Data Governance Archives - Compliance Chief 360
https://compliancechief360.com/tag/data-governance/
The independent knowledge source for Compliance Officers

Equiniti Trust Penalized by SEC for Failing to Protect Client Assets from Cyber Theft
https://compliancechief360.com/equiniti-trust-penalized-by-sec-for-failing-to-protect-client-assets-from-cyber-theft/
Thu, 22 Aug 2024 22:27:31 +0000

The Securities and Exchange Commission announced that it settled charges against New York-based registered transfer agent Equiniti Trust Company LLC for failing to assure that client securities and funds were protected against theft or misuse. Those failures led to the loss of more than $6.6 million of client funds as a result of two separate cyber intrusions in 2022 and 2023. The company was able to recover approximately $2.6 million of the losses and fully reimbursed the clients for their losses. To settle the SEC’s charges, Equiniti, formerly known as American Stock Transfer & Trust Co., agreed to pay a fine of $850,000.

According to the SEC’s order, in September 2022, an unknown third party hijacked a pre-existing email chain between what was then American Stock Transfer and a U.S.-based public-issuer client. The hacker, pretending to be an employee at the issuer, then instructed American Stock Transfer to issue millions of new shares of the issuer, liquidate those shares, and send the proceeds to an overseas bank. American Stock Transfer followed these instructions and transferred approximately $4.78 million to bank accounts located in Hong Kong, of which American Stock Transfer was able to recover approximately $1 million.

In addition, the SEC found that around April 2023, in an unrelated incident, someone used stolen Social Security numbers of certain American Stock Transfer accountholders to create fake accounts that were automatically linked by American Stock Transfer to real client accounts based solely on the matching Social Security numbers, even though the names and other personal information associated with the fraudulent accounts did not match those of the legitimate accounts. This allowed the thief to liquidate securities held in the legitimate accounts and transfer a total of approximately $1.9 million in proceeds to external bank accounts, of which American Stock Transfer was able to recover approximately $1.6 million.

“American Stock Transfer failed to provide the safeguards necessary to protect its clients’ funds and securities from the types of cyber intrusions that have become a near-constant threat to companies and the markets,” said Monique Winkler, Director of the SEC’s San Francisco Regional Office. “As threat actors become more sophisticated in the cyber space, transfer agents must act to implement and maintain effective safeguards and procedures around client assets.”

In finding that Equiniti failed to assure that: (i) all securities in its custody or possession related to its transfer agent activities were held in safekeeping and were handled in a manner reasonably free from risk of theft, loss or destruction and (ii) all funds in its possession were protected against misuse, the SEC concluded that the transfer agent violated Section 17A(d) of the Securities Exchange Act of 1934 and Rule 17Ad-12. In addition to the civil penalty referenced above, Equiniti agreed to a cease-and-desist order and censure.

SEC and CFTC Fine Firms $474 million for Recordkeeping violations
https://compliancechief360.com/sec-and-cftc-fine-firms-474-million-for-recordkeeping-violations/
Thu, 15 Aug 2024 17:52:55 +0000

The Securities and Exchange Commission and the Commodity Futures Trading Commission announced that they collected $474 million in fines from broker-dealers and investment advisers for widespread and longstanding failures by the firms and their employees to maintain and preserve text messages and other electronic communications.

The SEC announced that the firms admitted their failures, acknowledged that their conduct violated numerous recordkeeping provisions of the federal securities laws, agreed to pay a combined $392.75 million in fines, and have begun implementing improvements to their compliance policies and procedures to address these violations. The charged firms included well-known banks such as RBC Capital Markets, BNY Mellon, TD Securities, Edward D. Jones, and many more.

These charges represent the government’s ongoing mission of suppressing off-channel communications between broker-dealers and investment advisors. “As today’s enforcement actions against more than two dozen firms reflect, we remain committed to ensuring compliance with the books and records requirements of the federal securities laws, which are essential to investor protection and well-functioning markets,” said Gurbir Grewal, Director of the SEC’s Division of Enforcement. “Among this group of firms, there are several that differentiated themselves by self-reporting prior to the staff’s investigation, demonstrating once again the real benefits of proactive cooperation.”

