January 30, 2016

Thanks, y'all!

Thanks, y'all!  I am very honored to be named, along with a number of fine lawyers across the state, in Business North Carolina's 2016 "Legal Elite" as well as in Thomson Reuters' Super Lawyers for 2016.

What is the "Legal Elite"? 

This year I was listed in the "Business" category of the Legal Elite, as well as the "Young Guns" category (which is reserved for young lawyers in any practice area).  Each year, Business North Carolina magazine surveys more than 20,000 North Carolina lawyers by asking the following question: "Whom would you rate among the current best in these categories of law?"   The results are compiled, and fewer than 3% of the lawyers in North Carolina are then named to the list.

What is "Super Lawyers"?

Super Lawyers uses a rigorous method that is intended to create a credible, comprehensive listing of outstanding attorneys in each state.  Super Lawyers compiles its list each year using peer nominations from lawyers around the state, peer evaluations, and independent, third-party research.  Each candidate receiving sufficient nominations from across the state is evaluated on 12 criteria of professional achievement.  The selection process for the "Super Lawyers--Rising Stars" list is the same, with one exception: to be eligible for inclusion in Rising Stars, a candidate must be 40 years old or younger or in practice for 10 years or less.  The idea is that it is very difficult for young lawyers to develop a significant statewide reputation within the first ten years of practice, so a separate process is used for them.  While up to 5 percent of the lawyers in the state are named to Super Lawyers, no more than 2.5 percent of eligible lawyers are named to the Rising Stars list.

I am so very blessed to have worked with so many exceptional lawyers across North Carolina, and I appreciate each of you who participated in these and similar peer review processes.  I sincerely appreciate your friendship and trust.  I consider it a privilege to be able to recommend several of you for well-deserved recognition, and I am pleased to see some very deserving names on this year's list (although there are several others I wish had also been included but were inexplicably absent from the lists).   May this new year bring each of you the success and recognition you have earned!

December 16, 2015

New European Privacy Plan Announced

Earlier this week, the European Parliament and Council announced they have (finally) agreed upon a new General Data Protection Regulation (the GDPR).  This is really big news for all U.S. companies that do business in Europe or with Europeans.

The GDPR has not yet been voted into law, but the agreed-upon language is probably quite close to the final law.  The International Association of Privacy Professionals (of which I'm a certified member) has published a great, concise list of the key provisions, which I commend to you:

• The law applies to any controller or processor of EU citizen data, regardless of where the controller or processor is headquartered.

• Notification of a data breach that creates significant risk for the data subjects involved must be made within 72 hours of the discovery of the breach.

• New powers are provided to data protection authorities, including the ability to fine organizations up to four percent of their annual revenue.

• Many organizations will now be required to appoint a data protection officer.

• Personal data may only be collected for “specified, explicit and legitimate purposes.”  The text also introduces principles of “data minimization,” “accuracy,” “storage limitation” and “integrity and confidentiality.”

• The GDPR requires “accountability,” which means the “controller shall be responsible for and be able to demonstrate compliance” with the law.

• Processing of data will only be allowed with explicit consent, to perform a contract, to comply with a legal obligation, to protect the vital interests of the data subject, or to perform a task in the public interest.

• That consent has to be demonstrable upon demand, and can be retracted by the data subject at any time.

• There will still be variation from member state to member state.

• Children under the age of 16 will need to get parental approval to give consent unless the member nation passes a law to lower the age no lower than 13.

• Special categories of personal data are established that include genetic, biometric, health, racial and political data, among others.

• Data controllers have to provide any information they hold about a data subject free of charge and within one month of request.

• A “right to erasure” is established, where controllers are required to delete personal data...even if the data has been made public already.

The next legislative step is for the EU Parliament’s Committee on Civil Liberties, Justice and Home Affairs ("LIBE Committee") to vote on the text tomorrow (December 17), and if it passes, the full Parliament is expected to vote in January.

There is much more to come on this very significant development. 

