Posts filed under ‘Compliance’
If Nixon can go to China, then I can darn well compliment the American Bankers’ Association when it makes a good point. That is what I am doing today. Besides, if the bankers succeed in getting a petition approved by the Federal Communications Commission (FCC), credit unions will benefit as well.
We all know that identity and data theft prevention are all the rage. Suppose that you are approached by a vendor with a great new system that will send out automated voice messages to a member’s cell phone anytime there is an indication that fraudulent activity may be taking place. Given the volume of potential fraud alerts, as well as the speed at which hackers can do their damage, using automated voice messaging and texting is the quickest, most cost-effective way of getting the word out. In addition, since the cell phone has become an adult umbilical cord, it makes perfect sense to send the message right to the smart phone, provided that a member has given the number to the financial institution.
However, these services have run up against a compliance speed trap. The Telephone Consumer Protection Act (TCPA) generally prohibits companies from calling cell phones using an automatic dialer telephone system or artificial pre-recorded voice unless the call is “made with the prior consent of the party called.” See 47 USC 227(b)(1).
The problem is that Congress never defined prior expressed consent. As a result, banks and businesses fear that using pre-recorded voices to notify cell phone users of problems with their accounts may result in class action litigation. They have a point. There has already been litigation in this area and even though I think the courts would ultimately rule that a person who has provided financial institutions with a cell phone number has consented to these notifications, nobody should have to go through litigation to find out.
To resolve this issue, the American Bankers’ Association submitted a petition to the FCC, which enforces the TCPA. In the petition they are asking for the authority to send the following messages using either automated phone calls or text messages to a cell phone:
- Fraud and Identity Theft Alerts;
- Data and Security Breach Notices;
- Money Transfer Notifications and notifications of actions needed to arrange for receipt of pending money transfers; and
- Messages informing consumers of “steps they can take to prevent or remedy harm caused by data security breaches.”
Presumably, if the bankers’ petition is successful, credit unions would have the same authority. So in reality, this is a win-win. The proposal makes good sense: we should all be able to reach out and touch someone when doing so protects their assets.
How bad was Cleveland Quarterback Johnny Manziel in his first game as a starting quarterback? My brother summed it up well: He was so bad he made Geno Smith of the Jets look like a good quarterback. …
The Supreme Court on Friday decided to take two nuts-and-bolts bankruptcy cases that could have an operational impact on your credit union. As explained by the Fifth Circuit, “A debtor who is unwilling or unable to continue paying creditors under a Chapter 13 plan may convert his case to a Chapter 7 liquidation at any time. 11 U.S.C. § 1307(a). Because of the differences between a Chapter 13 estate and a Chapter 7 estate, such a conversion raises an inevitable question: does the Chapter 7 estate include all property held by the debtor at the time of conversion, or does it include only the property held at the time of the original Chapter 13 filing?” In Bullard v. Hyde Park Savings Bank the Court will decide if money in the possession of a Chapter 13 trustee can be distributed by that trustee after the debtor has converted to a Chapter 7 bankruptcy or must be returned to the debtor. At least one court in New York that has examined the issue has held that a trustee is free to distribute funds to creditors (In re Bell, 248 B.R. 236 (W.D.N.Y. 2000)), but other courts have disagreed.
A second case, Viegelahn v. Harris, 13-50374 (5th Cir. 2014), will rule on whether a debtor has a right to appeal a court’s refusal to confirm a bankruptcy plan. The case involves an underwater homeowner who filed for bankruptcy protection. The homeowner proposed a repayment plan which would have reduced the secured value of the mortgage loan. Hyde Park Savings Bank understandably objected and the court refused to confirm the plan, instead ordering our homeowner to come up with another plan within 30 days. The homeowner is seeking to appeal the court’s refusal to confirm his plan. It seems to me that if the Court rules in favor of the homeowner we face the prospect of even longer delays in resolving disputes involving delinquent mortgages. Oh Boy!
Starting today the Credit Union Association of New York is the New York Credit Union Association. Henceforth anyone who refers to the Association as CUANY can be shot on sight. This is bad news for me because it takes me about six months to remember anyone’s name and I still refer to the Tampa Bay Rays as the Devil Rays….
