Financial

Question 1

Define:

Fair Credit Reporting Act

Answer 1

• enacted in 1970 to regulate consumer reporting industry and provide privacy rights in consumer reports
• mandates accurate and relevant data collection, provides consumers with ability to access and correct their info, and limits the use of consumer reports to defined permissible purposes

Question 2

What entities does the FCRA regulate?

Answer 2

• any consumer reporting agency (CRA) that furnishes a consumer report
• users of consumer reports: lenders, insurers, employers and others that use consumer reports
• furnishers: lenders, retailers and others that furnish credit history or other personal information to the CRAs
• companies that extend credit to consumers must implement Red Flags Rule program to detect and deter identity theft

Question 3

Define:

consumer reporting agency

FCRA

Answer 3

any person or entity that compiles or evaluates personal information for the purpose of furnishing consumer reports to third parties for a fee

Question 4

Define:

consumer report

Answer 4

any witten, oral, or other communication of any information by a CRA related to an individual that pertains to the person’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics or mode of living which is used in whole or in part for the purpose of serving as a factor in establishing a consumer’s eligibility for credit, insurance, employment or other business purpose

Question 5

What are the three main requirements under the FCRA?

Answer 5

• CRAs must provide consumers access to the information contained in their consumer reports as well as the opportunity to dispute any inaccurate information
• CRAs must take reasonable steps to ensure the maximum possible accuracy of information in the consumer report
• CRAs must not report negative information that is outdated

Question 6

What information is “outdated” under the FCRA?

Answer 6

typically account data > 7yo or bankruptcies > 10yo

Question 7

What are the two main types of requirements for users under the FCRA?

Answer 7

1. requirements to obtain credit report from CRA
2. notice requirements on user after user makes a negative decision (adverse action), based at least in part on consumer information covered by the FCRA, which can be obtained from a CRA, third party or affiliate

Question 8

What are the requirements to obtain a credit report from a CRA under the FCRA?

Answer 8

• user must have permissible purpose for obtaining a consumer’s credit report
• user must provide certifications where they certify the purpose and that the report won’t be used for any other purpose

Question 9

What are “permissible purposes” under the FCRA for a user to obtain a recredit report?

Answer 9

such purposes include obtaining reports:
* as instructed by consumer in writing
* for extension of credit as a result of an application from a consumer, or the review or collection of a consumer’s account
* for employment purposes where consumer has given written permission
* for underwriting of insurance as result of application from consumer
when there is a legitimate business need, in connection with a business transaction that is initiated by the consumer
* to review a consumer’s account to determine whether the consumer continues to meet the terms of the account
* to determine a consumer’s eligibility for a license or other benefit granted by a governmental instrumentality required by law to consider an applicant’s financial responsibility or status
* for use by a potential investor or servicer, or current insurer, in a valuation or assessment of the credit or prepayment risks associated with an existing credit obligation
* for use by state and local officials in connection with determination of child support payments
* in response to court order or subpoena
* creditors or insurers may obtain certain consumer report info for purpose of making “prescreened” unsolicited offers of credit or insurance

Question 10

Define:

adverse action

under FCRA

Answer 10

includes all business, credit and employment actions affecting consumers that can be considered to have a negative impact

Question 11

What are three types of “adverse actions”?

under FCRA

Answer 11

• adverse actions based on info obtained from CRA
• adverse actions based on info obtained from 3Ps that are not consumer reporting agencies
• adverse actions based on info obtained from affiliates

Question 12

What is a user required to do if taking an adverse action based on info obtained from a CRA?

under FCRA

Answer 12

must notify the consumer in writing, orally or by electronic means, and contain following elements:
* name, address and phone # of CRA that provided report
* statement that CRA did not make the adverse decision and can’t explain why decision was made
* statement setting forth consumer’s right to obtain a free disclosure of the consumer’s file from the CRA if the consumer makes a request within 60 days
* statement setting forth the consumer’s right to dispute directly with the CRA the accuracy or completeness of any information provided by the CRA

Question 13

What is a user required to do if taking an adverse action based on info obtained from 3Ps that are not CRAs?

under FCRA

Answer 13

if info is covered by the FCRA, user required to clearly and accurately disclose to the consumer their right to be informed of the nature of the information that was relied upon if the consumer makes a written request within 60 days of notification

• user must then respond within reasonable period of time

Question 14

What is a user required to do if taking an adverse action based on info obtained from affiliates?

