Consumer Financial Services Alert - August 9, 2011

People’s United Bank, the nation’s largest regional bank headquartered in New England, won a key victory in a data security breach case that had been followed for two years by the national banking associations, as well as by American Banker and other industry publications.

Patco Construction Company Inc., a commercial customer of the bank, brought suit alleging that the bank was responsible when third-party cybercriminals allegedly breached Patco’s computer system, stealing passwords and challenge question answers allegedly through the use of keylogging malware, and executed a series of fraudulent withdrawals from Patco’s checking account. Patco filed suit against People’s United in 2009, alleging negligence, breach of contract, breach of fiduciary duty, unjust enrichment and conversion.

In May 2011, Magistrate Judge John Rich recommended that the court grant People’s United’s motion for summary judgment on all six counts and deny Patco’s cross-motion for summary judgment. In a detailed, 70-page opinion, Rich found that People’s United had “demonstrated that the security procedures that it had in place as of May 2009 were commercially reasonable” under Article 4A of the UCC and that the rest of Patco's claims were preempted. On August 3, 2011, Judge Brock Hornby upheld the Magistrate’s recommendation.

“This was one of the first cases of its kind in the United States to deal with online hacking of bank accounts,” said Goodwin partner Brenda Sharton, who led the litigation team representing People's United “People's United Bank’s online banking security system is state of the art and among the best in use. Through this decision, the court recognized the commercial reasonableness of that system under the law.” You can contact Brenda at 617.570.1214 to discuss this case.

Click here for the Magistrate's opinion.

The Consumer Financial Protection Bureau issued an interim final rule that establishes its procedures for conducting investigations. The rule specifies procedures for civil investigative demands (similar to subpoenas), written reports and answers to questions (similar to interrogatories), and investigational hearings (similar to depositions). The rule went into effect on July 28, 2011, and comments must be received by September 26, 2011. Click here for the rule.

The Consumer Financial Protection Bureau issued an interim final rule that establishes its practices for adjudication proceedings. The Consumer Financial Protection Act of 2010 authorizes the CFPB to use administrative adjudications to enforce compliance with the provisions of the Act, rules promulgated by the CFPB, and any other Federal law or regulation that the CFPB enforces. The rule is modeled on the uniform rules and procedures for administrative hearings adopted by the federal banking regulators and the rules of practice currently used by the SEC and FTC. The rule went into effect on July 28, 2011, and comments must be received by September 26, 2011. Click here for the rule.

 

The Consumer Financial Protection Bureau issued an interim final rule that permits state housing creditors (i.e., state-chartered or state-licensed creditors) to rely on the federal Alternative Mortgage Transaction Parity Act to make alternative mortgage transactions in compliance with federal law until the CFPB issues permanent rules. The interim final rule implements the amendments to the Alternative Mortgage Transaction Parity Act contained in the Dodd-Frank Wall Street Reform and Consumer Protection Act, which transferred rule-making authority to the CFPB on July 21 and permitted state housing creditors to make alternative mortgage transactions under the Alternative Mortgage Transaction Parity Act after July 21 if they comply with rules issued by the CFPB. Because the CFPB did not have rule-making authority before July 21, the interim final rule was considered necessary to avoid suspending the Alternative Mortgage Transaction Parity Act, which would have prevented state housing creditors from entering into alternative mortgage transactions in states where such transactions are prohibited. Clickhere for the interim final rule.

FinCEN issued a final rule amending Bank Secrecy Act provisions regarding money services businesses. The rule renames “stored value” as “prepaid access” without changing the meaning of the term. The obligations of parties that distribute “prepaid access" have been expanded by replacing the terms “issuer” and "redeemer" of stored value with a new, broader category of participant termed “providers of prepaid access.” The rule puts in place suspicious activity reporting and customer and transaction information recordkeeping requirements on both "providers" and "sellers" of prepaid access. The rule exempts from its coverage (1) prepaid access products of $1,000 or less and payroll products if they cannot be used internationally, do not permit transfers among users, and cannot be reloaded from a non-depository source; (2) closed-loop prepaid access products sold in amounts of $2,000 or less; and (3) government funded and pre-tax flexible spending for health and dependent care funded prepaid access programs. Under the rule, “providers of prepaid access" must register with FinCEN. The rule becomes effective September 27, 2011, and compliance is mandatory on January 29, 2012. Click here for the rule.