Is the tide turning in data breach cases? Can Captain Ahab really retire? Inquiring minds want to know.
Earlier this week, a federal district court in Minnesota ruled that a group of financial institutions including at least one credit union could go forward with its claim that Target was negligent in letting hackers steal credit and debit card information from more than 110 million consumers last year. (In re Target Corp. Customer Data Sec. Breach Litig., No. MDL 14-2522 PAM/JJK, 2014 WL 6775314, at *4 (D. Minn. Dec. 2, 2014)). The case follows a decision by the Court of Appeals for the Fifth Circuit to allow financial institutions to go forward with a similar claim against Heartland Payment Systems, which they allege negligently stored plastic card information also stolen by third-party hackers. (Lone Star Nat. Bank, N.A. v. Heartland Payment Sys., Inc., 729 F.3d 421, 426 (5th Cir. 2013)).
Both of these cases are welcome developments for credit unions. The industry has correctly argued for years now that there is too little responsibility placed on merchants when it comes to protecting against data breaches. However, these developments also underscore just how important it is to couple legal action with a multi-pronged push to achieve data breach protections on both the state and federal level.
Most importantly, any litigation in this area will ultimately depend on the interpretation of individual state laws and legal standards. For instance, Target is incorporated in Minnesota, which I believe was the first state in the nation to pass legislation imposing liability on merchants that negligently store debit and credit card information. In refusing to dismiss the case against Target, the district court noted that the claim of the financial institutions was “bolstered” by the statute, which underscored the state’s policy of expecting merchants to protect against data breaches. In the Heartland case, the circuit court’s decision to allow the financial institutions to go forward was based on its interpretation of New Jersey case law.
The importance of state law and regulation to the outcome of these cases demonstrates that in this area, more than others, a coordinated attempt to pass data breach legislation on both the state and federal level is paramount for the industry. Every time financial institutions bring one of these cases it puts more pressure on merchants to consider coming to the negotiating table and agreeing to uniform data storage requirements. In addition, it’s impossible to predict what Congress will do in this area, but both the Heartland and Target decisions demonstrate that much could be done on the state level regardless of what machinations take place in D.C. The cases also raise an important issue for the industry to consider as it continues to push for data breach requirements. My guess is that the merchants will ultimately agree to data protection requirements in return for preemption of state laws. If the lawsuits continue to trend in favor of financial institutions, we may reach a point where the value of federal data breach standards is outweighed by the value of state-imposed liability.
Keith Leggett to Retire
Dr. Keith Leggett, Senior Vice President at the American Bankers Association and self-proclaimed Captain Ahab to the credit union industry’s white whale, announced that he will be retiring early next year. Keith is a professional gadfly to the credit union industry best known to many of you for writing his Credit Union Watch blog. He reportedly will continue to write this blog even in retirement, so we aren’t quite done with his cogent barbs.
I have a soft spot for anyone who reads my blog and a special soft spot for anyone who takes the time to respond to one of my tirades, even if they disagree with everything I’ve said. I’ve gotten to know Keith a little as a result of comments to my blogs. He even has been nice enough to give me the heads up on a typo or two. So Keith, I hope you have a better retirement than Captain Ahab and thanks for the input.
Governor Cuomo announced new regulations yesterday that impose extensive new requirements on debt collectors.
The good news is that they shouldn’t have a direct impact on your credit union’s practices, but they will impose several new disclosure requirements on third-party debt collectors. In addition, if you are from out-of-state and don’t think these regulations will impact you, think again. The CFPB is likely to take steps to impose new debt collector requirements and New York’s regulations are already being described as a “model for the rest of the country.” (This morning’s Law360 blog).
First the good news: The regulations provide that a debt collector does not include “any officer or employee of a creditor while, in the name of the creditor, collecting debts for such creditor.” In other words, if a car loan to a member turns sour, these regulations don’t apply to your employees who try to collect the debt. Instead they apply to the third-party debt collector with whom you may contract to retrieve your delinquent loans.
While the distinction is an important one, if I was working at a credit union I would certainly want to make sure that any third-party collector I am using is aware of these requirements and is preparing to comply with them. In addition, at least some of the disclosures mandated by the State can’t be complied with unless you and your debt collector are working together.