Answer 14

if info is covered by the FCRA and info obtained from an entity affiliated with the user of the information by common control or ownership, user required to clearly and accurately disclose to the consumer their right to be informed of the nature of the information that was relied upon if the consumer makes a written request within 60 days of notification

• user must then respond within 30 days after receiving request

Question 16

What are the main requirements for a furnisher under FCRA (Furnisher Rule)?

Answer 16

• must provide accurate info
• must correct and update info by notifying CRA
• must provide notice of dispute to CRA
• must respond to a RA report related to information resulting from identity theft info

Question 17

What activities require special disclosure under the FCRA?

Answer 17

1. risk-based pricing (using creditworthiness to determine a borrower’s interest rate)
2. use of creditworthiness for employment purposes

Question 18

Define:

Risk-Based Pricing Rule

under FCRA

Answer 18

• requires those offering credit to notify customers if they are receiving less favorable terms because of their credit report
• requires disclosure by all persons who use credit scores in making or arranging loans secured by residential real property to provide credit scores and other information about credit scores to applicants
• if a consumer report is used by an individual or organization in connection with an application for credit or a grant, extension or provision of credit to a consumer on terms less favorable than what is available to a substantial proportion of consumers acquiring loans from or through that person → person offering credit must provide a risk-based pricing notice to the consumer in accordance with regulations jointly prescribed by the Consumer Finance Protection Bureau (CFPB) and Federal Reserve Board

Question 19

What requirements apply if an organization intends to use consumer report information for employment purposes?

Answer 19

• make clear and conspicuous written notification to the consumer before the report is obtained, in a document that consists solely of the disclosure that a consumer report may be obtained by the employer
• obtain prior written consumer authorization in order to obtain a consumer report
• authorization to access reports during term of employment may be obtained at time of employment
• certify to CRA that above steps have been followed, that info being obtained won’t be used in violation of any federal or state equal opportunity law or regulation, and that, if any adverse action is to be taken based on the consumer report, a copy of the report and a summary of the consumer’s rights will be provided to the consumer
• before taking an adverse action, provide a copy of the report + summary of consumer’s rights (from CRA) to the consumer
• adverse action notice should be provided after adverse action taken

Question 20

What types of investigations does the FCRA provide special procedures for, and what are the requirements?

Answer 20

investigations of suspected misconduct by an employee for:
1. compliance with federal, state or local laws or rules of a self-regulatory organization or
2. compliance with written policies of the employer

Employer must:
1. comply with procedures set forth in the act
2. not use any credit information
3. provide a summary describing the nature and scope of the inquiry to the employee if adverse action is taken based on the investigation

Question 21

Define:

investigative consumer reports

under FCRA

Answer 21

• contain information about a consumer’s character, general reputation, personal characteristics, and mode of living
• info obtained through personal interviews by entity or person that is a CRA

Question 22

What is the requirement for investigative consumer reports under the FCRA?

Answer 22

if a user intends to obtain an investigative consumer report, FCRA requires the user of the report disclose its use to the consumer and the disclosure is subject to following requirements:
* consumer must be informed that an investigative consumer report may be obtained
* disclosure must be made in writing and must be mailed/otherwise delivered to consumer sometime before report is obtained, but no later than five days after the date on which the report was first requested
* disclosure must include statement informing consumer of their right to request additional disclosures of the nature and scope of the investigation, and the summary of consumer rights required by the FCRA
* user must certify to CRA that required disclosures made and user will make necessary disclosure to the consumer
* upon written request of consumer made w/in reasonable period of time after required disclosures, user must make complete disclosure of nature and scope of investigation
* nature and scope disclosure must be made in written statement that is mailed/delivered to consumer no later than 5 days after the later of (i) date on which request was received from consumer and (ii) date on which report was first requested

Question 23

What limits does the FRCA place on use of medical information obtained from CRAs?

