Inside Privacy - Updates on Developments in Global Privacy & Data Security

On April 4, 2012, Fiserv, one of the largest payment processing service providers for the banking industry, released a white paper analyzing the current state of multi-channel banking, which is a consumer’s use of more than one channel to conduct banking activities.  The white paper, titled “Snacking, Lunching and Fine Dining: How Mobile is Reshaping Every Banking Channel,” argues that mobile banking’s evolution from informational services, such as balance inquiries and ATM locations, to transactional services, such as bill payment and funds transfers, impacts all three of the primary banking channels: branch banking, online banking, and mobile banking. 

The white paper analogizes mobile banking to snacking, online banking to lunching, and branch banking to fine dining based on the consumer’s level of interaction with the bank.  A consumer’s use of mobile banking is akin to snacking because the consumer’s interaction is quick and may have a sense of urgency.  For example, a consumer may use mobile banking to check his or her balance or pay a bill immediately before its due date.  Online banking is similar to lunching in that the interaction is more structured and routine than mobile banking.  Online banking is conducive to in-depth and periodic self-service banking activities, including managing budgets and finances.  Branch banking is comparable to fine dining because consumers now only rarely visit their local bank branches to conduct banking activities.  Typically, consumers visit their bank branches for infrequent consultative services that require substantial interaction. 

Optimizing consumers’ multi-channel banking experiences ultimately will provide a number of benefits to banks and consumers, including increased efficiency from focusing on the delivery of specific services in the particular channel that is the most used by consumers.  Privacy and security are one impediment to consumers' adoption of mobile banking services.  Accordingly, banks' ability to enhance privacy and security in connection with services delivered through the mobile channel ultimately will help determine the extent to which they profit from multi-channel banking.     

Last year, the Federal Financial Institutions Examination Council (FFIEC) released a much-anticipated supplement to its Authentication in an Internet Banking Environment guidance.  The supplement updates the FFIEC’s supervisory expectations regarding depository institutions’ customer authentication, layered security, and other controls for Internet banking.  Starting this year, FFIEC information technology examinations will include reviews for compliance with the supplement. 

A study released by Guardian Analytics suggests that institutions are moving towards compliance with the supplement but may not be completely prepared for FFIEC IT examinations to be conducted in 2012.  The Guardian Analytics study polled executives at 100 U.S.-based financial institutions in November 2011.  The study found that 43 percent of institutions had not yet completed a risk assessment of online banking, and 41 percent had not developed a plan for addressing online banking security gaps.  Further, 22 percent of institutions had not reviewed the FFIEC supplement.  It is expected that the supplement will be a hot topic throughout 2012 as FFIEC IT examinations reveal the agencies’ stance on the supplement as well as institutions’ compliance with the supplement.    

In a report released on September 28, 2011, Verizon concluded that only 21 percent of organizations subject to the payment card industry’s data security standards (PCI-DSS) were fully compliant with PCI-DSS.  Verizon’s prior report found that 22 percent of organizations were fully compliant with PCI-DSS.  The PCI-DSS consist of 12 requirements relating to an organization’s information security for cardmember data.  The report is based on PCI assessments conducted by Verizon’s team of qualified security assessors and investigations of security breaches.  Verizon found that organizations most often struggled with Requirements 3 (protection of stored data), 11 (testing security systems and processes), and 12 (maintain a policy that addresses information security).   The report contains a number of interesting observations about the industry’s approach to complying with the 12 PCI-DSS requirements.

PCI compliance is essential for merchants and payment processors that accept, store, or transmit cardmember data.  PCI compliance routinely is assessed in the context of strategic transactions and becomes a focal point in the event of a data breach.

Today, the Consumer Financial Protection Bureau ("CFPB") assumed certain powers and authorities set forth in Title X of the Dodd-Frank Wall Street Reform and Consumer Protection Act.  The CFPB is tasked with implementing and enforcing Federal consumer financial laws to ensure that consumers have access to markets for consumer financial products and services, and that such markets are "fair, transparent, and competitive."  The CFPB is an independent bureau within the Federal Reserve System and headed by a director appointed by the President and confirmed by the Senate.  President Obama recently nominated Richard Cordray, former Ohio Attorney General, to serve as the CFPB’s director.  Mr. Cordray has not yet been confirmed by the Senate.

