Class Actions Begin: Plaintiffs Target Banks for PPP Loan Processing

A number of class-action lawsuits have been filed targeting national and community banks for their processing of loans under the Small Business Administration’s Paycheck Protection Program (PPP). It is not surprising that disputes have already arisen, given the swift creation of the vital relief program and equally rapid depletion of the $349 billion in initial funding. The suits allege that banks violated the CARES Act and state law by prioritizing high-value and existing customers over other small businesses.  More suits are likely to follow, whether based on similar theories or new ones that arise out of the next round of funding.

Plaintiffs in these class actions have accused banks of inappropriately processing and funding larger loans for “bigger business” clients and favoring current customers over other applicants who were unable to obtain loans before the funding ran out. One of the first class actions, filed in federal court in Maryland, sought a temporary restraining order and preliminary injunction to prevent banks from prioritizing current bank customers over individuals and businesses that were not current customers of the bank. The court denied plaintiffs’ request for emergency relief, concluded that there is no private right of action under the CARES Act, and found that plaintiffs’ claims were unlikely to survive. See here for a link to the decision. Plaintiffs have appealed to the Fourth Circuit. Two similar class actions have been filed in Texas federal court.

Another class action was filed this week in state court in Texas against a community bank, alleging fraud, breach of contract, breach of fiduciary duty, negligence and violations of the Texas Deceptive Trade Practices Act, all arising out of claims that the bank gave preference to customers eligible for larger loans in order to obtain more lucrative fees. Similarly, several small businesses have filed federal class actions in California and New York, accusing banks of false advertising, fraud, violations of state unfair competition law and deceptive trade practices, among others. Additional disputes are likely to arise as small businesses continue to face unprecedented circumstances; reportedly up to 80% of small businesses were unable to obtain loans during the first round of the program.


© 2020 Bracewell LLP


Bank Strategy Briefing: Moving Away From Common Bank Names

It is difficult to overstate the importance of a bank’s name. After all, it’s the centerpiece of a bank’s long-term branding strategy. Before reaching the teller line or setting up a meeting with a banker, seeing a bank’s name on a branch sign, billboard or website is likely the first interaction a customer has with the institution.  With many Midwest institutions approaching or surpassing 100-year anniversaries, a bank’s name may reflect generations of service to a community or the ownership family’s legacy.

Many banks share common names

A surprisingly large number of banks in the U.S. share common naming elements, as detailed below:

[Table: common naming elements shared by U.S. banks (image not reproduced)]

While many reasons for this degree of commonality exist, community pride and company history among them, similar names can result in market confusion, or worse, trademark disputes.

To differentiate themselves, a number of banks have begun changing names. In some instances, it’s a legal name change as specified in the institution’s articles, while in others it’s adopting a trade name.

How to change a bank’s legal name

The process for changing a legal name is relatively simple. First, a thorough search must be conducted to ensure the new name is available. This search would identify existing bank trademarks for the name as well as other potential uses that could cause marketplace confusion. Then comes amending the bank’s articles of incorporation. This requires board and shareholder approval. Once the amendment is effective, customer-facing marketing materials and legal documentation will need to reflect the new legal name.

How to adopt a trade name

Trade names are more nuanced and compliance-sensitive. In addition to validating that a name is available for use, various banking agencies require disclosures about the trade name to appear in signage, advertising and account-opening documentation. This helps customers understand that accounts under each name will be aggregated when calculating FDIC insurance coverage. For example, the Wisconsin Department of Financial Institutions’ (WDFI’s) guidance requires that trade names be identified as a “branch” of the bank. WDFI does not permit other descriptors like “division” or “unit.”

Name changes create new marketing opportunities

Beyond the legal and logistical aspects of a name change, it’s important to develop a robust marketing plan to maximize the opportunity a name change creates. Consider ways to reintroduce the bank to the marketplace and retell its story to the community.


Copyright © 2020 Godfrey & Kahn S.C.

Appellate Court Tells CitiMortgage It Can’t Force “Repurchase” Of What No Longer Exists

A recent decision by the United States Court of Appeals for the Eighth Circuit offers some vindication for mortgage companies still facing “repurchase” demands made by the banks to which they sold residential mortgages in the years leading up to the financial crisis that began in 2007 and accelerated in 2008.  In CitiMortgage, Inc. v. Equity Bank, N.A., No. 18-1312 (8th Cir. 2019), the Eighth Circuit (which has appellate jurisdiction over the federal district courts of Arkansas, Iowa, Minnesota, Missouri, Nebraska, and the Dakotas) reached the common-sense conclusion that a plaintiff cannot require a defendant loan originator/seller to “repurchase” a loan extinguished by foreclosure.  In such a circumstance, the court reasoned, there simply is nothing left to repurchase.  In so holding, the Eighth Circuit affirmed the judgment of the United States District Court for the Eastern District of Missouri  — a court that, despite being CitiMortgage’s consistently chosen forum for repurchase and contractual indemnification claims against loan sellers, had granted summary judgment to the defendant, Equity Bank, on this issue.

The relevant factual background is as follows. CitiMortgage filed suit against Equity, demanding that Equity repurchase 12 residential mortgage loans. CitiMortgage had notified Equity that it needed to take action under the cure-or-purchase provision in the parties’ Agreement.  The Eighth Circuit affirmed the district court’s holding that Equity’s duty to repurchase was limited to the six loans that had not gone through foreclosure. For the loans that had not gone through foreclosure, the court affirmed the district court’s holding that Equity breached the Agreement. The court rejected Equity’s claims that CitiMortgage’s letters lacked the necessary detail to trigger its duty to perform, and that CitiMortgage waited too long to exercise its rights. But, as to the six loans that had gone through foreclosure, the court affirmed the district court’s holding that Equity owed nothing to CitiMortgage.