Each of the SEC’s investigations uncovered longstanding use of unapproved off-channel communications at these firms. As described in the SEC’s orders, the firms admitted that their employees sent and received off-channel communications that were records required to be maintained under the securities laws. The failure to maintain and preserve required records deprives the SEC of these communications in its investigations. The failures involved personnel at multiple levels of authority, including supervisors and senior managers.

The firms were each charged with violating certain recordkeeping provisions of the Securities Exchange Act, the Investment Advisers Act, or both. The firms were also each charged with failing to reasonably supervise their personnel with a view to preventing and detecting those violations.

CFTC Fines Banks for Failing to Uphold Recordkeeping Requirements

The CFTC fined multiple banks for similar recordkeeping violations. The Commission discovered that multiple financial institutions did not stop their employees from communicating through off-channel platforms such as iMessage or WhatsApp. The CFTC additionally found that the firms did not preserve the communications, which added to their violations.

According to the CFTC, some firms, such as Truist Bank, self-reported their violations, which weighed heavily in determining their respective penalties. “In responding to an industry-wide and consequential problem, Truist set itself apart from the more than 20 other registrants the CFTC brought actions against for use of unapproved communications methods. How? Truist made the decision to self-report to the Division of Enforcement it had serious recordkeeping and supervisory failures. It is the only registrant to do so,” said Director of Enforcement Ian McGinley.

“Truist’s decision to self-report, cooperate, remediate, and be held accountable allowed it to benefit in the form of a substantially reduced penalty,” Director McGinley added. “At the same time, the CFTC’s message remains clear—recordkeeping and supervision requirements are fundamental, and registrants that fail to comply with these core obligations do so at their own peril.”

These charges once again display the government’s mission in combatting off-channel communications among broker-dealers and investment advisors. This is not the first time that they have gone after broker-dealers and investment advisors for their use of off-channel communications as a means to do business. In August 2023, the SEC and CFTC collected $555 million in penalties for recordkeeping failures and in 2022 the agencies collected $1.8 billion for similar conduct.


Jacob Horowitz is a contributing editor at Compliance Chief 360° 

FTC Investigation Triggers Lawsuit Against TikTok for Children’s Privacy Violations
https://compliancechief360.com/ftc-investigation-triggers-lawsuit-against-tiktok-for-childrens-privacy-violations/
Fri, 09 Aug 2024 13:54:14 +0000

As a result of the Federal Trade Commission’s investigation, the Department of Justice sued TikTok and its parent company ByteDance for flagrantly violating a children’s privacy law—the Children’s Online Privacy Protection Act—and also alleged they infringed an existing 2019 FTC consent order against TikTok for violating COPPA.

The complaint alleges that TikTok and ByteDance failed to comply with the COPPA requirement to notify and obtain parental consent before collecting and using personal information from children under the age of 13.

“TikTok knowingly and repeatedly violated kids’ privacy, threatening the safety of millions of children across the country,” said FTC Chair Lina Khan. “The FTC will continue to use the full scope of its authorities to protect children online—especially as firms deploy increasingly sophisticated digital tools to surveil kids and profit from their data.”

“The Justice Department is committed to upholding parents’ ability to protect their children’s privacy,” said Principal Deputy Assistant Attorney General Brian Boynton. “This action is necessary to prevent the defendants, who are repeat offenders and operate on a massive scale, from collecting and using young children’s private information without any parental consent or control.”

ByteDance and its related companies allegedly were aware of the need to comply with the COPPA Rule and the 2019 consent order and knew about TikTok’s compliance failures that put children’s data and privacy at risk. Instead of complying, ByteDance and TikTok spent years knowingly allowing millions of children under 13 on their platform designated for users 13 years and older in violation of COPPA, according to the complaint.

