CFPB Update - Bank Short Term Loans "Payday" for Banks? CFPB Outlines Sweeping Proposal to Level the Playing Field Between Payday Lenders, Banks and Credit Unions

This post was written by Travis A. Sabalewski and Nicholas F.B. Smyth.

Direct from Richmond, Virginia: yesterday, I (Travis) visited the Greater Richmond Convention Center, where the Consumer Financial Protection Bureau (CFPB) announced at a field hearing a sweeping proposal for new rules regarding payday/deposit advance loans, auto title loans, and certain high-interest, longer-term loans. (A Fact Sheet summary is here.) After CFPB Director Richard Cordray outlined the CFPB’s proposal, the Bureau heard from, first, a panel of industry and consumer advocates and, then, members of the public. The hearing was packed and the audience ̶ comprised of payday lender employees, consumer advocates, and others ̶ lively, with one or another of those groups applauding after nearly every person’s turn at the microphone.

Click here to read the full issued Client Alert.

Schlumberger Faces More Than $232.7 Million in Penalties and Pleads Guilty to Criminal Charges for Violations of U.S. Sanctions

This post was written by Leigh T. Hansson and Hena M. Schommer.

On March 25, 2015, Schlumberger Oilfield Holdings, Ltd. (“SOHL”), a wholly owned subsidiary of Schlumberger Ltd., the world’s largest oil-field services company (collectively “Schlumberger”), agreed to plead guilty to criminal charges, enter into a plea agreement, and pay $232.7 million in penalties for willfully facilitating illegal transactions and engaging in trade with Iran and Sudan. The charges were brought under the International Emergency Economic Powers Act (“IEEPA”), 50 U.S.C. § 1705, which makes it a crime to willfully commit, attempt, or cause a violation of any regulations issued pursuant to IEEPA. In this case, charges included violations of the Iranian Transaction Regulations, now known as the Iranian Transactions and Sanctions Regulations, and the Sudanese Sanctions Regulations, both issued pursuant to IEEPA.

Though both SOHL and Schlumberger Ltd. are non-U.S. entities, the charges outline a series of activities between February 2004 through June 2010, undertaken by Drilling & Measurements (“D&M”), a Schlumberger business segment headquartered in Sugar Land, Texas.

D&M personnel in the United States facilitated transactions with Iran and Sudan, systematically violating U.S. sanctions when they:

  • Made and implemented business decisions and company processes specifically concerning Iran and Sudan
  • Provided technical services to troubleshoot mechanical failures and sustain oilfield drilling equipment in Iran and Sudan
  • Approved and disguised capital expenditure requests from Iran and Sudan for the manufacture of new tools
  • Directed the transfer of equipment from oilfields in non-embargoed countries to oilfields in Iran and Sudan

Schlumberger is now paying the price for its failure to ensure U.S. entity and personnel compliance with U.S. economic sanctions. While Schlumberger had policies and procedures in place designed to ensure U.S. based entities complied with U.S. sanctions, Schlumberger failed to train or monitor its employees adequately to ensure that all U.S. personnel, including non-U.S. citizens, fully understood and complied with Schlumberger’s policies and procedures.

While a risk-based approach to compliance is encouraged by U.S. regulators, compliance programs require not only thorough implementation, including personnel and management training, but also continuous monitoring and auditing to ensure compliance.

In addition to Schlumberger, there are now several recent examples, including the PayPal, Inc. settlement with OFAC this week, of companies paying a steep price for inconsistent or inadequate implementation of existing compliance programs, along with a lack of training, or monitoring of compliance.  

Continuation of Russian Sanctions

Since March 2014, Reed Smith has been closely monitoring developments relating to the situation in the Ukraine and reporting them as Client Alerts and blog updates. We have set out below a brief summary of the EU’s decision of 20 March 2015 to effectively leave in place the sanctions imposed last year against Russia.

Click here to read the full issued Client Alert.

