The SEC and CFTC’s final rule requires affected entities offering or maintaining a “covered account” (generally, an account for personal, family, or household purposes that is designed to permit multiple transactions, such as a broker-dealer brokerage account) to develop and implement a written identity theft prevention program that is designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account.  The program should be appropriate to the size and complexity of the entity and the nature and scope of its activities. 

The program is required to include reasonable policies and procedures to:

(1) Identify relevant Red Flags (activities that indicate the possible existence of identity theft) for the covered accounts that the entity offers or maintains, and incorporate those Red Flags into its program;

(2) Detect Red Flags that have been incorporated into the entity’s program;

(3) Respond appropriately to any Red Flags that are detected to prevent and mitigate identity theft; and

(4) Ensure the program is updated periodically, to reflect changes in risks to customers and to the safety and soundness of the entity from identity theft.  

The SEC and CFTC’s red flags rule is nuanced, particularly in defining the entities that are subject to its requirements.  SEC- and CFTC-regulated entities should review the rule carefully to determine whether they are required to develop identity theft prevention programs.

As of November 2012, 28 percent of all mobile phone users (compared to 21 percent in December 2011) and 48 percent of smartphone users (compared to 42 percent in December 2011) had used mobile banking in the past 12 months.  The recent report found that 15 percent of all smartphone users have made a payment from their phone in the past 12 months, compared to 12 percent of users from the prior report.  In addition, the use of mobile phones to deposit checks has doubled in the past year, rising from approximately 10 percent to 21 percent.      

The most common uses of mobile banking are to check account balances or recent transactions (87 percent of users) and to transfer money between accounts (53 percent of users).  The most common use of mobile payments is to make online bill payments (42 percent of users).  Six percent of all smartphone users have made a point-of-sale payment using their phone in the past 12 months, which represents a sizable increase from the one percent of users in December 2011. 

The report reiterated the reliance of the underbanked on mobile banking and mobile payments. In the past 12 months, almost 50 percent of underbanked consumers reported use of mobile banking and more than 30 percent reported use of mobile payments.

The bill provides that a financial institution subject to the requirement in the Gramm-Leach-Bliley Act (GLBA) to send annual privacy notices to customers is excluded from this requirement if the institution (1) only discloses customers’ nonpublic personal information to nonaffiliated third-parties pursuant to an exception in GLBA (e.g., for processing or servicing a customer’s account or to a service provider) from the overall opt-out framework and (2) has not changed its policies and practices with regard to disclosing nonpublic personal information from the policies and practices that were disclosed in the most recent notice sent to customers.  If either of these requirements ceases to apply, the institution would be required to send an annual privacy notice.  The legislation is intended to lessen the regulatory burden on financial institutions and potential for customer confusion in sending to customers privacy notices that have not changed over time and that are generally available on institutions’ websites. 

The report focuses on the primary areas where the increasing use of mobile payments raises concerns, including dispute resolution, data security, and privacy.  The report also highlights special concerns regarding mobile carrier billing and international mobile payments.

