Understanding the Enhanced Regulation S-P Requirements

On May 16, 2024, the Securities and Exchange Commission adopted amendments to Regulation S-P, the regulation that governs the treatment of nonpublic personal information about consumers by certain financial institutions. The amendments apply to broker-dealers, investment companies, and registered investment advisers (collectively, “covered institutions”) and are designed to modernize and enhance the protection of consumer financial information. Regulation S-P continues to require covered institutions to implement written policies and procedures to safeguard customer records and information (the “safeguards rule”), properly dispose of consumer information to protect against unauthorized use (the “disposal rule”), and implement a privacy policy notice containing an opt-out option. Registered investment advisers with over $1.5 billion in assets under management will have until November 16, 2025 (18 months) to comply; those entities with less will have until May 16, 2026 (24 months) to comply.

Incident Response Program

Covered institutions will have to add an Incident Response Program (the “Program”) to their written policies and procedures if they have not already done so. The Program must be designed to detect, respond to, and recover customer information from unauthorized third parties. The nature and scope of the incident must be documented with further steps taken to prevent additional unauthorized use. Covered institutions will also be responsible for adopting procedures regarding the oversight of third-party service providers that are receiving, maintaining, processing, or accessing their clients’ data. The safeguards rule and disposal rule require that nonpublic personal information received from a third party about their customers should be treated the same as if it were that of your own client.

Customer Notification Requirement

The amendments require covered institutions to notify affected individuals whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization. The amendments require a covered institution to provide the notice as soon as practicable, but not later than 30 days, after becoming aware that unauthorized access to or use of customer information has occurred or is reasonably likely to have occurred. The notices must include details about the incident, the breached data, and how affected individuals can respond to the breach to protect themselves. A covered institution is not required to provide the notification if it determines that the sensitive customer information has not been, and is not reasonably likely to be, used in a manner that would result in substantial harm or inconvenience. To the extent a covered institution will have a notification obligation under both the final amendments and a similar state law, a covered institution may be able to provide one notice to satisfy notification obligations under both the final amendments and the state law, provided that the notice includes all information required under both the final amendments and the state law, which may reduce the number of notices an individual receives.

Recordkeeping

Covered institutions will have to make and maintain the following in their books and records:

  • Written policies and procedures required to be adopted and implemented pursuant to the Safeguards Rule, including the incident response program;
  • Written documentation of any detected unauthorized access to or use of customer information, as well as any response to and recovery from such unauthorized access to or use of customer information required by the incident response program;
  • Written documentation of any investigation and determination made regarding whether notification to customers is required, including the basis for any determination made and any written documentation from the United States Attorney General related to a delay in notice, as well as a copy of any notice transmitted following such determination;
  • Written policies and procedures required as part of service provider oversight;
  • Written documentation of any contract entered into pursuant to the service provider oversight requirements; and
  • Written policies and procedures required to be adopted and implemented for the Disposal Rule.

Registered investment advisers will be required to preserve these records for five years, the first two in an easily accessible place.

Deep-Sea Mining–Article 1: What Is Happening With Deep-Sea Mining?

Debate continues on whether the UAE Consensus achieved at COP28 represents a promising step forward or a missed opportunity in the drive towards climate neutral energy systems. However, the agreement that countries should “transition away from fossil fuels” and triple green power capacity by 2030 spotlights the need for countries to further embrace renewable power.

This series will examine the issues stakeholders need to consider in connection with deep-sea mining. We first provide an introduction to deep-sea mining and its current status. Future articles will consider in greater detail the regulatory and contractual landscape, important practical considerations, and future developments, including decisions of the ISA Council.

POLYMETALLIC NODULES

Current technology for the generation of wind and solar power (as well as the batteries needed to store such power) requires scarce raw materials, including nickel, manganese, cobalt, and copper. The fact that these minerals are found in the millions of polymetallic nodules scattered on areas of the ocean floor gives rise to another debate on whether the deep-sea mining of these nodules should be pursued.
This issue attracted considerable attention over the summer of 2023, when the International Seabed Authority (ISA) Assembly and Council held its 28th Session and, in January 2024, when Norway’s parliament (the Storting) made Norway the first country to formally authorise seabed mining activities in its waters.

INTERNATIONAL REGULATION OF DEEP-SEA MINERALS: UNCLOS AND ISA

The United Nations Convention on the Law of the Sea (UNCLOS) provides a comprehensive regime for the management of the world’s oceans. It also established ISA.

ISA is the body that authorises international seabed exploration and mining. It also collects and distributes the seabed mining royalties in relation to those areas outside each nation’s exclusive economic zone (EEZ).

