Iowa Banking Law Blog

            The Seventh Circuit dismissed a class action lawsuit against Old National Bancorp, ruling consumers had no right to recover for a 2005 data breach.  The plaintiffs accused Old National Bancorp of failing to properly secure personal data collected through its web site after a hacker obtained access to a 2005 online customer application.  The breach exposed financial data and personal information, including social security numbers, of thousands of customers.

            The plaintiffs believed they should be compensated for the credit monitoring services they needed after the breach.  The Court ruled that Indiana law did not provide recovery for plaintiffs’ mere “allegations of increased risk of future identity theft.”  The Court stated the consumers “have not suffered a harm that the law is prepared to remedy.” 

            In sum, victims of data breaches cannot recover until they can show the breach actually led to identity theft.  At least according to this Court's determination, no remedy exists for an increased likelihood of identity theft, or for the expenses of credit monitoring.

For other articles on this see Wired, and Computerworld. 

Following the solicitation of comments from its proposed rulemaking, the Financial Crimes Enforcement Network (FinCEN) issued a final rule under Section 312 of the Patriot Act to take effect September 10, 2007.  The new rule will be applicable to new correspondent accounts opened by February 5, 2008.  In addition, pre-existing correspondent accounts must comply by May 5, 2008.  A correspondent account under the Patriot Act is defined as an account that is established by a financial institution through which a foreign bank handles transactions related to that foreign bank.  This allows foreign banks to conduct business in the United States without the expense of maintaining an office in the United States. 

The new rule requires financial institutions to establish enhanced due diligence policies for these correspondent accounts.  Those financial institutions that are required to enact these enhanced due diligence measures are those that maintain correspondent accounts for foreign banks operating under an offshore banking license, foreign banks that operate under a license issued by a country designated as non-cooperative with money laundering principles established by an international organization to which the United States belongs, and foreign banks that operate under a license issued by a country designated as warranting special measures - according to the Department of Treasury - due to money laundering concerns.

Once identified, these financial institutions are required to conduct an enhanced scrutiny of its correspondent accounts for the above foreign banks, including assessing its own money laundering program and monitoring transactions that flow through those correspondent accounts.  Financial institutions must also take steps to determine whether a foreign bank maintains correspondent accounts for other foreign banks and to identify the owners of a foreign bank, unless the shares are publicly traded.

The final rule can be found here.

For more information, please contact Mary A. Zambreno of Dickinson, Mackaman, Tyler & Hagen. 

The Federal Agencies jointly released the revised Bank Secrecy Act / Anti-Money Laundering Examination Manual.  Changes include a discussion regarding remote deposit capture, clarified responsibilities regarding ACH transactions, and an enhanced section on suspicious activity reports.  Click here for a brief summary of the changes.  The linked release also has a link to the actual manual.

In a report published in July, Celent reports that fewer than 2% of financial institutions currently offer online account opening and estimates that by 2010 that figure will increase to 18-20%.  Celent's full report must be purchased, but the summary provides some basic information on online bank account opening.  [if you have any question on the legal implication of online bank account opening, contact Jeffrey J. Andersen]. 

Both the Federal Reserve  and the FDIC released valuable resources to consumers.  The Federal Reserve has a site collecting relevant online resources for consumers faced with foreclosure.  Click here for the link.  The FDIC released a report entitled "51 Ways to Save Hundreds on Loans and Credit Cards" containing information and tips on a variety of issues, including student loans, mortages, auto loans, and payday loans. 

According to an article on cnet.com by Robert Vamosi multifactor authentication is not a silver bullet solution.  (link).  In 2005, the Federal Financial Institutions Examination Council (FFIEC) released a guidance encouraging financial institutions that engage in high risk transactions – those that allow customers to access personal information or move funds to other accounts – to utilize multi-factor authentication because it was considered to be more difficult to breach.  A multi-factor authentication would typically require the customer to enter, in various combinations, something he or she knows (e.g. a password), something he or she has (e.g. an ATM card), and something he or she is (e.g. fingerprinting).

However, according to the article cited above, multi-factor authentication is not necessarily so secure after all.  For example, if the authentication is based on something you know, such as “What is your favorite city?” and a customer’s user ID is “CubsFan123,” then chances are that the customer’s favorite city is Chicago.  For those banks that use security images to confirm to users that they are on the bank’s real site, phishers may be able to set up fake bank sites using the same security images because many of the major banks are using the same images in the same pattern consistently.  For banks that use device fingerprinting authentication by looking for unique information about a customer’s machine, researchers say that most machines have the same fingerprint, so a phisher could cut the fingerprint from a machine that has lawfully used the bank website and then paste that fingerprint, which the bank has already recognized, onto another machine to unlawfully access a customer’s account.

The article recommends that customers remain vigilant in scrutinizing a website’s certification, for example by ensuring that a bank’s internet address starts with “https” (which indicates an added security) rather than simply “http.”  As for banks, however, it appears that the FFIEC’s solution of using multi-factor authentication may need further assessment – but at least the FFIEC is making the phishers work harder.

            For more information contact Mary A. Zambreno of Dickinson, Mackaman, Tyler & Hagen, P.C.

Effective August 6, 2007, financial institutions are no longer required to make a receipt available for electronic fund transfers of $15 or less. 

Previously, under Regulation E, the Electronic Fund Transfer Act required financial institutions to make receipts available for all electronic fund transfers at electronic terminals, regardless of how nominal the transaction.  The Board of Governors of the Federal Reserve System (“Board”) noted in its notice of proposed rulemaking, issued on December 1, 2006, that such a requirement may be impractical for small-dollar environments, such as vending machines or mass transit systems that accept debit cards for payment.  The costs associated with installing and servicing equipment to generate receipts at these terminals for these types of transactions would have been burdensome.  The Board additionally noted that consumers are less likely to retain receipts for small-dollar transactions, and consumers would still be able to contest errors with their financial institutions upon receipt of their periodic statements.