As of 2020, TikTok had a policy of maintaining accounts of children that it knew were under 13 unless the child made an explicit admission of age and other rigid conditions were met, according to the complaint. TikTok employees allegedly spent an average of only five to seven seconds reviewing each account to make their determination of whether the account belonged to a child.

The company allegedly continued to collect personal data from these underage users, including data that enabled TikTok to target advertising to them—without notifying their parents and obtaining their consent as required by the COPPA Rule. Even after it reportedly changed its policy not to require an explicit admission of age, TikTok still continued to unlawfully maintain and use personal information of children, according to the complaint.

TikTok’s practices prompted its own employees to raise concerns. As alleged, after failing to delete numerous underage child accounts, one compliance employee noted, “We can get in trouble … because of COPPA.”

TikTok Allowed Children to Bypass the Age Requirement

In addition, the complaint alleges that TikTok built back doors into its platform that allowed children to bypass the age gate aimed at screening children under 13. TikTok allegedly allowed children to create accounts without having to provide their age or obtain parental consent to use TikTok by using credentials from third-party services like Google and Instagram. TikTok classified such accounts as “age unknown” accounts, which grew to millions of accounts, according to the complaint.

TikTok also allegedly made it difficult for parents to request that their child’s accounts be deleted. When parents managed to navigate the multiple steps required to submit a deletion request, TikTok often failed to comply with those requests. TikTok also imposed unnecessary and duplicative hurdles for parents seeking to have their children’s data deleted. That practice allegedly continued even after the executive responsible for child safety issues told TikTok’s then-CEO, “we already have all the info that’s needed” to delete a child’s data when a parent requests it, yet TikTok would not delete it unless the parent fills out a second, duplicative form. If the parent did not do that, the executive allegedly added, “then we have actual knowledge of underage user[s] and took no action!”

Additionally, the complaint alleges that TikTok failed to:

  • Notify parents about all of the personal data they were collecting from children;
  • Obtain parental consent for the collection and use of that data;
  • Limit the collection, use, and disclosure of children’s personal information; and
  • Delete children’s personal information when requested by parents or when it was no longer needed.

The complaint asks the court to impose civil penalties against ByteDance and TikTok and to enter a permanent injunction against them to prevent future violations of COPPA.

Google Loses Antitrust Case For Having Dominant Search Engine
https://compliancechief360.com/google-loses-antitrust-case-for-having-dominant-search-engine/
Thu, 08 Aug 2024 14:48:01 +0000

In a landmark trial case, a federal judge ruled that Google violated antitrust law when it spent billions of dollars to have its search engine dominate the industry. The decision, issued after a 10-week bench trial, represents a significant victory for the effort to challenge the dominance of a few major tech companies.

In his final ruling, Judge Amit Mehta held that as a result of suppressing competition by paying billions of dollars to operators of web browsers and phone manufacturers to be their default search engine, Google has become a monopolist and “it has acted as one to maintain its monopoly.”

Judge Mehta emphasized that Google’s illegal practices have resulted in anticompetitive behavior. The tech giant’s exclusive deals with Apple and other large mobile companies, which resulted in the preloading of Google’s search engine as the exclusive and default engine, display the company’s illegal practices. These contracts drove Google’s online advertising business as it transformed its search engine into the most convenient platform to access.

“This victory against Google is an historic win for the American people,” said Attorney General Merrick Garland. “No company — no matter how large or influential — is above the law. The Justice Department will continue to vigorously enforce our antitrust laws.” “This landmark decision holds Google accountable. It paves the path for innovation for generations to come and protects access to information for all Americans,” said Assistant Attorney General Kanter. “This victory is a reflection on the tireless efforts of the dedicated public servants at the Antitrust Division and our state law enforcement partners whose work made today’s decision possible.”

In response to the final ruling as well as Attorney General Garland’s statement, Google’s head of global affairs Kent Walker released his own statement that displays the company’s dissatisfaction with the ruling. “This decision recognizes that Google offers the best search engine but concludes that we shouldn’t be allowed to make it easily available,” he said in a written statement that quoted complimentary passages from Mehta’s decision. “As this process continues, we will remain focused on making products that people find helpful and easy to use.”

