Posts filed under ‘New York State’
And State Senator Griffo and Assemblywoman Robinson.
In the wee small hours of the morning the Governor officially signed legislation that gives state chartered credit unions greater flexibility in creating fields of membership. I’m not exaggerating when I say that this is the most significant piece of NYS legislation in at least the last fifteen years. It helps New York consumers by making it easier for them to join a credit union, it makes the atrophying state charter a viable option for credit unions and it helps out federally chartered institutions that benefit from a regulatory framework in which no single regulator has a monopoly. As the sponsor memo accompanying the bill explains, “A healthy dual chartering system and the ability for credit unions to reach as many New Yorkers in need of their products and services are essential elements toward their continued success.” Right now there are approximately 21 state charters.
The legislation (S 7112 Griffo, A 9408 Robinson) was vetoed last year and will be amended further in the coming months to address concerns raised by the Department of Financial Services. In its final form it allows state chartered credit unions to apply for Fields of Membership (FOM) that combine the different FOM categories. For example, a credit union composed of employees of the local library could apply to allow persons in the community in which the library is based to be credit union members. All FOMs will be subject to the approval of the DFS.
Contrary to the objections of our banking brethren, the legislation doesn’t do away with traditional credit union membership requirements. No open charters are being created. Potential members will still have to belong to a category of persons a credit union is authorized to serve. However, since state charters will now have more flexibility in designing their membership, more consumers will have more flexibility to choose between financial institutions. As someone who believes that competition among financial institutions is the best consumer protection there is, this legislation is a huge step in the right direction.
The bill takes effect in 90 days. Here is a link to the legislation.
No Fracturing in NY
New York State’s ban on high-powered hydraulic fracturing will stay in place after the state’s Acting Health Commissioner announced he was concerned by the health risks it posed. The DEC has already announced that it will defer to the commissioner’s findings. Fracturing involves shooting high volumes of water and chemicals into shale. The resulting cracks release natural gas deposits.
The Association has been following the issue closely because the leasing of mortgaged property for drilling raises concerns that should be addressed in mortgage documents and discussed with members. Remember, if you provide mortgages in Pennsylvania you should already be addressing these issues.
New York State’s Department of Financial Services issued a letter to all New York State chartered and licensed banking institutions yesterday informing them that cybersecurity will be an increased emphasis of the examination process. The Department’s head, Benjamin Lawsky, said: “the Department encourages all institutions to view cybersecurity as an integral aspect of their overall risk management strategy rather than solely as a subset of information technology.”
The heightened examinations include:
- An analysis of an organization’s reporting structure for cybersecurity related issues;
- An organization’s management of cybersecurity issues including the interaction between information security and core business functions;
- An examination of information policies and procedures as well as assessing whether such policies are periodically reviewed in light of changing risks; and
- A requirement for protections against intrusion including the use of multi-factor authentication.
This list is by no means definitive and you should take a look at the entire letter.
Although the letter is applicable to all of New York State’s charges, its more detailed requirements are clearly geared to the largest institutions DFS regulates. An accompanying press release explains that “institutions will be examined as part of new, targeted DFS cybersecurity preparedness assessments.” Nevertheless, all New York State credit unions should be ready to demonstrate that they have cybersecurity policies commensurate with the risk posed by the services they provide and the vulnerability of their systems to cyber attacks. As I explained in a previous blog, cybersecurity preparedness has become a major point of emphasis for the DFS. Remember, hackers are demonstrating an increased interest in attacking small- to medium-sized financial institutions.
Since I am on the subject of cyber security here’s a post from the Motley Fool investment site that is worth a look. It explains what it thinks investors should expect banks to be investing in when it comes to building and maintaining a cyber infrastructure.
On that note, have a nice day.
To political junkies, Massachusetts Attorney General Martha Coakley is best known as the Democrat with an uncanny knack for snaring defeat from the jaws of victory. First she lost to Republican Scott Brown in an election to fill the Senate seat that was open following the death of liberal icon Ted Kennedy, and this past November she lost in her race to become Governor of a state that has been overseen by two-term Democrat Deval L. Patrick. So much for AG standing for Aspiring Governor. But Coakley has aggressively pursued data breaches and what Massachusetts does in this area is worth paying attention to.
