What the FinCEN Files tell us about the AML framework

Recently, an international consortium of 108 media organizations reported the results of a 16-month investigation into how money is laundered through the financial system. The investigation was triggered after Buzzfeed received 2100 SARs (suspicious activity reports) filed by some of the world’s largest banks. The bottom line finding is that billions of dollars are generated by banks, which regularly process transactions on behalf of entities whom they suspect of suspicious activities. 

Not surprisingly, the findings have resulted in calls for greater scrutiny of anti-money laundering protocols. Yesterday, Linda Lacewell, Superintendent of New York’s Department of Financial Services, wrote a scathing analysis in Law360 (subscription required) based on the findings, in which she accused the largest banks of using suspicious activity reports as a “get out of jail free card,” enabling them to make huge amounts of money off of criminal activity. 

In addition, FinCEN has responded to the investigation by coming out with a statement reminding would-be leakers that the unauthorized disclosure of SARs is a federal crime and issuing an Advance Notice of Proposed Rulemaking (ANPR) inviting industry stakeholders to suggest improvements to the AML framework.

Here are some initial thoughts:

  • Too often when it comes to BSA regulations, smaller banks and credit unions are disproportionately impacted by the misdeeds of larger institutions. There is something fundamentally wrong with a framework that imposes the same basic standards on every institution, regardless of size and sophistication. Whatever changes come as a result of this report should be tied to an institution’s asset size and sophistication. 
  • Regulators and policymakers should take a realistic view of what financial institutions should be expected to do. Let’s face it – illegal activity generates a tremendous amount of money around the world. The current system is far from perfect, but it gives law enforcement officials and regulators insights into illicit activity to which they otherwise would not have access. 
  • Don’t forget about the right to financial privacy. Call me old-fashioned, but the existing SAR system attempts to strike a balance between a consumer’s right to privacy and law enforcement’s desire to track illicit activity. 

The bottom line is that we should take a serious, thoughtful look at our anti-money laundering framework, but by concentrating exclusively on the role of financial institutions, we run the risk of identifying a symptom rather than a cause of just why there is so much international corruption and what can be done to deter it. 

October 1, 2020 at 9:33 am

Everything You Need to Know about Foreclosures but have been Too Afraid to Ask

The only thing more confusing than the latest government pronouncements about the proper response to the pandemic has been trying to figure out the status of foreclosures in New York State. There has been a multitude of guidance ranging from emergency regulations to pronouncements by the Department of Financial Services on the state level to federal legislation and industry letters from the GSEs on the federal level. These competing orders each have their own end dates and nuances, creating the perfect storm for compliance departments trying to do the right thing. Fortunately, there are signs that the confusion is beginning to come to an end as the courts step in and clarify the scope of all these competing requirements. 

Against this backdrop, the case that I think you all should read this morning is Money Source, Inc. v. Mevs, in which Judge Thomas Whelan wrote an extensive analysis describing the state of foreclosure law in New York. Although a court decision in Suffolk County does not bind the rest of the state, it can be used as persuasive authority for those of you still trying to figure out how to deal with foreclosures during the pandemic. Before I get into the weeds, the Judge succinctly summarizes the state of New York’s foreclosure laws as follows:

“(1) that the moratorium of the CARES Act has expired; (2) the Governor’s most current EO, that is, 202.48, only precludes enforcement of commercial foreclosure proceedings; and (3) the most recent and controlling AO from the CAJ, that is, AO/131/20 (as amended), only remains in effect for such time “as state and federal emergency measures addressing the COVID-19 pandemic amend or suspend statutory provisions governing foreclosure proceedings…” There is no longer any state prohibition on pre-COVID-19 residential foreclosure proceedings and the new state legislation, detailed above, is addressed to initiation of new proceedings.”

The first source of confusion was the Governor’s executive orders. To be clear, much of this confusion was unavoidable since executive orders must be renewed every 30 days, and must be amended to reflect changes in law. Originally, EO 202.14 prohibited residential foreclosure actions stipulating that there should be “no initiation of a proceeding or enforcement of a foreclosure action.” Yours truly has always read this order conservatively. Specifically, since the order applied not only to foreclosure actions, but to proceedings “leading to foreclosures,” it is my opinion that the order not only prevented foreclosures, but the sending of pre-foreclosure notices mandated by Section 1304 of New York’s Real Property and Proceedings Law.

