About

Comment Policy

Disclaimer

Share or Subscribe



  • Subscribe in a reader

  • Your email address:


    Powered by FeedBlitz


  • Add to Technorati Favorites
  • Mymsn_2

  • Add to My Yahoo!
  • Subscribe with Bloglines
Add me to your TypePad People list

Search BLB


  • Google

Banking Blogs

Law Bloggers

Stats


Blog powered by TypePad
Member since 03/2004

« February 2005 | Main | April 2005 »

March 28, 2005

Disposal of Consumer Information

Deadlines have a way of creeping up on you. Regulations adopted last December by the OCC, OTS, FDIC and FRB (the "Regulations") to implement Section 216 of the Fair and Accurate Credit Transactions Act (the "FACT Act"), impose a July 1, 2005 compliance deadline, and it's apparent that some banks are just focusing on the issue.

Section 216 of the FACT Act added a new Section 628 to the Fair Credit Reporting Act (the "FCRA"), which is designed to help combat identity theft by requiring anyone who possesses or maintains "consumer information," or compilations of consumer information, to properly dispose of it. The Regulations attempt to accomplish this design by amending the "Interagency Guidelines Establishing Standards for Safeguarding Customer Information" (which are renamed to read "Interagency Guidelines Establishing Standards for Information Security") (the "Guidelines") to make clear that the Guidelines encompass not only the safeguarding of "customer information" (the "nonpublic personal information" of "customers," as those terms are defined by federal regulations), but also the proper disposal of "consumer information."  In other words, effective July 1, 2005, financial institutions will be required to dispose of "consumer information" in a manner consistent with their existing obligation under the Guidelines to properly dispose of "customer information."

In addition, With respect to any contract entered into by the institution on or after July 1, 2005 with a "service provider," the institution’s duty under the existing Guidelines to require its service providers, by contract, to implement appropriate measures designed to meet the objectives of the Guidelines will also encompass the disposal of "consumer information" by the service provider.  As to agreements entered into before July 1, 2005 with service providers "that have access to consumer information and that may dispose of consumer information," the institution must ensure that such agreements comply with the Guidelines relating to the proper disposal of consumer information no later than July 1, 2006. The definition of "service provider" in the Guidelines has been amended to cover "any person or entity that maintains, processes, or otherwise is permitted access to customer information or consumer information, through its provision of services directly to" the institution.

At a minimum, each financial institution will be required to broaden its risk assessment to an include an assessment of the reasonably foreseeable internal and external threats associated with the methods it uses to dispose of "consumer information." The steps that the institution must undertake will depend upon its existing process and procedures for managing these types of risk. Obviously, the institution must understand what "consumer information" it possesses and how it "disposes" of it. An additional review process will be necessary with respect to existing agreements with "service providers."

"Consumer information" is any record about an individual that is a "consumer report" (as defined by the FCRA) or is derived from a consumer report, and that is maintained or otherwise possessed by or on behalf of the Bank for a business purpose. "Consumer information" also means a compilation of such records (such as a list of names and credit scores of consumers derived from consumer reports). The definition excludes information that "does not identify an individual," for example aggregate data such as a mean credit score derived from a group of credit reports, or "blind data." The revised Guidelines, and the Supplementary Information that accompanies the Regulations give examples of what is included and what is excluded from this definition. Institutions should be aware that the definition of "consumer report" under the FCRA may cover many reports that the institution receives that are not connected with consumer loans (for example, background check reports provided by "consumer reporting agencies on applicants for employment).

There is no definition of "disposal" provided by the Regulations or the Guidelines. The "ordinary meaning" of that term applies. The FFIEC IT Examination Handbook and the Supplementary Information to the Regulations discuss what constitutes proper "disposal" and state that it depends upon the media that contains the information. Institutions should consider the discussion of when sale or other transfer of "consumer information" constitutes "disposal" and when it does not.

If financial institutions have not already begun this process, they should begin as soon as possible. July 1 will be here before you know it.
---Kevin Funnell

09:33 AM in FCRA, Privacy | | Comments (0)

March 15, 2005

Overdraft Protection: Clarification or Confusion?

On February 14, 2005, the OTS issued its Guidance on Overdraft Protection Programs. Four days later, the FDIC, FRB, OCC and NCUA (the "Other Bank Regulators") jointly did the same. One of the differences between the two approaches is interesting. It is also misunderstood by some commentators.

The Guidance issued by the Other Bank Regulators stated that "[w]hen overdrafts are paid, credit is extended." In other words, overdraft protection is a loan by the bank to the account holder. Some press commentators alleged that the OTS Guidance stated that overdraft protection is not an extension of credit.