What Does This Mean For the Future of Tech

Because Judge Mehta has yet to impose any penalties and Google has yet to appeal, the implications of this ruling are not completely clear. According to many, the most likely penalty imposed on Google will be a court order to terminate its existing contracts with Apple and other mobile companies. Ultimately, this case paves the way for AI-powered search engines to enter the industry and take control of what Google has to relinquish.

This case also teaches a valuable lesson to big tech companies to be cautious when drafting a contract that entails a sense of exclusivity. “If you’ve got a dominant product, you’ve got to be very careful to make sure that your licensing and contract agreements are open, because making them exclusive can be dangerous,” said University of Pennsylvania Carey Law School antitrust scholar Herbert Hovenkamp. No longer can companies form contracts that aim to transform a product into a default platform for all users.

Although this decision will play a significant role in Google’s future business practices, it will have an even larger role for the tech industry as a whole. From now on, companies will have to be very careful when engaging in business agreements with third parties to use their products or else they will face a similar result to Google. This case is only the start of big tech antitrust lawsuits as companies such as Apple, Amazon and Meta face their own respective antitrust allegations.


Jacob Horowitz is a contributing editor at Compliance Chief 360° 

Meta Reaches Historic Settlement Over Biometric Data Violations
https://compliancechief360.com/meta-reaches-historic-settlement-over-biometric-data-violations/
Wed, 31 Jul 2024 17:41:19 +0000

The social media giant, Meta, agreed to settle a lawsuit accusing the company of illegally capturing biometric data from its users without their consent. Meta will pay a historic amount of $1.4 billion over the course of the next five years. Texas Attorney General Ken Paxton and McKool Smith, which also represents Texas, said that the deal is “the largest settlement ever obtained from an action brought by a single state.” 

The lawsuit accused Meta of using its users’ biometric data that is contained in photos and videos on Facebook without receiving permission to do so. As a result of this activity, Facebook exploited the personal information of users and non-users alike to grow its empire and reap historic windfall profits.

“Companies that operate in Texas must be held accountable for their actions, particularly when it puts the privacy of Texans at risk. We’re grateful to have had the opportunity to work with the Office of the Attorney General, and we appreciate how the court handled this lawsuit,” attorneys Sam Baxter and Jennifer Truelove said in a written statement.

Texas Alleged that Meta Violated its Data Privacy Laws

AG Paxton accused Meta of violating Texas’s Capture or Use of Biometric Identifier Act (CUBI) and the Deceptive Trade Practices Act. The claimed violation arose out of Meta’s “Tag Suggestions” feature on Facebook, an automated photo tagging feature that ran when users uploaded photos or videos. Facebook introduced the facial recognition technology in 2010, which provided users with an easier way of tagging their friends. In 2021, the company announced that it would cease to use the technology after settling a case in which it was sued for violating Illinois’ biometric privacy law.

“It was the first time the State of Texas sought to enforce its biometric-privacy law since enactment, requiring our team to develop novel litigation approaches and analyze important questions of first impression,” Zina Bash, representative attorney for Texas, said in a written statement. “And it was the first time a single state has ever achieved a settlement of this magnitude — which is even more rewarding because of the record time in which we obtained it. When we filed the case in 2022, we knew the state wanted to move quickly, and our team was relentless in litigating the case.”

In February 2022, Paxton filed a lawsuit in Texas state court against Facebook’s parent company, accusing it of violating the CUBI act by failing to obtain consent from Facebook users before collecting their data. The state also claimed that Meta unlawfully disclosed this data to third parties and failed to delete the data within the time frame specified by CUBI.

A Meta spokesperson said the company was “pleased to resolve this matter and look forward to exploring future opportunities to deepen our business investments in Texas, including potentially developing data centers.”


Jacob Horowitz is a contributing editor at Compliance Chief 360° 

Federal Reserve Fines Green Dot for Consumer Compliance Violations
https://compliancechief360.com/federal-reserve-fines-green-dot-for-consumer-compliance-violations/
Tue, 30 Jul 2024 18:31:24 +0000

The Federal Reserve Board took action to address consumer compliance breakdowns by Green Dot, fining the firm $44 million for numerous unfair and deceptive practices and a deficient consumer compliance risk management program.

