When at first you don’t succeed, seek post-verdict decertification: Lessons learned from Mazzei v. The Money Store
What do you do when a court certifies a class over your objection and denies your motion for directed verdict on the critical class certification issue at trial, and a jury awards $32 million ($54 million if you count pre-judgment interest) on an individual claim worth $133.80? This was the situation the defendants faced in Mazzei v. The Money Store. What happened defied all odds.
Public and private sectors agree: Investment needed in banks’ cybersecurity
The Federal Reserve (the Fed) recently announced that it will participate in a study to determine how effective the central bank is at overseeing cybersecurity practices in the financial industry. The Fed’s Office of Inspector General (OIG) will be conducting the internal audit and plans to release the findings in the fourth quarter of this year.
The announcement comes on the heels of congressional inquiry into the Fed’s security practices in light of the attempted theft of $951 million from a Federal Reserve Bank of New York account held by Bangladesh Bank, the South Asian country’s central bank. While the N.Y. Fed successfully blocked 30 transactions that would have totaled an $850 million withdrawal, five transactions totaling $101 million were successful.
The OIG study will be the first public report to detail how strictly the central bank holds the financial industry to the regulations that are in place to protect from hackers and other criminals. “The growing sophistication and volume of cybersecurity threats presents a serious risk to all financial institutions,” according to the OIG. Mary Jo White, Chair of the Securities and Exchange Commission, described attacks like the one against the N.Y. Fed as the biggest risk currently facing the financial industry.
This sentiment seems to be echoed by the private sector as well. An international survey conducted by Kaspersky Lab and B2B International found that among businesses around the globe, protection from cyberattacks ranked amongst their highest priorities. Of the 5,500 businesses surveyed, 41 percent have invested in an in-house solution for protecting their financial transactions and 45 percent use a bank-provided solution.
While investment is widespread, firms’ confidence in their ability to thwart an attacker is not. The most confident sector — the telecommunications industry — reported confidence in its fraud security at a 70 percent rate. Only 67 percent of financial institutions reported the same confidence. Forty-seven percent of the firms surveyed indicated that their protections needed improvement.
Looking at the financial industry specifically, 48 percent of the respondents “admitted what they do to address the problem can be described as ‘mitigation’ rather than ‘prevention.’” One of the largest concerns for banks (38 percent of the organizations surveyed agreed it’s a problem for them) is distinguishing an attack from normal customer activity.
Proposed Ohio bill could impact nonbank lenders and credit services organizations
The Ohio General Assembly is considering a major overhaul of Ohio’s banking laws, and hidden within the 443-page legislation are two changes that will likely impact nonbank lenders, lead generators and credit services organizations. Senate Bill 317 was introduced on April 20, 2016, and proposes to do the following:
- In the current version of the bill, Section 1103.18 of the Ohio Revised Code would be amended to allow a state-chartered bank to sue and obtain a temporary restraining order, an injunction and damages, including punitive damages, from any person who uses a state bank’s name in an advertisement in a manner that misleads a person into believing that the person issuing the advertisement is associated or affiliated with the state bank.
Thus, mailers showing a consumer’s current bank lender on the envelope, in the envelope window or anywhere in the advertisement could subject the nonbank lender to civil litigation and punitive damages.
- The bill also proposes to grant the deputy superintendent for consumer finance authority to examine credit services organizations licensed under Chapter 4712 of the Ohio Revised Code. The amendment, however, is not being made to Chapter 4712. Instead, the amendment has been placed in Ohio Revised Code Section 1181.21(C).
Track the progress of the bill here.
FDIC under fire following recent string of data breaches
A recent data breach at the Federal Deposit Insurance Corporation (FDIC) is just one of many that have occurred in the past several months. The banking regulator is now under fire for its responses following a slew of breaches involving more than 10,000 sensitive and private data records. The FDIC was questioned about the breaches on May 12, 2016, during a hearing held by the House of Representatives Subcommittee on Oversight. Representatives criticized the FDIC, suggesting that it handled the incidents too slowly, did not notify Congress in a timely manner and failed to provide requested documents.
The FDIC was also criticized for failing to notify its employees who were affected by the breaches. It is estimated that the personal data of approximately 160,000 people have been impacted by these breaches, which occurred between October 30, 2015, and the present. The information includes names, bank account numbers and, possibly, social security numbers. According to Republican Representative Barry Loudermilk, chair of the subcommittee, the FDIC has still not notified any of these employees that their private information may have been compromised.
