Legislative Update

October – December 2005

Recent Developments

DSW Reaches Settlement with FTC

Shoe retailer DSW Inc. reached a consent agreement with the Federal Trade Commission (FTC) after the FTC charged that the retailer had neglected to properly safeguard its customers’ personally identifying and payment information. In March 2005, DSW reported that credit card and other purchase information stored on its computer networks had been stolen. A month later, the company announced that checking account and driver’s license numbers had also been stolen. In all, close to 1.5 million credit and debit cards were compromised, along with about 96,000 checking accounts and driver’s license numbers. A number of these accounts were subsequently subject to fraud, and some customers were forced to close their checking accounts and incur expenses to open new ones.

The FTC noted five ways in which DSW endangered its customers’ information. First, the company was found to have stored information for which it no longer had a business need. Next, despite having wireless access to its system, the company did not appropriately safeguard the wireless network from intruders. The company also stored information in unencrypted files that could be easily accessed using only a user ID and password. In addition, the company was found to have not adequately limited the ability of in-store networks to connect to computers on other in-store and corporate networks. Finally, the company did not have sufficient measures to detect unauthorized access to its networks.

As part of the consent agreement, DSW will establish and maintain a data security program to protect its customers’ personal information. The company will designate one or more employees to be responsible for the program, and the program must identify risks that threaten the confidentiality of consumer information. Further, the company must outline procedures to guard against the risks, and these procedures must be tested periodically to ensure their effectiveness. Finally, DSW must modify its data security program in response to this testing, or if it believes new circumstances might impair the effectiveness of the program.

DSW must also submit to a twice-annual assessment of its data security program by an independent third party, which must certify that the program is effective and satisfies the requirements of this consent agreement. These assessment reports must be retained by the company for three years following the review. In addition, the company must provide the results of each assessment to its board of directors, officers, managers, and any other person having supervisory responsibility. DSW is subject to the terms of this consent agreement for 20 years.

Summary of Federal Legislation – New Legislation

Financial Data Protection Act of 2005 (H.R. 3997)

Introduced by Rep. LaTourette (R-Ohio) on October 6, 2005.
Status: Referred to the House Subcommittee on Financial
Services and Consumer Credit.

This legislation would require consumer reporters to develop procedures that ensure the confidentiality of sensitive consumer financial information. The bill defines a consumer reporter as a consumer reporting agency, financial institution, or any person who receives compensation for assembling, evaluating, or furnishing consumer reports. Once a consumer reporter becomes aware of a breach of data security, it is required to determine the nature and scope of the breach, the specific financial information that was involved, and the potential harm the consumer may suffer as a result. If a consumer reporter believes that a consumer is likely to suffer great harm or inconvenience, the consumer reporter must notify its federal regulator, the U.S. Secret Service, the consumer’s financial institutions, each nationwide credit reporting agency, and any other crucial third party. In addition, the consumer reporter must also attempt to repair the breach and restore security.

If a consumer reporter receives or maintains financial data on behalf of a third party and believes that a breach of security has occurred, the consumer reporter is required to notify the third party, conduct a coordinated investigation with the third party, and notify the affected consumer. If a third party is unwilling to submit to these conditions, consumer reporters are not permitted to maintain financial data for, or submit financial data to, the third party.

Upon learning of a breach of data security, a consumer reporter’s notice to affected consumers must describe the nature and scope of the breach, including naming the specific information involved, and provide a phone number for consumers to call to receive more information. At the request of a law enforcement agency, consumer reporters may delay notifying consumers of a breach if doing so would disrupt a criminal or civil investigation.

Within 90 days of receiving notification of a breach of data security, a consumer may request that the consumer reporter provide, for at least six months, a credit monitoring service that monitors nationwide credit activity. This service is to be provided at no cost to the consumer.

The bill requires the Secretary of the Treasury, the Board of Governors of the Federal Reserve System, and the Federal Trade Commission to jointly issue rules to implement this law, and all federal banking regulators are required to enforce it.

