This past week, co-defendants in a class action related to the theft of cryptocurrency engaged in their own lawsuit over alleged security failures.  IRA Financial Trust, a retirement account provider offering crypto-assets, sued class action co-defendant Gemini Trust Company, LLC, a crypto-asset exchange owned by the Winklevoss twins, following a breach of IRA customer accounts.  IRA claims that Gemini failed to secure a “master key” to IRA’s accounts, and that hackers were able to exploit this alleged security flaw to steal tens of millions of dollars of cryptocurrency.  This lawsuit demonstrates the growing trend of cryptocurrency thefts resulting from cyber breaches, and ensuing litigation activity.


A bank partnership is the target of yet another “true lender” attack in a new class action filed last week.  Michael v. Opportunity Fin., LLC, No. 1:22-cv-00529 (W.D. Tex. June 1, 2022).  The lawsuit is aimed at the lending partnership between OppFi (a fintech) and FinWise Bank (its bank partner), which was also the target of a recent investigation by California’s banking regulator and another class action earlier this year.  This latest development cements a growing trend of true lender attacks after Congress repealed a regulation on the topic last year, dashing hopes of a uniform and predictable standard to identify the “true lender” in bank partnerships.


A recent class action refiled in federal court against Shopify highlights a growing trend of lawsuits against companies related to the theft of cryptocurrency, particularly as a result of internal company threats. See Forsberg et al v. Shopify, Inc. et al, 1:22-cv-00436 (D. Del.). Despite not itself being a repository for or facilitating the sale of any cryptocurrency, the plaintiffs in the Shopify case allege that Shopify is liable for a theft of cryptocurrency after Shopify experienced a data breach caused by its own employees, which exposed a customer list for a cryptocurrency hardware wallet vendor, Ledger SAS. As cryptocurrency storage and related transactions increasingly feature in companies’ online presence, there is likely to be a growing risk posed by threat actors motivated to target crypto-related assets and data, and more litigation activity in this space.

According to the complaint, the Shopify case arose from a 2020 data breach.  In the cryptocurrency space, actual units of currency (e.g., bitcoin) are stored in digital “wallets” that are protected by “private keys.”  Private keys are access codes known only to the owner of the wallet.  Owners of cryptocurrency can store these private keys in internet-accessible databases and/or in physical devices or storage spaces that are not connected to the internet. 

Plaintiffs allege that Ledger SAS is a vendor of these physical devices and that it used Shopify as its e-commerce platform.  Because of this, they contend that Shopify possessed a list of customers who had purchased Ledger devices, including full names, emails, and physical addresses, and that this information allegedly was leaked by “two rogue members of [Shopify’s] support team” at the behest of a hacker.  Plaintiffs aver that Shopify’s alleged negligence in failing to prevent the data breach, coupled with allegedly delayed notice, allowed hackers to use the information to launch phishing attacks against plaintiffs and putative class members resulting in the loss of cryptocurrency and other injuries.  While Shopify and Ledger initially succeeded in securing dismissal of the lawsuit on personal jurisdiction grounds when it was filed in federal district court in California, a different set of named plaintiffs has since refiled these claims in the District of Delaware, where Shopify USA is incorporated.

Due to the nature of cryptocurrency valuations, the individual damages claims in these cases have the potential to exceed the more nominal individual amounts in a typical data breach case where the primary payout is identity theft protection services.  Furthermore, cryptocurrency transactions often are non-reversible, so unlike thefts from traditional online banking services, it may be difficult or impossible to claw back stolen crypto funds.  Other cases have been filed recently involving similar theories relating to data breaches that allegedly resulted in the theft of cryptocurrency, including in the Northern and Central Districts of California, suggesting that this area will continue to face increasing litigation activity.

This post has been updated.

On 20 April 2022, the UK Financial Conduct Authority (“FCA”) published its Policy Statement PS 22/3 on disclosures regarding diversity and inclusion targets for the boards and executive committees of UK-listed companies. These measures reflect the growing importance of Environmental, Social and Governance (“ESG”) considerations, and have gained particular traction in the financial services sector, forming a key part of investment decisions. Indeed, July 2021 saw the FCA home in on the “S” and “G” components of ESG with its initial consultation on D&I-related proposals.

