Top Story Compliance Related

The Department of the Treasury has announced it has sanctioned 275 individuals and entities involved in supplying Russia with advanced technology and equipment that it desperately needs to support its war machine. Yesterday’s action targets both individual actors and sprawling sanctions evasion networks across 17 jurisdictions, including India, the People’s Republic of China (PRC), Switzerland, Thailand, and Türkiye. In addition to disrupting global evasion networks, this action also targets domestic Russian importers and producers of key inputs and other materiel for Russia’s military-industrial base.

Treasury reported that the Department of State also targeted sanctions evasion and circumvention in multiple third countries, including several PRC-based companies exporting dual-use goods that fill critical gaps in Russia’s military-industrial base and entities and individuals in Belarus related to the Lukashenka regime’s support for Russia’s defense industry. State also targeted several senior Russian Ministry of Defense officials and defense companies and those supporting Russia’s future energy production and exports.

For the names and identification information of the designated parties, see yesterday’s BankersOnline OFAC Update.

The Federal Trade Commission on Friday announced a proposed stipulated settlement order against rideshare operator Lyft, Inc. that would require Lyft's claims about drivers’ pay to be based on typical earnings. Lyft has also agreed to back up with evidence any claims it makes about drivers’ pay, clearly notify drivers about the terms of its “earnings guarantee” offers, and pay a $2.1 million civil penalty.

The FDIC has released its list of enforcement actions issued in September 2024. Among the ten actions listed, there were four consent orders, four orders terminating consent orders, and two orders terminating deposit insurance.

The consent orders were issued to:

• Industry State Bank, Industry, TX (jointly issued with the Texas Department of Banking)
• Fayetteville Bank, Fayetteville, TX ((jointly issued with the Texas Department of Banking)
• Citizens State Bank, Buffalo, TX (jointly issued with the Texas Department of Banking)
• International Bank of Chicago, Chicago, IL (jointly issued with the Illinois Department of Financial and Professional Regulation Division of Banking)

The orders terminating deposit insurance were issued to:

• Algonquin State Bank, Algonquin, IL (not engaged in the business of receiving deposits other than trust funds)
• McHenry Savings Bank, McHenry, IL (not engaged in the business of receiving deposits other than trust funds)

Terminations of previous consent orders were issued to LifeSteps Bank & Trust, Union Springs, AL; International Bank of Chicago, Chicago, IL; Sainte Marie State Bank, Sainte Marie, IL; and KansasLand Bank, Quinter, KS.

The CFPB has issued Consumer Financial Protection Circular 2024-06, "Background Dossiers and Algorithmic Scores for Hiring, Promotion, and Other Employment Decisions," presenting the question: "Can an employer make employment decisions utilizing background dossiers, algorithmic scores, and other third-party consumer reports about workers without adhering to the Fair Credit Reporting Act (FCRA)?"

The guidance warns that companies using third-party consumer reports — including background dossiers and surveillance-based, “black box” AI or algorithmic scores about their workers — must follow FCRA rules. This means employers must obtain worker consent, provide transparency about data used in adverse decisions, and allow workers to dispute inaccurate information.

The Federal Reserve Board has announced the execution of a written agreement by and among U & I Financial Corp and UniBank (both of Lynnwood, Washington), the Federal Reserve Bank of San Francisco, and Washington Department of Financial Institutions (Tumwater, Washington) addressing certain deficiencies at UniBank, including deficiencies in the bank's consumer compliance risk management program.

Yesterday, FinCEN announced it has assessed a $900,000 civil money penalty against Sahara Dunes Casino, LP DBA Lake Elsinore Hotel and Casino (Lake Elsinore) for willful violations of the Bank Secrecy Act and its implementing regulations.

As part of its resolution with FinCEN, Lake Elsinore admitted to willful violations of the BSA, including failing to implement and maintain an effective AML program, failing to file currency transaction reports (CTRs) and suspicious activity reports (SARs), and certain recordkeeping failures. Lake Elsinore’s willful violations of the BSA, which continued for over four and a half years, resulted from decisions made by the card club’s management. In addition to the civil money penalty, Lake Elsinore will also be subject to an AML program review.

