Posts filed under ‘Regulatory’
The CFPB continued its incredibly frenzied pace yesterday. In the same day, it proposed federal regulations on prepaid cards and fined Franklin Loan Corporation, a California-based mortgage banker, for illegally compensating its loan originators. In the pre-Dodd-Frank days, either one of these would have been among the biggest news of the year for one of our federal regulators. But for our good friends at the Bureau that Never Sleeps, it’s all in a day’s work.
First, let’s talk about the illegal compensation settlement. In 2010, the Federal Reserve Board imposed restrictions on the way loan originators could be compensated. Specifically, the Federal Reserve Board promulgated regulations prohibiting compensating originators based on a term or condition of a mortgage loan. The CFPB is now responsible for enforcing this provision and, to avoid making this discussion any more complicated than it has to be, my references are to the re-codified regulation. Before the Board’s prohibition, Franklin had a straightforward compensation system in which originators would get a percentage of each mortgage loan they closed. The compensation would be based on the total cost of the loan, which included an originating fee, discount points and the retained cash rebate associated with the loan. As a result, loans with higher interest rates generated higher commissions. After the Board passed its prohibition in 2010, Franklin instituted a new system. All loan officers were given an upfront commission for each loan they closed. However, on a quarterly basis, they would receive the difference, if any, between the adjusted total commission, which was based in part on the interest rate of the mortgage, and the upfront commission. In other words, the higher the interest rate, the more a Franklin originator would be compensated.
The originator clearly crossed the line with its compensation structure. But remember, the regulation isn’t as clear cut as it first appears. Take a look at the official staff commentary accompanying 12 CFR 1026.36(d)(1)(I):
- Permissible methods of compensation. Compensation based on the following factors is not compensation based on a term of a transaction or a proxy for a term of a transaction:
- The loan originator’s overall dollar volume (i.e., total dollar amount of credit extended or total number of transactions originated), delivered to the creditor. See comment 36(d)(1)–9 discussing variations of compensation based on the amount of credit extended.
- The long-term performance of the originator’s loans.
- An hourly rate of pay to compensate the originator for the actual number of hours worked.
- Whether the consumer is an existing customer of the creditor or a new customer,
Whether or not the way you compensate your originators is acceptable is a fact-specific analysis. The bottom line is this: in trying to comply with this prohibition it is best to keep in mind what the CFPB is seeking to prevent. It doesn’t want to create an incentive for originators to provide mortgages with higher interest rates and transaction costs than a member needs to pay in order to get an appropriate mortgage.
As for the CFPB’s proposed regulation of prepaid cards, in concept anyway, this is a proposal that is long overdue. More than a decade ago, legislation was introduced in the NYS Assembly that placed restrictions on prepaid cards, which were increasingly being used by employers. At the time, one of the primary arguments against the proposal was that regulation of prepaid cards should be done on the federal and not the state level. Prepaid cards are increasingly being used as de facto bank accounts, particularly for the poor and young. It makes sense both from a competition standpoint and from a consumer protection standpoint that consumers that choose to use these cards get basic protections. I will undoubtedly have more to say about this regulation as I read through its specific provisions. I know you can’t wait.
In the meantime, have a great weekend.
Last Friday, the Supreme Court granted an appeal in the case of King v. Burwell. This move has gotten a lot of attention because if the Court rules against the Administration, Obamacare is gutted. Let’s face it, healthcare has joined politics and religion as a subject you don’t discuss at dinner parties – unless, of course, you’re really bored and want to liven things up a bit. So maybe it’s not surprising that lost in all the media coverage is the fact that whether you support or oppose Obamacare, the case is directly relevant to any institution subject to federal regulation.
The case will give the Court the opportunity to delineate precisely how much flexibility agencies have when making regulations intended to implement federal legislation. I know that doesn’t sound quite as interesting as saying the case could gut Obamacare, but it means that this case is much more likely to impact the regulatory environment in which credit unions operate than the first challenge to Obamacare upheld in 2012. The GAO estimates that the federal government promulgates between 2,500 and 4,500 regulations on an annual basis. Any time the Supreme Court weighs in on how much power agencies have to promulgate these rules, it’s worth paying attention to.
A core component of the Affordable Care Act (ACA) is the establishment of exchanges through which individuals can purchase health insurance. Section 1311 provides that “each state shall, not later than January 1, 2014, establish an American Health Benefit Exchange.” However, a subsequent section provides that if a state chooses not to establish an exchange, the Secretary of Health and Human Services is required to establish an exchange within that state. Only 16 states, including New York, and the District of Columbia established health care exchanges.
