back to top ↑

Presented by: Subcommittee on Privacy
Chair: Patricia E.M. Covington, Hudson Cook, LLP, Hanover, MD
Vice Chair: Obrea Poindexter, Morrison & Foerster LLP, Washington, DC
Speakers: Anne Fortney, Hudson Cook, LLP, Washington, DC; Peter Gilbert, Capital One, McLean, VA; David Stein, Federal Reserve Board, Washington, DC; Rebecca Kuehn, Federal Trade Commission, Washington, DC


Though the compliance deadlines for complying with the Affiliate Marketing Rule and Red Flag Rules have come and gone, there continue to be questions surrounding what is required to comply. The panel discussed issues and questions that have arisen in connection with compliance with these new rules, and the federal agencies' interpretations of the requirements.

Red Flag Rules

Mr. Stein discussed coverage under the Red Flag Rules. The questions that need to be asked to determine whether an entity is covered by the rules are: (1) is the entity a "financial institution" or a "creditor" and (2) does the entity offer a "covered account," as those terms are defined in the rules, he said. Not every financial institution has to have a program.

Ms. Fortney mentioned that hospitals, universities and utilities, as well as traditional creditors, may be included within the definition of "creditor." Essentially, any entity that provides a product or service for which the consumer pays after delivery is covered. These are issues that have surprised everyone, she said.

If an account is a "covered account," the creditor has to develop a written red flag program, she said.

Ms. Covington asked whether retailers, as agents for creditors (eg., private label credit cards), are covered by the rules. Ms. Fortney said this issue is unresolved.

Third-party debt collectors may also be covered, depending on what they do, Ms. Kuehn said. If they renegotiate debt and set terms of credit, then they are covered. If they just send out notices and accept payment, they are not, she said.

Ms. Kuehn said that the Red Flag Rules also apply to municipalities, and the FTC has jurisdiction to enforce compliance.

Mr. Gilbert discussed the establishment of identity theft prevention programs. He said the definition of identity theft is broad, and some types of fraud are not identity theft. Capital One has reviewed every type of its accounts to see if there is a reasonable possibility of identity theft, he said. In developing the program, a creditor's actual experience is important.

The most difficult area in developing a program is business purpose loans, Mr. Gilbert said. Small business loans and accounts are covered, and large business accounts probably are not, but there is a lot of gray area in the middle, he said.

There is an ongoing requirement to update the program periodically, and Capital One does an annual assessment of its program, he said.

Mr. Stein said that when determining whether prepaid products are covered accounts, a creditor must go through the analysis to see whether the accounts fall within the definition in the rules. Gift cards are not covered, but payroll card accounts are covered, he said. Between these two types of accounts, there is a broad spectrum of prepaid products. Issuers will have to do an analysis on a case-by-case basis, and many products will be covered accounts, he said.

Ms. Kuehn said that there is overlap between data security laws, eg., Gramm-Leach-Bliley, and the Red Flag Rules. Creditors don't have to start from scratch but can look at existing data security programs and see which parts apply to reducing identity theft, she said.

Financial institutions and creditors may use automated systems, but the rules do not require any specific technology, Mr. Stein said. And an automated solution may only satisfy some obligations of the rule, he said. If all consumer contact is online, then an automated solution may be adequate. But if a creditor has walk-in consumers, its program will require "low tech" solutions, such as checking IDs.

The requirements for administration of the program are flexible, but there are particular requirements, Mr. Gilbert said. Oversight by the board of directors is required, as is oversight of service providers, he said.

The rules require a risk-based approach to vendor oversight, because the definition of "service provider" in the rules is broad, said Ms. Fortney. A creditor must exercise effective control over its service providers, and this is an ongoing process which requires assessment of whether the service providers have access to customers' account records. The rules do not provide much guidance as to what constitutes effective oversight, she said.

The relevant service providers are those that are doing what a financial institution would do that would be covered by the rules, eg., application intake, Mr. Stein said. In that instance, only the service provider could do an ID check.

The address discrepancy rule applies to the three national credit reporting agencies, Ms. Fortney said. It requires certain address verification and confirmation by users of consumer reports that receive a "notice of address discrepancy" from a credit reporting agency.

The receipt of such a notice requires action by the user of the consumer report, she said. Mr. Gilbert added that the costs of verification and confirmation are borne by the user.