• Consent order

The CFPB yesterday announced action against Apple, Inc. ("Apple") and Goldman Sachs Bank USA ("Goldman Sachs") for customer service breakdowns and misrepresentations that impacted hundreds of thousands of Apple Card users. The CFPB found that:

• Apple failed to send tens of thousands of consumer disputes of Apple Card transactions to Goldman Sachs, and when Apple did send disputes to Goldman Sachs, the bank did not follow numerous federal requirements for investigating the disputes
• Apple and Goldman launched Apple Card despite third-party warnings to Goldman that the Apple Card disputes system was not ready due to technological issues
• These failures meant that consumers faced long waits to get money back for disputed charges, and some had incorrect negative information added to their credit reports

The CFPB is ordering Goldman Sachs to pay at least $19.8 million in redress and a $45 million civil money penalty, and Apple to pay a $25 million civil money penalty. The CFPB is also banning Goldman Sachs from launching a new credit card unless it can provide a credible plan that the product will actually comply with the law.

The CFPB also found that Apple and Goldman Sachs misled consumers about interest-free payment plans for Apple devices. Many customers thought they would automatically get interest-free monthly payments when buying Apple devices with their Apple Card. Instead, they were charged interest. In some cases, Apple did not even show the interest-free payment option on its website on certain browsers. Goldman Sachs also misled consumers about the application of some refunds, which led to consumers paying additional interest charges.

Goldman Sachs Group, Inc. (NYSE: GS), is one of the largest financial institutions in the world. It operates Goldman Sachs Bank USA, headquartered in New York City. Goldman Sachs primarily focuses on investment banking and investment management, not consumer finance. Apple Card was Goldman Sachs’s first significant experiment in credit card lending.

• Consent order against Goldman Sachs Bank USA
• Consent order against Apple, Inc.

FinCEN has announced it has issued alert FIN-2024-Alert003 to financial institutions to counter financing of Hizballah and its terrorist activities. The alert was issued to help financial institutions identify funding streams supporting the Iran-backed Lebanese militia and U.S.-designated Foreign Terrorist Organization (FTO) Lebanese Hizballah. This alert supplements the information related to Hizballah’s financing outlined in FinCEN’s 2024 Advisory on Iran-Backed Terrorist Organizations.

The Securities and Exchange Commission has announced charges against four current and former public companies – Unisys Corp., Avaya Holdings Corp., Check Point Software Technologies Ltd, and Mimecast Limited – with making materially misleading disclosures regarding cybersecurity risks and intrusions. The SEC also charged Unisys with disclosure controls and procedures violations. The companies agreed to pay the following civil penalties to settle the SEC’s charges:

• Unisys — $4 million
• Avaya — $1 million
• Check Point — $995,000
• Mimecast — $990,000

The charges against the four companies result from an investigation involving public companies potentially impacted by the compromise of SolarWinds’ Orion software and by other related activity. According to the SEC’s orders, Unisys, Avaya, and Check Point learned in 2020, and Mimecast learned in 2021, that the threat actor likely behind the SolarWinds Orion hack had accessed their systems without authorization, but each negligently minimized its cybersecurity incident in its public disclosures.

This morning, the CFPB announced it has finalized a rule designed to give consumers greater rights, privacy, and security over their personal financial data. The rule will require financial institutions, credit card issuers, and other financial providers to unlock an individual’s personal financial data and transfer it to another provider at the consumer’s request for free.

The Bureau said that consumers will be able to more easily switch to providers with superior rates and services, and, by fueling competition and consumer choice, the rule will help lower prices on loans and improve customer service across payments, credit, and banking markets. The rule also establishes strong privacy protections, requiring that personal financial data can only be used for the purposes requested by the consumer. It ensures that third parties cannot use consumer data for other purposes that benefit the third party, but that consumers do not want. It also helps move the industry away from “screen scraping,” a still common but risky practice that typically involves consumers providing their account passwords to third parties who use them to access data indiscriminately through online banking portals.

Compliance with the rule, which amends 12 CFR Part 1033, will be implemented in phases, with larger providers subject to the rule sooner than smaller ones. Financial firms will be required to comply based on their size; the largest institutions will have to comply by April 1, 2026, while the smallest covered institutions will have until April 1, 2030. Certain small banks and credit unions are not subject to this rule.

• Executive Summary of Rule