Posts filed under ‘General’
I’m here to tell you this morning that you will be breached and if you have been already, you will be again. Cybercriminals are chameleons and they have the money to quickly adjust to the latest techniques meant to stop them.
For example, remember when “dual authentication” of your customer accounts was all the rage in IT security circles? The FFIEC even came out with guidance mandating that depository institutions implement systems that demonstrate two forms of identification. It was originally updated in 2005 and updated again in 2012 to emphasize the need to “layer” your IT security.
To what do I owe my gloomy morning forecast? Two informative posts, one by the CU Times and the other by the Information Technology Website, underscored just how fast-moving the game of cyber security cat and mouse is, and unfortunately the bad guys win fairly often. Specifically, hackers have broken into 34 banks in Asia and Europe by bypassing a dual authentication system developed by Android and used for online banking. Check with your IT people to get the technical details, but the basic idea is that they used email requests to lure customers to a fake website. Marks opened the door to hackers by opening the email and going to the site through which the hackers could steal all the information they needed to get by the dual authentication system. What is astounding the experts is that the banks used SMS technology, which requires a customer to enter a new password every time they access an account. This is above and beyond what most U.S. credit unions and banks require.
So, is there anything you can do to mitigate the risk beyond making sure that you have a good computer person on speed dial? In looking at cases examining the liability of financial institutions for data breaches, here are some of the points I would keep in mind. Although many of them are most relevant to those of you who offer business accounts, NCUA regulations require all of you to identify and monitor the “red flags” of identity theft on an ongoing basis.
- Member and staff education is key. Your security is only as effective as your most careless employee or technologically “savvy” member.
- In assessing commercial reasonableness of online business accounts, which are regulated by Article 4A of the UCC, courts consider (1) security measures that the credit union and customer agree to implement, and (2) security measures that the credit union offers to the customer but the customer declines. Make sure this is in writing and, if possible, attached to the contract.
- You must respond to changing threats by offering new mitigation techniques. For example, remember that now that hackers can electronically impersonate an employee, dual control, and not dual authentication, is becoming the baseline standard. This way, hackers have to obtain the login information for two employees before transferring money.
- Here is the good news. Commercially reasonable and regulatory standards vary depending on the size and sophistication of your credit union. However, this means that the policies and procedures you adopt must be unique to your credit union based on its resources and risk profile. This is one area where cutting and pasting a colleague’s policies the day before the examiner comes calling won’t cut it in the long run.
- Similarly, the vendor contract really matters. Most of you will use vendors to implement your cyber banking. How much must the vendor indemnify you if its negligence causes a breach? Are both parties legally obligated to monitor developments in cybercrime and update protocols when appropriate? Are these changes integrated into your security procedures? These are all questions that, if asked, can help mitigate losses and maintain member confidence in your electronic banking.
Second Quarter GDP Growth Stronger Than Expected
A few minutes ago, news came out that second quarter GDP grew at a 4% rate, beating the expectations of economists. In addition, the Government is reporting that household spending increased by 2.5%.
There are some issues that are hanging over the industry like a sword of Damocles. This morning an article in the Wall Street Journal provides further evidence for those who feel that the CFPB should do more to regulate overdraft fees.
According to a survey conducted by the paper, hundreds of small, regional banks, and credit unions are “clinging to the practice” of processing checks on a high to low basis. The paper’s survey revealed that smaller depository institutions are continuing this practice even as larger institutions are backing away from it.
What exactly to do about overdraft fees has been debated for more than a decade now. In 2010, the Federal Reserve promulgated regulations requiring that members opt in to bank payment on debit card overdrafts. I was silly enough to think that this would put the issue to a close, but it hasn’t. For example, in a statement accompanying a 2013 report on overdraft processing, CFPB warned that if “policies and practices do not protect consumers in accordance with consumer protection law, it will use its authorities to provide such protection.”
The more I look at the issue, the more I feel that overdraft fees are the most misunderstood practices engaged in by depository institutions. Do they represent an important source of income for many banks and credit unions? Absolutely, but I bet if you asked your average consumer if they are willing to pay more to make sure that their mortgage or car payment doesn’t bounce, they’d agree. In other words, overdraft fees are a product that some consumers want and need.