This brings me to the subject of today’s blog: Yesterday she announced an $825,000 settlement against TD Bank for failing to promptly notify her office of a March 2012 data security incident until October 2012. The settlement stemmed from a courier’s loss of account backup information. According to the press release, when TD found out that data backups it believed it had entrusted to couriers had not arrived at its storage facility, it conducted an internal investigation and found no evidence of fraud or unauthorized access or use of the personal information involved in the incident.
The National Conference of State Legislators tells us New York is one of forty-seven states that have a data breach notification law. But these laws ostensibly leave much room for determining when notification requirements kick in. For instance, NY provides:
“Any person or business which conducts business in New York state, and which owns or licenses computerized data which includes private information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the system to any resident of New York state whose private information was, or is reasonably believed to have been, acquired by a person without valid authorization….” N.Y. Gen. Bus. Law § 899-aa (McKinney)
Personal information includes Social Security numbers, account numbers, driver’s licenses, and credit or debit card numbers in combination with any required security code.
What the Massachusetts settlement underscores for me is that you don’t have as much flexibility in deciding when the statute is triggered as you might think you do. For instance, New York’s law applies when a data breach results in a “reasonable belief” that the breached data fell into the hands of an unauthorized person, which is usually going to mean a third party. I’m reading between the lines of the Massachusetts settlement but it appears that the bank was slow in reporting the breach in part because it concluded that the data loss did not compromise anyone’s privacy. It did an investigation, saw no indication that the misplaced data was misused, surmised it was misplaced by its vendor and moved on.
This is a good legal argument since it had no evidence that anyone other than an authorized vendor or a bank employee accessed the information.
But don’t put yourself in the position of having to make this argument. When in doubt, follow the statute’s requirements. Consumers are sensitive to data breaches and AGs are getting more and more sensitive to the issue.
Governor Cuomo announced new regulations yesterday that impose extensive new requirements on debt collectors.
The good news is that they shouldn’t have a direct impact on your credit union’s practices, but they will impose several new disclosure requirements on third-party debt collectors. In addition, if you are from out-of-state and don’t think these regulations will impact you, think again. The CFPB is likely to take steps to impose new debt collector requirements and New York’s regulations are already being described as a “model for the rest of the country.” (This morning’s Law360 blog).
First the good news: The regulations provide that a debt collector does not include “any officer or employee of a creditor while, in the name of the creditor, collecting debts for such creditor.” In other words if a car loan to a member turns sour these regulations don’t apply to your employees who try to collect the debt. Instead they apply to the third-party debt collector with whom you may contract to retrieve your delinquent loans.
While the distinction is an important one, if I was working at a credit union I would certainly want to make sure that any third-party collector I am using is aware of these requirements and is preparing to comply with them. In addition, at least some of the disclosures mandated by the State can’t be complied with unless you and your debt collector are working together.
For example, a debt collector has to have procedures in place for knowing if the statute of limitations for collecting a debt has expired. If it has expired the debt collector must, among other things, inform the consumer in writing that he is “not required to provide the debt collector with an admission, affirmation, acknowledgment of the debt, a promise to pay the debt, or a waiver of the statute of limitations; and if the consumer makes any payment on a debt for which the statute of limitations has expired or admits, affirms, acknowledges, or promises to pay such debt, the statute of limitations may restart.” That’s right, debt collectors must now inform debtors when they don’t have to pay back a debt. I’m dubbing this requirement the Debt Collector Miranda Requirement.
Other provisions in the regulation require debt collectors to provide:
- Written disclosures, within five days of initially contacting a consumer, detailing a debtor’s rights; different disclosures would be required when seeking repayment of “charged off debt”;
- Additional disclosures for consumers who agree to pay off a debt; and
- A requirement that consumers contesting debts be informed of their right to have the debts confirmed. There are exceptions to this requirement.
