Does NY’s Cybersecurity Regulation Apply To Your Credit Union?

With the recent ransomware attack demonstrating how vulnerable the world is to cyberattacks, I spent part of my weekend looking back over NY’s regulations and to whom they apply. These regulations took effect in March, but there is a six-month transition period, with some requirements being phased in over the next year.

What follows is one man’s opinion and not a substitute for consultation with your own counsel and compliance team.

NY’s regulations apply to “any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.” This definition clearly applies to state-chartered credit unions and CUSOs incorporated or licensed in New York State, such as a mortgage banking or title insurance business.

What if you have a federally chartered credit union that makes mortgage loans? Here is where people part ways with my analysis. Even though originators working for banks and credit unions are exempt from state licensing requirements under Section 12C of the banking law, they still must be registered with NYS as loan originators (N.Y. Banking Law § 599-c(3)(a) (McKinney)). On its face, the regulation is broad enough to be triggered by this requirement.

Persons within the industry, with whom I have discussed the regulation’s reach, argue that even if my interpretation is correct it is hard to see how NYS could actually enforce the regulations against a federally chartered institution. To me this argument overlooks the fact that this regulation’s requirements will impact more than your compliance system. If it works the way I think it will, it will become an integral part of your most basic business relationships.

For example, the regulation will impact your third-party relationships. Entities covered by the regulations must identify and perform a risk assessment on all third-party vendor relationships. They also must explain the minimum cybersecurity protocols with which they expect third-party vendors to comply. This requirement is broadly consistent with third-party vendor guidelines. If I was drafting a contract for your credit union, reference to NY’s cybersecurity requirements could provide a useful and precise baseline for the expectations that you expect vendors to meet. This is particularly true given the increasing importance that adequate encryption plays in your cybersecurity program.

Even if NYS’s regulation doesn’t apply to you today, you don’t have to be Nostradamus to figure out that similar regulations will soon be imposed on your credit union. The ransomware attack demonstrated just how vulnerable our country is. Like it or not, NY’s regulation provides a template upon which regulators can quickly build, and my guess is they will do so.

May 22, 2017 at 9:52 am

Mortgage Lending Mishap You Can Easily Avoid

Yours truly is in a particularly good mood today.

Not only is it Friday, it is a sunny and warm Friday, and as someone who would gladly go the rest of his life without seeing another snowflake, it doesn’t get better than this. Thirdly, and most important for our purposes, a settlement announced yesterday between JPMorgan Chase and homeowners provides a great example of why, whether you are a federal or state-chartered credit union, it can get awfully expensive to disregard state mortgage law.

Under NYS law (N.Y. Real Prop. Acts. § 1921(1); N.Y. Real Prop. § 275(1)) a lender/mortgagee must present a satisfaction of mortgage for recording within thirty (30) days of a mortgage being paid off. If the mortgagee does not, it is liable for statutory damages between $500-$1500 per violation. I was around when the Legislature imposed these fines. At the time, legislators were fed up with getting calls from frustrated constituents, desperate to locate their mortgage satisfactions, which they assumed were recorded years ago.

In Bellino v. JPMorgan Chase Bank (U.S. District Court, Southern District of New York, No. 14-cv-3139), a homeowner paid off her mortgage loan on May 14, 2012. Chase sent the satisfaction of mortgage to the Westchester County clerk by FedEx on June 13, 2012, but the payoff was not received by the county clerk until June 15. The homeowner brought a class action lawsuit against the bank, seeking damages on behalf of herself and all others who took out a mortgage with Chase between 2011-2016, for whom a certificate of discharge or satisfaction was not presented to the appropriate county officer within 30 days. Yesterday Chase agreed to settle this case for more than $8 million.

A few quick takeaways as there is more going on here than meets the eye: First, Chase never denied that it was tardy with its filing, but argued that the case should be dismissed because the homeowners suffered no real harm. The court flatly rejected this argument, underscoring that those pesky little penalties that legislators like to add at the end of consumer protection laws have created a cottage industry of lawyers making a pretty good living out of nickel-and-diming financial institutions.

Second, it all comes down to process. Chase easily could have avoided this lawsuit had it just had tighter processes.

Third, just to be clear, you are not obligated to make sure that the satisfaction is recorded in thirty days, just that it is received in thirty days.

I have always thought that the credit union industry is a bit obsessed with the distinction between federal and state institutions, at least when it comes to mortgage lending. At the end of the day you will be impacted by the laws of the state in which you are located. There are of course numerous exceptions to this statement, but a healthy understanding of your state’s laws and how they impact your operations is a critical part of any compliance program.

On that note, yours truly is done blogging for the week! Enjoy your weekend. Peace Out.


May 19, 2017 at 10:14 am

Household Debt Hits New Record

Far be it from me to tell anyone how to do their job, but if I was involved in lending for a living I would certainly take a close look at the New York Fed’s quarterly snapshot of household debt released yesterday. It’s either (a) an inflection point signaling that sustained higher growth has taken hold; (b) a high point which masks some disturbing trends; or (c) something in-between.

