
© Thomson/West Legalworks

40462177 © 2006 Thomson/West Legalworks

IN THIS ISSUE:

Federal Financial Institutions Examination Council Releases 2006 Revisions to the Bank Secrecy Act/Anti-Money Laundering Examination Manual..................1

From the Editor..............................................2

New EU Opinions Clarify Data Privacy And Third-Country Data Transfer Laws While Setting The Stage For More Regulation ..........................6

Frequently Asked Questions on FFIEC Guidance on Authentication in an Internet Banking Environment ................................11

Selected Regulatory Developments ............................................15

Federal Financial Institutions Examination Council Releases 2006 Revisions to the Bank Secrecy Act/Anti-Money Laundering Examination Manual

By Kathryn Marks and Jonathan Winer

On July 28, 2006, the Federal Financial Institutions Examination Council (FFIEC), the interagency body created to ensure uniform treatment and examination of financial institutions by the federal banking regulators, revised its Bank Secrecy Act/Anti-Money Laundering (BSA/AML) Examination Manual (2006 Manual).1 The revisions make significant changes to FFIEC guidance on risk assessment, the handling of ACH transactions, treatment of trade finance, suspicious activity reporting, politically exposed persons, private banking, due diligence, insurance products, stored value products, and other emerging money laundering risks. Some of the most important practical considerations include:

• For ACH transactions, both the originating and receiving institutions must have OFAC screens in place.

• In trade finance, institutions must adopt comprehensive customer due diligence programs.

• Where the circumstances of a sale warrant, banks engaged in insurance agency activities may have to file SARs jointly with insurance providers.

• For stored value cards, institutions must adopt risk assessment and mitigation measures to address money laundering risk.

The 2006 Manual will be systematically relied upon by examiners as they carry out every bank examination in the United States, as well as laying the foundation for analysis by non-bank financial regulators for such sectors as broker/dealers, money services businesses, and insurance companies. Accordingly, all banks and most U.S. financial institutions will need to undertake a careful review of the 2006 Manual, and prepare to update their existing AML policies and procedures to take into account its new provisions.

This article summarizes the most notable changes in the 2006 Manual.

September 2006, Volume 11, Number 7


Electronic Banking Law and Commerce Report © 2006 Thomson/West Legalworks

West Legalworks, 395 Hudson Street, 4th Floor

New York, NY 10014

Editorial Board

Please address all editorial, subscription, and other correspondence to the publishers at [email protected]

For authorization to photocopy, please contact the Copyright Clearance Center at 222 Rosewood Drive, Danvers, MA 01923, USA (978) 750-8400; fax (978) 646-8600 or West’s Copyright Services at 610 Opperman Drive, Eagan, MN 55123, fax (651) 687-7551. Please outline the specific material involved, the number of copies you wish to distribute and the purpose or format of the use.

This publication was created to provide you with accurate and authoritative information concerning the subject matter covered. However, this publication was not necessarily prepared by persons licensed to practice law in a particular jurisdiction. The publisher is not engaged in rendering legal or other professional advice, and this publication is not a substitute for the advice of an attorney. If you require legal or other expert advice, you should seek the services of a competent attorney or other professional.

Copyright is not claimed as to any part of the original work prepared by a United States Government officer or employee as part of the person’s official duties.

One year subscription, 10 issues, $372.00 (ISSN: 1090-8420)

Electronic Banking Law and Commerce Report


© 2006 Thomson/West Legalworks Vol. 11 No. 7, September 2006

From the Editor

In this issue we look at a couple of recent regulatory issues. Kathryn Marks and Jonathan Winer, of Alston & Bird, discuss the recent changes in the FFIEC’s Bank Secrecy Act/Anti-Money Laundering Examination Manual. The revisions make significant changes to FFIEC guidance on risk assessment, the handling of ACH transactions, treatment of trade finance, suspicious activity reporting, politically exposed persons, private banking, due diligence, insurance products, stored value products, and other emerging money laundering risks.

In another article, Jonathan Winer discusses new opinions published by the European Commission and the Article 29 Data Protection Working Party that express concern about compliance with EU privacy law applying to transfers of data outside the European Union.

We have also included the federal financial institution regulators’ recent list of Frequently Asked Questions on the FFIEC’s guidance entitled Authentication in an Internet Banking Environment, which addresses the scope of the guidance, risk assessments, the time frame for implementation and other issues.

David E. Brown, Jr., Alston & Bird

David A. Balto, Robins, Kaplan, Miller & Ciresi

Lawrence G. Baxter, President and Chief e-Commerce Officer, Wachovia Corp.

Roland E. Brandel, Morrison & Foerster LLP

Russell J. Bruemmer, Wilmer Cutler Pickering Hale & Dorr LLP

Thomas Hal Clarke, Senior Vice President and Deputy General Counsel, Wachovia Corp.

Kelly McNamara Corley, Senior Vice President and General Counsel, Discover Financial Services, Inc.

Ellen d’Alelio, Steptoe & Johnson

Melanie L. Fein, Goodwin Procter L.L.P.

Paul R. Gupta, Mayer, Brown, Rowe & Maw LLP

Henry L. Judy, Kirkpatrick & Lockhart LLP

Sylvia Khatcherian, Managing Director, Legal Department, Morgan Stanley

C. F. Muckenfuss III, Gibson, Dunn & Crutcher LLP

John C. Murphy, Jr., Cleary, Gottlieb, Steen & Hamilton

P. Michael Nugent, Executive Vice President and General Counsel, IntelliRisk Management Corporation

Brian W. Smith, Latham & Watkins LLP

Stuart G. Stein, Hogan & Hartson LLP

Thomas P. Vartanian, Fried, Frank, Harris, Shriver & Jacobson

Mark A. Weiss, Covington & Burling

Richard M. Whiting, General Counsel and Executive Director, The Financial Services Roundtable

Chairman: John L. Douglas, Alston & Bird LLP

Editor-in-Chief: David E. Brown, Jr., Alston & Bird LLP

Contributing Editors: Scott A. Anenberg, Mayer, Brown, Rowe & Maw LLP; Richard M. McDermott, Alston & Bird LLP

Managing Editor: Elizabeth Thompson


Summary of Changes and Revisions

1. Risk Assessment

The 2006 Manual contains a new separate section on risk assessment. The section expressly requires a comprehensive analysis of each institution’s BSA/AML risks by the AML officer in a process that includes and is understood by all relevant institution employees, officers and directors. Examiners are cautioned against requiring any particular format for a risk assessment.

The prescribed risk assessment consists of two main parts: identification of specific risk categories and a more detailed analysis and assessment of the risk posed by these particular categories. In evaluating an institution’s assessment of its risk categories, the examiner may find that the institution is involved in high-risk categories of products or services but that the institution’s BSA/AML program effectively mitigates those risks. Additionally, institutions are provided a certain level of flexibility in developing their BSA/AML risk assessments, as the Financial Crimes Enforcement Network (FinCEN) recognizes that the risk factors are often bank specific. The guidance provides, by way of example, that a particularly high number of funds transfers may be viewed as higher risk, but not if those transfers are done primarily for long-term, well-known, domestic customers. Examiners are urged to consider not only the specific risks associated with specific products (e.g., stored value cards, money transfers, certain insurance products, trade finance activities) but also the manner in which the institution mitigates the potential risk (e.g., by enhanced due diligence programs, knowledge of customer and normal account usage, etc.).

Part two of the risk assessment requires a more detailed analysis of the information relating to the risk categories to determine the extent to which the items in those categories actually pose a risk, given the institution’s BSA/AML program. The guidance notes that the analysis should consider the following factors, as appropriate:

• the purpose of the account;

• the actual or anticipated activity in the account;

• the nature of the customer’s business;

• the customer’s location; and

• the types of products and services used by the customer.2

2. Automated Clearing House (ACH) Transactions

The new regulatory focus on the use of ACH transactions to launder money is reflected in a new section in the 2006 Manual, which specifies the risks associated with ACH transactions and provides guidance to financial institutions on how to mitigate those risks. The specified ACH risks include transactions involving the original payment (or subsequent payments) into accounts opened via the Internet, where there is no face-to-face contact; transactions originated through third-party service providers; and situations where neither the third-party service provider nor the originating financial institution performs the required due diligence on the entities for whom they are originating payments. The 2006 Manual also specifies certain types of ACH transactions that may be more prone to fraud or manipulation, including: originating financial institutions authorizing a third-party service provider to send ACH files to an ACH operator such that the originating financial institution is bypassed; originating and receiving financial institutions relying on each other to perform the required due diligence on customers; and processing of ACH transactions being highly automated with minimal opportunity for human review and/or analysis.

The 2006 Manual recommends the following risk mitigation measures:

• Obtain sufficient customer due diligence (CDD) information.

• Develop and implement an effective risk-based suspicious activity monitoring system that takes into consideration the characteristics and risks of ACH transactions.

• Review the suspicious activity monitoring policies and procedures of third-party service providers.

• Consider the layering and integration stages of money laundering when assessing the risk of a particular ACH customer.

• Consider developing and implementing a separate process for reviewing international ACH transactions.

The 2006 Manual also discusses the Office of Foreign Assets Control (OFAC) requirements on originating and receiving financial institutions involved in ACH transactions. For the first time it specifies that both ends of a transaction must be subject to OFAC screening: the originating financial institution is responsible for making sure that the originator is not a blocked party; the receiving financial institution is similarly responsible with respect to the receiver. While this has previously been OFAC’s position, this is the first time the requirement has been expressly mandated within the examination process.

3. Trade Finance Activities

The 2006 Manual finds that trade finance activities, which typically involve short-term financing to facilitate the import and export of goods, can present a risk because of the number of individuals, and financial institutions, involved. Additionally, the document-intensive nature of trade finance relative to other banking activities also increases the potential risk. Accordingly, FFIEC recommends that financial institutions undertake comprehensive CDD programs for trade finance that enable an institution to be knowledgeable both about the persons involved and the jurisdictions involved in the transaction.

The 2006 Manual provides extensive guidance on the types of CDD that institutions should consider, including the use of background checks on individuals and the reviewing of paperwork and other documentation for potential red flags. Such red flags may include over- or under-charging for the value of the shipment, discrepancies in the description of the items being shipped, or other anomalies. The guidance notes that even though one of these anomalies may be present, it may not be necessary to file a suspicious activity report (“SAR”), but rather the institution should perform further investigation. Even when a SAR is required, the institution is not necessarily required to stop the transaction (although a transaction involving an OFAC violation must be stopped, of course).

4. Regulatory and Supervisory Guidance

a. Suspicious Activity Reporting

The 2006 Manual makes several key additions to the guidance provided on suspicious activity reporting, specifically related to the SAR decision-making process, the timing of a SAR filing, and the sharing of SARs with head offices and controlling companies.

The 2006 Manual continues to recognize that the decision to file a SAR is a subjective one, and continues to encourage banks to document SAR decisions. The new guidance, however, elaborates on the documentation issue. The guidance notes that, because there is a wide variety of systems used by different institutions to monitor, track, and identify transactions, and because each SAR decision will likely involve a unique set of facts, there is no single form that should be required when a bank decides not to file a SAR. Thus, institutions maintain a certain level of flexibility in how they document their respective SAR filing decisions.

There is also additional guidance regarding the timing of a SAR filing. Specifically, the guidance elaborates on the phrase “initial detection” and clarifies that the phrase should not be interpreted to mean the very moment that a transaction is highlighted or flagged for review. The guidance recognizes that many completely normal transactions, such as a major purchase, an inheritance, or a gift, may be viewed by the BSA/AML system as being unusual or inconsistent with respect to a given account or customer, even though the transaction is completely legitimate. The flagging of such a transaction by the institution’s automated system should not be viewed as the “initial detection” of the transaction.

Interagency guidance issued in January 2006 regarding the sharing of SARs with head offices and controlling companies is incorporated into the 2006 Manual. The guidance provides that controlling company includes:

• a bank holding company (BHC), as defined in section 2 of the BHC Act;

• a savings and loan holding company, as defined in section 10(a) of the Home Owners’ Loan Act; or

• a company having the power, directly or indirectly, to direct the management policies of an industrial loan company or a parent company or to vote 25 percent or more of any class of voting shares of an industrial loan company or parent company.3

The incorporated guidance also confirms that a U.S. branch or agency of a foreign bank may disclose a SAR to its head office outside of the United States, and that a U.S. bank may disclose a SAR to controlling companies regardless of whether they are domestic or foreign. It is important to note that the guidance does not permit banks to share SARs with affiliates other than a controlling company or head office, although the information underlying the SAR filing may be disclosed to affiliates.

b. Foreign Correspondent Account Recordkeeping and Due Diligence

In January 2006, FinCEN published a final regulation implementing due diligence requirements relating to foreign correspondent accounts.4 The 2006 Manual provides guidance in accordance with this new regulation, providing that due diligence policies, procedures, and controls must include:

• determining whether each such foreign correspondent account is subject to enhanced due diligence;

• assessing the money laundering risks presented by each such foreign correspondent account; and

• applying risk-based procedures and controls to each such foreign correspondent account reasonably designed to detect and report known or suspected money laundering activity, including a periodic review of the correspondent account activity sufficient to determine consistency with information obtained about the type, purpose, and anticipated activity of the account.5

In addition to the above requirements, the guidance notes that the regulation requires an institution’s due diligence program to include special procedures when appropriate due diligence cannot be performed with regard to a foreign correspondent account. Under 31 C.F.R. 103.176(a), the due diligence program must include criteria for when the bank should refuse to open the account, suspend transaction activity, file a SAR, or close the account.6

Also in January 2006, FinCEN issued a Notice of Proposed Rulemaking that would implement enhanced due diligence requirements relating to certain foreign banks. As this regulation is not yet finalized, the 2006 Manual reiterates the guidance provided in the prior version of the BSA/AML Manual that institutions incorporate due diligence policies and procedures based on the statutory requirements of 31 U.S.C.A. 5318(i)(2).

c. Private Banking Due Diligence

The 2006 Manual provides new guidance relating to mitigating the risk of shell companies, including “maintaining control of bearer shares, entrusting the shares with a reliable independent third party, or requiring periodic certification of ownership.”7 The guidance allows, however, that an institution may distinguish its controls between new clients and long-term, well-known clients.

d. Insurance

Last November, FinCEN issued two final rules imposing AML requirements on insurance companies.8 The final rules cover only those insurance companies that sell products identified by FinCEN as being highly vulnerable to potential money laundering or terrorist financing activities. Specifically included are permanent life insurance policies, annuity contracts, and “[a]ny other insurance product with features of cash value or investment.”9 The rule excludes insurance agents and brokers from the definition of “insurance company,” based on recognition that insurance companies bear the risk of the various products and that they are also better situated to absorb the cost of implementing an AML program.

The 2006 Manual provides that if a bank, acting as an agent of the insurance company, detects unusual or suspicious activity, it is permissible to file a joint SAR with the insurance company. The guidance also expanded on prior examples of suspicious insurance transactions to include purchasing insurance products through unusual methods such as currency or currency equivalents, or buying products with insurance termination features without concern for the product’s investment performance.10

e. Politically Exposed Persons

Recognizing that it may be difficult to ascertain if a given individual qualifies as a “politically exposed person” (PEP), the guidance provides that institutions should take all reasonable steps to avoid unknowingly or unwittingly hiding or moving any proceeds of corruption by senior foreign political figures or associates. As with other BSA/AML requirements, the institution’s controls and procedures should be risk-based.

Noting that a title alone cannot be relied upon to determine that an individual is or is not a PEP, the 2006 Manual identifies several factors that an institution should consider when making such a determination, including: the official responsibilities of the individual’s office; the nature of the title (honorary or salaried); the level of authority over government activities or other officials; and access to significant government assets or funds.11 In determining whether a person is a “close associate” of a PEP, institutions are advised to focus primarily on relationships that are “widely and publicly known.” Although this is a somewhat limiting factor, the guidance also provides that where an institution has actual knowledge of a close relationship, even if it is not widely and publicly known, the institution is required to consider the person a PEP.

In keeping with the requirement that BSA/AML programs be risk-based, the guidance recognizes that not all PEPs present an identical level of risk. Factors to be considered in evaluating the level of risk posed by a particular PEP include: where the individual is, his or her position or authority, the size or complexity of the account relationship, and the products or services involved in the account relationship.

5. Emerging Money Laundering Risks – Stored Value Cards

The U.S. Money Laundering Threat Assessment (Threat Assessment), issued in December 2005, evaluated the potential money laundering risk of stored value cards and other electronic cash instruments. The 2006 Manual incorporates some of the information covered by the Threat Assessment, noting the various methods by which criminals have utilized stored value cards to move illicit funds without detection. The guidance warns institutions that because stored value cards are easy to fund, easy to transport, and create no paper trail, they are often attractive to criminals – for example, drug dealers who send loaded, prepaid cards to drug suppliers effectively send “cash” with little to no risk of detection. Thus, the 2006 Manual provides the first direction to examiners to include within their examination process a review of whether the financial institution has undertaken an adequate risk assessment and mitigation measures to address money laundering risk associated with stored value cards.

6. Reorganization of the Manual

In addition to the substantive additions and changes noted above, the 2006 Manual is also reorganized and reformatted to improve usability. The most significant change is the combining of the “Overview” and “Examination Procedures” sections – previously, the first half of the manual contained the general guidance, or “Overview,” for each subject area and the “Examination Procedures” were in the latter half. By combining the two with respect to each subject area, compliance officers and counsel will be able to more efficiently view the guidance and the associated examination issues together. The index is also more clearly marked, and stylistic changes to the text improve readability.

Kathryn Marks ([email protected]) is an associate in the Legislative and Public Policy Group at Alston & Bird LLP (www.alston.com). Jonathan Winer ([email protected]), a partner at Alston & Bird, represents domestic and foreign clients on regulatory and enforcement matters as well as on a wide range of government affairs issues including money laundering, sanctions, national security, and data protection and management, and information security and privacy.

1. The 2006 Manual is available online at http://www.ffiec.gov/bsa_aml_infobase/default.htm.

2. FFIEC BSA/AML Examination Manual (July 28, 2006) p. 23.

3. FFIEC BSA/AML Examination Manual (July 28, 2006) p. 68.

4. 31 C.F.R. 103.176. It is worth noting that the regulation applies to foreign correspondent accounts established on or after July 5, 2006. For foreign correspondent accounts established prior to July 5, 2006, the effective date of the regulation is October 2, 2006.

5. FFIEC BSA/AML Examination Manual at 109.

6. FFIEC BSA/AML Examination Manual at 111.

7. FFIEC BSA/AML Examination Manual (July 28, 2006) p. 247.

8. 31 C.F.R. 103.137 and 31 C.F.R. 103.16. For an in-depth analysis of these rules, see “New FinCEN Regulations Require Insurance Companies to Implement Anti-Money Laundering Programs and File Suspicious Activity Reports,” November 11, 2005, located at http:/www.alston.com/articles/05-400%20InsuranceCompanyAML.pdf.

9. 70 Fed. Reg. 66755 and 70 Fed. Reg. 66763.

10. FFIEC BSA/AML Examination Manual (July 28, 2006) p. 228.

11. FFIEC BSA/AML Examination Manual at 262.

New EU Opinions Clarify Data Privacy And Third-Country Data Transfer Laws While Setting The Stage For More Regulation

By Jonathan Winer

Summary

The European Commission (the “Commission”) and its Article 29 Data Protection Working Party (the “Article 29 Committee”) have published new opinions expressing concern about compliance with EU privacy law applying to transfers of data outside the European Union (“EU”). Taken as a whole, the opinions point toward greater EU scrutiny of data security practices and further regulation of data transferred to and from the EU.1

Early in 2006, the Commission signaled its strong preference for more widespread reliance on the stringent privacy protections contained in its standard contractual clauses, which have been widely criticized by companies as being impractical in many real-life business situations involving trans-Atlantic data transfers.2 In response, the Commission is considering whether to impose more stringent reporting on cross-border data transfers, a move that could have a chilling impact on commercial data flows to the U.S.

The Article 29 Committee has issued opinions pushing back against new EU rules requiring telecommunications providers to retain traffic data for law enforcement purposes.3 The Article 29 Committee also issued an opinion narrowing the basis upon which Internet Service Providers (“ISPs”) and Email Service Providers (“ESPs”) can scan the content of emails and attachments.4 Here, the Article 29 Committee found that anti-virus and anti-spam software was justified under both the “e-Privacy Directive”5 and the “Data Protection Directive,”6 but only if the confidentiality of emails and attachments is maintained and there is no scanning for predetermined content without specific authorization. The Article 29 Committee expressly warned that any person using email scanning and data transfer programs such as “Did they read it?” software, which allows the sender to track the usage and onward transfer of an email without the recipient’s knowledge, on EU-related data would violate EU law.

The Article 29 Committee also addressed simultaneous compliance by publicly traded companies with the whistleblower requirements of Sarbanes-Oxley legislation (“SOX”)7 and existing EU data privacy law, setting out general guidelines on how whistleblower schemes can be made compliant with EU data security law. The Article 29 Committee encourages using confidential, versus anonymous, reporting and establishing additional protections for the accused.8 As discussions between the EU and U.S. government on this subject are ongoing, it is expected that more concrete and binding requirements will be issued in the near future.

Finally, both the Commission and Article 29 Committee have commented on the recent decision by the European Court of Justice (the “Court”) that annulled the existing agreement between the EU and U.S. to share certain airline passenger data in an effort to prevent terrorism.9 While a new agreement will likely be created shortly, a disagreement between the Commission and the European Parliament over the types of personal data to be transferred and the adequacy of data security could lead to additional litigation.

Electronic Banking Law and Commerce Report © 2006 Thomson/West Legalworks

© 2006 Thomson/West Legalworks Vol. 11 No. 7, September 2006

Using Standard Contractual Clauses for “Third Country” Data Transfers

On January 20, 2006, the Commission issued a “Staff Working Document” on the status of standard contractual clauses used to ensure the security and privacy of personal data transferred from the EU to non-EU countries (“third countries”).[10]

In 2001 and 2002, the Commission adopted two decisions that provided standardized language to help facilitate the safe transfer of personal data.[11] In 2004, the Commission also approved a list of business-specific standard contractual clauses,[12] which were designed to be more efficient but which businesses have found difficult to apply. However, the Commission has taken the lack of records on the use and effectiveness of such clauses to imply that personal data is not being adequately protected, and if standard contractual clauses are not more widely utilized, it is likely that additional reporting requirements will result. Indeed, the Commission is already considering consolidation of the business clauses with its other standard contractual clauses into a single instrument that would also include a standardized procedure for depositing copies of such contracts with EU Member States.

The Commission continues to encourage companies to use standard contractual clauses as an alternative to the derogations provided for in Article 26(1) of the Data Protection Directive, as contractual clauses provide greater control of data once it leaves the EU for a third country and potentially beyond. The Commission is concerned that current data protection law does not cover data that is forwarded by an approved third country data recipient on to another party not covered by the initial contract. The Article 29 Committee is currently investigating this loophole and further regulations are likely.

The Commission also stated that:

• Standard contractual clauses must be modified to reflect the requirements of a particular transfer.

• While the Commission does not object to the subscription of standard contractual clauses by several data exporters or importers as a group, the information provided should be at the same level of clarity and specificity that is required for a single data exporter and a single data importer.

• Parties utilizing standard contractual clauses must be prepared to supply an authenticated copy of the contract in the national language of the requesting EU member state.

Data Retained from Publicly Accessible Networks for Law Enforcement Purposes

Opinion 3/2006, adopted March 25, 2006,[13] is the Article 29 Committee’s response to concerns about the European Council’s Directive that traffic data from publicly accessible communications networks can be retained for the purpose of combating serious crime.[14] The Directive has proved controversial and unevenly applied by EU Member States, and the Article 29 Committee calls for more safeguards to protect the “vital interests of the individual,” in particular the right to confidential electronic communication.[15]

To narrow the impact on privacy of the new data retention rules, the Article 29 Committee opinion found that under EU law:

• Public electronic communication service or network providers may not process data retained for public order purposes.

• Systems for storing data retained for public order purposes should be separate from those systems used for ordinary business purposes.

• Minimum technical and organizational security measures should be developed, though the Article 29 Committee does not specify what those standards should be.

• The amount and type of data to be retained should be minimized, though the Article 29 Committee provides no details.

• Only select police authorities may be granted access to retained data, with a list of authorized parties made public and logs kept by supervisory authorities to ensure effective oversight.

• Access to retained data should be authorized by judicial authorities on a case-by-case basis, though additional access may be allowed in those countries where authorized by law.

• Law enforcement agencies are not allowed to engage in large-scale data mining of the travel and communication patterns of people unsuspected by law enforcement authorities.

Email Screening Services

Most ISPs and ESPs use anti-virus and anti-spam filtering tools to protect their networks and servers, and in more limited cases to inspect communications for commercial reasons. In Opinion 2/2006, adopted on February 21, 2006,[16] the Article 29 Committee clarified that scans by ISPs and ESPs for viruses and spam are lawful interceptions[17] of private communications and justified under both the Data Protection Directive and the e-Privacy Directive, subject to certain limitations. However, the Article 29 Committee also stated that screening for predetermined content and the use of “Did they read it?” programs are almost never permitted under EU law.

Virus Scanning

As viruses can shut down an ISP or ESP’s services and damage the end user’s computer, virus scanning is justified under Article 4 of the e-Privacy Directive, which requires ISPs and ESPs to take “appropriate technical and organizational measures to safeguard security of [their] services.”[18] Moreover, virus scanning is also justified under Article 7b of the Data Protection Directive as such scanning is “necessary for the performance of a contract to which the data subject is a party … .”[19] However, ISPs and ESPs must ensure that the content of emails and attachments is kept confidential at all times. If anti-virus and anti-spam programs are designed to scan the content of an email, the contents of the message or attachment can only be analyzed for that purpose.

Spam Filtering

Like virus scanning, anti-spam scanning is permitted under Article 7b of the Data Protection Directive, as not preventing the proliferation of spam could slow down networks and prevent ISPs and ESPs from providing the services for which they have been contracted. Moreover, because the security of ISPs or ESPs may become a problem insofar as spam affects service, the use of anti-spam filters and the blocking of emails sent from certain addresses is further justified under Article 4 of the e-Privacy Directive.[20] Since blocking email addresses can impact the free transfer of information, the Article 29 Committee recommends that ISPs and ESPs allow a user to: (1) opt out of the spam filter; (2) decide what kind of spam to filter out; (3) opt back into spam scanning later on; and (4) read those messages labeled as spam.

Scanning for Predetermined Content

The Article 29 Committee makes clear that ISPs and ESPs are not generally permitted to scan electronic communication for predetermined content, as Article 5(1) of the e-Privacy Directive prohibits “all listening, tapping, storage or other kinds of interception or surveillance of communications and the related traffic data without the consent of the user concerned,” unless such actions are an “appropriate and proportionate measure” to safeguard national security.[21] While EU Member States cannot authorize ISPs and ESPs to monitor communications generally in such a way, the Article 29 Committee notes that ISPs and ESPs may offer content scanning as a “value added” service for their subscribers.

“Did They Read It?” Software

The Article 29 Committee expressed its “strongest opposition” to the use of “Did they read it?” processing software, which secretly tracks if an email recipient has read an email, when and how many times it was read, if and to which email server it has been transferred, and what type of web browser was used to open the email. Without the unambiguous consent of the email recipient, such a program is contradictory to the Data Protection Directive and is not permitted.

Duty to Inform

Under the Data Protection Directive, an ISP or ESP also has a duty to inform a subscriber of its virus, spam, and other information processing policies,[22] but the Article 29 Committee determined that such notification can be adequately contained in the contractual conditions of service. Providers of publicly available electronic communication services and networks must also inform subscribers of any particular risks or breaches to network security and what the subscriber can do to fix a breach if the service provider cannot. Also, while actively working to ensure the privacy of personal communication and data, ISPs and ESPs must take positive measures to ensure privacy rights can be exercised.

SOX Whistleblower Schemes

On February 1, 2006, the Article 29 Committee issued Opinion 1/2006[23] to provide general guidelines on how companies can comply with both the whistleblower requirements of SOX and EU data privacy law.[24] The opinion is strictly limited to whistleblower schemes involving accounting, internal accounting controls, auditing matters, the fight against bribery, banking and financial crime, and is not a final opinion on whistleblower schemes in general. Whistleblower requirements already exist in most EU states as regards banking and combating bribery, and many states have national laws which mirror SOX provisions. However, the legal obligation laid down by a foreign government (e.g., SOX) does not itself create the legal justification required under the Data Protection Directive to authorize the collection and storage of personal data.

Under EU law, whistleblower schemes are legitimately established only if their purpose complies with either Article 7(c) or Article 7(f) of the Data Protection Directive. Article 7(c) authorizes data collection and processing if it is necessary to comply with a legal obligation to which the data controller is subject. Article 7(f) allows for the establishment of a whistleblower scheme if necessary for the purposes of a “legitimate interest pursued by the controller” or by the third party to whom the data is disclosed. Companies that wish to establish whistleblower schemes should obtain a detailed legal analysis, complemented by checks with local data protection authorities, to ensure compliance with all local data protection laws, which may be more detailed than the Article 29 Committee’s guidelines.

While its opinion is not a final set of rules, the Article 29 Committee provides a number of suggestions on how to make whistleblower schemes compliant with EU law:

• There should be limitations on who can file a whistleblower complaint and who can be reported as having committed a violation.

• The scheme should emphasize confidential, as opposed to anonymous, reporting by accusers. Anonymous reports can be allowed if the whistleblower scheme does not encourage them and if it is broadcast that an accuser’s identity will be kept confidential unless required for investigative or judicial purposes.

• Data collected must be limited to the purpose of the investigation, and companies must limit the information gathered to accounting, internal accounting controls, anti-bribery, auditing matters, or banking or financial crime issues.

• Any information gathered that is not covered by the whistleblower scheme can be forwarded to the proper officials of the company when the “vital interests of the data subject or moral integrity of employees” are at stake, or when required under national law.

• All parties that receive the report must provide the same guarantees of security as required of the local EU company under EU law.[25]

• All data collected must be promptly deleted, usually within two months of the completion of the investigation, though such data should be kept for the duration of any criminal or other judicial proceedings that may result, including appeals.

• The accused must be notified that data about him has been collected, though if notifying the accused might result in the destruction or alteration of evidence, such notification can be delayed.[26]

• The notification must inform the accused of which entity is responsible for the whistleblower scheme, the facts he is accused of, all departments or services that might receive the report, and how to exercise his rights to access and rectify any mistakes in the report.

• The identity of the accuser should remain confidential unless the initial report is found to be malicious, in which case the accuser’s identity can be revealed so that libel proceedings may proceed.[27]

Passenger Name Record (PNR) Sharing With The U.S.

On May 30, 2006, the European Court of Justice (the “Court”) struck down European Council Decision 2004/496/EC[28] (the “PNR Decision”), created to share data on trans-Atlantic airline passengers with the U.S. Bureau of Customs and Border Protection in an effort to prevent terrorism.[29] As the data transfer and processing in question fell outside the scope of the Data Protection Directive, the Court determined that the PNR Decision had no legal basis. In the wake of the ruling, the Article 29 Committee adopted Opinion 5/2006 on June 14, 2006, calling for a new EU-wide agreement to be adopted before the now annulled PNR Decision runs out on September 30, 2006, and incorporating the following suggestions:

• Strict limits to the onward transfer of PNR data elements.[30]

• Reductions in the number of data elements transferred.

• Institution of a “push system,” whereby airlines send the U.S. government PNR data, rather than the U.S. government maintaining its access to, and ability to extract data directly from, airline reservation databases.

• Maintenance of at least the current levels of data protection.

• A term lasting no longer than the end of November 2007, with regular reviews.

On June 19, 2006, the Commission also passed two initiatives to help move the EU toward creating a new PNR data transfer agreement.[31] Of significance is the Commission’s suggestion that the new agreement be created under Article 38 of Title VI of the Treaty on European Union, which allows EU Member States to create and adopt the agreement without the involvement of the European Parliament. This is a politically sensitive move, as it was the European Parliament which challenged the original PNR Decision in the courts. Also, as the Court did not find it necessary to address the PNR Decision’s content in order to annul it, the Commission suggests using essentially the same language and legal safeguards as contained in the original PNR Decision. However, unless EU Member States incorporate the European Parliament’s data security and policy concerns, such as through those measures outlined in the Article 29 Committee’s Opinion, it is likely that the European Parliament will again challenge the new agreement in the courts and delay resolution of the issue.

Implications:

The recent Commission and Article 29 Committee opinions make clear that more requirements on the handling and transfer of personal data across borders will be forthcoming. In light of the growing pressure for greater regulation, U.S. firms may wish to consider whether they need to review and update their data protection practices for any data transferred to or from the EU. Fresh consideration of participation in the U.S.-EU Safe Harbor program or binding corporate rules may be appropriate as alternatives to model contracts or ad hoc clauses. At the very least, all companies should ensure that the contractual clauses used are tailored specifically enough to the transfer to avoid allegations of non-compliance. Moreover, companies involved in transferring data from the EU, or approved data recipients in third countries, may want to begin requiring stricter data security measures from any third party data controllers or processors they utilize, to ease integration with new security requirements that are all but certain to be passed.

While companies involved in internet and email service provision are now assured that anti-virus and anti-spam scanning are legally justified, they must ensure that they do not scan emails and attachments for predetermined content or allow for “Did they read it?” software unless the users provide unambiguous consent. Also, companies that provide publicly available electronic communication services or networks must ensure that all data retained for law enforcement purposes is stored separately from normal business data, and is only processed by select law enforcement agents under strictly controlled conditions.

For companies listed on U.S. stock exchanges, compliance with SOX and EU data privacy law is possible, though the law is unsettled in both the U.S. and EU. Until more clarifications are announced, companies should obtain careful analysis of both EU and local law, supplemented by consultations with relevant Data Protection Authorities, and tailor their schemes to their particular needs in order to reconcile the opportunities created by the SOX whistleblower rules with the current limitations of the EU’s application of the Data Protection Directive to the whistleblower element of SOX.

Finally, as regards transfers of PNR data from European airlines to the U.S. government, it is all but certain that a new agreement will be created shortly. However, given the political context, unless the Commission and EU Member States modify the original PNR Decision text to address the European Parliament’s concerns over data security and the U.S. government’s access to airline databases, it is likely that the European Parliament will challenge the new agreement in the courts and further delay any final decision.

Jonathan Winer ([email protected]), a partner at Alston & Bird (www.alston.com), represents domestic and foreign clients on regulatory and enforcement matters as well as on a wide range of government affairs issues including money laundering, sanctions, national security, and data protection and management, and information security and privacy.

1. For the purpose of this advisory, the term “EU” refers not only to the 25 Member States of the EU but to all other countries in the European Economic Area (EEA) covered by the Directives mentioned, which include Iceland, Liechtenstein, Norway, the Channel Islands, and the Isle of Man.

2. European Commission Staff Working Document on the implementation of the Commission decisions on standard contractual clauses for the transfer of personal data to third countries (2001/497/EC and 2002/16/EC), PARL. EUR. DOC. SEC (2006) 95, January 20, 2006.

3. Article 29 Data Protection Working Party Opinion 3/2006 on the Directive 2006/24/EC of the European Parliament and of the Council on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC (WP 119), March 25, 2006. Data Protection Working Party Documents are available at http://ec.europa.eu/justice_home/fsj/privacy/workinggroup/wpdocs/2006_en.htm.

4. Article 29 Data Protection Working Party Opinion 2/2006 on privacy issues related to the provision of email screening services (WP 118), February 21, 2006.

5. Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector, 2002 O.J. (L 201) (the “e-Privacy Directive”), available at Alston & Bird’s International Privacy Library http://www.alston.com/abresourcecenter/resource_digest.aspx?s=3&r=679.

6. Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data, 1995 O.J. (L 281) (the “Data Protection Directive”).

7. Article 29 Data Protection Working Party Opinion 1/2006 on the application of EU data protection rules to internal whistleblowing schemes in the fields of accounting, internal accounting controls, auditing matters, fight against bribery, banking and financial crime (WP 117), February 1, 2006.

8. The opinion is limited to accounting, internal accounting controls, anti-bribery, auditing matters, or banking or financial crime issues.

9. Council Decision 2004/496/EC on the Conclusion of an Agreement Between the European Community and the United States of America on the Processing and Transfer of PNR Data By Air Carriers to the United States Department of Homeland Security, Bureau of Customs and Border Protection, 2004 O.J. (L 183).

10. Data Privacy Directive, 1995 O.J. (L 281). Under the Data Privacy Directive, transfers of personal data from an EU member state to a third country may only take place when: (1) the subject of the data unambiguously agrees to the transfer; (2) the Commission has made an “adequacy finding,” whereby pursuant to Article 25(6) of the Data Protection Directive the Commission assesses the third country’s domestic law or other international commitments as relate to protection of individual privacy rights; (3) the transfer is authorized under one of the derogations listed in Article 26(1) of the Data Protection Directive; or (4) the data exporter and importer have drafted a contract, utilizing either ad hoc language or one of the standard contractual clauses developed by the Commission, to guarantee adequate data security.

11. The first Directive, 2001/497/EC, applies to transfers of data from data controllers in the EC to data controllers in third countries, 2001 O.J. (L 181) 19-31. The second Directive, 2002/16/EC, applies to transfer of data from data controllers in the EC to data processors in third countries, 2002 O.J. (L 6) 52-62.

12. The business clauses are published at 2004 O.J. (L 385) 74-84.

13. Article 29 Data Protection Working Party Opinion 3/2006 on the Directive 2006/24/EC of the European Parliament and of the Council on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC (WP 119), March 25, 2006.

14. Council Directive 2006/24/EC on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks services and amending Directive 2002/58/EC, 2006 O.J. (L 105) 54.

15. e-Privacy Directive, 2002 O.J. (L 201) 37.

16. Article 29 Data Protection Working Party Opinion 2/2006 on privacy issues related to the provision of email screening services (WP 118), February 21, 2006.

17. The European Convention on Human Rights authorizes member states to carry out a lawful interception under three conditions, as laid out in Article 8(2): that there is a “legal basis, the need for such a measure in a democratic society, and conformity with one of the legitimate aims listed in the Convention.” An interception is defined as when “a third party acquiring access to the content and/or traffic data related to private communications between two or more correspondents, including traffic data concerning the use of electronic communication services that constitutes a violation of an individual’s right to privacy and to confidentiality of correspondence.”

18. e-Privacy Directive, 2002 O.J. (L 201) 37.

19. Data Protection Directive, 1995 O.J. (L 281).

20. e-Privacy Directive, 2002 O.J. (L 201) 37.

21. e-Privacy Directive, 2002 O.J. (L 201) 37. Article 15(1) allows member states to restrict the scope of the rights provided for in Article 5 if such a restriction is “a necessary, appropriate and proportionate measure within a democratic society to safeguard national security (i.e. State security), defense, public security, and the prevention, investigation, detection and prosecution of criminal offences or of unauthorized use of the electronic communication system.”

22. Article 10 of the Data Protection Directive, 1995 O.J. (L 281).

23. Article 29 Data Protection Working Party Opinion 1/2006 on the application of EU data protection rules to internal whistleblowing schemes in the fields of accounting, internal accounting controls, auditing matters, fight against bribery, banking and financial crime (WP 117), February 1, 2006.

24. The status of the law, as SOX applies to European subsidiaries of U.S. companies or European companies listed on U.S. stock exchanges is unsettled, however, as the 1st Circuit U.S. Court of Appeals held that SOX provisions on the protection of whistleblowers do not apply to foreign citizens working outside the U.S. for foreign subsidiaries of companies required to comply with the remaining provisions of SOX.

25. This compliance can be established by a U.S. company’s membership in the U.S. Safe Harbor program, the use of standard contractual clauses, or through the development of corporate data privacy rules that have been pre-approved by the relevant data protection authorities. For more information on Standard Contractual Clauses, see http://europa.eu.int/eur-lex/pri/en/oj/dat/2001/l_181/l_18120010704en00190031.pdf.

26. Article 11 of the Data Protection Directive, 1995 O.J. (L 281). The Working Party did not set a time limit of how long a delay was permissible under such a scenario.

27. Article 12 of the Data Protection Directive, 1995 O.J. (L 281).

28. Council Decision 2004/496/EC, on the conclusion of an Agreement between the European Community and the United States of America on the processing and transfer of PNR data by Air Carriers to the United States Department of Homeland Security, Bureau of Customs and Border Protection, 2004 O.J. (L 183).

29. Joined Cases C-317/04 and C-318/04, European Parliament v. Council of the European Union and v. Commission of the European Union, see http://ec.europa.eu/justice_home/fsj/privacy/docs/adequacy/pnr/judgement_ecj_30_05_06_pnr_en.pdf.

30. “Data elements” are the fields of information in an airline’s PNR system, of which 34 are currently being transferred, including name, reservation date, travel agent, itinerary, form of payment, flight number, and seating information. See http://www.usembassy.org.uk/terror673.html. According to the EU, the U.S. Bureau of Customs and Border Protection has undertaken to continue not to use any PNR data that is defined as “sensitive” in article 8.1 of the Data Protection Directive, including information on race, religion, or health status. See http://ec.europa.eu/comm/external_relations/us/intro/pnrmem03_53.htm.

31. Press release, European Union Delegation of the European Commission to the U.S.A, EU Commission Adopts Initiatives to Open New Talks with the U.S. on Passenger Name Records (No. 50/06, June 19, 2006), available at http://www.eurunion.org/news/press/2006/20060050.htm.

Frequently Asked Questions on FFIEC Guidance on Authentication in an Internet Banking Environment

Purpose

The staffs of the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision (the Agencies) have jointly developed the attached frequently asked questions (FAQs) to assist financial institutions and their technology service providers in understanding the Federal Financial Institutions Examination Council’s (FFIEC’s) guidance entitled Authentication in an Internet Banking Environment (the guidance).

Overview

The guidance, issued on October 12, 2005, updates the FFIEC’s guidance entitled Authentication in an Electronic Banking Environment issued in 2001. It addresses the need for risk based assessments, customer awareness, and enhanced security measures to authenticate customers using Internet-based products and services that process high risk transactions involving access to customer information or the movement of funds to other parties. The attached FAQs are a representation of questions the Agencies have received from financial institutions, Agency examiners, and technology service providers and they address the scope of the guidance, risk assessments, the time frame for implementation, and other issues.

Institutions should review these FAQs in conjunction with the guidance as they assess risks in their Internet-based products and services and determine appropriate authentication solutions for permitting access to systems that process high risk transactions involving the movement of funds to other parties or access to customer information.

Frequently Asked Questions on FFIEC Guidance on Authentication in an Internet Banking Environment

Scope

Q-1 What was the impetus for the regulators providing guidance regarding how customers should access electronic banking systems?

A-1 Since 2001 there have been improvements in authentication technologies, increasing incidents of fraud (including identity theft), and significant legal and technological changes regarding the protection of customer information.

Q-2 Does the guidance apply to telephone banking systems?

A-2 While the guidance focuses on Internet banking systems, its principles apply to all forms of electronic banking, including telephone banking systems.

Q-3 Do the Agencies maintain a list of “approved” solutions?

A-3 No, the Agencies do not maintain a list of approved solutions.

Q-4 Is the Appendix to the guidance an “exclusive” list of solutions?

A-4 No, the Appendix is only a brief discussion of some of the technologies that the Agencies were aware of that could be used to address this issue.

Q-5 Does the guidance require the use of multifactor authentication?

A-5 No, the guidance does not call for the use of multifactor authentication. The use of multifactor authentication is one of several methods that can be used to mitigate risk as discussed in the guidance. However, the guidance identifies circumstances under which the Agencies would view the use of single-factor authentication as the only control mechanism as inadequate and conclude that additional risk mitigation is warranted.

Q-6 Does the guidance apply to both retail and commercial customers?

A-6 Yes, the guidance applies to both retail and commercial customers.

Q-7 Does the guidance apply to the retail use of credit and debit cards, including over the Internet?

A-7 No, the guidance does not apply to the use of credit or debit cards.

Q-8 Does the guidance apply to correspondent banking?

A-8 The guidance applies to correspondent banking if the correspondent banking relationship uses an electronic banking system with high-risk functionality as described in the guidance.

Q-9 Does the guidance specify the use of hardware tokens for authentication?

A-9 No, the use of hardware tokens is one possible method for enhancing controls surrounding the authentication of customers.

Q-10 Are the Agencies recommending multifactor authentication over layered security or other compensating controls?

A-10 No, any of these controls may be an effective method to mitigate risk in accordance with the guidance, if properly implemented.

Q-11 Are there banking applications where single-factor authentication as the only control mechanism would be adequate?

A-11 Single-factor authentication alone would be adequate for electronic banking applications that do not process high-risk transactions, e.g., systems that do not allow funds to be transferred to other parties or that do not permit access to customer information.

Q-12 Does the guidance apply to loan service companies?

A-12 The guidance applies to all financial institutions regulated by the Agencies.

Q-13 Does the guidance apply to securities brokers?

A-13 The guidance applies to the same entities and information covered by the Interagency Guidelines Establishing Information Security Standards. See §1.A of the Guidelines. The Securities and Exchange Commission has its own regulation on safeguarding customer information. See 17 C.F.R. 248.30.

Q-14 Can an institution perform a risk assessment and conclude that stronger authentication is not warranted?

A-14 An institution’s risk assessment may conclude that existing controls are appropriate. However, such a conclusion would not be justified if the institution’s electronic banking systems use single-factor authentication as their only control for high-risk transactions involving access to customer information or the movement of funds to other parties.

Q-15 If a financial institution has not experienced financial fraud or identity theft originating from its online banking system, should it nonetheless undertake risk mitigation steps in accordance with the guidance?

A-15 Yes, the guidance states that a financial institution’s risk assessment should consider appropriate risk-mitigation steps for both current and future risks. (Please refer to question 14.)

Q-16 Does the guidance apply to loan or deposit account applications submitted over the Internet by non-customers?

A-16 The guidance does not apply to applications submitted by non-customers. As the appendix to the guidance explains, customer verification during account origination is a related but separate process from that of authentication.

Q-17 Does the guidance address mutual (e.g., institution-to-customer) authentication?

A-17 No, the guidance does not specifically address mutual authentication. However, mutual authentication may be an effective host authentication control mechanism and may be part of a layered security program.

Q-18 Would an institution meet the expectations of the guidance if it permits high-risk transactions through a system that relies on single-factor authentication as its only control mechanism provided that the institution chooses to reimburse customers for any losses associated with Internet fraud?

A-18 No, making customers whole for losses is not a substitute for adopting appropriate authentication measures or other controls described in the guidance.

Q-19 Does the guidance apply to call centers?

A-19 The principles of the guidance apply if a financial institution permits high-risk services to be performed through its call center.

Timing

Q-1 What do the Agencies expect institutions to have accomplished by year-end 2006?

A-1 The Agencies expect that institutions will complete the risk assessment and will implement risk mitigation activities by year-end 2006. The Agencies are not considering any general extension of the timing associated with this guidance.

Q-2 What if the financial institution or its technology service provider cannot implement a solution by year-end 2006?

A-2 The Agencies’ examiners will assess the adequacy of each financial institution’s authentication controls on a case-by-case basis.

Definitions

Q-1 Can you further clarify high-risk transactions involving the movement of funds to other parties and access to customer information?

A-1 The term “customer information” is defined in footnote 2 of the guidance by reference to the Interagency Guidelines Establishing Information Security Standards. Financial institutions may also want to review the Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice. The term “movement of funds to other parties” includes bill payment applications as well as the ability to transfer funds to a separate account maintained at the same depository institution but owned by a different party. Thus, any system that permits the movement of funds to other parties and/or the access to customer information, as defined previously, is “high-risk” necessitating stronger authentication or additional controls.

Q-2 What does the guidance mean when it refers to “layered security or other controls reasonably calculated to mitigate those risks?”

A-2 The term “layered security” includes other risk-mitigating controls that would not strictly be considered multifactor authentication. The reference to “other controls” includes other mitigating controls that exist today or that may be introduced in the future.

Risk Assessment

Q-1 What type of documentation is contemplated for the risk assessment? Do the Agencies have a template that financial institutions should use?

A-1 The guidance is not specific in this regard and the Agencies do not have a template for such risk assessments. However, financial institutions seeking general information on risk assessments may refer to the Small Entity Compliance Guide for the Interagency Guidelines Establishing Information Security Standards and the FFIEC IT Examination Handbook, Information Security Booklet.

Q-2 Can a financial institution rely on its Internet banking system provider to perform the risk assessment?

A-2 Yes, however, the institution is ultimately responsible for managing risk and should perform appropriate due diligence as required when selecting a service provider. The institution may accept a risk assessment performed by the service provider after the institution has ensured that the assessment is accurate and the solutions are sufficient to mitigate the risks to the financial institution and its customers.

Q-3 Does the guidance provide that financial institutions will assess the risks regarding authentication on a yearly basis?

A-3 No, however the Interagency Guidelines Establishing Information Security Standards require that an institution’s information security program be monitored, evaluated, and adjusted as appropriate in light of changes in technology, the sensitivity of customer information, internal and external threats to information, the institution’s changing business arrangements, and changes to customer information systems. These same criteria apply to re-evaluating the institution’s Internet banking controls.

Q-4 Can a financial institution forgo the risk assessment and move immediately to implement additional authentication controls?

A-4 No, because the guidance is risk-based, a risk assessment that sufficiently evaluates the risks and identifies the reasons for choosing a particular control should be completed.

Q-5 Should the risk assessment specifically consider the risks of phishing, pharming, and malware?

A-5 Yes, these are some of the vulnerabilities that are specifically mentioned in the guidance. Other factors appropriate for consideration in the risk assessment include reputation risk, harm to the customer, transaction risk, and other reasonably foreseeable threats.

Customers

Q-1 May an institution permit customers to “opt-out” of additional authentication controls?

A-1 No, the Agencies believe that permitting customers to opt-out is not an effective risk mitigation strategy and would undermine the effectiveness of the control. In addition, this would not address reputation risk to the institution. However, an institution may permit customers to choose between different authentication options provided the options offered are consistent with the guidance.

Q-2 The guidance also discusses a customer awareness program that includes periodic evaluations. How do the Agencies envision that this would be implemented?

A-2 An institution may implement a customer awareness program in a number of ways, including making information available on the institution’s website, in statement stuffers or other direct mail communication, or at branch offices. The institution may track the number of times customers click on an information security hotlink or the amount of written material disseminated. The Agencies understand that institutions cannot force customers to access or read such information.

Technology Service Providers

Q-1 Will the Agencies assess the progress of technology service providers prior to year-end 2006?

A-1 The Agencies are assessing efforts being made by technology service providers to conform with the guidance as part of the ongoing interagency supervisory process.

Q-2 Should an institution rely on the authentication technique chosen by its service provider?

A-2 The institution remains ultimately responsible for the adequate authentication of transactions involving access to customer information or movement of funds to other parties. This responsibility includes ensuring that the authentication techniques chosen by its service providers are appropriate for the institution’s services.

Appendix

Q-1 Would two-factor authentication include using two of the same type of factor (e.g., two different passwords) if they are used at different points in the applications?

A-1 By definition true multifactor authentication requires the use of solutions from two or more of the three categories of factors. Using multiple solutions from the same category at different points in the process may be part of a layered security or other compensating control approach, but it would not constitute multifactor authentication.

Q-2 Is a user logon ID considered one of the factors in multifactor authentication?

A-2 No, because user logon IDs are not secret.
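The two Appendix answers above (A-1: factors must come from two or more of the three categories; A-2: a logon ID is not a factor because it is not secret) can be turned into a small check that tells a reviewer whether a proposed login flow is genuinely multifactor or merely layered. The code below is an added example, not part of the FAQ or of any agency document; the Enum for the three categories, the authenticator catalogue and the sample schemes are all constructed for the illustration.

```python
"""Added example: classifying an authentication scheme per FFIEC FAQ Appendix A-1/A-2.

Assumptions (not from the FAQ): the three factor categories are modelled as an
Enum; the authenticator catalogue and sample schemes below are constructed."""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Set


class Factor(Enum):
    KNOWLEDGE = "something the user knows"
    POSSESSION = "something the user has"
    INHERENCE = "something the user is"


@dataclass(frozen=True)
class Authenticator:
    name: str
    # None means "not an authentication factor at all", e.g. a logon ID,
    # which A-2 excludes because it is not secret.
    factor: Optional[Factor]


# Constructed catalogue of authenticator types used in the sample schemes.
PASSWORD = Authenticator("password", Factor.KNOWLEDGE)
CHALLENGE_QUESTION = Authenticator("challenge question", Factor.KNOWLEDGE)
HARDWARE_TOKEN = Authenticator("hardware token", Factor.POSSESSION)
FINGERPRINT = Authenticator("fingerprint", Factor.INHERENCE)
LOGON_ID = Authenticator("user logon ID", None)


def factor_categories(scheme: List[Authenticator]) -> Set[Factor]:
    """Distinct factor categories represented in a scheme, ignoring non-factors."""
    return {a.factor for a in scheme if a.factor is not None}


def is_multifactor(scheme: List[Authenticator]) -> bool:
    """A-1: true multifactor needs solutions from two or more of the three categories."""
    return len(factor_categories(scheme)) >= 2


def classify(scheme: List[Authenticator]) -> str:
    """Label a scheme as multifactor, layered single-factor, single-factor, or none.

    'layered single-factor' is the A-1 case: several secrets from the same
    category used at different points, which may be a compensating control
    but is not multifactor authentication."""
    categories = factor_categories(scheme)
    real_factors = [a for a in scheme if a.factor is not None]
    if len(categories) >= 2:
        return "multifactor"
    if len(real_factors) >= 2:
        return "layered single-factor"
    if len(categories) == 1:
        return "single-factor"
    return "no authentication factor"


if __name__ == "__main__":
    for scheme in ([LOGON_ID, PASSWORD],
                   [LOGON_ID, PASSWORD, CHALLENGE_QUESTION],
                   [LOGON_ID, PASSWORD, HARDWARE_TOKEN],
                   [FINGERPRINT]):
        print([a.name for a in scheme], "->", classify(scheme))
```

The useful edge cases are the second and third schemes: a logon ID plus two different secrets still counts only one category (knowledge), whereas a password plus a hardware token spans two and qualifies.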

Q-3 Are there authentication methods that an institution can implement without customer involvement?

A-3 An institution can implement authentication controls with varying degrees of customer involvement. Some solutions can be implemented with virtually no customer interaction while others require significantly more.


Selected Regulatory Developments

By Scott Anenberg

OCC Issues Gift Card Guidance

On August 14, 2006, the Office of the Comptroller of the Currency (“OCC”) published a bulletin which provides guidance to national banks on the unique disclosure and marketing issues presented by gift cards. The OCC action comes as gift card usage and consumer complaints about them continue to increase, and represents an interesting contrast to the approach recently taken by the OCC’s sister agency, the Office of Thrift Supervision (“OTS”), which issued an opinion preempting state law restrictions on gift cards (please see this column in the July-August 2006 issue).

Gift cards are prepaid or stored value cards that are designed to be purchased by one consumer and presented as a gift to a second consumer. According to the OCC, the fact that the individual purchasing the gift card is usually different than the individual using it is a key consideration in attempting to craft effective disclosure requirements. Even if full and proper disclosures are made to a gift card purchaser, those disclosures may not reach the gift card recipient, leading to confusion regarding costs, terms and other conditions.

Gift cards fall into two main categories: retail gift cards (e.g., cards issued by a book store for use in that book store) and bank-issued gift cards. The OCC’s guidance focuses on bank-issued gift cards, which are typically bank products in which the bank enters into an agreement with the consumer and sets the fees and terms associated with the cards. A bank-issued gift card typically carries the logo of a payment card network such as VISA, MasterCard, or American Express, and can be used at any of the various locations that accept cards from that network.

The OCC bulletin makes clear that national banks issuing gift cards must take appropriate steps to ensure that certain key information is provided in a form that is likely to be accessible by both purchasers and recipients of the cards. To achieve that goal, the OCC described the disclosures it expects to see both on the gift card itself and in a separate information form that is designed to be included along with the gift card when presented to the recipient.

Basic disclosures that should be provided on the gift card itself include:

• the expiration date of the card (which, consistent with existing practices for credit and debit cards, should be presented clearly on the front of the card);

• the existence and amount of any monthly maintenance, dormancy, usage, or similar fees; and

• a toll-free number, Web address or other method by which consumers may obtain additional information about their cards.

Other important information that is less essential but that the OCC recommends should be highlighted in a form accompanying the gift card includes:

• the name of the bank issuer;

• additional fees applied to services such as card replacement, balance inquiry or foreign currency conversion;

• places where the card can be used;

• the importance of tracking the card’s remaining balance, how to do so, and the ability to redeem any unused minimal balance;

• the bank’s obligation to authorize transactions through use of the card, and examples of the circumstances under which it may refuse to do so;

• dispute and complaint procedures; and

• when applicable, the issuer’s ability to revoke or change the terms of the gift card agreement.

Finally, the OCC reminds national banks that they should avoid marketing or promotional practices that might mislead consumers about the terms and conditions of the cards. Examples of misleading marketing include advertising the gift card as having “no expiration date” if monthly service or maintenance fees, or similar charges, can consume the card balance and therefore effectively cause the card to expire.

In issuing its June 9, 2006, preemption opinion with respect to state gift card disclosure requirements and other restrictions, the OTS attempted to address consumer concerns by noting several federal requirements that govern the issuance of gift cards by federal savings associations, including general federal prohibitions against misleading or deceptive advertising or marketing. The OCC apparently has concluded that more specific gift card disclosure guidance was necessary, and it remains to be seen whether release of this guidance may be a precursor to a determination by the OCC to preempt state gift card restrictions for national banks.

To access the OCC’s Bulletin which provides guidance to national banks on gift card disclosure and marketing issues, please use the following link: http://www.occ.treas.gov/ftp/bulletin/2006-34.doc


FFIEC Issues FAQs Clarifying Internet Banking Authentication Guidance

In October 2005, the Federal Financial Institutions Examination Council (“FFIEC”) issued updated guidance on “Authentication in an Internet Banking Environment,” (please see this column in the November 2005 issue). In response to the various questions raised after release of the guidance, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration, the OCC, and the OTS (“the Agencies”) jointly developed and published on August 16, 2006, a list of frequently asked questions (“FAQs”) to provide additional guidance.

The FAQs address topics such as the scope of the new guidance, timing requirements for implementation, and clarification of definitions. In addition, the FAQs provide some additional guidance concerning the risk assessment that banks are required to perform under the guidance, and the role of an institution’s technology service provider. Among the more significant clarifications are (i) an explicit statement that single-factor authentication is not adequate for electronic systems that either permit funds transfers to third parties or that permit access to customer information; and (ii) confirmation that risk assessments and implementation of risk mitigation activities must be completed by year-end 2006 and that no extensions of that deadline are being considered.

The FAQs have been published in full elsewhere in this issue. They also can be accessed using the following link: http://www.fdic.gov/news/news/financial/2006/authentication_faq.pdf. To access the “FFIEC Guidance on Authentication in an Internet Banking Environment” itself, please use the following link: http://www.ffiec.gov/pdf/authentication_guidance.pdf

FFIEC Revises Information Security Booklet

On July 27, 2006, the FFIEC issued an updated version of its 2003 “Information Security Booklet” which is one of the 12 booklets comprising the FFIEC “Information Technology Examination Handbook” (“IT Handbook”). (Please see this column in the March 2003 issue for a discussion of the original Information Security Handbook.)

The 12 booklets of the IT Handbook replaced the 1996 FFIEC “Information Systems Examination Handbook” and were originally released over a period of 18 months ending in 2004. Each of the 12 booklets focuses on a specific topic and was drafted by one of the agencies, with input from the other agencies and various FFIEC subcommittees and subject experts.

The updated Information Security Booklet addresses various changes in technology, risk assessments, mitigation strategies and regulatory guidance that have occurred in the three years since its original publication. The nearly 100-page booklet provides detailed guidance on maintaining an ongoing information security risk assessment program, developing an appropriate information security strategy, implementing various types of security controls (with over 50 pages of discussion of a variety of specific controls and issues), monitoring security, and monitoring and updating the information security program. In addition to examination procedures and a glossary of key terms, an appendix to the guidance provides a list of laws, regulations and guidance relating to information security that have been issued by each of the bank regulatory agencies.

Some of the specific subject areas that have been updated include authentication strategies and requirements, information about software trustworthiness, and new guidance on malware, wireless banking and remote access.

In terms of authentication issues, the Information Security Booklet emphasizes that financial institutions should use effective authentication methods appropriate to the level of risk associated with the particular applications or services being considered. Examples of authenticators include passwords, personal identification numbers, digital certificates and biometric templates. Institutions should first select authentication mechanisms based on assessed risk, then consider whether multi-factor authentication is appropriate for each application under consideration, and make sure to encrypt the transmission and storage of authenticators.
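The last point of that paragraph, protecting authenticators at rest, is the one most often got wrong in practice. Below is an added example (not the booklet's text or any agency's code) of how a password authenticator is enrolled so that the stored record never contains the secret, and how a login attempt is verified against that record. The booklet speaks of encrypting stored authenticators; this example instead uses a salted password-based key derivation (PBKDF2-HMAC-SHA256 from the Python standard library), which is the customary way to protect stored passwords because no reversible key is needed. The record layout, iteration count and sample passwords are assumptions of the example.

```python
"""Added example: protecting a stored password authenticator and verifying logins.

Assumptions (not from the booklet): the '$'-separated record layout, the PBKDF2
iteration count and the sample passwords are constructed for this example."""
import base64
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2-sha256"
ITERATIONS = 100_000   # assumption; raise on faster hardware
SALT_BYTES = 16


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def enroll(password: str) -> str:
    """Return the record to store for this password.

    The record holds the algorithm, iteration count, a fresh random salt and the
    derived key, so two enrollments of the same password produce different records
    and the plaintext never appears in storage."""
    salt = os.urandom(SALT_BYTES)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "$".join([ALGORITHM, str(ITERATIONS), _b64(salt), _b64(derived)])


def verify(password: str, record: str) -> bool:
    """Check a login attempt against a stored record without recovering the secret."""
    try:
        algorithm, iterations, salt_b64, derived_b64 = record.split("$")
    except ValueError:
        return False  # malformed record: refuse rather than guess
    if algorithm != ALGORITHM:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(derived_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(candidate, expected)


def plaintext_absent(password: str, record: str) -> bool:
    """True when the stored record does not contain the password itself."""
    return password not in record


if __name__ == "__main__":
    record = enroll("correct horse battery")   # constructed sample password
    print("stored record:", record)
    print("correct password accepted:", verify("correct horse battery", record))
    print("wrong password rejected:", not verify("wrong password", record))
```

The same pattern covers PINs; digital certificates and biometric templates are different kinds of authenticator and need their own protection (key storage, template encryption), which the booklet leaves to the institution's risk assessment.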

Regarding software trustworthiness, the Information Security Booklet notes that software can contain code that is either inadvertently or intentionally erroneous and that introduces security risks into systems and applications. That code can cause unauthorized access to editing capabilities or private data, and circumvent the financial institution’s control structure and procedures (such as its authentication practices). Therefore, institutions are urged to assess carefully the integrity of their software. Assessments of both in-house-developed and externally purchased software should consider the development process, the source code, and the history and reputation of the developers or vendors.

In a related part of the guidance, financial institutions are warned against the risk of malicious code, or malware, which includes viruses, worms, Trojan horses, and programs such as spyware. The Information Security Booklet advises institutions to develop controls at the host level, the network level and the user level to protect against the introduction and spread of malicious code.

Finally, with more and more users accessing networks remotely, and often through wireless networks, the guidance addresses both of those issues in separate sections. Suggestions for dealing with wireless networks include:


• treating wireless networks as untrusted networks, allowing access only through protective devices similar to those used to shield the internal network from the Internet environment;

• using end-to-end encryption in addition to the encryption provided by the wireless connection;

• using strong authentication controls and configuration controls at the access point and with all clients; and

• monitoring and responding to unauthorized wireless access points and clients.

Financial institutions should secure remote access to and from their systems by:

• disabling remote communications if no business need exists;

• tightly controlling access through management approvals and subsequent audits;

• implementing robust controls over configurations at both ends of the remote connection to prevent malicious use;

• logging and monitoring all remote access communications;

• securing remote access devices; and

• using strong authentication and encryption to secure communications in general.

In addition to the updated Information Security Booklet, the FFIEC released an “Executive Summary” which provides synopses of each of the 12 booklets comprising the IT Handbook. The Executive Summary also describes the process used to develop and maintain the booklets.

To access the FFIEC’s revised Information Security booklet, one of 12 booklets comprising the FFIEC’s IT Handbook, please use the following link: http://www.ffiec.gov/ffiecinfobase/booklets/information_security/information_security.pdf

To access the FFIEC’s “Executive Summary” of the IT Handbook, please use the following link: http://www.ffiec.gov/ffiecinfobase/booklets/HandbookExecutive%20SummaryFinalDraft10.pdf

FTC and Federal Reserve Report to Congress on Consumer Dispute Provisions of FCRA

On August 9, 2006, the Federal Trade Commission (“FTC”) and the Federal Reserve Board (“Board”) issued a joint report to Congress that evaluates compliance with the consumer dispute provisions of the Fair Credit Reporting Act (“FCRA”). This report was required by the Fair and Accurate Credit Transactions Act of 2003 (“the FACT Act”) and the bulk of the report discusses in detail the process by which a consumer submits a dispute to a consumer reporting agency (“CRA”), the CRA forwards the dispute to its furnisher of information, the furnisher investigates the dispute and replies to the CRA, and the CRA reviews the furnisher’s response and conveys the results to the consumer. The report is based on over 120 comment letters from consumers, creditors, and CRAs received in response to the Board’s August 10, 2004, request for comments, meetings with consumer and industry representatives, reviews of consumer complaints received by and examination reports prepared by the FTC and bank regulatory agencies, reviews of existing literature, and studies by Board economists.

The report’s central finding is that, while most disputes are processed within the timeframe set by the relevant statutes, there is disagreement regarding the adequacy of the investigations performed by the CRAs and the furnishers of the information. However, the report does not recommend specific actions to address the issue. Instead, it suggests that new FACT Act requirements designed to improve the consumer dispute process be given a chance to be implemented and assessed before considering any further statutory or regulatory actions.

The report is probably of most interest for its detailed description of the dispute resolution process, which contains useful statistics, discussions of the statutory and regulatory requirements (including the new FACT Act requirements designed to enhance the process), and assessments of the efficacy of the process from all the major components of the credit reporting system.

For a copy of the joint report regarding the consumer dispute provisions of the FCRA, please use the following link: http://www.federalreserve.gov/boarddocs/rptcongress/fcradispute/fcradispute200608.pdf

New FinCEN Director Pulls Plug on BSA Direct

With the implementation of the Bank Secrecy Act (“BSA”) and its various amendments and revisions, the amount of data that financial institutions collect regarding financial crime has grown exponentially. The Department of the Treasury’s Financial Crimes and Enforcement Network (“FinCEN”) is the agency with the statutory responsibility to administer the BSA, and therefore has the task of managing the more than 14 million BSA forms or reports that are filed by more than 200,000 financial institutions and money services businesses each year. That same data is shared with law enforcement and regulatory agencies, and FinCEN faces the challenge of effectively storing and tracking the data, and also extracting the necessary information.

Currently, FinCEN relies on the Internal Revenue Service’s (“IRS’s”) Detroit Computing Center (“DCC”) to provide a repository for the vast amounts of BSA data. FinCEN uses the IRS’ data retrieval system, the Currency and Banking Retrieval System (“CBRS”), to access the relevant data. However, in 2003, the agency developed the concept of the “BSA Direct Retrieval and Sharing System” in recognition of the fact that a separate system would allow BSA data to be consolidated into a single, integrated data set, and could facilitate a more flexible and effective retrieval system accessible through a Web interface.

However, despite the obvious benefits of such a plan, the project experienced cost overruns and ongoing schedule delays, due in part to an overly aggressive push to meet a completion date that was set before the project even began. On March 15, 2006, FinCEN’s new Director issued a temporary stop-work order in order to perform both an independent technical assessment and a more comprehensive internal assessment of the BSA Direct program. Those assessments took place over a period of 120 days, and on July 13, 2006, the agency announced that it was ending the program.

The Assessment Team reviewed the results of the two evaluations and came up with three options: continue with the current contractor; terminate the current contract and select a new contractor to continue the project; or terminate the contract and reassess the project. The Assessment Team recommended, and FinCEN has decided to pursue, the third option, noting that the underlying purpose of the BSA Direct program still has merit. As a result, FinCEN will develop a revised planning effort for BSA Direct, continue with efforts to work with the IRS to improve access to existing data, determine whether any aspects of the BSA Direct project to date can and should be salvaged, and develop a plan to achieve BSA Direct through a multi-step approach.

Banking industry trade groups have pointed to the decision to abandon BSA Direct as further support for their objections to other FinCEN initiatives such as the proposal to require reports to be filed on all cross-border wire transactions (please see this column in the April 2006 issue).

For a copy of the FinCEN BSA Direct Retrieval and Sharing Assessment Report, please use the following link: http://www.fincen.gov/bsa_direct_report_071306.pdf

Board Approves Final Payroll Card Revisions to Regulation E

The Board of Governors of the Federal Reserve System (“Board”) on August 24, 2006, approved a final rule confirming the treatment of payroll cards as “accounts” subject to Regulation E, which implements the Electronic Fund Transfer Act. The final rule is substantially similar to the interim final rule adopted in January 2006 (see this column in the February 2006 issue), with a few clarifications based on comments received on the interim rule, particularly with respect to satisfaction of Regulation E’s error resolution procedures for financial institutions that elect to use the rule’s alternatives to providing periodic statements. In the only significant change, however, the Board reversed its earlier decision and generally exempted employers and third-party service providers from coverage as “financial institutions” under the regulation because they do not typically hold payroll card accounts, or issue payroll cards. However, if an employer or a service provider were to provide either of these functions, it would be defined as a financial institution and be subject to the rule.

The Board also issued interim final amendments designed to correct an “oversight” in its January 10, 2006, final regulations to Regulation E governing electronic check conversion transactions.

To access the final rule amending Regulation E, please use the following link: http://www.federalreserve.gov/boarddocs/press/bcreg/2006/20060824/attachment.pdf

To access the interim final rule correcting electronic check conversion transactions, please use the following link: http://www.federalreserve.gov/boarddocs/press/bcreg/2006/20060824/attachment2.pdf

Scott Anenberg ([email protected]) is a partner in the Washington DC office of Mayer, Brown, Rowe & Maw LLP (www.mayerbrownrowe.com). He represents foreign and domestic financial institutions on a wide variety of regulatory and compliance issues.