Answer 23

consumer must provide consent if:
* medical info is to be used for an insurance transaction
* if report to be used for employment purposes or in connection with a credit transaction (and medical info must be relevant)

Question 24

Define:

prescreening

under FCRA

Answer 24

creditors and insurers obtaining limited consumer report information for use in connection with firm unsolicited offers of credit or insurance

Question 25

What are the requirements under the FCRA for a user that intends to use prescreened lists?

Answer 25

• before offer is made, establish the criteria that will be relied upon to make the offer and grant credit or insurance
• maintains such criteria on file for 3-year period from date of offer to each consumer
• include with each written solicitation a clear and conspicuous statement that states:
  1. info contained in a consumer’s CRA file was used in connection with the transaction
  2. consumer received the offer because they satisfied criteria for creditworthiness or insurability used to screen for the offer
  3. credit or insurance may not be extended if, after the consumer responds, it is determined that the consumer does not meet the criteria used for screening or any applicable criteria bearing on creditworthiness or insurability, or the consumer does not furnish required collateral
  4. consumer may prohibit the use of info in their file in connection with future prescreened offers of credit or insurance by contacting the notification system established by the CRA that provided the report (+ address and phone # of appropriate notification system)
  5. easy-to-understand language explaining that consumer can opt out of receiving such offers

Question 26

How can the FCRA be enforced?

Answer 26

• dispute resolution
• private right of action
• government actions

Question 27

How does dispute resolution under the FCRA work?

Answer 27

consumer can fill a request with the CRA to dispute the accuracy of information and then require the CRA to investigate the consumer’s complaint

Question 28

How does the private right of action under the FCRA work?

Answer 28

• civil penalties: actual damages + statutory damages of $1k per violation, a max penalty of $4705 per willful violation
• criminal penalties: officer or employer of CRA who, both knowingly and willingly, provides info concerning an individual from the company’s files to someone who isn’t authorized to receive that info can face criminal penalties and imprisonment

Question 29

Who can bring government actions under FCRA?

Answer 29

• can be brought by FTC, CFPB and state AG
• state AGs have had concurrent enforcement authority but are generally required to give notice to FTC prior to filing suit and the FTC retains authority to intervene

Question 30

Define:

Fair and Accurate Credit Transactions Act

Answer 30

FACTA (2003) amended FCRA → stricter state laws preempted in most areas, although states retain some powers to enact laws addressing identity theft

Question 31

What consumer protections did FACTA enact?

Answer 31

• required truncation of credit and debit card numbers
• gave consumers new rights to explanation of their credit scores
• gave individuals right to request a free annual credit report from each of three national consumer credit agencies, Equifax, Experian and Transunion
• added identity theft protections and required regulators to promulgate a Disposal Rule and Red Flags Rule

Question 32

Define:

Disposal Rule

under FACTA

Answer 32

requires any individual or entity that uses a consumer report (or info derived from one) for a business purpose to dispose of that consumer info in a way that prevents unauthorized access and misuse of the data
* standard = practices “reasonable” to protect against unauthorized access and misuse of the data

Question 33

Define:

disposal

under FACTA

Answer 33

any discarding, abandonment, donation, sale or transfer of information

Question 34

Who has enforcement power over the Disposal Rule?

under FACTA

Answer 34

enforced by FTC, federal banking regulators and CFPB

Question 35

Define:

Red Flags Rule

under FACTA

Answer 35

requires agencies that regulate financial institutions and creditors to develop and implement written identity theft detection programs that can identify and respond to the “red flags” that signal identity theft

Question 36

Who has rulemaking and enforcement authority over the Red Flags Rule?

under FACTA

Answer 36

CFPB

Question 37

Define:

Red Flag Clarification Act of 2010

Answer 37

• passed in response to concern that definition of creditor extended to implicate unintended entities, such as attorneys and health providers, simply because they allow customers to pay their bills after the time of service
• eliminates entities that extend credit only “for expenses incidental to a service”

Question 38

What types of entities does the Red Flags Rule apply to?