Summary of Federal Regulations – Board of Governors of the Federal Reserve System

Remotely Created Checks (11/28)

The Board of Governors of the Federal Reserve System (the Board) issued a final rule to define remotely created checks and to transfer warranties for them to the bank that presents the check for payment. A remotely created check is created by someone other than the paying bank, and it does not bear a signature applied by the customer on whose account it is drawn. An example is when a customer authorizes a check over the phone with an entity other than the bank where his or her account is held.

When the payee bank (the bank that is to receive payment) presents a remotely created check to the paying bank (the bank at which the customer’s account is held), the payee bank warrants the check. This means that the payee bank accepts responsibility for the check’s legitimacy, attesting that the paying bank’s customer authorized the check for the amount payable. Should the paying bank file a breach of warranty, the payee bank can defend itself by offering evidence that the customer authorized the check.

This final rule will become effective on July 1. For more information, see 70 Federal Register, pp. 71218-26.

Truth in Lending (10/17)

The Board of Governors of the Federal Reserve System (the Board) issued an advanced notice of a proposed rule, requesting comments on ways to update Regulation Z, which implements the Truth in Lending Act (TILA). A similar proposed rulemaking was issued in December of 2004 (see Banking Legislation and Policy, October-December 2004) as part of the Board’s regular review of its regulations. Soon after, the Bankruptcy Abuse Prevention and Consumer Protection Act of 2005 (see Banking Legislation and Policy, April-June 2005) became law. It made several amendments to the TILA, causing the Board to seek additional comments on the law’s effects on Regulation Z.

Specifically, the Board sought comments on the following: 1) introductory rate disclosures; 2) Internet-based credit card solicitations; 3) disclosures related to payment deadlines and late payment penalties; 4) disclosures for mortgage loans that may exceed the dwelling’s fair-market value; and 5) a prohibition on terminating accounts for failure to incur finance charges. In addition, the Board sought comment on minimum payment disclosures, including whether some accounts should be exempt from them and whether they must explain the method that was used to calculate the minimum payment.

Comments on this proposed rule were due December 16. For more information, see 70 Federal Register, pp. 60235- 44.

Office of the Comptroller of the Currency

Medical Information Sharing (11/22)

The Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Office of Thrift Supervision, and the National Credit Union Administration (together, the Agencies) issued a final rule to implement sections of the Fair and Accurate Credit Transactions Act (see Banking Legislation and Policy, October-December 2003) that govern the use of medical information sharing. The rule defines medical information as any information that relates to the past, current, or future health of a consumer, including any health care that was provided to the consumer or any payments the consumer made for the provision of health care. In general, the rule forbids creditors from using medical information in any decision about a consumer’s eligibility for credit. The rule does not prohibit using medical information in decisions about a person’s qualification for employment, insurance (except credit insurance products), or other noncredit products or services.

A creditor is not in violation of this rule if it receives unsolicited medical information, as long as the information is not used in any determination about a consumer’s eligibility for credit. However, this does not prohibit creditors from using the information in credit decisions if the information is the type that is routinely used in credit decisions (such as information about debts, expenses, benefits, or income) and if the information is used in the same manner and to the same extent as nonmedical information. And, as always, creditors may not take a consumer’s physical, mental, or behavioral health into consideration when making decisions about eligibility for credit.

Creditors may use medical information in decisions about credit in the following circumstances: 1) to determine whether a person has the legal capacity to make decisions or whether power of attorney is necessary; 2) to comply with applicable laws and regulations; 3) to determine, at the request of the consumer, if he or she qualifies for special credit programs; 4) to identify and prevent fraud; 5) to determine whether a person is eligible for credit for medical products or services; 6) if the consumer or his or her attorney requests the information to be used; and 7) to determine if the consumer’s medical condition triggers provisions of a forbearance program, debt cancellation contract, debt suspension agreement, or a credit insurance product.

If a depository institution receives medical information about a consumer from one of its affiliates or a consumer reporting agency, the institution is prohibited from disclosing the information to any other party, except when it’s necessary in order to achieve the purpose for which the information was originally disclosed.

