US Private Sector Privacy Chapter 09 Financial PDF
Georgia Tech
2024
Summary
This chapter discusses financial privacy regulations, including the Red Flag Program Clarification Act of 2010 and the Gramm-Leach-Bliley Act (GLBA). It examines how these regulations impact financial institutions and consumer rights. The chapter also explores the role of technology in changing customer-bank interactions and the implications for financial privacy.
Full Transcript
MGT 6727 (Spring Semester 2024) at Georgia Tech. Chapter 9 – as of 02/25/2024. © IAPP

The Red Flag Program Clarification Act of 2010 was passed in response to concern that the definition of "creditor" extended to unintended entities, such as attorneys and health providers, simply because they allow customers to pay their bills after the time of service.[67] The clarification narrows the previously broad definition of creditor, as well as the circumstances under which creditors are covered by the rule. It excludes entities that extend credit only "for expenses incidental to a service." The rule still applies to entities that, regularly and in the ordinary course of business:
- obtain or use consumer reports in connection with a credit transaction;
- furnish information to consumer reporting agencies in connection with a credit transaction; or
- advance funds to or on behalf of someone, except for expenses incidental to a service provided by the creditor to that person.[68]

The law also authorizes regulations that extend the rule to other creditors whose accounts are "subject to a reasonably foreseeable risk of identity theft."

The rule does not provide a checklist of specific red flags that must be included in an identity theft prevention program. Rather, the program should identify the patterns, practices and specific forms of activity that are red flags of possible identity theft for the organization's own accounts, incorporate those red flags into the program, detect them, respond appropriately when they occur, and update the program regularly to reflect changes in risks. Each organization must develop its own list of red flags, but examples cited by the FTC include alerts, notifications or warnings from a consumer reporting agency; suspicious identification documents; suspicious personal identifying data; and unusual use of a covered account.

9.3 Gramm-Leach-Bliley Act

Title V of the Financial Services Modernization Act of 1999, the Gramm-Leach-Bliley Act (GLBA), led to the promulgation of both a Privacy Rule and a Safeguards Rule.
[69] GLBA was major legislation that reflected and codified the consolidation of the U.S. banking, securities and insurance industries in the late 1990s. As previously separate types of financial institutions began to merge, substantial concerns arose over how consumer data would be collected, used and shared among the newly formed holding companies and their subsidiaries. GLBA's privacy provisions were spurred in part by enforcement actions against major banks for controversial data practices. Prior to GLBA's passage, some leading financial institutions were found to have shared detailed customer information, including account numbers and other highly sensitive data, with telemarketing firms, which then used the account numbers to charge customers for unsolicited services. One of the most prominent cases involved U.S. Bancorp and the telemarketing firm MemberWorks.[70] The Minnesota attorney general's office brought suit in 1999, as Congress was considering GLBA. The suit resulted in a $3 million settlement of allegations that the bank had sent detailed customer information to the telemarketing firm, including account numbers and related information that enabled the marketer to withdraw funds directly from customer accounts.[71] The U.S. Bancorp/MemberWorks case focused popular and regulatory attention on the prevalence of data-sharing relationships between banks and third-party marketers, and a group of 25 attorneys general brought additional actions against major financial institutions to address these practices. Congress responded by including significant privacy and security protections for consumers in GLBA and by mandating further rulemaking on privacy and security by the FTC, the federal banking regulators and state insurance regulators. Financial institutions were required to be in substantial compliance with GLBA's requirements in 2001.

NOT FOR DISSEMINATION. The materials in this course are provided only for the personal use of students in this class in association with this class.

The passage of GLBA led to major changes in the structure of the financial services industry and provided for the creation of financial holding companies that offer a full range of financial products, eliminating legal barriers to affiliations among banks, securities firms, insurance companies and other financial services companies. Under GLBA's privacy provisions, financial institutions are required to:
- store personal financial information in a secure manner;
- provide notice of their policies regarding the sharing of personal financial information; and
- provide consumers with the choice to opt out of sharing some personal financial information.

