
InfoBytes Blog

Financial Services Law Insights and Observations


  • FFIEC Launches Cybersecurity Resources Web Page

    Consumer Finance

    On June 24, the FFIEC unveiled a new web page that will serve as a central repository for current and future FFIEC-related materials on cybersecurity. Although the FFIEC did not release any new resources, the launch shows the continuing focus of banking regulators on emerging cybersecurity risks. The FFIEC noted that the launch coincided with a pilot program through which state and federal regulators will assess how community financial institutions manage cybersecurity and their preparedness to mitigate increasing cyber risks. Regulators are particularly focusing on risk management and oversight, threat intelligence and collaboration, cybersecurity controls, service provider and vendor risk management, and cyber incident management and resilience.

    FFIEC Privacy/Cyber Risk & Data Security

  • Eighth Circuit Holds Bank That Complied With Reasonable Security Procedures Not Responsible For Loss Of Funds From Fraudulent Payment

    Privacy, Cyber Risk & Data Security

    On June 11, the U.S. Court of Appeals for the Eighth Circuit held that under the Uniform Commercial Code a bank that complied with commercially reasonable security measures was not responsible for a customer’s loss resulting from a fraudulent payment. Choice Escrow & Land Title, LLC v. BancorpSouth Bank, No. 13-1879, 2014 WL 2598764 (8th Cir. Jun. 11, 2014). The customer sued the bank claiming that a $440,000 wire transfer from its account through the bank’s internet wire transfer system was fraudulently initiated by a third party. The court explained that Article 4A of the Uniform Commercial Code permits a bank to take steps to protect itself from liability by implementing commercially reasonable security procedures, and if the bank complies with these procedures in good faith and in accordance with the customer’s instructions, the customer bears the risk of loss from a fraudulent payment order. The parties agreed that the bank complied with its security procedures in accepting the payment order that resulted in the loss for the customer, but disputed whether (i) the bank’s security procedures were commercially reasonable, (ii) the bank accepted the payment order in good faith, and (iii) the bank accepted the payment order in compliance with the customer’s written instructions. The court concluded that the bank’s security procedures, which included password protection, daily transfer limits, device authentication, and dual control, were commercially reasonable because the bank followed 2005 FFIEC guidelines and further enhanced its security to address threats not considered by that potentially outdated guidance. Moreover, the court held that the customer assumed the risk of failure of security procedures by declining some of those procedures. The court also held that in promptly executing a payment order that had cleared its commercially reasonable security procedures, and absent any independent reason to suspect the payment was fraudulent, the bank acted in good faith in processing the payment. Finally, the court determined that an inquiry from the customer as to whether it would be possible for the bank to stop foreign wire transfers did not constitute an instruction to the bank, and therefore the bank did not violate any written instruction from the customer. Based on these holdings, the court concluded that, under the UCC, the loss of funds from the customer’s account falls on the customer and not the bank.

    Payment Processors Privacy/Cyber Risk & Data Security

  • FTC Report Calls For Increased Data Broker Transparency

    Privacy, Cyber Risk & Data Security

    On May 27, the FTC released a report that claims—based on a study of nine data brokers—that data brokers generally operate with a “fundamental lack of transparency.” The FTC describes data brokers as companies that collect personal information about consumers from a wide range of sources and then provide that data for purposes of verifying an individual’s identity, marketing products, and detecting fraud or otherwise mitigating risk. The report is based in part on the nine brokers’ responses to FTC orders that required the brokers to provide information about: (i) the nature and sources of the consumer information the data brokers collect; (ii) how they use, maintain, and disseminate the information; and (iii) the extent to which the data brokers allow consumers to access and correct their information or to opt out of having their personal information sold or shared. The report summarizes the companies’ data acquisition processes, their product development and the types of products they provide, the quality of the data collected and sold, the types of clients to whom the data is sold, and consumer controls over the information. The FTC recommends that Congress consider enacting data broker legislation that would, among other things: (i) require data brokers to give consumers access to their data and the ability to opt out of having it shared for marketing purposes; (ii) require data brokers to clearly disclose that they not only use raw data, but that they also derive certain inferences from the data; (iii) address gaps in FCRA to provide consumers with transparency when a company uses a data broker’s risk mitigation product that limits a consumer’s ability to complete a transaction; and (iv) require brokers who offer people search products to allow consumers to access their own information and opt out of the use of that information, and to disclose the sources of the information and any limitations of the opt out.

