For the second year in a row, the winter edition of the FDIC’s Supervisory Insights Journal includes an article discussing the risks associated with mobile payment services. Last year’s article, which focused primarily on security and fraud concerns, was reviewed in a blog post last December. This year’s article highlights a broader range of risks associated with mobile payments. These risks arise in part from the fact that mobile payments require interactions between numerous entities in the payment process. In addition, much of the innovation in the market is driven by young, entrepreneurial companies that may not be familiar with the supervisory framework applicable to depository institutions.
Entries in Information Security (11)
First Circuit Reverses Patco v. People’s United: Internet Banking Security Procedures were not Commercially Reasonable
On July 3, 2012, a three-judge panel of the First Circuit Court of Appeals reversed the summary judgment granted to People’s United Bank in the case of Patco Construction Co., Inc. v. People’s United Bank, --- F.3d ----, 2012 WL 2543057 (C.A. 1 (Me.)). The case has been widely followed in the banking industry, as there are few court decisions analyzing the legal framework for liability with respect to unauthorized internet banking transactions. The original grant of summary judgment by the Federal District Court of the District of Maine was considered a victory for the bank, but the First Circuit’s decision negates most of this victory.
A special Electronic Crimes Task Force formed by the United States Secret Service and the Texas Department of Banking recently issued a report entitled “Best Practices: Reducing the Risks of Corporate Account Takeovers” (the “Report”). The Report details nineteen recommended processes and controls that focus on the core elements of a risk-management framework developed by the Secret Service, the FBI, the Internet Crime Complaint Center, and the Financial Services Information Sharing and Analysis Center: protect, detect, and respond. The Report expands on the standards set forth in the FFIEC’s Supplement to Authentication in an Internet Banking Environment issued in June of 2011, which we discussed in a prior blog post.
The value of the Report lies in the specificity of its recommendations. Each of its nineteen recommended processes and controls is accompanied by detailed examples and “best practices” for consideration. The Report also provides a number of references and sample forms, including for risk assessment and employee/customer training. Although certain best practices may not be appropriate in a particular circumstance, the Report can serve as a useful checklist and resource in developing risk assessment and mitigation programs.
Maine Banker, the trade magazine for the Maine Bankers Association, recently published an article entitled Internet Banking: Six (or so) Key Lessons in its March-April 2012 edition. The article was co-authored by James Cohen and Alistair Raymond of Verrill Dana, LLP. The article addresses a number of key considerations for banks when managing their Internet banking platforms.
As you may know, the Commonwealth of Massachusetts requires that all persons who “own or license” the personal information of Massachusetts residents implement safeguards to protect such information from unauthorized acquisition or use. See 201 CMR 17.00 (the “Regulations”). March 1 was the deadline for persons covered by the Regulations to require by contract that third-party service providers with access to protected personal information implement and maintain appropriate security safeguards. Although the Regulations’ underlying statute provides a limited carve-out for federally-regulated entities, the Commonwealth enforced the Regulations against a state-chartered bank in 2011.
For years, banks have been subject to a similar contract requirement with respect to third-party service providers pursuant to Gramm-Leach-Bliley, as well as obligations with respect to due diligence and monitoring. The recent March 1 deadline, however, is a reminder to review service provider contracts and consider additional protections. For example, in addition to implementation of appropriate safeguards, a contract may include protections such as indemnification for a data breach suffered by the service provider, data breach insurance coverage, the right to audit for compliance, and preapproval of subvendors with access to personal information.