Inadequate Screening Processes Result in $7.65 Million Settlement for Violations of Various U.S. Sanctions Programs

This post was written by Michael J. Lowell and Paula A. Salamoun.

On March 25, 2015, the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) and PayPal, Inc. (“PayPal”) agreed to a $7.65 million settlement to settle potential civil liability for 486 apparent violations of various financial sanctions. Between 2009 and 2013, PayPal, a digital payments processor, apparently processed hundreds of transactions in violation of multiple U.S. sanctions programs, including sanctions on Cuba, Iran, Sudan, the Weapons of Mass Destruction Proliferators Sanctions, and the Global Terrorism Sanctions. OFAC administers and enforces various U.S. sanctions programs against targeted countries, persons, organizations, and certain activities, such as terrorism.

According to the Settlement Agreement between OFAC and PayPal, PayPal apparently did not implement effective compliance procedures and processes to identify, interdict, and prevent transactions that would violate U.S. sanctions. PayPal had compliance procedures and processes for screening transactions, but these were ineffective because PayPal did not screen in-process transactions, and several of its employees failed to appropriately respond to a screening match. As a result of these lapses, the Settlement Agreement identified 486 transactions that appeared to violate U.S. sanctions. The total value of the alleged transactions in violation of the sanctions was approximately $44,000 – an average of just more than $90 per transaction. PayPal voluntarily disclosed these transactions to OFAC.

OFAC determined that a portion of the transactions were egregious and demonstrated reckless disregard for U.S. sanctions. Over a period of approximately four years, PayPal processed 136 transactions (totaling $7,091.77) involving an individual on the Specially Designated Nationals List (“SDN List”). OFAC noted that PayPal’s automated interdiction filter failed to match the account holder to the SDN List for a period of six months after the individual was added to the SDN List. OFAC has previously levied penalties where interdiction or screening processes do not identify SDNs at the time that they are added to the SDN List (see, e.g., settlement between OFAC and GEICO announced June 3, 2010). After the interdiction software flagged the SDN on six separate occasions, multiple PayPal employees apparently failed to follow company procedures and cleared the flags to allow the transactions to go forward, which the Settlement Agreement described as “particularly reckless.”

This enforcement action illustrates several important points for compliance:

First, the existence of a sanctions compliance program is not sufficient to avoid penalties if it does not work. In particular, a screening or interdiction program to flag potential blocked persons will not minimize sanctions risks if the people that receive those screening alerts do not appropriately respond. It is critical that all screening compliance programs have clear lines of responsibility for resolving or escalating potential matches, and that those programs are audited to ensure that they work.

Second, although OFAC expressly recognizes the need for risk-based compliance programs, low-value transactions do not necessarily mean low risk for violations or penalties resulting from those violations. According to the figures referenced in the Settlement Agreement, the average transaction that was in violation of the sanctions was approximately $90. A review of prior OFAC enforcement actions would provide additional examples of low-value transactions resulting in large monetary fines.

Third, OFAC’s enforcement actions demonstrate value for voluntarily disclosing violations and implementing remedial compliance measures, as PayPal apparently did in this case. With 486 apparent violations, the $7.65 million settlement is far below the high-end potential penalties. Further, the Settlement Agreement requires PayPal to provide only a presentation in six months summarizing policies and procedures as they relate to screening transactions and customers, rather than more intrusive oversight by OFAC through an outside monitor or mandatory audits.

Bank Settles Criminal Bank Secrecy Act and Civil Fraud Charges Arising from Its Inadequate Anti-Money Laundering Program

This post was written by Bethany R. Brown and Kathleen A. Nandan.

On March 10, 2015, the U.S. Department of Justice (“DOJ”) announced a $4.9 million settlement of criminal and civil charges against CommerceWest Bank (“CommerceWest” or the “Bank”) brought pursuant to the Bank Secrecy Act (“BSA”), the Financial Institutions Reform, Recovery and Enforcement Act (“FIRREA”), and the Fraud Injunction Statute. The government alleged that, between December 2011 and July 2013, the Irvine, California-based Bank willfully facilitated consumer fraud by failing to report the suspicious activities of V Internet Corp. LLC (“V Internet”), a Las Vegas-based, third-party payment processor that maintained accounts with CommerceWest.

