BILL NUMBER: AB 1080
INTRODUCED BILL TEXT

INTRODUCED BY Assembly Member Charles Calderon
FEBRUARY 18, 2011

An act to add Section 1798.825 to the Civil Code, relating to Internet transactions.

LEGISLATIVE COUNSEL'S DIGEST

AB 1080, as introduced, Charles Calderon. Internet transactions: verification: banking and financial services.

Existing law sets forth comprehensive provisions governing funds transfers, as defined, including provisions related to the issuance and acceptance of payment orders, requirements for verification, the effect of errors, the effect of acceptance of a payment order, and related provisions.

This bill would require a business that provides banking or other financial services, as specified, over the Internet to implement and maintain reasonable policies and procedures for authenticating and verifying the legitimacy of a consumer transaction over the Internet, as specified. The bill would authorize the imposition of a civil penalty, as specified, and a civil action for a violation of this provision, as specified.

Vote: majority. Appropriation: no. Fiscal committee: no. State-mandated local program: no.

THE PEOPLE OF THE STATE OF CALIFORNIA DO ENACT AS FOLLOWS:

SECTION 1. Section 1798.825 is added to the Civil Code, to read:

1798.825. (a) A business that provides banking or other financial services that allows access to or movement of funds under the ownership or control of a person or business over the Internet shall implement and maintain reasonable policies and procedures for authenticating and verifying the legitimacy of a consumer transaction made over the Internet.

(b) The business providing banking or other financial services that allows access to or movement of funds under the ownership or control of a person or business over the Internet shall utilize an out-of-band, two-factor authentication solution to ensure strong authentication and identity management of users performing transactions and accessing financial account information over the Internet.

(c) A civil penalty in the amount of three thousand dollars ($3,000) may be imposed on a business that fails to conduct an Internet transaction with a consumer in compliance with the policies and procedures required pursuant to subdivisions (a) and (b).

(d) Any consumer injured by a fraudulent transaction in violation of the requirement specified in subdivisions (a) and (b) may institute a civil action to recover damages.

(e) The rights and remedies under this section are cumulative with each other and with any other rights and remedies under law.

(f) Any entity regulated by the Department of Insurance is exempt from the requirements of this section. However, this exemption does not apply to any entity that is regulated by both the Department of Insurance and the Department of Financial Institutions.

(g) For purposes of this section:

(1) "Accessing financial account information" shall mean any change to the information associated with an account that risks exposing the consumer to monetary loss.

(2) "Consumer" shall mean any person or entity that is a customer of a business providing banking or other financial services.

(3) "Out-of-band, two-factor authentication" shall mean that the manner of confirming the details of an online financial services transaction and the identity of its initiator shall employ a communications channel other than the Internet.

(4) "Payment order" shall mean either an actual, specific instruction to pay a specific amount to a specific payee, or the enrollment of that payee as an entity that is eligible for valid payments at some future time. If the latter is authenticated by multiple separate means as provided in this section, then subsequent payments to that entity are not included in this definition and are not subject to this section.

(5) "Strong authentication" shall mean the confirmation via a communication channel other than the Internet of both the identity of the initiator of a transaction and that the details of that transaction are those intended by its initiator.
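Subdivisions (b), (g)(3) and (g)(5) require more than a second login factor: the out-of-band channel must confirm the details of the transaction as the initiator intended them. What makes that enforceable on the server side is binding the confirmation code to the exact payee and amount, so that a code the consumer approved for one payment order cannot be replayed by browser malware against a different one. The following is an added example illustrating that binding; it is not part of the bill and not any institution's implementation. SERVER_KEY, the function names, the 6-digit code length and the sample customer and payee values are assumptions for illustration, and the non-Internet channel (SMS or voice call) is simulated by returning the message text that would be sent.

```python
"""Out-of-band, transaction-bound confirmation codes (added example, not from AB 1080)."""
import hashlib
import hmac
import secrets
import time

# Assumption: a server-side secret; real deployments keep it in an HSM or KMS.
SERVER_KEY = b"example-only-server-key"
CODE_DIGITS = 6                 # assumed code length
CODE_LIFETIME_SECONDS = 300     # assumed validity window


def _canonical(user_id: str, payee: str, amount_cents: int, nonce: str) -> bytes:
    """Length-prefix every field so ('ab', 'c') and ('a', 'bc') cannot serialize identically."""
    out = b""
    for field in (user_id, payee, str(amount_cents), nonce):
        raw = field.encode("utf-8")
        out += len(raw).to_bytes(2, "big") + raw
    return out


def _code_for(user_id: str, payee: str, amount_cents: int, nonce: str) -> str:
    """HMAC over the transaction details, truncated to a code a person can type back."""
    mac = hmac.new(SERVER_KEY, _canonical(user_id, payee, amount_cents, nonce), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**CODE_DIGITS:0{CODE_DIGITS}d}"


def issue_confirmation(user_id: str, payee: str, amount_cents: int, now=None):
    """Record the pending payment order and build the message for the out-of-band channel.
    The message states the payee and amount so the consumer sees what they are approving."""
    now = time.time() if now is None else now
    nonce = secrets.token_hex(16)  # makes each code single-purpose even for identical orders
    pending = {"user_id": user_id, "payee": payee, "amount_cents": amount_cents,
               "nonce": nonce, "issued_at": now, "used": False}
    code = _code_for(user_id, payee, amount_cents, nonce)
    message = f"Pay {amount_cents / 100:.2f} to {payee}? Reply with code {code}"
    return pending, message


def verify_confirmation(pending: dict, submitted_payee: str, submitted_amount_cents: int,
                        submitted_code: str, now=None):
    """Recompute the code over the details the server is about to EXECUTE, not the ones it
    originally displayed. A man-in-the-browser that rewrites payee or amount after the code
    was issued produces a mismatch. Returns (approved, reason)."""
    now = time.time() if now is None else now
    if pending["used"]:
        return False, "code already used"
    if now - pending["issued_at"] > CODE_LIFETIME_SECONDS:
        return False, "code expired"
    expected = _code_for(pending["user_id"], submitted_payee, submitted_amount_cents, pending["nonce"])
    if not hmac.compare_digest(expected, submitted_code):  # constant-time comparison
        return False, "code does not match transaction details"
    pending["used"] = True  # single use: the same code cannot approve a second order
    return True, "approved"


def extract_code(message: str) -> str:
    """Simulates the consumer reading the code off the out-of-band message."""
    return message.rsplit(" ", 1)[1]


if __name__ == "__main__":
    # Constructed sample order: customer cust-42 pays 125.00 to ACME Utilities.
    order, sms = issue_confirmation("cust-42", "ACME Utilities", 12500)
    code = extract_code(sms)
    print(sms)
    print(verify_confirmation(order, "Mule Account 99", 12500, code))   # tampered payee
    print(verify_confirmation(order, "ACME Utilities", 12500, code))    # intended order
    print(verify_confirmation(order, "ACME Utilities", 12500, code))    # replay
```

Two points a practitioner should carry over from this. First, the verification recomputes the code over the submitted payee and amount rather than comparing against a stored code; a plain login-style OTP that is not derived from the order details would validate just as well for a rewritten payee, which is exactly the gap subdivision (g)(5) is aimed at. Second, a 6-digit truncation leaves a one-in-a-million guess per attempt, so the endpoint that accepts codes needs a small failure limit per pending order and lockout on exhaustion. Under subdivision (g)(4), enrolling a new payee is itself a payment order, so the same binding applies to the enrollment step, with the payee identifier as the detail being confirmed.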