Session not Lame for Banks
The banks did pretty well in the lame-duck session. The budget deal the Senate signed off on Saturday waters down a swaps provision in Dodd Frank designed to prevent banks from gambling - I mean investing - with insured deposits. Smaller bank holding companies will also benefit from legislation allowing those with $1 billion or less in assets more flexibility in the amount of debt they can take on before being subject to greater oversight by the Federal Reserve.
Democracy is working better in some countries than in others. Conservative Japanese Prime Minister Shinzo Abe scored a decisive victory in parliamentary elections he called just days after his country slipped back into recession. That’s right, he won a decisive election weeks after it was confirmed that the world’s third largest economy is still in the tank. Why should you care? Because Abe is a proponent of quantitative easing and is likely to put off taxes meant to reduce Japan’s national debt in order to emphasize economic growth. In contrast, the US is cutting back its government spending and ending quantitative easing on the assumption that the economy doesn’t need the stimulus. If our policymakers are wrong, the economy is in for another five years of anemic economic growth even as corporate profits continue to grow.
New York State’s Department of Financial Services issued a letter to all New York State chartered and licensed banking institutions yesterday informing them that cybersecurity will be an increased emphasis of the examination process. The Department’s head, Benjamin Lawsky, said: “the Department encourages all institutions to view cybersecurity as an integral aspect of their overall risk management strategy rather than solely as a subset of information technology.”
The heightened examinations include:
- An analysis of an organization’s reporting structure for cybersecurity related issues;
- An organization’s management of cybersecurity issues including the interaction between information security and core business functions;
- An examination of information policies and procedures as well as assessing whether such policies are periodically reviewed in light of changing risks; and
- A requirement for protections against intrusion including the use of multi-factor authentication.
This list is by no means definitive and you should take a look at the entire letter.
Although the letter is applicable to all of New York State’s charges, its more detailed requirements are clearly geared to the largest institutions DFS regulates. An accompanying press release explains that “institutions will be examined as part of new, targeted DFS cybersecurity preparedness assessments.” Nevertheless, all New York State credit unions should be ready to demonstrate that they have cybersecurity policies commensurate with the risk posed by the services they provide and the vulnerability of their systems to cyber attacks. As I explained in a previous blog, cybersecurity preparedness has become a major point of emphasis for the DFS. Remember, hackers are demonstrating an increased interest in attacking small- to medium-sized financial institutions.
Since I am on the subject of cyber security, here’s a post from the Motley Fool investment site that is worth a look. It explains what it thinks investors should expect banks to be investing in when it comes to building and maintaining a cyber infrastructure.
On that note, have a nice day.
To political junkies Massachusetts Attorney General Martha Coakley is best known as the Democrat with an uncanny knack for snaring defeat from the jaws of victory. First she lost to Republican Scott Brown in an election to fill the Senate seat that was open following the death of liberal icon Ted Kennedy, and this past November she lost in her race to become Governor of a state that has been overseen by two-term Democrat Deval L. Patrick. So much for AG standing for Aspiring Governor. But Coakley has aggressively pursued data breaches and what Massachusetts does in this area is worth paying attention to.
This brings me to the subject of today’s blog: Yesterday she announced an $825,000 settlement against TD Bank for failing to promptly notify her office of a March 2012 data security incident until October 2012. The settlement stemmed from a courier’s loss of account backup information. According to the press release, when TD found out that data backups it believed it had entrusted to couriers had not arrived at its storage facility, it conducted an internal investigation and found no evidence of fraud or unauthorized access or use of the personal information involved in the incident.
The National Conference of State Legislators tells us New York is one of forty-seven states that have a data breach notification law. But these laws ostensibly leave much room for determining when notification requirements kick in. For instance, NY provides:
“Any person or business which conducts business in New York state, and which owns or licenses computerized data which includes private information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the system to any resident of New York state whose private information was, or is reasonably believed to have been, acquired by a person without valid authorization….” N.Y. Gen. Bus. Law § 899-aa (McKinney)
Personal information includes Social Security numbers, account numbers, driver’s licenses, and credit or debit card numbers in combination with any required security code.
What the Massachusetts settlement underscores for me is that you don’t have as much flexibility in deciding when the statute is triggered as you might think you do. For instance, New York’s law applies when a data breach results in a “reasonable belief” that the breached data fell into the hands of an unauthorized person, which is usually going to mean a third party. I’m reading between the lines of the Massachusetts settlement but it appears that the bank was slow in reporting the breach in part because it concluded that the data loss did not compromise anyone’s privacy. It did an investigation, saw no indication that the misplaced data was misused, surmised it was misplaced by its vendor and moved on.
