Posts filed under ‘Legal Watch’
President Obama’s decision to grant resident status to more than 4 million undocumented aliens may well have a direct impact on your credit union’s operations and procedures. Specifically, you may want to take a look at your credit union’s BSA customer identification policies and procedures.
The ability of credit unions and banks to open accounts for undocumented aliens is one of the few compliance issues that gets the non-compliance geek fired up. Read this 2007 article from the Wall Street Journal and you’ll see what I mean. Under existing customer identification program requirements, credit unions must have policies and procedures in place to verify a customer’s identity. As explained in a FinCEN guidance, the CIP regulations do not provide a definitive list of the type of documents that banks and credit unions must use to verify the identity of an account holder. Instead, the ultimate requirement is that whatever forms of identification your credit union uses enables it to “form a reasonable belief that it knows the true identity of the customer.” The regulation provides that for a non-U.S Citizen an acceptable form of identification could include a government issued document evidencing nationality or residence so long as it has a photograph. See 31 CFR 1020.220. This flexibility in the regulation is what makes it acceptable for some financial institutions to accept consular identification cards while others do not. My guess is that with the President’s Executive Order you will see many states pass laws requiring financial institutions to accept specific types of identification.
The second stumbling block to opening accounts for undocumented persons involves tax-payer identification numbers. The regulations are unequivocal in requiring that persons opening accounts must either have or be applying for a tax-payer identification number. 31 CFR 1020.220. Since many undocumented aliens work off the books, this has been one of the biggest challenges to opening an account. The President’s Executive Order will allow qualifying individuals to legally have jobs and start paying taxes. I would hope that FinCEN will provide guidance to financial institutions explaining the type of documentation that may be available to individuals eligible for legal protections under the President’s Executive Action.
Whether or not you agree with the President’s Executive Action it is not the role of your credit union to get involved with the immigration debate. If you disagree with what the President did last night, write your Congressman, but don’t make it more difficult than it has to be for a person to go into a credit union and open an account. As for the argument that doing so is aiding lawbreakers, let’s make a common sense distinction between individuals who come into the country to earn a living and individuals who earn a living by breaking the law.
Good morning, if this headline got your attention, get your mind out of the gutter. Think in bankruptcy parlance. A “strip off” occurs when a court cancels a lien that is wholly unsecured.
On Monday, the Supreme Court decided to hear an important case to answer this question: can a court overseeing a Chapter 7 Bankruptcy cancel a junior lien on a residential mortgage where the value of the property is so low that there is no equity with which to pay back the subordinate lien holder? The Supreme Court decided to consolidate two cases from the 11th Circuit (Bank of America v. Caulkett and Bank of America v. Toledo-Cardona). Both cases deal with residential mortgages that tumbled in value once the Great Recession hit. The homes tumbled so much in value, in fact, that there wasn’t enough money in either house to pay back the holder of the principle mortgage, let alone the holders of home equity lines of credit taken out on the properties.
Most courts that have addressed this issue in other jurisdictions have concluded that a subordinate lien survives bankruptcy regardless of the amount of equity left in the residential property. In New York, for example, the leading case is Wachovia Mortgage v. Smoot, 478 B.R. 555 (E.D. NY 2012). The court provided an excellent explanation of why subordinate liens survive Chapter 7 Bankruptcy. In addition, at least three other circuit courts have reached the same conclusion.
In contrast, the 11th Circuit, which includes Florida, has reached the opposite conclusion. In the consolidated cases to be decided by the Supreme Court, the Florida homeowners were successful in getting their subordinate liens cancelled. Why does this matter? In depressed housing markets, it may not make much of a difference, but in states like New York, where it may take several years to foreclose on a property, a homeowner could see a sharp rise in their property values between the time when they declare bankruptcy and the time a house is foreclosed on. They would end up pocketing money to which the subordinate lien holder would otherwise be entitled. The Court will be issuing a decision in this case by June.
