FFIEC Advises Banks On Website, ATM Cyber Attacks

On April 2, the FFIEC advised financial institutions that distributed denial-of-service (DDoS) attacks on a financial institution’s public websites present operational and reputation risks. If coupled with attempted fraud, a financial institution may also experience fraud losses and face liquidity and capital risks. The FFIEC members expect financial institutions to address DDoS readiness as part of ongoing information security and incident response plans and to, among other things, (i) maintain an ongoing program to assess information security risk; (ii) monitor Internet traffic to the institution’s website to detect attacks; (iii) activate incident response plans and notify service providers, including Internet service providers, as appropriate, if the institution suspects that a DDoS attack is occurring; (iv) ensure sufficient staffing for the duration of the DDoS attack and consider hiring pre-contracted third-party servicers, as appropriate, that can assist in managing the Internet-based traffic flow; and (v) evaluate any gaps in the institution’s response following attacks and in its ongoing risk assessments, and adjust risk management controls accordingly.

In a second statement, the FFIEC advised financial institutions of a type of large dollar value ATM cash-out fraud by which cyber attackers gain access to, and alter the settings on, ATM web-based control panels used by small- to medium-sized financial institutions. The FFIEC states that institutions that issue debit, prepaid, or ATM cards may face operational risks, fraud losses, liquidity and capital risks, and reputation risks, and that institutions that outsource their card issuing function to a card processor may initially be liable for losses even if the compromise occurs at the processor. To mitigate these risks, the FFIEC expects member financial institutions to, among other things, (i) conduct ongoing information security risk assessments; (ii) perform security monitoring, prevention, and risk mitigation; (iii) take specific steps to protect against unauthorized access; (iv) implement and test controls around critical systems regularly; and (v) conduct information security awareness and training programs.


President Signs ATM Disclosure Bill and CFPB Privilege Bill

On December 20, President Obama signed two bills impacting bank supervision and compliance. These bills were sent to the President after the Senate approved both measures on December 11. The first, H.R.4014, amends the Federal Deposit Insurance Act to protect information submitted to the CFPB as part of its supervisory process. For more information about these issues, please see our recent Special Alert. The second bill, H.R. 4367, amends the Electronic Fund Transfer Act to remove the requirement that ATMs have an attached placard disclosing fees. The amended law requires only that fees be disclosed on the ATM screen.


Congress Acts on Several Banking Bills, Two Set for President’s Signature

On December 11, the U.S. Senate passed by voice vote two bills impacting bank supervision and compliance. The first, H.R. 4014, amends the Federal Deposit Insurance Act to protect information submitted to the CFPB as part of its supervisory process. The bill provides CFPB-supervised institutions the same non-waiver of privilege protections already afforded to information submitted by supervised entities to federal, state, and foreign banking regulators. For more information about these issues, please see our recent Special Alert. The second bill, H.R. 4367, amends the Electronic Fund Transfer Act to remove the requirement that ATMs have an attached placard disclosing fees. The amended law will require only that fees be disclosed on the ATM screen. Both bills previously were passed by the U.S. House of Representatives and now go to the President. On December 12, the House passed H.R. 5817, which would exempt from Gramm-Leach-Bliley Act (GLBA) annual privacy policy notice requirements any financial institution that (i) provides nonpublic personal information only in accordance with specified requirements, and (ii) has not changed its policies and practices with regard to disclosing nonpublic personal information from those included in its most recent disclosure. The bill now proceeds to the Senate. A fourth bill, S. 3637, which would extend the Transaction Account Guarantee program for two additional years, was blocked in the Senate on December 13, 2012. The program, which was established by the Dodd-Frank Act to provide unlimited deposit insurance for noninterest-bearing transaction accounts, will expire at the end of 2012 if legislators do not take further action to extend it.


Federal Banking Regulators Issue Supplemental Statement Regarding Borrower and Institution Relief Following Hurricane Sandy

On November 14, the Federal Reserve Board, the OCC, the National Credit Union Administration, and the FDIC supplemented a prior statement on the impact of Hurricane Sandy on customers and the operations of financial institutions. The supplemental guidance identifies activities that could be considered “reasonable and prudent” steps to assist affected customers, including, for example (i) waiving certain fees and penalties, including ATM and overdraft fees, (ii) easing credit limits and terms for new loans, and (iii) offering payment accommodations. The regulators also provide post-storm guidance regarding loan modifications, the Community Reinvestment Act, and customer identification. The guidance largely mirrors guidance issued by the FDIC on November 9, 2012 in Financial Institution Letter FIL-47-2012.


Federal Court Ruling on Placement of ATM Fee Notice Favors Consumers

On July 25, the U.S. District Court for the District of Minnesota granted summary judgment to a consumer alleging that the placement of an ATM fee notice on the inside of a “hooded ATM” was not “prominent and conspicuous” as required under the Electronic Fund Transfer Act (EFTA). Brown v. Wells Fargo & Co., No. 11-1362, 2012 WL 3030294 (D. Minn. Jul. 25, 2012). The consumer, on behalf of a putative class, alleged that the ATM fee disclosure was placed on the inside of the hood protecting the screen, and not in a more conspicuous position. The consumer did not contest that the disclosure was also provided electronically on the screen, as the EFTA separately requires, or that he was aware before completing the transaction that he would be charged a fee. Because the EFTA does not define “prominent and conspicuous,” the court looked to other consumer protection statutes and concluded that the disclosure must be displayed such that a reasonable person ought to have noticed it. Here, the court held that a reasonable person would not find the notice prominent and conspicuous because (i) the notice was not in capital letters, (ii) the type and background of the notice were in coordinating, not contrasting, colors, (iii) the notice was placed inside the hood rather than on top of the machine, and (iv) the notice generally did not stand out relative to other information on or near the ATM. While the court granted the consumer’s motion for summary judgment on the EFTA claims, it disposed of his claim for unjust enrichment and refused to certify the class, holding that the consumer failed to meet the requirements of either Rule 23(a) or (b). As we have reported in recent weeks, the U.S. Congress is considering legislation that would eliminate the physical fee disclosure requirement and instead require ATM operators to provide only an on-screen notice.

POSTED IN: Banking, Courts, E-Commerce