The SEC and CFTC’s final rule requires affected entities offering or maintaining a “covered account” (generally, an account for personal, family, or household purposes that is designed to permit multiple transactions, such as a broker-dealer brokerage account) to develop and implement a written identity theft prevention program that is designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account.  The program should be appropriate to the size and complexity of the entity and the nature and scope of its activities. 

The program is required to include reasonable policies and procedures to:

(1) Identify relevant Red Flags (activities that indicate the possible existence of identity theft) for the covered accounts that the entity offers or maintains, and incorporate those Red Flags into its program;

(2) Detect Red Flags that have been incorporated into the entity’s program;

(3) Respond appropriately to any Red Flags that are detected to prevent and mitigate identity theft; and

(4) Ensure the program is updated periodically, to reflect changes in risks to customers and to the safety and soundness of the entity from identity theft.  

The SEC and CFTC’s red flags rule is nuanced, particularly in defining the entities that are subject to its requirements.  SEC- and CFTC-regulated entities should review the rule carefully to determine whether they are required to develop identity theft prevention programs.

As of November 2012, 28 percent of all mobile phone users (compared to 21 percent in December 2011) and 48 percent of smartphone users (compared to 42 percent in December 2011) had used mobile banking in the past 12 months.  The recent report found that 15 percent of all smartphone users have made a payment from their phone in the past 12 months, compared to 12 percent of users from the prior report.  In addition, the use of mobile phones to deposit checks has doubled in the past year, rising from approximately 10 percent to 21 percent.      

The most common uses of mobile banking are to check account balances or recent transactions (87 percent of users) and to transfer money between accounts (53 percent of users).  The most common use of mobile payments is to make online bill payments (42 percent of users).  Six percent of all smartphone users have made a point-of-sale payment using their phone in the past 12 months, which represents a sizable increase from the one percent of users in December 2011. 

The report reiterated the reliance of the underbanked on mobile banking and mobile payments. In the past 12 months, almost 50 percent of underbanked consumers reported use of mobile banking and more than 30 percent reported use of mobile payments.

The bill provides that a financial institution subject to the requirement in the Gramm-Leach-Bliley Act (GLBA) to send annual privacy notices to customers is excluded from this requirement if the institution (1) only discloses customers’ nonpublic personal information to nonaffiliated third-parties pursuant to an exception in GLBA (e.g., for processing or servicing a customer’s account or to a service provider) from the overall opt-out framework and (2) has not changed its policies and practices with regard to disclosing nonpublic personal information from the policies and practices that were disclosed in the most recent notice sent to customers.  If either of these requirements ceases to apply, the institution would be required to send an annual privacy notice.  The legislation is intended to lessen the regulatory burden on financial institutions and potential for customer confusion in sending to customers privacy notices that have not changed over time and that are generally available on institutions’ websites. 

The study evaluated 1,001 consumers and 2,968 credit reports.  Of these totals, the study found that as many as 206 consumers identified material errors in their credit reports.  The most common errors identified were errors in tradeline data (consumer accounts) and collections information.  Another common error was inaccuracies in the header information such as current and previous address, age, and employment.

The FTC study is the first major study to take into consideration all of the primary groups that play a role in the credit reporting industry:  consumers; furnishers of information to consumer reporting agencies, including creditors, debt collection agencies, and courts; the Fair Isaac Corporation; and the national consumer reporting agencies.  The FTC will issue a final report on credit report accuracy in 2014.

The Executive Order follows legislative efforts in the last Congress to pass comprehensive cybersecurity bills.  After the Cybersecurity Act of 2012 (S. 3414) failed to pass in August 2012, Deputy National Security Adviser John Brennan mentioned in an appearance at the Council on Foreign Relations that the President was considering issuing an Executive Order to implement portions of the cybersecurity legislation.  In the subsequent months, the White House sought industry input on the Order.

The Order has two main components: increasing information sharing from the government to the private sector and establishing a Cybersecurity Framework to buttress the security of critical infrastructure. 

Section 7 of the Order turns to the Cybersecurity Framework.  Section 7 requires the Director of the National Institute of Standards and Technology to lead the development of a Cybersecurity Framework “to reduce cyber risks to critical infrastructure.”  The Framework will include “a set of standards, methodologies, procedures and processes that align policy, business, and technological approaches to address cyber risks” and “shall incorporate voluntary consensus standards and industry best practices to the fullest extent possible.”  The Framework’s guidance to critical infrastructure owners and operators will be “technology neutral” and preserve “a competitive market for products and services that meet the standards, methodologies, procedures and processes developed to address cyber risks.”  The Framework will be subject to “an open public review and comment process,” with a preliminary version to be published within 240 days and a final version to be issued within one year of the Order.

