BILL NUMBER: AB 1080	AMENDED
	BILL TEXT

	AMENDED IN ASSEMBLY  MAY 4, 2011
	AMENDED IN ASSEMBLY  APRIL 25, 2011

INTRODUCED BY   Assembly Member Charles Calderon

                        FEBRUARY 18, 2011

   An act to add Section 1798.825 to the Civil Code, relating to
Internet transactions.


	LEGISLATIVE COUNSEL'S DIGEST


   AB 1080, as amended, Charles Calderon. Internet transactions:
verification: banking and financial services.
   Existing law sets forth comprehensive provisions governing funds
transfers, as defined, including provisions related to the issuance
and acceptance of payment orders, requirements for verification, the
effect of errors, the effect of acceptance of a payment order, and
related provisions. 
   This bill would require a business that provides banking or other
financial services, as specified, over the Internet to implement and
maintain reasonable policies and procedures for authenticating and
verifying the legitimacy of a consumer transaction over the Internet,
as specified. The bill would authorize the imposition of a civil
penalty in the amount of $3,000 and the institution of a civil action
by a consumer for a violation of this requirement.  
   This bill would require a business that provides banking or other
financial services and that allows for the movement of specified
funds over the Internet to collect and report, on an annual basis,
information relating to unauthorized transfers of funds over the
Internet, and to post this report on its Internet Web site, as
specified. 
   Vote: majority. Appropriation: no. Fiscal committee: no.
State-mandated local program: no.


THE PEOPLE OF THE STATE OF CALIFORNIA DO ENACT AS FOLLOWS:

   SECTION 1.  Section 1798.825 is added to the Civil Code, to
read:
   1798.825.  (a) A business that provides banking and other
financial services and that allows for the movement of funds under
the ownership and control of a person or business over the Internet
shall collect and report, on an annual basis, the following
information:
   (1) The number of instances in which an unauthorized transfer of
funds occurred over the Internet.
   (2) The total sum of unauthorized funds transferred over the
Internet.
   (b) The collection of these statistics shall be limited to
customers affected in California.
   (c) The report shall be conspicuously posted on the Internet Web
site of the bank or financial institution.
   SECTION 1.  Section 1798.825 is added to the
Civil Code, to read:
   1798.825.  (a) A business that provides banking or other financial
services that allows movement of funds or change of personal account
information under the ownership or control of a person or business
over the Internet shall implement and maintain reasonable policies
and procedures for authenticating and verifying the legitimacy of a
consumer transaction made over the Internet.
   (b) The policies and procedures that a business implements
pursuant to subdivision (a) shall, at a minimum, be consistent with
the best industry practices promulgated by the Federal Financial
Institutions Examination Council, as they may be updated from time to
time.
   (c) The business providing banking or other financial services
that allows movement of funds or change of personal account
information under the ownership or control of a person or business
over the Internet shall utilize an out-of-band, two-factor
authentication solution to ensure strong authentication and identity
management of users performing transactions and accessing financial
account information over the Internet.
   (d) Subdivisions (a), (b), and (c) shall apply to transactions
initiated via the Internet that result in any of the following:
   (1) The movement of funds to a new entity, account, or destination
that is not a bill pay recipient recognized by the business in an
established list of payment recipients.
   (2) A transfer to a previously established recipient account that
is inconsistent with prior payments sent to that account or that is
200 percent or greater than any previous payment to that account.
   (3) An update of account information.
   (4) The establishment of a new account or line of credit.
   (e) A civil penalty in the amount of three thousand dollars
($3,000) may be imposed on a business that fails to conduct an
Internet transaction with a consumer in compliance with the policies
and procedures required pursuant to subdivisions (a), (b), and (c).
   (f) Any consumer injured by a fraudulent transaction in violation
of the requirements specified in subdivisions (a), (b), and (c) may
institute a civil action to recover damages.
   (g) The rights and remedies under this section are cumulative with
each other and with any other rights and remedies under law.
   (h) Any entity regulated by the Department of Insurance is exempt
from the requirements of this section. However, this exemption does
not apply to any entity that is regulated by both the Department of
Insurance and the Department of Financial Institutions.
   (i) For purposes of this section:
   (1) "Accessing financial account information" shall mean any
change to the information associated with an account that risks
exposing the consumer to monetary loss.
   (2) "Consumer" shall mean any person or entity that is a customer
of a business providing banking or other financial services.
   (3) "Out-of-band, two-factor authentication" shall mean that the
manner of confirming the details of an online financial services
transaction and the identity of its initiator shall employ a
communications channel other than the Internet.
   (4) "Payment order" shall mean either an actual, specific
instruction to pay a specific amount to a specific payee, or the
enrollment of that payee as an entity that is eligible for valid
payments at some future time. If the latter is authenticated by
multiple separate means as provided in this section, then subsequent
payments to that entity are not included in this definition and are
not subject to this section.
   (5) "Strong authentication" shall mean the confirmation via a
communication channel other than the Internet of both the identity of
the initiator of a transaction and that the details of that
transaction are those intended by its initiator.
   (6) "Update of account information" includes, but is not limited
to, a change in any of the following:
   (A) Profile information, including addresses, telephone numbers,
and e-mail addresses.
   (B) Payee or payroll information.
   (C) Any other information that may place the account holder's
funds at risk.