Proposed Internet Gambling Regulation Would Require New Policies

Electronic Banking Law & Commerce Report
November 2007, Volume 12, Issue 9

Proposed Internet Gambling Regulation Would Require New Policies and Procedures for the U.S. Payments System
By Jonathan Winer and Kathryn Marks

Jonathan Winer ([email protected]), a partner at Alston & Bird (www.alston.com), represents domestic and foreign clients on regulatory and enforcement matters as well as on a wide range of government affairs issues including money laundering, sanctions, national security, and data protection and management, and information security and privacy.

Kathryn Marks ([email protected]) is an associate in the Legislative and Public Policy Group in Alston & Bird’s Washington DC office. Her practice includes payment system issues, information privacy and data security.

Overview

One year following the enactment of the Unlawful Internet Gambling Enforcement Act of 2006 (“UIGEA”), the Federal Reserve Board (“Fed”) and the Department of the Treasury (“Treasury”) (collectively, “federal regulators”) have released a joint notice of a proposed regulation implementing the law banning the use of the U.S. payments system to process any illegal Internet gambling transaction.

The proposed regulation would require financial services companies subject to U.S. jurisdiction that participate in any of five types of payments — automated clearing house (“ACH”) activities, card payments, check collection, money transmission or wire transfers — to implement policies and procedures that are “reasonably designed” to prevent or prohibit the processing of prohibited Internet gambling transactions. The proposed regulation contains limited exemptions for situations where identification and blocking of Internet gambling



From the Editor

A year after the Unlawful Internet Gambling Enforcement Act of 2006 was signed into law, Jonathan Winer and Kathryn Marks of Alston & Bird take an in-depth look at the proposed regulation that would implement the law. They discuss areas of compliance uncertainty and some of the major policy issues financial institutions would face if the regulation was adopted. The regulations cover financial service companies subject to U.S. jurisdiction that participate in a number of types of payments. Interested parties have until December 12 to comment on the regulations.

In the wake of ChoicePoint’s and TJX’s data breaches, Deborah Thoren-Peden, of Pillsbury Winthrop Shaw Pittman, surveys recent developments in privacy litigation from merchants’ perspective.

Timothy McTaggart and Andrew Maher, of Pepper Hamilton, provide an overview of health savings accounts (HSAs). At the beginning of 2007, an estimated 3 million people were covered by HSAs, up from only 438,000 people in 2004. The Treasury Department expects that number to grow to between 14 and 21 million by 2010, representing a huge potential source of investable assets.

And finally, our regular columns summarizing recent legislative and regulatory developments include important updates regarding pending legislation to renew the Terrorism Risk Insurance Act, a recent court decision upholding a Connecticut ban on stored-value card dormancy fees, and recently issued FACT Act final regulations regarding identity theft red flags and affiliate marketing.

David E. Brown, Jr., Alston & Bird LLP

payments may not be technologically feasible for some participants in the ACH system, check collection systems and wire transfers, based on their relationship to the flow of funds. Companies who implement the “reasonably designed” policies and procedures provided as examples in the proposed regulation would be deemed by federal regulators to be in compliance with the law.

The proposed regulation does not directly regulate institutions or transactions outside the United States. Accordingly, it is likely to encourage circumvention through the use of payments systems outside the United States in the many jurisdictions in which Internet gambling is lawful. These uses could include techniques to disguise restricted transactions or integrate them into lawful forms of funds, such as foreign bank accounts or stored value cards, prior to their repatriation to the United States.

The proposed regulation may also raise concerns about regulatory burden due to the impact of implementation costs on U.S.-based participants in the payments system that are not applicable to similarly situated foreign firms. Its coverage of all forms of cards, including debit cards, stored-value cards and pre-paid cards as well as credit cards, without any exemption for gift cards, is unprecedented in scope. Many companies involved with selling such products have had little or no prior direct regulation by the federal government. Moreover, the proposed regulation mandates ongoing monitoring by companies involved in card-related transactions and by money transmitters of the Web sites of their commercial users on a global basis. The proposed regulation would require such monitoring to detect unauthorized use of the relevant designated payments system and the unauthorized use of the relevant designated payments system trademarks.

Domestic depository institutions may have concerns about complying with the proposed regulation’s request for intensified due diligence on foreign commercial companies making use of foreign correspondent banks for what might be restricted transactions. Domestic depository institutions may also have concerns about the proposed regulation’s direction that they consider closing correspondent relationships with foreign banks that handle restricted transactions involving U.S. persons even when such transactions are lawful in the foreign jurisdiction where that bank is regulated.

This article provides an overview of the proposed regulation and of areas of compliance uncertainty arising from its failure to provide guidance on critical issues, such as assessing what transactions are “restricted transactions” given the failure of the law or regulation to specify which forms of Internet gambling are legal and which are illegal. This article also identifies some of the major policy issues raised by the regulation, which include financial institutions’ concern about its extraterritoriality, the problem of lawful circumvention and the regulation’s potential implications for areas of online gambling, especially horseracing, that remain of uncertain (and disputed) legality.

Comments on the proposed regulation are due December 12, 2007. The proposed regulation invites those affected to address whether its provisions are likely to create undue regulatory burden and the feasibility of implementing the examples suggested by the federal regulators as mechanisms to achieve compliance. It also invites responses as to whether the exemptions in the proposed regulation could create opportunities for evading its goals. The federal regulators have proposed that the final regulation take effect six months after the final regulation is published, placing the likely earliest effective date into the final weeks of the Bush administration, or beyond to that of its successor.

Definitions

The proposed regulation adopts definitions of some key terms, such as “automated clearing house,” “card system” and “money transmitting business,” provided in existing regulatory or statutory provisions. It does not define gambling-related terms or provide guidance on which types of Internet gambling activities are legal or illegal.

Under the proposed regulation, the term “participant in a designated payment system” is defined very broadly to include essentially all participants in the payments system and all financial transaction providers, except to the extent such a participant is acting at the time as a customer or end-user of the transaction:

…an operator of a designated payment system, or a financial transaction provider that is a member of or, has contracted for financial transaction services with, or is otherwise participating in, a designated payment system. This term does not include a customer of the financial transaction provider if the customer is not a financial transaction provider otherwise participating in the designated payment system on its own behalf.1

This position parallels the current state of federal law, which does not provide for criminal penalties for individuals that may gamble online, but rather prohibits gambling operators from accepting bets or wagers.

Covered Payments Systems

The proposed regulation requires essentially all participants in the payments system to impose effective controls on prohibited Internet gambling payments, including those participating in the ACH system, card systems (including credit, debit and pre-paid cards or stored value cards), check collection systems, money transmitting businesses or wire transfer systems. Federal regulators declined the authority given them by UIGEA to exempt any element of the payments system if it is not reasonably practical for it to prevent or prohibit a restricted transaction. Instead, the proposed regulation requires each covered entity to identify and block restricted transactions wherever it is feasible to do so, and then specifies certain situations in which a company would be understood, due to its location in the payments system, as not having sufficient information to take such steps.