First, the “good” news. The American consumer is back baby! The New York Fed tells us that household debt achieved a new peak in the first quarter of 2017, rising by $149 billion to $12.73 trillion, $50 billion above the previous peak reached in the third quarter of 2008. Balances climbed in several areas: mortgages (1.7 percent); auto loans (0.9 percent); and student loans (2.6 percent). Considering that consumer spending accounts for at least 70% of the nation’s economic growth, all this spending is good news. Despite the growth, credit card balances fell 1.9 percent this quarter.

Secondly, there is evidence that we have learned our lesson. According to this accompanying research, the country still has less mortgage debt than it did a decade ago and lenders have actually followed the credit union lead in lending to more creditworthy borrowers.

So why am I a little skeptical? It doesn’t feel like it, but by historical standards we are at the back end of the growth cycle. As none other than Ben Bernanke pointed out in a speech yesterday, from a historical standpoint a recession is due in the next two to four years. In addition, much of the current economic hype is predicated on a “Trump bump,” but don’t expect major Reg Relief, let alone tax reform, until Robert Mueller completes his Russia investigation.

Supreme Court Makes Important Bankruptcy Rule

One of the CFPB’s real pet peeves has to do with debt collectors who continue to seek repayment of debts even after the statute of limitations for their collection has expired. In addition, inquiring minds want to know if it is legal for debt collectors to submit proofs of claim in Chapter 13 bankruptcy proceedings for the repayment of such debts. Earlier this week the Supreme Court provided guidance on this issue. It ruled that debt collectors do not engage in an unfair and deceptive practice, under the Fair Debt Collection Practices Act, by submitting claims for stale debts.

MIDLAND FUNDING, LLC v. JOHNSON dealt with a creditor who submitted a proof of claim for repayment of a 10-year-old credit card debt. The debtor argued that this was an unfair and deceptive practice since the debt was not collectible. Alabama has a six-year statute of limitations. The Court explained that the parties to a Chapter 13 bankruptcy are sophisticated. Most importantly the bankruptcy is responsible for reviewing the validity of all claims. The court effectively held that, while a trustee has every right to reject a stale loan, there is nothing to keep the debt collector from seeing if he can slip one by the goalie.

Baseball, Hot Dogs, Apple Pie and Uber

Nothing says summer like hailing a ride from Uber or Lyft, or at least that is what some New York lawmakers think. They recently proposed legislation to push up the effective date of New York’s law authorizing ride hailing services from July 9th to July 3rd, just in time to get a cheap ride home from the beer-infused family Fourth of July party.

May 18, 2017 at 9:18 am

Reports of CFPB’s Demise Have Been Greatly Exaggerated

Last Thursday, Congressional efforts to kill regulations set by the CFPB extending certain protections currently given to debit cards to pre-paid card holders quietly died; the regulations take effect April 2018. Even if you don’t offer pre-paid cards, this speaks volumes about the regulatory environment in which we will find ourselves for years to come.

First, a slight digression since I really enjoy this subject. In 1996 Congress passed and Hillary Clinton’s husband signed into law the Congressional Review Act (5 U.S.C. § 801-808). Under this legislation final regulations must be submitted to Congress and it has 60 days, excluding certain breaks, to pass a resolution blocking them from taking effect. Since regulators have way too much power, this statute sounds great, but its bark is much worse than its bite. After all, in order for a regulation to be blocked both houses of Congress would have to vote to repeal it, and there is always the possibility of a veto.

With Congress and the presidency in Republican hands, the act has become a potent weapon with which to undo many regulations promulgated in the final days of the Obama administration. Since Donald Trump took office in January (yes it has only been 4 months) Reuters reports that Congress has used the Congressional Review Act to kill 14 pending regulations.

This brings me back to the CFPB’s prepaid card regulation. In early February, Senator Perdue of Georgia introduced a joint resolution to block the regulation. He complained in a press release that “If the CFPB wants to continue to impose rules and regulations that impact every American’s financial well-being, it must answer to the American people.” In the same press release Senator Cotton of Arkansas called the rule “a disaster for consumers attempting to access prepaid cards.” In short, the regulation seemed like precisely the type of CFPB mandate that the free market, anti-regulation Congress would quickly make go away. But on Thursday the deadline for repealing this bill came and went.

Consumer groups are right to point to this failure as a strong indication that the CFPB, or at least the regulations it has promulgated to date, are alive and well. After all, if Congress doesn’t have the appetite to repeal an esoteric regulation dealing with a specific segment of the consumer finance market, then hopes of forging a bi-partisan consensus on changes to the CFPB seem doomed.