Since 1994, ISA has approved over 30 ocean-floor mining exploration contracts in the Atlantic, Pacific, and Indian oceans, with most covering the so-called ‘Clarion-Clipperton Zone’ (an environmental management area of the Pacific Ocean, between Hawaii and Mexico). These currently-approved contracts run for 15 years and permit contract holders to seek out (but not commercially exploit) polymetallic nodules, polymetallic sulphides, and cobalt-rich ferromanganese crusts from the deep seabed.

UNCLOS TWO-YEAR RULE AND ISA’S 28TH SESSION

Section 1(15) of the annex to the 1994 Implementation Agreement includes a provision known as the “two-year rule.” This provision allows any member state of ISA that intends to apply for the approval of a plan of work for exploitation of the seabed to request that the ISA Council draw up and adopt regulations governing such exploitation within two years.

In July 2021, the Republic of Nauru triggered the two-year rule, seeking authority to undertake commercial exploitation of polymetallic nodules under license. That set an operative deadline of 9 July 2023.

At meetings of the ISA Assembly and ISA Council in July 2023, the ISA Council determined that more time was needed to establish processes for prospecting, exploring, and exploiting mineral resources, and a new target was set for finalising the rules: July 2025.

The expiration of the two-year rule in July 2023 does allow mining companies to submit a mining license application at any time. However, the above extension gives the ISA Council direct input into the approval process, which will make approval of any application difficult.

NORWAY’S DEEP-SEA MINING PLAN

State legislation regulates deep-sea mining in different EEZs. Norway is one of the only countries that has its own legislation (the Norway Seabed Minerals Act of 2019) regulating the exploration and extraction of deep-sea minerals.

In December 2023, Norway agreed to allow seabed mineral exploration off the coast of Norway, ahead of a formal parliamentary decision. The proposal was voted 80-20 in favour by the Storting on 9 January 2024.

The proposal will permit exploratory mining across a large section of the Norwegian seabed, after which the Storting can decide whether to issue commercial permits.

The decision initially applies to Norwegian waters and exposes an area larger than Great Britain to potential sea-bed mining, although the Norwegian government has noted that it will only issue licenses after more environmental research has been done.

The Norwegian government has defended the plan as a way to seize an economic opportunity and shore up the security of critical supply chains. However, there is concern that this will pave the way towards deep-sea mining around the world. Green activists, scientists, fishermen, and investors have called upon Oslo to reconsider its position. They cite the lack of scientific data about the effects of deep-sea mining on the marine environment, as well as the potential impact on Arctic ecosystems. In November 2023, 120 European Union lawmakers wrote an open letter to Norwegian members of the Storting, urging them unsuccessfully to reject the project, and in February 2024, the European Parliament voted in favour of a resolution that raised concerns about Norway’s deep-sea mining regulations. This resolution carries no legal power, but it does send a strong signal to Norway that the European Union does not support its plans.

In May 2024, WWF-Norway announced it will sue the Norwegian government for opening its seabed to deep-sea mining. WWF-Norway claim that the government has failed to properly investigate the consequences of its decision, has acted against the counsel of its own advisors, and has breached Norwegian law.

METHODS OF POLYMETALLIC NODULE EXTRACTION

Should Norway, or any other nation, initiate commercial deep-seabed mining, one of the following methods of mineral extraction may be employed:

Continuous Line Bucket System

This system utilises a surface vessel, a loop of cable to which dredge buckets are attached at 20–25 meter intervals, and a traction machine on the surface vessel, which circulates the cable. Operating much like a conveyor belt, ascending and descending lines complete runs to the ocean floor, gathering and then carrying the nodules to a ship or station for processing.

Hydraulic Suction System

A riser pipe attached to a surface vessel “vacuums” the seabed, for example, by lifting the nodules on compressed air or by using a centrifugal pump. A separate pipe returns tailings to the area of the mining site.

Remotely Operated Vehicles (ROVs)

Large ROVs traverse the ocean floor collecting nodules in a variety of ways. This might involve blasting the seafloor with water jets or collection by vacuuming.

Recent progress has been made in the development of these vehicles; a pre-prototype polymetallic nodule collector was successfully trialed in 2021 at a water depth of 4,500 metres, and in December 2022, the first successful recovery of polymetallic nodules from the abyssal plain was completed, using an integrated collector, riser, and lift system on an ROV. A glimpse of the future of deep-sea ROVs perhaps comes in the form of the development of robotic nodule-collection devices, equipped with artificial intelligence that allows them to distinguish between nodules and aquatic life.

Key to all three methods of mineral extraction is the production support vessel, the main facility for collecting, gathering, filtering, and storing polymetallic nodules. Dynamically positioned drillships, formerly utilised in the oil and gas sector, have been identified/converted for this purpose, and market-leading companies active in deep-water operations, including drilling and subsea construction, are investing in this area. It will be interesting to see how the approach to the inherent engineering and technological challenges will continue to develop.

