Top Story Security Related

01/22/2025

FinCEN CMP inflation adjustments

The Financial Crimes Enforcement Network (FinCEN) recently published [90 FR 5629, 1/17/2025] a final rule to reflect inflation adjustments to its civil money penalties (those within the jurisdiction of FinCEN). The increased maximum penalties listed became effective on January 17, 2025. The current maximum penalties can be found in FinCEN's regulations at 31 C.F.R. § 1010.821.

01/22/2025

TransUnion sub agrees not to seek contract with CFPB for 3 years

The CFPB has posted a Bureau Blog entry, "Holding Government Contractors Accountable for Wrongdoing," to announce that Argus Information and Advisory Services, a subsidiary of TransUnion, has agreed in writing that it will not seek any government contract with the Consumer Financial Protection Bureau for three years.

In March 2024, the Department of Justice took action against Argus to resolve claims that the company violated the False Claims Act and the Financial Institutions Reform, Recovery and Enforcement Act of 1989 (FIRREA), in connection with its access to and use of credit card data obtained pursuant to contracts with various federal regulators. The Department of Justice alleged that Argus ingested information in violation of its federal government contracts and improperly monetized it in its commercial business. Argus paid $37 million to resolve these allegations.

The CFPB was one of many federal financial regulators with a contractual arrangement with Argus. The CFPB notified the TransUnion affiliate that it was considering additional actions, and Argus has now committed to the CFPB that it will not seek any contracts for three years.

01/21/2025

FBI alert on charitable fraud

The FBI has issued a public service announcement alert [I-011625-PSA] to warn the public that scammers exploit mass casualty events and disasters, such as the New Year's Day terrorist attack in New Orleans and the ongoing wildfires in Los Angeles, to commit fraud by soliciting fake charitable donations to support victims or their families.

Scammers take advantage of catastrophic incidents — such as mass casualty events, terrorist attacks, war, natural disasters, or pandemics — to pose as charitable entities providing humanitarian aid or developing fundraising efforts, including monetary and cryptocurrency donations. Charitable fraud schemes associated with natural disasters are a common occurrence online as well as through in-person collection drives.

01/17/2025

FTC finalizes changes to COPPA rule

The Federal Trade Commission has announced it has finalized changes to the Children’s Online Privacy Protection Rule to set new requirements around the collection, use and disclosure of children’s personal information and give parents new tools and protections to help them control what data is provided to third parties about their children.

The final rule requires parents to opt in to third-party advertising and includes other changes to address the emerging ways that consumers’ data is collected and used by companies, and particularly how children’s data is being shared and monetized.

The COPPA Rule, which first went into effect in 2000, requires certain websites and other online services to obtain verifiable parental consent before collecting, using or disclosing personal information from children under 13. It also provides other important rights for parents, including the right to require operators to delete personal information collected from their children, and imposes independent obligations on covered operators, for example with respect to data minimization and data retention.

The FTC's final rule makes several changes to the COPPA rule, including:

  • Requiring opt-in consent for targeted advertising and other disclosures to third parties
  • Limits on data retention
  • Increasing Safe Harbor programs' transparency
  • Amendments to several definitions, including expanding the definition of personal information to include biometric identifiers as well as government-issued identifiers

The final rule will become effective 60 days after its publication in the Federal Register. Compliance will be mandatory one year after publication.

01/16/2025

FTC requires GoDaddy to beef up security

The Federal Trade Commission has reported it will require web hosting company GoDaddy Inc and GoDaddy.com, LLC to implement a robust information security program to settle charges that the company failed to secure its website-hosting services against attacks that could harm its customers and visitors to the customers’ websites.

The FTC alleges in its complaint that, since 2018, GoDaddy has failed to implement reasonable and appropriate security measures to protect and monitor its website-hosting environments for security threats, and misled customers about the extent of its data security protections on its website hosting services. GoDaddy’s unreasonable security practices include failing to: inventory and manage assets and software updates; assess risks to its shared hosting services; adequately log and monitor security-related events in the hosting environment; and segment its shared hosting from less-secure environments, according to the complaint. The Commission says that GoDaddy’s data-security failures resulted in several major security breaches between 2019 and 2022 in which bad actors gained unauthorized access to customers’ websites and data.

In its proposed settlement order, the FTC will:

  • Prohibit GoDaddy from making misrepresentations about its security and the extent to which it complies with any privacy or security program sponsored by a government, self-regulatory, or standard-setting organization, including the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks;
  • Require GoDaddy to establish and implement a comprehensive information-security program that protects the security, confidentiality, and integrity of its website-hosting services; and
  • Mandate that GoDaddy hire an independent third-party assessor who conducts an initial and biennial review of its information-security program.

01/16/2025

CashApp owner settles multi-state suit for $80M

The Pennsylvania Department of Banking and Securities (DOBS) yesterday announced that it has joined 47 other state financial regulatory agencies in coordinated action against Block, Inc., owner of the CashApp mobile payment service, for violations of the Bank Secrecy Act (BSA) and anti-money laundering (AML) laws which are designed to protect the financial system from illicit activity. The enforcement action includes a multistate settlement in which Block has agreed to pay an $80 million penalty, with approximately $1.6 million allocated to each of the 48 participating state regulators. State regulators found that Block failed to meet certain requirements, which created the potential for its services to be exploited for money laundering, terrorism financing, and other illegal activities.

