Tougher Scrutiny on Cybersecurity at Banks in 2016

cyber secCybersecurity has been a focus as part of bank exams for years. Now the Federal Deposit Insurance Corp. (FDIC) is increasing its scrutiny of banks’ cybersecurity practices to ensure that the issue is getting appropriate attention from bank executives and boards. Bank regulators are planning to make cybersecurity a higher priority during bank exams as early as the second quarter of next year. The FDIC will revise its community bank examination program to break cybersecurity out as its own separate issue in examination comments.

Regulators want to ensure that there is an understanding of “cyber risk as it overlays into business decisions that you make at the board level,” an FDIC risk management official recently commented. Though outdated data security systems have typically been viewed as a “budget capital improvement” matter, the threat environment has changed. Now, the FDIC’s approach has changed along with it. Continue Reading

Alphabet Soup and Data Security

Data Security 2In the span of two days, mobile device users learned of two data breaches that could compromise their personal data. In one, Experian (a credit reporting agency) reported that it was hacked, potentially putting 15 million American consumers’ data at risk. Many of those consumers were T-Mobile customers who needed to submit to a credit check before signing up for a mobile plan. T-Mobile’s CEO John Legere issued a press release, stating that he was “incredibly angry about this data breach,” and that T-Mobile takes “customer and prospective customer privacy VERY seriously.” The second, far larger breach, affects approximately one billion Android mobile devices. The “Stagefright 2.0” security flaw—so-named because of another, similar “Stagefright” vulnerability from several months ago—allows hackers to access Android devices through disguised MP3 or MP4 media files—or even through logging into the same wifi network. Google will be rolling out patches to make devices more secure, but until then, users should be wary.

T-Mobile and Google are, no doubt, concerned about lawsuits, but must also consider the potential regulatory consequences of data breaches. We have previously discussed the FTC’s role in enforcing cybersecurity, and how it will likely assert its authority in more cases than ever before in the wake of its successes in the FTC v. Wyndham case. But the FTC is not the only regulatory body with a role in enforcing data security. As the list below shows, federal (and state) agencies are expanding their reach into the realm of data, and that reach will almost certainly only grow over time. Continue Reading

A Shift in Liability for Credit Card Fraud

Credit Cards Abstract ImageFor too long, “swiping” a credit card has had at least one meaning too many. There was “swiping” as it pertains to running the magnetic strip of your credit card inside the groove of a small payment terminal to make an in-person payment by credit card to a retailer. But there is also far too much of another kind of “swiping” that pertains to the counterfeiting of credit cards used in that fashion. The magnetic strips—essentially using the same technology used in cassette tapes made in the 1960s—have been too easy for fraudsters to track and then duplicate, running up unauthorized charges even for cardholders who had never lost physical possession of their cards. Traditionally, card issuers have been responsible for the costs of verified instances of credit card fraud and were undoubtedly not happy about bearing those costs.

As of October 1, there will now be a shift in liability in many instances. If card issuers have provided their customers with upgraded credit cards using EMV (the initials of Europay, MasterCard and Visa—the companies that pioneered the standard) chips,  the risk of loss for credit card fraud associated with transactions involving the upgraded cards will be borne by retailers that have not upgraded to EMV point-of-sale terminals (essentially, readers into which the chip portion of the card is inserted). Card issuers will still be liable for any fraud on cards that do not feature the new EMV technology. Continue Reading

Banks Get Big Win in Challenge to New York Ordinance

Many big cities in the United States responded to the fallout from the 2008 financial crisis by passing local laws which pressure banks to invest more in low-income neighborhoods. Between 2010 and 2013, cities such as New York, Seattle, Los Angeles, San Diego, San Jose, Boston, Minneapolis, Kansas City and Pittsburgh all enacted ordinances of this type. Their actions were, in many instances, motivated by concerns that federal and state regulatory bodies were not doing enough to seek compensation from the large banks—thought by many to be most responsible for the economic meltdown.

For example, New York’s law which was enacted in 2012, applied to 21 banks — including Bank of America, Citibank, JPMorgan Chase, and other large institutions — that are eligible to hold the city’s municipal deposits. The banks were required to provide extensive and detailed data to a new Community Reinvestment Advisory Board—data that goes well beyond what federal regulators collect under the Community Reinvestment Act (CRA). The information sought by New York related to the banks’ local small-business lending, their efforts to prevent foreclosures, their lending for affordable housing and their branches in low-income communities, among other categories. The ordinance also authorized New York’s Banking Commission to consider the banks’ responses to the information requests when deciding where to park the city’s sizable base of deposits. The idea was that this linkage of the information provided to the city’s banking decisions would give the affected banks an incentive to invest more in New York neighborhoods. Continue Reading

Financial Services Companies Seek Larger Payout in Target Data Security Suit

Attorneys for certain banks and other financial institutions that are caught up in Target’s 2013 data breach are objecting to the $67 million deal struck last week between the retailer and Visa Inc. The banks and credit unions are the only plaintiffs left in the data breach litigation after Target paid $10 million in March to settle more than 140 class actions filed against it by its customers. The remaining plaintiffs say that the deal does not pay them a sufficient amount for costs incurred in reissuing cards and reimbursing customers for fraudulent charges.Chess

Made public on Aug. 18, the $67 million resolution is designed to reimburse banks that issued Visa cards affected by the breach, which compromised 40 million credit and debit cards. But plaintiffs’ lawyers say the timing of the deal is suspicious, because the deadline is September 4, just six days before a hearing on their motion for class certification. They argue that this is a ploy by Target to avoid the significantly greater amount of damages they are seeking on behalf of a class of thousands of banks and credit unions. Continue Reading

Court Revives Antitrust Suit Against MasterCard, Visa, Three Banks

Numbers Under Review

A federal appeals court has revived a lawsuit accusing MasterCard, Visa and three major banks of illegally fixing ATM prices to the detriment of consumers. A federal district judge had thrown out the lawsuit in 2013 after finding the plaintiffs failed to show any conspiracy to overcharge consumers.