As part of its analysis detailing the reasons that Equity could not be required to repurchase loans already foreclosed upon, the Eighth Circuit faulted CitiMortgage for never explaining what, exactly, Equity was supposed to repurchase. We have regularly made that argument when defending clients against repurchase claims and likewise, have never gotten a satisfactory response as to what our client could repurchase.   Typically, in tacit acknowledgment of the merit of that argument, plaintiffs make sure to do something that the appellate court intimated CitiMortgage should have done in this case.  That is to seek instead what is usually an alternative contractual remedy, indemnification.   Perhaps because it considered the repurchase provision in its contract with Equity more likely to generate a significant damages award (this contract’s repurchase provision established a “repurchase price formula” favorable to CitiMortgage), CitiMortgage opted in this case to seek only the remedy of “repurchase.”

To be sure, a plaintiff’s decision to seek an “indemnification” remedy also creates obstacles to recovery in most cases of this type.  Among those obstacles are many of the same statute of limitations problems that parties asking for repurchase face, as well as substantial questions about the circumstances under which the party seeking indemnification incurred the liability for which it is seeking payment.  Relatedly, whether a particular alleged loan defect can fairly be said to have caused the plaintiff’s monetary loss is typically very much in question when a plaintiff aggregator seeks indemnification from a defendant loan seller. Many battles over such issues remain to be fought, but, in the meantime, the Eighth Circuit’s recognition that a party cannot repurchase what no longer exists is a welcome development for residential mortgage loan originators.


© 2019 Bilzin Sumberg Baena Price & Axelrod LLP

Jurisdictional Lessons from Mt. Gox Cryptocurrency Litigation

Last week, on the heels of a significant decline in Bitcoin prices, Forbes reported that China’s Central Bank is set to launch the world’s first state-backed cryptocurrency. The cryptocurrency will be made available initially to seven of China’s largest financial institutions, including three banks and two financial technology companies (including Alibaba).  It is planned to eventually reach the virtual wallets of U.S. consumers, through relationships with Western correspondent banks.

Meanwhile, in the United States, litigation rages on against Mark Karpeles, the President and CEO of Mt. Gox. Formerly the world’s leading bitcoin exchange platform, Mt. Gox filed for bankruptcy protection in Japan in 2014 amidst reports of rampant security breaches and refusal by its Japanese banking partner, Mizuho Bank, to process withdrawals for Mt. Gox users. Before its bankruptcy, Mt. Gox announced that 850,000 bitcoins valued at more than $450 million had gone “missing,” likely due to cyber theft.

In the aftermath, Mt. Gox account holders filed putative class actions against Karpeles and Mizuho in the Central District of California, the Northern District of Illinois, and the Eastern District of Pennsylvania, asserting causes of action for negligence, fraud, and tortious interference. In each action, both defendants filed motions to dismiss, claiming lack of personal jurisdiction due to their residences in France and Japan, respectively.

Earlier this year, all three courts dismissed Mizuho from the litigation, agreeing that the bank did not purposefully direct any activity at the forum states. Mt. Gox’s bank accounts with Mizuho were located in Japan, the decisions not to process withdrawals from those accounts were made by Mizuho employees located in Japan, and all wire transfers were initiated or received in Japan.

However, all three courts denied Mr. Karpeles’ motions to dismiss for lack of personal jurisdiction.  Mr. Karpeles,  a French citizen, argued that his contacts with the forum states were merely the incidental result of where some Mt. Gox users lived. The courts unanimously disagreed.

In the most recent of these three decisions, the Eastern District of Pennsylvania, relying on the previous decisions by the courts in California and Illinois, held that it has specific jurisdiction over Karpeles “because he availed himself of the privilege of conducting business in Pennsylvania through soliciting business from [a named plaintiff] and thousands of other Pennsylvania residents through the Mt. Gox website.” Pearce v. Karpeles, No. CV 18-306, 2019 WL 3409495, at *4 (E.D. Pa. July 26, 2019).

The Court applied the “sliding scale” test established by Zippo Manufacturing v. Zippo Dot Com, Inc., 952 F. Supp. 1119, 1123-24 (W.D. Pa. 1997), which has been characterized as “a seminal authority regarding personal jurisdiction based upon the operation of an internet website,” to determine that Karpeles’ internet presence sufficiently gave rise to personal jurisdiction over him. Karpeles, 2019 WL 3409495, at *4-5. The Zippo scale “ranges from situations where a defendant uses an interactive commercial website to actively transact business with residents of a forum state (personal jurisdiction exists) to situations where a passive website merely provides information that is accessible to users in the forum state (personal jurisdiction does not exist).” Id. at *4. Under that Pennsylvania precedent, a defendant has purposefully availed itself of the privilege of doing business in the state if its website “repeatedly attracts business from a forum or knowingly conducts business with forum state residents via the site.” Id. at *5.