As part of the settlement, Block will hire an independent consultant to assess the effectiveness of its BSA/AML program and provide a report to the states within nine months. Block will then have 12 months to correct any deficiencies identified in the review. The enforcement effort, led by state regulators in Arkansas, California, Massachusetts, Florida, Maine, Texas, and Washington, was coordinated with Block’s cooperation throughout the process.

01/16/2025

Syria-related and Cyber-related EOs; SDN List update; OFAC Settlement

OFAC has posted a Notice of Recent Actions, including President Biden's signing of two Executive Orders, "Taking Additional Steps with Respect to the Situation in Syria" and "Strengthening and Promoting Innovation in the Nation's Cybersecurity"; North Korea and Sudan designations, a Russia-related designation removal; and a Settlement Agreement between OFAC and Family International Realty LLC and an individual.

Settlement:
OFAC entered into a $1,076,923 settlement with a Miami, Florida-based natural U.S. person and their real estate company Family International Realty LLC regarding their potential civil liability for apparent violations of OFAC's Ukraine-/Russia-related sanctions. Between 2018 and 2023, Family International Realty and its owner engaged in a willful scheme to evade OFAC sanctions by concealing the property interest of two sanctioned Russian oligarchs in luxury condominiums and profiting from the rental and sale of the properties, thereby committing 73 apparent violations of Executive Order 13685. The settlement amount reflects OFAC's determination that the conduct at issue was egregious and was not voluntarily self-disclosed. For more information, see OFAC's Enforcement Release.

The Notice also included additions of four individuals and five entities to OFAC's SDN List, and one deletion. Refer to the Notice for these details.

01/15/2025

Interagency statement on supervisory practices in wake of wildfires

The Federal Reserve Board, FDIC, OCC, NCUA and the California Department of Financial Protection and Innovation have issued a statement that they recognize the serious impact of the California wildfires and straight-line winds on the customers and operations of many financial institutions and will provide appropriate regulatory assistance to affected institutions subject to their supervision. The agencies encourage institutions operating in the affected areas to meet the financial services needs of their communities.

The statement addresses the subjects of temporary facilities, publishing requirements, regulatory reporting requirements, the Community Reinvestment Act, and investments, and provides links to the Interagency Supervisory Examiner Guidance for Institutions Affected by a Major Disaster.

01/13/2025

CFPB seeking input on digital payment privacy and consumer protections

The Consumer Financial Protection Bureau on Friday announced it is seeking public input on strengthening privacy protections and preventing harmful surveillance in digital payments, particularly those offered through large technology platforms. The agency is requesting comment on implementing existing financial privacy law and how to address intrusive data collection and personalized pricing. Comments will be accepted through April 11, 2025.

Additionally, the CFPB requested comments by March 31, 2025, on a proposed interpretive rule outlining how the Electronic Fund Transfer Act, which provides consumers with protections against errors and fraud, applies to new types of digital payment mechanisms, such as those currently offered through large technology companies and video gaming platforms, as well as stablecoins and other digital currencies that are not widely used today in consumer transactions. The Bureau also posted a Blog article requesting emailed comments by March 31, 2025, from electronic gamers and the general public on their experiences with video game currencies.

PUBLICATION UPDATES:

  • The proposed Regulation E interpretive rule was published at 90 FR 3723 in the 1/15/2025 Federal Register.
  • The request for information regarding collection, use, and monetization of consumer payment and other personal financial data was published at 90 FR 3804 on 1/15/2025.

01/13/2025

Treasury reports OFAC Russia-related and Venezuela sanctions actions

On Friday, the Treasury Department reported actions to fulfill the G7 commitment to reduce Russian revenues from energy, including blocking two major Russian oil producers. These actions also impose sanctions on an unprecedented number of oil-carrying vessels, many of which are part of the “shadow fleet,” opaque traders of Russian oil, Russia-based oilfield service providers, and Russian energy officials. The actions are underpinned by the issuance of a new determination that authorizes sanctions pursuant to Executive Order 14024 against persons operating or having operated in the energy sector of the Russian Federation economy. The Department of State also took steps to reduce Russia’s energy revenues by blocking two active liquefied natural gas projects, a large Russian oil project, and third-country entities supporting Russia’s energy exports. State also designated numerous Russia-based oilfield service providers and senior officials of State Atomic Energy Corporation Rosatom.

Treasury also reported that OFAC has sanctioned eight Venezuelan officials who lead key economic and security agencies enabling Nicolas Maduro’s repression and subversion of democracy in Venezuela. In addition, OFAC sanctioned high-level Venezuelan officials in the military and police who lead entities with roles in carrying out Maduro’s repression and human rights abuses against democratic actors.

For the names and identification information of the designated individuals, entities, and vessels, see this BankersOnline OFAC Update.