The regulations also specify when email may be used to communicate with a debtor.
Depending on when they are posted in the State Register, most of the regulation will take effect in March but provisions related to contacting individuals with charged-off debt and the substantiation of debt claims will take effect in approximately nine months.
Here is a link to the regulation:
With snow coming, the Meier family has decided to head over the river and through the woods to Grandma’s house on Long Island a little earlier than originally planned (I can hear someone in Buffalo saying “Snow! They call six inches Snow!”). There is a fair amount I want to tell you about before my hiatus so here goes.
Will NCUA approve a pot CU?
Now that Colorado has approved a state charter for a credit union dedicated to providing financing for the state’s nascent marijuana industry, NCUA will have to decide whether or not to federally insure the institution. I’ve written several blogs about the legal difficulties of providing pot financing. Marijuana remains illegal as a matter of federal law and even though federal prosecutors have indicated that they would turn a blind eye to institutions providing banking services in states where pot use is legal, finding financial institutions willing to open up businesses for ganja-related businesses has proven to be difficult.
I have no idea what NCUA’s ultimate decision will be but I would love to see it deny federal insurance for credit unions created to circumvent federal law.
There is a huge disconnect going on here. Heroin use is on the rise and a culture that glorifies pot use inevitably contributes to that rise by making drug use that much more acceptable. To those who extol pot’s medical benefits I would point out that few of the states that have legalized pot limit its possession to medical uses and one that has ostensibly done so, California, has made a mockery of these limits (Maybe New York will be the exception).
Let’s be honest, national groundswells for improved healthcare don’t catch fire just because some people want better healthcare; if they did, then President Obama would be the most popular President in history.
To my peers who think that pot use is no big deal I say grow up and think about your kids. College is over. Here is a link to a CU Times article and some previous blogs I’ve done on the subject.
New York clarifies application of its subprime loan statute
In 2013 the Federal Housing Finance Administration changed its policies to mandate that insurance premiums on FHA insured loans be collected over the entire length of a mortgage. This change meant that some loans would be considered subprime loans under New York law, making them all but impossible to sell in the secondary market. Legislation signed by the governor establishes a separate formula for calculating subprime loans insured by the FHA. The law is an important amendment for mortgage lenders but it does mean that there is now an additional formula that has to be calculated when determining how a mortgage loan should be classified under state and federal law. Chapter 469 of 2014 takes effect immediately.
Speaking of New York laws, in the same batch of legislation the Governor also approved a bill clarifying the authority of parents and guardians to request that credit reporting agencies preemptively place security freezes on the credit reports of persons 16 years or younger. Most importantly, the bill authorizes parents to request that a freeze be placed on a child’s credit information even if the child has no file. This means that it will be more difficult for identity thieves to use a stolen social security card to create an alternate identity with which they can take out loans and sign up for credit cards, for example. The legislation is Chapter 441 of 2014.
FHFA maintains Conforming loan limits
The FHFA, which oversees Fannie Mae and Freddie Mac, announced yesterday that it was maintaining the conforming loan limit at $417,000. The conforming loan limit is the maximum price above which a residential property will not be purchased by the GSEs. For my downstate brethren who think that this is a pretty low number, remember that conforming house values are higher in certain parts of the country, including much of the downstate area. Here is a link to the announcement and a link to a list of conforming value limits.
Good morning, if this headline got your attention, get your mind out of the gutter. Think in bankruptcy parlance. A “strip off” occurs when a court cancels a lien that is wholly unsecured.
On Monday, the Supreme Court decided to hear an important case to answer this question: can a court overseeing a Chapter 7 Bankruptcy cancel a junior lien on a residential mortgage where the value of the property is so low that there is no equity with which to pay back the subordinate lien holder? The Supreme Court decided to consolidate two cases from the 11th Circuit (Bank of America v. Caulkett and Bank of America v. Toledo-Cardona). Both cases deal with residential mortgages that tumbled in value once the Great Recession hit. The homes tumbled so much in value, in fact, that there wasn’t enough money in either house to pay back the holder of the principal mortgage, let alone the holders of home equity lines of credit taken out on the properties.