Source: https://iapp.org/news/a/gdpr-we-have-agreement/

December 1, 2015

PSA: New North Carolina Laws Become Effective Today (December 1, 2015)

The law is ever-changing, which is part of the reason I find it fascinating.  Several new North Carolina laws become effective today, December 1st.  Many of them are criminal laws, but some that may be of interest to business owners and managers include the following:
 - Electronic signature and notarization on vehicle titles [SL 2015-270 / SB 370]
 - An omnibus regulatory reform bill [SL 2015-286] that, among other things:
  • Repeals the offense of "using profane or indecent language on public highways, except in certain counties";
  • Repeals the offense of refusing to relinquish a party telephone line in an emergency;
  • Excludes volunteers and officers of certain nonprofits from the definition of "employee" for purposes of the Workers' Compensation statute;
  • Expands the "Good Samaritan" law to allow well-intentioned people to break into a car, boat or aircraft to assist a person in need; and
  • Makes numerous environmental law changes.

 - Privacy law enhancements (including the so-called "revenge porn" law) [SL 2015-250 / HB 792] (See www.PrivacyLawNC.com for more.)

You can find out more about each of these laws and more in the N.C. General Assembly's summary, available here.


October 6, 2015

The EU/US Safe Harbor Is No Longer Safe!

Today, Europe's top court, the European Court of Justice, ruled that a 15-year-old pact between the United States and the European Union which allowed American organizations to handle the personal data of Europeans (the EU/US Safe Harbor) was invalid.  The decision will have massive, far-reaching implications for American businesses and organizations that are active in Europe.

The Backdrop

Trans-Atlantic data transfers involving the personal information of Europeans must comply with the Data Protection Directive, which is a European pact that has been adopted by each member state (i.e., most of Europe, but not Switzerland).  The Directive requires that a transfer of personal data to a non-EU country may take place only if that country ensures an adequate level of data protection and privacy. The Directive also provides that the EU Data Protection Commission may determine that a non-EU country ensures an adequate level of protection as a result of that country's own domestic privacy laws or an international treaty.  

The Facts

The challenge to the Safe Harbor arose in legal proceedings between an Austrian citizen, Mr. Maximilian Schrems, and the Irish Data Protection Commissioner concerning the Commissioner's refusal to investigate a complaint made by Schrems.  Schrems has been a Facebook user since 2008, and some or all of the data provided by Schrems to Facebook was transferred from Facebook’s Irish subsidiary to servers located in the United States. Schrems lodged a complaint with the Irish Commissioner, alleging that, in the light of the revelations made in 2013 by Edward Snowden concerning the activities of the US intelligence services (specifically the NSA), the law and practice of the United States do not offer sufficient protection against surveillance. 

The Issues

In response to Schrems' allegations, Facebook pointed out that it was fully compliant with the EU/US Safe Harbor and the US Department of Commerce's requirements for participation in the Safe Harbor.  The Irish Commissioner refused to consider the complaint because the EU Data Protection Commission had long ago ruled (in 2000) that the EU/US Safe Harbor was a valid basis for the trans-Atlantic transfer of personal data of European citizens.  (As a technical legal matter, the case was a challenge of the validity of Commission Decision 2000/520/EC (26 July 2000) pursuant to Directive 95/46 on the adequacy of the protection provided by the safe harbor privacy principles and related FAQ issued by the US Department of Commerce.)

The Court's Conclusions

The Court concluded that the decision by the EU Data Protection Commission that the EU/US Safe Harbor is valid did not preclude a member nation's Data Protection Commissioner (in this case Ireland) from reaching the opposite conclusion.  The Court ruled that the Irish Commissioner should have heard the complaint and made an independent determination whether the EU/US Safe Harbor provides adequate protection of the personal information of EU citizens in light of the fact that the US government's surveillance programs might not respect the privacy of EU citizens as interpreted under EU law. 

