What to protect -
Banking Records
Financial records
Restrictions
How financial services firms may collect, use and disclose personal information
Enacted to
Regulate the consumer reporting industry
Provide privacy rights in consumer reports.
FCRA mandates
Accurate and relevant data collection
Provides consumer with the ability to access and correct their information
Limits the use of consumer reports to defined permissible purposes.
First federal law to regulate the use of personal information in private businesses.
FCRA amendments in 1996 strengthened consumer access and correction rights and included provisions for non-consumer-initiated transactions (“prescreening”).
Prescreening
The process by which individual consumers are identified to receive firm offers of credit, based on a predetermined set of criteria used to prescreen those individuals for inclusion on a consumer list.
Prescreening is the only circumstance in which consumer report information may be used for marketing purposes, and one of the few circumstances in which consumer report information may be provided in the absence of a consumer-initiated transaction.
FACTA further amended FCRA with provisions relating to identity theft and other subjects.
FCRA regulates any “consumer reporting agency (CRA)” that furnishes a “consumer report.”
Creditworthiness
Credit standing
Credit capacity
Character
General reputation
Mode of living
Consumer Reporting Agency (CRA)
Any person/entity that
compiles/evaluates PI for the purpose of furnishing consumer reports to 3rd parties for a fee (e.g., Experian, Equifax and TransUnion)
Small CRAs that compile PI such as
Criminal records
Driving histories
Background histories for pre-employment screening.
Consumer Report
Consumer report is any communication by a CRA related to an individual that pertains to the person’s:
Creditworthiness
Credit standing
Credit capacity
Character
General reputation
Personal characteristics
Mode of living
Used in whole or in part for the purpose of serving as a factor in establishing a consumer’s eligibility for credit, insurance, employment or other business purpose.
Use of Consumer Reports - What’s a valid request under FCRA for users of CRD:
3rd-party data for substantive decision making must be appropriately accurate, current, and complete.
Consumer must receive notice when 3rd party data is used to make adverse decision about them
Consumer reports may be used only for permissible purposes
Consumer must have access to their reports and an opportunity to dispute them or correct errors
Users must also keep records, provide certifications to the CRAs, and securely dispose of the CRD.
FCRA also requires CRAs to:
Provide consumers access to information contained in their CRD and an opportunity to dispute it.
Take reasonable steps to ensure maximum accuracy of information.
Not report outdated negative information – older than 7 years, or bankruptcies older than 10 years.
Provide CRD only to entities that have permissible purpose
Provide consumer assistance as required by FTC rules
Enforcement of FCRA is through
Dispute resolution
Private litigation
Government actions.
In-house dispute with CRA, then private litigation – usually class action.
It can be enforced by the FTC, the CFPB, and state attorneys general.
Noncompliance with FCRA - Civil/Criminal penalties
Government enforcement actions for violations of the FCRA can be brought by the FTC, the CFPB, and state attorneys general.
At the federal level, both the FTC and the CFPB share responsibility to enforce the FCRA.
State attorneys general are required to give notice to the FTC prior to filing suit, and the FTC retains the authority to intervene in cases brought by the state attorneys general.
CRA Users must have “permissible purpose”
Order by court/federal grand jury subpoena
Consumer written instruction
Extension of credit via application of consumer / review or collection of consumer’s account
Employment purposes with consumer permission
Underwriting of insurance via application of consumer
Legitimate business need initiated by consumer
Review consumer’s account if consumer is meeting terms of account
Consumer’s eligibility for a license or other benefit granted by governmental instrumentality
Use by potential investor or servicer in a valuation of the credit or prepayment risk
Use by state or local officials for child support payments
Use for the purposes of making “prescreened” unsolicited offers of credit or insurance
Users must provide certifications
FCRA 604(f) prohibits any person from obtaining a CRD from a CRA unless the person has certified to the CRA the permissible purpose for which the report is being obtained and certifies that the report will not be used for any other purpose.
FCRA Disclosure
User must notify consumers when adverse actions are taken
Requires disclosure by all persons who use credit scores in making or arranging loans secured by residential real property.
In some instances, the person must provide a risk-based pricing notice to the consumer in accordance with the regulations jointly prescribed by the CFPB and the Federal Reserve Board.