Automated Clearing House System

The ACH system provides for the clearing and settlement of batched electronic entries for participating financial institutions. Under the proposed regulation, ACH participants would be required to identify and block restricted transactions whenever the ACH payment system participant has a direct customer relationship with the Internet gambling operator, but not in other cases. Thus, the proposed regulation requires the originating depository financial institution (“ODFI”) in an ACH debit transaction and the receiving depository financial institution (“RDFI”) in an ACH credit transaction to prohibit restricted transactions. The federal regulators stated that in these two situations, the institution has a relationship with a customer engaged in an Internet gambling transaction and with reasonable due diligence could determine whether the customer’s business might involve restricted transactions. By contrast, the proposed regulation would exempt the ODFI in an ACH credit transaction and the RDFI in an ACH debit transaction from having to put transaction blocking procedures in place for those transactions (except in cross-border transactions) given the difficulty of due diligence on such transactions.

Card Systems

The proposed regulation requires participants in card systems to block all prohibited Internet gambling transactions. Its coverage of the use of cards for Internet gambling is comprehensive, covering not only credit cards, but debit cards, pre-paid cards and stored-value products.

It defines card system as “…a system for clearing and settling transactions in which credit cards, debit cards, pre-paid cards, or stored value products, issued or authorized by the operator of the system, are used to purchase goods or services or to obtain a cash advance.”2 Implicitly, this definition includes gift cards, which previously have not been regulated by the federal government, and thus in theory would require that issuers of gift cards also have anti-Internet gambling controls applicable to the cards.3 According to the guidance provided by the proposed regulation, no authorization can occur for any of these types of card transactions without the authorization request including (a) the card number, (b) transaction amount, (c) a merchant category code that describes generally the nature of the merchant’s business and (d) a transaction code, which indicates if the transaction was handled in person or remotely. According to the guidance, the coding process provides sufficient information to determine if a transaction is a gambling transaction (from the merchant category code) and whether a transaction was initiated over the telephone or Internet (as opposed to in a licensed casino, which would make the payment lawful). The federal regulators therefore found that all card transactions could be identified by the financial transaction provider as a restricted transaction and subsequently blocked.

These assessments by the federal regulators may be challenged by some market participants in the comment process. At present, there is no practical way to differentiate a telephone or Internet gambling transaction that may be lawful from one that is not. As stated previously, neither UIGEA nor the proposed regulation provides any guidance as to what types of Internet gambling may currently be legal. The Department of Justice (“DOJ”) considers all Internet gambling to be illegal, but this position is at odds with the absence of enforcement activity by the DOJ against pari-mutuel betting operations that every day engage in transactions in the United States using most or all of the forms of payment mechanisms covered by the proposed regulation. If there is no way to differentiate pari-mutuel betting transactions from transactions that are by definition illegal (Internet sports gambling), one practical consequence might be that transactions that may well be legal will likely also be blocked under the proposed regulation. A similar problem potentially pertains to the use of payments mechanisms to pay for lawful brick-and-mortar transactions at casinos that are licensed by states or Indian tribes.

Check Collection Systems

The proposed regulation defines check collection system as “an interbank system for collecting, presenting, returning, and settling checks or intrabank system for settling checks deposited in and drawn on the same bank.” The proposed regulation would require the institution serving as the depository bank to block transactions involving prohibited Internet gambling transactions, as this particular institution would receive the check deposit directly from the gambling business and would therefore be in a position, through reasonable due diligence, to identify the nature of the business seeking to deposit the check.

Similar to ACH transactions, the proposed regulation would, however, exempt participants in this payment system from being required to block prohibited Internet gambling transactions to the extent that the participant does not have a direct relationship with either the payor or the payee and is thus not in a position to identify the purpose or nature of a particular transaction. Thus, transaction blocking is not required under the proposed regulation for a check clearing house, the paying bank (unless it is also the depository bank), any collecting bank other than the depository bank or any returning bank.

Again, this provision of the regulation raises substantial issues about circumvention, as a U.S.-based gambler could in principle send funds by check to a depository bank in another jurisdiction, such as the United Kingdom, where Internet gambling is legal, thereby avoiding the prohibition. The individual could receive any gambling proceeds by check for deposit through the U.S. depository bank so long as the check did not identify itself as relating to online gambling.

Money Transmitting Businesses

Money transmitting businesses are defined by federal regulation as businesses, other than depository institutions, that engage in the business of funds transmission either domestically or internationally. Although the operational specifics may vary, the proposed regulation treats all money transmitting businesses the same. There are no exemptions for money transmitting businesses under the proposed regulation, reflecting the determination by the federal regulators that in every transaction, the money transmitting business will know the identity of the entity to which money is being transferred and therefore there is no reason for an exemption to be granted.

Here again, opportunities for circumvention could undermine the purposes of the proposed regulation and UIGEA through the use of foreign-based third parties who could transmit funds to and from gamblers and Internet gambling establishments, acting as middle-men in compliance with applicable laws in their own jurisdictions.

Wire Transfer Systems

The proposed regulation defines wire transfer system as “a system through which an unconditional order to a bank to pay a fixed or determinable amount of money to a beneficiary upon receipt, or on a day stated in the order, is transmitted by electronic or other means through the network, between banks, or on the books of a bank.”4 The beneficiary’s bank, as the institution receiving the wire transfer on behalf of the gambling operator, would be required to put into effect blocking mechanisms as it would be in a position to determine the nature of the customer’s business and could therefore determine if that business involved restricted transactions. The proposed regulation would exempt the originator’s bank and intermediary banks from these requirements, as the federal regulators view them not to be in a position to assess the nature and purpose of the transactions.

Again, circumvention issues could arise to the extent that beneficiary banks were located outside the United States, Internet gambling is lawful in the jurisdiction in which they are regulated and they chose not to honor UIGEA outside the United States.

Other Payments Systems

The federal regulators are requesting comments on whether there are other emerging payments systems that should be included in the scope of the regulation, and whether there are non-traditional payments systems that could be used to circumvent the prohibition on processing restricted transactions. The federal regulators have stated that as technology develops, the proposed regulation could be updated to address changes in existing systems and development of new payments systems.

Reasonably Designed Policies and Procedures

General Overview

Section 6 of the proposed regulation provides examples of policies and procedures for the covered payments systems that the federal regulators consider to be reasonably designed to prevent or prohibit unlawful Internet gambling transactions. In general, the policies and procedures should involve due diligence in the commercial customer relationship so that the payments system operator can ensure that the commercial customer is not originating or receiving restricted transactions. Additionally, the policies and procedures must include a response to the discovery that a particular customer is using the payments system to engage in restricted transactions.

The federal regulators call for payments system participants to implement due diligence policies and procedures similar to those required by the Bank Secrecy Act, using a flexible risk-based approach to assess whether a particular commercial customer might be involved in Internet gambling activities. Additionally, the federal regulators are seeking comment on whether to explicitly include a requirement that payments system participants periodically confirm the nature of their customers’ business as part of the overall due diligence requirements.

The proposed regulation also requires payments system participants to have policies and procedures in place to address situations in which a commercial customer is found to be engaging in restricted transactions. Such policies and procedures could include fines, restricting access to the payments system or terminating the customer’s account. Additionally, the regulation requires appropriate remedial action to be taken against any business, whether a customer or not, if the payments system participant knows that the business is engaging in restricted transactions and is using the payments system participant’s trademark to promote the restricted transactions.

Additional monitoring of card systems and money transmitting businesses would be required under the regulation, including monitoring and analyzing payment patterns to identify any suspicious activity and monitoring of commercial Web sites on a global basis to detect use of the payments system involving its trademark, as might be done by a foreign gambling operator advertising that a particular payments mechanism involving the United States could be used to handle its transactions. The federal regulators expressly stated that since unlawful Internet gambling businesses could also use individuals as agents to receive restricted transactions to avoid the due diligence procedures required of the payments system, monitoring for such activity would be required of card systems and money transmitting businesses. The proposed regulation does not contain a similar requirement for ACH, check collection and wire transfer systems because those systems, unlike the card and money transmitting systems, do not have the functionality required to perform such monitoring and analysis of payment patterns and other use.

