InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
NIST Prepares Analysis of Comments Submitted Regarding Cybersecurity Framework
On May 16, the National Institute of Standards and Technology (NIST) released an initial analysis of the hundreds of comments it received in response to its request for information to begin developing the "Cybersecurity Framework" required by President Obama's executive order. The analysis sifts from the comments characteristics and considerations the Framework must encompass and practices identified as having wide utility and adoption, and identifies initial gaps in the responses that must be addressed in order to meet the goals of the executive order. The paper also includes a series of questions that will serve as the basis for additional discussion and study at an upcoming workshop to be hosted at Carnegie Mellon University in Pittsburgh, Pennsylvania on May 29-31, 2013.
State Department Finalizes Burma Investment Reporting Requirements
On May 23, the State Department announced that the Office of Management and Budget approved the final Burma Responsible Investment Reporting Requirements. Effective immediately, pursuant to General License No. 17, all U.S. persons with aggregate investment in Burma over $500,000 are subject to the reporting requirements, which generally cover a range of policies and procedures with respect to investments in Burma, including human rights, labor rights, land rights, community consultations and stakeholder engagement, environmental stewardship, anti-corruption, arrangements with security service providers, risk and impact assessment and mitigation, payments to the government, any investments with the Myanmar Oil and Gas Enterprise (MOGE), and contact with the military or non-state armed groups. The State Department will use the information collected to conduct to encourage U.S. businesses to develop robust policies and procedures to address a range of impacts resulting from their investments and operations in Burma.
FTC Approves Order Settling Data Breach Charges
On May 3, the FTC approved a final order settling charges against a California-based cord blood bank firm alleged to have violated the FTC Act by failing to use reasonable and appropriate procedures for handling customers’ personal information, despite its privacy policy claims to the contrary. Further, the FTC alleged that the firm created unnecessary risks to personal information by transporting portable data storage devices containing personal information in a manner that made the information vulnerable to theft, and failed to prevent, detect and investigate unauthorized access to computer networks. According to the FTC, these practices resulted in a data breach in which certain portable devices were stolen from an employee’s personal vehicle and the personal information of nearly 300,000 customers was compromised. The settlement requires the company to establish a comprehensive information security program and submit to security audits by independent auditors every other year for 20 years, and prohibits the company from misrepresenting the privacy and security of information collected from consumers.
FTC Sharpens Focus on Data Brokers
On May 7, the FTC released letters it sent to 10 data brokers warning that certain of the brokers’ practices could violate FCRA privacy protections. The announcement states that data broker companies that collect, distribute or sell information about consumers’ creditworthiness, eligibility for insurance, or suitability for employment are subject to FCRA, and as such, have an obligation to reasonably verify the identities of their customers and make sure that customers have a legitimate purpose for receiving consumer information. The letters were issued pursuant to an FTC “test-shopping” operation as part of an international privacy practice transparency sweep conducted by the Global Privacy Enforcement Network. The operation and subsequent warnings letters are the latest move by the FTC to address data broker compliance with FCRA. Last year, the FTC ordered certain data brokers to produce information about their collection and use of consumer data and announced at least one settlement with a data broker regarding FCRA compliance. However, the letters do not constitute an official notice that the companies are subject to FCRA or act as formal complaints, but rather “remind” the companies to review their practices to determine whether they are consumer reporting agencies subject to FCRA.
Special Alert: CFPB Issues Final Civil Penalty Fund Rule with Request for Comment
On April 26, the Consumer Financial Protection Bureau (CFPB or the Bureau) issued a final rule, effective immediately, that sets forth procedures for the administration of the Consumer Financial Civil Penalty Fund (Civil Penalty Fund or Fund). Under Dodd-Frank, all civil penalties obtained by the CFPB are deposited into the Civil Penalty Fund, which may be used to compensate victims and, to the extent any funds remain, to fund consumer education and financial literacy programs. The final rule identifies categories of victims who may receive payments from the Civil Penalty Fund and articulates the Bureau’s interpretation of the types of payments that may be appropriate for these victims. It also establishes procedures for allocating funds for such payments to victims and for consumer education and financial literacy programs. The CFPB simultaneously issued a proposed rule, seeking comment on possible revisions to the final rule. The CFPB is accepting comments on the proposed rule through July 8, 2013.