The Court held that Mt. Gox’s internet activity fell at the “interactive end of the Zippo spectrum.” Id. Mt. Gox’s website was interactive, allowing users to open and manage accounts, make purchases and trades, and transfer and deposit cash. Id. Further, Mt. Gox had knowledge of the residences of its users because at the time they opened accounts, they had to provide Mt. Gox with their addresses and other personal information. Id. Users could also purchase “Yubikeys” (a hardware authentication device that allows users to securely log into their accounts) to be sent to their physical addresses. Id. Approximately 4% of all Mt. Gox users (over 19,000 individuals) who registered with addresses were Pennsylvania citizens, making Karpeles’ interactions with the forum state neither random, isolated, nor fortuitous. Id. at *6.

The Court also rejected Karpeles’ assertion that it would be unfair to force him to defend in the United States since he is on probation in Japan and prohibited from leaving the country, holding that the interests of the plaintiffs and the forum state justified any burden of defending in Pennsylvania. Karpeles, 2019 WL 3409495, at *8-9.

The increased use of cryptocurrency looks inevitable, with Facebook’s cryptocurrency, Libra, poised to launch in 2020, and some economists proposing that a cryptocurrency backed by central banks throughout the world will one day replace the U.S. dollar as the world’s global reserve currency. As cryptocurrency proliferates, it is likely that so too will cryptocurrency litigation, bringing with it a host of jurisdictional challenges for litigants. The Mt. Gox-related orders provide valuable insight into how some such challenges may be resolved in the future.


© 2019 Bilzin Sumberg Baena Price & Axelrod LLP

NCUA Issues New Guidance to Credit Unions Which Permits Hemp Banking

On August 19, 2019, the chairman of the National Credit Union Association issued a letter with guidance to all credit unions.  Prior to August 19, hemp businesses had difficulty locating banks or other entities that would permit them to conduct normal merchant banking activities. That issue has, in part, been addressed by this letter of guidance. Questions remain, however, regarding many merchant services and whether FinCEN will issue a similar guidance.  In either event, banks or credit unions that bank with hemp businesses have numerous compliance obligations under the Bank Secrecy Act (BSA) and Anti-Money Laundering Act (AML).  It is important to make your banking institution aware of your business purpose to avoid the Suspicious Activity Reports (SAR) that could negatively impact your business operations.

According to Chairman Hood, “Credit unions need to be aware of the Federal, State and Indian Tribe laws and regulations that apply to any hemp-related businesses they serve. Credit unions that choose to serve hemp-related businesses in their field of membership need to understand the complexities and risks involved.

While it is generally a credit union’s business decision as to the types of permissible services and accounts to offer, credit unions must have a Bank Secrecy Act (BSA) and Anti-Money Laundering (AML) compliance program commensurate with the level of complexity and risks involved. In particular, credit unions need to incorporate the following into their BSA/AML policies, procedures, and systems:

  • Credit unions need to maintain appropriate due diligence procedures for hemp-related accounts and comply with BSA and AML requirements to file Suspicious Activity Reports (SARs) for any activity that appears to involve potential money laundering or illegal or suspicious activity. It is the NCUA’s understanding that SARs are not required to be filed for the activity of hemp-related businesses operating lawfully, provided the activity is not unusual for that business. Credit unions need to remain alert to any indication an account owner is involved in illicit activity or engaging in activity that is unusual for the business.

  • If a credit union serves hemp-related businesses lawfully operating under the 2014 Farm Bill pilot provisions, it is essential the credit union knows the state’s laws, regulations, and agreements under which each member that is a hemp-related business operates. For example, a credit union needs to know how to verify the member is part of the pilot program.  Credit unions also need to know how to adapt their ongoing due diligence and reporting approaches to any risks specific to participants in the pilot program.

  • When deciding whether to serve hemp-related businesses that may already be able to operate lawfully–those not dependent on the forthcoming USDA regulations and guidelines for hemp production–the credit union needs to first be familiar with any other federal and state laws and regulations that prohibit, restrict, or otherwise govern these businesses and their activity. For example, a credit union needs to know if the business and the product(s) is lawful under federal and state law, and any relevant restrictions or requirements under which the business must operate.”

https://www.ncua.gov/newsroom/press-release/2019/ncua-releases-interim-guidance-serving-hemp-businesses

As the regulatory entities work through the changes in federal law, new rules and regulations are inevitable.  FinCEN, the FDA and TTB are expected to issue new regulations, although they do not appear to be on the horizon any time soon.  The SAFE Banking Act, STATE’s Act and other new federal legislation remain held up in committee.


© 2019 Dinsmore & Shohl LLP. All rights reserved.


The Post-Election FinTech World: Are Happy Days (for Bankers) Here Again?

In the days following the U.S. federal elections that resulted in the election of Donald Trump as President and Republican control of the 115th Congress, FinTech companies, banks, and other financial institutions are increasingly asking whether they still need to worry about compliance with the landmark Dodd-Frank Wall Street Reform and Consumer Protection Act (“Dodd-Frank”), Consumer Financial Protection Bureau (“CFPB”) regulatory actions, and other financial services regulations.

