Posts filed under ‘Advocacy’

New York State Should Make Merchants Do More To Prevent Data Breaches

My challenge today is to see if I can write this blog in less time than Eli Manning takes on average to throw an interception.  No easy task, but here goes.

There are two basic reasons to hold a hearing in Albany.  The first reason is to react to an issue without actually doing anything about it.  Typically you’ll see these hearings later in a legislative year when there simply isn’t enough time to get something accomplished.  The second reason is to actually lay the groundwork for key issues the Legislature will deal with in an upcoming session.

On Friday, the Assembly’s Consumer Affairs and Protection Committee and its chairman Jeffrey Dinowitz held a hearing on legislation he proposed (A.10190) mandating that businesses in New York develop policies and procedures to deter data breaches.  Given the controversy surrounding the issue, I wouldn’t concentrate too much on the specifics of the legislation at this point.  But the mere fact that the Assemblyman has decided to hold a hearing on the issue demonstrates that the question of what to do about data breaches is sure to be a high profile issue in the upcoming legislative session.

The hearing featured the testimony of Ted Potrikus, the President of the Retail Council, and an erstwhile Albany veteran.  The way retailers tell the story, there really is no need for data breach mandates.  The reputational risk to retailers from data breaches is more than enough to get them to put the necessary precautions in place.

However, data breaches are not a new phenomenon and merchants have so far been unwilling to invest the resources necessary to guard against data breaches.  Every year, a survey is done assessing PCI compliance.  As I explained in a previous blog, the most recent survey results indicate that businesses are still not making the commitment to guard against data breaches.  Home Depot’s top executive recently conceded as much.

A second argument advanced by retailers is that they are as much victims of data breaches as are financial institutions.  Again, this is not entirely accurate.  First, it is banks and credit unions that have to bear the cost of replacing compromised debit and credit cards.  Secondly, it is extremely difficult to make merchants legally responsible for their negligence in handling customer data.  For example, many retailers contract with third-party processors. These companies aggregate plastic transactions on behalf of merchants and process their payments. Litigation involving Heartland has underscored just how difficult it is for card issuers to make these processors responsible for the cost of their negligence.

Don’t get me wrong, no retailer wants to see their business victimized by data breaches. But as the law stands right now, they simply don’t have enough skin in the game to incentivize the creation and implementation of the policies and procedures Assemblyman Dinowitz wants to mandate. Finally, the retailers correctly argue that the battle against data breach is a constantly shifting one. A business may invest in the best technology possible today only to find that the bad guys have made it obsolete tomorrow. But this argument misses the point. Precisely because there is no magic bullet technology that will prevent all data breaches, legislators need to ensure that merchants are legally obligated to take baseline steps to protect against data breaches.

It could, of course, be argued that a national problem such as data breaches should best be dealt with on a federal level. I would love to see national legislation addressing this problem. But a state as large and important as New York has the authority and the ability to finally impose baseline responsibilities on all businesses. After all, credit unions and banks, for that matter, have already been required to have regulations and policies in place for years now, but without the help of merchants they are fighting with one hand tied behind their back.

November 17, 2014 at 8:10 am

On flood victims and profits

Hurricane Sandy slammed into New York’s coastline on October 29, 2012 and despite the billions of dollars being spent on reconstruction there are still homeowners, some of whom undoubtedly have credit union mortgages, struggling with insurance companies to get claims resolved.

Given the scope of the storm some delays and disputes are inevitable but a disturbing article in this morning’s New York Law Journal is making me sick to my stomach. It reports that at least one engineering company hired to assess insurance claims is accused of doctoring reports in an effort to avoid compensating homeowners on legitimate claims. According to the federal magistrate overseeing the dispute there has been “reprehensible gamesmanship by a professional engineering company that unjustly frustrated efforts by two homeowners to get fair consideration of their claims. Worse yet, evidence suggest that these unprincipled practices may be widespread.” In addition the judge concluded that an attorney for the insurance company, Wright National Flood Insurance Co, violated discovery rules by failing to disclose a draft report favorable to the homeowner’s claims.

The case which has stirred the magistrate’s ire is Deborah Raimey and Larry Raisfeld vs. National Flood Insurance Co., 14 CV 461. It involves owners of Long Beach rental property that was damaged in Hurricane Sandy. It has exposed the practice of “peer reviews.” You will see why I’m using quotes in a second.

Following the hurricane the plaintiffs made an insurance claim with Wright National Flood Insurance Company. In a draft report the engineer concluded:

1) The physical evidence observed at the property indicated that the subject building was structural [sic] damaged by hydrodynamic forces associated with the flood event of October 29, 2012. The hydrodynamic forces appear to have caused the foundation walls around the south-west corner of the building to collapse.

