LENDERS COMPLIANCE GROUP®


Thursday, August 24, 2023

Personally Identifiable Information

QUESTION 

We passed our information security review by our banking department. However, they found that our description of personally identifiable information was too narrow. 

We need to revise our policies and procedures and submit them to the banking department. Hopefully, you can offer a broader understanding of this area of customer privacy. 

What is a good working description of personally identifiable information for our policy? 

ANSWER 

Most people have heard of nonpublic personal information, called “NPI.” To be precise, as it relates to financial institutions, NPI is personally identifiable information (“PII”) that:


1. The consumer provides to a financial institution;

2. Results from a transaction or service provided for the consumer; or

3. The financial institution otherwise obtains, and that is not publicly available.[i]

As a practical matter, most information that a financial institution collects from a consumer or customer is NPI. In fact, NPI also includes lists, descriptions or groupings of consumers, even if the data is publicly available, if the financial institution has derived the data from an individual’s nonpublic personal information. 

Personally identifiable information, PII, is any information a consumer or customer gives to a financial institution in connection with applying for or receiving a product or service.[ii] 

To broaden the foregoing description, PII is (1) any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.[iii] 

Here are a few common examples of PII:


·     Name: full name, maiden name, mother’s maiden name, or alias;

·     Personal identification numbers: social security number (SSN), passport number, driver’s license number, taxpayer identification number, patient identification number, financial account number, or credit card number;

·     Personal address information: street address or email address;

·     Personal telephone numbers;

·     Personal characteristics: photographic images (particularly of face or other identifying characteristics), fingerprints, or handwriting;

·     Biometric data: retina scans, voice signatures, or facial geometry;

·     Information identifying personally owned property: VIN or title number; and

·     Asset information: Internet Protocol (IP) or Media Access Control (MAC) addresses that consistently link to a particular person.

However, there are examples that, on their own, do not constitute PII, as more than one person could share these traits. But when linked or linkable to one of the above examples, the following could be used to identify a specific person:


·       Date of birth;

·       Place of birth;

·       Business telephone number;

·       Business mailing or email address;

·       Race;

·       Religion;

·       Geographical indicators;

·       Employment information;

·       Criminal history;

·       Medical information;[iv]

·       Education information;[v] and

·       Financial information.

Thus, PII refers to information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying information linked or linkable to a specific individual. 

It is essential to note that the definition of PII is not anchored to any single category of information or technology.[vi] Rather, it requires a case-by-case assessment of the specific risk that an individual can be identified. In performing this assessment, the financial institution should recognize that “non-PII” – non-personally identifiable information – can become PII whenever additional information is made publicly available – in any medium and from any source – that, when combined with other available information, could be used to identify an individual. 

Indeed, there is even PII that is considered high risk, called “High Risk PII.” The Department of Energy describes High Risk PII as PII which, if lost, compromised, or disclosed without authorization, could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual.[vii] Examples of High Risk PII include Social Security Numbers (SSNs), biometric records (e.g., fingerprints, DNA), health and medical information, financial information (e.g., credit card numbers, credit reports, bank account numbers), and security information (e.g., security clearance information). 

While all PII must be handled and protected appropriately, High Risk PII must be given greater protection and consideration – especially following a breach – because of the increased risk of harm to an individual if it is misused or compromised. 


Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director 
Lenders Compliance Group


[i] 15 USC § 6809(4)

[ii] 16 CFR § 313.3(o)(1)

[iii] Safeguarding Against and Responding to the Breach of Personally Identifiable Information, OMB Memorandum M-07-16, May 22, 2007

[iv] May be subject to HIPAA requirements

[v] May be subject to FERPA requirements

[vi] Op. cit. iii

[vii] Department of Energy Privacy Program, DOE O 206.1 Chg1 (MinChg), January 16, 2009

Thursday, June 22, 2023

Debt Collection Acts and Regulations

QUESTION

I am an associate in the compliance department of a mortgage lender. We are a nonbank lender licensed in 40 states. Our company is involved in originating and servicing loans. 

I have been updating our debt collection policy. Reading through it, I found several gaps in areas covered by federal law. But I am not sure I’ve got them all! 

I need help getting a list of the laws involved in debt collection. I hope you can assist. 

What are the federal laws relating to debt collection? 

ANSWER

Many financial institutions and other entities engage in debt collection, including originating creditors, third-party collectors, debt buyers, and collection attorneys. 

Here is a non-comprehensive bullet list of the variety of such businesses: 

·       Originating creditors that attempt to obtain payment from the consumer, typically by sending letters and making telephone calls to convince the consumer to pay; 

·       Originating creditors that outsource the collection of debt to third-party collection agencies or attorneys or sell the debt to debt buyers after an account has been delinquent for a period of time; 

·       Third-party collection agencies that collect debt on behalf of originating creditors or other debt owners, often on a contingency fee basis; 

·       Debt buyers that purchase debt, either from the originating creditor or from another debt buyer, usually for a fraction of the balance owed; 

·       Debt buyers that sometimes use third-party collection agencies or collection attorneys to collect their debt but may also undertake their own collection efforts; 

·       Debt buyers that decide to sell purchased debt to another debt buyer. 

The Dodd-Frank Act (Act) gave the Consumer Financial Protection Bureau (CFPB) supervisory authority over various types of institutions that may engage in debt collection, including certain depository institutions and their affiliates, and nonbank entities in the residential mortgage, payday lending, and private education lending markets, as well as their service providers. The Act also gave the CFPB supervisory authority over “larger participants” of markets for consumer debt collection, as the CFPB defines by rule, and their service providers.[i] 

The CFPB issued a larger participant regulation in the consumer debt collection market.[ii] The consumer debt collection larger participant rule[iii] provides that a nonbank covered person is a larger participant in the consumer debt collection market if the person’s annual receipts from consumer debt collection – as defined in the rule – are more than $10 million. 

The entities that the CFPB supervises must comply with several primary laws to the extent applicable. I will provide a brief description of each. 

Fair Debt Collection Practices Act (FDCPA) 

The FDCPA governs collection activities and prohibits deceptive, unfair, and abusive collection practices. The FDCPA applies to entities that constitute “debt collectors,” which generally include: 

·       Third parties such as collection agencies and collection attorneys collecting on behalf of lenders; 

·       Lenders collecting their own debts using an assumed name; and 

·       Collection agencies that acquire debt at a time when it is already in default. 

The FDCPA applies to debts incurred or allegedly incurred primarily for the consumer’s personal, family, or household purposes. 

Fair Credit Reporting Act (FCRA) 

The FCRA and its implementing regulation, Regulation V, require that furnishers of information to consumer reporting agencies follow reasonable policies and procedures regarding the accuracy and integrity of data they place in the consumer reporting system. The FCRA and Regulation V require furnishers and consumer reporting agencies to handle disputes and impose other obligations on furnishers, consumer reporting agencies, and users of consumer reports. 

Gramm-Leach-Bliley Act (GLBA) 

The GLBA and its implementing regulation, Regulation P, impose limitations on when financial institutions can share nonpublic personal information with third parties. Under certain circumstances, financial institutions must also disclose their privacy policies and permit customers to opt out of certain sharing practices with unaffiliated entities. 

Electronic Fund Transfer Act (EFTA) 

The EFTA and its implementing regulation, Regulation E, impose requirements if an institution obtains electronic payments from a consumer within the statute’s scope of coverage. 

The Equal Credit Opportunity Act (ECOA) 

The ECOA and its implementing regulation, Regulation B, apply to all creditors and prohibit discrimination in any aspect of a credit transaction based on race, color, religion, national origin, sex, marital status, age,[iv] receipt of public assistance income, or exercise in good faith of any right under the Consumer Credit Protection Act.[v] Credit transactions encompass “every aspect of an applicant’s dealings with a creditor regarding an application for credit or an existing extension of credit,” and include “revocation, alteration, or termination of credit” and “collection procedures.”[vi] 

A word about Unfair, Deceptive, or Abusive Acts or Practices (UDAAP). There are risks to consumers that may include potentially unfair, deceptive, or abusive acts or practices. In your debt collection policy, I suggest you have risk assessment procedures regarding UDAAP and include CFPB information about the legal standards and its approach to examining for UDAAP. The particular facts and circumstances in a case are crucial to determining UDAAP. Institutions should determine whether the applicable legal standards have been met before a UDAAP violation is cited.

Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director 
Lenders Compliance Group


[i] 12 USC 5514(a)(1)(B)

[ii] On October 24, 2012

[iii] 12 CFR Part 1090, effective January 2, 2013

[iv] Provided the applicant has the capacity to contract.

[v] 12 CFR 1002.2(z), 1002.4(a)

[vi] 12 CFR 1002.2(m)

Thursday, September 1, 2022

UDAAP Violations caused by Insufficient Data Protection

QUESTION

Last year, we were criticized by our regulator for not “safeguarding consumer data.” We revamped our policies and procedures for several weeks, hired an IT company, did penetration testing, and even hired a law firm to check our system. They brought in a firm such as yours to do an overview of our policies. So, we thought we covered all the bases. 

We have just received a letter from the regulator. They are requesting an on-site visit soon. This was expected. But as we got ready for the examination, we learned that the CFPB is going after consumer protection violations, such as connecting to UDAAP violations. 

Since we covered everything – or thought we did! – it would be great if you could fill in any possible blanks to prepare for the coming examination. 

What important actions can we take to double-check our consumer data security? 

ANSWER

Safeguarding consumer data requires constant vigilance. Some companies dwell on the digital aspects, but that is certainly not enough, and the obligation is not so narrowly drawn. I think your question is best understood in the context of insufficient data protection because insufficient data protection may indeed lead to UDAAP violations. 

The nexus to UDAAP violations is likely what the CFPB has in mind concerning safeguarding sensitive consumer information.[i] While the prohibitions in UDAAP are fact-specific, failure to implement common data security practices will significantly increase the likelihood that a firm may be violating UDAAP. 

The CFPB issuance you mention is meant to increase the focus on potential misuse and abuse of personal financial data. As part of this effort, the CFPB is explaining how and when firms may be violating the Consumer Financial Protection Act (CFPA) with respect to data security. Specifically, financial companies are at risk of violating the CFPA if they fail to have adequate measures to protect against data security incidents. 

I am going to describe the CFPB’s view of conduct that typically meets the first two elements of a UDAAP claim, that is, (1) the likeliness to cause substantial injury to consumers and (2) that it is not reasonably avoidable by consumers, which then increases the risk that an entity’s conduct triggers liability under the CFPA’s prohibition of unfair practices. 

To put this in stark, declarative terms: 

Inadequate data security can be an unfair practice in the absence of a breach or intrusion.[ii] 

Note that the linkage to UDAAP does not depend on a breach having occurred: inadequate data security on its own can be an unfair practice, even where there has been no breach or intrusion. How did we get here? 

Past data security incidents did it! For instance, the 2017 Equifax data breach led to the harvesting of sensitive personal data of hundreds of millions of Americans. In some cases, these incidents violated the CFPA and other laws. In the case of Equifax, the CFPB alleged that Equifax violated the CFPA’s prohibition on unfair acts or practices.[iii] The Federal Trade Commission (FTC) also alleged that Equifax violated the FTC Act and the FTC’s Safeguards Rule, which implements Section 501 of the Gramm-Leach-Bliley Act (GLBA) and establishes certain requirements that nonbank financial institutions must adhere to for the protection of financial information.[iv] 

Providers of consumer financial services are subject to specific requirements to protect consumer data. 

Safeguards 

In 2021, the FTC updated its Safeguards Rule, implementing section 501(b) of the GLBA to set forth specific criteria relating to the safeguards that certain nonbank financial institutions must implement as a part of their information security programs. 

Among other things, these safeguards include: 

·     Limiting who can access customer information; 

·     Requiring the use of encryption to secure such information; and 

·     Requiring the designation of a single qualified individual to oversee an institution’s information security program, who reports at least annually to the institution’s board of directors or equivalent governing body. 

The federal banking agencies also have issued interagency guidelines to implement section 501 of the GLBA. 

Failure to comply with these requirements may violate the CFPA’s prohibition on unfair acts or practices in certain circumstances. 

Here’s a Rule of Thumb for defining an unfair act or practice: it is an act or practice 

·       That causes or is likely to cause substantial injury to consumers, 

·       Which is not reasonably avoidable by consumers, and 

·       Is not outweighed by countervailing benefits to consumers or competition.

Turning to insufficient data protection, there are at least three safeguards you can implement that may serve to overcome allegations of not sufficiently protecting sensitive consumer data. I will discuss them briefly here. However, your policies and procedures must require them, and you must test their implementation regularly. 

Safeguard Number One: Multi-Factor Authentication 

Multi-factor authentication (MFA) is a security enhancement that requires multiple credentials (factors) before an account can be accessed. The factors fall into three categories: 

1.       Something you know, like a password. 

2.       Something you have, like a token. 

3.       Something you are, like your fingerprint. 

Many of our clients use a common MFA setup that requires both a password and a temporary numeric code to log in. Another MFA factor is the use of hardware identification devices. Not all MFA methods provide the same level of protection. MFA greatly increases the level of difficulty for adversaries to compromise enterprise user accounts and thus gain access to sensitive customer data. MFA solutions that protect against credential phishing – like the Web Authentication (WebAuthn) standard supported by web browsers – are especially important.

Friday, July 22, 2022

Nonpublic Personal Information: Lead Generation Minefield

QUESTION

We used a lead generator. We belatedly found out the lead generation company used nonpublic personal information. Our regulator picked up on it in an examination and cited us for violations for every single one of the leads. 

Our CEO fired the lead generator, even though they are big and highly recommended. But now we’re forced to deal with the regulator doing special monitoring as well as the penalties. 

I am an associate in the compliance department. Our Compliance Manager asked me to write you for some advice on how we can go about distinguishing between a customer’s nonpublic personal information and public information. We are revising our policy for lead generators. Your feedback would be really helpful. 

How do we distinguish between nonpublic personal information and public information? 

ANSWER 

Lead generation companies can be a regulatory minefield. Over the years, we have been approached by lead generation companies to offer guidance. Many of these companies do not operate with sufficient regulatory scrutiny. They fly under the radar, grabbing customer information from many obvious and not-so-obvious sources. 

The Gramm-Leach-Bliley Act (GLBA) governs an institution’s distribution of nonpublic personal information (“NPI”) related to consumers. If the information is considered nonpublic personal information, distributing that information to third parties is subject to the GLBA. Information not deemed nonpublic personal information is not subject to GLBA and may be used without regard to the restriction. 

I published an article on this topic a few years ago, entitled The Lead Generation Company: Managing the Risks. Go ahead and download it here. The article offers quite a lot of solid information, including my Four Rules for lead generation marketing. It also provides my Three Concerns about online lead generation companies. I give tips on an institution’s policy and procedures and how to plan for a regulator’s visit. 

Also, request a presentation of our Privacy Tune-up, which evaluates GLBA compliance.

If you use a lead generation company, I suggest you contact a competent compliance professional. There are just too many pitfalls, regulatory traps, and exceedingly high compliance and legal risks to viewing lead generation as a mere marketing matter. 

Let’s start with the concept of Nonpublic Personal Information.[i] There are essentially two interlocking definitions: 

·    Personally identifiable financial information, and 

·    Any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using any personally identifiable financial information. 

This definition does not include any publicly available information. 

I will discuss consumer lists momentarily. First, however, let’s review essential terminology. 

The term “personally identifiable financial information” is broadly interpreted.[ii] What is considered personally identifiable financial information includes information: 

·    Provided by a consumer to the institution to obtain a financial product or service from the institution when applying for a financial product or service; 

·    About a consumer resulting from transactions between the institution and the consumer involving a financial product or service; and 

·    Otherwise obtained about a consumer in connection with a financial product or service. 

For instance, the following information about a consumer is personally identifiable financial information: 

·    Information that a consumer provides on an application to obtain a loan, credit card, insurance, or other financial product or service, including, among other things, medical information; 

·    Account balance information, payment history, overdraft history, and credit or debit card purchase information; 

·    The fact that an individual is or has been a customer or has obtained a financial product or service from the institution, unless that fact is derived using only publicly available information, such as government real estate records or bankruptcy records; 

·    Other information about a consumer if disclosed in a manner that indicates the individual is or has been a customer of the institution (such as a list of consumers who have loans or deposit accounts with the institution); 

·    Any information provided by a consumer or otherwise obtained by the institution or an agent of the institution in connection with collecting on a loan or servicing a loan; 

·    Any information the institution collects through an Internet cookie (an information-collecting device from a web server); and 

·    Information from a consumer report (i.e., a credit report or other report subject to the FCRA). 

In other words, virtually all the information a financial institution has about consumers with whom it does business is personally identifiable financial information under the applicable rule, including the fact that the consumer even conducts business with the institution. 

The only type of information that would not be considered personally identifiable financial information would be whatever information the institution would obtain outside the relationship involving a financial product or service. For instance, personally identifiable financial information does not include: 

·    A list of names and addresses of customers of an entity that is not a financial institution, such as a magazine subscription list, and 

·    Information that does not identify a consumer, such as aggregate information or blind data that does not contain personal identifiers like account numbers, names, or addresses. (An example of this would be something similar to the Home Mortgage Disclosure Act (HMDA) data available to the public. The HMDA list contains a substantial amount of specific information about individual consumer mortgage loans, but it identifies individual loans by random numbers rather than by name, loan number, social security number, and so forth.)

Thursday, February 17, 2022

Annual Privacy Disclosure Rules

QUESTION 

As a result of a banking examination, we found out that we failed to provide an annual privacy disclosure on our portfolio loans. These are closed-end, portfolio loans that we do not sell to the secondary market. 

We thought our privacy policy made sure this would not happen. That said, the regulator was not particularly thrilled with our privacy policy. 

In updating the policy, we would like some guidance to consider for the section devoted to the annual disclosure. 

What are some aspects of the annual privacy disclosure that are important to include in our policy? 

ANSWER 

As I have said multiple times, a policy is useless if not implemented. And if it is implemented but not monitored, it’s also meaningless. Just because you have a policy does not mean you have taken the appropriate compliance actions needed to both implement and monitor the requirements thereunder. A policy bereft of implementation and monitoring is no more than dysfunctional pontification. So, understand, even if you claim to be implementing, you must also be monitoring. 

Under the applicable regulations,[i] an institution must provide a disclosure of its privacy policy at least annually during the continuation of the customer relationship. 

An institution may define the 12-consecutive-month period however it wants, but the institution must apply it to the customer on a consistent basis. Consistency matters, and it will be determined in a banking examination. 

By “annually” is meant at least once in any period of 12 consecutive months during which that relationship exists. An institution is required to provide the annual disclosure only during the term of the customer relationship with the consumer and is not required to provide an annual notice to a customer with whom the institution no longer has a continuing relationship. 

So, when does a consumer no longer have a continuing relationship with an institution? When any of the following situations occur: 

·      In the case of a deposit, share, or share draft account, the account is considered inactive (i.e., dormant) under the institution’s rules. (Any state law test for dormancy does not apply in this situation; only the institution’s own policy is used.) 

·      In the case of a closed-end loan, the consumer pays the loan in full, the institution charges off the loan, or the institution sells the loan without retaining servicing rights or transfers the servicing rights. 

·      In the case of a credit card relationship or other open-end credit relationship, the institution no longer provides any statements or notices to the consumer concerning that relationship, or the institution sells the credit card receivables without retaining servicing rights. 

·      For other types of relationships, the institution has not communicated with the consumer about the relationship for a period of 12 consecutive months, other than to provide annual notices of privacy policies and practices or other promotional materials. Therefore, the fact that the institution continues to send the consumer promotional material will not require that a privacy policy be sent annually if there is no communication with the customer about the customer relationship. 

·      In the case of a credit union, an individual is no longer a member as defined in its bylaws. 

And, of course, this is regulatory compliance, so there may be exceptions! For instance, you are not required to deliver an annual privacy notice if you: 

·     Provide nonpublic personal information to non-affiliated third parties only under the exceptions in these regulations:[ii] 

o   Exception to opt-out requirements for service providers and joint marketing [12 CFR § 1016.13]; 

o   Exceptions to notice and opt-out requirements for processing and servicing transactions [12 CFR § 1016.14]; and 

o   Other exceptions to notice and opt-out requirements [12 CFR § 1016.15]. 

·     Have not changed your policies and practices with respect to disclosing nonpublic personal information from the policies and practices that were disclosed to the customer under certain sections of 12 CFR § 1016.6 (Information to be included in Privacy Notices), specifically sections 1016.6(a)(2) through (5) and (9)[iii], since your most recent initial privacy notice provided to customers. 

Now, if you change your policies or practices so that you no longer meet the requirements for the exception, you must comply with one of the following, as applicable: 

·     Changes that required a revised privacy notice. 

If you no longer meet the requirements for the exception, and the change required you to issue a revised privacy notice under section 1016.8 of Regulation P (Revised Privacy Notices), you must provide an annual privacy notice by treating the date of the revised privacy notice as the initial privacy notice date. 

·     Changes not preceded by a revised privacy notice. 

If you no longer meet the requirements for the exception, but you are not required to provide a revised privacy notice, you must provide an annual privacy notice within 100 days of the change in your policies or practices that causes you to no longer meet the requirements of the exception. 

I realize this seems confusing. So, here’s an example. Let’s say you change your policies and practices in such a way that you no longer meet the requirements for the exception effective April 1 of year 1. Assuming you define the 12-consecutive-month annual notice period as a calendar year, if you were required to provide a revised privacy notice under section 1016.8 and you provided that notice on March 1 of year 1, you must provide an annual privacy notice by December 31 of year 2. If you were not required to provide a revised privacy notice under section 1016.8, you must provide an annual privacy notice by July 9 of year 1. 

Your procedures should address the case where you change your policies and practices in such a way that you no longer meet the requirements for the exception and so must provide an annual notice to your customers. After providing the annual notice to your customers, you once again meet the requirements for the exception to the annual notice requirement. You do not need to provide additional annual notices to your customers until such time as you again no longer meet the requirements for the exception.

Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director
Lenders Compliance Group


[i] 12 CFR § 1016.5

[ii] See Title 12 - Banks and Banking, Chapter X, Bureau of Consumer Financial Protection, Part 1016, Privacy of Consumer Financial Information (Regulation P), Subpart C - Exceptions

[iii] See subsections (2) The categories of nonpublic personal information that you disclose; (3) the categories of affiliates and nonaffiliated third parties to whom you disclose nonpublic personal information, other than those parties to whom you disclose information under §§ 1016.14 and 1016.15; (4) the categories of nonpublic personal information about your former customers that you disclose and the categories of affiliates and nonaffiliated third parties to whom you disclose nonpublic personal information about your former customers, other than those parties to whom you disclose information under § 1016.14 and § 1016.15; (5) if you disclose nonpublic personal information to a nonaffiliated third party under § 1016.13 (and no other exception in § 1016.14 or § 1016.15 applies to that disclosure), a separate statement of the categories of information you disclose and the categories of third parties with whom you have contracted; (9) any disclosure that you make under § 1016.6(b) (regarding a description of nonaffiliated third parties subject to exceptions).

Thursday, January 27, 2022

Elder Financial Abuse: Disclosure, Schemes, and “Red Flags”

QUESTION 

Elder abuse is a big issue because we serve a demographic in Florida consisting of senior citizens and the elderly. Each year, we have incidences of elder abuse. We train our employees on how to identify and report elder financial abuse. But it seems that there’s no end to it. 

We are now updating our policies relating to elder abuse. We have three questions, and we hope you will provide some guidance. We have plenty of advice from our regulator. However, we would like information based on your firm’s experience. Here are our questions. 

· What are we permitted to disclose about an incident of elder financial abuse?

· What are some of the schemes you have encountered to commit elder abuse?

· What are some indicators of elder financial exploitation you often come across?

ANSWER

As you likely know, tellers, financial services representatives, and others who regularly interact with customers are in the best position to identify and report this type of problem. Consider them your front line! 

Abuse and exploitation of the elderly are statutorily defined at the state level. Federal guidelines have been issued not only by the federal prudential regulators but also the CFPB, FinCEN, FHA, VA, USDA, and the GSEs. Several states have certain requirements, such as mandatory reporting of suspected issues. You should consult your local bank or credit union association if you do not know your state’s laws. Be sure you are receiving ongoing guidance from compliance professionals. 

I have written extensively on elder financial exploitation. Here’s an article with downloads and links to some of my writing on this subject. 

I will take your questions one by one. 

What are we permitted to disclose about an incident of elder financial abuse? 

Various federal and state authorities either require or encourage reporting this type of information to the appropriate agency. However, many financial institutions were concerned that they might violate their privacy policy and the provisions of the Gramm-Leach-Bliley Act (GLBA) if they reported their suspicions, especially if their state law was mute on the subject. So in 2013, the federal banking agencies and the National Credit Union Administration (NCUA) issued guidance to clarify that reporting suspected financial abuse of older adults to appropriate local, state, or federal agencies does not, in general, violate the privacy provisions of the GLBA or its implementing regulations. 

In point of fact, specific privacy provisions of the GLBA and its implementing regulations permit the sharing of this type of information under appropriate circumstances without complying with notice and opt-out requirements. The guidance set forth exceptions to the GLBA’s notice and the opt-out requirement that, to the extent applicable, would permit the sharing of nonpublic personal information about consumers with local, state, or federal agencies for the purpose of reporting suspected financial abuse of older adults without the consumer’s authorization and without violating the GLBA. 

Those exceptions are: 

·    A financial institution may disclose nonpublic personal information to comply with federal, state, or local laws, rules, and other applicable legal requirements, such as state laws that require reporting by financial institutions of suspected abuse; 

·    A financial institution may disclose nonpublic personal information to respond to a properly authorized civil, criminal, or regulatory investigation, or subpoena or summons by federal, state, or local authorities, or to respond to judicial process or government regulatory authorities having jurisdiction for examination, compliance, or other purposes as authorized; and 

·    A financial institution may disclose nonpublic personal information to protect against or prevent actual or potential fraud, unauthorized transactions, claims, or other liability. For instance, this exception generally would allow a financial institution to disclose to appropriate authorities nonpublic personal information to report incidents that result in taking an older adult’s funds without actual consent or in reporting incidents of obtaining an older adult’s consent to sign over assets through misrepresentation of the intent of the transaction. 

To the extent specifically permitted or required under other provisions of law, a financial institution may also disclose nonpublic personal information to law enforcement and regulatory agencies or for an investigation on a matter related to public safety. 

What are some of the schemes you have encountered to commit elder abuse?

I could probably fill several spreadsheets with the number of schemes. We’ve come across many in our audits. It seems that the schemers continue to pop up with new ways to commit elder financial abuse. Here are a few schemes that we’ve found over the years.

Misappropriation of income or assets

Perpetrator obtains access to an elder’s social security checks, pension payments, checking or savings accounts, or credit or automated teller machine (ATM) card, or withholds portions of checks cashed for an elder.

Charging excessive rent or fees for service

Perpetrator charges an elder an excessive rent or unreasonable fees for basic care services, such as transportation, food, or medicine.

Obtaining money or property by undue influence, misrepresentation, or fraud

Perpetrator coerces an elder into signing over investments, real estate, or other assets through manipulation, intimidation, or threats.

Improper or fraudulent use of the power of attorney or fiduciary authority

Perpetrator improperly or fraudulently uses the power of attorney or fiduciary authority to alter an elder’s will, borrow money using an elder’s name, or dispose of an elder’s assets or income.

Friday, June 25, 2021

Phishing Scams

QUESTION
We had training on protecting our emails from being scammed. 

On the subject of phishing, some of us were disappointed because we learned what phishing is but not how to protect ourselves from it. 

We don’t feel there is an organized effort to do enough to stop phishing scams. There must be Best Practices, yet we can’t even get the trainer to give us a list of them. 

What are some Best Practices for preventing the phishing of our emails?

ANSWER
Phishing has been trending up for a long time, evincing greater sophistication and ingenuity. Such scams adversely affect business relationships, transactions, and customer relations, and they compromise interactions in the loan flow process. We are heavily dependent on emails to conduct business, yet phishing continues to invade email interactions with increasing frequency. 

So, how does a phishing scam work? 

Let’s illustrate using a simple order to change wiring instructions. You can extrapolate this illustration to many other business interactions. So, we’ll use it as a proxy for other areas that phishing scams can compromise. 

Although there are non-email ways of handling the change order, thousands of institutions use email, and email is ripe for attack. To change the wiring instructions, the bad actor first obtains access to the communications containing the instructions. 

The more individuals on an email thread, the greater the likelihood that one of them will be compromised unknowingly. And it only takes one person to open the gate to the scammer. In effect, the thread is only as strong as the weakest link! 

Once the bad actor has access to a target’s email, the attacker learns the details of the pending transaction and mimics the parties’ written communications. The attacker then takes over or “spoofs” certain email addresses and interposes itself in the email traffic, often starting with innocuous communications to build trust. 

Ultimately, the attacker is ready to announce a change in fund transfer details due to a bank “audit” or similar justification or no justification at all. If the attacker’s deception is undetected, the payment will transfer to the attacker’s account instead of the intended recipient. And unless the transfer is caught and reversed within 24 hours, it can be very complicated, if not impossible, to claw the funds back, resulting in a significant financial loss. 

Subsequently, there is often an investigation and a dispute regarding who bears the financial responsibility for the loss. In the meantime, the loss is all too real, fees pile up, the transaction is destabilized, and legal costs skyrocket. 

So, what are some practices to protect yourself from phishing scams? 

If you think that you can cover all possibilities to prevent phishing scams, be advised, that is not possible. The scammers tend to be one step ahead of even IT people. Indeed, whole U.S. government agencies have been hacked via phishing scams! Therefore, no single security tactic is going to thwart all attacks, given that the attackers have many targets to choose from among all of the parties involved in a transaction. 

There are a few steps you can take to reduce the likelihood of a successful attack. I’m not sure if we can call them Best Practices since dozens of proposed ways are constantly being found to prevent phishing attacks. That said, I think a viable list of Best Practices should contain some of the following safeguards. 

- Maintain strong payment authorization procedures by requiring a review of wire transfers, particularly those above a certain amount, to limit the chance of making a payment to a fraudulent account. I suggest multiple approval thresholds, obtaining verbal confirmations of wires, and educating affected personnel on the prevalence of these scams. The theme here is to be on “high alert” for any change in protocol. 

- Some companies insert the label “EXTERNAL” in all emails from external sources, thereby reminding employees to exercise caution. This label may help to identify a purported internal email coming from a spoofed email address. 

- Develop a checklist of “Red Flag” issues that require further due diligence, such as procedures for wiring to new recipients or previously unused destination accounts or any other change in the standard protocol. 

- Implement Multi-factor Authentication for emails, which can help prevent many, although not all, phishing attacks. Multi-factor Authentication is not foolproof, but it is strong protection. This authentication method requires the user to provide two or more verification factors to access a resource such as an application, an online account, or a VPN. Rather than just asking for a username and password, the user must provide one or more additional verification factors. 

- Periodically train and test employees to identify and report phishing attempts. Teach them to follow “email security hygiene,” such as checking email domains and not following links, opening documents, providing credentials, or sending payments without verifying the source. 

- You might want to get cyber insurance because it may include, among other things, coverage for misdirected funds transfers and loss of business due to a cyber event. 
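The wiring-instruction change described above is the case most of these safeguards are aimed at, so here is one way a payments desk could encode several of them in a single pre-release screen. This is an added example, not code from the original post or from Lenders Compliance Group; the institution domain, counterparty domain, thresholds, account numbers and the sample email are all constructed placeholders. It tags external mail, checks the sender domain for lookalikes of trusted domains, flags a Reply-To that differs from the visible sender, treats a beneficiary account not seen before as a red flag, and scales the number of approvers with the amount.

```python
"""Pre-release screen for a request to change wire instructions.

Added example with constructed data. It implements, as code, the controls
listed above: an "[EXTERNAL]" tag on mail from outside the institution,
a lookalike-domain check against trusted domains, a Reply-To mismatch check,
a "new beneficiary account" red flag, and amount-based approval thresholds.
Any change request still requires a verbal callback to a number on file.
"""
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr
from typing import Optional

# Assumed institution settings (placeholders, not from the original post).
INTERNAL_DOMAINS = {"example-lender.com"}
KNOWN_COUNTERPARTY_DOMAINS = {"titleco-example.com"}
# Amount at or above the first element requires the second element's approvers.
APPROVAL_THRESHOLDS = [(0, 1), (50_000, 2), (250_000, 3)]
# Beneficiary accounts ("routing:account") previously used per counterparty.
KNOWN_ACCOUNTS = {"titleco-example.com": {"111000025:000123456"}}

# Constructed sample: lookalike sender domain ("exarnple"), off-domain
# Reply-To, "bank audit" pretext, and a never-before-seen account.
SAMPLE_EMAIL = """\
From: Closing Desk <closer@titleco-exarnple.com>
Reply-To: closer@mail-relay-example.net
To: funding@example-lender.com
Subject: Updated wiring instructions - bank audit

Please send the closing funds to our new account 021000021:000987654.
"""


def sender_domain(addr: str) -> str:
    """Lower-cased domain part of a header address like 'Name <user@dom>'."""
    _, email_addr = parseaddr(addr)
    return email_addr.rpartition("@")[2].lower()


def lookalike(domain: str, trusted) -> Optional[str]:
    """Return a trusted domain this one closely resembles but does not equal."""
    for t in sorted(trusted):  # sorted for deterministic results
        if domain != t and SequenceMatcher(None, domain, t).ratio() >= 0.85:
            return t
    return None


def required_approvers(amount: float) -> int:
    """Number of approvers required for a wire of this amount."""
    needed = 1
    for threshold, approvers in APPROVAL_THRESHOLDS:
        if amount >= threshold:
            needed = approvers
    return needed


def screen_change_request(raw_email: str, amount: float, new_account: str) -> dict:
    """Evaluate an emailed change of wiring instructions before release."""
    msg = message_from_string(raw_email)
    from_dom = sender_domain(msg.get("From", ""))
    reply_dom = sender_domain(msg.get("Reply-To", msg.get("From", "")))
    flags = []

    subject = msg.get("Subject", "")
    if from_dom not in INTERNAL_DOMAINS:
        subject = "[EXTERNAL] " + subject  # the label some companies insert

    hit = lookalike(from_dom, KNOWN_COUNTERPARTY_DOMAINS | INTERNAL_DOMAINS)
    if hit:
        flags.append(f"sender domain {from_dom} resembles trusted domain {hit}")
    if reply_dom != from_dom:
        flags.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    # Compare against accounts previously used for the counterparty the
    # sender claims (or imitates) to be.
    counterparty = hit or from_dom
    if new_account not in KNOWN_ACCOUNTS.get(counterparty, set()):
        flags.append("beneficiary account not previously used for this counterparty")

    return {
        "subject": subject,
        "red_flags": flags,
        "approvers_required": required_approvers(amount),
        # Verbal confirmation to a number already on file, never one from the email.
        "callback_required": True,
        "hold": bool(flags),  # hold the wire until every red flag is cleared
    }


if __name__ == "__main__":
    result = screen_change_request(SAMPLE_EMAIL, 312_500, "021000021:000987654")
    for key, value in result.items():
        print(f"{key}: {value}")
```

The constructed request trips all three red flags and, at that amount, requires three approvers; the callback requirement is unconditional because a change in instructions is itself the trigger the list above calls "high alert".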

If you are snared in a phishing scam, it’s a good idea to consider the following actions: 

- Change account passwords for all employees on the impacted email chain and, if possible, everyone in the entire company; 

- Check relevant email accounts for any auto-forwarding rules, which attackers may create, given that they can remain running even after passwords are reset; 

- Contact counsel familiar with cyberattacks to determine appropriate steps to investigate and contain the incident, including, if needed, retaining a forensic consultant and, where possible, coordinating with other financial institutions to attempt to block the transfer of funds; 

- Contact law enforcement to assist in the recovery of the funds. While recovery can be challenging if funds have already been transferred, agencies such as the FBI do try to help; and, 

- If any accounts have been compromised, determine whether any other information was affected, such as personal information for which there could be a breach notification obligation.
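The auto-forwarding check in the list above is the one most often skipped, and the rules an attacker leaves behind survive a password reset. The following is an added example, not code from the original post or from Lenders Compliance Group, of the audit logic an incident responder would run over an export of mailbox rules. The export format and its field names are assumed for the example (adapt them to your mail platform's actual rule export), the institution domain is a placeholder, and the sample rules are constructed. It flags forwarding or redirection to an external address, deletion or hiding of payment-related mail, and rules with blank or punctuation-only names.

```python
"""Post-incident audit of mailbox rules for account-takeover patterns.

Added example with constructed data. Field names below are assumptions
made for this example, not any vendor's actual export schema.
"""
from typing import Dict, List

INTERNAL_DOMAINS = {"example-lender.com"}  # placeholder institution domain
# Terms that identify mail an attacker would want to intercept or suppress.
PAYMENT_TERMS = ("wire", "invoice", "payment", "closing", "routing")

# Constructed rule export: two mailboxes, four rules, three of them malicious.
SAMPLE_RULES = [
    {"mailbox": "funding@example-lender.com", "name": "..", "enabled": True,
     "forward_to": ["archive@mail-drop-example.net"], "redirect_to": [],
     "delete": False, "move_to_folder": None, "mark_read": False,
     "subject_contains": ["wire", "closing"]},
    {"mailbox": "funding@example-lender.com", "name": "Newsletters", "enabled": True,
     "forward_to": [], "redirect_to": [], "delete": False,
     "move_to_folder": "Newsletters", "mark_read": True,
     "subject_contains": ["newsletter"]},
    {"mailbox": "closer@example-lender.com", "name": "Cleanup", "enabled": True,
     "forward_to": [], "redirect_to": [], "delete": True,
     "move_to_folder": None, "mark_read": False,
     "subject_contains": ["invoice", "payment"]},
    {"mailbox": "closer@example-lender.com", "name": "Hide", "enabled": True,
     "forward_to": [], "redirect_to": [], "delete": False,
     "move_to_folder": "RSS Subscriptions", "mark_read": True,
     "subject_contains": ["wire instructions"]},
]


def is_external(address: str) -> bool:
    """True when the address's domain is not one of the institution's own."""
    return address.rpartition("@")[2].lower() not in INTERNAL_DOMAINS


def mentions_payment(rule: dict) -> bool:
    """True when the rule's subject conditions match payment-related terms."""
    text = " ".join(rule.get("subject_contains", [])).lower()
    return any(term in text for term in PAYMENT_TERMS)


def audit_rule(rule: dict) -> List[str]:
    """Return human-readable findings for one rule (empty list if benign)."""
    findings = []
    for dest in rule.get("forward_to", []) + rule.get("redirect_to", []):
        if is_external(dest):
            findings.append(f"forwards or redirects to external address {dest}")
    if rule.get("delete") and mentions_payment(rule):
        findings.append("deletes messages matching payment-related terms")
    if rule.get("move_to_folder") and rule.get("mark_read") and mentions_payment(rule):
        findings.append(
            f"hides payment-related mail in folder '{rule['move_to_folder']}' and marks it read"
        )
    if not rule.get("name", "").strip(" ._-"):
        findings.append("rule name is blank or punctuation only")
    return findings


def audit_rules(rules: List[dict]) -> Dict[str, List[dict]]:
    """Group flagged rules by mailbox; mailboxes with no findings are omitted."""
    report: Dict[str, List[dict]] = {}
    for rule in rules:
        findings = audit_rule(rule)
        if findings:
            report.setdefault(rule["mailbox"], []).append(
                {"name": rule.get("name", ""), "enabled": rule.get("enabled", False),
                 "findings": findings}
            )
    return report


if __name__ == "__main__":
    for mailbox, flagged in audit_rules(SAMPLE_RULES).items():
        print(mailbox)
        for entry in flagged:
            print(f"  rule '{entry['name']}' (enabled={entry['enabled']}):")
            for finding in entry["findings"]:
                print(f"    - {finding}")
```

Run it against every mailbox on the impacted thread, not only the one whose password was reset; a disabled rule is still reported, since it documents the attacker's access even when it is no longer acting.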

Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director

Lenders Compliance Group