Risk-based pricing occurs when lenders offer different interest rates and loan terms to borrowers, based on individual creditworthiness.
The Risk-Based Pricing Rule requires you to notify consumers if they are getting worse terms because of information in their credit report.
An alternative way of complying with the Rule is to give a credit score disclosure notice to all customers, regardless of the terms on which you granted them credit (“credit score disclosure exception” notice).
The Federal Trade Commission, the Consumer Financial Protection Bureau, and the federal banking agencies each have published a Risk-Based Pricing Rule. The substance of the rules is identical.
Consumer Reports and Employment – Additional obligations:
Provide a clear and conspicuous written notice to the consumer, before the report is obtained, that a CRD may be obtained by the employer.
Obtain prior written consumer authorization in order to obtain a CRD.
Certify to the CRA that the above steps have been followed and that the information being obtained will not be used in violation of law.
Before taking an adverse action, provide a copy of the report to the consumer along with the summary of rights from the CRA.
Employee Investigations – investigations of suspected misconduct by an employee.
These investigations are not treated as consumer reports if:
Employer complies with procedures;
No credit information is used;
A summary describing the nature and scope is provided to the employee if an adverse action is taken based on the investigation.
Investigative Consumer Reports
Contain information on the consumer’s character, general reputation, personal characteristics and mode of living.
Gathered through interviews conducted by the CRA.
Disclosures under FCRA
Disclosure is required if an investigative consumer report is intended to be used.
Consumer must be informed in writing, delivered to the consumer not later than 3 days after the report was requested.
Must contain the summary of consumer rights required by FCRA; user must certify to the CRA that the required disclosure has been made; user must disclose the nature and scope of the investigation (written and delivered).
Medical Information under FCRA
FCRA limits medical information obtained from CRAs, other than payment information that appears in a coded form and does not identify the medical provider.
Consumer must provide consent if medical information is to be used for insurance purposes, or the information must be coded.
If it is used for employment purposes, written consent is needed.
“Prescreened” Lists
FCRA permits creditors/insurers to obtain limited consumer report information (CRI) for use in unsolicited offers of credit or insurance under certain conditions.
If using prescreened lists:
Before the offer is made, establish the criteria used to make the offer and grant credit/insurance;
Maintain the criteria on file for 3 years;
Include a written solicitation letter.
Fair and Accurate Credit Transactions Act (FACTA)
Passed in 2003; amended FCRA.
Stricter state laws are preempted in most areas, although states retained some power to enact laws addressing identity theft.
Pertaining to the frequency of free credit reports, the federal law permitted state laws in Colorado, Georgia, Maine, Maryland, Massachusetts, New Jersey, and Vermont to remain in effect.
FACTA identified specific state laws that remain in effect:
CA/CO – laws about credit scores and insurance
CO/GA and others – free credit reports
It enacted a number of consumer protections:
Truncation of credit/debit card numbers
Right to request free annual credit report
Other identity theft protections
Required regulators to promulgate a Disposal Rule and Red Flags Rule.
Disposal Rule
Requires user of consumer report for business purpose to “reasonably” dispose of it in a way preventing unauthorized access and misuse.
Includes CRAs, lenders, employers, insurers, landlords, car dealers, attorneys, debt collectors, and government agencies.
Enforced by the FTC, the federal banking regulators, and CFPB.
Red Flags Rule
Requires entities to develop a set of rules mandating the detection, prevention and mitigation of identity theft.
The rule requires covered entities to develop and implement written identity theft detection programs that can identify and respond to the “red flags” that signal identity theft.
Scope: Financial Institutions - banks, savings and loans, and credit unions.
Background
General framework for confidentiality of records in the financial services sector.
Major legislation that codified the consolidation of the US banking, securities, and insurance industries in the late 1990s and promulgated the “Privacy Rule” and “Safeguards Rule.”
Storage, Notice, and Opt Out Choice
US Bancorp
One of the most prominent cases involved US Bancorp and the telemarketing firm MemberWorks, and resulted in a $3 million settlement over allegations that the bank had sent detailed customer information that enabled the marketer to directly withdraw funds from customer accounts.
This case focused popular and regulatory attention on the prevalence of data-sharing relationships between banks and 3rd-party marketers.
Congress responded with GLBA, which included significant privacy and security provisions.
