The Department of Labor’s Office of Federal Contract Compliance Programs (OFCCP) published a Final Rule on December 9, 2014, implementing Executive Order 13672, which prohibits federal contractors and subcontractors from discriminating against individuals on the basis of sexual orientation and gender identity. In accordance with the treatment of depository institutions under Executive Order 11246, the mere existence of federal deposit insurance is sufficient for a bank to be deemed a federal contractor under Executive Order 13672, without regard to the number of employees or other contractual relationships with the federal government. The new rule will take effect April 8, 2015.
Although the new rule does NOT include new reporting and information gathering mandates or require contractors to set hiring goals, it does require federal contractors and subcontractors (and thus all insured banks) to:
- Update Contracts. Contractors must update the equal opportunity clause in new or modified subcontracts and purchase orders to include sexual orientation and gender identity as protected characteristics.
- Update Job Solicitations. Contractors must update the equal opportunity language included in all job solicitations to notify applicants that they will not be discriminated against on the basis of their sexual orientation or gender identity.
- Ensure No Discrimination. Contractors must take steps to ensure that job applicants and employees are not discriminated against because of their sexual orientation or gender identity.
- Post Updated Notices. Contractors must post the new supplement to the EEO is the Law poster as soon as it is available on the OFCCP’s website.
- Ensure No Segregation. Contractors must ensure that facilities provided for use by their employees are not segregated on the basis of sexual orientation or gender identity.
- Notify OFCCP/State Department. Contractors must immediately notify the OFCCP and the State Department if they believe they cannot obtain a visa for an employee to a country in which, or with which, they do business because of the employee’s sexual orientation or gender identity.
On October 28, 2014, the CFPB amended the consumer privacy rules of Regulation P to allow financial institutions to post privacy notices online rather than mailing the required annual notice each year. Some institutions are already taking advantage of this alternate delivery method. There are conditions to this option, however, and some institutions might not be satisfying those conditions. It is important to confirm that your institution is meeting the following conditions if you have decided to take advantage of the new rule:
- No Opt Outs. The alternate delivery method can be used only if you do not share your customers’ information in any way for which the customer has the right to opt out under Regulation P or Section 603(d)(2)(A)(iii) of the Fair Credit Reporting Act (FCRA). This provision of the FCRA is the one under which information that otherwise would be a “consumer report,” such as credit experience with third parties, may be shared with an affiliate for other than marketing purposes so long as the consumer is given an opt-out right.
- Satisfy the FCRA Affiliate Sharing Rules. You must have previously satisfied the affiliate sharing rules of Section 624 of the FCRA, or you must satisfy them other than by delivery of the annual Regulation P privacy notice. This provision seems to cause some confusion. Section 624 of the FCRA is the provision under which an affiliate of a financial institution that receives certain information (such as transaction information) may not use that information for marketing purposes unless the consumer is notified of such use and given a chance to opt out. The Section 624 notice would only need to be given one time so long as an institution honors consumers’ opt outs indefinitely, or could be delivered other than as part of a Regulation P privacy notice. Therefore, so long as you are not relying on the annual Regulation P privacy notice to satisfy Section 624, you satisfy this condition to the alternate method for delivery of your annual Regulation P notice.
- No Changes to the Notice. The privacy notice you post online cannot have changed since consumers received the immediately previous notice, other than to eliminate categories of information that you disclose or categories of third parties to whom you disclose information. So, for example, if you previously shared information in a way that required you to offer the consumer an opt-out right, you could stop such sharing. This would allow you to satisfy the no opt-out rule described above and post your modified privacy notice online.
- Model Notice. You must use the model form of privacy notice included in Regulation P.
- Notify Consumers of the Posting. You must notify your customers each year that your privacy notice is available online and that it will be mailed to customers who request it by telephone. This notice can be provided on an account statement, coupon book, or any other notice or disclosure that you are required or expressly and specifically permitted to issue to the customer under any other provision of law.
- Post the Notice Continuously in a Public Location. Your privacy notice must be posted continuously and in a clear and conspicuous manner on a page of your Web site that consists only of the privacy notice and that can be accessed by consumers without having to log in, provide a password or agree to any conditions.