The Court went further to evaluate the 2000 decision of the EU Data Protection Commission.  It determined that in the US, national security, public interest and law enforcement interests prevail over the Safe Harbor scheme, so that United States organizations are required by US law to disregard the protective rules laid down by the Safe Harbor when they conflict with US policy interests.  The Court then concluded that US law, and the Safe Harbor, enable interference by United States national security and law enforcement authorities with the fundamental rights of Europeans. This interference is incompatible with the Directive, said the Court.

Having reached these conclusions, the Court held that the Irish Commissioner was required to evaluate Schrems’ complaint "with all due diligence" and following its "investigation," was obligated to "decide whether, pursuant to the Directive, transfer of the data of Facebook’s European subscribers to the United States should be suspended on the ground that that country does not afford an adequate level of protection of personal data."  The Court essentially remanded the case to the Irish Commissioner with instructions to evaluate the issues, and with the subtext that the EU/US Safe Harbor is inadequate.

You can read the Court's decision here, and the Court's press release here.

No appeal is possible, because the European Court of Justice is the equivalent of the U.S. Supreme Court--the court of last resort.  Simultaneously, European leaders and US officials are negotiating a new agreement on trans-Atlantic data transfers.  Today's decision will no doubt create a new degree of urgency in those talks.

What Does It Mean to Your Organization?

The likely outcome of this decision is that transfers of personal data made under the auspices of the Safe Harbor may violate European data protection laws.  In other words, the Safe Harbor is not really "safe" after all.  Without the Safe Harbor, each country in the EU could reach different conclusions as to whether US privacy laws and practices satisfy the EU's Directive, which would require US companies to address each member nation's laws individually rather than satisfying a single set of EU requirements.  This could create enormous obstacles to US organizations doing business in Europe.

As a result, organizations are well-advised to take a belt-and-suspenders approach (or "belt-and-braces" as they say across the Atlantic) by ensuring that data transfers are justified on another basis (in addition to compliance with the Safe Harbor). Those other bases include "binding corporate resolutions" (in which the organization essentially passes a binding corporate resolution to comply with EU law with respect to EU personal data) and "model clauses" (which are contractual obligations to comply with EU privacy requirements).  The binding corporate resolutions and model clauses have frequently been deemed more onerous for US organizations than the Safe Harbor's requirements.  As a result, fewer US organizations have these measures in place.  Many will be scrambling to adopt them in light of the new uncertainty of the "Safe" Harbor.

August 8, 2015

The Law of Prize Drawings: It's All Fun and Games, Until...

Everyone loves a game. Games activate the creative, imaginative portions of our minds in ways that captivate our attention. Games can help organizations engage with people, which is why marketing professionals love games. Businesses, governments and nonprofits have found tremendous success in garnering attention through various sorts of contests and games. Ancient rulers used games to win the allegiance of their subjects.  In more recent times...well, who among us hasn't played McDonald's Monopoly?

The uncertainty of outcomes is part of what makes games fun. Unfortunately, nefarious characters have also used games in unethical ways, causing state and federal governments to enact laws governing the use of certain games. Anyone who wishes to sponsor a game should give thought to whether these laws apply, in order to avoid running afoul of regulatory authorities and being sued in a class action. The following is a basic overview of the federal and North Carolina laws governing games and contests.


State laws restrict lotteries for two primary reasons. First is the potential for harm to the public (especially "problem gamblers"). Second, a state may create a government monopoly on lotteries, which allows it to raise money without competition. The penalties for violating these laws can be significant.

A lottery is generally defined by three elements: a chance for a prize for a price. Not all lotteries are easy to identify. A cash entry fee is certainly a telltale sign of a lottery; however, purchase requirements and noncash entry "prices" can also cause a game to be deemed a lottery. If a purchase is required to enter into a drawing or other game of chance, the event may well be a lottery. Courts in some other states have held that merely requiring participants to travel to the sponsor's premises to register is a sufficient "price" to cause the promotion to be deemed a lottery, even if the participants are not required to buy anything. North Carolina courts have never gone that far, but it should be remembered that nonfinancial, performance-based conditions to entry might cause a promotion to be considered a lottery.

