Posts filed under ‘Compliance’

Is PCI Compliance Failing?

Verizon came out with its annual report detailing compliance with voluntary Payment Card Industry(PCI) standards intended to make sure that merchants and financial service providers take steps to prevent data theft. The results are depressing with only 11 percent of surveyed companies fully PCI compliant. Despite the fact that PCI has been around for almost a decade the report concludes that the vast majority of organizations lack the ability to have a sustainable PCI protocol

In addition the report uses its bluntest language to date in acknowledging that many merchants aren’t doing enough to protect against data theft. Specifically the report acknowledges the complaints of critics who complain that only the largest merchants have to submit detailed annual compliance reports under the PCI protocols. As a result “while most merchants are striving to comply with (PCI compliance) in good faith” the lack of validation of these efforts “can be a problem.”

The system just isn’t working either because data theft is just too big a problem, or because voluntary compliance just doesn’t work or a combination of both.

Critics of congressional action on data protection correctly point out that codifying specific requirements could result in a system that doesn’t evolve quick enough to address emerging challenges. Conversely this report makes clear that voluntary efforts don’t go far enough. Merchants must be compelled to implement policies and procedures to identify and prevent data theft Just like credit unions. These policies would only have to be commensurate with a merchant’s size and sophistication.

There is no panacea but commonsense federal action would certainly be a step in the right direction.    

Here is a copy of the report.

April 23, 2014 at 9:39 am Leave a comment

4 Things to Ponder on Monday AM

If you are like me, you haven’t been paying much attention to the news over the past few days, so here are 4 things to ponder as you begin your credit union work week.

  • The CFPB recently issued a guide instructing lenders how to comply with the combined TILA-RESPA integrated disclosures that take effect August, 2015.  The CFPB does a phenomenal job with these guides in which it cuts through the more technical aspects of its regulations and provides lenders with practical tips on complying with some of its lending regulations.  I know some of you have understandably taken a break from obsessing about mortgages now that you have gotten your qualified mortgages policies and procedures up and running (you have, right?) but you should remember that the CFPB’s regulation introducing brand new lending application and closing disclosures will have a huge operational impact on those of you who provide mortgages.  For example, closing disclosures will generally have to be provided three business days before closing.  To me this remains one of the most foolish requirements promulgated by the CFPB, but I hope I am wrong with this prediction.  On the bright side I have always been disgusted by the needlessly complicated disclosure process we use when buying and selling houses and in my opinion these new integrated disclosures can’t be any worse that the current disclosures provided to home buyers.  Bottom line, take a look at the manual.  It is not too early to see how you are going to comply with these new requirements.
  • While we are on the topic of mortgages, there is a great article in the Wall Street Journal pointing out a silver lining in an otherwise atrocious mortgage origination market.  According to the Journal, credit unions and community banks are leading the way in loosening lending standards.  Specifically, the paper notes that many lending organizations, desperate to find income now that the low hanging fruit of mortgage origination is no longer available, have reduced requirements for, among other things, the size of mortgage down payments. It will be interesting to see if this trend continues and if it is robust enough to jolt some life into the mortgage market.  It has always been the hope of the CFPB that smaller credit unions and community banks will make mortgage loans using the same standards that they had in place before Dodd-Frrank and the qualified mortgage rules. 
  • The CFPB filed a brief on Wednesday defending itself against a long-shot lawsuit claiming that Congress violated the Constitution when it created it under the Dodd-Frank Act.  The lawsuit, centers on claims that Congress violated the separation of powers doctrine when it gave the Bureau the power to create regulations free of the oversight of Congress or the need for annual Congressional appropriations.  The lawsuit also argues it is illegal that the director cannot be removed at will by the President.  In October the federal District Court for the District of Columbia dismissed the lawsuit.  Morgan Drexen, Inc. et al v. Consumer Finance Protection Bureau, 13-5342.  
  • If Heather Anderson’s report in the CU Times is any indication, then NCUA can expect about as warm a reception as the one Congressmen received as they tried to defend Obama Care at town hall meetings.  OK, maybe I am exaggerating a little but after seeing reports that credit union executives asked pointed questions of the NCUA staff at a recent session dedicated to the Risk-Based Capital proposal at a NACUSO conference in Orlando, it appears that NCUA staff better get working on answering some basic questions.  Among the questions for which the audience did not receive satisfactory answers were how NCUA weighed the need to allow credit unions to take risks in search of higher returns against the perceived need for stricter capital requirements.   There are two basic issues being debated with NCUA’s risk-based capital proposal.  One is whether or not the proposal make sense for the credit union industry at this time.  Secondly, did the NCUA perform adequate due diligence in devising this specific plan?  I sincerely hope the answer to the second question is yes, but one of the most striking aspects of the published proposal is a lack of substantive explanations for the specific requirements it is seeking to impose on credit unions. 