Pursuant to the final rule, victims are eligible for compensation from the Fund if a final order in a Bureau enforcement action imposed a civil penalty for the particular violation that harmed the victim. A final order is defined as a consent order or settlement issued by a court or by the Bureau, or an appealable order issued by a court or by the Bureau as to which the time for filing an appeal has expired and no appeals are pending. The Bureau’s proposed rule, however, states that it is considering whether it should revise the final rule to allow payments to victims of any “type” of activity for which civil penalties have been imposed, even if no enforcement action has imposed penalties for the “particular” activity that harmed the victims.
Under the final rule, victims will be compensated from the Fund to the extent of their uncompensated harm. Uncompensated harm is defined as the victim’s compensable harm minus any compensation for that harm that the victim has received or is reasonably expected to receive. The final rule describes three categories of compensation that a victim has received or may be reasonably expected to receive: (i) a previous allocation from the Civil Penalty Fund to the victim’s class; (ii) any redress that a final order in a Bureau enforcement action orders paid to the victim that has not been suspended, waived, or determined by the Chief Financial Officer to be uncollectible; and (iii) other redress that the Bureau knows has been paid to the victim. In determining whether a victim’s harm is compensable, the final rules states that the CFPB will look to the objective terms of the order imposing the civil penalty, or if the order does not set forth such objective terms, the victim’s out-of-pocket loss that resulted from the violation. The Bureau’s proposed rule, however, seeks comment on (i) what should qualify as compensable harm. (ii) whether, when the amount of harm cannot be determined based on the terms of a final order, the Fund Administrator should determine what amount of harm is “practicable,” as opposed to using the victim’s out-of-pocket loss, and (iii) whether, instead of paying victims for their uncompensated harm, the Bureau instead should pay victims a share of the civil penalties collected for the particular violations that harmed them.
The CFPB has stated that it will only make payments to victims to the extent practicable. In the final rule’s interpretative commentary, the CFPB explained that it believes that for payments to be “practicable,” it must be feasible to carry out all of the steps involved in making the payments, and to do so efficiently and without excessive administrative cost. The final rule identifies scenarios where distribution may be impracticable, including when the amount of the payment is so small the victim is unlikely to redeem it, the cost of distribution is not justified, the victim cannot be located with reasonable effort, the victim does not timely submit information required by the distribution plan, or the victim does not redeem the payment within a reasonable time.
With respect to fund allocation procedures, the final rule establishes a Civil Penalty Fund Administrator who will manage the Fund and report to the CFPB’s Chief Financial Officer. The Fund Administrator also must follow written direction provided by the Civil Penalty Fund Governance Board, which will be established by the Director of the CFPB. The Administrator will designate a payment administrator—who may be a CFPB employee or a contractor—who will propose a plan for distributing the allocated funds to individual victims. The plan must be approved by the Administrator.
Under the final rule, funds will be allocated based on six-month periods, which will be published on the CFPB’s website by July 8, 2013. The start date for the first period has been established as July 21, 2011. The first two periods, however, need not be exactly six months in order to allow the Bureau to establish a schedule that will be administratively efficient. When there are sufficient funds available to fully compensate all the victims in the six-month period class, the Fund Administrator will allocate to each victim the amount necessary to fully compensate those victims for their uncompensated harm. If there are insufficient funds to fully compensate victims in any six-month period, victims from the most recently concluded six-month period will receive an equal percentage of their uncompensated harm. In the event of a surplusage within a given six-month period, the Fund Administrator next will allocate any remaining funds to classes of victims from preceding six-month periods until no funds remain or the victims are fully compensated. The proposed rule seeks comments regarding (i) how funds should be allocated to classes of victims, particularly when there are insufficient funds in a particular period to fully compensate all victims and (ii) whether funds should be allocated more or less frequently, or whether a different method of timing allocations should be used.