A "raffle" is nothing more than a specific type of lottery. It is a game in which the prize is won by random drawing of the name or number of one or more persons purchasing chances. For-profit entities are prohibited by North Carolina law from hosting a raffle. A tax-exempt nonprofit organization, candidate, political committee, or government entity is permitted to host up to two (2) raffles per year. If a nonprofit hosts the raffle, a certain percentage of the net proceeds must be used for charitable, religious, educational, civic, or other nonprofit purposes. There are also some specific items that the net proceeds of the raffle cannot be used to pay.

Sweepstakes/Prize Drawings

Under federal law, a chance to win a prize for which no money or other item of value is paid is called a "sweepstakes." (Often we see or hear these advertised on television or radio, and the announcer rattles off "no purchase necessary to enter.") There are federal requirements regarding the disclosure of terms and conditions, and other specific items. North Carolina law covers the same subject, although the term "sweepstakes" is not used. The requirements of North Carolina and federal law are similar, but there are a few differences.

The sponsor of a prize drawing should disclose to each participant the following information:
  • the name of the organization conducting the contest and its principal business address
  • all conditions that a participant must meet
  • an accurate description of each prize to be awarded
  • the retail value of each prize
  • the number of each prize to be awarded
  • the odds of receiving each prize

The law also contains requirements for the precise placement of certain disclosures on any advertisements.

A disclaimer should be included in all materials related to a sweepstakes or drawing that explains in clear terms that no purchase is necessary to enter or win, and that a purchase will not increase the chances of winning.

In addition to these statutory requirements, there are additional considerations that a drawing or contest sponsor will want to address in order to limit its liability under contract law and tort law.

Tax Reporting Requirements

The Internal Revenue Code and U.S. Treasury regulations require an organization awarding a prize to file informational returns with the IRS when the prize is valued at a certain amount (currently $600), and to withhold a certain percentage of the winnings (currently 25%) if the value exceeds another amount (currently $5,000). Failing to file or withhold can result in the organization being held liable for the tax.

Alcoholic Beverage Law

North Carolina law addresses the sale or consumption of alcoholic beverages in connection with a game of chance. Sale or consumption of alcohol cannot occur in the same room while a raffle or bingo game is "being conducted." The statute does permit a drawing to occur in an adjacent room where alcohol is neither sold nor consumed. Specifically, no alcohol may be sold, served or consumed in a room when any of the following activities are ongoing: when a "prize is won," a "random drawing by name or number" occurs, a person "purchases chances," winners are announced, or prizes are awarded.

Time to Play!

By complying with the applicable state and federal laws, an organization can reap the benefits of a game without the risks. An expert who knows these rules and how to implement them can help an organization quickly and efficiently plan an event that will be fun and effective for everyone.

Raleigh Attorney Matt Cordell has been named among the best lawyers in North Carolina by numerous organizations and peer surveys. 


July 3, 2015

What Does It Mean To Be "Certified" In Privacy And Information Security?

I recently became certified by the IAPP in information privacy and received the CIPP/US designation. "What does that mean?" you ask? Good question!

What is the CIPP/US designation?

The International Association of Privacy Professionals (IAPP) is a nonprofit association of privacy professionals--the largest in the world. The IAPP issues the Certified Information Privacy Professional (CIPP) designations, which are the most recognized information privacy certifications globally. The CIPP/US credential demonstrates an understanding of privacy and security concepts, best practices, and international norms, with a specific emphasis on U.S. privacy and information security laws. Applicants are tested to ensure they have the requisite knowledge in the following areas:

