Privacy - Boston Financial Data Services
Webcast Series 2009
featuring . . .
Operational Considerations on
Regulatory Issues
December 8, 2009
Welcome
Introduction
Craig Hollis
Vice President and AML Officer
Meeting Logistics
Keep Webcast to 60 minutes
Ask a question
Click on the Q&A window in the lower right hand portion
of the screen
Type your question into the dialog box
Click the Send button
Following today’s Webcast
Redirected to a brief survey
Link via email to access a recording of today’s Webcast
If you experience any technical difficulties during the
presentation
Submit a question through the Q&A
Contact WebEx Technical Support at 1 (866) 229-3239
Agenda
Jeff Cook
Joan Dowd
Chief Compliance Officer
Director of Regulatory Compliance
Boston Financial Data Services
DST Systems
Privacy
Massachusetts Data Protection Law
FTC Identity Theft Prevention (Red Flags Rule)
Data Masking
Summary Prospectus
International ACH Transactions (“IAT”)
New California Law: State Backup Withholding
Massachusetts Data Protection Law
Compliance Date
Extended to March 1, 2010
Background
Massachusetts Office of Consumer Affairs and Business Regulation Adopts
Standards – September 2008
Original Law Exceeded Authority – Rigid Standards
Multiple Public and Private Hearings
Two Significant Revisions – August 2009
Final Regulation Issued – October 30, 2009
Massachusetts Data Protection Law
Compliance Date
Extended to March 1, 2010
Requirements
For those maintaining or storing “personal information” of
Massachusetts Residents:
Have a written information security program adhering to promulgated
standards
Comply with specified system security requirements
Take “reasonable steps” to ensure third party service provider compliance
Massachusetts Data Protection Law
Revisions to the Law …
Listened and responded to industry concerns
Built more flexibility into the rules
Still requires each business to have a comprehensive information security
program but can now be tailored to the following:
Size, scope, and type of business
Available resources
Amount of stored data
Need for security and confidentiality of consumers and employee information
Must take reasonable steps to ensure their third party providers protect
shareholder information, but written certification is no longer required
Massachusetts Data Protection Law
Our Support Structure
Compared the revised MA law with our Security Program
Periodically review our program to ensure compliance with regulations
Annual training and awareness regarding information security
Enhanced due diligence of third party providers/vendors
Daily monitoring
Use multi-factor authentication to provide information for phone inquiries
Encrypt e-mail and secure FTP for file transmission
Provide clients an overview of internal security policies
FTC Red Flags Rule
Enforcement Date Extended to June 1, 2010
Requirements
Develop and implement a written Identity Theft Prevention Program
Designed to detect, prevent, and mitigate identity theft
One definition of financial institution is one that has “transaction accounts”
An account from which the account owner can direct payments to third
parties
Check-writing; debit cards; wires to third parties
Written or telephone instructions directing money to third parties (or to
bank accounts not on file)
FTC Red Flags Rule
Our Support Structure
Initial program provided in 2008; subsequent updates added
Placed program on Boston Financial Compliance Corner or issued directly to
clients
Provide certification as part of our quarterly 38a-1 statement
Two Future Program Enhancements
A file that contains SSN/TIN discrepancies from the CIP verification process to
run against the IRS TIN Match Program
A new report that contains only address discrepancies, with a procedural
workflow to review and analyze for fraud and identity theft, is in
development
Data Masking
DST Online Masking Projects
DST TA2000 3270, Desktop, SmartDesk, Vision, and FANWeb screens have
been identified and provided to RCAG Steering Committee for review
Reports – FANWeb, Vision, Voice, and DST reports have been identified
and masking is ongoing
Our Support Structure
SSNs have been removed from transcripts, confirmation statements, and new
account welcome kits
Fund, Account and SSN have been removed from correspondence
Encourage not returning original documents to shareholders as these may
contain personal information
Validate reports and screens during testing phase
Tax Form Masking
IRS Notice 2009-93
Requirements
Creates a pilot program allowing the masking of SSNs
For tax years 2009 and 2010 on paper payee statements only
IRS approval is not needed
The notice is effective immediately; masking is voluntary
Applies to paper payee statements (not electronic statements)
Only applies to Form 1098 series, Form 1099 series, and Form 5498 series.