April 21, 2014 at 8:26 am Leave a comment

CFPB Extends Remittance Transfer Exception For Five Years

The CFPB proposed a regulation yesterday to extend for five years, until July 2020, a rule permitting depository institutions, including credit unions, to estimate certain fees and taxes when making disclosures to members making international wire remittances. 

Under the Dodd-Frank Act, the CFPB was required to promulgate regulations mandating that consumers be given detailed information about the cost of an international remittance.  In implementing the rule, the CFPB exempted institutions that make 100 or fewer international remittances a year.  Nevertheless, the regulation has been among the most closely watched by the credit union industry.  Under the proposal, providers of remittances must, among other things, include prepayment disclosures that inform the sender of the transfer amount in the sender’s currency, transfer fees, the total amount of the transaction in the sender’s currency, and an estimate of the exchange rate. 

They also must include other fees imposed by entities other than the remittance transfer provider that will be deducted from the amount transferred by the consumer.  These fees are almost impossible for depository institutions to ascertain since many of them do not have pre-existing relationships with the institutions that will be receiving the remittances.  As a result, depository institutions and credit unions were given the authority to estimate these fees (fees and exchange rates) until January 21, 2015.  The most important part of yesterday’s proposed regulation is that it extends this exception for another five years until 2020. 

Once again, remember that this rule only applies to institutions that make more than 100 international remittance transfers a year.  Those of you who are impacted should take a look at the actual proposal since the exceptions granted by the CFPB while important are limited.  One final note, for many credit unions the CFPB has become the institution they love to hate.  But, yesterday’s change reflects the Bureau at its best, it considers arguments on their merits and does a better job of explaining its proposed regulations than any agency out there.

April 16, 2014 at 8:39 am Leave a comment

The Good, The Bad and The Ugly

The Good

Good things come to those who wait. . .and wait. . .and wait.  Nearly four years after deciding not to appeal federal court rulings holding that the IRS wrongly tried to tax certain state chartered credit union activities, the IRS has finally gotten around to issuing a memorandum to its examiners confirming that state chartered credit unions are exempt from most UBIT taxes. 

It’s been a while since UBIT was a big issue, so here’s a quick refresher. The Unrelated Business Income Tax (UBIT) taxes the activities of not-for-profit tax-exempt organizations which are not substantially related to the activities for which an organzation was given tax exempt status.  Federal credit unions are explicitly exempt from this tax.  In two cases brought in federal district court and decided in 2009 and 2010, credit unions successfully argued that contrary to the IRS’s opinion, most of the products and services commonly offered by state chartered credit unions are exempt from the UBIT tax.including the sale of credit life and credit disability insurance, GAP auto insurance, ATM “per-transaction fees FROM MEMBERS,” interest on loans and the sale of checks from a check printing company to members. 

The decisions and the recently released memorandum are not a complete victory for state-chartered credit unions.  For instance, the sale of automobile warranties, accidental death and dismemberment insurance, life insurance and ATM “per-transaction fees FROM NON MEMBERS” are subject to UBIT.  I’ve included a link to the IRS memorandum so you can take a look at the entire list.  All in all, though, this is the biggest victory for credit unions in the last decade. 

The Bad

Credit unions are mainly concerned with the enormous power the CFPB has to promulgate consumer regulations.  But to really get a feel for just how powerful the Bureau is, you should keep in mind that it also has the authority to take legal action against financial institutions engaging in deceptive financial practices.  The latest institution to run afoul of the CFPB is Bank of America, which has agreed to pay approximately $727 million in refunds and $20 million in fines in relation to allegations that it engaged in deceptive practices when selling 1.4 customers credit cards and so-called “add-on services.”  A separate agreement was reached with the OCC.

