InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Louisiana regulator provides guidance on business continuity plans
On April 1, the Louisiana Office of Financial Institutions issued a bulletin urging financial institutions to review their disaster recovery/business continuity plans and update them as needed to ensure that all interdependent operations are considered. The guidance includes a list of considerations, including, among other things: supplying staff with protective equipment and training; updated contact information for third party services and consideration of third party services that might become impaired in an incident; contingency communication process; remote work possibilities; identification of critical operations, including as examples, core processing systems, ATM processing and replenishment, online banking systems, payment processing, and wire processing; cross-training for continuity; and liquidity and cash considerations.
Illinois Department of Financial Regulation issues guidance to Illinois banks and credit unions
On March 30, the Illinois Department of Financial Regulation, Division of Banking and Division of Financial Institutions, issued guidance to Illinois banks and credit unions regarding support for consumers and businesses impacted by Covid-19. Illinois banks and credit unions are encouraged to use their capital and liquidity buffers as they respond to financial challenges resulting from the Covid-19 pandemic, such as to lend and undertake other supportive actions in a safe and sound manner. Illinois banks and credit unions also are encouraged to: (i) provide affected borrowers with payment accommodations to work through short-term setbacks; (ii) respond to borrowers from industry sectors particularly vulnerable to the volatility of the current economic environment; and (iii) work with small businesses, hourly workers, and independent contractors that have less financial flexibility to weather the economic decline.
The guidance further encourages Illinois banks and credit unions to assist affected borrowers by, among other things, waiving certain fees (e.g., ATM fees, overdraft fees, late fees), increasing ATM daily cash withdrawal limits, increasing credit card limits for creditworthy borrowers, and providing new loans on favorable terms. Prudent efforts to help consumers and businesses will not be subject to examiner criticism.
District court dismisses class claims regarding out-of-network ATM fees
On March 4, the U.S. District Court for the Southern District of California issued an order granting five separate motions for dismissal filed by a national bank and several independent ATM operators (defendants) regarding allegations that the defendants (i) charged unwarranted fees for using out-of-network (OON) ATMs for balance inquiries; (ii) made deceptive and misleading representations on screens and on signs regarding those fees; and (iii) assessed fees in violation of governing account documents. The plaintiffs’ putative class action alleged 13 claims against the defendants for violations of California’s Unfair Competition Law (CUCL), California’s False Advertising Law (FAL), and the California Consumer Legal Remedies Act (CLRA), as well as for conversion, negligence, and breach of contract. The defendants premised their motions to dismiss on several bases, including a lack of subject matter jurisdiction, lack of personal jurisdiction, and the plaintiffs’ failure to plead the necessary elements of the claims.
The court generally agreed with the arguments made by the defendants as to the court’s lack of subject matter and personal jurisdiction. In particular, the court held that the common law claims brought on behalf of the nationwide class should be dismissed for lack of Article III standing because the named plaintiffs failed to allege they were charged the relevant balance inquiry fees in states outside of California. In addition, the court agreed with an argument raised by one defendant that the plaintiffs lacked standing to file claims for injunctive relief for violations of the CUCL, FAL, and CLRA because they failed to allege a likelihood of actual or imminent future harm; specifically, they failed to allege they intended to use the ATMs in the future to make balance inquiries. The court thereafter assessed the plaintiffs’ remaining common law and statutory claims, and in each case, granted the defendants’ motions to dismiss the claims for various failures to establish the necessary elements of each of the alleged claims. Of the 13 dismissed claims, the court permitted plaintiffs leave to amend 10 of them. The court required any amended complaint address the standing issues related to claims brought on behalf of the California and nationwide classes.