For example, a debt collector has to have procedures in place for knowing if the statute of limitations for collecting a debt has expired. If it has expired, the debt collector must, among other things, inform the consumer in writing that he is “not required to provide the debt collector with an admission, affirmation, acknowledgment of the debt, a promise to pay the debt, or a waiver of the statute of limitations; and if the consumer makes any payment on a debt for which the statute of limitations has expired or admits, affirms, acknowledges, or promises to pay such debt, the statute of limitations may restart.” That’s right: debt collectors must now inform debtors when they don’t have to pay back a debt. I’m dubbing this requirement the Debt Collector Miranda Requirement.
Other provisions in the regulation require debt collectors to provide:
Written disclosures, within five days of initially contacting a consumer, detailing a debtor’s rights; different disclosures would be required when seeking repayment of “charged off debt.”
Additional disclosures for consumers who agree to pay off a debt;
A requirement that consumers contesting debts be informed of their right to have the debts confirmed. There are exceptions to this requirement.
The regulations also specify when email may be used to communicate with a debtor.
Depending on when they are posted in the State Register, most of the regulation will take effect in March but provisions related to contacting individuals with charged-off debt and the substantiation of debt claims will take effect in approximately nine months.
There has been an awful lot of talk about the increase of economic inequality. Specifically, does it reflect a normal cyclical adjustment following a recession in which banks lent too much and people spent too much, or does it reflect a longer-term, more fundamental shift in the economy?
First let’s acknowledge that the economic statistics aren’t reflecting the everyday reality of many of our members. The economy is growing but not everyone is benefiting. In a great piece of analysis in yesterday’s WSJ, the paper studied Labor Department statistics and an extensive survey of consumer spending habits to gauge how households earning between $18,000 and $95,000 a year are spending their money. Its conclusions are worth quoting at length:
“The data show they are losing ground. Overall spending for the group rose by about 2.3% over the six-year period from 2007, even as inflation totaled about 12%. At the same time, income for the group stagnated, rising less than half a percent. With health care and other costs rising, these consumers spent less on furniture, entertainment, clothing and even child care, the Journal analysis found.”
Now I know some of you are thinking that these statistics reflect the normal ebb and flow of the business cycle. After all, Americans now know what happens when banks lend and people spend irresponsibly. However, the statistics say that more is going on here than the economic cycle. As pointed out by Erik Brynjolfsson and Andrew McAfee in their book “The Second Machine Age: Work, Progress, and Prosperity in a Time of Brilliant Technologies,” median household income hit its high in 1999 and has dramatically fallen since then. In addition, you have to go back to before the Great Depression to find another period when the top 10% of wage earners earned more than 50% of total income. By the way, the top one percent are earning 22% of the income pie.
Economics 101 tells us that greater productivity leads to higher wages. If this is the case, then we should be seeing upward pressure on wages, but as the WSJ article makes clear this is not happening, and by some measures this linkage between productivity and wages has been weakening for decades.
Is it possible, as the authors suggest, that technology has created an economic system where there is no longer a linkage between productivity and wages? Where computers take over the tasks previously performed by humans and make those employees that remain more efficient at a cheaper cost? I’m not convinced yet, but all you have to do is look at the most modern branches and ATMs to see that we need fewer employees than we used to.
I’ve always thought that the best way to find out if the country’s economic downturn is over isn’t to pay too much attention to the economic statistics but to listen to your members. Are they talking with pride about the school their kids got accepted to or are they wondering how they are going to pay for college? Are they enjoying their work or wondering how they are ever going to retire? Do they have a career or a job they settled for months after being laid off? I think most Americans would be shocked to find out that the economy in which they are struggling to make ends meet is the envy of most of the world: inflation is nonexistent, productivity is growing and unemployment is tumbling, but it sure doesn’t feel that great to the average consumer.
What is going on here? Something that the statistics aren’t capturing.
If you were sitting around the Thanksgiving table struggling to come up with things to be thankful for, then here’s one for you, after the fact: be thankful you are not associated with the North Dade Community Development Federal Credit Union located in Miami, Florida.