Fortunately, this is no longer a valid concern. On June 7th, the Governor issued EO 202.48, which recognized that the executive orders were now superseded by the creation of Section 9-x of the Banking Law. This law applies to individuals in need of residential mortgage forbearances beginning in March 2020 and will be in existence on a county by county basis until there are no restrictions on non-essential gatherings of any size in the county in which the residence is located. According to the court, “there is little doubt that the new statute is designed to address mortgages affected by the COVID-19 pandemic, and should not apply to borrowers who defaulted before March 7, 2020.” Remember, where the law does apply, lenders seeking to go forward with foreclosures must demonstrate that they have complied with 9-x. 

Section 9-x does not apply to federally-backed mortgages. In other words, if you are servicing a mortgage loan and holding it in your portfolio, 9-x applies, but if you are simply servicing a loan that has been sold off to the GSEs, federal standards apply. 

This seems clear enough at first. After all, the CARES Act only provided a moratorium on foreclosures through May 15, 2020. The GSEs, however, are technically private companies that can set their own standards. I say technically because they are also bankrupt and are overseen by the Congressionally created Federal Housing Finance Agency. The FHFA recently announced they would not foreclose on property until at least December 31, 2020.

September 29, 2020 at 9:39 am

When it comes to Patent Litigation, Winter is Here

In the Game of Thrones, White Walkers periodically return to the Realm, threatening civilization as we know it. For the last eight years, a Long Summer has kept patent trolls, the White Walkers of the financial sector, at bay. This peaceful period officially came to an end this month, and we here in King’s Landing have been none the wiser.

So what am I talking about? Let’s say a bank or a credit union contracts with a vendor to provide a cutting-edge technological service. After the program has been up and running for a couple of years, it receives a politely worded letter informing it that its service violates a patent. But today is your lucky day – you can continue to provide this service as long as you pay a licensing fee.

Without getting too much into the weeds, a Covered Business Method Patent Review was a transitional procedure put in place by Congress in Section 18 of the America Invents Act. The procedure created a fast-track method for parties being sued by patent trolls on questionable grounds. Here’s why this is important to credit unions. To be potentially eligible for this procedure, the alleged patent infringement must involve at least one claim directed to a method for performing data processing or other operations “used in the practice, administration or management of a financial product or service.” 

The bad news is that the program authorizing this review process expired on September 16th, although proceedings brought under the now-expired law prior to that date will still be considered. Credit unions need this law extended. COVID-19 (damn, I thought I was going to get through a blog without mentioning it) has accelerated the use of technology. This is no time to begin making it easier for patent trolls to bring questionable claims demanding the use of time and resources. 

According to this recent column in Law360 (subscription required), the CBM resulted in 4,093 patent claims being cancelled or found unpatentable. These claims touch on issues ranging from shopper discount cards to adjustable car insurance rates. 

So what can you do to protect yourself, assuming dragonglass is not effective? First, remember to always make sure your vendor contract includes rock-solid indemnification language. Another thing you can do is remind your local representative that Section 18 helps your credit union and should be renewed. Incidentally, this is one issue that the banks agree with us on, in much the same way that the Realm ultimately united against the White Walkers. 

September 25, 2020 at 9:30 am

NCUA is doing the right thing when it comes to assessments

As blog followers know, there are occasions when I like to remind everyone that the opinions I express are mine and mine alone. This is one of those times.

The NCUA Board has created a low-level stir within the industry by suggesting at its meeting last week that it may have to seek an assessment from credit unions to make up for shortfalls in the share insurance fund caused by the sudden infusion of deposits triggered by the pandemic. NAFCU even wrote this letter to the Board urging it to hold off on any assessments and instead consider increasing the range of investments that credit unions are allowed to make. 

In fact, the Board did exactly the right thing by publicly discussing the share insurance fund. Credit unions should hope for the best but prepare for the worst, and begin preparing now for an assessment in the coming months. 

First let’s make sure we’re all on the same page. As a matter of federal law, NCUA must impose a restoration plan if the equity ratio falls below 1.20%. Federal law also permits NCUA to establish a Normal Operating Level of between 1.20 and 1.50. 

The facts don’t lie. According to the NCUA, the Share Insurance Fund equity ratio has dropped to 1.22% as of June 2020. The primary reason for this sharp decrease has of course been an almost 13% growth in insured shares. The current ratio is well below the NCUA’s Normal Operating Level of 1.38%. But the numbers aren’t as bleak as they first appear. In October, the fund will receive an infusion of $1.5 billion from insured credit unions as part of their annual contributions. 

