Posted on December 11, 2009 by Joseph I. Rosenbaum

H.R. 4173 = CFPA = Amend FTC Act. Why Should You Care?

Today, the U.S. House of Representatives is scheduled to vote (and likely pass) H.R. 4173. H.R. 4173, entitled the Wall Street Reform and Consumer Protection Act of 2009, but commonly referred to as the CFPA (Consumer Financial Protection Act), has been blogged about on Legal Bytes before (see Congressional Hammer Poised to Strike at Financial Advertising). The provisions to which advertisers might wish to pay particular attention are those that would amend the Federal Trade Commission Act.

Rather than summarizing industry concerns over this legislation, I’ve posted a copy of the Industry Letter, signed and sent to members of Congress on behalf of at least these twenty two (22) U.S. associations and coalitions: American Advertising Federation, American Association of Advertising Agencies, American Escrow Association, American Financial Services Association, American Herbal Products Association, Association of National Advertisers, Consumer Data Industry Association, Consumer Electronics Association, Direct Marketing Association, Direct Selling Association, Electronic Retailing Association, Financial Services Institute, Inc., Financial Services Roundtable, Interactive Advertising Bureau, International Franchise Association, Internet Commerce Coalition, National Association of Manufacturers, National Association of Professional Background Screeners, National Business Coalition on E-Commerce and Privacy, National Retail Federation, Natural Products Association, U.S. Chamber of Commerce.

If you need more information, or if you believe you should have a voice in this process and don’t already have one, Reed Smith is here to help. You can contact me (Joseph I. Rosenbaum) or, of course, any Reed Smith attorney with whom you regularly work.

Tags: , , , , ,
Posted on November 20, 2009 by Joseph I. Rosenbaum

Joe Rosenbaum - A Busy Week (Lexblog & American Banker)

Joseph I. ("Joe") Rosenbaum had a busy week. In an interview with the editors of Lexblog, Joe tells Lexblog why blogging on Legal Bytes is both fun and informative. You can read the entire interview on the Lexblog page "Real Lawyers Have Blogs".

Joe was also quoted in an article by Maria Aspan in the American Banker, about the announcement by American Express that it was acquiring Revolution Money - part of Amex' efforts to continue to evolve and provide a broader (and increasingly relevant online and digital) range of payment options for consumers and merchants. If you are interested, feel free to read Maria’s entire story, "Amex Tries to Buy a 'Revolution'".

Tags: , , , , ,
Posted on October 27, 2009 by Joseph I. Rosenbaum

Rosenbaum Quoted in American Banker

Joseph I. (“Joe”) Rosenbaum was recently interviewed by American Banker reporter Maria Aspan in connection with advertising and marketing consumer credit cards, and certain legal implications in brand marketing and advertising, including some of the more subtle viral and social media campaigns. Joe’s quotes appear in an article by Ms. Aspan entitled, "Barclaycard U.S. Taking Baby Steps in the Public Eye".

Tags: , , , , ,
Posted on October 15, 2009 by Joseph I. Rosenbaum

Congressional Hammer Poised to Strike at Financial Advertising

The late Will Rogers, that wonderful American humorist from Oklahoma, once said: "This country has come to feel the same when Congress is in session as when the baby gets hold of a hammer." Presumably, the image conjured up by that remark relates to just how much damage can be done before someone takes the hammer away! Well, in those days, Mr. Rogers lauded then-President Franklin D. Roosevelt for taking the hammer away from Congress before they did too much damage. If the strong response the newest Administration/Congressional initiative has evoked from the banking, advertising and media industries is any indication, one might conclude that President Obama has been providing too many hammers these days. This may be a little longer than my usual blog post, but read on . . . you won’t be disappointed.  

To provide a little context for the consternation, a few months ago, gift cards were inserted (for the first time) into federal legislation, ostensibly targeted at the practices of financial institutions applicable to credit cards. Where previously state legislation reigned supreme, the promotion of gift cards, disclosures regarding dormancy or inactivity fees, expiration dates, among other things, became part of U.S. federal law under the new Credit Card Act of 2009.. The legislation was intended to prevent abuses in the credit card industry and protect consumers, and in that spirit, a section covering gift cards seemed like a nice idea. But when it came to gift cards, it was unclear what problems had arisen that were not already (or couldn't be) dealt with by state law – what was broken that needed to be fixed by federal regulators. Is concentrating regulatory power and discretionary rulemaking in the hands of federal agencies, simply for the sake of control, always a good thing?