Crucially, tax credits are provided for millions of individuals to help offset the cost of health insurance purchased through the exchanges. Specifically, the Act provided that such subsidies are available to a taxpayer enrolled in a health plan “through an exchange established by the State.” The IRS was given responsibility for implementing this provision. It decided that the statute was designed to make health care subsidies available to all eligible individuals who purchased health insurance through an exchange regardless of whether that exchange was run by the federal or state government. The issue in this case is how much flexibility the IRS had to interpret the pertinent language as applying to both federal and state exchanges.
This is the part of the debate relevant to credit unions. As we are all too aware, Congress routinely passes huge statutes with vague language. How much flexibility agencies have in interpreting these provisions is governed by a well-established judicial framework. Where a statute is clear, agencies are responsible for implementing its plain meaning. However, where a statute is susceptible to more than one interpretation, courts defer to the agency’s interpretation so long as it is reasonable. This is the reason, for example, why the Court of Appeals for the District of Columbia Circuit ruled that the Federal Reserve acted within its power when it determined the criteria to be used when establishing the debit interchange cap. Critics of so-called Chevron deference argue that this approach gives agencies too much flexibility. This case gives the Court’s conservative wing a high profile case in which to criticize or limit an agency’s discretion in writing statutes.
Why does all this matter? Because every day credit unions and their associations lobby Congress and make good faith efforts to comply with regulations spawned by Congressional enactments. The less flexibility regulators have, the more important the legislative process becomes. Conversely, the more flexibility agencies have then the more the legislation passed by Congress is simply the first stage of an increasingly convoluted law making process.
Speaking of court cases, the NCUA has filed another lawsuit seeking to recoup losses to the Share Insurance Fund stemming from the purchase of mortgage-backed securities. This lawsuit is against Deutsche Bank National Trust Company. It alleges that the company failed to properly exercise oversight over the purchase of mortgage-backed securities purchased by U.S. Central, WesCorp, Members United, Southwest and Constitution between 2004 and 2007.
A day after the CU Times reported that NACUSO issued a call-to-arms urging credit unions to help fund regulatory and potential legal actions designed to protect CUSOs against regulatory encroachments by the NCUA, it is being reported that Home Depot’s data theft was much more serious than initially reported. Not only were a mere 56 million credit card accounts compromised, but 53 million email addresses were also stolen. It now appears that access to the system came from a password stolen from one of the company’s vendors. Just how many issues does this raise? Let me count them.
- Look to your left, look to your right. Then look down the hallway. Think about the most technologically incompetent person you have working for your credit union. Realize that your data security is only as safe as that employee can make it. Data security starts with your employees. Only give access to databases to those who truly need it. The hackers are so sophisticated now that once they have access to a password, they can virtually sneak around your system and find more and more vulnerabilities.
- I’ve said it once and I’ll say it again, and I expect NCUA will be saying it to you shortly: your vendor contracts are absolutely crucial. Given the explosion of technology, it is only natural that credit unions are going to turn to vendors. If they don’t, they won’t be able to provide the type of services that members expect. But turning to the vendor doesn’t absolve the credit union of ultimate responsibility for the services the vendor is providing or the continuing need to protect member information. Consequently, just like Warren Buffett never invests in a business he doesn’t understand, your credit union should never contract for technology it doesn’t comprehend. Your vendor relationships must include ongoing monitoring by knowledgeable employees on your staff. You should make sure that your vendors document on an ongoing basis that they are compliant with the latest data security standards.
- CUSOs provide a crucial mechanism for credit unions to pool resources. Given the importance of vendor management, is it really that unreasonable for NCUA to seek a more holistic view of the CUSO industry? Personally, I don’t think so. The problem is that NCUA has sought to exercise powers it doesn’t yet have. Mandating that credit unions force their CUSOs to agree to NCUA audits is a blatant attempt to bootstrap its jurisdiction. But at the end of the day, it makes sense for NCUA to have a clear picture of what a CUSO is doing. Not only are these organizations providing services for credit unions, but their financial success or failure directly impacts credit unions’ bottom line. The middle ground is for everyone to be a lot less dogmatic and a lot more pragmatic. NCUA should seek specific legislative authority to regulate CUSOs. But it should only exercise enhanced oversight over those CUSOs that represent a truly systemic risk to the industry. This means that NCUA should base its enhanced auditing not on the type of services the CUSO provides, but on how many credit unions use its services. In addition, NCUA should reduce its proposed risk rating for CUSOs. Credit unions should be encouraged to use CUSOs as opposed to third-party vendors with no connection to the industry.
The state’s financial regulator has signaled two areas that will be getting special scrutiny to prevent cyber breaches like the one that compromised information involving 76 million JP Morgan Chase customers. One step is to scrutinize third party vendor relationships. The other may be mandated cyber-security programs for financial institutions.
