InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
State AGs Urge Card Companies to Advance Consumer Protection by Implementing Chip and PIN Technology
On November 16, nine state attorneys general sent a letter urging leading card brands to expedite the implementation of chip and PIN technology in the United States. The letter summarizes research connected to recent data breaches, stating “individuals whose credit or debit cards were breached in the past year were nearly three times more likely to be an identity fraud victim.” Addressing concern that PIN technology would be burdensome or confusing to consumers, the AGs maintain that many consumers are accustomed to financial transactions that rely on PIN technology, such as transactions involving debit cards, and point to a November 2014 poll that indicated cardholders were supportive of chip and PIN technology. The AGs emphasize that PIN technology is “nothing new” and is considered the “gold standard” for payment card security, noting that countries around the world have seen a dramatic decrease in fraud since implementing the technology. Finally, while the letter stresses that chip and PIN technology would better protect both consumers and businesses from data breaches, it does not suggest that the technology be legally mandated at the federal or state level: “[T]his letter calls upon you as good corporate citizens to voluntarily expedite the implementation of existing technology that offers the most substantial security benefits, and to continue to adapt and improve security as quickly as possible as technology advances.”
Industry Trade Groups Urge Congress to Pass Legislation to Protect Consumers from Data Breaches
On February 12, seven industry trade associations co-authored a letter to Congress regarding anticipated data breach legislation. The letter urges Congress to protect its constituents from the impact of identity theft and financial fraud resulting from data breaches by (i) considering a national data security and breach standard; (ii) recognizing the existing fraud protection standards (e.g., HIPAA and GLBA) and having them serve as a model for sectors where there are none; and (iii) encouraging shared responsibility between entities, including costs. The letter is the latest effort among the industry to lobby Congress in passing legislation to combat increasing data breaches and fraud.
Justice Scalia Places Renewed Focus on Lenity in Hybrid Civil-Criminal Statutes
On November 10, 2014, the Supreme Court denied Douglas Whitman’s petition for a writ of certiorari in Whitman v. United States, No. 14-29; Justice Antonin Scalia, joined by Justice Clarence Thomas, issued a brief statement specifically highlighting their view of the role that the doctrine of lenity should play in the interpretation of criminal statutes. Whitman asked the high court to review his 2012 conviction for securities fraud and conspiracy under the Securities Exchange Act of 1934. The Second Circuit appeared to defer to the SEC’s interpretation of ambiguous language in the Act—according to Justice Scalia, such an approach would disregard the “many cases . . . holding that, if a law has both criminal and civil applications, the rule of lenity governs its interpretation in both settings.” Justice Scalia further noted that it was the exclusive province of the legislature to create criminal laws, and to defer to the SEC’s interpretation of a criminal statute would “upend ordinary principles of interpretation.” Justice Scalia’s approach may indicate potential adjustments in the ongoing effort to strike the right balance between the due process rights of targets of enforcement actions to know what the law prohibits, and deference to enforcement agencies to interpret federal statutes flexibly. BuckleySandler discussed the tension between lenity and Chevron deference earlier this year in a January 16 article, Lenity, Chevron Deference, and Consumer Protection Laws.
ABA Petitions FCC To Allow Security And Fraud Alerts To Customers Without Consent
On October 14, the ABA submitted a petition to the FCC requesting that it exercise its statutory authority to allow financial institutions to send consumers certain security and fraud alerts without the consumers’ prior consent. Specifically, the consumers would receive alerts regarding: (i) transactions suggesting a risk of identity theft or fraud; (ii) potential security breaches involving personal information; (iii) preventative steps consumers can take to decrease their chances of falling victim to security breaches, in addition to steps they can take to remedy harm already caused by a breach; and (iv) actions required to receive a receipt for money transfers. The petition notes that the most effective way to ensure that consumers receive these important messages is through automated texts and calls to mobile devices and accordingly requests that the FCC allow for an exemption to the Telephone Consumer Protection Act to ensure that customers receive security and fraud notifications in a timely manner.
