SEC and CFTC Issue Final Identity Theft Rule

Last week, the Securities and Exchange Commission (SEC) and Commodity Futures Trading Commission (CFTC) published in the Federal Register a joint rule requiring entities regulated by the agencies to adopt programs to detect and prevent identity theft.  The rule is referred to as the “red flags rule” and applies to certain broker-dealers, mutual funds, investment advisers, futures commission merchants, retail foreign exchange dealers, commodity trading advisors, commodity pool operators, introducing brokers, swap dealers, major swap participants, and certain other entities regulated by the SEC and CFTC that qualify as a “financial institution” or “creditor” under the Fair Credit Reporting Act.  The SEC and CFTC promulgated the rule pursuant to the Dodd-Frank Act, which amended the Fair Credit Reporting Act to require the SEC and CFTC to adopt the red flags rule.  Prior to the Dodd-Frank Act, only the federal banking regulators and the Federal Trade Commission were required to adopt red flags rules applicable to the entities under their jurisdiction.  Entities will be expected to comply with the rule by November 20, 2013.

The SEC and CFTC’s final rule requires affected entities offering or maintaining a “covered account” (generally, an account for personal, family, or household purposes that is designed to permit multiple transactions, such as a broker-dealer brokerage account) to develop and implement a written identity theft prevention program that is designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account.  The program should be appropriate to the size and complexity of the entity and the nature and scope of its activities. 

The program is required to include reasonable policies and procedures to:

(1) Identify relevant Red Flags (activities that indicate the possible existence of identity theft) for the covered accounts that the entity offers or maintains, and incorporate those Red Flags into its program;

(2) Detect Red Flags that have been incorporated into the entity’s program;

(3) Respond appropriately to any Red Flags that are detected to prevent and mitigate identity theft; and

(4) Ensure the program is updated periodically, to reflect changes in risks to customers and to the safety and soundness of the entity from identity theft.  

The SEC and CFTC’s red flags rule is nuanced, particularly in defining the entities that are subject to its requirements.  SEC- and CFTC-regulated entities should review the rule carefully to determine whether they are required to develop identity theft prevention programs.

Federal Reserve Releases Report on Mobile Banking and Mobile Payments Use

On March 27, 2013, the Federal Reserve released a report on consumers’ use of mobile banking and mobile payments.  The report follows a similar report issued by the Federal Reserve last year.  The report found that use of mobile banking has increased significantly in the past year and that use of mobile payments has increased as well.

As of November 2012, 28 percent of all mobile phone users (compared to 21 percent in December 2011) and 48 percent of smartphone users (compared to 42 percent in December 2011) had used mobile banking in the past 12 months.  The recent report found that 15 percent of all smartphone users have made a payment from their phone in the past 12 months, compared to 12 percent of users from the prior report.  In addition, the use of mobile phones to deposit checks has doubled in the past year, rising from approximately 10 percent to 21 percent.      

The most common uses of mobile banking are to check account balances or recent transactions (87 percent of users) and to transfer money between accounts (53 percent of users).  The most common use of mobile payments is to make online bill payments (42 percent of users).  Six percent of all smartphone users have made a point-of-sale payment using their phone in the past 12 months, which represents a sizable increase from the one percent of users in December 2011. 


House Passes Legislation Eliminating Annual GLBA Privacy Notice Requirement

Earlier this week, the House of Representatives passed H.R. 749, the Eliminate Privacy Notice Confusion Act.  The bill is sponsored by Rep. Blaine Luetkemeyer (R-MO) and Rep. Brad Sherman (D-CA).  An earlier version of the bill passed the House in December but was never taken up by the Senate.  We previously covered similar legislation introduced by Representative Luetkemeyer.

The bill provides that a financial institution subject to the Gramm-Leach-Bliley Act (GLBA) requirement to send annual privacy notices to customers is excluded from that requirement if the institution (1) discloses customers’ nonpublic personal information to nonaffiliated third parties only pursuant to a GLBA exception from the overall opt-out framework (e.g., for processing or servicing a customer’s account, or to a service provider) and (2) has not changed its policies and practices with regard to disclosing nonpublic personal information from the policies and practices disclosed in the most recent notice sent to customers.  If either of these conditions ceases to apply, the institution would again be required to send an annual privacy notice.  The legislation is intended to lessen the regulatory burden on financial institutions, and the potential for customer confusion, from sending customers privacy notices that have not changed over time and that are generally available on institutions’ websites.

