New Guidance for Employers Conducting Background Checks

By Angela Galloway

Employers who investigate workers' criminal or credit backgrounds may want to review federal guidelines released March 10.

The joint publication of the Federal Trade Commission and the Equal Employment Opportunity Commission provides detailed guidance for employers who check into the criminal or credit histories of applicants or employees. “Background Checks: What Employers Need to Know” aims to guide employers in complying with federal laws that prohibit workplace discrimination and regulate commercial background reporting agencies.

Separate laws restricting employers' ability to request or rely on such background checks have also been enacted by many states and cities, including Seattle and San Francisco.

The publication released today offers guidelines for developing policies and practices that avoid improper practices and discriminatory employment decisions. For example, the report advises:


FFIEC Finalizes and Clarifies Its Social Media Policy

By Karen Ross

The Federal Financial Institutions Examination Council (FFIEC) recently released its final supervisory guidance on social media use. In January 2013, we wrote about the FFIEC's proposed guidance in connection with the applicability of existing laws and policies to the social media activities of financial institutions. Since that time the FFIEC received 81 official comments on its proposal. The final guidance is not markedly different from the proposed guidance but clarifies the proposal in a few areas.

Genesco Wins One, Loses One in Its Case Challenging PCI DSS Fines and Assessments

By Randy Gainer, Attorney, CISSP, Davis Wright Tremaine LLP

On November 25, 2013, Chief Judge William Haynes filed the latest order in Genesco v. Visa, Civ. No. 3:13-cv-00202 (M.D. Tenn.). In his one-line order, Judge Haynes denied Genesco's motion for partial summary judgment "without prejudice to renew after a reasonable period of discovery." Genesco, a Nashville-based retailer with 2,440 stores in the U.S., U.K., Canada, and Ireland, sued the three Visa entities in March 2013 after Visa imposed a total of $13,298,900 in PCI DSS noncompliance fines and assessments. Genesco had asked for judgment as a matter of law on its claims that Visa's fines for alleged noncompliance with the Payment Card Industry Data Security Standard ("PCI DSS") (1) violated Genesco's acquiring banks' contracts with Visa; (2) violated the California Unfair Business Practices Act ("UCL"); or (3) unjustly enriched Visa. The court's denial of Genesco's motion leaves most of the key issues in this important case still to be resolved.


Dealing with Networks and Regulatory Compliance: The Legal Side of Mobile Retail

On April 16, 2013, DWT lawyers James Mann and Ronnie London presented on the topic of “Dealing with Networks and Regulatory Compliance: The Legal Side of Mobile Retail” at the RAMP Advanced Commerce and Mobile Retail Services Summit in Chicago.

The presentation focused primarily on two topics:

  • Why the Networks Are Here to Stay (and Some Suggestions for Dealing with Them)
  • Update on Mobile Regulatory Issues

To view the full presentation, click here.

FTC Data Security Consent Decree Suggests Minimum Steps Companies Must Take

Posted by Ronald London

The FTC recently announced a consent decree with online retailer Life is good that offers insight into what that agency may believe are the bare minimum steps companies must take when making the kind of generic we-protect-the-information-you-give-us statements found in most privacy policies. The FTC claimed Life is good offered such reassurances but failed to have in place sufficient measures (from the FTC's view) to back them up, based on the ability of a hacker to use SQL injection attacks on Life is good's website to access consumers' credit card numbers, expiration dates, and security codes. To resolve allegations in a draft complaint the FTC had prepared alleging unfair trade practices, Life is good settled the claims by entering a consent decree requiring it to adopt a comprehensive information-security program and obtain biennial audits by an independent third-party security professional … for the next 20 years.


California Governor Vetoes Proposed Law Imposing Stronger Data Protection Requirements

Posted by Charlene Brownlee

California Governor Arnold Schwarzenegger vetoed AB 779 -- legislation that would have amended California's data security breach legislation to impose stronger data protection requirements than the Payment Card Industry Data Security Standard.

AB 779 would have prohibited businesses that sell goods or services to any resident of California and that accept as payment credit cards (and debit cards or other payment devices) from, among other things, storing, retaining, sending, or failing to limit access to payment-related data, and from storing sensitive authentication data subsequent to an authorization, unless a specified exception applied. Further, the bill would have made such businesses liable to the owner or licensee of the information for the reimbursement of costs of: (i) providing notice to consumers as required by existing data breach notification law; and (ii) card replacement as a result of the breach.


