About

Comment Policy

Disclaimer

Share or Subscribe



  • Subscribe in a reader

  • Your email address:


    Powered by FeedBlitz


  • Add to Technorati Favorites
  • Mymsn_2

  • Add to My Yahoo!
  • Subscribe with Bloglines
Add me to your TypePad People list

Search BLB


  • Google

Banking Blogs

Law Bloggers

Stats


Blog powered by TypePad
Member since 03/2004

« June 2005 | Main | August 2005 »

July 28, 2005

National Information Security Standards for Vendors

In response to highly publicized failures of information service providers ChoicePoint and LexisNexis, Bank of America, and credit card payment processor CardSystems Solutions, to protect consumers' personal information from security breaches, a number of bills have been introduced in the U.S. House of Representatives (for example,  the H.R. 3374, the Consumer Notification and Financial Data Protection Act of 2005) and the U.S. Senate (e.g., S. 1332, the Personal Data Privacy and Security Act of 2005) to deal with this perceived threat. H.R. 3374 would require "financial institutions" to establish data security safeguards, including procedures to be followed in the case of breaches of data security, that are already encompassed by the information security guidelines and data security breach procedures imposed by banks and other financial institutions by federal regulators. Although arguments could be made that the "guidelines" and other "guidance" issued by bank regulators, are not "the same" as a specific federal statute that mandates such procedures, the stronger argument is that federal guidelines have the same practical effect as a law, and that until those guidelines are shown to be inadequate - and there has been an insufficient amount of time since their promulgation to demonstrate such inadequacy - there is no demonstrable need for federal legislation that specifically applies to financial institutions. In fact, S. 1332, a bill of much broader scope than H.R. 3374, specifically exempts financial institutions that are subject to the data protection requirements of the Gramm-Leach-Bililey Act. Also, federal bank regulators will argue that imposing standards and procedures by means of "guidelines" rather than "law" permits flexibility in an area where technological changes occur rapidly and one size does not fit all.

Should a federal law be enacted that applies to financial institutions, banks would be well advised to make certain, through their own efforts and those of their trade associations, that,

  • the standards and requirements of any such law are no more stringent than those that are imposed currently by federal guidelines;
  • enforcement of such law does not include enforcement by state regulators or private citizens; and
  • such law preempt any state law with respect to the same subject matter.

If an "onerous" federal law is to be enacted, it should at least constitute a single national standard for all banks to follow, rather than the "crazy quilt" of sate laws that were permitted by Gramm-Leach-Bliley in the area of privacy.

On the other hand, there is a benefit to a federal law that imposes obligations on non-financial institution data security processors and other technology service providers to banks, to adopt data security measures with respect to personally identifiable information of consumers and procedures to promptly and effectively deal with failures of such data security measures. Although the Guidelines adopted by federal regulators under the Gramm-Leach-Bliley Act require each financial institution to "require its service providers by contract to implement appropriate measures designed to meet the objectives" of the Guidelines, it is the primary responsibility of the bank, not federal regulators, to impose these responsibilities on vendors and to monitor the vendors on a continuous basis to ensure compliance. Except to the extent that state law imposes a similar requirement (as is the case in California), vendors have room to "maneuver" in the course of contract negotiations in arguing over contractual language that the bank might think is necessary to protect it. Some vendors, especially those that deal with smaller banks, use the lack of sophistication of the bank and/or the vendor's unequal bargaining power, to engineer less-than-full protection for the bank in this area. Some vendors even attempt to shift the cost of compliance with the G-L-B guidelines onto the bank. If vendors are mandated by federal law to meet essentially the same data protection and notification-of-breach standards as are their bank customers, this would remove most of the bargaining power from the vendor to negotiate anything less than full compliance. Also, many vendors currently attempt to limit their liability for breaches of their contractual duties to the bank by imposing contractual limitations and/or exclusions on remedies and damages. This would be more difficult for vendors to negotiate if what they are trying to impose on the bank is a limitation or exclusion of damages or liability for the vendor's violation of law. It is customary that each party to the contract fully indemnify the other party for all violations of law. It may not always remove the issue from the bargaining table, but it should make it much more difficult for a vendor to "take a stand" on this issue, at least if it intends to represent financial institutions.
---Kevin Funnell

07:30 AM in Federal Legislation, Outsourcing, Privacy, Web/Tech | | Comments (0)

July 27, 2005

California May "Go It Alone" On Junk Faxes

California continues to "lead the way" on consumer protection legislation. As a bank (or other business) this can be a reason for wailing and the gnashing of teeth. For opponents of junk faxes, this may be an antidote to the recently passed federal act entitled the Junk Fax Prevention Act of 2005, which I posted about here.

