As we noted last month, the momentum for federal legislation that would require businesses to notify consumers of unauthorized access to their personal information continues to grow. On March 29, 2005, the federal bank regulatory agencies weighed in with their own rules when they adopted the Final Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice. The Guidance interprets the Interagency Guidelines Establishing Information Security Standards, which were adopted as required by Section 501(b) of the Gramm-Leach-Bliley Act. Those standards now require every financial institution to develop and implement a risk-based response program to address incidents of unauthorized access to customer information in its customer information systems, incidents that occur notwithstanding the security procedures the institution has adopted to prevent such access.
At a minimum, the response program should contain procedures for the following:
- Assessing the nature and scope of an incident, and identifying what customer information systems and types of customer information have been accessed or misused;
- Notifying its primary Federal regulator as soon as possible when the institution becomes aware of an incident involving unauthorized access to or use of sensitive customer information, as defined below;
- Consistent with the Agencies' Suspicious Activity Report ("SAR") regulations, notifying appropriate law enforcement authorities, in addition to filing a timely SAR, in situations involving Federal criminal violations requiring immediate attention, such as when a reportable violation is ongoing;
- Taking appropriate steps to contain and control the incident to prevent further unauthorized access to or use of customer information, for example, by monitoring, freezing, or closing affected accounts, while preserving records and other evidence; and
- Notifying customers when warranted.
If the system of an institution's service provider has been compromised, it is the responsibility of the institution, not the service provider, to notify the institution's regulators and customers (although the institution may authorize the service provider to give such notification on its behalf).
The institution should conduct an investigation promptly after it has become aware of an incident of unauthorized access, and if it determines that misuse has occurred or is reasonably possible, it should notify the affected customers "as soon as possible." The institution can delay notification, however, if a law enforcement agency requests, in writing, that the institution delay notification on the grounds that it could interfere with a criminal investigation.
Institutions must take particular care when an incident involves "sensitive customer information," which the Guidance defines as the customer's name, address or telephone number, in conjunction with the customer's Social Security number, driver's license number, account number, credit or debit card number, or a personal identification number or password that would permit access to the customer's account. Sensitive customer information also includes any combination of components of customer information that would allow someone to log onto or access the customer's account, such as a user name and password, or a password and account number.
If the institution can reasonably identify which customers have been affected, it may limit notification to those customers. If it is unable to identify the specific customers affected, it must notify all customers in the group whose information may reasonably be expected to be misused.
The customer notice should be "clear and conspicuous" and should contain the specific information set forth in the Guidance. The institution must have in place "reasonable policies and procedures" and trained personnel to respond to customer inquiries and requests for assistance, and must provide in the notice a telephone number that customers can call for such information and assistance. Institutions are also "encouraged" to contact the "nationwide consumer reporting agencies" prior to notifying large numbers of customers when the notice contains contact information for those agencies. The notice can be sent "in any manner designed to ensure that a customer can reasonably be expected to receive it." If notice is given by telephone, however, we recommend that detailed records of the contact be retained in order to provide evidence that the notice was given orally and that it contained all of the information required or "suggested" by the Guidance.
I don't think that the Guidance will "head off" federal legislation requiring businesses generally to give similar notices. However, it may provide financial institutions with a valid argument that they should be exempted from any such legislation, since they are already required to provide such a notice.
---Kevin Funnell