The CommerceWest settlement is the second case – and the first criminal action – arising from DOJ’s Operation Choke Point, an initiative first disclosed in March 2013 that aims to prevent fraudsters from accessing consumer bank accounts by choking off their access to the payments system. Under Operation Choke Point, DOJ targets banks’ business relationships with companies believed to be at higher risk for fraud and money laundering, including payment processors and payday lenders. The settlement is also notable for its use of the criminal provisions of the BSA, the civil money penalty provisions of FIRREA, and the injunctive provisions of the Fraud Injunction Statute to extract monetary penalties and impose injunctive relief upon a financial institution whose allegedly lax anti-money laundering program allowed a fraud to flourish.

The BSA requires financial institutions to establish and implement policies to detect and prevent money laundering. One of the BSA’s specific mandates is that banks file Suspicious Activity Reports (“SARs”) regarding, among other things, “any suspicious transaction relevant to a possible violation of law or regulation.” FIRREA authorizes the government to seek civil money penalties against those who have violated certain criminal statutes that affect financial institutions, and the Fraud Injunction Statute authorizes the government to file a civil action to enjoin banking law violations and to freeze assets traceable to those violations.

V Internet processed transactions for merchants that created demand drafts to withdraw money from consumers’ bank accounts without authorization. A demand draft (also called a remotely created check or remotely created payment order) is a check created by a third party using an account holder’s name and bank account information that contains a statement claiming that the account holder has authorized the check in lieu of the account holder’s signature. During the 15 month period addressed in the settlement, CommerceWest accepted more than 1.3 million demand drafts depositing more than $45 million from V Internet.

The government alleged that CommerceWest facilitated V Internet’s fraudulent scheme by failing to file SARs, despite numerous red flags pertaining to the transactions. These red flags included the reversal or “return” of about 50 percent of the demand drafts by the consumers’ banks for a variety of reasons, CommerceWest’s inability to obtain evidence that the processor processed legitimate transactions, and letters and calls from several other banks complaining of fraud and warning CommerceWest that the demand drafts were unauthorized. In response to the consumers’ banks’ communications, CommerceWest blocked demand drafts destined for the complaining banks, but allowed V Internet to continue charging to other banks.

To settle the criminal and civil charges, CommerceWest agreed: (1) to pay a $1 million civil penalty and an additional $1 million in lieu of administrative forfeiture; and (2) not to assert a claim to the approximately $2.9 million seized from V Internet’s accounts at the Bank. In addition, CommerceWest agreed to cooperate with the government’s investigation and consented to the entry of a permanent injunction requiring it to perform due diligence on third-party payment processors, and to implement fraud detection, compliance monitoring and reporting, and recordkeeping programs in compliance with the BSA. This settlement reflects coordination among various components of the DOJ, and this multi-pronged civil and criminal approach may well be used as a template for other enforcement actions.

Reed Smith's Government Contracts Weekly Rundown

This post was written by Nkechi A. Kanu.

Here is a rundown of last week’s top developments related to government contracts to get you back on track and ready for Monday.

1. DOWNLOADING OS DOES NOT “SUBSTANTIALLY TRANSFORM” LAPTOP

U.S. Customs and Border Protection issued a final determination, finding that downloading an operating system into a laptop that was manufactured and assembled in a non-TAA-designated country was not enough to change the computer's country of origin for purposes of U.S. government procurement.

2. U.S. MUST REPAY PAYMENTS GIVEN TO UNAUTHORIZED AGENT OF CONTRACTOR

The Armed Services Board of Contract Appeals ruled that the United States must repay an Afghan contractor for cash payments that were stolen after the Army gave them to an unauthorized apparent agent of the company. Appeal of Seven Seas Shipchandlers, LLC. 

