Top Story Operations Related

The CFPB yesterday announced action against VyStar Credit Union for harming consumers through its botched rollout of a new online banking system. In May 2022, VyStar transitioned to a new, dysfunctional online banking platform that made it difficult for credit union members to perform basic banking functions for weeks, with some features unavailable for more than six months. Families incurred fees and costs as a result of these problems. The CFPB is ordering VyStar to ensure that all consumers are made whole. VyStar must also pay a $1.5 million civil penalty to the CFPB’s victims relief fund.

VyStar, formerly known as JAX Navy Federal Credit Union, is a Florida state-chartered credit union headquartered in Jacksonville with 70 branches in Florida and 10 branches in Georgia. VyStar is one of the largest credit unions in the country, with approximately $14.75 billion in total assets and over 980,000 members. In May 2022, VyStar attempted to launch a new virtual banking platform. VyStar anticipated banking services would be inaccessible for several days during the transition to the new platform, but it turned out to be much longer. The new system crashed upon launch because VyStar brought it online prematurely and failed to establish or follow critical processes to ensure its success. The platform was taken offline soon after launch. Upon bringing the system back online, the new platform lacked key banking services, some of which were not restored for months.

For further details, see “VyStar CU pays $1.5M for botched systems upgrades” in BankersOnline’s Penalties pages.

• NCUA Chairman Harper and Board Member Otsuka Statements on CFPB's VyStar Credit Union action

FinCEN has reported that the Financial Action Task Force (FATF), an intergovernmental body that establishes international standards for anti-money laundering, countering the financing of terrorism, and countering the financing of proliferation of weapons of mass destruction (AML/CFT/CPF), updated its lists of jurisdictions with strategic AML/CFT/CPF deficiencies at the conclusion of its plenary meeting this month. FinCEN said U.S. financial institutions should consider the FATF’s stance toward these jurisdictions when reviewing their obligations and risk-based policies, procedures, and practices.

On October 25, 2024, the FATF added Algeria, Angola, Côte d’Ivoire, and Lebanon to its list of Jurisdictions Under Increased Monitoring and also removed Senegal from the list.

The FATF’s list of High-Risk Jurisdictions Subject to a Call for Action remains the same, with Iran, the Democratic People’s Republic of Korea (DPRK), and Burma subject to calls for action. Iran and DPRK are still subject to the FATF’s countermeasures, while Burma is still subject to the application of enhanced due diligence, but not countermeasures

The Department of the Treasury has announced it has sanctioned 275 individuals and entities involved in supplying Russia with advanced technology and equipment that it desperately needs to support its war machine. Yesterday’s action targets both individual actors and sprawling sanctions evasion networks across 17 jurisdictions, including India, the People’s Republic of China (PRC), Switzerland, Thailand, and Türkiye. In addition to disrupting global evasion networks, this action also targets domestic Russian importers and producers of key inputs and other materiel for Russia’s military-industrial base.

Treasury reported that the Department of State also targeted sanctions evasion and circumvention in multiple third countries, including several PRC-based companies exporting dual-use goods that fill critical gaps in Russia’s military-industrial base and entities and individuals in Belarus related to the Lukashenka regime’s support for Russia’s defense industry. State also targeted several senior Russian Ministry of Defense officials and defense companies and those supporting Russia’s future energy production and exports.

For the names and identification information of the designated parties, see yesterday’s BankersOnline OFAC Update.

The Treasury Department has announced the release of the National Strategy for Financial Inclusion in the United States, which identifies objectives and recommendations for policymakers, industry, employers, and community organizations to advance consumer access to safe financial products and services and strengthen financial security. The Strategy was requested in 2023 by Congress and has been informed by Treasury’s research and engagement with experts, community leaders, industry representatives, and other federal agencies, including public input through a Request for Information.

Objectives and key recommendations of the Strategy include:

• Promote access to transaction accounts that meet consumer needs
• Increase access to safe and affordable credit
• Expand equitable access to savings and investments
• Improve the inclusivity of financial products and services provided or backed by the government
• Foster trust in the financial system by protecting consumers from illegal and predatory practices

Treasury invited all stakeholders to engage with this Strategy, to innovate, and to collaborate in creating a more inclusive financial landscape.