 Among the sins highlighted by the Bureau were the fact that some consumers were led to wrongly believe that the first 30 days of coverage for certain add-on credit card services were free and aggressive enrollment practices which led consumers to believe that they were simply obtaining additional information about a product when in fact they were agreeing to buy it.  These enforcement actions provide a pretty good signal of where the CFPB thinks additional regulation is necessary, so even though Bank of America’s misdeeds may not affect you today, they may impact the work load of your compliance officer tomorrow.

The Ugly

Just how bad is it for mortgage lenders out there?  According to the Wall Street Journal, mortgage originations in February “fell to their lowest level in 14 years due to the months long plunge in refinancing activity and weak demand for loans to purchase new homes.”  The Journal also reports that the share of mortgage applications for refinances hit their lowest level since 2009.  Remember, this is all taking place as the FED is winding down its bond buying program and tougher lending regulations are taking effect.  Unless we see a huge surge of consumer confidence and economic growth in the near future, this is shaping up as one heck of a depressing year for the mortgage market.

On that happy note, have a nice day!

April 10, 2014 at 8:50 am Leave a comment

Beware of Unlimited Operations

Yesterday the FFIEC, the regulatory body comprised of all the major federal financial regulators including the NCUA, issued two guidances related to the expected risk-mitigation efforts to be taken by financial institutions regarding automated teller machine (ATM) card authorization schemes and distributed denial of service attacks (DDoS).  Don’t toss these statements into the bin on the corner of the desk.  Efforts taken by financial institutions to mitigate cyber attacks are a point of emphasis for all examiners, including the NCUA. 

The Joint Statement on cyber attacks on ATM card authorization systems is particularly noteworthy.  Under an increasingly popular form of cyber theft called “unlimited operations,” crooks use basic phishing techniques to gain access to employee passwords.  Over time, hackers are able to infiltrate a financial institution’s debit card authorization system.  With this knowledge, they eliminate limits placed on the amount of money that can be taken from debit and pre-paid debit cards.  In one scam highlighted by federal prosecutors in New York, cyber criminals distributed debit card information to co-conspirators in several countries who pulled more than $40 million from customer accounts.

Denial of service attacks have gotten a lot of attention lately because of the increasing evidence that they are being used by countries and cyber terrorists to disrupt the online services of major financial institutions.  But these attacks designed to disrupt services are also commonly used to mask good, old-fashioned cyber crime.  As explained by security analyst Avivah Litan:

“Once the DDoS is underway, this attack involves takeover of the payment switch (e.g. wire application) itself via a privileged user account that has access to it. Now, instead of having to get into one customer account at a time, the criminals can simply control the master payment switch and move as much money from as many accounts as they can get away with until their actions are noticed.”

Yesterday’s statements also underscore the need for all institutions, irrespective of asset size, to take steps to guard against cyber assault.  In fact, the guidance on ATM takeovers notes that unlimited operations specifically target web-based controls used by small and medium sized financial institutions. 

Also, keep in mind that while these statements are new, the need for credit unions to take appropriate steps consistent with their size and sophistication to guard against cyber crime is not new.  You should periodically be taking a look, at 12 CFR 748 to make sure that your credit union is implementing an appropriate program of loss mitigation.

While all institutions should be required to make reasonable, good faith efforts regarding cyber crime, let’s face it, this is a high-tech game of Whack-A-Mole.  Any successful efforts to mitigate a certain type of security breach will quickly be circumvented by hackers with the brains and the financial motivation to take other people’s money. 

The federal government has to take the lead in developing an appropriate cyber defense scheme in this country.  But with Congress unable or unwilling to impose basic security measures on merchants, this is about as likely to happen as the Yankees winning the World Series this year . . .that’s right after just two games I am willing to say that’s an awfully expensive mediocre team.  On that note, enjoy your day.

April 3, 2014 at 8:39 am 1 comment

NCUA Makes Share Insurance Fund Safest In The World!

As readers of this blog will know, there are days when the amount of news is so great that I do away with my normal commentary to highlight the latest developments.  This is one of those days.

