Module 2- Unit 2B: Financial

Who does the Red Flag Rule apply to ?

Financial institutions and creditors

Are stricter state laws pre-empted under GLBA ?

No

Is there a private right of action under GLBA ?

No

Are Employee Investigations treated like consumer reports under the FCRA ?

Not as long as 1. the EOR follows the procedures in FCRA for this; 2. no credit info is used; and 3. summary describing nature and scope of the investigation is provided to ee if adverse action is taken

What rights does FCRA give to consumers who are subject of investigative consumer reports ?

Users of such reports must disclose its use to the consumer.

Who does the Notice Requirement of the FCRA apply to ?

users of consumer reports - employers, lenders, insurers, CRAs

What are two examples of anitmoney laundering laws ?

1. Bank Secrecy Act of 1970 2. International Money Laundering Abatement and Anti-Terrorist Financing Act of 2001

What are the penalties for violating the BSA ?

1. Civil penalties for failing to comply(upto $25K or amount of transaction ) or negligence ($500 per violation ) 2. criminal penalties: fines (10k to100K) plus 1-5 years prison time

What does the GLBA Privacy Rule require financial institutions to do ?

1. Give customers clear notice of information sharing practices and policies when customer relationship is established and annually thereafter 2. Give customers right to opt out of having their nonpublic personal information shared with third parties and process opt outs within 30 days 3. refrain from disclosing to any non affiliated third party marketer account number or similar form of access code to consumers' credit card, deposit or transaction account 4.Protect security and confidentiality of customer records and information and protect against security threats and unauthorized use/access

What did the Red Flag Program Clarification Act do ?

1. It was passed to clarify definition of creditor to ensure that unintended people are not included such as attorneys and healthcare providers 2.applies rule to businesses whose accounts should be subject to reasonably foreseeable risk of identity theft

Under FCRA what 4 main requirements must users of consumer reports meet ?

1. Make sure data is accurate, current and complete 2. give consumers notice when third party data is used to make an adverse decision about them 3. use consumer reports for permissible purposes only 4. Give consumers access to their consumer reports and an opportunity to correct any errors

What are the major things FCRA did

1. Mandates accurate and relevant data collection 2. Provides consumers with the ability to access and correct their information 3. limits use of consumer reports to defined permissible purposes 4. consumers must receive notice when third party data is used to make adverse decisions about them s

What must a person do if they take Adverse actions based on information obtained from affiliates

1. Notify consumer of adverse action 2. Notice must inform consumer that they may obtain a disclosure of info relied up by making written request within 60 days of receiving the adverse action notice 3. If consumer makes request, disclose info no later than 30 days after receiving request

what are acceptable methods of disposal

1. Paper: Burn, pulverize, or shred 2. Electronic files - destroy so not readable 3. Conduct due diligence and hire document contract to dispose of material in a manner consistent with the rule

What are the penalties for violating GLBA provisions

1. Range from $5,500 to max of $27,500 if violation are unsafe, unsound, or reckless to as much as $1.1 million for knowing violations

What are the CFPBs powers

1. Rule making authority for FCRA, GLBA, and Fair Debt Collection Practices Act 2. Enforcement authority over all non depository financial institutions and over all depository institutions with more than $10 billion in assets. For depository institutions with assets of $10 billion or less, CFPB makes rules but enforcement power remains with banking regulators 3. It can bring enforcement actions for unfairness and deception 4. It can bring enforcement actions against abusive acts and practices 5. it can investigate, issue subpoenas, hold hearings, and commence civil actions against offenders. 6. Civil penalties "civil penalties vary from $5,526 per day for federal consumer privacy law violations to $27,631 per day for reckless violations and $1,105,241 for knowing violations.57 " Excerpt From: "IAPP_US_TB_US-Private-Sector-Privacy_1.0." iBooks.

What does GBLA privacy provisions require financial institutions to do ?

1. Store personal financial information in a secure manner 2. Provide notice of their policies regarding sharing of personal financial information 3. Provide consumers with the choice to opt out of sharing somer personal financial information

What are the methods to address privacy in Online banking

1. let customers know type of authentication methods the financial institution has in place 2. inform customers of dangers of using public WiFI connections 3. empower customers with info on mobile antivirus and malware detection software 4. create mobile privacy policy and have it certified by a reputable third party 5. Let customers decide which data to share and allow them to opt out of mobile ad targeting

What type of penalties can be enforced for violations of FCRA ?

1. civil and criminal penalties 2. actual damages, and statutory damages of at least $1,000 per violation, and at least $3,756 for willful violations

What did the Dodd-Frank Wall Street Reform and Consumer Protection Act do ?

1. created CFPB- independent bureau within the Federal Reserve 2. protects consumers against banks

What must each financial institution do to comply with GLBA the Safeguards Rule ?

1. designate EE to coordinate safeguards 2. Identify and assess risks to customer info in relevant area of company's operation and evaluate effectiveness of current safeguards -- risk assessment 3. design and implement safeguards program and regularly monitor and test it 4. select appropriate service providers and enter into agreement with them to implement safeguards 5. evaluate and adjust

How is FCRA enforced ?

1. dispute resolution 2. private litigation- created private right of action if consumer not satisfied with dispute resolution 3. government action

What did FACTA amend and how ?

1. it amended FCRA 2. Under FACTA stricter state laws are pre-empted in most areas

What must the notice to the consumer of adverse action based on a consumer report include under FCRA ?

1. name and conctact info for CRA 2. Statement that CRA can't explain why decision made bc they did not make adverse decision 3. Consumer has right to get a free disclosure from CRA if consumer requests within 60 days 4. Consumer can dispute directly with CRA the accuracy or completeness of info provided by CRA

Under FCRA what must CRAs do ?

