SEC and CFTC Issue Final Identity Theft Rule

Last week, the Securities and Exchange Commission (SEC) and Commodity Futures Trading Commission (CFTC) published in the Federal Register a joint rule requiring entities regulated by the agencies to adopt programs to detect and prevent identity theft.  The rule is referred to as the “red flags rule” and applies to certain broker-dealers, mutual funds, investment advisers, futures commission merchants, retail foreign exchange dealers, commodity trading advisors, commodity pool operators, introducing brokers, swap dealers, major swap participants, and certain other entities regulated by the SEC and CFTC that qualify as a “financial institution” or “creditor” under the Fair Credit Reporting Act.  The SEC and CFTC promulgated the rule pursuant to the Dodd-Frank Act, which amended the Fair Credit Reporting Act to require the SEC and CFTC to adopt the red flags rule.  Prior to the Dodd-Frank Act, only the federal banking regulators and the Federal Trade Commission were required to adopt red flags rules applicable to the entities under their jurisdiction.  Entities will be expected to comply with the rule by November 20, 2013.

The SEC and CFTC’s final rule requires affected entities offering or maintaining a “covered account” (generally, an account for personal, family, or household purposes that is designed to permit multiple transactions, such as a broker-dealer brokerage account) to develop and implement a written identity theft prevention program that is designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account.  The program should be appropriate to the size and complexity of the entity and the nature and scope of its activities. 

The program is required to include reasonable policies and procedures to:

(1) Identify relevant Red Flags (activities that indicate the possible existence of identity theft) for the covered accounts that the entity offers or maintains, and incorporate those Red Flags into its program;

(2) Detect Red Flags that have been incorporated into the entity’s program;

(3) Respond appropriately to any Red Flags that are detected to prevent and mitigate identity theft; and

(4) Ensure the program is updated periodically, to reflect changes in risks to customers and to the safety and soundness of the entity from identity theft.  

The SEC and CFTC’s red flags rule is nuanced, particularly in defining the entities that are subject to its requirements.  SEC- and CFTC-regulated entities should review the rule carefully to determine whether they are required to develop identity theft prevention programs.

Federal Reserve Releases Report of Mobile Banking and Mobile Payments Use

On March 27, 2013, the Federal Reserve released a report on consumers’ use of mobile banking and mobile payments.  The report follows a similar report issued by the Federal Reserve last year.  The report found that use of mobile banking has increased significantly in the past year, and that use of mobile payments has increased as well.

As of November 2012, 28 percent of all mobile phone users (compared to 21 percent in December 2011) and 48 percent of smartphone users (compared to 42 percent in December 2011) had used mobile banking in the past 12 months.  The recent report found that 15 percent of all smartphone users have made a payment from their phone in the past 12 months, compared to 12 percent of users from the prior report.  In addition, the use of mobile phones to deposit checks has doubled in the past year, rising from approximately 10 percent to 21 percent.      

The most common uses of mobile banking are to check account balances or recent transactions (87 percent of users) and to transfer money between accounts (53 percent of users).  The most common use of mobile payments is to make online bill payments (42 percent of users).  Six percent of all smartphone users have made a point-of-sale payment using their phone in the past 12 months, which represents a sizable increase from the one percent of users in December 2011. 


House Passes Legislation Eliminating Annual GLBA Privacy Notice Requirement

Earlier this week, the House of Representatives passed H.R. 749, the Eliminate Privacy Notice Confusion Act.  The bill is sponsored by Rep. Blaine Luetkemeyer (R-MO) and Rep. Brad Sherman (D-CA).  An earlier version of the bill passed the House in December but was never taken up by the Senate.  We previously covered similar legislation introduced by Representative Luetkemeyer.