Section 8 of the Order directs the Secretary of Homeland Security and sector-specific agencies to establish a “voluntary program to support the adoption of the Cybersecurity Framework by owners and operators of critical infrastructure.”  The Secretary of Homeland Security is further directed to “coordinate establishment of a set of incentives” to promote participation by owners and operators of critical infrastructure in the Framework program.

The Order also contemplates regulation by sector-specific agencies based on the Cybersecurity Framework.  Section 10 directs sector-specific agencies that regulate critical infrastructure to report to the President on “whether the agency has clear authority to establish requirements based upon the Cybersecurity Framework to sufficiently address current and projected cyber risks to critical infrastructure” and “any additional authority required.”

For additional details and analysis, please see our client alert on the Executive Order.

On January 22, 2013, the Federal Financial Institutions Examination Council proposed guidance on the applicability of consumer protection and compliance laws, regulations, and policies to activities conducted via social media by depository institutions.  The proposed guidance would not impose additional compliance obligations on institutions.  Instead, the guidance is intended to help financial institutions understand potential consumer compliance, legal, reputation, and operational risks associated with the use of social media, along with expectations for managing those risks. 

The proposed guidance defines “social media” as “a form of interactive online communication in which users can generate and share content through text, images, audio, and/or video.”  The FFIEC warns that social media can impact a depository institution’s risk profile by increasing the risk of harm to consumers, compliance and legal risk, operational risk, and reputational risk. 

1. A governance structure with clear roles and responsibilities for the Board of Directors or senior management to direct how social media contributes to the strategic goals of the institution, establish controls, and assesses risk on an ongoing basis;
2. Policies and procedures regarding the use of social media and monitoring for compliance with consumer protection laws and regulations;
3. Due diligence for selecting and managing third-party service provider relationships in social media;
4. An employee training program for official, work-related use of social media and other uses of social media;
5. An oversight process for monitoring information posted to proprietary social media sites administered by the institution;
6. Audit and compliance functions to ensure ongoing compliance with internal policies and applicable laws and regulations; and
7. Parameters for appropriate reporting to the Board of Directors or senior management regarding the effectiveness of the risk management program.

The guidance also highlights the unique privacy risks raised by social media to institutions and their customers. In particular, the guidance notes the Gramm-Leach-Bliley Act, CAN-SPAM Act and Telephone Consumer Protection Act, Children’s Online Privacy and Protection Act, and Fair Credit Reporting Act as all posing unique compliance challenges to institutions using social media to advertise and provide financial products and services.

Comments to the proposed guidance must be submitted within 60 days of the guidance’s publication in the Federal Register. The FFIEC is requesting specific comment on the following three questions:

1. Are there other types of social media, or ways in which financial institutions are using social media, that are not included in the proposed guidance but that should be included?
2. Are there other consumer protection laws, regulations, policies or concerns that may be implicated by financial institutions’ use of social media that are not discussed in the proposed guidance but that should be discussed?
3. Are there any technological or other impediments to financial institutions’ compliance with otherwise applicable laws, regulations, and policies when using social media of which the Agencies should be aware?

• BSA/AML risk – risk that mobile payment technologies will violate the Bank Secrecy Act or other anti-money laundering requirements.
• Fraud risk – risk that mobile payment technologies will fail to prevent or deter unauthorized transactions.
• Compliance risk – risk that mobile payment technologies will be used in a manner that violates applicable consumer protection laws, disclosure requirements, and supervisory guidance.
• Credit/liquidity risk – risk that a loss will occur from a failure by a mobile payment technology to collect on a credit obligation or failure to meet a payments-based contractual commitment.
• Operations/IT risk – risk that mobile payment technologies will fail to protect confidential financial information.
• Reputation risk – risk that negative consumer experience from mobile payment technologies or from an incident resulting from mobile payment technologies will reflect poorly on the institution.
• Vendor management risk – risk that a third-party providing mobile payment technologies to an institution will fail to meet expectations or suffer bankruptcy. 

The article also describes the laws and regulations applicable to mobile payment technologies, including the Electronic Fund Transfer Act; Truth in Lending Act; truth in billing requirements; unfair, deceptive, or abusive acts or practices (UDAAP) requirements; Gramm-Leach-Bliley Act; and deposit insurance requirements.  The FDIC concludes by reminding institutions to consistently apply fundamentals of payments risk management, in particular with regard to oversight of third-party relationships.