It is true that there will likely be some significant regulatory changes, but it is a little too early for industry participants to pop the champagne corks.  Here are our thoughts about some of the top issues impacting FinTech companies, banks, and other financial institutions:

Dodd-Frank and the CFPB

Created under Dodd-Frank in response to the financial crisis of 2007–2008, the CFPB’s stated aim is “to make consumer financial markets work for consumers, responsible providers, and the economy as a whole.”  Since its inception, the CFPB has regulated the consumer financial services marketplace through sweeping rulemakings, including the recent issuance of a long-awaited final rule for prepaid accounts.[1]  Precedent-setting enforcement actions also have been increasingly utilized by the CFPB in lieu of, or as a precursor to, rulemakings promulgated in accordance with the Administrative Procedure Act.  Policymakers, banks, and others within the broader financial services industry have criticized the CFPB for regulatory overreach and for imposing burdensome, duplicative regulations on market participants that ultimately impact on consumer choice.[2]

It is no surprise, therefore, that revising the CFPB’s structure and operations to try to make the agency more transparent and accountable is among the top priorities of both the incoming Administration and Congress as part of reform of Dodd-Frank.  Some version of House Financial Services Committee Chairman Jeb Hensarling’s (R-TX) financial reform legislation (H.R. 5983, the “Financial CHOICE Act” or “FCA”), will undoubtedly serve as a basis for any reform efforts undertaken in the early days of the Trump Administration and the new Congress.  Although the CFPB will likely survive in the new Administration and Republican-led House and Senate, the FCA furnishes a blueprint for the kinds of reforms that likely will be made.

The FCA contains provisions that would make significant modifications to the structure of the CFPB by making it an independent agency outside of the Federal Reserve to be headed by a five-member commission, instead of a single director.  The FCA would rename the CFPB the “Consumer Financial Opportunity Commission” and would give the agency the mission of consumer protection and competitive markets.  The FCA would also subject the CFPB’s funding to the Congressional appropriations process.  The FCA also includes provisions designed to address the CFPB’s use of enforcement actions by repealing the agency’s authority over “abusive practices” in the consumer financial services industry.  In addition, the FCA also contains H.R. 5413, the “CFPB Data Accountability Act,” which would require the CFPB to verify a consumer complaint prior to posting it on the CFPB’s website.

Durbin Amendment

The FCA also contains a provision that would repeal the “Durbin Amendment,” which limited the interchange fees that banks charge merchants to process electronic debit transactions.  Following enactment of Dodd-Frank, many payments industry participants raised concerns that small banks and low-and moderate-income consumers have been adversely impacted by the Durbin Amendment, while retailers have disproportionately benefited.  Given the anticipated focus of the Trump Administration and new Congress on the promotion of financial market innovation and competitiveness, it is increasingly likely that changes to this provision could be considered as part of broader financial regulatory reform efforts.  Whether it will be entirely repealed is another question.  Merchants, who fought hard for the Durbin Amendment by arguing that the high fees imposed by major banks and the payment networks were unfair, can be expected to vigorously oppose such an effort.

Regulatory Outlook

The regulatory outlook for the CFPB for the near future will likely be impacted by a number of important factors, including the outcome of the CFPB’s recent petition to the U.S. Court of Appeals for the District of Columbia Circuit (“D.C. Circuit”), which requested the full D.C. Circuit to rehear PHH Corp. v. CFPB.[3]  The petition follows the recent holding in PHH by a three-judge panel of the D.C. Circuit that the CFPB’s existing structure is unconstitutional and that the director of the CFPB serves at the pleasure of the President.[4]  President-elect Trump currently has the ability to remove current CFPB Director Richard Cordray “for cause” and to nominate a replacement to be confirmed by the Senate.  Such a change in the director of the CFPB before the D.C. Circuit makes a decision on whether to rehear PHH could have significant implications for the CFPB’s regulatory activities.  Republicans in the 115th Congress also are expected to use the Congressional Review Act (“CRA”) to repeal certain regulations recently issued during the Obama Administration.  However, many of the CFPB’s rules are expected to remain in place but be subject to additional Congressional scrutiny.  Notably, some Congressional Republicans have previously expressed concerns about the broad scope of the CFPB’s rule on prepaid accounts, although it is not yet clear whether the rule will be among the regulations that could be the focus of repeal efforts through use of the CRA.  Additionally, Congressional Republicans will likely subject the CFPB’s operations to heightened oversight and will probably seek to repeal the agency’s authority to prohibit arbitration agreements and to issue guidance related to indirect automobile lending.

Enforcement Outlook Generally

Although the CFPB’s activities may be reduced through reformation of the agency or an appreciable change in its leadership, such changes are also likely to be accompanied by heightened regulatory and enforcement efforts by state government officials and an increase in efforts by consumers to seek redress in the courts.  Anticipating that the incoming Administration could result in a reduction of enforcement activities against banks and financial institutions at the federal level, many state attorneys general are indicating that they will step into the vacuum to protect consumers if necessary.  It has been widely reported,[5] for example, that both New York and California attorneys general intend to fill any regulatory enforcement void created by the incoming Administration.  Nevertheless, a shift in the CFPB’s enforcement priorities may have a lasting impact on financial institutions and financial markets.

Conclusion

Going forward, payments companies and other consumer financial services industry participants should certainly monitor changes in laws, regulations, and enforcement actions closely as they seek to better understand these changing legal and regulatory dynamics and the nature of the regulations with which they will be required to comply.

Copyright 2016 K & L Gates

[1] See, Eric A. Love, Judith Rinearson and Linda C. Odom, CFPB Finalizes Expansive Prepaid Account Rule Creating New Compliance Hurdles, K&L Gates Legal Insight, (Nov. 2016), https://www.fintechlawblog.com/wp-content/uploads/2016/11/FinTech-blog-4….

[2] See, e.g., Press Release, House Financial Services Committee, Who will protect consumers from the overreach of the Consumer Financial Protection Bureau? (Mar. 3, 2015), http://financialservices.house.gov/news/documentsingle.aspx?DocumentID=3….