    FTC Data Collection / Aggregation Privacy/Cyber Risk & Data Security

  • CA AG Publishes Guide On Online Privacy Policies

    Privacy, Cyber Risk & Data Security

    On May 21, California AG Kamala D. Harris issued a guide providing recommendations to businesses affected by the 2013 amendments to the California Online Privacy Protection Act (CalOPPA). Those amendments require website operators to disclose how they respond to “do not track” signals or other mechanisms that provide consumers a choice regarding the collection of personally identifiable information (PII) over time and across different sites or online services. In developing an online privacy policy, the guide advises companies to use plain language, in an easily readable format, and to clearly and conspicuously identify and explain their online tracking and PII collection and sharing practices. Additionally, the guide recommends that policies provide (i) the choices a consumer has regarding the collection, use, and sharing of PII; (ii) a link to any privacy policy maintained by third parties receiving PII; and (iii) contact information for questions or concerns.

    State Attorney General Privacy/Cyber Risk & Data Security

  • European Court of Justice Holds Individuals Have "Right To Be Forgotten"

    Privacy, Cyber Risk & Data Security

    On May 13, the European Court of Justice held that an internet search operator is responsible for the processing of personal data that appear on web pages published by third parties, and that an individual has a right to ask a search engine operator to remove from search results specific links to materials that include the individual’s personal information. The court considered the issue in response to questions referred from a Spanish court about the scope of a 1995 E.U. directive designed to, among other things, protect individual privacy rights when personal data are processed. The court determined that “by searching automatically, constantly and systematically for information published on the internet, the operator of a search engine ‘collects’ data within the meaning of the directive,” and further determined that the operator “processes” and “controls” individual personal data within the meaning of the directive. The court held that a search engine operator “must ensure, within the framework of its responsibilities, powers and capabilities, that its activity complies with the directive’s requirements,” including by, in certain circumstances, removing “links to web pages that are published by third parties and contain information relating to a person from the list of results displayed following a search made on the basis of that person’s name,” even when publication of that person’s information on those pages is lawful. Further, the court held that although the search engine operator’s processing operations take place outside of the E.U., the operator is covered by the directive because the operator also has operations in an E.U. member state that were “intended to promote and sell, in the Member State in question, advertising space offered by the search engine in order to make the service offered by the engine profitable.”

    Privacy/Cyber Risk & Data Security

  • New York Plans Targeted Bank Cybersecurity Examinations

    Privacy, Cyber Risk & Data Security

    On May 6, New York Governor Andrew Cuomo released a report on bank cybersecurity preparedness and directed the New York State Department of Financial Services (DFS) to conduct targeted cybersecurity preparedness assessments of the DFS-regulated banks. The DFS is revising its examination procedures to add questions to assess IT management and governance, incident response and event management, access controls, network security, vendor management, and disaster recovery. DFS plans to release additional details about the timing and content of these examination procedures in the coming weeks. The report follows a year-long survey of 154 DFS-regulated banks, which revealed that “most institutions experienced intrusions or attempted intrusions into their IT systems over the past three years.” The review revealed that third-party payment processor breaches were reported by 18% and 15% of small and large institutions, respectively, and that large institutions also cited mobile banking exploitation, ATM skimming/point-of-sale schemes, and insider access breaches. Last year, the DFS announced a similar inquiry into cyber preparedness at insurance companies it regulates.

    Examination Bank Supervision Privacy/Cyber Risk & Data Security NYDFS

  • CFPB Proposes Limited Relief From Annual Privacy Notice Delivery Requirements

    Privacy, Cyber Risk & Data Security

    On May 7, the CFPB issued a proposed rule that would provide financial institutions an alternative method for delivering annual privacy notices. The Gramm-Leach-Bliley Act (GLBA) and Regulation P require financial institutions to, among other things, provide annual privacy notices to customers—either in writing or electronically with consumer consent. Industry generally has criticized the current annual notice requirement as ineffective and burdensome, with most financial institutions providing the notices by U.S. postal mail. The proposed rule would allow financial institutions, under certain circumstances, to comply with the GLBA annual privacy notice delivery requirements by (i) continuously posting the notice in a clear and conspicuous manner on a page of their websites, without requiring a login or similar steps to access the notice; and (ii) mailing the notices promptly to customers who request them by phone. 

    Specifically, under the CFPB’s proposal, a financial institution subject to the GLBA privacy notice requirements would be permitted to post annual notices online, provided the institution:

    • Does not share the customer’s nonpublic personal information with nonaffiliated third parties in a manner that triggers GLBA opt-out rights;
    • Does not include on its annual privacy notice a Fair Credit Reporting Act (FCRA) § 603(d)(2)(A)(iii) notice regarding the ability to opt out of information sharing with the institution’s affiliates;
    • Does not use its annual privacy notice as the only notice provided to satisfy affiliate marketing opt-out notice requirements under section 624 of FCRA;
    • Has not changed the information included in the privacy notice since the customer received the previous notice;
    • Uses the model form provided in Regulation P; and
    • Inserts a clear and conspicuous statement, at least once per year on a notice or disclosure the institution issues under any other provision of law, announcing that the annual privacy notice is available on the institution’s website, such notice has not changed since the previous notice, and a copy of such notice will be mailed to customers who request it by calling a toll-free telephone number.