The Interim Final Rule narrows the circumstances under which creditors are covered by the Rule in an attempt to be consistent with Congress’s legislation. The amended Rule now provides that a creditor is covered only if, in the ordinary course of business, it regularly: (1) obtains or uses consumer reports in connection with a credit transaction; (2) furnishes information to consumer reporting agencies in connection with a credit transaction; or (3) advances funds to or on behalf of a person (except for a creditor who advances funds on behalf of the person for expenses incidental to a service provided by the creditor to that person).   

Under the Rule, covered entities’ Red Flag programs must: (1) include reasonable policies and procedures to identify signs – or “red flags” – of identity theft in the day-to-day operations of the business; (2) be designed to detect the red flags of identity theft known to the business; (3) set out the actions the business will take upon detecting red flags; and (4) re-evaluate its program periodically to reflect new risks.

The announcement makes clear that consumers should not file complaints with the CFPB in lieu of or before disputing inaccurate credit reporting information with the applicable consumer reporting agency.  Disputing inaccurate information with the applicable reporting agency preserves certain rights under the Fair Credit Reporting Act and serves as the most immediate way of resolving inaccurate information.  However, if the consumer is dissatisfied with the reporting agency’s resolution of the dispute, the announcement encourages the consumer to contact the CFPB.  The Federal Trade Commission has a similar process for assisting consumers with credit reporting complaints.

The study also found that differences in the scores provided to consumers versus creditors could harm consumers and that most consumers would never find out that the credit score given to them may not be the score in fact used by creditors.  To address these findings, the CFPB recommended that consumers shop around for credit and carefully review their credit reports. 

The CFPB commenced supervision of consumer reporting agencies on September 30, 2012.  The differences highlighted in the study will be one of the CFPB’s focal points during supervisory examinations.

He also described the federal banking agencies’ move away from “controls-based oversight” to “governance-based oversight.”  The agencies do not want to be in the position of constantly reacting to the newest form of technology through the issuance of internal controls guidance tailored to the technology.  Instead, the agencies would prefer to address emerging technology risks through requirements relating to robust risk management, board oversight, and broader risk mitigation strategies that can address any form of emerging technology.

The federal banking agencies have prioritized information security highly.  We will continue to monitor and report on developments.

In addition to a $2.6 million civil penalty, the consent decree enjoins HireRight from failing to follow reasonable procedures to:

• Ensure that its consumer reports reflect the current status of criminal records that have been expunged;
• Prevent the inclusion of multiple entries for a single criminal offense; and
• Prevent the inclusion of information about individuals other than the person about whom a consumer report pertains. 

The consent decree also enjoins HireRight from failing to provide consumers full access to records maintained about them or failing to investigate or respond promptly to consumer disputes about the accuracy of HireRights’ consumer reports.   

According to press reports, this is the second largest civil penalty that the FTC has obtained under the FCRA.  In 2006, ChoicePoint, Inc. agreed to pay $10 million to settle claims under the FCRA. 

The final rule defines a “larger participant” in the consumer reporting market as a nonbank covered person that offers or provides consumer reporting and has annual receipts from consumer reporting in excess of $7 million.

A larger participant in the consumer reporting market will be notified if the CFPB intends to initiate a supervisory activity (e.g., examination) with respect to the participant.  The participant may contest the supervisory activity on the grounds that the participant does not meet the definition of “larger participant” by submitting a response to the CFPB. 

The CFPB’s final rule makes clear that supervision of larger participants will be “probabilistic” in nature.  The CFPB will examine certain larger participants on a periodic basis while other larger participants may be examined less frequently.  The CFPB’s supervisory decisions, including decisions regarding the frequency and extent of examinations, will be informed by statutory factors including the size and transaction volume of individual participants, the risks posed to consumers, and the extent of state consumer protection oversight.

• Due Diligence – Institutions should conduct due diligence with respect to the cloud computing provider to assess the provider’s controls to protect the confidentiality and integrity of data stored in the cloud, to determine whether data will be stored on servers used by other clients of the provider and, if so, the provider’s access controls, and to evaluate the provider’s disaster recovery and business continuity plans.
• Vendor Management – Institutions may require additional controls to manage cloud computing providers that have little experience with financial institution clients and may determine that retention of a particular provider is unacceptable due to the provider’s unwillingness or inability to satisfy bank regulators’ supervisory guidance.
• Audit – Institutions’ audit coverage should include outsourced cloud computing. 
• Information Security – Institutions should incorporate cloud computing services in existing information security policies, standards, and practices and ensure that data is protected and access to data is properly restricted.  An institution also should effectively monitor data security threats to the institution’s systems and to the provider’s systems and develop incident response methodologies. 
• Legal, Regulatory, and Reputational Considerations – Institutions should assess the extent to which cloud computing services increase the complexity of complying with applicable legal and regulatory requirements.  In addition, contracts with cloud computing providers should specify the providers’ obligations with respect to institutions’ responsibilities for compliance with privacy laws, for responding to and reporting security incidents, and for fulfilling regulatory requirements to notify customers and regulators of any breaches.
• Business Continuity – Institutions should determine whether the provider and the provider’s network carriers have adequate plans and resources to ensure institutions’ continuity of operations, as well as the ability to recover and resume operations if an unexpected disruption occurs.