FTC Study Details Inaccuracies in Credit Reports

This week, the Federal Trade Commission released a study of the U.S. credit reporting industry and credit report accuracy.  The study found that five percent of consumers had errors on one of their three nationwide credit reports that could lead them to pay more for financial products.  The study is required under section 319 of the Fair and Accurate Credit Transactions Act of 2003.

The study evaluated 1,001 consumers and 2,968 credit reports.  Of these totals, the study found that as many as 206 consumers identified material errors in their credit reports.  The most common errors identified were errors in tradeline data (consumer accounts) and collections information.  Another common error was inaccuracies in the header information such as current and previous address, age, and employment.

The FTC study is the first major study to take into consideration all of the primary groups that play a role in the credit reporting industry:  consumers; furnishers of information to consumer reporting agencies, including creditors, debt collection agencies, and courts; the Fair Isaac Corporation; and the national consumer reporting agencies.  The FTC will issue a final report on credit report accuracy in 2014.

President Obama Issues Cybersecurity Executive Order

In his State of the Union message on Tuesday, President Obama announced that he had signed an Executive Order addressing the cybersecurity of critical infrastructure.  President Obama emphasized that in the face of threats to corporate secrets, the power grid, and financial institutions, among others, “We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy.”

The Executive Order follows legislative efforts in the last Congress to pass comprehensive cybersecurity bills.  After the Cybersecurity Act of 2012 (S. 3414) failed to pass in August 2012, Deputy National Security Adviser John Brennan mentioned in an appearance at the Council on Foreign Relations that the President was considering issuing an Executive Order to implement portions of the cybersecurity legislation.  In the subsequent months, the White House sought industry input on the Order.

The Order has two main components: increasing information sharing from the government to the private sector and establishing a Cybersecurity Framework to buttress the security of critical infrastructure. 


FFIEC Proposes Social Media Guidance

On January 22, 2013, the Federal Financial Institutions Examination Council proposed guidance on the applicability of consumer protection and compliance laws, regulations, and policies to activities conducted via social media by depository institutions.  The proposed guidance would not impose additional compliance obligations on institutions.  Instead, the guidance is intended to help financial institutions understand potential consumer compliance, legal, reputation, and operational risks associated with the use of social media, along with expectations for managing those risks. 

The proposed guidance defines “social media” as “a form of interactive online communication in which users can generate and share content through text, images, audio, and/or video.”  The FFIEC warns that social media can impact a depository institution’s risk profile by increasing the risk of harm to consumers, compliance and legal risk, operational risk, and reputational risk. 


FDIC Highlights Mobile Payment Technologies and Related Risks

In its most recent issue of the Supervisory Insights newsletter, the Federal Deposit Insurance Corporation (FDIC) describes mobile payment technologies, the risks they pose to depository institutions, and the regulatory framework applicable to such technologies.  The FDIC notes the widespread use of smartphones as a payment technology and the increasing availability of point-of-sale terminals equipped to process payments using near-field communications.  Both of these factors require institutions to understand and adopt controls to mitigate risk from mobile payment technologies.


FTC Announces Amended Rule on Identity Theft "Red Flags"

On Friday, November 30, the Federal Trade Commission (FTC) issued an Interim Final Rule to amend its Red Flags Rule, which requires certain financial institutions and creditors to establish programs to detect, prevent and mitigate identity theft in connection with consumer accounts.  The Interim Final Rule narrows the definition of “creditor” in response to legislation passed by Congress in December 2010 (as covered in previous blog posts), excluding from the definition most doctors, lawyers, and other professionals who do not receive full payment at the time their service is furnished.  The rule is effective on February 11, 2013, and the FTC is seeking comments on the rule until that time.     

The Interim Final Rule narrows the circumstances under which creditors are covered by the Rule in an attempt to be consistent with Congress’s legislation. The amended Rule now provides that a creditor is covered only if, in the ordinary course of business, it regularly: (1) obtains or uses consumer reports in connection with a credit transaction; (2) furnishes information to consumer reporting agencies in connection with a credit transaction; or (3) advances funds to or on behalf of a person (except for a creditor who advances funds on behalf of the person for expenses incidental to a service provided by the creditor to that person).   