• Dispute Resolution – Depending on the payment source used to fund the mobile payment, there may or may not be statutory protections to consumers for fraudulent payments or unauthorized charges.  Credit cards and debit cards are subject to statutory protections whereas gift cards are not.  Some companies have contractually provided comparable protections to gift cards as the protections provided statutorily to credit cards and debit cards.  The report suggests companies should develop clear policies regarding fraudulent and unauthorized charges and convey these policies to consumers. 
• Data Security – The report references the study issued last year by the Federal Reserve on the use of mobile payments and its finding that 42 percent of consumers cited data security as the reason why they have not used mobile payments.  In fact, technological advances in mobile payments offer the potential for increased data security.  For example, mobile payment technology allows for end-to-end encryption of data throughout the entire payment chain whereas traditional payment systems store or transmit data in an unencrypted form for part of the process.  The report reminds consumers to take advantage of existing data security controls, such as password protection, and directs mobile payment providers to increase data security as financial information moves through the payment channel and to encourage adoption of strong security measures by all companies in the mobile payments chain.
• Privacy – The use of mobile payments raises significant privacy concerns due to the high number of companies involved in the mobile payments ecosystem and the large amount of data being collected.  Companies in the ecosystem include banks, merchants, payment card networks, operating system manufacturers, hardware manufacturers, mobile phone carriers, application developers, and coupon and loyalty program administrators.  The report states that three practices from the FTC privacy report, Protecting Consumer Privacy in an Era of Rapid Change, apply to mobile payment companies:  (1) privacy by design, (2) simplified privacy choices for businesses and consumers, and (3) greater transparency. 
• Mobile Carrier Billing – Mobile carrier billing presents particular challenges because there are no federal statutory protections governing consumer disputes about fraudulent or unauthorized charges and because of the prevalent practice of “cramming” involving a third-party placing fraudulent charges onto consumers’ mobile carrier billings.  Consumers should have the ability to block all third-party charges on their mobile accounts and mobile carriers should clearly and prominently inform customers that third-party charges may be placed on accounts and explain how to block all such charges.  Mobile carriers also should establish clear dispute resolution processes.  The report also recommends as a general matter that entities involved in third-party billing conduct meaningful upfront vetting to ensure that only legitimate third-party merchants are able to place charges. 
• International Mobile Payment Issues – Mobile payments have developed extensively in other countries in varying forms.  Consumers in some countries, such as Kenya and the Philippines, use mobile payments for remittances and person-to-person money transfers.  The Organization for Economic Cooperation and Development’s (OECD) Committee on Consumer Policy is in the process of preparing policy guidance for governments and stakeholders on issues such as information disclosures for mobile payments, dispute resolution, and the varying levels of consumer protection among payment providers and payment vehicles. 

The FTC concludes the report by encouraging companies developing mobile payment products and services to create them with financial, security, and privacy protections in mind.  The FTC will continue to monitor mobile payments and evaluate whether consumers have adequate protections and the information they need to make informed choices.

The study evaluated 1,001 consumers and 2,968 credit reports.  Of these totals, the study found that as many as 206 consumers identified material errors in their credit reports.  The most common errors identified were errors in tradeline data (consumer accounts) and collections information.  Another common error was inaccuracies in the header information such as current and previous address, age, and employment.

The FTC study is the first major study to take into consideration all of the primary groups that play a role in the credit reporting industry:  consumers; furnishers of information to consumer reporting agencies, including creditors, debt collection agencies, and courts; the Fair Isaac Corporation; and the national consumer reporting agencies.  The FTC will issue a final report on credit report accuracy in 2014.

The supplement considers “cloud computing” to mean a model for enabling on-demand network access to a shared pool of computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or cloud provider interaction.  Both cloud computing users and cloud service providers (CSPs) have compliance responsibilities under the supplement that depend on a number of variables, including (1) the purpose for which the client is using the cloud service, (2) the scope of PCI DSS requirements that the client is outsourcing to the CSP, (3) the services and system components that the CSP has validated within its own operations, (4) the service option that the client has selected to engage the CSP (Infrastructure as a Service, Platform as a Service, or Security as a Service), and (5) the scope of any additional services the CSP is providing to proactively manage the client’s compliance. 

The supplement provides cloud-related considerations for each of the PCI-DSS standards and allocates responsibility for each consideration between the user and CSP depending on the specific service option.  There are a number of compliance challenges associated with the use of cloud computing, such as the lack of visibility into CSPs’ security infrastructure and oversight of cardholder data storage, and the supplement provides guidance for addressing those challenges within the context of the user-CSP relationship.

On January 22, 2013, the Federal Financial Institutions Examination Council proposed guidance on the applicability of consumer protection and compliance laws, regulations, and policies to activities conducted via social media by depository institutions.  The proposed guidance would not impose additional compliance obligations on institutions.  Instead, the guidance is intended to help financial institutions understand potential consumer compliance, legal, reputation, and operational risks associated with the use of social media, along with expectations for managing those risks. 

