View
7
Download
0
Category
Preview:
Citation preview
BANKING LAW1 of 88
ICLEPROGRAM MATERIALS | March 1, 2019
BANKING LAW
Friday, March 1, 2019 ICLE: State Bar Series
BANKING LAW
6 CLE Hours including 1 Ethics Hour | 1 Trial Practice Hour
Sponsored By: Institute of Continuing Legal Education
BANKING LAW3 of 88
Printed By:
Copyright © 2019 by the Institute of Continuing Legal Education of the State Bar of Georgia. All rights reserved. Printed in the United States of America. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form by any means, electronic, mechanical photocopying, recording, or otherwise, without the prior written permission of ICLE.
The Institute of Continuing Legal Education’s publications are intended to provide current and accurate information on designated subject matter. They are off ered as an aid to practicing attorneys to help them maintain professional competence with the understanding that the publisher is not rendering legal, accounting, or other professional advice. Attorneys should not rely solely on ICLE publications. Attorneys should research original and current sources of authority and take any other measures that are necessary and appropriate to ensure that they are in compliance with the pertinent rules of professional conduct for their jurisdiction.
ICLE gratefully acknowledges the eff orts of the faculty in the preparation of this publication and the presentation of information on their designated subjects at the seminar. The opinions expressed by the faculty in their papers and presentations are their own and do not necessarily refl ect the opinions of the Institute of Continuing Legal Education, its offi cers, or employees. The faculty is not engaged in rendering legal or other professional advice and this publication is not a substitute for the advice of an attorney. This publication was created to serve the continuing legal education needs of practicing attorneys.
ICLE does not encourage non-attorneys to use or purchase this publication in lieu of hiring a competent attorney or other professional. If you require legal or other expert advice, you should seek the services of a competent attorney or other professional.
Although the publisher and faculty have made every eff ort to ensure that the information in this book was correct at press time, the publisher and faculty do not assume and hereby disclaim any liability to any party for any loss, damage, or disruption caused by errors or omissions, whether such errors or omissions result from negligence, accident, or any other cause.
The Institute of Continuing Legal Education of the State Bar of Georgia is dedicated to promoting a well organized, properly planned, and adequately supported program of continuing legal education by which members of the legal profession are aff orded a means of enhancing their skills and keeping abreast of developments in the law, and engaging in the study and research of the law, so as to fulfi ll their responsibilities to the legal profession, the courts and the public.
BANKING LAW4 of 88
Who are we?
SOLACE is a program of the State
Bar of Georgia designed to assist
those in the legal community who
have experienced some significant,
potentially life-changing event in their
lives. SOLACE is voluntary, simple and
straightforward. SOLACE does not
solicit monetary contributions but
accepts assistance or donations in kind.
Contact SOLACE@gabar.org for help.
HOW CAN WE HELP YOU?
How does SOLACE work?
If you or someone in the legal
community is in need of help, simply
email SOLACE@gabar.org. Those emails
are then reviewed by the SOLACE
Committee. If the need fits within the
parameters of the program, an email
with the pertinent information is sent
to members of the State Bar.
What needs are addressed?
Needs addressed by the SOLACE
program can range from unique medical
conditions requiring specialized referrals
to a fire loss requiring help with clothing,
food or housing. Some other examples
of assistance include gift cards, food,
meals, a rare blood type donation,
assistance with transportation in a
medical crisis or building a wheelchair
ramp at a residence.
A solo practitioner’s
quadriplegic wife needed
rehabilitation, and members
of the Bar helped navigate
discussions with their
insurance company to obtain
the rehabilitation she required.
A Louisiana lawyer was in need
of a CPAP machine, but didn’t
have insurance or the means
to purchase one. Multiple
members offered to help.
A Bar member was dealing
with a serious illness and in
the midst of brain surgery,
her mortgage company
scheduled a foreclosure on
her home. Several members
of the Bar were able to
negotiate with the mortgage
company and avoided the
pending foreclosure.
Working with the South
Carolina Bar, a former
paralegal’s son was flown
from Cyprus to Atlanta
(and then to South Carolina)
for cancer treatment.
Members of the Georgia and
South Carolina bars worked
together to get Gabriel and
his family home from their
long-term mission work.
TESTIMONIALSIn each of the Georgia SOLACE requests made to date, Bar members have graciously
stepped up and used their resources to help find solutions for those in need.
The purpose of the SOLACE program is to allow the legal community to provide help in meaningful and compassionate ways to judges, lawyers,
court personnel, paralegals, legal secretaries and their families who experience loss of life or other catastrophic illness, sickness or injury.
Contact SOLACE@gabar.org for help.
BANKING LAW6 of 88
iiiFOREWORD
Dear ICLE Seminar Attendee,
Thank you for attending this seminar. We are grateful to the Chairperson(s) for organizing this program. Also, we would like to thank the volunteer speakers. Without the untiring dedication and eff orts of the Chairperson(s) and speakers, this seminar would not have been possible. Their names are listed on the AGENDA page(s) of this book, and their contributions to the success of this seminar are immeasurable.
We would be remiss if we did not extend a special thanks to each of you who are attending this seminar and for whom the program was planned. All of us at ICLE hope your attendance will be benefi cial as well as enjoyable We think that these program materials will provide a great initial resource and reference for you.
If you discover any substantial errors within this volume, please do not hesitate to inform us. Should you have a diff erent legal interpretation/opinion from the speaker’s, the appropriate way to address this is by contacting him/her directly.
Your comments and suggestions are always welcome.
Sincerely, Your ICLE Staff
Jeff rey R. DavisExecutive Director, State Bar of Georgia
Tangela S. KingDirector, ICLE
Rebecca A. HallAssociate Director, ICLE
BANKING LAW7 of 88
AGENDA
PRESIDING: Gerald L. Blanchard, Program Chair; Retired Partner, Bryan Cave Leighton Paisner LLP, Atlanta
7:45 REGISTRATION AND CONTINENTAL BREAKFAST (All attendees must check in upon arrival. A removable jacket or sweater is recommended.)
8:25 WELCOME AND PROGRAM OVERVIEW Gerald L. Blanchard
8:30 PRIVACY DISCLOSURE AND DATA SHARING D. Barry Hester, Counsel, Bryan Cave Leighton Paisner LLP Atlanta Ronald P. “Ron” Whitworth, Chief Privacy Officer, SunTrust, Atlanta Scott B. Nardi, SVP, Chief Compliance Officer, Republic Bank, Jacksonville FL
9:45 FCRA CONSUMER PRIVACY DISPUTES Cindy D. Hanson, Partner, Troutman Sanders LLP, Atlanta
10:45 BREAK
11:00 CYBERSECURITY AND DATA BREACH LITIGATION Donald M. Houser, Partner, Alston & Bird LLP, Atlanta
12:00 LUNCH (included in registration fee.)
12:30 FINTECH DEVELOPMENTS James W. Stevens, II, Partner, Troutman Sanders LLP, Atlanta Michael J. Shumaker, First Vice President and Assistant General Counsel, SunTrust Bank, Atlanta
1:45 FARM BILL AUTHORIZATION FOR HEMP FARMING— IMPLICATIONS FOR FINANCIAL INSTITUTIONS William V. Custer, IV, Partner, Bryan Cave Leighton Paisner LLP, Atlanta Jennifer B. “Jen” Dempsey, Partner, Bryan Cave Leighton Paisner LLP, Atlanta Brandon W. Neuschafer, Partner, Bryan Cave Leighton Paisner LLP, Saint Louis, MO D. Barry Hester
2:15 BREAK
2:30 PROFESSIONALISM AND THE NEGOTIATION OF THE DEAL Chris Frieden, Partner, Alston & Bird LLP, Atlanta Jonathan S. Hightower, Partner, Bryan Cave Leighton Paisner LLP, Atlanta
3:30 ADJOURN
BANKING LAW8 of 88
TABLE OF CONTENTS
Foreword ................................................................................................................................................... 6
Agenda ....................................................................................................................................................... 7
BANKING LAW ..................................................................................................................................9- 88
Appendix: ICLE Board ................................................................................................................................................. 1Georgia Mandatory CLE Fact Sheet ................................................................................................ 2
Page
8:30 PRIVACY DISCLOSURE AND DATA SHARING D. Barry Hester, Counsel, Bryan Cave Leighton Paisner LLP Atlanta Ronald P. “Ron” Whitworth, Chief Privacy Officer, SunTrust, Atlanta Scott B. Nardi, SVP, Chief Compliance Officer, Republic Bank, Jacksonville FL
BANKING LAW10 of 88
Privacy Disclosure and Data Sharing
Ron Whitworth, Chief Privacy Officer, SunTrust Bank, Atlanta, GA
Scott Nardi, Chief Compliance Officer, Republic Bank & Trust Company, Louisville, KY
Barry Hester, Counsel, Bryan Cave Leighton Paisner LLP, Atlanta, GA
BANKING LAWSTATE BAR OF GEORGIA
INSTITUTE OF CONTINUING LEGAL EDUCATIONMARCH 1, 2019
• Introductions• Privacy Fundamentals• Selected US Rules and Regulations
– Third-Party Access Laws– GLBA/Regulation P; FCRA/Regulation V– Communications: TCPA and CAN-SPAM– Web privacy: CCPA and COPPA– State Data Security and Breach Laws
• Global Privacy Regulation– GDPR– PSD2
• Data Sharing Arrangements– Vendor Management– CFPB Principles– Aggregators– Open Banking/APIs
• Compliance Considerations
Overview
2
BANKING LAW11 of 88
• Ron Whitworth, Chief Privacy Officer, SunTrust
• Scott Nardi, Chief Compliance Officer, Republic Bank
• Barry Hester, Bryan Cave Leighton Paisner LLP
Introductions
3
• Is privacy a fundamental right in banking? • What constitutional rights or protections do bank
customers have in transaction or other banking data?
