Three Things You Need To Know About The Equifax Data Breach

New York’s Department of Financial Services has moved aggressively to regulate credit reporting agencies in the wake of the Equifax data breach fiasco.

It has proposed regulations that would extend its “first in the nation” cyber security regulations to credit reporting agencies. Specifically, the regulations would apply to every credit reporting agency that prepares a credit report on one or more New York consumers. The CRAs would have until February 1, 2018 to register with the state.

I’m curious to see how the CRAs respond to this development. On the one hand, they can argue that New York’s attempt to directly regulate them is preempted by Federal law. On the other hand, these are practices the CRAs should already have implemented. Furthermore, this is not exactly a good time for the CRAs to be arguing against baseline data protection requirements.

Yesterday afternoon, the DFS also issued guidance suggesting steps that both Federal and State chartered institutions should take in response to the breach. The most intriguing part of the guidance is the Department’s suggestion that if your credit union has an agreement with Equifax, it should “ensure that the terms of the arrangement receive a very high level of review and attention to determine any potential risk associated with the continued provision of data” to Equifax. This excellent suggestion is a reminder that the credit reporting agencies to which you provide information are third-party vendors. Like all other vendors, you have an obligation to ensure that they are doing their job properly and to reassess your relationship with them if they are not.

Finally, KrebsOnSecurity is reporting that confidential notices sent out by VISA and MasterCard to financial institutions across the country “appear to suggest” that the Equifax hack may have started as early as November 2016. According to Equifax, however, all the credit card information was stolen at the same time. KrebsOnSecurity is also reporting that the breach was the result of a vulnerability in a popular open source software package called Apache Struts.

Where Did My Branch Go?

If you think bank branches are disappearing, you are correct. In this interesting article in yesterday’s WSJ, the paper reports that in recent years Bank of America has gotten rid of approximately 1,600 branches. It estimates that the reductions are the equivalent of shutting down all the Citigroup and Capital One Financial outlets in the U.S.

What’s troubling, but by no means surprising, is that the reductions have targeted rural areas and areas not located near major metropolitan areas. For example, Bank of America no longer has branches in and around Utica, New York, where it had 12 as late as 2009.

September 19, 2017 at 8:41 am

CFPB Gives Qualified Thumbs Up To Alternative Lending Platform

Yesterday, the CFPB issued its first No-Action Letter providing a qualified green light to a lending platform which integrates non-traditional criteria into its lending model.

Upstart Network is a California-based company which partners with Cross River Bank to provide personal loans using an online lending platform. According to the application it provided to the CFPB, its lending algorithm takes into account not only traditional lending criteria but also non-traditional factors such as an applicant’s level of education “and/or experience”. Although the loans are provided by the bank, investors help finance the loans.

There is more to this announcement than meets the eye. Most importantly, it is the first time the CFPB has used its power to issue No-Action Letters. In February 2016, the CFPB issued a final guidance explaining the purpose of these regulatory actions. It explained that, “Under the policy, companies can apply for a statement from Bureau staff on an innovative product or service that offers the potential for significant consumer benefit where there is substantial uncertainty about whether or how specific provisions of law would be applied.”

The uncertainty with this product involves the interplay between big data analytics and the Equal Credit Opportunity Act. With the emerging ability of lenders to identify correlations between a host of non-traditional lending criteria and an individual’s credit worthiness, one of the key issues that is going to face lawyers, regulators and lenders in the coming years is how to distinguish between legitimate criteria and criteria that violate fair lending laws by discriminating against applicants on a protected basis.

Have a nice weekend, I’ll see you on Monday!

September 15, 2017 at 9:11 am

Are You Doing Your Levy And Restraints The Right Way?

Judging by the number of calls we get on the compliance hotline, the proper way to respond to the demands of third-party creditors to restrain accounts is the most vexing operational issue that credit unions have to deal with. As a result, I’ve decided to chat a little this morning about a case decided in the spring which deals with the key issue of how banks and credit unions should calculate whether or not a member has enough funds in their accounts to be subject to restraint.