Answer 38

entities that, regularly and in the course of business:
* obtain or use consumer reports in connection with a credit transaction
* furnish information to consumer reporting agencies in connection with a credit transaction
* advance funds to or on behalf of someone, except for expenses incidental to a service provided by the creditor to that person

Question 39

Red Flags Rule also authorized reulgations that apply the rule to…

under FACTA

Answer 39

businesses with accounts that should be “subject to a reasonably foreseeable risk of identity theft”

Question 40

What are the requirements for an identity theft protection program under the Red Flags Rule?

under FACTA

Answer 40

program should generally identify relevant patterns, practices and specific forms of activity that are red flags of possible identity theft, incorporate these flags into the program, and update the program regularly to reflect changes in risks

Question 41

Define:

Gramm-Leach-Bliley Act

Answer 41

reflect and codified consolidation of the U.S. banking, securities and insurance industries in the late 1990s

Question 42

Define:

Electronic Signatures in Global and National Commerce Act “E-Sign Act”

Answer 42

permitted customers to opt in to online banking (2000)

Question 43

Who does GLBA apply to?

Answer 43

financial institutions: defined broadly as any U.S. company that is “significantly engaged” in financial activities (including banks, insurance providers, securities firms, payment settlement services, check-cashing services, credit counselors, and mortgage lenders)

Question 44

What does the GLBA regulate?

Answer 44

financial institution management of nonpublic personal information: personally identifiable financial information (i) provided by a consumer to a financial relationship, (ii) resulting from a transaction or service performed for the consumer, or (iii) otherwise obtained by the financial institution

Question 45

What does the GLBA require?

Answer 45

financial institutions to protect consumers’ nonpublic personal information under privacy rules that were promulgated originally by the FTC and financial institution (FI) regulators

Question 46

Define:

consumer

under GLBA

Answer 46

individuals who obtain financial products or services from a financial institution to be used primarily for personal, family or household purposes

Question 47

Who has rulemaking power under the GLBA?

Answer 47

in 2011, with passage of Dodd-Frank Act, CFPB assumed this rulemaking power, with exceptions for the SEC and Commodity Future Trading Commission (CFTC)

Question 48

What are the penalties under GLBA?

Answer 48

• financial institutions can face civil penalties of up to $100k per violation and owners/directors of financial institutions can face personal liability of up to $10k per violation
• banking and related financial institutions that fail to comply with GLBA requirements can also be subject to substantial penalties under the Financial Institutions Reform, Recovery, and Enforcement Act (FIRREA)

Question 49

Does GLBA preempt state laws?

Answer 49

state AGs can enforce GLBA and stricter state laws are NOT preempted under GLBA

Question 50

Is there a private right of action under the GLBA?

Answer 50

no

Question 51

What are the major components of the GLBA Privacy Rule?

Answer 51

financial institutions must:
* prepare and provide to customers clear and conspicuous notice of the financial institution’s information-sharing policies and practices when a customer relationship is established and annually thereafter
* clearly provide customers right to opt out of having their nonpublic personal information shared with nonaffiliated third parties (subject to significant exceptions)
* refrain from disclosing to any nonaffiliated third-party marketer, other than a consumer reporting agency, an account number or similar form of access code to a consumer’s credit card, deposit or transaction account
* comply with regulatory standards established by certain government authorities to protect the security and confidentiality of customer records and information, and protect against security threats and unauthorized access to or certain uses of such records or information

Question 52

What should the privacy notice contain?

under GLBA

Answer 52

• what info the financial institution collects about its consumers and customers
• with whom it shares nonpublic personal information
• how it protects or safeguards such information
• an explanation of how a consumer may opt out of having their info shared through a reasonable opt-out process

Question 53

Who can financial institutions share nonpublic peresonal information with?