The proposed guidance defines “social media” as “a form of interactive online communication in which users can generate and share content through text, images, audio, and/or video.”  The FFIEC warns that social media can impact a depository institution’s risk profile by increasing the risk of harm to consumers, compliance and legal risk, operational risk, and reputational risk. 

1. A governance structure with clear roles and responsibilities for the Board of Directors or senior management to direct how social media contributes to the strategic goals of the institution, establish controls, and assesses risk on an ongoing basis;
2. Policies and procedures regarding the use of social media and monitoring for compliance with consumer protection laws and regulations;
3. Due diligence for selecting and managing third-party service provider relationships in social media;
4. An employee training program for official, work-related use of social media and other uses of social media;
5. An oversight process for monitoring information posted to proprietary social media sites administered by the institution;
6. Audit and compliance functions to ensure ongoing compliance with internal policies and applicable laws and regulations; and
7. Parameters for appropriate reporting to the Board of Directors or senior management regarding the effectiveness of the risk management program.

The guidance also highlights the unique privacy risks raised by social media to institutions and their customers. In particular, the guidance notes the Gramm-Leach-Bliley Act, CAN-SPAM Act and Telephone Consumer Protection Act, Children’s Online Privacy and Protection Act, and Fair Credit Reporting Act as all posing unique compliance challenges to institutions using social media to advertise and provide financial products and services.

Comments to the proposed guidance must be submitted within 60 days of the guidance’s publication in the Federal Register. The FFIEC is requesting specific comment on the following three questions:

1. Are there other types of social media, or ways in which financial institutions are using social media, that are not included in the proposed guidance but that should be included?
2. Are there other consumer protection laws, regulations, policies or concerns that may be implicated by financial institutions’ use of social media that are not discussed in the proposed guidance but that should be discussed?
3. Are there any technological or other impediments to financial institutions’ compliance with otherwise applicable laws, regulations, and policies when using social media of which the Agencies should be aware?

• BSA/AML risk – risk that mobile payment technologies will violate the Bank Secrecy Act or other anti-money laundering requirements.
• Fraud risk – risk that mobile payment technologies will fail to prevent or deter unauthorized transactions.
• Compliance risk – risk that mobile payment technologies will be used in a manner that violates applicable consumer protection laws, disclosure requirements, and supervisory guidance.
• Credit/liquidity risk – risk that a loss will occur from a failure by a mobile payment technology to collect on a credit obligation or failure to meet a payments-based contractual commitment.
• Operations/IT risk – risk that mobile payment technologies will fail to protect confidential financial information.
• Reputation risk – risk that negative consumer experience from mobile payment technologies or from an incident resulting from mobile payment technologies will reflect poorly on the institution.
• Vendor management risk – risk that a third-party providing mobile payment technologies to an institution will fail to meet expectations or suffer bankruptcy. 

The article also describes the laws and regulations applicable to mobile payment technologies, including the Electronic Fund Transfer Act; Truth in Lending Act; truth in billing requirements; unfair, deceptive, or abusive acts or practices (UDAAP) requirements; Gramm-Leach-Bliley Act; and deposit insurance requirements.  The FDIC concludes by reminding institutions to consistently apply fundamentals of payments risk management, in particular with regard to oversight of third-party relationships.

According to the FTC’s complaint, Filiquarian Publishing LLC, Choice Level LLC, and their CEO, Joshua Linsk, designed and marketed mobile applications that enabled users to search criminal records databases.  The companies marketed the applications for employment purposes as a tool to use in screening potential employees.  Indeed, one advertisement for the applications offered “Are you hiring somebody and wanting to quickly find out if they have a record?  Then Texas Criminal Record Search is the perfect application for you.”  The FTC alleged that the companies were operating as consumer reporting agencies in providing the criminal records reports for employment purposes and that the companies failed to comply with the FCRA.  The applications included disclaimers that the applications were not compliant with the FCRA and not to be used for FCRA permissible purposes; however, the FTC viewed these disclaimers as insufficient to insulate the companies from liability since the companies actively marketed the applications for employment purposes. 

