BILL ANALYSIS



                                                                  AB 1080
                                                                  Page  1

          Date of Hearing:   January 10, 2012

                           ASSEMBLY COMMITTEE ON JUDICIARY
                                  Mike Feuer, Chair
                  AB 1080 (Calderon) - As Amended:  January 4, 2012
           
          SUBJECT  :  Internet Transactions: Banking and Financial Services 

           KEY ISSUE  :  Should banks and credit unions be required to 
          collect and make publicly available information about 
          unauthorized electronic transfer of funds from customers' 
          accounts?

           FISCAL EFFECT  :  As currently in print this bill is keyed 
          non-fiscal. 

                                      SYNOPSIS

          This bill, as currently in print, seeks to require a business 
          that offers banking and financial services to collect 
          information relating to the number of instances in which an 
          unauthorized electronic transfer of funds occurred.  
          Specifically, such businesses would be required to collect 
          information on the number of times which customers claimed to 
          have funds stolen through an unauthorized transfer; the number 
          of times that the business reimbursed a client for the 
          unauthorized electronic transfer of funds; and the number of 
          times that the business determined that funds had been stolen 
          through an unauthorized electronic transfer of funds.  In 
          addition, covered businesses would be required to make an 
          aggregate summary of this information available to the public at 
          all of its locations, or make the aggregate information 
          available on its Internet Web site.  The bill specifies that 
          these requirements would be limited to customers affected in 
          California, and prohibits the disclosure of personal information 
          or the method by which funds were inappropriately accessed.  
          According to the author, the purpose of the bill is to provide 
          policymakers with information about the scope and extent of 
          unauthorized transfer of funds over the Internet.  

          This bill was initially heard by the Committee last year.  It 
          continues to be opposed by companies in the financial industry, 
          who point out, among other things, that customers are already 
          routinely reimbursed by banks and credit unions for unauthorized 
          transfer of funds.  They contend that the kinds of information 
          reported will do little to inform consumers and could create 
          misleading perceptions about the security of customer deposits.  
          They contend that the bill will create an increased burden 
          without any corresponding benefit to the consumer.  They also 
          contend that the bill does not clearly define what businesses 
          are covered or what constitutes an "unauthorized" transfer.  

          The analysis suggests that in the event the Committee concludes 
          the measure is seeking potentially useful aggregate data, the 
          Committee may wish to amend the bill to provide needed 
          definitions as well as to direct the reporting process to the 
          Department of Financial Institutions, which is tasked with 
          considering this type of information to protect consumers, 
          rather than to consumers directly, as this information could, as 
          opponents note, be confusing and potentially deceptive on an 
          individual financial institution basis. 

           SUMMARY  :  Requires a bank or other financial institution that 
          provides electronic fund transfer services to its customers to 
          collect information relating to unauthorized electronic fund 
          transfer.  Specifically,  this bill  :  

          1)Requires a business that provides banking and other financial 
            services and provides electronic fund transfer services to its 
            customers to collect, report, and update on a quarterly basis, 
            the following information:

             a)   The number of instances a client claimed to have had 
               funds stolen through the unauthorized use of the electronic 
               fund transfer service. 
             b)   The number of instances a bank or financial institution 
               reimbursed funds a client claimed to have had stolen 
               through the unauthorized use of the electronic fund 
               transfer service. 
             c)   The number of instances a bank or financial institution 
               determined that funds had been stolen through the 
               unauthorized use of the electronic fund transfer service.
             d)   The aggregate dollar amount of funds that clients 
               claimed to have had stolen through the unauthorized use of 
               the electronic fund transfer service. 
             e)   The aggregate dollar amount of funds that a bank or 
               financial institution determined to have been stolen 
               through the unauthorized use of the electronic fund 
               transfer service. 
             f)   The average and median amount of funds stolen through 
               the unauthorized use of the electronic fund transfer 
               service.

          2)Requires that the above information be summarized and made 
            available to the public at every location of the bank or 
            financial institution within the state, or on the bank's or 
            financial institution's Internet Web site.

          3)Prohibits a bank or financial institution from disclosing any 
            personal information affecting a customer or the methods 
            used to access the electronic fund transfer.

          4)Specifies that the collection of the above statistics shall be 
            limited to consumers affected in California.
           
          EXISTING LAW  : 

          1)Sets forth, under regulations pursuant to the federal 
            Electronic Fund Transfer Act, the rights, liabilities, and 
            responsibilities of consumers who use electronic fund transfer 
            services and of financial institutions that offer those 
            services.  (12 CFR Section 205.1.)

          2)Requires, under the federal USA PATRIOT ACT, that banks, 
            savings associations, and credit unions verify the identity of 
            customers who open a new account.  (31 USC Section 5318.) 

          3)Makes it unlawful to knowingly access and, without permission, 
            alter, damage, delete, destroy, or otherwise use any data, 
            computer, computer system, or computer network to (1) devise 
            or execute a scheme to defraud or extort, or (2) wrongfully 
            control or obtain money, property, or data.  (Penal Code 
            Section 502.)