So in case you haven’t heard, let’s talk about the newly proposed Consumer Finance Protection Agency (the “CFPA”). The CFPA is part of the Administration’s regulatory reform proposal submitted to Congress a few months ago, intended to provide a new regulatory framework for the financial services industry and, among other things, prevent practices and problems that led to the current crisis in the financial industry. Well, if you are a banker, broker-dealer, insurer or a financial officer, you probably already know the government is considering such major reforms and a restructuring of the current regulatory scheme.

BUT, have the finance folks told the marketing and advertising professionals to start worrying too? Perhaps now would be a good time to do so! In referring to the CFPA, Edward L. Yingling, President of the American Bankers Association, has said, “This agency would have broad powers that go beyond every consumer law that has ever been enacted.” You see, the newly proposed Consumer Financial Protection Agency Act of 2009, now fast-tracking its way through the U.S. House of Representatives, would restructure the Federal Trade Commission and give much of its current responsibility for regulating financial services-related advertising and marketing to a brand new regulatory agency - the newly proposed CFPA. I direct your attention to Subtitle C – Specific Authorities (Sections 131 - 139) of the Act, which would give the new CFPA the authority to review not only consumer lending practices, but also fraud and deceptive advertising, to determine and establish rules governing whether or not marketing practices and advertising are misleading, or if consumer financial products and services are being advertised and marketed fairly to consumers. By the way, the CFPA would also be empowered to interpret and enforce the new Credit Card Act of 2009 noted above. Would it surprise you that the Association of National Advertisers and the U.S. Chamber of Commerce would worry about what a new and potentially confusing and overlapping regulatory scheme, and a completely new regulatory agency, will mean for the advertising, agency and media industries?

If you thought all you had to worry about were things like privacy, behavioral advertising, free speech, blogger liability for claims, ‘Net neutrality, cloud computing, celebrity endorsements and social media - tweet, tweet – think again. Just yesterday, Advertising Age reported that some media industry professionals fear certain aspects of the new legislation will hold media liable for simply running advertisements related to financial services and products that the newly created CFPA believes are misleading. That would effectively push media into the role of de facto censors of advertising content. In other words, it would be a "safer" path (read less legal liability) to simply refuse to accept or run advertising that it determines might be too risky. One section of the proposed bill would empower the CFPA to create standards regarding what is or is not lawful in financial services advertising. Another section could be construed to extend liability to anyone in the chain of development, insertion, creation, displaying or broadcasting an unlawful advertisement. Could that be you?

Want an example? You have a co-branded credit card tied to a loyalty rewards program. You charge, pay the bill and earn points. Those points can be redeemed for television sets, trips to Steamboat Springs, hotel stays or Diamond Club tickets at Yankee Stadium for the World Series (just some wishful predictive thinking here). So credit card issuer A, co-branding partner B, and rewards program merchant participants C and D co-sponsor advertising promoting the use of the card, earning points and the wonderful rewards available. Not too far fetched is it? BUT, if the new CFPA determines these points really aren't "free" and neither are the rewards you "earn," but rather the costs and expenses are implicitly part of the credit card interest rates or annual fees that apply - does that mean everyone, including the media or network that ran the ads, is liable, too? Could be, at least the way the legislation is currently worded. Hmmmm. . . does it feel chilly yet?

Let us not forget that the Administration and Congress have been confronted with a regulatory framework that many would argue did not work and is not aligned with changes that have taken place in the financial services industries for decades. Let us also not discount the fact that with good intentions, both the Administration and Congress are seeking to provide a more effective and sensible regulatory framework for financial institutions and protection for consumers and business. But, much like the Credit Card Act of 2009 and its inclusion of gift cards, this new legislation would appear to go well beyond its intended purpose, in areas that have drawn significant criticism.