• Fact Sheet on the report and recommendations

The FDIC has released its list of enforcement actions issued in September 2024. Among the ten actions listed, there were four consent orders, four orders terminating consent orders, and two orders terminating deposit insurance.

The consent orders were issued to:

• Industry State Bank, Industry, TX (jointly issued with the Texas Department of Banking)
• Fayetteville Bank, Fayetteville, TX ((jointly issued with the Texas Department of Banking)
• Citizens State Bank, Buffalo, TX (jointly issued with the Texas Department of Banking)
• International Bank of Chicago, Chicago, IL (jointly issued with the Illinois Department of Financial and Professional Regulation Division of Banking)

The orders terminating deposit insurance were issued to:

• Algonquin State Bank, Algonquin, IL (not engaged in the business of receiving deposits other than trust funds)
• McHenry Savings Bank, McHenry, IL (not engaged in the business of receiving deposits other than trust funds)

Terminations of previous consent orders were issued to LifeSteps Bank & Trust, Union Springs, AL; International Bank of Chicago, Chicago, IL; Sainte Marie State Bank, Sainte Marie, IL; and KansasLand Bank, Quinter, KS.

The CFPB has issued Consumer Financial Protection Circular 2024-06, "Background Dossiers and Algorithmic Scores for Hiring, Promotion, and Other Employment Decisions," presenting the question: "Can an employer make employment decisions utilizing background dossiers, algorithmic scores, and other third-party consumer reports about workers without adhering to the Fair Credit Reporting Act (FCRA)?"

The guidance warns that companies using third-party consumer reports — including background dossiers and surveillance-based, “black box” AI or algorithmic scores about their workers — must follow FCRA rules. This means employers must obtain worker consent, provide transparency about data used in adverse decisions, and allow workers to dispute inaccurate information.

Yesterday, FinCEN announced it has assessed a $900,000 civil money penalty against Sahara Dunes Casino, LP DBA Lake Elsinore Hotel and Casino (Lake Elsinore) for willful violations of the Bank Secrecy Act and its implementing regulations.

As part of its resolution with FinCEN, Lake Elsinore admitted to willful violations of the BSA, including failing to implement and maintain an effective AML program, failing to file currency transaction reports (CTRs) and suspicious activity reports (SARs), and certain recordkeeping failures. Lake Elsinore’s willful violations of the BSA, which continued for over four and a half years, resulted from decisions made by the card club’s management. In addition to the civil money penalty, Lake Elsinore will also be subject to an AML program review.

• Consent order

FinCEN has announced it has issued alert FIN-2024-Alert003 to financial institutions to counter financing of Hizballah and its terrorist activities. The alert was issued to help financial institutions identify funding streams supporting the Iran-backed Lebanese militia and U.S.-designated Foreign Terrorist Organization (FTO) Lebanese Hizballah. This alert supplements the information related to Hizballah’s financing outlined in FinCEN’s 2024 Advisory on Iran-Backed Terrorist Organizations.

• The financial stability implications of tokenization
• The status report on the G20 Crypto-Asset Policy Implementation Roadmap
• A consultation on a common Format for Incident Reporting Exchange (FIRE)
• G20 Roadmap for Enhancing Cross-border Payments: Consolidated progress report for 2024

This morning, the CFPB announced it has finalized a rule designed to give consumers greater rights, privacy, and security over their personal financial data. The rule will require financial institutions, credit card issuers, and other financial providers to unlock an individual’s personal financial data and transfer it to another provider at the consumer’s request for free.

The Bureau said that consumers will be able to more easily switch to providers with superior rates and services, and, by fueling competition and consumer choice, the rule will help lower prices on loans and improve customer service across payments, credit, and banking markets. The rule also establishes strong privacy protections, requiring that personal financial data can only be used for the purposes requested by the consumer. It ensures that third parties cannot use consumer data for other purposes that benefit the third party, but that consumers do not want. It also helps move the industry away from “screen scraping,” a still common but risky practice that typically involves consumers providing their account passwords to third parties who use them to access data indiscriminately through online banking portals.

Compliance with the rule, which amends 12 CFR Part 1033, will be implemented in phases, with larger providers subject to the rule sooner than smaller ones. Financial firms will be required to comply based on their size; the largest institutions will have to comply by April 1, 2026, while the smallest covered institutions will have until April 1, 2030. Certain small banks and credit unions are not subject to this rule.

• Executive Summary of Rule