FTC Proposes Ban on Some Payment Methods Used by Telemarketers
On May 21, the FTC proposed to prohibit the use of certain payment methods it believes are favored by "fraudulent telemarketers." The FTC's proposed rule would amend the Telemarketing Sales Rule (TSR) to prohibit telemarketers from (i) using remotely created unsigned checks and payment orders to directly access consumer bank accounts, and (ii) receiving payment through “cash-to-cash” money transfers and “cash reload” mechanisms. The FTC explained that allegedly fraudulent telemarketers rely on such payment methods because they are largely unmonitored and provide fewer consumer fraud protections. The proposed rule also would (i) expand the TSR's ban on telemarketing "recovery services" in exchange for an advance fee and (ii) clarify various other provisions of the TSR. The FTC is accepting public comments on the proposal through July 29, 2013.
FTC Updates Guidance for Mobile and Internet Advertising Disclosures
Yesterday, the FTC released guidance for mobile and other online advertisers. The new guidance, “.com Disclosures: How to Make Effective Disclosures in Digital Advertising,” adapts and expands prior FTC guidance to account for a decade’s worth of additional experience with online marketing practices, consumers’ increasing use of smartphones, and merchants’ increasing use of social media marketing.
The new guidance highlights several key considerations for businesses as they develop advertisements for online and mobile media:
- The same consumer protection laws – e.g. UDAP – that apply to commercial activities in other media apply online and in the mobile marketplace.
- Limitations and qualifying information should be incorporated into any underlying claim, rather than provided as a separate disclosure qualifying the claim.
- Marketing materials that may be viewed on a variety of platforms, including handheld devices, should be designed so that required disclosures are effectively delivered on all of the platforms.
- Required disclosures must be clear and conspicuous, as determined by numerous factors.
- If a disclosure is necessary to prevent an advertisement from being deceptive, unfair, or otherwise violative of a FTC rule, and it is not possible to make the disclosure clearly and conspicuously, then that ad should not be disseminated.
To meet the clear and conspicuous standard, the FTC reminds advertisers that, generally, a disclosure should be placed as close as possible to the trigger claim, and that they should take account of the devices and platforms consumers may use to view the advertisement and disclosure. The FTC offers other specific guidance, with corresponding examples, for complying with the clear and conspicuous standard in online and mobile advertisements:
- When a space-constrained ad requires a disclosure, incorporate the disclosure into the ad whenever possible. When it is not possible it may be acceptable to make the disclosure clearly and conspicuously on the page to which the ad links.
- Hyperlinks used to lead to a disclosure should (i) be obvious, (ii) be labeled appropriately to convey the importance and relevance of the information it leads to, and consistently formatted, (iii) be placed as close as possible to the relevant information it qualifies, (iv) take consumers directly to the disclosure on the click-through page, and (v) be monitored for effectiveness and changed, if necessary.
- Avoid requiring consumers to “scroll” in order to find a disclosure, or, when necessary, use text or visual cues to encourage consumers to scroll to view the disclosure.
- Determine screen placement based on empirical research about where consumers do and do not look.
- Recognize and respond to any technological limitations or unique characteristics of a communication method.
- Display disclosures before consumers make a decision to buy, and consider repeating disclosures before a purchase is finalized.
- Repeat disclosures, as needed, on lengthy websites and in connection with repeated claims.
- For products intended or able to be purchased from “brick and mortar” stores or from online retailers other than the advertiser itself, the disclosure should be presented in the ad itself.
- Prominently display disclosures, based on an evaluation of the size, color, and graphic treatment of the disclosure in relation to other parts of the webpage. Do not relegate disclosures to “terms of use” and similar contractual agreements.
- Review the entire ad to assess whether the disclosure is effective in light of other elements that might distract consumers’ attention from the disclosure.
- Use audio disclosures when making audio claims, and present them in a volume and cadence so that consumers can hear and understand them.
- Display visual disclosures for a duration sufficient for consumers to notice, read, and understand them.
- Use plain language and syntax so that consumers understand the disclosures.
The updated guidance, and especially the FTC’s emphasis on the ability of marketing materials to effectively deliver disclosures across multiple platforms, should lead businesses with online marketing programs to carefully review and re-assess their marketing materials and methods of presentation.
President, Congress Extend Cross-Border Fraud Enforcement Law
On December 4, President Obama signed a bill, H.R. 6131, that extends through December 2020, a law that enhances the FTC’s ability to address cross-border fraud, and particularly to fight spam, spyware, and Internet fraud and deception. Originally passed in December 2006 and set to expire in December 2013, the U.S. SAFE WEB Act amended the FTC Act to include within the definition of "unfair or deceptive acts or practices" certain acts or practices involving foreign commerce. Further, the law authorizes the FTC to (i) disclose certain privileged or confidential information to foreign law enforcement agencies, and (ii) provide investigative assistance to a foreign law enforcement agency pursuing violations of laws prohibiting fraudulent or deceptive commercial practices or other practices substantially similar to practices prohibited by laws administered by the FTC without requiring that the conduct identified constitute a violation of U.S. laws.
