Our industry is driven by an enormous amount of  laws and regulations of the federal government.  We are highlighting some of these such as the Fact Act which concerns  medical information, and Wire Transfers which concerns the use of sound controls.  And, of course, a lot of attention is placed on authentication over Internet Banking and other forms of electronic banking, which leads us to our last topic of discussion about  It Issues.

FACT ACT — Medical Information:

Just when we thought there was enough regulation to overwhelm even a seasoned compliance professional, we have more to digest and follow.  On November 17, 2005, the Final Rules to implement section 411 of the FACT Act were published. The Final Rules are effective April 1, 2006 and are incorporated into Regulation V.

Section 411 of the FACT Act generally limits the ability of creditors to obtain or use medical information in connection with credit eligibility determinations, the ability of consumer reporting agencies to disclose medical information, and restricts the sharing of medical information and other “medically related information” with affiliates.  Though your first thought may be, “We do not obtain or use medical information, so this is a non-issue,” think twice.  Medical information is all around you: information may be contained in a consumer report; the loan purpose may be medically related; the customer may offer unsolicited information about an upcoming medical procedure; a customer’s checks may reveal medical information (e.g., based on payee), etc.

Before we get into the specific requirements under Regulation V, we need to look at the revised definition of medical information under the FCRA/FACT Act.  “Medical Information” means information or data, whether oral or recorded, in any form or medium, created by or derived from a health care provider or the consumer, that relates to the past, present or future physical, mental or behavioral health or condition of an individual, the provision of health care to an individual, or the payment for the provision of health care to an individual.  The term does not include the age or gender of a consumer, demographic information about the consumer (including residence or e-mail address) or any other information about a consumer that does not relate to the physical, mental or behavioral health or condition of a consumer, including the existence or value of any insurance policy.

Simply put, “Medical Information” is comparable to a prohibited basis (e.g., sex, race, color) under Regulation B. Under the Regulation, a bank may obtain and use medical information pertaining to a consumer in connection with any determination of the consumer’s eligibility or continued eligibility for credit so long as:

• The type of information is routinely used in making credit eligibility determinations (i.e., information relating to debts, expenses, income, benefits, assets, collateral or the purpose of the loan), including the use of proceeds;
• The bank uses the medical information in a manner and to an extent that is no less favorable than it would use comparable information that is not medical information;
• The bank does not take the consumer’s physical, mental, or behavioral health, condition or history, type of treatment, or prognosis into account as part of any determination.

Medical information is not 100% off limits. The Regulation includes general and specific examples in which a bank may use medical information in making its credit decision. The general examples include:

• Medical debts—the dollar amount, repayment terms, repayment history and similar information about medical debts may be considered to calculate, measure or verify the repayment ability of the consumer, the use of proceeds or the terms for granting credit;
• The value, condition, and lien status of a medical device that may serve as collateral for the loan;
• The dollar amount and continued eligibility for disability income, workers’ compensation income or other benefits related to health or a medical condition that is used as a source of repayment for the loan;
• The identity of creditors to whom outstanding medical debts are owed in connection with an application for credit, including but not limited to a transaction involving the consolidation of medical debts.

The Regulation includes three specific examples in which medical information is obtained yet are not considered violations. One of the three examples is listed below:

• A consumer includes on an application for credit information about two $20,000 debts. One debt is to a hospital and the other is to a retailer. The bank contacts the hospital and retailer to verify the amount and payment status of the debts. The bank learns that both are more than 90 days past due. Any two debts of this size that are more than 90 days past due would disqualify the consumer under the Bank’s underwriting criteria. The bank denies the application due to poor repayment history on outstanding debts.

Under the scenario described above, the bank did not use the medical information in a manner and to the extent that is less favorable than it would to a comparable nonmedical transaction. Therefore, a violation did not take place.

Conversely, the Regulation also contains three examples in which the use of medical information did result in a violation. One of the three examples is listed below:

• A consumer meets with a loan officer of a bank to apply for a mortgage loan. During the loan application process, the consumer orally informs the loan officer that she has a potentially terminal disease. The consumer meets the bank’s established requirements for the requested mortgage loan. The loan officer recommends to the loan committee that the application be denied because the applicant has a potentially terminal disease.

In this case, the bank used medical information in a manner inconsistent with the allowable exceptions by taking into consideration the consumer’s physical, mental, or behavioral health, condition or history, type of treatment or prognosis as part of a determination of eligibility or continued eligibility for credit.  The Regulation contains limits on redisclosure of medical information. If a bank receives medical information about a consumer from a consumer reporting agency or its affiliate, that information may not be disclosed to any other person, except as necessary to carry out the purpose for which the information was initially disclosed, or as otherwise permitted by statute, regulation or order.

Finally, the Regulation addresses six exceptions which allow for the sharing of medical information with affiliates:

• In connection with the business of insurance or annuities;
• For any purpose permitted without authorization under HIPAA;
• For any purpose referred to in Section 1179 of HIPAA (Processing Payment Transactions by Financial Institutions);
• For any purpose described in Section 502(e) of GLBA (general exceptions to the disclosure of nonpublic personal information);
• In connection with the allowable exceptions contained within the Regulation (described above);
• As otherwise permitted by the Bank’s functional regulator.