This is a good legal argument since it had no evidence that anyone other than an authorized vendor or a bank employee accessed the information.
But don’t put yourself in the position of having to make this argument. When in doubt, follow the statute’s requirements. Consumers are sensitive to data breaches and AGs are getting more and more sensitive to the issue.
Governor Cuomo announced new regulations yesterday that impose extensive new requirements on debt collectors.
The good news is that they shouldn’t have a direct impact on your credit union’s practices but they will impose several new disclosure requirements on third-party debt collectors. In addition, if you are from out-of-state and don’t think these regulations will impact you, think again. The CFPB is likely to take steps to impose new debt collector requirements and New York’s regulations are already being described as a “model for the rest of the country.” (This morning’s Law360 blog).
First the good news: The regulations provide that a debt collector does not include “any officer or employee of a creditor while, in the name of the creditor, collecting debts for such creditor.” In other words if a car loan to a member turns sour these regulations don’t apply to your employees who try to collect the debt. Instead they apply to the third-party debt collector with whom you may contract to retrieve your delinquent loans.
While the distinction is an important one, if I were working at a credit union I would certainly want to make sure that any third-party collector I am using is aware of these requirements and is preparing to comply with them. In addition, at least some of the disclosures mandated by the State can’t be complied with unless you and your debt collector are working together.
For example, a debt collector has to have procedures in place for knowing if the statute of limitations for collecting a debt has expired. If it has expired the debt collector must, among other things, inform the consumer in writing that he is “not required to provide the debt collector with an admission, affirmation, acknowledgment of the debt, a promise to pay the debt, or a waiver of the statute of limitations; and if the consumer makes any payment on a debt for which the statute of limitations has expired or admits, affirms, acknowledges, or promises to pay such debt, the statute of limitations may restart.” That’s right: debt collectors must now inform debtors when they don’t have to pay back a debt. I’m dubbing this requirement the Debt Collector Miranda Requirement.
Other provisions in the regulation require debt collectors to provide:
- Written disclosures, within five days of initially contacting a consumer, detailing a debtor’s rights; different disclosures would be required when seeking repayment of “charged off debt”;
- Additional disclosures for consumers who agree to pay off a debt; and
- A requirement that consumers contesting debts be informed of their right to have the debts confirmed. There are exceptions to this requirement.
The regulations also specify when email may be used to communicate with a debtor.
Depending on when they are posted in the State Register, most of the regulation will take effect in March but provisions related to contacting individuals with charged-off debt and the substantiation of debt claims will take effect in approximately nine months.
Here is a link to the regulation:
If you were sitting around the Thanksgiving table struggling to come up with things to be thankful for, then here’s one for you, after the fact: be thankful you are not associated with the North Dade Community Development Federal Credit Union located in Miami, Florida.
The Tuesday before Thanksgiving the $4 million credit union was slapped with a $300,000 fine for significant Bank Secrecy Act (BSA) violations. According to FinCEN, from 2009-2014, the credit union had significant deficiencies in all aspects of its anti-money laundering (AML) program, even as it processed close to $2 billion in transactions for money service businesses (MSBs). FinCEN’s fine follows a 2013 Cease and Desist order issued against the credit union by NCUA.
If this were simply the story of one rogue credit union that let the income it was generating from MSBs blind it to its regulatory obligations, the story wouldn’t be worth a second look. But that’s not all that is going on here. Most importantly, regulators are increasingly concerned about credit unions that work with MSBs within their fields of membership. For instance, in January of this year, the NCUA listed oversight of credit union MSB relationships as one of its top regulatory priorities. In addition, a BSA Webinar hosted by the Office of Small Credit Union Initiatives emphasized the enhanced obligations that credit unions have when their membership includes MSBs. More generally, since 2005, regulators have stressed that when any financial institution provides services to an MSB, it takes on additional due diligence obligations.
But wait, there’s more. The credit union was also cited for its disregard of 314(a) FinCEN information requests. Under the Patriot Act, law enforcement officials at both the state and federal level are authorized to request that FinCEN forward the names of individuals about whom they are seeking information. These requests come out approximately once every two weeks. Credit unions are obligated to check their own accounts to see if they have any information FinCEN is seeking. This obligation is independent of a credit union’s responsibilities under OFAC (31 CFR 1010.520).