• What kind of data are we talking about?• Who owns this data?
• Who needs or wants this data?
Privacy Fundamentals
4
BANKING LAW12 of 88
• Common law roots in trespass and assault• The “modern era” of privacy rights
[T]he protection afforded to thoughts, sentiments, and emotions, expressed through the medium of writing or of the arts, so far as it consists in preventing publication, is merely an instance of the enforcement of the more general right of the individual to be let alone.- Samuel D. Warren & Louis D. Brandeis, The Right of Privacy, 4 Harv. L. Rev. 193, 196 (1890)
• The tort of invasion of privacy (Pavesich v. New England Life Insurance Co., 50 S.E. 68 (Ga. 1905))
• Olmstead v. US, 277 U.S. 438 (1928) (Fourth and Fifth Amendments and wiretapping)
• The FTC and the Fair Credit Reporting Act (1970) (UDAP)
Privacy Fundamentals
5
• Government Access– Right to Financial Privacy Act (RFPA)– Bank Secrecy Act (BSA)
• Affiliate Access– Fair Credit Reporting Act (FCRA)/Regulation V
– Gramm-Leach-Bliley Act (GLBA)/Regulation P
• Third-Party Access Generally– GLBA/Regulation P
• Consumer (Credit) Reports– FCRA and similar state laws
• Communications Laws– Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM)
– Telephone Consumer Protection Act (TCPA)
– Web privacy: California Consumer Privacy Act (CCPA), California Online Privacy Protection Act (CalOPPA), and the Children’s Online Privacy Protection Act (COPPA)
– Call recording laws
• Data Security– Safeguards Rule (16 CFR Part 314)
– State data security and breach notification laws
Key Banking Privacy Laws
6
BANKING LAW13 of 88
• GLBA/Regulation P privacy notices– Applies to “financial institutions” and differently to their
“consumer” and “customer” relationships– Provides for notice and opt-out– Exceptions
• State parallels (e.g., CA, VT)• FCRA/Regulation V
– Access to and contents of “consumer reports”– Sharing with affiliates for marketing purposes
• Electronic Fund Transfer Act (EFTA) and Regulation E• Web privacy policy laws
Privacy Disclosures
7
• EU General Data Protection Regulation
• Became applicable in all EU member states on May 25, 2018
• Expanded individuals’ rights with respect to data– Use with “consent” = “freely given, specific, informed and
unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”
– Privacy by design
– Subject Access Requests– Right to be forgotten
– Right of data portability– Penalties and breach requirements
• Exceptions
GDPR Basics
8
BANKING LAW14 of 88
• California Consumer Privacy Act• January 1, 2020 effective date• July 2, 2020 regulation due date
• Features consent, disclosure, opt-out, rights of access, rights of deletion, and other rights that are similar to components of the GDPR
• Stricter regulation of data sharing practices• Relationship to the California Online Privacy Protection
Act (CalOPPA)
CCPA Basics
9
• Consumer = natural person resident of California• Applies to any for-profit business that
(1) collects consumers’ personal information, or on the behalf of which such information is collected
(2) alone, or jointly with others, determines the purposes and means of the processing
(3) that does business in the State of California, and (4) meets certain threshold requirements (annual gross revenue
exceeds $25m; annually buys/shares/sells/receives the PI of > 50,000 consumers, households, or devices; or derives > 50% of its annual revenues from selling PI), and any entity that controls or is controlled by such a business.
CCPA Basics – Applicability
10
BANKING LAW15 of 88
• Services that gather information from various third-party websites, present the information to consumers in a consolidated format, and may allow consumer to initiate transactions– Intuit (Mint), Quovo, Plaid, Envestnet/Yodlee,
Morningstar/ByAllAccounts, Fiserv/CashEdge, Finicity, MX
• Have traditionally relied on screen-scraping• Future is APIs and tokenization• Issues:
– Behavioral advertising– Data security and consent– Liability for breach and unauthorized transactions under state law
and Regulations E and Z
Data Sharing: Aggregation
11
• Revised Payment Service Directive (PSD2)
• Open Banking (UK)
• Application Programming Interfaces (APIs)
• In the US– CFPB Consumer Protection Principles for Consumer-Authorized
Financial Data Sharing and Aggregation
– Dodd-Frank Section 1033
– July 2018 Treasury Report on Financial Innovation
– APIs already run the modern web
• Comparisons with cloud computing adoption
Data Sharing: Open Banking/Open APIs
12
BANKING LAW16 of 88
• OCC 2013-29 and similar guidance• Information security program requirements
• Vulnerability testing
• PCI-DSS• NIST Privacy Framework
• Data breach notification• Record retention and destruction
Data Sharing: Vendor Management
13
• The Target, Facebook, and Fintech effects• CCPA is the new normal; federal policy debate
• Open Banking may present new opportunities as well as new risks
• Key compliance considerations– Web and mobile app privacy policies– GLBA/FCRA notices– Vendor management – Consumer control over and access to financial data– Risk assessment and data inventory
Closing Thoughts
14
BANKING LAW17 of 88
• Ron Whitworth– ron.whitworth@suntrust.com
• Scott Nardi– snardi@republicbank.com
• Barry Hester– barry.hester@bclplaw.com
Questions?
Thank you!
15
9:45 FCRA CONSUMER PRIVACY DISPUTES Cindy D. Hanson, Partner, Troutman Sanders LLP, Atlanta
BANKING LAW19 of 88
Furnisher Duties Under the FCRACindy D. HansonTroutman Sanders LLPMarch 1, 2019
This information is not intended to be legal advice and may not be used as legal advice. Legal advice must be tailored to the specific circumstances of each case.
Every effort has been made to assure this information is up-to-date. It is not intended to be a full and exhaustive explanation of the law in any area, nor should it be used to replace the advice of your own legal counsel.
Any opinions expressed are the opinions of the speaker and not her organization.
Disclaimer
BANKING LAW20 of 88
• FCRA and Regulation V• Furnisher Basics
• Dispute Handling • Bankruptcy Issues• Compliance Strategies• Lessons from Litigation and Enforcement Actions
Agenda
• Businesses that furnish information to consumer reporting agencies have never been at more legal risk or faced more difficult compliance burdens
• Fair Credit Reporting Act (FCRA), can impose significant penalties:– $100 to $1000 per violation, punitive damages if willful, and attorney’s fees
• CFPB, FTC, and states have all made investigation and enforcement a top priority
Introduction
BANKING LAW21 of 88
• FCRA litigation is not declining – 2018 showed a continued increase in FCRA litigation:
• December 2018 Webrecon stats:– FCRA is up over 4.3% year over year:
Introduction
• Exposure, including private litigation, can be significant• $60M verdict in class action trial against a CRA
• Appellate decision reducing $2.5 million jury verdict against mortgage servicer to “only” $600,000
• CFPB enforcement action against large, national bank for deficiencies in reporting consumer information and handling disputes, including $4.6 million penalty
Introduction
BANKING LAW22 of 88
• FCRA (15 U.S.C. § 1681a, et seq.) includes a section outlining duties of
“furnishers of information”
• Furnishers provide information to a CRA to include in a report – report
on direct experiences with consumers
• Regulation V, Subpart E (12 C.F.R. §§ 1022.40-43) – the “Furnisher Rule”
• Regulation V expands on and details the furnisher obligations created
in the FCRA, including handling of direct disputes
FCRA AND REGULATION V
• Furnisher shall not furnish information if known or have “reasonable cause” to believe it is inaccurate
• “Reasonable cause” means something more than just the consumer saying it is inaccurate “that would cause a reasonable person to have substantial doubts about the accuracy
• Regulations require written policies regarding accuracy and integrity, with guidelines on what those should entail
• Cannot continue to furnish information if the consumer notifies you of inaccuracy and the consumer is in fact correct
FCRA AND REGULATION V
BANKING LAW23 of 88
• Furnishers are obligated to update and correct information on an ongoing basis
• If “regularly” furnish information to a CRA and learn information furnished is either (1) not complete or (2) inaccurate, must promptly notify the CRA and correct the information• If certain types of information are reported (credit limits, closed
accounts, delinquent accounts), there are specific rules around data elements that must accompany them• If information is directly disputed, cannot furnish it to a CRA without
noting the dispute status
Furnishing Basics
• Consumer can either lodge (1) direct dispute with furnisher or (2) indirect dispute with CRA
• In either case, furnisher needs written procedures for handling• Upon receipt of dispute, furnisher must reinvestigate, including
reviewing all relevant information from the CRA, report findings back, and provide corrected information to every other FCRA to whom you furnished the data• If item is inaccurate or incomplete, must modify, delete, or
permanently block its reporting
Dispute Handling Basics
BANKING LAW24 of 88
• Must report results to consumer within 30 days
• Must notify any CRA to which information later found inaccurate was previously furnished
• Not required to reinvestigate certain categories of items:
• Identifying information, public record information, information from another furnisher, etc.