THE RISKS OF DEEP-SEA MINING

As a nascent industry, deep-sea mining presents risks to both the environment and the stakeholders involved:

Environmental Risks

ISA’s delayed operative deadline for finalising regulations has been welcomed by parties who are concerned about the environmental impact that deep-sea mining may have.

Scientists warn that mining the deep could cause an irreversible loss of biodiversity to deep-sea ecosystems; sediment plumes, wastewater, and noise and light pollution all have the potential to seriously impact the species that exist within and beyond the mining sites. The deep-ocean floor supports thousands of unique species, despite being dark and nutrient-poor, including microbes, worms, sponges, and other invertebrates. There are also concerns that mining will impact the ocean’s ability to function as a carbon sink, resulting in a potentially wider environmental impact.

Stakeholder and Investor Risks

While deep-sea mining doesn’t involve the recovery and handling of combustible oil or gas, which is often associated with offshore operations, commercial risks associated with the deployment of sophisticated (and expensive) equipment in water depths of 2,000 metres or greater are significant. In April 2021, a specialist deep-sea mining subsidiary lost a mining robot prototype that had uncoupled from a 5-kilometer-long cable connecting it to the surface. The robot was recovered after initial attempts failed, but this illustrates the potentially expensive problems that deep-sea mining poses. Any companies wishing to become involved in deep-sea mining will also need to be careful to protect their reputation. Involvement in a deep-sea mining project that causes (or is perceived to cause) environmental damage or that experiences serious problems could attract strong negative publicity.

INVESTOR CONSIDERATIONS

Regulations have not kept up with the increased interest in deep-sea mining, and there are no clear guidelines on how to structure potential deep-sea investments. This is especially true in international waters, where a relationship with a sponsoring state is necessary. Exploitative investments have not been covered by ISA, and it is unclear how much control investors will have over the mining process. It is also unclear how investors might be able to apportion responsibility for loss/damage and what level of due diligence needs to be conducted ahead of operations. Any involvement carries with it significant risk, and stakeholders will do well to manage their rights and obligations as matters evolve.

Acting U.S. Attorney Levy Forecasts False Claims Act COVID Cases Targeting Private Lenders Of CARES Act Loans That Failed In Their Obligation To Safeguard Government Funds

Acting U.S. Attorney Joshua Levy discussed the enforcement priorities for the Massachusetts U.S. Attorney’s Office (USAO) during a Q&A session on May 29, 2024, and made clear that the historical focus of the office remains the top priority: detecting and combating health care fraud, waste, and abuse. In particular, both Levy and Chief of the USAO’s Civil Division, Abraham George, have recently indicated that the government will pursue large dollar COVID fraud cases both criminally and civilly. As we have discussed previously, we expect False Claims Act (FCA) COVID cases to materialize in the coming years as the government zeroes in on wrongdoers via enhanced data analytics and AI tools as well as via traditional investigative methods and the forthcoming Whistleblower Rewards Program.

Recent COVID FinTech Lender, Kabbage, $120 MM False Claims Act Settlement

The recent Kabbage settlement is illustrative of the types of COVID cases the office is looking to bring pursuant to the FCA. Acting U.S. Attorney Levy discussed the settlement, publicized in May, with now-bankrupt online lender, Kabbage Inc. Kabbage allegedly knowingly processed and submitted thousands of false claims for Paycheck Protection Program (PPP) loan forgiveness, loan guarantees, and processing fees. The PPP – a loan program for small businesses created via the Coronavirus Aid, Relief, and Economic Security (CARES) Act – was administered by the federal Small Business Administration (SBA). The CARES Act authorized private lenders to approve PPP loans for eligible borrowers who could later seek forgiveness for the loans if borrowers used the loans for eligible expenses, including employee payroll.

Among other things, participating PPP lenders were obligated to 1) confirm borrowers’ average monthly payroll costs by PPP loan documentation; and 2) follow applicable Bank Secrecy Act/Anti-Money Laundering (BSA/AML) requirements. SBA guaranteed any unforgiven or defaulted PPP loans as long as the private lender adhered to PPP requirements.

Private lenders received a fixed fee calculated as a percentage of the loan amount. Here, U.S. Attorney Levy’s office alleged that Kabbage awarded inflated and fraudulent loans to maximize its profits, then sold its assets and left the remaining company financially depleted, leading to bankruptcy. Kabbage was allegedly aware of the following errors as of April 2020, failed to correct them, and continued to make improper loan disbursements after learning of the issues:

  1. double-counting state and local taxes paid by employees when calculating gross wages;
  2. failing to exclude annual compensation above $100,000 per employee; and
  3. improperly calculating employee leave and severance payments.