Most importantly, NCUA announced late last evening that it would modify its Risk Based Capital proposal to both accommodate credit union concerns for greater flexibility and NCUA concerns about protecting the all important Share Insurance Fund.  NCUA has decided to scrap its proposed placement of credit union assets into ten risk-rated categories.  Instead, all assets held by credit unions will be given asset ratings of 1250%.  This means that all credit unions will have to back up all their loans with 100% collateral. 

For example, if you want to make a $100,000 member business loan, the member will have to provide you with collateral equal to 100% of the loan. Chairman Matz pointed out that the new system will make the SIF the safest of all bank insurance systems in the world.  In addition, whereas the initial proposal effectively penalized credit unions for holding concentrations of residential mortgages and investing in CUSOs, the new system doesn’t discriminate against any type of lending activity.  When asked how credit unions could survive under this new regime, Matz responded that “the key is going to be volume, lots and lots of volume.”

“Besides,” she explained, “NCUA’s ultimate responsibility is to protect the Share Insurance Fund, not credit unions.”


Following up on a ground-breaking speech yesterday in which she tried to convince people that the Federal Reserve Board really does care about Joe Six Pack when it artificially depresses interest rates that could otherwise be used to help fund retirements and help credit unions and community banks make more mortgages, Chairman Yellen announced that she would be converting the Federal Reserve Banks to credit unions.  She explained that credit unions really do care about their local communities and if they modeled the Fed after the credit union corporate system, what could possbily go wrong?  If the conversion goes through, it will reflect a trend where banks are converting to credit unions by the thousands to take advantage of the credit unions’ tax exempt status.  Once the conversion is finalized, Yellen will be stepping down and her job will be taken over by credit union expert Keith Leggett.  I have a soft-spot for Keith since he’s one of the few people I am certain consistently read this blog.  His new job as head of the credit unions will enable him to take advantage of the low rates and great service offered by credit unions without being fired by the Bankers’ Association. 


Speaking of new jobs, CUNA has responded to the clear, decisive guidance of credit unions by publicly announcing the criteria it will be using to recruit a new CEO.  Specifically, CUNA has been tasked with finding someone who’s a cross between Mother Teresa and Karl Rove.  Rumor has it that CUNA already reached out to Pope Francis about taking the job, but he declined explaining that Popes cannot resign.  Another early candidate was Oprah Winfrey but she declined as one of the few candidates for whom the CUNA job would represent a pay cut.


Yesterday was the drop dead deadline for the American public to sign up for health insurance or be required to pay a fine — I mean tax, sorry Judge Roberts – for refusing to purchase health insurance.  But if you haven’t signed up yet, don’t worry.  The Department of Health and Human Services is expected to announce later today new regulations under which only the politically popular parts of Obamacare will take effect and the public can ignore those aspects it doesn’t like.  The HHS explained that while the regulation may seem broad, it is perfectly consistent with the President’s power to do whatever he wants to do when Congress refuses to go along with his proposals.


Speaking of Congress, House Republicans reacted with anger to Chairman Yellen’s speech yesterday.  They announced their own policies to increase employment highlighted by a bill to do away with all unemployment benefits.  They explained that by completely eliminating government handouts people will have to go out and finally get a job. 




Finally, New York State passed an on time budget for the fourth year in a row late last night.  This is no joke, although if I said this just a few years ago, it would have been.  The truth is your erstwhile blogger can remember sitting around the Capitol on Easter Sundays watching the Ten Commandments while Legislative leaders tried to hammer out a budget.

On that note, enjoy your April Fools Day.

April 1, 2014 at 8:04 am Leave a comment

Are you making a subprime loan?

One of the most amazing things about watching the legislative process in New York State is that, as a friend of mine once explained, key staff people in the Capitol tend to draw their powers from the night.  As a result, almost all the important legislation passed in New York State is negotiated in the wee small hours of the morning when any normal group of people would be in bed.  Therefore, it is amazing to me that there arent’ as many drafting mistakes as you would expect given New York’s proclivity for late night hijinks.

This came to my mind yesterday as I read a recently finalized regulation from the State’s Department of Financial Services, which provides guidance for the interpretation of Section 6-m of the Banking Law — New York’s subprime loan law.  As anyone who has tried to comply with the myriad of disclosures tied to mortgage loans these day knows, timing is everything.  For instance, in New York State, a subprime loan is a first lien mortgage, the rate for which exceeds the weekly primary market survey for comparable mortgages by one and three quarters percentage points. 