The Tuesday before Thanksgiving the $4 million credit union was slapped with a $300,000 fine for significant Bank Secrecy Act (BSA) violations. According to FinCEN, from 2009-2014, the credit union had significant deficiencies in all aspects of its anti-money laundering (AML) program, even as it processed close to $2 billion in transactions for money service businesses (MSB). FinCEN’s fine follows a 2013 Cease and Desist order issued against the credit union by NCUA.
If this were simply the story of one rogue credit union that let the income it was generating from MSBs blind it to its regulatory obligations, the story wouldn’t be worth a second look. But that’s not all that is going on here. Most importantly, regulators are increasingly concerned about credit unions that work with MSBs within their fields of membership. For instance, in January of this year, the NCUA listed oversight of credit union MSB relationships as one of its top regulatory priorities. In addition, a BSA Webinar hosted by the Office of Small Credit Union Initiatives emphasized the enhanced obligations that credit unions have when their membership includes MSBs. More generally, since 2005, regulators have stressed that when any financial institution provides services to an MSB, it takes on additional due diligence obligations.
But wait, there’s more. The credit union was also cited for its disregard of 314(a) FinCEN information requests. Under the Patriot Act, law enforcement officials at both the state and federal level are authorized to request that FinCEN forward the names of individuals about whom they are seeking information. These requests come out approximately once every two weeks. Credit unions are obligated to check their own accounts to see if they have any information FinCEN is seeking. This obligation is independent of a credit union’s responsibilities under OFAC (31 CFR 1010.520).
I’ve been quick to criticize financial regulators for their tepid approach to BSA enforcements. Don’t let the large fines fool you. Large institutions are able to get away with blatant BSA violations for years before anyone acknowledges that the inmates are running the asylum. But the fact that BSA may be enforced unfairly doesn’t change the fact that in today’s interconnected world a five-person credit union that doesn’t follow through on its BSA obligations can pose a real and dramatic threat to the country’s AML efforts.
Those of you who choose to take on more sophisticated accounts have an obligation to the entire industry to ensure that you conform with basic BSA requirements. This is one of those areas where the missteps of one credit union reflect on the industry as a whole.
Shoppers Not Feeling Jolly
If the initial press reports are any indication, Black Friday is losing its appeal to shoppers. The National Retail Federation reported that 55.1% of consumers shopped between Thursday and Sunday. That is down from 58.7% last year. It also reported that total spending was $50.9 billion, a decrease of 11% from last year. The Meier family took its annual sojourn into the city and based on our experience the statistics matched the reality: the train ride from Manhasset on the LIRR was notably less crowded and the store fronts were not as jammed. On that note, have a nice day.
With snow coming, the Meier family has decided to head over the river and through the woods to Grandma’s house on Long Island a little earlier than originally planned (I can hear someone in Buffalo saying “Snow! They call six inches Snow!”). There is a fair amount I want to tell you about before my hiatus, so here goes.
Will NCUA approve a pot CU?
Now that Colorado has approved a state charter for a credit union dedicated to providing financing for the state’s nascent marijuana industry, NCUA will have to decide whether or not to federally insure the institution. I’ve written several blogs about the legal difficulties of providing pot financing. Marijuana remains illegal as a matter of federal law, and even though federal prosecutors have indicated that they would turn a blind eye to institutions providing banking services in states where pot use is legal, finding financial institutions willing to open up businesses for ganja-related businesses has proven to be difficult.
I have no idea what NCUA’s ultimate decision will be but I would love to see it deny federal insurance for credit unions created to circumvent federal law.
There is a huge disconnect going on here. Heroin use is on the rise and a culture that glorifies pot use inevitably contributes to that rise by making drug use that much more acceptable. To those who extol pot’s medical benefits I would point out that few of the states that have legalized pot limit its possession to medical uses, and one that has ostensibly done so, California, has made a mockery of these limits (maybe New York will be the exception).
Let’s be honest, national groundswells for improved healthcare don’t catch fire just because some people want better healthcare; if they did, then President Obama would be the most popular President in history.
To my peers who think that pot use is no big deal I say grow up and think about your kids. College is over. Here is a link to a’s CU Times article and some previous blogs I’ve done on the subject.