The federal regulators recognize that most Internet gambling operators are outside of the United States and the operators do not have relationships with U.S. banks, thus restricted transactions are likely to come from foreign financial institutions. However, the proposed regulation still requires card systems and money transmitting businesses to ensure that their policies and procedures address both domestic and international transactions. Essentially, the proposed regulation imposes a knowledge-based requirement for participants in these payments systems, such that the participant in the payments system that has the direct relationship with the gambling operator would be responsible for preventing or prohibiting restricted transactions. For example, with respect to ACH transactions, the responsibility to block a restricted transaction would rest with the first participant in the United States receiving a transaction directly from a foreign institution. Other participants in ACH, check collection and wire transfer systems would largely be given a free pass, absent specific knowledge that a payment constitutes a restricted transaction.

Although the federal regulators have indicated that some of UIGEA’s requirements will not be imposed on certain payments systems due to technological issues, there are repeated statements in the proposed regulation that technology will be monitored and evaluated such that at some point in the future, additional requirements may be imposed on the previously exempted payments systems.

Examples of Policies and Procedures by Payments System

The proposed regulation provides “non-exclusive” examples of policies and procedures that designated payments systems could implement for identifying, blocking, or otherwise preventing or prohibiting the processing of a restricted transaction as means of complying with UIGEA. The examples are structured so as to function as a “safe harbor” for designated payments systems, making their adoption per se compliant with the proposed regulation, and leaving in doubt whether in practice any alternatives would be deemed by regulators to be sufficient.

ACH ExamplesUnder the proposed regulation, the policies and

procedures of the ODFI and any third-party sender in an ACH debit transaction and the RDFI in an ACH credit transaction would be deemed to have reasonable policies and procedures to identify and block restricted transactions if they perform appro-priate due diligence with respect to establishing or maintaining customer relationships. The proposed regulation indicates that appropriate due diligence would include the screening of potential commer-cial customers to determine the nature of their busi-ness and the use of contract terms prohibiting the commercial customer from engaging in restricted transactions. Additionally, the proposed regula-tion requires that they should have in place policies and procedures in the event it is discovered that the commercial customer is engaging in restricted transactions. Such policies and procedures would include the imposition of fines, restricting the com-mercial customer’s ability to originate ACH debit transactions, or closing the account.

The proposed regulation would require that policies and procedures of receiving gateway operators and third-party senders seeking to submit ACH debit transactions on behalf of a foreign bank, foreign third-party processor, or foreign originating gateway operator be similar to those outlined above for ACH participants engaged in wholly domestic transactions. Where foreign senders are determined to have sent ACH debit entries for restricted transactions to the receiving gateway operator or third-party sender, the proposed regulation suggests that ACH services to the foreign sender be denied and that in certain circumstances, the cross-border arrangements should be terminated.

Finally, under the proposed regulation, an originating gateway operator that receives an ACH credit transaction containing instructions to send a credit entry to a foreign bank (either directly or through a foreign receiving gateway operator) should have policies and procedures in place to respond when the transaction is identified as a restricted transaction. In such situations, the originating gateway operator should consider whether the ACH credit transactions for the foreign bank or through the foreign gateway operator should be denied or whether the circumstances warrant the termination of the cross-border arrangements with the foreign bank.

The implications of this approach could well be the subject of extensive comment, given its potential to require complex due diligence procedures for participants in the ACH system.

Card System Examples

Card system operators, merchant acquirers and card issuers will be deemed to have reasonably designed policies and procedures for identifying and blocking restricted transactions if they:

• screen potential merchant customers to determine the nature of their business and include language in the merchant customer agreement that the merchant may not receive any restricted transactions through the card system;

• establish transaction codes and merchant or business category codes that will enable the card system or card issuer to identify and deny authorization for restricted transactions;

• perform ongoing monitoring or testing to determine whether authorization requests are coded correctly and to detect suspicious patterns or volumes of transactions relating to a merchant customer; and

• have a response plan in place to address situations in which the merchant customer becomes aware that a merchant has received restricted transactions, including assessing fines or denying access to the card system.

The applicability of these approaches to the use of cards to make payments to non-U.S. based merchant customers whose relationships are with foreign card systems operators, merchant acquirers and card issuers may constitute an area for comment by U.S. participants in the card systems that are uncertain about the extent to which their due diligence obligations could be deemed to reach payments involving foreign Internet gambling operators whose immediate relationship is with a foreign financial institution, rather than any domestic participant in the card system.

Check Collection System Examples

As stated previously, most participants in a check collection system are exempted by the proposed regulation, as imposing the requirements on these participants would be too costly and burdensome. However, the proposed regulation would apply to the depository bank, because the depository bank is in a position to know if the customer’s business is an Internet gambling operation. Depository banks will be deemed to have reasonable policies and procedures to identify and block restricted transactions if they:

• conduct due diligence in establishing or maintaining a customer relationship by screening potential commercial customers to determine the nature of their business and include language in commercial customer agreements that the customer may not deposit checks that are restricted transactions; and

• implement procedures for addressing situations in which the depository bank becomes aware that the customer has deposited checks involving restricted transactions, including when checks should be refused and if the account should be closed.

To be deemed to have reasonable policies and procedures where a depository bank receives a check directly from a foreign bank, the depository bank should:

• conduct similar due diligence with respect to the foreign bank to ensure that it will not send checks representing restricted transactions to the depository bank for collection and including in contractual agreements with the foreign bank that the foreign bank will have corresponding policies and procedures in place to ensure that checks involving restricted transactions will not be processed; and

• implement a response plan to address situations in which the foreign bank is determined to have sent checks involving restricted transactions to the depository bank, including when check collection services should be denied and when the correspondent account should be closed.

Interestingly, the proposed regulation does not make mention of the fact that many foreign banks are located in jurisdictions where Internet gambling is a legal activity, and thus there is no prohibition of the foreign bank accepting transactions involving Internet gambling operations of what might be considered a restricted transaction in the United States. Additionally, the proposed regulation does not address the attempt to impose U.S. law on these foreign banks by including contract language that requires the foreign banks to not accept transactions that are unlawful in the United States (but that are lawful in the jurisdiction in which the foreign bank operates).

The burden imposed on the U.S. depository bank is not insignificant either, as the depository bank will have to continually monitor the correspondent banking relationship to determine if the foreign bank is submitting checks involving restricted transactions. Additionally, since depository banks must identify circumstances in which the correspondent account should be closed if the foreign bank submits checks involving restricted transactions, it is possible that long-term correspondent banking relationships could be terminated over the failure of a foreign bank to submit to U.S. law.

For these reasons, the check collection examples may also give rise to significant comment by those potentially affected, given that it is not obvious that alternatives to the “examples” provided would be deemed reasonable alternatives by financial institution examiners.