Affiliate Marketing Rule

The panel also discussed the Affiliate Marketing Rule.

The rule specifically defines "eligibility information," said Mr. Gilbert. But practically, any information that an affiliate would want to share will be considered "eligibility information," he said.

The rule defines "solicitation" as "the marketing of a product or service initiated by an affiliate to a consumer that is based on eligibility information from its affiliate and intended to encourage the consumer to purchase or attain a product or service."

The rule does not prohibit "constructive sharing" of eligibility information between a person and its affiliate for use in marketing consumers when the affiliate has a pre-existing business relationship with the consumer, as long as the rule's restrictions on the use of eligibility information are met.

back to top ↑

Moderator: Therese G. Franzén, Franzén & Salzano, P.C., Norcross, GA
Speakers: Kathleen Keest, Center for Responsible Lending, Durham, NC; Eldon Spencer, Leonard O'Brien Spencer Gale and Sayre, Ltd., Minneapolis, MN; Oliver I. Ireland, Morrison & Foerster, LLP, Washington, DC


Many factors have contributed to the financial meltdown. Has a lack of accountability (at least until now) been compounded by inadequate legal accountability? Did our concept of the role of lawyers shape our contribution to the crisis? In this program, the panel engaged in a lively discussion of these issues.

Most people trace the beginning of the current financial meltdown to October 2007. But it is probably traceable to the Gramm-Leach-Bliley Act in 1999, which repealed portions of the Glass-Steagall Act separating investment and commercial banking, Mr. Ireland said. As a result, portions of the consumer financial services industry were placed outside of the federal regulatory safety net, he said.

The panel did not focus on lawyers' roles in shaping policy issues. Rather, it focused on the lawyer's role in advising clients on a transactional compliance basis at the retail level.

Mr. Ireland said that clients need advice on legal compliance, but they also need practical advice. Lawyers could have advised their clients on underwriting issues, such as no documentation loans, stated income loans and loan-to-value issues, he said. One of the ways lawyers could have helped more was to help clients focus on the risks associated with these underwriting issues, not just whether they were in compliance with the law, he said.

Mr. Spencer commented that lawyers sometimes view their representation from the perspective of whether a particular transaction was successful or not. But he said that there is also the larger perspective that short-term gains sometimes outweigh long-term gains. That perspective may have been missing from mortgage brokers up to investors, he said.

He also said that some of the rush to action on the part of Congress will undermine lawyers, eg., by promulgating vague or inappropriate standards regarding the suitability of a particular loan for a particular consumer.

On a practical level, Mr. Spencer said that when serving as local counsel to a national bank, attorneys need to exercise discretion when counseling their clients. The bank may have a checklist of 40 things that it would like to see in its loan documentation, eg., a waiver of jury trial. But if there are too many anti-consumer provisions in the documentation, the judge likely will get irritated when the bank moves for summary judgment, he said.

Attorneys also need to counsel their clients to have their standards (eg., loan closing disclosures) written down and systematically enforced, he said.

Ms. Keest said the overall trend over the past couple of years of deregulation has negatively impacted the ability of lawyers to challenge certain practices. The asymmetric allocation of legal resources to consumer financial services entities, as opposed to consumers, also has been a problem, she said.

Fee-shifting provisions, class actions and public enforcement were intended to level the playing field by making attorneys available to consumers, she said. But over the past 30 years, these mechanisms have been made less effective by the courts and by political rhetoric, she said.

Ms. Keest also discussed the role of a lawyer as a counselor/advisor. Quoting Elihu Root, she said "About half the practice of a decent lawyer consists in telling would-be clients that they are damned fools and should stop."

back to top ↑

Speakers: Ryan S. Stinneford, Pierce Atwood LLP and Laura H. Brown, McGlinchey Stafford PLLC


At the Winter Meeting, Ryan S. Stinneford and Laura H. Brown, co-chairs of the Deposit Products and Payment Systems Subcommittee, provided a "hot topics" presentation that focused on three legislative and regulatory reactions to the recent events in the banking and financial world: (1) new insurance coverage issues for deposit and stored value products; (2) new rules to restrict internet gambling; and (3) new requirements and restrictions for overdraft protection products.

FDIC Coverage Changes

Mr. Stinneford highlighted the recent changes to federal deposit insurance coverage amounts and requirements. The first change involves a temporary increase in the Standard Maximum Deposit Insurance Amount ("SMDIA") from $100,000 to $250,000. The change became effective on October 3, 2008 and sunsets on December 31, 2009. In connection with this change, the FDIC issued the following language for customer-facing communications:

On October 3, 2008, FDIC deposit insurance temporarily increased from $100,000 to $250,000 per depositor through December 31, 2009.

On October 14, 2008, the SMDIA on non-interest bearing accounts was also temporarily increased through the Temporary Liquidity Guarantee Program ("Liquidity Program"). As of that date, all balances on non-interest bearing transaction accounts are fully insured, without regard to the SMDIA cap and without charge to the depository institution until November 12, 2008. Non-interest bearing accounts include Interest on Lawyers Trust Accounts ("IOLTAs") and Negotiable Order of Withdrawal ("NOW") accounts with interest rates less than or equal to 0.50%.

Unless a depository institution opted-out of the Liquidity Program by December 5, 2008, the institution will remain enrolled until December 31, 2009 and will be charged a special assessment equal to 10-basis points on deposit amounts over $250,000 in non-interest bearing accounts, including IOLTA and NOW accounts. The special assessment is retroactive to November 13, 2008.

The Liquidity Program also affects the treatment of sweep programs and retail repurchase agreements. The Liquidity Program relies on FDIC rules regarding failed institutions to determine whether funds are in a non-interest bearing account. Generally, the FDIC will treat the funds as being in the account to which they are swept or transferred. However, funds transferred from a non-interest bearing transaction account to a non-interest bearing savings product will be treated as being in the non-interest bearing transaction account and will be eligible for full coverage under the Liquidity Program.

Effective December 19, 2008, two types of disclosures are required: (1) lobby notices regarding participation in the Liquidity Program if the institution offers non-interest bearing transaction accounts; and (2) notices to sweep and reclassification customers. The FDIC has provided model language only for the first type of notice. In November 2008, the FDIC provided supplemental information regarding disclosures of non-conventional situations. The only example given was official checks dawn on another depository institution.

On September 30, 2008, the FDIC issued an Interim Final Rule, which simplifies the coverage requirements for revocable trust accounts. The new rule removes the prior requirement that the beneficiary of the trust be the spouse, child, grandchild, parent or sibling of the account owner. Now, the beneficiary may be any natural person, charity or non-profit. The new rule also simplifies the coverage calculation if the beneficial interests are unequal. If the account is less than or equal to $500,000, coverage is determined by multiplying the number of beneficiaries by the SMDIA. Otherwise, coverage is the greater of $500,000 or the sum of all beneficial interests in the account (capped at the SMDIA per beneficiary). The new rule also provides coverage for each life estate interest in a revocable trust up to the SMDIA. Finally, the new rule keeps the coverage calculation for a revocable living trust even if the account becomes irrevocable due to the death of the account owner.

On October 10, 2008, deposit insurance coverage on mortgage servicer accounts was also simplified. Under the new rule, which is permanent and became effective immediately, coverage is provided to lenders and investors as a collective group based on the cumulative amount of principal and interest payments in the account by each borrower, up to the SMDIA. Insurance coverage is not aggregated with other accounts held by the borrowers(s) at the institution holding the mortgage servicer accounts. The new rule only affects the coverage calculation for principal and interest payments hold by mortgage servicers. It does not change the rules for tax and insurance amounts held by a servicer in escrow, which are insured on a pass-through basis as the funds of the borrower.

In July 2008, the FDIC adopted an Interim Rule for determining deposit balances at failed institutions, which became effective on August 18, 2008. The Interim Rule establishes the following practices: (1) the FDIC will treat deposits in accordance with their underlying obligations based on the end-of-day ledger balance for the account, taking into account the bank's normal posting and cutoff procedures; (2) as a receiver, the FDIC will attempt to stop inbound and outbound transfers or new liabilities or the extinguishing of existing liabilities for the institution; and (3) the FDIC will establish a cutoff point as to which time these transfers will be stopped, irrespective of the bank's normal cutoff point. Calculation of account balances is also subject to the following provisions: (1) adjustment to account balances for uncollectible items; (2) sweeps of funds to internal non-deposit investment accounts that are scheduled to take place for the end-of day balance calculation will be processed only if they occur before the FDIC cutoff point.

