Posts filed under ‘Advocacy’
If Nixon can go to China, then I can darn well compliment the American Bankers’ Association when it makes a good point. That is what I am doing today. Besides, if the bankers succeed in getting a petition approved by the Federal Communications Commission (FCC), credit unions will benefit as well.
We all know that identity and data theft prevention are all the rage. Suppose that you are approached by a vendor with a great new system that will send out automated voice messages to a member’s cell phone anytime there is an indication that fraudulent activity may be taking place. Given the volume of potential fraud alerts, as well as the speed at which hackers can do their damage, using automated voice messaging and texting is the quickest, most cost effective way of getting the word out. In addition, since the cell phone has become an adult umbilical cord, it makes perfect sense to send the message right to the smart phone, provided that a member has given the number to the financial institution.
However, these services have run up against a compliance speed trap. The Telephone Consumer Protection Act (TCPA) generally prohibits companies from calling cell phones using an automatic dialer telephone system or artificial pre-recorded voice unless the call is “made with the prior consent of the party called.” See 47 USC 227(b)(1).
The problem is that Congress never defined prior expressed consent. As a result, banks and businesses fear that using pre-recorded voices to notify cell phone users of problems with their accounts may result in class action litigation. They have a point. There has already been litigation in this area and even though I think the courts would ultimately rule that a person who has provided financial institutions with a cell phone number has consented to these notifications, nobody should have to go through litigation to find out.
To resolve this issue, the American Bankers’ Association submitted a petition to the FCC, which enforces the TCPA. In the petition they are asking for the authority to send the following messages using either automated phone calls or text messages to a cell phone:
- Fraud and Identity Theft Alerts;
- Data and Security Breach Notices;
- Money Transfer Notifications and notifications of actions needed to arrange for receipt of pending money transfers; and
- Messages informing consumers of “steps they can take to prevent or remedy harm caused by data security breaches.”
Presumably, if the bankers’ petition is successful, credit unions would have the same authority. So in reality, this is a win-win. The proposal makes good sense: we should all be able to reach out and touch someone when doing so protects their assets.
My challenge today is to see if I can write this blog in less time than Eli Manning takes on average to throw an interception. No easy task, but here goes.
There are two basic reasons to hold a hearing in Albany. The first reason is to react to an issue without actually doing anything about it. Typically you’ll see these hearings later in a legislative year when there simply isn’t enough time to get something accomplished. The second reason is to actually lay the groundwork for key issues the Legislature will deal with in an upcoming session.
On Friday, the Assembly’s Consumer Affairs and Protection Committee and its chairman Jeffrey Dinowitz held a hearing on legislation he proposed (A.10190) mandating that businesses in New York develop policies and procedures to deter data breaches. Given the controversy surrounding the issue, I wouldn’t concentrate too much on the specifics of the legislation at this point. But the mere fact that the Assemblyman has decided to hold a hearing on the issue demonstrates that the question of what to do about data breaches is sure to be a high profile issue in the upcoming legislative session.
The hearing featured the testimony of Ted Potrikus, the President of the Retail Council, and an erstwhile Albany veteran. The way retailers tell the story, there really is no need for data breach mandates. The reputational risk to retailers from data breaches is more than enough to get them to put the necessary precautions in place.
However, data breaches are not a new phenomenon and merchants have so far been unwilling to invest the resources necessary to guard against data breaches. Every year, a survey is done assessing PCI compliance. As I explained in a previous blog, the most recent survey results indicate that businesses are still not making the commitment to guard against data breaches. Home Depot’s top executive recently conceded as much.
A second argument advanced by retailers is that they are as much victims of data breaches as are financial institutions. Again, this is not entirely accurate. First, it is banks and credit unions that have to bear the cost of replacing compromised debit and credit cards. Secondly, it is extremely difficult to make merchants legally responsible for their negligence in handling customer data. For example, many retailers contract with third-party processors. These companies aggregate plastic transactions on behalf of merchants and process their payments. Litigation involving Heartland has underscored just how difficult it is for card issuers to make these processors responsible for the cost of their negligence.