Money Transmitting Examples

The policies and procedures of money transmitters will be deemed to be reasonably designed to identify and block restricted transactions if they conduct sufficient due diligence in establishing and maintaining the customer relationship. Such due diligence involves screening potential commercial subscribers to determine the nature of their business and including contract language prohibiting commercial subscribers from receiving restricted transactions. The money transmitter should also implement ongoing monitoring and testing procedures to detect restricted transactions, to detect suspicious payment activity and to detect unauthorized use of the money transmitter’s business. The money transmitter should also have in place procedures to impose fines on the commercial subscriber, deny access to the system, or close the account in the event the commercial subscriber is found to be using the money transmitter for processing restricted transactions.

The regulation does not address how the money transmitter is to determine whether a transaction is restricted or how to assess funds transmissions to foreign commercial aggregators who may be engaged in retransmission of funds to or from an operator.

Wire Transfer Examples

As stated previously, the only participant in a wire transfer that is covered by the proposed regulation is the beneficiary’s bank, because only the beneficiary’s bank is in a sufficient position to know the nature of the commercial customer’s business. The policies and procedures of the beneficiary’s bank will be deemed to be reasonably designed to identify and block restricted transactions if they require sufficient due diligence in establishing and maintaining the customer relationship to ensure that the commercial customer will not receive restricted transactions. Such due diligence includes screening potential commercial customers to determine the nature of their business and prohibiting the commercial customer through the commercial customer agreement from receiving restricted transactions. Similar to other types of payments systems, the beneficiary’s bank should also implement policies and procedures to address situations in which the commercial customer is found to have received restricted transactions and when access to the wire transfer system should be denied or the account closed entirely.

With respect to an originator’s bank or intermediary bank sending or crediting a wire transfer to a foreign bank, the policies and procedures will be deemed reasonable if they include procedures to address situations in which the foreign bank is found to have received from the originator’s bank or intermediary bank wire transfers that constitute restricted transactions.


Enforcement

The proposed regulation follows the provisions of UIGEA exactly as to enforcement, providing for functional regulation by the federal functional regulators with respect to covered payments systems and the Federal Trade Commission for payments systems not otherwise under the jurisdiction of the federal functional regulators.

Small Entities

The proposed regulation provides no exemptions for smaller payments systems. The guidance accompanying the proposed regulation states that Treasury does not know how many small entities will be affected by the proposed regulation. Without specifying the basis for its analysis, Treasury found that the proposed regulation “would not have a significant economic impact on a substantial number of regulated small entities.” Treasury further found that as the requirement to identify and block restricted transactions comes directly from UIGEA, any economic impact would flow from UIGEA rather than the regulation, thus a regulatory flexibility analysis was not required.

Small businesses and their representatives may express other views through the comment process.

Broader Policy Considerations

Immunity from Liability for Identifying and Blocking

Under UIGEA, designated payments systems are provided immunity from liability for blocking transactions that are in fact lawful, if there is a reasonable basis to believe that the transaction may be a restricted transaction.5 The law also requires the regulation to ensure that lawful transactions are not blocked as being a restricted transaction.6 The proposed regulation reiterates both of these provisions without elaboration and without providing guidance to enable covered entities to avoid blocking lawful activity. It does not address the fact that certain transactions, such as those involving pari-mutuel betting, may be lawful but may nevertheless be blocked by financial transaction providers.

The immunity provisions have the potential of exacerbating the existing dispute between the DOJ, which takes the position that all Internet gambling is illegal under the Wire Act of 1961,7 and the horseracing industry and its congressional supporters, who state that the Interstate Horseracing Act8 (“IHA”) permits pari-mutuel betting that occurs via telephone or Internet, provided the activity is lawful in each state involved. Although UIGEA included language expressly stating that it did not have any effect on the IHA, the proposed regulation may well result in financial transaction providers blocking payments for pari-mutuel betting under the theory that the transactions are unlawful Internet gambling transactions. Financial transaction providers may block such transactions arguing that they are justified in doing so based on the DOJ’s position and that they are not liable for blocking a permitted transaction under the immunity provision.

Since neither UIGEA nor the proposed regulation addressed the need to define or clarify what is and is not legal, there is likely to continue to be disagreement and dispute over the issue. The comment process could result in participants in the horseracing industry seeking express exclusion of their transactions from the regulation, or objecting to the language preventing them from seeking redress from financial transaction providers that block these transactions, if they are in fact legal.

Notably, such requests could further complicate U.S. efforts to address its multibillion dollar liability in the World Trade Organization (“WTO”) arising from its prohibition of Internet gambling offered to U.S. persons by foreign operators, which the WTO found discriminatory in light of the availability of Internet gambling domestically in relationship to horseracing.

Circumvention of UIGEA and the Proposed Regulation

Although the proposed regulation covers five major payments systems, the federal regulators are also requesting comment on whether there are other payments systems that should be covered. Additionally, there is an indication in the proposed regulation that as technology develops, those participants in the designated payments systems that are exempted might subsequently be included if it becomes technologically and economically feasible to do so.

Despite the regulatory effort to prevent all unlawful Internet gambling transactions, even under the proposed regulation it would still be possible for a U.S. resident to gamble online. The most obvious way would be for a U.S. resident to open a foreign bank account in a jurisdiction where Internet gambling is legal. Such an account could be used for a variety of things, including Internet gambling, as would a normal banking account. At such time as the individual wanted to repatriate the funds, the individual could simply transfer all or part of the money to the United States. Provided that the U.S. resident reported the bank account to appropriate U.S. authorities, there is no federal prohibition on an individual gambler having the account or using it for lawful purposes under the law of the jurisdiction where the account is located. Thus, whether the U.S. resident wanted to use the funds in the account to gamble online, pay bills, or make purchases, he or she would be free to do so subject to applicable state laws.

Credit cards, stored-value cards, pre-paid cards and debit cards issued by foreign financial institutions for multi-purposes could function similarly for circumvention.

Assessment

The proposed regulation seeks to identify the participants in designated payments systems that are in the best position to determine whether or not a transaction is a restricted transaction and to exempt those who are not in a position to make that determination. However, the proposed regulation does impose significant additional burdens and responsibilities on the covered payments system participants, as they must now develop new policies and procedures that require them to gather more information about their customers’ business. The proposed regulation also risks creating significant tension between domestic and foreign financial institutions, as U.S. institutions must require their foreign counterparts to agree not to process transactions that may be legal in the foreign jurisdiction — and to terminate the relationship if the foreign bank does not comply. In addition, there continues to be ambiguity about the underlying definition of which transactions are legal and which are not, creating uncertainty for financial institutions required to identify and block unlawful transactions.

Congress mandated that the regulation implementing UIGEA be in place within 270 days of its enactment October 12, 2006. More than one year later, only this proposed regulation has been issued amid renewed congressional consideration of alternative approaches to Internet gambling, such as the regulatory approach advocated by House Financial Services Chairman Barney Frank (D-MA) in H.R. 2046. In its current form, the proposed regulation would add substantial regulatory burden to a wide scope of participants in the U.S. financial services sector, without being likely to prevent the activity they seek to prohibit. They would also be likely to drive further underground and off-shore payments relating to Internet gambling, potentially making risk assessments for U.S. participants in the payments system even more difficult.

U.S. financial services companies with concerns about potential compliance exposure, commercial injury and regulatory burden arising from the proposed regulation may wish to consider the extent to which they are in a position to offer alternative language or solutions to that provided in the proposed regulation. Such language could include, for example, suggestions that any final regulation provide for an even-playing field between U.S.-based and foreign operators, through deferring the imposition of the controls until the U.S. negotiates mechanisms with foreign governments to secure enforcement on an international basis. Other formulations could seek language specifying that examiners not treat what the regulation terms as “examples” providing a safe-harbor for compliance as mandatory in practice, so long as the relevant entities are not knowingly handling restricted payments. One approach would be to seek expansion of the safe harbor to include any mechanism put into place by the financial services company that is sufficient to avoid knowingly processing restricted transactions, while remaining in compliance with other provisions of federal law, such as know-your-customer requirements.