• Disputes submitted by credit report organizations
• Not required to reinvestigate if consumer provides insufficient information, dispute is duplicative, or you already reinvestigated and consumer provided no new information
• This is a “frivolous” or “irrelevant” dispute
• Must inform the consumer within five days of that determination
Dispute Handling Basics
• Must have a process in place to respond to notices from CRAs of identity theft, including procedures to block re-reporting information resulting from identity theft
• If consumer submits identity theft report directly to furnisher, furnisher may not report information resulting from ID theft by any CRA unless the furnisher “knows” or is informed by the consumer that the information is correct
Dispute Handling Basics
BANKING LAW25 of 88
• It “would make little sense to conclude that, in creating a system intended to give consumers a means to dispute – and, ultimately, correct – inaccurate information on their credit reports, Congress used the term ‘investigation’ to include superficial, unreasonable inquiries by creditors.” Johnson v. MBNA Am. Bank, NA, 357 F.3d 426 (4th Cir. 2004)
Dispute Handling Basics
• Dispute Coding Issues:• Under Metro 2© Standards, compliance condition codes (CCCs) as well
as other codes (special comment codes, payment rating, CIIs, etc.) are used to communicate fundamental information about status of tradelines
• CCCs focus on whether tradeline is disputed
Dispute Handling
BANKING LAW26 of 88
• 2017 version of the CDIA Guide introduced new changes to its recommended standard. This remained in the 2018 Guide.
• According to the new Guide, CCCs “should not be reported in response to a consumer dispute investigation request from the consumer reporting agencies,” except in certain situations where it is required by the Fair Debt Collection Practices Act.
• But nearly every circuit court that has addressed the use (or lack thereof) of CCCs has taken a different position, and several cases decided this year continue the trend.
Dispute Handling Litigation
• Lack of clarity on which codes should be used and when they should be used in connection with disputes has led to increased litigation:
• XB – indicates an investigation is pending
• XC – indicates completed investigation but consumer disagrees
• XH – indicates account previously in dispute but investigation complete
Dispute Handling Litigation
BANKING LAW27 of 88
• Litigation challenging a furnisher’s use of a specific dispute code:• Gissler v. Pa. Higher Education Assistance Agency, No. 16-cv-1673, 2017
WL 4297444 (D. Colo. Sept. 28, 2017)
• Wood v. Credit One Bank, No. 3:15-cv-594, 2017 WL 4203551 (E.D. Va. Sept. 21, 2017)
• Fulton v. Equifax Info. Servs., LLC, No. 15-14110, 2016 WL 5661588 (E.D. Mich. Sept. 30, 2016)
Disputing Handling Litigation
• Armeni v. Trans Union LLC, Inc., No. 3:15-cv-066, 2016 WL 4098540 (W.D. Va. July 28, 2016)
• Matson v. Edfinancial Services LLC, No. 14-cv-1052-JPS, 2015 WL 5010515 (E.D. Wis. Aug. 21, 2015)
• Horton v. Trans Union, LLC, No. 12-2072, 2015 WL 1055776 (E.D. Pa. Mar. 10, 2015)
Disputing Handling Litigation
BANKING LAW28 of 88
• Historically, litigation has focused on inaccurate bankruptcy reporting as an FCRA violation
• Major class action against CRAs over bankrupcty reporting
• Also lawsuits, including class actions, alleging that consumer reporting is a violation of the automatic stay or discharge injunction
• Individual actions against furnishers generally, but bankruptcy remains a hot item and will surely lead to further class action filings
Bankruptcy Issues
• When reporting during a Chapter 13 bankruptcy but prior to the discharge, the Consumer Data Industry Association’s (CDIA) Credit Reporting Resource Guide indicates an account should be reported to reflect the terms of the Chapter 13 plan. However, in practice, this can prove to be difficult depending on the specifics of the plan.
Bankruptcy Issues
BANKING LAW29 of 88
• Under Metro 2, must have three elements for proper reporting:• Chapter
• Who – non-debtor co-obligor
• Status – filed, pending, dismissed
• Issues include reporting balance owed in Chapter 13 scenario – you can get sued either way!
Bankruptcy Issues
• Harris v. Experian Information Solutions Inc. et al., No. 5:16-cv-02162 (N.D. Cal. 2017)
• Messano v. Experian Info. Sols., Inc., 251 F. Supp. 3d 1309 (N.D. Cal. 2017)
• Mensah v. Experian Info. Sols., Inc., Nos. 16-cv-05689-WHO, 16-cv-05702-WHO, 16-cv-05715-WHO, 16-cv-06318-WHO, 16-cv-06358-WHO, 16-cv-06359-WHO, 2017 U.S. Dist. LEXIS 52553 (N.D. Cal. Apr. 5, 2017)
Bankruptcy Issues
BANKING LAW30 of 88
• CFPB alleged State Farm Bank violated FCRA, Regulation V, and the Consumer Financial Protection Act of 2010 by:
• obtaining consumer reports without a permissible purpose;
• furnishing to credit-reporting agencies (CRAs) information about consumers’ credit that the bank knew or had reasonable cause to believe was inaccurate;
• failing to promptly update or correct information furnished to CRAs;
• furnishing information to CRAs without providing notice that the information was disputed by the consumer;
• and failing to establish and implement reasonable written policies and procedures regarding the accuracy and integrity of information provided to CRAs.
• State Farm was required to “implement and maintain reasonable written policies, procedures, and processes to address the practices at issue in the consent order and prevent future violations.”
Enforcement Actions
• Enforcement against Security Group Inc., et al.• CFPB alleged lenders regularly furnished consumer information despite not
having written policies or procedures required by Regulation V
• CFPB alleged lenders made systematic and pervasive furnishing errors, were slow to update or correct information, and reported information they knew to be inaccurate
Enforcement Actions
BANKING LAW31 of 88
• Security Group Inc., et al. Cont’d• From Consent Order:
• $5 Million Civil Penalty
Enforcement Action
11:00 CYBERSECURITY AND DATA BREACH LITIGATION Donald M. Houser, Partner, Alston & Bird LLP, Atlanta
BANKING LAW33 of 88
Recent Trends and Developments in Cyber and Data Breach Litigation
Donald Houser1
Follow us: @AlstonPrivacy www.AlstonPrivacy.com 2
Recent Trends and Developments in Cyber & Data Breach Litigation
• Article III: Where do we stand?• Spokeo • Clapper
• Financial Institution Plaintiffs’ Bar• Data Breaches & Negligence Claims• The Economic Loss Rule• TCPA• Privileged Investigations• Offers of Judgment & Gomez• Recent Trends in Data Breach Settlements
BANKING LAW34 of 88
Follow us: @AlstonPrivacy www.AlstonPrivacy.com 3
Constitutional “case or controversy” requirement + new technology = Article III Renaissance?
Article III: Where do we stand?
Follow us: @AlstonPrivacy www.AlstonPrivacy.com 4
• Standing requires:(1) Injury in fact;(2) That is fairly traceable to the challenged conduct of a defendant; and(3) That is likely to be redressed by a favorable judicial decision.
Article III: Where do we stand?
BANKING LAW35 of 88
Follow us: @AlstonPrivacy www.AlstonPrivacy.com 5
• So, what is a data-based injury?- Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016).- Clapper v. Amnesty Int'l USA, 568 U.S. 398 (2013).
Article III: Where do we stand?