[3] See, Respondent Consumer Financial Protection Bureau’s Petition for Rehearing En Banc, No. 15-177 (D.C. Cir. Nov. 18, 2016) (Doc. #1646917).

[4] See, PHH Corp. v. Consumer Financial Protection Bureau, No. 15-1177 (D.C. Cir. Oct. 11, 2016).

[5] See, e.g., Joel Stashenko, Trump Presidency Could Shift Regulatory Spotlight to State and AG, N.Y. Law Journal, Nov. 14, 2016.

New York Proposes First-Ever Cybersecurity Regulation for Financial Institutions

The New York Department of Financial Services recently announced a new proposed rule, which would require financial institutions and insurers to implement strong policies for responding to cyberattacks and data breaches. Specifically, the rule would require insurers, banks, and other financial institutions to develop detailed, specific plans for data breaches; to appoint a chief privacy security officer; and to increase monitoring of the handling of customer data by their vendors.

Until now, various regulators have been advancing similar rules on a voluntary basis.  This is reportedly the first time that a state regulatory agency is seeking to implement mandatory rules of this nature.

“New York, the financial capital of the world, is leading the nation in taking decisive action to protect consumers and our financial system from serious economic harm that is often perpetrated by state-sponsored organizations, global terrorist networks, and other criminal enterprises,” said New York Governor Cuomo. He added that the proposed regulation will ensure that the financial services industry upholds its commitment to protect customers and take more steps to prevent cyber-attacks.

The rule would go into effect in 45 days, subject to a notice and public comment period. Among other detailed requirements, it will mandate a detailed cybersecurity program and a written cybersecurity policy. While larger financial institutions likely already have such policies in place, the rule puts more pressure on them to fully comply. It also mandates the hiring of a Chief Privacy Officer at a time when privacy professionals are already in very high demand. To attract top talent, financial institutions will need to allocate appropriate budgets for such hiring.

Additionally, the rules outline detailed requirements for the hiring and oversight of third-party vendors. Regulated entities that allow their vendors to access nonpublic information will now have to engage in appropriate risk assessment, establish minimum cybersecurity practices for vendors, and conduct due diligence and periodic assessments (at least once a year) of third-party vendors to verify that their cybersecurity practices are adequate. More detailed specifications can be found here. Other requirements include employment and training of cybersecurity personnel, timely destruction of nonpublic information, monitoring of unauthorized users, and encryption of all nonpublic information. As DFS Superintendent Maria Vullo explained: “Regulated entities will be held accountable and must annually certify compliance with this regulation by assessing their specific risk profiles and designing programs that vigorously address those risks.”

Among other notable requirements, the regulations further mandate that banks notify New York’s Department of Financial Services of any material data breach within 72 hours of the breach. The regulations come at a time when cybersecurity attacks are on the rise. The proposed rules also follow on the heels of recent legislative initiatives in 4 other states to bolster their cybersecurity laws, as we previously discussed.

The regulations are sweeping in nature in that they potentially affect not only New York-based companies but also insurers, banks, and financial institutions that conduct business in New York or have customers who are New York residents. If you are unsure about your company’s obligations and the impact of the proposed rules on your industry, contact the Mintz Levin privacy team for a detailed analysis.

©1994-2016 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.

New Year to Bring Increased Regulatory Focus on Cybersecurity for Financial Institutions

Having weathered the cybersecurity turbulence of 2014, the financial services sector can look forward to increased regulatory attention from federal, state and non-governmental regulators in 2015. First, in the wake of data breaches at major banks and financial institutions, and drawing upon its mid-2014 “Report on Cyber Security in the Banking Sector,”[1] the New York Department of Financial Services (the “NYDFS” or the “Department”) has announced a New Cybersecurity Examination Process for the banks under its regulatory jurisdiction (the “Examination Letter”). Additionally, the Chairman of the federal Commodity Futures Trading Commission (“CFTC”) has testified before a Senate committee that the CFTC will increase its attention to cybersecurity during its upcoming examinations of clearinghouses and exchanges. Also, the Conference of State Bank Supervisors (“CSBS”) has issued a resource guide for bank executives on cybersecurity that community bank CEOs, senior executives and board members are being strongly encouraged to use to address cybersecurity threats at their banks.

These latest regulatory developments impacting financial institutions will likely affect the cybersecurity policies of other regulators, including enforcement actions against regulated entities that fail to implement adequate cybersecurity programs. Thus, even if your organization is not a financial institution regulated by the NYDFS, CFTC or a state banking regulator, the key takeaways discussed below will provide insight into the types of questions regulators will pose, and offer practical guidance for developing a compliant privacy and data security program to mitigate cybersecurity risks. The December 2014 ruling that retailer Target had an affirmative duty to protect its customers’ personal and financial information illustrates that these pronouncements provide important guidance not just to regulated entities, but to companies generally.

NYDFS’s Examination Letter

On December 10, 2014, the NYDFS issued the Examination Letter to all New York chartered and licensed banking institutions announcing the Department’s new, targeted cybersecurity preparedness assessment. In an effort to promote greater cybersecurity across the financial services industry, the NYDFS warned that it will expand its routine information technology examinations to include cybersecurity. However, as noted in an article in American Banker,[2] the Examination Letter provides no indication that the examinations will differentiate among banks by size, meaning a smaller community bank may be subject to the same cybersecurity requirements as multinational banks with significantly more resources.