In the immortal words of Elaine from Seinfeld is it time for you to attempt conversion?
Right now card issuers are liable for the costs of POS fraud involving both credit and debit cards. In October 2015 Visa and MasterCard shift this liability to merchants that can’t process chip based EMV transactions. This creates a huge incentive for merchants to invest in new terminals but the benefits aren’t quite as clear-cut for your credit union. After all if the vast majority of merchants can accept EMV by next October than you will be as liable as you are right now for card fraud.
To find out more about conversion issues yesterday I attended an excellent conference on EMV technology hosted by Covera. (Full disclosure: Covera is an affiliate of the Association). The most important lesson I learned is that, if you start planning today, credit unions have more flexibility than I thought they did in deciding when and how to make the migration to EMV. Deciding on how much of a push your credit union should make is ultimately an individual decision unique to each credit union’s circumstances. The more time you give yourself the better off you will be. Here are some of the key questions I would ask after attending the conference.
What is your timeframe for migrating to EMV? It’s going to take more than six months (optimistically) to roll out chip based cards. If you aren’t planning now than your plan is not to convert anytime soon.
How much card fraud do you have?
The switch to EMV is only helpful if data theft is an issue for your credit union. You are at no greater risk legally after October of next year if you choose not to go forward with an EMV conversion unless you think that the merchants your members shop with won’t be ready to accept EMV cards or you feel that the lack of EMV will make your CU more of a target.
Should you take a piece meal approach or integrate EMV all at once? One of the real interesting realizations for me was that credit unions have more flexibility in introducing EMV cards than the October 2015 date suggests. A credit union could start with a conversion to EMV credit cards, for example, see how the conversion goes, and then convert their debit cards.
How much money do you have to budget? These cards are estimated to be 2.5 times more expensive than traditional cards. That is a lot of money for technology that won’t prevent all fraud and that the bad guys will eventually make obsolete. In addition, there is a lot of staff training and member outreach that is involved in introducing EMV. All of this costs money.
Do you have a lot of international travelers in your field of membership? EMV technology is the industry standard in most other parts of the world.
Having read my list you may think that I am telling you not to go forward with EMV. Not at all. My Personal opinion is that consumers will eventually demand that financial institutions use the safest technology available. In addition legislators and regulators may eventually mandate that you adopt the technology whether you want to or not.
My challenge today is to see if I can write this blog in less time than Eli Manning takes on average to throw an interception. No easy task, but here goes.
There are two basic reasons to hold a hearing in Albany. The first reason is to react to an issue without actually doing anything about it. Typically you’ll see these hearings later in a legislative year when there simply isn’t enough time to get something accomplished. The second reason is to actually lay the groundwork for key issues the Legislature will deal with in an upcoming session.
On Friday, the Assembly’s Consumer Affairs and Protection Committee and its chairman Jeffrey Dinowitz held a hearing on legislation he proposed (A.10190) mandating that businesses in New York develop policies and procedures to deter data breaches. Given the controversy surrounding the issue, I wouldn’t concentrate too much on the specifics of the legislation at this point. But the mere fact that the Assemblyman has decided to hold a hearing on the issue demonstrates that the question of what to do about data breaches is sure to be a high profile issue in the upcoming legislative session.
The hearing featured the testimony of Ted Potrikus, the President of the Retail Council,. and an erstwhile Albany veteran. The way retailers tell the story, there really is no need for data breach mandates. The reputational risk to retailers from data breaches is more than enough to get them to put the necessary precautions in place.
However, data breaches are not a new phenomenon and merchants have so far been unwilling to invest the resources necessary to guard against data breaches. Every year, a survey is done assessing PCI compliance. As I explained in a previous blog, the most recent survey results indicate that businesses are still not making the commitment to guard against data breaches. Home Depot’s top executive recently conceded as much.