In this discussion of financial data, it is important to note that technology has changed the interaction between customers and banks. Customers no longer need to travel to brick-and-mortar branches, or even interact with bank personnel, to withdraw money, deposit checks or apply for loans. In 2000, the Electronic Signatures in Global and National Commerce Act (E-SIGN Act) gave electronic signatures and records legal effect, which allows customers to consent to conduct their banking electronically.[72] Online banking allows customers to access bank accounts through the internet, and mobile banking permits customers to engage in financial activities with their banks through their cell phones.[73] By 2021, approximately 70 percent of Americans reported that they most often access their bank accounts through online or mobile banking.[74]

9.3.1 Scope and Enforcement of GLBA

GLBA applies to "financial institutions," which are defined broadly as any U.S. companies that are "significantly engaged" in financial activities.
Financial institutions include banks, insurance providers, securities firms, payment settlement services, check-cashing services, credit counselors and mortgage lenders, among others. GLBA regulates financial institutions' handling of "nonpublic personal information," defined as "personally identifiable financial information (i) provided by a consumer to a financial institution, (ii) resulting from a transaction or service performed for the consumer, or (iii) otherwise obtained by the financial institution." Excluded from the definition are publicly available information and any consumer list that is derived without using personally identifiable financial information.[75] This encompasses a wide range of information that is not exclusively financial in nature. For example, the name of a financial institution's customer is itself nonpublic personal information covered by the act, because it indicates the existence of a relationship between the institution and the consumer that is financial in nature.

GLBA requires financial institutions to protect consumers' nonpublic personal information under privacy rules that were promulgated originally by the FTC and the financial institution (FI) regulators. In 2011, under the Dodd-Frank Act, the CFPB assumed this rulemaking power, with exceptions for the Securities and Exchange Commission (SEC) and the Commodity Futures Trading Commission (CFTC). As enacted in 1999, GLBA was enforced for each institution by its federal financial regulator, such as the Federal Reserve, the Office of the Comptroller of the Currency (OCC), the Federal Deposit Insurance Corporation (FDIC) and the SEC.
[76] Under GLBA, financial institutions can face civil penalties of up to $100,000 per violation, and officers and directors of these institutions can face personal liability of up to $10,000 per violation. For intentional violations, officers and directors can face criminal penalties, including imprisonment.[77] Banking and related financial institutions that fail to comply with GLBA requirements can also be subject to substantial penalties under the Financial Institutions Reform, Recovery and Enforcement Act (FIRREA). FIRREA penalties range from up to $5,500 per violation of laws and regulations, to a maximum of $27,500 if the violation is unsafe, unsound or reckless, and to as much as $1.1 million for "knowing" violations.[78]

For financial institutions not within the jurisdiction of one of the other agencies, the FTC originally had enforcement authority. Under the Dodd-Frank Act, the CFPB also now has enforcement authority for the GLBA Privacy and Safeguards Rules under its general enforcement powers, discussed further in Sections 9.3.2 and 9.3.3. At the state level, state attorneys general can enforce GLBA. Stricter state laws are not preempted by GLBA.[79] The validity of a stricter state law can nonetheless be challenged, because the FCRA does preempt some state laws, so a court would need to determine which federal financial privacy statute governs the conduct the state law addresses. Although there is no private right of action under GLBA, failure to comply with certain notice requirements may be treated as a deceptive trade practice by state and federal authorities, and some states provide private rights of action for that type of violation.

GLBA's privacy protections generally apply to "consumers," meaning individuals who obtain financial products or services from a financial institution to be used primarily for personal, family or household purposes.
Many of the act's requirements relate to the subset of consumers who are also "customers," that is, consumers with whom the institution has an ongoing relationship. Financial services companies that do not have such consumer customers are not subject to some of GLBA's requirements, such as those related to notice.

Major components of the GLBA Privacy Rule provide that financial institutions must:
1. Prepare and provide to customers a clear and conspicuous notice of the institution's information-sharing policies and practices. These notices must be provided when a customer relationship is established and annually thereafter.
2. Clearly provide customers the right to opt out of having their nonpublic personal information shared with nonaffiliated third parties (subject to significant exceptions, including for joint marketing and for processing of consumer transactions).
3. Refrain from disclosing to any nonaffiliated third-party marketer, other than a consumer reporting agency, an account number or similar form of access code for a consumer's credit card, deposit or transaction account.
4. Comply with regulatory standards established by the relevant government authorities to protect the security and confidentiality of customer records and information, and to protect against security threats and unauthorized access to or certain uses of such records or information.

