Regulatory Action Highlights as of August 2024
Looking at the hottest new releases from regulators all across the globe.
There has been a lot happening in the fintech/financial services space - so many things we could talk about, with the always evolving Evolve-Synapse-etc saga, the CFPB dropping earned wage access guidance, the brokered deposit rule proposal by the FDIC, the economy seemingly headed for a recession, the electoral implications of each of the two major candidates for US President, and more. But in this week's edition, we'll try to focus in on what happened in the last month in the regulatory scene across the world. Drawing from our premium edition's massive consent order/regulatory action database, here are a few of the highlights we came across from each regulatory body as we dug in to make our updates:
1)
Company: HSBC
Regulator: FINMA (Switzerland)
Fine: None Yet
Why: Purported AML violations, supposedly dating between 2002 and 2015, with the lack of screening for two politically exposed persons who were making transactions between Lebanon and Switzerland.
What's Next: HSBC plans to appeal this decision. It should be noted that HSBC has been fined a total of $7.4 billion since 2000, with a seeming inability to establish sustainable controls.
2)
Company: Acima Holdings
Regulator: CFPB (US)
Fine: None Yet
Why: A cornucopia of issues here, including UDAAP violations, FCRA (Credit Reporting), Reg Z/TILA and Reg E.
What's Next: The CFPB does not name an amount but is seeking financial penalties. Interestingly, this is also the second CFPB consent order this year aimed towards someone named Allred, with Bloomtech CEO Austen Allred receiving a consent order a few months back.
3)
Company: Citi
Regulator: OCC and FRB (US)
Fine: $135,625,620
Why: Remember our story a few months back about "The OCC getting dragged into an unlawful termination lawsuit?" Well, consider them dragged and thoroughly angry at what they see. This has everything to do with the data-related accusations that were called out in Kathleen Martin's earlier lawsuit, so it will be no surprise to find out that the lawsuit has been amended a few days after this double-team by the OCC and FRB.
What's Next: Right now both the lawsuit and the OCC/FRB consent orders operate independently, but it makes Citi's attempts to dismiss the lawsuit look a bit tone-deaf. They have until this Thursday (August 8) to respond to the lawsuit.
4)
Company: Kikit and Mess Investments
Regulator: CFTC (US)
Fine: $31,000,000+
Why: Fraud, plain and simple. Another one of the "2021 success stories," this company was basically a front for its CEO Alejandro Tinoco to rack up money to charter private jets, purchase luxury mansions and other real estate, and purchase/lease luxury cars.
What's Next: Tinoco is already in jail at this point serving a 7-year sentence, so the CFTC could be seen as pouring salt on the wound here. But this is a great reminder that the penalties and regulatory pursuit may not end even if you wind up in jail; restitution is restitution after all.
5)
Company: Coinbase (CB Payments Limited)
Regulator: FCA (United Kingdom)
Fine: £3.5 million ($4.5 million USD).
Why: As someone who has dealt with a global US-based behemoth trying to maintain licenses in other countries, it was always a balancing act trying to demonstrate controls specific to a locality rather than constantly go back to the "parent company." In this case, this should be a huge wakeup call to any big tech company that has any payments licenses in the UK. The FCA can get down and dirty and into the weeds, and they will have no problem making a statement like "Other teams (including CBPL’s Compliance function, the Quality Assurance function and Coinbase Group’s Internal Audit function) did not consider or review the operation of the VREQ Flag and no external assessment of the VREQ Flag was conducted, despite there having been opportunities for CBPL to include a review of the VREQ Flag in other work that was being undertaken prior to December 2022." (For reference's sake, the VREQ Flag is a reference to a voluntary requirement that calls out a certain type of high risk customer and essentially discourages institutions from onboarding them but does not stop them, so long as the tag is present. Coinbase somehow was unable to apply this tag to around 13,000 customers).
What's Next: This could open the door for the FCA to go after companies that claim that in certain countries they are only serving as a conduit for payments under e-money licenses.
~~
Since we're having fun, stay tuned for more highlights coming on Wednesday. A brief interlude this Tuesday with our weekly events roundup. Stay tuned!