The new examination procedures are designed to encourage “all financial institutions to view cybersecurity as an integral aspect of their overall risk management strategy, rather than as a subset of information technology.” According to Benjamin M. Lawsky, Superintendent of the NYDFS, the new procedures are also intended to promote a “laser-like focus on this issue by both banks and regulators,” given that regulatory examination rankings can have a significant impact on the operations of financial institutions, including their ability to enter into new business lines or make acquisitions.

The Examination Letter notes that the NYDFS will be incorporating the following new security-oriented topics into its pre-examination “First Day Letters” to assist in expediting the Department’s review of financial institutions’ cybersecurity preparedness:[3]

  • Corporate governance, including written information security policies and procedures, and the periodic reevaluation of such policies and procedures in light of changing risks;

  • Cybersecurity incident detection, monitoring and reporting processes;

  • Resources devoted to information security and overall risk management;

  • The risks posed by shared infrastructure;

  • Protections against intrusion, including multifactor or adaptive authentication, and server and database configurations;

  • Information security testing and monitoring, including penetration testing;

  • Training of information security professionals as well as all other personnel;

  • Vetting and management of third-party service providers; and

  • Cybersecurity insurance coverage and other third-party protections.

In addition to the information requested in the First Day Letter, the NYDFS stated that it will schedule IT/cybersecurity examinations following the risk assessments of each financial institution. The new IT/cybersecurity examinations will take a deeper look into the financial institution’s ability to prevent, detect and respond to data breaches and other cyber attacks by requesting:

  • The qualifications of the institution’s Chief Information Security Officer, or the individual otherwise responsible for information security;

  • Copies of the institution’s information security policies and procedures;

  • The institution’s data classification approaches and data access management controls;

  • The institution’s vulnerability management programs, including its consideration of applications, servers, endpoints, mobile, network and other devices;

  • The institution’s patch management program, including how updates, patches and fixes are obtained and disseminated;

  • The institution’s due diligence process regarding information security practices used to vet, select and monitor third-party service providers;

  • Application development standards used by the institution, including the extent to which security and privacy requirements are incorporated into application development processes;

  • The institution’s incident response program, including how incidents are reported, escalated and remediated; and

  • The relationship between information security and the organization’s business continuity program.

The NYDFS’s Examination Letter is essentially a “take-home test” for any New York chartered or licensed banking institution or regulated firm preparing for an NYDFS examination or conducting its own internal audit to strengthen its cybersecurity practices and incident response preparedness. Additionally, although the new examination procedures do not impose cybersecurity requirements on regulated entities per se, the NYDFS is essentially announcing the standards and practices it expects to be adopted in any compliant cybersecurity program. For now, the new cybersecurity examination procedures are limited to banks, but it is likely that the NYDFS will extend these same types of procedures to the other financial services firms it regulates, such as insurance companies and investment companies.

CFTC’s Increased Focus on Cybersecurity

On December 10, 2014, CFTC Chairman Timothy Massad testified before a Senate Agriculture Committee hearing that cybersecurity is “perhaps the single most important new risk to financial stability.” As a result, cybersecurity will become an increasingly important aspect of the CFTC’s oversight for futures and swaps markets.

Chairman Massad testified that the CFTC requires clearinghouses, swap execution facilities, designated contract markets and other market infrastructures to implement system safeguards, which must include four elements: (1) a program of risk analysis and oversight to identify and minimize sources of cyber and operational risks; (2) automated systems that are reliable, secure and scalable; (3) emergency procedures, backup facilities and a business continuity/disaster recovery plan; and (4) regular, objective, independent testing to verify that the system safeguards are sufficient. Each CFTC-regulated entity must also have a risk management program that addresses seven key elements, including information security, systems development, quality assurance and governance. Furthermore, these entities must notify the CFTC promptly of cybersecurity incidents.

Although the CFTC does not conduct independent testing of its cybersecurity requirements, it reviews evidence provided for satisfaction of the requirements. Chairman Massad testified that the CFTC’s upcoming examinations will focus on the following areas:

  • Governance—Are the board of directors and top management devoting sufficient attention to cybersecurity?

  • Resources—Are sufficient resources and capabilities being devoted to monitor and control cyber-related risks across all levels of the organization?

  • Policies and Procedures—Are adequate plans and policies in place to address information security, physical security, system operations and other critical areas? Is the regulated entity actually following its plans and policies, and considering how plans and policies may need to be amended from time to time in light of technological, market or other security developments?

  • Vigilance and Responsiveness to Identified Weaknesses and Problems—If a weakness or deficiency is identified, does the regulated entity take prompt and thorough action to address it? Does it not only fix the immediate problem, but also examine the root causes of the deficiency?[4]

CSBS Guidance for Financial Services Officers and Directors

On December 17, 2014, the CSBS issued “Cybersecurity 101: A Resource Guide for Bank Executives” (the “CSBS Resource Guide”), which is designed to aid chief executive officers, senior executives and board members in their understanding, oversight and implementation of effective cybersecurity programs. The CSBS Resource Guide is organized according to the five core cybersecurity functions of the Commerce Department’s National Institute of Standards and Technology’s Framework for Improving Critical Infrastructure Cybersecurity: (1) identify internal and external cybersecurity risks; (2) protect organizational systems, assets and data; (3) detect systems intrusions, data breaches and unauthorized access; (4) respond to a potential cybersecurity event; and (5) recover from a cybersecurity event by restoring normal operations and services. For each of these core functions, the CSBS Resource Guide provides questions that chief executive officers should ask, as well as training guidance and a model checklist to follow in the event of a data breach.

