Posts filed under ‘Regulatory’

Could You Implement A Cybersecurity Program?

The state’s financial regulator has signaled two areas that will be getting special scrutiny to prevent cyber breaches like the one that compromised information involving 76 million JP Morgan Chase customers. One step is to scrutinize third party vendor relationships. The other may be mandated cyber-security programs for financial institutions.

Reuters reports that last Tuesday, DFS Superintendent Ben Lawsky sent a letter to “many banks” expressing concern about the “level of insight financial institutions have into the sufficiency of cyber-security controls of their third-party service providers.” He wants the banks to disclose any policies and procedures they have related to their third party relationships and “to outline all methods of protection used to safeguard sensitive data that is sent to, received from, or accessible to vendors.”
You should not be all that concerned about this potential mandate if you have paid attention to NCUA’s Due Diligence Guidance. To its credit, vendor management has been a key concern of NCUA for years now.

In addition to reviewing NCUA’s guidance, for my money, vendor management comes down to contract management. Your contract should:
(1) Give you the right to consult regularly with your third party vendor;
(2) Specify what security precautions the vendor will take to protect customer information and include specific documentation that such steps are being taken;
(3) Clearly outline responsibilities in the event of a security breach;
(4) Contain strong damage clauses; and
(5) Enable you to quickly get out of a contract in the event of a breach.

Finally, at least one person at your credit union should understand what the vendor is doing well enough to ask the right questions when it comes to assessing whether or not a vendor is living up to its side of the bargain. There is much more that you should ask for, but these clauses enable you to monitor your vendors as opposed to simply passing off a key part of your credit union’s operations and hoping for the best.

I’m speculating a little at this point, but I would expect that financial institutions will face state-level mandates to have cyber-security policies and procedures in place. The State’s proposed regulations for the licensing of Bitcoin traders include a section 200.16 that mandates that licensees implement cyber security programs. Such programs must ensure the “availability and functionality” of the licensee’s electronic system and protect sensitive data stored on these systems from unauthorized access or tampering. Specific requirements include written policies and procedures to recover from a cyber-breach or breakdown and a description of how data is protected. Furthermore, each licensee must have a designated cyber security officer.

Henry, you say, this is all very interesting but my credit union has about as much interest in trading Bitcoins as the President does in the Republicans taking over the U.S. Senate. Ah, but here’s the catch. In a speech on October 14th, the Superintendent conceded to critics of the proposed Bitcoin regulation that the proposed cyber-security rules imposed stiffer requirements on licensees than are imposed on financial institutions. But, he said this “is primarily because we are actually considering using them as models for our regulated banks and insurance companies.” This is a not-too-subtle indication that a cyber-security mandate is coming sometime soon.

Incidentally, the impetus for today’s blog came from a friend as I was watching Real Madrid demolish Barcelona in soccer this past Saturday. Even if you don’t like this sport, you should all visit Wolff’s Biergarten in downtown Albany at least once during a major soccer event. Not only does the crowd make you feel like you are actually at the game, but if you are lucky enough to bump into me, you can actually talk cyber-security. Dare to dream, have a nice day.

October 27, 2014 at 9:10 am

The Biggest News this Week

Although the finalization of QRM regulations on Tuesday garnered all of the media attention, the week’s news that will have the biggest impact on your credit union is yesterday’s announcement by the Clearing House that it is committed to “a multi-year effort to build a real-time payment system to better meet consumers’ and businesses’ expectations in an increasingly digital economy.” The Clearing House is an association composed of the world’s largest banks; they own the world and process a good chunk of its payments. Considering the size and reach of these banks, whatever platform they develop will become the standard for all financial institutions.

Just how big a deal is this? For one thing, their commitment to modernization is spot-on. The payments system is woefully out of date. Its legal framework is derived from a time when there were no computers, let alone smartphones. As a result, the financial industry is still quibbling over midnight deadlines and signature recognition while Wall Street completes trades between anonymous counterparties in nano-seconds and college kids transfer funds between each other with the touch of a smartphone. The system is woefully antiquated and out of touch with consumer expectations.

