II. C. Financial

Fair and Accurate Credit Transactions Act (FACTA) of 2003

Made substantial amendments to FCRA, intended primarily to help consumers combat identity theft. FACTA is also concerned with issues such as accuracy, privacy, limits on information sharing and new consumer rights to disclosure. Created disposal and red flags rules. CFPB is rule-making and enforcement authority. Stricter state laws are preempted - although states retain some powers to enact laws addressing identity theft.

Abusive act or practice

- Materially interferes with the ability of a consumer to understand a term or condition of a consumer financial product or service or - Takes unreasonable advantage of: 1. A lack of understanding on the part of the consumer of the material risks, costs, or conditions of the product or service 2. The inability of the consumer to protect its interests in selecting or using a consumer financial product or service; or 3. The reasonable reliance by the consumer on a covered person to act in the interests of the consumer

Under FCRA, CRA's are required to:

- Provide consumers with access to info in report and the opportunity to dispute/correct errors - Ensure maximum possible accuracy of report - Not report negative info that is outdated (account data more than seven years old, bankruptcies older than 10 years) - Provide reports only to entities that have permissible purpose - Maintain records regarding entities that received reports - Provide consumer assistance as required by FTC

Who does CFPB have enforcement authority over?

- ll nondepository financial institutions - all depository institutions with more than $10bil in assets (banking regulators have enforcement power for less than $10bil assets)

Three levels of security under GLBA:

1. Administrative security: includes program definition, management of workforce risks, employee training, vendor oversight 2. Technical security: covers computer systems, networks, and applications in addition to access controls and encryption 3. Physical security: includes facilities, environmental safeguards, business continuity, disaster recovery

Requirements under GLBA safeguard rule:

1. Designate an employee to coordinate safeguards 2. Identify and assess risks to customer information 3. Design and implement a safeguard program and regularly monitor and test it 4. Select appropriate service providers and enter into agreements with them 5. Evaluate and adjust the program in light of relevant circumstances

FACTA Provisions

1. Free credit reports - Consumers will receive one free credit report every 12 months from each of the "big three" national credit bureaus. 2. Fraud alerts - Victims of identity theft can place a fraud alert on their accounts, which are effective for 90 days, but may be extended (with proof of identity theft) for a period of seven years. 2. Truncation - Systems that print payment card receipts must employ PAN truncation so that the consumer‟s full account number is not visible on the slip. 3. Available information - The FACTA includes provisions that help victims access copies of the imposter‟s account application and transactions. 4. Collection agencies - Once creditors are notified of debts due to identity theft, they are not permitted to sell the debt or place it for collection. 5. Red flags - Financial institutions, creditors and other businesses that rely on consumer reports are required to detect and resolve fraud by identity theft.

Users of consumer reports must meet which requirements?

1. Third party data for decision making must be accurate, current, and complete 2. Consumers must receive notice when third party data is used to make adverse decisions 3. Consumer reports may only be used for permissible purposes 4. Consumers must have access to their consumer reports and provide an opportunity to dispute or correct errors 5. other requirements, such as record keeping, providing certifications to the CRAs, securely disposing of the consumer report data

CRA's are required to provide notice of their obligations to users of consumer reports:

1. Users must have a permissible purpose - ordered by court or subpoena - instructed by consumer in writing - extension of credit as result of application - for employment purposes - hiring/promotion decisions where consumer has given written permission - insurance underwriting - legitimate business need - to review account to see if it meets terms 2. Users must provide certifications 3. Users must notify consumers when adverse actions are taken

FACTA and workplace privacy

An employer who suspects an employee of misconduct does not have to give notice or get the employee‟s permission to conduct a misconduct investigation. Like other inquiries covered by the FCRA, this only applies if the employer hires an outside party to conduct the investigation.

Consumer report

Any communication by a CRA related to an individual that pertains to the person's creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, mode of living and that is used for the purpose of serving as a factor in establishing a consumer's eligibility for credit, insurance, employment, etc.

Consumer Reporting Agency (CRA)

Any person or entity that complies or evaluates personal information for the purpose of furnishing consumer reports to third parties for a fee.

Fair Credit Reporting Act (FCRA) of 1970

Enacted to regulate the consumer reporting industry and provide privacy rights in consumer reports; mandates accurate and relevant data collection, provides consumers with the ability to access and correct their information, and limits the use of consumer reports to defined permissible purposes. Regulates any 'consumer reporting agency' (CRA) that furnishes a consumer report (ex. Equifax, TransUnion, Experian). Also imposes obligations on orgs that are not CRA's including users (lenders, insurers, employers, and others who use consumer reports) and furnishers (lenders, retailers, and others who furnish credit history or other personal information to the CRAs). Generally, preempts state law (see FACTA). Does not preempt states from creating stronger legislation in the area of employment credit history checks such as the California ICRAA.

California Financial Information Privacy Act (California SB-1)

Expands privacy protections afforded under GLBA and increases disclosure requirements of F.I's. and grants consumers rights with regards to info sharing: - Must opt in for FI to share data with nonaffiliated parties - Opt-in provisions must be presented on form titled 'Important Privacy Choices for Consumers' and written in simple English - Grants consumers opt out for info sharing between the FI and affiliates not in the same line of business Violations: negligent noncompliance is punishable with statutory damages of $2,500 per consumer, up to $500,000/occurrence. Willful non-compliance eliminates the $500,000 cap.