Reuters reports that last Tuesday, DFS Superintendent Ben Lawsky sent a letter to “many banks” expressing concern about the “level of insight financial institutions have into the sufficiency of cyber-security controls of their third-party service providers.” He wants the banks to disclose any policies and procedures they have related to their third party relationships and “to outline all methods of protection used to safeguard sensitive data that is sent to, received from, or accessible to vendors.”
You should not be all that concerned about this potential mandate if you have paid attention to NCUA’s Due Diligence Guidance. To its credit, vendor management has been a key concern of NCUA for years now.
In addition to reviewing NCUA’s guidance, for my money, vendor management comes down to contract management. Your contract should:
(1) Give you the right to consult regularly with your third party vendor;
(2) Specify what security precautions the vendor will take to protect customer information and include specific documentation that such steps are being taken;
(3) Clearly outline responsibilities in the event of a security breach;
(4) Contain strong damage clauses; and
(5) Enable you to quickly get out of a contract in the event of a breach.
Finally, at least one person at your credit union should understand what the vendor is doing well enough to ask the right questions when it comes to assessing whether or not a vendor is living up to its side of the bargain. There is much more that you should ask for, but these clauses enable you to monitor your vendors as opposed to simply passing off a key part of your credit union’s operations and hoping for the best.
I’m speculating a little at this point, but I would expect that financial institutions will face state level mandates to have cyber-security policies and procedures in place. The State’s proposed regulations for the licensing of Bitcoin traders include a section 200.16 that mandates that licensees implement cyber security programs. Such programs must ensure the “availability and functionality” of the licensee’s electronic system and protect sensitive data stored on these systems from unauthorized access or tampering. Specific requirements include written policies and procedures to recover from a cyber-breach or breakdown and a description of how data is protected. Furthermore, each licensee must have a designated cyber security officer.
Henry, you say, this is all very interesting but my credit union has about as much interest in trading Bitcoins as the President does in the Republicans taking over the U.S. Senate. Ah, but here’s the catch. In a speech on October 14th, the Superintendent conceded to critics of the proposed Bitcoin regulation that the proposed cyber-security rules imposed stiffer requirements on licensees than are imposed on financial institutions. But, he said this “is primarily because we are actually considering using them as models for our regulated banks and insurance companies.” This is a not-too-subtle indication that a cyber-security mandate is coming sometime soon.
Incidentally, the impetus for today’s blog came from a friend as I was watching Real Madrid demolish Barcelona in soccer this past Saturday. Even if you don’t like this sport, you should all visit Wolff’s Biergarten in downtown Albany at least once during a major soccer event. Not only does the crowd make you feel like you are actually at the game, but if you are lucky enough to bump into me, you can actually talk cyber-security. Dare to dream, have a nice day.
Although the finalization of QRM regulations on Tuesday garnered all of the media attention, the week’s news that will have the biggest impact on your credit union is yesterday’s announcement by the Clearing House that it is committed to “a multi-year effort to build a real-time payment system to better meet consumers’ and businesses’ expectations in an increasingly digital economy.” The Clearing House is an association composed of the world’s largest banks; they own the world and process a good chunk of its payments. Considering the size and reach of these banks, whatever platform they develop will become the standard for all financial institutions.
Just how big a deal is this? For one thing, their commitment to modernization is spot-on. The payments system is woefully out of date. Its legal framework is derived from a time when there were no computers, let alone smartphones. As a result, the financial industry is still quibbling over midnight deadlines and signature recognition while Wall Street completes trades between anonymous counterparties in nanoseconds and college kids transfer funds between each other with the touch of a smartphone. The system is woefully antiquated and out of touch with consumer expectations.
The announcement also shows just how quickly banking is getting away from banks and, by extension, credit unions. According to this morning’s press reports (see the links at the bottom of the blog), just two years ago the Clearing House was instrumental in killing a proposal to develop a real-time payments system. In the last two years Apple, GoBank and Wal-Mart, just to name a few, have shown just how easy it is to empower the consumer to expect seamless real-time financial transactions. The same consumer that can wave a smartphone to buy lunch isn’t going to tolerate a system where money is “provisionally credited” to his or her account. And don’t overlook the bitcoin. It’s demonized as if it’s a technological Ebola virus, but it demonstrates that it is possible to exchange a currency without the use of a bank or credit union.
Where does all this leave credit unions? I honestly don’t know, but I wish the industry was giving more thought to what it expects out of the payment system of the future. A changing payments system will mean technology upgrades, new legal obligations and regulations. Credit unions are stakeholders in the system and it’s time for credit unions of all shapes and sizes to jointly develop industry-specific principles for what a new payments system will look like. Now is the time to think and think quickly.
Yesterday, the FDIC became the first agency to finalize qualified residential mortgage regulations mandated by Section 941 of the Dodd-Frank Act. To understand how big a deal this is, think of those ridiculous Hollywood disaster movies where Earth narrowly avoids a speeding meteor the size of the Empire State Building that will end life as we know it. Yesterday’s announcement will have no direct impact on credit unions. In fact, the NCUA is the only financial regulator not required to join in issuing QRM regulations because credit unions don’t issue asset-backed securities. Nevertheless, yesterday’s actions have important consequences for any institution providing mortgages.