By asking "if it’s not broken why fix it," critics argue that it makes no sense to move much of the authority of the FTC, which currently regulates financial services fraud, and unfair, misleading and deceptive advertising practices, to an entirely new agency with even broader powers. On the other hand, supporters, including John Taylor, President of the National Community Reinvestment Coalition, believes that “It’s obvious from the history of the last 20 years that the regulators never understood that protecting consumers is also a way of ensuring the safety and soundness of financial institutions.” Regardless of which viewpoint you subscribe to, in my view, whether the financial regulatory system is broken and needs fixing isn’t even the right question to ask. Instead we should be asking why we should regulate or re-regulate more than is necessary, and invite confrontation. We should ask if Congress seeks to make changes for the sake of change, or are there actual or perceived failings – at the FTC, among financial regulators, or in the enforcement of existing advertising and media regulations - that require new or re-regulation? If you listen to the debate, no less than free speech, freedom of the press, interstate commerce, and states’ rights issues are at stake. At a minimum, it would seem the inclusion of sweeping, and potentially contentious and/or confusing, changes - to the regulators, to the regulatory framework, and to the allocation of legal risk and liability – are a needless distraction from an already complex and difficult challenge: financial regulatory reform. Ignoring these issues may trigger another two laws - Murphy’s Law and the Law of Unintended Consequences.

Need to understand more? Want to have a voice in the process? Need experienced counsel or guidance? Call me, Joseph I. Rosenbaum, or Douglas J. Wood or Leonard A. Bernstein, or the Reed Smith attorney with whom you regularly work.
Tags: , , , , , , ,
Posted on August 20, 2009 by Joseph I. Rosenbaum

Credit Card Act of 2009: Act I, Scene 1

A few months ago, Legal Bytes noted the progress of the Credit Card Act of 2009 (the “Act”), and when it was signed into law, we updated that blog post with a note about the inclusion, for the first time in federal law, of coverage of gift cards.

Today, some of the credit card protections the Act affords consumers go into effect. First, credit card bills must be mailed to the consumer at least 21 days before payment is due. Second, significant changes to the rates or fees that apply to credit cards can’t be implemented unless consumers are given at least 45 days’ notice. In both cases, this represents an elongation of the prior regulations (14 days and 15 days, respectively). 

Provisions of the Act also in effect now prohibit credit card issuers from raising their fees and interest rates without any notice if a credit card account holder fails to make a payment on time or goes over their credit limit. In most cases, such a charge would have required approval from the issuing institution anyway.

Most of the other significant provisions of the Act come into effect next February (e.g., restrictions on increases in interest rates for existing credit card balances), and by July 2010, the Federal Reserve Board is to have crafted and approved new rules covering consumer disclosures (i.e., advertising, application forms, etc.).

If you need to know more about compliance and credit cards—offline or online—contact me (Joseph I. Rosenbaum) or the Reed Smith attorney with whom you regularly work. We are happy to help.

Tags: , , , ,
Posted on June 2, 2009 by Keri S. Bruce

Gift Cards Tag Along with Credit Card Legislation

We previously reported its progress in Legal Bytes and last week, President Obama signed into law the Credit Card Act of 2009. Although the bulk of the Act (and the bulk of the publicity surrounding its enactment and passage) deals with credit cards, it also amends the Electronic Funds Transfer Act and implements federal regulation of general use pre-paid cards, gift certificates and store (retail) gift cards. The new law is scheduled to take effect Aug. 21, 2010, and substantively deals with dormancy fees (so-called “inactivity” or service fees) and expiration dates. 

In the area of dormancy or inactivity fees, the new law prohibits them unless there has been no activity for 12 months. In addition, in order to impose any such fees, certain disclosures must be made to the consumer prior to purchase. The new law also prohibits expiration dates of less than five years, and requires clear and conspicuous disclosure of the expiration date, if any. In addition, gift certificates issued as part of an award, loyalty or promotional program (i.e., no money or other consideration is given) are, as is the case with many state laws, excluded. And speaking of state laws, the Act specifically does not pre-empt state laws that provide greater consumer protection. 