The bill provides that a financial institution subject to the requirement in the Gramm-Leach-Bliley Act (GLBA) to send annual privacy notices to customers is excluded from this requirement if the institution (1) only discloses customers’ nonpublic personal information to nonaffiliated third parties pursuant to an exception in GLBA from the overall opt-out framework (e.g., for processing or servicing a customer’s account or to a service provider) and (2) has not changed its policies and practices with regard to disclosing nonpublic personal information from the policies and practices that were disclosed in the most recent notice sent to customers.  If either of these requirements ceases to apply, the institution would be required to send an annual privacy notice.  The legislation is intended to lessen the regulatory burden on financial institutions, and the potential for customer confusion, that result from sending customers privacy notices that have not changed over time and that are generally available on institutions’ websites.

FTC Issues Report on Mobile Payments

Last Friday, the Federal Trade Commission released a report, Paper, Plastic…or Mobile?, on the use of mobile payments.  The report follows a workshop hosted by the FTC in April 2012 that explored innovative mobile payment products and services, the potential benefits offered by mobile payments, and the concerns they raise.  For purposes of the report, mobile payments generally include four types of payment processes:  (1) near field communication (NFC) technologies, (2) mobile applications, (3) online checkout wallets, and (4) mobile carrier billing (charging of payments directly to a mobile phone bill).

The report focuses on the primary areas where the increasing use of mobile payments raises concerns, including dispute resolution, data security, and privacy.  The report also highlights special concerns regarding mobile carrier billing and international mobile payments.


FTC Study Details Inaccuracies in Credit Reports

This week, the Federal Trade Commission released a study of the U.S. credit reporting industry and credit report accuracy.  The study found that five percent of consumers had errors on one of their three nationwide credit reports that could lead them to pay more for financial products.  The study is required under section 319 of the Fair and Accurate Credit Transactions Act of 2003.

The study evaluated 1,001 consumers and 2,968 credit reports.  Of these totals, the study found that as many as 206 consumers identified material errors in their credit reports.  The most common errors identified were errors in tradeline data (consumer accounts) and collections information.  Another common error was inaccuracies in the header information such as current and previous address, age, and employment.

The FTC study is the first major study to take into consideration all of the primary groups that play a role in the credit reporting industry:  consumers; furnishers of information to consumer reporting agencies, including creditors, debt collection agencies, and courts; the Fair Isaac Corporation; and the national consumer reporting agencies.  The FTC will issue a final report on credit report accuracy in 2014.

PCI Council Releases PCI-DSS Cloud Computing Guidelines

On February 7, 2013, the Payment Card Industry (PCI) council released a supplement to the payment card industry data security standards (PCI-DSS) on the use of cloud technologies and considerations for maintaining PCI DSS controls in cloud environments.  The supplement is intended for merchants, service providers, assessors, and other entities in evaluating the use of cloud computing in the context of PCI DSS.

The supplement considers “cloud computing” to mean a model for enabling on-demand network access to a shared pool of computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or cloud provider interaction.  Both cloud computing users and cloud service providers (CSPs) have compliance responsibilities under the supplement that depend on a number of variables, including (1) the purpose for which the client is using the cloud service, (2) the scope of PCI DSS requirements that the client is outsourcing to the CSP, (3) the services and system components that the CSP has validated within its own operations, (4) the service option that the client has selected to engage the CSP (Infrastructure as a Service, Platform as a Service, or Security as a Service), and (5) the scope of any additional services the CSP is providing to proactively manage the client’s compliance. 

The supplement provides cloud-related considerations for each of the PCI-DSS standards and allocates responsibility for each consideration between the user and CSP depending on the specific service option.  There are a number of compliance challenges associated with the use of cloud computing, such as the lack of visibility into CSPs’ security infrastructure and oversight of cardholder data storage, and the supplement provides guidance for addressing those challenges within the context of the user-CSP relationship.

FFIEC Proposes Social Media Guidance

On January 22, 2013, the Federal Financial Institutions Examination Council proposed guidance on the applicability of consumer protection and compliance laws, regulations, and policies to activities conducted via social media by depository institutions.  The proposed guidance would not impose additional compliance obligations on institutions.  Instead, the guidance is intended to help financial institutions understand potential consumer compliance, legal, reputation, and operational risks associated with the use of social media, along with expectations for managing those risks. 