- Mail Upon Request. If any customer requests a copy of the privacy notice by telephone, you must mail it to him or her within 10 days.
This alternate method for delivery of the annual Regulation P privacy notice will be attractive to many financial institutions, but don’t forget these conditions to this method.
March 12, 2015
The term “Big Data” has become synonymous with the ability to rapidly analyze large volumes of data to predict outcomes and draw other insights. Big Data has grown exponentially as the insights reaped from data analysis have become crucial to the success of many companies. With this growth have come a number of data security and data privacy considerations and requirements for companies involved with big data. Join Jason Haislmaier of Bryan Cave LLP for a discussion of these considerations and requirements, including established and emerging legal standards, regulatory requirements, and best practices for data privacy and data security in a “Big Data” world.
Jason D. Haislmaier, Esq. is a partner in the Boulder, CO office of Bryan Cave LLP. Mr. Haislmaier represents emerging and established companies in technology and intellectual property transactions, with an emphasis on developing strategies for protecting, managing, and commercializing technology and intellectual property assets. He has developed a special area of expertise involving open source software licensing and compliance and works with clients in the U.S. and abroad to develop and implement open source software license compliance strategies. Mr. Haislmaier, who frequently lectures on topics involving open source software, cloud computing and other areas of intellectual property, is currently the Board Chair of the Silicon Flatirons Center for Technology and Entrepreneurship, Intellectual Property & Information Technology, and he has been recognized in Colorado Super Lawyers, 2011–2013 and The Best Lawyers in America 2014.
May 4, 2015 – May 5, 2015
The Ritz-Carlton, Atlanta
181 Peachtree Street Northeast
Atlanta, GA 30303
Sponsor(s): Hosted by Bryan Cave LLP, OTC Markets Group, Banks Street Partners, and Stock Cross Financial Services
We are pleased to announce the inaugural Financial Institutions Stock Liquidity Conference in Atlanta, Georgia. The conference will begin with a cocktail reception on Monday evening, May 4th from 6:00 – 9:00 p.m., at the College Football Hall of Fame, where interactive and personalized tours will be offered to conference attendees. The conference will continue on Tuesday, May 5th from 8:00 a.m. – 4:00 p.m., with a full day of presentations and panel discussions that will explore the universe of liquidity options available to financial institutions and opportunities to access the capital markets.
On October 28, 2014, the Consumer Financial Protection Bureau (“CFPB”) issued a final rule amending Regulation P (the “Amendment”), which implements the consumer privacy provisions of the Gramm-Leach-Bliley Act (“GLBA”). In most cases prior to the amendment, Regulation P required financial institutions to mail paper copies of the annual privacy disclosure, which many in the financial industry felt was overly costly and needlessly burdensome. The new rule permits covered institutions to publish privacy notices electronically on their websites, but only after satisfying the following conditions:
- The financial institution does not disclose nonpublic personal information to nonaffiliated third parties other than for the exception purposes that do not allow for consumer opt-outs, such as for servicing or processing the consumer’s account;
- The financial institution’s information sharing practices do not trigger opt-out rights pursuant to Regulation P or Section 603 of the Fair Credit Reporting Act (“FCRA”);
- The requirements of the affiliate sharing provisions of FCRA Section 624, as applicable, were previously satisfied or the annual privacy notice is not the only notice provided to satisfy those requirements;
- The information contained in the privacy notice has not changed since the customer received the previous notice, except for changes to eliminate categories of information the institution discloses or categories of third parties to whom the information is disclosed;
- The financial institution uses the model form provided in Regulation P as its annual privacy notice;
- The financial institution must make its customers aware that its privacy notice is available on its website, that it will mail a paper copy of the notice to customers who request it by calling a specific number, and that the notice has not changed since the prior year’s version. The financial institution can satisfy this requirement by inserting, at least once per year, a clear and conspicuous statement on an account statement, a coupon book, or on a notice or disclosure required by any provision of law. The statement must include a specific URL that can be used to access the website;
- The financial institution must continuously post the annual privacy notice in a clear and conspicuous manner on a page of its website, without requiring a login or similar steps or agreement to any conditions to access the notice; and
- The financial institution must mail, within ten days of a request, a paper copy of the notice to any customer who makes such request by telephone.