3. OFPP INTRODUCES NEW TOOL FOR RATING ACQUISITIONS

The Office of Federal Procurement Policy issued guidance last week for Acquisition 360, a feedback tool to help OFPP and agencies evaluate and improve their acquisition procedures from pre-award activities to contract award and debriefings.

4. EXEC ORDER – PLANNING FOR FEDERAL SUSTAINABILITY

President Obama signed an executive order Thursday that requires federal agencies to cut their greenhouse gas emissions by 40 percent by 2025, and introduces expanded and updated federal environmental performance goals to help cut greenhouse gas emissions across the government and the federal supply chain.

5. GSA – NOTICE OF CLASS DEVIATION

The Office of Acquisition Policy is requesting feedback on a proposed class deviation to the Federal Acquisition Regulation (FAR) and the General Services Acquisition Regulation (GSAR) to address common Commercial Supplier Agreement terms that are inconsistent with or create ambiguity with federal law.

Update: Proposed Settlement in Target Data Breach Litigation

This post was written by Paul Bond, Lisa Kim, and Christine Czuprynski.

The proposed settlement agreement in the Target data breach consumer litigation that we reported on on March 19, 2015 has been approved by the judge, and a final approval hearing set for November 10, 2015. Based on this order, class members should start to receive notice of the settlement within 45 days of yesterday’s order.

Proposed Settlement in Target Data Breach Litigation

This post was written by Paul Bond, Lisa Kim, and Christine Czuprynski.

A proposed settlement has been reached in the multi-district consumer litigation Target faces following a data breach that compromised at least 40 million credit cards during the 2013 holiday shopping season. The settlement, which requires Target to pay $10 million into a settlement fund and adopt specific data security measures, still needs court approval.

If approved, class members who used credit or debit cards at Target stores between November 27, 2013, and December 18, 2013, will be eligible to receive up to $10,000 individually upon submitting a claim form seeking reimbursement for any costs associated with identity theft, unauthorized charges, and higher interest rates that resulted from unauthorized activity on credit accounts. Those class members who submit documentation of their losses will be paid first, and those class members without documentary evidence of losses are eligible to receive an equal share of whatever is remaining in the settlement fund.

As our colleague Mark Melodia noted, the settlement is unique not only because Target agrees to adopt data security protocols, but also because of the amount of attorneys’ fees. The attorneys for the class will seek fees in an amount not to exceed $6.75 million, which is on the high end of the historical range.

In late 2014, Target sought to dismiss the claims, but the court denied that motion and allowed the case to proceed. The preliminary approval hearing on the settlement was scheduled for Thursday morning in front of Judge Magnuson.

Enforced subject access requests now a criminal offence in the UK

This post was written by Cynthia O’Donoghue and Katalina Bateman.

In September 2014 we reported on the UK’s intention to stamp out a practice commonly known as “enforced subject access requests”. This concerned the previously dormant section 56 of the UK Data Protection Act 1998 (‘DPA’), which, following an announcement from the Ministry of Justice, was implemented on March 10, 2015. Under this section, it is now a criminal offence for an entity to require an individual to submit a subject access request under section 7 of the DPA for his or her own protected personal data that the entity would otherwise be unable to access.

This will prevent employers from requiring a candidate or current employee to use his or her subject access rights under the DPA to obtain and then provide certain records to the employer as a condition of employment. By way of an example, this will affect those organisations that had been using enforced subject access requests submitted to the police to check individuals’ criminal and other protected records but choose not to use the established legal system.

Section 56 also has a second limb, affecting the provision of goods, services and facilities to the public. Under section 56 (2) a person concerned with the provision of goods, facilities or services to the public must not make the provision of goods and services conditional on an individual making a subject access request and providing their records. Since the restriction applies whether or not there is payment for the goods and services, this also affects volunteered services.

Going forward, if an organisation is interested in accessing criminal records, it will have to request a criminal records check. Bear in mind that once this information is processed, the organization will then be a data controller for sensitive personal data with all the compliance responsibilities found under the DPA.

