Compliance Corner - July 10, 2013
Compiled by John Atkinson, Tom Giltrow, and Nina Miller, members of Protiviti’s global financial services and regulatory risk consulting practice. FSA Times’ Compliance Corner is a resource for financial services auditors to keep up to date on changing regulations and requirements affecting internal audit.
FTC Amendments to COPPA Rule
After a two-year study of the provisions established in the Children’s Online Privacy Protection Act (COPPA) rule, the Federal Trade Commission (FTC) introduced in December 2012 significant expansions to the applicability of the regulation that become effective July 1, 2013. Since the FTC’s COPPA rule was issued in 1998, the landscape has been marked by rapidly evolving changes to the collection, use, and protection of consumer information with the increased use of social networks and smartphone and tablet applications. To modernize the protections initially afforded by the regulation, the revised provisions include, but are not limited to:
- Broadening of the definition of children’s personal information to include new types of identifying information such as usernames, Internet protocol addresses, geographical locations, photos, videos, and audio files.
- Extension of regulatory coverage to, and in certain instances operator liability for, the collection of information by third parties through an operator’s website or online service (e.g., online advertisers and website plug-ins).
- Development of “reasonable” procedures to maintain the confidentiality and security of information collected from children.
Internal auditors should validate that their financial institutions’ information collection practices, related procedures, and privacy policies appropriately address the revised COPPA requirements, including a review of data collection practices of tablet and smartphone applications and the data collection practices of third parties contracted by the institution.
Third-party Payment Processors
Enforcement actions, financial penalties, lawsuits, and reputation-damaging headlines continue to demonstrate the risks to financial institutions of having third-party payment processors as customers without also having the necessary risk management processes in place.
Third-party payment processors provide payment processing services to merchants and other business entities, typically initiating transactions on behalf of merchant clients that do not have a direct relationship with the financial institution. These payments include credit card payments, Automated Clearing House (ACH) debits, and creating and depositing remotely created checks or demand drafts.
The risks from third-party payment processors arise from their merchant customers who engage in consumer fraud or potentially illegal activities. Federal regulatory agencies have issued detailed guidance on several occasions outlining their expectations that financial institutions implement robust controls to manage this risk through:
- Rigorous due diligence that covers the underlying merchant base, prior bank references, beneficial owners and their backgrounds, consumer complaints or lawsuits, and site visits.
- Contractual agreements that provide timely access to necessary information and also protect financial institutions by providing for immediate account closure, contract termination, or similar action.
- Monitoring of rates of return of debit items due to unauthorized transactions.
- Establishing adequate reserve requirements to cover anticipated chargebacks.
- Monitoring consumer complaints, including those lodged with consumer advocacy groups, online complaint websites or blogs, and governmental entities such as the FTC and state attorneys general.
Internal auditors should review their financial institutions’ due diligence and oversight of third-party payment processors to validate that appropriate controls exist to prevent and detect potential fraud or illegal activities.
Deposit Advance Product Regulatory Guidance
On April 22, 2013, the Office of the Comptroller of the Currency (OCC) and Federal Deposit Insurance Corporation (FDIC) proposed guidance on deposit advance products that addresses how such products should be managed by financial institutions to mitigate potential legal, reputational, consumer protection, compliance, and credit risks. A deposit advance product is a small-dollar, short-term loan that a depository institution (bank) makes available to a customer whose deposit account reflects recurring direct deposits. Concerned that such products involve high fees, are not underwritten using traditional banking practices to determine the customer’s ability to repay the loan and meet other necessary financial obligations, and are repeatedly used (“churned”) by customers, the agencies suggest that banks:
- Review a borrower’s repayment capacity to assess whether the borrower will be able to repay the loan without needing to incur further deposit advance loans.
- Monitor repeated or extended use of these products by their customers, and require cooling-off periods between extensions of credit.
- Maintain appropriate eligibility and underwriting criteria (consistent with other lending products).
- Require the board of directors to approve policies regarding the underwriting of these products.
- Implement effective compliance management systems, processes, and procedures to appropriately mitigate risks.
- Provide adequate management oversight over deposit advance products to minimize exposure to significant financial loss, reputation damage, and supervisory action.
- Categorize such loan products appropriately for evaluation of the adequacy of capital and allowances for loan and lease losses.
Internal auditors should evaluate their institutions’ deposit advance product offerings against the proposed guidance and the effectiveness of their institutions’ internal controls to address and mitigate the risks highlighted in the regulatory guidance.