Importantly, if the financial institution changes its privacy practices or engages in information-sharing activities for which customers have a right to opt-out, it must use one of the permissible delivery methods that predated the rule change (paper notices or electronic with E-Sign consent).
In connection with the effectiveness of BASEL III, most banks are required to decide whether to elect to opt-out of the inclusion of Accumulated Other Comprehensive Income (“AOCI”) in their Common Equity Tier 1 Capital. All non-advanced approaches institutions (i.e. banks less than $250 billion in total assets with less than $10 billion in on-balance sheet foreign exposure) will need to indicate whether they are making the AOCI opt-out in their March 31, 2015 Call Reports. This is a one-time election and generally irrevocable, except in the limited cases of subsequent mergers between institutions with different elections.
As a reminder, AOCI includes such items as unrealized gains and losses on certain securities.
For institutions that opt out, most AOCI items will not be included in the calculation of Common Equity Tier 1 Capital (and thus Tier 1 Capital generally). In other words, most AOCI items will be treated, for regulatory capital purposes, in the same manner in which they were prior to BASEL III. (Unrealized gains and losses on available-for-sale debt securities will continue to be excluded from regulatory capital; unrealized losses on available-for-sale equity securities will continue to be recognized in regulatory capital; and up to 45% of unrealized gains on available-for-sale equity securities will continue to be recognized in Tier 2 capital.)
For institutions that do not opt out, most AOCI items will be included in the calculation of Common Equity Tier 1 Capital (and thus Tier 1 Capital generally). (Unrealized gains and losses on available-for-sale debt and equity securities will be recognized in Common Equity Tier 1 Capital.)
With many U.S. markets experiencing slow loan growth, some boards of directors looking to increase the size of their institutions have turned to acquisitions to capture greater scale and efficiencies. While asset growth is important, directors should also consider the deposits acquired as part of a merger. Many banks have found that a careful evaluation of the deposits of the selling bank can spot unexpected issues and also drive earnings for the combined institution. The issues and opportunities raised by the liability side of the balance sheet have implications for both buyers and sellers going forward, particularly as they seek to maximize the scope and franchise value of their institutions.
Gaining Deposit Share and Margin
With many growth opportunities centered in more densely-populated areas, some financial institutions plan to use an acquisition to establish a “beachhead” in a growing market. Unfortunately, many have found that a beachhead may not be enough, particularly with ferocious competition for quality loans in many metro markets. Other banks have taken a different approach by either consolidating market share in their home or adjacent markets, or by acquiring banks in rural areas that have solid earnings performance. For these banks, acquiring lower-cost deposits in slower-growth markets may help generate earnings that can fund loan growth in more competitive markets. What’s more, some banks have been able to diversify their CRE-heavy loan portfolio by picking up agricultural and other types of lending products through these acquisitions.
State and federal law enforcement agencies are now taking aim, on both the consumer protection and fraudulent loan securitizations fronts, at what they consider to be questionable practices by automobile lenders.
On the consumer protection front, the Consumer Financial Protection Bureau (CFPB) initially dipped a toe into this area through a bulletin in May 2013, claiming that lenders that offer auto loans through dealerships are responsible for unlawful, discriminatory pricing. According to the CFPB, the main culprits are indirect auto lenders that allow the dealer to charge a higher interest rate than the rate the lender offers the dealer, with the result that the lender shares a portion of this markup with the dealer. Under the Dodd Frank Act, such a practice would be illegal if it involved payments to mortgage brokers that sell their customers into higher rate mortgage loans. The auto lending industry, however, was not similarly regulated by Dodd Frank. The CFPB suggests it will seek to attack such practices in the auto loan industry as illegal discrimination if it finds that protected minorities have been charged higher rates as a result.
In September 2014, the CFPB proposed rules that would extend its supervision authority to the larger participants of the nonbank auto finance market. The proposal would allow the CFPB to supervise finance companies with respect to federal consumer financial laws if those companies make, acquire, or refinance 10,000 or more loans or leases in a year. The CFPB estimates 38 auto finance companies, which originate about 90 percent of nonbank auto loans and leases, would be subject to this new jurisdiction.