9.3.2 The GLBA Privacy Rule

The GLBA Privacy Rule establishes a standard for privacy notices under which a financial institution must provide initial and annual privacy notices to consumers covering specific categories of information, and must process opt-out requests within 30 days.
[80] The privacy notice itself must be a clear, conspicuous and accurate statement of the company's privacy practices and must include the following:
- what information the financial institution collects about its consumers and customers;
- with whom it shares the information;
- how it protects or safeguards the information; and
- an explanation of how a consumer may opt out of having their information shared, through a reasonable opt-out process.[81]

Provided this notice standard is met, a financial institution may share any information it has with its affiliated companies and with joint marketing partners, that is, other financial institutions with which the entity jointly markets a financial product or service.[82] In addition, other than under defined exceptions, a financial institution may also share consumer information with nonaffiliated companies and other third parties, but only after disclosing its information-sharing practices to customers and giving them the opportunity to opt out. Note that GLBA prohibits financial institutions from disclosing consumer account numbers to nonaffiliated companies for purposes of telemarketing and direct mail marketing (including through email), even if the consumer has not opted out of information sharing for marketing purposes. Also, a financial institution must ensure, through its agreements with them, that service providers do not use the consumer data provided to them for anything other than the intended purpose.

There are certain situations in which the consumer has no right to opt out. For example, a consumer cannot opt out if:
- the financial institution shares information with outside companies that provide essential services, such as data processing or servicing accounts;
- the disclosure is legally required; or
- the financial institution shares customer data with outside service providers that market the financial company's own products or services.

In 2009, eight federal regulatory agencies issued a model short privacy notice.
[83] The model notice implemented the Financial Services Regulatory Relief Act (FSRRA) of 2006, which required the agencies to propose a succinct and comprehensible model form that allows consumers to easily compare the privacy practices of different financial institutions.[84] Financial institutions that use the model notice satisfy the disclosure requirements for notices, but they are not required to use it.

9.3.3 The GLBA Safeguards Rule

Along with privacy standards and rules, GLBA requires financial institutions to maintain security controls to protect the confidentiality and integrity of personal consumer information, including both electronic and paper records. The regulatory agencies established such standards in the form of a final rule, the Safeguards Rule, which became effective in 2003 and was substantially amended by the FTC in 2021.[85]

The GLBA Safeguards Rule requires financial institutions to develop and implement a comprehensive "information security program," defined as a program that contains "administrative, technical and physical safeguards" to protect the security, confidentiality and integrity of customer information.[86] The program must be appropriate to the size, complexity, nature and scope of the institution's activities. Like the GLBA Privacy Rule, the Safeguards Rule treats security, confidentiality and integrity as distinct concepts, while making clear that all three are integral to a complete understanding of security.
The information security program required under the rule must contain certain elements, including a designated employee to coordinate the program, risk assessments and testing of systems, and procedures for overseeing service providers so that the security of the information is maintained. Under the Safeguards Rule, a financial institution must provide three categories of safeguards for customer information:
1. Administrative safeguards, which include program definition, management of workforce risks, employee training and vendor oversight.
2. Technical safeguards, which cover computer systems, networks and applications, including access controls and encryption.
3. Physical safeguards, which include facilities, environmental safeguards, business continuity and disaster recovery.

Pursuant to the Safeguards Rule, the administrative, technical and physical safeguards must be reasonably designed to (1) ensure the security and confidentiality of customer information, (2) protect against any anticipated threats or hazards to the security or integrity of the information, and (3) protect against unauthorized access to or use of the information that could result in substantial harm or inconvenience to any customer.[87] Maintaining the security of this information essentially means protecting its confidentiality and integrity and restricting access to it. The Safeguards Rule allows flexibility in implementing a security program: the program must contain safeguards that are "appropriate" to the entity's size and complexity, the nature and scope of its activities, and the sensitivity of the customer information at issue.[88] The rule nonetheless requires that certain basic elements be included in every security program.
Each institution must:
- designate an employee to coordinate the safeguards;
- identify and make a written assessment of the risks to customer information in each relevant area of the company's operations, and evaluate the effectiveness of the current safeguards for controlling those risks;
- design and implement a safeguards program, and regularly monitor and test it;
- select appropriate service providers and enter into agreements with them requiring them to implement safeguards; and
- evaluate and adjust the program in light of relevant circumstances, including changes in business arrangements or operations, or the results of testing and monitoring of safeguards.[89]

