Posts filed under ‘General’

Are CFPB’s Performance Reviews “Acceptable?”

Yesterday, the CFPB, which prides itself on being a statistics-driven, cutting edge agency of the 21st Century, announced a new rating system for its employees which deemphasizes statistics.  For several months now, the CFPB has been dogged by increasingly strident accusations that its managers engaged in discriminatory practices.  These accusations were bolstered by an internal report highlighted in yesterday’s CU Times showing statistical disparities based on race in the performance review process.  For example, 20.3 percent of white employees received the highest rating (a 5 on a 1-5 scale), while only 10.5% of African-American employees received this rating.  The CFPB is responding to this “proof” of racial disparity by implementing a pass-fail system of employee evaluations, doing away with those troublesome numbers.  Instead, employees will retroactively be classified as either solid performers or unacceptable ones. 

CFPB’s retreat speaks volumes about statistics and their limits.  Disparate impact analysis, where regulators and litigators argue that a facially neutral lending policy can be proven to discriminate against individuals based on statistical analysis, is predicated on the assumption that statistics don’t lie.  Advocates of this approach argue that at some point statistical disparities demonstrate that even facially neutral policies reflect discriminatory undertones and/or practices. 

On the other end of the spectrum, on which I would place myself, are those who take a jaundiced view of disparate impact analysis.  Statistics only tell a fraction of the story.  For instance, the CFPB’s statistical chart can’t tell you about how often an employee had to be pushed to get his work done.  Similarly, statistics alone can’t capture the full extent of negotiations that went on between a mortgage originator and a consumer who happened to be African-American.  Nevertheless, the explosion of data makes it more, not less, likely that statistics will be used to judge the effectiveness of anti-discrimination laws.  This is why I find the CFPB’s response so telling.  Rather than defend its evaluations, it implicitly assumes that its managers must be racially biased.  Remember, these are the same people who will ultimately be reviewing lending trends and using increased HMDA data to spot discrimination.   

The pre-eminence of disparate impact analysis is going to have real life consequences.  For instance, the reality is that as lenders heighten their underwriting standards to make sure that they can document why a borrower can repay a mortgage loan or decide to only make so-called qualified mortgages, these decisions will have a disproportionately negative impact on minority groups that, in the aggregate, have less income. 

What will be the response of legislators and regulators?  Will they look at these statistics and realize that they reflect deep-seated, complex problems that simply can’t be assumed to only reflect racial animus?  Or will they do what the CFPB has done and simply water down evaluation standards so that the difficult issues raised can be “solved” instead of addressed?

August 28, 2014 at 8:43 am

No Silver Bullet For Data Protection

On Friday, the Department of Homeland Security issued an advisory urging organizations, “regardless of size,” to “proactively check” for possible infection of their point of sale technology by a data theft virus which steals debit and credit card information as purchases are being made. The catch is that the computer virus that Homeland Security wants merchants to look for has been compromising purchases since at least October 2013 with the result that an estimated 1,000 businesses have been compromised. Brace for phone calls from concerned members and the expense of replacing cards…again!

The latest developments in the data theft wars mean that Target was just the canary in the coal mine and de facto scapegoat for failing to recognize that its point of sale equipment had been compromised during the holiday rush. Now, let’s hope that policy makers and industry leaders don’t make the mistake of thinking that a single technology can prevent systemic breaches from happening again. But I have my doubts.

A lot of analysts were quoted over the weekend as hoping that the latest disclosures will be the straw that breaks the camel’s back and force merchants of all sizes to convert to payment processors that accept so-called EMV or chip technology. The basic idea is that chip enabled cards combined with PIN verification provide dynamic protection of payment information.  In contrast, that stripe on the back of the credit and debit card contains static information and firewalls. Once it is breached, it can be used over and over again by anyone with the ability to replicate the magnetic stripe.
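The static-versus-dynamic distinction above, as an added toy model that is not part of the original post: an issuer that checks only copied stripe data accepts the same bytes every time, while an issuer that verifies a per-transaction cryptogram tied to a monotonically increasing transaction counter rejects a replayed or altered message. HMAC-SHA256 stands in for the card's real cryptogram algorithm, and every key and card value here is constructed.

```python
"""Toy model: static stripe data is replayable, a per-transaction
cryptogram over a counter is not. Added illustration, not real EMV code;
HMAC-SHA256 is a stand-in for the card's cryptogram and all values are
constructed."""
import hmac
import hashlib

CARD_KEY = b"constructed-issuer-card-key"    # secret shared by chip and issuer
STATIC_TRACK = b"4111111111111111=2512101"   # constructed track-2-style data


class MagstripeIssuer:
    """Accepts any purchase whose track data matches the card on file.
    Nothing in the data changes between purchases, so a copy works forever."""
    def __init__(self, track):
        self.track = track

    def authorize(self, presented_track, amount):
        return presented_track == self.track


def make_cryptogram(key, atc, amount):
    """Card-side MAC over the transaction counter (ATC) and the amount."""
    msg = f"{atc}:{amount}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


class EmvCard:
    """Increments its counter and signs each transaction afresh."""
    def __init__(self, key):
        self.key = key
        self.atc = 0

    def transact(self, amount):
        self.atc += 1
        return (self.atc, amount, make_cryptogram(self.key, self.atc, amount))


class EmvIssuer:
    """Verifies the cryptogram and insists the counter moves strictly forward."""
    def __init__(self, key):
        self.key = key
        self.last_atc = 0

    def authorize(self, atc, amount, cryptogram):
        if atc <= self.last_atc:
            return False            # replayed message or rolled-back counter
        expected = make_cryptogram(self.key, atc, amount)
        if not hmac.compare_digest(expected, cryptogram):
            return False            # forged or tampered message
        self.last_atc = atc
        return True


def replay_outcomes():
    """Returns (stripe_copy_accepted, chip_replay_or_forgery_accepted,
    chip_fresh_transaction_accepted)."""
    stripe = MagstripeIssuer(STATIC_TRACK)
    legit = stripe.authorize(STATIC_TRACK, 1999)
    copied = stripe.authorize(STATIC_TRACK, 4999)       # same bytes, reused later

    card, issuer = EmvCard(CARD_KEY), EmvIssuer(CARD_KEY)
    first = card.transact(1999)
    assert issuer.authorize(*first)                     # genuine purchase
    replay = issuer.authorize(*first)                   # captured message resent
    forged = issuer.authorize(first[0] + 1, 4999, first[2])  # counter bumped, MAC reused
    fresh = issuer.authorize(*card.transact(4999))      # next genuine purchase
    return legit and copied, replay or forged, fresh
```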

A typical quote I read over the weekend was this one in the Times: “The weakness is the magnetic stripe,” said Avivah Litan, a security analyst for Gartner Research. “I can buy a mag stripe reader on eBay and easily read all the data from your credit card. It’s an antiquated technology from the ’60s.”

To be sure, EMV technology is long overdue but it is no panacea, in part because it has already been around so long. Magnetic cards have been around since the ’60s, but chip technology has been around since the ’90s. Two decades is like a million dog years when it comes to technology. And the cracks in the wall are beginning to show. As this post on the excellent FICO blog demonstrates, cyber theft is creeping back up in Europe again after dramatically declining with the introduction of EMV technology.

In addition, card theft is just one component of cybercrime. As retail migrates to cyberspace, passwords are becoming as good as gold as I pointed out in this blog about a huge criminal operation intent on stealing as many passwords as possible.

My point is that there is no silver bullet technology. EMV technology makes sense but if it comes at the expense of another generation of merchant inaction, it’s not a price worth paying. At the risk of being redundant to my faithful readers, we need a true national commitment to fighting cybercrime, both in terms of increased government spending on a robust security infrastructure and laws that make merchants responsible for using reasonable care to prevent and deter data breaches. This standard will force merchants to change security protocols as the technology does or face the consequences.

August 25, 2014 at 8:56 am

Separating Fact From Fiction On Auto Loans

I had a longer commute than usual into work today (if I wanted to spend an hour and a half in the car on a Monday morning I would live in Long Island and not in suburban Albany, thank you), but it helped me decide what I should do my blog on this morning.  Actually, the latest commercial from upstate’s ubiquitous car dealer bragging about how he once got credit for a dead person clinched it for me. 

As I pointed out in a previous blog, there has been increasing concern that subprime auto lending is the next mortgage crisis in waiting.  The argument goes that with larger banks increasingly securitizing auto loans, dealerships and the banks, credit unions and finance companies they work with have a huge incentive to qualify even the most irresponsible borrowers. 

Is the perception reality?  An analysis performed by the Federal Reserve Bank of New York answers the question with a qualified yes.  Looking at data from the Fed’s Quarterly Report on Household Debt and Credit, researchers point out that there has actually been a smaller percentage of auto loans being originated for borrowers with credit scores below 620.  Currently, these borrowers represent 23% of all originated car loans, which is actually lower than the 25% to 30% witnessed in the years prior to 2007.  So, is the conventional wisdom wrong?  Not really.  According to the researchers “the dollar value of originations to people with credit scores below 660 has roughly doubled since 2009.”  What’s more, this gain in origination value reflects an increase in the average size of loans being made to these borrowers.  In other words, larger loans are being made to people with bad credit and financial institutions are more than willing to spread out the length of repayments.

However, it’s important to differentiate between banks and credit unions — which the analysis groups together — and auto finance companies.  Since the recession “ended” in 2009, finance companies have been the ones most aggressively catering to subprime borrowers while banks and credit unions have been lending to these borrowers at rates lower than historical trends.  Interestingly, the report indicates that the auto loan 30-day delinquency rate for banks and credit unions has been about 1% in recent years, but about 2.5% for finance companies.  Two takeaways from this report: one, it underscores the fact that Dodd-Frank missed the mark when it tied the hands of the CFPB to regulate car buying activity to the same extent it can regulate other consumer lending; two, it serves as a warning that examiners should not let media reports about a new subprime lending bubble drive them into placing more scrutiny on credit union car lending than is actually justified by the numbers. 

August 18, 2014 at 8:53 am

When It Comes To Enforcement, NYS Is The New Sheriff In Town

In his first State of the State address, Governor Cuomo criticized lax state oversight of the banking industry as one of the reasons for the recklessness that led to the Mortgage Meltdown. He proposed to combine the State’s Insurance and Banking Departments into a Department of Financial Services and put one of his top aides, a former federal prosecutor, in charge of running the new department.  I would argue that there has been no area of public policy where the Governor has been better able to translate his vision into reality. A look at this morning’s news provides further proof for my case.

Yesterday, CFPB director Richard Cordray unveiled a consumer warning about virtual currencies. The CFPB isn’t telling people not to use bitcoins and other types of virtual currencies but … “Virtual currencies are not backed by any government or central bank, and at this point consumers are stepping into the Wild West when they engage in the market.” Oh boy, sign me up!

What’s the New York tie-in? In a blog last week, I mentioned how New York’s DFS unveiled bitcoin regulations making it the first regulator in the country to propose a framework for the licensing of bitcoin activity. As summarized by this morning’s BankingLaw 360:

With the Consumer Financial Protection Bureau accepting complaints on bitcoin businesses and intimating that new rules for virtual currencies may be on the way, companies should expect increased federal scrutiny that will complement and strengthen regulations being developed in New York State. . .

Another payday lending crackdown: Manhattan DA Cyrus Vance became the latest NY law enforcement official to crack down on payday lending. I haven’t seen a copy of the indictment, but media reports indicate that a Tennessee businessman is accused of establishing a network of companies with the ultimate goal of charging interest on loans in excess of the 25% cap set by the state’s usury laws. Both the AG and the DFS have already taken action against payday lenders, most notably companies associated with Indian tribes, which they accuse of violating New York law.

BSA violations and foreign banks. If you look at the track record of BSA enforcement it seems clear that when it comes to the largest banks, the acronym is one letter too long. For years, behemoth banks have been able to ignore the BSA. In those rare instances where they got caught, they paid a fine large enough to get headlines without anything to prevent them from violating it again.

The DFS is changing this cycle by inserting itself into BSA investigations and threatening banks with the loss of their authority to conduct business in New York. The latest example that this aggressive approach is paying dividends comes from this article, which reports that the British bank Standard Chartered, which has already paid $670 million to state and federal regulators, is reviewing millions of transactions to ensure it is not violating Bank Secrecy Act regulations yet again. A monitor installed by the DFS as part of the earlier settlement has apparently raised some red flags about some of the bank’s compliance practices.

As a result of the latest problem, Standard Chartered is once again under scrutiny from the DFS, the bank disclosed when announcing its earnings last week. A penalty of more than $100 million and an extension of the monitorship is possible beyond its anticipated end in early 2015.

>>>>>>>>>>>>>>>>>>

The news that Robin Williams, my favorite comedian, committed suicide yesterday got me thinking about some of the funniest appearances I ever saw on TV.  Williams often teamed up with Jonathan Winters on either Johnny Carson’s or David Letterman’s late night shows.  Here’s a sample from YouTube of one such appearance.

August 12, 2014 at 9:01 am

What Credit Unions Can Learn From Rory McIlroy

For those of you who think that golf is about as exciting as going to knitting class with your grandmother, you obviously didn’t watch the final round of the PGA Championship in Valhalla, Kentucky yesterday.  In a scene worthy of Bill Murray in Caddyshack, the tournament wasn’t decided until 25-year-old Rory McIlroy from Northern Ireland two-putted against the backdrop of a wrath-of-God sky that made seeing the ball impossible.  In fact, the announcers all suggested that the smart play was for McIlroy to finish the game this morning.  But when you’re 25, two-putting in the dark to beat out a generational icon by the name of Phil Mickelson is no big deal.

So what does this have to do with credit unions?  Plenty.  As anyone who reads this blog knows, I’m in the change or die school when it comes to the future of the credit union movement.  Technology and demographics are fundamentally changing the way financial services are provided and the way consumers approach financial institutions, including credit unions.  You can take false comfort in the fact that credit unions now have approximately 100 million members, that your relatively old membership base isn’t clamoring for the newest technology and that succession planning isn’t all that important since it’s all but impossible to attract volunteers to serve on credit union boards anyway.

The problem with this thinking is that by the time your credit union realizes how misguided it is, it will be too late.  The example I keep thinking about is Kodak.  It can be forgiven for not recognizing that the smart phone was going to put it out of business, but ten years from now those credit unions that don’t recognize that Apple and Amazon are going to change the way financial services are provided will be guilty of a fundamental lack of foresight.

Which brings us back to Rory.  With his fourth major and more to come, Rory is already one of the all-time greats of the game, worthy of being mentioned with Jack Nicklaus and Tiger Woods.  But remember, this past April his golf game was so bad that he was actually beaten in one round at the Masters by an amateur whose job it was to round out the field.  In fact, it looked as if a generational shift away from Tiger and Phil might not come after all.  This morning, such speculation is foolish. 

I hope that your credit union is changing to meet changing times before it is too late.

Incidentally, here is a great article from the Harvard Business Review about the impact that the pace of change is having on corporate decision making.

FDIC Provides NYS Snapshot 

On Friday, the FDIC released a state-by-state snapshot of banking activity.  The report provides a useful baseline for comparison for credit unions in the tri-state area.

August 11, 2014 at 8:08 am

The Virtual Spy Next Door

Keeping in mind that you have an obligation to monitor potential red flags of identity theft and mitigate evolving risks, here is some news worth reaching out to your IT vendor about. The NY Times reported earlier this week that “A Russian crime ring has amassed the largest known collection of stolen Internet credentials, including 1.2 billion user name and password combinations and more than 500 million email addresses. . .” What’s more, according to the security firm that uncovered the scheme, since the goal of the hackers was to steal password credentials, as opposed to stealing from the compromised companies, the hackers were targeting businesses of all shapes and sizes. Given the scope of the operation, you can bet a credit union or two or three is among the institutions that are being informed their websites have been compromised. As usual, an excellent source of additional information is this post from Krebs on Security.

First, on a purely practical note, this news showed me why it’s so dumb to use the same password for everything. The only reason this treasure trove of lifted passwords is valuable is because they can be used to access multiple online accounts and services.

The more I think about this news the angrier I am at our government. It may be ideologically edifying for some of our elected representatives to stand in the way of any government action, but there are some things that only the government can do. Cybersecurity should be a top national priority right now. In fact, Preet Bharara has correctly argued that cyber-attacks are this century’s Pearl Harbor. But our government is unable and/or unwilling to pass meaningful legislation and make the investment necessary to have a truly robust defense against cyber-attacks.

What we are left with is a bunch of well-meaning but ultimately impotent attempts by regulators to do their part to help protect consumers.  For example, earlier this year the FFIEC highlighted the need for smaller institutions to guard against cyber-attacks. As part of this effort, it’s conducting pilot cyber assessments and has held a webinar geared towards community banks and credit unions. I just reviewed the slides and they have some good advice, such as suggesting depository institutions ask themselves:

How is my organization identifying and monitoring cyber-threats and attacks both to my institution and to the sector as a whole? How is this information used to inform my risk assessment process?

Such well-meaning advice is tantamount to reminding kids not to play with guns in the middle of a war zone. Without a concerted national commitment, all but the largest businesses in America will find it increasingly impossible to offer cost effective cyber services. You are all being subject to a virtual shakedown and the only institution with the resources to effectively do anything about it is the federal government. Unfortunately, this is the same government that can’t pass meaningful cyber reforms such as imposing risk assessment obligations on merchants.

In the meantime, the nation is furious that the Government isn’t doing more to stop kids who are rushing to the nation’s borders for a better life. Why isn’t it furious that foreign criminals are making billions by ripping off businesses and consumers?

On that note, have a nice day.


August 7, 2014 at 8:52 am

5 Steps to Minimize Your Cyber-liability

I’m here to tell you this morning that you will be breached and if you have been already, you will be again.  Cybercriminals are chameleons and they have the money to quickly adjust to the latest techniques meant to stop them.

For example, remember when “dual authentication” of your customer accounts was all the rage in IT security circles? The FFIEC even came out with a guidance mandating that depository institutions implement systems that demonstrate two forms of identification. It was originally issued in 2005 and updated again in 2012 to emphasize the need to “layer” your IT security.

To what do I owe my gloomy morning forecast?  Two informative posts, one by the CU Times and the other by the Information Technology Website, underscored just how fast moving the game of cyber security cat and mouse is, and unfortunately the bad guys win fairly often. Specifically, hackers have broken into 34 banks in Asia and Europe by bypassing a dual authentication system developed by Android and used for online banking. Check with your IT people to get the technical details, but the basic idea is that they used email requests to lure customers to a fake website. Marks opened the door to hackers by opening the email and going to the site, through which the hackers could steal all the information they needed to get by the dual authentication system. What is astounding the experts is that the banks used SMS technology, which requires a customer to enter a new password every time they access an account. This is above and beyond what most U.S. credit unions and banks require.

So, is there anything you can do to mitigate the risk beyond making sure that you have a good computer person on speed dial?  In looking at cases examining the liability of financial institutions for data breaches, here are some of the points I would keep in mind. Although many of them are most relevant to those of you who offer business accounts, NCUA regulations require all of you to identify and monitor the “red flags” of identity theft on an ongoing basis.

  • Member and staff education is key. Your security is only as effective as your most careless employee or technologically “savvy” member.
  • In assessing commercial reasonableness of online business accounts, which are regulated by Article 4A of the UCC, courts consider (1) security measures that the credit union and customer agree to implement, and (2) security measures that the credit union offers to the customer but the customer declines. Make sure this is in writing and, if possible, attached to the contract.
  • You must respond to changing threats by offering new mitigation techniques. For example, now that hackers can electronically impersonate an employee, dual control rather than dual authentication is becoming the baseline standard. This way, hackers have to obtain the login information for two employees before transferring money.
  • Here is the good news. Commercially reasonable and regulatory standards vary depending on the size and sophistication of your credit union. However, this means that the policies and procedures you adopt must be unique to your credit union based on its resources and risk profile. This is one area where cutting and pasting a colleague’s policies the day before the examiner comes calling won’t cut it in the long run.
  • Similarly, the vendor contract really matters. Most of you will use vendors to implement your cyber banking. How much must the vendor indemnify you if its negligence causes a breach? Are both parties legally obligated to monitor developments in cybercrime and update protocols when appropriate? Are these changes integrated into your security procedures? These are all questions that, if asked, can help mitigate losses and maintain member confidence in your electronic banking.
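The dual control point above (a transfer is released only after two distinct authorized employees approve it), as an added example that is not part of the original post or any vendor's product: one hijacked login cannot approve twice, an unauthorized user is refused, and every decision lands in an audit trail. The approver names, threshold and transfer values are constructed.

```python
"""Dual control for outbound transfers: two distinct authorized approvers
are required above a threshold, and a second approval from the same login
is refused. Added illustration; names, threshold and amounts are constructed."""
from dataclasses import dataclass, field


@dataclass
class Transfer:
    transfer_id: str
    amount: int
    approvals: set = field(default_factory=set)
    released: bool = False


class DualControlQueue:
    def __init__(self, approvers, threshold):
        self.approvers = set(approvers)   # staff permitted to approve transfers
        self.threshold = threshold        # amount at or above which two approvals are needed
        self.audit = []                   # (transfer_id, user, decision) records

    def required_approvals(self, transfer):
        return 2 if transfer.amount >= self.threshold else 1

    def approve(self, transfer, user):
        """Record one approval; return True only when the transfer is released."""
        if transfer.released:
            self.audit.append((transfer.transfer_id, user, "already released"))
            return False
        if user not in self.approvers:
            self.audit.append((transfer.transfer_id, user, "not an approver"))
            return False
        if user in transfer.approvals:
            # a phished or hijacked credential cannot count as both approvers
            self.audit.append((transfer.transfer_id, user, "duplicate approval refused"))
            return False
        transfer.approvals.add(user)
        if len(transfer.approvals) >= self.required_approvals(transfer):
            transfer.released = True
            self.audit.append((transfer.transfer_id, user, "released"))
        else:
            self.audit.append((transfer.transfer_id, user, "pending second approval"))
        return transfer.released


def single_compromised_login_outcome():
    """One stolen login tries to push a large wire through alone."""
    q = DualControlQueue(approvers={"alice", "bob"}, threshold=10_000)
    t = Transfer("wire-001", 25_000)
    first = q.approve(t, "alice")
    second = q.approve(t, "alice")          # same credential again
    outsider = q.approve(t, "mallory")      # not on the approver list
    return first, second, outsider, t.released


def two_approvers_outcome():
    """Two distinct approvers release the same large wire."""
    q = DualControlQueue(approvers={"alice", "bob"}, threshold=10_000)
    t = Transfer("wire-002", 25_000)
    q.approve(t, "alice")
    released = q.approve(t, "bob")
    return released, q.audit[-1][2]


def small_transfer_outcome():
    """Below the threshold a single approval is enough."""
    q = DualControlQueue(approvers={"alice", "bob"}, threshold=10_000)
    return q.approve(Transfer("ach-003", 2_500), "bob")
```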

Second Quarter GDP Growth Stronger Than Expected

A few minutes ago, news came out that second quarter GDP growth grew at a 4% rate, beating the expectations of economists.  In addition, the Government is reporting that household spending increased by 2.5%.


July 30, 2014 at 9:21 am



Authored By:

Henry Meier, Esq., Associate General Counsel, Credit Union Association of New York
