Tsibouris & Associates

Tuesday, July 26, 2011

FinCEN Releases Final Rules on Stored Value and Money Services Businesses

By Mehmet Munur

The Financial Crimes Enforcement Network of the Department of Treasury released final regulations relating to money services businesses and stored value that amend Bank Secrecy Act regulations.  The final regulations provide clarity, incorporate previous administrative rulings, and create exclusions from the definition of MSBs for activities that pose low risk for money laundering.

FinCEN’s final rules regarding MSBs are more a clarification than a broadening of the existing regulations. For example, the final rules specifically incorporate previous FinCEN rulings and guidance relating to exceptions to MSBs for payment processors, armored cars, and gift cards. The regulations also provide some clarification regarding agents, the meaning of “doing business,” and MSBs located outside of the US.

The final rules regarding stored value redefine that term as prepaid access. The regulations also retain a facts-and-circumstances test, but introduce criteria that may help determine whether an entity is a provider or seller of prepaid access. In addition, FinCEN has chosen to create a $2,000 threshold for closed loop stored value that will be excluded from stored value programs. As a result, those excluded entities will not be subject to the AML program obligations that go along with stored value programs. Other exclusions to stored value programs relate to flexible spending and dependent care funds and payroll programs that do not allow (i) international transfers, (ii) transfers among users, or (iii) loading from non-depository sources.

As a result of the various comments by the industry and law enforcement, FinCEN has created a regulatory scheme that focuses on the risks of money laundering while leaving many of the schemes that are unlikely to result in money laundering risk unregulated.


Saturday, July 23, 2011

Will your insurance actually cover losses from your cyber attack?

Reuters reports that Zurich American Insurance Company is suing both its insured customer Sony and Sony's other co-insurers to obtain a ruling that it does not have to pay claims by Sony for damages from the recent cyberattack on Sony that resulted in the loss of personal data from its PlayStation Network. The article summarizes the hack:

"In April, hackers accessed personal data for more than 100 million users of Sony's online video games. Sony has said it could not rule out that some 12.3 million credit card numbers had been obtained during the hacking."

The ruling may hinge on whether Sony simply obtained a general liability policy, which is unlikely to cover more than property damage, or whether it obtained coverage against cyber risks, which is normally a supplemental form of coverage. Currently, the White House is encouraging the growth of the cyberinsurance market as a way for companies to obtain financial protection from loss and as an incentive for them to enhance their own systems as a consideration for underwriting.

Have you checked your policy to see if claims from cyberattacks are specifically covered? Your policy summary from your commercial underwriter may not show enough detail to know - you need to read the policy itself to be sure, including the exclusions, deductibles, and amounts.



Friday, July 15, 2011

Article 29 Working Party Publishes Opinion on the Definition of Consent

By Mehmet Munur

On July 13, the Article 29 Working Party published an opinion on the definition of consent. The document expands on the Working Party’s previous definition of consent and now includes the following elements: indication, freely given, specific, unambiguous, explicit, and informed.

The document also includes recommendations for the upcoming review of the EU Data Protection Directive.  Those recommendations relate to specifically defining unambiguous consent, as opposed to implicit consent; controls for data controllers; quality and accessibility of information forming the basis for consent; and other suggestions regarding minors.  Similar to the Working Party’s definition of controllers, this new opinion contains example scenarios. These examples include everything from Bluetooth ads, to e-health records, to body scanners.  You may find the opinion here.