I. The U.S. Privacy Environment
  A. Structure of U.S. Law
      i. Constitutions
      ii. Legislation
      iii. Regulations and rules
      iv. Case law
      v. Common law
      vi. Contract law
    c. Legal definitions
    d. Regulatory authorities
      i. Federal Trade Commission (FTC)
      ii. Federal Communications Commission (FCC)
      iii. Department of Commerce (DoC)
      iv. Department of Health and Human Services (HHS)
      v. Banking regulators
      vi. State attorneys general
      vii. Self-regulatory programs and trust marks
    e. Understanding laws
      i. Scope and application
      ii. Analyzing a law
      iii. Determining jurisdiction
      iv. Preemption
  B. Enforcement of U.S. Privacy and Security Laws
    a. Criminal versus civil liability
    b. General theories of legal liability
      i. Contract
      ii. Tort
      iii. Civil enforcement
    c. Negligence
    d. Unfair and deceptive trade practices (UDTP)
    e. Federal enforcement actions
    f. State enforcement (Attorneys General (AGs), etc.)
    g. Cross-border enforcement issues (Global Privacy Enforcement Network (GPEN))
    h. Self-regulatory enforcement (PCI, Trust Marks)
  C. Information Management from a U.S. Perspective
    a. Data classification
    b. Privacy program development
    c. Incident response programs
    d. Training
    e. Accountability
    f. Data retention and disposal (FACTA)
    g. Vendor management
      i. Vendor incidents
    h. International data transfers
      i. U.S. Safe Harbor
      ii. Binding Corporate Rules (BCRs)
    i. Other key considerations for U.S.-based global multinational companies
    j. Resolving multinational compliance conflicts
      i. EU data protection versus e-discovery
II. Limits on Private-sector Collection and Use of Data
  A. Cross-sector FTC Privacy Protection
    a. The Federal Trade Commission Act
    b. FTC Privacy Enforcement Actions
    c. FTC Security Enforcement Actions
    d. The Children’s Online Privacy Protection Act of 1998 (COPPA)
  B. Medical
    a. The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
      i. HIPAA privacy rule
      ii. HIPAA security rule
    b. Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009
  C. Financial
    a. The Fair Credit Reporting Act of 1970 (FCRA)
    b. The Fair and Accurate Credit Transactions Act of 2003 (FACTA)
    c. The Financial Services Modernization Act of 1999 ("Gramm-Leach-Bliley" or GLBA)
      i. GLBA privacy rule
      ii. GLBA safeguards rule
    d. Red Flags Rule
    e. Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010
    f. Consumer Financial Protection Bureau
  D. Education
    a. Family Educational Rights and Privacy Act of 1974 (FERPA)
  E. Telecommunications and Marketing
    a. Telemarketing sales rule (TSR) and the Telephone Consumer Protection Act of 1991 (TCPA)
      i. The Do-Not-Call registry (DNC)
    b. Combating the Assault of Non-solicited Pornography and Marketing Act of 2003 (CAN-SPAM)
    c. The Junk Fax Prevention Act of 2005 (JFPA)
    d. The Wireless Domain Registry
    e. Telecommunications Act of 1996 and Customer Proprietary Network Information
    f. Video Privacy Protection Act of 1988 (VPPA)
    g. Cable Communications Privacy Act of 1984
III. Government and Court Access to Private-sector Information
  A. Law Enforcement and Privacy
    a. Access to financial data
      i. Right to Financial Privacy Act of 1978
      ii. The Bank Secrecy Act
    b. Access to communications
      i. Wiretaps
      ii. Electronic Communications Privacy Act (ECPA)
        1. E-mails
        2. Stored records
        3. Pen registers
    c. The Communications Assistance to Law Enforcement Act (CALEA)
  B. National Security and Privacy
    a. Foreign Intelligence Surveillance Act of 1978 (FISA)
      i. Wiretaps
      ii. E-mails and stored records
      iii. National security letters
    b. Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (USA-Patriot Act)
      i. Other changes after USA-Patriot Act
  C. Civil Litigation and Privacy
    a. Compelled disclosure of media information
      i. Privacy Protection Act of 1980
    b. Electronic discovery
IV. Workplace Privacy
  A. Introduction to Workplace Privacy
    a. Workplace privacy concepts
      i. Human resources management
    b. U.S. agencies regulating workplace privacy issues
      i. Federal Trade Commission (FTC)
      ii. Department of Labor
      iii. Equal Employment Opportunity Commission (EEOC)
      iv. National Labor Relations Board (NLRB)
      v. Occupational Safety and Health Act (OSHA)
      vi. Securities and Exchange Commission (SEC)
    c. U.S. Anti-discrimination laws
      i. The Civil Rights Act of 1964
      ii. Americans with Disabilities Act (ADA)
      iii. Genetic Information Nondiscrimination Act (GINA)
  B. Privacy before, during and after employment
    a. Employee background screening
      i. Requirements under FCRA
      ii. Methods
        1. Personality and psychological evaluations
        2. Polygraph testing
        3. Drug and alcohol testing
        4. Social media
    b. Employee monitoring
      i. Technologies
        1. Computer usage (including social media)
        2. Location-based services (LBS)
        3. Mobile computing
        4. E-mail
        5. Postal mail
        6. Photography
        7. Telephony
        8. Video
      ii. Requirements under the Electronic Communications Privacy Act of 1986 (ECPA)
      iii. Unionized worker issues concerning monitoring in the U.S. workplace
    c. Investigation of employee misconduct
      i. Data handling in misconduct investigations
      ii. Use of third parties in investigations
      iii. Documenting performance problems
      iv. Balancing rights of multiple individuals in a single situation
    d. Termination of the employment relationship
      i. Transition management
      ii. Records retention
      iii. References
V. State Privacy Laws
  A. Federal vs. state authority
  B. Marketing laws
  C. Financial Data
    a. Credit history
    b. California SB-1
  D. Data Security Laws
    a. SSN
    b. Data destruction
  E. Data Breach Notification Laws
    a. Elements of state data breach notification laws
    b. Key differences among states