Green Dot violated consumer law in its marketing, selling, and servicing of prepaid debit card products, and its offering of tax return preparation payment services. For example, Green Dot failed to adequately disclose the tax refund processing fee for tax preparation services offered on a third party’s website.

The firm also blocked access to accounts of legitimate customers receiving unemployment benefits and lacked reasonable policies and procedures to help those customers cure those blocks. In addition, Green Dot did not maintain effective consumer compliance risk management and anti-money laundering programs.

In response to the Fed’s announcement, Green Dot CEO George Gresham asserted that the company would strive to correct any and all deficiencies within Green Dot’s compliance program. “We have taken and will continue taking meaningful steps to correct and remediate those issues, including significant updates to our processes, our product packaging and marketing, our management team and our compliance programs,” Gresham said. “We are committed to cooperating and partnering closely with our regulators to ensure all concerns noted in the consent order are addressed and complied with and that our customers are well-served and protected on an ongoing basis.”

Fed Orders Green Dot to Improve Compliance and Address Complaints

The Board is requiring the firm to take several steps to improve these programs. Green Dot is now required to hire an independent third party to strengthen its consumer compliance risk management program and address the root causes of consumer complaints.

The firm also must develop an effective anti-money laundering program and hire an independent third party to conduct a review of certain transaction activities to determine whether any suspicious activity conducted through the bank was properly identified and reported.

In his response, Gresham concluded by stating that the bank “remains optimistic about our financial and regulatory positions as well as our future growth potential and opportunity as we serve and empower customers directly and through our partners.”

FTC Issues Orders to Companies Seeking Information on Surveillance Pricing
https://compliancechief360.com/ftc-issues-orders-to-companies-seeking-information-on-surveillance-pricing/
Tue, 30 Jul 2024 18:30:50 +0000

The Federal Trade Commission issued orders to eight companies offering surveillance pricing products and services that incorporate data about consumers’ characteristics and behavior. The orders seek information about the potential impact these practices have on privacy, competition, and consumer protection.

The orders are aimed at helping the FTC better understand the dense market for products by third parties that claim to use advanced algorithms, artificial intelligence and other technologies, along with personal information about consumers—such as their location, demographics, credit history, and browsing or shopping history—to categorize individuals and set a targeted price for a product or service. The study is aimed at helping the FTC better understand how surveillance pricing is affecting consumers, especially when the pricing is based on surveillance of an individual’s personal characteristics and behavior.

“Firms that harvest Americans’ personal data can put people’s privacy at risk. Now firms could be exploiting this vast trove of personal information to charge people higher prices,” said FTC Chair Lina Khan. “Americans deserve to know whether businesses are using detailed consumer data to deploy surveillance pricing, and the FTC’s inquiry will shed light on this shadowy ecosystem of pricing middlemen.”

The FTC is using its authority to conduct wide-ranging studies that do not have a specific law enforcement purpose, to obtain information from eight firms that advertise their use of AI and other technologies along with historical and real-time customer information to target prices for individual consumers. The orders were sent to Mastercard, Revionics, Bloomreach, JPMorgan Chase, Task Software, PROS, Accenture, and McKinsey & Co.

The orders are seeking information on four major areas:

  • Types of products and services being offered: The types of surveillance pricing products and services that each company has produced, developed, or licensed to a third party, as well as details about the technical implementation and current and intended uses of this technology;
  • Data collection and inputs: Information on the data sources used for each product or service, including the data collection methods for each data source, the platforms and methods that were used to collect such data, and whether that data is collected by other parties (such as other companies or other third parties);
  • Customer and sales information: Information about whom the products and services were offered to and what those customers planned to do with those products or services; and
  • Impacts on consumers and prices: Information on the potential impact of these products and services on surveilled consumers including the prices they pay.