On Tuesday, the federal appeals court in Washington ruled that a group of consumers and independent ATM operators could pursue antitrust claims against the defendants. Specifically, the plaintiffs will be permitted to argue that the payment processors coordinated with Bank of America Corp., JPMorgan Chase & Co. and Wells Fargo & Co. to adopt anticompetitive fees. Continue Reading

Mid-2015 Mortgage Crisis Update – The Repurchase Demands Continue

In the aftermath of the financial crisis, Fannie Mae and Freddie Mac aggressively demanded Wall Street and big bank aggregators (“aggregators”) repurchase millions of defaulted and distressed loans, due to purported breaches of representations, warranties and covenants. In the past few years, there have been several blockbuster settlements with the government-sponsored enterprises (GSEs), such as Citigroup’s 2013 settlement with Fannie Mae in which it agreed to pay Fannie Mae $968 million to resolve existing and potential future mortgage repurchase claims on loans sold to the U.S. mortgage guarantor between 2000 and 2012. Similarly, Bank of America, Wells Fargo, and JPMorgan Chase also settled with the GSEs.

BlackandRedcubeMaintaining Business Relationships

At the time of Citi’s settlement, Jane Fraser, CEO of CitiMortgage, said in a statement “[w]e have a strong and productive relationship with Fannie Mae.” In a similar statement, Bradley Lerman, Executive Vice President and General Counsel of Fannie Mae, commented that the “resolution is an example of our desire to work together with our business partners to find common ground.” Mr. Lerman added that the agreement” compensates taxpayers for losses, and allows Fannie Mae and Citigroup to move forward and strengthen [their] business relationship.” Continue Reading

Wells Accused of Profiting from Foreclosure Relief Program

Women Real EstateA recent class action lawsuit filed on behalf of thousands of homeowners in New York against Wells Fargo alleges that while the bank received $25 billion in government bailout funds it failed to make a good faith effort to help borrowers avoid foreclosure in compliance with the federal government’s Home Affordable Modification Program (HAMP). The complaint, filed in the US District Court for the Eastern District of New York, accuses Wells of breach of contract, fraudulent inducement, unjust enrichment and violations of consumer protection laws. The lawsuit is one of several cases across the country alleging similar misconduct against banks.

HAMP was launched in 2009 as part of the federal government’s initiative to ease the foreclosure crisis. In exchange for receiving federal bailout funds, Wells Fargo was obligated to participate in HAMP, which precluded the initiation of foreclosure actions against struggling borrowers without first evaluating their eligibility for assistance. Continue Reading

CFPB, DOJ Show Renewed Interest in Pursuing “Redlining” Cases

Evidence is mounting that the Consumer Financial Protection Bureau (CFPB) and the Department of Justice (DOJ) are taking a renewed interest in investigating possible redlining—the practice of lenders charging certain groups more for products, or altogether excluding minorities within certain geographic areas.

InvestigationThere has been a substantial increase in recent months of warnings by government officials to lenders about redlining, a lending practice that has been prohibited for decades. The CFPB and DOJ are evidently using slightly different screening methodologies than other regulators, and those differing methodologies are somewhat broader than the norm, which is leading to a larger number of findings of redlining. Regulators, however, assert that there is a different explanation for why they are finding more instances of redlining. Their view is that lenders, forced to scale back the availability of credit in the aftermath of the financial crisis, are resorting to the practice as a means of limiting the pool of borrowers to whom they might extend credit. Continue Reading

Quicken Loans Takes on the DOJ & HUD

Quicken Loans, the nation’s largest Federal Housing Administration (FHA)-backed mortgage lender, filed suit on Friday, April 17 in the United States District Court in Detroit against the United States Department of Justice (DOJ) and the Department of Housing and Urban Development (HUD). In the suit, Quicken alleged that it is a target of a probe in “which the DOJ is ‘investigating’ and pressuring large, high-profile lenders into publicly ‘admitting’ wrongdoing.” Quicken says the government threatened to file a lawsuit against it unless the company paid damages based on a sampling of its loans backed by the FHA. The government wanted payment of damages to be coupled with an admission by Quicken that its lending practices were “significantly flawed,” and that it had committed wrongdoing.Compass Pointing the Way to Integrity in Business

The company says that the public statements the government wanted it to make were blatantly false. Quicken also asserts that, before filing its lawsuit, it had already provided the DOJ with more than 85,000 documents, including 55,000 emails. In addition, the DOJ, without filing any lawsuit against Quicken, has conducted hundreds of hours of depositions from numerous Quicken team members. Three years later, the DOJ inquiry has (according to Quicken) resulted in the threat of a federal lawsuit based on “faulty analysis of a miniscule number of cherry-picked mortgages from the nearly 250,000 FHA loans the company has closed since 2007.”

According to FHA statistics, Quicken has originated the government agency’s best performing loan portfolio. The FHA’s publicly available data appears to establish that Quicken has the lowest “compare ratio” — the default rate of a single lender compared to FHA’s total mortgage portfolio — in recent years. Continue Reading