
August 2007

Friday, August 31, 2007

Companies May be Partially Shielded from Data Breach Class Action Suits

            The Seventh Circuit dismissed a class action lawsuit against Old National Bancorp, ruling consumers had no right to recover for a 2005 data breach.  The plaintiffs accused Old National Bancorp of failing to properly secure personal data collected through its web site after a hacker obtained access to a 2005 online customer application.  The breach exposed financial data and personal information, including social security numbers, of thousands of customers.

            The plaintiffs believed they should be compensated for the credit monitoring services they needed after the breach.  The Court ruled that Indiana law did not provide recovery for plaintiffs’ mere “allegations of increased risk of future identity theft.”  The Court stated the consumers “have not suffered a harm that the law is prepared to remedy.” 

            In sum, victims of data breaches cannot recover until they can show the breach actually led to identity theft.  At least according to this Court's determination, no remedy exists for an increased likelihood of identity theft, or for the expenses of credit monitoring.

For other articles on this, see Wired and Computerworld.

Thursday, August 30, 2007

Final Rule on Enhanced Due Diligence Requirements

Following the solicitation of comments from its proposed rulemaking, the Financial Crimes Enforcement Network (FinCEN) issued a final rule under Section 312 of the Patriot Act to take effect September 10, 2007.  The new rule will be applicable to new correspondent accounts opened by February 5, 2008.  In addition, pre-existing correspondent accounts must comply by May 5, 2008.  A correspondent account under the Patriot Act is defined as an account that is established by a financial institution through which a foreign bank handles transactions related to that foreign bank.  This allows foreign banks to conduct business in the United States without the expense of maintaining an office in the United States. 

The new rule requires financial institutions to establish enhanced due diligence policies for these correspondent accounts.  Those financial institutions that are required to enact these enhanced due diligence measures are those that maintain correspondent accounts for foreign banks operating under an offshore banking license, foreign banks that operate under a license issued by a country designated as non-cooperative with money laundering principles established by an international organization to which the United States belongs, and foreign banks that operate under a license issued by a country designated as warranting special measures - according to the Department of Treasury - due to money laundering concerns.

Once identified, these financial institutions are required to conduct enhanced scrutiny of their correspondent accounts for the above foreign banks, including assessing their own money laundering program and monitoring transactions that flow through those correspondent accounts.  Financial institutions must also take steps to determine whether a foreign bank maintains correspondent accounts for other foreign banks and to identify the owners of a foreign bank, unless the shares are publicly traded.

The final rule can be found here.

For more information, please contact Mary A. Zambreno of Dickinson, Mackaman, Tyler & Hagen. 

Saturday, August 25, 2007

Saturday Links

The Federal Agencies jointly released the revised Bank Secrecy Act / Anti-Money Laundering Examination Manual.  Changes include a discussion regarding remote deposit capture, clarified responsibilities regarding ACH transactions, and an enhanced section on suspicious activity reports.  Click here for a brief summary of the changes.  The linked release also has a link to the actual manual.

In a report published in July, Celent reports that fewer than 2% of financial institutions currently offer online account opening and estimates that by 2010 that figure will increase to 18-20%.  Celent's full report must be purchased, but the summary provides some basic information on online bank account opening.  [If you have any questions on the legal implications of online bank account opening, contact Jeffrey J. Andersen.]

Both the Federal Reserve and the FDIC released valuable resources to consumers.  The Federal Reserve has a site collecting relevant online resources for consumers faced with foreclosure.  Click here for the link.  The FDIC released a report entitled "51 Ways to Save Hundreds on Loans and Credit Cards" containing information and tips on a variety of issues, including student loans, mortgages, auto loans, and payday loans.

Friday, August 24, 2007

Phishers Take on the FFIEC

According to an article on cnet.com by Robert Vamosi, multifactor authentication is not a silver bullet solution (link).  In 2005, the Federal Financial Institutions Examination Council (FFIEC) released guidance encouraging financial institutions that engage in high risk transactions – those that allow customers to access personal information or move funds to other accounts – to utilize multi-factor authentication because it was considered to be more difficult to breach.  Multi-factor authentication would typically require the customer to enter, in various combinations, something he or she knows (e.g. a password), something he or she has (e.g. an ATM card), and something he or she is (e.g. a fingerprint).

However, according to the article cited above, multi-factor authentication is not necessarily so secure after all.  For example, if the authentication is based on something you know, such as “What is your favorite city?” and a customer’s user ID is “CubsFan123,” then chances are that the customer’s favorite city is Chicago.  For those banks that use security images to confirm to users that they are on the bank’s real site, phishers may be able to set up fake bank sites using the same security images because many of the major banks are using the same images in the same pattern consistently.  For banks that use device fingerprinting authentication by looking for unique information about a customer’s machine, researchers say that most machines have the same fingerprint, so a phisher could cut the fingerprint from a machine that has lawfully used the bank website and then paste that fingerprint, which the bank has already recognized, onto another machine to unlawfully access a customer’s account.