The announcement also shows just how quickly banking is getting away from banks and, by extension, credit unions. According to this morning’s press reports (see the links at the bottom of the blog), just two years ago the Clearing House was instrumental in killing a proposal to develop a real-time payments system. In the last two years Apple, GoBank and Wal-Mart, just to name a few, have shown just how easy it is to empower the consumer to expect seamless real-time financial transactions. The same consumer that can wave a smartphone to buy lunch isn’t going to tolerate a system where money is “provisionally credited” to his or her account. And don’t overlook the bitcoin. It’s demonized as if it’s a technological Ebola virus, but it demonstrates that it is possible to exchange a currency without the use of a bank or credit union.

Where does all this leave credit unions? I honestly don’t know, but I wish the industry was giving more thought to what it expects out of the payment system of the future. A changing payments system will mean technology upgrades, new legal obligations and regulations. Credit unions are stakeholders in the system and it’s time for credit unions of all shapes and sizes to jointly develop industry-specific principles for what a new payments system will look like. Now is the time to think and think quickly.

https://www.theclearinghouse.org/press-room/in-the-news/2014/10/20141022-tch-to-develop-real-time-payments-system

http://www.americanbanker.com/issues/179_204/the-clearing-house-to-build-real-time-payments-system-1070764-1.html

http://www.finextra.com/news/fullstory.aspx?newsitemid=26617

October 23, 2014 at 8:59 am

Why QRMs are Important to You

Yesterday, the FDIC became the first agency to finalize qualified residential mortgage regulations mandated by Section 941 of the Dodd-Frank Act.  To understand how big a deal this is, think of those ridiculous Hollywood disaster movies where Earth narrowly avoids a speeding meteor the size of the Empire State Building that will end life as we know it. Yesterday’s announcement will have no direct impact on credit unions.  In fact, the NCUA is the only financial regulator not required to join in issuing QRM regulations because credit unions don’t issue asset-backed securities.  Nevertheless, yesterday’s actions have important consequences for any institution providing mortgages.

Here is some background. The CFPB was responsible for regulations defining qualified mortgages (QM). These are the regulations that have already taken effect. This blog discusses Qualified Residential Mortgages (QRM).

One of the major causes of the mortgage meltdown was an explosion of mortgage-backed securities.  Banks and mortgage companies lowered lending standards in part because of the insatiable appetite of Wall Street for mortgages.  Investment banks would package mortgages into securities, which were sold with painful consequences for many investors including the failed Corporates.  Critics of the system argued that securitizers, generally the investment banks that created these bonds, needed to have a financial stake in the bonds that they were selling.

Section 941 of the Dodd-Frank Act responded to this concern by establishing minimum risk retention requirements for issuers of mortgage-backed securities. Specifically, securitizers are required to retain at least 5% of any asset-backed security they issue. But an important exception was made. Joint regulations were to be issued by the federal banking agencies, HUD and the FHFA defining what constitutes a qualified residential mortgage within 270 days of Dodd-Frank’s enactment (so much for deadlines). The definition is crucial because the 5% risk retention requirement does not apply to mortgage-backed securities comprised of QRMs. Congress also mandated that the QRM definition could be no broader than the CFPB’s definition of a qualified mortgage (QM).

Here comes the speeding meteorite part of today’s blog. The regulators responded to their mandate by proposing that QRM mortgages be required to have a maximum loan-to-value ratio of 80%. Imagine a world in which only mortgage applicants with at least 20% to put down on a home could qualify for a mortgage. Level-headed people responded to this suggestion by proclaiming “the death of the American Dream.”

Yesterday’s actions officially put an end to this game of chicken with the trade-off that the CFPB is even more powerful than ever before. Why? At the end of the day, the regulators decided that a QRM is any mortgage that meets the Bureau’s definition of a qualified mortgage. This means that if you want the ability to sell your mortgages to a secondary market participant, your mortgages must meet either the CFPB’s qualified mortgage standards or be eligible for sale to the GSEs. Remember that you don’t have to underwrite to QM standards so long as you can document why a member has the ability to repay her mortgage loan and you are willing to retain the mortgage.

One editorial comment. The regulators did the right thing yesterday, but yesterday’s announcement is another example of how Dodd-Frank does precious little to address the underlying causes of the Great Recession. If you want to avoid reckless underwriting in the future, then by definition that means imposing more stringent underwriting standards.

October 22, 2014 at 8:33 am

Chip and PIN: The Next Big Compliance Deadline?

When a President has to react to a serious problem but doesn’t know what more he can do to solve it, he appoints a “Czar,” as in a “Drug Czar” or “Ebola Czar.” When a President has ideas about how to solve a problem but can’t get anyone to agree to his solution, he holds a summit.

