Top Story Security Related

The CFPB yesterday announced it has finalized a rule outlining the qualifications for becoming a recognized industry standard setting body that can issue standards that companies can use to help them comply with the CFPB’s upcoming Personal Financial Data Rights Rule. The new rule identifies the attributes that standard setting bodies must demonstrate in order to be recognized by the CFPB. The rule also includes a step-by-step guide for how standard setters can apply for recognition and how the CFPB will evaluate applications.

The CFPB is working to accelerate the shift to open banking in the United States. In 2010, Congress passed into law new personal financial data rights for consumers. Guaranteeing a consumer’s right to their data will open up more opportunities for smaller financial institutions and startups offering products and services. However, these new rights have not taken full effect, because the CFPB never issued a rule. In October 2023, the CFPB proposed a rule to implement these rights and will finalize it in the coming months.

As part of the upcoming Personal Financial Data Rights rule, the CFPB expects to allow companies to use technical standards developed by standard-setting organizations recognized by the CFPB. The final rule announced yesterday kicks off the process for standard-setting organizations to seek formal recognition. It also includes a mechanism for the CFPB to revoke the recognition of standard setters and a maximum recognition duration of five years, after which recognized standard setters will have to apply for re-recognition. These protections will ensure recognized standard setters’ ongoing adherence to the attributes codified in the rule.

UPDATE 6/11/2024: The final rule was published at 89 FR 49084 in the Federal Register on 6/11/2024. It will become effective July 11, 2024.

The NCUA has announced it issued four consent prohibition orders in May 2024. The individuals named below are permanently prohibited from participating in the affairs of any federally insured depository institution.

• Arneta Davis, a former member service representative of Dow Great Western Credit Union in Antioch, California; the NCUA Board found that she had stolen tens of thousands of dollars from credit union member accounts, defrauding the CU of over $40,000.
• Eric Stash, a former teller, loan officer, and branch manager of San Juan Credit Union in Blanding, Utah, for stealing over $294,000 in cash from the branch's vault and altering internal records.
• Britnee Maree Starling, a former member services representative/teller at AltaOne Federal Credit Union in Ridgecrest, California, for increasing her VISA credit card's cash advance limit from $1,000 to $100,000 and obtaining cash advances against the card of $96,950.
• Tina L. Torres, a former manager of Valley Agricultural Federal Credit Union in Santa Paula, California, for embezzling funds from the credit union by initiating unauthorized wire transfers and falsely reporting that the credit union held greater assets than it possessed, causing the credit union significant losses. Torres subsequently pleaded guilty to four counts of grand theft, two counts of forgery, and four counts of grand theft/embezzlement.

An order of prohibition bars a party from ever working for a federally insurance depository institution.

On Friday, the Treasury Department reported that OFAC has targeted four entities associated with OFAC-designated Rayan Roshd Afzar Company that have procured critical parts for Iran’s unmanned aerial vehicle (UAV) program. Additionally, OFAC is targeting an Iranian executive of Iran Aviation Industries Organization, a subsidiary of Iran’s Ministry of Defense and Armed Forces Logistics that oversees UAV manufacturers Iran Aircraft Manufacturing Industrial Company and Qods Aviation Industries.

For the names and identification information of the designated parties, see the May 31, 2024, BankersOnline OFAC Update.

The FDIC has issued a list of nine enforcement decisions and orders issued in April 2024.

• An order to pay a $13,000 civil money penalty for flood insurance rules violations was issued to CNB Bank, Carlsbad, New Mexico
• Consent orders were issued to —
  • Spring Valley Bank, Wyoming, Ohio
  • Tioga-Franklin Savings Bank, Philadelphia, Pennsylvania
  • Commodore Bank, Somerset, Ohio
  • The First Bank and Trust Company of Murphysboro, Murphysboro, Illinois (Corrected order)
• A notice of intention to prohibit and notice of charges for an order of restitution and assessment of a civil money penalty was issued to Derrick Alan Smith, formerly a community banking branch banker at Branch Banking and Trust Company (now known as Truist Bank), Charlotte, North Carolina
• An order of prohibition assessing a $7,000 civil money penalty was issued to Cody Kietzman formerly employed by The Frederick Community Bank, Paxton, Illinois
• An order of prohibition was issued to David P. Ritter formerly employed by Summit Community Bank, Inc., Moorefield, West Virginia
• An order approving the termination of FDIC insurance was issued to Interstate Federal Savings and Loan Association of McGregor, McGregor, Iowa

The Treasury Department has announced that OFAC has sanctioned two companies that are linked to the Private Military Company “Wagner” (Wagner Group). Mining Industries SARLU and Logistique Economique Etrangere SARLU were designated pursuant to Executive Order (E.O.) 14024 for enabling Wagner Group security operations and Wagner Group-linked illicit mining endeavors in the Central African Republic (CAR).