According to the statute, you would review the survey posted in the week prior to which the lender provided the good faith estimate.  The new regulation provides useful guidance as to how this should be interpreted on an operational level.  For example, let’s say a member comes in on a Friday afternoon.  Do you base your subprime loan determination on the survey posted a day ago or a week ago?  Since the primary mortgage market survey is posted on Thursdays, the relevant survey to be used for purpose of determining whether or not a loan is sub-prime “is the one published on the Thursday prior to receiving the Good Faith Estimate.”  This means that, for the example above, you would look at the survey published the day prior.

What happens if a new GFE is provided to the member?  That triggers a new look back period to determine whether or not we have a subprime loan on our hands.

I apologize for giving you this information before you have had your second cup of coffee, but there is no area of lending where attention to detail matters as much as in mortgage lending..

March 25, 2014 at 8:40 am Leave a comment

Credit Unions Score Major Victory

Credit unions scored a major victory on Friday when a federal appeals court in Washington reversed the decision of a district court and upheld regulations promulgated by the Federal Reserve Board to implement the dreaded Durbin Amendment.  The victory means that debit card issuing credit unions don’t have to spend this morning shopping around for additional payment networks.  It also means that you don’t have to worry about even lower debit interchange fees for larger institutions indirectly impacting your bottom line.

As many of you no doubt recall, the Durbin Amendment has two major components.  First, it calls on the Federal Reserve Board to limit debit interchange fees that could be collected by institutions with $10 billion or more in assets to an amount that is proportional to the cost incurred by the issuer with respect to a transaction.  It also prohibited limiting the number of payment card networks on which debit cards can be processed to one network.  The Federal Reserve interpreted these statutory mandates with regulations mandating that card issuers offer at least one PIN-network and one unaffiliated signature debit card network.  The Board also capped debit interchange fees for larger institutions at approximately $0.24 per transaction.

In a somewhat amusing twist of fate, many of our merchant friends ended up losing money as a result of the new regulations.  They went to court and in one of the most sarcastic decisions you are ever going to read, a federal district court in Washington concluded that the Federal Reserve misread the clear intention of the statute and ordered the Federal Reserve to go back to the drawing board and devise a debit card cap which included a narrower definition of transaction costs.  In addition, the judge ordered issuers to provide merchants with two networks for PIN-based debit transactions and two networks for signature-based debit transactions. 

I’ll spare you the gory details of the Appellate Court’s analysis, which hinged, among other things, on the difference between “which” and “that,” but the bottom line is that whereas the District Court saw the Durbin Amendment as a clearly drafted legislative mandate, the Appellate Court saw that it was a poorly drafted 11th hour amendment to Dodd-Frank.  As a result, the Fed was justified in interpreting the statute more liberally than the merchants would have liked.

NCUA Board Meeting

I didn’t get to blog as often as I normally do last week, but since we’re on the topic of Legislative interpretation, I want to make one comment about last week’s NCUA monthly board meeting.  At the meeting, the Board proposed joint regulations establishing a framework for the regulation of appraisal management companies.  This joint regulation is mandated by Dodd-Frank. 

Appraisal management companies are those that serve as intermediaries for appraisers and lenders.  Interestingly, while the NCUA issued the proposal, Chairman Matz complained that NCUA is “unable to enforce it,”  According to the Chairman, “NCUA remains the only financial services regulator lacking the necessary authority to examine vendors for safety and soundness in compliance with laws and regulations.” 

This is an important admission on the part of NCUA since many of us have been criticizing it for seeking to exercise oversight over third party vendors without jurisdiction.

American Hustle

As those of you with young children no doubt appreciate, with babysitters more costly than loan sharks and a night at the movies requiring a home equity loan, this is a key time of year for my wife and I as the Oscar nominees hit the pay-per-view circuit.  On Saturday night, we watched American Hustle and all I have to say is Twelve Years a Slave better be a pretty good movie because American Hustle is one of the best movies I’ve seen in years.  In fact, it is the best movie of its genre since The Sting starring Robert Redford and Paul Newman. 

On that note, have a pleasant day.