Here is some background. The CFPB was responsible for regulations defining qualified mortgages (QM). These are the regulations that have already taken effect. This blog discusses Qualified Residential Mortgages (QRM).
One of the major causes of the mortgage meltdown was an explosion of mortgage-backed securities. Banks and mortgage companies lowered lending standards in part because of the insatiable appetite of Wall Street for mortgages. Investment banks would package mortgages into securities, which were sold with painful consequences for many investors including the failed Corporates. Critics of the system argued that securitizers, generally the investment banks that created these bonds, needed to have a financial stake in the bonds that they were selling.
Section 941 of the Dodd-Frank Act responded to this concern by establishing minimum risk retention requirements for issuers of mortgage-backed securities. Specifically, securitizers are required to retain at least 5% of any asset-backed security they issue. But an important exception was made. Joint regulations were to be issued by the federal banking agencies, HUD and the FHFA defining what constitutes a qualified residential mortgage within 270 days of Dodd-Frank’s enactment (so much for deadlines). The definition is crucial because the 5% risk retention requirement does not apply to mortgage-backed securities comprised of QRMs. Congress also mandated that the QRM definition could be no broader than the CFPB’s definition of a qualified mortgage (QM).
Here comes the speeding meteorite part of today’s blog. The regulators responded to their mandate by proposing that QRM mortgages be required to have a maximum loan-to-value ratio of 80%. Imagine a world in which only mortgage applicants with at least 20% to put down on a home could qualify for a mortgage. Level-headed people responded to this suggestion by proclaiming “the death of the American Dream.”
Yesterday’s actions officially put an end to this game of chicken with the trade-off that the CFPB is even more powerful than ever before. Why? At the end of the day, the regulators decided that a QRM is any mortgage that meets the Bureau’s definition of a qualified mortgage. This means that if you want the ability to sell your mortgages to a secondary market participant, your mortgages must meet either the CFPB’s qualified mortgage standards or be eligible for sale to the GSEs. Remember that you don’t have to underwrite to QM standards so long as you can document why a member has the ability to repay her mortgage loan and you are willing to retain the mortgage.
One editorial comment. The regulators did the right thing yesterday, but yesterday’s announcement is another example of how Dodd-Frank does precious little to address the underlying causes of the Great Recession. If you want to avoid reckless underwriting in the future, then by definition that means imposing more stringent underwriting standards.
When a President has to react to a serious problem but doesn’t know what more he can do to solve it, he appoints a “Czar,” as in a “Drug Czar” or “Ebola Czar.” When a President has ideas about how to solve a problem but can’t get anyone to agree to his solution, he holds a summit.
The President is a smart guy who knows that cybersecurity is a major issue about which Congress has failed to act. Last year, 100 million consumers were victims of data breaches. So this past Friday, the President announced that he would be hosting a cybersecurity summit.
While the bully pulpit only goes so far, the actions announced by the President and major retailers on Friday underscore that, for card issuing credit unions, October 2015 looms as one of the biggest compliance deadlines. As you probably already know, October 2015 is when liability shifts for card issuers and merchants accepting Visa and MasterCard that don’t have chip-and-pin technology.
Starting in October of 2015 a merchant with a payment terminal that doesn’t use chip-and-pin technology will be liable for the costs of any unauthorized Point of Sale transactions involving a member with a chip-and-pin card. Conversely, if a card issuer can’t process EMV transactions, it is on the hook for the liability. The shift was first unveiled in 2012 to give everyone more than adequate time to adopt the new technology but, until recently, I was skeptical of just how important the deadline would be. Making the shift costs money. Issuing chip embedded plastic isn’t cheap compared to the erstwhile magnetic strip and retrofitting payment terminals isn’t cheap for merchants.
But the days of mutually assured indifference are over. Speaking before employees at the CFPB on Friday, the President unveiled an Executive Order mandating that credit cards and credit-card readers issued by the United States government come equipped with chip-and-pin technology starting next year. The President also announced that he was ordering federal law enforcement to share more information with the private sector when they discover identity theft rings.
Finally, the President announced that “a group of retailers that include some of our largest — Home Depot, Target, Walgreens, Walmart — and representing more than 15,000 stores across the country, all of them are pledging to adopt chip-and-pin technology by the beginning of next year.”
Now, I have said it before and I will say it again. Industry-wide adoption of chip-and-pin is no panacea. The technology is already old and does nothing to prevent online fraud. But the events of Friday underscore that it is time to get moving on adopting this technology if you haven’t done so already.
Here are some links for additional information: