
FINANCIAL SERVICES

GLBA Compliance Alert for Bankers

August 2, 2001

By Susan N. LeDuc and W. John Funk*
Prepared as an informational bulletin for the
New Hampshire Bankers Association

Gallagher, Callahan & Gartrell, P.A. would like to raise the awareness among bank members of the following legal and regulatory issues that arise from the Federal Gramm-Leach-Bliley Act ("GLB") and the various privacy regulations that have come to our attention. If you have any questions about these issues, please contact John Funk, Susan Hollinger, or Susan LeDuc.

Credit Score Ranges and Indirect Auto Dealers

Several banks, in the course of providing indirect loan buy-rates to auto dealers, are providing credit score ranges and their corresponding buy-rate. Once a consumer is approved for a loan, the bank provides to the auto dealership the buy-rate that the bank will offer for that loan. The auto dealer could go back to the rate sheet and determine that borrower's credit score range.

The Fair Credit Reporting Act does not permit the sharing of non-transaction or non-experience information unless the bank is a consumer reporting agency. A credit score or credit score range is not based on the bank's own experience or transactions with the consumer, and therefore cannot be shared with a nonaffiliated third party. Most banks do not want to comply with the requirements for consumer reporting agencies.

We recommend that banks no longer provide credit score ranges as an indicator of a specific buy-rate to the auto dealers. Instead, we recommend that banks provide a range of buy-rates only.

Data Security and Contracts

Please be aware that the new data security regulation, among other elements, requires that data security be addressed in a bank's contract with any service provider that has access to customer information. The bank must (a) exercise due diligence in selecting service providers who have implemented appropriate administrative, technical and physical safeguards to protect the confidentiality of customer information, (b) determine what information is provided, (c) have a contract with each service provider that requires the service provider to implement appropriate measures to protect data security and (d) as needed, institute a monitoring program to determine compliance. This requirement is not limited to GLB §13 vendors, but applies to all vendors, including affiliates.

Contracts entered into before March 5, 2001 are grandfathered until July 1, 2003. However, contracts entered into on March 5, 2001 or later are expected to comply with this requirement by July 1, 2001. We recommend that banks review their contracts and ensure their compliance with this requirement as soon as possible.

Data Security and Background Checks

The data security regulations suggest that banks should evaluate current and potential employees to determine if they constitute a data security risk.

A number of banks have contacted us regarding applicant/employee background checks. While they currently run a credit report and a criminal background check on job applicants (with proper authorization of course), they are unclear as to standards for utilization of these reports and whether they should also run such checks on an annual basis on current employees. It is a very risky practice for an employer to run background checks with no standards for their use. Such a practice poses risk of claims of discrimination by applicants who are not hired on the basis of a check, and by third parties for liability if an applicant causes harm that was arguably foreseeable from a relevant bad record. Getting these reports, and having no standard for their use, is akin to reviewing a loan applicant's credit report without any standards on which the bank will approve or deny the credit request.

We are currently defending a claim brought against an employer resulting from denial of employment based on a negative credit report. The individual is asserting that her poor credit history, which was the basis for denying her employment, is the result of a recent divorce, and that a policy of refusing to employ persons with poor credit post-divorce has a disparate impact on females. Defense of this claim rests on proof that the employer's rule denying employment to anyone with a bad credit rating does not have a discriminatory effect on any class of individuals protected by state or federal law (race, color, sex, religion, national origin, sexual orientation, disability or veteran status), and/or is justified on the basis of business necessity.

Case law in this area is clear that the business necessity defense must be shown on a job-by-job basis. In other words, while we may be able to show that the job responsibilities of a teller in a bank are such that employing someone in such a position with a bad credit history or a criminal conviction for theft would pose a security risk to the bank and its customers, that may not be true for all positions in a bank. Furthermore, the business necessity at issue must be shown by actual evidence rather than stereotypical beliefs. In other words, factual evidence that a negative credit report is likely to lead to a crime such as theft would need to be shown in order to prevail in this defense.

Risk Management and Outsourcing of Technological Services

On November 28, 2000 the Federal Financial Institutions Examination Council (FFIEC) issued guidance on financial institutions' management of the risks arising from technology services supplied by outside firms. Boards of directors and senior management are expected to oversee and manage outsourcing relationships.

First, the bank must understand the risks associated with outsourcing arrangements for technology services and ensure that effective risk management practices are in place. To accomplish this, the bank should assess how the outsourcing arrangement will support its objectives and strategic plans and how service provider relationships will be managed. Risks to be considered include threats to security, availability and integrity of systems and resources, confidentiality of information and regulatory compliance. The nature of services provided, such as bill payment, funds transfer or electronic services, may result in providers performing transactions on behalf of the bank, such as collection or disbursement of funds, that can increase levels of credit, liquidity, transaction and reputation risks. Special consideration should be given to risk management controls when services involve use of the Internet.

Second, once the risk assessment is completed, the bank should evaluate service providers to determine their ability, both operationally and financially, to meet the bank's needs.

Third, contracts with service providers should take into account business requirements and key risk factors identified during the risk assessment and due diligence phases. Legal counsel should review contracts prior to execution.

Fourth, the bank should implement an oversight program to monitor each service provider's controls, condition and performance.

*W. John Funk is admitted in New Hampshire and Massachusetts.

You may contact Susan LeDuc or John Funk at 603-228-1181.