2) The extent of the overall damages of the building, its needed scope of repair combined with the age of the building and its simple structure, leads us to conclude that a repair of the building is not economically viable

However the homeowners/plaintiffs never received this report. Instead the report’s conclusions were changed after an engineer “peer reviewed the report.” Despite the fact that this second engineer never physically inspected the damaged property the final report made available to homeowners and their attorney concluded:

1) The physical evidence observed at the property indicated that the subject building was not structurally damaged by hydrodynamic forces, hydrostatic forces, scour or erosion of the supporting soils, or buoyancy forces of the floodwaters associated with the subject flood event.

2) The physical evidence observed at the subject property indicated that the uneven roof slopes, leaning exterior walls and the uneven floor surfaces within the interior of the building, were the result of long term differential movement of the building and foundation that was caused by long-term differential movement of the supporting soils at the site and long-term deflection of the building framing.

Based on these findings the insurance company decided not to pay the homeowners. Imagine if you held this mortgage?

Reasonable minds can differ. Maybe two honest engineers reached different conclusions. But the report was written by the same engineer who changed his conclusions following a phone conversation with another engineer for a company retained by the insurance company.

At the very least this case exposes conflicts of interest inherent in a system where third parties are retained by insurance companies to decide what claims should be honored. Homeowners shouldn’t have to sue to get both sides of the story. The case also underscores the difficult issues raised by discovery requests.

But what disturbs me most of all is that the case is yet another example of how this country is suffering from a crisis in ethics coming not just from Wall Street but Main Street. People are being forced to choose between doing the honest thing, such as reporting a car defect or disclosing BSA violations, and the financially expedient thing. Every day the newspapers report on how someone chooses the financially expedient option.

Abraham Lincoln once said “That every man has a price and you are getting dangerously close to mine.” I wonder if the economic downturn has made people a little more willing than they used to be to put their ethics aside to keep their paychecks secure.

I routinely wonder about what makes credit unions unique and how they can communicate these unique attributes to their members and policy makers. I’m no Pollyanna but I believe that most credit unions are dedicated to treating people not just legally but fairly. Ethics count. Let’s not be one of those industries that push them aside in pursuit of higher profits.

A link to the case is available at:

http://www.propertyinsurancecoveragelaw.com/uploads/file/Raimey-v-Wright-National-Flood-Insurance-Memorandum-and-Order.pdf

November 13, 2014 at 9:46 am

Why The Challenge To Obamacare Matters To You?

Last Friday, the Supreme Court granted an appeal in the case of King v. Burwell.  This move has gotten a lot of attention because if the Court rules against the Administration, Obamacare is gutted.  Let’s face it, healthcare has joined politics and religion as a subject you don’t discuss at dinner parties – unless, of course, you’re really bored and want to liven things up a bit.  So maybe it’s not surprising that lost in all the media coverage is the fact that whether you support or oppose Obamacare, the case is directly relevant to any institution subject to federal regulation.

The case will give the Court the opportunity to delineate precisely how much flexibility agencies have when making regulations intended to implement federal legislation.  I know that doesn’t sound quite as interesting as saying the case could gut Obamacare, but it means that this case is much more likely to impact the regulatory environment in which credit unions operate than the first challenge to Obamacare upheld in 2012.  The GAO estimates that the federal government promulgates between 2,500 and 4,500 regulations on an annual basis.  Any time the Supreme Court weighs in on how much power agencies have to promulgate these rules, it’s worth paying attention to.

A core component of the Affordable Care Act (ACA) is the establishment of exchanges through which individuals can purchase health insurance.  Section 1311 provides that “each state shall, not later than January 1, 2014, establish an American Health Benefit Exchange.”  However, a subsequent section provides that if a state chooses not to establish an exchange, the Secretary of Health and Human Services is required to establish an exchange within that state.  Only 16 states, including New York, and the District of Columbia established health care exchanges.

Crucially, tax credits are provided for millions of individuals to help offset the cost of health insurance purchased through the exchanges.  Specifically, the Act provided that such subsidies are available to a tax payer enrolled in a health plan “through an exchange established by the State.”  The IRS was given responsibility for implementing this provision.  It decided that the statute was designed to make health care subsidies available to all eligible individuals who purchased health insurance through an exchange regardless of whether that exchange was run by the federal or state government.  The issue in this case is how much flexibility the IRS had to interpret the pertinent language as applying to both federal and state exchanges.

