Federal regulators published guidance Monday regarding the application of customer identification program (CIP) requirements to holders of prepaid cards and other types of prepaid access. Although the guidance is meant to clarify longstanding CIP rules—issued in 2003 to implement USA PATRIOT Act amendments to the Bank Secrecy Act (BSA)—the guidance has the effect of setting new standards for banks that issue prepaid access. This includes prepaid cards that third-party program managers sell and distribute, as well as cards that are used to provide employee wages, healthcare, and government benefits.
Erin Fonté assists clients with a broad range of matters related to payments/payment systems, digital commerce, banking and financial services (including related legal and regulatory issues), technology/Internet products, privacy and data protection laws, and general corporate matters. Erin regularly advises financial institutions and alternative payment providers regarding mobile banking, mobile payments and mobile wallet products and services. She has been involved in the creation of new payment networks and has worked extensively on products, services and network operating rules related to emerging and mobile payment systems.
The FTC’s focus on data security appears to be expanding, with the agency now investigating the processes by which private industry measures data security compliance. On March 7, 2016, the FTC ordered nine different companies who are “Qualified Independent Assessors” to provide detailed information about how they assess their clients’ compliance with the Payment Card Industry Data Security Standards (“PCI DSS”). The nine companies receiving orders range from large accounting firms such as PricewaterhouseCoopers, LLP, to security-focused companies such as Foresite MSP, LLC. They must respond to the Commission within 45 days (absent any extensions that the Commission might grant). The FTC did not state that the orders were issued in connection with any apparent breach or other specific problem, and the agency’s ultimate goal for this inquiry remains to be seen.
As has been reported in the news recently, there is increasing litigation asserting that the websites of some commercial enterprises, including financial institutions, are not accessible to consumers with disabilities. The Americans with Disabilities Act was adopted before widespread adoption of the internet, but the Department of Justice and many courts have taken the position that the ADA’s prohibition of discrimination against anyone on the basis of disability in the use of “accommodations of any place of public accommodation” applies to websites as well as physical establishments.
The Consumer Financial Protection Bureau (“CFPB”) made headlines last week by taking action against Dwolla, an online and mobile payments platform. The CFPB imposed a $100,000 penalty against Dwolla, and while the dollar amount of the penalty may appear to be small compared to other civil money penalties, the action is significant because it is the first action the CFPB has taken in the data security area and provides insight into future enforcement activities surrounding data security by the CFPB. It also serves as a notable reminder of the CFPB’s broad enforcement powers, which go beyond financial institutions to non-FI companies that deliver financial products and services to consumers. While the CFPB lacks authority over the substantive data security requirements that are enforced by the federal financial regulators, that poses no obstacle to the CFPB’s ability to take an action, like this, initiated under its authority to police “deceptive” acts or practices.