Why did you decide to get the CIPP/US certification?

More and more people are claiming to be privacy experts these days, including a number of lawyers. Although very few law firms advertised a privacy practice group as of just a few years ago, almost all large law firms do now...with varying degrees of credibility. Some lawyers are holding themselves out as privacy experts when their expertise is limited to a couple of privacy laws and a specific context. They are nonetheless re-branding themselves as "privacy" lawyers. While there certainly are more lawyers who are competent in a range of privacy and information security issues than ever before, they remain few and far between. The CIPP/US certification is perhaps the best way to clearly and immediately demonstrate an understanding of the core concepts and legal issues of privacy and information security.

Does the CIPP/US designation guarantee expertise?

The CIPP/US designation does not guarantee expertise in any particular area of privacy law. The certification tests (there are currently two) do not require the depth of understanding that a true expert must have. For example, the study guides and tests cover financial privacy issues at a level of depth just beyond the surface. There is much more to know about financial privacy law and practice.  Furthermore, there are very accomplished lawyers in these spaces who are not certified by IAPP.   However, the CIPP/US designation does provide assurance that the certificate holder is at least aware of the salient issues and knows where to find answers or guidance, and those two items are very important. Furthermore, certification requires ongoing learning. Maintaining IAPP CIPP certification requires the holder to fulfill 20 hours of continuing privacy education (CPE) per two-year period, to ensure the holder's knowledge remains up to date.

The CIPP/US certification is no guarantee of true legal expertise, but it does provide an independent confirmation of basic competence across a broad spectrum of privacy and information security law. It also tells you that the holder is continuing to build upon his or her knowledge in these areas.

* The N.C. State Bar, the regulatory body that supervises and disciplines lawyers licensed in North Carolina, prohibits a lawyer from using the term "specialized" to describe anything other than a N.C. Bar-issued certificate of specialization in one of a very limited number of fields of law.  There is no specialization available from the N.C. State Bar for privacy, information security, or any related field of law.

