On December 20, President Obama signed two bills impacting bank supervision and compliance. These bills were sent to the President after the Senate approved both measures on December 11. The first, H.R. 4014, amends the Federal Deposit Insurance Act to protect information submitted to the CFPB as part of its supervisory process. For more information about these issues, please see our recent Special Alert. The second bill, H.R. 4367, amends the Electronic Fund Transfer Act to remove the requirement that ATMs have an attached placard disclosing fees. The amended law requires only that fees be disclosed on the ATM screen.
On April 2, the FFIEC advised financial institutions that distributed denial-of-service (DDoS) attacks on a financial institution’s public websites present operational and reputation risks. If coupled with attempted fraud, a financial institution may also experience fraud losses and face liquidity and capital risks. The FFIEC members expect financial institutions to address DDoS readiness as part of ongoing information security and incident response plans and to, among other things, (i) maintain an ongoing program to assess information security risk; (ii) monitor Internet traffic to the institution’s website to detect attacks; (iii) activate incident response plans and notify service providers, including Internet service providers, as appropriate, if the institution suspects that a DDoS attack is occurring; (iv) ensure sufficient staffing for the duration of the DDoS attack and consider hiring pre-contracted third-party servicers, as appropriate, that can assist in managing the Internet-based traffic flow; and (v) evaluate any gaps in the institution’s response following attacks and in its ongoing risk assessments, and adjust risk management controls accordingly.
In a second statement, the FFIEC advised financial institutions of a type of large dollar value ATM cash-out fraud by which cyber attackers gain access to, and alter the settings on, ATM web-based control panels used by small- to medium-sized financial institutions. The FFIEC states that institutions that issue debit, prepaid, or ATM cards may face operational risks, fraud losses, liquidity and capital risks, and reputation risks, and that institutions that outsource their card issuing function to a card processor may initially be liable for losses even if the compromise occurs at the processor. To mitigate these risks, the FFIEC expects member financial institutions to, among other things, (i) conduct ongoing information security risk assessments; (ii) perform security monitoring, prevention, and risk mitigation; (iii) take specific steps to protect against unauthorized access; (iv) implement and test controls around critical systems regularly; and (v) conduct information security awareness and training programs.
Federal Banking Regulators Issue Supplemental Statement Regarding Borrower and Institution Relief Following Hurricane Sandy
On November 14, the Federal Reserve Board, the OCC, the National Credit Union Administration, and the FDIC supplemented a prior statement on the impact of Hurricane Sandy on customers and the operations of financial institutions. The supplemental guidance identifies activities that could be considered “reasonable and prudent” steps to assist affected customers, including, for example, (i) waiving certain fees and penalties, including ATM and overdraft fees, (ii) easing credit limits and terms for new loans, and (iii) offering payment accommodations. The regulators also provide post-storm guidance regarding loan modifications, the Community Reinvestment Act, and customer identification. The guidance largely mirrors guidance issued by the FDIC on November 9, 2012 in Financial Institution Letter FIL-47-2012.
On July 25, the U.S. District Court for the District of Minnesota granted summary judgment to a consumer alleging that the placement of an ATM fee notice on the inside of a “hooded ATM” was not “prominent and conspicuous” as required under the Electronic Fund Transfer Act (EFTA). Brown v. Wells Fargo & Co., No. 11-1362, 2012 WL 3030294 (D. Minn. Jul. 25, 2012). The consumer, on behalf of a putative class, alleged that the ATM fee disclosure was placed on the inside of the hood protecting the screen, and not in a more conspicuous position. The consumer did not contest that the disclosure was provided electronically on the screen, as also required by the EFTA, and that he was aware before completing the transaction that he would be charged a fee. Because the EFTA does not define “prominent and conspicuous,” the court looked to other consumer protection statutes to determine that the disclosure must be displayed such that a reasonable person ought to have noticed it. In this case, the court held that a reasonable person would not conclude that the notice was prominent and conspicuous because (i) the disclaimer was not in capital letters, (ii) the type and background of the notice were in coordinating, not contrasting, colors, (iii) the notice was placed inside the hood as opposed to on top of the machine, and (iv) the notice generally did not stand out relative to other information on or near the ATM. While the court granted the consumer’s motion for summary judgment on the EFTA claims, the court disposed of his claim for unjust enrichment and refused to certify the class, holding that the consumer failed to meet the requirements of either Rule 23(a) or (b). As we have reported in recent weeks, the U.S. Congress is considering legislation that would eliminate the physical fee disclosure requirement and instead require that ATM operators provide only an on-screen notice.