The President is a smart guy who knows that cybersecurity is a major issue about which Congress has failed to act. Last year, 100 million consumers were victims of data breaches. So this past Friday, the President announced that he would be hosting a cybersecurity summit.

While the bully pulpit only goes so far, the actions announced by the President and major retailers on Friday underscore that, for card issuing credit unions, October 2015 looms as one of the biggest compliance deadlines. As you probably already know, October 2015 is when liability shifts for card issuers and merchants accepting Visa and MasterCard that don’t have chip-and-pin technology.

Starting in October of 2015 a merchant with a payment terminal that doesn’t use chip-and-pin technology will be liable for the costs of any unauthorized Point of Sale transactions involving a member with a chip-and-pin card. Conversely, if a card issuer can’t process EMV transactions, it is on the hook for the liability. The shift was first unveiled in 2012 to give everyone more than adequate time to adopt the new technology but, until recently, I was skeptical of just how important the deadline would be. Making the shift costs money. Issuing chip embedded plastic isn’t cheap compared to the erstwhile magnetic strip and retrofitting payment terminals isn’t cheap for merchants.

But the days of mutually assured indifference are over. Speaking before employees at the CFPB on Friday, the President unveiled an Executive Order mandating that credit cards and credit-card readers issued by the United States government come equipped with chip-and-pin technology starting next year.  The President also announced that he was ordering federal law enforcement to share more information with the private sector when they discover identity theft rings.

Finally, the President announced that “a group of retailers that include some of our largest — Home Depot, Target, Walgreens, Walmart — and representing more than 15,000 stores across the country, all of them are pledging to adopt chip-and-pin technology by the beginning of next year.”

Now, I have said it before and I will say it again. Industry-wide adoption of chip-and-pin is no panacea. The technology is already old and does nothing to prevent online fraud. But the events of Friday underscore that it is time to get moving on adopting this technology if you haven’t done so already.

Here are some links for additional information:

http://www.whitehouse.gov/the-press-office/2014/10/17/remarks-president-protecting-american-consumers

http://phys.org/news/2014-10-obama-unveils-stem-identity-theft.html

http://usa.visa.com/download/merchants/bulletin-us-participation-liability-shift-080911.pdf

October 20, 2014 at 8:46 am

CFPB: Bankruptcy Code Harms Student Borrowers

Is the Bankruptcy Code to blame for difficulties students experience modifying their private student loan obligations?  That is the implicit question posed by the CFPB in its annual report analyzing the student loan industry.  According to the report, which summarizes data from complaints received by the CFPB over the previous year, students seeking repayment options for private student loans are facing many of the same obstacles homeowners face after falling behind on their mortgages.

According to the report, since the Bureau began accepting private student loan complaints in 2012, the most common complaint comes from borrowers seeking to avoid default when they face financial hardship.  According to the Bureau, its findings suggest that lenders and servicers “have yet to address the need for loan workout in a fulsome manner.”

What would the CFPB do?  In 2005, one of the changes made to the bankruptcy code was to make private student loans non-dischargeable in bankruptcy.  At the time of this change, similar protections had already been granted to federally subsidized student loans.  The CFPB is recommending that Congress revisit the PSL exemption “to determine whether the special bankruptcy protection afforded to lenders should be limited to those who offer certain loan modification options.” Remember, the CFPB has already put in place a regulatory framework mandating that lenders work in good faith with homeowners who are struggling to make their mortgage payments.

The nation’s rising level of student loan debt is a serious and growing problem.  As I’ve pointed out in a previous blog, there is even growing evidence that student debt is holding back the housing recovery by making it more difficult for people to afford their first house.  What concerns me about the CFPB’s recommendation is that it adds fodder to an increasingly ideological and divisive debate about the root causes of student debt.

Let’s look at issues surrounding education finance.  But let’s not analyze the issue in isolation.  College tuition has skyrocketed and shows no signs of letting up.  Looking at the amount of debt being amassed in this country to get an education and focusing exclusively on lenders is tantamount to blaming the woes of the NY Jets on their quarterback, Geno Smith: it might be comforting, but there are some issues for which there are no easy solutions.

Well, I’m off to enjoy my morning yogurt. It’s going to taste extra good now that Governor Cuomo has signed legislation naming it the official state snack.