Strip away the numbers and what you have is yet another debate over just how long lasting the economic downturn is going to be. If you believe that the indestructible mortgage industry is going to continue to rumble along, that the unemployment numbers will continue to defy conventional wisdom and continue to decrease, and that members will be well positioned to pay back forbearances as a vaccine replaces the new normal with a real normal, then it makes sense for NCUA not to prematurely impose additional assessments. 

In contrast, if you are inclined to believe, as many officials at the Federal Reserve are, that the economy will peter out without further congressional stimulus, that a sizable number of forbearances will never be repaid, and that we may very well see a second wave of COVID economic lockdowns in the coming months, then NCUA would be derelict in its duty not to protect the share insurance fund. Incidentally, the FDIC has already had to impose a restoration plan on banks.

September 24, 2020 at 9:36 am

Don’t Overlook Your Overdraft Practices

As many credit unions across the country are painfully aware, class action lawsuits alleging improper disclosures of overdraft opt-in programs are all the rage. A 50-page consent order the CFPB entered into with TD Bank provides yet another example of how financial institutions can run afoul of this seemingly straightforward regulatory requirement. When it comes to enticing members to opt in to ATM protection programs, it’s not just what you disclose, but when you disclose it that matters. 

Under 1005.17 (b), a financial institution cannot charge a fee for paying an ATM or one-time debit transaction pursuant to an overdraft service unless it first provides the consumer with a written notice of the option (which can be provided electronically to consumers that consent to being notified this way) and it gives the consumer a reasonable opportunity to consent or opt-in to the service. 

TD Bank had a fairly typical overdraft program. When new members applied to open accounts, they would be given three overdraft options for their checking accounts. One, a standard overdraft option which covered transactions not protected under 12 CFR 1005.17 (b), such as checks, ACH transactions and recurring debit card transactions; two, the option to cover ATM transactions covered by regulations; and a third option – to decline all overdraft protections. 

To me, the most intriguing defect cited by the CFPB is the fact that consumers would be asked about the program they wanted to utilize without first being given a written notice of the opt-in option. Instead, the employee opening the account would print out a form reflecting the member’s choice, along with the written opt-in notice. The CFPB concluded that this did not constitute compliance with the requirements, under which members must be provided the notice prior to being asked whether or not they wanted to opt-in to overdraft protections. 

This is the kind of nuanced distinction which can easily be overlooked. Now that the CFPB has provided a road map for regulators and litigators alike, I think it is worth your time to double check your credit union’s practices against this order. Remember, the CFPB considers regulatory actions as binding precedents when it comes to the interpretation of the regulations it oversees.

September 23, 2020 at 9:23 am

How secure are your home offices?

As the person ultimately responsible for mitigating both legal and compliance risks to your credit union, you don’t need to know all the answers, but you need to know what questions to ask. One of the questions you should be asking your IT team about is how safe your virtual private network (VPN) is. 

Recently, the FBI and the CISA issued a joint guidance warning companies in high-profile industries, including the financial sector, that they are being targeted by increasingly sophisticated attempts to gain access to virtual private networks. Think about it – a little more than six months ago, we were all concerned about personally identifiable information being sold on the dark web. According to these reports, there is a growing market for VPN identification. Given the sudden movement towards remote work, this trend was inevitable, but the more remote work becomes the norm rather than the exception, the more examiners will be expecting to see what steps your credit union is taking to prepare. 

As explained in this joint examiner guidance released in June, “examiners will review the steps management has taken to assess and implement effective controls for new and modified operational processes. Examiners will assess actions management has taken to adapt fraud and cybersecurity controls to manage heightened risks related to the adjusted operating environment. Examiners will also review how management has assessed institutions’ third parties’ controls and service delivery.” In addition, NCUA has emphasized that information technology remains a top priority during the pandemic. 

Some of the techniques being used can be guarded against regardless of the size and sophistication of your institution. For example, the highly influential KrebsOnSecurity posted a blog in August describing increasingly brazen vishing attacks in which hackers contact employees pretending to be from the company’s IT department, requesting login information to access the employee’s account. According to Krebs, this technique is particularly effective against newer employees, who are interacting with their IT department for the first time.