For entities under FTC jurisdiction, the FTC's 2021 amendments made several of these elements concrete: a designated "Qualified Individual" responsible for the program, a written risk assessment, encryption of customer information in transit and at rest, multifactor authentication for anyone accessing information systems that hold customer information, a written incident response plan, and either continuous monitoring or annual penetration testing together with vulnerability assessments at least every six months.

With this discussion of security, it is worth pointing out that digital approaches to banking expose customers' financial data to the vulnerabilities of the underlying technologies: internet-connected computers and cell phones.[90] Addressing the security concerns of online and mobile banking requires a combination of measures by the financial institution (such as careful design and updating of the relevant software) and education of the individual consumer, with steps including carefully choosing an operating system; selecting an appropriate internet browser; using firewalls, antivirus programs and anti-malware programs; and employing strong passwords and encryption.[91] A similar combination of enterprise-side and user-side practices is important to addressing security and privacy concerns for mobile banking.[92] Practitioners should take these online banking and mobile banking concerns into account when designing programs to comply with the Safeguards Rule.
9.3.4 State Requirements Related to Financial Privacy and Security

Because GLBA does not preempt states from regulating in this area, numerous states have put in place laws or rules specifically focused on financial privacy and security.[93] These states notably include California and New York.

9.3.4.1 California

The California Financial Information Privacy Act (CFIPA), also known as California SB 1, expands the financial privacy protections afforded under GLBA.[94] CFIPA increases the disclosure requirements of financial institutions and grants consumers greater rights with regard to the sharing of their information. Negligent violations of CFIPA can be punished with statutory damages of $2,500 per consumer, up to a cap of $500,000 per occurrence; for willful violations there is no $500,000 cap. Under the legislation, the opt-in and opt-out requirements for financial institutions are as follows. Written opt-in consent is required before a financial institution may share personal information with nonaffiliated third parties. Opt-in provisions must be presented on a form titled "Important Privacy Choices for Consumers" and be written in plain English. Additionally, CFIPA grants consumers the ability to opt out of information sharing between their financial institution and affiliates that are not in the same line of business. A financial institution does not, however, need consumer consent to share nonmedical information with its wholly owned subsidiaries engaged in the same line of business (insurance, banking or securities) if they are regulated by the same functional regulator.

With the passage of the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA),[95] banks and other financial institutions will likely need to review their practices for compliance with the privacy and security requirements of that law.
Although the CCPA, as amended by the CPRA, includes a specific provision intended to avoid conflict with GLBA and CFIPA, experts caution that banks and other financial institutions will need to review their data, dataset by dataset, to determine whether it is covered by GLBA or CFIPA. The concern is that the exemption applies to the data, not to the organization that holds it, meaning only the data specifically covered by GLBA or CFIPA is exempt from the requirements of the CCPA.[96]

9.3.4.2 New York

In 2017, the New York Department of Financial Services (NYDFS) put in place comprehensive and strict cybersecurity regulations (23 NYCRR Part 500) for the state's vast financial industry.[97] Although entities covered by GLBA were already subject to these types of requirements, the New York regulation was the first state-level regulation that went well beyond the requirements of GLBA at the time it was implemented.[98] The New York regulation imposes cybersecurity mandates on all covered financial institutions, including state-chartered banks, credit unions, investment companies, licensed lenders, mortgage brokers, life insurance companies, private bankers, commercial banks, and savings and loan associations.[99] These regulations are in line with the provisions of the National Institute of Standards and Technology (NIST) Cybersecurity Framework.[100] Under the regulation, covered financial institutions are required to implement cybersecurity programs that include risk assessments, documented security policies, designation of a chief information security officer, limitations on data retention, an incident response plan, and audit trails.
[101] For entities already subject to GLBA, several distinctions between the federal law and the New York requirements are worth noting. The state regulation defines "nonpublic information" more broadly than GLBA's "personally identifiable financial information." In addition, the New York regulation has key requirements not found in GLBA relating to personnel, reporting obligations (including notice to NYDFS within 72 hours of certain cybersecurity events), documentation obligations, and third-party service providers.[102]