Takeaways

In light of these developments, banks and other financial institutions should consider undertaking the following steps and customizing them to their specific circumstances and risks:

1. Conducting Periodic Cybersecurity Risk Assessments

  • Identify potential cybersecurity threats (including physical security threats) to security, confidentiality and integrity of personal and other sensitive information (both customer and internal) and related systems;

  • Evaluate effectiveness of current controls in light of identified risks;

  • Prioritize resources, assets and systems corresponding to the nature and level of threats and vulnerabilities, and revise procedures and controls, as necessary and appropriate, to address and mitigate areas of risk; and

  • Determine whether existing insurance policies will cover the threats identified in the risk assessment, and determine whether separate cyber coverage is needed.

2. Evaluating Potential Third-Party Vendor Risks

  • Review due diligence procedures for selecting vendors and procedures for approval/monitoring of vendor access to networks, customer data or other sensitive information;

  • Obtain copies of vendors’ written information security plans or certifications of compliance with applicable standards; and

  • Determine whether contracts with vendors include appropriate security measures, including incident response notification procedures and cyber insurance coverage.

3. Developing and Periodically Testing a Comprehensive Incident Response Plan

  • Implement a comprehensive, written incident response plan to respond proactively to actual or suspected cybersecurity events; and

  • Conduct periodic “table top” exercises of mock cybersecurity events with IT, legal, compliance, human resources and other business stakeholders.


[1] See http://www.dfs.ny.gov/about/press2014/pr1405061.htm
[2] See http://www.americanbanker.com/news/bank-technology/new-york-cybersecurity-exams-will-be-tougher-than-ffiecs-1071603-1.html
[3] The NYDFS’s new cybersecurity questions and topics are similar to the comprehensive cybersecurity questionnaire attached to the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations’ (“OCIE”) Risk Alert, issued on April 15, 2014, as part of the OCIE’s cybersecurity examinations of registered investment advisors and broker-dealers.
[4] The NYDFS and the CFTC are certainly not the only banking and financial services regulators that have intensified their focus on cybersecurity. Indeed, during her December 10, 2014 testimony before the U.S. Senate Committee on Banking, Housing and Urban Affairs, Valerie Abend, chair of the Federal Financial Institutions Examination Council (“FFIEC”) Cybersecurity and Critical Infrastructure Working Group, said the FFIEC’s interagency cybersecurity guidelines “require banks to develop and implement formal information security programs that are tailored to a bank’s assessment of the risks it faces, including internal and external threats to customer information and any method used to access, collect, store, use, transmit, protect, or dispose of the information.”

Four Ways For A Financial Institution To Minimize Losses Related To A Data Breach

vonBriesen

The explosive growth of electronic credit and debit card transactions has increased the possibility of data breaches for financial institutions. The ongoing data breach litigation by financial institutions against Target is just one example of what could be the new normal with card-swipe electronic transactions now dominating commerce: according to Javelin Strategy and Research, only about twenty-five percent (25%) of point-of-purchase sales are currently made with cash, and that percentage is expected to continue to decline in the coming years.

This surge has been beneficial to the bottom line of many financial institutions, but the spike in electronic transactions has also increased the potential for data breaches and related liability. According to the Ponemon Institute’s 2014 Cost of Data Breach Study: Global Analysis,[1] the average cost of a data theft from financial services companies in 2013 was $236 per customer account. The primary reason for the increase is the loss of customers following the data breach. Financial services providers continue to be most susceptible to high rates of customer defections as a result of data breaches. (Ponemon, 2014)

As the volume of electronic transactions has increased, hackers and cybercriminals have become more sophisticated and successful, as evidenced by recent high-profile data breaches involving Target, Neiman Marcus, eBay, and Jimmy John’s. While mega-breaches tend to grab the headlines, most data losses involve fewer than 10,000 customer records. (Ponemon, 2014) Nonetheless, these data losses can be costly, averaging $5.9 million per breach incident in 2013. (Ponemon, 2014)

What can financial institutions do to minimize their losses, when both large and small institutions can fall victim? Below are four proactive steps that may be taken by any size institution:

1. Preparation

Statistically, four factors are most important to reducing the cost of a data breach: a strong pre-incident security posture, a current incident response plan, business continuity management involvement, and leadership by a Chief Information Security Officer. Together, these can reduce the per capita cost of a data breach as much as 30%. (Ponemon, 2014) Good preparation should also include data security audits and breach response exercises to test preparedness.

2. Purchasing Data Breach and Other Insurance

One in three companies has insurance to protect against data breach losses (Marsh LLC, Benchmarking Trends: Interest in Cyber Insurance Continues to Climb, 2014).[2] Covered risks typically include disclosure of confidential data, malicious or accidental loss of data, introduction of malicious codes or viruses, crisis management and public relations expenses, business interruption expenses, and data or system restoration. In 2013, cyber insurance policies sold to retailers, hospitals, banks, and other businesses jumped significantly. (Marsh LLC, 2014) Given the potentially tremendous costs associated with a data breach, cyber insurance policies are no longer a niche or specialty product, and are quickly becoming a necessity in the financial services industry and a key component of risk management for financial institutions.

