About

Comment Policy

Disclaimer

Sponsored Links

Subscribe

Add me to your TypePad People list

Search BLB


  • Google

Banking Blogs

Law Bloggers

Stats

Blog powered by TypePad
Member since 03/2004

« August 2005 | Main | October 2005 »

September 26, 2005

One Response to Sarbanes-Oxley: Go Private

ShrinkingHouston's Republic Bankshares of Texas Inc. responds to the expense of compliance with Sarbanes-Oxley by "going private." It's exchanging common for preferred shares to reduce its number of common stockholders below 300, so that it will no longer be considered a "public" corporation subject to the burdens of Sarbanes-Oxley (and many other filing requirements under the Securities and Exchange Act of 1934).

This solution makes sense for a bank like Republic, which has a relatively small number of shareholders. Other banks (and public companies) have utilized the same tactic. Obviously, it doesn't foreclose the ability to "go public" at a later date.

Sarbanes-Oxley compliance expenses continue to negatively impact the bottom lines of banks and other public companies, adding one more reason that banks are seeking regulatory relief on many fronts.

05:22 AM in Federal Legislation, Securities | | Comments (0)

September 23, 2005

Cardsystems Solutions Sells Out

BrokenlockThe steep price of security breaches appears to be playing out for Cardsystems Solutions, Inc. According to press reports today, Cardsystems is selling substantially all of its assets to CyberSource Corp.

As previously discussed on Bank Lawyer's Blog, Cardsystems Solutions Inc. had threaten to shut down in response to threats by Visa to pull its issuing banks' credit and debit card payment processing business from Cardsystems in the wake of a data security breach that exposed the personal information of 40 million cardholders. Apparently, Cardsystems was unable to convince Visa that it had adequately remedied weaknesses in its security.

Even if security systems vulnerabilities had been addressed, I have previously guessed that the real problem between Cardsystems and Visa has more to do with the fact that Cardsystems retained records that it was contractually prohibited from retaining. Such a "breach of faith" is difficult, if not impossible, to repair, and in this case the problem is exacerbated by Visa's deadline for transferring processing of October 31, 2005.

Banks need to take heed: when the regulators state that "reputational risk" is a serious matter when undertaking due diligence on vendors, they aren't kidding. In addition, this instance also may be the regulators' "poster child" of what can happen to a financial services company when its customers lose faith in it as a result of an information security systems breach.

Expect this to remain a "hot button" with bank examiners for some time to come.

03:10 PM in Privacy, Web/Tech | | Comments (0)

Credit Agencies Cooperate On Data Encryption

Crypto

The "Big Three" nationwide credit reporting agencies, Experian, Equifax and TransUnion, announced yesterday that they will cooperate in developing a single standard  for encrypting data send by information furnishers (such as banks and other lenders) to those agencies. The agencies "said the joint effort would involve the development and adoption of a data-cloaking code built on encrypted algorithm and 128-bit, secret-key technologies."

A single encryption standard makes it easier (and, I assume, less expensive) for banks and other "information furnishers" to deal with the encryption and transmission of credit experience information to the Big Three. Assuming the standard is "robust," it should also offer some assurance that the encryption standard that is adopted is "state of the art" and offers the best protection available.

Unfortunately, toward the latter part of the article, there is bad news from Visa and MasterCard with respect to the increasing sophistication of crooks using former KGB cryptographers.

Visa and MasterCard said the unity was required given the growing sophistication of the thieves, who, they said, were increasingly acting in concert and hiring former Soviet KGB cryptographers to help crack security codes.

Among the challenges the financial services industry faces is the emergence of highly sophisticated "sleeper crimeware" programs that infect a computer and then wait -- quietly -- for the user to log into a highly secure site such as an online banking or brokerage account.

Once the infected user has run the gauntlet of passwords and authentication hurdles and is inside, the sleeper program wakes up and swings into action, launching what is known in the industry as a man-in-the-middle attack.

In the case of an online bank account, for instance, it might send instructions to the secure server -- which the server believes to be legitimate and the infected user cannot see -- to liquidate the account and transfer the balance overseas using automatic clearing house services.

"We're making it tougher and tougher for the bad guys," John Shaughnessy, senior vice president for fraud prevention at Visa USA, told the Memphis conference on Monday.

"But the Russians are good."

Yes, the Russians are good and apparently the perfect product of a political and social system that amounts to no more than a very sophisticated "kleptocracy." The fall of the Soviet Union continues to have all sorts of unintended consequences as a system that has produced a generation of people devoid of strong moral principles, or even respect for man-made laws, adapts itself to the "free market system."

11:09 AM in Privacy, Web/Tech | | Comments (0)

September 22, 2005

Personailty Tests: ADA Violation?

