
InfoBytes Blog

Financial Services Law Insights and Observations


  • Payment Card Group Refines Data Security Standards

    Privacy, Cyber Risk & Data Security

    On November 7, the PCI Security Standards Council (PCI SSC), an organization that develops standards for payment card security, released updated data security standards. One standard applies to entities involved in payment card processing—merchants, processors, acquirers, issuers, and service providers, as well as all other entities that store, process, or transmit cardholder data. The other standard applies to software vendors and others who develop payment applications that store, process, or transmit cardholder data as part of authorization or settlement, where these payment applications are sold, distributed, or licensed to third parties. PCI SSC updates the standards every three years. This most recent update includes, among other things, requirements that payment card processors: (i) evaluate evolving malware threats for any systems not considered to be commonly affected; (ii) control physical access to sensitive areas for onsite personnel, including a process to authorize access, and revoke access immediately upon termination; (iii) protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution; (iv) implement a methodology for penetration testing; (v) implement a process to respond to any alerts generated by the change-detection mechanism; and (vi) maintain information about which security requirements are managed by each service provider, and which are managed by the entity.

    Payment Systems Privacy/Cyber Risk & Data Security

  • Payment Network Providers Seek Collaboration On Digital Payment Standard

    Fintech

    On October 1, three payment network providers proposed that industry stakeholders collaborate on a token-based global security standard for online and mobile commerce. To meet growing consumer demand for secure digital transactions, the providers propose replacing traditional account numbers with a digital payment “token” for online and mobile transactions. They argue that tokens provide an additional layer of security and eliminate the need for merchants, digital wallet operators or others to store account numbers. The proposed standard used to generate tokens would be based on existing industry standards and would be available to all payment networks and other payment participants. The providers identify the following as key elements of the proposed standard: (i) new data fields to provide richer information about the transaction, which can help improve fraud detection and expedite the approval process, (ii) consistent methods to identify and verify a consumer before replacing the traditional card account number with a token, and (iii) a common standard designed to simplify the process for merchants for contactless, online or other transactions. The proposed standard incorporates comments from card issuers and merchants, and the participants intend to seek further collaboration from standard-setting bodies and other stakeholders.

    Payment Systems Mobile Commerce Mobile Payment Systems Privacy/Cyber Risk & Data Security

  • Federal Reserve Banks Seek Public Input on Threats to Payment System

    Fintech

    On September 10, the Federal Reserve Banks issued a public consultation paper that identifies “key gaps and opportunities” in the U.S. payment system. They include: (i) payment recipients prefer forms of payment other than checks but have little control over the sender in requesting a preferred form of payment, (ii) the system lacks a “near-real-time” payment capability, (iii) innovations have not gained significant market penetration while legacy systems tend to be more ubiquitous, (iv) legacy systems lack certain desired features, including, for example, assurance that a payment will not be returned or reversed, (v) cross-border payments are slow and costly, and lack fee and timing transparency, (vi) some digital wallet applications reduce the visibility and choice of payment instrument at the point of sale, (vii) businesses’ legacy payment and accounting systems make straight-through processing difficult, but are costly to change, and (viii) data security fears inhibit adoption of electronic payments. The paper outlines certain desired outcomes and seeks input on strategies and tactics to address the perceived gaps and shape the future of the domestic payment system. Interested stakeholders can submit comments until December 13, 2013.

    Payment Systems Federal Reserve Mobile Payment Systems

  • New York Seeks to Halt Online Payday Loans, Collections; Federal Agencies Issue Subpoenas

    Consumer Finance

    On August 6, the New York Department of Financial Services (DFS) sent letters to 35 online lenders, including lenders affiliated with Native American Tribes, demanding that they cease and desist offering allegedly illegal payday loans to New York borrowers. The letters demand that within 14 days the companies confirm that they are no longer soliciting or making payday loans in excess of the state usury caps. Under New York law, it is civil usury for a company to make a loan or forbearance under $250,000 with an interest rate exceeding 16% per year, and a criminal violation to make a loan with an interest rate exceeding 25% per year. The letters also remind recipients that it is illegal to collect on loans that exceed the usury cap; a separate letter to third-party debt collectors included the same notice. The DFS previously warned third-party debt collectors about collecting on illegal payday loans in March. In addition, the Department of Financial Services sent letters to 117 banks and NACHA requesting that they work with the DFS to create a set of model safeguard procedures to deny ACH access to the targeted lenders and provide the DFS with information about steps the institutions are taking to halt the allegedly illegal activity.

    The role of banks in processing payday loan payments was identified as an enforcement priority earlier this year by the DOJ’s Financial Fraud Enforcement Task Force. The DOJ, the CFPB, and other federal agencies reportedly have issued subpoenas to banks and other entities as part of a broad investigation of online payday lending.

    Payment Systems Payday Lending Debt Collection DOJ Enforcement Internet Lending

  • FTC Extends Time to Comment on Proposed TSR Changes

    Fintech

    On July 12, the FTC extended the comment deadline on proposed changes to its Telemarketing Sales Rule (TSR). In May, the FTC proposed to prohibit the use of certain payment methods it believes are favored by “fraudulent telemarketers,” and sought comments by July 29, 2013. Because a slightly modified version of the original proposal was published in the Federal Register on July 9, 2013, the FTC now will accept comments through August 8, 2013.