March 24, 2014 at 8:44 am Leave a comment

Just How Much Is Compliance Costing Your Credit Union?

A recent survey compiled by George Mason University provides the most detailed evidence I’ve seen of how much increased compliance responsibilities are imposing financial burdens on small lending institutions.  Although the survey just included banks with assets of $10 billion or less, the results are consistent with what we’ve all been hearing anecdotally about the impact Dodd-Frank is having on credit union budgets.

For example, in the aftermath of Dodd-Frank, most of these banks have:

  • hired an additional compliance person;
  • changed their mortgage lending offerings as a result of QM regulations in the case of 60% of respondents; and
  • experienced an increase in their annual compliance cost at a rate of at least 5% since 2010.

Another statistic that I found interesting was that 65% of the respondents feel that Dodd-Frank is now more burdensome to comply with than the dreaded Bank Secrecy Act.

What can we make of these survey results beyond the fact that it is a great time to be in compliance?  The researchers point out that increased compliance costs are an inevitable result of Dodd-Frank.  Even though the statute was intended to address practices of larger banks, small banks can’t spread out the cost of new compliance mandates over as many employees.  I know many of you did not go into the business to deal with compliance officers all day and you view the increased regulatory burden as a distraction from the core goals of your credit union.

Conversely, since I started working with compliance issues about seven years ago, I have always been of the opinion that some credit unions have underinvested in compliance.  To the extent that Dodd-Frank has forced those credit unions to devote more staff and time to compliance, this is not a bad thing..  the better your compliance staff the more efficient your operations will be and that will positively impact your bottom line.

March 19, 2014 at 8:44 am 2 comments

How Does The CFPB Figure Out Who’s Violating The Law, Anyway?

When it comes to the CFPB and the House Financial Services Committee, I have taken the Committee’s criticisms of the Bureau with two grains of salt: from an ideological perspective the Committee and the Bureau are cats and dogs in Washington. 

But, this morning the Bureau committed to openness is facing a justifiable heap of criticism for refusing to respond to a letter from the House Financial Services Committee asking it to explain how it determines which institutions are guilty of violating the Equal Credit Opportunity Act by engaging in indirect auto lending practices that have a disparate impact on minorities. Considering that this has been a point of emphasis since the Bureau released a Guidance on the issue and has subsequently brought enforcement actions against lenders for disparate impact violations, it seems more than reasonable that the Bureau should be willing and able to share this information.   It is more than a little troubling that it has not done so.

 Perhaps it is using the same public relations firm retained by the Malaysian government.

Why should credit union’s care?  Because every time your credit union makes a lending decision, it must comply with Regulation B and other similar laws.  From both a compliance and operational standpoint, the clearer disparate impact analysis is the better off all lenders are.  For example, if your credit union is  losing business to a car dealership down the street that always offers to beat your credit union’s financing terms, it makes perfect sense to have a policy in which you reserve the right to match or exceed that dealership’ s terms on a case-by-case basis.  Assuming that your credit union doesn’t engage in overt discrimination, the policy does not violate federal law. It is open to all persons who meet the credit union’s lending criteria.

However, let’s say a year into the policy you review your files and realize that African-Americans are less likely to get the benefit of the policy than are your white members.  The burden is still on your credit union to demonstrate why the statistical anomaly reflects reasons other than racial animus.  For example, the unfortunate reality may be that a disproportionate number of African-American members poorer credit than white members.

Which brings us back to the letter from Congressman Hensarling the response of which is forthcoming.  The Equal Credit Opportunity Act and other anti-discrimination statutes are crucial pieces of legislation and I am not for one minute questioning the need for federal legislation banning lending discrimination or the vigorous enforcement of those laws.  However, claims of discrimination should not be made lightly and lenders have the right to know the rules of the road. If the CFPB is hesitant to respond to the Congressman in part because disparate impact enforcement is as much an art as it is a science, then perhaps it’s time to have a mature public debate in this country about anti-discrimination laws and their limits.  


March 17, 2014 at 9:03 am Leave a comment

Older Posts

Authored By:

Henry Meier, Esq., Associate General Counsel, Credit Union Association of New York

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Join 311 other followers



Get every new post delivered to your Inbox.

Join 311 other followers