PersonalityBanks are required to conduct background checks on employees who will have access to customer information, and are also prohibited by federal law from employing persons who have been convicted of certain crimes or who are subject to certain prohibition orders issued by regulatory authorities. Thus, banks are used to obtaining background checks on employees.

Many banks are also using certain types of tests to attempt to screen out potential employees who might be likely to steal or lie. Various firms offer such "personality tests."

The U.S. Seventh Circuit Court of Appeals has clarified that while use of "personality tests" to identify such personality traits as "honesty, preferences and habits" does not violate the Americans With Disabilities Act, the use of the Minnesota Multiphasic Personality Inventory by Rent-A-Center to exclude existing employees from management positions did violate the ADA because "whether or not Rent-A-Center used the test to weed out applicants with certain [psychological] disorders, its use of the MMPI likely had the effect of excluding employees with disorders from promotions." Thus, the ADA's general prohibition against using "medical examinations" that tend to screen out people with disabilities.

Relying on EEOC guidance, the court set forth seven factors to determine whether a test is a "medical examination:"

(1) whether the test is administered by a health care professional;

(2) whether the test is interpreted by a health care professional;

(3) whether the test is designed to reveal an impairment of physical or mental health;

(4) whether the test is invasive;

(5) whether the test measures an employee’s performance of a task or measures his/her physiological responses to performing the task;

(6) whether the test normally is given in a medical setting; and

(7) whether medical equipment is used.

Although the District Court placed much emphasis upon the fact that the test results were not interpreted by a health professional, the Court of Appeals held that only one factor may be determinative. Here, the court determined that factor number 3 was present and, therefore, the use of the test violated the ADA.

The obvious lesson for Human Resources professionals is not to use the MMPI test for employment screening purposes, and to be cautious when using any personality test.

05:54 PM in Employment | | Comments (5)

September 21, 2005

US Data Security Breach Notification Legislation Delayed

News.com reports that the U.S. Senate Judiciary Committee will not take up three pending data security breach notification bills until next week, at the earliest. John Roberts' Supreme Court nomination will take up tomorrow's agenda.

As I noted last week, it appears increasingly unlikely (although not impossible) that banks (and other businesses) will obtain, this year, a single, national standard for dealing with when and how businesses must notify customers of data security breaches. Although compliance with the Interagency Guidelines on this issue provides some protection, state law requirements will continue to be an issue for banks.

01:48 PM in Federal Legislation, Privacy, State Law, Web/Tech | | Comments (0)

September 19, 2005

Another One Bites The Dust

Last_man_standingLast Thursday in the US Court of Federal Claims, Astoria Federal Savings won a $435,770,000 breach of contract claim against the United States government. The decision is here. The decision in the Astoria case is one in a line of so-called Winstar decisions, named after the first plaintiff to win one of these cases at the Supreme Court level in 1996. Read here if you're interested.

These cases arise out of the failures of savings and loan institutions insured by the Federal Savings and Loan Insurance Corporation (since merged into the FDIC) in the 1980S. Initially, the FSLIC and the banking regulators allowed a healthy thrift to "merge" with (actually acquire the deposits and "good assets" of) the insolvent thrift and add the "negative net worth" of that thrift to the healthy bank's capital in the form of an intangible asset called "supervisory goodwill." The regulators permitted the healthy bank to write off (amortize) the "supervisory goodwill" against future earnings over a period of 40 years. Certain other "forbearances" were also granted the bank. The acquiring bank was allowed to use the additional "capital" to grow the bank, thereby "earning its way" out of the problems of the insolvent thrift and helping the FDIC from having to pay off the insolvent institution's insured depositors. There were later variations on this plan, most prominently in connection with the "Southwest Plan" formulated in the late 1980S, but the crucial factor in all these transactions was that "forbearances" were granted by the banking regulators to the acquiring banks that allowed them to avoid certain regulatory requirements that would otherwise have applied to their operations.

In 1989, Congress passed the Financial Institutions Reform, Recovery and Enforcement Act (FIRREA), which mandated strict new capital requirements for financial institutions. In implementing FIRREA, the banking regulators took the position that they had no ability to continue the forbearances previously granted to the acquiring banks, and the Government revoked them. In the case of "supervisory goodwill," this meant that the acquiring banks could no longer treat supervisory goodwill as an asset amortizable over 40 years, but one that must be written off over a much shorter time frame prescribed by FIRREA. Obviously, this caused the banks who had purchased the insolvent institutions to have to raise new capital quickly, often on unfavorable terms, in order not to be in violation of new, higher capital requirements. Many (most) of these banks sued the US Government for breach of contract.

In the vast majority of the cases, the banks have won, if not all the damages that they sought, then billions of dollars. They have been opposed at every step by the US Government, which has routinely appealed the decisions, and, although in some cases it has succeeded on appeal in whittling down the damages to some degree, it has not succeeded in avoiding the liability of the government for its breach of contract. Yet, on and on it fights.

