Privacy & Security Law Blog

Legal Commentary and Resources for the Payment Industry

Insight & Commentary on Information Management and Protection

Category Archives: Financial Services

Federal Financial Institutions Examination Council Launches Cybersecurity Webpage and Begins Cybersecurity Assessments

Posted in Cyber and National Security, Data Protection, Financial Services, Marketing and Consumer Privacy

“For cyber criminals, banks are especially tempting targets – not only because banks are where the money is, but also because of the vast amount of proprietary information banks have about their customers.” Thomas J. Curry, Comptroller of the Currency

In comments before the Risk Management Association’s Governance, Compliance, and Operational Risk Conference last month, Thomas J. Curry, Comptroller of the Currency and Chairman of the Federal Financial Institutions Examination Council [1] stated that “Attacks on our information infrastructure are everywhere. … For cyber criminals, banks are especially tempting targets – not only because banks are where the money is, but also because of the vast amount of proprietary information banks have about their customers. Some attackers target banks because they want to undermine confidence in our country’s financial system. Penetrating the information defenses of any one system may enable attackers to penetrate another, and that in turn could enable more widespread attacks on the broader economy.”

Comptroller Curry stated that helping to make banks less vulnerable and more resilient to cyber-attacks has been one of his top priorities as Comptroller and Chairman of the FFIEC. As part of this effort, he formed the Cybersecurity and Critical Infrastructure ...

FFIEC Finalizes and Clarifies Its Social Media Policy

Posted in Financial Services

The Federal Financial Institutions Examination Council (FFIEC) recently released its final supervisory guidance on social media use. In January 2013, we wrote about the FFIEC’s proposed guidance in connection with the applicability of existing laws and policies to the social media activities of financial institutions. Since that time the FFIEC received 81 official comments on its proposal. The final guidance is not markedly different from the proposed guidance but clarifies the proposal in a few areas.

Genesco Wins One, Loses One in Its Case Challenging PCI DSS Fines and Assessments

Posted in Financial Services

On November 25, 2013, Chief Judge William Haynes filed the latest order in Genesco v. Visa, Civ. No. 3:13-cv-00202 (M.D. Tenn.). In his one-line order, Judge Haynes denied Genesco’s motion for partial summary judgment “without prejudice to renew after a reasonable period of discovery.” Genesco, a Nashville-based retailer with 2,440 stores in the U.S., U.K., Canada, and Ireland, sued the three Visa entities in March 2013 after Visa imposed a total of $13,298,900 in PCI DSS noncompliance fines and assessments. Genesco had asked for judgment as a matter of law on its claims that Visa’s fines for alleged noncompliance with the Payment Card Industry Data Security Standard (“PCI DSS”) (1) violated Genesco’s acquiring banks’ contracts with Visa; (2) violated the California Unfair Business Practices Act (“UCL”); or (3) unjustly enriched Visa. The court’s denial of Genesco’s motion leaves most of the key issues in this important case to be resolved.

Dealing with Networks and Regulatory Compliance: The Legal Side of Mobile Retail

Posted in Financial Services, Global, Policy and Regulatory Positioning

On April 16, 2013, DWT lawyers James Mann and Ronnie London presented on the topic of “Dealing with Networks and Regulatory Compliance: The Legal Side of Mobile Retail” at the RAMP Advanced Commerce and Mobile Retail Services Summit in Chicago.

The presentation focused primarily on two topics:

  • Why the Networks Are Here to Stay (and Some Suggestions for Dealing with Them)
  • Update on Mobile Regulatory Issues

To view the full presentation, click here.

FTC Data Security Consent Decree Suggests Minimum Steps Companies Must Take

Posted in Cyber and National Security, Data Protection, Financial Services, Global, Marketing and Consumer Privacy, Policy and Regulatory Positioning

The FTC recently announced a consent decree with online retailer Life is good (www.lifeisgood.com) that offers insight into what that agency may believe are the bare minimum steps companies must take when making the kind of generic we-protect-the-information-you-give-us statements found in most privacy policies. The FTC claimed Life is good offered such reassurances but failed to have in place sufficient measures (from the FTC’s view) to back them up, based on the ability of a hacker to use SQL injection attacks on Life is good’s website to access consumers’ credit card numbers, expiration dates, and security codes. To resolve allegations in a draft complaint the FTC had prepared alleging unfair trade practices, Life is good settled the claims by entering a consent decree requiring it to adopt a comprehensive information-security program and obtain biennial audits by an independent third-party security professional … for the next 20 years.

California Governor Vetoes Proposed Law Imposing Stronger Data Protection Requirements

Posted in Cyber and National Security, Financial Services, Policy and Regulatory Positioning

Posted by Charlene Brownlee

California Governor Arnold Schwarzenegger vetoed AB 779, legislation that would have amended California’s data security breach legislation to impose stronger data protection requirements than the Payment Card Industry Data Security Standard.