Kabbage also allegedly failed to implement appropriate fraud controls to comply with the PPP, BSA, and AML by knowingly:

  1. removing underwriting steps to facilitate processing a high volume of loan applications and maximizing loan processing fees;
  2. setting substandard fraud check thresholds;
  3. relying on automated tools that were inadequate in identifying fraud;
  4. devoting insufficient personnel to conduct fraud reviews;
  5. discouraging its fraud reviewers from requesting information from borrowers to substantiate their loan requests; and
  6. submitting to the SBA thousands of dubious PPP loan applications that were fraudulent or highly suspicious.

The settlement, which will result in the U.S. securing up to $120 million pursuant to bankruptcy proceedings, resolves qui tam complaints brought by two separate whistleblowers: an accountant who submitted PPP loan applications to multiple lenders and a former analyst in Kabbage’s collection department.

Predictions for Future COVID Fraud Enforcement

Acting U.S. Attorney Levy’s comments make clear that we can expect to see FCA COVID cases targeting private lenders of CARES Act loans that failed in their obligation to safeguard government funds. To date, COVID fraud prosecution has largely targeted “low-hanging fruit” criminal cases, such as those involving submission of false information to obtain COVID relief funding that the recipient spends on luxury items. We discussed in April that the COVID Fraud Enforcement Task Force (CFETF) and a bipartisan group of Senators had, via a report and draft legislation, pleaded with Congress to increase funding to prosecute COVID fraud. Investigations such as those involving Kabbage require a large investment of resources and, as U.S. Attorney Levy commented, his office must prioritize large-dollar COVID fraud cases most likely to result in specific and general fraud deterrence.

As we have written previously, the government is playing a long game tracking COVID fraud. The Justice Department’s CFETF reported in April that to date, the DOJ had seized or forfeited $1.4 billion in stolen relief funds, brought criminal charges against 3,500 defendants, and reached 400 civil settlements. With a ten-year statute of limitations and increasingly accurate data analytics tools, we expect the DOJ will continue to identify and recover misappropriated funds from large and lower dollar fraudsters. So long as COVID fraud enforcement remains a well-funded priority of the government, we anticipate a steady stream of FCA COVID settlements involving lenders and borrowers. The government is casting a wide net to recoup the nearly $300 billion in COVID fraud estimates. We will continue to monitor and report on developments.

CFPB Launches Public Inquiry into Rising Mortgage Closing Costs and ‘Junk Fees’

Go-To Guide:
  • The Consumer Financial Protection Bureau (CFPB) has launched a public inquiry into rising mortgage closing costs, seeking to understand the reasons behind the increase, identify who benefits, and find ways to reduce costs for both borrowers and lenders.
  • This inquiry, part of a broader effort against “junk fees,” aims to gather public input on the impact of these fees on consumers’ financial health and the mortgage lending market, with a focus on third-party costs, fee beneficiaries, and the evolving nature of these expenses.

On May 30, 2024, the CFPB issued a new request for information (RFI) from the public regarding “why closing costs are increasing, who is benefiting, and how costs for borrowers and lenders could be lowered.”

As part of a wider effort targeting what both the CFPB and the Biden administration refer to as “junk fees,” the CFPB is focusing on evaluating how these fees affect consumers’ financial health and the broader impact on mortgage lenders. This follows the CFPB’s continued expression of interest in “junk fees,” on which GT reported in a May 2024 blog post.

“Junk fees and excessive closing costs can drain down payments and push up monthly mortgage costs,” CFPB Director Rohit Chopra said in a separate press release. “The CFPB is looking for ways to reduce anticompetitive fees that harm both homebuyers and lenders.”

The Request for Information

According to a recent CFPB analysis, mortgage closing costs surged by over 36% from 2021 to 2023. The CFPB alleges that these unavoidable fees can strain household budgets and limit the ability to afford a down payment, while also hindering lenders from offering competitive mortgage options due to the higher costs they must absorb or pass on.

The CFPB is seeking public input to address these concerns and make mortgage costs more manageable. Some key areas of interest include:

  • Competitive pressure. The CFPB aims to evaluate the extent to which consumers or lenders currently apply competitive pressure on third-party closing costs, seeking to understand market barriers that limit competition.
  • Fee beneficiaries. The CFPB aims to identify the beneficiaries of required services and determine whether lenders have control or influence over the third-party costs that are transferred to consumers.
  • How fees are evolving and their impact on consumers. The CFPB seeks details on which expenses have surged the most in recent years and the factors driving these increases, such as the higher prices for credit reports and credit scores. Additionally, the CFPB is interested in understanding how closing costs affect housing affordability, access to homeownership, and home equity.

Takeaways

The CFPB oversees numerous laws and regulations concerning mortgage lending and real estate settlement, such as the Truth in Lending Act, the Fair Credit Reporting Act, and the Real Estate Settlement Procedures Act. The insights gained from this inquiry are poised to shape rulemaking, guidance, and various policy initiatives moving forward.