The article recommends that customers remain vigilant in scrutinizing a website’s certification, for example by ensuring that a bank’s internet address starts with “https” (which indicates added security) rather than simply “http.”  As for banks, however, it appears that the FFIEC’s solution of using multi-factor authentication may need further assessment – but at least the FFIEC is making the phishers work harder.

            For more information contact Mary A. Zambreno of Dickinson, Mackaman, Tyler & Hagen, P.C.

Wednesday, August 22, 2007

Federal Reserve Creates Exception to Regulation E

Effective August 6, 2007, financial institutions are no longer required to make a receipt available for electronic fund transfers of $15 or less. 

Previously, under Regulation E, the Electronic Fund Transfer Act required financial institutions to make receipts available for all electronic fund transfers at electronic terminals, regardless of how nominal the transaction.  The Board of Governors of the Federal Reserve System (“Board”) noted in its notice of proposed rulemaking, issued on December 1, 2006, that such a requirement may be impractical for small-dollar environments, such as vending machines or mass transit systems that accept debit cards for payment.  The costs associated with installing and servicing equipment to generate receipts at these terminals for these types of transactions would have been burdensome.  The Board additionally noted that consumers are less likely to retain receipts for small-dollar transactions, and consumers would still be able to contest errors with their financial institutions upon receipt of their periodic statements.

In carving out this exception to the Electronic Fund Transfer Act, the Board reviewed approximately 56 comment letters from financial institutions, consumer groups, and individuals.  Generally, the financial institutions actually desired the Board to increase the dollar threshold from $15 to $25 to be more consistent with current rules regarding waiving of personal identification numbers and signature authorization for certain merchants, while consumer group advocates desired the Board to decrease the dollar threshold to $5 in order to protect consumers who may have to challenge their financial institutions about these transactions and are unable to produce a receipt as proof.  Ultimately, the Board determined that the $15 threshold amount was a good balance between the needs of the industry and of consumers.

The full text of the final rule and official staff interpretation can be found here:  http://www.ots.treas.gov/docs/8/86393.pdf.

For more information contact Mary A. Zambreno of Dickinson, Mackaman, Tyler & Hagen, P.C.

Tuesday, August 21, 2007

Subprime Lineage

The reports of a recent depositor run at the Countrywide Bank in California may reveal an emerging shortcoming in comfort with the industry's FDIC insurance.  See article in Atlanta Journal-Constitution.  This new phenomenon of undifferentiated fear may be the result of the increasingly complex and intertwined system of financial products confronting and confusing investors.  An insightful analysis of this growing customer anxiety and the potential inability or unwillingness of bank customers to differentiate the "insured" financial product from the uninsured financial instrument can be found in the Op-Ed column by Paul Krugman of the New York Times available here (subscription required).

Whether more regulation, or simply more common sense, is needed to deal with the recent credit events, Barney Frank, Chair of the U.S. House Financial Services Committee, believes in and is urging more federal intervention.  See Financial Times article.  Mr. Frank calls for regulation of mortgage brokers, guidelines for securitization of mortgages, and a total reevaluation of the regulation of financial markets.

Monday, August 20, 2007

California Credit Union Expansion

The National Credit Union Administration approved an agreement whereby Kinecta Federal Credit Union in Manhattan Beach, California would acquire 55 Nix Check Cashing retail outlets in the greater Los Angeles area.  Over time, the 55 outlets will be converted to full-fledged credit union branches.  Prior to the transaction, Kinecta had $4 billion in assets, 200,000 members, 700 employees and 23 branches.  For Nix's press release, click here.

This transaction is one of the largest in credit union history.  The field of membership allowed in this transaction is as broad as we have seen.  It is still unclear whether this transaction will have a ripple effect through the industry and trigger other large transactions and field of membership expansions.

Saturday, August 18, 2007

Saturday Links

George Will wrote an article for the Washington Post entitled "Folly and the Fed" that takes an interesting glimpse into both the pre-Federal Reserve past.  No matter your political bent, it is a concise, interesting read.

In an article in Computerworld, it is reported that TJX has incurred over $150 million in losses as a result of the recent data breach.  See "TJX says breach costs may exceed $150M."  The article states that this is the costliest data theft to date.  The TJX breach is expected to increase spending and investment into data security.  As discussed in a previous Iowa Banking Law Blog article, it has also prompted legislation.  See article on Minnesota Plastic Card Security Act.