It is my view that the US Government fights this war of attrition not because it expects to win, but because it hopes (with some justification, given the length of time these cases have lasted) to defuse the publicity they will receive when adverse decisions are finally rendered and all appeals are exhausted. In other words, like all good bureaucrats, they wish to postpone and defer the assumption of responsibility for unpleasant decisions. Rather than sitting down at a table to negotiate a reasonable settlement and thereby avoid years of litigation costs (in time and money), the preferred alternative is protracted litigation. If a court tells the Government what it must pay, then no government official can be criticized by any other official (or politician or reporter) for "giving away" too much. After all, what are litigation costs to a party when it's the taxpayer who foots that party's bill?

Of course, the Government would argue that it is saving the public treasury a net amount by lowering the damage amounts. I think, based solely on my having been involved in the savings and loan "bailouts" and their aftermath, and my nearly 30 years as a bank and savings and loan attorney, that the Government could have settled many of these cases for less than the total amount of damages the plaintiffs ultimately will win without the years of litigation costs. However, by the time anyone gets around to totaling up the "net savings" to see whether the Government did a "good" job or a "bad" one by litigating these cases as it has, there will no one left who will accept responsibility or, perhaps, who really cares.

The primary beneficiaries of this protracted litigation are, of course, the plaintiffs' counsel. Most of them are paid on an hourly basis and the longer and more difficult the case, the more money they make. An obstinate opponent with bad law on its side and with the US Treasury available to fund a judgment against it is a trial lawyer's dream. When the dust finally settles, the last man standing will be a plaintiff's lawyer.

Is this a great country or what?

Of course, that's just my opinion. I could be wrong.

06:34 PM in Conservatorship/Receivership | | Comments (0)

September 16, 2005

Disposal of Consumer Information II

A recent conversation with a client indicates that there may be some confusion about the applicability of requirements of federal law on the disposal of "consumer information" by individuals and businesses. In March, I posted about a new rule adopted by the Federal Banking Agencies that requires banks who use "consumer information" (generally, a record of an individual that is contained in a consumer report or derived from a consumer report) to properly dispose of such information. That rule became effective June 1, 2005.

Although my post, and the banking regulations cited in that post, applied specifically to banks (this is, after all, a blog entitled "Bank Lawyer's Blog"), the Federal Trade Commission also adopted regulations that apply the same requirements to any other business or individual that uses a "consumer report." For example, any employer - bank or non-bank - that's orders a "consumer report" on a prospective employee must comply with the rule. The rules also apply to such businesses as attorneys and private investigators that use consumer reports. The FTC rules also became effective June 1, 2005.

Thus, the disposal rule doesn't merely apply to banks and other financial institutions. If you use "consumer information," you should be complying with the provisions of the FTC's rules on disposal of the consumer information. You're subject to the same disposal rules as a financial institution.

08:53 AM in FCRA, FTC | | Comments (0)

September 15, 2005

Holding Technology Service Providers Accountable

Federal banking regulators expect that financial institutions that outsource technology services to third party vendors will have contractual remedies that are adequate to protect the bank in the event that the vendor is negligent or fails to adequately perform its services for the institution. A typical expectation is articulated in the Office of the Comptroller of the Currency's Bulletin 2001-47 on "Third Party Relationships." In the Bulletin, the OCC states that it favors indemnification provisions that require each party to indemnify the other for damages and third party claims that result from the negligence of the "indemnifying" party, so that the bank is not liable to third parties for the failures of the service provider. We agree that, in an ideal world, technology service providers would agree to be fully accountable for the results of their own negligence and their failure to perform their services in accordance with the terms of the agreement with the institution.

Unfortunately, we have yet to encounter a major provider of technology products or services that is willing to provide such broad protection. With respect to failures to meet "service level agreements" (which assumes that the service provider will agree to meet a meaningful level of performance of the services), most service providers severely limit the recourse of the bank in the event of a failure. Although variations are many, a not uncommon provision attempts to limit the bank's remedy to a refund of a pro rata portion of the monthly or quarterly fees paid by the bank for the period of the service failure, with a cap on the amount of total damages. Consequential, special and similar damages are generally excluded. As for "actual damages," most service providers insist on limiting their exposure to a set number of months of fees paid by the bank, or to a fixed dollar "cap."

As to indemnification, while some service providers are willing to indemnify the bank without limit for claims related to a breach of confidentiality and security obligations, and, in some cases, for the service provider's "gross" (not "ordinary") negligence, others are either unwilling to do so or will attempt to impose severe dollar limits on their exposure. Others may agree  to broader indemnification obligations, but only with respect to third party claims, not those of the bank itself, and/or only to such matters as personal injury and damage to tangible personal property. The variations are many, and often keyed to the "hot buttons" of the vendor's risk management policies (or general counsel).