The CFPB invites comments and data from the public and stakeholders within 60 days of the RFI being published in the Federal Register.

Zeba Pirani contributed to this article

Death, Taxes, and Crypto Reporting – The Three Things You Cannot Escape

The IRS released a draft of Form 1099-DA, “Digital Asset Proceeds from Broker Transactions,” in April, which will require anyone defined as a “broker” to report certain information related to the sale of digital assets. The new reporting requirements will be effective for transactions occurring in 2025 and beyond. The release of Form 1099-DA follows a change in the tax law.

In 2021, Congress amended code section 6045 to define “broker” to include any “person who (for consideration) is responsible for regularly providing any service effectuating transfers of digital assets on behalf of another person.” This is an expansion of the definition of a “broker.” The language “any service effectuating transfers of digital assets” is often construed by many in the tax practitioner community as a catch-all term that the government could use to classify many people involved in digital asset platforms as “brokers.”

The IRS proposed new regulations in August 2023 to further define and clarify the new reporting requirements. Under the proposed regulations, Form 1099-DA reporting would be required even for noncustodial transactions including facilitative services if the provider is in a “position to know” the identity of the seller and the nature of the transaction giving rise to gross proceeds. With apparently no discernible limits, facilitative services include “services that directly or indirectly effectuate a sale of digital assets.” Position to know means “the ability” to “request” a user’s identifying information and to determine whether a transaction gives rise to gross proceeds. Under these proposed regulations and the expanded definition of “broker,” a significant number of transactions that previously did not require 1099 reporting will now require reporting. There has been pushback against these proposed regulations, but the IRS appears determined to move forward with these additional reporting requirements.

Anti-Money Laundering and Sanctions Whistleblower Reward Program is a Force-Multiplier to Detect and Combat Terrorist Financing

Anti-Money Laundering and Sanctions Whistleblower Program

In a May 6, 2024 speech at the SIFMA AML Conference, the Director of the Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) Andrea Gacki discussed the success of the Anti-Money Laundering Act (AMLA) in generating disclosures about money laundering and sanctions evasion:

[The whistleblower] program holds tremendous potential as an enforcement force-multiplier. Whistleblowers have submitted information relating to some of the most pressing policy objectives of the United States, from Iran- and Russia-related sanctions evasion to drug-trafficking to cyber-crimes and corruption. While efforts are underway to develop an online tip intake portal and other aspects of this important program, I want to note that even while these efforts are underway, the program is actively receiving, reviewing, and sharing tips with our enforcement partners.

We have received over 270 unique tips since the program’s inception, and many of the tips received have been highly relevant to many of Treasury’s top priorities.

The AMLA incentivizes whistleblowers to report money laundering and sanctions evasion by requiring the Department of the Treasury to pay an award where a whistleblower’s voluntary disclosure of original information leads to a successful enforcement action imposing monetary sanctions above $1,000,000. The minimum whistleblower award is ten percent of collected monetary sanctions and the maximum award is thirty percent. Awards are paid from penalties collected in successful enforcement actions stemming from whistleblower disclosures.

To determine the amount of an AMLA whistleblower award, Treasury will consider:

  • the significance of the information provided by the whistleblower to the success of the covered money laundering judicial or administrative action;
  • the degree of assistance provided by the whistleblower and any legal representative;
  • the programmatic interest of Treasury in deterring the particular violations that the whistleblower disclosed; and
  • additional relevant factors that Treasury will promulgate, which will likely echo the factors that the SEC employs to determine the amount of an SEC whistleblower award.

FinCEN Issues Advisory About Terrorist Financing

Among the violations that whistleblowers can help the government detect and combat are sanctions evasion and money laundering related to Islamic Republic of Iran-backed terrorist organizations. On May 8, 2024, FinCEN issued an Advisory to assist financial institutions in detecting potentially illicit transactions related to Islamic Republic of Iran-backed terrorist organizations. FinCEN Advisory to Financial Institutions to Counter the Financing of Iran-Backed Terrorist Organizations, FIN-2024-A001 (May 8, 2024).

The Advisory identifies the means by which certain terrorist organizations receive support from Iran and the techniques they use to illicitly access or circumvent the international financial system to raise, move, and spend funds. According to the Advisory, the sale of commodities, particularly oil, is the primary source of revenue for Iran to fund its terrorist proxies. Iran has “established large-scale global oil smuggling and money laundering networks to enable access to foreign currency and the international financial system through the illicit sale of crude oil and petroleum products in global markets.” FIN-2024-A001, at 3. In 2021, the National Iranian Oil Company sold approximately $40 billion worth of petroleum products and in 2023, Iran’s exports to the People’s Republic of China reached approximately 1.3 million barrels per day. Some of the proceeds of the sale of Iranian oil finance the activities of the IRGC-Qods Force and other terrorist groups.