Answer 53

if it meets the notice standard, with ffiliated companies and joint marketing partners: other financial institutions with whom the entity jointly markets a financial product or service

Question 54

Financial institutions are prohibited from disclosing, even if they give consumers the right to opt out…

under GLBA

Answer 54

disclosing consumer account numbers to nonaffiliated companies for purposes of telemarketing and direct mail marketing

Question 55

Consumer cannot opt out of sharing of their information with nonaffiliated third parties by a financial institution if…

under GLBA

Answer 55

• financial institution shares info with outside companies that provide essential services like data processing or servicing accounts
• disclosure is legally required
• financial institution shares customer data with outside service providers that market the financial company’s products or services

Question 56

Define:

GLBA Safeguards Rule

Answer 56

• effective in 2003 and updated by FTC in 2021
• requires financial institutions to develop and implement a comprehensive information security program: program that contains administrative, technical and physical safeguards to protect the security, confidentiality and integrity of customer information

Question 57

What are the three levels of security for consumer information?

under GLBA

Answer 57

• administrative security which includes program definition, management of workforce risks, employee training, vendor oversight
• technical security which covers computer systems, networks and applications in addition to access controls and encryption
• physical security which includes facilities, environmental safeguards, business continuity and disaster recovery

Question 58

Safeguards must be…

under GLBA

Answer 58

reasonably designed to:
1. ensure the security and confidentiality of customer information
2. protect against any anticipated threats or hazards to the security or integrity of the information and
3. protect against unauthorized access to or use of the information that could result in substantial harm or inconvenience to any customer

Question 59

What basic elements must the information security program contain?

under GLBA

Answer 59

• designate employee to coordinate safeguards
• ID and make a written assessment of the risks to customer information in each relevant area of the company’s operation and evaluate the effectiveness of the current safeguards for controlling those risks
• design and implement safeguard program and regularly monitor and test it
• select appropriate service providers and enter into agreements with them to implement safeguards
• evaluate and adjust the program in light of relevant circumstances, including changes in business arrangements or operations, or results of testing and monitoring of safeguards

Question 60

Define:

California Financial Information Privacy Act (CFIPA)

Answer 60

expands financial privacy protections under GLBA by increasing disclosure requirements of financial institutions and granting consumers increased rights w.r.t. sharing of information
* written opt-in consent required for a financial institution to share personal information with nonaffiliated third parties
* consumers can opt out of information sharing between their financial institutions and affiliates not in the same line of business

Question 61

Define

NY regulations on financial privacy and security

Answer 61

• impose cybersecurity mandates on all covered financial institutions in line with NIST Cybersecurity Framework
• definition of nonpublic information broader than GLBA
• has key requirements not in GLBA on personnel, reporting obligations, documentation obligations and third-party service providers

Question 62

Define

CFPB

Answer 62

independent bureau within the Federal Reserve that oversees relationship between consumers and providers of financial products and services

Question 63

What does CFPB have authority over?

Answer 63

• holds broad authority to examine, write regulations and bring enforcement actions concerning businesses that provide financial products or services, including service providers
• has assumed rulemaking authority for specific laws such as FCRA, GLBA and Electroni Fund Transfer Act Reg E
• has enforcement authority over all nondepository financial institutions and all depository financial institutions with more than $10 billion in assets
• for depository institutions with assets of $10b or less, CFPB promulgates rules but banking regulators retain enforcement power
• can also bring enforcement actions for unfairness and deception + power to enforce against “abusive acts and practices”

Question 64

Define

abusive act or practice

CFPB

Answer 64

abusive act or practice (1) materially interferes with the ability of a consumer to understand a term or condition of a consumer financial product or service or (2) takes unreasonable advantage of
* a lack of understanding on the part of the consumer of the material risks, costs or conditions of the product or service;
* the inability of the consumer to protect its interests in selecting or using a consumer financial product or service; or
* the reasonable reliance by the consumer on a covered person to act in the interests of the consumer

Question 65

What does CFPB enforcement authority entail?

