Top Story Operations Related

The Financial Crimes Enforcement Network (FinCEN) recently published [90 FR 5629, 1/17/2025] a final rule to reflect inflation adjustments to its civil money penalties (those within the jurisdiction of FinCEN). The increased maximum penalties listed became effective on January 17, 2025. The current maximum penalties can be found in FinCEN's regulations at 31 C.F.R. § 1010.821.

The NCUA has released a research note that provides an analysis of statistics for overdraft and non-sufficient funds fees, and observations on the relationship between overdraft and non-sufficient funds fees and other revenues.

The Note highlights two observations:

• Credit unions with higher combined overdraft and NSF fees per member do not seem to have lower fees per member for other services
• Credit unions with higher combined overdraft and NSF fee revenues do not seem to be using those fees to “subsidize” better interest rates

The NCUA’s Office of the Chief Economist will continue to analyze evolving trends in overdraft and NSF fees revenue as additional data become available.

The FDIC announced on Friday that the Pulaski Savings Bank of Chicago, Illinois, was closed by the Illinois Department of Financial and Professional Regulation (IDFPR) due its unsafe and unsound condition and an impaired capital position. The IDFPR appointed the FDIC as receiver. To protect depositors, the FDIC entered into a purchase and assumption agreement with Millennium Bank of Des Plaines, Illinois, to assume all deposits of Pulaski Savings Bank.

The FDIC preliminarily estimates that the failure will cost its Deposit Insurance Fund (DIF) about $28.5 million. The estimate will change over time as assets are sold. Suspected fraud caused the higher estimated cost to the DIF.

The Office of the Comptroller of the Currency has issued its January 2025 announcement of enforcement actions. Included were:

• The previously announced Cease and Desist Order against Bank of America, N.A., for violations and unsafe or unsound practices related to the bank's BSA/AML and sanctions compliance programs
• The previously announced Order of Prohibition and Order for Civil Money Penalty against Claudia Russ Anderson and Orders to Cease and Desist and Orders for Civil Money Penalty against David Julian and Paul McLinko, all former executives at Wells Fargo Bank, N.A.
• An Order of Prohibition against Brian Hernandez, a former financial services representative at a Queens, New York, branch of TD Bank, N.A., Wilmington, Delaware, for accessing the accounts of two elderly bank customers and making unauthorized ATM withdrawals totaling at least $187,000
• An Order of Prohibition against De'Anna Herrell, a former teller at and Atlanta, Georgia, branch of Wells Fargo Bank, N.A., Sioux Falls, South Dakota, for cashing a series of checks that she knew or had reason to know were fraudulent, resulting in a loss of at least $117,000 to the bank
• An Order of Prohibition against Cassandra Meadows, a former lead customer service representative at a Plainfield, Indiana, branch of Fifth Third Bank, N.A., Cincinnati, Ohio, for misappropriating at least $15,000 from the bank’s vault and the accounts of three bank customers, including an elderly customer’s account
• An Order of Prohibition against Nakyra Singletary, a former customer service and support representative at PNC Bank, N.A., Wilmington, Delaware, for providing confidential bank customer information to a third-party not employed by the bank, resulting in the misuse of customer information, fraud against bank customers, and a loss of at least $47,000 to the bank
• An Order of Prohibition and Cease and Desist Order against David Wu, a former loan officer at Sterling Bank and Trust, FSB, Southfield, Michigan, and current mortgage broker. While employed as a loan officer at Sterling, Wu did not disclose that he originated loans for clients of his closely held mortgage brokerage company. As a mortgage broker, Wu also used fraudulent means, including making false statements, concealing or otherwise not disclosing his role and fees, impersonating both applicants and their purported employers, and providing fraudulent or falsified documents, to cause Citizens Bank, N.A., Providence, Rhode Island, to originate mortgage loans for his clients and himself.

The OCC also updated its enforcement actions search tool to allow users to search for enforcement actions issued since 2012 by subject matter and to easily view subject matters covered in those actions. This update provides additional transparency into and search capability for the contents of the public enforcement action database.

The Federal Trade Commission has announced it has finalized changes to the Children’s Online Privacy Protection Rule to set new requirements around the collection, use and disclosure of children’s personal information and give parents new tools and protections to help them control what data is provided to third parties about their children.

The final rule requires parents to opt in to third-party advertising and includes other changes to address the emerging ways that consumers’ data is collected and used by companies, and particularly how children’s data is being shared and monetized.

The COPPA Rule, which first went into effect in 2000, requires certain websites and other online services to obtain verifiable parental consent before collecting, using or disclosing personal information from children under 13. It also provides other important rights for parents, including the right to require operators to delete personal information collected from their children, and imposes independent obligations on covered operators, for example with respect to data minimization and data retention.

The FTC's final rule makes several changes to the COPPA rule, including:

• Requiring opt-in consent for targeted advertising and other disclosures to third parties
• Limits on data retention
• Increasing Safe Harbor programs' transparency
• Amendments to several definitions, including expanding the definition of personal information to include biometric identifiers as well as government-issued identifiers

The final rule will become effective 60 days of its publication in the Federal Register. Compliance will be mandatory one year after publication.