The FTC has long been on the front lines of documenting and investigating the hidden ecosystem of data brokers, digital platforms, and other intermediaries that specialize in monitoring and selling user data. The FTC orders aim to shed light on how the current data ecosystem may facilitate the ability to target consumers with individual prices.

Citi Fined by OCC and Federal Reserve for Risk Management Failures
https://compliancechief360.com/citi-fined-by-occ-and-federal-reserve-for-risk-management-failures/
Mon, 15 Jul 2024 19:06:56 +0000

The Office of the Comptroller of the Currency and the Federal Reserve fined Citigroup and its subsidiary, Citibank, $136 million for violating the risk management remediation benchmarks set by a 2020 enforcement action. The OCC fined Citibank $75 million and the Fed fined the bank $61 million.

The penalties resulted from Citi’s failure to resolve its “longstanding” risk management, data governance and internal controls deficiencies at the bank. The OCC said Wednesday that Citi failed “to meet remediation milestones and make sufficient and sustainable progress towards compliance with the 2020 order,” adding that it has amended the order “to ensure Citibank prioritizes the remediation work, including through the allocation of sufficient resources.”

In 2020, the OCC stated that Citi’s risk management policies and internal safeguards had been insufficient for a bank of its size and complexity for several years. The agency also criticized the bank’s senior leadership for providing “inadequate” oversight to ensure these issues were promptly addressed.

The OCC identified shortcomings in Citi’s infrastructure for risk control, data management, and compliance, noting that these flaws had, in some instances, “contributed to violations of law and regulations.” In the two years leading up to the 2020 enforcement action, the OCC fined Citi tens of millions of dollars for issues related to fair lending, flood insurance, and foreclosure holdings.

Citi CEO Jane Fraser said in a statement that there are areas where Citi hasn’t made progress quickly enough, despite progress in other areas such as simplifying the firm and addressing the consent orders. Fraser added that Citi has “intensified” its focus on data quality management over the last several months.

“We will get these areas where they need to be, as we have done in other areas of the transformation. As we’ve said from the beginning of this multi-year effort, we’re committed to spending what is necessary to address our consent orders, as our agreement with the OCC demonstrates,” Fraser said.

Federal Reserve Finds Citi’s Remedial Efforts To Be Inadequate

The Federal Reserve revealed that its assessment of Citi’s compliance program resulted in the discovery of “significant ongoing deficiencies … with respect to various areas of risk management and internal controls, including for data quality management and regulatory reporting, compliance risk management, capital planning and liquidity risk management.”

The Fed added that when evaluating Citi’s remediation efforts related to the 2020 order, the agency found the bank’s progress in executing its plan to enhance its data quality management program to be inadequate.


PHOTO BY ANTONIO VERNON, USED UNDER CC BY-SA 3.0

SEC’s Cyber-Rule Enforcement a Prime Worry for Compliance
https://compliancechief360.com/secs-cyber-rule-enforcement-a-prime-worry-for-compliance/
Thu, 28 Mar 2024 21:22:25 +0000

According to a 2024 Cybersecurity Benchmarking Survey, 45 percent of surveyed compliance personnel from asset management, investment adviser and private market firms have expressed concerns about how the Securities and Exchange Commission (SEC) will enforce its newly developed cybersecurity rules.

The ACA Group and National Society of Compliance Professionals released the survey results, which showed a sense of uncertainty surrounding the enforcement of the SEC’s cybersecurity rules. The results indicated that 44 percent of respondents surveyed said they are uncertain about how the SEC will enforce the rules, while 36 percent of compliance professionals cited concerns with complying with cyber incident reporting requirements and timeframes.

Mike Pappacena, a partner at ACA Group, said in a statement that “it’s clear that regulatory compliance remains a top concern,” because nearly half of respondents expressed uncertainty about SEC enforcement. Pappacena said the survey results underline the importance of staying ahead of evolving cybersecurity threats.

The online survey covered around 310 investment adviser firms. All firm sizes were represented and responding firms belonged to varied business types, with most responses coming from asset managers, broker-dealers, and alternative investment advisors.