The disclosures proposed under the policy statement (see Appendix 1) enhance market participants’ engagement with ESG, building on, and amending, the Listing Rules (“LRs”) and Disclosure Guidance and Transparency Rules (“DTRs”). Amendments to the LRs and DTRs oblige in-scope companies to annually disclose whether they meet specific diversity targets in relation to gender and ethnicity.

What are in-scope companies required to disclose?

Applicable to UK and overseas issuers with a premium or standard listing, amended LR9 and LR14 introduce ongoing listing obligations. In-scope companies must include a statement in their annual financial report setting out whether they have met specific board diversity targets, including:

  1. at least 40% of the board to be women;
  2. at least one of the senior board positions (Chair, Chief Executive Officer, Chief Financial Officer or Senior Independent Director) to be held by a woman; and
  3. at least one director to have a minority ethnic background.

The disclosures must be made by reference to a specific reference date selected by the company during the relevant accounting period.

In-scope companies are further mandated to: (1) make numerical disclosures in standardised reporting tables on board composition and senior levels of executive management by either sex or gender and ethnic identities (see Annex 2 to the LRs); (2) show how diversity policies apply to board and executive committees; and (3) clarify the elements of diversity to which such diversity policies relate.

These disclosures are to be made on a “comply or explain” basis, such that those in-scope companies that do not meet the targets will need to explain why. Where in-scope companies have members of their board or executive management situated overseas, and local law restricts the collation and publication of relevant data, they may instead explain the extent to which they are unable to make the numerical disclosures. In-scope companies must also provide an explanation of their data collation approach. Guidance as to what this explanation should entail has been issued under LR 9.8.6IG and LR 14.3.36G, highlighting the need for consistency in approach, and an overview as to the methodology or source of the data used.

The FCA has also issued additional guidance on disclosures under LR 9.8 and LR 14.3. As part of their annual reports, in-scope companies may also wish to include the following information:

  1. A brief summary of any key policies, procedures and processes that contribute to improving board and executive management diversity;
  2. Any mitigating factors or circumstances that make achieving board diversity more challenging; and
  3. Any risks the company has identified in meeting board diversity targets in the next accounting period, or any plans to improve diversity.

The FCA has also extended DTR 7.2.8AR to require in-scope companies with a diversity policy to describe their particular policy for remuneration, audit and nominations committees. Diversity policy reporting will have to take stock of wider diversity characteristics, comprising ethnicity, sexual orientation, disability and socio-economic background.

Timings

The disclosures come into force for financial years beginning on or after 1 April 2022 (with a view to being assessed after three years). This means that the new disclosures will effectively appear in in-scope companies’ annual reports from Q2 2023 onwards.

The FCA has, nonetheless, encouraged companies whose financial years began before 1 April 2022 to consider voluntarily reporting on D&I targets.  Given the prominence of ESG, coupled with existing voluntary D&I initiatives (including the FTSE Women Leaders Review, the Hampton-Alexander Review and the Parker Review), it will not be surprising to see any such voluntary reporting in an effort to attract investors in an increasingly competitive marketplace.

Practical Steps

In-scope companies should begin to take stock of their D&I initiatives and ready themselves for the new disclosure regime. They should pay particular attention to:

  1. Defining and identifying “executive management” for the purposes of understanding which individuals will be in-scope for the new rules;
  2. How relevant data will be collated, including the nature of the data collection process and associated disclosures; and
  3. Any mitigating factors or circumstances that may make achieving board diversity more challenging.

 

On March 30, 2022, the Federal Deposit Insurance Corporation (“FDIC”) released a proposed policy statement related to sound management of exposures to climate-related financial risks (the “Proposal”).  The Proposal is targeted at FDIC-supervised financial institutions with more than $100 billion in total consolidated assets (“covered banks”) and is intended to provide a high-level framework for the safe and sound management of climate-related financial risks by covered banks and serve as the basis for more detailed guidance the FDIC expects to issue in the future.

