BILL NUMBER: AB 1080 INTRODUCED
BILL TEXT
INTRODUCED BY Assembly Member Charles Calderon
FEBRUARY 18, 2011
An act to add Section 1798.825 to the Civil Code, relating to
Internet transactions.
LEGISLATIVE COUNSEL'S DIGEST
AB 1080, as introduced, Charles Calderon. Internet transactions:
verification: banking and financial services.
Existing law sets forth comprehensive provisions governing funds
transfers, as defined, including provisions related to the issuance
and acceptance of payment orders, requirements for verification, the
effect of errors, the effect of acceptance of a payment order, and
related provisions.
This bill would require a business that provides banking or other
financial services, as specified, over the Internet to implement and
maintain reasonable policies and procedures for authenticating and
verifying the legitimacy of a consumer transaction over the Internet,
as specified. The bill would authorize the imposition of a civil
penalty, as specified, and a civil action for a violation of this
provision, as specified.
Vote: majority. Appropriation: no. Fiscal committee: no.
State-mandated local program: no.
THE PEOPLE OF THE STATE OF CALIFORNIA DO ENACT AS FOLLOWS:
SECTION 1. Section 1798.825 is added to the Civil Code, to read:
1798.825. (a) A business that provides banking or other financial
services that allows access to or movement of funds under the
ownership or control of a person or business over the Internet shall
implement and maintain reasonable policies and procedures for
authenticating and verifying the legitimacy of a consumer transaction
made over the Internet.
(b) The business providing banking or other financial services
that allows access to or movement of funds under the ownership or
control of a person or business over the Internet shall utilize an
out-of-band, two-factor authentication solution to ensure strong
authentication and identity management of users performing
transactions and accessing financial account information over the
Internet.
(c) A civil penalty in the amount of three thousand dollars
($3,000) may be imposed on a business that fails to conduct an
Internet transaction with a consumer in compliance with the policies
and procedures required pursuant to subdivisions (a) and (b).
(d) Any consumer injured by a fraudulent transaction in violation
of the requirement specified in subdivisions (a) and (b) may
institute a civil action to recover damages.
(e) The rights and remedies under this section are cumulative with
each other and with any other rights and remedies under law.
(f) Any entity regulated by the Department of Insurance is exempt
from the requirements of this section. However, this exemption does
not apply to any entity that is regulated by both the Department of
Insurance and the Department of Financial Institutions.
(g) For purposes of this section:
(1) "Accessing financial account information" shall mean any
change to the information associated with an account that risks
exposing the consumer to monetary loss.
(2) "Consumer" shall mean any person or entity that is a customer
of a business providing banking or other financial services.
(3) "Out-of-band, two-factor authentication" shall mean that the
manner of confirming the details of an online financial services
transaction and the identity of its initiator shall employ a
communications channel other than the Internet.
(4) "Payment order" shall mean either an actual, specific
instruction to pay a specific amount to a specific payee, or the
enrollment of that payee as an entity that is eligible for valid
payments at some future time. If the latter is authenticated by
multiple separate means as provided in this section, then subsequent
payments to that entity are not included in this definition and are
not subject to this section.
(5) "Strong authentication" shall mean the confirmation via a
communication channel other than the Internet of both the identity of
the initiator of a transaction and that the details of that
transaction are those intended by its initiator.