Developments in cyberbanking






Description:
The proposed rule of cyberbanking.

INTRODUCTION

On September 17, 2004, the Federal Reserve Board (FRB) released proposed revisions (the “Proposed Rule”) (1) to Regulation E, which implements the Electronic Fund Transfer Act (EFTA). (2) The Proposed Rule also includes several proposed revisions to the Official Staff Commentary (the “Commentary”), which serves as the vehicle by which the FRB staff issues official Regulation E interpretations. (3)

The Proposed Rule would amend Regulation E to address payroll cards. (4) In addition, the Proposed Rule includes revisions and clarifications relating to: stop payment and revocation of authorizations for preauthorized electronic fund transfers (“EFTs”)

PAYROLL CARDS

THE PROPOSED RULE

In particular, the Proposed Rule would amend the definition of the term “account” under Regulation E to include a payroll card account “directly or indirectly established by an employer on behalf of a consumer to which EFTs of the consumer’s wages, salary, or other employee compensation are made on a recurring basis,” regardless of whether the account is operated or managed by a depository institution, an employer, or a third-party processor. (6) The supplemental information accompanying the Proposed Rule (the “Supplemental Information”) states that payroll cards would be covered regardless of whether the funds are held in individual employee accounts or in a pooled account

The Proposed Rule, however, would not cover cards used for only one-time transfers of salary-related payments. (8) In addition, the FRB has limited the scope of the Proposed Rule to payroll card products only. For example, the Supplemental Information explicitly states that the “characteristics of payroll card accounts … would not apply to a prepaid ‘gift’ card issued by a merchant.” (9)

In addition, the FRB solicits comments on whether Regulation E coverage should be determined by whether the payroll card account funds qualify as eligible “deposits” for purposes of the Federal Deposit Insurance Act. (10) Under the Federal Deposit Insurance Corporation proposal regarding stored value cards, deposit insurance requirements would apply whenever subaccounts are established and individually tracked, (11) which would be the case with most, if not all, payroll cards.

REPLACEMENT OF EXISTING DEBIT CARDS WITH MULTIPLE CARDS AS RENEWALS OR SUBSTITUTES

Section 205.5 of Regulation E permits financial institutions to distribute access devices on a solicited or unsolicited basis. (12) Existing section 205.5(a)(2)-1 of the Commentary provides a one-for-one rule that states, “[i]n issuing a renewal or substitute access device, a financial institution may not provide additional devices.” (13) Section 205.5(a) of Regulation E, however, states that financial institutions “may issue an access device to a consumer … [i]n response to an oral or written request for the device or … [a]s a renewal of, or in substitution for, an accepted access device whether issued by the institution or a successor.” (14)

The Proposed Rule would maintain the existing comment, but add another comment that would clarify that the: regulation does not prohibit a financial institution from replacing an accepted access device with more than one access device during the renewal or substitution of a previously issued device, provided that any additional access device is not validated at the time it is issued, and the institution complies with the [validation] requirement[] of section 205.5(b). (15)

This modification would clarify that multiple cards may be distributed as renewals or substitutes to existing cards under Regulation E by complying with the requirements of section 205.5(b). The FRB staff stated in the Supplemental Information its view that the combination of the one-for-one rule and the validation requirements of section 205.5(b) afford needed consumer protection. (16) Nevertheless, the Proposed Rule does not appear to preclude a single validation activating both access devices provided to a consumer as renewals or substitutes for a single access device.

TELEPHONIC AUTHORIZATION FOR PREAUTHORIZED EFTs

Currently, preauthorized EFTs from consumer accounts under section 907(a) of the EFTA may be authorized by the consumer only in writing. (17) Section 205.10(b) of Regulation E implements this provision by requiring that preauthorized EFTs be authorized by consumers only in the form of a “writing signed or similarly authenticated.” (18) Moreover, the existing Commentary to section 205.10(b)-3 states that a tape recorded telephone conversation does not constitute proper authentication for the purposes of authorizing preauthorized EFTs. (19)

Representatives of the financial services industry have argued that the language contained in the Commentary is no longer appropriate in light of the passage of the Electronic Signatures in Global and National Commerce Act (“ESIGN Act”), which gives legal effect to an electronic record used as a substitute for a statutory writing requirement. (20)

In response, the Proposed Rule would withdraw section 205.10(b)-3. (21) The Proposed Rule, however, would not specifically address to what extent a tape recorded authorization would satisfy the ESIGN Act. Instead, in the Supplemental Information, the FRB notes that “[i]f under the E-Sign Act, a tape recorded authorization, or certain types of tape recorded authorizations, were properly determined by the person obtaining the authorization to constitute a written and signed … authorization, then the authorization would satisfy the Regulation E requirements.” (22) In addition, the FRB cautions institutions that to satisfy the Regulation E requirements, an authorization, either in paper or electronic form, “must be readily identifiable as such to the consumer, and the terms of the … debits to be authorized must be clear and readily understandable to the consumer.” (23)

