Tag Archives: Zila Reyes Acosta-Grimes

CFPB’s Report on Buy Now, Pay Later

by Courtney M. Dankworth, Alexandra N. Mogul, Gregory J. Lyons, Courtney Bradford Pike, Zila Reyes Acosta-Grimes, and Jehan A. Patterson

On Thursday, September 16, 2022, the Consumer Financial Protection Bureau (“CFPB” or the “Bureau”) published a report (the “Report”) detailing the regulatory risks of Buy Now, Pay Later (“BNPL”) products in response to last December’s market monitoring orders to five BNPL companies.

BNPL generally refers to a credit product offered by a third-party institution that enables consumers to split the payment for a retail transaction into four equal installments: the first payment is a down payment due at checkout, and the remaining payments are made in two-week intervals over the next six weeks. BNPL lenders do not charge interest; rather, they earn revenue in the form of late fees and, in some instances, transaction fees.

This blog post first provides a brief overview of some of the unique qualities of the BNPL industry, which has been experiencing significant growth over the past few years. It then outlines the key risks to consumers posed by the BNPL industry as highlighted in the Report as well as the Bureau’s stated next steps for increasing its oversight of the industry. At least in the near term, it appears that the Bureau intends to exercise its jurisdiction over BNPL lenders through supervisory examinations and the issuance of interpretive rules or similar guidance to provide consumers with protections similar to those in the traditional credit card space. This blog post outlines steps that BNPL lenders may wish to consider taking to mitigate the potential risks to consumers that the Report identifies.


Tips for Creating a Sensible Cybersecurity and AI Risk Framework for Critical Vendors

by Avi Gesser, Anna Gressel, Zila Reyes Acosta-Grimes, and Michael Bloom

Companies face increasing cybersecurity and AI risk from third-party vendors. Cybersecurity risks arise when companies share sensitive personal data or company information with their vendors or when their vendors have direct access to the company’s information systems. Companies using AI technology that is developed by a vendor can also face risk if the AI behaves unexpectedly and that behavior results in negative impacts, including on critical business operations. In recognition of these kinds of third-party data risks, on October 30, 2020, federal banking agencies—including the Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency (“OCC”) and the Federal Deposit Insurance Corporation (“FDIC”)—released a joint paper (the “Joint Paper”) outlining sound practices designed to help banks increase operational resilience.


First Enforcement Action by New York DFS Under Its Cyber Rules Shows Where Companies Face Regulatory Risk – Six Quick Takeaways

by Luke Dembosky, Jeremy Feigelson, Avi Gesser, Jim Pastore, Lisa Zornberg, Zila Reyes Acosta-Grimes, Michael Bloom, Christopher S. Ford, and Mengyi Xu

The New York State Department of Financial Services (“DFS”) issued a Statement of Charges and Notice of Hearing (the “Charges”) on July 21, 2020 against First American Title Insurance Company (“First American”) for multiple violations of the DFS Part 500 Cybersecurity Regulation (the “Regulation”), including:

    • Failure to perform an adequate risk assessment
    • Failure to maintain proper access controls
    • Failure to provide adequate security training for cybersecurity employees
    • Failure to encrypt certain nonpublic information

The Charges carry potential penalties of up to $1,000 per violation, and in its press release, the DFS asserts that each instance of nonpublic information that was accessed by an unauthorized person constitutes a separate violation. The Charges allege that hundreds of millions of documents were at risk, more than 350,000 documents were accessed without authorization, and a sample of 1,000 documents found that 30% contained nonpublic information.


FBI Warns of a Rise in Business Email Compromise Scams — Tips for Preventing and Responding to BECs in Remote Work Environments

by Avi Gesser, Zila Reyes Acosta-Grimes, Christopher S. Ford, Robert Maddox, and Brenna Rae Sooy

On June 9, Calvin A. Shivers, Assistant Director of the Criminal Investigative Division of the FBI, testified before the Senate Judiciary Committee regarding a variety of frauds during COVID-19, including Business Email Compromise (“BEC”) frauds and the FBI’s response.

BECs are among the most successful and persistent forms of cyber attacks. Indeed, the FBI has seen increases in cyber-enabled financial fraud like BECs every year since 2013. In 2019 alone, the FBI reported 23,775 BECs and email account compromise complaints that led to adjusted losses of over $1.7 billion. For example, on May 13, the Norwegian Investment Fund for developing countries, Norfund, announced it was the victim of a BEC fraud, whereby cyber criminals diverted a $10 million loan intended for a microfinance institution in Cambodia. The fraud took place on March 16, but it was not discovered until April 30 when the hackers attempted a second fraud. Further, on April 6 and April 13, the FBI warned that, due to COVID-19-related disruptions, many businesses have become more vulnerable to BECs.


BSA/AML and KYC in a Crisis: Supervisors Provide Guidance as Financial Institutions Respond to the COVID-19 Pandemic

by Satish M. Kini, David G. Sewell, Zila Reyes Acosta-Grimes, Isabel Espinosa de los Reyes, Robert T. Dura, and Jonathan R. Wong

As the COVID-19 pandemic continues to unfold, the U.S. Congress, Treasury Department and Federal Reserve have taken extraordinary measures that would have been unimaginable just weeks ago in an attempt to stabilize the U.S. economy. Financial institutions are on the front lines of many of the new programs and are otherwise taking steps to support customers and communities affected by the crisis—while also protecting their employees through remote work arrangements and other measures.

Meeting obligations under the Bank Secrecy Act (the “BSA”) and associated anti-money laundering (“AML”) regulations—as well as supervisory know your customer (“KYC”) expectations—is challenging under ordinary circumstances and even more so in these conditions. Regulators have begun to offer guidance regarding their BSA expectations in these challenging circumstances. We highlight and summarize relevant developments below.