The case arose when unknown hackers were able to make large electronic transfers over the course of seven days from Patco Construction’s accounts at Ocean Bank, a southern Maine community bank owned by People’s United Bank.  Patco lost more than $345,000. Patco sued People’s United, alleging that Ocean Bank’s security procedures were not “commercially reasonable,” and therefore the bank was liable for Patco’s loss under the Uniform Commercial Code.

Patco argued that by asking users to answer the challenge questions so frequently, the bank increased the risk of fraud  by providing more opportunities for hackers to intercept the information using keyloggers or other malware that might have infected a customer’s computer. Patco later found remnants of the Zeus/Zbot malware on its computers, although it could not determine whether that malware had captured Patco’s banking credentials. The First Circuit agreed that lowering the dollar threshold for challenge questions without implementing additional, compensating security measures “rendered Ocean Bank’s security procedures commercially unreasonable.” Accordingly, the First Circuit reversed the district court’s decision to grant summary judgment to the bank.

The lawsuit and settlement are noteworthy insofar they underscore the potential significance of the FFIEC guidance, including the FFIEC’s release in 2011 of a supplement to its authentication guidance, to mitigate both regulatory and litigation risk.   

The guidance urges merchants to secure account data at the point of capture using validated point-to-point (P2PE) solutions in order to maintain data security throughout the payment lifecycle.  A validated P2PE solution ensures that cardholder data is encrypted before it enters the mobile payment acceptance device.  These solutions also reduce the scope of merchants’ PCI compliance obligations.

The white paper analogizes mobile banking to snacking, online banking to lunching, and branch banking to fine dining based on the consumer’s level of interaction with the bank.  A consumer’s use of mobile banking is akin to snacking because the consumer’s interaction is quick and may have a sense of urgency.  For example, a consumer may use mobile banking to check his or her balance or pay a bill immediately before its due date.  Online banking is similar to lunching in that the interaction is more structured and routine than mobile banking.  Online banking is conducive to in-depth and periodic self-service banking activities, including managing budgets and finances.  Branch banking is comparable to fine dining because consumers now only rarely visit their local bank branches to conduct banking activities.  Typically, consumers visit their bank branches for infrequent consultative services that require substantial interaction. 

Optimizing consumers’ multi-channel banking experiences ultimately will provide a number of benefits to banks and consumers, including increased efficiency from focusing on the delivery of specific services in the particular channel that is the most used by consumers.  Privacy and security are one impediment to consumers' adoption of mobile banking services.  Accordingly, banks' ability to enhance privacy and security in connection with services delivered through the mobile channel ultimately will help determine the extent to which they profit from multi-channel banking.     

The survey found that the most common reasons for consumers not adopting mobile banking were satisfaction with traditional banking services and concerns over security, including potential hackers and the perceived inadequacy of existing technology.  Consumers do not use mobile payments because of security concerns and because traditional payment forms such as cash or credit card can be regarded as being simpler or easier to use. 

These findings highlight the progress depository institutions must make to advance consumers’ use of mobile financial services: namely, enhance information security technology and inform consumers of the effectiveness of such technology.  Indeed, the survey concludes that “consumers’ perception that mobile banking and mobile payments are unsecure is currently one of the primary impediments to adoption.  If consumers’ perception of security issues changes—whether due to actual or perceived improvements—adoption rates may significantly increase.”

A study released by Guardian Analytics suggests that institutions are moving towards compliance with the supplement but may not be completely prepared for FFIEC IT examinations to be conducted in 2012.  The Guardian Analytics study polled executives at 100 U.S.-based financial institutions in November 2011.  The study found that 43 percent of institutions had not yet completed a risk assessment of online banking, and 41 percent had not developed a plan for addressing online banking security gaps.  Further, 22 percent of institutions had not reviewed the FFIEC supplement.  It is expected that the supplement will be a hot topic throughout 2012 as FFIEC IT examinations reveal the agencies’ stance on the supplement as well as institutions’ compliance with the supplement.