The Proposed Rule would also address what constitutes reasonable procedures when a merchant seeks to obtain a consumer’s authorization, via telephone, for recurring payments for goods or services using the consumer’s credit or debit card. (24) Specifically, the Proposed Rule would add a comment to section 205.10(b) to state that procedures reasonably adapted to avoid error will vary with the circumstances. (25) The comment would also state that asking the consumer to specify whether the card to be used for the transaction “is a debit card or is a credit card, using those terms, is a reasonable procedure.” (26) Furthermore, the Proposed Rule would clarify that merchants are not required to obtain or consult bank identification numbers tables in order to be able to establish that they maintain procedures reasonably adapted to avoid error. (27)

STOP PAYMENT AND REVOCATION OF AUTHORIZATIONS FOR PREAUTHORIZED EFTs

Section 205.10(c)-2 of the existing Commentary explains that after a consumer has given notice to a financial institution that he or she has revoked his or her authorization for a specific preauthorized transfer, the financial institution “must block all future payments for the particular debit” and “may not wait for the payee-originator to terminate the automatic debits.” (28)

The Proposed Rule would revise section 205.10(c)-3 of the Commentary to clarify that an institution that does not have the capability of blocking a preauthorized debit from being posted to the consumer’s account, such as debits made on a real-time system, may instead use a third party to block the transfers, provided the recurring debits are stopped. (29)

REGULATION E REQUIREMENTS FOR ATM NOTICES

Section 205.16 of Regulation E requires a notice in a prominent location on or at an ATM “that a fee will be imposed for providing electronic fund transfer services or a balance inquiry.” (30) Section 205.16(b)(1)-1 of the Commentary states that an ATM operator “may provide a general statement that a fee will be imposed for providing EFT services or may specify the type of EFT for which a fee is imposed.” (31) This language has resulted in litigation in California against prominent financial institutions that used the term “may” rather than “will” in their ATM fee notices. (32)

The Proposed Rule would amend the Commentary to clarify that if there are circumstances in which an ATM fee will not be charged, ATM operators may disclose on the ATM signage that a fee “may” be imposed. (33) The Supplemental Information further states that “a disclosure on the ATM that a fee ‘will’ be imposed in all instances could be overbroad and misleading with respect to consumers who would not be assessed a fee for usage of the ATM.” (34)

ERROR RESOLUTION

The Proposed Rule would provide guidance on the procedures required under Regulation E for resolving errors, including the time limits and extent of the investigation. In particular, the Proposed Rule would clarify that where the consumer fails to provide the institution with timely notice (within sixty days after the institution sends the statement that first reflects the alleged error), the institution need not comply with the error resolution requirements. (35) Nevertheless, if the claim involves allegations of an unauthorized EFT, the institution still must satisfy the unauthorized use provisions of Regulation E before imposing liability on the consumer. (36)

The Proposed Rule also clarifies the scope of the investigation requirement where the institution does not have an agreement for the type of EFT involved. (37) Specifically, under the Proposed Rule and the “four walls” rule, an institution would be required to use any relevant information available within its own records for purposes of determining whether an error occurred. (38)

NOTICE OF TRANSFERS VARYING IN AMOUNT

Section 205.10(d) requires the designated payee or the consumer’s financial institution to send written notice of the amount and date of the transfer at least ten days before the scheduled date of a transfer, if the transfer falls outside a specified range or exceeds the most recent transfer by more than an agreed upon amount. (39) The authors believe that this notice is burdensome and is inappropriate where the transfer is between accounts owned by the same consumer, even when those accounts are at different institutions.

To provide additional flexibility, the Proposed Rule would state that a financial institution need not give the consumer the option of receiving such a notice before transfers of funds where the transfer is to an account of the consumer held at another financial institution, even when the other account is a joint account and the consumer is one of the joint account holders. (40)

ELECTRONIC CHECK CONVERSIONS

The Proposed Rule would address coverage of electronic check conversion services and clarify the rights, liabilities, and responsibilities of parties engaged in such transactions. (41) Under the Proposed Rule, a notice about covered electronic check conversions would have to be provided for each transaction. (42) The proposed notice would inform consumers that when a check is used to initiate an EFT, funds may be debited from the consumer’s account quickly, and as applicable, that the consumer’s check will not be returned. (43)

FEDERAL RESERVE BOARD STUDY ON DEBIT CARD FEES

BACKGROUND

Since the mid-1990s, the number of debit cards in circulation has grown to approximately 287 million. (44) Correspondingly, from 1999 to 2003, the number of consumers using debit cards at the point of sale (POS) has grown from forty-eight percent to fifty-seven percent for online personal identification number (PIN) based transactions and from forty-two percent to fifty-four percent for offline signature based transactions. (45) To support this sharp rise in debit card usage, the total number of POS debit card terminals in operation has increased significantly. (46)