Finally, some of the classics are also being used. Good old fashioned emails requesting login information are still being responded to, reminding us yet again that our computer systems are only as safe as our most technologically inept employees allow them to be. Full disclosure – there are weeks when I talk to the IT department more than I talk to my own kids. 

What this means for your day-to-day is that you may want to remind employees not only that they should be aware of suspicious emails, but also that they should be aware of who they are talking to, particularly if they receive a proactive phone call. In addition, this is yet another example of why one of the trickiest parts of remote working is going to be onboarding new employees. My personal suggestion is that even if an employee is going to work remotely, a lot of the orientation process should still be done live and in-person.

September 22, 2020 at 9:51 am

To Pay or Afterpay, That is the Question

When it comes to financial innovation, the land down under is the equivalent of a financial services petri dish, especially when it comes to consumer credit. So humor me this morning as I delve into one of the hottest financial services stocks, Afterpay. 

The company started in 2017, and it is now beginning to get a foothold in the American market, with potential competitors, including Visa, soon to follow suit. What intrigues me so much is that Afterpay has brought fintech to a buy-now, pay-later consumer product that avoids the grasp of the Truth in Lending Act (TILA). I’m curious how much longer it will be able to pull off this feat.

This is the basic idea of how Afterpay works. On the retail side, it enters into agreements whereby it pays the full amount due, while the consumer commits to make payments in no more than four installments. The retailers pay a fee to Afterpay in return for the knowledge that the transaction is complete. Eligible consumers agree to repay Afterpay in increments. Not all consumers are eligible to enter into these agreements, and Afterpay has the right to deny the purchase request. 

The catch from a regulatory standpoint is that this is not considered credit under TILA because repayments must be made in four or fewer installments. TILA only kicks in on the fifth installment. Isn’t that clever?

According to the Financial Times, the stock is taking off. Analysts have predicted that the model wouldn’t survive the severe downturn in retail shopping caused by COVID. What they didn’t foresee was that the system works just as well, if not better, for online shopping. It appeals to millennials who want to avoid taking out credit cards, but could use short-term credit options. 

But one business’s financial innovation is another regulator’s gaping loophole. This article in Law360 (subscription required) highlights regulatory action which California is already seeking to take against Afterpay, alleging that it has to be properly licensed as a lender as a matter of state law. Pure speculation on my part, but you can probably bet New York State is looking into doing a similar analysis. 

Besides, the company can only grow as big as the number of retailers willing to participate. Time will tell how many of them decide it is in their financial interest to partner with Afterpay.

September 21, 2020 at 9:18 am

Are We Getting Enough Bang for our Cybersecurity Buck?

Good morning, folks. Sorry for the late start, but the Islanders went to overtime last night. 

According to the GAO, the Treasury is doing an inadequate job of monitoring how successfully the financial services sector has handled protecting the cybersecurity infrastructure. What’s more, the Treasury agrees, but argues that it lacks the authority to appropriately monitor the efforts made by financial institutions, including credit unions, in protecting the country against cybersecurity threats. 

Since 9/11, the government has emphasized the need for industry wide coordination to protect vital infrastructure. This effort picked up steam in 2013 when the White House issued Critical Infrastructure and Resilience Policy Directive 21. The overarching goal of this new directive was to strengthen functional relationships across the federal government to enable better communication about cybersecurity threats, and to coordinate better planning between industries. As part of this directive, the Treasury was given responsibility for coordinating the financial industry structure. 

As credit unions are well aware, there has been no shortage of regulations on the federal and even state level to protect against cyber threats. But, according to the GAO, the Treasury does not have the structure in place to adequately assess how successful these regulations have been. The Treasury says that it simply does not have the authority to get the information it needs.

This might seem like an awfully arcane piece of bureaucratic minutiae to write about on a Friday, but yours truly is just a little concerned that these findings will result in yet more regulations that will impact your everyday operations. In addition, given the amount of time, money and resources credit unions and other financial institutions must now commit to cybersecurity, I’m more than a little bit surprised that the Treasury is so willing to admit that a lack of coordination is diluting the effectiveness of these efforts.

NCUA Holds Monthly Meeting

Yesterday, the NCUA held its monthly board meeting. I will follow up once I have the chance to take a closer look at what was agreed to.