Follow us: @AlstonPrivacy www.AlstonPrivacy.com 6
• Background– Spokeo is a search engine operator– Allegedly published inaccurate information about
plaintiff – Plaintiff filed FCRA class action lawsuit, seeking
maximum statutory damages– Theory of harm: Speculated that information
would affect employment, ability to obtain insurance
Article III: Where do we stand?/ Spokeo
BANKING LAW36 of 88
Follow us: @AlstonPrivacy www.AlstonPrivacy.com 7
Spokeo is a “people search engine” that aggregates personal information.
Article III: Where do we stand?/ Spokeo
Follow us: @AlstonPrivacy www.AlstonPrivacy.com 8
• Central District of California (Wright, J.)– No standing– “Alleged harm to Plaintiff's employment prospects
is speculative, attenuated and implausible. Mere violation of the Fair Credit Reporting Act does not confer Article III standing, moreover, where no injury in fact is properly pled.”
Article III: Where do we stand?/ Spokeo
BANKING LAW37 of 88
Follow us: @AlstonPrivacy www.AlstonPrivacy.com 9
• Ninth Circuit (O’Scannlain, J.)– Reversed district court– Court reasoned that:• Plaintiff alleged that Spokeo violated his statutory rights• Plaintiff’s personal interest in the handling of his credit
information is individualized rather than collective
Article III: Where do we stand?/ Spokeo
Follow us: @AlstonPrivacy www.AlstonPrivacy.com 10
• Supreme Court (Alito) – “Settled” that Congress cannot erase Article III
requirement by statute– Injury in fact must be both concrete and
particularized• Ninth Circuit focused only on particularization
– Concrete:• Tangible; AND• Intangible
Article III: Where do we stand?/ Spokeo
BANKING LAW38 of 88
Follow us: @AlstonPrivacy www.AlstonPrivacy.com 11
• Supreme Court (Cont’d)– What intangible harms sufficient?• History: Important role• Judgment of Congress: Important role
– “Congress may elevat[e] to the status of legally cognizable injuries concrete, de facto injuries previously inadequate at law”
– But…
Article III: Where do we stand?/ Spokeo
Follow us: @AlstonPrivacy www.AlstonPrivacy.com 12
• Impact of Spokeo?– Empirical research– 430 decisions– TCPA (72 decisions): 13% – FDCPA (77 decisions): 24%– FCRA (82 cases): 51%– FACTA (18 cases): 67%
Article III: Where do we stand?/ Spokeo
BANKING LAW39 of 88
Follow us: @AlstonPrivacy www.AlstonPrivacy.com 13
• Muransky v. Godiva Chocolatier, Inc., Case No. 16-16486 (11th Cir. October 3, 2018) – Plaintiffs alleged violations of FACTA after Godiva
gave a receipt showing more than four digits of a credit card.
– Held: Court found standing.
Article III: Spokeo in the 11th Circuit
Follow us: @AlstonPrivacy www.AlstonPrivacy.com 14
• Muransky (cont.)– Disclosing credit card numbers is similar to
common law tort of breach of confidence and resembles a modern claim for breach of implied bailment agreement.
– Concrete injury to plaintiffs is their “time (and wallet space)” used to “safely dispose of or keep the untruncated receipt so as to avoid someone finding their credit card number on their receipt.”
Article III: Spokeo in the 11th Circuit
BANKING LAW40 of 88
Follow us: @AlstonPrivacy www.AlstonPrivacy.com 15
• Nicklaw v. CitiMortgage, Inc., 855 F.3d 1265, 1266
(11th Cir. 2017)
– Held: Plaintiff failed to allege a concrete injury when he
filed his lawsuit two years after the lender’s failure to
record and alleged no harm outside of violating statutes.
– Dissent: Plaintiffs can satisfy the concrete harm
requirement by alleging “a risk of real harm.”
• “[A]ll eight Justices [in Spokeo] agreed that alleging a FCRA violation with
a risk of real harm was sufficient to meet the Article III standing
requirements.”
• Church v. Acccretive Health, Inc., 654 Fed. App’x 990
(11th Cir. 2016).
Article III: Spokeo in the 11th Circuit
Follow us: @AlstonPrivacy www.AlstonPrivacy.com 16
• Frank v. Gaos, 17-961– In November of 2018, the Supreme
Court ordered supplemental briefing requiring parties to address the justiciability of the underlying case.
– The district court’s order approving a settlement in the case pre-dated the 2016 Spokeo decision.
– This may be the Court’s chance to clarify the issues that currently split the Circuits.
Article III: Spokeo & And Beyond
BANKING LAW41 of 88
Follow us: @AlstonPrivacy www.AlstonPrivacy.com 17
• Obstacle to federal court• Ratliff v. LTI Trucking Servs., Inc., No. 4:18 CV
1032 RLW (E.D. Mo. Jan. 2, 2019)– FCRA claim started in federal court– Federal court dismissed for lack of concrete injury– Plaintiff refiled in state court– Defendant removed the case to federal court and
moved to dismiss action outright for lack of subject matter jurisdiction.
– Held: no outright dismissal, but remand to state court
Article III: Spokeo & the State Courts
Follow us: @AlstonPrivacy www.AlstonPrivacy.com 18
• Key Takeaways– Spokeo is not always a silver bullet– Impact driven by a number of factors• Nature of the statute• Nature of the information and how it was used
– Potential increase of statutory claims filed in state court
– Another trip to Supreme Court
Article III: Where do we stand?
BANKING LAW42 of 88
Follow us: @AlstonPrivacy www.AlstonPrivacy.com 19
• Clapper v. Amnesty Int'l USA, 568 U.S. 398 (2013)– Amnesty International and others challenged
constitutionality of amendments to FISA– Authorized surveillance of non-U.S. citizens believed
to be outside the U.S.– Alleged that amendment put them at risk that
potentially sensitive and privileged communications with colleagues and clients could be monitored
Article III: Clapper v. Amnesty Int'l USA
Follow us: @AlstonPrivacy www.AlstonPrivacy.com 20
• Supreme Court– Rejected “objectively reasonably likelihood” that
communications would be intercepted as sufficient– Imminence elastic but at minimum the injury must
be “certainly impending”– Costs incurred based on fear of hypothetical harm
do not create standing; such harm is not “certainly impending” and cannot be manufactured by plaintiffs
Article III: Where do we stand?/ Clapper
BANKING LAW43 of 88
Follow us: @AlstonPrivacy www.AlstonPrivacy.com 21
• Courts applied even greater scrutiny to allegations of harm and whether they rise to the level of “certainly impending”
• Many commentators and observers suggested that Clapper may result in significant reduction of data breach class actions
• In re Zappos (district court)
Article III: Clapper’s Immediate Aftermath – A Tailwind?
Follow us: @AlstonPrivacy www.AlstonPrivacy.com 22
• Seventh Circuit (Remijas v. Neiman Marcus)– Plaintiffs’ allegations of an increased risk of future fraudulent charges
and greater susceptibility to identity theft were sufficiently imminent to clear the hurdle Clapper set for determining whether allegations of future harm amount to an actual injury
• Sixth Circuit (Galaria v. Nationwide Mut. Insurance)– Cited Remijas favorably– “There is no need to speculate where Plaintiffs allege that their data has
already been stolen and is now in the hands of ill-intentioned criminals.”• In re Zappos.com, Inc. (Ninth Circuit)
– Found standing where plaintiffs alleged risk of harm due to identity theft.
Article III: Clapper Today – Pendulum Swing Back?
BANKING LAW44 of 88
Follow us: @AlstonPrivacy www.AlstonPrivacy.com 23
• Maybe So Maybe Not…
– Second Circuit
• Whalen v. Michaels Stores, Inc., 2017 WL 1556116
(2d Cir. May 2, 2017)
– Fourth Circuit
• Beck v. McDonald, 848 F.3d 262, 274 (4th Cir. 2017)
Article III: Clapper Today – Pendulum Swing Back?
Follow us: @AlstonPrivacy www.AlstonPrivacy.com 24
• Clapper is one of defense counsel’s best tools in the data breach context
• Standing in data breach cases remains highly fact-intensive
• Plaintiffs becoming increasingly creative in their attempts to allege harm
• State court remains an option
Article III: Clapper’s Key Takeaways
BANKING LAW45 of 88
Follow us: @AlstonPrivacy www.AlstonPrivacy.com 25
• Rise of the financial institution plaintiffs’ bar
• Financial institutions that issue payment cards allegedly compromised by breach are increasingly filing lawsuits against the breached company
• Seeking – “Incremental fraud” losses– Costs of card reissuance
Additional Developments & Trends/ Rise of the Financial Institution Plaintiffs’ Bar
Follow us: @AlstonPrivacy www.AlstonPrivacy.com 26
• Lawsuits are raising new and complex issues relating to:– Negligence/ duty– Standing– Card brand recovery processes– Class certification
Rise of the Financial Institution Plaintiffs’ Bar
BANKING LAW46 of 88
Follow us: @AlstonPrivacy www.AlstonPrivacy.com 27
• Negligence Claims– State law governs– Many states have not wrestled with
negligence in the data breach context– Foreseeable enough?– What about criminal attacker?– Duty to financial institutions?