AB 779 would have prohibited businesses that sell goods or services to any resident of California and that accept as payment credit cards (and debit cards or other payment devices) from, among other things, storing, retaining, sending, or failing to limit access to payment-related data, and from storing sensitive authentication data subsequent to an authorization, unless a specified exception applied. Further, the bill would have made such businesses liable to the owner or licensee of the information for the reimbursement of costs of: (i) providing notice to consumers as required by existing data breach notification law; and (ii) card replacement as a result of the breach.

Bank Regulatory Agencies Release Updated BSA/AML Examination Manual

Posted in Financial Services

Posted by Peter Mucklestone

The Federal Financial Institutions Examination Council (FFIEC) recently released an updated 2007 version of the Bank Secrecy Act/Anti-Money Laundering (BSA/AML) Examination Manual, which updates and further clarifies supervisory expectations since the 2006 version was published last year. The Manual is used in connection with examinations of supervised financial institutions.

The revised version is based on feedback from the banking industry and examination staff. The Office of Foreign Asset Control (OFAC) collaborated on the revisions made to the section that addresses compliance with economic and trade sanctions administered and enforced by OFAC.

The 2007 version of the manual is located on the FFIEC BSA/AML InfoBase website.

OFAC Publishes Guidance for Banks

Posted in Financial Services

Posted by Peter Mucklestone

The Office of Foreign Assets Control (OFAC) recently published a brochure titled "Foreign Assets Control Regulations for the Financial Community" dated June 15, 2007, to help banks comply with the statutes and regulations that OFAC administers.

OFAC administers laws and regulations, including the Trading With the Enemy Act and the International Emergency Economic Powers Act, which further U.S. foreign policy and national security objectives through trade embargoes, blocked assets controls and other commercial and financial restrictions. All U.S. persons, including banks, must comply with the laws and regulations that OFAC administers.

OCC Approves National Bank Investment in Fraud Prevention Company

Posted in Financial Services

Posted by Peter Mucklestone and Jim Young

The Office of the Comptroller of the Currency (OCC) recently issued an Interpretive Letter (the “Letter”), which concludes that national banks have the authority under 12 U.S.C. § 24(Seventh) to make a noncontrolling investment in a certain limited liability company (the “Investee LLC”) that sells fraud prevention, identity verification, credential validation and payment/deposit risk services (the “Investee Activities”) to financial institutions, credit card issuers, check acceptance companies, brokerage firms, mutual fund companies, retailers, governmental agencies and others. 12 U.S.C. § 24(Seventh) contains a broad grant of authority allowing national banks to engage in activities that are incidental to the "business of banking."

SAR Forms Revised

Posted in Financial Services

Posted by Peter Mucklestone

The Financial Crimes Enforcement Network (FinCEN) has revised the forms of Suspicious Activity Report (SAR). Certain financial companies are required to file SARs with the Treasury Department to report suspicious activity relevant to possible violations of law or regulations. The new forms should not be used before June 30, 2007, and the old forms will not be accepted after December 31, 2007.

There are different forms for different reporting companies. Depository Institutions should use FinCEN Form SAR-DI, Securities and Futures Industries should use FinCEN Form 101, Casinos and Card Clubs should use FinCEN Form 102 and Insurance Companies should use FinCEN Form 108.

The revisions are intended to facilitate joint filings and thereby reduce the number of duplicate SARs filed for a single transaction.

The new forms may be viewed at the FinCEN website.

FinCEN Clarifies Independent Review Requirements for MSB AML Programs

Posted in Financial Services

The Department of the Treasury Financial Crimes Enforcement Network (FinCEN) recently published Frequently Asked Questions (FAQs) providing guidance for money service businesses (MSBs) in connection with their anti-money laundering (AML) programs.

Under the Bank Secrecy Act (BSA), MSBs must establish an AML program that, at a minimum: sets forth internal policies, procedures, and controls; designates a compliance officer; provides for ongoing employee training; and provides for an independent audit function to test the program. 31 U.S.C. § 5318(h).

When Your Offline Security Is Threatened By Your Online Activity, Part II

Posted in Financial Services

Posted by Joe Addiego

As blogged a month ago, several Craigslist users have been the target of violent robberies after being “cased out” during online transactions for the sale of their personal goods. It turns out that in addition to posing risks to your physical health, the use of message boards or auction sites can affect your financial health, as well, even if the financial transaction occurs offline.

The San Francisco Chronicle just reported an unfortunate incident that happened to a San Francisco resident, who unknowingly cashed a phony check he received in exchange for the sale of two bicycles he had posted for sale on Craigslist. The check was for an amount in excess of what he negotiated, but despite some reservations, the seller cashed the check anyway. Apparently, the scam was intended to induce the seller to deposit the check at his own bank, so that the scammer could cancel the check and request that the bank return the money, which would come out of the unsuspecting seller’s account, before the check was spotted as a phony.

