Posts filed under ‘Regulatory’
The state’s financial regulator has signaled two areas that will be getting special scrutiny to prevent cyber breaches like the one that compromised information involving 76 million JP Morgan Chase customers. One step is to scrutinize third party vendor relationships. The other may be mandated cyber-security programs for financial institutions.
Reuters reports that last Tuesday, DFS Superintendent Ben Lawsky sent a letter to “many banks” expressing concern about the “level of insight financial institutions have into the sufficiency of cyber-security controls of their third-party service providers.” He wants the banks to disclose any policies and procedures they have related to their third party relationships and “to outline all methods of protection used to safeguard sensitive data that is sent to, received from, or accessible to vendors.”
You should not be all that concerned about this potential mandate if you have paid attention to NCUA’s Due Diligence Guidance. To its credit, vendor management has been a key concern of NCUA for years now.
In addition to reviewing NCUA’s guidance, for my money, vendor management comes down to contract management. Your contract should:
(1) Give you the right to consult regularly with your third party vendor;
(2) Specify what security precautions the vendor will take to protect customer information and include specific documentation that such steps are being taken;
(3) Clearly outline responsibilities in the event of a security breach;
(4) Contain strong damage clauses; and
(5) Enable you to quickly get out of a contract in the event of a breach.
Finally, at least one person at your credit union should understand what the vendor is doing well enough to ask the right questions when it comes to assessing whether or not a vendor is living up to its side of the bargain. There is much more that you should ask for, but these clauses enable you to monitor your vendors as opposed to simply passing off a key part of your credit union’s operations and hoping for the best.
I’m speculating a little at this point but I would expect that financial institutions will face state level mandates to have cyber-security policies and procedures in place. The State’s proposed regulations for the licensing of Bitcoin traders include a section 200.16 that mandates that licensees implement cyber security programs. Such programs must ensure the “availability and functionality” of the licensee’s electronic system and protect sensitive data stored on these systems from unauthorized access or tampering. Specific requirements include written policies and procedures to recover from a cyber-breach or breakdown and a description of how data is protected. Furthermore, each licensee must have a designated cyber security officer.
Henry, you say, this is all very interesting but my credit union has about as much interest in trading Bitcoins as the President does in the Republicans taking over the U.S. Senate. Ah, but here’s the catch. In a speech on October 14th, the Superintendent conceded to critics of the proposed Bitcoin regulation that the proposed cyber-security rules imposed stiffer requirements on licensees than are imposed on financial institutions. But, he said this “is primarily because we are actually considering using them as models for our regulated banks and insurance companies.” This is a not-too-subtle indication that a cyber-security mandate is coming sometime soon.
Incidentally, the impetus for today’s blog came from a friend as I was watching Real Madrid demolish Barcelona in soccer this past Saturday. Even if you don’t like this sport, you should all visit Wolff’s Biergarten in downtown Albany at least once during a major soccer event. Not only does the crowd make you feel like you are actually at the game, but if you are lucky enough to bump into me, you can actually talk cyber-security. Dare to dream, have a nice day.
Although the finalization of QRM regulations on Tuesday garnered all of the media attention, the week’s news that will have the biggest impact on your credit union is yesterday’s announcement by the Clearing House that it is committed to “a multi-year effort to build a real-time payment system to better meet consumers’ and businesses’ expectations in an increasingly digital economy.” The Clearing House is an association composed of the world’s largest banks; they own the world and process a good chunk of its payments. Considering the size and reach of these banks, whatever platform they develop will become the standard for all financial institutions.
Just how big a deal is this? For one thing, their commitment to modernization is spot-on. The payments system is woefully out of date. Its legal framework is derived from a time when there were no computers, let alone smartphones. As a result, the financial industry is still quibbling over midnight deadlines and signature recognition while Wall Street completes trades between anonymous counterparties in nanoseconds and college kids transfer funds between each other with the touch of a smartphone. The system is woefully antiquated and out of touch with consumer expectations.