    FTC Payment Systems Agency Rule-Making & Guidance

  • NACHA Bulletin Addresses Reinitiation of Returned Debits

    Fintech

    On July 15, the Electronic Payments Association (NACHA), the organization that manages the ACH Network, issued a bulletin that describes the provisions of NACHA’s operating rules regarding the “reinitiation” of returned ACH debit entries and the collection of return fees. With respect to the “reinitiation” of returned ACH debit entries, the bulletin outlines the limited circumstances under which the rules permit originators and originating depository financial institutions (ODFIs) to reinitiate returned entries. First, an originator or an ODFI may reinitiate a returned entry up to two times if the entry was returned for reasons of insufficient or uncollected funds. Second, an originator or an ODFI may reinitiate an entry returned for reason of stop payment, but only if the receiver of the entry reauthorized the reinitiation after the return of the original entry. Finally, unless authorization has been revoked, an originator or an ODFI may reinitiate an entry returned for any other reason, as long as the originator or ODFI has corrected or remedied the reason for the return. In instances where authorization has been revoked, an originator or ODFI may not reinitiate the entry. Additionally, in order for a reinitiation of a returned entry to take place within the ACH Network, it must take place within 180 days of the settlement date of the original entry. With respect to the collection of return fees, the bulletin explains that (i) a return fee entry may be initiated only to the extent permitted by applicable law, and only for an entry that was returned for reasons of insufficient or uncollected funds; (ii) originators and ODFIs must provide specific notice prior to charging return fees; (iii) return fees must be specifically labeled as return fees in any entry description; (iv) only one return fee may be assessed with respect to any returned entry; and (v) a return fee may not be assessed with respect to the return of a return fee entry (i.e., no “fees on fees”).

    Payment Systems Bank Compliance NACHA

  • FTC Sues Payment Processor for Assisting Allegedly Fraudulent Credit Card Debt Relief Operation

    Fintech

    On June 5, the FTC announced that it has added a payment processor as a defendant in an existing suit against a debt relief firm that the FTC alleges operated a credit card interest rate reduction scam. The FTC claims that the debt relief firm cold-called consumers and charged them up-front fees for promises of credit card interest rate reductions that the firm never obtained. The FTC charges that the payment processor knew, or consciously avoided knowing, the supposedly illegal nature of the operation and facilitated allegedly deceptive and abusive telemarketing acts or practices in violation of the Telemarketing Sales Rule. The FTC also alleges that the processor ignored the “alarmingly high” chargeback rates.

    FTC Payment Systems Enforcement

  • District Court Holds Gift Cardholders Suffer No Damages from Inability to Apply Unexhausted Balances

    Fintech

    On August 17, the U.S. District Court for the Southern District of New York dismissed a putative class action alleging deceptive sales practices under New York law against gift card distributors. Preira v. Bancorp Bank, No. 11-1547, 2012 WL 3541702 (S.D.N.Y. Aug. 17, 2012). The plaintiff alleged that the defendants advertised that the gift cards could be used like debit cards, but that in fact merchants would not allow cardholders to conduct split transactions where the card was used to pay for a portion of a transaction and other means were used to pay the remaining balance. This restriction, the plaintiff claimed, prevented cardholders from completely depleting the value of the gift cards. The court rejected the plaintiff’s claim, holding that she failed to allege a cognizable injury because (i) some merchants do accept split transactions, (ii) the cardholder agreement provides that cards can be returned to the issuer in exchange for the unused balance, which never expires, and (iii) even if the damages are not based on the loss of the remaining value of the cards but on misleading statements that lead cardholders to believe the cards function like debit cards, the plaintiff failed to allege that debit cardholders can make split purchases at any retailer and, in any event, deception itself, without further injury, is not a cognizable harm under state law.

    Payment Systems Gift Cards

  • Key Considerations in Drafting Mobile Disclosures

    Fintech

    Recent developments at the FTC and CFPB provide some guidance on how regulators may approach disclosures on smartphones and other mobile devices.

    The recent CFPB Remittance Rule on international remittance transfers indicates some flexibility in the provision of disclosures in the remittances context via a mobile device. Additionally, the FTC’s recent report on best practices in consumer data privacy notes the difficulty in providing privacy notices on the smaller screens of mobile devices and encourages shorter, more effective privacy policies as a result.

    These developments raise a series of questions for corporate counsel to consider when advising on the drafting and delivery of mobile disclosures. Specifically, questions include:

    1. Is the length of the mobile disclosure document as brief and succinct as it can be? Does it use concrete, everyday words and the active voice? Do the disclosures avoid multiple negatives, technical jargon and ambiguous language?
    2. Are the mobile disclosures presented in a logical sequence? Are they laid out in clear, concise sentences, paragraphs and sections? Are they placed in equal prominence to each other, absent any other specific regulatory format or placement requirements? Is the content placed on a particular page appropriate for the sizing of the page on the mobile screen? If not, are textual or visual cues used to encourage scrolling?
    3. Does the mobile disclosure "call attention to itself?" Is it on a screen the mobile user must access or will likely access frequently? If not, is it behind a hyperlink on an introductory screen that is clearly labeled so as to convey the importance of the linked disclosure? Is it presented with a clear, visible heading and an easy-to-read typeface and typesize?
    4. Have various technical and other applicable industry standards been consulted in the process of designing, developing and displaying mobile disclosures?

    Payment Systems Mobile Banking Privacy/Cyber Risk & Data Security

  • FTC Obtains Agreement from Payment Processor to Prohibit Use of New Payment Method

    Fintech

    On January 5, the FTC announced a settlement with a payment processor and two of its principals that will prohibit the company from using a new payment method, through which accounts were debited without account-holder consent. The FTC alleged that the company actively promoted the method as a way to avoid scrutiny associated with other payment methods, and ignored red flags - such as payment-rejection rates exceeding 80 percent - that its merchant customers were seeking to defraud account-holders. As a result, according to the FTC, consumers incurred significant costs, including for overdraft fees. In addition to banning the use of this payment process, the settlement requires, among other things, that the company monitor client return rates and investigate rates exceeding 2.5 percent.

    FTC Payment Systems
