Cyber Attacks and What They Mean Under OFAC
The United States Department of the Treasury’s Office of Foreign Assets Control (OFAC) recently issued updated guidance highlighting the sanctions risks associated with ransomware payments. During the COVID-19 pandemic, ransomware attacks demanding payment increased significantly. OFAC first issued guidance on facilitating ransomware payments in October 2020 and has reissued this updated advisory because of the increased frequency of these attacks. To be clear, the United States government strongly discourages private companies and citizens from paying ransom or extortion demands, and OFAC warns that companies facilitating ransomware payments risk violating OFAC regulations.
Ransomware is a form of malicious software that blocks access to a computer system and/or its data and extorts a ransom payment from the victim in exchange for restoring access. According to the Federal Bureau of Investigation (FBI), reported ransomware cases rose almost 21 percent and associated losses rose 225 percent from 2019 to 2020. These attacks target entities of all sizes in both the private and public sectors. The perpetrators of these attacks, including both the operators and the developers of the ransomware, are sometimes designated under OFAC’s cyber-related sanctions program and other sanctions programs. In the updated advisory, OFAC states that it “has imposed, and will continue to impose, sanctions on these actors and others who materially assist, sponsor, or provide financial, material, or technological support for these activities.”
When OFAC designates persons or entities on its sanctions lists, U.S. persons are generally prohibited from engaging, directly or indirectly, in transactions with them. Sanctions violations are subject to strict liability: OFAC may hold a person civilly liable even if that person did not know, or have reason to know, that the transaction was prohibited under the sanctions laws and regulations OFAC administers. That is all the more reason for banks to be aware of this guidance and to conduct OFAC checks whenever there is a risk that a counterparty may be on a sanctions list. OFAC sanctions reach not only those facilitating ransom payments but also those paying them. If a bank does pay a ransom or facilitate a payment to a sanctioned party, OFAC does take voluntary self-disclosure into consideration.
Self-disclosure has always been important in resolving OFAC violations, and this applies equally to cyber-attacks. When determining liability, OFAC considers a company’s full and ongoing cooperation with law enforcement both during and after a ransomware attack, including providing all relevant information such as technical details, ransom payment demands, and ransom payment instructions. Self-disclosure and full cooperation are significant mitigating factors, and OFAC is more likely to resolve a violation with a no-action letter or a cautionary letter when the affected party takes these steps to report and cooperate with the authorities.
Risk Management Considerations in Offering Deposit Accounts for Minors
Offering deposit accounts to minors can be rewarding for the bank, the minor, and the minor’s parents or guardians, who are often customers of the bank themselves. However, because minors are in most cases deemed unable to appreciate the risks of entering into a contract, the bank faces several risk management considerations in serving these customers, for example the terms of the account agreement, whether the account can carry a debit card, and other considerations set forth under state law.
States generally protect minors from their lack of maturity by making contracts with minors voidable. This means a minor who enters into a contract may later choose not to be bound by its terms, and the other party (here, the bank) would be unable to enforce the obligations of the account agreement. Still, many states also balance minors’ need for bank accounts against banks’ reluctance to offer them because of the voidable nature of the contract.
State legislation varies widely in balancing these considerations. For example, the Texas Finance Code, § 34.305, allows a bank to establish an account in a minor’s sole name and hold the minor to the account agreement as if the minor were an adult; this provision is in turn subject to the right of the minor’s parent to have the bank deny the minor access to the account. By contrast, Tennessee Code § 45-2-702 allows a Tennessee bank to establish a deposit account for a minor on the condition that an adult is also an owner of the account. North Dakota, as another example, has so far enacted no legislation specifically addressing accounts for minors.
In light of these considerations, it is imperative that banks review the governing provisions of their jurisdictions when structuring account agreements and the accompanying services for a minor’s deposit account. A Texas bank would need procedures allowing a parent or guardian to submit instructions to the bank under the provision above, whereas a Tennessee bank would generally be able to hold the adult account-holder liable as a joint owner with the minor.
The above examples are default state provisions that undoubtedly inform bank procedures and the terms of deposit account agreements for minors. However, they are only the beginning of the risk management considerations. For example, these default provisions may allow the bank to hold a minor to the account terms, but a minor can still void contracts entered into with other parties. If the bank issues a debit card to a minor, the minor may make a large purchase and then void the purchase with the merchant on the basis of age. In turn, the merchant may seek restitution from the bank for having enabled the transaction by providing the minor a debit card.
There are a number of ways to address risks like the debit card example above. The state provisions above may already allow the bank to pass the liability incurred to the merchant on to the minor, but the consideration here is reputation risk: such a liability transfer may lead to collection efforts or litigation, and it is very unlikely the public would look favorably on a bank taking such action against a minor, even in good faith. A more practical consideration, therefore, is offering lower transaction limits. This approach balances offering a competitive deposit account for a minor against the risk of substantial losses that lead to disputes with minors.
Going Bank in Time Before Going Forward Again
On June 5, 2020, the Office of the Comptroller of the Currency (OCC) released a final rule to modernize its Community Reinvestment Act (CRA) framework (June 2020 Rule). After the other regulatory agencies failed to follow suit, the OCC issued a proposed rule to rescind the June 2020 Rule in favor of working together with the other agencies to develop a new framework. The OCC proposed to replace the existing 12 CFR part 25 with a revised 12 CFR part 25 based on the 1995 Rules and reinstate 12 CFR part 195 (for savings associations). The proposal makes 12 CFR part 25 substantively identical to the 1995 rule again. All definitions, performance tests and standards, and related data collection, recordkeeping, and reporting requirements would revert to those in place before the OCC issued the June 2020 Rule. Also, the rules surrounding the public file and public notice requirements would revert to those in the 1995 rule. The proposed rule applies to all national banks and all federal and state savings associations. If you would like to comment on any aspect of the proposal, you must submit those before October 29, 2021. The June 2020 Rule will remain in effect until replaced by final rules based on this proposal.
How Do We Get Back There Again?
The OCC recognizes that banks have relied on the June 2020 Rule to plan for their ongoing compliance with the CRA. The agency also acknowledged that replacing the newly created framework impacts, among other things, how examiners evaluate banks and what qualifying activities they would consider in CRA examinations. Therefore, to ease the transition, the OCC proposed a transition plan to replace certain aspects of the June 2020 Rule, which it summarizes in a chart on page 38 of the proposed rule, https://www.occ.gov/news-issuances/federal-register/2021/nr-occ-2021-94a.pdf. Banks would have a minimum of 30 days following publication of any final rules regarding this proposal, before they would be required to comply with most of the provisions described in the proposed rule. Therefore, the OCC is considering an effective date of January 1, 2022, for any final rules, provided they are published by December 1, 2021.
Size Matters
Under the OCC’s abandoned CRA modernization effort, many banks changed bank type based on the new asset thresholds in the June 2020 Rule. As a result, they are now subject to different performance standards for activities conducted on or after October 1, 2020. Also, former “large banks” that became “intermediate banks” under the June 2020 Rule were no longer required to collect data for calendar years 2021 onward or report data for calendar years 2022 onward. Many of these banks will transition back to their prior bank size under the now-proposed asset-size thresholds. Consistent with its historical practice, if the proposed rules take effect on January 1, 2022, the OCC will require newly classified large banks to begin collecting data on January 1, 2023, and to report required and optional data the following year. The OCC will not require banks transitioning from small banks to intermediate small banks (ISBs) to move to the ISB performance standards, but it would consider the change in bank size as part of the bank's performance context when evaluating the bank's CRA performance.
Getting Credit Where Credit is Due
Under the proposed rule, OCC-regulated banks would receive consideration in their CRA examinations for activities that met the qualifying activities criteria or definitions that were in effect when the bank conducted those activities. The OCC will maintain the illustrative list of qualifying activities on its website to help banks determine whether the activities they performed while the June 2020 Rule was in effect are eligible for CRA consideration. However, activities included on the illustrative list may not receive consideration if conducted after the effective date of the final rules.
Where is That Public File?
The June 2020 Rule changed the public file requirements by reducing the information required in the public file and changing the requirements for how an OCC-regulated bank makes the public file available to the public, including permitting these banks to make the public file available solely on their websites. Under the proposed rules, banks would need to include additional information in their public file and make the file available at their main office. Interstate banks must make their public file available at one branch in each state and more limited information at each branch. Since the proposed rules would impose additional public file content and availability requirements, the OCC expects to provide in the final rule that banks would comply with these requirements no later than three months after the final rule's effective date.
But You Approved the Plan…
The June 2020 Rule permitted banks to include target market assessment areas when requesting approval for a strategic plan. The OCC proposes maintaining any strategic plans approved by the OCC under the June 2020 Rule and would not require these banks to amend their strategic plans.
Rest assured that Compliance Alliance is committed to helping OCC-regulated banks transition back to the old rules. We’ll be bringing you up-to-date information about the transition as it is released. C/A's CRA Toolkit also has summaries and other great tools to help you meet your CRA obligations. The OCC-specific tools in that toolkit will be developed after the OCC has issued a final rule that puts the 1995 Rules back into place. We’ll also be bringing all of our members the tools that you will need to comply with the interagency CRA framework as it is proposed. Make sure you are receiving our daily emails so that you can stay up on the latest news and to contact our Hotline team if you have specific questions as we take this trip together.
CAN-SPAM—Not Actually in a Can
When I was a kid, my mother would pan-fry a few slices of canned Spam once or twice a year. I never really knew what was in it, and as an adult I haven’t eaten it in years! Variously said to stand for ‘Special Processed American Meat’ or ‘Spiced Ham’, its texture, content, and makeup remain largely unknown to most people who eat it. Mysteriously, Spam is found in almost every major grocery chain and can remain shelf-stable for two to five years. Many a comedian has joked that the three things to survive a nuclear holocaust would be Spam, cockroaches, and Twinkies.
Spam, in its other sense, now barges unabashedly into our everyday lives. We generally associate it with telemarketing phone calls, miscellaneous mailed advertisements, and yes, unsolicited bulk email.
In an effort to minimize and control the mass distribution of unsolicited pornography and marketing, Congress enacted the Controlling the Assault of Non-Solicited Pornography and Marketing (“CAN-SPAM”) Act to set a national standard for the regulation of unsolicited commercial email.
So what does this mean for banking? Primarily, we are looking at the marketing element of the Act. The Act covers commercial electronic messages sent to existing and potential customers, including consumers and businesses. An email is commercial if its primary purpose is the commercial advertisement or promotion of a product or service.
When preparing to send a commercial message to existing or potential customers, the bank should keep in mind that CAN-SPAM is an opt-out regime: it does not require prior consent to send a commercial email (obtaining it remains good practice), but it does require that the email itself include the following:
- Accurate header information (the “From,” “To,” and routing information must correctly identify the sender)
- A subject line that is not misleading
- A valid physical postal address for the bank
- A clear identification of the message as an advertisement (this may be omitted for recipients who have given prior affirmative consent to receive the message)
- A statement explaining how the recipient can opt out of future emails from you
This does not end the bank’s responsibility. Once the email has been sent, the bank must honor any opt-out request within 10 business days of receiving it. Furthermore, the bank should monitor not only the commercial messages it sends itself but also any sent on its behalf (e.g., by a third-party vendor). The law makes clear that hiring another company to handle your email marketing does not contract away your legal responsibility to comply: both the company whose product is promoted in the message and the company that sends the message may be held legally responsible. The bank should therefore establish policies and procedures to ensure its commercial messages meet the required elements.
It is important to note that there is one fairly large exception to CAN-SPAM. Because CAN-SPAM applies to commercial messages, it does not apply to emails that are transactional or relationship messages. When a bank sends a multi-purpose email, it must therefore determine the message’s primary purpose. The FTC’s regulations, 16 CFR 316.3, provide further clarification on whether an email message has commercial promotion as its primary purpose:
(1) The primary purpose of an e-mail message will be deemed to be commercial if it contains only the commercial advertisement or promotion of a commercial product or service (commercial content);
(2) The primary purpose of an e-mail message will be deemed to be commercial if it contains both commercial content and “transactional or relationship” content (as defined in the Act) if either:
- A recipient reasonably interpreting the subject line of the e-mail message would likely conclude that the message contains commercial content; or
- The e-mail message’s “transactional or relationship” content does not appear in whole or substantial part at the beginning of the body of the message.
(3) The primary purpose of an e-mail message will be deemed to be commercial if it contains both commercial content as well as content that is not transactional or relationship content if a recipient reasonably interpreting either:
- The subject line of the e-mail message would likely conclude that the message contains commercial content; or
- The body of the message would likely conclude that the primary purpose of the message is commercial.
(4) The primary purpose of an e-mail message will be deemed to be transactional or relationship (non-commercial) if it contains only “transactional or relationship” content.
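As an added example (not code from the original article or from Compliance Alliance), the following Python script applies the four 16 CFR 316.3 primary-purpose tests above to an outbound message and, only when the result is commercial, checks the message for the content elements listed earlier in this article. It assumes the bank’s template system tags each body block as commercial, transactional or other; the subject-line keyword list, the postal-address and opt-out patterns, the From/Reply-To consistency check and the three sample messages are all constructed for illustration, and whether a subject line is misleading is left to human review.

```python
"""Primary-purpose test and CAN-SPAM element check for an outbound bank e-mail."""
from __future__ import annotations

import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Constructed heuristics for this example; a bank would tune them to its own templates.
COMMERCIAL_SUBJECT_WORDS = ("offer", "rates", "apply now", "save", "limited time", "promotion")
AD_LABEL_RE = re.compile(r"\b(advertisement|this is an ad)\b", re.IGNORECASE)
OPT_OUT_RE = re.compile(r"\b(unsubscribe|opt[- ]out)\b", re.IGNORECASE)
# Street number, street, city, two-letter state and ZIP, e.g. "100 Main St, Anytown, TX 75001".
POSTAL_RE = re.compile(r"\d+ [\w. ]+, [\w. ]+, [A-Z]{2} \d{5}")


def subject_looks_commercial(subject: str) -> bool:
    """316.3(a)(2)(i)/(3)(i): would a recipient reading the subject expect commercial content?"""
    lowered = subject.lower()
    return any(word in lowered for word in COMMERCIAL_SUBJECT_WORDS)


def primary_purpose(subject: str, segments: list[tuple[str, str]]) -> str:
    """Apply the four 16 CFR 316.3(a) tests.

    segments: the body in reading order as (kind, text) pairs, where kind is
    "commercial", "transactional" or "other" (the template system is assumed to tag them).
    Returns "commercial", "transactional", or "other" (not deemed commercial)."""
    kinds = [kind for kind, _ in segments]
    has_commercial = "commercial" in kinds
    has_transactional = "transactional" in kinds
    if has_commercial and has_transactional:               # test (2)
        if subject_looks_commercial(subject):
            return "commercial"
        # transactional content must appear in whole or substantial part at the beginning
        return "transactional" if kinds[0] == "transactional" else "commercial"
    if has_commercial and "other" in kinds:                # test (3)
        if subject_looks_commercial(subject):
            return "commercial"
        commercial_chars = sum(len(text) for kind, text in segments if kind == "commercial")
        total_chars = sum(len(text) for _, text in segments)
        # constructed proxy for "a recipient reading the body would conclude it is commercial"
        return "commercial" if commercial_chars * 2 > total_chars else "other"
    if has_commercial:                                     # test (1)
        return "commercial"
    if has_transactional:                                  # test (4)
        return "transactional"
    return "other"


def missing_elements(msg: Message) -> list[str]:
    """Content elements a commercial message must carry. Whether the subject line is
    misleading requires human review and is not checked here."""
    body = msg.get_payload()          # single-part text messages only, for this example
    missing = []
    sender_domain = parseaddr(msg.get("From", ""))[1].partition("@")[2]
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].partition("@")[2]
    if not sender_domain:
        missing.append("From header")
    elif reply_domain and reply_domain != sender_domain:   # crude header-consistency check
        missing.append("Reply-To domain matching From domain")
    if not POSTAL_RE.search(body):
        missing.append("physical postal address")
    if not AD_LABEL_RE.search(body):
        missing.append("identification as an advertisement")
    if not (OPT_OUT_RE.search(body) or msg.get("List-Unsubscribe")):
        missing.append("opt-out mechanism")
    return missing


def lint(raw_message: str, segments: list[tuple[str, str]]) -> dict:
    """Classify the message and, only if it is commercial, check the required elements."""
    msg = message_from_string(raw_message)
    purpose = primary_purpose(msg.get("Subject", ""), segments)
    return {"primary_purpose": purpose,
            "missing": missing_elements(msg) if purpose == "commercial" else []}


# Constructed samples (not real customer mail).
STATEMENT_TXT = "Your statement for the account ending in 4417 is now available in online banking."
PROMO_TXT = "Ask us about our new 12-month certificate of deposit."
NOTICE = (
    "From: First Example Bank <notices@bank.example>\n"
    "To: customer@mail.example\n"
    "Subject: Your October statement is available\n"
    "\n"
    f"{STATEMENT_TXT}\n{PROMO_TXT}\n"
)
NOTICE_SEGMENTS = [("transactional", STATEMENT_TXT), ("commercial", PROMO_TXT)]
# Same body, but the subject line now leads with the promotion.
PROMO_SUBJECT = NOTICE.replace("Subject: Your October statement is available",
                               "Subject: Limited time CD rates inside, plus your statement")
AD = (
    "From: First Example Bank <marketing@bank.example>\n"
    "Reply-To: marketing@bank.example\n"
    "List-Unsubscribe: <mailto:unsubscribe@bank.example>\n"
    "Subject: Limited time offer on home equity rates\n"
    "\n"
    "Advertisement. Lock in a home equity line at a promotional rate this month.\n"
    "To opt out of future marketing e-mail, reply with UNSUBSCRIBE.\n"
    "First Example Bank, 100 Main St, Anytown, TX 75001\n"
)
AD_SEGMENTS = [("commercial", AD.split("\n\n", 1)[1])]

if __name__ == "__main__":
    for name, raw, segs in (("notice", NOTICE, NOTICE_SEGMENTS),
                            ("promo subject", PROMO_SUBJECT, NOTICE_SEGMENTS),
                            ("ad", AD, AD_SEGMENTS)):
        print(name, lint(raw, segs))
```

Run as a script, it prints the three verdicts: the statement notice with the cross-sell line at the end is transactional and outside the Act’s content requirements, the same body under a promotional subject line becomes commercial and is short three required elements, and the stand-alone promotion passes. The test (3) body judgment is approximated by the share of commercial text, a stand-in for a determination the regulation leaves to a reasonable recipient; the point of the script is to make the order-of-content and subject-line tests mechanical so that a template cannot slip a promotion into a notice without being flagged.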
In today’s environment, people expect to get spam (the email variety). Nevertheless, the bank should make sure it is properly meeting the CAN-SPAM requirements to help minimize its marketing compliance risk.