On July 17, 2008, the FDIC adopted a Final Rule that provides new requirements for certain large depository institutions to modernize the insurance claims process and make it easier for the FDIC to calculate deposit insurance coverage quickly, and provide depositors faster access to their funds after a large bank failure.

Stored Value Cards

On November 13, 2008, the FDIC issued a new version of General Counsel Opinion No. 8, which replaces the prior version issues in 1996. Effective immediately, the new General Counsel Opinion No. 8 declares all funds underlying stored-value products, including gift cards, payroll cards, prepaid cards and governmental benefit cards, and other non-traditional access mechanisms to be "deposits" under the FDIA if the funds are placed with an insured depository institution. Accordingly, depository institutions will be assessed insurance premiums on such fund balances. As Mr. Stinneford noted, however, General Counsel Opinion No. 8 raises new issues regarding the application of Regulations D, E, CC and DD, for example.

Internet Gambling

The second "hot topic" involved the Unlawful Internet Gambling Enforcement Act of 2006 (the "Act"). Ms. Brown explained that the Federal Reserve Board ("FRB") and Department of Treasury (collectively "Agencies") jointly adopted identical regulations implementing the Act. Compliance with the new regulations becomes mandatory on December 1, 2009. Ms. Brown explained that the scope and effect of the new regulations are minimal. State and federal law continue to determine what is illegal, the new regulations simply place new "policing" duties on banks and financial institutions.

Specifically, the Act prohibits banks from knowingly processing "restricted transactions," meaning payments related to another person's participation in unlawful internet gambling. "Restricted transactions" may include: (1) credit extended to person engaged in unlawful internet gambling (including credit card transactions); (2) an EFT transmitted by/through money transmitting business; and (3) a check drawn by/on behalf of person engaged in unlawful internet gambling. However, "restricted transactions" only involve funds going to commercial customers. Pursuant to the Act, the Agencies identified the following Designated Payment Systems ("DPS"): (1) ACH systems; (2) card systems (credit, debit, prepaid cards or stored value products); (3) check collection systems; (4) money transmitting businesses that permit customers to remotely initiate money transmission transactions; and (5) wire transfer systems. The new regulations exempt all participants in DPS except for those with a customer relationship with a commercial customer.

The new regulations require non-exempt DPS participants to create policies and procedures that are reasonably designed to identify and block restricted transactions. Non-exempt participants also must notify all commercial customers that restricted transactions are prohibited from being processed. The new regulations also require due diligence procedures that vary depending on the risk level of the customer.

Overdraft Protection

The last "hot topic" involved new requirements and restrictions for overdraft protection products. In May 2008, the FRB proposed to amend Regulations AA and DD to condition a bank's ability to charge a fee for overdraft services on providing the consumer with notice and right to opt-out of overdraft service. On December 18, 2008, the Fed issued final changes to Regulation DD, including periodic and year-to-date aggregate fee disclosure requirements and balance disclosure rules. However, after considering comments and results of consumer testing, the FRB concluded that overdraft service opt-out rules should be located in Regulation E. Accordingly, the FRB published another proposed rule under Regulation E.

Under the proposed rule, the FRB proposed two alternatives regarding overdraft services. The first alternative involves an "opt-out" process through which the consumer must receive notice of right to opt-out of overdraft service for ATM withdrawals and one-time debit card transactions before a bank charges an overdraft fee. This opt-out notice would be required at account opening and for each periodic statement cycle in which the consumer pays an overdraft fee. The opt-out process would not apply to: (1) checks; (2) preauthorized EFTs; or (3) ACH transactions. Under the opt-out alternative, the bank must provide notice and wait 30 days before assessing an overdraft fee when paying an ATM withdrawal or one-time debit card transaction and provide notice before or at account opening and require consumer to make an opt-out decision as a necessary step to opening an account. The opt-out notices would not be required if: (1) the institution has a policy of declining to pay ATM/debit card transactions if its believes the consumer has insufficient funds; or (2) the institution requires the consumer to opt-in before assessing any fees for paying ATM/debit card overdrafts. The second alternative involves an "opt-in" process by which the consumer must opt-in to an overdraft service for ATM withdrawals and one-time debit card transactions before a bank can charge an overdraft fee. The opt-in must be written, and the institution could send the consumer written confirmation of the opt-in.

back to top ↑

back to top ↑