The consent order, among other provisions, prohibits the companies from providing consumer reports to individuals if the companies do not have a reason to believe the individuals have a permissible purpose under the FCRA.  The order also prohibits the companies from failing to maintain reasonable procedures to assure maximum possible accuracy with respect to the consumer reports provided by the companies to consumers.  The companies are required to submit periodic reports to the FTC demonstrating compliance with the consent order.

The Interim Final Rule narrows the circumstances under which creditors are covered by the Rule in an attempt to be consistent with Congress’s legislation. The amended Rule now provides that a creditor is covered only if, in the ordinary course of business, it regularly: (1) obtains or uses consumer reports in connection with a credit transaction; (2) furnishes information to consumer reporting agencies in connection with a credit transaction; or (3) advances funds to or on behalf of a person (except for a creditor who advances funds on behalf of the person for expenses incidental to a service provided by the creditor to that person).   

Under the Rule, covered entities’ Red Flag programs must: (1) include reasonable policies and procedures to identify signs – or “red flags” – of identity theft in the day-to-day operations of the business; (2) be designed to detect the red flags of identity theft known to the business; (3) set out the actions the business will take upon detecting red flags; and (4) re-evaluate its program periodically to reflect new risks.

James Bormes, a Chicago lawyer, paid a $350 court filing fee through the federal government’s pay.gov system with his American Express card. He was sent an electronic receipt for the transaction, which contained his credit card’s expiration date. Bormes alleged that this violated FACTA's prohibition on printing expiration dates on credit card receipts issued at the point of sale.  He sued the government, seeking class-action status on behalf of thousands of people issued receipts that displayed card expiration dates or more than the last five digits of credit and debit card numbers (which FACTA also prohibits).

The district court initially dismissed the suit, finding that the FCRA does not contain an explicit waiver of the government’s sovereign immunity and could, therefore, not allow for the plaintiff’s damages claims. Bormes appealed to the Federal Circuit, which has exclusive jurisdiction for appeals in which a lower court’s jurisdiction was based partly on the Little Tucker Act. The government moved to transfer the suit to the Seventh Circuit, arguing that the Act’s jurisdictional provision did not apply. The Federal Circuit denied the motion and vacated the lower court’s ruling. The federal government then took the sovereign immunity issue to the Supreme Court.

“Where, as in FCRA, a statute contains its own self-executing remedial scheme, [courts] look only to that statute to determine whether Congress intended to subject the United States to damages liability.” The Court ruled that the federal government, therefore, does not necessarily give up its sovereign immunity in FCRA cases. It refrained, however, from deciding whether the FCRA, on its own, waives that immunity. Transferring the case for remand the Court reserved that question for the Seventh Circuit to consider.

Looking ahead, even if the Seventh Circuit concludes that the FCRA does, in fact, waive the government’s immunity, it will be an uphill battle for Bormes. In 2010, the Seventh Circuit, in Shlahtichman v. 1-800 Contacts, Inc., 615 F.3d 794 (7th Cir. 2010), ruled that the FACTA does not apply to electronic displays or e-mail confirmations of online transactions.

The announcement makes clear that consumers should not file complaints with the CFPB in lieu of or before disputing inaccurate credit reporting information with the applicable consumer reporting agency.  Disputing inaccurate information with the applicable reporting agency preserves certain rights under the Fair Credit Reporting Act and serves as the most immediate way of resolving inaccurate information.  However, if the consumer is dissatisfied with the reporting agency’s resolution of the dispute, the announcement encourages the consumer to contact the CFPB.  The Federal Trade Commission has a similar process for assisting consumers with credit reporting complaints.

On October 26, 2012, the FTC finalized settlements with Georgia auto dealer Franklin Budget Car Sales, Inc. and Utah-based debt collector EPN Inc. over charges that each company illegally exposed sensitive personal information of consumers by allowing peer-to-peer (P2P) file-sharing software to be installed on their corporate computer systems.　 The final settlements follow a notice-and-comment period opened to the public in June 2012.

