A Crash Course on Data Breach and Cyber Security
The recent disclosure by the Georgia Secretary of State of voters’ Social Security numbers has caused a number of our clients – particularly those based in Georgia – to request additional information concerning how to prevent and respond to data security incidents.
To that end, we have gathered our recorded materials on effective breach prevention and response into a suggested week-long training program, with one hour of programming on each day of the week following Thanksgiving. Celesq, the company that maintains the recordings of our programs, has agreed to waive the fee for any of our clients who wish to access them during that week.
- Monday, November 30th: Data Security Boot Camp: A Crash Course in the Law
- Tuesday, December 1st: Investigating Data Breaches: A Guide for In-House Counsel
- Wednesday, December 2nd: Cyber-Insurance
- Thursday, December 3rd: Data Breach Litigation
- Friday, December 4th: Ethics and Data Breach Investigation
Invoking memories of Apple’s famed 1984 Super Bowl commercial, a group called the American Action Network aired an anti-CFPB spot during last night’s Republican presidential debate. If nothing else, the spot should encourage further discussion of the role and impact of the Consumer Financial Protection Bureau.
The spot certainly portrays the CFPB in an evil light that is sure to please many in the banking industry, but its broader impact is less certain. A well-written piece by the American Banker offers several reasons why the ad could backfire, not the least of which is the hyperbolic nature of (and shortcuts taken by) the spot.
And former FDIC Chair Sheila Bair seems to agree.
@ABWashBureau Not smart. This will solidify CFPB supporters and imply GOP is anti-consumer, which it isn't.
— Sheila Bair (@SheilaBair2013) November 10, 2015
On September 10, 2015, a divided Second Circuit appeals court held in Berman v. Neo@Ogilvy LLC that an employee who reports wrongdoing internally to management is considered a “whistleblower” under the Dodd-Frank Act, thereby strengthening retaliation protections for employee whistleblowers.
There has been a history of tension between the Dodd-Frank statutory definition of “whistleblower” and the applicability of the Dodd-Frank anti-retaliation provisions to employees who report suspected misconduct internally. The Act defines a “whistleblower” as “any individual who provides…information relating to a violation of the securities laws to the Commission…” However, section 78u-6(h)(1)(A)(iii) of the Act prohibits retaliation against “a whistleblower” who makes disclosures “required or protected” by the Sarbanes-Oxley Act. The U.S. Securities and Exchange Commission’s regulations interpret the term “whistleblower” to include, for retaliation purposes, employees who report or disclose potential wrongdoing either internally or to the SEC (SEC Rule 21F-2(b)(1)). This has led to a circuit split among federal courts as to whether Dodd-Frank protects against retaliation only if the whistleblower reports the wrongdoing to the SEC, or whether its protections also extend to whistleblowers who report misconduct internally to management.
Everyone has that pile of objects in the basement or the attic that over the years just keeps growing in size. It could be old toys no longer used but saved for use by the grandchildren, old clothes you think you might wear again someday, or the furniture from your parents’ house that you hated to give up but really had no room for in your own house. In the banking context, the pile of objects closely resembles the cash management agreements many banks use. Many of these agreements were first put in use years ago when the bank decided to offer ACH services in addition to the normal commercial deposit account. Eventually the bank added wire transfer and a money market sweep account to the suite of options. Oftentimes banks use a separate form for each of the available services, some of which may or may not conflict with the other forms that were developed over a 10- or 20-year period.
Technology, cyber-risks and the ways people initiate transfers of funds have changed over time and will continue to change in the near future. If you haven’t updated your cash management agreements in several years, now may be a good time to review that pile of documents and agreements and consider which items need to be addressed. A good way to handle such a review is to combine the separate agreements into one master agreement. Consolidating the documents in this manner ensures that all of the definitions are consistent and that the security procedures (for example, how customers authenticate, how transfers are authorized, and who bears the risk of an unauthorized transfer) are addressed uniformly across the entire platform rather than differently in each service-specific form.