Financial Institutions Can Serve as Intermediaries for Terrorist Financing Transactions

Financial institutions located outside Iran become intermediaries for the IRGC-QF’s terrorist financing transactions. In particular, “third-country front companies—often incorporated as ‘trading companies’ or ‘general trading companies’—and exchange houses act as a global ‘shadow banking’ network that processes illicit commercial transactions and channels money to terrorist organizations on Iran’s behalf.” Those exchange houses and front companies rely on banks with correspondent accounts with U.S. financial institutions, especially to process dollar-denominated transactions. FIN-2024-A001, at 5.

The Advisory lists red flags of illicit or suspicious activity that financial institutions should consider in determining if a behavior or transaction is indicative of terrorist finance or is otherwise suspicious and therefore may warrant the filing of a Suspicious Activity Report:

  • A customer or a customer’s counterparty conducts transactions with Office of Foreign Assets Control (OFAC)-designated entities and individuals, or transactions that contain a nexus to identifiers listed for OFAC-designated entities and individuals, to include email addresses, physical addresses, phone numbers, passport numbers, or CVC addresses.
  • Information included in a transaction between customers or in a note accompanying a peer-to-peer transfer includes key terms known to be associated with terrorism or terrorist organizations.
  • A customer conducts transactions with a money services business (MSB) or other financial institution, including a VASP, that operates in jurisdictions known for, or at high risk for, terrorist activity and is reasonably believed to have lax customer identification and verification processes, opaque ownership, or otherwise fails to comply with AML/CFT best practices.
  • A customer conducts transactions that originate with, are directed to, or otherwise involve entities that are front companies, general “trading companies” with unclear business purposes, or other companies whose beneficial ownership information indicates that they may have a nexus with Iran or other Iran-supported terrorist groups. Indicators of possible front companies include opaque ownership structures, individuals and/or entities with obscure names that direct the company, or business addresses that are residential or co-located with other companies.
  • A customer that is or purports to be a charitable organization or NPO solicits donations but does not appear to provide any charitable services or openly supports terrorist activity or operations. In some cases, these organizations may post on social media platforms or encrypted messaging apps to solicit donations, including in CVC.
  • A customer receives numerous small CVC payments from many wallets, then transfers the funds to another wallet, particularly if the customer logs in using an Internet Protocol (IP) based in a jurisdiction known for, or at high risk for, terrorist activity. In such cases, financial institutions may also be able to provide associated technical details such as IP addresses with time stamps and device identifiers that can provide helpful information to authorities.
  • A customer makes money transfers to a jurisdiction known for, or at high risk for, terrorist activity that are inconsistent with their stated occupation or business purpose with vague stated purposes such as “travel expenses,” “charity,” “aid,” or “gifts.”
  • A customer account receives large payouts from social media fundraisers or crowdfunding platforms and is then accessed from an IP address in a jurisdiction known for, or at high risk for, terrorist activity, particularly if the social media accounts that contribute to the fundraisers contain content supportive of terrorist campaigns.
  • A customer company is incorporated in the United States or a third-country jurisdiction, but its activities occur solely in jurisdictions known for, or at high risk for, terrorist activity and show no relationship to the company’s stated business purpose.

FIN-2024-A001, at 12-13.

CFTC Releases Artificial Intelligence Report

On 2 May 2024, the Commodity Futures Trading Commission’s (CFTC) Technology Advisory Committee (Committee) released a report entitled Responsible AI in Financial Markets: Opportunities, Risks & Recommendations. The report discusses the impact and future implications of artificial intelligence (AI) on financial markets and further illustrates the CFTC’s desire to oversee the AI space.

In the accompanying press release, Commissioner Goldsmith Romero highlighted the significance of the Committee’s recommendations, acknowledging decades of AI use in financial markets and proposing that new challenges will arise with the development of generative AI. Importantly, the report proposes that the CFTC develop a sector-specific AI Risk Management Framework addressing AI-associated risks.

The Committee opined that, without proper industry engagement and regulatory guardrails, the use of AI could “erode public trust in financial markets.” The report outlines potential risks associated with AI in financial markets such as the lack of transparency in AI decision processes, data handling errors, and the potential reinforcement of existing biases.

The report recommends that the CFTC host public roundtable discussions to foster a deeper understanding of AI’s role in financial markets and develop an AI Risk Management Framework for CFTC-registered entities aligned with the National Institute of Standards and Technology’s AI Risk Management Framework. This approach aims to enhance the transparency and reliability of AI systems in financial settings.

The report also calls for continued collaboration across federal agencies and stresses the importance of developing internal AI expertise within the CFTC. It advocates for responsible and transparent AI usage that adheres to ethical standards to ensure the stability and integrity of financial markets.