This final rule becomes effective on April 1. For more information, see 70 Federal Register, pp. 70664-96.

Community Reinvestment Act (11/10)

The Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, and the Federal Deposit Insurance Corporation (together, the Agencies) issued a notice of a proposed rule that revises Community Reinvestment Act (CRA) regulations. Among the changes is a proposal to extend the length of time an area will be considered a designated disaster area. For one year after an area’s disaster status expires by law, the Agencies will continue to reward CRA “community development” credit to lenders who help to stabilize or revitalize the area.

Comments on this proposed rule were due January 9. For more information, see 70 Federal Register, pp. 68450-6.

Risk-Based Capital (10/6)

The Office of the Comptroller of the Currency, the Federal Reserve System, the Federal Deposit Insurance Corporation, and the Office of Thrift Supervision (together, the Agencies) issued a proposed rule to revise the existing risk based capital framework to enhance risk sensitivity. These revisions would apply to Basel I-based capital regulations, which deal mostly with credit risk, rather than the Basel II framework, which, among other things, takes into account operational risk.

The Agencies propose making several changes to the existing Basel I framework. Currently, there are five riskweight categories: 0, 20, 50, 100, and 200 percent. The Agencies propose increasing the number of categories to nine, adding 35, 75, 150, and 350 percent. Risk weights are multiplied by an institution’s assets to determine its riskweighted assets. A percentage of a bank’s risk-weighted assets must be held as a minimum level of capital.

Next, the Agencies are considering using credit ratings by nationally recognized statistical rating organizations (NRSROs) to help determine the risk-based capital charge for NRSRO-rated exposures. If an exposure has multiple, differing NRSRO ratings, the exposure will be assigned the risk weight that corresponds with the lowest NRSRO rating. The Agencies propose assigning a 20 percent risk weight to exposures rated AAA/AA; 35 percent to A; 50 percent to BBB+; 75 percent to BBB; 100 percent to BBB-; 200 percent to BB+, BB, and BB-; and 350 percent to exposures rated B or lower. The Agencies plan to retain the 0 percent risk weight for U.S. government and agency exposures and the 20 percent risk weight for U.S. government-sponsored entities. The Agencies reserve the right to override the use of ratings on certain exposures, either on a case-by-case basis or through additional regulation.

The Agenices also plan to expand the list of collateral that would qualify an exposure for a lower risk weight. Currently, the only forms of collateral that are accepted are cash on deposit at the organization; securities issued or guaranteed by U.S. government agencies, governmentsponsored enterprises, or central governments of countries that are members of the Organization for Economic Cooperation and Development; and securities issued by multilateral lending institutions or regional development banks. The expanded list would include short- or longterm debt securities (like mortgage-backed securities) that are rated at least investment grade by an NRSRO. The security would then be assigned a risk weight corresponding to the NRSRO rating, using the same conversions that are outlined above. To take advantage of the expanded list of collateral, institutions would be required to have collateral management systems capable of tracking collateral and readily determining its value.

Currently, one- to four-family, first-lien mortgages receive a 50 percent risk weight. However, the Agencies are considering several alternatives that would allow the weights to be adjusted according to the level of risk. One alternative involves using the loan-to-value ratio (LTV) to assign a risk weight. The LTV would be determined by a private mortgage insurance issuer with an NRSRO rating of A or higher. An LTV ratio of 91 to 100 would be assigned a 100 percent risk weight; 81 to 90, a 50 percent risk weight; 61 to 80, a 35 percent risk weight; and 60 or below, a 20 percent risk weight. The Agencies are also considering another option that, in addition to the LTV, would take into consideration a person’s credit score. Furthermore, the Agencies are considering assigning higher risk weights to interest-only loans.

For multifamily residential mortgages, the current rules require a 100 percent risk weighting, but some mortgages can qualify for a 50 percent risk weighting. The Agencies are considering lowering the risk weight for all multifamily residential mortgages to below 100 percent. Under current rules, delinquent loans also receive a risk weight of 100 percent. However, the Agencies propose assigning a higher risk weight to loans that are 90 days or more past due and those in nonaccrual status. The risk weight may be reduced by any reserves specifically allocated to cover potential losses on the exposure.