Thursday, August 16, 2007

Agencies Issue Proposed Illustrations on Subprime Mortgage Lending

          The federal agencies this week issued proposed illustrations contemplated by last month's jointly issued Statement on Subprime Mortgage Lending (Subprime Statement).  Triggered by the agencies' concerns over subprime mortgage lending practices for certain adjustable-rate mortgage (ARM) products, the illustrations aim to improve communications between lenders and consumers by providing examples of the types of communications anticipated by July's Subprime Statement. 

          The Subprime Statement encourages lenders to provide consumers clear, balanced, and timely information to help consumers more effectively weigh the costs and benefits of certain ARM products.  The illustrations both:

  • explain some important features and hazards identified in the Subprime Statement (such as payment shock), and
  • provide a chart of potential implications of payment shock in a specific, easy-to-understand fashion.

Use of the illustrations is completely voluntary.  Institutions are free to tailor the illustrations to reflect their product offerings, current market conditions, and a consumer's particular loan requirements.  Whether institutions choose to use the illustrations or not, they should review their statements to consumers regarding subprime lending to ensure that they are clear, balanced, and fully explain the terms and risks of such loans.

         The agencies seek public comment on the proposed illustrations.  Comments are due 60 days from the Federal Register publication.  The proposed illustrations are available here on the OTS website.

          For more information on ensuring that your institution is making the necessary disclosures, contact Megan Erickson of Dickinson, Mackaman, Tyler & Hagen, P.C. at 515-244-2600. 

Saturday, August 11, 2007

Saturday Links

The FDIC issued its 2nd Quarter Letter to Stakeholders highlighting the FDIC's activities and accomplishments over that period.  The Letter contains links to many of the FDIC's important publications over this period and summaries of important statistics.

The Board of Governors and FinCEN assessed a 20 million dollar civil penalty against American Express Bank International and a 5 million dollar penalty against American Express Travel Related Services, Inc. for Bank Secrecy Act violations.  Roger T. Cole, the director of the FRB Division of Banking Supervision and Regulation said "Today's action by the Federal Reserve underscores the necessity for banking institutions to have anti-money laundering controls in place that are commensurate with the level of risk associated with their operations.  Every banking organization should ensure that its risk-management practices are effective in mitigating the risks associated with its particular operations.”  Click here to link to the official FRB press release.

For a page-and-a-half insight into the economic traumas of the last week, see an article by Daniel Gross in Slate magazine entitled "When Fools Rush In, The Joke's on Them, Dissecting the Henny Youngman Economy."

"The Federal Reserve Board on Wednesday announced the execution of a Written Agreement by and among Marshall BankFirst Corp., Minneapolis, Minnesota, BANKFIRST, Sioux Falls, South Dakota, the South Dakota Department of Revenue and Regulation, Division of Banking, and The Federal Reserve Bank of Minneapolis."  The agreement is available here.

Thursday, August 09, 2007

OTS Issues Notice of Proposed Rulemaking on Unfair and Deceptive Practices

On August 3, 2007, the Office of Thrift Supervision (OTS) issued an Advance Notice of Proposed Rulemaking seeking comments not only about defining unfair and deceptive practices but also about whether the OTS should expand current prohibitions against unfair or deceptive acts.  The OTS seeks comment on various issues, including:

  • Should the OTS consider further rulemaking on unfair and deceptive practices that would cover products and services in addition to consumer credit? 
  • Should the rulemaking cover non-savings institution entities that are related to a savings institution? 
  • What principles should OTS consider in defining an act or practice as unfair and deceptive?
  • Is the FTC guidance on unfair and deceptive practices appropriate for the OTS?
  • Should the OTS expand its advertising regulation?

The OTS's proposal does not commit the agency to any particular course of action; it merely seeks comment on the most effective course of action.  Nonetheless, it is a strong indication that the OTS intends to strengthen its unfair and deceptive practices regulations.  Many analysts think that, at the very least, any OTS rule or guideline will address issues related to unfair mortgages due to the increasing delinquency and foreclosure rates on home loans.

As a bit of background, the Federal Trade Commission Act shields depository institutions from FTC enforcement, leaving unfair and deceptive practices to the Federal Reserve, OTS, and NCUA to deal with.  In June, Rep. Barney Frank threatened the Federal Reserve, stating that if it does not use its rulemaking authority to address unfair and deceptive practices, and subprime lending specifically, then Congress may take away the Federal Reserve's rulemaking authority on the issue and give it back to the FTC.