June 27, 2015

A New Role with the YLD, the Future of the Legal Profession

Those of you who know me well or who read this blog regularly know that I believe in the Young Lawyers Division of the North Carolina Bar Association and the more than 6,400 young lawyers who belong to it.  In the past eight years, I have witnessed young lawyers volunteer to help thousands of people with significant legal needs and do important work to improve the legal profession.  This is a great group of people, and I am immensely honored that they have elected me to lead them.  I will take office as Chair of the YLD in June of 2016.  In the meantime, if you are a service-minded lawyer under 36, or if you have ideas about what the YLD can do to further its missions (service to the public, service to the bar, and leadership training), please let me know.

June 15, 2015

Five Simple Steps You Can Take to Protect Your Loved Ones on Elder Abuse Awareness Day

This post is a PSA.  Those of you who know me well (or read this blog regularly) know that I have spent a considerable amount of time and energy trying to help people prevent elder financial abuse.  The elderly in the United States lose an estimated $2.6 billion annually due to elder financial abuse and exploitation.  Today is the eighth annual Elder Abuse Awareness Day, which seems like an appropriate time to suggest a few simple steps you can take to help protect your loved ones from elder financial abuse.

1.  If his or her bank offers the opportunity (and is in North Carolina), ask your loved one to provide the bank with a list of trusted persons to whom the bank may speak in the case of suspicious activity.  I've written and spoken about this topic frequently, and you can read my comments here, here, here, here and here.

2.  Encourage your loved one to talk to an elder law attorney about naming a trustworthy person as attorney-in-fact to look after your loved one's interests.  Discourage your loved one from granting a power of attorney to anyone who is not 100% trustworthy and competent.

3.  A small number of unscrupulous telemarketers prey on the elderly.  One way to reduce the potential for this kind of abuse is to put your loved one's telephone number(s) on the national Do Not Call registry by filling out the form available here.

4.  Social media is not just for young people.  Many older adults have social media accounts these days.  Fraudsters sometimes use information gathered from social media to help them perpetrate frauds, such as spearphishing attacks.  Ask your loved ones to allow you to set privacy settings on their social media accounts so that strangers (and anyone else they shouldn't trust) will not be able to gain access to information that would help in such attacks.

5.  Encourage your loved one to obtain their free annual credit report and help them review the report for evidence of identity theft.  I have written about how to get a free credit report (as well as how to respond to identity theft) here.

Thank you for taking the time to read this post.  I hope this information will help you as you try to protect your loved ones from the growing threat of elder financial exploitation. 

June 2, 2015

Potential Opportunities for Cost Sharing by Community Banks

At the North Carolina Bankers Association's Annual Convention today, Kris Kiefer, Deputy Comptroller at the OCC, and John Henrie, Regional Director of the FDIC, referenced a recent OCC paper regarding bank pooling of resources to obtain better services at lower cost. 

The paper, titled “An Opportunity for Community Banks: Working Together Collaboratively,” describes ways in which community banks might collaborate to lower costs and obtain specialized expertise. The paper outlines how community banks can structure cooperative arrangements, and emphasizes the need for effective oversight of those arrangements.

Community banks can collaborate in several ways, according to the OCC, such as:
  • exchanging information and ideas;
  • jointly purchasing materials or services;
  • sharing back-office or other services;
  • sharing a specialized staff member or team;
  • jointly owning a service organization;
  • participating in disaster mitigation agreements; and
  • jointly providing/developing products and services.
In some cases, community banks will want to form an entity (such as an LLC) to engage in activities. The regulatory issues to be addressed in those situations will be whether the activities are permissible and whether the investment by the banks in the entity is permitted.  The OCC has its own rules and guidance for permissible activities, and has published guidance based on prior decisions.  State chartered banks may generally follow those rules and guidance, despite being regulated by other agencies.  Often the entities will be considered "noncontrolling investments" or "bank service companies," which are different from a regulatory standpoint than the "bank operating subsidiaries" that many banks may be more familiar with.  Often an application will be required.

As with loan participations and syndications, the guidance makes clear that bank collaborations should be documented in a binding agreement that allocates the responsibilities and risks associated with the activity.

Ideally, collaboration in areas in which it makes sense would enable community banks to achieve better outcomes at lower costs, increase their range of services, and enhance the expertise available to them.