On Friday, access to major websites, including Twitter, Netflix and the New York Times, was shut down as the result of a massive distributed denial-of-service attack just after 7 a.m. When Twitter couldn’t be reached, officials originally thought that Donald Trump was simply sending out too many tweets complaining about media bias following his botched debate performance and cratering poll numbers, but the attack was actually a sophisticated assault on a New Hampshire company called Dyn that helps direct internet traffic. Just joking about the Trump stuff. The bad guys would never want to shut down Trump.
Why should you care? Because the attacks demonstrate (1) the importance of cybersecurity mitigation based on the size and complexity of your credit union’s operations, (2) the need for contracts that memorialize vendor liability and oversight, and (3) the need for policymakers to take a holistic approach to cybersecurity that involves all industries shouldering responsibility to mitigate cyber threats. Your credit union might not be directly at risk, but your vendor very well could be.
First, some background. Distributed denial-of-service attacks are nothing new. Basically, hackers search the internet for devices to take over. Once they discover a vulnerable device and its password, they can redirect these machines to send data at targeted sites. The more devices that can be used in the attack, the larger it is going to be.
When it was just computers that were hooked up, these attacks were bad enough, but with the explosion of devices hooked up to the internet these attacks have become that much more lethal. Security experts have been sounding the alarm for months that not enough security precautions are being taken when gadgets such as DVRs and cameras are hooked up to the web. According to Krebs on Security, the problem is exacerbated by standard factory password settings. He further reports that even if these passwords are changed, it’s relatively easy for hackers to get around these changes.
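As an added example (not part of the original post), the Python below shows the defender’s side of the point above: in a request log, a flood built from many hijacked devices looks very different from one noisy client, and per-client rate limiting only helps with the latter. The log lines, their field layout (timestamp, source IP, target) and the thresholds are all constructed assumptions for the example, not any vendor’s format.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log (one minute of traffic):
#  - api.example  gets 150 requests from a single source
#  - dns.example  gets 200 requests from 200 different sources (botnet-style)
#  - www.example  gets 5 ordinary requests
SAMPLE_LOG = "\n".join(
    [f"2016-10-21T07:00:{i % 60:02d} 198.51.100.7 api.example" for i in range(150)]
    + [f"2016-10-21T07:00:{(i * 7) % 60:02d} 203.0.113.{i} dns.example"
       for i in range(1, 201)]
    + [f"2016-10-21T07:00:{i:02d} 192.0.2.9 www.example" for i in range(5)]
)


def parse_line(line):
    """Split one constructed log line into (timestamp, source, target)."""
    ts, src, target = line.split()
    return datetime.fromisoformat(ts), src, target


def analyze(log_text, total_threshold=100, distinct_threshold=50):
    """Bucket requests per (target, minute) and classify each bucket.

    "distributed"   : heavy traffic spread over many sources; each source
                      alone looks benign, so per-IP limits will not stop it
    "single-source" : heavy traffic dominated by few sources; per-client
                      rate limiting is an effective first response
    "normal"        : below the volume threshold
    Thresholds are assumptions chosen for the constructed sample.
    """
    buckets = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, target = parse_line(line)
        minute = ts.replace(second=0, microsecond=0)
        buckets[(target, minute)].append(src)

    report = {}
    for (target, minute), sources in buckets.items():
        total = len(sources)
        counts = Counter(sources)
        distinct = len(counts)
        top_share = max(counts.values()) / total
        if total >= total_threshold and distinct >= distinct_threshold:
            verdict = "distributed"
        elif total >= total_threshold:
            verdict = "single-source"
        else:
            verdict = "normal"
        report[(target, minute.isoformat())] = {
            "total": total,
            "distinct_sources": distinct,
            "top_source_share": round(top_share, 2),
            "verdict": verdict,
        }
    return report


if __name__ == "__main__":
    for key, summary in sorted(analyze(SAMPLE_LOG).items()):
        print(key, summary)
```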
So what can and should you do? As luck would have it, on Thursday the Federal Financial Institutions Examination Council released a “frequently asked questions” document about the Cybersecurity Assessment Tool unveiled by the Council last year.
The assessment tool provides financial institutions with a framework for assessing an institution’s cybersecurity risk profile and its preparedness to mitigate cybersecurity attacks. In addition, it says that institutions may customize the assessment for their individual needs. While I have never been against the assessment, I was concerned that regulators were imposing the same analytical framework requirements on Citibank and a $20 million credit union. So I was pleasantly surprised that regulators clarified that no institution is mandated to use the assessment. It is no more and no less than a “voluntary tool that institution management may use to determine an institution’s inherent risk and cyber security preparedness.”
In this environment there are three main steps the industry has to take. First, we have to ensure that whatever additional mandates are imposed on businesses provide institutions the flexibility they need to establish cyber protections consistent with their own risk profile. The assessment is a good place to start. Secondly, we have to continue to explain to regulators and policymakers the steps that financial institutions and their regulators have already taken for several years to protect against cyber assaults. Europe has already suggested baseline cybersecurity standards for manufacturers, and financial institutions have a stake in advocating for this country to impose similar standards. Thirdly, all businesses, including merchants, have to be subject to cyber security protocols. Mechanisms have to be put in place to hold them accountable when they fail to do so. Finally, do you know who your vendor uses to provide you with the computer services your members expect? If you don’t, then you don’t know how vulnerable your credit union is to cyberattacks. One thing you may want to do is to ask your vendors to take the risk assessment and tell you the results.
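The following Python sketch is an added example, not the FFIEC’s tool and not part of the original post. It works through the two halves of the assessment the post refers to: tallying activity ratings at the tool’s five inherent-risk levels into an overall Inherent Risk Profile, and applying the tool’s rule that a maturity level in a domain counts only when every declarative statement at that level and below is met. The activity ratings and yes/no answers are constructed; the majority-with-ties-upward profile rule and the one-to-one risk-to-maturity floor are simplifications assumed here, since the tool itself asks management to apply judgment and shows the relationship as a range.

```python
from collections import Counter

# Inherent-risk levels and maturity levels, lowest to highest (FFIEC CAT terms).
RISK_LEVELS = ["Least", "Minimal", "Moderate", "Significant", "Most"]
MATURITY_LEVELS = ["Baseline", "Evolving", "Intermediate", "Advanced", "Innovative"]

# ASSUMPTION: a one-to-one floor; the tool's relationship chart shows a range.
EXPECTED_MINIMUM = dict(zip(RISK_LEVELS, MATURITY_LEVELS))

# Constructed ratings for a small credit union (activity names are illustrative).
SAMPLE_RATINGS = {
    "ISP connections": "Minimal",
    "Unsecured external connections": "Least",
    "Mobile banking": "Moderate",
    "Third parties with system access": "Minimal",
    "Number of employees and contractors": "Least",
    "Attempted cyber attacks": "Minimal",
}

# Constructed yes/no answers to declarative statements, per domain and level.
SAMPLE_DOMAINS = {
    "Cyber Risk Management and Oversight": {
        "Baseline": [True, True, True], "Evolving": [True, True]},
    "Threat Intelligence and Collaboration": {
        "Baseline": [True, True], "Evolving": [True, False]},
    "Cybersecurity Controls": {
        "Baseline": [True, False]},
}


def inherent_risk_profile(ratings):
    """Overall profile = the level holding the most activities.
    ASSUMPTION: ties are broken toward the higher (more conservative) level."""
    tally = Counter(ratings.values())
    return max(RISK_LEVELS, key=lambda lvl: (tally[lvl], RISK_LEVELS.index(lvl)))


def domain_maturity(answers):
    """Highest level whose statements, and all lower levels' statements, are
    all met. Returns None when even Baseline is not fully attained."""
    achieved = None
    for level in MATURITY_LEVELS:
        statements = answers.get(level, [])
        if statements and all(statements):
            achieved = level
        else:
            break
    return achieved


def maturity_gaps(profile, domains):
    """Domains whose attained maturity sits below the assumed floor for the
    profile; value is (attained_level_or_None, expected_floor)."""
    floor = EXPECTED_MINIMUM[profile]
    gaps = {}
    for name, answers in domains.items():
        level = domain_maturity(answers)
        idx = MATURITY_LEVELS.index(level) if level else -1
        if idx < MATURITY_LEVELS.index(floor):
            gaps[name] = (level, floor)
    return gaps


if __name__ == "__main__":
    profile = inherent_risk_profile(SAMPLE_RATINGS)
    print("Inherent Risk Profile:", profile)
    for name, gap in maturity_gaps(profile, SAMPLE_DOMAINS).items():
        print(f"gap: {name}: attained {gap[0]}, floor {gap[1]}")
```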
If you woke up early to watch the Giants game on Sunday, you did more than the Giants, who won despite sleepwalking through one of the most boring, uninspired football games I have ever seen them play. Anyone who tells me how much more exciting football is than baseball hasn’t been watching the Chicago Cubs make it to the World Series.
By the way, the Cubs last won the World Series in 1908, the same year St. Mary’s Cooperative Credit Union was founded in Manchester, New Hampshire. In other words, North America’s credit union industry is as old as the Cubs’ losing streak. I hope a Cubs victory in the World Series isn’t a bad omen for the next hundred years.
Perception is reality. Although I think that the US is in the best economic shape of any major country in the world right now, many of your members would say I’m nuts.
Something strange is going on here. Economic growth isn’t being translated into economic security. The latest example of this schizophrenia comes from a survey released earlier this week by The MarketPlace radio show.
The unemployment rate is down to five percent, GDP is growing, albeit sluggishly, and there are indications that workers on the lower end of the economic ladder are finally seeing economic growth translated into bigger paychecks.
Meanwhile, the show’s Economic Anxiety Index has risen 20%; 30% of Americans are very fearful that they will lose their job in the next six months, up from 10 percent a year ago, and more than 39% say their personal financial situation causes them to lose sleep.
This dour mood explains our politics better than anything else I have seen. One thing that almost two thirds of Americans agree on is that the economy is rigged in favor of the other guy. However, 66% of Trump supporters say the economy is rigged for people who receive government assistance, compared to only 32% of Clinton supporters who believe the same thing. Conversely, 62% of Clinton supporters believe the economy is rigged for whites, while only 21% of Trump supporters believe this is the case.
I hope I am wrong, but I don’t see things getting much better any time soon. Statistically speaking, we are at the back end of a typical economic expansion and, more importantly, the country will be more, not less, divided on November 9th whoever wins the election.
I am no marketing guru, but it seems to me that those financial institutions that are able to speak most directly to the economic anxiety of consumers are going to be the ones best positioning themselves to increase their membership.
Bank Regulators Propose Cyber Security Regulations
New York is no longer alone among government agencies in proposing enhanced cybersecurity regulations.
Yesterday, the OCC, Federal Reserve, and FDIC issued an Advanced Notice of Proposed Rulemaking discussing a potential framework for enhanced cybersecurity. Even though the regulation doesn’t impact credit unions, it intrigues me for two reasons.
First, these federal banking regulators are looking to limit the framework’s application to entities with $50 billion or more in assets. In contrast, New York State’s proposal would apply to almost every state chartered credit union.
Secondly, it may increase the pressure on NCUA to unveil a similar mandate. It’s what all the cool kids are doing. Will NCUA follow suit or will it correctly conclude that credit unions are already subject to enough cybersecurity requirements? Time will tell.
Does the accounting firm retained to do your audit owe your credit union a fiduciary obligation? That was the question pondered by the Supreme Court of North Carolina. In a decision released in late September, that state’s highest court said the answer is no. (CommScope Credit Union v. Butler & Burke, LLP, No. 5PA15, 2016 WL 5335250 (N.C. Sept. 23, 2016))
CommScope Credit Union sued Butler & Burke, LLP, the certified public accounting firm that the CU hired to conduct annual independent audits of its financial statements, for its failure to find that the credit union’s manager had not filed an IRS Form 990 from 2001-09. The oversight resulted in IRS penalties of $374,000, and the credit union wanted the firm to pay. One of the arguments it made was that, in failing to inform the credit union about the missing forms, the firm breached its fiduciary duty to the credit union. Hold on, said the accounting firm: auditors typically don’t owe a fiduciary obligation to the businesses they audit, and credit unions are no exception.
(Although this argument involved an interpretation of North Carolina law the credit union’s argument resonated across the country as can be seen by the fact that the US Chamber of Commerce and the National Association of State Boards of Accountancy filed briefs).
What’s the big deal? As the court explained, “All fiduciary relationships are characterized by ‘a heightened level of trust and the duty of the fiduciary to act in the best interests of the other party.’” The higher the duty the firm owed to the credit union, the more responsible it becomes for the 990 mishap.
The credit union won at the appellate level and the firm appealed to North Carolina’s highest court. It successfully argued that audits are conducted in part for the benefit of the public, to assure investors that they can trust the financial disclosures being made by businesses. This obligation to the public as well as the credit union means that an auditor doesn’t have the obligation of undivided loyalty that typifies fiduciary relationships.
The credit union could have created a fiduciary relationship with the auditor as part of its engagement agreement but did not do so. By agreeing to perform the audit consistent with accepted audit standards the firm “agreed to find internal control deficiencies only to the extent necessary to perform its audits. Because defendant did not agree to affirmatively search for deficiencies outside of the performance of its audits, it did not agree to do anything beyond what an independent auditor normally does.”
The case isn’t over yet. The credit union can still argue that the firm’s failure to spot the missing 990s amounted to negligence. But no matter what the ultimate outcome, the accounting industry notched an important victory.
Before your supervisory committee sends out its next engagement letter it might be worth it to review what you expect to get out of your audit and the language that you have been relying on to get you there. If you thought your auditor was a fiduciary responsible for noticing that basic forms haven’t been filed think again. Put your expectations in writing. At the very least, you will start a discussion with your auditor about precisely what you are getting when you pay for its services.
The most interesting statistic I heard last week at the Association’s annual Northeast Economic Forum was that 48% of new mortgages last year were originated by nonbanks. Technology has come to mortgage lending and the companies that emphasize electronic mortgage applications and processing are beating the pants off lenders that rely on having people apply at their brick-and-mortar branches.
I was thinking about this factoid this morning as I read an interview with the OCC’s General Counsel, Amy Friend, in the American Banker. The OCC is rolling out plans for creating a special charter for fintech companies. Now here is a regulator that sees the writing on the wall and wants to remain relevant.
Why would companies want to be regulated by the OCC? The OCC says that the idea has appeal to a lot of companies that don’t want to be regulated by fifty different state regulators. Anyone who has taken a look at New York’s proposed cybersecurity regulations can understand why.
She explains that “We can provide a single charter with some uniformity, and that makes it very appealing. But, we also take that authority very seriously, and understand its implications. The comptroller has made it clear that if we decide to grant a national charter in this area, the institution that receives the charter will be held to the same high standards of safety, soundness and fairness that other federally chartered institutions must meet.” She further explains that institutions might want to get both a traditional bank charter and take deposits in which case they will also need to be regulated by the FDIC. Why not the NCUA as well?
The plan is still in the conceptual stages, but in March the OCC released a white paper on supporting financial innovation in the banking system, and last month it proposed regulations clarifying its authority to wind down bankrupt non-depository financial institutions that are not insured by the Federal Deposit Insurance Corporation. The regulation is seen as a first step in explaining how the OCC could oversee bankrupt fintech charters.
More on Navy
In Thursday’s blog I highlighted the CFPB’s consent order against Navy Federal and the impact it could have on credit unions who suspend services to members who have caused them a loss. Judging by the number of readers I really hit a nerve.
According to the Bureau, it was an unfair and deceptive practice for Navy to freeze electronic account services to members who were delinquent on loan payments. That simply isn’t true, at least according to the NCUA. To add a little fuel to the fire, here is a 1997 opinion from the NCUA in which it explains that credit unions may restrict services to members who are delinquent:
“In the past, we have allowed for suspension of services when the member caused a loss as a result of bankruptcy, an NSF check or a charged-off loan, but we have never addressed the issue of a delinquent loan. You advise that a delinquent loan increases the FCU’s collection costs resulting in a loss to the credit union. As long as the FCU has a rational basis for limiting services, we would have no legal objection.”
So how can Navy be fined, in part, for adopting practices explicitly authorized by its primary regulator for almost thirty years? Is this another example of CFPB overreach? Inquiring minds want to know.
On Tuesday the CFPB announced an enforcement order against Navy Federal Credit Union for engaging in unfair and deceptive collection practices against members whose accounts were delinquent. One of the violations cited by the Bureau raises questions about one of the most fundamental precepts of credit union law: the right to restrict services to members who have caused a loss.
According to the Bureau, Navy engaged in unfair and deceptive practices by denying electronic account access and services for about 700,000 accounts after members became delinquent on a Navy Federal Credit Union credit product. As explained in the press release, “This meant delinquency on a loan could shut down a consumer’s debit card, ATM, and online access to the consumer’s checking account. The only account actions consumers could take online would be to make payments on delinquent or overdrawn accounts.”
To be clear, this practice was just one of a group of hardball collection practices, some of which, if true, violated the Fair Debt Collection Practices Act. But the CFPB’s finding on Navy’s account practices is hard to square with one of the bedrock rules of credit union land. As the NCUA has explained in opinion letters over the years, “Long standing legal interpretation is that an FCU may limit services to a member who has caused a loss,” so long as the member retains the right to vote at the annual meeting and maintain a share draft account.
Against this backdrop, if a member has caused Navy a loss, then how is it unfair and deceptive to limit his use of electronic account services? Before yesterday I would have told you that electronic services are a privilege of membership, not a right.
If this is no longer the case then NCUA should put credit unions on notice of this fundamental policy shift. If the law hasn’t changed then NCUA should consult with the Bureau and explain how Navy’s actions are distinguishable from what other credit unions do and why. We need guidance…quickly.
You can be forgiven if, upon seeing the initial headlines yesterday morning that the CFPB was ruled unconstitutional, you allowed yourself to drift into a world of no TRID, no HMDA amendments and no short-term loan restrictions, and you are a little disappointed this morning with the news that, even with yesterday’s ruling in PHH CORPORATION, ET AL., PETITIONERS v. CONSUMER FINANCIAL PROTECTION BUREAU, RESPONDENT, No. 15-1177, 2016 WL 5898801 (D.C. Cir. Oct. 11, 2016), the Bureau that never sleeps is alive and well. In the short term this decision, if it is upheld by the Supreme Court, will have no impact on your compliance burden.
But don’t be too depressed. The Court’s ruling is a significant victory for those of us who believe that Congress gave too much power to one person. It makes the Bureau more accountable to the political process and, by implication, potentially more receptive to the concerns of the credit union industry. It also clarifies some important RESPA issues that I will address in a future blog.
The case dealt with the legality of a $109 million fine imposed on PHH by an administrative law judge after the CFPB alleged it was violating the anti-kickback provisions of RESPA. Originally PHH just wanted the fine vacated, but in appealing the ruling it broadened its argument to challenge the constitutionality of the Bureau itself. It argued that the separation of powers mandated by the Constitution was violated because the CFPB’s Director could only be removed by the President “for cause.” Congress has created, and the courts have approved, independent agencies, but these agencies have been overseen by boards of individuals, not a single director empowered to promulgate whatever rules and take whatever enforcement actions he or she deems appropriate.
The Court agreed. “The single-Director structure of the CFPB represents a gross departure from settled historical practice. Never before has an independent agency exercising substantial executive authority been headed by just one person.” It ruled that the CFPB as structured was unconstitutional.
But its remedy was as simple as its application of precedent was straightforward: Rather than disband the Bureau it simply invalidated that portion of Dodd Frank which stipulated that the Director could only be removed “for cause.” This means that the President could give Director Cordray his walking papers today, no questions asked.
Does this matter to you? In the long-term I think it does. I am fond of calling the Director the Benign Dictator of Consumer Protection. From now on credit unions can blame the president for not doing enough to distinguish between the Big Banks and credit unions. And it’s probable that an agency no longer insulated from politics will be more willing than the Bureau has been recently to listen to legitimate industry concerns before promulgating regulations in the first place.
Frankly, the Bureau has grown more arrogant and intrusive with each passing month. Anything that constrains the actions it can take is a step in the right direction.
NY Issues Incentive Based Compensation Guidance
The only regulator pumping out mandates quicker than the CFPB lately is New York State’s Department of Financial Services. That’s not a good thing for those of us who want to maintain a viable state charter.
Reacting to the Wells Fargo account opening scandal, the DFS released guidance yesterday on incentive compensation arrangements applicable to state chartered banks and credit unions. Here is one of its highlights:
“The Department advises all regulated banking institutions that no incentive compensation may be tied to employee performance indicators, such as the number of accounts opened, or the number of products sold per customer without effective risk management oversight and control.”
On that note get busy implementing all those Bureau regulations. I hope I see you this week at the Economic Forum.
An international security consulting firm has created quite the stir across the pond by reporting that hackers have already figured out not only how to steal biometric data from ATM machines but also how to commercialize the sale of devices facilitating its capture.
On September 22, 2016, Kaspersky Lab reported there are already at least 12 sellers offering skimmers capable of stealing victims’ fingerprints from ATMs. In addition, at least three underground sellers are already researching devices that could illegally obtain data from palm vein and iris recognition systems. By the way, this is in addition to reports demonstrating that it is possible for hackers to steal information stored on EMV chip cards.
The news caused one British regulator to write a letter to banks telling them to report on the steps that they are taking to secure biometrics. What makes this report so disturbing is that, whereas compromised ATM and credit cards can be reissued, you can’t change someone’s biometric data. If it really is as easy to steal this information as it appears it will be, then the use of biometric passwords will offer convenience to people like your faithful blogger, who is frustrated by an ever-growing list of passwords, but will be an expensive dead-end when it comes to security.
From now on I’m going to tell my wife to follow Kim Kardashian’s lead and take millions of dollars in jewelry with her wherever she goes instead of using a safety-deposit box. What could possibly go wrong?
The report also underscores just how behind the curve this country is when it comes to cyber theft. Merchants are still grumbling about the use of chip readers and a major Presidential candidate is encouraging cyber-hacking his opponent, while Europe is already debating the merits of biometric security. I can’t believe that this is the best the country that created Google, Facebook and Microsoft can do.
Which brings me to my proposed one-sentence guidance for all regulators, financial institutions and businesses to follow: “Every business must have a cybersecurity plan, but one which is tailored to its size, complexity and cyber vulnerability.” Any mandate more prescriptive than this will be outdated in days and deny institutions the flexibility they need to weigh cybersecurity costs against other expenditures eating away at the bottom line.
Extended Exam Cycle, Right Around The Corner
NCUA announced yesterday that well-managed credit unions with assets of less than $1 billion could move to an extended examination cycle, beginning next year, subject to board approval. The recommendation is among ten put forward by an agency working group on exam flexibility.
On that note enjoy your long weekend, I will be back on Tuesday!