By taking this step, the OTS has put further pressure on the Federal Reserve to take action.  To date, the Federal Reserve has expressed a preference for using its supervisory authority on a case-by-case basis, as opposed to writing proscriptive regulations.  (link to article on Federal Reserve Governor Kroszner's statements in House hearing). 

The full text of the proposed rulemaking can be found here:  http://www.ots.treas.gov/docs/7/73373.pdf

For further information contact Mary A. Zambreno and Jeffrey J. Andersen of Dickinson, Mackaman, Tyler & Hagen, P.C.

Monday, August 06, 2007

Plastic Card Security Act -- Minnesota Law Gives Financial Institutions Ability to Sue Merchants for Some Data Security Breaches

Minnesota has become the first state to enact legislation shifting the costs of data breaches from financial institutions to merchants in certain circumstances, thus holding merchants responsible for sensitive customer information. (Link)  Under the Plastic Card Security Act, merchants are prohibited from storing PINs, security codes, or magnetic stripe data from customers’ credit or debit cards for more than 48 hours after authorization of the transaction.  The law mirrors industry standards contractually required by credit card vendors such as Visa and Mastercard.  Under the Act, if a merchant violates the statute and a breach occurs, the retailer must reimburse the financial institution for the costs of reasonable actions taken by the institution as a result of the breach.  The TJX (parent of T.J. Maxx and Marshalls) data breach, which is thought to have originated at a St. Paul Marshalls, was the likely impetus of this law.  A similar bill was rejected in Texas.  As of yet, it is unclear whether other state legislatures will follow suit with a similar statute.  See the Minneapolis-St. Paul Star Tribune for another article on the law.

For more information contact Howard O. Hagen.   

Saturday, August 04, 2007

Saturday Links

The August Chicago Fed Letter (available here) discusses the current payment methods environment. The letter discusses demographic trends in competing for young adults and other consumers who have been underserved by the financial services industry, the recent trend of mobile payments, the future of cash, and the growing presence of retailers within the payments system.

The Federal Reserve Bank of Chicago named Charles Evans as its new president.  For a brief biography of Mr. Evans see his Biography page on the Federal Reserve Bank of Chicago site.  For more information and analysis see articles in the Chicago Tribune and the Daily Herald.

Two leaders in the House Financial Services Committee, Carolyn Maloney and Paul Gillmor, have introduced a bill that would allow consumers to freeze access to their credit reports.  For a brief description of the bill click here.  The text of the bill is not yet available online, but should be soon.  When it is, it should be here.

The Federal Reserve Bank of New York published an article in its Current Issues in Economics and Finance entitled "Evaluating the Relative Strength of the U.S. Capital Markets."  It discusses the growing concern that U.S. capital markets are losing market share to overseas competitors.

Wednesday, August 01, 2007

What to do When Served with a Subpoena for a SAR

The purpose of suspicious activity reports is to enable law enforcement to fully investigate serious crimes such as money laundering and terrorist funding and to provide them with valuable information on the perpetration of the crimes.  The information provided in SARs may also be of value to those involved in the suspicious transaction or to third parties, such as private litigants.  These parties often know of or suspect a SAR's existence and issue a subpoena for the SAR and any supporting documents.  How should you respond to such a subpoena?

Federal law is very clear on how to respond.  Under 31 U.S.C. 5318(g), after a SAR has been reported, “the financial institution, director, officer, employee, or agent may not notify any person involved in the transaction that the transaction has been reported.”  Although this provision would seem to allow the reporting of a SAR to someone not involved in the transactions, the Federal Regulations on SARs clearly state otherwise. 

The Regulations for the OCC (12 CFR 21.11), FDIC (12 CFR 353.1), and Federal Reserve (12 CFR 208.62) say the exact same thing: any bank subpoenaed or requested to disclose a SAR or the information contained therein “shall decline to produce the [SAR] or to provide any information that would disclose that a [SAR] has been prepared or filed,” citing the applicable regulations, applicable law (e.g., 31 U.S.C. 5318(g)), or both, and notify the appropriate regulatory agency.  If a bank is regulated by the Federal Reserve and the OCC, to be on the safe side it should notify both agencies of the subpoena.  There is a safe harbor in the regulations for disclosure to law enforcement or bank supervisory agencies.  Nonetheless, it may still be prudent to contact the appropriate regulatory agency before disclosure.

It is important to remember that in declining production of the SAR, you cannot even disclose that a SAR exists.  Although your bank keeps the SAR, it is not your property; it should be treated accordingly.

Banks should have a policy in place on handling SARs and should educate all employees who deal with SARs on proper SAR procedures.  If you have any questions regarding SARs, including what should be reported or what documentation is required, contact Jeffrey J. Andersen.