Under the final rule, any funds that remain after distribution can be allocated to consumer education or financial literacy programs, based on criteria separately adopted by the CFPB. The Fund Administrator, however, does not have the authority to select or allocate funds to particular programs. The proposed rule also seeks comment regarding whether there should be a limit to the amount of funds that may be allocated to such programs.
The CFPB will issue annual reports that describe how the funds will be allocated, the basis for those allocations, and how the funds have been distributed. The reports will be available on the CFPB’s web site.
Spotlight on the False Claims Act: Wartime Suspension of Limitations Act Suspends Statute of Limitations in False Claims Act Cases
The False Claims Act (FCA), which allows both the government and whistleblowers to seek treble damages for claims of civil fraud on the United States, is a powerful tool. In the past two years, the government has aggressively used the FCA to target financial institutions for claims of reckless lending and improper servicing. (e.g. FCA, FHA Lending, and US v. Deutsche Bank). As events leading to the financial crisis have approached - and in some cases exceeded - the FCA’s statute of limitations, financial institutions have increasingly responded to such claims by arguing that the government did not assert them in a timely manner.
A recent Fourth Circuit decision interpreting the Wartime Suspension of Limitations Act (WSLA), an obscure act first enacted during World War II, however, threatens to make it significantly more difficult for financial institutions to assert a statute of limitations defense to FCA claims. The case, United States ex rel. Carter v. Halliburton, came before the Fourth Circuit after a lower court dismissed an FCA lawsuit brought against Halliburton and related entities (collectively “KBR”) as barred by the FCA’s six-year statute of limitations. In a critical decision, the Fourth Circuit reversed the dismissal on the grounds that the FCA’s statute of limitations was tolled by the WSLA.
The holding is significant as the Fourth Circuit held that the WSLA applies regardless of whether the government or a private plaintiff prosecutes the case or the case involves the defense industry. The case, therefore, has the potential to reach any FCA defendant in any civil case — from financial institutions to healthcare providers.
The WSLA, enacted in 1942, extended the time to bring charges related to “indictable” fraud against the U.S. when “at war.” An amendment in 1944 deleted the term “indictable.” In 2008, the Wartime Enforcement of Fraud Act further amended the WSLA to allow it to apply whenever “Congress has enacted specific authorization for the use of the Armed Forces,” and extend the tolling period until “five years after the termination of hostilities.”
In a novel interpretation, the Fourth Circuit held that the WSLA applies to both civil and criminal fraud claims against the U.S., regardless of whether the U.S. has intervened, and even without a formal declaration of war. The Fourth Circuit first held that a formal declaration of war is not required under the WSLA, and that the U.S. was “at war” in Iraq from the date that Congress authorized the use of military force in 2002.
The court also held that the U.S. was still “at war” for the purposes of the WSLA when the alleged fraud occurred because neither Congress nor the President had met the formal requirements of the act for ending the tolling period. The Fourth Circuit then held that the WSLA applies to both criminal and civil cases because the 1944 amendments removed the word “indictable.”
Finally, the Fourth Circuit held that whether the U.S. – or a plaintiff – brings an FCA claim under the qui tam provisions is “irrelevant” because the WSLA’s tolling provision hinges not on who brings the claim, but when the claim is brought. Accordingly, the Fourth Circuit held that the relator’s FCA claims against KBR were not time-barred.
As Dietrich Knauth, a reporter with Law 360, recently noted, “The Fourth Circuit's decision in Carter v. Halliburton caused consternation among many FCA defense attorneys, who said that the decision effectively eviscerates the FCA's time limits.” Indeed, while the Fourth Circuit’s decision is remarkable, the theory advanced by the relator is gaining traction, including in cases outside of the defense industry. In mid-2012, the Department of Justice successfully made the same arguments in United States v. BNP Paribas SA, when it brought civil claims against under the FCA, alleging that the defendants had defrauded the U.S. in connection with commodity payment guarantees provided by the Department of Agriculture.
