Posts tagged ‘OFAC’

SC to Consumers: When It Comes To Suing in Federal Court – No Harm, No Foul

A decision by the Supreme Court last week, TransUnion, LLC v. Ramirez, has some very practical implications for credit unions large enough to be on the radar of class action attorneys anxious to sue in federal court over alleged violations of federal law.  In a nutshell, the Supreme Court made it more difficult for plaintiffs to sue your credit union in federal court.

In order to understand just how important this case may be, it’s important to understand just how bad a job TransUnion did complying with the FCRA. A majority of the court held that notwithstanding all these mistakes, only individuals that could show they were harmed by these mistakes in a concrete way had the right to sue the company in federal court. 

In the aftermath of 9/11, TransUnion offered financial institutions a feature which allowed them to more easily spot individuals subject to OFAC sanctions. Specifically, the service informed creditors when a person’s first and last name was the same as an individual on an OFAC list.  Needless to say, this service generated a lot of false positives. One of its victims was Sergio Ramirez.  When he and his wife went to buy a Nissan Maxima, he thought the deal was done only to be informed by the car dealership that it would not sell the car to him because when they ran a TransUnion credit report it indicated that his name was a match for an individual who was on the OFAC sanctions list (incidentally, in the finest tradition of car salesmen everywhere, the dealership closed the deal with the alleged terrorist’s wife).

Things got even worse in the weeks ahead. Mr. Ramirez called TransUnion and requested a copy of his credit file. In response he received the statutory summary of his rights which he is entitled to under the FCRA, but the file he received did not include the OFAC notice.

Mr. Ramirez brought a class action lawsuit on behalf of individuals whose credit reports wrongly identified them as OFAC miscreants. The “class” contained 8,185 members but only 1,853 of these individuals had their credit reports disseminated to potential creditors during the relevant period. He successfully won at trial since there was more than enough evidence to prove that TransUnion violated several key provisions of the FCRA by failing to follow reasonable procedures to ensure the accuracy of its credit reports and failing to provide consumers with accurate credit files upon request. In addition, the FCRA explicitly gives individuals the right to sue for violations of its provisions.

As I talked about in this blog before, an individual seeking to sue in federal court has to show not only that they were subject to a violation of the law but that they were subject to an actual concrete harm. In this case, the Supreme Court ruled that even when Congress writes a statute such as the FCRA and gives a person the right to receive damages for violations of that act, plaintiffs must still show that they suffered injury “in fact” in order to access the federal courts. In this case, a majority of the court agreed that the 1,800 individuals whose credit report was disseminated to potential creditors suffered an injury in fact by effectively being defamed. But what makes this decision so potentially significant is that the court did not believe that an inaccurate credit report by itself injured individuals enough to give them access to the federal courts. As Justice Kavanaugh pithily explained, “no concrete harm, no standing.”

Why does this matter so much? First, because its rationale could easily be applied not only to cases involving violations of the FCRA but to other violations of federal consumer laws such as the Truth In Lending Act which allowed consumers to sue lenders simply because a statute has been violated irrespective of whether or not anyone was harmed by this violation. To be clear, states such as NY and California are free to have their own standards for determining when someone can sue in state court. The long term impact of this decision may simply be to empower state courts to exercise greater influence over the way consumer laws are interpreted. But in the short term, expect more disputes over whether or not creditors can be sued in federal court.

June 29, 2021 at 8:49 am 1 comment

What’s Old is New Again – BSA Takes Center Stage

Let’s face it – these are heady days for cyber criminals. Crypto currencies provide an ideal means to facilitate illicit payments, an unprecedented number of people are working from home, the worldwide economic slowdown ensures a steady supply of potential fraudsters, particularly in countries that look the other way at this type of crime, and you have the US government throwing unprecedented amounts of money to consumers in as quick a way as possible. Put this all together and, in my ever so humble opinion, (at least in the short term) your credit union has to dedicate more of its compliance resources to ensure it is taking the steps necessary to detect and react to nefarious cyber activities, i.e. the “red flags” of criminal activity. 

Recently, there has been a sharp increase in the number of advisories of which your credit unions should be aware. With regard to PPP loans, FinCEN recently sent updated guidance reiterating your due diligence requirements and confirming what procedures can be used when assisting individuals applying for “second draw” PPP loans. This guidance is particularly useful for navigating your beneficial owner obligations. Remember that the PPP loan application requires you to identify any owner with a 20 percent stake in an applicant’s business, whereas FinCEN’s beneficial owner requirements kick in for individuals with a 25 percent stake. 

Just yesterday, FinCEN issued this guidance providing examples of how fraudsters are gaming the system to facilitate healthcare fraud. One of the examples it provided involved an individual who set up several shell pharmaceutical companies to get reimbursement for transactions that never took place. It looks like somebody better call Saul (for the uninformed, that is a Breaking Bad reference). 