What else should you know. First, plastic cards and payment code devices used solely for telephone services or that are reloadable, are not marketed or labeled as gift cards or certificates, not marketed to the general public, and issued in paper form only (including those that apply to tickets and events), are not covered by the requirements of the new Act.  Second, the law authorizes the Board of Governors of the Federal Reserve, in consultation with the FTC, to develop requirements concerning the amount of dormancy fees that can be charged (only once each month), and to more carefully seek to define which provisions of the Electronic Fund Transfer Act and Regulation E apply in this context. 

So, for states that have had no, or lesser, consumer protections, the Act clearly establishes a minimum federal threshold for the imposition of dormancy fees and the prohibition of expiration dates earlier than five years. For states that already have or may yet impose more stringent requirements, those requirements are specifically permitted under the Act, so you will still have to keep track of state requirements in this area. 

If you need to know, you need to contact Keri Bruce or Joseph Rosenbaum – or your favorite Reed Smith attorney – who will be more than happy to help you.

Tags: , , , , ,
Posted on May 20, 2009 by Joseph I. Rosenbaum

Give Credit (Card), No Give a Gift (Card)! Why Not Give Both?

Although consumer credit regulation is hardly new – Regulation E, the Fair Credit Reporting Act, Regulation Z and laws regulating disclosures, debt collection practices, billing statements and the like have been around for decades – for the first time in U.S. history, Federal legislation is tackling pricing, rate modifications, advertising disclosures and fees, and adding a gift card angle as well. 

While the House has not yet passed this or any other version of the legislation, those in the know believe a similar, if not identical, bill will be approved by the House of Representatives and that the President is likely to sign it. 

Are you a bank, payment card association, credit union or financial institution that issues credit cards or gift cards? Here are highlights of the bill that passed the Senate:

  • When marketing, a card issuer would not be permitted to increase any advertised ‘teaser’ rates for at least a year after a new account was opened for the consumer, and promotional rates advertised to consumers must remain in effect for at least six month;
  • Unless the credit-issuing institution can get proof that anyone under 21 can actually repay their credit card debt, credit cards can only be issued to individuals under the age of 21 if a parent, legal guardian or guarantor agrees in writing to be responsible for the debts;
  • If a consumer pays more than the minimum balance due, the excess must be applied to the balance with the highest interest rate;
  • Card issuers will not be allowed to change rates retroactively on existing balances (there is an exception where the consumer is past due by 60 days – which, I guess, presumes that when a consumer can’t afford to pay their balance within 60 days, it’s ok to raise their rates since they probably won’t be able to afford to pay a higher rate either);
  • Bills for balances due must be sent at least three weeks (21 days) before their due date;
  • Card issuers will no longer be able to charge additional fees to consumers for alternate payment mechanisms (e.g., by mail, telephone, online, electronic, wire transfers), unless the consumer requests and the issuer offers some type of ‘expedited’ service;
  • Consumers must be asked if they want to allow ‘over-limit’ credit transactions and if they do not affirmatively consent, the card issuer will not be permitted to charge a fee if the issuer still authorizes the transaction (e.g., your credit limit is $1,000 and you charge something for $1,001 and the authorization system approves the transaction anyway);
  • Changes in the terms and conditions that apply to consumer cardholders will require at least 45 days’ notice; and
  • The minimum amount of time a gift card must remain valid for use will be 5 years. First, it is likely this will apply to gift cards that are consumer-oriented and where full value is paid, and not to discounted, bulk sales, non-consumer, incentive, employer or promotional gift cards – but then the legislation isn’t final yet, is it? Furthermore, the Federal legislation is not likely to preempt more consumer-friendly State law (e.g., California prohibits any expiration date on such gift cards), but it will place a minimum level of consumer protection against earlier expiration, even in States that have no applicable regulation.