This is the part of the debate relevant to credit unions.  As we are all too aware, Congress routinely passes huge statutes with vague language.  How much flexibility agencies have in interpreting these provisions is governed by a well-established judicial framework.  Where a statute is clear, agencies are responsible for implementing its plain meaning.  However, where a statute is susceptible to more than one interpretation, courts defer to the agency’s interpretation so long as it is reasonable.  This is the reason, for example, why the Court of Appeals for the District of Columbia Circuit ruled that the Federal Reserve acted within its power when it determined the criteria to be used when establishing the debit interchange cap.  Critics of so-called Chevron deference argue that this approach gives agencies too much flexibility.  This case gives the Court’s conservative wing a high profile case in which to criticize or limit an agency’s discretion in writing statutes.

Why does all this matter?  Because every day credit unions and their associations lobby Congress and make good faith efforts to comply with regulations spawned by Congressional enactments.  The less flexibility regulators have, the more important the legislative process becomes.  Conversely, the more flexibility agencies have then the more the legislation passed by Congress is simply the first stage of an increasingly convoluted law making process.

Speaking of court cases, the NCUA has filed another lawsuit seeking to recoup losses to the Share Insurance Fund stemming from the purchase of mortgage-backed securities.  This lawsuit is against Deutsche Bank National Trust Company.  It alleges that the company failed to properly exercise oversight over the purchase of mortgage-backed securities purchased by U.S. Central, WesCorp, Members United, Southwest and Constitution between 2004 and 2007.

November 12, 2014 at 7:41 am

How Smart Is Your Branch?

Any vendor that can make itself relevant to the financial services industry since 1859 is worth paying attention to because it clearly knows how to change with the times.  That’s why this post from the Motley Fool about Diebold caught my attention.  At a recent electronics conference in Sin City, Diebold unveiled its vision of the branch of the future.

Diebold envisions what it describes as a “responsive banking concept” in which tellers are eliminated and branches become smaller but much more high tech.  You can go into the branch for simple ATM transactions, or if you want to make more sophisticated transactions using virtual tellers, you can do that, as well.  Let’s say your member is interested in getting a home or car loan.  Another virtual touch board would allow the member to easily communicate with a live person via two-way video.

Similarly, IBM recently announced that it was partnering with the Bank of China to create a flagship technology branch.  This branch will not be entirely virtual since members will have the ability to call over bank representatives when they need them, but the basic idea is the same:  members will use cell phones or codes to execute transactions with minimal involvement from tellers.

What intrigues me so much about these prototype branches is what they portend about the future of banking.  Even if you are an advocate of the brick-and-mortar branch, you have to recognize that the branch itself is going to become more virtual.  Tomorrow’s member is going to expect a seamless transition between the banking she conducts on her cell phone and that she carries out in her branch.

In addition, the virtual branch will make Big Data analytics an essential tool for all financial institutions. For instance, the branch being constructed by IBM allows bank executives to get real time information about what consumers are interested in.  Consumers can even be encouraged to go to less crowded branches that may be nearby.  In other words, going digital will provide your marketing department with more information about your members’ needs and desires than you could ever have anticipated. The institutions that are best equipped to analyze this information and translate it into financial products and services will be the ones most prepared to prosper going forward.

Comptroller Urges Retailers to Take Responsibility for Data Breaches

The need for retailers to take on more of the burden for preventing data breaches got a high level endorsement on Friday. Speaking before an audience of community bankers, Comptroller of the Currency Thomas J. Curry pointed out that data breaches impose a particularly heavy burden on smaller financial institutions, responsible for reissuing compromised debit and credit cards. Data breaches also “demonstrate why we need to level the playing field between financial institutions and merchants. The same expectations for security of customer information and customer notification when breaches occur should apply to all institutions. And when breaches occur in merchant systems, it seems only fair to me that they should be responsible for some of the expenses that result.”

Well said.  On that note, have a great day.

November 10, 2014 at 8:28 am

When It Comes To CUSO Regulation, Can’t We All Just Get Along?

A day after the CU Times reported that NACUSO issued a call-to-arms urging credit unions to help fund regulatory and potential legal actions designed to protect CUSOs against regulatory encroachments by the NCUA, it is being reported that Home Depot’s data theft was much more serious than initially reported.  Not only were a mere 56 million credit card accounts compromised, but 53 million email addresses were also stolen.  It now appears that access to the system came from a password stolen from one of the company’s vendors.  Just how many issues does this raise?  Let me count them.