Notwithstanding the obvious popularity of each method of debit card transaction, the differing costs and fees associated with online PIN based transactions and offline signature-based transactions have resulted in a schism between account holding financial institutions and merchants. (47) For example, an account holding financial institution can generally produce more revenue from interchange fees paid by merchants as a result of offline signature-based POS transactions. (48) On the other hand, merchants generally prefer consumers to utilize online PIN-based POS transactions to minimize transaction costs by reducing interchange fees. (49)

On May 21, 2004, at the request of some members of the U.S. Senate Committee on Banking, Housing, and Urban Affairs (the “Committee Members”), (50) the FRB published a notice of study and request for information concerning the disclosure of POS debit card transaction fees. (51) The Committee Members’ request followed closely after the publication of a study by the New York Public Interest Research Group, in which it asserts that eighty-nine percent of banks surveyed in the state of New York assess fees for online PIN-based POS transactions ranging from ten cents to $1.50. (52) The FRB noted that the Committee Members’ request for the study reflects [the] concern that consumers may be unaware, or not adequately informed, that their own bank may impose … PIN fees when the consumer chooses online debit [and] may also reflect the belief that, unlike the various fees and surcharges that a consumer may be assessed [at an automated teller machine] transaction, PIN-use fees assessed at the [POS] may not be adequately disclosed or timely disclosed at the [POS], or might be inadequately disclosed in the regular account statement the consumer receives after the debit purchase date. (53)

NOTICE OF STUDY AND REQUEST FOR INFORMATION

Presently, the EFTA and its implementing regulation, Regulation E, establish a framework outlining the rights, responsibilities and liabilities of the various participants in EFTs. (54) In addition, the EFTA and Regulation E impose disclosure obligations on financial institutions that provide EFT services to consumers, including POS debit transactions. (55) For example, an account holding financial institution must make disclosures to consumers regarding fees for POS transactions at three points in time: (i) in the initial disclosures provided at the time the consumer contracts for EFT services

In light of this disclosure framework, the FRB’s notice of study and request for information solicited comment on two disclosure-related issues. First, comments were solicited as to whether existing disclosures adequately inform consumers of fees imposed by an account holding institution when debit cards are used at the POS. (59) Commenters were asked to address whether initial disclosures, disclosures contained in periodic statements, or disclosures included on receipts at electronic terminals are effective “in providing consumers with sufficient information about … [POS] fee practices.” (60) Furthermore, assuming that enhanced disclosures may be necessary, the FRB solicited comment on whether such disclosures would be most effective as “initial disclosures, disclosures provided as part of the consumer’s periodic account activity statement, or disclosures [made] available on … terminal receipt[s].” (61)

Second, the FRB solicited comment on whether additional disclosures should be required in a consumer’s periodic account activity statement. (62) Assuming that additional disclosures in the periodic account activity statement may be beneficial to consumers, the FRB also requested comment on whether such disclosures should reflect: (i) the amount of fees imposed in connection with a POS debit card transaction

PUBLIC REACTION

Not surprisingly, the issue of fees charged to consumers by account holding financial institutions for online PIN-based debit transactions, and the disclosure of such fees, has provoked a mixed response from the financial services industry, consumer protection groups, and the general public. Specifically, those supporting enhanced and/or additional debit card POS fee disclosures argue that fees imposed on consumers for online PIN-based debit transactions are not adequately disclosed, thereby creating consumer surprise as to the amount and the source of such fees–raising the issue of whether real-time fee disclosures should be required at the POS. (64) In contrast, those in opposition to the modification of the existing disclosure framework argue that existing disclosures under the EFTA and Regulation E adequately inform consumers of fees that may be charged to their accounts. (65) Furthermore, opposition groups warn that the implementation of real-time fee disclosures at the POS would require a substantial restructuring of the POS debit transaction processing industry, resulting in significant costs that could offset any potential benefits related to real-time fee disclosure. (66)

STUDY FINDINGS

On November 18, 2004, the FRB, in response to the request by the U.S. Senate Committee on Banking, Housing, and Urban Affairs, issued a report based on its study of the disclosure of fees related to debit card purchases (the “Report”). (67) The Report presents the findings of the FRB on the disclosure of fees charged by depository institutions for customer initiated PIN debit transactions at the POS. (68) In creating the Report, the FRB collected and analyzed data from more than 800 depository institutions and 1,500 consumers and conducted interviews with various participants in the payment card industry (the “Study”). (69) In addition, the Report incorporates comments from members of the public submitted in response to the FRB’s notice of study and request for information. Below is a summary of the Report.