On October 8, 2015, the CFPB announced new “Guidance About Marketing Services Agreements,” publishing a Compliance Bulletin on the subject of RESPA Compliance and Marketing Services Agreements. The Bulletin is lacking in clear “guidance,” at least in the sense of outlining regulatory standards, but it does provide an unequivocal warning that marketing services agreements (MSAs) in the mortgage industry are much less likely to pass regulatory scrutiny than in the past.
The CFPB expresses “grave concerns” about the use of MSAs to evade the requirements of RESPA, and it notes that certain mortgage industry participants have already stopped entering into MSAs given the RESPA compliance burdens. To ensure that the industry is getting the message, it warns that careful consideration of the legal and compliance risks “would be in order” for all industry participants, especially in light of the increase in whistleblower complaints under RESPA.
Every MSA must comply with the RESPA Section 8 prohibition on the payment or receipt of any fee, kickback or other “thing of value” for the referral of mortgage loan or other “settlement services” business. However, compensation for goods or facilities actually furnished or services actually performed is permissible under Section 8, at least so long as the compensation reflects the fair market value of the goods, facilities or services. The industry has long attempted to rely on this exception for the payments for services actually performed as a means to avoid Section 8 violations. This has usually worked in the past, but it’s going to be much harder to make this work in the future.
The CFPB has issued another enforcement action exceeding the half-billion dollar mark against a large bank for its add-on product offerings. Citibank and its subsidiaries were penalized for alleged deceptive marketing, unfair billing and deceptive debt collection involving its credit card add-on products and services. This marks the tenth public enforcement action that the CFPB has announced for practices associated with marketing or administering add-on products in its four-year history.
As part of the settlement Citi was ordered to pay $700 million in restitution to about 8.8 million consumers who were impacted by the add-on product offerings. The company also must pay the CFPB a $35 million civil penalty. Further, the Bank was required to end alleged unfair billing practices and submit a compliance plan to the CFPB before continuing to market any add-on products by telephone or point of sale, or attempting to retain add-on product customers by telephone.
In the 57-page order the CFPB refers to an add-on product as “any consumer financial product or service…offered to Cardholders as an optional addition to credit card accounts issued by [Citibank].” The CFPB put several of Citibank’s add-ons at issue, which were for consumer services such as debt cancellation or deferral products, credit monitoring or credit report retrieval services, and services to notify credit and debit card issuers when a consumer reports cards lost or stolen.
On August 5, 2015, in a 3-2 vote, the SEC adopted the rule implementing the controversial pay ratio requirement pursuant to the Dodd-Frank Act. The rule requires companies to disclose:
- the median of the annual total compensation of all employees, excluding the principal executive officer, or CEO;
- the annual total compensation of the CEO (which is already required to be disclosed); and
- the ratio of these two amounts.
The new rule applies to companies required to provide executive compensation disclosure under Item 402(c)(2)(x) of Regulation S-K in proxy statements or annual reports on Form 10-K, as well as registration statements or other filings. Most companies are required to report the pay ratio disclosure for their first fiscal year beginning on or after January 1, 2017.
Last week we looked at the state of banking in Georgia based on the FDIC’s latest summary of deposits information, and now we turn our focus to Atlanta. The overall number of banks in the Atlanta Metropolitan Statistical Area (the 9th largest MSA in the country) fell from 138 to 97, a 30% decline. As in broader Georgia, this number overstates the decline of independent banking organizations, as the number of holding companies operating multiple bank charters in the Atlanta area fell from 4 to 1, with the number of unaffiliated financial institutions falling from 126 to 96 (a 24% decline).
The total amount of deposits assigned to branches in the Atlanta MSA rose from $95 billion to $146 billion, a 54% increase (as compared to a 43% increase for the entire state, and an increase of only 23% in the state but outside the Atlanta MSA). The total number of branches in the MSA fell from 1,342 to 1,294, a 4% decline. These effects combined to increase the average amount of deposits per branch in Atlanta from $71 million to $113 million, a 60% increase.
