Module 2- Unit 2B: Financial
Who does the Red Flags Rule apply to?
Financial institutions and creditors
Are stricter state laws pre-empted under GLBA?
No
Is there a private right of action under GLBA?
No
Are employee investigations treated like consumer reports under the FCRA?
Not as long as: 1. the employer follows the FCRA procedures for workplace misconduct investigations; 2. no credit information is used; and 3. a summary describing the nature and scope of the investigation is provided to the employee if adverse action is taken
What rights does the FCRA give to consumers who are the subject of investigative consumer reports?
Users of such reports must disclose to the consumer, in writing, that an investigative consumer report may be obtained, and the consumer has the right to request a further disclosure of the nature and scope of the investigation.
Who does the notice requirement of the FCRA apply to?
Users of consumer reports (employers, lenders, insurers); the CRA that furnishes the report must give its users this notice of their obligations
What are two examples of anti-money laundering laws?
1. Bank Secrecy Act of 1970 (BSA) 2. International Money Laundering Abatement and Anti-Terrorist Financing Act of 2001 (Title III of the USA PATRIOT Act)
What are the penalties for violating the BSA?
1. Civil penalties for failing to comply (up to $25K or the amount of the transaction) or for negligence ($500 per violation) 2. Criminal penalties: fines ($10K to $100K) plus 1 to 5 years in prison
What does the GLBA Privacy Rule require financial institutions to do?
1. Give customers clear notice of their information-sharing practices and policies when the customer relationship is established and annually thereafter 2. Give consumers the right to opt out of having their nonpublic personal information (NPI) shared with nonaffiliated third parties, and process opt-outs within 30 days 3. Refrain from disclosing to any nonaffiliated third-party marketer an account number or similar access code for a consumer's credit card, deposit or transaction account 4. Protect the security and confidentiality of customer records and information, and protect against anticipated security threats and unauthorized access or use
What did the Red Flag Program Clarification Act do?
1. It clarified the definition of "creditor" so that unintended entities such as attorneys and healthcare providers are not swept in 2. It limits the rule to creditors whose accounts are subject to a reasonably foreseeable risk of identity theft
Under the FCRA, what four main requirements must users of consumer reports meet?
1. Make sure data is accurate, current and complete 2. Give consumers notice when third-party data is used to make an adverse decision about them 3. Use consumer reports for permissible purposes only 4. Give consumers access to their consumer reports and an opportunity to correct any errors
What are the major things the FCRA did?
1. Mandates accurate and relevant data collection 2. Provides consumers with the ability to access and correct their information 3. Limits the use of consumer reports to defined permissible purposes 4. Requires that consumers receive notice when third-party data is used to make adverse decisions about them
What must a person do if they take adverse action based on information obtained from affiliates?
1. Notify the consumer of the adverse action 2. The notice must inform the consumer that they may obtain a disclosure of the information relied upon by making a written request within 60 days of receiving the adverse action notice 3. If the consumer makes the request, disclose the information no later than 30 days after receiving it
What are acceptable methods of disposal under the Disposal Rule?
1. Paper: burn, pulverize or shred 2. Electronic files: destroy or erase so they cannot be read or reconstructed 3. Conduct due diligence and hire a document destruction contractor to dispose of the material in a manner consistent with the rule
What are the penalties for violating GLBA provisions?
Civil penalties range from $5,500, to a maximum of $27,500 if violations are unsafe, unsound or reckless, to as much as $1.1 million for knowing violations
What are the CFPB's powers?
1. Rulemaking authority for the FCRA, GLBA and the Fair Debt Collection Practices Act 2. Enforcement authority over non-depository financial institutions and over depository institutions with more than $10 billion in assets; for depository institutions with assets of $10 billion or less, the CFPB makes the rules but enforcement remains with the banking regulators 3. It can bring enforcement actions for unfair or deceptive acts and practices 4. It can bring enforcement actions against abusive acts and practices 5. It can investigate, issue subpoenas, hold hearings and commence civil actions against offenders 6. Civil penalties: "civil penalties vary from $5,526 per day for federal consumer privacy law violations to $27,631 per day for reckless violations and $1,105,241 for knowing violations" (IAPP, US Private-Sector Privacy textbook, 1.0)
What do the GLBA privacy provisions require financial institutions to do?