The Anti-Money Laundering Act of 2020 contained in the National Defense Authorization Act ordered FinCEN to provide guidance to financial institutions that are asked by law enforcement to keep an account open, even though they suspect or know that it is being used to facilitate criminal activities. The statute provides that financial institutions honoring such “keep open requests” shall not be liable for maintaining the account. This guidance, which was issued jointly by all the federal financial regulators, including the NCUA, implements this language. Finally, I want to remind you all of the guidance issued in October related to financial institutions that facilitate ransomware payments. Statistically speaking, there is a very good chance that many of your credit unions will either facilitate a ransomware payment, or be victimized by a ransomware attack. As I explained in this blog from the fall, OFAC is reminding third parties like insurance companies, banks and credit unions that they could find themselves subject to strict liability penalties for facilitating these payments if they are going to individuals on the OFAC list. While yours truly continues to believe that this is a woefully misguided warning, you should all have contingency plans for dealing with a ransomware scenario, and be cognizant of its potential OFAC implications.

February 3, 2021 at 9:26 am Leave a comment

Rising Ransomware Attacks Trigger Key Compliance Issues

The increasing scope and cost of ransomware attacks means that credit unions should be updating both their BSA and OFAC policies, as well as their cybersecurity infrastructure. It also raises additional considerations as you decide how best to protect your members in the event that your credit union is attacked. 

On October 1st, OFAC and FinCEN issued complementary statements explaining how ransomware attacks trigger OFAC obligations. In a nutshell, your OFAC framework should assess the likelihood that a member could use your credit union to facilitate a ransomware payment. The accompanying FinCEN guidance also underscores reporting requirements that are triggered by a financial institution’s involvement with a ransomware transaction. 

If you’re thinking that this increased ransomware scrutiny raises more questions than answers, you won’t get an argument from me. Increasingly sophisticated cyber criminals are using ransomware attacks to extort a wide range of institutions, from universities – which they threaten with exposing personal student information – to hospitals, who are threatened with losing access to vital medical records, to banks and credit unions. Whether or not to pay the ransom is an extremely tough call, with strong arguments on either side. Now, this guidance is suggesting that once your member has made this tough decision, your credit union should investigate whether or not the blackmailer is on an OFAC list and inform your member that they can’t use you to facilitate payment. How’s that for customer service?

And what happens if your credit union is the victim of a ransomware attack? I’m assuming that many of your credit unions have insurance coverage for precisely this type of problem. If you don’t, you should analyze whether or not you should. As an excellent article in Law360 (subscription required) by Walter Andrews, Andrea DeField and William Sowers of Hunton Andrews Kurth LLP explains, the statements by OFAC raise the same type of issues for insurance companies deciding whether or not to reimburse you as the victim that your financial institution has when considering a member under ransomware attack. This means that you would be wise to discuss this issue with your insurance company so you have an idea of the financial exposure your credit union is facing should this happen to you.

November 19, 2020 at 9:32 am 1 comment

Facebook Has A New Pen Pal: The Senate Banks Committee

On Friday, the Chairman and Ranking Member of the Senate Banks Committee sent a politely worded letter to Facebook inquiring about its plans to move aggressively into the payments market by offering its users the opportunity to buy products directly from merchants using a Facebook backed coin or cryptocurrency depending on how nefarious you want to make its plans sound.

Why is this a big deal? Well how much money do you make off credit and debit card transactions issued by your credit union? If Facebook successfully integrates the coin payment platform into its infrastructure this would mean that 1/3 of the world’s population could start using Facebook to facilitate purchases, making Facebook an overnight threat to Visa and MasterCard.

In their letter to Facebook, following an article describing Facebook’s plans in the Wall Street Journal, the Senators explain that in addition to Facebook’s cryptocurrency ambitions, “privacy experts have raised questions about Facebook’s extensive data collection practices and whether any of the data collected by Facebook is being used for purposes that do or should subject Facebook to the Fair Credit Reporting Act.”

As with so many other aspects of its growth, Facebook is somewhat clumsily taking aim at the financial sector. In addition to questions about its cyber currency ambitions, it is currently being sued by HUD over claims that its advertising platform allows lenders to effectively engage in digital redlining by choosing such finely tuned demographic target audiences that lenders can avoid offering financial products and services to minorities.

Assembly To Hold Municipal Deposit Hearing Next Monday

In case you haven’t heard, the Assembly Banks and Local Governments committee will be holding a hearing on municipal deposits next Monday. An assortment of credit union, bank and local government organizations have been invited to testify. This is a key opportunity for credit unions to respond to banker municipal deposit myths and finally allow public tax dollars to be placed in those financial institutions where they will most benefit taxpayers.

Department of Treasury Issues OFAC Guidance

I’ve been analyzing this guidance for a couple weeks now trying to figure out how significant it is and why it was issued in the first place. It seems to me that nothing in this release should be a surprise to anyone who has tried to comply with OFAC which I’m assuming almost all of my faithful readers have. Nevertheless, any time the Department of Treasury comes out with guidance on this issue you should read it and compare your practices with those expected by the regulator.

May 13, 2019 at 8:45 am Leave a comment

BS(A) Regulation?

