Top Story Security Related

The CFPB has announced its recognition of Financial Data Exchange, Inc. (FDX) as a standard-setting body under the CFPB’s Personal Financial Data Rights rule. The order of recognition is the first to be issued under the rule. The Personal Financial Data Rights rule, which was released in October 2024, requires financial institutions, credit card issuers, and other financial providers to unlock an individual’s personal financial data and transfer it to another provider at the consumer’s request for free. The CFPB established a formal application process outlining the qualifications to become a recognized industry standard setting body, which can issue standards that companies can use to help them comply with the CFPB’s rule.

The CFPB's order of recognition, valid for five years, includes conditions, such as:

• A ban on "pay-to-play" and other conflicts of interest
• Mandatory reporting on market adoption
• Transparency and availability of standards

The CFPB also issued updated procedures for how companies can request special regulatory treatment, such as a no-action letter. The procedures seek to increase transparency and reduce favoritism for individual companies.

• Updated Policy Statement on No-Action Letters
• Updated Policy Statement on Compliance Assistance Sandbox Approvals

The OCC has issued a proclamation allowing national banks, federal savings associations, and federal branches and agencies of foreign banks to close offices in areas of California affected by wildfires.

In issuing the proclamation, the OCC expects that only those bank offices directly affected by potentially unsafe conditions will close. Those offices should make every effort to reopen as quickly as possible to address the banking needs of their customers.

• OCC news release, 1/8/2025

The Treasury Department yesterday issued two announcements of actions taken by its Office of Foreign Assets Control (OFAC):

• The sanctioning of Mohammad Hamdan Daglo Mousa (Hemedti), the leader of Sudan’s Rapid Support Forces (RSF), and seven companies and one individual linked to the RSF.
• The sanctioning of Antal Rogan, a senior Hungarian government official, for his involvement in corruption in Hungary. He was designated under the authority of Executive Order 13818, which builds upon and implements the Global Magnitsky Human Rights Accountability Act.

For more information on the designated individuals and entities, see yesterday's BankersOnline OFAC Update.

The CFPB yesterday sent an email reminder that the filing period fro HMDA data collected in 2024 opened on January 1, 2025, and submissions will be considered timely if received on or before Monday, March 3, 2025.

As of January 1, 2025, users logging into the HMDA Platform will need to login via Login.gov, which utilizes multifactor authentication (MFA). Users will no longer have the option to sign in using the existing process. To facilitate this change, a Quick Reference Guide and Frequently Asked Questions have been created to help users establish a Login.gov account. Users may only use business email addresses; accounts associated with a personal email domain will not be accepted.

Yesterday, OFAC issued Syria General License 24 to expand authorizations for activities and transactions in Syria following the end of Bashar al-Assad's oppressive regime on December 8, 2024. This action underscores the United States’ commitment to ensuring that U.S. sanctions do not impede activities to meet basic human needs, including the provision of public services or humanitarian assistance. This authorization is for six months, as the U.S. government continues to monitor the evolving situation on the ground.

For a link to the new General License and related new and revised FAQs, see yesterday's BankersOnline OFAC Update.

• U.S. Treasury Department press release

The Treasury Department has reported that OFAC has sanctioned Integrity Technology Group, Incorporated, a Beijing-based cybersecurity company, for its role in multiple computer intrusion incidents against U.S. victims. These incidents have been publicly attributed to Flax Typhoon, a Chinese malicious state-sponsored cyber group that has been active since at least 2021, often targeting organizations within U.S. critical infrastructure sectors.

Chinese malicious cyber actors continue to be one of the most active and most persistent threats to U.S. national security, as highlighted in the most recent Office of the Director of National Intelligence Annual Threat Assessment. These actors continue to target U.S. government systems as part of their efforts, including the recent targeting of Treasury’s own IT infrastructure.

For identification information on Integrity Technology, see the January 3, 2025, BankersOnline OFAC Update.

The National Credit Union Administration has announced it has permanently prohibited two individuals from participating in the affairs of any federally insured depository institution.

• Demetria Baker, former chief executive officer at Lynchberg Municipal Federal Employees Credit Union (LMFECU), Lynchburg, Virginia, was issued a prohibition order after a finding that she made a series of loans to herself and her son that were in violation of LMEFCU policies for approval, documentation, or underwriting, and that a significant amount of cash was removed from a cash drawer that was only accessible to her.
• Teresa Paulo, a former employee at Southern Pine Credit Union, Valdosta, Georgia, received a notice of prohibition after she was convicted and sentenced for aggravated identity theft and bank fraud resulting from her misconduct at the credit union

OFAC has announced a $22,172 settlement with SkyGeek Logistics, Inc. SkyGeek agreed to settle its potential civil liability for six apparent violations of OFAC sanctions related to Russia’s aerospace and technology sectors.