The proposed guidance defines “social media” as “a form of interactive online communication in which users can generate and share content through text, images, audio, and/or video.”  The FFIEC warns that social media can impact a depository institution’s risk profile by increasing the risk of harm to consumers, compliance and legal risk, operational risk, and reputational risk. 


FDIC Highlights Mobile Payment Technologies and Related Risks

In its most recent issue of the Supervisory Insights newsletter, the Federal Deposit Insurance Corporation (FDIC) describes mobile payment technologies, the risks they pose to depository institutions, and the regulatory framework applicable to such technologies.  The FDIC notes the widespread use of smartphones as a payment technology and the increasing availability of point-of-sale terminals equipped to process payments using near-field communications.  Both of these factors require institutions to understand and adopt controls to mitigate risk from mobile payment technologies.


FTC Enters into Consent Order with Mobile Application Developers for Fair Credit Reporting Act Violations

Last week, the Federal Trade Commission entered into a consent order with two companies alleged to have operated as consumer reporting agencies, by providing criminal record reports through mobile applications, without complying with the Fair Credit Reporting Act (FCRA).  The consent order represents the FTC’s first FCRA case involving mobile applications. 

According to the FTC’s complaint, Filiquarian Publishing LLC, Choice Level LLC, and their CEO, Joshua Linsk, designed and marketed mobile applications that enabled users to search criminal records databases.  The companies marketed the applications for employment purposes as a tool to use in screening potential employees.  Indeed, one advertisement for the applications offered “Are you hiring somebody and wanting to quickly find out if they have a record?  Then Texas Criminal Record Search is the perfect application for you.”  The FTC alleged that the companies were operating as consumer reporting agencies in providing the criminal records reports for employment purposes and that the companies failed to comply with the FCRA.  The applications included disclaimers that the applications were not compliant with the FCRA and not to be used for FCRA permissible purposes; however, the FTC viewed these disclaimers as insufficient to insulate the companies from liability since the companies actively marketed the applications for employment purposes. 

The consent order, among other provisions, prohibits the companies from providing consumer reports to individuals if the companies do not have a reason to believe the individuals have a permissible purpose under the FCRA.  The order also prohibits the companies from failing to maintain reasonable procedures to assure maximum possible accuracy with respect to the consumer reports provided by the companies to consumers.  The companies are required to submit periodic reports to the FTC demonstrating compliance with the consent order.

FTC Announces Amended Rule on Identity Theft “Red Flags”

On Friday, November 30, the Federal Trade Commission (FTC) issued an Interim Final Rule to amend its Red Flags Rule, which requires certain financial institutions and creditors to establish programs to detect, prevent and mitigate identity theft in connection with consumer accounts.  The Interim Final Rule narrows the definition of “creditor” in response to legislation passed by Congress in December 2010 (as covered in previous blog posts), excluding from the definition most doctors, lawyers, and other professionals who do not receive full payment at the time their service is furnished.  The rule is effective on February 11, 2013, and the FTC is seeking comments on the rule until that time.     

The Interim Final Rule narrows the circumstances under which creditors are covered by the Rule in an attempt to be consistent with Congress’s legislation. The amended Rule now provides that a creditor is covered only if, in the ordinary course of business, it regularly: (1) obtains or uses consumer reports in connection with a credit transaction; (2) furnishes information to consumer reporting agencies in connection with a credit transaction; or (3) advances funds to or on behalf of a person (except for a creditor who advances funds on behalf of the person for expenses incidental to a service provided by the creditor to that person).   

Under the Rule, covered entities’ Red Flag programs must: (1) include reasonable policies and procedures to identify signs – or “red flags” – of identity theft in the day-to-day operations of the business; (2) be designed to detect the red flags of identity theft known to the business; (3) set out the actions the business will take upon detecting red flags; and (4) re-evaluate its program periodically to reflect new risks.