GLBA Purpose
Eliminated legal barriers to affiliations among banks, securities firms, insurance companies and other financial services companies.
Under GLBA privacy provisions, financial institutions are required to:
Store information in a secure manner;
Provide notice of their policies;
Provide opt out choice of sharing information.
Scope and Enforcement of GLBA
Applies to
“financial institutions” that are “significantly engaged” in financial activities (banks, insurance providers, securities firms, payment settlement services, check-cashing services, credit counselors, mortgage lenders).
Regulates
Financial institution management of “nonpublic personal information” – personally identifiable financial information.
Example: home email address
GLBA and Privacy Notices
Standard for privacy notices: initial and annual privacy notices to consumers covering 9 categories of information; opt-outs must be processed within 30 days.
The privacy notices must include:
What information is collected about its consumer;
With whom it’s shared;
How it is protected;
An explanation of how to opt-out.
Provided this notice standard is met, a financial institution may share any information with its affiliated companies (CRA?)
Note: GLBA prohibits disclosure of consumer account numbers to non-affiliated companies for marketing purposes even if the consumer did not opt out.
Consumer cannot opt out if:
Information is shared with outside companies that provide essential services such as data processing;
Disclosure is legally required;
Customer data is shared with outside providers that market the financial company’s products/services.
GLBA Safeguards Rule
Requires security controls to protect the confidentiality and integrity of personal consumer information (electronic and paper records).
It requires implementation of a comprehensive “information security program” that contains “administrative, technical, and physical safeguards” to protect the security, confidentiality and integrity of customer information.
It must contain certain elements, including a designated employee to coordinate the program, audit systems to determine risk, and certain procedures to take with service providers to ensure that the security of the information is maintained.
It must provide:
Administrative security;
Technical security;
Physical security.
California SB-1 (CA Financial Information Privacy Act)
Purpose.
Expands the financial privacy of GLBA.
It increases the disclosure requirements and grants consumers increased rights with regard to the sharing of their information.
Statutory damages of $2,500 up to $500k per occurrence.
Opt-in/Opt-out
Written opt-in is required to share personal information with nonaffiliated 3rd parties.
Opt-in must be titled “Important Privacy Choices for Consumers.”
SB-1 grants consumers the ability to opt out of information sharing between their financial institutions and affiliates not in the same line of business.
BUT, a financial institution need not obtain consent in order to share non-medical information with its wholly owned subsidiaries engaged in the same line of business (insurance, banking, securities) if they are regulated by the same functional regulator.
Why.
Response to the 2008 financial crisis
Purpose.
It created the CFPB as an independent bureau within the Federal Reserve.
CFPB oversees the relationship between consumers and providers of financial products and services.
CFPB assumed rule-making authority for specific existing laws related to financial privacy (FCRA, GLBA, and the Fair Debt Collection Practices Act).
Exceptions:
Section 615(e) red flag guidelines and regulation
Section 628 disposal of records
CFPB can bring actions for “unfairness and deception.”
CFPB has a new power to enforce against “abusive acts and practices” – materially interferes with the ability to understand terms or conditions or takes unreasonable advantages.
CFPB - Part of the Federal Reserve
Head of CFPB - President Appointed/Senate Approval
Goal
The fundamental goal of AML laws is to “follow the money.”
The idea behind thorough record keeping is that it helps detect illegal activity and provides evidence for proving illegality.
The Bank Secrecy Act (BSA) of 1970
Authorizes US Treasury secretary to issue regulations that:
Impose extensive record-keeping
Reporting requirements on financial institutions.
They must keep records and file reports on certain financial transactions, including currency transactions in excess of $10,000, which may be relevant to criminal, tax, or regulatory proceedings.
Regulates certain wire transfers, including fund transfers and transmittals of funds by financial institutions.
Record Retention Requirements - transactions of more than $10k
Suspicious Activity Reports – financial institutions must file SARs that can alert government agencies to potentially suspicious transactions.
The International Money-Laundering Abatement and Anti-Terrorist Financing Act of 2001
Expanded the reach of the BSA and made other significant changes to US anti-money-laundering laws.
Part of the USA PATRIOT Act
Measures to address online banking risks
Financial institutions
Careful use of software
Education of consumer
Consumers
Proper browser selection
Proper use of patching