Additional Developments & Trends/ Negligence Claims
Follow us: @AlstonPrivacy www.AlstonPrivacy.com 28
• McConnell v. Dep't of Labor, 345 Ga. App. 669, 678 (2018)
– Looked to legislature to find that no general duty exists to safeguard personal information of others.
– “It is beyond the scope of judicial authority, however, to move from aspirational statements of legislative policy to an affirmative legislative enactment sufficient to create a legal duty.”
• Georgia Supreme Court granted Cert in November of 2018.
Negligence in Georgia: a Duty to Protect Information?
BANKING LAW47 of 88
Follow us: @AlstonPrivacy www.AlstonPrivacy.com 29
• Plaintiffs are attempting to weaponize Section 5 of FTC Act’s Unfair Practices Prong– “[U]nfair or deceptive acts or practices in or
affecting commerce...are...declared unlawful.”– Courts are in agreement that there is no private
right of action under Section 5 itself• Extremely limited case law addressing this
issue directly
Negligence Per Se
Follow us: @AlstonPrivacy www.AlstonPrivacy.com 30
• Economic Loss Rule (“ELR”)– Absent personal injury or property damage, a plaintiff
suffering only economic harm is limited to recovery in contract (subject to certain exceptions)
– State law governs• Many states have not addressed in data breach context• Some states have limited the application to products liability
– Strength of ELR in consumer versus financial institution litigation
– In re Community Bank of Trenton v. Schnuck Mkts., Inc., 887 F.3d 803, 817-18 (7th Cir. 2018)
– Case to watch: Selco Community Credit Union v. Noodles & Co., 16-cv-2247 (D. Co.)
Economic Loss Rule
BANKING LAW48 of 88
Follow us: @AlstonPrivacy www.AlstonPrivacy.com 31
• Explosion of TCPA cases peaked in 2016 but declined in 2017 and 2018– 14 cases filed in 2008– 4,860 cases filed in 2016– 4,380 cases filed in 2017– 3,803 cases filed in 2018
• Spokeo?• The stakes are high– $500/ $1,500 per text/ call/ fax– Class actions and individual actions are common– Large settlements
Trends of TCPA cases
Follow us: @AlstonPrivacy www.AlstonPrivacy.com 32
• In re Experian Data Breach Litigation, 15-1592
(C.D. Cal. May 18, 2017)
– Plaintiffs moved to compel production of documents
created by Experian’s investigator
– Held: documents were considered work product
• Documents were created “because of” litigation
• In re Shore Financial Services LLC
“Privileged” Investigations
BANKING LAW49 of 88
Follow us: @AlstonPrivacy www.AlstonPrivacy.com 33
• Fed. R. Civ. P. 68(a):– a defending party to a claim may serve the
opposing party an offer to allow judgment on specified terms.
– If the opposing party accepts the offer, the claim is rendered moot.
– Both parties’ standing in relation to that claim is therefore extinguished because there no longer exists a case or controversy.
Offers of Judgment
Follow us: @AlstonPrivacy www.AlstonPrivacy.com 34
• Campbell-Ewald v. Gomez, 136 S. Ct. 663 (2016)– TCPA case involving recruiting texts for the Navy. – Before certification, Defendant made an offer of
judgment to Plaintiff. Plaintiff did not accept.– Campbell moved to dismiss on the grounds that
the offer of judgment mooted Plaintiff's individual claim by providing him with complete relief.
– District Court denied Campbell’s motion – The Ninth Circuit reversed.
Gomez and Offers of Judgment
BANKING LAW50 of 88
Follow us: @AlstonPrivacy www.AlstonPrivacy.com 35
• Supreme Court: – “[A]n unaccepted settlement offer has no
force. Like other unaccepted contract offers, it creates no lasting right or obligation. With the offer off the table, and the defendant’s continuing denial of liability, adversity between the parties persists.”
Gomez and Offers of Judgment
Follow us: @AlstonPrivacy www.AlstonPrivacy.com 36
• Court did not address what happens when Defendant doesn’t just make an offer, but actually tenders money. – “We need not, and do not, now decide whether
the result would be different if a defendant deposits the full amount of the plaintiff's individual claim in an account payable to the plaintiff, and the court then enters judgment for the plaintiff in that amount."
The Gomez Loophole
BANKING LAW51 of 88
Follow us: @AlstonPrivacy www.AlstonPrivacy.com 37
• Post-Gomez strategies:– Respond to complaint with a cashier’s check for
full amount of individual damage claim – Deposit of settlement amount directly into
plaintiff’s account – Use offer of judgment to attack adequacy of
representation
The Gomez Loophole
Follow us: @AlstonPrivacy www.AlstonPrivacy.com 38
• Strategy has been largely unsuccessful: – Lary Jr. v. Rexall Sundown Inc., No. 15-601 (2d Cir.)– Geismann v. ZocDoc Inc., No. 14-3708 (2d Cir.) • Footnote leaving open Gomez full payment strategy
– Conway v. Portfolio Recovery Associates, No. 15-5925 (6th Cir.)
– Chen v. Allstate Insurance Co., No. 13-16816 (9th Cir.)
The Gomez Loophole
BANKING LAW52 of 88
Follow us: @AlstonPrivacy www.AlstonPrivacy.com 39
• Some defendants were successful– Bank v. Alliance Health Networks LLC (2d Cir.)• Defendant’s offer of judgment mooted plaintiff’s TCPA
claims because check for full amount was cashed by plaintiff
• Split in courts’ acceptance of the GomezLoophole is likely to continue until SCOTUS addresses issue
The Gomez Loophole
Follow us: @AlstonPrivacy www.AlstonPrivacy.com 40
• Stein v. Buccaneers L.P., 772 F.3d 698 (11th Cir. 2014)
– Pre-Gomez case shuts down mooting strategy
– Held: Even if a defendant could moot an individualplaintiff’s claims during a class action, “the class
claims remain live, and the named plaintiffs retain the
ability to pursue them.”
– Combined with Gomez, closes the door on using Rule
68 to moot class claims.
Gomez in the 11th Circuit
BANKING LAW53 of 88
Follow us: @AlstonPrivacy www.AlstonPrivacy.com 41
• 11th Circuit District Courts deny tactic:– Eisenband v. Credit Pros Int'l Corp., No. 18-cv-
60053-BB, 2018 U.S. Dist. LEXIS 61725 (S.D. Fla. Apr. 10, 2018);
– Family Med. Pharmacy, LLC v. Perfumania Holdings, Inc., No. 15-0563-WS-C, 2016 U.S. Dist. LEXIS 87028 (S.D. Ala. July 5, 2016);
– Evey v. Creative Door & Millwork, Ltd. Liab. Co., No. 2:15-cv-441-FtM-29MRM, 2016 U.S. Dist. LEXIS 46011 (M.D. Fla. Apr. 5, 2016).
Gomez and Offers of Judgment
Follow us: @AlstonPrivacy www.AlstonPrivacy.com 42
– Neiman Marcus (consumer)• $1.6M on about 350,000 customers/ cards
– Anthem • $115M on about 78 million customer records
– Experian• $47 million
– Kmart (financial institution)• $5.2M on about 8.1 million cards
– Target (financial institution/ consumer)• $10M on at least 40 million cards for consumer litigation• $39.3 million for financial institution litigation
Recent Data Breach Settlements
BANKING LAW54 of 88
Follow us: @AlstonPrivacy www.AlstonPrivacy.com 43
• But it is not only data breaches
• From 2006 to 2019, there have been more than $600M+ in privacy-related class action settlements (excludes enormous number of individual actions)– Kinder v. Meredith Corp (2016)
– $7.5M arising due to violations of Michigan’s Video Rental Privacy Act
Recent Trends in Settlements
Follow us: @AlstonPrivacy www.AlstonPrivacy.com 44
• Target Data Breach/ Consumer Settlement
– In Target consumer case, proposed class settlement
of $10M
– Eighth Circuit vacated
• “We hold that the district court abused its discretion by
failing to rigorously analyze the propriety of certification,
especially once new arguments challenging the adequacy
of representation were raised after preliminary
certification.”
– Potential implications going forward for consumer
data breach settlements?
Recent Trends in Settlements
12:30 FINTECH DEVELOPMENTS James W. Stevens, II, Partner, Troutman Sanders LLP, Atlanta Michael J. Shumaker, First Vice President and Assistant General Counsel, SunTrust Bank, Atlanta
BANKING LAW56 of 88
1
FinTech Investments and Partnerships for Financial Institutions
Banking LawState Bar of Georgia
March 1, 2019
Michael J. ShumakerSunTrust Bank
Atlanta, GA
James W. StevensTroutman Sanders LLP
Atlanta, GA
2
• “When we think about fintech, we go through a ‘build/buy/partner’ evaluation to decide how we can get to market most efficiently,” said Jennifer Roberts, head of Chase Pay, in a release at the time.