On July 13, 2005, the California Senate Appropriations Committee approved a bill (SB 833). If SB 833 becomes law, it would, among other things, make it unlawful for a person or entity to fax an unsolicited advertisement to another person or entity if either the sender or the recipient is located in California. Unlike the federal act, SB 833 does not contain an exception for "existing business relationships."

The federal law does not contain a provision that preempts state law on the issue of unsolicited faxes. If passed, SB 833 will eliminate the existing business relationship exception under federal law as it applies to California senders and recipients. It will also make it a crime under California law to send faxes in violation of its provisions. Therefore, banks and other financial service providers that are either located in California, or plan to send faxed advertisements to businesses or individuals located in California, should carefully monitor the status of the bill as it makes its way through the California legislature. 
---Kevin Funnell

07:00 AM in Marketing, State Law | | Comments (0)

July 26, 2005

National Bank Operating Subsidiaries: Preemption Upheld By Federal Appeals Court

In the first decision on the issue by a federal appeals court, the United States Court of Appeals for the Second Circuit upheld an OCC regulation that provides that national bank operating subsidiaries are entitled to the same federal preemption from state laws as are their parent national banks. The decision in the case of Wachovia Bank N.A., et al. vs. Burke was decided July 11, 2005. Specifically, the court upheld a declaratory judgment by the district court that held that Connecticut statutes that required state licenses for first and second mortgage lenders and required mortgage lenders to maintain certain records and to make them available for inspection by the Connecticut Banking Commissioner, and that granted the Commissioner power to enforce those laws through proceedings and the issuance of cease and desist orders, did not apply to Wachovia National Bank's operating subsidiary, Wachovia Mortgage Corporation.

In its opinion, the Court of Appeals observed that while it was the first federal appeals  court to address this issue, three other federal district courts had ruled that federal preemption existed based on essentially the same reasoning used by the District Court in this case. One of the three cases was Nat'l City Bank of Ind. v. Thornburgh, 367 F. Supp. 2d 805 (D. Md. 2005), a decision that I predicted last fall when press reports of the case first surfaced. As I said then, "[t]he Commissioner is clearly going to lose. You can take that to the bank."

National banks and their operating subsidiaries are clearly preempted from the application of these types of state laws. The federal courts have been consistent in upholding the doctrine of federal preemption as to both types of entities, especially where the state laws involved address state licensing requirements and the visitorial powers of state regulators.

State regulators consistently lose these fights, yet continue to pick them. I suppose that's primarily to foster their political careers at the state level by tilting at the windmill that is the national banking system, and by appearing to champion the "rights" of their state over those of the federal government (or, at least, banks created by federal law). Having the law clearly against you hasn't discouraged this continuing waste of taxpayer dollars. Until every federal district court rules in the same manner or, if there is a conflict between the Circuit Courts, until the U.S. Supreme Court rules on this specific issue (operating subsidiaries), we may continue to see these lawsuits filed.

Nevertheless, and notwithstanding the possibility of state litigation, if you are considering conducting a mortage business on an interstate basis, a federal charter makes a lot of sense.
---Kevin Funnell

07:00 AM in Federal Preemption, OCC | | Comments (0)

July 25, 2005

CardSystems Solutions Threatens Shutdown

Credit card payment processor CardSystems Solutions Inc. threatened to shut down in response to the threatened loss of Visa's approval for its credit card issuing banks to use the processor. As I noted last week, Visa, CardSystems' largest customer, and American Express, announced that they would no longer permit their member banks to employ the services of the processor effective October 31, 2005. The withdrawal of approval is the result of a security breach in the processor's system that exposed the personal information of at least 40 million consumers to theft.

Testifying before Congress, CardSystems' CEO blamed the fact that the company notified customers of the breach with the imminent "extinction" of the company. I disagree. As noted in The Washington Post article (and elsewhere), Visa is particularly upset that the company retained personal information in its system ("for research purposes" according to the company) in direct violation of its contractual agreement not to retain such information. It's the blatant breach that is the problem, not the fact that the company's system was "hacked" (although that may be an indication of inadequate system safeguards), that has to be most troubling to Visa and other card companies.