I’ve been AWOL for a couple of days and based on the volume of work that regulators pumped out over the last week it’s obvious that many of our regulatory overlords intend on being AWOL for most of August. Here are a couple of regulatory proposals to review in preparation for Fall.
CFPB’s HMDA Proposal – Empowered by the Dodd-Frank Act, the Bureau that never sleeps is proposing revisions to the Home Mortgage Disclosure Act. It may not sound like a page turner, but for those credit unions that have to comply with it, properly reporting mortgage loan information can be one of the great compliance headaches. If the regulation goes forward as proposed, the types of mortgages subject to reporting requirements will be expanded to include “all mortgage loans secured by a dwelling, regardless of the purpose of the loan” including HELOCS and commercial loans secured by a home. Here is a link.
NYS moves to regulate Bitcoin – New York State’s Department of Financial Services is rushing ahead of federal and state regulators by proposing licensing requirements and a comprehensive regulatory framework for institutions that buy, sell, transfer or store virtual currencies. Here’s a link to NYS’s proposal.
I have a potpourri of newsworthy tidbits to start your credit union day.
Viva Las Vegas – I would have gladly wagered money yesterday that NCUA Chairwoman Debbie Matz could get nothing more than polite applause out of the attendees of NAFCU’s annual convention, but that was before I knew that the Chairwoman would be using her appearance to outline some regulatory relief proposals that NCUA plans to propose at its July meeting. According to the Chairwoman, NCUA will propose “effectively eliminating” the fixed asset rule. Currently, NCUA regulation caps at 5% of a credit union’s shares and retained earnings the amount that can be spent on fixed assets absent a waiver from NCUA. As CUNA pointed out in a comment letter last year advocating for scrapping the cap, “The rule restricts investments not only in real property, but also in technology and systems that are increasingly central to the success of all financial institutions. Overly restricting investments in these items—or subjecting the relevant decisions to a slow and unpredictable process — does not facilitate credit unions’ use of online and mobile banking technologies even though the utilization of such technologies is more important now than ever.”
Two other mandate relief proposals will deal with member business lending and updating appraisal provisions. The proposals aren’t out yet and the devil is in the details; but it’s nice to be able to compliment NCUA again. It wasn’t all that long ago that it was aggressively pushing mandate relief reforms such as the streamlining of low-income credit union designations. Maybe the Chairman should spend more time in Sin City.
Having “The Talk” – What’s the single most uncomfortable talk that parents have with their kids? It’s not about the Birds and the Bees, it’s about money. Great article in MarketWatch reporting that a recent survey indicates that “[p]arents in their 50s and 60s think they’ve done a bang-up job talking with their adult kids about their estate and retirement plans. Their kids think just the opposite. It’s the new Generation Gap. Specifically, nearly two-thirds of parents and adult kids (64%) disagree on the best time to start talking about things like wills, estate planning, eldercare and covering retirement expenses. Many credit unions do a great job providing financial education to their members and this might be one more area to highlight. Making sure everyone is on the same page when it comes to maximizing retirement assets can save a lot of heartache down the road and is a great way of stretching those retirement savings. Besides, like the World’s Most Interesting Man, you really can give your father The Talk.
Just where does all that settlement money go anyway? Billion dollar settlements with major banks are becoming about as commonplace as low scoring baseball games. (Maybe they really are laying off the steroids after all). This morning’s article from Reuters paints a not too flattering picture of how at least some of the money – which is ostensibly sought for mortgage and foreclosure relief – is actually being spent by state and federal officials. Reuters reports that since May alone there has been $18.5 billion in settlements – $5 billion of which goes to New York. It suggests that the guidelines on how this money is to be allocated are so broad that at least some people are concerned that there are perverse incentives to drive up the size of settlements. Personally, any incentive Government has to crack down on blatantly illegal activity is OK with me.
That’s the question posed by the New York Times in an article yesterday in which it seeks to sound the alarm: in a nutshell it argues that, just like the mortgage meltdown, major banks are loosening lending standards in an effort to ensure they have enough automobiles to meet Wall Street’s growing demand for securities comprised of auto loan pools. This is one of those times where I am glad that credit unions aren’t mentioned alongside the banks.
This is the type of article that gets regulators thinking that more needs to be done, so you may want to take a quick look to see how appropriate your underwriting standards are for auto lending. Here are some things to keep in mind.