Red Flags Program Clarification Act of 2010

Narrows the previously broad definition of creditor to not implicate entities that extend credit only for "expenses incidental to a service." Creditor defined as one who in the normal course of business: - Obtain or use of consumer reports in connection with a credit transaction - Furnish information to CRA in connection with a credit transaction OR - Advance funds to or on behalf of someone, except for expenses incidental to a service provided by the creditor to that person

Consumer Financial Protection Bureau (CFPB)

Oversees the relationship between consumers and providers of financial products and services; holds authority to examine, write regulations, bring enforcement actions concerning businesses that provide financial products or services.

The International Money Laundering Abatement and Anti-Terrorist Financing Act of 2001

Part of the USA PATRIOT Act. - Expanded the BSA reach (new reporting and record-keeping requirements for different industries) - Gave U.S Treasury secretary the ability to create broad rules to implement modified Know Your Customer requirements - development and implementation of formal anti-money-laundering programs

Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010

Provides financial regulators with information to monitor and understand the risks of the financial system so that measures can be taken to control them.

GLBA Safeguards Rule

Requires F.I. to maintain security controls to protect the confidentiality and integrity of personal consumer info, including both electronic and paper records. F.I. must develop a comprehensive info sec program that addresses "administrative, technical, and physical safeguards" to protect the security, confidentiality, and integrity of customer information.

The Disposal Rule (FACTA)

Requires any individual or entity that uses a consumer report, or information derived from a consumer report, for a business purpose to dispose of that information in a way that prevents unauthorized access and misuse of the data. State disposal rules may impose broader requirements. - Burn, pulverize, or shred papers containing consumer report info - Destroy/erase electronic files containing consumer report info - Conduct due diligence and hire document destruction contractor to dispose of material specifically identified as consumer report info consistent w/ rule

The Red Flags Rule (FACTA)

Requires certain financial entities to develop and implement written identity theft detection programs that can identify and respond to the "red flags" that signal identity theft. FTC recommended red flags: - Alerts from CRA - Suspicious identification documents - Suspicious personal identifying data - Unusual use of a covered account

The Financial Services Modernization Act of 1999 (Gramm-Leach-Bliley Act (GLBA))

Sets the privacy framework for modern banking. Financial institutions must protect consumers' nonpublic personal info. Promulgated a Privacy Rule and Safeguards Rule. At the state level, state attorneys general can enforce GLBA. Stricter state laws are not preempted under GLBA - validity of stricter state laws however, can be subject to challenge because there is limited preemption under FCRA, so courts would need to determine which federal financial privacy statute governs for particular state law. No private right to action, however, failure to comply with certain notice requirements may be considered a deceptive trade practice which some states give private right to action for.

Investigative consumer reports

contain information about a consumer's character, reputation, personal characteristics, mode of living - obtained through personal interviews

Methods to address concerns regarding online banking:

o Careful design and updating of relevant software o Education of individual consumer (selecting appropriate internet browser, using firewalls, antivirus programs, anti-malware programs, strong passwords/encryption

CFPB has the enforcement authority to:

o Conduct investigations and issue subpoenas o Hold hearings and commence civil actions against offenders

Consumer rights for investigative consumer reports:

o Consumer must be informed than investigative consumer report may be obtained o Disclosure must be in writing and delivered to consumer some time before but not later than three days after the date which the report was first requested o Disclosure must include a statement informing the consumer of his or her right to request additional disclosures and a summary of consumer rights under FCRA o User must certify to the CRA that the required disclosures have been made o Upon written request of a consumer, the user must make a complete disclosure of the nature and scope of the investigation o Nature and scope disclosures must be made in a written statement that mailed or delivered to consumer no later than five days after the date on which the request was received from the consumer or the report was first requested (whichever later)

Steps to address consumer privacy/security concerns for online banking:

o Letting customers know the type of authentication methods the financial institution has in place o Informing customers of the dangers of using public Wi-Fi connections o Empowering customers with information on mobile antivirus and malware detection software o Creating a mobile privacy policy and having it certified by a reputable third party o Fostering trust with customers by enabling them to decide which data to share and allowing them to opt out of mobile ad targeting

GLBA Privacy Rule components:

o Prepare and provide to customers clear and conspicuous notice of F.I's info sharing policies, must be provided when relationship is established & annually after that o Clearly provided customers the right to opt out of having their nonpublic personal info shared with nonaffiliated third parties (subject to exceptions such as joint marketing and transaction processing) o Refrain from disclosing to any nonaffiliated third-party marketer an account number or similar form of access code to a consumer's credit card, deposit or transaction account o Comply with regulations to protect the security and confidentiality of customer records and info. Protect against security threats and unauthorized access.

'Non-public personal information' or 'personally identifiable financial information'

o Provided by the consumer to a financial institution o Resulting from a transaction or service performed for the consumer OR o Otherwise obtained by the financial institution

Under GLBA's privacy provisions, financial institutions are required to:

o Store personal financial info in a secure manner o Provide notice of their policies regarding the sharing of personal financial info o Provide consumers with the choice to opt out of sharing some personal financial info

GLBA Privacy notice must contain:

o What info the F.I collects o With whom it shares the info o How it protects/safeguards the info o Explanation of opt out policy o Must process opt-outs within 30 days

GLBA violation penalties

subject to penalties under the Financial Institution Reform, Recovery, and Enforcement Act (FIRREA). FIRREA penalties range from up to $5,500 for violation of laws to a max of $27,500 if violations are unsafe, unsound, or reckless. As much as $1.1mil for knowing violations.