Eleventh Circuit Affirms Dismissal of FCRA Claims Since Alleged Inaccurate Information Was Not Objectively and Readily Verifiable

In Holden v. Holiday Inn Club Vacations Inc., No. 22-11014, No. 22-11734, 2024 WL 1759143 (11th Cir. 2024), which was a consolidated appeal, the United States Court of Appeals for the Eleventh Circuit (“Eleventh Circuit” or “Court”) held that the purchasers of a timeshare did not have actionable FCRA claims since the alleged inaccurate information reported to one of the consumer reporting agencies (“CRAs”) was not objectively and readily verifiable. In doing so, the Eleventh Circuit affirmed two decisions issued by the United States District Court for the Middle District of Florida (“District Court”) granting summary judgment in favor of the timeshare company in the respective cases.

Summary of Facts and Background

Two consumers, Mark Mayer (“Mayer”) and Tanethia Holden (“Holden”), entered into two separate purchase agreements with Holiday Inn Club Vacations Incorporated (“Holiday”) to acquire timeshare interests in Cape Canaveral and Las Vegas, respectively. Holiday is a timeshare company that allows customers to purchase one or more of its vacation properties in weekly increments that can be used annually during the designated period. As part of the transaction, Holiday’s customers typically elect to finance their timeshare purchases through Holiday, which results in the execution of a promissory note and mortgage.

  1. Mayer’s Purchase, Default, and Dispute

On September 15, 2014, Mayer entered into his purchase agreement with Holiday, which contained a title and closing provision stating the transaction would not close until Mayer made the first three monthly payments, and Holiday recorded a deed in Mayer’s name. The purchase agreement also included a purchaser’s default provision stating that upon Mayer’s default or breach of any of the terms or conditions of the agreement, all sums paid by Mayer would be retained by Holiday as liquidated damages and the parties to the purchase agreement would be relieved from all obligations thereunder. Further, the purchase agreement provided that any payments made under a related promissory note prior to the closing would be subject to the purchaser’s default provision. On the same day, Mayer executed a promissory note to finance his timeshare purchase, which was for a term of 120 months. On July 13, 2015, Holiday recorded a deed in Mayer’s name, and he proceeded to tender timely monthly payments until May 2017. As a result of Mayer’s failure to tender subsequent payments, Holiday reported Mayer’s delinquency to the CRA.

Approximately two years later, Mayer obtained a copy of his credit report and discovered Holiday had reported a past-due balance. Thereafter, Mayer sent multiple letters to the CRA disputing the debt, as he believed the purchase agreement was terminated under the purchaser’s default provision. Each dispute was communicated to Holiday, who in turn certified that the information was accurately reported. Mayer sued Holiday for an alleged violation of 15 U.S.C. § 1681s-2(b) of the FCRA based on the furnishing of inaccurate information and failure to “fully and properly re-investigate” the disputes. Holiday eventually moved for partial summary judgment, which the District Court granted. The District Court reasoned that the underlying issue of whether the default provision excused Mayer’s obligation to keep paying was a legal dispute rather than a factual inaccuracy and, in turn, made Mayer’s claim not actionable under the FCRA. Mayer timely appealed to the Eleventh Circuit.

  2. Holden’s Purchase, Default, and Dispute

On June 25, 2016, Holden entered into her purchase agreement with Holiday, which contained a nearly identical title and closing provision to that of Mayer’s purchase agreement. Additionally, Holden’s purchase agreement incorporated a similar purchaser’s default provision. Similarly, Holden executed a promissory note to finance her timeshare purchase, which was for a term of 120 months, and entered into a mortgage to secure the payments under the note. After making her third payment, Holden defaulted and hired an attorney to cancel the purchase agreement pursuant to the closing and title provision and purchaser’s default provision. However, Holiday disputed the purchase agreement was canceled and, on June 19, 2017, recorded a timeshare deed in Holden’s name. More importantly, Holiday reported Holden’s delinquent debt to the CRA.

In response, Holden’s attorney sent three dispute letters to Holiday, which resulted in Holiday investigating the dispute and determining the reporting was accurate since Holden was still obligated under the note. Eventually, Holden sued Holiday for various violations of Florida State law and the FCRA. Holden claimed Holiday reported inaccurate information to the CRA, failed to conduct an appropriate investigation, and failed to correct the inaccuracies. The parties filed competing motions for partial summary judgment, which ended with the District Court granting Holiday’s motion and denying Holden’s motion. Specifically, the District Court held that Holden’s FCRA claim failed because contract disputes regarding whether Holden still owed the underlying debt are legal disputes and not factual inaccuracies. Holden timely appealed to the Eleventh Circuit.