PREVALENCE OF PIN DEBIT FEES

* Approximately fourteen percent of all surveyed depository institutions that offer debit cards charge at least some of their customers a PIN debit fee. (70)

* Larger depository institutions are more likely than smaller depository institutions to charge PIN debit fees. (71)

* Approximately one percent of all reporting depository institutions charge fees for signature debit. (72)

* Approximately fifty-two percent of all reporting households have a debit card and thirteen percent of those households reported that their depository institutions charge PIN debit fees. (73)

* Approximately fifteen percent of customers with debit cards are subject to PIN debit fees. (74)

ADEQUACY OF EXISTING PIN DEBIT FEE DISCLOSURES

* Study findings indicate that of the consumers and merchants surveyed, many regard the PIN debit fee information included in the initial and change-in-terms disclosure statements to be of limited value. (75)

* Fifty-five percent of all households surveyed with a debit card reported that they were “very satisfied” with the information provided by their depository institutions, while thirty percent reported that they were “somewhat satisfied.” (76)

* Twenty-two percent of households who reported that their depository institutions charge PIN debit fees indicated a desire for additional information regarding those fees, such as the “date, time, purchase amount, and merchant’s name and address.” (77)

IMPLEMENTATION OF ENHANCED OR NEW FORMS OF PIN DEBIT FEE DISCLOSURES

* Improvements to initial and change-in-terms disclosure statements may improve consumers’ knowledge about the PIN debit fees that their depository institutions may charge. Study findings, however, indicate that consumers rarely read and/or understand these disclosures. (78)

* Depository institutions could improve current PIN debit fee disclosure practices through line item disclosure for each fee transaction on the periodic statement. (79)

* Study findings indicate that implementation of real-time fee disclosure at the POS would involve extensive changes to the current infrastructure of the payments system. Specifically, implementation of such a scheme would require modifications to systems and hardware, changes to the database infrastructure at card issuing institutions and costly merchant upgrades of existing POS terminals. In addition, the FRB states that the current variety of pricing structures associated with PIN debit fees further complicates the effective implementation of a real-time fee disclosure scheme. (80)

* The FRB states that any regulatory change to the existing disclosure framework should focus on improving the market’s ability to function efficiently, and that this approach should take into account how enhanced or new methods of disclosure might affect the cost to the entire financial system. (81)

CURRENT DISCLOSURE COMPLIANCE BY DEPOSITORY INSTITUTIONS

* A high percentage of depository institutions, ranging from ninety-two to ninety-five percent during the 2001, 2002, and 2003 reporting periods, satisfy all current regulatory requirements for any EFT. In addition, the FRB states that an even higher percentage of depository institutions satisfy the specific requirements for the disclosure of PIN debit transaction fees. (82)

OCC ADVISORY LETTER AL 2004-9

IMPACT OF THE ESIGN ACT

In response to federal legislation facilitating the adoption of electronic record retention systems, national banks may now implement a variety of new business processes, including “loan file imaging, retention of paperless applications and online agreements, and the use of electronic payment systems.” (83) In particular, the passage of the ESIGN Act was instrumental in these developments. The ESIGN Act permits an “electronic record” to satisfy most legal record retention requirements if the electronic record is: (i) maintained in a form that can accurately retain the original information in the contract or other record

While the fulfillment of these three general standards should satisfy a requirement that a contract or other legal document be retained in a written form, (85) the Office of the Comptroller of the Currency (OCC) noted that the ESIGN Act “does not resolve all legal or practical issues relating to electronic records.” (86) Therefore, the OCC cautions that while national banks may rely on the ESIGN Act to satisfy record retention requirements, national banks also must “carefully plan [the] implementation and operation” of such electronic record retention systems to ensure proper regulatory compliance. (87)

In response to these concerns, on June 21, 2004, the OCC issued Advisory Letter AL 2004-9 (the “Advisory Letter”), which highlights various compliance issues arising under the ESIGN Act in connection with electronic record retention systems. (88) The Advisory Letter provides “a basic framework” to “assess and address” key issues relating to electronic record retention systems. (89) Specifically, the Advisory Letter addresses the functional and regulatory considerations of electronic record retention systems and the proper implementation of such systems. (90)

FUNCTIONAL AND REGULATORY CONSIDERATIONS

To achieve the “essential functions and purposes” related to specific records included within a particular electronic record retention system, the system must maintain an appropriate level of “accuracy, accessibility, [and] integrity.” (91) Nevertheless, the Advisory Letter notes that the ESIGN Act does not include specific definitions outlining minimum standards of “accuracy, integrity or accessibility” in connection with the proper administration of an electronic record retention system. (92) Thus, the OCC explains that the ESIGN Act’s general standards will require additional development and interpretation before they can be utilized in a consistent manner. (93) Furthermore, the Advisory Letter indicates that, until such time that specific standards are developed, national banks should “design, implement, and operate” electronic record retention systems in a manner that adequately serves the following purposes and functions. (94)