Agencies Release FAQs For Internet Banking Authentication

Posted in Financial Services

Posted by Peter Mucklestone

The bank regulatory agencies recently released a frequently asked questions ("FAQs") document to aid in the implementation of the interagency guidance on Authentication in an Internet Banking Environment issued October 12, 2005 (the "Interagency Guidance"). The Interagency Guidance addresses the need for risk-based assessment, customer awareness, and security measures to reliably authenticate customers remotely accessing their financial institutions’ Internet-based financial services.

The FAQs are a representation of questions the agencies have received from financial institutions, agency examiners and technology service providers. The FAQs are designed to assist financial institutions and their technology service providers in conforming to the Interagency Guidance by providing information on the scope of the Interagency Guidance, the timeframe for compliance, risk assessments, and other issues.

A link to the FAQs can be found on the Federal Financial Institutions Examination Council’s (FFIEC) Web site.

Lawyers as “Service Providers” Under the Gramm-Leach-Bliley Act

Posted in Financial Services, Policy and Regulatory Positioning

Posted by Peter Mucklestone and Stuart Louie

Despite a ruling by the D.C. Circuit Court of Appeals that lawyers are not "financial institutions" under the Gramm-Leach-Bliley Act ("GLBA") and therefore need not comply with the privacy obligations under the GLBA required of financial institutions, it is likely that lawyers are "service providers" for the purposes of the GLBA when representing GLBA-regulated financial institutions. (See American Bar Ass’n v. Federal Trade Comm’n, 430 F.3d 457, 21 Law. Man. Prof. Conduct 616 (D.C. Cir. 2005).) The consequence? Lawyers representing GLBA-regulated financial institutions may be required to give contractual assurances about their information security practices and, in particular, the steps they are taking to protect any personal information they may acquire in the course of their representation.

Customer Identification Responsibilities for Agency Lending Transactions

Posted in Financial Services

Posted by Peter Mucklestone and Stuart Louie

On April 25, 2006, the Department of the Treasury, Financial Crimes Enforcement Network issued a guidance statement in respect of Customer Identification Program (“CIP”) responsibilities arising out of transactions where U.S. banks or broker-dealers (“Agent Lenders”) arrange loans of securities to broker-dealers (“Borrowers”) under the Agency Lending Disclosure Initiative. In a typical agency lending transaction, an Agent Lender agrees to make securities (held by such Agent Lender on behalf of its customers (“Customers”)) available to be loaned to Borrowers through Agent Lender’s securities loan program. Other than imposing certain lending requirements and receiving periodic reports regarding loan transactions involving its securities, the Customers have virtually no role in the transaction. The master loan agreement is entered into between the Agent Lender and the Borrower and the Borrower typically records the loan transaction in an account in the name of the Agent Lender. Under the Agency Lending Disclosure Initiative, the Agent Lender, after the fact, will provide to Borrower information regarding the identities of the Customers whose securities have been loaned to the Borrower; however, the disclosure of such information is typically limited to certain personnel of Borrower responsible for credit risk management and ...

Federal Bank and Thrift Regulatory Agencies Publish Guide to Help Financial Institutions Comply with Information Security Guidelines

Posted in Financial Services

Posted by Peter Mucklestone and Stuart Louie

The federal bank and thrift regulatory agencies recently announced the publication of a compliance guide for the Interagency Guidelines Establishing Information Security Standards (the “Security Guidelines”). The Security Guidelines (i) implement section 501(b) of the Gramm-Leach-Bliley Act (GLB Act) and section 216 of the Fair and Accurate Credit Transactions Act of 2003 (FACT Act) and (ii) establish standards relating to administrative, technical, and physical safeguards to ensure the security, confidentiality, integrity and the proper disposal of customer information. The Small-Entity Compliance Guide (the “Compliance Guide”) is intended to help financial institutions comply with the Security Guidelines by summarizing the obligations of financial institutions to protect customer information and by illustrating how certain provisions of the Security Guidelines apply to specific situations.

Wisconsin Putting Names of Delinquent Taxpayers Online

Posted in Financial Services

Posted by Merrill Baumann

Many businesses look to enhance revenues with online activities. Add to this group a growing number of state and county taxing authorities, who now publish names of delinquent taxpayers on their websites. The newest state is Wisconsin, whose Department of Revenue last month sent out over 7,000 letters to taxpayers, warning that their names will be put on the new online delinquent taxpayer list early next year if they don’t pay up or agree to a payment plan. Wisconsin joins Washington, California, New Jersey, Minnesota, North Carolina, South Carolina, and several other states with this practice. Louisiana leaves no doubt over its site’s objective, calling it “Cybershame.”