The FTC charged Franklin Budget Car Sales with violations of the Gramm-Leach-Bliley Act (GLBA).　 GLBA applies to financial institutions, and the FTC treated Franklin as a financial institution because of the financing services it provides consumers in connection with the purchase of automobiles.　 In particular, the FTC alleged that Franklin failed to give consumers annual privacy notices and opt-out notices, as required under the GLBA privacy rule, and failed to protect the security, confidentiality, and integrity of customer information, as required under the GLBA safeguards rule.　 The FTC also alleged that Franklin violated section 5 of the FTC Act because the privacy statement it gave consumers claimed that the dealership restricted access to consumers’ nonpublic personal information to only employees.　 The FTC alleged that EPN violated section 5 of the FTC Act by failing to employ reasonable and appropriate measures to prevent unauthorized access to personal information.

The settlement agreements require both companies to implement comprehensive information security programs to protect the security, confidentiality, and integrity of consumer information.　 In addition, Franklin is required to comply with the GLBA privacy rule by sending annual privacy notices to consumers and, if applicable, opt-out notices if the company shares consumer information with nonaffiliated third-parties.　 Both companies also are required to obtain initial and biennial information security assessments and reports from an independent third-party to validate the effectiveness of their information security programs.　 Among other requirements, the agreements also require the companies to satisfy recordkeeping and reporting requirements.

Although the agreements do not impose civil fines, if either company violates its settlement agreement, the company may be liable for a fine of up to $16,000 per violation.

The study also found that differences in the scores provided to consumers versus creditors could harm consumers and that most consumers would never find out that the credit score given to them may not be the score in fact used by creditors.  To address these findings, the CFPB recommended that consumers shop around for credit and carefully review their credit reports. 

The CFPB commenced supervision of consumer reporting agencies on September 30, 2012.  The differences highlighted in the study will be one of the CFPB’s focal points during supervisory examinations.

He also described the federal banking agencies’ move away from “controls-based oversight” to “governance-based oversight.”  The agencies do not want to be in the position of constantly reacting to the newest form of technology through the issuance of internal controls guidance tailored to the technology.  Instead, the agencies would prefer to address emerging technology risks through requirements relating to robust risk management, board oversight, and broader risk mitigation strategies that can address any form of emerging technology.

The federal banking agencies have prioritized information security highly.  We will continue to monitor and report on developments.

In addition to a $2.6 million civil penalty, the consent decree enjoins HireRight from failing to follow reasonable procedures to:

• Ensure that its consumer reports reflect the current status of criminal records that have been expunged;
• Prevent the inclusion of multiple entries for a single criminal offense; and
• Prevent the inclusion of information about individuals other than the person about whom a consumer report pertains. 

The consent decree also enjoins HireRight from failing to provide consumers full access to records maintained about them or failing to investigate or respond promptly to consumer disputes about the accuracy of HireRights’ consumer reports.   

According to press reports, this is the second largest civil penalty that the FTC has obtained under the FCRA.  In 2006, ChoicePoint, Inc. agreed to pay $10 million to settle claims under the FCRA. 

The final rule defines a “larger participant” in the consumer reporting market as a nonbank covered person that offers or provides consumer reporting and has annual receipts from consumer reporting in excess of $7 million.

A larger participant in the consumer reporting market will be notified if the CFPB intends to initiate a supervisory activity (e.g., examination) with respect to the participant.  The participant may contest the supervisory activity on the grounds that the participant does not meet the definition of “larger participant” by submitting a response to the CFPB. 

The CFPB’s final rule makes clear that supervision of larger participants will be “probabilistic” in nature.  The CFPB will examine certain larger participants on a periodic basis while other larger participants may be examined less frequently.  The CFPB’s supervisory decisions, including decisions regarding the frequency and extent of examinations, will be informed by statutory factors including the size and transaction volume of individual participants, the risks posed to consumers, and the extent of state consumer protection oversight.