POTENTIAL USE IN LITIGATION SUPPORT

Because the ESIGN Act does not provide assured standards for electronic record admissibility and because the admissibility requirements for electronic records can vary from state to state, the Advisory Letter advises national bank management to consult with legal counsel to ensure that electronic record retention systems are compliant with relevant court admissibility standards. (95)

RECORDS NEEDED FOR INTERNAL AND EXTERNAL AUDITS AND CONTROLS

The Advisory Letter advises consultation with internal and external auditors in order to confirm that electronic record retention systems contain the appropriate records to facilitate auditing and control functions. (96) To guard against record falsification and manipulation, the Advisory Letter emphasizes the record retention requirements of the “Guidelines and Interagency Standards for Safety and Soundness,” which require a record retention system, whether paper or electronic, to adequately support an internal auditing system. (97)

RECORDS NEEDED FOR BANK SUPERVISION

Because the OCC’s supervisory role requires complete access to appropriate and accurate records, the Advisory Letter indicates that electronic record retention systems must be maintained in such a manner that (i) permits the OCC access to reliable information

RECORDS NEEDED TO COMPLY WITH LAWS AND REGULATIONS

While some federal regulations, such as Regulations B, Z, and DD (Consumer Protection), Title 12 of the Code of Federal Regulations, sections 12.3 and 12.4 (Securities Activities), and Title 31 of the Code of Federal Regulations, sections 103.29 and 103.32 (Bank Secrecy Act Compliance), contain record retention requirements, most do not provide clear instructions on electronic record retention. (102) Therefore, the Advisory Letter indicates that electronic record retention systems should comply with each law’s specific record retention requirements. (103)

IMPLEMENTATION CONSIDERATIONS

Planning and Due Diligence

Before the implementation of any form of electronic record retention system, the Advisory Letter explains that national banks should conduct appropriate planning and due diligence–including collecting input from all affected areas of the bank. (104) As a part of the planning and due diligence processes undertaken in preparation for the implementation of an electronic record retention system, the Advisory Letter urges consideration of the following issues.

Security

In order to properly secure and protect confidential information stored in an electronic format, the Advisory Letter indicates that electronic storage systems should be adequately protected from unauthorized entry or data manipulation. (105)

Internal Controls

To protect against unauthorized access or record alteration, the Advisory Letter indicates that internal controls should include various protection methods, including the “segregation of duties, physical and logical access controls, retention requirements, documentation of changes to records, elimination of write-access to records after capture, encryption for transmission and storage, software integrity checks, and equipment and record media disposal procedures.” (106)

Back-Up and Recovery

To protect against record inaccessibility following an emergency, the Advisory Letter indicates that electronic records should be “sufficiently backed up.” (107) According to the Advisory Letter, a national bank should implement a consistent backup and recovery process utilizing offsite record back-up, proper access controls, and periodic testing. (108)

Record Destruction and Disposal

The Advisory Letter indicates that the destruction and disposal of electronic records should consist of a “systematic and well-documented procedure and an approved records retention and disposition schedule” and comply with the guidelines and rules on safeguarding customer information, which were issued to implement section 501(b) of the Gramm-Leach-Bliley Act. (109) In addition, the Advisory Letter indicates that electronic record destruction procedures “must conform to [the] OCC’s requirements issued under section 216” of the Fair and Accurate Credit Transactions Act of 2003. (110)

Retention Periods and Content

To comply with all legal requirements in connection with the appropriate period of retention for retained records, the Advisory Letter advises national banks to implement a period of retention that is specific to each individual record and that is consistent with any appropriate legal, regulatory, fiscal, or administrative requirement. (111) With regard to the content of retained electronic records, the OCC advises that the content of a record, rather than its format, should determine its retention eligibility. (112)

Change Management

The Advisory Letter indicates that an electronic record retention system should provide enough flexibility so that there is no impediment to the accessibility of electronic records if a future update or change in technology requires the migration of such electronic records to a new system. (113) The Advisory Letter notes that national banks should “assess and test the impact” on electronically stored records in the event of a change to the electronic record retention system. (114)

INSTANCES OF “PHISHING” ON THE RISE

GROWTH OF PHISHING

Increasingly, customers of financial institutions are falling victim to a rapidly growing form of internet fraud known as “phishing.” Phishing, a fraudulent activity in which thieves entice individuals into sharing their private financial information by posing as legitimate companies, caused 1.2 billion dollars in losses to banks and credit card companies in 2003 alone. (115) In response to the alarming growth of this particularly elusive form of fraud, various federal banking agencies have issued guidance with regard to the prevention, mitigation, and education of consumers on this subject.