There is also consideration being given to removing any current legal and contractual restrictions on merchants that would allow them to differentially price their products and services based on the incremental costs (or savings) of accepting different forms of payment. When credit and debit cards were scarce and cash was king (cash, as in ‘currency’), regulation and industry groups frowned upon differential pricing, arguing that allowing a merchant to charge more for the use of a credit card was discriminatory to the consumer – even though the cost of accepting such payment instruments was higher (the merchant pays a fee (discount rate) to the card-issuing enterprise for the privilege of accepting the particular brand of card). Furthermore, the growth of corporate and purchasing cards and the use of payment instruments in B2B transactions has resulted in situations where a manufacturer accepts a purchasing card (procurement-based credit card) in payment of sales to distributors, wholesalers and retailers – a fee is charged to the manufacturer for the card transaction. This chain continues until a consumer makes a retail purchase, and if any or all of these transactions involve branded payment instruments and not cash, travelers’ checks, bearer bonds or two goats and a chicken, today, a fee would most likely accrue on each payment-card transaction at each step of the way . . . significantly raising the cost to everyone and ultimately the consumer. Stay tuned.

So: Consumer Credit? Co-branded promotions? Loyalty Rewards Programs? Gift Cards? Premiums and Incentives? Retail Promotions? Payment Card Industry (PCI) Data Security Standards? Privacy & Data Protection? Identity Theft? Data Breach? Pre-Screening? Online Digital Payment Systems? Corporate Cards? Purchasing Cards? E-Commerce? Regulation E? Regulation Z? Statement Insert Advertising; Credit/Demographic Market Segmentation? Free? APR? Limited Time Offer?

Any of these sound familiar? It’s what we do? Our Advertising Technology & Media Law Group; our Financial Institutions Group; our Data Security and Identity Theft Group . . . need we say more . . . If you need help (or you are just over stimulated by the flurry of legislation, regulation and excitement), call us or email me at jrosenbaum@reedsmith.com. We can help.

Tags: , , , , , , , ,
Posted on July 15, 2008 by Joseph I. Rosenbaum

Who Pays For the Data Security Breach?

Have you received one of those “data security breach” letters? Quick, call the credit bureau and bank. Change the checking, credit card and license numbers. Most financial institutions have absorbed the cost of reissuing payment cards or providing new checks, even when these financial institutions had nothing to do with the security breach. When B.J.’s Wholesale Club disclosed that a theft of credit card information had occurred, two financial institutions sued to recover the costs that resulted from that breach. The institutions claimed B.J.’s breached its legal obligation to maintain the security of the financial institution and should be liable for the damages. Those claims were initially rejected, but have now been revived by the U.S. Court of Appeals for the Third Circuit, which has issued a decision holding these financial institutions were intended third-party beneficiaries of the contract among the retailer, its merchant bank, and the payment card industry, to keep customer data safe. If the retailer breached data protection rules imposed by the payment card industry and the financial institutions were third-party beneficiaries of that  agreement, then any damage and loss could be recovered based on contract law claims. Stay tuned.

Tags: , , , ,
Posted on July 2, 2007 by Joseph I. Rosenbaum

What Do DSS, GLB and SOX Have in Common?

If you carry, accept, use, issue or have anything to do with the world of credit cards, debit cards, gift cards, smart cards, stored value cards, pre-paid cards—need I go on?—you need to pay attention to DSS. That is the Payment Card Industry’s Data Security Standards that apply to all types of payment cards issued by the major card-issuing companies. The PCI DSS, in case you hadn’t heard, requires, as an example, that personally identifiable card data be rendered unreadable (truncated, encrypted, firewalled, decapitated—is anyone reading) whenever it is potentially exposed to a third party, when it’s stored, transmitted, used or processed. If you are a merchant with significant card-transaction volumes. encryption can be expensive or time-consuming or both—and no one wants to slow down transactions at the point of sale or at the point of billing. The DSS also requires audit records be kept so breaches can be detected, compromises traced and data integrity monitored. Yes, there are DSS Audit Guidelines from the PCI as well. Not to mention the fact that more than 30 U.S. states already have some form of data breach legislation that requires disclosure, notice and, in some cases, that some remedies be made available to consumers who are or potentially might be the victims of lapses in data protection.

Acquiring institutions—those financial institutions and card processors that have the relationships with merchants that accept and process cards—have until year-end to bring their systems and relationships into compliance, and some card associations are offering rewards for early compliance, but stiff penalties for delays and failure to comply.