    • Look to your left, look to your right.  Then look down the hallway.  Think about the most technologically incompetent person you have working for your credit union.  Realize that your data security is only as safe as that employee can make it.  Data security starts with your employees.  Only give access to databases to those who truly need it.  The hackers are so sophisticated now that once they have access to a password, they can virtually sneak around your system and find more and more vulnerabilities.
    • I’ve said it once and I’ll say it again, and I expect NCUA will be saying it to you shortly:  your vendor contracts are absolutely crucial.  Given the explosion of technology, it is only natural that credit unions are going to turn to vendors.  If they don’t they won’t be able to provide the type of services that members expect.  But turning to the vendor doesn’t absolve the credit union of ultimate responsibility for the services the vendor is providing or the continuing need to protect member information.  Consequently, just like Warren Buffett never invests in a business he doesn’t understand, your credit union should never contract for technology it doesn’t comprehend.  Your vendor relationships must include ongoing monitoring by knowledgeable employees on your staff.  You should make sure that your vendors document on an ongoing basis that they are compliant with the latest data security standards.
    • CUSOs provide a crucial mechanism for credit unions to pool resources. Given the importance of vendor management, is it really that unreasonable for NCUA to seek a more holistic view of the CUSO industry? Personally, I don’t think so. The problem is that NCUA has sought to exercise powers it doesn’t yet have. Mandating that credit unions force their CUSOs to agree to NCUA audits is a blatant attempt to bootstrap its jurisdiction.  But at the end of the day, it makes sense for NCUA to have a clear picture of what a CUSO is doing. Not only are these organizations providing services for credit unions, but their financial success or failure directly impacts credit unions’ bottom line. The middle ground is for everyone to be a lot less dogmatic and a lot more pragmatic. NCUA should seek specific legislative authority to regulate CUSOs. But it should only exercise enhanced oversight over those CUSOs that represent a truly systemic risk to the industry. This means that NCUA should base its enhanced auditing not on the type of services the CUSO provides, but on how many credit unions use its services.  In addition, NCUA should reduce its proposed risk rating for CUSOs.  Credit unions should be encouraged to use CUSOs as opposed to third-party vendors with no connection to the industry.

November 7, 2014 at 8:26 am

Are you asking questions about cyber security?

The Federal Financial Institutions Examination Council (FFIEC), which reflects the combined wisdom of all the financial regulators including the NCUA, released a “statement” yesterday in which it strongly recommended that financial institutions participate in the Financial Services Information Sharing and Analysis Center (FS-ISAC) as part of their efforts to enhance the cyber security of their institutions. The call for greater information sharing is the biggest takeaway from a report and statement the FFIEC released yesterday based on an assessment of the steps that 500 financial institutions are taking to deal with cyber threats.

Although regulators stressed that the report’s observations were not to be treated as official Guidance, don’t believe them. They may not be binding on you, but they easily could be required of you in the near future. Plus, the report provides some great advice to help develop a more robust cyber security program. For example, the report is filled with questions that board members and executives should be asking about their cyber security preparedness and steps that institutions should consider taking to mitigate risk. Among the questions that boards should be asking are:

  • What is the process for ensuring ongoing and routine discussions by the board and senior management about cyber threats and vulnerabilities to our financial institution?
  • How is accountability determined for managing cyber risks across our financial institution? Does this include management’s accountability for business decisions that may introduce new cyber risks?
  • What is the process for ensuring ongoing employee awareness and effective response to cyber risks?

What I would suggest doing is actually asking yourself these and the other questions outlined in the report and see what vulnerabilities your credit union has and can realistically guard against given its size and sophistication. Furthermore, ask these questions at least once a year. Cyber security is a dynamic threat and has to be monitored constantly.

As for getting involved with FS-ISAC, this organization is designed to get information about cyber threats out to financial institutions as quickly as possible and act as a repository of emerging cyber threats. Here is a link to the site: https://www.fsisac.com/

One editorial comment: The way this information was released underscores a growing problem with the way credit unions and apparently other financial institutions are being regulated. By issuing “Guidance,” “Statements” and “Reports” without clearly delineating what obligations these documents are imposing on credit unions, regulators are adding a degree of confusion to compliance that doesn’t have to be there. Here is a simple solution: All documents directed at financial institutions should include a sentence explaining what statutory power an agency is exercising in publishing the material. Regulations always include a reference to the statute pursuant to which a regulation is being promulgated and the same procedure should have to be followed when it comes to issuing reports with recommendations that sound an awful lot like examiner commandments.