The Agencies are also considering changing the risk weights assigned to commercial real estate exposures and small business loans. Specifically, acquisition, development, and construction (ADC) commercial real estate loans may be assigned risk weights that are higher than the current 100 percent level. However, ADC loans could still be assigned a 100 percent risk weight if the exposure meets the Interagency Real Estate Lending Standards regulations and if the project is supported by a substantial amount of borrower equity for the duration of the facility.

Small business loans are also currently assigned a 100 percent risk weight, but the Agencies are considering lowering the risk weight to 75 percent for consolidated loans under $1 million made to a single borrower. The loans would also be subject to several other underwriting, performance, and collateralization requirements in order to qualify.

Finally, the Agencies are also considering applying a risk-based capital charge to securitizations of retail credit exposures with early amortization clauses, which require debt to be paid off more quickly if certain negative events occur. This could be done either by assessing a flat conversion factor (such as 10 percent) or by applying an early amortization capital charge based on key indicators of risk (such as excess spread levels, which are finance charge collections minus certificate interest, fees, and charge-offs) to determine the appropriate risk weights.

Comments on this proposed rule were due January 18. For more information, see 70 Federal Register, pp. 61068-78.

Federal Deposit Insurance Corporation

Interstate Banking (10/14)

The Federal Deposit Insurance Corporation (FDIC) issued a proposed rule to preempt certain state laws for FDIC-insured interstate banking organizations and their affiliates. The rule permits interstate banking organizations to follow their home states’ laws even when conducting business in other states. The rule allows a bank’s out-ofstate branches to conduct any activity that is permissible in that state or in the bank’s home state. Furthermore, when determining interest on loans, an interstate banking organization can adhere to interest rate laws of the state where the loan’s approval, disbursal, and extension of credit occurred.

When these activities occur in multiple branches in different states, the institution should adhere to the interest rate laws of the home state. As an alternative, when these activities occur in different states, the institution can choose to adhere to the interest rate laws of one of the other states, besides the home state, in which the functions occur, as long as the loan has a clear tie to that state.

Comments on this proposed rule were due December 13. For more information, see 70 Federal Register, pp. 60019- 31.

Summary of Judicial Developments

Bad-Debt Buyers May Charge the Same Rate of Interest as the Original Creditors

On December 9, the U.S. Court of Appeals for the Seventh Circuit determined that a loan assignee, or a buyer of delinquent loans, can charge the same rate charged by the original creditor, even if the assignee is not licensed to do so by the state in which it operates (Olvera v. Blitt, No. 04-3734). The case involves two borrowers, Enrique Olvera and Jeffrey Dawson, whose delinquent accounts were bought from the original creditor by bad-debt buyers. The original creditors charged Dawson 22.99 percent interest and charged Olvera at least 20.95 percent interest. Upon buying the loans from the original creditors, the assignees charged Dawson 19.7 percent interest and Olvera 18.2 percent interest, both of which were reduced rates in comparison with the original creditors’ rates. However, Olvera and Dawson claimed that these rates, although lower, violated the Fair Debt Collection Practices Act (FDCPA).

The FDCPA forbids debt collectors from collecting “any amount (including any interest, fee, charge, or expense incidental to the principal organization) unless such amount is expressly authorized by the agreement creating the debt or permitted by state law.” The plaintiffs argued that the assignees’ rates were not permitted by state law, as the Illinois Interest Act prohibits nonlicensed creditors, except for banks, from charging interest higher than 9 percent.

The court ruled that while the plaintiffs made a technically good claim, based on semantics, their interpretation would make the credit market operate less efficiently, pushing debt collectors out of business and requiring credit card companies to collect their own bad debt, incurring higher costs in the process and passing them on to consumers. The court said that it is unreasonable for consumers to expect that if they default on a loan, their rates will fall. For these reasons, the court affirmed the district court’s dismissal of the case.