I have a sneaking suspicion we are seeing a reemergence of the same pattern that has made it so difficult for Republicans to “Repeal and Replace” Obamacare. Republicans were unified in their opposition to Obamacare until they had to explain to their constituents that they would lose coverage under the Republican alternative. Now Republicans might be growing skittish over taking on the CFPB if that means repealing consumer protection regulations that consumers like.

Don’t get me wrong. The pre-paid card rule has its defects. And, with or without changes to the CFPB’s structure, we will eventually have a CFPB director appointed by President Trump. Unfortunately, however, needed regulatory changes may not be as dramatic or come as quickly as we would like to see.

May 17, 2017 at 10:19 am

Are NCUA’s Lending Standards Too Tough?

When state-chartered credit union Melrose CU was placed in conservatorship in February, New York’s Department of Financial Services put NCUA in control. Fast forward to Friday: The WSJ is reporting that the Committee for Taxi Safety, a Long Island City-based organization advocating for the medallion industry, sent a letter to NCUA Chairman J. Mark McWatters complaining that, in the aftermath of NCUA’s takeover, Melrose’s medallion loan terms have become too severe. It is demanding large down payments, imposing high interest rates and seeking people’s homes as collateral. Neither NCUA nor the DFS was willing to respond publicly to these concerns. According to the committee’s President David Beier, medallion owners can survive, but only if lenders (i.e. NCUA) show more flexibility.

The letter comes at a key time for the medallion industry. One medallion sold for a new low of $241,000, but many within the industry argue that this sale was an outlier and that medallion prices are stabilizing at approximately $550,000.

Department of Homeland Security Issues Warning on Ransomware Attacks

With the worldwide ransomware cyberattack threats likely to continue today, here is a press release from the DHS urging all persons and businesses to do the following:

  • Update your systems to include the latest patches and software updates.
  • Do not click on or download unfamiliar links or files in emails.
  • Back up your data to prevent possible loss, whether you are at a home, work or school computer.

Movie night at the Meier house

I watched The Founder starring Michael Keaton on pay-per-view last night. Great movie for anyone interested in business, ethics, fast food or really good acting.

May 15, 2017 at 9:21 am

NYC Makes Compensation History Off-Limits for Prospective Employers

NYC Mayor Bill de Blasio signed a measure making it illegal for NYC employers to base a salary offer on an applicant’s salary history. This prohibition also makes it illegal to inquire about or research a prospective employee’s compensation history. It takes effect in 180 days. Let’s face it, this is the type of measure that makes so many employers breathe a sigh of relief that they don’t work in NYC.

Here is some of the language: It will be illegal “to rely on the salary history of an applicant in determining the salary, benefits or other compensation for such applicant during the hiring process, including the negotiation of a contract.” Employers can, however, discuss the compensation that comes with the job.

Incidentally, this measure does not extend to union contracts. What a surprise.

With over half of the Assembly comprised of NYC Democrats, passage of this measure will provide a further impetus to impose this mandate on the rest of the state. For example, Assemblyman Crespo, who has proposed a statewide measure, praised passage of the measure.

May 12, 2017 at 9:10 am

Could a Blind Person Use Your Website?

One of the tricky things about dispensing compliance/legal advice to institutions as diverse in size as credit unions is the need to balance providing a heads up about emerging issues against helping credit unions prioritize truly pressing concerns.

With this sanctimonious lead, one of your faithful blogger’s takeaways from this year’s Mortgage Bankers Association Legal and Compliance Conference is that it is time for your credit union to begin viewing its website as an extension of your physical infrastructure that is subject to the Americans with Disabilities Act (ADA). I have been hesitant to talk about this issue for several months because the exact legal framework that your credit union is operating under remains unsettled. For example, key regulations promised over and over again by the Department of Justice have never been finalized. It is still an open question when a public website is subject to public accommodations for the disabled.

Conversely, there are plenty of anecdotes that website lawsuits are on the rise. In one breakout session, most of the audience indicated they had received letters threatening legal action over their websites.

Ok Henry, how exactly do I make my website accessible? The standard is something called the Web Content Accessibility Guidelines 2.0 (WCAG 2.0). The basic idea is to ensure that your website can accommodate persons with sensory and physical disabilities that make it difficult for them to use a mouse, for example, or read text. If you haven’t already discussed this framework with your IT department and/or vendor, you should. The reality is that as more and more of your services are predicated on your members interacting with your website, it not only makes good compliance sense but simply good business sense to make sure that your members can interface with the products and services that you offer.

Ultimately, no two credit unions could or should address this issue the same way, but we have reached a point where it should be addressed in an ongoing and systematic way. Remember, your physical branch activities are already subject to the ADA reasonable accommodation standards such as 28 CFR 32.303(a), with the caveat that you never have to take steps that would cause an undue burden on your institution. In other words, this is an area where size and resources are going to shape your legal requirements.

May 10, 2017 at 11:08 am


Authored By:

Henry Meier, Esq., General Counsel, New York Credit Union Association.

The views Henry expresses are Henry’s alone and do not necessarily reflect the views of the Association.