While trying not to oversimplify the regulatory requirements under Regulation V—if a bank approaches medical information as “Regulation B” meets “GLBA” (e.g., Privacy), the chance for violations should be minimized.

Wire Transfers – The Importance of Sound Controls:

Over the past year and one half, the “Internal Control” articles in this newsletter have been rather broad in topic (e.g., Segregation of Duties, Dual Control).

As we have addressed having a sound internal control structure, backed by sound corporate governance strategies and ethics policies, it is time to “peel back the onion” so to speak to look at specific examples as to why internal controls are so important.

In this quarter’s issue, we will address customer outgoing wire transfers.  Wire transfers are a popular way for customers (and the bank) to send money.  However, the bank has the potential to suffer significant losses from unauthorized wires, not to mention damage to the bank’s reputation if operational risk factors (the risk of direct or indirect loss resulting from inadequate or failed internal processes, people and/or systems, or from external events) are not properly addressed and mitigated.  Core controls over the wire transfer process include: establishing approval and authorization requirements for wire transfers to ensure that an appropriate level of management is aware of the wire transfer, hence establishing accountability, and establishing callback procedures, passwords, funds transfer agreements and other authentication controls over wire transfer requests.

Outgoing wire transfer requests may be initiated in many ways (e.g., in person, by fax via e-mail, via the Bank’s Internet Banking Product) and there are unique risks and controls to consider with each.

• In Person—Even if the individual initiating the wire is in the Bank, a written wire transfer request/ agreement should be executed and the individual’s signature should be verified against his/her signature on file (on the signature card).
• Fax—As it is difficult, if not impossible, to determine whether a faxed request is original or has been altered, stringent additional controls should be implemented if the bank accepts faxed wire transfer requests. For example, written funds transfer agreements should be executed, and clearly describe the limitations and liability for accepting faxed requests, and callback verifications should be performed.
• E-mail—Before accepting wire transfer requests via e-mail, the bank should ensure that procedures exist to prevent the receipt of unauthorized messages and prevent the interception and possible manipulation of authorized messages. At a minimum, a) incoming messages must only be accessible by authorized employees, b) a return message, confirming the receipt of the request, should be sent to the customer. This message should be sent to the customer’s e-mail address on file, even if the wire was initiated from another e-mail address, and c) ensure that the wire is not executed if any information is missing (i.e., customer should be immediately notified by telephone).
• Internet Banking—Before you jump right in and allow your customers to initiate wires via the Bank’s Internet Banking product, the following should be considered/implemented: Ensure that the bank has a strong CIP program under the BSA and that it has reasonable assurance as to the identity of its customers; ensure that the initial sign-in process is strong and does not allow for generic/simple passwords, ensure that an account monitoring process is in place to detect suspicious activity; perform callbacks on all wires over a certain amount (established by management) prior to transmission; and provide written confirmations (letter/e-mail) to the respective customers.

This article is not meant to provide a complete list of risks and recommended controls for outgoing wires, but rather to emphasize the risks associated with wires and the need for strong internal controls in processing them.

IT Issues — System Access and Authentication:

There has been a lot of attention placed on authentication over Internet Banking and other forms of electronic banking. However, sufficient authentication processes are critical in other areas of the bank as they pertain to safeguarding customer information (e.g., identifying internal/ external threats and key controls in place to mitigate the identified threats). One of the key controls in safeguarding customer information is restricting staff access, based on need and position, to various systems and/ or system capabilities.

Though most banks address the level of access to the bank’s network and core system, internal threats are not completely identified if the bank does not broaden its understanding of the guidance on safeguarding customer information and authentication to include all systems and applications that may contain nonpublic customer information. Therefore, banks should begin by identifying which systems and applications it has in place and where and what type of customer nonpublic information is housed and processed.

Frequently, such systems/applications are not identified as the particular system/application is not “governed” under the bank’s IS or IT department, but rather under a “user” department. A perfect example is Laser Pro and other similar packages. These application systems have very specific use and usually contain customer non-public information that requires protection. However, even when they are used at full strength they typically do not emulate today’s best practices.  The authentication process provided within the system is not as strong as the network and/or core processing applications and the users are not usually aware of the need for similar levels of protection.

So what should you do to ensure the authentication measures over these systems/application is sufficient?  First, when user access is granted (and maintained), the authorization should clearly include and delineate what systems (operating, core processing applications or peripheral processing applications) a person will have. A common technique for authorization is using role based authorizations, (e.g. tellers, CSR, loan operations, etc. would get specific and predefined access, approved by Management, based on their job). If role based is not used, then individual accesses should be clearly defined, documented and approved in accordance with bank policy.

Management should be aware of the need to protect nonpublic customer information, regardless of where it is housed/processed and should document (e.g., as part of the Bank’s Information Security Program) what nonpublic customer information is in the bank’s “possession”, and where it is stored and processed. Finally, a documented annual review of the access levels/authorizations to the bank’s various systems/applications should be performed in order to help identify any possible accesses that may have been improperly assigned or implemented.