September 18, 2020 at 10:18 am

Don’t Forget About LIBOR  

Now that the compliance induced frenzy triggered by the pandemic has stabilized (knock on wood), I wanted to remind you of one of those meddlesome compliance changes that seemed so far away when it was first announced in early 2017, but is fast approaching.

I am talking about the end of the London Interbank Offered Rate (LIBOR), which is the index that many financial institutions and credit unions use to set interest rates for their adjustable rate mortgages and credit cards. If you start working now, you still have enough time to easily make the necessary adjustments. If you wait any longer, a simple problem will become increasingly troublesome, just like those college papers that some people (of course not readers of this blog) put off to the day before they were due. Some of you actually got an adrenaline rush from doing this. But to this day, yours truly is a morning person.

First, although a drop dead date for LIBOR’s demise has not been announced, the keepers of the index are still committed to stop publishing some time in 2021.  There are important compliance considerations tied to the drop dead date.  Most importantly, adjustable rate mortgage indexes can be switched without notice provided that the replacement index is substantially similar to the old one.  The CFPB has proposed regulations and guidance which would make this transition straightforward by providing examples of comparable indexes and providing specific dates when the transition can take place irrespective of what the actual drop dead date ends up being.

If you provide adjustable rate mortgages for sale for the secondary market, then your compliance deadline is fast approaching.  Fannie Mae will no longer be offering LIBOR based products effective September 30, 2020.  Freddie Mac will no longer be offering LIBOR based floating rate products after this year.  These deadlines do not impact your ability to continue to service existing loans using LIBOR.

Then there are those pesky adjustable rate credit cards.  The CFPB proposes to permit creditors for home equity lines of credit (HELOCs) and credit card issuers to replace a LIBOR index with a replacement index on or after March 15, 2021, if certain conditions are met.

While a specific new index is not being required, unless you have a baseline level of sophistication which allows you to compare competing indexes, regulators are implicitly encouraging you to replace the LIBOR with the Secured Overnight Financing Rate (SOFR) which is the new index of choice for the GSEs.

On the bright side, it is quite possible that your credit union has no LIBOR based products.  I would still document that your credit union took the time to confirm that LIBOR has no impact on your compliance framework.

Peace out!

September 17, 2020 at 9:26 am

Four Things To Know On A Beautiful Tuesday Morning  

You can tell that the COVID summer of 2020 has come to an unofficial end.  This morning is the first one in a while in which I want to highlight several recent developments, any one of which is worthy of a blog in the future.

DOL Releases New Regs on Emergency Leave Authorization

The US Department of Labor on Friday issued updated regulations, which among other things, are intended to clarify when an employee can take intermittent paid family leave and when an employee is eligible for leave even when there is no work available for the employee to perform. These updated regulations are in response to an August 3rd ruling by a New York Federal judge that the Department of Labor exceeded its authority when it promulgated the initial regulations which implemented key provisions of the Families First Coronavirus Response Act. I will have more about this by the end of the week.

Realtor Practices Under The Microscope

The State Senate announced that it would be holding a second joint hearing on Thursday investigating allegations that realtors on Long Island discriminate against minority homebuyers by steering them to houses in minority communities.  The hearing will be the second to examine the issue, which was the subject of an expose by Long Island Newsday last year.  This hearing is unusual in that some witnesses had to be subpoenaed in order to testify.

One Heck Of A Loophole

In the “Better Late Than Never” category, FinCEN has proposed regulations mandating that banks, credit unions and trust companies which currently fall outside the jurisdiction of federal regulators, must now comply with Bank Secrecy Act (BSA) requirements, including implementing appropriate Customer Identification Procedures.  I was more than a little surprised after reading this regulation that entities, including credit unions which use private share insurance instead of participating in the National Credit Union Share Insurance Fund (NCUSIF), have not been subject to the BSA framework even though it has been the top priority of regulators since the 9/11 attacks.

The Big Question

The last six months have changed almost everything, so why do my New York football Giants look like the same lousy football team which has amassed the fewest victories in the NFL over the last three years?

September 15, 2020 at 9:29 am

Authored By:

Henry Meier, Esq., Senior Vice President, General Counsel, New York Credit Union Association.

The views Henry expresses are Henry’s alone and do not necessarily reflect the views of the Association. In addition, although Henry strives to give his readers useful and accurate information on a broad range of subjects, many of which involve legal disputes, his views are not a substitute for legal advice from retained counsel.