New York classifies application of its subprime loan statute
In 2013 the Federal Housing Finance Administration changed its policies to mandate that insurance premiums on FHA insured loans be collected for the entire length of a mortgage. This change meant that some loans would be considered subprime loans under New York law, making them all but impossible to sell in the secondary market. Legislation signed by the governor establishes a separate formula for calculating subprime loans insured by the FHA. The law is an important amendment for mortgage lenders, but it does mean that there is now an additional formula that has to be calculated when determining how a mortgage loan should be classified under state and federal law. Chapter 469 of 2014 takes effect immediately.
Speaking of New York laws, in the same batch of legislation the Governor also approved a bill clarifying the authority of parents or guardians to request that credit reporting agencies preemptively place security freezes on the credit reports of persons 16 years or younger. Most importantly, the bill authorizes parents to request that a freeze be placed on a child’s credit information even if the child has no file. This means that it will be more difficult for identity thieves to use a stolen social security card to create an alternate identity with which they can take out loans and sign up for credit cards, for example. The legislation is Chapter 441 of 2014.
FHFA maintains conforming loan limits
The FHFA, which oversees Fannie Mae and Freddie Mac, announced yesterday that it was maintaining the conforming loan limit at $417,000. The conforming loan limit is the maximum price above which a residential property will not be purchased by the GSEs. For my downstate brethren who think that this is a pretty low number, remember that conforming house values are higher in certain parts of the country, including much of the downstate area. Here is a link to the announcement and a link to a list of conforming value limits.
Statistics indicate that approximately half of all marriages end in divorce. What’s more, according to the Center for Disease Control in Atlanta, one hundred percent of your members are going to die someday. In spite of these facts, the procedures used by financial institutions when dealing with a “successor in interest,” someone who obtains property by operation of law, vary widely. Some credit unions know that Mrs. Jones has been dead for years without trying to figure out who is making her mortgage payments, while others stop accepting payments once they hear of a member’s death.
The CFPB has heard these stories too and wants to wave its magic consumer wand to establish national standards that mortgage servicers must adhere to when dealing with successors in interest to real property. This proposal is just one of several substantive amendments the CFPB proposed last week with regard to the Servicing regulations that took effect last January. The successor in interest proposal is what I am most interested in because I think the general approach taken by the CFPB is a good one with or without additional regulations. You don’t have to wait until these amendments have been finalized to make sure you have policies in place that are consistent with existing law.
First of all, do you think the death of a borrower constitutes a default of the mortgage? If you said the answer is yes, think again. Since 1982, federal law has preempted mortgage contracts that apply “due on sale” provisions to property transfers that result from a bequest in a will, the death of a joint tenant, transfer to a relative upon death, or a transfer resulting from a divorce or legal separation agreement, among other things. A key component of the CFPB’s servicer regulations is to require lenders to provide delinquent borrowers with prompt information about loss mitigation possibilities. Even before its mortgage servicing rules took effect in 2014, the CFPB had been concerned about how its loss mitigation requirements would be applied to successors in interest. As a result, in October of 2013 it released a guidance to its final RESPA and mortgage servicing rules imposing procedures that servicers must maintain regarding the identification of and communication with any successor in interest of a deceased borrower with respect to mortgage loans he or she held. The CFPB’s proposal released last week would extend this guidance to all types of successors in interest.
Most importantly, a new section, 1024.36(i), stipulates that when a financial institution receives a written request from a person that indicates that the person “may be a successor in interest,” a servicer is mandated to respond to this written notification “by providing the potential successor in interest with information regarding the documents the servicer requires to confirm the person’s identity and ownership interest in the property.”
As the English commentators on the soccer matches I like to watch on Saturday mornings like to say, I think the CFPB is “spot on” on this one. By extending a servicer’s obligation to communicate with potential successors in interest, the regulations would empower financial institutions to communicate with ex-spouses and children, for example, without running afoul of privacy concerns. In addition, by making it clear to everyone what papers a person claiming to have an ownership interest in property must provide, the regulation will ideally facilitate the resolution of potentially complicated estate issues in a more expedient manner.
One thing to keep in mind: whether or not a person is a valid successor in interest, the mortgage lien that your credit union has on the property remains valid and enforceable. As a result, just because a deceased mother legally transferred ownership of her home to her son doesn’t mean that any delinquencies owing on the mortgage are wiped out. All this regulation does is help ensure that there are procedures in place to help clarify what parties ultimately remain responsible for a mortgage.