The ICO recommends that if it is necessary to conduct a criminal records check, then detailed standard and enhanced checks can be done through the appropriate statutory procedures - the Disclosure and Barring Service in England and Wales, Disclosure Scotland in Scotland and Access Northern Ireland in Northern Ireland – which were formally known as ‘CRB checks.’

In England and Wales, committing an offence under section 56 of the DPA can carry an unlimited fine and the ICO has stated that it intends to actively prosecute those who continue to enforce subject access requests, to both protect individuals and encourage the use of the DBS. Further guidance on how not to fall foul of section 56 can be found in the ICO’s guide on enforced subject access.

Reed Smith's Government Contracts Weekly Rundown

This post was written by Nkechi A. Kanu.

1. COMMERCIAL CONTRACTING RULES APPLY TO FEDERAL SUPPLY SCHEDULES

On Tuesday, March 10, 2015, the Court of Appeals for the Federal Circuit reversed and remanded a decision by the Court of Federal Claims, which permitted the Centers for Medicare and Medicaid Services (“CMS”) to include contract clauses that deviated from federal government commercial contracting rules.

2. FEDERAL PROSECUTORS NET $2.3B IN HEALTH CARE FRAUD RECOVERY

According to a report released by law firm Bass Berry & Sims PLC, the federal government netted nearly $2.3 billion from recoveries under the False Claims Act related to federal healthcare programs.  

3. INFORMAL SOLICITATION OBJECTION DOESN’T PRESERVE STANDING

The Court of Federal Claims affirmed the dismissal of protests over two government contracts for federal offender rehabilitation services, finding that the protester did not have standing because it never submitted an acceptable bid and didn't formally protest the terms of the solicitations.

4. COMMENT PERIOD REOPENED FOR SBA RULE TO IMPLEMENT NDAA

The U.S. Small Business Administration (SBA) is reopening the comment period for a proposed rule that implements provisions of the National Defense Authorization Act (NDAA) of 2013, which pertains to performance requirements applicable to small business and socioeconomic program set aside contracts, small business subcontracting, the non-manufacturer rule and affiliation rules.

5. NASA ADOPTS CONTRACTOR WHISTLEBLOWER PROTECTIONS

NASA has adopted, without change, an interim rule amending the NASA FAR Supplement (NFS) to implement Contractor Whistleblower Protections.

French Supreme Administrative Court decision significantly broadens the scope of the French Sunshine Act

This post was written by Daniel Kadar. 

A decision of the French Supreme Administrative Court (Conseil d’Etat) dated 24 February 2015 has significantly broadened the scope of the French ‘Sunshine Act’:

  • Whereas initially health care companies were only obliged to disclose the existence of agreements with health care professionals (HCPs), they will now also be required to disclose the remuneration of French HCPs.
  • Companies which manufacture or market non-corrective contact lenses, cosmetic and tattoo products will have their transparency reporting duties aligned with the ones applicable to health care companies.

Further developments from the French authorities on this matter will need to be closely monitored, since they will probably bring significant changes to reporting requirements. In particular, the date of application of this new interpretation is key, since it could have a major impact on disclosure requirements for the remuneration of French HCPs.

Read more on this matter in our client alert.

Update on State Attorneys General: Connecticut Creates a Permanent Privacy Department; NAAG Covers Big Data, Cybersecurity, and Cloud Computing; and States Amend Breach Laws

This post was written by Divonne Smoyer and Christine N. Czuprynski.

The federal government may be pushing a cybersecurity and data privacy agenda, but that doesn’t mean that the states are taking a back seat. The state attorneys general are maintaining their focus on issues relating to privacy and data security and expanding the scope of that focus to address the ever-evolving nature of those issues.

On March 11, 2015, Connecticut Attorney General George Jepsen announced the creation of the Privacy and Data Security Department in his office that will be tasked with privacy and data security investigations and litigation. The attorney general, who created a privacy task force four years ago, hopes that the creation of this specialized department will solidify Connecticut’s role as a leader in this space. The attorney general is making the shift from a task force to a permanent department because the need for such a focus has not let up in the last four years, and shows no signs of doing so.

