By Bruce Bennett, Carlo Kostka, Craig Pollack, Dan Cooper, Gemma Nash, Kristof Van Quathem, Mark Young, and Sophie Bertin

The EU Payment Services Directive (PSD2), which took effect on January 13, 2018, puts an obligation on banks to give Third Party Providers (TPPs) access to a customer’s payment account data, provided the customer expressly consents to such disclosure.  The new legislation is intended to improve competition and innovation in the EU market for payment services.  The General Data Protection Regulation (GDPR), which is due to take effect from May 25, 2018, enhances individuals’ rights when it comes to protecting their personal data.  The interaction between PSD2, aimed at increasing the seamless sharing of data, and the GDPR, aimed at regulating such sharing, raises complicated compliance concerns.

For example, where banks refrain from providing TPPs access to customer payment data for fear of breaching the privacy rights of their customers under the GDPR, competition authorities may consider this a breach of competition law.  This concern is already becoming a reality for banks – on October 3, 2017, the European Commission carried out dawn raids on banking associations in Poland and the Netherlands following complaints from fintech rivals that the associations were not providing them with what they considered legitimate access to customer payment data.
Continue Reading Overlap Between the GDPR and PSD2

On Wednesday, December 10, 2014, financial industry regulatory and enforcement agencies issued statements that their organizations will increase scrutiny of financial industry cybersecurity practices going forward.

In New York, the State’s Department of Financial Services Superintendent Benjamin Lawsky issued new guidelines to banks, detailing how their cybersecurity practices would be evaluated. The memorandum—sent to all New York chartered or licensed banking institutions—noted that the Department would take a close look at banks’ data breach detection abilities, cybersecurity corporate governance practices, resources devoted to information security, defenses against cyberattacks, management of third-party service providers, and cybersecurity insurance coverage, among other things.

The memorandum further noted that, prior to conducting an examination, the Department intends to request information on 12 information technology- and cybersecurity-related issues, including the qualifications and responsibilities of banks’ Chief Information Security Officers, information security policies, due diligence processes, and software development standards.
Continue Reading Financial Industry Regulators Increase Data Security Oversight

On May 6, 2014, the Consumer Financial Protection Bureau (“CFPB”) proposed a rule to modify the notice provisions of Regulation P, which implements the financial privacy provisions of the Gramm-Leach-Bliley Act (“GLBA”).

Regulation P requires financial institutions to deliver an annual privacy notice to customers, which is often accomplished through a direct mailing to the customer.  The proposed rule would allow a financial institution to meet this annual privacy notice delivery requirement, in certain circumstances, by continuously posting the privacy notice on its website in a clear and conspicuous manner (described as the “proposed alternative delivery method” in the proposed rule), and providing the customer with a clear and conspicuous annual disclosure that (i) the privacy notice has not changed, (ii) the notice is available on the institution’s website, and (iii) the customer may request a mailed copy of the notice by calling a toll-free number.

Continue Reading CFPB Proposes Revised Financial Privacy Rule

In January 2014, a massive data leak of some 104 million credit card accounts shocked South Korea.  The number of affected accounts was twice the number of the population of South Korea’s.  The incident arose when a temporary employee of a personal credit rating agency that manages personal financial data of customers of three major credit card companies allegedly copied personal credit details of millions of people on his portable disk drive and subsequently sold the information to loan marketers and brokers.

On March 10, 2014, the Korean Government announced plans to prevent a recurrence of a large-scale security breach in the financial sector (the “Plan”) (available in Korean here). The Plan contains a number of elements that may be modeled on the EU’s proposed General Data Protection Regulation, such as turnover-based sanctions, limitations on data transfers and data retention and a reinforcement of individuals’ rights.  Some of the proposed measures are supposed to be implemented by amending existing relevant laws. Members of the National Assembly have already tabled legislative proposals for a number of amendments that reflect the Plan at a parliamentary committee meeting on February 24, 2014; however, it is at present unclear when they will be discussed and adopted by the Parliament. By contrast, other measures that do not require legislative changes are likely to be implemented as quickly as possible.

If adopted, the legislative proposals will have a significant impact in particular on financial institutions that handle a large amount of Korean customers’ personal information — such as banks, credit card companies and personal credit rating agencies. However, companies in other sectors are not off the hook, as the Government has indicated the possibility of a comprehensive inquiry to improve general personal information protection beyond the financial sector in the near future.

Continue Reading Is Korea Moving Towards EU-Style Legislation for Financial Institutions?

On October 26, 2012, the FTC finalized settlements with Georgia auto dealer Franklin Budget Car Sales, Inc. and Utah-based debt collector EPN Inc. over charges that each company illegally exposed sensitive personal information of consumers by allowing peer-to-peer (P2P) file-sharing software to be installed on their corporate computer systems.  The final settlements follow a notice-and-comment period opened to the public in June 2012.

Continue Reading FTC Finalizes Settlements with Companies for Exposing Sensitive Consumer Information through Installation of Peer-to-Peer File Sharing Software

A bank that required a commercial customer to answer “challenge questions” for virtually all online payments and that did not implement other common security measures failed to provide a commercially reasonable level of security, the U.S. Court of Appeals for the First Circuit ruled this week.

The case arose when unknown hackers were able to make large electronic transfers over the course of seven days from Patco Construction’s accounts at Ocean Bank, a southern Maine community bank owned by People’s United Bank.  Patco lost more than $345,000. Patco sued People’s United, alleging that Ocean Bank’s security procedures were not “commercially reasonable,” and therefore the bank was liable for Patco’s loss under the Uniform Commercial Code.

Continue Reading First Circuit Finds Bank’s Online-Security Procedures ‘Commercially Unreasonable’

Earlier this week, Federal Communications Commission Chairman Julius Genachowski, together with major U.S. wireless carriers and chiefs of police, announced a plan to develop databases that will allow consumers whose mobile devices have been stolen to render the devices inoperable on mobile networks.  The database will be created over the next eighteen months. 

Using the

On Tuesday, the Payment Card Industry Security Standards Council announced that it was opening the formal feedback period for versions 2.0 of the Payment Card Industry Data Security Standard (“PCI-DSS”) and Payment Application Data Security Standard (“PA-DSS”), which were issued in October 2010 and will become effective exclusively when versions 1.2.1 are officially retired on

The Washington Post has published an article describing a relatively new arena for behavioral advertising: your online bank statement.  Participating banks serve marketing to their customers based on the customer’s spending history.  These promotions may be particularly valuable to advertisers because they are targeted based on how a customer actually spends his or her money and because customers can