          4)Makes it unlawful to willfully use someone else's personal 
            identifying information for an unlawful purpose, including 
            obtaining or attempting to obtain credit, goods, services, or 
            medical information in the name of the other person without 
            that person's consent.  (Penal Code Section 530.5.)

          5)Requires a business that owns or licenses personal information 
            about a California resident to implement and maintain 
            reasonable security procedures and practices and requires a 
            business to provide a specified notice to consumers in the 
            event of a breach of that consumer's personal information.
            (Civil Code Sections 1798.81.5 and 1798.82.) 

           COMMENTS  :  As originally introduced this bill would have 
          required banks and other financial service companies that permit 
          customers to transfer funds over the Internet to develop 
          reasonable security policies in order to authenticate and verify 
          the legitimacy of a consumer's on-line transaction.  The current 
          bill instead requires a business that offers electronic banking 
          or financial services to collect aggregate information on the 
          number and value of unauthorized electronic fund transfers 
          and to make this information available, in summary form, to the 
          public.  The bill expressly provides that this collection 
          requirement only applies to customers affected in California, 
          and the information available to the public shall only consist 
          of aggregate data that cannot be linked to any particular 
          individual and it shall not describe the means by which the 
          unauthorized transfer occurred to the extent it would provide 
          useful information to hackers. 

          In support of the bill, the author states on-line banking 
          accounts are becoming increasingly subjected to "sophisticated 
          hacking techniques."  The author believes that the information 
          required by this bill is needed in order to determine the extent 
          of the problem and the best way of addressing the problem.  
          According to the author, with the technological "progression of 
          Trojan and Phishing malware, online bank accounts are becoming 
          increasingly subject to sophisticated hacking techniques."  Yet, 
          unfortunately, "there is no clear data illustrating the extent 
          of the problem."  The author believes that this bill will "help 
          provide the legislature and the public with accurate information 
          to better address the various issues of online security."  The 
          author also states that this bill will provide consumers with 
          information about the extent of unauthorized electronic 
          transfers and thereby provide an important educational function. 


           Definitional Issues Needing Substantial Clarification  :   The 
          measure continues to contain a number of ambiguous terms that, 
          if it moves forward, need substantial clarification.  These 
          ambiguous terms include:
           
          - The bill in print would require the business to report the 
            number of instances in which "an unauthorized" electronic 
            transfer of funds occurred, but it does not define the 
            critical terms "unauthorized" or "electronic fund transfer."  
            While the general intent of the bill may be clear, for 
            purposes of drafting legislation "unauthorized transfer" 
            requires a much more precise definition, depending on exactly 
            what kinds of fraud the author seeks to identify.  Presumably 
            "unauthorized transfer" would, at a minimum, mean an 
            electronic fund transfer that was done (1) by someone other 
            than the person or persons named on the account and (2) 
            without the knowledge or consent of the person or persons 
            named on the account.  The suggested committee amendments 
            below seek to address these issues.  The amendments proposed 
            below use the definition of "electronic fund transfer" 
            provided in federal Regulation E (12 CFR 205.3.)

          - As currently drafted, the bill applies to any "business that 
            provides banking and other financial services and provides 
            electronic fund transfers to its customers."  Later, 
            however, the bill refers only to "banks and financial 
            institutions" even though many other types of businesses 
            provide banking and financial services that involve the 
            electronic transfer of funds from one account to another (e.g. 
            PayPal, Western Union, and, increasingly, many large 
            retailers).  The author's office has informed the Committee 
            that the intent of the bill is not to cover these other types 
            of businesses, but rather to protect savings and checking 
            accounts in banks and credit unions.  Since this apparently is 
            the author's intent, the amendments suggested below seek to 
            restrict the bill's application to banks and credit unions, 
            and employ the definitions of "bank" and "credit union" that 
            are used in Sections 103 and 165 of the Financial Code, 
            respectively.

           Proposed Committee Amendments  : 

             -    On page 2 lines 3-4 delete "A business that 
               provides banking or other financial services and" and 
               insert :   A bank or credit union that  

             -    On page 2 lines 14, 17, 24, 34, and 35 delete "financial 
               institution" and insert   credit union  

             -    On page 2 line 28 delete "banking and financial 
               institution" and insert:  bank or credit union 
                
             -    On page 2 line 36 delete "A bank or financial 
               institution may" and insert:  Any report required by this 
               section shall
                
             -    On page 2 after line 38 insert the following:

           (c) For purposes of this section:

                  (1)       A "bank" means any business incorporated to 
                    engage in commercial banking business, as defined in 
                    Section 109 of the Financial Code.
                  (2)       A "credit union" means a corporation of the 
                    type described in Section 14002 of the Financial 
                    Code.
                  (3)       An "electronic fund transfer" means any 
                    transfer of funds from a bank or credit union account 
                    that is initiated through an electronic terminal, 
                    telephone, computer, or magnetic tape for the purpose 
                    of ordering, instructing, or authorizing a financial 
                    institution to debit or credit a consumer's account.
                  (4)       An "unauthorized electronic fund transfer" 
                    means any electronic fund transfer from a bank or 
                    credit union account that is initiated by someone 
                    other than the person named on the account and without 
                    the knowledge or consent of the person named on the 
                    account. 
           