Collectively – and with broad interpretation - the Halliburton and BNP Paribas decisions could be invoked to suspend the limitations period for a wide-range of FCA claims and are certain to spur increased litigation as the government, relators and defendants alike join the fast-growing debate about the WSLA’s proper application.
For more information, see:
- Little Known Statute May Breathe New Life Into Stale False Claims Act Cases Against Financial Institutions (April 18, 2013; Thomson Reuters Accelus/Compliance)
- FCA Allows Treble Damages - 'But Treble What?' (March 26, 2013; Law360)
- False Claims Act & FIRREA (BuckleySandler Practice Overview)
CFPB Report Urges Adoption of Standards for Marketing Financial Adviser Services to Seniors
On April 18, the CFPB issued a report that reviews the marketing of investment adviser services to older Americans. The CFPB found that financial advisers use more than 50 different designations to market expertise in financial issues affecting seniors, which the CFPB claims creates confusion in the marketplace. The report includes detailed recommendations for the SEC and Congress related to (i) consumer education and disclosures, (ii) standards for the acquisition of senior designations, (iii) standards for senior designee conduct, and (iv) enforcement related to the misuse of senior designations. Among the recommendations, the CFPB suggests that policymakers consider requiring adviser education and standardized testing prior to obtaining a senior designation. The CFPB also suggests that the SEC and state policymakers consider increasing enforcement of misleading or other improper conduct by a holder of a senior designation and that state policymakers consider providing consumers with a private right of action to seek relief for the improper use of senior designations.
CFPB Narrows Application of Credit Card Fee Limit
On March 28, the CFPB published a final rule to remove from Regulation Z a limitation on fees charged prior to credit card account opening. Effective immediately, the rule amends a restriction adopted by the Federal Reserve Board in April 2011, which expanded the 2009 Credit CARD Act fee limitation on certain fees charged during the first year after the account is opened to include fees charged prior to account opening. The CFPB rule eliminates the limitations on fees charged prior to account opening, and covers only those fees charged during the first year after account opening. The rule responds to a legal challenge to restricting the amount of fees charged prior to account opening, which resulted in a court issuing a preliminary injunction to halt the implementation of the Federal Reserve Board’s broader application of the fee limit.
EU Parliament Approves Online Transaction Dispute Resolution Platform
On March 12, the European Commission announced that the European Parliament voted to support new legislation governing the out-of-court resolution of contractual disputes resulting from online transactions for the sale of goods or services, referred to as Online Dispute Resolution (ODR). The ODR legislation establishes a single EU-wide platform to handle disputes between traders and consumers arising from cross-border online transactions. The platform, which would not be applicable to offline transactions, will: (1) allow consumers and traders to electronically submit complaints related to online transactions along with related documents to an alternative dispute resolution entity; (2) allow alternative dispute resolution entities to receive and transmit information electronically; and (3) allow the parties to conduct and resolve the dispute resolution process via the platform. The platform is intended to be operational by 2015.
U.K. FSA Seeks Comments on New Consumer Credit Regulatory Regime
On March 6, the U.K. Financial Services Authority (FSA) issued a consultation paper (CP) to outline the regulatory regime for consumer credit markets after its regulatory powers transfer to the Financial Conduct Authority (FCA). The FCA is a new regulatory body that will succeed the FSA later this year, and will assume regulatory responsibility over the U.K.’s consumer credit and retail markets regulatory responsibilities. In addition to those markets, the FCA also will regulate conduct in wholesale markets, supervise the trading infrastructure that supports retail and wholesale markets, and prudentially regulate firms not regulated by the new Prudential Regulatory Authority. The CP outlines (i) the supervision of and reporting by covered firms, (ii) the interim permission for OFT license holders to continue operations, (iii) the supervision of credit advertising being subject to the Financial Services and Markets Act financial promotions regime, (iv) prudential requirements for debt management firms, (v) the Consumer Credit Act provisions that survive under the new FCA credit regime, and (vi) the sources of funding for the regime. Comments on the proposal are due by May 1, 2013.