Like Georgia more broadly, between increasing total deposits and industry consolidation, Atlanta saw an increase in the number of larger institutions operating within the MSA. The number of institutions with more than $2 billion in deposits increased from 6 to 12, while the number of institutions with between $500 million and $2 billion declined slightly from 10 to 9. The number of institutions with between $250 million and $500 million in deposits fell from 23 to 14, a 39% decline; the number of institutions with between $100 million and $250 million in deposits fell from 41 to 27, a 34% decline; and the number of institutions with less than $100 million in deposits fell from 42 to 30, a 29% decline. Consistent with these trends by deposit size, but potentially inconsistent with a broader message of unending industry consolidation, the number of banks in the Atlanta MSA with more than 1% of the total deposits in the MSA increased from 9 to 14 (and the number of Georgia-based institutions with more than 1% of total deposits increased from 5 to 8).
Today’s economy presents numerous challenges to community bank profitability—compressed net interest margins, increased regulation, and management teams fatigued by the crisis. In response to these obstacles, many boards of directors are exploring new ways to reduce expenses, retain qualified management teams, and offer opportunities for liquidity to current shareholders short of a sale or merger of the institution.
For many family-owned banks, their deep roots in the community and a desire to see their banks thrive under continued family ownership into future generations can cause these challenges to be felt even more acutely. In particular, recruiting and retaining the “next generation” of management can be difficult. Cash compensation is often not competitive with the compensation packages offered by publicly-traded institutions, and equity awards for management officials are unattractive given the limited liquidity of the underlying stock. All the while, these institutions should ensure that their owners have reasonable assurances of liquidity as needs arise or as investment preferences change. In combination, these challenges can often overwhelm a family-owned bank’s desire to remain independent.
Depending on the condition of the institution, implementing an employee stock ownership plan, or ESOP, may help a board address many of these challenges. While the ESOP is first a means of extending stock ownership to the institution’s employees, an ESOP can have other applications for family-owned banks.
The United States Court of Appeals for the Fourth Circuit, which governs North and South Carolina as well as Virginia, West Virginia and Maryland, has issued an important ruling in FDIC v. Rippy, a lawsuit brought by the FDIC against former directors and officers of Cooperative Bank in Wilmington, North Carolina. As it has done in dozens of cases throughout the country, the FDIC alleged that Cooperative’s former directors and officers were negligent, grossly negligent, and breached their fiduciary duties in approving various loans that caused the bank to suffer heavy losses. The evidence showed the FDIC had consistently given favorable CAMELS ratings to the bank in the years before the loans at issue were made. The trial court entered summary judgment in favor of all defendants, criticizing the FDIC’s prosecution of the suit as an exercise in hindsight. The Fourth Circuit, however, vacated the ruling as it applied to the ordinary negligence claims against the officers. In its opinion, the court held that the evidence submitted by the FDIC was sufficient to rebut North Carolina’s business judgment rule and thus allow the case to go to trial. The court found that the evidence indicated that the officers had not availed themselves of all material and reasonably available information in approving the loans.
The decision is specific to North Carolina-chartered banks and is based on the historical development of the business judgment rule in that state. Nonetheless, there are certainly comparisons to be drawn to decisions from other states. The emphasis on allegations of negligence in the decision-making process echoes last year’s decision in FDIC v. Loudermilk, in which the Georgia Supreme Court held that it was possible to bring an ordinary negligence claim against bank directors and officers who engage in a negligent process in making a decision. While the Georgia Supreme Court in Loudermilk seemed to be of the view that it would permit claims to go forward against directors and officers who completely avoided their duties and acted as mere figureheads, the Rippy decision shows that in North Carolina, at least, the distinction between a viable case and one barred by the business judgment rule may be very fine indeed. For instance, the FDIC’s evidence consisted largely of expert testimony that Cooperative’s officers failed to act in accordance with generally accepted banking practices by, among other things, approving loans over the telephone before they had examined all relevant documents, and by failing to address warnings and deficiencies in the bank’s (generally positive) examination reports.