OFFICE OF THRIFT SUPERVISION

On March 8, 2004, the Office of Thrift Supervision (OTS) issued an alert warning that phishing could lead to financial loss, identity theft, and loss of consumer confidence in affected financial institutions. (116) Given these repercussions, the OTS advised financial institutions to implement safeguards that will reduce the likelihood of this type of fraud. (117) The OTS encourages the financial institutions it regulates, when appropriate, to take the prevention, mitigation, and response measures noted below.

PREVENTION AND MITIGATION

The OTS advises the institutions it regulates to:

* implement a policy requiring that the institution “will not solicit confidential or sensitive customer information via e-mail and, [periodically] inform customers of this policy

* periodically notify customers regarding the financial institution’s security policies and practices, including specifics about the kinds of information that the financial institution would not request via email, telephone, or other communication methods, and the role the customer can play in securing his or her information. (119) The notice should include information to make customers aware of the various frauds and scams that can be effectuated using email, the internet, or other communication methods. (120) In addition, the notice should provide guidance to customers as to the proper steps to take if they suspect that they have been targeted by one of these fraudulent schemes

* include a security-related page on the institution’s website to educate customers about phishing and other internet-related fraud

* adopt a policy of personalizing customer emails, informing customers of this policy, and warning them not to respond to mass-mailed emails

* keep abreast of advances in technology designed to protect customer information, and apply system and software patches and upgrades in a timely manner

* maintain information security procedures consistent with current industry best practices and regulatory guidance

* ensure that website certificates are kept current, and educate customers to verify that the website they are viewing is actually that of the financial institution. (126)

INCIDENT RESPONSE MEASURES

The OTS also encourages the institutions it regulates to adopt incident-response measures that include:

* posting prominent alert notices on the financial institution’s website when it becomes aware of actual phishing incidents using the financial institution’s proprietary information. (127) The notice should give details of the phishing incident and reiterate the financial institution’s security policies and practices. (128) The notice also should include contact information where customers can get additional information or report instances of phishing

* contacting customers directly by mail and/or email

* monitoring customer accounts for unusual activity and trends

* flagging and closely monitoring the accounts of customers who report that they have become victims of phishing or other fraudulent activity

* alerting the financial institution’s staff to the incident of phishing so that they are sensitive to the situation and can report unusual activity

* encouraging customers who believe that they have been victims of a phishing scam to take precautions such as changing passwords and login information, contacting credit reporting services and having a fraud alert attached to their credit report file, and monitoring the activity in their accounts. (134)

FEDERAL DEPOSIT INSURANCE CORPORATION

On March 12, 2004, the Federal Deposit Insurance Corporation (FDIC) released guidance similar to that of the OTS, as noted above, alerting the financial institutions it regulates to the increasing occurrence of email and internet fraud schemes. (135) “Guidance on Safeguarding Customers Against E-Mail and Internet-Related Fraudulent Schemes” (the “FDIC Guidance”) describes how institutions can assist in protecting their customers. (136) Similar to the OTS alert, the FDIC Guidance suggests that institutions consider developing programs to educate customers about email and internet-related fraudulent schemes and to enhance security programs to mitigate the risks associated with such schemes. (137)

While the FDIC Guidance suggests a number of prevention and mitigation measures similar to the OTS alert, the FDIC Guidance also encourages financial institutions to implement information security controls to (i) “improv[e] authentication methods and procedures to protect against the risk of” password or identity theft

IDENTITY THEFT PENALTY ENHANCEMENT ACT

Congress, recognizing the growing threat posed by phishing, passed the Identity Theft Penalty Enhancement Act (the “Act”), which establishes sentencing guidelines for aggravated identity theft. (139) The Act imposes a sentence of two years imprisonment in addition to any sentence for the underlying felony, when a person “knowingly transfers, possesses, or uses, without lawful authority, a means of identification of another person” during an enumerated felony violation. (140) The enumerated felonies include, among other things, fraud and related activities under section 1028 (except section 1028(a)(7)) of Title 18. (141) A person convicted of aggravated identity theft cannot be placed on probation for the crime, nor can a prison sentence under this section be served concurrently with any other sentence (except when the additional term of imprisonment is imposed by the court at the same time for an additional violation of this section, the court may, in its discretion exercised in accordance with applicable guidelines, impose a sentence that runs concurrently in whole or in part). (142) Additionally, a court may not take into account any sentence imposed under this section in determining the sentence for the underlying felony. (143)

(1.) Electronic Fund Transfers, 69 Fed. Reg. 55,996 (Sept. 17, 2004) (to be codified at 12 C.F.R pt. 205).

(2.) Electronic Fund Transfer Act, Pub. L. No. 95-630, 92 Stat. 3728 (1978) (codified as amended at 15 U.S.C. [subsection] 1601-1693 (2000)).