Credit union and bank executives who have spent millions of dollars over the last decade complying with the Bank Secrecy Act can be forgiven for dropping the A on the BS (Policy).  With the announcement that it had agreed to a “record” $1.92 billion settlement to defer prosecution against HSBC for its willful violation of the BSA, the Justice Department has demonstrated that enforcement of banking regulations is in serious need of repair.  As I said in a previous blog on HSBC, some banks are too big to make comply with regulations, rendering the regulations all but useless.

For those of you who may have missed it, HSBC entered into an agreement with the Justice Department in which it admitted to ignoring the most basic elements of BSA and OFAC requirements.  Most notably, it failed to conduct basic customer due diligence with the result that it effectively facilitated the drug running operations of Mexican drug cartels.  As explained by my favorite Senate curmudgeon, Senator Chuck Grassley, in a letter to the Justice Department yesterday, HSBC has effectively purchased “a get-out-of-jail free card” for $1.92 billion on behalf of its employees, a fact which is all the more amazing when we really don’t know exactly how much money the bank made off these illegal transactions.  Let’s face it, if you’re big enough, crime really does pay.  No Justice Department official wants to be criticized for effectively killing a bank by holding its top level officials responsible for blatant misconduct.

Why should this bother credit unions?  For one thing, as a simple matter of fairness, a $20 million credit union that engaged in similar conduct would be facing the possibility of a forced merger or even closure due to its damaged reputation even though it could facilitate only a fraction of the damage caused by HSBC.  I have argued that all credit unions must make a good faith effort to comply with the BSA, but if this is the way the game is really going to be played, then it’s time we allow institutions below a certain size to be exempt from this requirement.

One final thought:  there is something wrong with a criminal justice system where homeless people selling small amounts of drugs on the street can face decades in jail for facilitating drug purchases and bank employees who facilitate close to $1 trillion in drug operations get to show up for work the next day as if nothing happened.

TAG Lives (Barely. . .)

The TAG legislation sought by the banking industry that would have extended the insurance guarantee for non-interest bearing accounts died in the Senate yesterday when it failed to clear yet another procedural hurdle.  On a practical level, this means that the only way this bill could possibly be rehabilitated for consideration in the waning days of the lame duck session is if it were combined with the credit union MBL proposal.  But this is still a real long shot and even if that happened it would still have to get through the House before the clock runs out on Congress.

CFPB to Approve Individual Waivers

I will write more about this in a future blog, but the CFPB is proposing granting individual waivers to credit unions and banks that want to test alternative disclosures which can more effectively meet the obligations of federal disclosure requirements.  You will have 60 days to comment on the proposal once it is published in the Federal Register.

December 14, 2012 at 7:27 am 2 comments

Too Big To Comply?

When my kids get old enough and they tell me that something is not fair, I can hardly wait to tell them “life’s not fair, get over it.”  Still, there are times when the inequity becomes so blatant, that it is impossible to ignore.

The latest example of this is the disclosure that HSBC has systematically ignored its most basic requirements to have adequate Anti Money Laundering programs and comply with OFAC. For years I’ve been wondering how a bank as large as HSBC, with affiliates in more than 80 countries and responsible for handling billions of dollars in transactions each day complies with these crucial regulations.  Now I know the answer…they don’t.

 According to a Senate report released yesterday, HSBC’s compliance efforts were so lax that it became a conduit for the Mexican drug cartel; was used by the Iranians to circumvent OFAC sanctions and may have even been used to help finance terrorists. 

 You would think that large multi-nationals are precisely the types of companies that regulators would most closely scrutinize when it comes to the implementation of regulations designed to protect our national security.  But the OCC’s oversight was, to put it nicely, lax.  Yesterday HSBC’s top compliance officer stepped down. I was afraid he was going to lay on a sword during the hearing, but from my reading of the report, no compliance officer would’ve been successful in an environment in which compliance was understaffed and ignored.  Compliance starts at the top. 

 What the HSBC hearing demonstrates again is that some banks are too big to be forced to comply and they know it. They remind me of Alex Rodriguez apologizing for taking steroids but not offering to give back any of the money he made by cheating.

 In a worst-case scenario banks know that they will get hit with a large fine or maybe even a deferred prosecution, promise not to do it again, put new policies and procedures in place and go about their business in much the same way.  In contrast, we all know of credit unions that have been threatened with extinction for failing to comply with Bank Secrecy Act requirements. 

 As I commented last week, I don’t believe that small credit unions should get a pass from compliance simply because of their size.  But large financial institutions shouldn’t be able to ignore regulations which might cost them clients.  If regulators and policymakers are serious about making sure that financial institutions of all shapes and sizes comply with regulations, then it is time to see fines imposed that are proportionate to the bank’s balance sheet and perhaps see people go to jail when they choose to ignore the law.

 As long as this doesn’t happen, the joke is on people like me who foolishly believe that everyone should have to comply with the law.

July 18, 2012 at 7:05 am 2 comments


Authored By:

Henry Meier, Esq., Senior Vice President, General Counsel, New York Credit Union Association.

The views Henry expresses are Henry’s alone and do not necessarily reflect the views of the Association. In addition, although Henry strives to give his readers useful and accurate information on a broad range of subjects, many of which involve legal disputes, his views are not a substitute for legal advice from retained counsel.