Government May be Immune to Suits Alleging Violations of FACTA

The U.S. Supreme Court ruled on Tuesday that the federal government does not always lose its sovereign immunity to damages lawsuits claiming that an agency violated the Fair and Accurate Credit Transactions Act (“FACTA”) by printing the expiration date of a credit card on a receipt issued to a consumer. In a unanimous decision, authored by Justice Antonin Scalia, the Court rejected a November 2010 ruling by the Federal Circuit that the Little Tucker Act authorized the government to be sued for money damages under the Fair Credit Reporting Act (“FCRA”), which FACTA amended.  

James Bormes, a Chicago lawyer, paid a $350 court filing fee through the federal government’s pay.gov system with his American Express card. He was sent an electronic receipt for the transaction, which contained his credit card’s expiration date. Bormes alleged that this violated FACTA's prohibition on printing expiration dates on credit card receipts issued at the point of sale.  He sued the government, seeking class-action status on behalf of thousands of people issued receipts that displayed card expiration dates or more than the last five digits of credit and debit card numbers (which FACTA also prohibits).

The district court initially dismissed the suit, finding that the FCRA does not contain an explicit waiver of the government’s sovereign immunity and could, therefore, not allow for the plaintiff’s damages claims. Bormes appealed to the Federal Circuit, which has exclusive jurisdiction for appeals in which a lower court’s jurisdiction was based partly on the Little Tucker Act. The government moved to transfer the suit to the Seventh Circuit, arguing that the Act’s jurisdictional provision did not apply. The Federal Circuit denied the motion and vacated the lower court’s ruling. The federal government then took the sovereign immunity issue to the Supreme Court.


CFPB Offers Assistance for Consumer Credit Reporting Complaints

Last week, the Consumer Financial Protection Bureau (CFPB) announced that it had established a process for assisting consumers with credit reporting complaints.  The CFPB previously had implemented similar processes for complaints relating to credit cards, mortgages, bank accounts and services, private student loans, vehicle, and other consumer loans.  The complaint process is intended to complement the CFPB’s recent initiatives to supervise the consumer reporting industry, including the CFPB’s final rule establishing its authority to supervise consumer reporting agencies and examination manual for consumer reporting agencies.

The announcement makes clear that consumers should not file complaints with the CFPB in lieu of or before disputing inaccurate credit reporting information with the applicable consumer reporting agency.  Disputing inaccurate information with the applicable reporting agency preserves certain rights under the Fair Credit Reporting Act and serves as the most immediate way of resolving inaccurate information.  However, if the consumer is dissatisfied with the reporting agency’s resolution of the dispute, the announcement encourages the consumer to contact the CFPB.  The Federal Trade Commission has a similar process for assisting consumers with credit reporting complaints.

FTC Finalizes Settlements with Companies for Exposing Sensitive Consumer Information through Installation of Peer-to-Peer File Sharing Software

On October 26, 2012, the FTC finalized settlements with Georgia auto dealer Franklin Budget Car Sales, Inc. and Utah-based debt collector EPN Inc. over charges that each company illegally exposed sensitive personal information of consumers by allowing peer-to-peer (P2P) file-sharing software to be installed on their corporate computer systems.  The final settlements follow a notice-and-comment period opened to the public in June 2012.


CFPB Study Assesses Differences in Credit Scores Sold to Consumers and Creditors

Last week, the Consumer Financial Protection Bureau (CFPB) released a study comparing credit scores sold to creditors and those sold to consumers.  The study found that approximately 1 in 5 consumers would, upon purchasing their credit score from a consumer reporting agency, receive a different credit score than the score provided to creditors for use in determining eligibility for products or services.  The study was required by section 1078 of the Dodd-Frank Wall Street Reform and Consumer Protection Act.

The study also found that differences in the scores provided to consumers versus creditors could harm consumers and that most consumers would never find out that the credit score given to them may not be the score in fact used by creditors.  To address these findings, the CFPB recommended that consumers shop around for credit and carefully review their credit reports. 