How complex does it get? Well, imagine that a merchant opts to mask all credit card numbers, even though address information is unencrypted—but the numbers aren’t visible within any systems and therefore can’t be cross-referenced. PCI compliant? Probably? BUT, that won’t comply with Gramm-Leach-Bliley, the privacy statute applicable to banks and financial institutions that requires otherwise. What about SEC regulations regarding customer data and, of course, Sarbanes-Oxley, which says, “You must control access to your information.”

It’s enough to give anyone a headache. That’s why Reed Smith has a Financial Services, Corporate & Securities, Intellectual Property and, of course, an Advertising Technology & Media Law practice—so you get one seamless solution to your problems, no matter how complex the world gets.

Tags: , , ,
Posted on July 31, 2006 by Joseph I. Rosenbaum

Disclosures, Decency and Data Security

For the record, privacy, data protection, information security and international law have officially converged with management, compliance and marketing. More than 30 U.S. states have now passed legislation in one form or another that requires businesses to notify consumers if an actual or potential breach of data security may lead to the compromise of personally identifiable information. This comes on the heels of several years of the government tightening its own policies regarding data security breaches and instances of compromised security.

Recently, the Office of Management & Budget, which oversees U.S. federal agencies, announced a tougher policy for government, requiring agencies to follow the security procedures checklist prepared by the National Institute of Standards and Technology (“NIST”) to protect data. An internal OMB memo recommends that data on mobile computers and devices carrying agency data be encrypted, and suggests two-factor authentication (one being separated from the actual computer obtaining access to the data).

As noted in prior issues of Legal Bytes, requirements and compliance obligations for commercial enterprises doing business across state lines and national boundaries vary, although many have common themes. If you are concerned—and you should be—contact us. We can help you sort out your current compliance obligations and help you keep track of the changing privacy and data protection landscape, both domestically and internationally. Even if you choose not to inject your views into the regulatory process, you must keep abreast of developments or risk action by consumers and regulators.

This whole area is churning with activity and, like the migration of computers from technology organizations to mainstream business management decades ago, privacy and data protection are evolving from a technology problem to an issue throughout the world of management, marketing and business process. On a global scale, disharmony in legal systems is a major roadblock to everything from the war on terrorism and money laundering, to the simple acceptance of credit cards by merchants and air transportation. Recently, Europe’s highest court ruled an agreement made in 2004 that allowed airlines to share 34 items of information about every passenger flying from Europe to the United States—in an effort to fight terrorism—is illegal. The United States threatened to strip air carriers of landing rights if an agreement was not reached, and now the European Court of Justice has allowed the arrangement to continue only until September 30 so the parties can forge a new arrangement.

A New York Senator has proposed legislation that might concern marketing professionals (Privacy Rights and Oversight for Electronic and Commercial Transactions Act of 2006, S. 3713). In addition to requiring notice to consumers, the act allows them to place a permanent security hold on credit information; requires opt-in consent by consumers to financial institutions before sharing information with third parties; and contemplates a private right of action for damages, and—if identity theft occurs—damages up to $5,000 per person.

Several years ago, the Payment Card Industry, comprised of the major credit card and payment instrument issuers and processors, announced Data Security Standards and Audit Guidelines. Requiring encryption and secure storage of personally identifiable payment transactional and related data, merchants are faced with certifying, documenting and ensuring compliance or being deprived of the ability to accept payment instruments issued by the card industry issuers and processors. This is hardly an esoteric issue.

Visa fined BJ’s credit card processor upon discovering the processor’s system improperly kept magnetic-stripe data after sales were consummated, in violation of Visa’s operating regulations. Reissuing new account numbers and cards—in addition to covering unauthorized charges—created damages for Sovereign Bank (among others), and Sovereign sued BJ’s and its processor. A U.S. District Court in Pennsylvania has ruled Sovereign may not recover losses from its payment processor and is not a third party beneficiary of Visa’s agreements with the processor. In dismissing the breach of contract claim against the processor, the court concluded that simply because Visa U.S.A. had contracts with processors to protect its payment processing system does not mean the bank, or any other entity that touches the system, is an intended beneficiary of that agreement. This is not the only, not the first and likely not the last case involving allocation of risk and the protection of information and data flowing through virtually every merchant, financial institution and government system in the world today.
Tags: , , ,