Posturing the problem as one caused by making a "full disclosure" is, at best, missing the mark. Integrity as a "business partner" is best demonstrated by honoring your contractual commitments. The outright disregard of those obligations - especially with respect to such a high profile matter as the personal information of consumers - may brand a company as not worthy of continuing to operate as such a business partner. Its bank customers operate under regulatory guidelines that require them to notify their regulators and, in many instances, their customers of breaches of security where such information is compromised. Most banks are likely to pass along the cost (and perhaps the actual obligation) of either or both such notifications. In addition, as to California customers, state law requires the company to notify the consumers. Therefore, to argue that notification is an unanticipated or unacceptable risk to the processor indicates that the processor may need to find another line of business.---Kevin Funnell

01:19 PM in Outsourcing, Privacy, Web/Tech | | Comments (0)

July 22, 2005

Even More on Junk Faxes

As I posted here and here, in 2003, the FCC proposed a rule (initially to take effect January 1, 2005 and later postponed until June 30, 2005, then again to January 9, 2006) that would have eliminated the right of a business with an "established business relationship" with another business or individual to send that business or individual an unsolicited faxed advertisement without the recipient first giving the sender express written prior permission. Legislation was proposed in 2004 to override the FCC's proposed rule, but was not enacted. However, similar legislation (S. 714) was reintroduced in April 2005 as the "Junk Fax Prevention Act of 2005," was passed by both houses, and became law on July 8, 2005.

S. 714 expressly permits unsolicited faxed advertisements if (1) the recipient has an "established business relationship" with the sender; (2) the sender obtained the facsimile number from either the recipient in the context of an established business relationship or from a directory, advertisement or web site to which the recipient voluntarily agreed to make its facsimile number publicly available; and (3) the advertisement contains a conspicuous notice on its first page that the recipient has the right to "opt out" of receiving any further unsolicited faxes. Requirement (2) will not apply to facsimile numbers already possessed by a sender of recipients with whom the sender has an "established business relationship" prior to July 8, 2005. As to requirement (3), S.714 sets forth specific requirements for the content of the "opt out" notice, including the requirement that it contain a domestic telephone and facsimile number for sending opt-out notices and a "cost-free mechanism" for sending opt-out notices to the sender.

Thus, as long as a sender with an "established business relationship" with a recipient complies with the requirements of S. 714, it may send an unsolicited fax to the recipient, and the proposed FCC ban is effectively overturned.

The FCC also delayed until January 9, 2006 a proposed definition of "established business relationship" (47 CFR 64.1200(f)(3)) that would have limited the duration of the relationship to 18 months following the recipient's purchase or transaction with the sender or 3 months following the recipient's inquiry or application  regarding products or services offered by the sender. S. 714 permits the FCC to commence, after October 8, 2005, a rule making proceeding and to adopt a rule that limits the duration of an "established business relationship;" however, the FCC must consider four factors in promulgating any such rule:

  • whether the existence of the exception for an established business relationship "has resulted in a significant number of complaints";
  • whether "a significant number of such complaints involve unsolicited advertisements that were sent on the basis of an established business relationship that was longer in duration than the Commission believes is consistent with the reasonable expectations of consumers";
  • the costs to senders of establishing the existence of, and benefits to recipients of placing a limitation on, such relationships; and
  • whether the costs of compliance would be unduly burdensome to small business.

Obviously, S. 714 is a victory for businesses, particularly small businesses. On the other hand, as I have noted before, there are many recipients (including the author) who believe that the annoyance of receiving unsolicited faxes negatively impacts the likelihood of the recipient ever purchasing any product or service from that sender. Telemarketing wastes my time (which, to a professional, is money). Unsolicited fax solicitations not only waste time, they waste paper and printer ink.

In other words, merely because you can doesn't necessarily mean you should.
---Kevin Funnell

04:10 PM in Federal Legislation, Marketing | | Comments (0)

July 20, 2005

The High Price of Privacy Breaches

Visa and American Express punished credit card payment-processor CardSystems Solutions Inc. for a  breach of its computer security that left 40 million account holders' records vulnerable to hackers by requiring banks that issue their cards to replace the servicer by October 31, 2005. The breach of security was not the only motivating factor. According to the Associated Press, both entities were troubled by the fact that the break-in apparently occurred much earlier than CardSystems Solutions Inc. at first admitted, and, more importantly, by the fact that the processor retained personal information on cardholders in violation of VISA and Amex rules and (we assume) in violation of their agreements with the banks for whom the processor processed card payments.