The announcement also shows just how quickly banking is getting away from banks and, by extension, credit unions. According to this morning’s press reports (see the links at the bottom of the blog), just two years ago the Clearing House was instrumental in killing a proposal to develop a real-time payments system. In the last two years Apple, GoBank and Wal-Mart, just to name a few, have shown just how easy it is to empower the consumer to expect seamless real-time financial transactions. The same consumer that can wave a smartphone to buy lunch isn’t going to tolerate a system where money is “provisionally credited” to his or her account. And don’t overlook the bitcoin. It’s demonized as if it’s a technological Ebola virus but it demonstrates that it is possible to exchange a currency without the use of a bank or credit union.
Where does all this leave credit unions? I honestly don’t know but I wish the industry was giving more thought to what it expects out of the payment system of the future. A changing payments system will mean technology upgrades, new legal obligations and regulations. Credit unions are stakeholders in the system and it’s time for credit unions of all shapes and sizes to jointly develop industry-specific principles for what a new payments system will look like. Now is the time to think and think quickly.
Yesterday, the FDIC became the first agency to finalize qualified residential mortgage regulations mandated by Section 941 of the Dodd-Frank Act. To understand how big a deal this is, think of those ridiculous Hollywood disaster movies where Earth narrowly avoids a speeding meteor the size of the Empire State Building that will end life as we know it. Yesterday’s announcement will have no direct impact on credit unions. In fact, the NCUA is the only financial regulator not required to join in issuing QRM regulations because credit unions don’t issue asset-backed securities. Nevertheless, yesterday’s actions have important consequences for any institution providing mortgages.
Here is some background. The CFPB was responsible for regulations defining qualified mortgages (QM). These are the regulations that have already taken effect. This blog discusses Qualified Residential Mortgages (QRM).
One of the major causes of the mortgage meltdown was an explosion of mortgage-backed securities. Banks and mortgage companies lowered lending standards in part because of the insatiable appetite of Wall Street for mortgages. Investment banks would package mortgages into securities, which were sold with painful consequences for many investors including the failed Corporates. Critics of the system argued that securitizers, generally the investment banks that created these bonds, needed to have a financial stake in the bonds that they were selling.
Section 941 of the Dodd-Frank Act responded to this concern by establishing minimum risk retention requirements for issuers of mortgage-backed securities. Specifically, securitizers are required to retain at least 5% of any asset-backed security they issue. But an important exception was made. Joint regulations were to be issued by the federal banking agencies, HUD and the FHFA defining what constitutes a qualified residential mortgage within 270 days of Dodd-Frank’s enactment (so much for deadlines). The definition is crucial because the 5% risk retention requirement does not apply to mortgage-backed securities comprised of QRMs. Congress also mandated that the QRM definition could be no broader than the CFPB’s definition of a qualified mortgage (QM).
Here comes the speeding meteorite part of today’s blog. The regulators responded to their mandate by proposing that QRM mortgages be required to have a maximum loan-to-value ratio of 80%. Imagine a world in which only mortgage applicants with at least 20% to put down on a home could qualify for a mortgage. Level-headed people responded to this suggestion by proclaiming “the death of the American Dream.”
Yesterday’s actions officially put an end to this game of chicken with the trade-off that the CFPB is even more powerful than ever before. Why? At the end of the day, the regulators decided that a QRM is any mortgage that meets the Bureau’s definition of a qualified mortgage. This means that if you want the ability to sell your mortgages to a secondary market participant, your mortgages must meet either the CFPB’s qualified mortgage standards or be eligible for sale to the GSEs. Remember that you don’t have to underwrite to QM standards so long as you can document why a member has the ability to repay her mortgage loan and you are willing to retain the mortgage.
One editorial comment. The regulators did the right thing yesterday, but yesterday’s announcement is another example of how Dodd-Frank does precious little to address the underlying causes of the Great Recession. If you want to avoid reckless underwriting in the future, then by definition that means imposing more stringent underwriting standards.
