
InfoBytes Blog

Financial Services Law Insights and Observations

  • SPeRS Announces Release of Updated E-Commerce Compliance Guidelines

    Fintech

    Recently, the Standards and Procedures for Electronic Records and Signatures version 2.0 (SPeRS 2.0) was released. This new version of SPeRS reflects current e-commerce business practices and updates applicable electronic record and signature case law and federal regulatory developments since SPeRS was originally published in 2003. The update also examines nationwide developments in the evolving area of electronic notarization laws. SPeRS is a technology-neutral set of guidelines and strategies for industry use in designing and implementing systems for electronic transactions under the federal Electronic Signatures in Global and National Commerce Act (ESIGN) and state adoptions of the Uniform Electronic Transactions Act (UETA). SPeRS 2.0 updates the groundbreaking guidance contained in SPeRS 1.0, developed by a broad cross-section of leading financial service companies and trade associations. More information about SPeRS is available at www.spers.org.

    ESIGN

  • Third Circuit Upholds District Court's Order Enjoining Full Enforcement of New Jersey Gift Card Escheat Law

    Fintech

    Recently, the U.S. Court of Appeals for the Third Circuit affirmed the district court's decision to enjoin New Jersey from fully applying and enforcing its gift card escheat law. N.J. Retail Merchs. Assoc. v. Sidamon-Eristoff, No. 10-4551, 2012 WL 19385 (3d Cir. Jan. 5, 2012). Retailers challenged the constitutionality of a 2010 amendment to New Jersey's unclaimed property statute that provided for the custodial escheat of stored value cards (SVCs or gift cards). Under New Jersey's Chapter 25, SVCs are presumed to be abandoned after two years of inactivity and issuers are required to transfer to the state the remaining value on the SVCs at the end of the two-year abandonment period. In addition, issuers are required to obtain the name and address of the purchaser or owner of each SVC issued or sold and, at a minimum, maintain a record of the zip code of the owner or purchaser, and there is a presumption that the address of the owner or purchaser is the same as the address of the place where the SVC was purchased or issued. This latter provision has the effect of causing unused funds to escheat to New Jersey, rather than to the state where the card issuer is domiciled, when the last known address of the purchaser is unknown. In response to challenges under the Supremacy Clause, the Due Process Clause, the Commerce Clause, the Contract Clause, and the Takings Clause of the U.S. Constitution, the Third Circuit upheld the district court's preliminary injunction enjoining the retroactive application of Chapter 25 to SVCs redeemable for merchandise or services that were issued before Chapter 25's enactment. It also upheld the district court's preliminary injunction enjoining the prospective enforcement of the place-of-purchase presumption. The court, however, declined to prospectively enjoin the data collection provision or the two-year abandonment provision, finding that SVC issuers failed to show a reasonable likelihood of success on the merits of these claims and that the data collection provision is severable from the place-of-purchase provision.

    Gift Cards

  • FINRA Issues Notice Regarding Increasing Account Attacks and Theft of Funds

    Fintech

    On January 26, the Financial Industry Regulatory Authority (FINRA) issued Regulatory Notice 12-05, notifying institutions of an increase in reports of customer funds being stolen through improper access to customer email accounts and unauthorized electronic instructions to transfer or withdraw funds. FINRA urged firms to review policies and procedures to ensure protection of customer funds, particularly in cases where the request for funds and transmittal are handled electronically. FINRA recommends that policies and procedures include methods for confirming the identity of the requestor, as well as a system to identify and respond to “red flags.” Concurrent with the regulatory notice, FINRA issued an alert to investors warning about the increased account breach activity and providing tips for protecting account information and funds.