NOTES

1. Proposed regulation 1� C.F.R. § �(q).

2. Proposed regulation 1� C.F.R. § �(d).

3. This is more than a theoretical issue, in that gift cards can be sold by a retailer for redemption by that retailer on a global basis, such as by a hotel chain or entertainment company, which might otherwise permit Internet gambling at any of its facilities in a jurisdiction where such activity is lawful. Under the regulation, a merchant issuing such a card would need to have policies and procedures in place to restrict its use by a U.S. person engaged in Internet gambling.

4. Proposed Regulation 1� C.F.R. § �(u).

5. ����(d)

6. ����(b)(�)

7. 1� U.S.C. § 10��.

8. 1� U.S.C. § �000 et seq.

Health Savings Accounts: An Overview

By Timothy R. McTaggart and Andrew Maher

Timothy R. McTaggart ([email protected]) is a partner in the Washington, DC, office of Pepper Hamilton LLP. Mr. McTaggart is the former Delaware state bank commissioner and the immediate past chairman of the American Bar Association’s banking law subcommittee on Trust and Investment Services.

Andrew Maher ([email protected]) is an associate in the Financial Services Practice Group of Pepper Hamilton LLP, resident in the Philadelphia office. Mr. Maher’s practice encompasses work involving a variety of investment management as well as public and project finance matters.

Financial institutions have many opportunities to become more involved in offering Health Savings Accounts (HSAs). HSAs are relatively new, but are expected to grow rapidly over the next decade, particularly as a result of legislative changes made last year. HSAs continue to be a favorite topic for policy makers seeking methods to increase retirement savings and to react to health care costs. Also, state led initiatives and market-based activity continue to emerge with new approaches for HSAs.

While it is not a perfect analogy, some believe that the growth in HSAs will be similar to the growth experienced in connection with Individual Retirement Accounts (IRAs). IRAs gained popularity and traction after early market educational efforts and related technical changes were implemented in a manner similar to the process underway with HSAs.

What is a Health Savings Account?

An HSA is a tax-exempt trust or custodial account that is set up with a qualified HSA administrator, acting as either a trustee or a custodian, to pay or reimburse certain medical expenses. HSAs were created by the Medicare Prescription Drug, Improvement and Modernization Act signed into law by President Bush on December 8, 2003.

How prevalent are HSAs?

As of the beginning of 2007, 3.2 million people were covered under 1.9 million HSAs. In 2004, only 438,000 people were covered.

Who can contribute to an HSA?

Employers and employees may contribute to an HSA, so long as the combined annual contributions do not exceed the pertinent maximum legal limits. Any employer contribution to an employee HSA must be made on a non-discriminatory basis. Otherwise, employer contributions are subject to an excise tax equal to 35 percent of the aggregate amount contributed to employee HSAs.

What are the benefits of an HSA?

HSA benefits include:

• contributions made to an HSA by an individual are tax-deductible, even if that individual does not itemize his or her deductions;

• employer contributions to an employee’s HSA are excludable from gross income and wages for employment tax purposes;

• contributions made to HSAs can accumulate in the account and can be rolled over from year to year until they are used for qualified medical expenses. Qualified medical expenses include expenses for diagnosis, cure, mitigation, treatment or prevention of disease;

• interest and other earnings on the assets in the account are tax free;

• distributions from HSAs for qualified medical expenses are excludable from the account holder’s gross income, including for distributions that are for the account holder’s spouse or dependents; and

• an HSA is portable and is owned by the account holder if he or she changes jobs or leaves the workforce.

Who is eligible to set up an HSA?

To be eligible to set up an HSA, an individual must:

• Be enrolled in a high deductible health plan that, for 2007, has a deductible that is at least $1,100 for self-only coverage or $2,200 for family coverage. The deductible minimum in future years is indexed for inflation under law.

• Be enrolled in a high deductible health plan which has an out-of-pocket expense limit that is less than $5,500 for self-only coverage and $11,000 for family coverage. Out-of-pocket expenses include deductibles, co-payments and other amounts (other than premiums) that the individual must pay for covered benefits under the plan. The out-of-pocket expense limits are indexed for inflation.

• Not be covered by any other non-high deductible health plan.

• Not be enrolled in Medicare.

• Not be claimed as a dependent by someone else.

Have there been any changes to HSAs since their inception in 2003?

On December 20, 2006, President Bush signed into law the Tax Relief and Health Care Act of 2006. This provided for a number of changes to HSAs in order to facilitate the growth and accessibility of these accounts. These changes included:

• Simplification of the annual contribution limit requirements. The inflation indexed contribution limit for 2007 is $2,850 for self-only coverage and $5,650 for family coverage. Contributions made in excess of the limit are subject to a 6 percent excise tax.

• Permitting a one-time tax-free irrevocable rollover from an IRA into an HSA, as long as the amount rolled-over does not exceed the HSA annual contribution limits. If an individual thereafter loses HSA eligibility within 12 months of the rollover, the IRS will deem the money rolled-over as taxable income and charge an additional 10 percent penalty.

• Permitting certain funds in health Flexible Spending Arrangements (FSA) or Health Reimbursement Accounts (HRA) to be distributed directly into an HSA. Such a transfer must be the lesser of either: the balance of the health FSA or HRA as of September 21, 2006; or the balance in the health FSA or HRA as of the date of distribution. These transfers may be made in excess of the legal HSA annual contribution limits, but they may not be deducted from gross income. These transfers must be made before January 1, 2012.

• The IRS issued Publication 553 in March 2007, which set the contribution limit and out-of-pocket expense limit for 2007. On June 1, 2007, the IRS proposed regulations regarding contributions to HSAs by employers. These regulations have not yet been adopted.

Who can serve as an HSA administrator?

Banks, credit unions and any other institutions that offer IRAs are permitted to offer HSAs. In 2006, 35 percent of HSAs were administered by community banks, 30 percent of HSAs were administered by specialty banks (which are banks that specialize in administering HSAs or are banks established by insurance companies to administer HSAs), 20 percent of HSAs were administered by large banks and credit unions administered the remaining 15 percent of HSAs. Additional entities wishing to become approved HSA administrators must get permission from the IRS.


What is the difference between a custodian and a trustee?

This is a distinction made under state law. Generally, if an HSA administrator is deemed to be a custodian, then the administrator is obliged to hold HSA funds, to ensure safekeeping of HSA funds, to maintain accurate records, not to co-mingle funds in an HSA account with funds in any other account and to respond to the account holder’s instructions.

Generally, if an HSA administrator is deemed to be a trustee, then the administrator acting as trustee has some level of discretionary authority over the funds in the HSA. The trustee has a fiduciary obligation to use that discretionary authority only in the best interest of the beneficiary account holder.

What rules can a custodian or trustee set for account administration?

The administrator may set requirements for minimum deposits, minimum balance, minimum distribution, distribution timing, and account fees. In July 2007, the average HSA account balance was $1,327, up from $1,178 in January 2007.

What distribution mechanisms may be used?