District Court denies MSJ because of ambiguities in bank’s ATM fee contract language
On October 7, the U.S. District Court for the Southern District of California denied a national bank’s motion for partial summary judgment in a class action alleging the bank wrongfully charged ATM fees in violation of the bank’s standardized account agreement. According to the opinion, the plaintiffs filed the action asserting that the bank charges its customers two out-of-network (OON) fees when an account holder conducts a balance inquiry and then obtains a cash withdrawal at an OON ATM. The bank moved for summary judgment on the breach of contract claim, arguing that the terms and conditions of the contract provide for the charge of a fee “for each balance inquiry, cash withdrawal, or funds transfer undertaken at a non-[bank] branded ATM.” After conducting a limited discovery on the breach of contract issue, the district court denied the bank’s motion, concluding there are “ambiguities regarding the contract terms.” Specifically, the court noted that contract documents describe a “Foreign ATM Fee” as “initiated at an ATM other than a [bank] ATM” and that it uses the singular term of “fee” while providing “no further explanation as to what ‘initiated’ means.” According to the court, there is “ambiguity in the term ‘initiate’ that is ‘susceptible to at least two reasonable alternative interpretations.’” Moreover, the court also concluded that certain onscreen warnings about the right to cancel caused “uncertainty and ambiguity” regarding the assessment of fees, and because there are ambiguities regarding the fee terms, the court could not conclude that the plaintiffs failed to prove a breach of contract.
Filipino National Sentenced for Running $9 Million Cybercrime Ring
On June 8, a U.S. District Court Judge sentenced a Filipino national to over five years in prison and two years of supervised release after pleading guilty to conspiracy to commit bank fraud last year. The defendant operated a $9 million international cybercrime operation that utilized stolen credit and debit accounts to process unauthorized financial transactions, according to an investigation led by the District of New Jersey U.S. Attorney’s Office. To obtain credit and debit card account information, the defendant engaged in computer hacking and ATM skimming, whereby millions of dollars were “monetized” through a “global network of ‘cashers’” who encoded the data onto counterfeit cards and then used the cards to withdraw money and make purchases.
OIG for U.S. Postal Service Probes Expansion Into Financial Services
On May 21, the Office of Inspector General for the U.S. Postal Service (OIG) issued a report titled, “The Road Ahead for Postal Financial Services.” The report follows a January 2014 white paper issued by the OIG, which explored how the U.S. Postal Service could expand its provision of financial products to underserved Americans. The report summarizes five potential approaches for increasing the Postal Service’s financial services offerings, including: (i) expand current product offerings, which include paper money orders, international remittances, gift cards, and limited check cashing, as well as adjacent services (e.g., bill pay, ATMs); (ii) develop one key partner to provide financial services offerings, including possible expansion to general purpose reloadable prepaid cards, small loans, and/or deposit accounts; (iii) develop different partners for each product; (iv) make the Postal Service a “marketplace” for distribution of financial products of an array of providers; and/or (v) license the Postal Service as a financial institution focused on the financially underserved (although the OIG is not recommending this approach). Factors to consider when determining which approach to take, if any, include the legal and regulatory landscape; the effectiveness of cash management systems; dedication of the internal team, and public awareness of existing and potential services offered.
Federal Reserve Board Reports On Prepaid Cards, Domestic Payments
Recently, the Federal Reserve Board released two payments-related reports: (i) a report to Congress on government-administered general use prepaid cards; and (ii) a detailed report on the Federal Reserve’s 2013 payments study. The report on government-administered prepaid cards analyzes the $502 million in fee revenue collected by issuers in 2013, a majority of which was attributable to interchange fees. For consumer-related fees, the report indicates such fees derived primarily from ATM-related charges. The second report details findings from the 2013 Federal Reserve Payments Study, the fifth in a series of triennial studies conducted by the Federal Reserve System to comprehensively estimate and study aggregate trends in noncash payments in the United States. The paper expands on the 2013 summary findings originally published last December, and includes, among many other things, the following new findings: (i) credit cards are more prevalent than other general-purpose card types; (ii) among general-purpose cards with purchase activity in 2012, consumers preferred debit cards, with an average use of 23 payments per month, compared with an average of 11 payments per month for general-purpose credit cards and 10 payments per month for general-purpose prepaid cards; (iii) although the number of ATM cash withdrawals using debit cards and general-purpose prepaid cards dropped slightly, growth in the value of ATM withdrawals continued to exceed inflation; (iv) the number of online bill payments reported by major processors, which included those initiated through online banking websites and directly through billers and settled over ACH, exceeded three billion in 2012; and (v) there were more than 250 million mobile payments made using a mobile wallet application, and at least 205 million person-to-person or money transfer payments.