In addition to policies specifically covering data breaches, it is important to consider whether an institution’s losses may be covered under the terms of an existing policy. Some courts have found that traditional policies include coverage for data breach claims. In Netscape Communications Corp. v. Federal Insurance Co., decided in 2009, the Ninth Circuit Court of Appeals held that personal and advertising injury coverage in a commercial general liability (“CGL”) policy applied to claims alleging that the insured had violated the plaintiff’s right of privacy in private online communications. In Retail Ventures, Inc. v. National Union Fire Insurance Co., the Sixth Circuit Court of Appeals found that coverage may also apply under a financial institution’s crime policy. In WMS Industries, Inc. v. Federal Insurance Co., the Fifth Circuit Court of Appeals affirmed the district court’s holding that all-risk and first-party property policies may provide coverage for data damage and business interruption arising out of data breaches. Lastly, in Retail Systems, Inc. v. CNA Insurance Companies, the Minnesota Court of Appeals found that an insured’s loss of a computer tape containing third-party data was “property damage” and, therefore, was covered by CGL insurance.

Even if there is a question as to whether coverage is available, notice of the breach should be given to the insurer immediately. Financial institutions should consider consulting with their insurance providers to confirm whether or not their standard policies cover data breaches and, if so, whether there are any coverage limits or exclusions. “Too often, the close scrutiny of policy coverage does not occur until after a claim is made. This makes misunderstanding and disappointment a distinct, and potentially costly, risk. Even sophisticated companies stumble. In 2011, SONY suffered a series of cyber security breaches affecting data in its online gaming systems. The SONY insurer said the company did not have a cyber insurance policy, that SONY’s existing policies only covered tangible property damage, not cyber incidents, and therefore the insurer would not provide any coverage for the company’s nearly $200 million loss. SONY spokespersons contested these statements, expressing their belief that at least some of the losses were covered.” (Mark F. Foley, Digital Lex: Insurance Coverage for the Cyber World (Feb. 19, 2013), at http://www.WTNNews.com. See, Insurance Against Cyber Attacks Expected to Boom, New York Times online, December 23, 2011)

Banks, or their counsel, should also proactively review vendor or third-party contractor agreements to confirm that the vendor or third-party contractor has an obligation to indemnify the financial institution for losses related to a data breach, and that the financial institution is named as an additional insured under the vendor’s or third-party contractor’s insurance policy covering such breaches. Contracts that do not provide these protections should be updated.

3. Using Regulatory Tools and Guidance

In September 2014, FDIC Chairman Martin Gruenberg stated that “internet cyber threats have rapidly become the most urgent category of technological challenges facing our banks.” As a result, the FDIC now defines cybersecurity as “an issue of highest importance” for itself and the Federal Financial Institutions Examination Council (FFIEC).

The FFIEC recently formed a Cybersecurity and Critical Infrastructure Working Group that works with the intelligence community, law enforcement and the Department of Homeland Security on cybersecurity issues. The Working Group is currently assessing the banking sector’s preparedness to combat and respond to cybersecurity threats. The report will include a regulatory self-assessment to evaluate readiness and identify areas requiring additional attention.

The FDIC also created a “Cyber Challenge” online resource that features videos and a simulation exercise. As part of this effort, the FDIC also requires third-party technology service providers (TSPs) to update financial institutions on operational threats the FDIC identifies at a TSP during an examination.

The rollout of these resources, coupled with the recent guidance from the OCC and the Fed regarding the management of third party relationships (for a more in-depth discussion, please see our January 2014 Commercial Law Update, “Managing Third Party Relationships: New Regulatory Guidance for Banks”), demonstrates the increased scrutiny regulators are giving to these issues and why they are hot-button topics for financial institutions to tackle.

4. Filing Lawsuits Against Parties Responsible for Data Breaches

A recent example of financial institutions going on the offensive with regard to a data breach by a service provider is the lawsuit brought by several banks against Target, In re Target Corporation Customer Data Security Breach Litigation, Case No. 14-md-02522, which is currently pending in Minnesota federal district court. The banks are seeking class-action status on behalf of banks across the country for claims arising out of the compromise of at least 40 million credit cards, which affected up to 110 million people whose personal information, such as email addresses and phone numbers, was stolen.

The banks seek millions of dollars of damages to recover money spent reimbursing fraudulent charges and issuing new credit and debit cards.

The court recently denied Target’s motion to dismiss all of the claims, concluding that Target played a “key role” in the data breach. In denying the motion, the court held that “Plaintiffs have plausibly alleged that Target’s actions and inactions – disabling certain security features and failing to heed the warning signs as the hackers’ attack began – caused foreseeable harm to plaintiffs” and also concluded that “Plaintiffs have also plausibly alleged that Target’s conduct both caused and exacerbated the harm they suffered.” At this stage, the banks are proceeding with claims for negligence and violations of Minnesota’s Plastic Security Card Act.

As illustrated by the Target litigation, if losses are not covered by insurance or if the institution otherwise cannot be made whole, a financial institution should consider trying to recover damages through litigation. However, the Target case is still being litigated, and the law is not settled as to whether third parties, such as merchants who process credit and debit cards, may be held liable to an issuing financial institution for damages arising out of the merchant’s data breach.

Financial institutions would be well-served by utilizing these resources to protect against cyber attacks and should keep a close eye on upcoming regulatory guidance in this area as it is clear that the regulators are focusing on ways to protect against, and minimize the number of, data breaches and their effect on financial institutions.