HSA holders may pay directly for qualified expenses. They then would be reimbursed with a distribution from the HSA once receipts have been presented to the administrator. Alternatively, distributions may also be made using a healthcare payment card, which is used like a debit card. The card allows for direct access to HSA funds to pay for qualified expenses, though receipts still must be presented to the administrator. Use of the payment card is generally preferred since it can be programmed to be used only for payment of qualified medical expenses.

Can administrators invest HSA funds?

Yes, but with the same investment restrictions as IRAs. This means that HSA administrators may not invest HSA funds in collectibles such as: antiques; rugs; artwork; metals (with certain exceptions for bullion); gems; stamps; coins; alcoholic beverages; and certain other tangible personal property. HSA administrators acting as trustees may further restrict the kind of investments made with HSA funds in accordance with their fiduciary obligations. HSA administrators acting as custodians may restrict the kinds of investments they make by contract, but are under no obligation to do so.

What investment advice may be given in connection with HSA investments?

HSA administrators acting as trustees must manage each HSA in the best interests of each account holder, meaning any administrator acting as a trustee may not invest or advise that HSA funds be invested in a manner that is imprudently risky for the account holder.

What is the growth potential of HSAs?

The Treasury Department projects that by 2010, there may be between 14 million and 21 million HSAs covering between 25 million and 40 million people.

The growth of HSAs may present to banks and other financial institutions a significant business opportunity going forward. Banks and other financial institutions that offer HSAs to their customers must remember that if they are deemed to be trustees, as opposed to custodians, under state law they are obligated to manage an HSA in the best interest of the account holder. This may present difficulties as banks and other financial institutions hold many HSAs for people with very different financial needs and risk tolerances. Any HSA administrator that is deemed to be a trustee is well advised to develop a structure under which HSAs are managed in a manner that does not leave the administrator liable for violating fiduciary obligations with regard to any individual account holder. Any institution that is deemed to be a custodian under state law is well advised to develop a structure to ensure that it does not co-mingle HSA funds from one account with funds of other accounts, that it keeps accurate records and that the funds in each HSA are kept safely.


Emerging Trends: Privacy Litigation Growing Concern for Merchants

By Deborah Thoren-Peden

Deborah Thoren-Peden ([email protected]) is a partner in the Los Angeles office of Pillsbury Winthrop Shaw Pittman, LLP. She is the co-leader of the firm’s Consumer & Retail industry team, and her practice focuses on banking, electronic commerce, privacy, anti-money laundering and the Office of Foreign Assets Control regulations. Prior to joining Pillsbury, Thoren-Peden was the Chief Privacy Officer and general counsel for PayMyBills.com and she has served on the Privacy Task Force of the American Bankers Association.

Every day, millions of consumers swipe their credit and debit cards to buy groceries, coffee and gas. And while such cards add ease and speed to these purchases, privacy issues are causing headaches for consumers and retailers alike. With data security breaches, identity theft, data mining and fraud continuing to rise, many state, federal and international agencies have added new, and sometimes conflicting, rules to protect consumers’ privacy.

In the following Q&A, Pillsbury Winthrop Shaw Pittman partner Deborah Thoren-Peden talks about new developments in this rapidly evolving area of the law.

Q. Some privacy laws have been on the books since the early 1970s. What’s new today?

Thoren-Peden: Congress and various states have now enacted rules designed to make it more difficult for data thieves to access and use credit card numbers.

Most recently, the state of Minnesota passed a significant new law that makes any merchant retaining credit card information directly liable for any credit card breaches. The law, the Plastic Card Security Act or the Minnesota Data Retention Law, requires that after August 1, 2007, merchants doing business with customers in that state must not keep credit card security codes, the PIN numbers or the contents of any magnetic stripe for longer than 48 hours after a transaction has been authorized.

This rule has attracted national attention because it could affect any merchant, including online retailers, doing business with customers in Minnesota. And the penalties for data breaches could be enormous, as merchants would have to reimburse financial institutions for any losses caused by the breaches. The provisions imposing liability will become effective August 1, 2008.

Q. What else do merchants need to worry about?

Thoren-Peden: Thirty-eight states and many foreign countries have passed laws to protect customer and employee data, and some states are considering even stricter laws. Moreover, the Federal Trade Commission has become more aggressive in bringing privacy actions, and a number of state attorneys general have filed lawsuits against companies that have security breaches.

California enacted its first security breach law in 2005, which requires that customers whose personal information may have been compromised due to a security breach be notified in writing by the entity that experienced the breach. It has also passed a number of laws that require appropriate destruction of records containing sensitive or personal financial data. In addition, California is beginning to consider laws that explicitly impose liability on merchants whose security breaches cause damages.

The European Union has even more stringent rules regulating data, and several Asian countries have passed their own rules or are contemplating doing so in the near future. The People’s Republic of China, for instance, is now ramping up its own privacy efforts, and India, too, is becoming more sensitive to the issue, particularly as so many U.S. customer call centers have been outsourced there.

The real problem for merchants is keeping track of all of these rules, many of which are new and, in some cases, vague. The penalties for not doing so can be enormous.


Q. How did we get here?

Thoren-Peden: Several prominent security breaches have driven much of the recent legislation. ChoicePoint Inc., which processes, analyzes and sells consumer information, was recently hit for $15 million in penalties by the FTC for sending information on 265,000 consumers to identity thieves posing as legitimate entities. In another high profile account earlier this year, discount retailer TJX Companies allowed online access to data covering some 45 million credit and debit cards. The costs of that breach are estimated at over $150 million.

In addition to severe penalties from oversight agencies, merchants have also faced class action lawsuits. And just the cost of direct mailing alone related to the expense of disclosing breaches to affected customers can be in the millions.

There’s also an issue of trust and reputation. Consumers, of course, are more likely to do business with companies who they can trust will keep their information secure. Some studies show that up to 20 percent of customers will not do business with a company that has breached its data security and up to 58 percent will think about changing their business to another company.

Data thieves, too, have been increasingly sophisticated. We have seen very savvy identity theft gangs crop up in Russia and elsewhere, and given today’s global economy, the technological and personnel costs of keeping information safe are also rising.

For all these reasons, more and more businesses are paying attention to the need to keep information protected.

Q: Tell me more about privacy-related litigation.

Thoren-Peden: Well, that’s actually gotten a little bit better for merchants than a few years ago because plaintiffs must now prove actual damages caused by breaches.

Still, plaintiffs’ lawyers have really jumped on the bandwagon and are pursuing merchants with great vigor. Earlier this year, for instance, more than 200 merchants were sued for alleged violations of the federal Fair and Accurate Credit Transactions Act or FACTA, which requires merchants to truncate credit card transaction consumer receipts to the last four digits of a credit card number and prohibits inclusion of the card’s expiration date on the receipt. These nationwide class actions seek enormous damages and most are still in litigation.

Pillsbury is representing several defendants in these cases – most of which were filed in the Central District of California (Los Angeles) or the Northern District of California (San Francisco) – and has been successful in getting a number of the cases dismissed. Nonetheless, the costs and risks associated with a lawsuit greatly concern retailers, particularly those who operate on very tight margins.

Q: The world is growing smaller and more companies are doing business overseas. How does this affect them?

Thoren-Peden: A number of countries are expanding their privacy laws. Some of these rules make it challenging for companies to transmit employee information from one country to another even if it is for human resource reasons or even to consider an employee for a promotion or bonus. Some countries even prohibit or limit such things as employee name tags and internal telephone listings. Clearly, with so many rules affecting the transfer of employee and customer information between companies and their affiliates or third party vendors, privacy has become a major topic of discussion in every outsourcing arrangement.