When a President has to react to a serious problem but doesn’t know what more he can do to solve it, he appoints a “Czar” as in a “Drug Czar” or “Ebola Czar.” When a President has ideas about how to solve a problem but can’t get anyone to agree to his solution, he holds a summit.
The President is a smart guy who knows that cybersecurity is a major issue about which Congress has failed to act. Last year, 100 million consumers were victims of data breaches. So this past Friday, the President announced that he would be hosting a cybersecurity summit.
While the bully pulpit only goes so far, the actions announced by the President and major retailers on Friday underscore that, for card issuing credit unions, October 2015 looms as one of the biggest compliance deadlines. As you probably already know, October 2015 is when liability shifts for card issuers and merchants accepting Visa and MasterCard that don’t have chip-and-pin technology.
Starting in October of 2015 a merchant with a payment terminal that doesn’t use chip-and-pin technology will be liable for the costs of any unauthorized Point of Sale transactions involving a member with a chip-and-pin card. Conversely, if a card issuer can’t process EMV transactions, it is on the hook for the liability. The shift was first unveiled in 2012 to give everyone more than adequate time to adopt the new technology but, until recently, I was skeptical of just how important the deadline would be. Making the shift costs money. Issuing chip embedded plastic isn’t cheap compared to the erstwhile magnetic strip and retrofitting payment terminals isn’t cheap for merchants.
But the days of mutually assured indifference are over. Speaking before employees at the CFPB on Friday, the President unveiled an Executive Order mandating that credit cards and credit-card readers issued by the United States government come equipped with chip-and-pin technology starting next year. The President also announced that he was ordering federal law enforcement to share more information with the private sector when they discover identity theft rings.
Finally, the President announced that “a group of retailers that include some of our largest — Home Depot, Target, Walgreens, Walmart — and representing more than 15,000 stores across the country, all of them are pledging to adopt chip-and-pin technology by the beginning of next year.”
Now, I have said it before and I will say it again. Industry-wide adoption of chip-and-pin is no panacea. The technology is already old and does nothing to prevent online fraud. But the events of Friday underscore that it is time to get moving on adopting this technology if you haven’t done so already.
Here are some links for additional information:
Is the Bankruptcy Code to blame for difficulties students experience modifying their private student loan obligations? That is the implicit question posed by the CFPB in its annual report analyzing the student loan industry. According to the report, which summarizes data from complaints received by the CFPB over the previous year, students seeking repayment options for private student loans are facing many of the same obstacles homeowners face after falling behind on their mortgages.
According to the report, since the Bureau began accepting private student loan complaints in 2012, the most common complaint comes from borrowers seeking to avoid default when they face financial hardship. According to the Bureau, its findings suggest that lenders and servicers “have yet to address the need for loan workout in a fulsome manner.”
What would the CFPB do? In 2005, one of the changes made to the bankruptcy code was to make private student loans non-dischargeable in bankruptcy. At the time of this change, similar protections had already been granted to federally subsidized student loans. The CFPB is recommending that Congress revisit the PSL exemption “to determine whether the special bankruptcy protection afforded to lenders should be limited to those who offer certain loan modification options.” Remember, the CFPB has already put in place a regulatory framework mandating that lenders work in good faith with homeowners who are struggling to make their mortgage payments.
The nation’s rising level of student loan debt is a serious and growing problem. As I’ve pointed out in a previous blog, there is even growing evidence that student debt is holding back the housing recovery by making it more difficult for people to afford their first house. What concerns me about the CFPB’s recommendation is that it adds fodder to an increasingly ideological and divisive debate about the root causes of student debt.
Let’s look at issues surrounding education finance. But let’s not analyze the issue in isolation. College tuition has skyrocketed and shows no signs of letting up. Looking at the amount of debt being amassed in this country to get an education and focusing exclusively on lenders is tantamount to blaming the woes of the NY Jets on their quarterback, Geno Smith: it might be comforting, but there are some issues for which there are no easy solutions.