The NYDFS also began regulating virtual currencies in 2015 via its "BitLicense" regulation. Individuals or businesses who receive, transmit, control, administer, issue, exchange or maintain custody of virtual currencies must obtain a BitLicense before engaging in these and related activities.[103] The NYDFS also specifies which virtual currencies licensed individuals and businesses can offer to their customers. As of April 2023, there were 33 virtual currency coins on the NYDFS "Greenlist," which any licensed business may use for the approved purpose, i.e., to maintain custody of or to list on its platform.[104] Licensed businesses that have an approved coin-listing policy may also self-certify that a proposed adoption or listing of a new coin complies with NYDFS requirements, which allows them to offer new coins to their customers without undergoing a more in-depth review by the NYDFS.[105]

9.4 Dodd-Frank Wall Street Reform and Consumer Protection Act

In response to the financial crisis that became acute in 2008, Congress enacted the Dodd-Frank Act, which was signed into law in July 2010. Along with numerous other reforms, Title X of the act created the CFPB as an independent bureau within the Federal Reserve System. The CFPB oversees the relationship between consumers and providers of financial products and services.
It holds broad authority to examine, write regulations for, and bring enforcement actions against businesses that provide consumer financial products or services, including their service providers.[106] The CFPB has assumed rulemaking authority for specific existing laws related to financial privacy and other consumer issues, such as the FCRA, GLBA and the Fair Debt Collection Practices Act.[107] It has enforcement authority over nondepository financial institutions and over depository institutions with more than $10 billion in assets.[108] For depository institutions with assets of $10 billion or less, the CFPB promulgates rules, but enforcement power remains with the banking regulators.[109]

One potentially important innovation in the act is a change to the usual language about "unfair and deceptive" acts or practices. As discussed in multiple places in this book, the FTC and state attorneys general have long had the power to enforce against unfair and deceptive acts and practices. The CFPB can now also bring enforcement actions for unfairness and deception. In addition, the CFPB has a new power to enforce against "abusive" acts and practices. An abusive act or practice:
- materially interferes with the ability of a consumer to understand a term or condition of a consumer financial product or service; or
- takes unreasonable advantage of:
  - a lack of understanding on the part of the consumer of the material risks, costs or conditions of the product or service;
  - the inability of the consumer to protect the consumer's interests in selecting or using a consumer financial product or service; or
  - the reasonable reliance by the consumer on a covered person to act in the interests of the consumer.
[110] Because this is relatively new statutory language, the precise meaning of "abusive act or practice" will become clear only over time. By its terms, however, enforcement actions for abusive acts or practices may well apply to privacy notices and other aspects of the privacy and security protections offered by financial institutions. CFPB enforcement authority includes the ability to conduct investigations, issue subpoenas, hold hearings and commence civil actions against offenders.[111] As of the writing of this book, civil penalties range from $6,813 per day for violations of federal consumer financial law, to $34,065 per day for reckless violations, to $1,362,567 per day for knowing violations.[112] Further, state attorneys general are also authorized to bring civil actions to enforce the law and its regulations.[113]

9.5 Regulation E of the Electronic Fund Transfer Act (1978)

In 1978, the Electronic Fund Transfer Act (EFTA) was enacted to establish the rights of consumers, and the responsibilities of companies, involved in electronic fund transfers. The rule known as Regulation E implements the EFTA. In 2011, rulemaking authority for the EFTA was transferred from the Federal Reserve Board to the Consumer Financial Protection Bureau (CFPB) pursuant to the Dodd-Frank Wall Street Reform and Consumer Protection Act.[114] The term "electronic fund transfer" (EFT) is defined as any transfer of funds that is "initiated through an electronic terminal, telephone, computer, or magnetic tape for the purpose of ordering, instructing, or authorizing a financial institution to debit or credit a consumer's account."[115] Examples include ATM transfers, direct deposits, point-of-sale transfers and transfers using a debit card. The definition of a "financial institution" includes:
- banks, savings associations and credit unions;
- any person that directly or indirectly holds an account belonging to a consumer; and
- any person that issues an access device and agrees with a consumer to provide electronic fund transfer (EFT) services.[116]