Under the Rule, covered entities’ Red Flag programs must: (1) include reasonable policies and procedures to identify signs – or “red flags” – of identity theft in the day-to-day operations of the business; (2) be designed to detect the red flags of identity theft known to the business; (3) set out the actions the business will take upon detecting red flags; and (4) re-evaluate its program periodically to reflect new risks.

CFPB Offers Assistance for Consumer Credit Reporting Complaints

Last week, the Consumer Financial Protection Bureau (CFPB) announced that it had established a process for assisting consumers with credit reporting complaints.  The CFPB previously had implemented similar processes for complaints relating to credit cards, mortgages, bank accounts and services, private student loans, and vehicle and other consumer loans.  The complaint process is intended to complement the CFPB’s recent initiatives to supervise the consumer reporting industry, including the CFPB’s final rule establishing its authority to supervise consumer reporting agencies and its examination manual for consumer reporting agencies.

The announcement makes clear that consumers should not file complaints with the CFPB in lieu of or before disputing inaccurate credit reporting information with the applicable consumer reporting agency.  Disputing inaccurate information with the applicable reporting agency preserves certain rights under the Fair Credit Reporting Act and serves as the most immediate way of resolving inaccurate information.  However, if the consumer is dissatisfied with the reporting agency’s resolution of the dispute, the announcement encourages the consumer to contact the CFPB.  The Federal Trade Commission has a similar process for assisting consumers with credit reporting complaints.

CFPB Study Assesses Differences in Credit Scores Sold to Consumers and Creditors

Last week, the Consumer Financial Protection Bureau (CFPB) released a study comparing credit scores sold to creditors and those sold to consumers.  The study found that approximately 1 in 5 consumers would, upon purchasing their credit score from a consumer reporting agency, receive a different credit score than the score provided to creditors for use in determining eligibility for products or services.  The study was required by section 1078 of the Dodd-Frank Wall Street Reform and Consumer Protection Act.

The study also found that differences in the scores provided to consumers versus creditors could harm consumers and that most consumers would never find out that the credit score given to them may not be the score in fact used by creditors.  To address these findings, the CFPB recommended that consumers shop around for credit and carefully review their credit reports. 

The CFPB commenced supervision of consumer reporting agencies on September 30, 2012.  The differences highlighted in the study will be one of the CFPB’s focal points during supervisory examinations.

FDIC Official Discusses Implementation of FFIEC Authentication Guidance

In an interview with Information Security Media Group, William Henley, Associate Director of the Federal Deposit Insurance Corporation’s (FDIC) Technology Supervision Branch, discussed the status of the banking industry’s implementation of FFIEC authentication guidance released in July 2011.  Henley generally said that the industry was working towards compliance and offered that FDIC examiners at this stage were looking for good faith efforts to comply:  “What the examiners were looking for were reasonable, good faith efforts that an institution was working toward compliance….If any institution was working toward a compliance plan, that's all they needed to do.”

He also described the federal banking agencies’ move away from “controls-based oversight” to “governance-based oversight.”  The agencies do not want to be in the position of constantly reacting to the newest form of technology through the issuance of internal controls guidance tailored to the technology.  Instead, the agencies would prefer to address emerging technology risks through requirements relating to robust risk management, board oversight, and broader risk mitigation strategies that can address any form of emerging technology.

The federal banking agencies have prioritized information security highly.  We will continue to monitor and report on developments.

FTC Obtains Second Largest Civil Penalty Under FCRA

An employment background screening company will pay a $2.6 million civil penalty to settle Federal Trade Commission charges under the Fair Credit Reporting Act.   The FTC alleged that HireRight Solutions, Inc., which compiles background reports to assist employers in making hiring and other employment-related decisions, is a consumer reporting agency since its reports “bear on . . . consumers’ general reputation and personal characteristics; and are used as a factor in determining eligibility for employment.”  The FTC charged that, as a consumer reporting agency, HireRight had an obligation to follow reasonable procedures to assure the maximum possible accuracy of the information in its consumer reports -- an obligation that the FTC says HireRight violated.