    The CFPB cites the following benefits of the proposed rule:

    • Provides consumers with constant access to privacy policies;
    • Incentivizes financial institutions to limit their data sharing with unaffiliated third parties;
    • Allows consumers who are concerned about their personal information to comparison shop before deciding which financial institution to use; and
    • Reduces the cost for companies to provide annual privacy notices.

    The proposed rule would provide some relief to industry, particularly where broader bipartisan legislative solutions have failed to gain substantial traction. Last year, the House passed legislation that would fully exempt a financial institution from the annual notice requirement if it (i) provides nonpublic personal information only in accordance with specified requirements, and (ii) has not changed its policies and practices with regard to disclosing nonpublic personal information from its most recent disclosure. A similar Senate bill introduced early last year has not moved forward, though its sponsor, Senator Sherrod Brown (D-OH), pressed the CFPB director about the issue during a hearing last fall.

    The CFPB’s proposal will remain open for comment for 30 days following its publication in the Federal Register.

    CFPB FCRA Gramm-Leach-Bliley Privacy/Cyber Risk & Data Security

  • White House Big Data Review Addresses Discrimination, Privacy Risks

    Privacy, Cyber Risk & Data Security

    On May 1, the White House’s working group on “big data” and privacy published a report on the findings of its 90-day review. In addition to considering privacy issues associated with big data, the group assessed the relationship between big data and discrimination, concluding, among other things, that “there are new worries that big data technologies could be used to ‘digitally redline’ unwanted groups, either as customers, employees, tenants, or recipients of credit” and that “big data could enable new forms of discrimination and predatory practices.” The report adds, “[t]he same algorithmic and data mining technologies that enable discrimination could also help groups enforce their rights by identifying and empirically confirming instances of discrimination and characterizing the harms they caused.” The working group recommends that the DOJ, the CFPB, and the FTC “expand their technical expertise to be able to identify practices and outcomes facilitated by big data analytics that have a discriminatory impact on protected classes, and develop a plan for investigating and resolving violations of law in such cases,” and adds that the President’s Council of Economic Advisers should assess “the evolving practices of differential pricing both online and offline, assess the implications for efficient operations of markets, and consider whether new practices are needed to ensure fairness.” The working group suggests that federal civil rights offices and the civil rights community should collaborate to “employ the new and powerful tools of big data to ensure that our most vulnerable communities are treated fairly.” With regard to privacy the report states that the “ubiquitous collection” of personal information and data, combined with the difficulty of keeping data anonymous, require policymakers to “look closely at the notice and consent framework that has been a central pillar of how privacy practices have been organized for more than four decades.” Among its policy recommendations, the working group urges (i) enactment of a Consumer Privacy Bill of Rights, informed by a Department of Commerce public comment process, and (ii) the adoption of a national data breach bill along the lines of the Administration’s May 2011 Cybersecurity legislative proposal. It also calls for data brokers to provide more transparency and consumer control of data.

    CFPB FTC DOJ Predatory Lending Discrimination Privacy/Cyber Risk & Data Security

  • New York Financial Services Regulator First To Sue Under Dodd-Frank's UDAAP Provisions

    Consumer Finance

    On April 23, New York State Department of Financial Services (NYS DFS) Superintendent Benjamin Lawsky became the first state regulator to sue a financial services company to enforce the Dodd-Frank Act’s Title X prohibitions against unfair, deceptive, and abusive practices (UDAAP). Last month, Illinois Attorney General Lisa Madigan filed what appears to be the first suit by a state attorney general to enforce Dodd-Frank’s UDAAP provisions. Although state authorities generally are limited to enforcing Title X against state banks and non-bank financial service companies—except that state attorneys general may enforce rules of the CFPB against national banks and thrifts—these actions bring into sharp focus the full scope and reach of Title X’s enforcement provisions and are likely to inspire similar state actions.