• Due Diligence – Institutions should conduct due diligence with respect to the cloud computing provider to assess the provider’s controls to protect the confidentiality and integrity of data stored in the cloud, to determine whether data will be stored on servers used by other clients of the provider and, if so, the provider’s access controls, and to evaluate the provider’s disaster recovery and business continuity plans.
• Vendor Management – Institutions may require additional controls to manage cloud computing providers that have little experience with financial institution clients and may determine that retention of a particular provider is unacceptable due to the provider’s unwillingness or inability to satisfy bank regulators’ supervisory guidance.
• Audit – Institutions’ audit coverage should include outsourced cloud computing. 
• Information Security – Institutions should incorporate cloud computing services in existing information security policies, standards, and practices and ensure that data is protected and access to data is properly restricted.  An institution also should effectively monitor data security threats to the institution’s systems and to the provider’s systems and develop incident response methodologies. 
• Legal, Regulatory, and Reputational Considerations – Institutions should assess the extent to which cloud computing services increase the complexity of complying with applicable legal and regulatory requirements.  In addition, contracts with cloud computing providers should specify the providers’ obligations with respect to institutions’ responsibilities for compliance with privacy laws, for responding to and reporting security incidents, and for fulfilling regulatory requirements to notify customers and regulators of any breaches.
• Business Continuity – Institutions should determine whether the provider and the provider’s network carriers have adequate plans and resources to ensure institutions’ continuity of operations, as well as the ability to recover and resume operations if an unexpected disruption occurs.

The lawsuit and settlement are noteworthy insofar they underscore the potential significance of the FFIEC guidance, including the FFIEC’s release in 2011 of a supplement to its authentication guidance, to mitigate both regulatory and litigation risk.   

Based on the FTC’s complaint, it appears that Spokeo assembled consumer information from online and offline sources, such as social networking sites and data brokers, to create consumer profiles for sale to third parties.  These consumer profiles typically included name, physical address, email address, phone number, hobbies, ethnicity, religion, and photographs.  Spokeo marketed these consumer profiles to human resources professionals, promoted them as a useful factor in deciding whether to interview a candidate, dedicated a portion of its website to recruiters, and offered special subscription plans to those recruiters.  In 2010, Spokeo amended the Terms of Service on its website to state that it is not a consumer reporting agency and that Spokeo could not be used for FCRA-covered purposes.  However, according to the complaint, Spokeo failed to take any action to ensure that third parties did not use its website and the information available on it for FCRA-covered purposes.

The FTC concluded in its complaint that Spokeo is a “consumer reporting agency” and that the consumer profiles sold by Spokeo are “consumer reports.”  The complaint alleged that Spokeo violated the FCRA by failing to have the requisite procedures in place to limit the furnishing of consumer reports only for permissible purposes and to ensure the accuracy of information in consumer profiles.  The complaint also alleged that Spokeo violated the FCRA because it failed to provide the standard “user” notice to third parties accessing consumer profiles, and because it furnished consumer profiles to third parties for whom Spokeo had no reason to believe had a permissible purpose.  The complaint also alleged that Spokeo violated Section 5 of the FTC Act by directing its employees to post comments endorsing Spokeo to news and technology websites under account names that were developed by the company to give the impression that they were independent, ordinary consumers.

To settle these charges, Spokeo agreed to enter into a consent order with the FTC, which requires Spokeo to pay a civil penalty equal to $800,000 and prohibits the company from violating the FCRA and Section 5 of the FTC Act.  If Spokeo subsequently violates the FCRA, FTC Act, or provisions in the consent order, the FTC will be able to fine Spokeo at levels substantially higher than what the FCRA alone permits.  The consent order also imposes rigorous reporting and recordkeeping requirements on Spokeo and requires various forms of ongoing monitoring by the FTC.

Spokeo’s founder, Harrison Tang, responded to the action in a blog post stating that the company never intended to operate as a consumer reporting agency and has since implemented changes to its website to align with the FCRA.  The FTC’s action against Spokeo is significant because it signifies the FTC’s intent to extend FCRA enforcement to companies that collect and sell consumer data that can be used in certain impermissible ways under the FCRA.