For the identification information of the designated parties, see the May 30, 2024, BankersOnline OFAC Update.

The Treasury Department yesterday announced it has published a 2024 Non-fungible Token (NFT) Illicit Finance Risk Assessment. The risk assessment explores how vulnerabilities associated with NFTs and NFT platforms may be exploited by illicit actors for money laundering, terrorist financing, and proliferation financing.

The assessment finds that NFTs are highly susceptible to use in fraud and scams and are subject to theft. The report determines that illicit actors can use NFTs to launder proceeds from predicate crimes, often in combination with other methods to obfuscate the illicit source of proceeds of crime. It also found little evidence of the misuse of NFTs by terrorists or proliferators, in contrast to fraudsters, to date. The assessment finds that inadequate cybersecurity protections, challenges related to copyright and trademark protections, and the hype and fluctuating pricing of NFTs can enable criminals to perpetrate fraud and theft related to NFTs and NFT platforms. Moreover, some NFT firms and platforms lack appropriate controls to mitigate risks to market integrity and to combat money laundering and terrorist financing, and sanctions evasion. The assessment recognizes that mitigation measures, such as industry tools, law enforcement authorities, and analysis of public blockchain data, can partially mitigate such risks.

To address outstanding risks, the risk assessment recommends several U.S. government actions, including:

• Raising awareness within industry of existing obligations
• Continuing to enforce existing laws and regulations related to NFTs and NFT platforms; and
• Considering further application of regulations to NFTs and NFT platforms

The OCC has issued its Alert 2024-1 indicating that consumers have reported receiving various forms of fictitious correspondence via email, Google Chat, and the U.S. Postal Service related to up-front fee scams involving fictitious inheritance or beneficiary payouts. The notifications appear to be initiated by senior officials of the Office of the Comptroller of the Currency (OCC) regarding funds purportedly held by the OCC. Scam correspondence may include the names of other governmental agencies who are purportedly involved in the fake transaction.

In all instances, victims are initially contacted regarding funds being held on their behalf by the OCC and are asked to provide the scammers general personal information including name, address, and telephone number. Follow-up correspondence from the scammers includes requests for more specific personal information including, but not limited to Social Security number, bank account details, and copies of driver’s licenses and passports. Correspondence is generally poorly written with typographical and grammatical errors and may include instructions for the victim to pay thousands of dollars in required fees or taxes for the release of the supposedly held funds.

These scams not only involve the theft of victim funds, but also their identities. There are at least four known variations of this scam. Refer to the OCC's Alert for details and other information.

The Department of the Treasury announced yesterday that OFAC has designated three individuals, Yunhe Wang, Jingping Liu, and Yanni Zheng, for their activities associated with the malicious botnet tied to the residential proxy service known as 911 S5. OFAC also sanctioned three entities—Spicy Code Company Limited, Tulip Biz Pattaya Group Company Limited, and Lily Suites Company Limited—for being owned or controlled by Yunhe Wang.

For identity information on the designated individuals and entities, see the BankersOnline May 28, 2024, OFAC Update.

The Office of Foreign Assets Control (OFAC) has amended the Cuban Assets Control Regulations, 31 C.F.R. Part 515 (CACR) to further implement portions of the president’s foreign policy toward Cuba. Among other things, these amendments increase support for internet freedom for the Cuban people and independent Cuban private sector entrepreneurs by expanding authorizations for internet-based services and a range of financial transactions. The rule was published in the Federal Register and became effective today.

OFAC also issued six new, Cuba-related Frequently Asked Questions (FAQs 1174-1179) and amended eight Cuba-related Frequently Asked Questions (FAQs 732, 736, 745, 748, 757, 769, 770, and 785).

Acting Comptroller of the Currency Michael J. Hsu discussed recovery planning via livestream in remarks May 27 at the Entrepreneurship, Markets and Technology: Regulation's Challenges in a Changing World Conference in Zurich, Switzerland.

In his remarks, Mr. Hsu discussed the importance of recovery planning and how it can mitigate the too-big-to-fail problem. He highlighted the importance of recovery planning at large banks in the context of the bank failures in March 2023 and offered thoughts on expanding recovery planning guidelines to apply to banks with at least $100 billion in assets.