Enter your email address to receive new posts in your inbox:

Delivered by FeedBurner


Like what you see? Share!

Our Attorneys

Entries in Electronic Transactions (11)


New England Financial Institutions Face Increased Cybersecurity Risks

Noted cyber security blogger and journalist Brian Krebs recently gained an exclusive interview with a New England bank that reported a sharp rise in fraudulent charges on debit cards. The scammers were making purchases on stolen card numbers from plain-old magnetic strip cards but making them look like they were made on EMV (“chip”) cards, although the bank had not yet issued such cards. This “EMV-spoofing” technique had been picked up by Canadian banks earlier this year and traced to Brazil.

“The recent EMV-spoofing cases point to the continued need for fraud detection mechanisms that even small banks and credit unions must implement to protect themselves,” said Ande Smith, a principal at the forensics and data security firm Deer-Brook, with whom Verrill Dana works closely in data breach cases. “During the transition phase, which may take years, the mish-mash of magnetic and chip/pin point-of-sale systems in the US will create opportunities to mask fraudulent activity.”

A recent report by the Federal Financial Institutions Examination Council (FFIEC) supports this call for improved risk management at regional banks and other financial Institutions.  The results of the FFIEC’s 2014 survey of 500 community financial institutions indicate that these institutions have room to improve in terms of employee education and training on cyber risks; improving cybersecurity controls; understanding their vendors’ cybersecurity risks; and establishing incident management procedures, among other things.

Rita Heimes is a privacy and cybersecurity attorney in Verrill Dana’s Intellectual Property & Technology practice group. She and her team help companies with comprehensive information risk management programs including privacy policies, incident response plans, third-party contracts, employee training, and breach response.


Financial Institutions May Now Post Annual Privacy Policies Online

Under the Gramm-Leach-Bliley Act and regulations promulgated by the Bureau of Consumer Financial Protection (Bureau), financial institutions are required to provide customers with an annual disclosure of their privacy policies. The cost of mailing paper copies to consumers is significant. The Bureau therefore promulgated a new rule effective October 28, 2014, that allows financial institutions to post their notices via alternative delivery means, including on their websites, provided certain conditions are met.

Financial institutions can avoid considerable compliance costs by using this alternative notice method.
Among the qualifications: (1) the privacy notice must not trigger any opt-out rights and the institution must have previously provided opt-out notices as required; (2) information included in the privacy notice must not have changed since the prior notice; and (3) the financial institution must use the Bureau’s model form as its annual privacy notice. Other qualifications also apply, including (but not limited to) notification to customers that the privacy policy is located online at least annually through a statement mailed to them.

For more complete information about qualifying for the alternative annual privacy policy delivery option, view the final rule here or contact Verrill Dana’s Banking Law group.


FDIC "Supervisory Insights Journal" Now Out: Mobile Payments Highlighted

For the second year in a row, the winter edition of the FDIC’s Supervisory Insights Journal includes an article discussing the risks associated with mobile payment services. Last year’s article, which focused primarily on security and fraud concerns, was reviewed in a blog post last December. This year’s article highlights a broader range of risks associated with mobile payments. These risks arise in part from the fact that mobile payments require interactions between numerous entities in the payment process. In addition, much of the innovation in the market is driven by young, entrepreneurial companies that may not be familiar with the supervisory framework applicable to depository institutions.

Click to read more ...


FinCEN Issues Advisory on Third-Party Payment Processor Risk

The Financial Crimes Enforcement Network (FinCEN) recently issued an advisory bulletin warning financial institutions on the risks associated with maintaining deposit accounts for third-party payment processors (“Payment Processors”). Payment Processors are companies that initiate payment transactions on behalf of their own customers, typically merchants and other businesses, where these customers lack a direct relationship with the financial institution. Payment processors may service domestic or foreign businesses that are conventional bricks-and-mortar establishments or internet-based.

Click to read more ...


Federal Agencies Publish Guidance On Technology Outsourcing

The FFIEC and several federal banking agencies (the Federal Reserve, FDIC, and OCC) recently announced the publication of new and revised guidance on the use of third-party technology service providers (“TSPs”) by federally-regulated financial institutions...

Click to read more ...