• Decision driven by, among other things:– Desire to deliver wanted products and services to customers– Add new sources of revenue– Lower costs– Improve processes– Obtain talent
Bank and FinTech Company Collaboration
BANKING LAW57 of 88
3
• Banks completed 41 technology company acquisitions in 2016 with a $14.4 billion deal value
• But challenges exist:
– Difficult for banks to value a start up Fintech company
– A technology company’s culture may not mesh with the bank’s
– Difficult due diligence and integration
– May make it difficult to keep bank competitors as customers
• Buying is growing but lags partnerships, some of which may involve an investment by the bank
Buying
4
• Partnering usually involves a commercial agreement between the bank and the FinTech company where a bank engages a FinTech company to license or provide a product or service in exchange for fees
• Such arrangements are governed by a written agreements that set forth the respective rights and obligations of the parties, which we will discuss later
• These partnerships may also involve a controlling or non-controlling investment by the bank or its bank holding company
Partnering
BANKING LAW58 of 88
5
• Investments can include investing in more than equity, including:– Merchant banking authority– Loans and debt instruments– SBA loans
• Reasons for an investment beyond a commercial agreement:– Exciting tech, but no product – investing can meet FinTech’s need
for working capital and industry input– Shaping product trajectory – a bank’s involvement can make a
great idea even more interesting– Condition precedent to a commercial agreement– Stake out – get a place at the front of the line when the FinTech
company is ready to sell
Investments
6
Bank Holding Company and Bank Investment Authority
TypeFederal
Approval RequiredDegree of Control Type of Activities Other
Limitations
Ban
k H
oldi
ng C
ompa
ny Controlling
60 days prior notice to Federal Reserve for approval unless BHC and Bank well-capitalized, well-managed and no formal enforcement action in last 12 months. In such case, notice within 10 days is required.
Any Must be closely related to banking.
In all cases, will need to determine if state approval required if the bank is a state bank.
Non-Controlling
No prior notice or approval of Federal Reserve required.
None. Should limit deemed control by having voting stockconvert to non-voting above 4.9% threshold and avoid exercising a controlling influence.
No limitation on activities if under 5%. Must be for a permissible purpose under 12 CFR 225.28 if over 5%.
Ban
k
Controlling No prior notice or approval of federal regulator required.
Required Only permissible bank activities.
Non-Controlling
No prior notice or approval of federal regulator required.
Any • Must limit acitivites to “permissible activities”
• Must be able to prevent other activities or terminate investment
• Must have limited liability Must be useful to carrying out bank business
BANKING LAW59 of 88
7
• Most minority investors prefer to invest through a bank holding company or a bank holding company subsidiary because, if the investment is for less than 5% of the voting power of the company and there is no “control,” there is no limitation on the activities of the company and generally no prior federal approval
• Controlling bank holding company investments and any bank investment are essentially limited to “permissible activities”
• Financial holding companies can invest in a broader range of permissible activities but still subject to limitations on control
• Non-controlling bank investments are also required to include bank-friendly terms that most FinTech’s would not agree to absent a true joint venture type arrangement
Investments
8
• Control means that the bank:– Owns or controls, directly or indirectly, 25% or more of any class
of the voting securities of a company;– Controls the election of a majority of the trustees or directors of a
company; or– Has a “controlling influence” over the management or policies of
the company.
• The meaning of having a “controlling influence” under prong three has been subject to extensive regulatory guidance and interpretation and the analysis is “lore passed on from shaman to novice,” Randall Quarles, Vice Chair of the FRB Board of Governors
• Thus, the controlling influence analysis applies any time a bank holding company desires to purchase 5% or more of the voting power in a FinTech company or, even if the bank holding stays below 5% voting, there are other indicia of control, such as the proposed ownership of non-voting stock that exceeds the 5% voting threshold
BHC Investments - Control
BANKING LAW60 of 88
9
• Controlling influence analysis looks at:– Director representation– Voting v. non-voting equity and total equity ownership– Ability to consult with management– Covenants that substantially limit the discretion of management over
major policies and decisions or give other control to the investor– Business relationships between the Bank and the FinTech company– Ability to control disposition of voting stock
• You can also have provisions that do not indicate control:– Covenants prohibiting senior securities or borrowing– Covenants prohibiting the impairment of the rights of the investor
without its consent– Call rights on the investor’s investment
BHC Investments - Controlling Influence
10
• For a financial or bank holding company, the safest option is to acquire less than 5% of a class of voting securities of the company
• Federal Reserve will allow companies to create a feature in their articles or operating agreement that permits investors to make a one-time election to have any voting shares above 5% of a class of securities treated as non-voting stock.
• To be considered non-voting, the ability to convert the non-voting equity to voting equity must be limited
BHC Investments - Controlling Influence
BANKING LAW61 of 88
11
• Larger banks are subject to a provision of Dodd-Frank known as the Volcker Rule (Section 619), which generally prohibits banks and their holding companies from conducting investment activities with their own accounts and limits their dealing with “covered funds”
• “Covered funds” is broadly defined, so while the Volcker Rule was meant to limit bank investment in hedge funds and P/E funds, it can also cause problems with FinTech investments.
• Any company allocating 40% or more of its assets in “investment securities” (as defined by the Investment Company Act of 1940) can be considered a covered fund.
BHC Investments - Other Considerations
12
• Activities of bank investors must be limited to “permissible activities”
• Bank subsidiaries may conduct in an operating subsidiary activities that are permissible for a national bank to engage in directly either as part of, or incidental to, the business of banking, as determined by the OCC, or otherwise under other statutory authority
• OCC publishes lists and interepretations of those actitivies and those lists and interpretations are followed by all federal regulators
Permissable Activities
BANKING LAW62 of 88
13
• Written notice prior to, or within 10 days after, acquiring or establishing an operating subsidiary if:– The bank is “well-capitalized” and “well-managed”;– The bank has the ability to control the management and
operations of the subsidiary;– Majority control; – The bank required to consolidate its financial statements;
and– Subsidiary only engages in a listed set of vanilla banking
activities.
National Banks – Regulatory Approval
14
• No notice required for a well-capitalized and well-managed bank to establish or invest in a new operating subsidiary if the activities of a new subsidiary are limited to those activities previously reported by the bank in connection with the establishment or acquisition of a prior operating subsidiary
• Otherwise, prior OCC approval is required for an operating subsidiary
• Prior OCC approval is always required for a financial subsidiary that engages is something beyond those activities persmissable for operating subsidiaries
National Banks – Regulatory Approval
BANKING LAW63 of 88
15
• Georgia law always requires approval of the establishment or investment in a bank subsidiary
• Banks chartered in other states will have to look at their applicable state law
• State will act on it within 10 days if eligible for expedited treatment and 30 days if not
• Under the regulations and policies of the DBF, a bank can obtain expedited treatment if it is:– Well-capitalized;– CAMELS 1 or 2;– Has a satisfactory or better CRA rating, and– No enforcement actions.
• If eligible for expedited treatment, deemed approved if no objection in 10 days
State Banks – Regulatory Approval
16
• If regulated by the FDIC, federal rules like OCC rules:– Need to seek FDIC approval if a financial subsidiary or if an
operating subsidiary and not well-managed and well-capitalized – If well-managed and well-capitalized, will not need to seek
approval if an operating subsidiary
• If regulated by the Federal Reserve, no separate approval of subsidiaries is required
• The Federal Reserve does, however, require subsequent notice on Form Y-10
State Banks - Regulatory Approval
BANKING LAW64 of 88
17
• Must file an application and obtain prior approval before acquiring or establishing any subsidiary, or performing a new activity in any existing subsidiary, if the bank does not control or otherwise does not own more than 50% of the voting (or similar type of controlling) interest of the subsidiary.
Non-controlling Investments by National Banks
18
• Georgia - always requires approval of the establishment of or investment in a subsidiary
• Banks chartered in other states will have to look at their applicable state law
• FDIC -– Always have to get approval of a financial subsidiary or any subsidiary if
not well-managed and well-capitalized– If well-managed and well-capitalized, can form an operating subsidiary
without approval as long as, with respect to a noncontrolling investment, • Can prevent impermissible activities;• Limited liability; and• Investment is convenient or useful to the bank in carrying out its
business and not a mere passive investment unrelated to that bank's banking business.