Bank Regulatory Agencies Release Updated BSA/AML Examination Manual

Posted by Peter Mucklestone

The Federal Financial Institutions Examination Council (FFIEC) recently released an updated 2007 version of the Bank Secrecy Act/Anti-Money Laundering (BSA/AML) Examination Manual, which updates and further clarifies the supervisory expectations set out in the 2006 version published last year. The Manual is used in connection with examinations of supervised financial institutions.

The revised version is based on feedback from the banking industry and examination staff. The Office of Foreign Asset Control (OFAC) collaborated on the revisions made to the section that addresses compliance with economic and trade sanctions administered and enforced by OFAC.

The 2007 version of the manual is located on the FFIEC BSA/AML InfoBase website.

OFAC Publishes Guidance for Banks

Posted by Peter Mucklestone

The Office of Foreign Assets Control (OFAC) recently published a brochure titled "Foreign Assets Control Regulations for the Financial Community" dated June 15, 2007, to help banks comply with the statutes and regulations that OFAC administers.

OFAC administers laws and regulations, including the Trading With the Enemy Act and the International Emergency Economic Powers Act, which further U.S. foreign policy and national security objectives through trade embargoes, blocked assets controls and other commercial and financial restrictions. All U.S. persons, including banks, must comply with the laws and regulations that OFAC administers.


OCC Approves National Bank Investment in Fraud Prevention Company

Posted by Peter Mucklestone and Jim Young

The Office of the Comptroller of the Currency (OCC) recently issued an Interpretive Letter (the "Letter"), which concludes that national banks have the authority under 12 U.S.C. § 24(Seventh) to make a noncontrolling investment in a certain limited liability company (the "Investee LLC") that sells fraud prevention, identity verification, credential validation and payment/deposit risk services (the "Investee Activities") to financial institutions, credit card issuers, check acceptance companies, brokerage firms, mutual fund companies, retailers, governmental agencies and others. 12 U.S.C. § 24(Seventh) contains a broad grant of authority allowing national banks to engage in activities that are incidental to the "business of banking."


SAR Forms Revised

Posted by Peter Mucklestone

The Financial Crimes Enforcement Network (FinCEN) has revised the forms of Suspicious Activity Report (SAR). Certain financial companies are required to file SARs with the Treasury Department to report suspicious activity relevant to possible violations of law or regulations. The new forms should not be used before June 30, 2007, and the old forms will not be accepted after December 31, 2007.

There are different forms for different reporting companies. Depository Institutions should use FinCEN Form SAR-DI, Securities and Futures Industries should use FinCEN Form 101, Casinos and Card Clubs should use FinCEN Form 102, and Insurance Companies should use FinCEN Form 108.

The revisions are intended to facilitate joint filings and thereby reduce the number of duplicate SARs filed for a single transaction.

The new forms may be viewed at the FinCEN website.

FinCEN Clarifies Independent Review Requirements for MSB AML Programs

The Department of the Treasury Financial Crimes Enforcement Network (FinCEN) recently published Frequently Asked Questions (FAQs) providing guidance for money service businesses (MSBs) in connection with their anti-money laundering (AML) programs.

Under the Bank Secrecy Act (BSA), MSBs must establish an AML program that, at a minimum, sets forth internal policies, procedures, and controls; designates a compliance officer; provides for ongoing employee training; and provides for an independent audit function to test the program. 31 U.S.C. Section 5318(h).


When Your Offline Security Is Threatened By Your Online Activity, Part II

Posted by Joe Addiego

As blogged a month ago, several Craigslist users have been the target of violent robberies after being “cased out” during online transactions for the sale of their personal goods. It turns out that in addition to posing risks to your physical health, the use of message boards or auction sites can affect your financial health, as well, even if the financial transaction occurs offline.

The San Francisco Chronicle just reported an unfortunate incident that happened to a San Francisco resident, who unknowingly cashed a phony check he received in exchange for the sale of two bicycles he had posted for sale on Craigslist. The check was for an amount in excess of what he negotiated, but despite some reservations, the seller cashed the check anyway. Apparently, the scam was intended to induce the seller to deposit the check at his own bank, so that the scammer could cancel the check and request that the bank return the money, which would come out of the unsuspecting seller's account, before the check was spotted as a phony.


Agencies Release FAQs For Internet Banking Authentication

Posted by Peter Mucklestone

The bank regulatory agencies recently released a frequently asked questions ("FAQs") document to aid in the implementation of the interagency guidance on Authentication in an Internet Banking Environment issued October 12, 2005 (the "Interagency Guidance"). The Interagency Guidance addresses the need for risk-based assessment, customer awareness, and security measures to reliably authenticate customers remotely accessing their financial institutions’ Internet-based financial services.