A second argument advanced by retailers is that they are as much victims of data breaches as are financial institutions. Again, this is not entirely accurate. First, it is banks and credit unions that have to bear the cost of replacing compromised debit and credit cards. Secondly, it is extremely difficult to make merchants legally responsible for their negligence in handling customer data. For example, many retailers contract with third-party processors. These companies aggregate plastic transactions on behalf of merchants and process their payments. Litigation involving Heartland has underscored just how difficult it is for card issuers to make these processes responsible for the cost of their negligence.
Don’t get me wrong, no retailer wants to see their business victimized by data breaches. But as the law stands right now, they simply don’t have enough skin in the game to incentivize the creation and implementation of the policies and procedures Assemblyman Dinowitz wants to mandate. Finally, the retailers correctly argue that the battle against data breach is a constantly shifting one. A business may invest in the best technology possible today only to find that the bad guys have made it obsolete tomorrow. But this argument misses the point. Precisely because there is no magic bullet technology that will prevent all data breaches, legislators need to ensure that merchants are legally obligated to take baseline steps to protect against data breaches.
It could, of course, be argued that a national problem such as data breaches should best be dealt with on a federal level. I would love to see national legislation addressing this problem. But a state as large and important as New York has the authority and the ability to finally impose baseline responsibilities on all businesses. After all, credit unions and banks, for that matter, have already been required to have regulations and policies in place for years now, but without the help of merchants they are fighting with one hand tied behind their back.
Hurricane Sandy slammed into New York’s coastline on October 29, 2012 and despite the billions of dollars being spent on reconstruction there are still homeowners, some of whom undoubtedly have credit union mortgages, struggling with insurance companies to get claims resolved.
Given the scope of the storm some delays and disputes are inevitable but a disturbing article in this morning’s New York Law Journal is making me sick to my stomach. It reports that at least one engineering company hired to assess insurance claims is accused of doctoring reports in an effort to avoid compensating homeowners on legitimate claims. According to the federal magistrate overseeing the dispute there has been “reprehensible gamesmanship by a professional engineering company that unjustly frustrated efforts by two homeowners to get fair consideration of their claims. Worse yet, evidence suggest that these unprincipled practices may be widespread.” In addition the judge concluded that an attorney for the insurance company, Wright National Flood Insurance Co, violated discovery rules by failing to disclose a draft report favorable to the homeowner’s claims.
The case which has stirred the magistrate’s ire is Deborah Raimey and Larry Raisfeld vs. National Flood Insurance Co., 14 CV 461. It involves owners of Long Beach rental property that was damaged in Hurricane Sandy. It has exposed the practice of “peer reviews.” You will see why I’m using quotes in a second.
Following the hurricane the plaintiff’s made an insurance claim with Wright National Flood Insurance Company. In a Draft report the engineer concluded:
1) The physical evidence observed at the property indicated that the subject building was structural [sic] damaged by hydrodynamic forces associated with the flood event of October 29, 2012. The hydrodynamic forces appear to have caused the foundation walls around the south-west corner of the building to collapse.
2) The extent of the overall damages of the building, its needed scope of repair combined with the age of the building and its simple structure, leads us to conclude that a repair of the building is not economically viable
However the homeowners/plaintiffs never received this report. Instead the report’s conclusions were changed after an engineer “peer reviewed the report.” Despite the fact that this second engineer never physically inspected the damaged property the final report made available to homeowners and their attorney concluded:
1) The physical evidence observed at the property indicated that the subject building was not structurally damaged by hydrodynamic forces, hydrostatic forces, scour or erosion of the supporting soils, or buoyancy forces of the floodwaters associated with the subject flood event.
2) The physical evidence observed at the subject property indicated that the uneven roof slopes, leaning exterior walls and the uneven floor surfaces within the interior of the building, were the result of long term differential movement of the building and foundation that was caused by long-term differential movement of the supporting soils at the site and long-term deflection of the building framing.
Based on these findings the insurance company decided not to pay the homeowners. Imagine if you held this mortgage?