In addition to a $2.6 million civil penalty, the consent decree enjoins HireRight from failing to follow reasonable procedures to:

  • Ensure that its consumer reports reflect the current status of criminal records that have been expunged;
  • Prevent the inclusion of multiple entries for a single criminal offense; and
  • Prevent the inclusion of information about individuals other than the person about whom a consumer report pertains. 

The consent decree also enjoins HireRight from failing to provide consumers full access to records maintained about them or failing to investigate or respond promptly to consumer disputes about the accuracy of HireRight’s consumer reports.

According to press reports, this is the second largest civil penalty that the FTC has obtained under the FCRA.  In 2006, ChoicePoint, Inc. agreed to pay $10 million to settle claims under the FCRA. 

CFPB Issues Rule to Supervise Larger Participants in Consumer Reporting Market

The Consumer Financial Protection Bureau (CFPB) has issued a final rule to implement its authority under section 1024 of Dodd-Frank to subject “larger participants” in the consumer reporting market to CFPB supervision.  The rule will have significant consequences for companies in the consumer reporting industry.  The final rule follows a proposed rule issued in February 2012 indicating that the CFPB intended to supervise the consumer reporting market as part of the CFPB’s authority to supervise nonbank providers of consumer financial products and services.  The final rule is effective September 30, 2012. 

The final rule defines a “larger participant” in the consumer reporting market as a nonbank covered person that offers or provides consumer reporting and has annual receipts from consumer reporting in excess of $7 million.


FFIEC Issues Risk Management Guidance for Cloud Computing

On July 10, the Federal Financial Institutions Examination Council (FFIEC) issued risk management guidance for depository institutions’ use of cloud computing.  The guidance defines cloud computing generally as “a migration from owned resources to shared resources in which client users receive information technology services, on demand, from third-party service providers via the Internet ‘cloud.’”  The guidance also considers cloud computing to be a form of outsourcing subject to the risk management requirements set forth in the FFIEC Information Technology Examination Handbook for Outsourcing Technology Services.


First Circuit Finds Bank's Online-Security Procedures 'Commercially Unreasonable'

A bank that required a commercial customer to answer “challenge questions” for virtually all online payments and that did not implement other common security measures failed to provide a commercially reasonable level of security, the U.S. Court of Appeals for the First Circuit ruled this week.

The case arose when unknown hackers were able to make large electronic transfers over the course of seven days from Patco Construction’s accounts at Ocean Bank, a southern Maine community bank owned by People’s United Bank.  Patco lost more than $345,000. Patco sued People’s United, alleging that Ocean Bank’s security procedures were not “commercially reasonable,” and therefore the bank was liable for Patco’s loss under the Uniform Commercial Code.


Settlement Reached in Data Security Breach Lawsuit Against Bank

Yesterday, Village View, Inc. reached a settlement with Professional Business Bank, a California state-chartered bank subject to regulation by the Federal Deposit Insurance Corporation (FDIC), over the company’s lawsuit against the bank arising from a data security breach.  In March 2010, Village View lost nearly $400,000 after the company’s bank account was compromised by hackers.  The company brought suit against Professional Business Bank alleging, among other claims, that the bank failed to comply with the Federal Financial Institutions Examination Council’s (FFIEC) authentication guidance from 2005 and other FDIC guidance on identity theft.  Specifically, Village View’s complaint alleged that the bank used only single-factor authentication rather than the multifactor authentication called for by the FFIEC guidance.  The company announced that the settlement amount included the full amount of the lost funds plus interest.

The lawsuit and settlement are noteworthy insofar as they underscore the potential significance of the FFIEC guidance, including the FFIEC’s 2011 supplement to its authentication guidance, in mitigating both regulatory and litigation risk.

PCI Council Issues Guidance for Mobile Payment Acceptance

Yesterday, the Payment Card Industry Security Standards Council (PCI Council) issued guidance for merchants using smartphones or tablets to accept payments from customers.  The guidance follows up on the PCI Council Chairman’s pledge in February, as reported in this blog, to make mobile payments a top priority.  Payment card readers that attach to a smartphone or tablet have become popular in recent years because of their portability and low cost.

The guidance urges merchants to secure account data at the point of capture using validated point-to-point encryption (P2PE) solutions in order to maintain data security throughout the payment lifecycle.  In a validated P2PE solution, cardholder data is encrypted in the card reader before it enters the mobile device, so the merchant’s smartphone or tablet never handles cleartext card data.  These solutions also reduce the scope of merchants’ PCI compliance obligations.