1. provide access and opportunity to dispute inaccurate information 2. take reasonable steps to ensure accuracy of info in consumer reports 3. no report negative info that is old - account data more than 7 years old and or bankruptcies more than 10 years old 4. Give consumer reports only to entities that have permissible purposes under FCRA 5. maintain records regarding entities that received consumer reports 6. provide consumer assistance

What did the BSA impose and on who ?

1. record retention requirements on financial institutions 2. financial institutions must file a suspicious activity report (SAR) in defined situations

What consumer protections did FACTA enact

1. required truncation of credit and debit card numbers - to prevent identity theft 2. Gave consumers new rights to an explanation of their credit score 3. Gave people right to get free annual credit report from each of the 3 national consumer credit agencies: Equifax, Experian, TransUnion 4. required regulators to promulgate Disposal Rule & Red Flag Rule

When must a SAR be filed ?

1. when insider is suspected of committing a crime - regardless of amount 2. when possible crime involving 5K or more and has a substantial basis for identifying suspect 3. possible crime involving 25K or more - even if suspect not known 4. potential money laundering of transactions aggregating 5K or more

When must a SAR be filed ? (Suspicious activity report )

1. when insider is suspected of committing a crime - regardless of amount 2. when possible crime involving 5K or more and has a substantial basis for identifying suspect 3. possible crime involving 25K or more - even if suspect not known 4. potential money laundering of transactions aggregating 5K or more

What is the Consumer Financial Protection Bureau

A new regulatory agency - CFPB Now has rule making authority for FCRA, as updated by FACTA, as well as for most financial institutions under GLBA. It shares enforcement authority for these with FTC and banking regulators

What does administrative security mean under the GLBA safeguards rule ?

Administrative security means management of workforce risks, employee training and vendor oversight

Who does FCRA regulate

Any consumer reporting agency (CRA) that furnishes a consumer report which is primarily used for assisting in establishing consumer eligibility for credit

Who enforces GLBA

CFPB for GLBA Privacy and Safeguard Rules State attorney generals can also enforce it at state level

What doe the FCRA notice requirement require ?

CRA must provide notice of their obligations to users of consumers reports. 1. User must have permissible purpose to obtain a consumer report 2. Users must provide certifications certifying to CRA the permissible purpose for which the report is being obtained and it will not be used for any other purpose 3. Users must notify consumers when adverse actions are taken

What does the FCRA notice requirement require ?

CRA must provide notice of their obligations to users of consumers reports. 1. User must have permissible purpose to obtain a consumer report 2. Users must provide certifications certifying to CRA the permissible purpose for which the report is being obtained and it will not be used for any other purpose 3. Users must notify consumers when adverse actions are taken

What is the Red Flags Rule ?

Certain financial must develop and implement written identity theft destruction programs and respond to red flags that signal identity theft

What is the Red Flags Rule ?

Certain financial must develop and implement written identity theft detection programs and respond to red flags that signal identity theft

What did the International Money Laundering Abatement and Anti-Terrorist Financing Act of 2001 do ?

Expanded BSA, and made it a rule that financial institutions must KNOW YOUR CUSTOMER to deter money laundering

Who enforces the disposal rule ?

FTC Federal Banking Regulators CFPB

What does FACTA stand for ?

Fair and Accurate Credit Transactions Act

What are the two rules GLBA enacted to ensure privacy

GLBA Privacy Rule GLBA Safegaurds Rule

What is the Gramm-Leach Bliley Act ?

GLBA lead to financial services modernization Driver - preventing financial services companies such as banks from sharing sensitive customer data with telemarketing firms

What is prescreening ?

Getting a list from a CRA of consumers who meet pre-established criteria. It is usually done by creditors and insurers.

What obligations does FCRA impose on organizations intending to use consumer reports for employment purposes ?

If an oraganization is going to use a consumer report for employment purposes, it must 1. Notify consumer 2. get prior written consumer authorization 3. certify to CRA above steps have been taken and will not use info in violation of law and if adverse action taken based on the consumer report, copy of report and summary of consumers rights will be provided to the consumer 4.Before taking adverse action, provide report to consumer with the summary of consumer rights

What is an investigative consumer report ?

It contains info about consumers character, general reputation, personal characteristics and mode of living. It is obtained through personal interviews by a CRA

What does physical security mean under the GLBA ?

It includes facilities, environmental safeguards, business continuity and disaster recovery

What is the CFPB?

It is an independent bureau within the Federal Reserve

Under GLBA, what is non public information ?

It is personally identifiable financial information 1. provided by a consumer to a financial institution 2. resulting from a transaction or service performed for the consumer or 3. otherwise obtained by the financial institution

What is the disposal rule ?

It requires any entity that uses a consumer report, on information derived from one, to dispose of that information in a way that prevents unauthorized access and misuse of the data

What does the FCRA require users of consumer reports to do if they take an adverse action against a consumer based on information from a CRA ?

Notify the consumer in writing, orally or by electronic means with specific information

What was the main driver under behind FACTA?

Prevention of identity theft

What is the standard for disposal

Reasonable to protect agains unauthorized access or use of consumer data

FCRA

Stands for Fair Credit Reporting Act It's purpose was to make sure that consumers could correct and access information used by banks to make lending decisions

What is the goal of Anti-Money Laundering Laws

To follow the money to help detect and deter illegal activity and provide evidence for proving illegality

What penalties can violators of the disposal rule face

civil liability state and federal enforcement actions

What does technical security mean under the GLBA safeguards rule ?

covers computer systems, networks and applications in addition to access controls and encryption