In carving out this exception to the Electronic Fund Transfer Act, the Board reviewed approximately 56 comment letters from financial institutions, consumer groups, and individuals.  Generally, the financial institutions actually desired the Board to increase the dollar threshold from $15 to $25 to be more consistent with current rules regarding waiving of personal identification numbers and signature authorization for certain merchants, while consumer group advocates desired the Board to decrease the dollar threshold to $5 in order to protect consumers who may have to challenge their financial institutions about these transactions and are unable to produce a receipt as proof.  Ultimately, the Board determined that the $15 threshold amount was a good balance between the needs of the industry and of consumers.

The full text of the final rule and official staff interpretation can be found here:  http://www.ots.treas.gov/docs/8/86393.pdf.

For more information contact Mary A. Zambreno of Dickinson, Mackaman, Tyler & Hagen, P.C.

          The reports of a recent depositor run at the Countrywide Bank in California may reveal an emerging shortcoming in comfort with the industry's FDIC insurance.  See article in Atlantic Journal-Constitution.  This new phenomena of undifferentiated fear may be the result of the increasingly complex and intertwined system of financial products confronting and confusing investors.  An insightful analysis of this growing customer anxiety and the potential inability or unwillingness of bank customers to differentiate the "insured" financial product from the uninsured financial instrument can be found in the Op-Ed column by Paul Krugman of the New York Times available here (subscription required). 

          Whether more regulation, or simply more common sense, is needed to deal with the recent credit events, Barney Frank, Chair of the U.S. House Financial Service Committee believes in and is urging more federal intervention.  See Financial Times article.  Mr. Frank calls for regulation of mortgage brokers, guidelines for securitization of mortgages, and a total reevaluation of the regulation of financial markets. 

The National Credit Union Administration approved an agreement whereby Kinecta Federal Credit Union in Manhattan Beach, California would acquire 55 Nix Check Cashing retail outlets in the greater Los Angeles area.  Over time, the 55 outlets will be converted to full-fledged credit union branches.  Prior to the transaction, Kinecta had $4 billion in assets, 200,000 members, 700 employees and 23 branches.  For Nix's press release, click here.

This transaction is one the largest in credit union history.  The field of membership allowed in this transaction is as broad as we have seen.  It is still unclear whether this transaction will have a ripple effect through the industry and trigger other large transaction and field of membership expansions. 

George Will wrote an article for the Washington Post entitled "Folly and the Fed" that takes an interesting glimpse into both the pre-Federal Reserve past.  No matter your political bent, it is a concise, interesting read.

In an article in Computerworld, it is reported that TJX has incurred over $150 million in losses as a result of the recent data breach.  See "TJX says breach costs may exceed $150M."  The article states that this is the costliest data theft to date.  The TJX breach is expected to increase spending and investment into data security.  As discussed in a previous Iowa Banking Law Blog article, it has also prompted legislation.  See article on Minnesota Plastic Card Security Act.

          The federal agencies this week issued proposed illustrations contemplated by last month's jointly issued Statement on Subprime Mortgage Lending (Subprime Statement).  Triggered by the agencies' concerns over subprime mortgage lending practices for certain adjustable-rate mortgage (ARM) products, the illustrations aim to improve communications between lenders and consumers by providing examples of the types of communications anticipated by July's Subprime Statement. 

          The Subprime Statement encourages lenders to provide consumers clear, balanced, and timely information to help consumers more effectively weigh the costs and benefits of certain ARM products.  The illustrations both:

• explain some important features and hazards identified in the Subprime Statement (such as payment shock), and
• provide a chart of potential implications of payment shock in a specific, easy-to-understand fashion.

          Use of the illustrations is completely voluntary.  Institutions are free to tailor the illustrations to reflect their product offerings, current market conditions, and a consumer's particular loan requirements.  Whether institutions choose to use the illustrations or not, they should review their statements to consumers regarding subprime lending to ensure that they are clear, balanced, and full explain the terms and risks of such loans.

         The agencies seek public comment on the proposed illustrations.  Comments are due 60 days from the Federal Register publication.  The proposed illustrations are available here on the OTS website.

          For more information on ensuring that your institution is making the necessary disclosures, contact Megan Erickson of Dickinson, Mackaman, Tyler & Hagen, P.C. at 515-244-2600. 

The FDIC issued its 2nd Quarter Letter to Stakeholders highlighting the FDIC's activities and accomplishments over that period.  The Letter contains links to many of the FDIC's important publications over this period and summaries of important statistics.

The Board of Governors and FinCEN assessed a 20 million dollar civil penalty against American Express Bank International and a 5 million dollar penalty against American Express Travel Related Services, Inc. for Bank Secrecy Act violations.  Roger T. Cole, the director of the FRB Division of Banking Supervision and Regulation said "Today's action by the Federal Reserve underscores the necessity for banking institutions to have anti-money laundering controls in place that are commensurate with the level of risk associated with their operations.  Every banking organization should ensure that its risk-management practices are effective in mitigating the risks associated with its particular operations.”  Click here to link to the official FRB press release.

For a page and a half insight into the economic traumas of the last week, see an article by Daniel Gross in Slate magazine entitled "When Fools Rush In, The Joke's on Them, Dissecting the Henry Youngman Economy."

"The Federal Reserve Board on Wednesday announced the execution of a Written Agreement by and among Marshall BankFirst Corp., Minneapolis, Minnesota, BANKFIRST, Sioux Falls, South Dakota, the South Dakota Department of Revenue and Regulation, Division of Banking, and The Federal Reserve Bank of Minneapolis."  The agreement is available here.