Keeping in mind that you have an obligation to monitor potential red flags of identity theft and mitigate evolving risks, here is some news worth reaching out to your IT vendor about. The NY Times reported earlier this week that “A Russian crime ring has amassed the largest known collection of stolen Internet credentials, including 1.2 billion user name and password combinations and more than 500 million email addresses. . .” What’s more, according to the security firm that uncovered the scheme, since the goal of the hackers was to steal password credentials as opposed to stealing from the compromised companies, the hackers were targeting businesses of all shapes and sizes. Given the scope of the operation, you can bet a credit union or two or three is among the institutions that are being informed their websites have been compromised. As usual, an excellent source of additional information is this post from Krebs on Security.
First, on a purely practical note, this news showed me why it’s so dumb to use the same password for everything. The only reason this treasure trove of lifted passwords is valuable is because they can be used to access multiple online accounts and services.
The more I think about this news the angrier I am at our government. It may be ideologically edifying for some of our elected representatives to stand in the way of any government action, but there are some things that only the government can do. Cybersecurity should be a top national priority right now. In fact, Preet Bharara has correctly argued that cyber-attacks are this century’s Pearl Harbor. But our government is unable and/or unwilling to pass meaningful legislation and make the investment necessary to have a truly robust defense against cyber-attacks.
What we are left with is a bunch of well-meaning but ultimately impotent attempts by regulators to do their part to help protect consumers. For example, earlier this year the FFIEC highlighted the need for smaller institutions to guard against cyber-attacks. As part of this effort, it’s conducting pilot cyber assessments and has held a webinar geared towards community banks and credit unions. I just reviewed the slides and they have some good advice, such as suggesting depository institutions ask themselves:
How is my organization identifying and monitoring cyber-threats and attacks both to my institution and to the sector as a whole? How is this information used to inform my risk assessment process?
Such well-meaning advice is tantamount to reminding kids not to play with guns in the middle of a war zone. Without a concerted national commitment, all but the largest businesses in America will find it increasingly impossible to offer cost-effective cyber services. You are all being subjected to a virtual shakedown and the only institution with the resources to effectively do anything about it is the federal government. Unfortunately, this is the same government that can’t pass meaningful cyber reforms such as imposing risk assessment obligations on merchants.
In the meantime, the nation is furious that the Government isn’t doing more to stop kids who are rushing to the nation’s borders for a better life. Why isn’t it furious that foreign criminals are making billions by ripping off businesses and consumers?
On that note, have a nice day.
Just how big a deal is the announcement late yesterday afternoon that the Federal Reserve Board and the FDIC have rejected the so-called “living wills” drawn up by the nation’s 11 largest financial institutions as inadequate to ensure that they can be liquidated in a cost effective manner? Depending on what happens next it could be like Vladimir Putin saying “I’m sorry” to the Ukrainians and giving them back Crimea, Tiger Woods suddenly getting healthy and winning the next five majors, or Congress actually passing meaningful legislation.
Dodd-Frank required systemically important banks to submit bankruptcy plans that explain to the Federal Reserve and the FDIC how their liquidation can be executed in bankruptcy court in the event they fail. Previous submissions have been accepted by regulators without amendment. But, yesterday, the Fed and FDIC told the 11 largest banks, each with more than $250 billion in assets, to go back to the drawing board and credibly demonstrate how they can fail without putting the American taxpayer on the hook.
The ostensible Dodd-Frank logic is that these plans will prevent the American public from extending an implicit guarantee to the behemoths that they are too big to fail. The statute provides that, in the event these plans are deficient, regulators can order these institutions to sell some of their assets and adhere to higher capital standards. But, as this recent exchange between Fed Chairman Yellen and Massachusetts Senator Warren demonstrates, it didn’t seem that regulators were taking these living wills seriously. Now they are, or at least pretending like they are. The real test will be when the adjusted plans are resubmitted. If they don’t include asset divestitures then they aren’t serious proposals. But, the banks involved may be willing to gamble that, despite yesterday’s announcement, regulators will never force them to restructure their monstrosities. Time will tell.
Why does it matter? Because if credit unions have to comply with Dodd-Frank it isn’t asking too much for a financial system to be put in place that prevents the banking system from getting sucked down another sinkhole anytime soon and taking credit unions down with it.
The eight largest banks hold assets equal to 65% of the nation’s GDP. In addition, these banks are given a competitive advantage by virtue of the fact that the Government has to bail them out, or so it believes. As I said before – and I know this is hardly an original thought – Dodd-Frank does too little to rein in the biggest banks. After all, next week’s crisis may not be triggered by mortgages but as long as a handful of institutions are allowed to suck up a disproportionate amount of the nation’s economy something bad is bound to happen, right? Maybe, just maybe, the Fed will prove me wrong.
What is so fascinating about the Fed’s announcement is that it is ordering the behemoths not to simply write up better contingency plans, but to restructure their operations to accommodate a liquidation. In its own words, by July 2015 they all must:
- Establish a rational and less complex legal structure that would take into account the best alignment of legal entities and business lines to improve the firm’s resolvability;
- Develop a holding company structure that supports resolvability;
- Amend, on an industry-wide and firm-specific basis, financial contracts to provide for a stay of certain early termination rights of external counterparties triggered by insolvency proceedings;
- Ensure the continuity of shared services that support critical operations and core business lines throughout the resolution process; and
- Demonstrate operational capabilities for resolution preparedness, such as the ability to produce reliable information in a timely manner.
In addition, look at the language used by the members of the FDIC, and it’s clear that there are regulators annoyed that too little has been done to prevent another disaster. For instance, in supporting yesterday’s decision FDIC board member Jeremiah O. Norton argued that “achieving a credible and workable framework for resolving large and complex financial institutions would be the pinnacle accomplishment in the wake of the 2008 financial crisis.”
And Vice Chairman Thomas M. Hoenig, who has long been a vocal critic of too big to fail banks, pointed out that the economy today is more, not less dependent on these institutions which are still highly leveraged and noted:
“Some parties nurture the view that bankruptcy for the largest firms is impractical because current bankruptcy laws won’t work given the issues just noted. This view contends that rather than require that these most complicated firms make themselves bankruptcy compliant, the Government should rely on other means to resolve systemically important firms that fail. This view serves us poorly by delaying changes needed to assert market discipline and reduce systemic risk, and it undermines bankruptcy as a viable option for resolving these firms. These alternative approaches only perpetuate ‘too big to fail.’”
Maybe real banking reform isn’t just a blogger’s pipe dream after all.
I want to thank the American Bankers Association for letting me be an honorary member for this post today. As I looked around for stuff to write about what struck me as most interesting and informative came from the banker’s side of the aisle.
That was the question the Federal Reserve tried to answer in its most recent Survey of Senior Loan Officers and the results provide support for both opponents and proponents of the mortgage lending rule changes. (Incidentally, I would love to report on the same type of survey results for credit unions; our industry should take this on.)
Most importantly, while banks are certainly loosening the spigot on mortgage lending, if you don’t qualify for a conforming loan you aren’t going to find it anywhere near as easy to qualify for a mortgage as you did before the meltdown. As summarized by the Federal Reserve: “[t]he majority of banks reported that the new rule has had no effect on the approval rate of prime conforming mortgages, in part because those loans qualify for a safe harbor under the exemption for loans that meet the underwriting criteria of the government-sponsored housing enterprises (GSEs). In contrast, about half of the respondents indicated that the ATR/QM rule has reduced approval rates on applications for prime jumbo home-purchase loans and nontraditional mortgages.”
Dodd-Frank is having a pronounced impact with 47.8% of respondents indicating that they would be approving more prime mortgages but for the QM rules. Interestingly, that is almost the same response the banks gave when asked about nontraditional mortgages.
The parts of the survey that concern me most are those indicating that smaller banks are pulling the reins in tighter than larger ones. For instance, 33% of larger banks are making fewer nontraditional loans while 61% of all other banks are tightening standards.
Bottom-line: the stated goal of Dodd-Frank was to cut back on reckless underwriting. So far, so good. The hope of the CFPB was that it could accomplish this goal with minimal impact to smaller credit unions and community banks. This may ultimately prove to be an impossible challenge. After all, larger banks are better able to absorb real estate losses and legal costs than smaller depository institutions ever will be.
Since I’m channeling my inner-banker today let me compliment the American Bankers Association on a recent letter to the Bureau requesting clarification on notice requirements for delinquent real estate loans, as well as other areas where guidance would be helpful. You now must wait 120 days before commencing a foreclosure action. The ABA asks how this requirement applies to “rolling delinquencies” where a member pays off some but not all of the debt over the 120 day period. As the ABA explains “[e]ven though the borrower may resume making scheduled monthly payments, s/he never becomes fully current on the loan and is unresponsive to loss mitigation outreach efforts. The CFPB’s servicing regulations do not specify how a servicer is to calculate delinquency for purposes of the 120-Day Rule.”
If you are thinking of selling your debt to third-party debt collectors then you might want to take a look at this Guidance warning depositors to be mindful of the operational and reputational risks that come with such sales. Now I’m talking specifically about companies that buy your debt and then pursue payment, not the run-of-the-mill third-party collector that all creditors have to turn to occasionally.
Third-party debt purchasers have really moved up the depth chart of groups that consumer advocates love to hate in recent months. As I explained in a previous blog, NYS has also proposed regulations limiting third-party collection practices.
On Friday, the CFPB released its latest report of consumer overdraft practices and it confirmed what I’ve heard from credit unions for years. A disproportionate number of overdraft fees are incurred by a relatively small number of members who choose to incur the added expense of overdraft protection to avoid the embarrassment and inconvenience of a bounced check. At the risk of sounding like a lackey for “The Man,” overdraft fees are legitimate products that some members want. As long as members are knowingly opting into receiving such coverage – and they are – let’s move on to other more relevant consumer protection issues.
We should be so lucky. Richard Cordray, who heads the Bureau that never sleeps, looks at the same survey results – which were gleaned from a large sampling of the account activities of the large banks it oversees – and concludes: “[t]oday’s report shows that consumers who opt in to overdraft coverage put themselves at serious risk when they use their debit card. . . Despite recent regulatory and industry changes, overdrafts continue to impose heavy costs on consumers who have low account balances and no cushion for error. Overdraft fees should not be ‘gotchas’ when people use their debit cards.”
The CFPB noted that since your average debit card overdraft is $24 or less and is quickly replenished by the account holder, your typical fee is equivalent to a loan with an APR of 17,000%. It noted with approval that some credit unions and banks don’t charge fees for overdrafts below a certain amount and cap the amount of fees that can be charged on a given day.
Before I get too sarcastic, the Bureau deserves credit for looking beyond the generalities and gathering actual data on important issues. I just wish it would reach more logical conclusions about its own research.
As I have explained before, the Bureau proudly proclaims itself the first agency that is trying to put behavioral economics to work for the benefit of the American consumer. Proponents of this approach point to the impact that subtle changes such as making employees affirmatively “opt out” of retirement plans or making consumers “opt in” to more expensive banking services can have on consumer behavior. Fair enough. But, I’ve always been suspicious that adherents of this view will remain so only as long as consumers make what they consider the “right” decision.
For example, the overdraft study results show that a relatively small number of young people account for a disproportionate amount of overdraft fees. As people get older they opt in to debit overdrafts in much lower numbers and incur fewer overdraft fees. Is the relative handful of serial overdrafters simply not getting the right nudge? Are they being victimized by financial institutions looking to maximize their non-interest income? Or is it possible that your average young person today fresh out of college and handling finances for the first time doesn’t balance his checkbook, uses the debit card almost exclusively and logically concludes that, a friendly nudge notwithstanding, overdraft protection is for them?
I think Chairman Matz may have gotten a little carried away by the lights of Vegas the other day when she announced fixed asset mandate relief at NAFCU’s convention. I can’t get excited by mandate relief that replaces one mandate, the requirement to get preapproval of property investments exceeding five percent of assets, with another replete with a new acronym.
If you thought your days of not having to worry about the fixed asset rule were over, then you are going to be disappointed by NCUA’s mandate relief proposal.
Currently, the aggregate of all of a credit union’s investments in fixed assets must not exceed five percent of its shares and retained earnings without a waiver from NCUA. In addition, since much of your standard information technology investments count against this cap, CUNA and others have pointed out that the rule can restrict needed investments. The good news is that if this proposal goes forward credit unions would be able to exceed the cap without getting a waiver. But, credit union boards exceeding the threshold will have to develop an effective Fixed Assets Management (FAM) program. In addition, your credit union must have analyzed and determined that the investment in fixed assets in excess of the five percent limit is appropriate, safe and sound, and supported by its FAM program.
The FAM must include a “prudent” aggregate limit for the FCU; be accompanied by a board resolution detailing the board’s approval of the expansion and internal controls to assure proper oversight of the program. The resolution is quite detailed since it must include:
(i) The board’s analysis of the purpose for the investment;
(ii) The board’s analysis, supported by reasonable growth assumptions, of the federal credit union’s pro-forma balance sheet and income statement projections; and
(iii) For an investment in real property, the board’s consideration of the future marketability of the premises, in the event the federal credit union needs or wants to sell the premises in the future.
FCUs with an existing waiver would not have to implement a FAM on the existing project.
Are these pro forma requirements? No. Even though you no longer need prior approval for exceeding the 5% limit, the preamble to the proposal states that NCUA may, “in the discretion of the appropriate Regional Director, prohibit a FCU from making any further fixed assets acquisitions and require the FCU to reduce fixed asset levels. . .”
Currently, when a FCU acquires improved property it has three years to partially occupy the premises and if it acquires unimproved land it has up to six years to partially occupy the property. The proposed rule would establish a single five year timeframe to partially occupy all property. FCUs would still have to seek a waiver from NCUA to exceed these limits.
The Association will be sending out a survey on this proposal and I’m curious how many of you are as underwhelmed by it as I am or if I am just being too cynical on this beautiful summer day. Speaking of which, I am off to entertain my kids, enjoy your weekend.
There are some issues that represent such an important shift in the way the broader financial sector operates that they are important to know about even if they don’t impact credit unions directly. Besides, they are just interesting.
One of these developments comes in the form of news that Argentina is on the verge of defaulting on its government bonds. This is no run of the mill default as it could be precedent-setting by giving U.S. courts the upper hand in enforcing judgments against nations. Not only that, it underscores just how powerful those information subpoenas you receive are, provided they are valid.
There is a long history of foreign governments refusing to enforce judicial rulings by U.S. courts seeking to enforce money judgments. As far back as 1832 when Chief Justice John Marshall ruled that the federal government and not the states had authority to negotiate with tribes to purchase land owned by Indian tribes in Georgia (Worcester v. Georgia (1832)), President Jackson allegedly responded with his famous retort: Marshall made his ruling, now let him try to enforce it.
Similarly, when it comes to bonds issued by a foreign nation the conventional wisdom has been that there is only so much bondholders can do to redeem assets to pay off bond defaults. So when the Argentinian government defaulted on its bonds in the first years of this century, the vast majority of bondholders took the reduced payouts reasoning that it’s better to get half a loaf than no bread at all. However, a handful of bondholders held out for full payment. With the aid of some of the best lawyering you are ever going to see, these holdouts have backed the Government of Argentina into a corner.
Typically, Argentina would pay the American bondholders who accepted the modified payouts independent of what it owes to the holdouts. However, Judge Gleason of the Federal Court for the Southern District of New York issued an order mandating that, as explained by the New York Law Journal, “the next time the ‘exchange’ debt holders are paid by Argentina, and the country is expected to pay them $900 million, the country must pay one of the hold outs $1.3 billion, plus interest, or about $1.5 billion.” Presumably, if Argentina chooses to ignore this order, the holdouts could attach any payouts to other bondholders.
In addition, the legal wrangling underscores just how powerful those third-party information subpoenas are. In a 2012 case before the Second Circuit, which has jurisdiction over New York credit unions, the holdouts argued that subpoenas against third-party banks holding assets in a foreign country are valid, even if the money sought is ultimately out of the creditor’s reach. Why does this matter? Because as the Court explained, “New York State’s post-judgment discovery procedures, made applicable to proceedings in aid of execution by Federal Rule 69(a)(1), have a similarly broad sweep. The New York Civil Practice Law and Rules provides that a ‘judgment creditor may compel disclosure of all matter relevant to the satisfaction of the judgment.’ N.Y. C.P.L.R. § 5223; see David D. Siegel, New York Practice § 509 (5th ed. 2011) (describing § 5223 as ‘a broad criterion authorizing investigation through any person shown to have any light to shed on the subject of the judgment debtor’s assets or their whereabouts’).”
But remember, an information subpoena under NY law is only valid if it is properly issued and that includes mandating that the creditor have a good faith reason for thinking that money may be stowed away in your accounts.
By the way, I would still bet that the issue will be resolved sometime today short of default, but no matter what happens the power of U.S. courts and creditor subpoenas has been given a big shot in the arm. Can you imagine if Europe had to negotiate with New York judges before restructuring Greek debt? This is the type of power we are talking about. As former Presidential Advisor James Carville once quipped, when he comes back to life he wants it to be as the bond market.
I’m here to tell you this morning that you will be breached and if you have been already, you will be again. Cybercriminals are chameleons and they have the money to quickly adjust to the latest techniques meant to stop them.
For example, remember when “dual authentication” of your customer accounts was all the rage in IT security circles? The FFIEC even came out with a guidance mandating that depository institutions implement systems that demonstrate two forms of identification. It was originally updated in 2005 and updated again in 2012 to emphasize the need to “layer” your IT security.
To what do I owe my gloomy morning forecast? Two informative posts, one by the CU Times and the other by the Information Technology Website, underscored just how fast-moving the game of cyber security cat and mouse is and that, unfortunately, the bad guys win fairly often. Specifically, hackers have broken into 34 banks in Asia and Europe by bypassing a dual authentication system developed by Android and used for online banking. Check with your IT people to get the technical details, but the basic idea is that they used email requests to lure customers to a fake website. Marks opened the door to hackers by opening the email and going to the site, through which the hackers could steal all the information they needed to get by the dual authentication system. What is astounding the experts is that the banks used SMS technology, which requires a customer to enter a new password every time they access an account. This is above and beyond what most U.S. credit unions and banks require.
So, is there anything you can do to mitigate the risk beyond making sure that you have a good computer person on speed dial? In looking at cases examining the liability of financial institutions for data breaches, here are some of the points I would keep in mind. Although many of them are most relevant to those of you who offer business accounts, NCUA regulations require all of you to identify and monitor the “red flags” of identity theft on an ongoing basis.
- Member and staff education is key. Your security is only as effective as your most careless employee or technologically “savvy” member.
- In assessing commercial reasonableness of online business accounts, which are regulated by Article 4A of the UCC, courts consider (1) security measures that the credit union and customer agree to implement, and (2) security measures that the credit union offers to the customer but the customer declines. Make sure this is in writing and, if possible, attached to the contract.
- You must respond to changing threats by offering new mitigation techniques. For example, now that hackers can electronically impersonate an employee, dual control, not dual authentication, is becoming the baseline standard. This way, hackers have to obtain the login information for two employees before transferring money.
- Here is the good news. Commercially reasonable and regulatory standards vary depending on the size and sophistication of your credit union. However, this means that the policies and procedures you adopt must be unique to your credit union based on its resources and risk profile. This is one area where cutting and pasting a colleague’s policies the day before the examiner comes calling won’t cut it in the long run.
- Similarly, the vendor contract really matters. Most of you will use vendors to implement your cyber banking. How much must the vendor indemnify you if its negligence causes a breach? Are both parties legally obligated to monitor developments in cybercrime and update protocols when appropriate? Are these changes integrated into your security procedures? These are all questions that, if asked, can help mitigate losses and maintain member confidence in your electronic banking.
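For the IT staff reading along, here is the difference between dual authentication and dual control from the list above in working form. This is an added example, not code from the original post or from any vendor; the class, function and account names are hypothetical, and the 15-minute approval window is an assumption.

```python
import hashlib
from dataclasses import dataclass, field

APPROVAL_WINDOW_SECONDS = 15 * 60  # assumption: an approval must arrive within 15 minutes


class DualControlError(Exception):
    """Raised when an approval attempt violates the two-person rule."""


@dataclass
class Transfer:
    transfer_id: str
    account: str
    beneficiary: str
    amount_cents: int
    initiator: str
    created_at: float
    approvals: dict = field(default_factory=dict)  # approver -> digest they approved

    def digest(self) -> str:
        """Fingerprint of the payment details an approver is signing off on."""
        material = "|".join(
            [self.transfer_id, self.account, self.beneficiary, str(self.amount_cents)]
        )
        return hashlib.sha256(material.encode()).hexdigest()


def approve(transfer: Transfer, employee: str, authenticated: bool, now: float) -> None:
    """Record an approval. `authenticated` stands for a fully logged-in session
    (password plus one-time code); that alone is never enough to release funds."""
    if not authenticated:
        raise DualControlError("approver session is not authenticated")
    if employee == transfer.initiator:
        raise DualControlError("initiator cannot approve their own transfer")
    if now - transfer.created_at > APPROVAL_WINDOW_SECONDS:
        raise DualControlError("approval window expired")
    transfer.approvals[employee] = transfer.digest()


def can_release(transfer: Transfer) -> bool:
    """Release only if a second employee approved the details as they stand now."""
    current = transfer.digest()
    return any(
        approved == current and employee != transfer.initiator
        for employee, approved in transfer.approvals.items()
    )


def demo() -> dict:
    """Constructed scenario: one employee's complete login has been stolen."""
    t = Transfer("T-1001", "ACME-OPERATING", "VENDOR-A", 250_000,
                 initiator="alice", created_at=0.0)
    results = {}
    try:
        # Whoever holds alice's login tries to supply the second approval too.
        approve(t, "alice", authenticated=True, now=60.0)
    except DualControlError as exc:
        results["self_approval"] = str(exc)
    results["release_after_self_approval"] = can_release(t)
    approve(t, "bob", authenticated=True, now=120.0)
    results["release_after_second_employee"] = can_release(t)
    t.beneficiary = "UNKNOWN-PAYEE"  # details altered after bob signed off
    results["release_after_change"] = can_release(t)
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

Because each approval is tied to a fingerprint of the payee and amount, changing either one after the second employee signs off sends the transfer back for a fresh approval.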
Second Quarter GDP Growth Stronger Than Expected
A few minutes ago, news came out that second quarter GDP grew at a 4% rate, beating the expectations of economists. In addition, the Government is reporting that household spending increased by 2.5%.