CBA Publications >> CBA Regulatory Compliance Bulletin >> Vol 2003 No.07
June 23, 2003

Vol 2003 No. 07 June 23, 2003

June 2003 Legal/Regulatory Update

Computer intrusion notification law. This July 1, last year's AB 700, discussed in CBA Regulatory Compliance Bulletin 2002-18, will go into effect. The bill requires notification to affected persons of any security breach where personal consumer data is reasonably believed to have been acquired by an unauthorized person. The notice of breach must be made "in the most expedient time possible and without unreasonable delay. Because the bill creates an exception where the covered data is protected by encryption, banks should determine with counsel the extent to which they can avail themselves of this provision. Also, banks should ensure that agreements with third party processors include the legal requirement that the processor notify the bank immediately of such a breach.

Social security numbers relating to EFTs. July 1 also marks the expiration of the one-year relief from the prohibition against printing social security numbers on statements sent to customers where the information is imbedded in electronic fund transfers. The printing and publication of SSNs generally is prohibited under SB 168, a law passed two years ago. Banks have been grappling with the challenge of suppressing or truncating SSNs on an automated basis without the help of the National Association of Clearing House Associations (NACHA), which had decided against amending its clearing house rules to disallow originators from including SSNs numbers in electronic fund transfers. Treasury, too, has not taken efforts to exclude SSNs.

The bill does not include enforcement provisions, and does not create a private right of action for violations. However, an action potentially may be brought in California under the state's Unfair Competition Law (Business & Professions Code Section 17200 et. seq.) The result of the law is that some banks have resorted to suppressing entire fields that may also include information that customers find either useful or necessary.

Force Order Insurance. A California court of appeal recently held that a bank's force order insurance program (FOI) violates the state's Unfair Competition Law (Business & Professions Code Section 17200). The class action case involved borrowers who had failed to maintain hazard insurance on loan collateral, requiring the bank to force place insurance purchased from an insurer selected by the bank. The borrowers claimed that, in accordance with the relevant deeds of trust, the bank was entitled to advance funds on behalf of borrowers only to the extent necessary to protect the bank's rights.

As with most force order insurance programs, the bank's insurer charged higher premiums than that normally available to individual borrowers, and provided administrative services associated with tracking hazard insurance coverage on the bank's portfolio of loans. The defendant bank earned no commissions on replacement policies. The court determined that the bank was not permitted under the deed of trust to charge borrowers any amount more than what the bank incurred in premiums for the replacement coverage. Because the bank charged premiums that included tracking costs related to the bank's entire loan portfolio, including loans to which the FOI program could not apply, the bank's actions were deemed to be fraudulent and unfair under Section 17200.

Banks that force place insurance should review their documentation to ensure that the relevant provisions do not limit their authority to charge borrowers only for the cost of replacement insurance premiums.

No federal preemption. The appellate court also found no federal preemption under the Home Owners' Loan Act (HOLA) and Office of Thrift Supervision (OTS) regulations. The court reasoned that, while HOLA and its underlying regulations preempt state laws that govern the business of lending, plaintiffs' claims arise from contractual duties voluntarily undertaken by the parties. The court reasoned that federal laws and regulations do not prevent a party from enforcing a contractual duty not to refrain from unfair or deceptive business practices.

Excessive bank fees. Litigation that the industry has been following regarding a requirement under California Insurance Code Section 12413.5, which mandates that title companies pay to parties to an escrow any interest earned on escrowed funds, has been resolved largely in banks' favor. Plaintiff borrowers alleged that their title companies earned interest from banks on funds that the borrowers placed in escrow, and that the title companies failed to pass the interest along to them in violation of the Insurance Code. The court found that the banks' services to the title companies did not constitute interest, and that the banks did not violate the Federal Reserve's Regulation Q prohibiting the payment of interest on corporate deposit accounts.

Unfortunately, the court unexpectedly allowed plaintiffs to proceed against the banks on a claim that the banks overcharged title companies for banking services, resulting directly in borrowers being overcharged for escrow services. This bizarre ruling would insert California courts into the business of regulating pricing, not only of banks but all other businesses. Moreover, the liability for "overcharging" would extend to the customers of the overcharged entity, the plaintiff borrowers in this case. The court noted that plaintiffs had alleged a profit margin on some services to exceed 50%, apparently setting a limit on how much profit any company may make without being subject to judicial scrutiny.

Financial privacy update. SB 1, the state financial privacy bill did not pass out of the Assembly Banking Committee. The proposed bill would have required separate state privacy notices, would have created uncertainty about the availability of transactional exceptions, and included penalty provisions for each violation. If the bill is not revived and passed this year, it is likely that a statewide financial privacy initiative will be introduced next year.

The fate of financial privacy ordinances passed in several cities and counties in the San Francisco Bay Area is in the hands of a federal district court, which is deliberating on a summary judgment motion. If the industry's attempt to dismiss the suit is not granted, some of those ordinances may become effective immediately or by January 1, 2004.

Revised FDIC examination process. The FDIC has revised its examination process applicable to examinations for which an on-site review is scheduled to begin on or after June 30, 2003. Two new chapters will be incorporated into the FDIC Compliance Examination Manual introducing the new procedures.

The new procedures will focus on banks' compliance management system, consisting of: board and management oversight, policy and procedures, monitoring, training, and response to customer complaints, and audit. The information and document requests sent to banks are combined into one new document, the "Compliance Information and Document Request." The document will request information to enable examiners to begin an off-site evaluation of an institution's compliance management system. The expanded use of pre-examination reviews is intended to create efficiencies by allowing examiners to build on previous examinations and focus attention primarily on what has changed in between examinations.

There will be a single examination report focusing on banks' compliance management systems, and only significant violations will be included. Other violations will continue to be provided to management, and tracked by the FDIC. For further information, go to the FDIC's website at: http://www.fdic.gov/news/news/financial/2003/fil0352.html.

Section 326 reconsidered. In response to concerns raised by House Judiciary Committee Chairman James Sensenbrenner (R-Wis.), the Treasury Department will seek comments on whether banks should be required to retain photocopies of identification documents relied upon to verify identity under the USA Patriot Act's Section 326, and whether there are situations when Section 326 should preclude reliance on certain forms of foreign government-issued identification. This comes shortly after the federal banking agencies had already issued its final rules that require neither retention nor verification of identification cards. So far, the October 1, 2003 compliance date of the Section 326 final regulations remains in effect.

Regulatory burden relief proposal. The federal banking regulators are embarking on an effort to streamline the regulations affecting banks. The first three of twelve categories of regulations that the agencies seek comments about are applications and reporting, powers and activities, and international operations. CBA is soliciting comments to be incorporated in its letter. Please contact Leland Chan at 415-284-6999 ext. 214 or lchan@calbankers.com. The proposal may be viewed at: http://www.fdic.gov/regulations/laws/federal/03EGPRA.html.

The information contained in this CBA Regulatory Compliance Bulletin is not intended to constitute, and should not be received as, legal advice.  Please consult with your counsel for more detailed information applicable to your institution.