The NCUA deserves credit for raising concerns about indirect auto lending long before it was trendy. The banks highlighted in the article are accused of hiding behind dealer practices when asked about questionable sales techniques and underwriting standards. But remember “the dealer made me do it” is no defense. This is particularly true for credit unions that have the added requirement of ensuring that any person taking out a car loan is a qualified member. As summarized succinctly in this indirect lending guidance from the NCUA from 2011:
Indirect lending standards should be consistent with the credit union’s direct (internal) loan underwriting standards. The standards should be reviewed at least annually or more often if risk levels increase or if negative trends begin to surface. Exceptions to the indirect loan policy should be infrequent. All exceptions should be approved by credit union personnel responsible for administering the indirect lending program and reported to the board of directors for their review.
One other quick point about the article. Not all securitization is bad. Financial institutions, and especially smaller ones, need a vibrant secondary market to sell off loans and make new ones to members. The Times is right to highlight the negative influence that demand for higher yielding securities may be having on auto lending standards, but I just hope that regulators don’t overreact and throw the baby out with the bath water.
I’ve done this blog long enough now that every so often I feel like Steve Martin in The Lonely Guy. When the new phone book is delivered, he runs down the street yelling: I’m in the book, I’m in the book. I was excited to find out this morning that the Annual Review of SAR Filings had been published by FinCEN. California and New York lead the way when it comes to depository institutions filing Suspicious Activity Reports.
On that note, have a nice day.
Those wacky kids at the CFPB are at it again. This time they want to go WikiLeaks with consumer complaints. They are proposing that the CFPB’s consumer complaint database be expanded to include consumer narratives of complaints consumers agree to publicize. The allegedly offending company would be given the option of responding with its own competing narrative. According to the CFPB, publishing narratives would “be impactful by making the complaint data personal (the powerful first person voice of the consumer talking about their experience), local (the ability for local stakeholders to highlight consumer experiences in their community), and empowering (by encouraging similarly situated consumers to speak up and be heard).” Let Freedom Ring!
Cut through the hyperbole and what you are left with is a debate about the value of empowerment of which I am proudly on the losing side. Amazon just celebrated its twentieth anniversary and, in addition to providing us books and consumer goods with great service at a lower price, it gave us the consumer narrative review. I have never used one of the narratives to buy anything of value. Given the choice I will look at Consumer Reports before I buy a TV or read a book review written by an expert when deciding what to read next. To me these are more reliable than someone so enamored or annoyed about a product or service that they actually took the time to sit down and write a review. The internet indeed can “empower” anyone to think they are an expert but that doesn’t make them one.
But I am a dinosaur. More and more people are as likely to get their news from Facebook as from the New York Times. The whole idea of an information hierarchy is viewed with suspicion. What is the big deal they say? After all if someone doesn’t find an internet review – or an association blog for that matter – credible then they can just ignore it. They can just ignore a complaint they find on the CFPB’s website.
The problem is that the mere fact the complaint is on a government database is going to be giving complaints much more credence than they deserve. I was against the CFPB granting public access to its credit card complaint database because I believe that the CFPB has an obligation to investigate complaints before throwing them out to the general public. Unsubstantiated allegations can do a lot more harm than good. A Government website isn’t a free market place of ideas. Unlike those reviews on Amazon it has the government’s imprimatur.
Not to worry says the CFPB; the accused company will always have the right to respond. But responding takes time and resources and the mere fact that a response is made to an allegation doesn’t mean that the damage is undone. For instance let’s say someone accuses XYZ credit union of discrimination after being denied a car loan. Publishing a response that the member was subject to the same race neutral criteria as everyone else won’t undo the seriousness of the allegation.
CFPB should pull the plug on this idea but it won’t. Here is a compromise: Let’s recognize that not all financial institutions have the time to respond to a consumer narrative or the resources it takes to marshal an effective PR campaign against serious but unsubstantiated allegations. Let’s establish a threshold for company size below which the narrative won’t be made public. It will still be sent to the CFPB which can investigate it; it will still be sent to the institution for a response and the consumer will still have all the legal rights and remedies he has today but smaller institutions won’t have to choose between letting an allegation fester or engaging in a public dispute with a disgruntled consumer at the same time they are trying to run a business. Here is a link to the proposal. Institutions have 30 days after publication to respond.