• Federal Reserve - no separate approval of subsidiaries is required
Non-controlling Investments by State Banks
BANKING LAW65 of 88
19
• Activities must be limited to:– Check and deposit sorting and posting, – Computation and posting of interest and other credits and charges, – Preparation and mailing of checks, statements, notices, and similar items, – Any other clerical, bookkeeping, accounting, statistical, or similar functions
performed for a depository institution, or– Other activities that would be permissible for a bank holding company to
perform
• National banks can invest in one of these without approval if only engaging in the first 4 of those activities. Otherwise, the investment will require approval of the OCC.
• If an FDIC regulated state bank, these are regulated like operating subsidiaries or financial subsidiaries depending on their activities and subject to the same approval
Bank Service Companies
20
• Intellectual property diligence/internal controls of code and technology by FinTech
• Employment contracts and non-competition covenants
• Challenges relating to corporate opportunities and complications from board participation by larger institutions
Investments - Other Considerations
BANKING LAW66 of 88
21
• Banks partnering with FinTech companies in commercial arrangements must engage in an assessment of their contractual rights and obligations
• These arrangements must be managed through an effective third party risk management process
• Bank should seek appropriate legal counsel to review these agreements before they are finalized to determine rights, obligations and limitations
• Banks must perform due diligence before and during the relationship and this due diligence should not itself be outsourced
• The due diligence should extend to each third party the bank is relying on and should include an assessment of the third party’s financial capacity as well as their business reputation, experience and compliance with applicable law
Commercial Agreement Issues
22
• Compliance – banks are at risk of failing to comply with the law when they outsource activities to third parties
• Concentration – banks are at risk when they outsource services or products to third parties that are one of only a small number of similar service providers
• Reputation – poor performance of a third party service provider can have a negative impact on a bank
• Transactional – product or service delivery can be impacted by third parties by causing transactions not to occur or unauthorized transactions
• Operational – banks are exposed to losses due to inadequate or failed controls and processes of the third party
• Legal – banks can be exposed to the expense of legal proceedings when they are outsourcing to third parties
Contracts - Third Party Risks
BANKING LAW67 of 88
23
• Outsourcing does not relieve a bank or its management from their obligations to conduct the bank in a safe and sound manner and in compliance with applicable law
• As a result, banks need to have detailed written policies and procedures in place to manage the risks posed by these outsourcing arrangements
Oversight of Third Party Vendors
24
• Third party vendor management policies need to provide:– That the bank will engage in and document its evaluation of
the risks posed by a particular third party agreement– What types of due diligence the bank will engage in before
entering into one of these arrangements– The requirements the bank has with respect to the contracts
with its vendors– How the bank will monitor and evaluate the arrangement
and the vendors, and– Provisions to address business continuity and other
contingency plans
Contracts - Oversight of Third Party Vendors
BANKING LAW68 of 88
25
• Scope – the contracts should clearly identify the rights and responsibilities of each party
• Costs – the contracts should describe all applicable fees and charges and not improperly incentivize the third party to take imprudent risks on behalf of the bank
• Audit rights – the bank should be able to audit the service provider and have access to audit reports
• Performance standards – agreements should have measurable performance standards and describe what happens when they are not met
Mandated Contractual Terms
26
• Confidentiality and security terms – these contracts should spell out how the service provider will ensure the security and confidentiality of the bank’s and its customers’ information. The contracts need to contain terms that will ensure that the bank can comply with its obligations under Gramm Leach Bliley and other applicable law
• Ownership – agreements should define who owns information and how it may be used by each party
• Indemnification – each agreement should provide for indemnification of the bank by the service provider
Mandated Contractual Terms
BANKING LAW69 of 88
27
• Default provisions – agreements need to define when a default occurs and include acceptable remedies with respect to such defaults
• Termination provisions – these agreements need to define each party’s termination rights that include provisions related to transition assistance and the return of information in connection with a termination
• Dispute resolution – agreements should have dispute resolution procedures that enable expedited problem solving
• Limits on liability – in response to the desire that service providers often have to limit their liability, banks should carefully consider whether the limits are reasonable
Mandated Contractual Terms
28
• Insurance – agreements should contain agreements about what insurance the service provider should have and provide for notifications when it changes
• Customer complaints – these agreements should specify the responsibilities of the parties with respect to customer complaints
• Business resumption and contingency plan – the agreements should address how service will be resumed and continued in the event of operational failures and back up measures the service provider will take
Mandated Contractual Terms
BANKING LAW70 of 88
29
• Foreign-based service providers – if the service provider is based in another country, the regulators have said that extra provisions should be added to address choice of law and jurisdiction for disputes and that the banks should seek out foreign-based counsel to review the contracts
• Subcontracts – finally, if the vendor may use subcontractors, the contract shall make it clear that the vendor is responsible for their actions and address the selection and monitoring of the work of these subcontractors
Mandated Contractual Terms
30
• Banks that do vendor management well document the risks posed by the arrangement and identify how they are mitigating and lessening the risks
• They also consider carefully which vendor is the right one and poses the least risk for the cost and think on the front end about how they will manage and monitor the relationship
• Banks that are doing a good job in this area also revisit their initial risk assessment at intervals throughout the arrangement and adjust the assessment as necessary
Best Practices
BANKING LAW71 of 88
31
• Banks should make sure they thoroughly understand who they are going to do business with and their reputation and standing in their industry before they sign a contract to outsource services to them
• Banks should also understand the financial condition of third party vendors, check references and make sure that it is not engaged in existing regulatory or legal issues
• Banks should also understand what kind of insurance coverage they have for the risks they may pose to the bank
• Banks should also evaluate the operational capabilities of the service provider
Best Practices
32
• Banks should also evaluate the operational capabilities of the service provider
• Banks also need to have the appropriate in-house personnel to monitor the performance under these arrangements
• Banks also need to continue to pay close attention to the financial condition of these service providers, especially if they are handling the bank’s or their customers’ funds
Best Practices
BANKING LAW72 of 88
33
Michael J. ShumakerSunTrust Bank
Atlanta, GAMichael.J.Shumaker@SunTrust.com
(404) 724-3604
James W. StevensTroutman Sanders LLP
Atlanta, GAJames.Stevens@troutman.com
(404) 885-3721
1:45 FARM BILL AUTHORIZATION FOR HEMP FARMING— IMPLICATIONS FOR FINANCIAL INSTITUTIONS William V. Custer, IV, Partner, Bryan Cave Leighton Paisner LLP, Atlanta Jennifer B. “Jen” Dempsey, Partner, Bryan Cave Leighton Paisner LLP, Atlanta Brandon W. Neuschafer, Partner, Bryan Cave Leighton Paisner LLP, Saint Louis, MO D. Barry Hester
BANKING LAW74 of 88
11
Industrial Hemp Farming
Highlighting the Key Changes in the 2018 Farm Bill
and Important Considerations for Financial Institutions
2
HEMP AND THE FARM BILL EXPLAINED
Part I
BANKING LAW75 of 88
3
The History of Hemp in United States
•Jamestown settlement grows hemp to make ropes, sails, and clothing
1616
• Abraham Lincoln uses hemp seed oil to fuel his household lamps.
1860 •Henry Ford builds an experimental car body out of hemp
•USDA initiates the "Hemp for Victory" Program
1942
• The Controlled Substances act classifies hemp as an illegal Schedule I substance
1970 •The 2014 Farm Bill created federal pilot programs that allowed small scale hemp farming
2014
4
Hemp • Hemp is a variety of the cannabis sativa
plant.
• Hemp contains negligible amounts of THC (~0.3%).
• Hemp contains more CBD than marijuana. CBD is a non-intoxicating compound with medical applications.
• Hemp plants tend to grow much taller than marijuana plants and are much more stalky.
Marijuana• Marijuana is a variety either the cannabis
sativa or the cannabis indica plant.
• Marijuana contains significant amounts of THC (5%-10%) which is the substance that creates a “high”
What is Hemp? How does it differ from marijuana?
BANKING LAW76 of 88
5
Hemp can be used in:
• Textiles
• Fuel
• Food
• Rope
• Medicine
• Skincare
• Protein Source
• Animal Feed
• Paper
The Uses of Hemp
2018 “Uses of Industrial Hemp” Midwest Industrial Hemp Association
6
• Cultivation and use of “industrial hemp” after the 2014 Farm Bill was limited
• 2018 Farm Bill redefines and reclassifies hemp under the Controlled Substances Act (CSA)– the plant Cannabis sativa L. and any part of that plant, including
the seeds thereof and all derivatives, extracts, cannabinoids, isomers, acids, salts, and salts of isomers, whether growing or not, with a delta-9 tetrahydrocannabinol [THC] concentration of not more than 0.3 percent on a dry weight basis
• Keep in mind that states still have a say in this matter –the 2018 Farm Bill expressly does not preempt state law
The 2018 Farm Bill Shakes Everything Up
BANKING LAW77 of 88
7
• A lot of work remains to actually enable cultivation and processing of hemp– USDA regulations– State programs
• Use of hemp derivatives (like CBD oil) in FDA-regulated products (e.g., food, food ingredients, dietary supplements) is a very different inquiry and should not be confused with the Farm Bill impacts– FDA position– GRAS: hulled hemp seeds, hemp seed protein, hemp seed oil– State positions – California, Washington, etc.