The CFPB commenced supervision of consumer reporting agencies on September 30, 2012.  The differences highlighted in the study will be one of the CFPB’s focal points during supervisory examinations.

FDIC Official Discusses Implementation of FFIEC Authentication Guidance

In an interview with Information Security Media Group, William Henley, Associate Director of the Federal Deposit Insurance Corporation’s (FDIC) Technology Supervision Branch, discussed the status of the banking industry’s implementation of FFIEC authentication guidance released in July 2011.  Henley generally said that the industry was working towards compliance and offered that FDIC examiners at this stage were looking for good faith efforts to comply:  “What the examiners were looking for were reasonable, good faith efforts that an institution was working toward compliance….If any institution was working toward a compliance plan, that's all they needed to do.”

He also described the federal banking agencies’ move away from “controls-based oversight” to “governance-based oversight.”  The agencies do not want to be in the position of constantly reacting to the newest form of technology through the issuance of internal controls guidance tailored to the technology.  Instead, the agencies would prefer to address emerging technology risks through requirements relating to robust risk management, board oversight, and broader risk mitigation strategies that can address any form of emerging technology.

The federal banking agencies have made information security a high priority.  We will continue to monitor and report on developments.

FTC Obtains Second Largest Civil Penalty Under FCRA

An employment background screening company will pay a $2.6 million civil penalty to settle Federal Trade Commission charges under the Fair Credit Reporting Act.   The FTC alleged that HireRight Solutions, Inc., which compiles background reports to assist employers in making hiring and other employment-related decisions, is a consumer reporting agency since its reports “bear on . . . consumers’ general reputation and personal characteristics; and are used as a factor in determining eligibility for employment.”  The FTC charged that, as a consumer reporting agency, HireRight had an obligation to follow reasonable procedures to assure the maximum possible accuracy of the information in its consumer reports -- an obligation that the FTC says HireRight violated.

In addition to a $2.6 million civil penalty, the consent decree enjoins HireRight from failing to follow reasonable procedures to:

  • Ensure that its consumer reports reflect the current status of criminal records that have been expunged;
  • Prevent the inclusion of multiple entries for a single criminal offense; and
  • Prevent the inclusion of information about individuals other than the person about whom a consumer report pertains. 

The consent decree also enjoins HireRight from failing to provide consumers full access to records maintained about them, or failing to investigate or respond promptly to consumer disputes about the accuracy of HireRight’s consumer reports.

According to press reports, this is the second largest civil penalty that the FTC has obtained under the FCRA.  In 2006, ChoicePoint, Inc. agreed to pay $10 million to settle claims under the FCRA. 

CFPB Issues Rule to Supervise Larger Participants in Consumer Reporting Market

The Consumer Financial Protection Bureau (CFPB) has issued a final rule to implement its authority under section 1024 of Dodd-Frank to subject “larger participants” in the consumer reporting market to CFPB supervision.  The rule will have significant consequences for companies in the consumer reporting industry.  The final rule follows a proposed rule issued in February 2012 indicating that the CFPB intended to supervise the consumer reporting market as part of the CFPB’s authority to supervise nonbank providers of consumer financial products and services.  The final rule is effective September 30, 2012. 

The final rule defines a “larger participant” in the consumer reporting market as a nonbank covered person that offers or provides consumer reporting and has annual receipts from consumer reporting in excess of $7 million.


FFIEC Issues Risk Management Guidance for Cloud Computing

On July 10, the Federal Financial Institutions Examination Council (FFIEC) issued risk management guidance for depository institutions’ use of cloud computing.  The guidance defines cloud computing generally as “a migration from owned resources to shared resources in which client users receive information technology services, on demand, from third-party service providers via the Internet ‘cloud.’”  The guidance also considers cloud computing to be a form of outsourcing subject to the risk management requirements set forth in the FFIEC Information Technology Examination Handbook for Outsourcing Technology Services.