1. Store personal financial information in a secure manner 2. Provide notice of their policies regarding the sharing of personal financial information 3. Provide consumers with the choice to opt out of the sharing of some personal financial information
What are the methods to address privacy in online and mobile banking?
1. Let customers know the types of authentication methods the financial institution has in place 2. Inform customers of the dangers of using public Wi-Fi connections 3. Empower customers with information on mobile antivirus and malware detection software 4. Create a mobile privacy policy and have it certified by a reputable third party 5. Let customers decide which data to share and allow them to opt out of mobile ad targeting
What types of penalties can be imposed for violations of the FCRA?
1. Civil and criminal penalties 2. Actual damages, statutory damages of up to $1,000 per violation, and civil penalties of up to $3,756 per violation for willful violations
What did the Dodd-Frank Wall Street Reform and Consumer Protection Act do?
1. Created the CFPB, an independent bureau within the Federal Reserve 2. Gave it authority to protect consumers in their dealings with banks and other financial institutions
What must each financial institution do to comply with the GLBA Safeguards Rule?
1. Designate an employee to coordinate the safeguards 2. Identify and assess risks to customer information in each relevant area of the company's operations and evaluate the effectiveness of current safeguards (risk assessment) 3. Design and implement a safeguards program, and regularly monitor and test it 4. Select appropriate service providers and contract with them to implement safeguards 5. Evaluate and adjust the program as circumstances change
How is the FCRA enforced?
1. Dispute resolution 2. Private litigation: the FCRA created a private right of action if the consumer is not satisfied with dispute resolution 3. Government action
What did FACTA amend, and how?
1. It amended the FCRA 2. Under FACTA, stricter state laws are pre-empted in most areas
What must the notice to the consumer of an adverse action based on a consumer report include under the FCRA?
1. Name and contact information for the CRA 2. A statement that the CRA cannot explain why the decision was made, because it did not make the adverse decision 3. The consumer's right to a free disclosure from the CRA if requested within 60 days 4. The consumer's right to dispute directly with the CRA the accuracy or completeness of the information it provided
Under the FCRA, what must CRAs do?
1. Provide access and an opportunity to dispute inaccurate information 2. Take reasonable steps to ensure the accuracy of information in consumer reports 3. Not report outdated negative information: adverse account data more than 7 years old, or bankruptcies more than 10 years old 4. Give consumer reports only to entities that have permissible purposes under the FCRA 5. Maintain records of the entities that received consumer reports 6. Provide consumer assistance
What did the BSA impose, and on whom?
1. Recordkeeping and record retention requirements on financial institutions 2. Financial institutions must file a suspicious activity report (SAR) in defined situations
What consumer protections did FACTA enact?
1. Required truncation of credit and debit card numbers on receipts, to prevent identity theft 2. Gave consumers new rights to an explanation of their credit score 3. Gave consumers the right to a free annual credit report from each of the three nationwide consumer reporting agencies: Equifax, Experian and TransUnion 4. Required regulators to promulgate the Disposal Rule and the Red Flags Rule
When must a SAR (suspicious activity report) be filed?
1. When an insider is suspected of committing a crime, regardless of amount 2. When a possible crime involves $5,000 or more and the institution has a substantial basis for identifying a suspect 3. When a possible crime involves $25,000 or more, even if no suspect is identified 4. When potential money laundering involves transactions aggregating $5,000 or more
What is the Consumer Financial Protection Bureau?
