PaymentsCompliance: Data Protection In A ‘Post-Dwolla’ World: Industry Told To Up Standards


U.S. financial institutions that are well prepared for a cyber-attack could save millions of dollars if a breach occurs, legal experts have said, in an increasingly hostile regulatory environment.

Courtney Stout, an attorney at Davis Wright Tremaine law firm, told last week’s Emerging Payment Systems event in Washington, D.C. that the average cost of identifying a data breach in fewer than 100 days is $5.8m, compared with $8m for firms that act more slowly.

Controlling a breach in less than 30 days will cost an average of $5.2m, compared with $8.8m after 30 days, she added.

“Things that you can do to prepare your employees can save your company money,” Stout said.

“Data breaches can be prevented if you have all of the right people.”

The $100,000 fine imposed on online payment platform Dwolla by consumer protection authorities in March, despite there being no allegation that a data breach actually occurred, has been seen as a landmark case by cybersecurity experts.

The Consumer Financial Protection Bureau (CFPB) said Dwolla had “failed to employ reasonable and appropriate measures to protect data obtained from consumers from unauthorized access,” and so was liable for a financial penalty — the first it had ever issued on security grounds.

“We don’t know what started the Dwolla investigation,” Stout added. “It was one of the first cases that didn’t stem from a data breach.”

For New York lawyer Jessica Sklute, special counsel at Schulte Roth & Zabel, payments providers and other financial firms should ensure they are meeting requirements set out in the Gramm-Leach-Bliley Act (GLBA).

“GLBA is the primary U.S. law that governs privacy,” said Sklute.

“It’s meant to regulate financial institutions, but broadly covers many businesses.”

The act generally requires that financial institutions inform their customers annually on how they share customers’ non-public personal information.

If the institution shares this information with unaffiliated third parties in ways other than specified by statute, Sklute warned that the institution must notify customers of their right to opt out of sharing, and inform them how to do so.

The federal law consists of three sections:

  • The financial privacy rule, which regulates the collection and disclosure of private financial information.
  • The safeguards rule, which stipulates that financial institutions must implement security programs to protect such information.
  • The pretexting provisions, which prohibit the practice of accessing private information using false pretences.

The GLBA, particularly the safeguards rule, has been used by the CFPB and the Federal Trade Commission (FTC) to investigate and fine companies that violate standards when it comes to cybersecurity and data privacy.

Sklute said the FTC has settled more than 50 data security cases over the years under the GLBA.

She said that some of the best examples were cases involving Eli Lilly, Snapchat, and Wyndham Worldwide.

“The CFPB has been very aggressive,” said attorney Barrie VanBrackle, a partner with Orrick, Herrington & Sutcliffe.

“It takes a company down and a lot of others with it.”

For Sklute, the CFPB’s case against Dwolla using the safeguard provision of the GLBA means companies need to be careful of the promises they make about protecting customers from data breaches and other cybersecurity threats.

Among Sklute’s suggestions were maintaining communications between the legal and marketing teams, accurately reflecting policies and practices of the business, and avoiding consumer promises that are not legally or technically accurate.

Stout agreed, but focused her comments on how companies can mitigate the risk from a data incident.

She reminded event attendees it is not a matter of if, but when, a company deals with a data breach.

Among the factors that can decrease a financial firm’s exposure are creating an incident response team and training its employees.

What a business cannot control, Stout said, is the size and type of incident.

“Size is going to be one of the very few elements of a breach that are out of your control,” she said.


PaymentsCompliance: U.S. Money Transmission: Stitching Together The Patchwork Of State Regulations


Three years ago, Illinois told eight start-up financial companies to stop doing business in the state, arguing the companies were engaged in money transmission and so required a license.

Today, Square, a payments company with a card-reader that plugs into a tablet or smart phone, is doing business once again in the state.

A senior assistant attorney general said the incident highlights how broad the state’s statute that regulates the payment industry is.

“Any person who sells or issues a payment instrument needs to be licensed,” Thomas James, senior assistant attorney general with the Consumer Counsel-Consumer Fraud Bureau in the Illinois Attorney General’s office, said Thursday during a panel discussion at the 13th National Forum on Emerging Payment Systems in Washington, D.C.

“We have a pretty broad statute,” Thomas said. “Illinois is also pretty draconian when it comes to penalties.

“The penalty for unlicensed money transfers equals four times the value. That’s bankruptcy for most businesses.”

Thomas reiterated that the agency has gone after anyone who they think is operating without a license, including new online companies.

At the time, Square was new in the emerging payments sector, where companies did what other banks and financial institutions did but using the Internet.

Square allows anyone to take a credit card payment without the fees associated with partnering with a bank.

Thomas said the state issued cease and desist orders to Square and other financial companies in 2013, but that “like the federal government, states go through regime change and one regime may not go after this as did the old regime”.

In New Hampshire, the state’s merchant payment process recognizes the Financial Crimes Enforcement Network (FinCEN) model, which regulates the receiving or sending of money or the selling or issuing of cards with a shared value.