Form W-2 is not included
Does not apply to any information return filed with the IRS
Applies to tax forms to individuals only (SSN format only)
Does not apply to accounts registered as entities (those with EIN format of 999999999) - paper payee statements for these accounts must include full TIN
IRS Notice 2009-93
Requirements
Substitute and composite/combined payee statements are in scope
The identifying number must be truncated by replacing the first five digits of
the nine-digit number with asterisks or Xs
For example, a social security number 123-45-6789 would appear on the paper
payee statement as ***-**-6789 or XXX-XX-6789
Entire social security number for individuals and/or tax identification
number for entities are still required on files sent to IRS
The Notice is available at http://www.irs.gov/pub/irs-drop/n-09-93.pdf. The
IRS is accepting comments until May 1, 2010, with regard to the current
notice and go-forward strategy
IRS Notice 2009-93
Our Support Structure
We will work to have the TA2000 programming ready for systematic
masking of the SSNs for tax year 2010
Distinguishing and separating the masking for SSN and EIN formats is
necessary
Interfering with the YE platform at this late date is not recommended
Working with DST Output for a 2009 masking solution that will not involve
changes to the YE platform
Summary Prospectus
Summary Prospectus
3/31/2009: SEC Effective Date (optional)
1/01/2010: Mandatory Filing
Requirements
Three or four-page, “plain English” summary
Updated annually
Can be sent in lieu of statutory prospectus
Must be incorporated into the statutory prospectus
Must have Internet availability of compliance materials
Summary Prospectus, statutory prospectus, SAI, and shareholder
reports
Must send statutory prospectus if requested
International ACH
Transactions (“IAT”)
International ACH Transactions (“IAT”)
Effective Date: September 18, 2009
Background
What is IAT?
A new ACH transaction type, International ACH Transaction or “IAT”
This new payment code and record layout will be used to identify an ACH
credit or debit that is part of a payment transaction that involves a financial
agency's office that is not located within the territorial jurisdiction of the US
It allows for the identification and facilitation of IAT transactions
It enables financial institutions to comply with OFAC obligations regarding
international transactions
The territorial jurisdiction of United States includes all 50 states, U.S.
territories, U.S. Military bases and U.S. embassies in foreign countries
International ACH Transactions (“IAT”)
Our Support Structure
Incoming IATs - project complete
Worked with Banks that have an interface with DST
DST receives ACH file from bank that contains the new code and new
record layout
DST created a report that is executed daily that contains ACH transactions
with IAT code and transaction information
Operations receives the report and scans information against the OFAC
database
If there is not an OFAC hit, transaction is processed same day
If there is an OFAC match, the transaction is not processed and Operations contacts
the originating bank
Worked with banks who do not have an interface with DST
Reviewed the bank reports to identify any IAT transactions
Process follows that noted above
International ACH Transactions (“IAT”)
Our Support Structure
Outgoing IATs - project underway
All outgoing ACH transactions are run against the OFAC
database
A report that identifies outgoing systematic ACH transactions
for accounts with foreign addresses is printed daily
Currently DST is developing a systematic solution to include the
IAT code and transaction information
Boston Financial/DST are retaining reports until the process is
automated
If destination bank contacts Boston Financial/DST, transaction
information will be provided
International ACH Transactions (“IAT”)
Systematic Solution for Outgoing IAT
Flag outbound ACHs as IAT for all accounts with a foreign address based
on country code
Update the ACH layout with the new IAT layout
Provide a front-end method for users to flag the account as IAT when
setting up a new ACH
Project was rated as highest priority by RCAG Steering Committee
New California Law
State Backup Withholding
New California Law:
State Backup Withholding
Signed into law on July 28, 2009
Effective Date: January 1, 2010
Requirements
There is a 7% state backup withholding for California residents on transactions
that are subject to federal backup withholding (28%)
Exclusions include:
Those accounts or transactions not subject to federal backup withholding
Money Market Funds – (not subject to withholding)
Interest and dividend payments or release of loans
For accounts with uncertified or missing TINs, and B-Notices, California backup
withholding will apply to redemption and long-term capital gains only
For accounts with C-Notices, California backup withholding applies only to long-term capital gains
New California Law
State Backup Withholding
Our Support Structure
We will continue the analysis of the Bill and work to begin identifying
potential impacts to determine necessary long-term system changes
Analyzing possible solutions
Efforts involved in taking the withholding automatically on
applicable payments, remitting withholding, and reporting to
California residents
Due to the short time-frame, a full systematic process will not be
available on January 1, 2010
DST programming is developing a short-term solution that will
involve minimal manual effort until the long-term systematic
solution is available
Questions
Craig Hollis
Vice President, AML Officer, Boston Financial
Thank You