Fiserv Releases White Paper on Multi-Channel Banking

On April 4, 2012, Fiserv, one of the largest payment processing service providers for the banking industry, released a white paper analyzing the current state of multi-channel banking, which is a consumer’s use of more than one channel to conduct banking activities.  The white paper, titled “Snacking, Lunching and Fine Dining: How Mobile is Reshaping Every Banking Channel,” argues that mobile banking’s evolution from informational services, such as balance inquiries and ATM locations, to transactional services, such as bill payment and funds transfers, impacts all three of the primary banking channels: branch banking, online banking, and mobile banking. 

The white paper analogizes mobile banking to snacking, online banking to lunching, and branch banking to fine dining based on the consumer’s level of interaction with the bank.  A consumer’s use of mobile banking is akin to snacking because the consumer’s interaction is quick and may have a sense of urgency.  For example, a consumer may use mobile banking to check his or her balance or pay a bill immediately before its due date.  Online banking is similar to lunching in that the interaction is more structured and routine than mobile banking.  Online banking is conducive to in-depth and periodic self-service banking activities, including managing budgets and finances.  Branch banking is comparable to fine dining because consumers now only rarely visit their local bank branches to conduct banking activities.  Typically, consumers visit their bank branches for infrequent consultative services that require substantial interaction. 

Optimizing consumers’ multi-channel banking experiences ultimately will provide a number of benefits to banks and consumers, including increased efficiency from delivering each service through the channel consumers use most for it.  Privacy and security concerns are one impediment to consumers’ adoption of mobile banking services.  Accordingly, banks’ ability to enhance privacy and security in services delivered through the mobile channel ultimately will help determine the extent to which they profit from multi-channel banking.

Federal Reserve Official Testifies Before Congress on Mobile Financial Services

On March 29, 2012, Director of the Federal Reserve’s Division of Consumer and Community Affairs Sandra Braunstein testified before the Senate Banking Committee on consumers’ use of mobile financial services.  Ms. Braunstein distinguished between “mobile banking,” which is a consumer’s use of a mobile device to interact with a financial institution, including checking balances and transferring funds, and “mobile payments,” which are purchases, bill payments, charitable donations, or payments to other persons using a mobile device.  After making this distinction, she referred to the Federal Reserve’s recent survey of consumers’ adoption of mobile banking and mobile payments.

The survey found that the most common reasons for consumers not adopting mobile banking were satisfaction with traditional banking services and concerns over security, including potential hackers and the perceived inadequacy of existing technology.  Consumers do not use mobile payments because of security concerns and because traditional payment forms such as cash or credit card can be regarded as being simpler or easier to use. 

These findings highlight the progress depository institutions must make to advance consumers’ use of mobile financial services: namely, enhance information security technology and inform consumers of the effectiveness of such technology.  Indeed, the survey concludes that “consumers’ perception that mobile banking and mobile payments are unsecure is currently one of the primary impediments to adoption.  If consumers’ perception of security issues changes—whether due to actual or perceived improvements—adoption rates may significantly increase.”

FFIEC Authentication Guidance to be a Hot Topic in 2012

Last year, the Federal Financial Institutions Examination Council (FFIEC) released a much-anticipated supplement to its Authentication in an Internet Banking Environment guidance.  The supplement updates the FFIEC’s supervisory expectations regarding depository institutions’ customer authentication, layered security, and other controls for Internet banking.  Starting this year, FFIEC information technology examinations will include reviews for compliance with the supplement. 

A study released by Guardian Analytics suggests that institutions are moving towards compliance with the supplement but may not be completely prepared for FFIEC IT examinations to be conducted in 2012.  The Guardian Analytics study polled executives at 100 U.S.-based financial institutions in November 2011.  The study found that 43 percent of institutions had not yet completed a risk assessment of online banking, and 41 percent had not developed a plan for addressing online banking security gaps.  Further, 22 percent of institutions had not reviewed the FFIEC supplement.  It is expected that the supplement will be a hot topic throughout 2012 as FFIEC IT examinations reveal the agencies’ stance on the supplement as well as institutions’ compliance with the supplement.    