Authorities said they generally attempt to adopt a business-friendly approach.

“If we deal with fraud with a cease and desist letter it is to protect the consumer,” said Maryam Torben Desfosses, hearings examiner with the New Hampshire Banking Department.

Desfosses said the state “likes to be fair” with its orders, especially with unlicensed activity, carrying a fine of $1,500 to $2,500 per transaction.

“I don’t want to bankrupt your company,” Desfosses said.

But she said New Hampshire has identified payment processing companies doing business unlicensed for six months, and even companies doing business for five years without a license.

She did not identify the companies.

Desfosses and Thomas took part in a panel discussion with three other regulators and attorneys titled “Ensuring Compliance with the Increasingly Aggressive State Regulatory and Enforcement Framework Governing Emerging Payment Systems.”

Desfosses cited the example of one company, which was subject to a consent order after illegal payments were discovered, but insisted the door is open for the company to re-apply once it is ready.

“We’ll resolve the issues of [know your customer] or [anti-money laundering] policy,” Desfosses said.

“We don’t want to ding the license. We want your company to come back. They were a young company and we liked them.”

Illinois and New Hampshire are two of the 49 states that regulate money transmissions; the only state that does not is Montana, according to Donald Mosher, a partner with the law firm Schulte Roth & Zabel.

Mosher said Massachusetts has a law that regulates international money transmission, but while a bill to regulate state transmission is introduced every year, it repeatedly falls short of passage.

Both South Carolina and New Mexico recently passed new laws regulating money transmitters, both of which take effect in 2017.

Money transmission is defined as “selling or issuing payment instruments, stored value, or receiving money or monetary value for transmission”.

“These laws are there to protect consumers,” Mosher said.

James agreed, saying businesses need to be extremely cautious when wiring money.

He described many of the unlicensed money transmitters as “thieves”, with a tremendous opportunity to make lots of money.

GamblingCompliance: Court Dismisses Challenge To North Fork Tribe’s Casino


A federal judge in Washington, D.C. has rejected a wide-ranging legal challenge to the North Fork Rancheria of Mono Indians’ casino, clearing what could be the last road block placed in front of the development just north of Madera in central California.

In her 170-page ruling, U.S. District Court Judge Beryl Howell dismissed a number of the arguments raised by casino opponents, who have been trying to block the project for more than seven years.

“While the plaintiffs’ many concerns about the impending casino development are understandable, the law is not on their side,” Howell wrote.

The lawsuit was brought by Stand Up for California, several Madera-area church-related groups and the Picayune Rancheria of the Chukchansi Indians, whose members operate their own casino — Chukchansi Gold Resort and Casino – some 31 miles from Madera.

“To stop the casino from coming to fruition, [opponents] have initiated both state and federal litigation as well as state-wide political efforts over the past seven-plus years, setting in their own words, ‘high legal and political hurdles,’” Howell wrote.

She added that “this case is one of those efforts to halt the North Fork tribe’s casino developments.”

Howell’s decision could clear the way for the tribe to build a casino and resort on 305 acres with “2,500 gaming devices, six bars, three restaurants, a five-tenant food court, a 200-room hotel, and 4,500 parking spaces.”

“The casino will undoubtedly have a significant impact on the people and the land in that county, with the hope that it will benefit economically the Indian tribe undertaking its development,” Howell wrote.

As of Friday, no appeal had been filed.

Cheryl Schmit, director of Stand Up for California, told GamblingCompliance they intend to appeal the judge’s ruling.

“We are disappointed by the court’s result, but are determined to continue our opposition to this casino and the expansion of gambling to other off-reservation areas,” Schmit said. “The people of California have spoken loudly that they are behind us in this effort. Our attorneys are still evaluating the issues in this very lengthy judicial opinion, and we intend to appeal.”

Charles Altekruse, a spokesman for the North Fork Rancheria, said the tribe prevailed on all six claims filed by opponents challenging the gaming project.

Stand Up for California and other opponents of the North Fork casino challenged multiple federal decisions, going back to the U.S. Department of the Interior’s September 2011 approval of the tribe’s casino plans.

The legal challenges dismissed Tuesday were initially filed in 2012. The lawsuit was the biggest hurdle to the tribe building its casino on land some seven miles north of Madera.

Howell rejected the Picayune tribe’s argument that the North Fork Rancheria lacks any historical connection to the Madera County land. In her ruling, Howell cited the “historical record,” which includes a treaty in 1851.

Howell also upheld the Interior Department’s conclusion that any “negative impacts” from the casino development “would not be, overall, detrimental to the surrounding community.”

Chairwoman Maryann McGovern said the tribe was “delighted and satisfied” with the court’s ruling.

“After finally overcoming so many legal and political challenges, we are ready to start developing our project so that we can bring jobs and economic opportunity to our tribal members, the community and this region,” McGovern said in a statement.

The Interior Department on August 1 approved a federal gaming compact with the North Fork Rancheria.