           ARGUMENTS IN OPPOSITION  :  The California Credit Union League 
          (CCUL) believes that this bill "would impose onerous and 
          misleading reporting of unauthorized electronic fund transfers." 
           While CCUL notes that it would support - and in the past has 
          supported - legislation to protect customer accounts from 
          breaches, it believes that AB 1080 would "provide consumers with 
          misleading information while placing the blame solely on 
          financial institutions for data breaches of all kinds."  
          Specifically, CCUL raises the following points:

             - The bill does not provide a clear and consistent 
               definition of which businesses that provide banking and 
               financial services would have to report unauthorized 
               electronic fund transfers.  CCUL also notes that the bill 
               fails to provide a definition of "electronic fund 
               transfer," though it notes that under Federal Regulation E 
               (12 USC Section 205.3) an electronic fund transfer refers 
               to more than just "Internet" transactions; it refers to any 
               transaction that is initiated by electronic terminal, 
               telephone, computer, or magnetic tape for the purpose of 
               ordering, instructing, or authorizing a financial 
               institution to debit or credit a consumer's account.

             - Credit unions are already required by state and federal 
               law to ensure the safety and soundness of electronic fund 
               transfers and adopt reasonable security policies.  
               Moreover, CCUL points out that, to protect both their own 
               and the customer's interest, credit unions "prioritize 
               protecting and properly securing our members' financial 
               information."  CCUL adds that its members follow the 
               standard industry practice of provisionally crediting a 
               customer's account in the event of an unauthorized transfer 
               until an investigation is completed and, if it is determined 
               that an unauthorized transfer has occurred, fully 
               reimbursing the customer.

             - Finally, CCUL argues that this bill will only provide 
               customers with "misleading" information.  That is, 
               financial institutions would be required to report 
               unauthorized transfers even though someone else caused the 
               breach, such as a retail merchant or an employer who made a 
               payroll error.  Yet, CCUL contends, placing the onus on the 
               financial institution will mislead "our members and the 
               general public to unfairly distrust the safety and 
               soundness of the financial institution."

          The California Chamber of Commerce, the California Bankers 
          Association, and other financial and technology associations 
          oppose this bill for substantially the same reasons as those 
          given by the CCUL.  However, a joint letter of opposition by 
          these groups adds that the reporting system required by this 
          bill is based on "customer claims that may not be accurate," as 
          well as the number of times a customer has been reimbursed.  
          Opponents contend that customers frequently have claims reversed 
          (and funds reimbursed) "notwithstanding the veracity of the 
          claim."  This would, opponents contend, "result in inflated 
          unauthorized activity reports and the dollars associated with 
          those claims.  Consequently, the general public is provided 
          inaccurate information and an unnecessary cause of concern." 

          Finally, the opposition's joint letter cites two additional 
          issues.  First, the bill does not apply to governmental entities 
          which allow the payment of fees and fines on-line, and thus from 
          their standpoint unfairly singles out businesses.  In this 
          regard, opponents note that existing data security laws apply to 
          both businesses and government entities where both pose a 
          similar risk to consumers.  "If the general public is going to 
          be truly educated on unauthorized use of financial 
          transactions," opponents contend, "they should cover all 
          entities that process financial transactions, including the 
          government."  Second, opponents note that the bill is silent on 
          penalties for failure to comply.  Opponents fear, however, that 
          a violation of the bill's provisions potentially exposes 
          businesses to lawsuits under Business & Professions Code Section 
          17200, and creates "sizable penalties for a vaguely worded and 
          ambiguous bill." 

           Possible Additional Committee Amendment  :  In light of the 
          possibility that this bill, as currently drafted, will provide 
          potentially misleading information to consumers, the Committee 
          may wish to discuss with the author amending the bill to have 
          the collected information transmitted to the Department of 
          Financial Institutions (DFI), rather than made directly 
          available to members of the public, at this time.  One of the 
          primary missions of the DFI is to ensure public confidence in 
          financial institutions.  This data could be potentially useful 
          to the Department in determining whether there is indeed a 
          substantial consumer issue that needs to be addressed.  This 
          approach might be found by the Committee to provide a 
          potentially helpful pilot-type approach to addressing the 
          author's concerns.  Should the Committee and the author find 
          this alternative reporting approach acceptable, majority and 
          minority Committee counsel can work with the author's staff to 
          craft the needed amendments to accomplish this new approach. 

           Bill to Be Returned to Committee If Subsequently Amended  :  
          Consistent with the Committee's rules and practice, this measure 
          shall be returned to the Committee for further review in the 
          event it is amended in the future. 
                
          REGISTERED SUPPORT / OPPOSITION  :   

           Support 
           
          None on file

           Opposition 
           
          American Express
          California Bankers Association
          California Chamber of Commerce
          California Credit Union League 
          California Independent Bankers Association 
          California Mortgage Bankers Association
          TechAmerica
          TechNet
           

          Analysis Prepared by :    Thomas Clark / JUD. / (916) 319-2334