The Proposal includes both a general set of principles for the management of climate-related financial risks and brief descriptions of how those risks can be assessed in various risk categories.  In these substantive respects, the Proposal effectively mirrors a similar proposal issued by the Office of the Comptroller of the Currency in December 2021 on a nearly verbatim basis.  (See Covington’s prior client alert on that OCC proposal here for a discussion of the substance of that proposal, which applies equally to the FDIC’s more recent Proposal.)  However, the preamble discussion that accompanies the Proposal does include several statements not contained in the December 2021 OCC proposal, most notable of which are statements that “the manner in which financial institutions manage climate-related financial risks to address safety and soundness concerns should also seek to reduce or mitigate the impact that management of these risks may have on broader aspects of the economy, including the disproportionate impact of risk on LMI and other disadvantaged communities” and that “[t]hrough this and any subsequent climate-related financial risk guidance, the FDIC will continue to encourage institutions to prudently meet the financial services needs of their communities.”

Like the OCC’s December 2021 proposal, the Proposal both requests public comment in general and poses a range of specific questions for commenters to consider.  These questions largely mirror those posed in the OCC proposal, but also include an additional question asking whether the FDIC or other agencies should “modify existing regulations and guidance, such as those associated with the Community Reinvestment Act, to address the impact climate-related financial risks may have on LMI and other disadvantaged communities.”

Comments are due sixty days after the Proposal is published in the Federal Register, which is likely to occur in the next several weeks.

In the wake of rulings upholding federal regulators’ “valid when made” rules, a new lawsuit serves as a reminder that state regulators and class-action plaintiffs’ lawyers may continue to challenge the bank partnership lending model under the “true lender” doctrine.


Delivering a significant win for the financial services industry, a California federal judge upheld “valid when made” rules promulgated by the Office of the Comptroller of the Currency (OCC) and the Federal Deposit Insurance Corporation (FDIC) in California v. OCC, No. 4:20-cv-05200 (N.D. Cal. Feb. 8, 2022) and California v. FDIC, No. 4:20-cv-05860 (N.D. Cal. Feb. 8, 2022).  Those rules sought to undo the Second Circuit’s 2015 decision in Madden v. Midland Funding—a decision that class-action plaintiffs’ lawyers and state regulators have invoked to bring lawsuits challenging so-called “rent-a-bank” schemes between banks and third parties.  The rules were finalized in June and July 2020, and established a bright-line rule that the interest rate charged on a bank-made loan may still be charged after the loan is sold to a third party.


On December 16, 2021, the Office of the Comptroller of the Currency (“OCC”) issued draft principles (the “Proposal”) on the identification and management of climate-related financial risks by OCC-supervised banks with more than $100 billion in total consolidated assets (“covered banks”). The Proposal is intended to provide a high-level framework for the safe and sound management of climate-related financial risks by covered banks and will serve as the basis for more detailed guidance applicable to all OCC-supervised banks. Feedback on the Proposal is due by February 14, 2022; the OCC has indicated that subsequent guidance will incorporate the feedback received on the Proposal and distinguish the roles and responsibilities of boards of directors and management.


On Thursday, October 21, 2021, the Financial Stability Oversight Council released a Report on Climate-Related Financial Risk (the “Report”). The Report represents the culmination of a deliberative process that began on May 20, 2021, when President Biden signed an Executive Order on Climate-Related Financial Risk. The Report is a milestone for the Biden Administration, and it confirms a clear new consensus among regulatory leadership that climate risk mitigation is a core priority for federal financial agencies.


On Tuesday, July 13, 2021, the Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency, and the Federal Deposit Insurance Corporation (collectively, the “Agencies”) invited public comment on proposed interagency guidance on managing risks associated with third-party relationships (the “Proposed Guidance”). By harmonizing for the first time the Agencies’ supervisory expectations and guidance on third-party risk management, which has become a significant supervisory priority in recent years, the Proposed Guidance would promote consistency in how the Agencies will assess banking organizations’ third-party risk management.