Therefore, while the "guidance" of the regulators indicates that bank examiners will expect to see the bank indemnified for the negligence of the vendor, that rarely will be the case. The problem is not confined to banks and other financial institutions.

Earlier this year, the Wall Street Journal observed that major technology customers were "fed up" with spending millions of dollars for software that contained flaws, and with the software vendors' attempts to disclaim and/or severely limit their liability for such flaws. Chief Information, Technology and Security Officers at major  companies such as General Motors, AT&T and Alcoa were demanding that "vendors should begin to stand behind their products as much as sellers of other products and services do."

The major corporations are frustrated with the technology service and product providers' attempts to disclaim most liability for breaches of their service level agreements, for damages caused by their failure to perform, or for their own negligence. As noted in the article, although purchasers have some bargaining power when technology markets "soften," the ultimate threat of "walking away" is difficult to carry out because of the cost of switching providers. In addition, some technology providers have a virtual monopoly in their areas, and can afford to dig in their heels. Banks are also facing these "facts of life."

Exacerbating the perceived problem are recent data security breaches, which have increased in notoriety since the Wall Street Journal article was published. Even experts within the technology industry agree that some liability may have to be imposed on the industry in order to get them to focus on security. "It's still not top of mind," said a Computer Associates International Inc. executive.

If General Motors has trouble imposing an obligation of full recourse on its technology service providers, the problem for a community, and even mid-sized regional, bank is many times more difficult. It might be of assistance, especially to smaller institutions that lack bargaining power, if the banking regulators took notice of which vendors were and which were not willing to "step up to the plate" and provide their bank customers with adequate recourse in the event of failures to perform. Letting the banks, or the vendors themselves, understand that those vendors who are not willing to give banks adequate protection will not, over the long haul, be acceptable as service providers to banks, may cause a "paradigm shift" among vendors. Obviously, there is a limit to what the regulators are able to do, but the "little guys" could use some help in this area.

04:54 AM in Outsourcing, Web/Tech | | Comments (0)

September 14, 2005

OTS Guidance On Opening Accounts For Victims of Hurricane Katrina

The Office of Thrift Supervision has issued guidance to institutions under its supervision concerning problems associated with the opening of accounts for victims of Hurricane Katrina, and how to address those problems. Many of these victims lack documentation required by the Bank Secrecy Act and other federal laws in order to open bank accounts. The guidance takes the form of a series of "Q & A," and should prove useful to all financial institutions, whether or not they are regulated by the OTS.

10:48 PM in Banking Law-General, Deposits | | Comments (0)

State Data Security Breach Notification Laws

A useful chart of various state data security breach notification laws has been posted by the Washington, D.C.-based law firm of Crowell & Moring LLP here. A brief article supplementing the chart is found here.

As with all such resources, Crowell & Moring (and the host of this blog, as well) disclaims any intent to provide legal advice by the posting of or reference to the chart. It's posted (and linked to) merely for informational purposes. Nevertheless, it may provide a good starting point for businesses interested in trying to get a handle on this expanding patchwork of state laws.

The federal banking regulators earlier this year adopted data security breach guidelines, as I've discussed in a previous post. To the extent that a specific state's law exempts a bank or thrift that complies with the federal guidelines from that law's requirements, then that state's law should not be a concern. Some of the state laws (for example those of Nevada and Minnesota) do provide such an exemption. Other states (such as New York and California) do not. As the federal banking regulators discussed in the supplementary discussion accompanying the guidelines, 15 U.S.C Section 6807 provides that state laws are preempted by the federal guidelines in this area only to the extent that state law is inconsistent with the federal guidelines, and state law is not considered to be "inconsistent" to the extent that it provides "greater" protection than is afforded by the federal guidelines. Therefore, even national banks and federal thrifts would be advised to (A) take state law seriously in this area and (B) focus their efforts on ensuring the adoption of a single, workable national standard that would preempt state laws.

As previously discussed, a number of federal proposals are working their way (slowly, thus far) through Congress. Given the need to address Hurricane Katrina relief legislation, the accelerated schedule for the confirmation hearings of John Roberts as Chief Justice of the Supreme Court, and the desire of Congress to adjourn by the end of September, the odds of such legislation passing this year no longer appear to be favorable. Until federal legislation is passed, all banks doing business in more than one state should be prepared to comply with the most restrictive and demanding state laws that would be applicable to their business.

05:21 AM in Outsourcing, Privacy, State Law, Web/Tech | | Comments (0)

Next »

Recent Posts

Archives

More...

Categories

Business News

Regulators

Resources