Privacy and data security are on the minds of the attorneys general as they come out of their most recent National Association of Attorneys General (NAAG) meetings and head into spring. The NAAG Southern Region Meeting, which concluded March 13, 2015, covered “Big Data – Challenges and Opportunities,” and included panels on data breach, cybersecurity, cloud computing and the proposal for a national data breach notification law.

NAAG President Mississippi Attorney General Jim Hood, whose presidential initiative for the 2014-15 year is “Protecting Our Digital Lives: New Challenges for Attorneys General,” will host the presidential initiative summit in mid-April in Biloxi, Mississippi. On the summit agenda: intellectual property theft, cloud computing, and digital currency.

In addition, state attorneys general are seeking to revise and expand upon existing data breach and privacy legislation. We have previously discussed the changes being considered in New York and Oregon. The Washington Attorney General is also pushing for changes to that state’s data breach notification law. Regulated entities can expect to continue to see a lot of action from the states on these issues. 

FCA raises concerns over structured products

This post was written by Chris Borg and Tom Webley.

The UK’s Financial Conduct Authority (FCA) has published its Occasional Paper No. 9, setting out the results of the FCA’s research into how well customers understood structured products. The answer, according to the report, is not very well. The report found that, while investors’ expectations of growth in the FTSE were in line with the FCA’s assumptions, investors overestimated the likely returns on structured products based on the same indices.

Click here to read the full issued Client Alert.

From 'Akzo' to 'Loi Macron': There is still no Legal Privilege for In-House Lawyers in France

This post was written by Daniel Kadar.

A significant difference between the French and U.S. and UK legal systems is in the understanding of legal privilege: it does not exist for in-house counsel in France. The French approach is in line with the 2010 Akzo decision, in which the Grand Chamber of the European Court of Justice (ECJ) ruled that the requirement of independence means the absence of any employment relationship between the lawyer and his client, so that legal professional privilege does not cover exchanges within a company or group with in-house lawyers.

Click here to read the full issued Client Alert.

French courts are competent to judge over a French Facebook user's complaint

This post was written by Daniel Kadar.

It is foreseeable that not many of Facebook’s millions of users every day have ever had a look at the social network’s Terms & Conditions.

Only the readers of the fine print may know that these Terms & Conditions provide that any claim related to Facebook must be resolved exclusively in the United States District Court for the Northern District of California or a state court located in San Mateo County, and that the law of the State of California must necessarily prevail without regards to conflict of law provisions. This provision is deemed to protect Facebook against the claims arising from foreign users. It has recently been challenged by French courts.

In a decision dated March 23, 2012, the Court of Appeal of Pau dismissed Facebook’s forum clause and found it unclear and difficult to read for users. On March 5, 2015, for the second time, the Paris Court of First Instance (Tribunal de Grande Instance) rejected Facebook’s challenge to its jurisdiction.

In this case, an art-lover schoolteacher had published on his wall a link to Gustave Courbet’s famous and provocative painting, “L’origine du monde,” representing a naked woman. Like many 19th century critics, Facebook found unacceptable the displaying of a nude body on its network and suspended the account. In 2011, after several unsuccessful requests asking for its reactivation, the schoolteacher and former Facebook user filed a lawsuit against the company for violation of his free speech rights. Facebook used its Terms & Conditions as a shield and challenged French courts’ jurisdiction. The clause was however declared null and void by the Paris Court of First Instance. Judges will now hear parties’ main arguments.

This approach is consistent with the French data protection authority’s (Commission Nationale de l’Informatique et des Libertés – CNIL) approach on jurisdiction: as soon as means for collecting, processing and transferring data are located in France, such as a computer or a tablet, the CNIL considers it has jurisdiction.

There is a clear trend now that the defense based on a jurisdiction clause becomes less and less efficient. As a result, compliance to local regulation becomes key.