Q: What’s next?

Thoren-Peden: The international regulatory environment isn’t settled yet. More countries are enacting privacy laws and regulations. We expect there to be a tremendous amount of activity in establishing new rules and enforcement schemes in the next couple of years, so companies will really have to keep on their toes to comply. As for a U.S. law relating to privacy, numerous bills have been proposed in Congress, and it is likely many more privacy laws, both federal and state, will be enacted in the next few years.


In February, Congressmen Bobby Rush (D-Ill.) and Cliff Stearns (R-Fla.) introduced The Data Accountability and Trust Act, which would require any business that houses personal information to implement specific security practices, including methods for dealing with disposal of “obsolete” information. It would also mandate notification requirements in the event of a breach of personal data on a nationwide basis.

It is very important for all businesses, large and small, to be very careful about how they collect information on their employees, customers and vendors, how they keep that information and how they destroy it. There is no simple way to be compliant with all of this.

In fact, there are more laws being enacted in privacy than in virtually any other area of law, and that will likely continue for a number of years. The risks to companies can be substantial, even if breaches are unintentional.

Selected Federal Legislative Developments

By Kathryn Marks

Kathryn Marks ([email protected]) is an associate in the Legislative and Public Policy Group in Alston & Bird’s Washington, DC, office. Her practice includes payment system issues, information privacy and data security.

Terrorism Risk Insurance

On October 17, 2007, the Senate Banking Committee approved legislation reauthorizing the Terrorism Risk Insurance Act for an additional seven years. The program is set to expire on December 31, 2007. The House passed its version of the legislation in September.

Although both bills retain the current 20 percent deductible, the two bills differ in several respects. The House bill sets the “trigger” for the program at $50 million, while the Senate version maintains the current $100 million threshold. The House version expands coverage under the program to nuclear, biological, chemical and radiological attacks, but the Senate version contains no such provision. The House version also provides coverage for group life insurance, but the Senate version does not. Finally, the House version would extend the program for 15 years, while the Senate extension is only for seven years.

Senate Banking Committee Chairman Dodd had wanted to make the program permanent, but faced strong opposition from the White House, which supports a temporary extension and eventual phase-out of the program in favor of the private market.

Internet Tax Moratorium Extended for 7 years

President Bush on October 31, 2007, signed into law H.R. 3678, the “Internet Tax Freedom Act Amendments Act of 2007.” The law provides for a seven year extension of the moratorium on state and local government Internet access taxes and multiple and discriminatory taxes on electronic commerce that was first enacted in 1998.

The House had previously passed a four-year extension, but with the expiration date of November 1, 2007, looming, the House on October 30 passed the Senate version, which provided for a seven-year extension, sending the measure to the president who signed the bill into law. The new moratorium will expire on November 1, 2014.

Do Not Call

The House Energy and Commerce Committee on October 30, 2007, adopted the “Do-Not-Call Improvement Act of 2007” (H.R. 3541), which would make the Do-Not-Call registry permanent. The bill would also require the Federal Trade Commission (“FTC”) to “scrub” the list twice per month to de-list phone numbers that are disconnected or no longer in service. Under the federal rules establishing the list, consumers are required to list their phone number every five years or the numbers will be removed from the list.

The FTC has indicated that it will not remove any phone numbers from the list pursuant to expiration of the five-year period pending the outcome of legislation to make registration permanent. If the FTC determines that a phone number on the list has been disconnected, the phone number may be removed from the list.

Internet Safety

The House Energy and Commerce Committee on October 30, 2007 passed H.R. 3461, the “Safeguarding America’s Families by Enhancing and Reorganizing New and Efficient Technologies Act of 2007” (“SAFER NET Act”) by voice vote.

The legislation requires the FTC to carry out a nationwide program to increase public awareness and provide education regarding Internet safety for families, businesses, organizations and other users. The program will utilize existing resources and efforts of federal, state and local government, nonprofits, and private companies, including financial companies, Internet service providers and others. Aspects of the program will include:

• identifying, promoting and encouraging best practices for Internet safety;

• establishing and carrying out a national outreach and education campaign regarding Internet safety utilizing various media and Internet-based resources;

• facilitating access to, and the exchange of, information regarding Internet safety to promote up-to-date knowledge regarding current issues; and

• facilitating access to Internet safety education and public awareness efforts the commission considers appropriate to states, units of local government, schools, police departments, nonprofit organizations and such other entities.

Selected Regulatory Developments

By Scott Anenberg

Scott Anenberg ([email protected]) is a partner in the financial services regulatory and enforcement practice in the Washington, D.C. office of Mayer Brown LLP. He represents foreign and domestic financial institutions on a wide variety of regulatory and compliance issues.

Internet Bank Placed in Receivership

On Friday, September 28, the Office of Thrift Supervision (“OTS”) closed Netbank, headquartered in Georgia, and appointed the Federal Deposit Insurance Corporation (“FDIC”) as receiver. Netbank, which had no physical branches and operated solely through the Internet, had $2.5 billion in total assets and $2.3 billion in deposits, of which $1.5 billion were insured. The insured deposits were assumed by ING Bank FSB. The failure is expected to cost the FDIC $110 million, and is the latest example of the challenges faced by Internet-only banks.

According to the OTS, Netbank was closed because of “early payment defaults on loans sold, weak underwriting, poor documentation, a lack of proper controls, and failed business strategies.” The bank had been experiencing problems for some time, and shortly before its closing, EverBank, of Jacksonville, Florida, had abandoned its plans to purchase Netbank’s Internet banking division.

The OTS press release regarding Netbank: http://www.ots.gov/docs/7/777071.html.

Proposed Rule Issued Under Unlawful Internet Gambling Enforcement Act

On October 1, the Federal Reserve Board (the “Board”) and the Treasury Department (the “Treasury”) proposed a rule to implement statutory restrictions on payments involving unlawful Internet gambling. Mandated by the Unlawful Internet Gambling Enforcement Act of 2006, the proposal would require U.S. financial institutions that use certain designated payment systems to establish policies and procedures to reasonably identify and block payments to illegal gambling entities. The designated payment systems would include automated clearing house (“ACH”) systems; credit, debit and/or pre-paid cards or stored value products; check collection systems; and wire transfer and money transmission systems.

However, the proposed rule also contains exemptions designed to exclude many of the participants in these payment systems that do not maintain a direct customer relationship with an Internet gambling business, and thus would not be in a position to obtain information sufficient to determine whether a particular transaction should be restricted. In general, ACH system operators, as well as the originating and receiving depository financial institutions (depending on whether the ACH transaction is a debit or credit transaction); check clearing houses, paying, collecting and returning banks; and the network operators as well as the originating and intermediary banks involved in wire transfers all would be exempted. However, most processors of card payments, originating (in an ACH debit transaction) and receiving (in an ACH credit transaction) banks, beneficiary banks in a wire transfer, and depository banks in the case of checks would be subject to the requirements.

The Treasury and the Board are requesting comment on both the proposed rule and related matters, such as whether to establish a master list of all unlawful Internet gambling businesses. Comments are due by December 12, 2007.

For a more in-depth discussion of this proposal, please see the feature article. Text of the proposal: http://www.federalreserve.gov/newsevents/press/bcreg/20071001a.htm.