Once it has a confirmed Director, the CFPB will have rulemaking authority and, with respect to certain entities, enforcement authority under certain federal laws with privacy implications, such as the Fair Credit Reporting Act, Fair Debt Collection Practices Act, and the financial privacy sections of the Gramm-Leach-Bliley Act.  The CFPB also will enforce with respect to certain entities consumer protection regulations already promulgated by other federal agencies under these Federal consumer financial laws.  In addition, select classes of nonbank institutions will be subject to regular supervision by CFPB examiners for compliance with these Federal consumer financial laws.

The CFPB will have more limited authority until a Director is confirmed, although the full scope of this limited authority during the interim period is not entirely clear.

Additional information regarding the CFPB can be found in an alert we prepared for clients following Dodd-Frank’s passage.

The Society for Worldwide Interbank Financial Telecommunication, or SWIFT, provides an organizational platform for facilitating international payments.  U.S. and foreign financial institutions use SWIFT messages to initiate, process, receive, and settle payment orders.  The amount of information exchanged via SWIFT is immense.  More than 9,000 financial institutions in 209 countries rely on SWIFT to process international payments, and an average of 17,000,000 SWIFT messages are sent in a given day.  SWIFT messages contain sensitive financial information about consumers, businesses, and governments and for that reason raise unique financial privacy concerns.

In recent years, governments such as the United States have obtained access to the SWIFT database, including transactions involving citizens as well as foreign residents, in order to combat terrorism.  However, certain countries have criticized and pushed back against such access out of concerns for their citizens’ privacy.  In 2010, the United States and European Union reached an agreement whereby SWIFT message information will be made available only for the purpose of preventing, detecting, and prosecuting terrorism and only upon a showing that such information is necessary.

More broadly, the Dodd-Frank Act provides for Federal Reserve supervision of systemically important payment and settlement activities, and it is generally expected that the international payments system will receive more attention from regulators in the future.  For instance, recent Treasury rulemakings have requested further comment on the subject of non-U.S. payment and settlement providers. 

On April 7, 2011, the Securities and Exchange Commission announced a total of $55,000 in fines against three former executives of a securities broker-dealer for violations of the privacy and safeguard rules in Regulation S-P.  The fines mark the first time the SEC has imposed administrative fines for violations of these rules.  Copies of the SEC’s announcement and orders can be found here. 

The SEC alleged that, in the course of winding down the business operations of GunnAllen Financial, the former president and former national sales manager downloaded customer records, including names and addresses, account numbers, and asset values, and provided the records to the sales manager’s new employer.  The SEC found that their actions violated the privacy rule, which obligates broker-dealers to give customers a reasonable opportunity to opt out before customer information is shared with unaffiliated third-parties, and the safeguards rule, which requires broker-dealers to have adequate policies and procedures in place to safeguard customer data.  The SEC found that the company’s former chief compliance officer was culpable for violations of the safeguards rule.  The SEC also found that the company’s policies and procedures were inadequate because they simply recited Regulation S-P and were not modified over time, even after the company was affected by security breaches.

According to a Federal Deposit Insurance Corporation survey of depository institutions, approximately 38 percent of institutions offer some form of remote deposit capture (RDC) service.  RDC enables a customer to deposit checks and other items electronically through the internet or the customer’s mobile phone.  The service was first authorized in 2004 when Congress passed the “Check Clearing for the 21st Century Act.”  RDC may help an institution expand its geographic reach by offering deposit services to customers who are not located nearby one of the institution’s branches or other offices.  However, the federal banking agencies are mindful of the risks involved with RDC services, including the need to protect customers’ nonpublic personal information, and have stressed sound risk management practices tailored to RDC.

The federal banking agencies recommend that institutions address RDC services in their existing risk assessments, implement physical and logical access controls over RDC data and services, impose risk-based guidelines to determine which customers should be eligible for use of the service, offer RDC training for customers, and consider applicable laws and regulations such as the Check Clearing for the 21st Century Act, Federal Reserve Regulation CC and Regulation J, applicable state laws and regulations, and other guidance.  Risk management for RDC should also address the use of third-party vendors and service providers.  According to the survey, 68 percent of institutions that offer RDC rely on either a third-party program or third-party software or hardware owned by the third-party.  For this reason, institutions should pay close attention to third-party risk in providing RDC services.