On the securitization front, subprime auto lender Consumer Portfolio Services disclosed earlier this month that it had received a subpoena from the U.S. Department of Justice (DOJ) requesting documents relating to its auto lending and securitization activities. In December 2014, Ally Financial Inc. had received a similar request from the DOJ, and in October, the Securities and Exchange Commission (SEC) began an investigation into Ally’s lending and securitization practices. GM Financial announced in November that it had received document requests from the SEC relating to its securitization practices. Santander Consumer USA Holdings Inc. announced in August that it also was under DOJ investigation, and in November the New York Department of Consumer Affairs announced that it was looking into Santander’s lending practices.
It appears that these investigations, which include potential criminal enforcement, are looking into whether these lenders are securitizing and packaging loans for sale to investors without ensuring the quality of loans or fully disclosing their risks. If so, this would suggest that they may be engaging in some of the same practices that were alleged against the mortgage industry. Those ultimately led to numerous settlements between prosecutors and many of the large mortgage lenders.
Auto loan quality and risks could be impacted by lending discrimination, failure to comply with consumer protection regulations, or lax underwriting standards. If these risks are not being appropriately disclosed to investors, auto lenders could face the same enforcement liability as were a number of the mortgage lenders.
The risks to the global economy of risky auto loan securitizations may not be as high as they were for mortgage loan securitizations, given that it is easier to repossess a car than it is to foreclose on a mortgage, and given the generally smaller dollar amounts involved. This time, however, it appears that federal regulators will not be waiting until an economic crash before attempting to address the problems they suspect, and costly criminal and civil actions may be more aggressive and occur more quickly.
Bryan Cave’s Data Privacy and Security Team will hold a teleconference on Friday, February 6, to discuss the impact of the Anthem Data Breach on firm clients. Topics include:
- What information is known,
- What information is not known,
- How the breach might impact employees, and
- What steps companies should consider taking.
The teleconference will be held tomorrow, Friday, February 6, 2015, at 1 ET / 12 CT / 11 MT / 10 PT, and is open to any firm client.
If you would like to join the conference, please send an email to Audrey.Brekel@bryancave.com and she will provide the dial-in information.
David Zetoony is the leader of the firm’s Data Privacy and Security Team.
Back in the days when “phishing” was just something your spell checker changed back to “fishing,” everyone thought they understood how the risk of loss was apportioned between a bank and its customers if a third party fraudulently obtained money from someone’s deposit account. With few exceptions, the risk of loss was borne by someone other than the bank customer. Fast forward to today, when there are so many different ways for bank customers to move money in and out of their accounts besides just a paper check. Several years ago the drafters of the UCC adopted a brand new Article 4A to address the dramatic increase in wire and other electronic transfers between commercial accounts.
Article 4A continues the traditional risk allocation framework in that unless certain exceptions exist, the bank bears the risk of loss for fraudulent transfers from a commercial deposit account. The major exception is where the bank and its customer have agreed upon certain commercially reasonable security procedures. In that instance the risk of loss for fraud will reside with the customer if the bank proves that it accepted a fraudulent payment order (1) in good faith, and (2) in compliance with the security procedure and any written agreement or instruction of the customer restricting acceptance of payment orders issued in the name of the customer. Further, if a bank has established security procedures that a customer has declined to use, and the customer instead agrees in writing to be bound by payment orders issued in its name and accepted by the bank in accordance with another security procedure, then the customer will bear the risk of loss from a fraudulent payment order if the declined procedure was commercially reasonable.
A recent decision from the 8th US Circuit Court of Appeals, Choice Escrow and Land Title, LLC v. BancorpSouth Bank, applied the provisions of Article 4A to what is becoming a common occurrence today. An employee of Choice clicked on an attachment to an email, which then placed a computer virus on the company’s computer system. Over a period of time the virus gave an unknown third party access to the employee’s username and password and allowed the third party to mimic the computer’s IP address and other characteristics. The thieves wired out $440,000 to an account in the Republic of Cyprus. Suffice it to say that when money is fraudulently transferred to an account in the Republic of Cyprus, it never comes back. The customer demanded that the bank reimburse it for the loss and the bank refused. The matter ended up in litigation in federal court.