The CFPB has updated its Electronic Fund Transfer FAQs. New Transactions Coverage question 6 asks whether the compulsory use prohibition applies to tips, and is directed to employers whose employees receive compensation in the form of tips or gratuities. After explaining its reasoning, the CFPB's answer is "... employers are prohibited by EFTA and Regulation E from requiring workers to establish an account with a particular financial institution to receive tips."

The CFPB on Thursday announced it has ordered Block, Inc., the operator of the peer-to-peer payments app Cash App, to refund and pay other redress to consumers up to $120 million and pay a penalty of $55 million into the CFPB’s victims relief fund. The Bureau found that Block employed weak security protocols for Cash App and put its users at risk. While Block is required by law to investigate and resolve disputes about unauthorized transactions, the company’s investigations were woefully incomplete. Block directed users — who had suffered financial losses as a result of fraud — to ask their bank to attempt to reverse transactions, which Block would subsequently deny. Block also deployed a range of tactics to suppress Cash App users from seeking help, reducing its own costs.

Specifically, the CFPB found that Block:

• Failed to provide effective customer service for Cash App, including by failing to provide live telephone agents, which prevented consumers from being able to have their financial issues addressed in a proper and timely fashion and resulted in fake customer service lines through which consumers’ information would be stolen, in a manner that was unfair in violation of the Consumer Financial Protection Act of 2010 (CFPA).
• Failed to take timely, appropriate, and effective measures to prevent, detect, limit, and address fraud on the Cash App platform in a manner that was unfair in violation of the CFPA.
• Used the card network chargeback process as a substitute for fulfilling its obligations under the Electronic Fund Transfer Act (EFTA) and Regulation E to investigate and resolve disputes about unauthorized transactions in a timely manner in violation of the CFPA’s prohibition on unfair practices.
• Engaged in deception by misrepresenting that it protected consumers from unauthorized transfers and had a telephone line to report such unauthorized transfers.
• Failed to comply in multiple ways with the requirements of EFTA and Regulation E, including regarding error resolution.

The Federal Trade Commission has reported it will require web hosting company GoDaddy Inc and GoDaddy.com, LLC to implement a robust information security program to settle charges that the company failed to secure its website-hosting services against attacks that could harm its customers and visitors to the customers’ websites.

The FTC alleges in its complaint that, since 2018, GoDaddy has failed to implement reasonable and appropriate security measures to protect and monitor its website-hosting environments for security threats, and misled customers about the extent of its data security protections on its website hosting services. GoDaddy’s unreasonable security practices include failing to: inventory and manage assets and software updates; assess risks to its shared hosting services; adequately log and monitor security-related events in the hosting environment; and segment its shared hosting from less-secure environments, according to the complaint. The Commission says that GoDaddy’s data-security failures resulted in several major security breaches between 2019 and 2022 in which bad actors gained unauthorized access to customers’ websites and data.

In its proposed settlement order, the FTC will:

The Pennsylvania Department of Banking and Securities (DOBS) yesterday announced that it has joined 47 other state financial regulatory agencies in coordinated action against Block, Inc., owner of the CashApp mobile payment service, for violations of the Bank Secrecy Act (BSA) and anti-money laundering (AML) laws which are designed to protect the financial system from illicit activity. The enforcement action includes a multistate settlement in which Block has agreed to pay an $80 million penalty, with approximately $1.6 million allocated to each of the 48 participating state regulators. State regulators found that Block failed to meet certain requirements, which created the potential for its services to be exploited for money laundering, terrorism financing, and other illegal activities.

As part of the settlement, Block will hire an independent consultant to assess the effectiveness of its BSA/AML program and provide a report to the states within nine months. Block will then have 12 months to correct any deficiencies identified in the review. The enforcement effort, led by state regulators in Arkansas, California, Massachusetts, Florida, Maine, Texas, and Washington, was coordinated with Block’s cooperation throughout the process.

OFAC has posted a Notice of Recent Actions, including President Biden's signing of two Executive Orders, "Taking Additional Steps with Respect to the Situation in Syria" and "Strengthening and Promoting Innovation in the Nation's Cybersecurity"; North Korea and Sudan designations, a Russia-related designation removal; and a Settlement Agreement between OFAC and Family International Realty LLC and an individual.

Settlement:
OFAC entered into a $1,076,923 settlement with a Miami, Florida-based natural U.S. person and their real estate company Family International Realty LLC regarding their potential civil liability for apparent violations of OFAC's Ukraine-/Russia-related sanctions. Between 2018 and 2023, Family International Realty and its owner engaged in a willful scheme to evade OFAC sanctions by concealing the property interest of two sanctioned Russian oligarchs in luxury condominiums and profiting from the rental and sale of the properties, thereby committing 73 apparent violations of Executive Order 13685. The settlement amount reflects OFAC's determination that the conduct at issue was egregious and was not voluntarily self-disclosed. For more information, see OFAC's Enforcement Release.

The Notice also included additions of four individuals and five entities to OFAC's SDN List, and one deletion. Refer to the Notice for these details.