Don’t get me wrong, no retailer wants to see their business victimized by data breaches. But as the law stands right now, they simply don’t have enough skin in the game to incentivize the creation and implementation of the policies and procedures Assemblyman Dinowitz wants to mandate. Finally, the retailers correctly argue that the battle against data breach is a constantly shifting one. A business may invest in the best technology possible today only to find that the bad guys have made it obsolete tomorrow. But this argument misses the point. Precisely because there is no magic bullet technology that will prevent all data breaches, legislators need to ensure that merchants are legally obligated to take baseline steps to protect against data breaches.
It could, of course, be argued that a national problem such as data breaches should best be dealt with on a federal level. I would love to see national legislation addressing this problem. But a state as large and important as New York has the authority and the ability to finally impose baseline responsibilities on all businesses. After all, credit unions and banks, for that matter, have already been required to have regulations and policies in place for years now, but without the help of merchants they are fighting with one hand tied behind their back.
Hurricane Sandy slammed into New York’s coastline on October 29, 2012 and despite the billions of dollars being spent on reconstruction there are still homeowners, some of whom undoubtedly have credit union mortgages, struggling with insurance companies to get claims resolved.
Given the scope of the storm some delays and disputes are inevitable but a disturbing article in this morning’s New York Law Journal is making me sick to my stomach. It reports that at least one engineering company hired to assess insurance claims is accused of doctoring reports in an effort to avoid compensating homeowners on legitimate claims. According to the federal magistrate overseeing the dispute there has been “reprehensible gamesmanship by a professional engineering company that unjustly frustrated efforts by two homeowners to get fair consideration of their claims. Worse yet, evidence suggest that these unprincipled practices may be widespread.” In addition the judge concluded that an attorney for the insurance company, Wright National Flood Insurance Co, violated discovery rules by failing to disclose a draft report favorable to the homeowner’s claims.
The case which has stirred the magistrate’s ire is Deborah Raimey and Larry Raisfeld vs. National Flood Insurance Co., 14 CV 461. It involves owners of Long Beach rental property that was damaged in Hurricane Sandy. It has exposed the practice of “peer reviews.” You will see why I’m using quotes in a second.
Following the hurricane the plaintiffs made an insurance claim with Wright National Flood Insurance Company. In a draft report the engineer concluded:
1) The physical evidence observed at the property indicated that the subject building was structural [sic] damaged by hydrodynamic forces associated with the flood event of October 29, 2012. The hydrodynamic forces appear to have caused the foundation walls around the south-west corner of the building to collapse.
2) The extent of the overall damages of the building, its needed scope of repair combined with the age of the building and its simple structure, leads us to conclude that a repair of the building is not economically viable
However the homeowners/plaintiffs never received this report. Instead the report’s conclusions were changed after an engineer “peer reviewed the report.” Despite the fact that this second engineer never physically inspected the damaged property the final report made available to homeowners and their attorney concluded:
1) The physical evidence observed at the property indicated that the subject building was not structurally damaged by hydrodynamic forces, hydrostatic forces, scour or erosion of the supporting soils, or buoyancy forces of the floodwaters associated with the subject flood event.
2) The physical evidence observed at the subject property indicated that the uneven roof slopes, leaning exterior walls and the uneven floor surfaces within the interior of the building, were the result of long term differential movement of the building and foundation that was caused by long-term differential movement of the supporting soils at the site and long-term deflection of the building framing.
Based on these findings the insurance company decided not to pay the homeowners. Imagine if you held this mortgage?
Reasonable minds can differ. Maybe two honest engineers reached different conclusions. But the report was written by the same engineer who changed his conclusions following a phone conversation with another engineer for a company retained by the insurance company.
At the very least this case exposes conflicts of interest inherent in a system where third parties are retained by insurance companies to decide what claims should be honored. Homeowners shouldn’t have to sue to get both sides of the story. The case also underscores the difficult issues raised by discovery requests.
But what disturbs me most of all is that the case is yet another example of how this country is suffering from a crisis in ethics coming not just from Wall Street but Main Street. People are being forced to choose between doing the honest thing, such as reporting a car defect or disclosing BSA violations, and the financially expedient thing. Every day the newspapers report on how someone chooses the financially expedient option.
Abraham Lincoln once said “That every man has a price and you are getting dangerously close to mine.” I wonder if the economic downturn has made people a little more willing than they used to be to put their ethics aside to keep their paychecks secure.
I routinely wonder about what makes credit unions unique and how they can communicate these unique attributes to their members and policy makers. I’m no Pollyanna but I believe that most credit unions are dedicated to treating people not just legally but fairly. Ethics count. Let’s not be one of those industries that push them aside in pursuit of higher profits.
A link to the case is available at:
Last Friday, the Supreme Court granted an appeal in the case of King v. Burwell. This move has gotten a lot of attention because if the Court rules against the Administration, Obamacare is gutted. Let’s face it, healthcare has joined politics and religion as a subject you don’t discuss at dinner parties – unless, of course, you’re really bored and want to liven things up a bit. So maybe it’s not surprising that lost in all the media coverage is the fact that whether you support or oppose Obamacare, the case is directly relevant to any institution subject to federal regulation.
The case will give the Court the opportunity to delineate precisely how much flexibility agencies have when making regulations intended to implement federal legislation. I know that doesn’t sound quite as interesting as saying the case could gut Obamacare, but it means that this case is much more likely to impact the regulatory environment in which credit unions operate than the first challenge to Obamacare upheld in 2012. The GAO estimates that the federal government promulgates between 2,500 and 4,500 regulations on an annual basis. Any time the Supreme Court weighs in on how much power agencies have to promulgate these rules, it’s worth paying attention to.
A core component of the Affordable Care Act (ACA) is the establishment of exchanges through which individuals can purchase health insurance. Section 1311 provides that “each state shall, not later than January 1, 2014, establish an American Health Benefit Exchange.” However, a subsequent section provides that if a state chooses not to establish an exchange, the Secretary of Health and Human Services is required to establish an exchange within that state. Only 16 states, including New York, and the District of Columbia established health care exchanges.
Crucially, tax credits are provided for millions of individuals to help offset the cost of health insurance purchased through the exchanges. Specifically, the Act provided that such subsidies are available to a tax payer enrolled in a health plan “through an exchange established by the State.” The IRS was given responsibility for implementing this provision. It decided that the statute was designed to make health care subsidies available to all eligible individuals who purchased health insurance through an exchange regardless of whether that exchange was run by the federal or state government. The issue in this case is how much flexibility the IRS had to interpret the pertinent language as applying to both federal and state exchanges.
This is the part of the debate relevant to credit unions. As we are all too aware, Congress routinely passes huge statutes with vague language. How much flexibility agencies have in interpreting these provisions is governed by a well-established judicial framework. Where a statute is clear, agencies are responsible for implementing its plain meaning. However, where a statute is susceptible to more than one interpretation, courts defer to the agency’s interpretation so long as it is reasonable. This is the reason, for example, why the Court of Appeals for the District of Columbia Circuit ruled that the Federal Reserve acted within its power when it determined the criteria to be used when establishing the debit interchange cap. Critics of so-called Chevron deference argue that this approach gives agencies too much flexibility. This case gives the Court’s conservative wing a high profile case in which to criticize or limit an agency’s discretion in writing statutes.
Why does all this matter? Because every day credit unions and their associations lobby Congress and make good faith efforts to comply with regulations spawned by Congressional enactments. The less flexibility regulators have, the more important the legislative process becomes. Conversely, the more flexibility agencies have, the more the legislation passed by Congress is simply the first stage of an increasingly convoluted law making process.
Speaking of court cases, the NCUA has filed another lawsuit seeking to recoup losses to the Share Insurance Fund stemming from the purchase of mortgage-backed securities. This lawsuit is against Deutsche Bank National Trust Company. It alleges that the company failed to properly exercise oversight over the purchase of mortgage-backed securities purchased by U.S. Central, WesCorp, Members United, Southwest and Constitution between 2004 and 2007.
Any vendor that can make itself relevant to the financial services industry since 1859 is worth paying attention to because it clearly knows how to change with the times. That’s why this post from the Motley Fool about Diebold caught my attention. At a recent electronics conference in Sin City, Diebold unveiled its vision of the branch of the future.
Diebold envisions what it describes as a “responsive banking concept” in which tellers are eliminated and branches become smaller but much more high tech. You can go into the branch for simple ATM transactions, or if you want to make more sophisticated transactions using virtual tellers, you can do that, as well. Let’s say your member is interested in getting a home or car loan. Another virtual touch board would allow the member to easily communicate with a live person via two-way video.