Eleventh Circuit Holds Bank Security Procedure Insufficient to Provide Safe Harbor from Liability for Fraudulent Wire Transfer
On November 27, the U.S. Court of Appeals for the Eleventh Circuit held that a bank may be liable for an allegedly fraudulent in-person wire transfer because it failed to implement a commercially reasonable security procedure to verify the authenticity of the wire transfer order and to detect transmission or content errors. Chavez v. Mercantil Commercebank N.A., No. 11-15804, 2012 WL 5907151 (11th Cir. Nov. 27, 2012). The plaintiff, a Venezuelan resident who opened an account at a Florida bank, elected a security procedure under the account’s Funds Transfer Agreement that provided only that the bank require written authorization by him in order to process any orders for the account. The plaintiff sued the bank for lost funds, claiming that the bank allowed an unauthorized individual to initiate a fraudulent in-person wire transfer of funds out of the account. The district court granted summary judgment in favor of the bank, holding that state law creates a safe harbor that relieves banks of liability for fraudulent payment orders if the bank and the customer agree to a commercially reasonable security procedure and the bank follows that procedure in good faith. The appellate court held that the agreed-upon security procedure was not in fact a security procedure as defined by statute. The court explained that state law disavows security procedures that require only a comparison of a signature on a payment order with an authorized specimen signature of the customer. In this case, the security procedure required written authorization, but was silent as to how the bank was to verify that authorization, i.e., it did not even require that the signature be compared to one on file. The court held that because the bank and the account holder did not agree to a security procedure, the bank could not seek safe harbor protection and reversed the district court’s order. One judge dissented from the majority opinion and argued that the Funds Transfer Agreement encompassed both the required and discretionary security procedures, which, taken together, were commercially reasonable and followed in good faith, therefore affording the bank safe harbor protection.
DOJ Sues Mortgage Lender Over Alleged Fraudulent Certification of FHA Loans
On October 9, the U.S. Attorney for the Southern District of New York and the U.S. Department of Housing and Urban Development (HUD) announced a civil fraud suit against a mortgage lender alleged to have falsely certified loans under the FHA’s Direct Endorsement Lender Program. The suit, filed in coordination with the Financial Fraud Enforcement Task Force (FFETF), claims that from May 2001 through October 2005, the lender regularly and knowingly engaged in reckless origination and underwriting of FHA loans, while certifying to HUD that those loans met the FHA Direct Endorsement Lender Program requirements and were therefore eligible for FHA insurance. Further, the suit alleges that the lender failed to conduct adequate quality control, failed to comply with HUD self-reporting requirements, and later attempted to cover up its reporting failures. The government claims that it was required to pay, and will continue to have to pay, FHA benefits on defaulted loans that contained material violations, and seeks treble damages and penalties under the False Claims Act, as well as Financial Institutions Reform, Recovery, and Enforcement Act penalties. The government also seeks compensatory damages under the common law theories of breach of fiduciary duty, gross negligence, negligence, unjust enrichment, and payment under mistake of fact. This suit follows the settlements earlier this year of several other cases involving similar claims. One other similar suit is currently pending.
DOJ Announces Results of Year-Long Mortgage Fraud Initiative
On October 9, the DOJ, HUD, the FTC, and the FBI announced the results of the Distressed Homeowner Initiative, a year-long national effort to coordinate federal and state investigation and prosecution of alleged mortgage fraudsters. The Initiative was carried out under the Mortgage Fraud Working Group of the FFETF. Between October 1, 2011 and September 30, 2012, the unit’s work resulted in 285 criminal indictments and informations against 530 defendants. The announcement described many of the Working Group’s investigative tactics, including undercover operations, and explained the reasons behind the Working Group’s focus on Southern California. The Working Group expects more enforcement actions to result from ongoing investigations, and the FFETF has several other active working groups, including the Residential Mortgage-Backed Securities Working Group that recently sued a major bank over alleged fraudulent misrepresentations and omissions in the sale of RMBS to investors.