According to the survey, around 80% of the participants are confident in their firms’ ability to combat a cyber breach, and the top cyber threats raising concern are payment fraud and business email compromise.

As a result of the SEC’s adopted rule, public companies are now required to disclose cybersecurity incidents they experience and to disclose on an annual basis material information regarding their cybersecurity risk management, strategy, and governance. The SEC rules now require companies to disclose any cybersecurity incident they determine to be material and to describe the material aspects of the incident’s nature, scope, and timing, as well as its material impact or reasonably likely material impact on the registrant.

The SEC additionally requires companies to describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats, as well as the material effects or reasonably likely material effects of risks from cybersecurity threats and previous cybersecurity incidents. Companies are given a four-day grace period to disclose any cybersecurity incident from the moment they deem the incident material.

The SEC’s Consideration of Additional Cybersecurity Proposals

Cybersecurity has been a top priority for the SEC. The Commission is currently considering other cybersecurity-related proposals including one that would require brokers, dealers, investment advisers and companies to implement written policies and procedures concerning unauthorized access to or use of customer information. This would include procedures for notifying customers of an incident.

The SEC is also proposing to broaden the scope of information covered by making changes to the requirements for safeguarding customer records and information, and for properly disposing of consumer report information.

Although these proposed measures signal a determined effort to enhance protection for investors, many are worried as to exactly how the SEC will enforce these newly adopted rules and proposals.


Jacob Horowitz is a contributing editor at Compliance Chief 360°    

EU Passes World’s First Comprehensive AI Law
https://compliancechief360.com/eu-passes-worlds-first-comprehensive-ai-law/
Fri, 15 Mar 2024 17:34:22 +0000

The European Parliament approved the Artificial Intelligence Act (AIA), a regulation aimed at ensuring safety and compliance with fundamental rights, while boosting innovation within the artificial intelligence (AI) context. AIA, which is set to take effect in increments over the next few years, ultimately establishes obligations for AI based on its potential risks and level of impact.

AIA is the world’s first set of regulations designed to oversee the field of AI. “We finally have the world’s first binding law on artificial intelligence, to reduce risks, create opportunities, combat discrimination, and bring transparency,” said Brando Benifei, a European Union lawmaker from Italy. “Thanks to Parliament, unacceptable AI practices will be banned in Europe and the rights of workers and citizens will be protected. The AI Office will now be set up to support companies to start complying with the rules before they enter into force. We ensured that human beings and European values are at the very center of AI’s development.”

The new law comes at a point where many countries have introduced new AI rules. Last year, the Biden administration approved an executive order requiring AI companies to notify the government when developing AI models that may pose serious risk to national security, national economic security, or national public health and safety.

AIA Bans Specific Uses of AI

AIA bans certain AI applications that threaten citizens’ rights, including biometric categorization systems based on sensitive information and real-time and remote biometric identification systems, such as facial recognition. The use of AI to classify people based on behavior, socio-economic status or personal characteristics and to manipulate human behavior or exploit people’s vulnerabilities will also be forbidden.

However, some exceptions may be allowed for law enforcement purposes. “Real-time” remote biometric identification systems will be allowed in a limited number of serious cases, while “post” remote biometric identification systems, where identification occurs after a significant delay, will be allowed to prosecute serious crimes and only after court approval.

AIA also introduces new transparency rules that mainly affect Generative AI. The regulation sets out multiple transparency requirements that this sort of AI will have to satisfy, including compliance with EU copyright law. This entails disclosing when content is generated by AI, implementing measures within the model to prevent the generation of illegal content, and providing summaries of copyrighted data utilized during the model’s training process. Additionally, artificial or manipulated images, audio or video content (“deepfakes”) need to be clearly labelled as such.

AIA is projected to become officially effective by May or June, pending some last procedural steps, including approval from EU member states. Implementation of provisions will occur gradually, with countries required to prohibit banned AI systems six months following the law’s enactment.


Jacob Horowitz is a contributing editor at Compliance Chief 360°