October 17, 2014 at 8:24 am

Military Misfires on Consumer Protection

Today’s blog provides a good example of how well-intentioned people can end up doing more harm than good.  The Department of Defense recently proposed expanding the coverage of consumer protection laws that currently apply to pay-day loans, refund anticipation loans and vehicle title loans to most consumer loans covered by the Truth in Lending Act. It would not apply to loans to purchase a vehicle or a home.  If the DOD isn’t careful, it will dry up the swamp of creditors who prey on our service members, which of course is a good thing, but do so in a way that will make it more difficult for members of the armed forces to get access to consumer credit, especially from credit unions.  Here’s why.

Back in 2007, responding to widespread reports of predatory lending activities targeting the military, Congress passed the Military Lending Act. The Act empowered the Department of Defense to define and regulate consumer credit products provided to active duty members of the armed forces and their dependents. It gave the military wide discretion in determining what products would be subject to the enhanced regulatory restrictions. Under the regulations promulgated by the DOD, a 36% interest rate cap was placed on refund anticipation loans, pay-day loans, and vehicle title loans. In addition, the cap is calculated based on the Military Annual Percentage Rate (MAPR), which is succinctly summarized by the CFPB to include interest, fees, credit service charges, credit renewal charges, credit insurance premiums and other fees related to credit products sold in connection with the loan. Creditors selling these loans have to provide enhanced disclosures, as well as take affirmative steps to identify eligible consumers.

At the time the legislation was enacted, credit unions and other financial institutions were concerned that if regulations were written too broadly, they would require the wide-spread adoption of two types of consumer loan products:  one for the military and one for civilians.  However, the final regulations were narrow enough in scope so that they didn’t impact the vast majority of credit unions, most of which would have no desire to offer these types of products in the first place, even if located in states where they were permitted to do so.

The statute as it has been implemented by the DOD made sense, at least until last Friday.  The DOD is proposing regulations that would expand the definition of products covered under the statute to include credit cards and other consumer loans covered under the Truth in Lending Act.  As a result, credit cards offered to members of the military and their dependents would be subject to a 36% cap calculated by a refined MAPR.  To be fair, the military recognizes that a poorly drafted regulation runs the risk of denying mainstream credit to members of the armed forces, so it is refining the MAPR to, for example, exclude customary and reasonable fees.  But the calculation of an MAPR would still differ for members of the military and civilians.  Furthermore, by expanding the reach of the MLA to most consumer loans except home mortgages and car loans, the military will make it more difficult for credit unions to provide legitimate loans to service members.

In fact, the proposal is such a bad idea that NCUA took the highly unusual step of issuing a statement critical of the proposal the same day it was announced.  It pointed out that NCUA’s pay-day lending alternative was designed specifically to fit within the Department’s existing regulations.

Current NCUA regulations allow federal credit unions to offer payday alternative loans with an interest rate of up to 28 percent and an application fee of up to $20. Under the Military Lending Act regulations, consumer credit to covered borrowers is subject to a 36 percent cap on the military annual percentage rate, or military APR, which includes application fees. If these regulations are revised to cover payday alternative loans, the rate and fee for many payday alternative loans would be higher than the military APR cap.

Conversely, our good friends at the bureau that never sleeps, the CFPB, think the Department’s proposal is a swell idea. Proponents of the DOD’s approach point out that it is extremely easy to avoid compliance with the MLA. For example, a loan with a 91-day repayment period isn’t classified as a pay-day loan under the regulations, but a 90-day loan could be. They argue that by expanding the size of the jurisdictional net, it will be easier to catch those creditors who prey on members of our armed forces. The problem with larger fishing nets, of course, is that they scoop up everything in their wake, including fish that no one wants to catch in the first place.

Perhaps DOD should consider expanding the definition of the existing products covered under the MLA rather than grabbing everything into its jurisdiction.  Another alternative, which it notes in the preamble that it is open to considering, is to exempt certain types of institutions from coverage of the expanded regulations.  Considering that federal credit unions are already subject to an interest rate cap on loans and that the vast majority of credit unions are places that members of the military looking for a fair deal should be encouraged to patronize, an exemption makes sense to me.

At ease.

October 1, 2014 at 8:30 am



Authored By:

Henry Meier, Esq., Associate General Counsel, Credit Union Association of New York