(3.) Electronic Fund Transfers, 69 Fed. Reg. at 55,996.

(4.) Id. at 55,997.

(5.) Id. at 55,996-98.

(6.) Id. at 55,997.

(7.) Id. at 55,999.

(8.) Id.

(9.) Id.

(10.) Id. at 55,999-56,000.

(11.) Federal Deposit Insurance Corporation, 69 Fed. Reg. 20,558, 20,565 (Apr. 16, 2004) (to be codified at 12 C.F.R. pt. 303).

(12.) Electronic Fund Transfers, 12 C.F.R. [section] 205.5 (2004).

(13.) 12 C.F.R. pt. 205, supp. I, [section] 205.5(a)(2) cmt. 1 (2004).

(14.) 12 C.F.R. [section] 205.5(a).

(15.) Electronic Fund Transfers, 69 Fed. Reg. at 56,010.

(16.) Id. at 56,002.

(17.) Consumer Credit Protection Act, 15 U.S.C. [section] 1693e (2000).

(18.) 12 C.F.R. [section] 205.10(b).

(19.) 12 C.F.R. pt. 205, supp. I, [section] 205.10(b) cmt. 3.

(20.) Electronic Fund Transfers, 69 Fed. Reg. at 55,998, 56,003. See ESIGN Act, 18 U.S.C. [subsection] 7001-7031 (2000 & Supp. II).

(21.) Electronic Fund Transfers, 69 Fed. Reg. at 55,998, 56,003.

(22.) Id. at 56,003.

(23.) Id.

(24.) Id.

(25.) Id. at 56,011.

(26.) Id.

(27.) Id.

(28.) 12 C.F.R. pt. 205, supp. I, [section] 205.10(c) cmt. 2 (2004).

(29.) Electronic Fund Transfers, 69 Fed. Reg. at 56,011.

(30.) 12 C.F.R. [section] 205.16(b)(1) (emphasis added).

(31.) 12 C.F.R. pt. 205, supp. 1, [section] 205.16(b)(1), cmt. 1 (emphasis added).

(32.) Am. Bankers Ass’n v. Lockyer, No. Civ. S. 04-0778 MCE KJ, 2004 WL 1490432 (E.D. Cal. June 30, 2004).

(33.) Electronic Fund Transfers, 69 Fed. Reg. at 56,011.

(34.) Id. at 56,005.

(35.) Id. at 56,011.

(36.) Id.

(37.) Id.

(38.) Id.

(39.) Electronic Fund Transfers, 12 C.F.R. [section] 205.10(d) (2004).

(40.) Electronic Fund Transfers, 69 Fed. Reg. at 56,011.

(41.) Id. at 56,008.

(42.) Id.

(43.) Id.

(44.) Federal Reserve System, 69 Fed. Reg. 29,308 (May 21, 2004).

(45.) Press Release, American Bankers Association, Both PIN and Signature Debit Get Strong Support From Consumers (Jan. 8, 2004), available at http://www.aba.com

(46.) Id.

(47.) Federal Reserve System, 69 Fed. Reg. at 29,309.

(48.) Id.

(49.) Id.

(50.) Id. at 29,308.

(51.) Id.

(52.) New York Public Interest Research Group, Pricey Plastic: NYPIRG Report and Survey of Plastic Card Fees, at http://www.nypirg.org/consumer/cards/debit.html (last visited Feb. 13, 2005).

(53.) Federal Reserve System, 69 Fed. Reg. at 29,309.

(54.) Consumer Credit Protection Act, 15 U.S.C. [subsection] 1693-1693r (2000).

(55.) 15 U.S.C. [section] 1693(c).

(56.) 12 C.F.R. [section] 205.7(a).

(57.) Id. [section] 205.9(b).

(58.) Id. [section] 205.9(a).

(59.) Federal Reserve System, 69 Fed. Reg. 29,308, 29,310 (May 21, 2004).

(60.) Id. at 29,310.

(61.) Id.

(62.) Id.

(63.) Id.

(64.) BOARD OF GOVERNORS OF THE FEDERAL RESERVE SYSTEM, 108TH CONG., REPORT TO THE CONGRESS ON THE DISCLOSURE OF POINT-OF-SALE DEBIT FEES 31-32 (2004) [hereinafter REPORT], available at http://www.federalreserve.gov/boarddocs/rptcongress/posdebit2004.pdf.

(65.) See, e.g., Comment Letter from Cary Whaley, Associate Director, Independent Community Bankers of America, to Jennifer Johnson, Secretary, Board of Governors of the Federal Reserve System (July 23, 2004), available at http://www.icba.org/advocacy/commentlettersdetail.cfm?sn.itemnumber=1711&itemnumber=675&pf=1.