In 2024, SkyGeek attempted two refunds and sent four shipments to two Specially Designated Nationals in the United Arab Emirates sanctioned in connection with these sectors. The settlement amount reflects OFAC's determination that the apparent violations were non-egregious and that certain of its conduct was voluntarily self-disclosed.

Additional details are available in OFAC's enforcement release, which indicates that two of SkyGeek's apparent transaction violations were blocked and reported to OFAC by a financial institution.

The Treasury Department on Tuesday reported OFAC sanctions actions.

• A Russian judge was sanctioned for her role in the arbitrary detention of Moscow city councilor and human rights defender Alexei Gorinov. The judge was designated under the authority of Executive Order 13818, which builds upon and implements the Global Magnitsky Human Rights Accountability Act and targets perpetrators of serious human rights abuse and corruption.
• OFAC also designated a subordinate organization of Iran’s Islamic Revolutionary Guard Corps (IRGC), and a Moscow-based affiliate organization of the Russian Main Intelligence Directorate (GRU) and its director under the authority of Executive Order 13848 (U.S. election interference). As affiliates of the IRGC and GRU, these actors aimed to stoke socio-political tensions and influence the U.S. electorate during the 2024 U.S. election.

For the names and identification information of the designated parties, see Tuesday's BankersOnline OFAC Update.

The FDIC on Friday made public its November 2024 administrative enforcement actions against banks and individuals. There were two orders of prohibition, two consent orders, three orders for civil money penalties (CMPs), one combined order of prohibition and order for restitution, and one notice of charges for assessment of a CMP.

Assessment of Civil Money Penalties:

• Spring Valley Bank, Wyoming, OH, a $19,800 CMP for violations of the Home Mortgage Disclosure Act (HMDA) and of Regulation C for failing to follow HMDA reporting requirements.
• Rockland Trust Company, Rockland, MA, a $10,000 CMP for engaging in a pattern or practice of violations of the Flood Disaster Protection Act and section 339.3(a) of the FDIC's Rules and Regulations, in 10 instances by making, increasing, extending, and/or renewing designated loans secured by personal property not covered by flood insurance by failing to require borrowers to get flood insurance covering contents pledged as security when contents are owned by a non-borrower guarantor.
• Citizens State Bank, Hudson, WI, a $6,000 CMP for engaging in a pattern or practice of committing violations of the FDPA and Part 339 of the FDIC Rules and Regulations, 12 C.F.R. Part 339, by failing to obtain flood insurance on a building securing a designated loan at the time of the origination of one loan; failing to obtain adequate flood insurance at the time of the origination of four loans; and failing to follow force placement flood insurance procedures in four instances

Notice of Charges and of Hearing for Assessment of Civil Money Penalty:

• CBW Bank, Weir, KS, related to a determination that the bank violated laws and regulations by failing to maintain an adequate Anti-Money Laundering/Countering the Financing of Terrorism (AML/CFT) compliance program, which led to multiple incidents where the bank repeatedly violated the Bank Secrecy Act and its implementing regulations. If the bank fails to timely request a hearing on the FDIC's charges, a CMP of $20,448,000 will be imposed.

Assessment of Civil Money Penalty and Removal/Prohibition Order:

• Carlos Acosta, formerly a senior vice president and Chief auditor of Citizens Business Bank, Ontario, CA, for recording confidential meetings, including meetings with FDIC and state examiners, without consent, and attempting to extort bank executives. CMP: $70,000.
• Bryan E. Dalton, a former loan officer at RiverBank, Pocahontas, AR, in an adjudicated decision, a $35,000 CMP and a notice of prohibiiton for a scheme by which he misappropriated $87,951.50 from the accounts of four loan customers.

Removal/Prohibition Orders:

• Stacia S. Wilson, former vice president at St. Clair County State Bank, Osceola, MO, after a finding that she created false and fictitious loans using bank customer information without their knowledge, misappropriated funds to fund payments on those loans, and used the proceeds of the loans for her personal gain.
• Jessica Ann Marshall, former branch manager at Bank of Idaho, Idaho Falls, ID, for stealing cash and embezzling funds from the bank in the amount of $345,774.66, and falsifying documents and directing bank employees to falsify documents to hide her actions.