FFIEC Advises Banks On Website, ATM Cyber Attacks
On April 2, the FFIEC advised financial institutions that distributed denial-of-service (DDoS) attacks on a financial institution’s public websites present operational and reputation risks. If coupled with attempted fraud, a financial institution may also experience fraud losses and face liquidity and capital risks. The FFIEC members expect financial institutions to address DDoS readiness as part of ongoing information security and incident response plans and to, among other things, (i) maintain an ongoing program to assess information security risk; (ii) monitor Internet traffic to the institution’s website to detect attacks; (iii) activate incident response plans and notify service providers, including Internet service providers, as appropriate, if the institution suspects that a DDoS attack is occurring; (iv) ensure sufficient staffing for the duration of the DDoS attack and consider hiring pre-contracted third-party servicers, as appropriate, that can assist in managing the Internet-based traffic flow; and (v) evaluate any gaps in the institution’s response following attacks and in its ongoing risk assessments, and adjust risk management controls accordingly.
In a second statement, the FFIEC advised financial institutions of a type of large dollar value ATM cash-out fraud by which cyber attackers gain access to, and alter the settings on, ATM web-based control panels used by small- to medium-sized financial institutions. The FFIEC states that institutions that issue debit, prepaid, or ATM cards may face operational risks, fraud losses, liquidity and capital risks, and reputation risks, and that institutions that outsource their card issuing function to a card processor may initially be liable for losses even if the compromise occurs at the processor. To mitigate these risks, the FFIEC expects member financial institutions to, among other things, (i) conduct ongoing information security risk assessments; (ii) perform security monitoring, prevention, and risk mitigation; (iii) take specific steps to protect against unauthorized access; (iv) implement and test controls around critical systems regularly; and (v) conduct information security awareness and training programs.
President Signs ATM Disclosure Bill and CFPB Privilege Bill
On December 20, President Obama signed two bills impacting bank supervision and compliance. These bills were sent to the President after the Senate approved both measures on December 11. The first, H.R.4014, amends the Federal Deposit Insurance Act to protect information submitted to the CFPB as part of its supervisory process. For more information about these issues, please see our recent Special Alert. The second bill, H.R. 4367, amends the Electronic Fund Transfer Act to remove the requirement that ATMs have an attached placard disclosing fees. The amended law requires only that fees be disclosed on the ATM screen.
Congress Acts on Several Banking Bills, Two Set for President's Signature
On December 11, the U.S. Senate passed by voice vote two bills impacting bank supervision and compliance. The first, H.R.4014, amends the Federal Deposit Insurance Act to protect information submitted to the CFPB as part of its supervisory process. The bill provides CFPB-supervised institutions the same non-waiver of privilege protections already afforded to information submitted by supervised entities to federal, state, and foreign banking regulators. For more information about these issues, please see our recent Special Alert. The second bill, H.R. 4367, amends the Electronic Fund Transfer Act to remove the requirement that ATMs have an attached placard disclosing fees. The amended law will require only that fees be disclosed on the ATM screen. Both bills previously were passed by the U.S. House of Representatives and now go to the President. On December 12, the House passed H.R. 5817, which would exempt from Gramm-Leach-Bliley Act (GLBA) annual privacy policy notice requirements any financial institution that (i) provides nonpublic personal information only in accordance with specified requirements, and (ii) has not changed its policies and practices with regard to disclosing nonpublic personal information from those included in its most recent disclosure. The bill now proceeds to the Senate. A fourth bill, S. 3637, which would extend the Transaction Account Guarantee program for two additional years, was blocked in the Senate on December 13, 2012. The program, which was established by the Dodd-Frank Act to provide unlimited deposit insurance for noninterest-bearing transaction accounts, will expire at the end of 2012 if legislators do not take further action to extend the program.