(66.) Id.

(67.) REPORT, supra note 64, at 3.

(68.) Id. at 1.

(69.) Id.

(70.) Id. at 16.

(71.) Id.

(72.) Id.

(73.) Id. at 19, 21.

(74.) Id. at 26.

(75.) Id. at 30-31.

(76.) Id. at 31.

(77.) Id. at 32.

(78.) Id. at 39.

(79.) Id.

(80.) Id. at 34-35.

(81.) Id. at 42.

(82.) Id. at 28-30.

(83.) Electronic Record Keeping, OCC Advisory Letter, AL 2004-9 [1995 Transfer Binder] Fed. Banking L. Rep. (CCH) [paragraph] 60-592, at 69, 173-9 (June 21, 2004) [hereinafter Advisory Letter].

(84.) ESIGN Act, 15 U.S.C. [subsection] 7001(d)(1)(A)-(B) (2000 & Supp. II).

(85.) 15 U.S.C. [section] 7001(d).

(86.) Advisory Letter, supra note 83, at 69, 173-9.

(87.) Id.

(88.) Id.

(89.) Id.

(90.) Id. at 69, 173-10.

(91.) Id.

(92.) Id. at 69, 173-9.

(93.) Id.

(94.) Id. at 69, 173-10.

(95.) Id.

(96.) Id.

(97.) Id.

(98.) 12 U.S.C. [section] 481 (2000).

(99.) 12 U.S.C. [section] 1818(c)(3) (2000).

(100.) Advisory Letter, supra note 83, at 69, 173-10.

(101.) Id.

(102.) Id. at 69, 173-10, 69, 173-11.

(103.) Id. at 69, 173-11.

(104.) Id.

(105.) Id.

(106.) Id.

(107.) Id.

(108.) Id.

(109.) Id.

(110.) Id. at 69, 173-12. OCC requirements under section 216 of the Fair and Accurate Credit Transactions Act require “any person that maintains or otherwise possesses consumer information … derived from consumer reports … to properly dispose of any such information or compilation.” Id.

(111.) Id.

(112.) Id.

(113.) Id.

(114.) Id.

(115.) James Swann, Gone Phishing: Helping Customers Avoid the Hook, 13 COMMUNITY BANKER 40 (Aug. 2004).

(116.) Memorandum from Scott M. Albinson, Office of Thrift Supervision, Department of the Treasury, to Chief Executive Officers of Regulated Entities (Mar. 8, 2004) [hereinafter Memorandum], available at http://www.ots.treas.gov/docs/2125193.pdf.

(117.) Id. at 1.

(118.) Id. at 2. The Financial and Banking Information Infrastructure Committee and the Financial Services Sector Coordinating Council issued a special report in May 2004 which, in addition to outlining similar prevention and mitigation measures for financial institutions, also outlines measures that consumers can take to prevent, detect, and respond to a phishing attack. See FINANCIAL AND BANKING INFORMATION INFRASTRUCTURE COMMITTEE AND THE FINANCIAL SERVICES SECTOR COORDINATING COUNCIL, LESSONS LEARNED BY CONSUMERS, FINANCIAL SECTOR FIRMS, AND GOVERNMENT AGENCIES DURING THE RECENT RISE OF PHISHING ATTACKS (May 2004), available at http://www.treas.gov/offices/domestic-finance/financial-institution/cip/pdf/fbiic-fsscc-report-2004.pdf.

(119.) Memorandum, supra note 116, at 2.

(120.) Id.

(121.) Id.

(122.) Id.

(123.) Id.

(124.) Id.

(125.) Id.

(126.) Id.

(127.) Id. at 3.

(128.) Id.

(129.) Id.

(130.) Id.

(131.) Id.

(132.) Id.

(133.) Id.

(134.) Id.

(135.) FDIC, Financial Institution Letter FIL-27-2004, Guidance on Safeguarding Customers Against E-Mail and Internet-Related Fraudulent Schemes (Mar. 12, 2004), available at http://www.fdic.gov/news/news/financial/2004/fil2704.html.

(136.) Id.

(137.) Id.

(138.) Id.

(139.) Identity Theft Penalty Enhancement Act, Pub. L. No. 108-275, 118 Stat. 831 (codified as amended in scattered sections of 18 U.S.C.).

(140.) 18 U.S.C. [section] 1028A(a)(1).

(141.) Id. [section] 1028A(c).

(142.) Id. [section] 1028A(b)(1)-(2).

(143.) Id. [section] 1028A(b)(3).

Mark T. Gillett, Obrea O. Poindexter, and M. Sean Ruff *

* Mr. Gillette practices law with Morrison & Foerster LLP in Los Angeles, California. Ms. Poindexter and Mr. Ruff practice law with Morrison & Foerster LLP in Washington, D.C.