Financial Institutions

On March 27, 2013, the Federal Reserve released a report on consumers’ use of mobile banking and mobile payments.  The report follows a similar report issued by the Federal Reserve last year.  The report found that use of mobile banking has increased significantly in the past year while use of mobile payments has increased as well. 

As of November 2012, 28 percent of all mobile phone users (compared to 21 percent in December 2011) and 48 percent of smartphone users (compared to 42 percent in December 2011) had used mobile banking in the past 12 months.  The recent report found that 15 percent of all smartphone users have made a payment from their phone in the past 12 months, compared to 12 percent of users from the prior report.  In addition, the use of mobile phones to deposit checks has doubled in the past year, rising from approximately 10 percent to 21 percent.      

The most common uses of mobile banking are to check account balances or recent transactions (87 percent of users) and to transfer money between accounts (53 percent of users).  The most common use of mobile payments is to make online bill payments (42 percent of users).  Six percent of all smartphone users have made a point-of-sale payment using their phone in the past 12 months, which represents a sizable increase from the one percent of users in December 2011. 


Continue Reading Federal Reserve Releases Report of Mobile Banking and Mobile Payments Use

Earlier this week, the House of Representatives passed H.R. 749, the Eliminate Privacy Notice Confusion Act.  The bill is sponsored by Rep. Blaine Leutkemeyer (R-MO) and Rep. Brad Sherman (D-CA).  An earlier version of the bill passed the House in December but was never taken up by the Senate.  We previously covered similar legislation

On January 22, 2013, the Federal Financial Institutions Examination Council proposed guidance on the applicability of consumer protection and compliance laws, regulations, and policies to activities conducted via social media by depository institutions.  The proposed guidance would not impose additional compliance obligations on institutions.  Instead, the guidance is intended to help financial institutions understand potential consumer compliance, legal, reputation, and operational risks associated with the use of social media, along with expectations for managing those risks. 

The proposed guidance defines “social media” as “a form of interactive online communication in which users can generate and share content through text, images, audio, and/or video.”  The FFIEC warns that social media can impact a depository institution’s risk profile by increasing the risk of harm to consumers, compliance and legal risk, operational risk, and reputational risk. 


Continue Reading FFIEC Proposes Social Media Guidance

On Friday, November 30, the Federal Trade Commission (FTC) issued an Interim Final Rule to amend its Red Flags Rule, which requires certain financial institutions and creditors to establish programs to detect, prevent and mitigate identity theft in connection with consumer accounts.  The Interim Final Rule narrows the definition of “creditor” in response to legislation

In an interview with Information Security Media Group, William Henley, Associate Director of the Federal Deposit Insurance Corporation’s (FDIC) Technology Supervision Branch, discussed the status of the banking industry’s implementation of FFIEC authentication guidance released in July 2011.  Henley generally said that the industry was working towards compliance and offered that FDIC examiners at this

The Consumer Financial Protection Bureau (CFPB) has issued a final rule to implement its authority under section 1024 of Dodd-Frank to subject “larger participants” in the consumer reporting market to CFPB supervision.  The rule will have significant consequences for companies in the consumer reporting industry.  The final rule follows a proposed rule issued in February 2012 indicating that the CFPB intended to supervise the consumer reporting market as part of the CFPB’s authority to supervise nonbank providers of consumer financial products and services.  The final rule is effective September 30, 2012. 

The final rule defines a “larger participant” in the consumer reporting market as a nonbank covered person that offers or provides consumer reporting and has annual receipts from consumer reporting in excess of $7 million.

Continue Reading CFPB Issues Rule to Supervise Larger Participants in Consumer Reporting Market

On July 10, the Federal Financial Institutions Examination Council (FFIEC) issued risk management guidance for depository institutions’ use of cloud computing.  The guidance defines cloud computing generally as “a migration from owned resources to shared resources in which client users receive information technology services, on demand, from third-party service providers via the Internet ‘cloud.’”  The guidance also considers cloud computing to be a form of outsourcing subject to the risk management requirements set forth in the FFIEC Information Technology Examination Handbook for Outsourcing Technology Services.

Continue Reading FFIEC Issues Risk Management Guidance for Cloud Computing

A bank that required a commercial customer to answer “challenge questions” for virtually all online payments and that did not implement other common security measures failed to provide a commercially reasonable level of security, the U.S. Court of Appeals for the First Circuit ruled this week.

The case arose when unknown hackers were able to make large electronic transfers over the course of seven days from Patco Construction’s accounts at Ocean Bank, a southern Maine community bank owned by People’s United Bank.  Patco lost more than $345,000. Patco sued People’s United, alleging that Ocean Bank’s security procedures were not “commercially reasonable,” and therefore the bank was liable for Patco’s loss under the Uniform Commercial Code.

Continue Reading First Circuit Finds Bank’s Online-Security Procedures ‘Commercially Unreasonable’

Yesterday, Village View, Inc. reached a settlement with Professional Business Bank, a California state-chartered bank subject to regulation by the Federal Deposit Insurance Corporation (FDIC), over the company’s lawsuit against the bank arising from a data security breach.  In March 2010, Village View lost nearly $400,000 after the company’s bank account was compromised by hackers. 

Last week, Rep. Blaine Luetkemeyer (R-MO) introduced legislation (H.R. 5817) to limit the obligations of certain financial institutions to provide an annual privacy notice to consumers.  Under the Gramm-Leach-Bliley Act (“GLBA”), financial institutions must provide customers an initial privacy notice and, for the duration of a customer relationship, an annual privacy notice that describes the company’s information-sharing practices.  While anything is possible in Washington, particularly in a Presidential election year, the expectation is that this bill is unlikely to progress to enactment.

Under H.R. 5817, a financial institution would not be obligated to provide customers with an annual privacy notice so long as the company shares information only in certain limited respects (that are more narrow than those permitted under federal law) and provided that the company has not changed its privacy policies or practices from those disclosed in its most recent privacy notice.   Specifically, the carve-out would only be available to those financial institutions that do not share information in either of the following respects:

Continue Reading Proposed Bill Would Limit Annual Privacy Notice Requirement Under GLBA