The primary importance of the distinction lies in whether overdraft fees are "finance charges under Truth-in-Lending and whether TIL disclosures of such charges must be given to an account holder. If the overdraft protection is not an extension of credit, then clearly TIL disclosures do not need to be given. If the overdraft protection is a loan, then to avoid having to give TIL disclosures, some other basis must be found, under the TIL Act itself, for an exemption from the requirement that TIL disclosures must be made. The Other Bank Regulators pronounced that although overdraft protection is a loan, (a) the fees charged by banks for paying overdraft items are not considered "finance charges" under Truth in Lending if the bank has not agreed in writing to pay the overdrafts, and (b) even if the bank has agreed in writing to pay the overdrafts as part of the deposit account agreement, such fees are finance charges "only to the extent the fees exceed the charges imposed for paying or returning overdrafts on a similar transaction account that does not have overdraft protection." In other words, if you don't charge more in fees for paying an overdraft under a written agreement than you do for paying or returning a check where there is no agreement, then such fees are not "finance charges" under the TIL Act that need to be disclosed in the manner required by that Act. The OTS refused to dive into this legal thicket. Some commentators found this "complicated" line of reasoning more "confusing" than the more "simple" OTS approach.

The nation's largest federal savings bank (and largest payer of assessments to the OTS), Washington Mutual (Wamu), is involved in a class action lawsuit over the failure to give such TIL disclosures in connection with its overdraft protection program, and some commentators (particularly consumer advocacy groups and some of the other irritated bank regulators) have alleged that the OTS was "breaking ranks" with Other Bank Regulators in order to bolster (or at least not injure) Wamu's legal position in the pending litigation.

My reading of the OTS guidance does not support the conclusion that the OTS flatly stated that overdraft protections are not extensions of credit. The OTS states that its Guidance "does not address whether overdrafts are credit because OTS believes that some 'bounce protection' programs are provided to customers for a fee for service rather than an extension of credit. Other overdraft plans, particularly those where the savings association performs a credit check on the borrower, provide a period of time to repay the overdraft, and charge interest based upon the amount and time the overdraft is outstanding, are loans. It is not within the scope of this Guidance to make a determination of whether any particular overdraft program is credit." The OTS cautions savings associations that it is "important that savings associations have their overdraft protections reviewed by counsel for compliance with all applicable laws prior to implementation."

I don't think that the OTS clearly came down on the side of "no extension of credit." Rather, they stated that it depends on the nature of the overdraft program itself, and ultimately this is a matter upon which the institution should seek legal advice. However, the OTS "believes" that some programs are not "loans." Hardly a bold pronouncement.

Under either approach, a bank needs to first seek legal advice as to whether or not its overdraft program is an extension of credit under applicable law and, if so, what laws (including the Truth in Lending Act) have an impact on its program. Certainly, the recent regulatory "guidance" has muddied, rather than cleared, these waters.

---Kevin Funnell

05:06 PM in Consumer Law-General, Deposits, Federal Legislation, Lending | | Comments (0)

March 14, 2005

Breaches of Computer Security: The Noose Tightens

Last July I posted about Section 1798.82 of the California Civil Code, which requires businesses to notify California residents of breaches of security of computer systems when their unencrypted personal information is reasonably believed to have been acquired by an unauthorized person.

With the recent security failures of ChoicePoint and LexisNexis subsidiary Seisint that resulted in the release to "unauthorized persons" (i.e. criminals) of the personal information of literally tens of thousands of Americans, and with the snafu by Bank of America when it lost a backup tape containing similar information, the call for a national law to require all businesses in the United States to similarly notify consumers of such breaches of security should be expected to pick up steam. Although recent press attention has focused primarily on unregulated "information brokers" like Choice Point, banks and other regulated financial intuitions should be expected to be included within the mix, especially since they are already subject to comprehensive regulations requiring them to safeguard the security of nonpublic personal information of consumers and customers.

We have heard grumblings from some banks about the possibility of such regulation and the additional regulatory burden it will place upon them. Personally, I think this is foolish. A well conceived plan of notifying customers of security breaches when the bank reasonably believes that nonpublic personal information may have been released should be part of every financial institution's security plan. If it isn't, then I would argue that the institution isn't doing an adequate job of contingency planning.

Bad facts make bad law, especially at the state level. If there is momentum building for such legislation in states other than California, then it would make sense to have federal legislation that enacts one national standard in this regard, rather than have a patchwork quilt of state standards. Banks also have a reputation for trust that they must maintain with consumers to give them a competitive edge over their rivals for consumers' dollars.

Rather than fight the momentum, I recommend that banks lead it in the right direction. Taking the California law as a starting point (since it is likely to be legislators' starting point), thoughtful industry lobbyists should be crafting federal legislative proposals that correct the deficiencies with the California law as noted in our previous post, and build something that addresses this perceived problem in a way that gives comfort to consumers, but that does not overburden institutions.

In other words, quit whining and get out ahead of the curve.
---Kevin Funnell

08:51 PM in Federal Legislation, Federal Preemption, Privacy, State Law, Web/Tech | | Comments (0)

The "Right" To Float: Part Deux

In January, I posted here about the "Consumer Checking Account Fairness Act", introduced in the U.S. House of Representatives in 2004 but not passed, and warned bankers that it might be reintroduced in 2005. Well, it was reintroduced in the House of Representatives on February 15, 2005 as H.R. 799. The same issues discussed with respect to last year's version of the Act apply to this year's version. If you care about the issue, contact your elected Congressperson or U.S. Senators and let them know your position.
---Kevin Funnell

08:17 PM in Deposits, Electronic Banking, Federal Legislation, FRB |

Recent Posts

Archives

More...

Categories

Business News

Regulators

Resources