See you Monday
Governor Cuomo made it official yesterday: he held a bill signing ceremony to mark approval of legislation (A.6357-e) making New York the latest state in the nation legalizing the medical use of marijuana. Its use will be ramped up over the next 18 months as the state promulgates the necessary regulations.
Despite what I have seen in the blogosphere, it is not time to stock up on the munchies. Unlike states such as Washington and Colorado, which have legalized marijuana possession, and other states, such as California, that have legalized the “medical” use of marijuana, the legislation is drafted in a way that medical use of marijuana will be limited to people with designated illnesses and only available in forms prescribed by doctors.
The use of medical marijuana in New York will be highly regulated. According to the Governor’s memo, the law allows for five registered organizations that can each operate up to four dispensaries statewide. Registrations for organizations will be issued over the next 18 months unless DOH or the Superintendent of State Police certifies that the new program could not be implemented in accordance with public health and safety interests. Because it is so regulated, chances are your credit union won’t be asked to open up a business account for these organizations, and if it is, the organizations are so highly regulated that much of your due diligence will be easily obtainable. This means that, at least in the short term, legalization of the drug won’t present financial institutions with the legal question of how to comply with federal laws banning the possession and sale of marijuana and Bank Secrecy Act requirements mandating that credit unions and banks monitor their accounts for potentially illegal activity with state law declaring marijuana use to be legal.
This is not to say that your credit union won’t be impacted by this law. Under the legislation a certified caregiver or patient can’t be subject to any civil or disciplinary action by a business or licensing board solely because of their lawful use of marijuana. In addition, eligible users are classified as disabled under New York’s human rights law. At the very least, we now know that there are going to be employees legally entitled to be taking marijuana. So, if you have a policy of categorically prohibiting employee drug use, this is going to have to be modified.
Conversely, it doesn’t mean that an employee can come into work today and get stoned at lunch time. The state is going to have a registry of patients. The key is not to make changes tomorrow. If you heard the Governor speak yesterday, then you heard a person who is dead serious about making sure that this legislation truly is for medical purposes and not a backdoor means of legalizing pot smoking. The regulatory process will be a serious one and given the number of issues that need to be addressed, I’m sure the concerns of employers will be taken into account. In the meantime, it appears that New York financial institutions have avoided the legal quagmire that comes from a more unregulated approach.
There are some things that just make no sense to me. For example, why can’t a country of 270 million sports loving citizens, many of whom grew up playing soccer, find 23 people good enough to make us one of the best soccer teams in the world? I’m sorry, there’s only so much pride I can take in beating Ghana.
Another mystery of more practical concern is trying to figure out how great a risk resetting Home Equity Lines of Credit (HELOC) pose to financial institutions in particular and the economy as a whole. Since the start of the Great Recession, pundits have been predicting a second wave foreclosure crisis as the draw periods on HELOCS come to an end. With so many people still struggling and interest rates likely to rise, it seems logical to assume that problems are on the horizon. But, so far, the worst case scenarios haven’t materialized.
Nevertheless, if I was a regulator, I would be a little nervous, which is why I’m not surprised that a joint guidance was issued yesterday instructing financial institutions, including credit unions, to take steps to mitigate against the risks posed by HELOCS which are coming to the end of their draw periods. Among other things, examiners will generally be reviewing how cognizant your credit union is of its HELOC portfolio and the risks posed by pending repayment periods. The amount of scrutiny will vary depending on your credit union’s size, but examiners will be reviewing, among other things, if your credit union is:
- Developing a clear picture of scheduled end-of-draw period exposures;
- Ensuring a full understanding of end-of-draw contract provisions;
- Evaluating near-term risks;
- Contacting borrowers through outreach programs;
- Ensuring that refinancing, renewal, workout, and modification programs are consistent with regulatory guidance and expectations, including consumer protection laws and regulations;
- Establishing clear internal guidelines, criteria, and processes for end-of-draw actions and alternatives; and
- Documenting the link between ALLL methodologies and end-of-draw performance.
This is not a definitive list, but you get the idea.