Well I’m off to enjoy my morning yogurt. It’s going to taste extra good now that Governor Cuomo has signed legislation naming it the official state snack.
When I saw that the CFPB was holding a conference on the use of account screening companies by credit unions and banks, I thought I had a slam-dunk for today’s blog. First, I could provide you with news you needed to know to start your day and second, I had a strong opinion as to whether or not the CFPB was engaging in appropriate use of its time, energy and resources. The news is still important, but the issues CFPB raised aren’t as clear-cut as I first thought.
First, the part you need to know. The CFPB is zeroing in on the use by banks and credit unions of what it describes as specialty consumer reporting agencies to determine whether or not to open a checking account or provide membership. As many credit unions know, these companies provide information on a consumer’s check writing and account history. According to Director Cordray:
First, we are concerned about the information accuracy of these reports. Second, we are concerned about people’s ability to access these reports and dispute any incorrect information they may find. Third, we are concerned about the ways in which these reports are being used.
The way the CFPB works, you can assume that regulations and/or legal actions will be forthcoming, imposing greater consumer access to these reports and scrutinizing the accuracy of the information provided by these companies.
Here’s why I originally thought the opinion part of this blog was going to be a slam dunk. The CFPB is coming dangerously close to crossing the line between deterring illegal and/or deceptive practices that harm consumers and instead substituting its judgment for that of banks and credit unions. Banks are in business to make money and there is nothing wrong with that. Credit unions are not-for-profit institutions operating in a free market system. They have an obligation to maintain and grow assets if they are going to be around to meet member needs. Contrary to popular belief, accounts cost institutions money. This is why legislators should consider secondary capital reform and why regulators need to be careful with risk-based capital regulations, but those are blogs for other days. In an era when fees are being restricted, a strong argument can be made that it is prudent business practice for financial institutions to figure out if someone can handle an account responsibly before extending the opportunity.
But here is why I am so conflicted about today’s blog. Most importantly, credit unions have a unique ethical and legal obligation to extend banking services to employees and community members looking for access to financial services. The industry must never lose sight of the fact that its creation on the federal level was a direct reflection of the fact that Depression-ravaged consumers, first- and second-generation immigrants and Dust-Belt migrants from rural communities were being intentionally excluded from the financial system. We aren’t in a Great Depression today, but as the CFPB press release noted, there are 10 million people without access to a banking account (this is probably a very conservative estimate).
In addition, whenever I try to distinguish a community credit union from its banking counterpart down the street, to me, the difference comes down to the extent to which the credit union and its employees are willing to give people a second chance and more affordable products that they may not get at other financial institutions. This does not mean that someone should automatically be given access to loans simply because they have joined a credit union. In addition, credit unions have the authority, and they should use it, to restrict the privileges of a member who has caused them a loss. In the end, all members are entitled to is a share and a vote. But, if the Director is correct, and a substantial number of credit unions are effectively pre-screening individuals for membership, what they are doing runs counter to the very purpose that the credit union charter was created for in the first place.
How can these two conflicted views be reconciled? First, the CFPB prides itself on being a data-driven organization. Let’s find out how widespread the use of these account screening services is and, more importantly, how large a role they are playing in keeping people unbanked. My guess is that these services play a minuscule role in keeping people from opening bank accounts or becoming credit union members. Second, those credit unions that see the need for these services should establish criteria through which they weed out only those individuals who have a history of chronically abusing membership services. I don’t know where exactly this line would be drawn, but common sense tells you there is a distinction between the individual who bounced checks prior to declaring bankruptcy three years ago and the individual who has opened two previous accounts with other credit unions only to close them down after causing those institutions losses that had to be borne by the membership.
On that conflicted note, I am going to be taking a long weekend, so I will see you back in the blogosphere on Tuesday. Remember, the views I express are mine alone.