Here is a link to the material: http://www.ncua.gov/News/Pages/NW20141103FFIEC.aspx  

According to this morning’s CU Times, NCUA officials have officially decided that interest rate risk would be removed as a focus of NCUA’s Risk Based capital proposal. Instead IRR would be dealt with in a separate proposal.

We have to see what NCUA is actually going to propose but in concept this is a very positive development. Many of the proposed risk weightings – most noticeably those dealing with mortgage concentrations – seemed to have been designed to make it structurally impossible for credit unions to take on too many long-term loans and investments even if this meant making it difficult for them to offer sound products that members wanted.

In addition, by the middle of next year, we should have a better idea of how risky the interest rate environment is. The Fed will either start raising short-term rates by the middle of next year or the economy will continue to be so sluggish that only the clinically paranoid will fear a sudden spike.

A link to the article is right here: http://www.cutimes.com/2014/11/03/ncua-drafts-separate-irr-rule?eNL=5458bb8e140ba0ad359ec5bf&utm_source=Daily&utm_medium=eNL&utm_campaign=CUT_eNLs&_LID=127666171

 

I know it’s a cliché, but people all over the world die for the right to vote. Don’t be lazy. Vote today.

November 4, 2014 at 9:28 am

Don’t tax my S-Corporation!

My guess is that as soon as the elections are over and the Republicans take control of the Senate (don’t delude yourselves, Dems, this is going to happen), you will hear talk about tax reform again.

Now don’t get me wrong, this is not one of those premature “Don’t Tax My Credit Union” calls to arms. The industry has more important things to do heading into a new year of legislating than man the barricades every time someone somewhere raises questions about the credit union tax exemption. But my guess is that there are enough legislators who secretly want to actually demonstrate to the American public that they can legislate. I’m also guessing that tax reform will be a big issue over the next two years, especially since the President has signaled a willingness to talk about the issue in the past and still has two years to accomplish something. So let’s have a thoughtful, fact-based discussion about the advantages and disadvantages of various tax policies.

A recently posted Liberty Street Blog by researchers at the New York Fed is a good place to start. 

First I want to squelch at the earliest possible moment any talk of reforming the tax code so that fewer banks can effectively avoid paying corporate income taxes by becoming S-corporations. As this recent post by the New York Federal Reserve Liberty Street Blog points out:

“S-Corporations currently account for 3.7 percent of total banking industry assets. Excluding the fifty largest banks, S-Corporations account for a more sizable 19.9 percent of aggregate commercial bank assets. As a rule, the higher the percentage of corporate income to be distributed, the more beneficial it is to elect S-status. So the S-Corporation best benefits an existing profit-making corporation that doesn’t reinvest earnings, or cannot do so because of an accumulated earnings problem, and expects to distribute substantially all of its income to shareholders.”

I know what you are thinking. Those banks are stealing money that could be used to reduce the deficit.  Besides how many of these tax dodging banks have really done enough to deserve their tax status?

But I say calm down and think logically. These are smaller banks and it’s not as if they don’t pay a host of other taxes. I say the value of helping institutions stay in local communities is much better than having them fade away.

Besides, S-Corporations have been around since the late 50’s but commercial banks weren’t eligible for the treatment until 1997. S-Corporations can have up to 175 shareholders. They are allowed to pass through income and losses to the individual shareholders. Let’s say you’re an $800 million asset community bank with healthy profits. What the S-Corp allows you to do is avoid double taxation since the shareholders but not the bank corporation will be taxed on the profit. If this sounds a lot like the tax exempt status of credit unions it’s because it is: In fact according to the bloggers one of the arguments for expanding the S-Corp was that community banks needed a level playing field on which to compete with credit unions.

Has the S-Corp bank been worth it? I’d say so. For example according to the Blog’s authors, S-Corps are more likely to stay independent as opposed to merging with larger banks. My guess is that their favorable tax status combined with the fact that they have access to capital creates enough of an incentive for shareholders and board members to stay independent rather than give up the fight against their larger competitors.

This is worth pondering. It means that at a time when both the banking and credit union industries are struggling to keep smaller lending institutions with viable growth plans alive, the S-Corp provides a great example of how tax exemptions, narrowly employed and coupled with the right incentives, can help local financial institutions grow and serve the needs of the communities in which they are located.  Wouldn’t it be ridiculous to waste time arguing against smart tax policy? I certainly think so.

Here is the Post

 http://libertystreeteconomics.newyorkfed.org/2014/11/evolution-of-s-corporation-banks.html

November 3, 2014 at 9:26 am

Authored By:

Henry Meier, Esq., Associate General Counsel, Credit Union Association of New York