Why are our regulatory overlords releasing this guidance now? For one thing, resets on HELOCS are expected to accelerate this year and peak between now and 2017, according to this article in National Mortgage News which warns that there is little the Government can do if the housing sector experiences a wave of second-lien induced foreclosures.
Then, of course, there is the fear that rising interest rates will squeeze consumers since most HELOC payments are tied to interest rates. Last, but not least, is the reality that people are again turning to HELOCS to tap equity in their homes. According to the WSJ, HELOCS are up 8% this year and “While that is still far below the peak of $113 billion during the third quarter of 2006, this year’s gains are the latest evidence that the tight credit conditions that have defined mortgage lending in recent years are starting to loosen. Some lenders are even reviving old loan products that haven’t been seen in years in an attempt to gain market share.” Oh, boy.
Is this yet more proof that consumers and many lenders didn’t learn a darn thing from the last seven years? You bet. Enjoy your Fourth. I will be back on Monday.
Buffalo, New York, has the most stable housing market in America. According to research conducted on behalf of Bloomberg.com, Buffalo is followed by Pittsburgh, Louisville, Nashville and Raleigh, NC.
Working with Zillow, Bloomberg analyzed housing prices since 1979 for the 50 largest housing markets using a five year rolling average to calculate changes in home prices. The result shows that you may not strike it rich buying that home in Buffalo, but you won’t lose your shirt either. The data shows that over the last 35 years, Buffalo homeowners had “virtually no chance” of losing money on their house. In contrast, the same can’t be said for Hartford, Connecticut at the bottom of the list.
Some of those areas on the least stable list are awfully nice places to live so what’s the difference? One agent pointed out that your typical Buffalo buyer is planning to stay in the area for the long-term. Buffalo isn’t where you go to invest in a second home or flip houses.
By the way, in commenting to NCUA many NY credit unions argued that NCUA’s proposed risk weightings for mortgage concentrations were too severe because they didn’t take into account a credit union’s track record in making well performing mortgages. This research provides one more piece of evidence that not all mortgage loans are equal. Hopefully, NCUA will take that into account in finalizing its RBC framework.
Court Says Localities Can Block Hydro-fracking
Remember when high powered hydro-fracking was a big issue, with New York’s Department of Environmental Conservation analyzing the potential impact of its widespread use in the Southern Tier? There hasn’t been much movement on the issue since the Department of Health was tasked with analyzing its health effects in 2012 and has yet to reach its conclusions. In the meantime, a statewide moratorium on the process remains in effect.
But yesterday, the NY Court of Appeals — our highest Court — ruled that localities could use local zoning laws to block hydro-fracking even if the state authorizes it.
This may be another setback for drillers or it might actually allow the state to lift the moratorium because only towns that want the drilling are going to get it. Remember, the issue is important to credit unions that should ensure their interest in mortgaged property is adequately protected in the event that a member wants to lease out their property for oil drilling.
The OCC released its semiannual review of the risks facing the banking industry and even though it doesn’t apply to credit unions it provides an excellent synopsis of the trends within the financial industry and the perceived threats highlighted by examiners. This is by no means a definitive list; I’m simply highlighting a few of the issues that might be most relevant to your credit union.
- Cyber security continues to be on everyone’s mind. The reality is that everyone knows what hackers can do and we are waiting to see just how much more destructive and creative they can get at stealing people’s money. This is no longer just a problem for the largest big name financial institutions. As the OCC explains: “Business lines and functional areas within banks must perform thorough risk and control self-assessments, analyze operational events, and identify, assess, monitor, and mitigate emerging risks. Risk management is balancing resource constraints, retention of key talent, and overall capability to monitor the breadth of change.” Translating: ongoing implementation of your BSA risk assessments is more important today than ever before. In addition, if your vendor contracts don’t appropriately apportion responsibility for monitoring risk, they need to be amended.
- Banks are already feeling the pressure to reduce underwriting standards not only for their mortgage loans but for car loans as well. Why is this so intriguing to me? Because, contrary to popular belief, nothing in Dodd-Frank or the CFPB’s regulations prevents financial institutions from making exactly the type of mortgage loans that got us into this mess in the first place. Instead, the regulations are designed to incentivize better underwriting standards both by increasing penalties such as foreclosure defenses and monetary damages and providing incentives such as “safe harbors.” Credit unions can benefit from banker uncertainty if they are willing to make the same loans that they have in the past, particularly if they had the ability to hold on to more of their mortgages. It also means that credit unions, like banks, have to have clearly delineated underwriting standards, as well as an understanding of when it is appropriate to make exceptions to the standards. As for car loans, could financial institutions be pushing out loan terms so far that we could experience a car loan bubble?