Federal Court Upholds State Ban on Gift Card Dormancy Fees

The U.S. Court of Appeals for the Second Circuit has upheld a Connecticut law that prohibits the use of dormancy fees on gift cards sold in that state. SPGGC, LLC v. Blumenthal, 2007 U.S. App. LEXIS 24436, (2d Cir. 2007). The court held that the plaintiff, Simon Properties, a seller of gift cards and shopping mall operator, was not a national bank or a national bank subsidiary and that, therefore, the Connecticut fee restrictions were not preempted by federal law. Simon Properties offers consumers a prepaid, stored-value payment card, known as The Simon Card, that can be used in stores located in Simon malls across the country.

Simon Properties had argued that Connecticut’s gift card laws were preempted because a national bank, Bank of America, was the issuer of the cards and approved the cards’ terms and fees. The court held that state regulation of these fees did not interfere with the national bank’s ability to exercise its powers because Simon Properties collected and retained the fees associated with the cards, and because Simon Properties was neither a national bank nor an operating subsidiary of a national bank. However, the court also ruled that state law restrictions on gift card expiration dates may in fact be preempted to the extent that the inability to impose an expiration date could preclude a national bank from issuing the cards under applicable rules of the VISA card system. This issue was remanded to the district court for further consideration.

In a similar case also involving Simon Properties gift cards, the First Circuit Court of Appeals earlier this year found that gift card restrictions under New Hampshire’s consumer protection laws were in fact preempted by federal law. However, in refusing to find that similar restrictions under Connecticut law were preempted, the Second Circuit distinguished that earlier First Circuit case on the basis that it was the national bank that issued those gift cards, rather than Simon Properties, that established and collected the associated fees. For a further discussion of that case please see this column in the June 2007 issue.

Agencies Approve Final FACT Act Rule on Identity Theft Red Flags

On October 31, the federal financial regulatory agencies (the Board, Office of the Comptroller of the Currency (“OCC”), FDIC, OTS and the National Credit Union Administration (“NCUA”)) released a final rule implementing sections 114 and 315 of the FACT Act, which relate to identity theft. The rule takes effect January 1, 2008, and companies must comply with it by November 1, 2008.

The rule will:

• require financial institutions and creditors to develop and implement an identity theft prevention program;

• establish guidelines for these programs;

• require credit and debit card issuers to assess the validity of a request for a change of address, under certain circumstances; and

• establish the policies and procedures that a user of consumer reports should employ upon receiving a notice of address discrepancy from a consumer reporting agency.

The rule also includes a list of 26 enumerated “red flags” that indicate possible identity theft, including credit report discrepancies and alerts from consumers.

The final rule adopts a flexible risk-based approach to regulating identity theft prevention programs, similar to the approach used in the Interagency Guidelines Establishing Information Security Standards. However, four basic elements must be included in any prevention program. The program must contain “reasonable policies and procedures” to:

• identify relevant red flags for covered accounts and incorporate those red flags into the prevention program;

• detect those red flags that have been incorporated;

• respond appropriately to any such detected red flags in order to prevent and mitigate identity theft; and

• ensure the program is updated periodically to reflect changes in the risks of identity theft to customers, financial institutions and creditors.

While the final rule is substantially similar to the version originally proposed in 2006, there were a few substantive changes. Under the final rule, only financial institutions that maintain “covered accounts” – accounts primarily for family, personal or household expenses and accounts where there is a reasonably foreseeable risk of harm from identity theft – must establish a prevention program. In addition, some of the more detailed aspects of the proposed regulation have been incorporated as guidelines in the final rule, in order to provide institutions with more flexibility in establishing an appropriate program. For further discussion of the proposed rule, please see this column in the June 2006 issue.

The interagency rule on identity theft: http://www.fdic.gov/news/news/press/2007/pr07089.html.

Agencies Approve Final FACT Act Rule on Affiliate Marketing

On October 25, the federal financial regulatory agencies released a final rule that implements requirements in section 214 of the Fair and Accurate Credit Transactions (“FACT”) Act of 2003 to provide consumers with notice and the ability to “opt-out” of marketing conducted by affiliated financial institutions. The rule takes effect January 1, 2008, and companies must comply by October 1, 2008.

Section 214 of the FACT Act, which added section 624 of the Fair Credit Reporting Act (“FCRA”), provides a consumer with the ability to limit the circumstances under which an institution may use “eligibility information” received from an affiliate to market products to the consumer. Eligibility information, as defined in the final rule, includes information on a consumer’s account history and data gathered from consumer reports or applications. Under the final rule, an affiliate that receives eligibility information from an affiliated financial institution may not use that information to market to the consumer until the consumer has:

• been provided with a notice that information may be transferred among affiliates for marketing purposes;

• been provided with a reasonable opportunity to opt-out; and

• not opted out within the time period included in the notice.

The notice provided to the consumer must be “clear, conspicuous and concise,” and the method of opting out must be “simple.” The opt-out must be effective for at least five years and a consumer who opts out is entitled to a subsequent notice and opportunity to extend the opt-out period before any affiliate can use eligibility information for marketing purposes. However, the rule contains several exceptions to the notice and opt-out requirements, including, in particular, an exception for marketing to a consumer with whom the affiliate has a “pre-existing business relationship.” The rule defines “pre-existing relationship” to include a relationship based on an existing financial contract; the purchase, rental or lease of goods or services or a financial transaction within 18 months before the solicitation is sent; or an inquiry or application by the consumer regarding a product or service within three months of the solicitation. The final rule contains examples applying these standards.

The final rule is substantially similar to the proposal issued in July 2004. Significantly, however, the final rule does not contain the controversial proposed restriction on “constructive sharing,” which would have required an opt-out notice if the financial institution sent an affiliate’s marketing materials to its own customers. For further discussion of the proposed rule, please see this column in the July/August 2004 issue.

The interagency rule on affiliate marketing: http://www.fdic.gov/news/news/press/2007/pr07087.html.

SEC Releases New Resource for Alerting Investors to Unregistered Securities Solicitors

The SEC has proposed a new program, to be known as PAUSE (for Public Alert: Unregistered Soliciting Entities), to alert investors about problems with certain unregistered entities that improperly solicit individuals to purchase securities. According to the SEC, the single largest number of investor complaints received by the agency’s Office of Investor Education and Advocacy concern solicitations involving high-pressure or misleading sales tactics by unregistered entities, sometimes referred to as “boiler rooms.” Specifically, the PAUSE program would be designed to address some common methods used by these entities to mislead investors:

• impersonating U.S. registered securities firms by, for example, using the same or a similar name or providing an address that closely resembles that of a registered firm;

• making false references or false claims of endorsement by government agencies and international organizations; and

• claiming endorsements or making other references to government agencies and international organizations that sound official, but do not exist.

Under the PAUSE program, the SEC would compile a list of solicitors that have been the subject of investor complaints and that either (1) use a name that does not correspond to a registered securities firm, or (2) fraudulently use the name of a registered firm with which the soliciting persons have no affiliation. This list would be made publicly available on the SEC’s website. In addition, each entry on the list would have a comments section that would allow SEC staff to add relevant information on an ongoing basis. These comments could be used to report the results of any investigation of the entity or may provide further information on the entity’s use of false names and addresses.

Comments on the proposal were due by November 1, 2007.

The SEC press release and proposed notice of rulemaking: http://www.sec.gov/news/press/2007/2007-202.htm.