In 2021, the CFPB issued guidance that Regulation E covers person-to-person payments when they meet the definition of an EFT, such as those made using services like Zelle and Venmo, and clarified that liability for unauthorized EFTs rests with the financial institution rather than the consumer, subject to the regulation's limited consumer-liability tiers.[117] The CFPB issued this clarification in part because of the significant amount of fraud to which consumers have fallen victim through person-to-person payments on mobile financial apps.[118]

9.6 Required Disclosure Under Anti-Money-Laundering Laws

The privacy and security rules discussed above typically restrict uses and disclosures of personal information. Financial institutions are also subject to a variety of requirements to retain records and, in some instances, to disclose personal financial information to the government. Financial institutions in general have intricate accounting and control systems to document transactions and reduce the risk of fraud. Banks have also long been closely supervised by the government, both to ensure their safety and soundness and for other reasons. Financial institutions thus have more detailed record retention rules than most other kinds of companies. In recent decades, anti-money-laundering (AML) laws have become a major additional basis for record retention and mandatory disclosure to the government. U.S. anti-money-laundering laws stem from the Bank Secrecy Act of 1970, which targeted organized crime groups and others who used large cash transactions. The laws became stricter with the USA PATRIOT Act of 2001 and its focus on antiterrorism efforts.
The fundamental goal of anti-money-laundering laws is to "follow the money."[119] The idea behind thorough record-keeping is that it will help detect and deter illegal activity and provide evidence for proving illegality.[120] Fines for violations of anti-money-laundering laws can be significant. In 2022, the Office of the Comptroller of the Currency (OCC) and the Financial Crimes Enforcement Network (FinCEN) issued civil penalties totaling $200 million against a federal savings bank for willfully failing to comply with anti-money-laundering requirements.[121]

9.6.1 The Bank Secrecy Act of 1970

The Bank Secrecy Act of 1970 (BSA), also known as the Currency and Foreign Transactions Reporting Act of 1970, authorizes the U.S. treasury secretary to issue regulations that impose extensive record-keeping and reporting requirements on financial institutions.[122] Specifically, financial institutions must keep records and file reports on certain financial transactions, including currency transactions in excess of $10,000, that may be relevant to criminal, tax or regulatory proceedings. The BSA applies broadly to its own definition of financial institutions, which uses different language than GLBA and so may differ in some cases. The BSA applies to banks, securities brokers and dealers, money services businesses, telegraph companies, casinos, card clubs, and other entities subject to supervision by any state or federal bank supervisory authority.[123] The scope of covered institutions has expanded over time to address the problem that criminals have an incentive to exploit whatever institutions are not yet covered by the anti-money-laundering laws.
Under the BSA, financial institutions that handle cryptocurrencies are frequently classified as money services businesses. This includes peer-to-peer exchanges, hosted wallet providers, and anonymizing service providers such as mixers and tumblers. However, some cryptocurrency-related business models may be exempt from the BSA, such as decentralized exchanges and mining pools. 124

The BSA contains regulations relating to currency transactions, transportation of monetary instruments and the purchase of currency-like instruments. For example, the BSA generally requires currency transactions of $10,000 or more to be reported to the IRS per the regulations, using a Currency Transaction Report, Form 4789. Similarly, the BSA regulations cover purchases of bank checks, drafts, cashier’s checks, money orders, traveler’s checks, and cryptocurrency transactions of $3,000 or more in currency. The rules require that the entity collect and report information, including the name, address, and Social Security number of the purchaser; the date of purchase; type of instrument; and serial numbers and dollar amounts of the instruments. The BSA regulates certain wire transfers, including funds transfers and transmittals of funds by financial institutions. Certain funds transfers are exempted from the regulation, however, including funds transfers governed by the Electronic Funds Transfer Act (EFTA) and those made through an automated clearinghouse, ATM, or point-of-sale system.

