Iowa Banking Law Blog

In an update to an earlier cnet.com article (discussed here), author Robert Vamosi discusses a Cloudmark and Harris Interactive survey about the effects of phishing on consumer behavior. 

According to the survey, about 37% of the respondents have opened emails from unknown senders, 13% have clicked on links contained in emails from unknown senders, 9% have opened attachments in emails from unknown senders, and 6% have responded to emails claiming problems with the recipient’s account.  Each type of behavior greatly increases an individual’s chances of becoming victimized by a hacker.  The article also states that about 70% of those who responded said that they have changed their behavior as a result of the dangers of phishing and 20% of those people said that they would likely decrease the frequency of their online transactions, which might have a negative effect on the economy.

However, the author stresses that the phishing attack is not on the bank or the financial institution – the attack is actually on the customer.  Nonfinancial sites are also targeted since the goal of a hacker is often simply to obtain an individual’s credit card and personal information.  Be sure to make your customers aware of when, if ever, your institution will send them an email so they can better avoid becoming a phishing victim.

The federal banking regulators (the FDIC, Federal Reserve, OCC, OTS, and NCUA), along with the Conference of State Bank Supervisors (CSBS) issued a statement encouraging regulated institutions that service mortgage loans to employ certain "loss mitigation techniques" that would preserve homeownership.  The statement is a follow-up to the April 2007 Statement on Working with Mortgage Borrowers and the July 2007 Statement on Subprime Mortgage Lending.  Unlike these previous statements, which urged prudent workout arrangements, the new statement is focused on mortgage loans that have been transferred into securitization trusts. 

The regulators state that when faced with an increased risk of default, servicers of loans should: contact the borrower and assess their ability to repay, assess whether default is reasonably foreseeable, and explore, where appropriate, a loss mitigation strategy that avoids foreclosure, such as loan modifications, payment deferral, conversion into fixed rate, and capitalization of delinquent amounts.

In considering loss mitigation techniques, the statement urges services to consider the borrower's income, debt, and housing related expenses.  Servicers are also urged to refer borrowers to government programs, non-profits, and counseling services that could assist the borrower.  The statement claims that "loss mitigation techniques" that preserve homeownership are less costly than foreclosure. 

This guidance was issued as political pressure to address the mortgage industry mounts.  Presidential candidates have increasingly integrated mortgage and foreclosure issues into their agendas.  President Bush threw his hat in the ring last week by announcing that his administration would put forth proposals to prevent some expected defaults over the next two years.

Unfortunately, this regulatory statement may not stem the congressional tide to over-regulate the industry.

According to an article on cnet.com by Robert Vamosi multifactor authentication is not a silver bullet solution.  (link).  In 2005, the Federal Financial Institutions Examination Council (FFIEC) released a guidance encouraging financial institutions that engage in high risk transactions – those that allow customers to access personal information or move funds to other accounts – to utilize multi-factor authentication because it was considered to be more difficult to breach.  A multi-factor authentication would typically require the customer to enter, in various combinations, something he or she knows (e.g. a password), something he or she has (e.g. an ATM card), and something he or she is (e.g. fingerprinting).

However, according to the article cited above, multi-factor authentication is not necessarily so secure after all.  For example, if the authentication is based on something you know, such as “What is your favorite city?” and a customer’s user ID is “CubsFan123,” then chances are that the customer’s favorite city is Chicago.  For those banks that use security images to confirm to users that they are on the bank’s real site, phishers may be able to set up fake bank sites using the same security images because many of the major banks are using the same images in the same pattern consistently.  For banks that use device fingerprinting authentication by looking for unique information about a customer’s machine, researchers say that most machines have the same fingerprint, so a phisher could cut the fingerprint from a machine that has lawfully used the bank website and then paste that fingerprint, which the bank has already recognized, onto another machine to unlawfully access a customer’s account.

The article recommends that customers remain vigilant in scrutinizing a website’s certification, for example by ensuring that a bank’s internet address starts with “https” (which indicates an added security) rather than simply “http.”  As for banks, however, it appears that the FFIEC’s solution of using multi-factor authentication may need further assessment – but at least the FFIEC is making the phishers work harder.

            For more information contact Mary A. Zambreno of Dickinson, Mackaman, Tyler & Hagen, P.C.

          The reports of a recent depositor run at the Countrywide Bank in California may reveal an emerging shortcoming in comfort with the industry's FDIC insurance.  See article in Atlantic Journal-Constitution.  This new phenomena of undifferentiated fear may be the result of the increasingly complex and intertwined system of financial products confronting and confusing investors.  An insightful analysis of this growing customer anxiety and the potential inability or unwillingness of bank customers to differentiate the "insured" financial product from the uninsured financial instrument can be found in the Op-Ed column by Paul Krugman of the New York Times available here (subscription required). 

          Whether more regulation, or simply more common sense, is needed to deal with the recent credit events, Barney Frank, Chair of the U.S. House Financial Service Committee believes in and is urging more federal intervention.  See Financial Times article.  Mr. Frank calls for regulation of mortgage brokers, guidelines for securitization of mortgages, and a total reevaluation of the regulation of financial markets. 

          The federal agencies this week issued proposed illustrations contemplated by last month's jointly issued Statement on Subprime Mortgage Lending (Subprime Statement).  Triggered by the agencies' concerns over subprime mortgage lending practices for certain adjustable-rate mortgage (ARM) products, the illustrations aim to improve communications between lenders and consumers by providing examples of the types of communications anticipated by July's Subprime Statement. 

          The Subprime Statement encourages lenders to provide consumers clear, balanced, and timely information to help consumers more effectively weigh the costs and benefits of certain ARM products.  The illustrations both:

• explain some important features and hazards identified in the Subprime Statement (such as payment shock), and
• provide a chart of potential implications of payment shock in a specific, easy-to-understand fashion.

          Use of the illustrations is completely voluntary.  Institutions are free to tailor the illustrations to reflect their product offerings, current market conditions, and a consumer's particular loan requirements.  Whether institutions choose to use the illustrations or not, they should review their statements to consumers regarding subprime lending to ensure that they are clear, balanced, and full explain the terms and risks of such loans.

         The agencies seek public comment on the proposed illustrations.  Comments are due 60 days from the Federal Register publication.  The proposed illustrations are available here on the OTS website.

          For more information on ensuring that your institution is making the necessary disclosures, contact Megan Erickson of Dickinson, Mackaman, Tyler & Hagen, P.C. at 515-244-2600.