    Mr. Lawsky’s complaint accuses a nonbank auto finance company of violating Sections 1031 and 1036 of the Dodd-Frank Act, as well as Section 408 of the New York Financial Services Law and Section 499 of the New York Banking Law by, among other things, “systematically hid[ing] from its customers the fact that they have refundable positive credit balances.” The complaint alleges that the company concealed its customers’ positive account balances—from insurance payoffs, overpayments, trade-ins, and other reasons—by programming its customer-facing web portal to shut down a customer’s access to his or her loan account once the loan was paid off, even if a positive credit balance existed. The company allegedly failed to refund such balances absent a specific request from a customer. In addition, the complaint charges that the company hid the existence of positive credit balances by submitting to the New York State Comptroller’s Office false and misleading “negative” unclaimed property reports, which represented under penalty of perjury that the company had no unrefunded customer credit balances. The complaint claims that DFS’s examination findings for the company “demonstrate the persistent refusal and failure of [the company] and its owner . . . to implement even the most basic policies, procedures and controls necessary to manage a $300 million, state-licensed lending institution.” Further, Mr. Lawsky asserts that the company rejected “virtually all of those findings” and ignored or refused, based largely on economic considerations, to comply with written directives to institute proper policies, procedures, and controls.

    In addition to being the first of its kind, the suit is notable for several other reasons. First, the suit names the company’s individual owner and CEO. Mr. Lawsky recently urged financial services regulators to consider taking more actions against individuals. His remarks added to a trend among regulators and enforcement authorities to more aggressively pursue individual alleged bad actors. In the complaint, Mr. Lawsky argues that “as the person responsible for oversight of [the company’s] operations and for setting and effectuating policies” the owner caused the company to adopt a policy of “stealing, converting, and retaining for its positive credit balances belonging to its customers.”

    Second, Mr. Lawsky claims that certain of the alleged practices violate Dodd-Frank’s prohibition against “abusive” acts or practices. Although defined in the statute, the government has yet to provide additional guidance as to which acts or practices might be considered “abusive.” For instance, the CFPB, which has authority to draft regulations defining abusive practices, has declined to do so. Instead it has elected to develop the abusive standard through enforcement, most recently in an action against a for-profit educational institution, though no court has yet ruled on what constitutes an abusive practice.

    Third, Mr. Lawsky filed the suit with the help of an outside plaintiffs’ firm. The practice of state agencies hiring outside counsel to represent them in investigations has been the subject of lawsuits and criticisms. The practice has been criticized in part because it creates an incentive for the outside lawyers to find violations in order to be paid. It also has been the subject of litigation where the law firm assisting the agency also represented other clients adverse to the target of the investigation.

    Fourth, the complaint alleges that the finance company violated Section 1036 with regard to its data security and privacy practices and representations. Mr. Lawsky claims that the finance company falsely represented to its customers, in connection with servicing automobile loans, that it implemented reasonable and appropriate measures to protect borrowers’ personal information against unauthorized access. Instead, the complaint charges that the company failed to take such reasonable and necessary actions and/or expend the resources necessary to provide such protection, and in doing so took unreasonable advantage of (i) the inability of its customers to protect their own interests; and (ii) the reasonable reliance by its customers on the company to act in their interests.

    Finally, the suit demonstrates the significant level of regulatory and enforcement activity originating from the NYS DFS. In recent months, Mr. Lawsky has moved to exercise the full scope of his authorities and has positioned himself at the forefront of numerous financial services issues, including, for example, by: (i) developing a regulatory framework for virtual currencies; (ii) aggressively supervising mortgage servicing rights transfers; (iii) obtaining a substantial settlement in a state licensing enforcement action; and (iv) conducting an expansive investigation related to online payday lending.

    UDAAP Student Lending Enforcement Privacy/Cyber Risk & Data Security NYDFS

  • Comptroller Curry Takes Vendor Management Message To Third-Party Providers

    Privacy, Cyber Risk & Data Security

    On April 16, Comptroller of the Currency Thomas Curry spoke to attendees of the Consumer Electronics Show Government Conference, taking his concerns about banks’ vendor relationships and cybersecurity risks to potential third-party technology service providers. Comptroller Curry explained the banking system’s vulnerability to cyberattacks given its significant reliance on technology and telecommunications, and expressed particular concern about potential attacks on community banks. He reiterated several of the specific risk issues he recently discussed with community bankers. Comptroller Curry (i) outlined risks related to the consolidation of bank vendors; (ii) identified as a “special problem” banks’ reliance on foreign vendors, and cautioned banks to consider the legal and regulatory implications of where their data is stored or transmitted; and (iii) expressed concern about vendors’ access to important and confidential bank and customer data. He assured attendees that the OCC is not trying to discourage the use of third-party vendors, but in explaining the OCC’s particular focus on controls and risk management practices employed by vendors that provide services to banks and thrifts, Comptroller Curry advised vendors of the OCC’s authority under the Bank Service Company Act to issue enforcement actions and its authority to examine vendors designated as Technology Service Providers. He reported that banks have asked the OCC to more actively supervise critical service providers and stated that in working to protect the banking system the OCC will have to “look beyond individual financial institutions to the range of vendors and customers that have access to some part of its infrastructure and systems.”

    OCC Vendors Community Banks Privacy/Cyber Risk & Data Security