9.6.1.1 Record Retention Requirements

As part of the overall anti-money-laundering strategy, financial institutions are required to retain categories of records for use in investigations or enforcement actions. Financial institutions are required to maintain records of all extensions of credit in excess of $10,000, but this does not include credit secured by real property.
Not all records must be maintained—only those with a “high degree of usefulness.” 125 Records that are maintained must include the borrower’s name and address, credit amount, purpose of credit, and date of credit. Such records must be maintained for five years. As to deposit account records, a financial institution must keep the depositor’s taxpayer identification number, signature cards, and checks exceeding $100 that are drawn or issued and payable by the bank. With regard to certificates of deposit, the financial institution must obtain the customer name and address, a description of the CD, and the date of the transaction. For wire transfers or direct deposits, a financial institution must maintain all deposit slips or credit tickets for transactions exceeding $100. 126 Additionally, the BSA includes detailed rules regarding information that banks must retain in connection with payment orders.

9.6.1.2 Suspicious Activity Reports

Financial institutions must file a Suspicious Activity Report (SAR) in defined situations. The rationale is that SARs can alert government agencies to potentially suspicious transactions. A SAR must be filed with the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) in the following circumstances:

(1) when a financial institution suspects that an insider is committing (or aiding the commission of) a crime, regardless of dollar amount;
(2) when the entity detects a possible crime involving $5,000 or more and has a substantial basis for identifying a suspect;
(3) when the entity detects a possible crime involving $25,000 or more (even if it has no substantial basis for identifying a suspect); and
(4) when the entity suspects currency transactions aggregating $5,000 or more that involve potential money laundering or a violation of the act. 127

9.6.1.3 BSA Enforcement

As of the writing of this book, penalties for violations of the BSA and its regulations include the following:

- civil penalties, including fines up to the greater of $25,000 or the amount of the transaction (up to a $100,000 maximum), as well as penalties for negligence ($500 per violation);
- additional penalties up to $5,000 per day for failure to comply with regulations;
- penalties of up to $25,000 per day for failure to comply with the information-sharing requirements of the USA PATRIOT Act; and
- penalties up to $1 million against financial institutions that fail to comply with due diligence requirements.

Criminal penalties include up to a $100,000 fine and/or one-year imprisonment and up to a $10,000 fine and/or five-year imprisonment. 128 While countless enforcement actions have been taken against traditional financial institutions, these potential penalties also extend to financial institutions offering cryptocurrency-related services. In 2020, a $60 million civil penalty was levied against the founder of two cryptocurrency mixers, and in 2021 the operator of the longest-running cryptocurrency mixer was arrested for failing to satisfy their obligations under the BSA. 129

9.6.2 The International Money-Laundering Abatement and Anti-Terrorist Financing Act of 2001

As part of the USA PATRIOT Act, the International Money Laundering Abatement and Anti-Terrorist Financing Act of 2001 expanded the reach of the BSA and made other significant changes to U.S. anti-money-laundering laws. 130 The act gave the U.S. treasury secretary the ability to promulgate broad rules to implement modified Know Your Customer requirements and to otherwise deter money laundering.
For covered financial services companies, the major USA PATRIOT Act compliance issues can be grouped into the following categories:

- Information-sharing regulations and participation in the cooperative efforts to deter money laundering, as required by Section 314
- Know Your Customer rules, including the identification of beneficial owners of accounts—procedures required by Section 326
- Development and implementation of formal money-laundering programs, as required by Section 352
- Bank Secrecy Act expansions, including new reporting and record-keeping requirements for different industries (such as broker-dealers) and currency transactions 131

Going forward, privacy professionals in the financial services sector should be alert to the continuing development of documentation requirements, where the organization may be required to gather and retain personally identifiable information for regulatory purposes. For example, the Foreign Account Tax Compliance Act of 2010 (FATCA) seeks to target noncompliance with U.S. tax laws for U.S. taxpayers with foreign accounts. To deter tax evasion and require greater withholding of income to these taxpayers, FATCA requires more detailed “know your customer” documentation for both domestic and foreign financial institutions. 132