Most courts that have addressed this issue in other jurisdictions have concluded that a subordinate lien survives bankruptcy regardless of the amount of equity left in the residential property. In New York, for example, the leading case is Wachovia Mortgage v. Smoot, 478 B.R. 555 (E.D. NY 2012). The court provided an excellent explanation of why subordinate liens survive Chapter 7 Bankruptcy. In addition, at least three other circuit courts have reached the same conclusion.
In contrast, the 11th Circuit, which includes Florida, has reached the opposite conclusion. In the consolidated cases to be decided by the Supreme Court, the Florida homeowners were successful in getting their subordinate liens cancelled. Why does this matter? In depressed housing markets, it may not make much of a difference, but in states like New York, where it may take several years to foreclose on a property, a homeowner could see a sharp rise in their property values between the time when they declare bankruptcy and the time a house is foreclosed on. They would end up pocketing money to which the subordinate lien holder would otherwise be entitled. The Court will be issuing a decision in this case by June.
My challenge today is to see if I can write this blog in less time than Eli Manning takes on average to throw an interception. No easy task, but here goes.
There are two basic reasons to hold a hearing in Albany. The first reason is to react to an issue without actually doing anything about it. Typically you’ll see these hearings later in a legislative year when there simply isn’t enough time to get something accomplished. The second reason is to actually lay the groundwork for key issues the Legislature will deal with in an upcoming session.
On Friday, the Assembly’s Consumer Affairs and Protection Committee and its chairman Jeffrey Dinowitz held a hearing on legislation he proposed (A.10190) mandating that businesses in New York develop policies and procedures to deter data breaches. Given the controversy surrounding the issue, I wouldn’t concentrate too much on the specifics of the legislation at this point. But the mere fact that the Assemblyman has decided to hold a hearing on the issue demonstrates that the question of what to do about data breaches is sure to be a high profile issue in the upcoming legislative session.
The hearing featured the testimony of Ted Potrikus, the President of the Retail Council, and an erstwhile Albany veteran. The way retailers tell the story, there really is no need for data breach mandates. The reputational risk to retailers from data breaches is more than enough to get them to put the necessary precautions in place.
However, data breaches are not a new phenomenon and merchants have so far been unwilling to invest the resources necessary to guard against data breaches. Every year, a survey is done assessing PCI compliance. As I explained in a previous blog, the most recent survey results indicate that businesses are still not making the commitment to guard against data breaches. Home Depot’s top executive recently conceded as much.
A second argument advanced by retailers is that they are as much victims of data breaches as are financial institutions. Again, this is not entirely accurate. First, it is banks and credit unions that have to bear the cost of replacing compromised debit and credit cards. Secondly, it is extremely difficult to make merchants legally responsible for their negligence in handling customer data. For example, many retailers contract with third-party processors. These companies aggregate plastic transactions on behalf of merchants and process their payments. Litigation involving Heartland has underscored just how difficult it is for card issuers to make these processors responsible for the cost of their negligence.
Don’t get me wrong, no retailer wants to see their business victimized by data breaches. But as the law stands right now, they simply don’t have enough skin in the game to incentivize the creation and implementation of the policies and procedures Assemblyman Dinowitz wants to mandate. Finally, the retailers correctly argue that the battle against data breach is a constantly shifting one. A business may invest in the best technology possible today only to find that the bad guys have made it obsolete tomorrow. But this argument misses the point. Precisely because there is no magic bullet technology that will prevent all data breaches, legislators need to ensure that merchants are legally obligated to take baseline steps to protect against data breaches.
It could, of course, be argued that a national problem such as data breaches should best be dealt with on a federal level. I would love to see national legislation addressing this problem. But a state as large and important as New York has the authority and the ability to finally impose baseline responsibilities on all businesses. After all, credit unions and banks, for that matter, have already been required to have regulations and policies in place for years now, but without the help of merchants they are fighting with one hand tied behind their back.