Today’s blog provides a good example of how well-intentioned people can end up doing more harm than good. The Department of Defense recently proposed expanding the coverage of consumer protection laws that currently apply to pay-day loans, refund anticipation loans and vehicle title loans to most consumer loans covered by the Truth in Lending Act. It would not apply to loans to purchase a vehicle or a home. If the DOD isn’t careful, it will dry up the swamp of creditors who prey on our service members, which of course is a good thing, but do so in a way that will make it more difficult for members of the armed forces to get access to consumer credit, especially from credit unions. Here’s why.
Back in 2007, responding to widespread reports of predatory lending activities targeting the military, Congress passed the Military Lending Act. The Act empowered the Department of Defense to define and regulate consumer credit products provided to active duty members of the armed forces and their dependents. It gave the military wide discretion in determining what products would be subject to the enhanced regulatory restrictions. Under the regulations promulgated by the DOD, a 36% interest rate cap was placed on refund anticipation loans, pay-day loans, and vehicle title loans. In addition, the cap is calculated based on the Military Annual Percentage Rate (MAPR), which is succinctly summarized by the CFPB to include interest, fees, credit service charges, credit renewal charges, credit insurance premiums and other fees related to credit products sold in connection with the loan. Creditors selling these loans have to provide enhanced disclosures, as well as take affirmative steps to identify eligible consumers.
At the time the legislation was enacted, credit unions and other financial institutions were concerned that if regulations were written too broadly, they would require the widespread adoption of two types of consumer loan products: one for the military and one for civilians. However, the final regulations were narrow enough in scope so that they didn’t impact the vast majority of credit unions, most of which would have no desire to offer these types of products in the first place, even if located in states where they were permitted to do so.
The statute as it has been implemented by the DOD made sense, at least until last Friday. The DOD is proposing regulations that would expand the definition of products covered under the statute to include credit cards and other consumer loans covered under the Truth in Lending Act. As a result, credit cards offered to members of the military and their dependents would be subject to a 36% cap calculated by a refined MAPR. To be fair, the military recognizes that a poorly drafted regulation runs the risk of denying mainstream credit to members of the armed forces, so it is refining the MAPR to, for example, exclude customary and reasonable fees. But the calculation of an MAPR would still differ for members of the military and civilians. Furthermore, by expanding the reach of the MLA to most consumer loans except home mortgages and car loans, the military will make it more difficult for credit unions to provide legitimate loans to service members.
In fact, the proposal is such a bad idea that NCUA took the highly unusual step of issuing a statement critical of the proposal the same day it was announced. It pointed out that NCUA’s pay-day lending alternative was designed specifically to fit within the Department’s existing regulations.
Current NCUA regulations allow federal credit unions to offer payday alternative loans with an interest rate of up to 28 percent and an application fee of up to $20. Under the Military Lending Act regulations, consumer credit to covered borrowers is subject to a 36 percent cap on the military annual percentage rate, or military APR, which includes application fees. If these regulations are revised to cover payday alternative loans, the rate and fee for many payday alternative loans would be higher than the military APR cap.
Conversely, our good friends at the bureau that never sleeps, the CFPB, think the Department’s proposal is a swell idea. Proponents of the DOD’s approach point out that it is extremely easy to avoid compliance with the MLA. For example, a loan with a 91-day repayment period isn’t classified as a pay-day loan under the regulations, but a 90-day loan could be. They argue that by expanding the size of the jurisdictional net, it will be easier to catch those creditors who prey on members of our armed forces. The problem with larger fishing nets, of course, is that they scoop up everything in their wake, including fish that no one wants to catch in the first place.
Perhaps DOD should consider expanding the definition of the existing products covered under the MLA rather than grabbing everything into its jurisdiction. Another alternative, which it notes in the preamble that it is open to considering, is to exempt certain types of institutions from coverage of the expanded regulations. Considering that federal credit unions are already subject to an interest rate cap on loans and that the vast majority of credit unions are places that members of the military looking for a fair deal should be encouraged to patronize, an exemption makes sense to me.