Current Status of Hemp and Hemp Products
8
State Status of Industrial Hemp Farming
BANKING LAW78 of 88
9
THE STATUS OF HEMP IN GEORGIA
Part II
10
• Currently, industrial hemp farming is illegal in Georgia.
• Georgia has a small program allowing medical use of “low-THC oil” for approved patients. However, no one in the state may produce or sell low-THC oil.
• Currently, there is no statutory provision against CBD oil that contains no THC.
Current Status of Hemp in Georgia
BANKING LAW79 of 88
11
• In 2019, the Georgia legislature is likely to consider bills:
– Allowing Industrial Hemp Farming in Georgia
– Allowing Georgia farmers to grow and sell low-yield THC oil
• Brian Kemp stated in a recent interview that he
“sympathizes and empathizes” with the desire for a
broader medical marijuana program and supports a
“research based expansion” of medical marijuana.
Status of Hemp in Georgia Going Forward
12
• Specifically in 2018, the Georgia House of Representatives led a bipartisan study committee on Industrial Hemp.
• The Committee recommended: – Legalizing industrial hemp farming in Georgia– Educating law enforcement on how to differentiate hemp from
marijuana plants – Creating a licensing scheme in conjunction with the Georgia
Department of Agriculture– Partnering the Georgia Department of Agriculture with the University
of Georgia to test industrial hemp so farmers can identify which seeds comport with federal requirements
• There is still discussion about whether this bill will come forward in the current legislative session.
Study Committee on Industrial Hemp
BANKING LAW80 of 88
13
CONSIDERATIONS FOR FINANCIAL INSTITUTIONS
PART III
14
• New Business – Under the new law, banks will be able to lend to hemp farmers and allow them to open deposit accounts like farmers of other crops.
• Collateral – What will banks use as collateral for hemp farmers?
• Auditing – How will lenders audit compliance with federal laws of its borrowers?
Key Considerations for Financial Institutions
BANKING LAW81 of 88
15
• Customer Due Diligence – What steps should institutions
take to ensure that customers are operating under a
license or other legal framework?
• Transaction Monitoring – FinCEN’s 2014 guidance
describes Bank Secrecy Act expectations in relation to
“marijuana” as defined by the CSA. Applicability to a
hemp business?
• Reputational Considerations – How do communities and
bank regulators perceive this business?
Key Considerations for Financial Institutions
16
2:30 PROFESSIONALISM AND THE NEGOTIATION OF THE DEAL Chris Frieden, Partner, Alston & Bird LLP, Atlanta Jonathan S. Hightower, Partner, Bryan Cave Leighton Paisner LLP, Atlanta
BANKING LAW83 of 88
Chris Frieden | chris.frieden@alston.com | 404.881.7457
Ethics and Professionalism Issues in Negotiations
Jonathan Hightower| jonathan.hightower@bclplaw.com | 404.572.6669
2
Quick Hypotheticals
§ Multiple clients pursuing the same opportunity at the same time, whether part of an organized process or otherwise
BANKING LAW84 of 88
3
Quick Hypotheticals
§ Buyer and Seller are both clients
4
Quick Hypotheticals
§ One client considering a transaction with a larger group that may or may not include another client
BANKING LAW85 of 88
5
Quick Hypotheticals
§ Former clients / former transactions ▸What knowledge can be shared from prior deals?
§ Rule 1.9 – Dealing with Former Clients; See also Rule 1.6
§ Cannot be adverse to former clients in “the same or a substantially related matter”
§ No confidential information can be shared without the consent of the client who owns the confidential information
§ Language in merger agreements
6
Confidentiality Agreements
§ Understanding and abiding by the terms▸ Pay Attention
§ Binding upon “representatives”
§ Electronic materials – how to handle …
BANKING LAW86 of 88
7
Letters of Intent
§ Relying on the non-binding nature of a letter of intent to bury a material provision at the bid state
§ Stocking horse bids – staying in the flow of information – is this ethical?
8
Due Diligence
§ Oops – Too much information in data room
§ Stray emails that compromise confidentiality
§ Surfacing material issues related to your client
§ The perils of cataloging problems …
BANKING LAW87 of 88
9
Definitive Agreements
§ Implied Estoppel form Prior Negotiations – what to do when you can’t accept a provision you’ve agreed to before
§ The tension between clean reps and the confidentiality of supervisory information
§ Dealing with the less experienced counsel
10
General
§ When your client wants to be more aggressive with limiting disclosure than you feel is appropriate
§ Deal rumors – appropriate to share rumors when it’s not your deal?▸ Consider the source and the image you want to build for yourself.
§ Busted deals – what becomes of all of the e-mails and documents
§ Dealing with crude conduct in the working group
BANKING LAW88 of 88
11
Bringing in Business
§ Marginal clients are a big risk to your firm
§ Conflicts can be created by potential clients as well
§ Be careful about how much you learn
§ Referrals: probably not covered by the rules, but think about your reputation
Appendix
APPENDIX
Ms. Carol V. Clark Member 2019
Mr. Harold T. Daniel, Jr. Member 2019
Ms. Laverne Lewis Gaskins Member 2021
Ms. Allegra J. Lawrence Member 2019
Mr. C. James McCallar, Jr. Member 2021
Mrs. Jennifer Campbell Mock Member 2020
Mr. Brian DeVoe Rogers Member 2019
Mr. Kenneth L. Shigley Member 2020
Mr. A. James Elliott Emory University 2019
Mr. Buddy M. Mears John Marshall 2019
Daisy Hurst Floyd Mercer University 2019
Mr. Cassady Vaughn Brewer Georgia State University 2019
Ms. Carol Ellis Morgan University of Georgia 2019
Hon. John J. Ellington Liaison 2019
Mr. Jeffrey Reese Davis Staff Liaison 2019
Ms. Tangela Sarita King Staff Liaison 2019
ICLE BOARD
Name Position Term Expires
Member 2019
Member 2019
Member 2018
Member 2019
Member 2018
Member 2020
Member 2018
Member 2020
2019
2019
2019
2019
2018
Carol V. Clark
Harold T. Daniel, Jr.
Laverne Lewis Gaskins
Allegra J. Lawrence
C. James McCallar, Jr.
Jennifer Campbell Mock
Patrick T. O'Connor
Kenneth L. Shigley
A. James Elliott
Buddy M. Mears
Dean Daisy Hurst Floyd
Carol Ellis Morgan
Hon. Harold David Melton
Jeffrey Reese Davis
Tangela Sarita King
2018
Appendix1 of 2
Emory University
John Marshall
Mercer University
University of Georgia
Liaison
Staff Liaison
Staff Liaison 2018
Cassady Vaughn Brewer Member 2019
Appendix2 of 2
GEORGIA MANDATORY CLE FACT SHEET
Every “active” attorney in Georgia must attend 12 “approved” CLE hours of instruction annually, with one of the CLE hours being in the area of legal ethics and one of the CLE hours being in the area of professionalism. Furthermore, any attorney who appears as sole or lead counsel in the Superior or State Courts of Georgia in any contested civil case or in the trial of a criminal case in 1990 or in any subsequent calendar year, must complete for such year a minimum of three hours of continuing legal education activity in the area of trial practice. These trial practice hours are included in, and not in addition to, the 12 hour requirement. ICLE is an “accredited” provider of “approved” CLE instruction.
Excess creditable CLE hours (i.e., over 12) earned in one CY may be carried over into the next succeeding CY. Excess ethics and professionalism credits may be carried over for two years. Excess trial practice hours may be carried over for one year.
A portion of your ICLE name tag is your ATTENDANCE CONFIRMATION which indicates the program name, date, amount paid, CLE hours (including ethics, professionalism and trial practice, if any) and should be retained for your personal CLE and tax records. DO NOT SEND THIS CARD TO THE COMMISSION!
ICLE will electronically transmit computerized CLE attendance records directly into the Offi cial State Bar Membership computer records for recording on the attendee’s Bar record. Attendees at ICLE programs need do nothing more as their attendance will be recorded in their Bar record.
Should you need CLE credit in a state other than Georgia, please inquire as to the procedure at the registration desk. ICLE does not guarantee credit in any state other than Georgia.
If you have any questions concerning attendance credit at ICLE seminars, please call: 678-529-6688
BANKING LAW93 of 88
Follow ICLE on social media:
http://www.facebook.com/iclega
bit.ly/ICLELinkedIn
#iclega
INSTITUTE OF CONTINUING LEGAL EDUCATION
Recommended