    FINRA Privacy/Cyber Risk & Data Security

  • Third Circuit Affirms Partial Expiration Date on Receipt Violates FACTA

    Fintech

    On January 24, the U.S. Court of Appeals for the Third Circuit affirmed a district court holding that printing of partial expiration dates does constitute a Fair and Accurate Credit Transactions Act (FACTA) violation, but held that the merchant, in this case, did not willfully violate FACTA by printing a portion of credit card expiration dates on customer receipts. Long v. Tommy Hilfiger U.S.A., Inc., No. 11-1554, 2012 WL 180874 (3rd Cir. Jan. 24, 2012). The consumer alleged, on behalf of a putative nationwide class, that the merchant’s practice of printing receipts that included the expiration month, but not year, willfully violated FACTA’s prohibition against printing “more than the last five digits of a credit card number or the expiration date upon any receipt provided” at the time of a transaction. On appeal, the court considered two questions: (i) whether the consumer properly alleged a FACTA violation, and (ii) whether the merchant’s alleged conduct constituted a willful violation of FACTA. The court held that FACTA prohibits printing of partial expiration dates, and that therefore plaintiff did properly allege a FACTA violation. The court explained that “expiration date” is not defined in the law, and found that “the most natural reading of the phrase” prohibits merchants from printing any of the numbers that appear in the expiration date field on a credit or debit card. If Congress had intended to allow partial expiration dates, the court stated, it would have used language similar to that used with regard to partial credit card numbers. However, the court held that the consumer could not recover statutory damages of $100 to $1,000 per violation, punitive damages, and attorneys’ fees, because the merchant’s action was not willful. Relying on a standard set in Safeco Insurance Company of America v. Burr, 551 U.S. 47 (2007), the court held that the merchant’s interpretation that the statute permits partial expiration dates was not “objectively unreasonable”, because the statute does not provide a definition for “expiration date” and the interpretation has some foundation in the statutory text. According to the court, although the merchant’s interpretation of FACTA was wrong, it did not constitute a willful violation of the law.

    FACTA Privacy/Cyber Risk & Data Security

  • California Federal Court Dismisses Data Loss Class Action Because No Immediate Harm Exists

    Fintech

    On January 20, the U.S. District Court for the Eastern District of California dismissed a putative class action brought on behalf of California residents against a company that lost multiple server drives containing personal and medical information. Whitaker v. Health Net of Cal., Inc. No. 11-910, 2012 WL 174961 (E.D. Cal. Jan. 20, 2012). The named plaintiff alleged that the loss of the drives and personal information violated California’s Confidentiality of Medical Information Act. Relying on Ninth Circuit decisions in Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010) and Ruiz v. Gap Inc., No. 09-15971, 380 F. Appx. 689 (9th Cir. May 28, 2010), the plaintiff argued that the threat of harm naturally stems from a loss of data alone. The court held, however, that there is a difference between theft and loss of data. Unlike those prior cases in which personal data was obtained by hacking or data breach, loss of data does not present any actual or immediate harm, only conjectural or hypothetical harm. The court held that the plaintiff lacked standing and dismissed the case with leave to amend because the possibility of harm is not sufficient to meet the constitutional injury-in-fact standard.

    Privacy/Cyber Risk & Data Security

  • CFPB Finalizes Amendments to Remittance Transfer Rules (Regulation E)

    Fintech

    On January 20, the CFPB issued a final rule to amend regulations applicable to consumer remittance transfers of over fifteen dollars originating in the United States and sent internationally. Generally, the final rule requires remittance transfer providers to (i) provide written pre-payment disclosures of the exchange rates and fees associated with a transfer of funds, as well as the amount of funds the recipient will receive, and (ii) investigate consumer disputes and remedy errors. The rulemaking stems from a Dodd-Frank Act provision that expanded the scope of the Electronic Fund Transfer Act to cover international money transfers, and concludes an effort started by the Federal Reserve Board (FRB) that was transferred to the CFPB last year. The final rule closely tracks the proposed FRB rule, but among other things, provides (i) a thirty-minute cancellation period for consumers, as opposed to the proposed one-day period, (ii) additional compliance guidance for specific circumstances, including for transactions conducted by mobile applications, and (iii) revised model disclosure forms. Concurrent with the final rule, the CFPB issued a request for comment on additional revisions to the regulations, including comments and information for use in (i) setting a specific safe harbor for remittance transfer providers that do not provide such services “in the normal course of business”, and (ii) applying the new disclosure and cancellation requirements in cases where the request is made several days in advance of the transfer date. Comments on the proposal will be accepted for sixty days following publication in the Federal Register.

    CFPB Dodd-Frank

  • Upromise Settles with FTC Over Collection of Consumers' Personal Information

    Fintech

    On January 5, the FTC announced that Upromise had agreed to settle charges that its collection of consumers’ personal information was deceptive and an unfair practice, and that the collection violated federal law. Upromise’s website offered consumers a “TurboSaver Toolbar” download with a “Personalized Offers” feature to tailor savings opportunities to the consumer. The FTC alleged that the feature collected and transmitted, without encryption, the names of websites consumers visited, which links they clicked on, and information entered into webpages such as search terms, user names, and passwords. According to the FTC, the information collected also included credit card and financial account numbers, security codes and expiration dates, and Social Security numbers. Upromise’s privacy statement, however, stated that (i) the toolbar would only infrequently and inadvertently collect personal identifying information, (ii) personal information would be removed before the data was transmitted, and (iii) Upromise automatically encrypts users’ sensitive information. The proposed settlement requires in part that Upromise (i) destroy data collected, (ii) update its disclosures, (iii) notify consumers regarding the type of information collected and how to disable the toolbar, and (iv) obtain a biennial independent audit for the next twenty years. The proposed settlement is open for public comment through February 6.