The FAQs are a representation of questions the agencies have received from financial institutions, agency examiners and technology service providers. The FAQs are designed to assist financial institutions and their technology service providers in conforming to the Interagency Guidance by providing information on the scope of the Interagency Guidance, the timeframe for compliance, risk assessments, and other issues.

A link to the FAQs can be found on the Federal Financial Institutions Examination Council's (FFIEC) Web site.

Lawyers as "Service Providers" Under the Gramm-Leach-Bliley Act

Posted by Peter Mucklestone and Stuart Louie

Despite a ruling by the D.C. Circuit Court of Appeals that lawyers are not "financial institutions" under the Gramm-Leach-Bliley Act ("GLBA") and therefore need not comply with the privacy obligations under the GLBA required of financial institutions, it is likely that lawyers are "service providers" for the purposes of the GLBA when representing GLBA-regulated financial institutions. (See American Bar Ass'n v. Federal Trade Comm'n, 430 F.3d 457, 21 Law. Man. Prof. Conduct 616 (D.C. 2005).) The consequence? Lawyers representing GLBA-regulated financial institutions may be required to give contractual assurances about their information security practices and, in particular, the steps they are taking to protect any personal information they may acquire in the course of their representation.


Mutual Funds Must Report Suspicious Activity

Posted by Peter Mucklestone

Mutual funds must start filing Suspicious Activity Reports (SARs) on suspicious transactions according to a final rule issued by the Financial Crimes Enforcement Network (FinCEN). This new requirement becomes effective 180 days after the date of publication of the final rule in the Federal Register, which was May 4, 2006.


Customer Identification Responsibilities for Agency Lending Transactions

Posted by Peter Mucklestone and Stuart Louie

On April 25, 2006, the Department of the Treasury, Financial Crimes Enforcement Network issued a guidance statement in respect of Customer Identification Program ("CIP") responsibilities arising out of transactions where U.S. banks or broker-dealers ("Agent Lenders") arrange loans of securities to broker-dealers ("Borrowers") under the Agency Lending Disclosure Initiative. In a typical agency lending transaction, an Agent Lender agrees to make securities (held by such Agent Lender on behalf of its customers ("Customers")) available to be loaned to Borrowers through the Agent Lender's securities loan program. Other than imposing certain lending requirements and receiving periodic reports regarding loan transactions involving their securities, the Customers have virtually no role in the transaction. The master loan agreement is entered into between the Agent Lender and the Borrower, and the Borrower typically records the loan transaction in an account in the name of the Agent Lender. Under the Agency Lending Disclosure Initiative, the Agent Lender, after the fact, will provide to the Borrower information regarding the identities of the Customers whose securities have been loaned to the Borrower; however, the disclosure of such information is typically limited to certain personnel of the Borrower responsible for credit risk management and regulatory capital reporting.


2006 - The Year Of Communication

Posted by Peter Mucklestone

The Fifth National Conference on Ensuring Privacy and Security of Consumer Information, sponsored by the American Conference Institute, began Thursday morning at the Marriott East Side Hotel in New York. The conference is billed by its sponsor as the leading legal and regulatory forum for privacy professionals at financial institutions.


Federal Bank and Thrift Regulatory Agencies Publish Guide to Help Financial Institutions Comply with Information Security Guidelines

Posted by Peter Mucklestone and Stuart Louie

The federal bank and thrift regulatory agencies recently announced the publication of a compliance guide for the Interagency Guidelines Establishing Information Security Standards (the "Security Guidelines"). The Security Guidelines (i) implement section 501(b) of the Gramm-Leach-Bliley Act (GLB Act) and section 216 of the Fair and Accurate Credit Transactions Act of 2003 (FACT Act) and (ii) establish standards relating to administrative, technical, and physical safeguards to ensure the security, confidentiality, integrity and the proper disposal of customer information. The Small-Entity Compliance Guide (the "Compliance Guide") is intended to help financial institutions comply with the Security Guidelines by summarizing the obligations of financial institutions to protect customer information and by illustrating how certain provisions of the Security Guidelines apply to specific situations.


Wisconsin Putting Names of Delinquent Taxpayers Online

Posted by Merrill Baumann

Many businesses look to enhance revenues with online activities. Add to this group a growing number of state and county taxing authorities, who now publish the names of delinquent taxpayers on their websites. The newest state is Wisconsin, whose Department of Revenue last month sent out over 7,000 letters to taxpayers, warning that their names will be put on the new online delinquent taxpayer list early next year if they don't pay up or agree to a payment plan. Wisconsin joins Washington, California, New Jersey, Minnesota, North Carolina, South Carolina, and several other states with this practice. Louisiana leaves no doubt about its site's objective, calling it "Cybershame."