Similarly, IBM recently announced that it was partnering with the Bank of China to create a flagship technology branch. This branch will not be entirely virtual since members will have the ability to call over bank representatives when they need them, but the basic idea is the same: members will use cell phones or codes to execute transactions with minimal involvement from tellers.
What intrigues me so much about these prototype branches is what they portend about the future of banking. Even if you are an advocate of the brick-and-mortar branch, you have to recognize that the branch itself is going to become more virtual. Tomorrow’s member is going to expect a seamless transition between the banking she conducts on her cell phone and that she carries out in her branch.
In addition, the virtual branch will make Big Data analytics an essential tool for all financial institutions. For instance, the branch being constructed by IBM allows bank executives to get real-time information about what consumers are interested in. Consumers can even be encouraged to go to less crowded branches that may be nearby. In other words, going digital will provide your marketing department with more information about your members’ needs and desires than you could ever have anticipated. The institutions that are best equipped to analyze this information and translate it into financial products and services will be the ones most prepared to prosper going forward.
Comptroller Urges Retailers to Take Responsibility for Data Breaches
The need for retailers to take on more of the burden for preventing data breaches got a high level endorsement on Friday. Speaking before an audience of community bankers, Comptroller of the Currency Thomas J. Curry pointed out that data breaches impose a particularly heavy burden on smaller financial institutions, responsible for reissuing compromised debit and credit cards. Data breaches also “demonstrate why we need to level the playing field between financial institutions and merchants. The same expectations for security of customer information and customer notification when breaches occur should apply to all institutions. And when breaches occur in merchant systems, it seems only fair to me that they should be responsible for some of the expenses that result.”
Well said. On that note, have a great day.
A day after the CU Times reported that NACUSO issued a call-to-arms urging credit unions to help fund regulatory and potential legal actions designed to protect CUSOs against regulatory encroachments by the NCUA, it is being reported that Home Depot’s data theft was much more serious than initially reported. Not only were a mere 56 million credit card accounts compromised, but 53 million email addresses were also stolen. It now appears that access to the system came from a password stolen from one of the company’s vendors. Just how many issues does this raise? Let me count them.
- Look to your left, look to your right. Then look down the hallway. Think about the most technologically incompetent person you have working for your credit union. Realize that your data security is only as safe as that employee can make it. Data security starts with your employees. Only give access to databases to those who truly need it. The hackers are so sophisticated now that once they have access to a password, they can virtually sneak around your system and find more and more vulnerabilities.
- I’ve said it once and I’ll say it again, and I expect NCUA will be saying it to you shortly: your vendor contracts are absolutely crucial. Given the explosion of technology, it is only natural that credit unions are going to turn to vendors. If they don’t, they won’t be able to provide the type of services that members expect. But turning to the vendor doesn’t absolve the credit union of ultimate responsibility for the services the vendor is providing or the continuing need to protect member information. Consequently, just like Warren Buffett never invests in a business he doesn’t understand, your credit union should never contract for technology it doesn’t comprehend. Your vendor relationships must include ongoing monitoring by knowledgeable employees on your staff. You should make sure that your vendors document on an ongoing basis that they are compliant with the latest data security standards.
- CUSOs provide a crucial mechanism for credit unions to pool resources. Given the importance of vendor management, is it really that unreasonable for NCUA to seek a more holistic view of the CUSO industry? Personally, I don’t think so. The problem is that NCUA has sought to exercise powers it doesn’t yet have. Mandating that credit unions force their CUSOs to agree to NCUA audits is a blatant attempt to bootstrap its jurisdiction. But at the end of the day, it makes sense for NCUA to have a clear picture of what a CUSO is doing. Not only are these organizations providing services for credit unions, but their financial success or failure directly impacts credit unions’ bottom line. The middle ground is for everyone to be a lot less dogmatic and a lot more pragmatic. NCUA should seek specific legislative authority to regulate CUSOs. But it should only exercise enhanced oversight over those CUSOs that represent a truly systemic risk to the industry. This means that NCUA should base its enhanced auditing not on the type of services the CUSO provides, but on how many credit unions use its services. In addition, NCUA should reduce its proposed risk rating for CUSOs. Credit unions should be encouraged to use CUSOs as opposed to third-party vendors with no connection to the industry.