Reasonable minds can differ. Maybe two honest engineers reached different conclusions. But the report was written by the same engineer who changed his conclusions following a phone conversation with another engineer for a company retained by the insurance company.
At the very least this case exposes conflicts of interest inherent in a system where third parties are retained by insurance companies to decide what claims should be honored. Homeowners shouldn’t have to sue to get both sides of the story. The case also underscores the difficult issues raised by discovery requests.
But what disturbs me most of all is that the case is yet another example of how this country is suffering from a crisis in ethics coming not just from Wall Street but Main Street. People are being forced to choose between doing the honest thing, such as reporting a car defect or disclosing BSA violations, and the financially expedient thing. Every day the newspaper’s report on how someone chooses the financially expedient option.
Abraham Lincoln once said “That every man has a price and you are getting dangerously close to mine.” I wonder if the economic downturn has made people a little more willing than they use to be to put their ethics aside to keep their paychecks secure.
I routinely wonder about what makes credit unions unique and how they can communicate these unique attributes to their members and policy makers. I’m no Pollyanna but I believe that most credit unions are dedicated to treating people not just legally but fairly. Ethics count. Let’s not be one of those industries that push them aside in pursuit of higher profits.
A link to the case is available at:
Last Friday, the Supreme Court granted an appeal in the case of King v. Burwell. This move has gotten a lot of attention because if the Court rules against the Administration, Obamacare is gutted. Let’s face it, healthcare has joined politics and religion as a subject you don’t discuss at dinner parties – unless, of course, you’re really bored and want to liven things up a bit. So maybe it’s not surprising that lost in all the media coverage is the fact that whether you support or oppose Obamacare, the case is directly relevant to any institution subject to federal regulation.
The case will give the Court the opportunity to delineate precisely how much flexibility agencies have when making regulations intended to implement federal legislation. I know that doesn’t sound quite as interesting as saying the case could gut Obamacare, but it means that this case is much more likely to impact the regulatory environment in which credit unions operate than the first challenge to Obamacare upheld in 2012. The GAO estimates that the federal government promulgates between 2,500 and 4,500 regulations on an annual basis. Any time the Supreme Court weighs in on how much power agencies have to promulgate these rules, it’s worth paying attention to.
A core component of the Affordable Care Act (ACA) is the establishment of exchanges through which individuals can purchase health insurance. Section 1311 provides that “each state shall, not later than January 1, 2014, establish an American Health Benefit Exchange.” However, a subsequent section provides that if a state chooses not to establish an exchange, the Secretary of Health and Human Services is required to establish an exchange within that state. Only 16 states, including New York, and the District of Columbia established health care exchanges.
Crucially, tax credits are provided for millions of individuals to help offset the cost of health insurance purchased through the exchanges. Specifically, the Act provided that such subsidies are available to a tax payer enrolled in a health plan “through an exchange established by the State.” The IRS was given responsibility for implementing this provision. It decided that the statute was designed to make health care subsidies available to all eligible individuals who purchased health insurance through an exchange regardless of whether that exchange was run by the federal or state government. The issue in this case is how much flexibility the IRS had to interpret the pertinent language as applying to both federal and state exchanges.
This is the part of the debate relevant to credit unions. As we are all too aware, Congress routinely passes huge statutes with vague language. How much flexibility agencies have in interpreting these provisions is governed by a well-established judicial framework. Where a statute is clear, agencies are responsible for implementing its plain meaning. However, where a statute is susceptible to more than one interpretation, courts defer to the agency’s interpretation so long as it is reasonable. This is the reason, for example, why the Court of Appeals for the District of Columbia Circuit ruled that the Federal Reserve acted within its power when it determine the criteria to be used when establishing the debit interchange cap. Critics of so-called Chevron deference argue that this approach gives agencies too much flexibility. This case gives the Court’s conservative wing a high profile case in which to criticize or limit an agency’s discretion in writing statutes.