I’ve been quick to criticize financial regulators for their tepid approach to BSA enforcements. Don’t let the large fines fool you. Large institutions are able to get away with blatant BSA violations for years before anyone acknowledges that the inmates are running the asylum. But the fact that BSA may be enforced unfairly doesn’t change the fact that in today’s interconnected world a five-person credit union that doesn’t follow through on its BSA obligations can pose a real and dramatic threat to the country’s AML efforts.
Those of you who choose to take on more sophisticated accounts have an obligation to the entire industry to ensure that you conform with basic BSA requirements. This is one of those areas where the missteps of one credit union reflect on the industry as a whole.
Shoppers Not Feeling Jolly
If the initial press reports are any indication, Black Friday is losing its appeal to shoppers. The National Retail Federation reported that 55.1% of consumers shopped between Thursday and Sunday. That is down from 58.7% last year. It also reported that total spending was $50.9 billion, a decrease of 11% from last year. The Meier family took its annual sojourn into the city and based on our experience the statistics matched the reality: the train ride from Manhasset on the LIRR was notably less crowded and the store fronts were not as jammed. On that note, have a nice day.
With snow coming, the Meier family has decided to head over the river and through the woods to Grandma’s house on Long Island a little earlier than originally planned (I can hear someone in Buffalo saying “Snow! They call six inches Snow!”). There is a fair amount I want to tell you about before my hiatus so here goes.
Will NCUA approve a pot CU?
Now that Colorado has approved a state charter for a credit union dedicated to providing financing for the state’s nascent marijuana industry, NCUA will have to decide whether or not to federally insure the institution. I’ve written several blogs about the legal difficulties of providing pot financing. Marijuana remains illegal as a matter of federal law and even though federal prosecutors have indicated that they would turn a blind eye to institutions providing banking services in states where pot use is legal, finding financial institutions willing to open up businesses for ganja-related businesses has proven to be difficult.
I have no idea what NCUA’s ultimate decision will be but I would love to see it deny federal insurance for credit unions created to circumvent federal law.
There is a huge disconnect going on here. Heroin use is on the rise and a culture that glorifies pot use inevitably contributes to that rise by making drug use that much more acceptable. To those who extol pot’s medical benefits I would point out that few of the states that have legalized pot limit its possession to medical uses and one that has ostensibly done so, California, has made a mockery of these limits (Maybe New York will be the exception).
Let’s be honest, national groundswells for improved healthcare don’t catch fire just because some people want better healthcare; if they did, then President Obama would be the most popular President in history.
To my peers who think that pot use is no big deal I say grow up and think about your kids. College is over. Here is a link to a CU Times article and some previous blogs I’ve done on the subject.
New York clarifies application of its subprime loan statute
In 2013 the Federal Housing Finance Administration changed its policies to mandate that insurance premiums on FHA insured loans be collected over the entire length of a mortgage. This change meant that some loans would be considered subprime loans under New York law, making them all but impossible to sell in the secondary market. Legislation signed by the governor establishes a separate formula for calculating subprime loans insured by the FHA. The law is an important amendment for mortgage lenders but it does mean that there is now an additional formula that has to be calculated when determining how a mortgage loan should be classified under state and federal law. Chapter 469 of 2014 takes effect immediately.
Speaking of New York laws, in the same batch of legislation the Governor also approved a bill clarifying the authority of parents and guardians to request that credit reporting agencies preemptively place security freezes on the credit reports of persons 16 years or younger. Most importantly, the bill authorizes parents to request that a freeze be placed on a child’s credit information even if the child has no file. This means that it will be more difficult for identity thieves to use a stolen Social Security card to create an alternate identity with which they can take out loans and sign up for credit cards, for example. The legislation is Chapter 441 of 2014.
FHFA maintains Conforming loan limits
The FHFA, which oversees Fannie Mae and Freddie Mac, announced yesterday that it was maintaining the conforming loan limit at $417,000. The conforming loan limit is the maximum price above which a residential property will not be purchased by the GSEs. For my downstate brethren who think that this is a pretty low number, remember that conforming house values are higher in certain parts of the country, including much of the downstate area. Here is a link to the announcement and a link to a list of conforming value limits.