    FTC Privacy/Cyber Risk & Data Security

  • U.S. Supreme Court Rules Credit Repair Organizations Act Does Not Override Arbitration Agreements

    Fintech

    On January 10, the U.S. Supreme Court ruled (8-1) that the Credit Repair Organizations Act (CROA) does not override the Federal Arbitration Act’s (FAA) broad requirement that arbitration agreements be enforced according to their terms. CompuCredit Corp. v. Greenwood, No. 10-948, 2012 WL 43514 (Jan. 10, 2012). This case involves a proposed class of consumers alleging CompuCredit violated the CROA when it marketed and provided a no-deposit credit card to consumers with poor credit and then charged fees against the credit limit. CompuCredit sought to compel arbitration to enforce the terms of the card agreement, which mandated individual arbitration of disputes. The district court and Ninth Circuit both sided with the proposed class, finding the arbitration clause in conflict with the CROA’s “right to sue” provision and therefore void. On appeal, the consumer respondents urged the Supreme Court to follow the Ninth Circuit and hold that because the CROA requires a disclosure that a consumer has the right to sue a violating credit repair organization, and because the CROA prohibits waiver of any right given under the CROA, the right to file suit cannot be waived by an arbitration agreement. The Supreme Court rejected the Ninth Circuit’s line of reasoning and reversed, holding instead that (i) the FAA establishes a liberal policy requiring enforcement of arbitration agreements according to their terms, (ii) the CROA is silent on arbitration and its disclosure provisions do not create a right to sue that overrides the broad FAA mandate, and (iii) Congress could have specifically prohibited arbitration provisions in the CROA.

    Credit Cards Arbitration U.S. Supreme Court CROA

  • Washington District Court Rules ISP Contract Terms Were Not Reasonably Conspicuous

    Fintech

    On January 3, the U.S. District Court for the Western District of Washington denied an Internet service provider’s (ISP) motion to compel arbitration, holding in part that the ISP’s terms of service agreement containing the arbitration clause was not reasonably conspicuous. Kwan v. Clearwire Corp., No. C09-1392JLR, 2012 WL 32380 (W.D. Wash. Jan. 3, 2012). In this case, plaintiffs filed suit on behalf of a putative class against an ISP and its debt-collection vendors for violations of federal and state consumer-protection laws based on the defendants’ repeated attempts to collect payments the ISP claimed it was due under mobile Internet service contracts. The ISP moved to compel arbitration, asserting (i) that its customers are required to acknowledge and agree to certain terms of service, including an agreement to arbitrate disputes, before using the ISP’s services (i.e., a so-called “clickwrap agreement”); and (ii) that the ISP sent to customers order-confirmation e-mails that also included a link to the terms of service (i.e., a so-called “browsewrap agreement”).

    Relying on the Second Circuit’s analysis in Specht v. Netscape Comms. Corp., 605 F.3d 17 (2nd Cir. 2002), the court identified as the central issue whether the consumer had notice of and access to the terms and conditions of the contract prior to the conduct that allegedly indicated the consumer’s assent. With regard to the confirmation e-mail, the court found that the e-mail did not contain a direct link to the terms of service but rather a link to the ISP’s homepage that provided subsequent links to the terms of service. Further, the link that was provided in the confirmation e-mail did not appear until the third page of the e-mail. Thus, the court held that access to the terms of service did not constitute sufficient or reasonably conspicuous notice of those terms. However, the court also held that the consumers’ acceptance of terms through the clickwrap agreement would have bound them to the terms of service and the arbitration clause, but that issues of fact exist as to whether the named plaintiffs actually clicked to accept the terms. The court deferred resolution of those issues for a factual hearing, as well as a decision on whether a consumer who specifically declines to accept the terms of service is still bound by those terms by virtue of simply accessing the terms of service.

    Arbitration

  • FTC Obtains Agreement from Payment Processor to Prohibit Use of New Payment Method

    Fintech

    On January 5, the FTC announced a settlement with a payment processor and two of its principals that will prohibit the company from using a new payment method, through which accounts were debited without account-holder consent. The FTC alleged that the company actively promoted the method as a way to avoid scrutiny associated with other payment methods, and ignored red flags - such as payment-rejection rates exceeding 80 percent - that its merchant customers were seeking to defraud account-holders. As a result, according to the FTC, consumers incurred significant costs, including for overdraft fees. In addition to banning the use of this payment process, the settlement requires, among other things, that the company monitor client return rates and investigate rates exceeding 2.5 percent.

    FTC Payment Systems
