Pub. 11 2016-2017 Issue 1
www.nebankers.org 16 Extraordinary Service for Extraordinary Members.

For more information, contact Jeff Makovicka at Kutak Rock LLP at (402) 346-6000 or jeff.makovicka@kutakrock.com. Makovicka is a member of Kutak Rock LLP’s banking practice group where he concentrates on bank matters.

even if representations are not an issue, the CFPB, like the FTC and other banking regulators, could nonetheless target faulty data practices on unfairness theories.

• Policies and procedures. Without quantifiable consumer harm, the CFPB’s basis for alleging “deceptive” acts and practices was based on purported deficiencies in Dwolla’s data security representations. Banks should ensure that documented policies and procedures are in place regarding data security. Make sure your policies and procedures are aligned with your marketing. If not, change them.

• Vendor management. Managing vendor risk is important, especially in this area. Banks should develop, implement and maintain reasonable procedures for the selection and retention of service providers capable of maintaining sound data security practices and appropriate safeguards. Constant communication with vendors is important as the service provided and the bank’s marketing communications (or representations) must reconcile.

• Doing what you say and updating what you say. Pay special attention with regard to new rollouts. Banks are constantly trying to roll out new applications to create new functionality on their website or mobile platform. If the bank is not providing the same security measures for every rollout before such service becomes live, then the bank may have potential risk.

Banks should review and analyze all advertising and marketing materials as well as content displayed on the bank’s website and in the bank’s mobile application.
Any statements or representations regarding data security and privacy should be evaluated to determine whether such statements accurately reflect the bank’s data security policies and procedures. Rolling out any new programs should necessarily include an analysis as to whether any data security representations should be updated in light of the new rollout.

1 See CFPB Consent Order, In the Matter of Dwolla Inc., March 2, 2016 (File No. 2016-CFPB-007) (the “Consent Order”).

2 Title X of the Dodd-Frank Act. 12 U.S.C. § 5481 et seq.

3 Although banks with less than $10 billion in assets are not subject to the CFPB’s direct supervision, community banks should pay attention to the CFPB. Since the creation of the CFPB along with its rule writing powers, prudential banking regulators have not only intensified their focus on consumer compliance, but are also seemingly modeling their strategies after the CFPB. The CFPB also has the authority and power to “notify the prudential regulator in writing and recommend appropriate action” for any community bank the CFPB believes has violated federal consumer financial law. See 12 U.S.C. § 5516. In short, the CFPB is having a real influence on the daily operations of banks, regardless of size.

4 The Payment Card Industry (PCI) Security Standards Council is an open global forum that issues the data security compliance standards for cardholder data adopted by some of the world’s largest payment card networks.

5 15 U.S.C. § 45(n).

6 F.T.C. v. Wyndham Worldwide Corp., 799 F.3d 236 (3d Cir. 2015).

Counselor’s Corner — continued from page 15