A regulatory agency created by Dodd-Frank. The CFPB now has rulemaking authority for the FCRA, as updated by FACTA, as well as for most financial institutions under GLBA. It shares enforcement authority for these with the FTC and the banking regulators
What does administrative security mean under the GLBA Safeguards Rule?
Administrative security means management of workforce risks, employee training and vendor oversight
Who does the FCRA regulate?
Any consumer reporting agency (CRA) that furnishes a consumer report, i.e. a report used primarily to establish a consumer's eligibility for credit, insurance, employment or another permissible purpose
Who enforces GLBA?
The CFPB for the GLBA Privacy and Safeguards Rules, sharing enforcement with the FTC and the federal banking regulators; state attorneys general can also enforce it at the state level
What does the FCRA notice requirement require?
The CRA must give users of consumer reports a notice of their obligations: 1. Users must have a permissible purpose to obtain a consumer report 2. Users must certify to the CRA the permissible purpose for which the report is being obtained and that it will not be used for any other purpose 3. Users must notify consumers when adverse actions are taken
What is the Red Flags Rule?
Certain financial institutions and creditors must develop and implement written identity theft detection programs and respond to red flags that signal possible identity theft
What did the International Money Laundering Abatement and Anti-Terrorist Financing Act of 2001 do?
It expanded the BSA and required financial institutions to "know your customer" (customer identification programs) to deter money laundering
Who enforces the Disposal Rule?
The FTC, the federal banking regulators and the CFPB
What does FACTA stand for?
Fair and Accurate Credit Transactions Act
What are the two rules GLBA enacted to ensure privacy?
1. GLBA Privacy Rule 2. GLBA Safeguards Rule
What is the Gramm-Leach-Bliley Act?
GLBA (1999) led to financial services modernization, allowing banks, securities firms and insurers to affiliate. The driver for its privacy provisions was preventing financial services companies such as banks from sharing sensitive customer data with telemarketing firms
What is prescreening?
Getting a list from a CRA of consumers who meet pre-established criteria. It is usually done by creditors and insurers.
What obligations does the FCRA impose on organizations intending to use consumer reports for employment purposes?
If an organization is going to use a consumer report for employment purposes, it must: 1. Notify the consumer 2. Get the consumer's prior written authorization 3. Certify to the CRA that the above steps have been taken, that the information will not be used in violation of law, and that if adverse action is taken based on the report, a copy of the report and a summary of the consumer's rights will be provided to the consumer 4. Before taking adverse action, provide the report to the consumer together with the summary of consumer rights
What is an investigative consumer report?
It contains info about consumers character, general reputation, personal characteristics and mode of living. It is obtained through personal interviews by a CRA
What does physical security mean under the GLBA Safeguards Rule?
It includes facilities, environmental safeguards, business continuity and disaster recovery
What is the CFPB?
It is an independent bureau within the Federal Reserve
Under GLBA, what is nonpublic personal information (NPI)?
Personally identifiable financial information that is: 1. provided by a consumer to a financial institution; 2. the result of a transaction or service performed for the consumer; or 3. otherwise obtained by the financial institution
What is the Disposal Rule?
It requires any entity that uses a consumer report, or information derived from one, to dispose of that information in a way that prevents unauthorized access to and misuse of the data
What does the FCRA require users of consumer reports to do if they take an adverse action against a consumer based on information from a CRA?
Notify the consumer in writing, orally or by electronic means with specific information
What was the main driver behind FACTA?
Prevention of identity theft
What is the standard for disposal?
Reasonable measures to protect against unauthorized access to or use of consumer data
What is the FCRA?
It stands for Fair Credit Reporting Act. Its purpose was to make sure consumers could access and correct the information used by banks and other lenders to make decisions about them
What is the goal of anti-money laundering laws?
To follow the money to help detect and deter illegal activity and provide evidence for proving illegality
What penalties can violators of the Disposal Rule face?
Civil liability, and state and federal enforcement actions
What does technical security mean under the GLBA Safeguards Rule?
covers computer systems, networks and applications in addition to access controls and encryption