Several lawsuits are pending, but Howell’s ruling also puts an end to the questions surrounding the federal government’s authority to put the off-reservation land into trust for the tribe’s casino project.

The compact was opposed by the Chukchansi tribe, which has filed lawsuits trying to stop it and the casino project.

In 2012, Governor Jerry Brown approved a compact with the North Fork tribe that included revenue sharing payments estimated at $3m to $5m annually with other non-gaming tribes.

Under the compact, the Chukchansi tribe would get money from the North Fork tribe to compensate for casino revenue losses. Chukchansi officials have argued North Fork’s casino would reduce its revenue by 38 percent.

However, in 2014 California voters rejected the compact by voting down Proposition 48, 61 percent to 48 percent. In November 2015, North Fork’s casino proposal was saved when a federal judge ordered that the compact be sent to a mediator.

In February, the mediator selected the tribe’s compact over Governor Brown’s. Brown did not ratify the compact supported by the mediator, which left approval up to the Interior Department.

Tribal gaming is big business in the United States, especially in California.

According to financial data compiled by GamblingCompliance, California and northern Nevada was the fastest growing region in 2015, adding three casinos and $601.9m in revenue, with total gross gaming revenue of $7.9bn.


GamblingCompliance: Nevada’s USFantasy Eyes Pennsylvania For Potential Expansion


Nevada’s first licensed fantasy sports operator will launch its contests at about a dozen casinos on Thursday just in time for the start of a new NFL season, before expanding into a total of 49 casinos by week three, the company confirmed Tuesday.

The Las Vegas-based company’s fantasy football product uses NFL players but is based on pari-mutuel betting, a pool style of wagering used for horse and dog racing. USFantasy plans to expand to baseball, basketball, hockey, golf and NASCAR, according to a listing on its website.

USFantasy is different from DraftKings, Yahoo or FanDuel, where players assemble a fantasy team and try to generate a collective score higher than other players.

The Nevada Gaming Commission approved the company’s pari-mutuel model in June.

Nevada is unique in that it has regulated daily fantasy sports (DFS) without passing new legislation, instead requiring fantasy sports companies to receive a full gaming license before they are allowed to do business in the state.

“We decided with our business model that we were going to go through the front door and not the back door,” Michael Knapp, co-founder and COO of USFantasy, told GamblingCompliance. “We saw that being licensed was an advantage.”

Knapp said there is plenty of competition in Nevada for a consumer’s gambling dollar, but that the company has been well received by casinos state-wide.

Even as USFantasy prepares to launch in Nevada, company executives have been talking with Pennsylvania lawmakers, who have been debating DFS regulations, about how the new form of fantasy sports might be licensed.

“I met with the owners of USFantasy and their lobbyists,” Republican state Rep. George Dunbar told GamblingCompliance Tuesday in a phone interview. “The concept makes a lot of sense. But right now, we haven’t even licensed DFS.”

Dunbar said he did not think lawmakers would do anything with USFantasy “until we saw how well it works in Nevada.”

He said company executives also wanted to know how pari-mutuel fantasy sports could work under his DFS bill — House Bill 2150 — that is currently sitting in the state Senate waiting to be acted upon.

House members voted 114-85 in favor of HB 2150, which forms part of a larger House budget package.

Dunbar said the current bill does not include pari-mutuel fantasy sports, but the state could certainly consider having its Horse Racing Commission regulate the company.

“Let me get DFS passed in the legislature and we can talk about it later,” said Dunbar, who is also a member of the House Gaming Oversight Committee. “We need to regulate DFS. It needs to get done. Any gambling legislation will have DFS attached.”

Knapp agreed, saying how USFantasy is regulated in Pennsylvania is a “little out of our control.” He did say USFantasy “was willing and able to do anything [regulators] ask.”

Knapp said if Pennsylvania wants USFantasy to be regulated by the gaming commission, “we are able to do that,” but if it should be the racing commission then “we are able to do that too.”

USFantasy offers pari-mutuel-style fantasy games where contests are based on a single position. Players can choose from a pool of players, betting on them to “win,” “place,” or “show.”

Exactas and trifectas are offered with higher payout for selecting the winner of two or three events in correct order. Other common wagers that gamblers see at the racetrack include Daily Doubles or Pick 3s.

All wagers are placed in a pari-mutuel pool and distributed after all player performances are completed and tabulated.

For fantasy football, a $1m progressive jackpot Pick 7 contest is planned for correctly selecting the winners of seven different categories.

That is compared to DraftKings offering free play with a customer’s first deposit and $5m in total prize money for week one of the NFL season. On FanDuel’s website, the company offers a money back guarantee and five free beginner NFL entries with a first deposit.

“Pennsylvania would be ideal for us,” Knapp said. “There are racetracks, off-track betting and casinos. There is a lot of potential there.”

However, just six of the 12 casinos in Pennsylvania can accept pari-mutuel wagers.

“We are starting to get calls and interest from other states,” Knapp said. “Our focus right now is Nevada.”