepreneurs by expanding authorizations for internet-based services and a range of financial transactions. The rule was published in the Federal Register and became effective today.

OFAC also issued six new, Cuba-related Frequently Asked Questions (FAQs 1174-1179) and amended eight Cuba-related Frequently Asked Questions (FAQs 732, 736, 745, 748, 757, 769, 770, and 785).

The FDIC yesterday issued FIL-26-2024 announcing revisions to Call Reports and the FFIEC 002 Report as published [89 FR 45046] on May 22, 2024, in the Federal Register.

Proposed changes were issued on September 28, 2023 (FIL-52-2023) and December 27, 2023 (FIL-68-2023). After considering the comments received on these notices, the agencies are moving forward with certain proposed revisions related to replacing references to “troubled debt restructurings” with “modifications to borrowers experiencing financial difficulty” consistent with ASU 2022-02, the reporting on the internet website addresses of depository institution trade names, and the adoption of the standards for electronic signatures. These updates to the Call Report and FFIEC 002 report forms and instructions will be effective as of the June 30, 2024, report date.

The agencies are implementing revisions related to reporting of loans to NDFIs as of the December 31, 2024, report date. The agencies are also adding a new Memorandum item that would identify the amounts reported as a structured financial product that are guaranteed by U.S. Government agencies or sponsored agencies, which would be effective as of the December 31, 2024, report date.

The agencies are continuing to review comment letters related to loan modifications to borrowers experiencing financial difficulty under ASU 2022-02, as well as the proposed clarification on the reporting of past due loans and proposed reporting of long-term debt requirements, for further changes to the Call Report and the FFIEC 002. Comments on the May 22, 2024, Federal Register notice will be accepted through June 21, 2024.

The National Credit Union Administration has published [89 FR 45602] in this morning's Federal Register a notice of regulatory review and request for comments.

The NCUA Board is voluntarily reviewing agency regulations to identify rules that are outdated, unnecessary, or unduly burdensome on federally insured credit unions. The NCUA is not statutorily required to undertake the Economic Growth and Regulatory Paperwork Reduction Act (EGRPRA) review; however, the Board has elected to participate in the decennial review process.

The NCUA divided its regulations into 10 categories. Over the next 2 years, the NCUA will publish four Federal Register documents each requesting comment on multiple categories of regulations. This first document requests comment by August 21, 2024, on regulations concerning the following two categories: “Applications and Reporting,” and “Powers and Activities.”

The Securities and Exchange Commission this morning announced that The Intercontinental Exchange, Inc. (ICE) agreed to pay a $10 million penalty to settle charges that it caused the failure of nine wholly-owned subsidiaries, including the New York Stock Exchange, to timely inform the SEC of a cyber intrusion as required by Regulation Systems Compliance and Integrity (Regulation SCI).

According to the SEC's Order, in April 2021, a third party informed ICE that ICE was potentially impacted by a system intrusion involving a previously unknown vulnerability in ICE’s virtual private network (VPN). ICE investigated and was immediately able to determine that a threat actor had inserted malicious code into a VPN device used to remotely access ICE’s corporate network. However, the SEC’s order finds that ICE personnel did not notify the legal and compliance officials at ICE’s subsidiaries of the intrusion for several days in violation of ICE’s own internal cyber incident reporting procedures. As a result of ICE’s failures, those subsidiaries did not properly assess the intrusion to fulfill their independent regulatory disclosure obligations under Regulation SCI, which required them to immediately contact SEC staff about the intrusion and provide an update within 24 hours unless they immediately concluded or reasonably estimated that the intrusion had or would have no or a de minimis impact on their operations or on market participants.

The CFPB this morning issued an interpretive rule that confirms that Buy Now, Pay Later (BNPL) lenders are credit card providers. Accordingly, BNPL lenders must provide consumers some key legal protections and rights that apply to conventional credit cards. These include a right to dispute charges and demand a refund from the lender after returning a product purchased with a BNPL loan. The CFPB launched its inquiry into the rapidly expanding BNPL market more than two years ago and continues to see consumer complaints related to refunds and disputed transactions.

Under the rule, BNPL lenders will be required to:

• Investigate disputes
• Refund returned products or canceled services
• Provide periodic billing statements

The interpretive rule is applicable 60 days after its May 31, 2024, publication at 89 FR 47068 in the Federal Register (Effective date July 30, 2024). While the CFPB states that Administrative Procedures Act does not require it, the Bureau is opting to collect comments on the rule and may make revisions after reviewing any feedback. Comments will be accepted on the rule through August 1, 2024.
Update: Federal Register publication information and effective date have been added. References to a "proposal" have been removed; the interpretive rule was issued to become effective as published, but may be revised after the CFPB reviews the feedback it receives.

The Conference of State Bank Supervisors, which owns and operates the NMLS, is inviting comments on proposed 2025 NMLS fee changes affecting both state licensing and federal registration of mortgage loan originators. Comments are due by Monday, July 22, 2024, at 5 p.m. EDT.

The NMLS will conduct a virtual town hall discussion on the proposal on Thursday, June 13, at 1 p.m. EDT. Registration in now open for the event. Webinar space is limited, but a recording will be made available.

On Monday, as part of the Treasury Department's Counter Fentanyl Strike Force, FinCEN, in partnership with the IRS Criminal Investigation (CI), announced a new initiative to combat the illicit trafficking of fentanyl into the United States. The “Promoting Regional Outreach to Educate Communities on the Threat of Fentanyl” (or PROTECT) series of FinCEN Exchange sessions will be held through the remainder of 2024 in U.S. cities that are highly impacted by the opioid epidemic.

The series is specifically designed to work with regional and local banks who are deeply connected to their communities and offer unique perspectives on the opioid crisis, and will focus on how law enforcement can best support their efforts to monitor activity that may be tied to the illicit trafficking of fentanyl. At these exchanges, federal officials brief on information critical to tracking these illicit financial flows, including typologies and red-flag indicators of fentanyl-related activity, and discuss what types of information are particularly valuable when financial institutions report suspicious activity.

The PROTECT series is being launched in collaboration with other government partners, including the Drug Enforcement Administration, Homeland Security Investigations, Customs and Border Protection, the U.S. Secret Service, the Federal Bureau of Investigation, the Department of Justice Money Laundering and Asset Recovery Section, various U.S. Attorney’s Offices, and local law enforcement agencies.

The Boston event in the PROTECT series was conducted on Monday, bringing federal agencies and law enforcement authorities from the Boston area together with representatives from the financial industry for a discussion on ways to deepen collaboration and enhance the value of suspicious activity reporting to counter illicit fentanyl trafficking. FinCEN and law enforcement representatives highlighted the significant value that Suspicious Activity Reports contribute to law enforcement efforts to combat fentanyl trafficking, and financial institutions shared their observations on money laundering flows and tactics used by narcotraffickers and their enablers.