Settlement Reached in Data Security Breach Lawsuit Against Bank

Yesterday, Village View, Inc. reached a settlement with Professional Business Bank, a California state-chartered bank subject to regulation by the Federal Deposit Insurance Corporation (FDIC), over the company’s lawsuit against the bank arising from a data security breach.  In March 2010, Village View lost nearly $400,000 after the company’s bank account was compromised by hackers.  The company brought suit against Professional Business Bank alleging, among other claims, that the bank failed to comply with the Federal Financial Institutions Examination Council’s (FFIEC) authentication guidance from 2005 and other FDIC guidance on identity theft.  Specifically, Village View’s complaint alleged that the bank used only single-factor authentication, as opposed to the multifactor authentication required by the FFIEC guidance.  The company announced that the settlement amount included the full amount of lost funds plus interest from the bank.

The lawsuit and settlement are noteworthy insofar as they underscore the potential significance of the FFIEC guidance, including the FFIEC’s release in 2011 of a supplement to its authentication guidance, in mitigating both regulatory and litigation risk.

FTC Enters into Consent Order with Spokeo over Fair Credit Reporting Act Violations

Yesterday, the Federal Trade Commission entered into a consent decree with Spokeo, Inc., for violations of the Fair Credit Reporting Act.  As reflected in the FTC staff blog post, the FTC’s action against Spokeo is the first FCRA case to address the sale of data collected from online sources, including social media, in the context of employee screening.  

Based on the FTC’s complaint, it appears that Spokeo assembled consumer information from online and offline sources, such as social networking sites and data brokers, to create consumer profiles for sale to third parties.  These consumer profiles typically included name, physical address, email address, phone number, hobbies, ethnicity, religion, and photographs.  Spokeo marketed these consumer profiles to human resources professionals, promoted them as a useful factor in deciding whether to interview a candidate, dedicated a portion of its website to recruiters, and offered special subscription plans to those recruiters.  In 2010, Spokeo amended the Terms of Service on its website to state that it is not a consumer reporting agency and that Spokeo could not be used for FCRA-covered purposes.  However, according to the complaint, Spokeo failed to take any action to ensure that third parties did not use its website and the information available on it for FCRA-covered purposes.

The FTC concluded in its complaint that Spokeo is a “consumer reporting agency” and that the consumer profiles sold by Spokeo are “consumer reports.”  The complaint alleged that Spokeo violated the FCRA by failing to have the requisite procedures in place to limit the furnishing of consumer reports only for permissible purposes and to ensure the accuracy of information in consumer profiles.  The complaint also alleged that Spokeo violated the FCRA because it failed to provide the standard “user” notice to third parties accessing consumer profiles, and because it furnished consumer profiles to third parties for whom Spokeo had no reason to believe had a permissible purpose.  The complaint also alleged that Spokeo violated Section 5 of the FTC Act by directing its employees to post comments endorsing Spokeo to news and technology websites under account names that were developed by the company to give the impression that they were independent, ordinary consumers.

To settle these charges, Spokeo agreed to enter into a consent order with the FTC, which requires Spokeo to pay a civil penalty equal to $800,000 and prohibits the company from violating the FCRA and Section 5 of the FTC Act.  If Spokeo subsequently violates the FCRA, FTC Act, or provisions in the consent order, the FTC will be able to fine Spokeo at levels substantially higher than what the FCRA alone permits.  The consent order also imposes rigorous reporting and recordkeeping requirements on Spokeo and requires various forms of ongoing monitoring by the FTC.

Spokeo’s founder, Harrison Tang, responded to the action in a blog post stating that the company never intended to operate as a consumer reporting agency and has since implemented changes to its website to align with the FCRA.  The FTC’s action against Spokeo is significant because it signifies the FTC’s intent to extend FCRA enforcement to companies that collect and sell consumer data that can be used in certain impermissible ways under the FCRA.