- Not surprisingly interest-rate risk remains a primary concern of the OCC, as it is with the NCUA. Yes, someday the sky will fall. As a result, the OCC is concerned by “increased exposure to interest rate risk (IRR) at some banks related to concentrations of agency-issued mortgage-backed securities (MBS) and unsupported non-maturity deposit assumptions.” It’s the last part of that statement that intrigues me the most. Let’s face it, credit unions aren’t seeing record membership growth just because people are annoyed with banks or because credit unions provide great service. There aren’t many places to safely put your money these days and get a decent return. Like corporations, consumers are hoarding their cash. While we can all disagree about how far and how quickly interest rates will rise, two questions your credit union should be asking are: how much and how quickly could your credit union stand to lose its core deposits? And, what steps is your credit union taking to convert short-term depositors into longer-term contributors to the credit union?
Of course, the issue of core deposits would not be quite so important to credit unions if they could all have access to secondary capital. But that’s a blog for another day.
Incidentally, everyone should be allowed to take an early lunch today and root for a tie against Germany. A tie gets the United States into the single elimination knockout round. Why am I rooting for a tie? Because I’m a realist. All Germany has to do is tie to guarantee a spot in the next round. Sure, a win would be nice but the U.S. beating the Germans in soccer is about as likely as Munich cancelling Oktoberfest.
NCUA has proposed important changes to its Chartering and Field of Membership Manual regarding how and if an Association qualifies for inclusion in a credit union’s field of membership. I know many of you have put in yeoman’s work responding to NCUA’s risk-based capital proposal and find the idea of taking a look at this proposed regulation about as tantalizing as a follow-up visit to the dentist to get a cavity filled, but there are some important issues at stake and more of you may want to comment before the June 30 deadline.
NCUA is concerned that some credit unions are forming associations for the primary purpose of gaining access to new members. In its own words, “As a threshold matter, when reviewing an application to include an association in an FCU’s FOM, NCUA will determine if the association has been formed primarily for the purpose of expanding credit union membership. If NCUA makes such a determination, then the analysis ends and the association is denied inclusion in the FCU’s FOM. If NCUA determines that the association was formed to serve another separate function as an organization, then NCUA will apply the totality of the circumstances test to determine if the association satisfies the associational common bond requirements.”
There are two basic problems with this approach. First, while NCUA has a list of criteria – which it is adding to under this proposal – to determine if a credit union meets the associational common bond requirements, the regulation provides precious little suggested criteria about how NCUA will determine if a perfectly valid association was actually formed for the purpose of increasing membership. This is another example of NCUA seeking to give itself the authority to substitute examiner judgment for the plain language of the regulation on a case-by-case basis. Second, so long as an association is a valid, legal entity separate and distinct from a credit union, the motivations of a credit union in helping to form it are irrelevant. If a credit union forms an association to Save the Amazon Rainforest, provide aid to service members, or to lobby for a moratorium on any new reality TV shows – I am a charter member of this one – so long as these associations actively further these goals by holding meetings and sponsoring events, communities are benefitting.
Right now the tireless gadfly and blog devotee Keith Leggett is one of only six people to have commented on this proposal. Even if you disagree with me, please take a look at this proposal and consider dropping NCUA a line or two if, like me, you think it is going to have important consequences for the industry.
Credit Unions Hit Hard by Target Breach
The Target Breach provided fresh evidence for why Congress and State Legislatures have to re-examine the way liability is allocated between merchants and card issuers for data breaches. Despite the fact that card issuing credit unions and banks in no way contributed to causing the Target Breach, financial institutions, particularly smaller ones, were hit hard financially by the theft, according to a report released by PULSE yesterday. The report also indicates that more and more Americans are using plastic to transact business, meaning that if you haven’t already seen a decline in your debit card income, you will probably start seeing it soon.
On that happy note, enjoy your day.