MasterCard has given the company until the end of August to correct deficiencies in its systems and procedures. VISA concluded that the processor could not correct those deficiencies.

A couple of obvious points: (1) make certain that the bank's contracts with payment processors contain provisions that meet not only the privacy and security requirements of the law (for example, those imposed by Gramm-Leach-Bliley and its implementing regulations), but the privacy and security requirements of other interested parties that might be imposed upon the bank and its contractors, such as VISA and Amex, and that permit the bank to terminate in a timely manner the processing agreement for a breach of those obligations; and (2) that even though a bank builds obligations into the contract, ongoing monitoring by the bank and/or a third party (such as an annual SAS 70 audit), is an essential part of a vendor management program.

This incident also demonstrates that "reputational risk" is real. The processor retained and used "for research purposes" personal data that it had agreed not to retain and use. Existing and future customers will have to consider carefully whether such an organization is to be trusted not to renege on its obligations in the future. That's an ugly fact of life.
---Kevin Funnell

04:10 PM in Outsourcing, Privacy, Web/Tech | | Comments (0)

FDIC Backs Off Preemption: For Now

In what some press reports are categorizing as a sharp disagreement among members of the FDIC Board, the Board yesterday voted 4 to 1 to table a notice of proposed rule making that would permit FDIC-insured state banks to operate nationwide under the laws of their home state, in a similar manner to the way in which national banks and thrifts may operate nationwide without having to comply with most state laws that govern the operations and activities of state banks and thrifts. As expected, Chairman Don Powell was a strong supporter of the proposed rule making. According to an article in today's American Banker (paid subscription required), Powell's primary opposition came from Acting Comptroller of the Currency Julie Williams and Acting  Director of the Office of Thrift Supervision Richard Riccobono. Such opposition is not unexpected, inasmuch as federal preemption provides a definite charter enhancement for the national banks and federal savings associations regulated by those two agencies. Also opposing the Chairman were Board members Thomas Curry, a former state regulator who has expressed doubts previously about the potentially harmful effects of preemption on states (harm that would be outweighed by the benefits to state banks operating outside their home state's borders), and FDIC Vice Chairman John Reich, who has been nominated to become Director of the OTS and is not likely to favor preemption in that capacity. Reich was quoted, however, as acknowledging that the dual banking system "is in danger."

The ostensible reason for tabling the proposal is to allow the FDIC's legal staff to explore the legal basis for FDIC preemption, notwithstanding the FDIC's General Counsel's preliminary opinion that such preemption has a legal basis. According to the American Banker article, Julie Williams asserted that the "legal basis is nonexistent and not even plausible." That certainly doesn't appear to be a mind open to persuasion.

There is no obvious benefit for the OTS and OCC Board members to support FDIC preemption. As Chairman Powell noted, this conflict-of-interest may necessitate the reorganization of the Board of the FDIC so that it acts in the best of interests of all participants in the dual banking system, not just the national banking portion of that system. However, the likelihood of such a reorganization is problematic. Therefore, unless Powell can convince both other members of the Board, Curry and whoever replaces Reich, to support him on this issue (and Curry has already voiced his opposition), he faces a steep uphill battle, no matter what the legal staff of the FDIC comes eventually presents to the Board.

At this point, FDIC action on preemption is possible, but not probable. In other words, all you state banks out there: don't hold your breath.
---Kevin Funnell

02:35 PM in FDIC, Federal Preemption, State Law | | Comments (0)

July 17, 2005

FDIC Hearing On Preemption of State Law

Wasting little time following FDIC's Chairman Don Powell's speech last month on the perceived need for the FDIC to preempt state law, the FDIC last week issued a notice that the FDIC will hold an open session on July 19 at which one of the topics that will be discussed will be "Advance Notice of Proposed Rulemaking on Petition for Rulemaking to Preempt Certain State Laws."

Stay tuned.

05:09 PM in FDIC, Federal Preemption, State Law | | Comments (0)

Recent Posts

Archives

More...

Categories

Business News

Regulators

Resources