The Fair Credit Reporting Act

As the Eleventh Circuit reiterated in Holden, when a furnisher is notified of a consumer’s dispute, the furnisher must undertake the following three actions: (1) conduct an investigation surrounding the disputed information; (2) review all relevant information provided by the CRA; and (3) report the results of the investigation to the CRA. When a furnisher determines an item of information disputed by a consumer is incomplete, inaccurate, or cannot be verified, the furnisher is required to modify, delete, or permanently block reporting of the disputed information. See 15 U.S.C. § 1681s-2(b)(1)(E). Additionally, any disputed information that a furnisher determines is inaccurate or incomplete must be reported to all other CRAs. See 15 U.S.C. § 1681s-2(b)(1)(D). Despite the foregoing, consumers have no private right of action against furnishers merely for reporting inaccurate information to the CRAs. The only private right of action a consumer may assert against a furnisher is for a violation of 15 U.S.C. § 1681s-2(b) for failure to conduct a reasonable investigation upon receiving notice of a dispute from a CRA. See 15 U.S.C. § 1681s-2(c)(1).

To successfully prove an FCRA claim, the consumer must demonstrate the following: (1) the consumer identified inaccurate or incomplete information that the furnisher provided to the CRA; and (2) the ensuing investigation was unreasonable based on some facts the furnisher could have uncovered that establish the reported information was inaccurate or incomplete.

The Eleventh Circuit’s Decision

In affirming the District Court’s decisions granting summary judgment and dismissing the FCRA claims, the Eleventh Circuit clarified that whether the alleged inaccuracy was factual or legal was “beside the point. Instead, what matters is whether the alleged inaccuracy was objectively and readily verifiable.” Specifically, the Eleventh Circuit cited to Erickson v. First Advantage Background Servs. Corp., 981 F. 3d 1246, 1251-52 (11th Cir. 2020), which defined “accuracy” as “freedom from mistake or error.” The Eleventh Circuit continued by reiterating that “when evaluating whether a report is accurate under the [FCRA], we look to the objectively reasonable interpretations of the report.” As such, “a report must be factually incorrect, objectively likely to mislead its intended user, or both to violate the maximal accuracy standards of the [FCRA].”

Based on this standard, the Eleventh Circuit held that the alleged inaccurate information on which Mayer and Holden based their FCRA claims was not objectively and readily verifiable since the information stemmed from contractual disputes without simple answers. As such, the Eleventh Circuit found that Holiday took appropriate action upon receiving Mayer and Holden’s disputes by assessing the issues and determining whether the respective debts were due and/or collectible, which thereby satisfied its obligation under the FCRA. While Mayer and Holden argued to the contrary, the Eleventh Circuit held that the resolutions of these contract disputes were not straightforward applications of the law to facts. In support of its decision, the Eleventh Circuit cited to the fact that Florida State courts have reviewed similar timeshare purchase agreements and reached conflicting conclusions about whether the default provisions excused a consumer’s obligation to pay the underlying debt.

Conclusion

Holden is a limited victory for furnishers, as the Eleventh Circuit declined to impose a bright-line rule that only purely factual or transcription errors are actionable under the FCRA and held a court must determine whether the alleged inaccurate information is “objectively and readily verifiable.” Accordingly, there are situations when furnishers are required by the FCRA to accurately report information derived from the readily verifiable and straightforward application of the law to facts. One example of such a situation is misreporting the clear effect of a bankruptcy discharge order on certain types of debt. Thus, furnishers should revisit their investigation and verification procedures so they do not run afoul of the FCRA. Furnishers should also continue to monitor for developing case law as other circuit courts confront these issues.

States Sue the Biden Administration to Stop Loan Relief Plan

On April 9, 2024, seven states filed suit against the Biden administration in an attempt to block its new “SAVE” plan, an income-driven repayment plan that leads to eventual loan forgiveness. The case is pending in the U.S. District Court for the Eastern District of Missouri.

Plaintiff states claim that the plan is unlawful because it evades limits Congress imposed for income-based repayment plans and sets arbitrarily high thresholds that would effectively create a grant program for student borrowers. Plaintiffs allege that the US Supreme Court struck down a similar plan last year proposed by the Biden administration which would have cost taxpayers $430 billion. See Biden v. Nebraska, 143 S. Ct. 2355, 2362 (2023). The states allege that the plan violates the Higher Education Act of 1965 and subsequent amendments, which allows student-loan cancelation to occur only after a borrower pays 15% of their disposable income (which is defined as 150% above the poverty line) after 25 years.

The states further allege that the disposable income threshold would increase from 150% to 225% above the poverty line and that the plan would only require borrowers to pay 5% of their income for 10 years before loans are cancelled, “gut[ting] the statutory purpose of providing loans.”

Plaintiffs seek a declaratory judgment that the relief plan is unlawful and injunctive relief.

Putting It Into Practice: State attorneys general continue to challenge Biden regulatory actions through litigation (as previously discussed). Given the success they have achieved thus far, it will be interesting to see how this litigation develops. We will continue to monitor the case for developments.