Why does all this matter? Because every day credit unions and their associations lobby Congress and make good faith efforts to comply with regulations spawned by Congressional enactments. The less flexibility regulators have, the more important the legislative process becomes. Conversely, the more flexibility agencies have then the more the legislation passed by Congress is simply the first stage of an increasingly convoluted law making process.
Speaking of court cases, the NCUA has filed another lawsuit seeking to recoup losses to the Share Insurance Fund stemming from the purchase of mortgage-backed securities. This lawsuit is against Deutsche Bank National Trust Company. It alleges that the company failed to properly exercise oversight over the purchase of mortgage-backed securities purchased by U.S Central, WesCorp, Members United, Southwest and Constitution between 2004 and 2007.
The Federal Financial Institutions Examination Council (FFIEC), which reflects the combined wisdom of all the financial regulators including the NCUA, released a “statement” yesterday in which it strongly recommended that financial institutions participate in the Financial Services Information Sharing and Analysis Center (FS-ISAC) as part of their efforts to enhance the cyber security of their institutions. The call for greater information sharing is the biggest takeaway from a report and statement the FFEIC released yesterday based on an assessment of the steps that 500 financial institutions are taking to deal with cyber threats.
Although regulators stressed that the report’s observations were not to be treated as official Guidance, don’t believe them, they may not be binding on you, but they easily could be required of you in the near future. Plus, the report provides some great advice to help develop a more robust cyber security program. For example, the report is filled with questions that board members and executives should be asking about their cyber security preparedness and steps that institutions should consider taking to mitigate risk. Among the questions that boards should be asking are:
- What is the process for ensuring ongoing and routine discussions by the board and senior management about cyber threats and vulnerabilities to our financial institution?
- How is accountability determined for managing cyber risks across our financial
institution? Does this include management’s accountability for business decisions that may introduce new cyber risks?
- What is the process for ensuring ongoing employee awareness and effective response to cyber risks?
What I would suggest doing is actually asking yourself these and the other questions outlined in the report and see what vulnerabilities your credit union has and can realistically guard against given its size and sophistication. Furthermore, ask these questions at least once a year. Cyber security is a dynamic threat and has to be monitored constantly.
As for getting involved with FS-ISAC, this organization is designed to get information about cyber threats out to financial institutions as quickly as possible and act as a repository of emerging cyber threats. Here is a link to the site: https://www.fsisac.com/
One editorial comment: The way this information was released underscores a growing problem with the way credit unions and apparently other financial institutions are being regulated. By issuing “Guidance,” “Statements” and “Reports” without clearly delineating what obligations these documents are imposing on credit unions, regulators are adding a degree of confusion to compliance that doesn’t have to be there. Here is a simple solution: All documents directed at financial institutions should include a sentence explaining what statutory power an agency is exercising in publishing the material. Regulations always include a reference to the statute pursuant to which a regulation is being promulgated and the same procedure should have to be followed when it comes to issuing reports with recommendations that sound an awful lot like examiner commandments.
Here is a link to the material: http://www.ncua.gov/News/Pages/NW20141103FFIEC.aspx
According to this morning’s CU Times, NCUA officials have officially decided that interest rate risk would be removed as a focus of NCUA’s Risk Based capital proposal. Instead IRR would be dealt with in a separate proposal.
We have to see what NCUA is actually going to propose but in concept this is a very positive development. Many of the proposed risk weightings – most noticeably those dealing with mortgage concentrations – seemed to have been designed to make it structurally impossible for credit unions to take on too many long-term loans and investments even if this meant making it difficult for them to offer sound products that members wanted.
In addition, by the middle of next year, we should have a better idea of how risky the interest rate environment is. The Fed will either start raising short-term rates by the middle of next year or the economy will continue to be so sluggish that only the clinically paranoid will fear a sudden spike.
I know it’s a cliché, but people all over the world die for the right to vote. Don’t be lazy. Vote today.