Evidence shows that at least seven recent breaches were caused by former employees as they were leaving the FDIC. The FDIC maintains that these breaches occurred inadvertently, but Congress is skeptical that the breaches were not intentional. One case is allegedly the subject of a criminal investigation. While the FDIC has indicated that it is completing a “top to bottom review” of its technology information policies, it appears that Congress will continue to apply pressure to the FDIC related to its response and handling of these breaches. According to Rep. Loudermilk in the subcommittee’s press release, the American people “have good reason to question whether their private banking information is properly secured by the FDIC.”
Email spoofs: Criminals posing as your government examiner
Imagine the humiliation of having to confess that your company had a data breach and inadvertently sent hundreds of loan files chock full of nonpublic personal information directly to a criminal posing as your friendly government examiner. That would not be a good day at the office.
How could this happen and what steps can you take to prevent this nightmare? Here are dos and don’ts to help you verify the identity and credentials of examiners conducting remote examinations.
What you need to be doing NOW about cybersecurity
Spotlighting the importance of cybersecurity risk management, Bricker & Eckler attorney Greg Krabacher presents “What you need to know NOW about cybersecurity” at today's 2016 Ohio Mortgage Bankers Association Annual Convention. The event is currently taking place in Columbus, Ohio.
With recent threats on personal information, financial services providers, especially, are vulnerable to cyber-attacks. While the sensitivity of the information they hold puts lenders at immense risk, those that establish a comprehensive plan and make use of industry tools and resources may avoid a catastrophic outcome should a data breach occur. Krabacher offers the following first steps:
- Establish a plan and incident response team
- Assess data breach risk and inventory personally identifiable information or confidential client information
- Become familiar with applicable laws and regulations
- Educate and train employees
For more information regarding the OMBA Annual Convention, click here.
Ohio DFI issues data security guidelines
In response to increased financial fraud issues, the Ohio Division of Financial Institutions (DFI) recently issued data security guidelines. While the DFI specifically addressed debit card issues, its language indicates expectations for all institutions, requiring active steps to implement data security measures.
The DFI emphasized the following obligations:
- Daily review of security-related issues
- Email security and encryption
- Timely review of security and activity reports
- Suspicious activity report (SAR) training
- Standardized security controls
- After hours mechanisms to control suspicious activity
At its Ohio Banker’s Day on March 31, 2016, the DFI spent considerable time discussing financial fraud. It is apparent that further guidelines and bulletins will be forthcoming and will apply to all consumer-related activity, including lending. In light of its supervisory bulletin, verbal statements and the Consumer Financial Protection Bureau’s recent order in Dwolla, it is expected that data security will be a priority item in any future Ohio financial institution examinations.
Announcing our Cybersecurity Law blog
Readers of the Financial Services Law blog are invited to visit our newly-launched Cybersecurity Law blog, an online resource featuring news, information and legal analysis on current cybersecurity and data breach issues. Articles and posts, authored by Bricker & Eckler attorneys, share in-depth insights and legal implications on topics that have both local and global significance.
We encourage you to subscribe to the blog via FeedBurner to have frequent updates sent directly to your inbox. Additionally, be sure to visit the blog and bookmark the site for easy reference.
Do your company’s cybersecurity practices deceive consumers?
Not a day goes by without breaking news of a cybersecurity breach. Indeed, thoughts of a system hack keep many executives up at night. Small- and medium-sized businesses often fear that they do not have the robust resources or staff to adequately handle these threats.
The Consumer Financial Protection Bureau (CFPB) has now weighed in on these issues with a consent order that delivers cybersecurity guidelines. Of particular importance is the fact that the CFPB has now used its ultimate weapon — Unfair, Deceptive, or Abusive Acts or Practices (UDAAP) — as a tool to ensure that companies adopt effective security protocols.
For a detailed analysis of the CFPB's consent order and what it means for consumer-facing businesses, read the latest Cybersecurity Insight.
Ohio prepayment penalty adjustment for 2016
Don’t forget to update your Ohio Homebuyers’ Protection Act Informational Document with the 2016 prepayment penalty adjustment. Beginning January 1, 2016, no mortgage broker, loan officer or nonbank mortgage lender may charge a penalty for the prepayment or refinancing of a residential mortgage obligation secured by a first lien if the loan amount is less than $87,410. See Ohio Revised Code 1343.011(C)(2).
The Ohio Homebuyers’ Protection Act Informational Document is required by Ohio Revised Code 1345.05(G). An acknowledgement of the consumer’s receipt must be retained by the lender, mortgage broker and loan officer, as applicable. The Ohio Attorney General and the Department of Commerce may examine your records to ensure that you are providing the most current version of this document to consumers with the 2016 adjusted amount. The updated form can be found here. The rule regarding distribution and receipt of the Informational Document can be found here.
We hope you have a happy, healthy and prosperous New Year.