Answer 65

ability to conduct investigations and issue subpoenas, hold hearings and commence civil actions against offenders

Question 66

What are the penalties CFPB can lay?

Answer 66

civil penalties vary from $6813/day for federal consumer privacy law violations to $34,065 per day for reckless violations to $1.3 for knowing violations

Question 68

Define:

Electronic Fund Transfer Act (EFTA) (1978)

Answer 68

enacted to establish rights of consumers as well as responsibilities of companies involved in electronic fund transferred

Question 69

Define:

electronic fund transfer (EFT)

Answer 69

any transfer of funds that is initiated through an electronic terminal, telephone, computer or magnetic tape for the purpose of ordering, instructing or authorizing a financial institution to debit or credit a consumer’s account (including person-to-person payments like Zelle and Venmo)

Question 70

Define

financial institution

under Electronic Fund Transfer Act

Answer 70

• banks, savings associations, credit unions
• any person that directly or indirectly holds an account belong to a consume
• any person that issues an access device and agrees with a consumer to provide EFT services

Question 71

What is the goal of anti-money-laundering laws?

Answer 71

to “follow the money” to help detect and deter illegal activity and provide evidence for proving illegality

Question 72

Define

Bank Secrecy Act / Currency and Foreign Transaction Reporting Act of 1970

Answer 72

authorized the U.S. treasury secretary to issue regulations that impose extensive recordkeeping and reporting requirements on financial institutions to keep records and file reports on certain financial transactions which may be relevant to criminal, tax or regulatory proceedings

Question 73

Define:

financial institutions

under Bank Secrecy Act

Answer 73

banks, securities brokers and dealers, money services businesses (including financial institutions handling cryptocurrencies), telegraph companies, casinos, card clubs and other entities subject to supervision by any state or federal bank supervisory authority

Question 74

What kind of transactions does the BSA regulate?

Answer 74

• currency transactions (wire transfers, direct deposits)
• transportation of monetary instruments (traveler’s checks, money orders, etc.)
• purchase of currency-like instruments (like CDs)
• extensions of credit in excess of $10k (excluding credit secured by real property)

Question 75

When does a financial institution need to file a suspicoius activity report?

under Bank Secrecy Act

Answer 75

• financial institution suspects that an insider is committing a crime, regardless of $ amount
• when entity detects possible crime involving $5k or more and has substantial basis for identifying a suspect
• when entity detects possible crime involving $25k or more even if no substantial basis for identifying a suspect
• when entity suspects currency transactions aggregating $5k or more that involve potential money laundering or a violation of the act

Question 76

What are the penalties under the Bank Secrecy Act?

Answer 76

civil penalties include:
* fines up to greater of $25k or amount of transactions up to $100k max
* penalties for negligence ($500/violation)
* additional penalties up to $5k/day for failure to comply with regulations
* penalties of up to $25k per day for failure to comply with information-sharing requirements of PATRIOT Act
* penalties up to $1m against financial institutions that fail to comply with due diligence requirements

criminal penalties include up to $100k fine and/or one-year imprisonment and up to a $10,000 fine and/or five-year imprisonment

Question 77

Define:

The International Money-Laundering Abatement and Anti-Terrorist Financing Act of 2001

Answer 77

• part of PATRIOT Act and expanded reach of BSA, including new reporting and recordkeeping requirements for different industries (e.g., broker-dealers) and currency transactions
• gave U.S. treasury secretary ability to promulgate broad rules to implement Know Your Customer (KYC) requirements and to otherwise deter money laundering

Question 78

Define:

Foreign Act Tax Compliance Act of 2010

Answer 78

targets non compliance with U.S. tax laws for U.S. taxpayers with foreign accounts

Question 79

Define:

Anti-Money Laundering Act of 2020 (AML ACT)

Answer 79

expanded key definitions to explicitly include virtual currencies in scope of BSA, updated whistleblower incentives and protections, and extended subpoena authority for foreign banks with U.S. correspondent accounts