Under New York’s law, a restraining notice “shall not apply to an amount equal to or less than the greater of two hundred forty times the federal minimum hourly wage prescribed in the Fair Labor Standards Act of 1938 or two hundred forty times the state minimum hourly wage prescribed in section six hundred fifty-two of the labor law as in effect at the time the earnings are payable (as published on the websites of the United States department of labor and the state department of labor).” N.Y. C.P.L.R. 5222 (McKinney). In addition, this threshold amount increases if protected funds are directly deposited into the member’s account. The Department of Financial Services periodically updates the threshold amount.

The question is whether, when determining whether or not a member has enough money in the credit union to be restrained, a credit union should examine each account held by the member individually, or whether it should aggregate all the money held in all of the member’s accounts and restrain amounts above that threshold. The question had remained unanswered by the appellate courts even though the statute has been around since 2008.

Fortunately, this precise issue was addressed by New York’s Appellate Division in Jackson v. Bank of America, 53 N.Y.S.3d 71 (2d Dept. 2017). BOA was being sued in a class action lawsuit by plaintiffs who argued that the bank improperly aggregates all the accounts held by a member in determining whether or not the restraint thresholds are breached. In ruling that the class action could go forward, the court held that, while N.Y. C.P.L.R. 5222(i) is ambiguous, its legislative history leads to the conclusion that banks and credit unions have to examine each account held by a member individually, without reference to any other funds held in that credit union. For those of you who already have interpreted the statute this way, you are in the clear. But for those of you who haven’t, you should really take a look at this case and have a discussion with your attorney.

One more takeaway. If the court’s interpretation is upheld, expect to see more clever members trying to avoid restraining notices by opening more accounts at your credit union. Under the court’s interpretation, someone with $25,000 in savings could avoid being restrained simply by making sure that each individual account they open is below the restraint threshold.


Credit unions notched an impressive and crucial victory last night with the approval of an amendment defeating a proposal that would have made the NCUA subject to the federal budget appropriations process. As I explained in my blog just two days ago, I don’t think it is possible to understate the danger of this proposal. In addition, it simply isn’t a cost-effective way of doing business and it would have resulted in greater costs for credit unions.

September 14, 2017 at 8:44 am

Do You Know The Answer To This Data Breach Question?

Here is today’s Final Jeopardy question: Are the number of lawsuits related to data breaches going up, going down or remaining about the same?

We’re back from the commercial break. And the answer is that in 2016 there was actually a decrease in data litigation lawsuits as a percentage of reported data breaches. This is the astounding finding of Bryan Cave’s 2017 Data Breach Litigation report which analyzes federal court litigation. The report underscores several important and troubling trends.

Here are some of the highlights:

  • Approximately 3.3% of publicly reported data breaches led to class action litigation. Unlike in prior years, in which the percentage of class action lawsuits had remained relatively steady at 4 or 5% of publicly reported breaches, 2016 saw a slight decrease in litigation relative to the number of breaches.
  • The percentage of class action lawsuits involving credit card breaches remained relatively constant, accounting for roughly 21% of the data breach litigation. This represented a 2% decrease in such litigation. Interestingly, the report’s author speculates that this relatively flat year for credit card litigation may reflect not only a decrease in high-profile retail data breaches but “difficulties by plaintiffs’ attorneys proving economic harm following such breaches, and relatively small awards and settlements in previous credit card related litigation.”
  • The author concludes “despite the fact that data breaches do not appear to be going away anytime soon, the risk that a company will face litigation following a data breach remains relatively low year-after-year. The reason is likely tied to the difficulty plaintiffs continue to face establishing that they were injured by a breach and, therefore, have standing as a matter of law to bring suit.”
  • Finally, beware of the lightning rod effect. High-profile data breaches normally attract several lawsuits. While this is understandable, it creates the impression that there is more data breach litigation than there actually is.

Why does this matter? Most importantly, it provides confirmation that too many companies responsible for guarding private information do not have adequate legal incentives to commit the type of resources necessary to keep information safe. In the meantime, credit unions and banks are left holding the bag when it comes to providing new debit and credit cards. In addition, there is also the very real risk that lenders are guilty by association in the public’s mind.

It was nice seeing those of you who attended the annual Compliance and Legal Conference. Let’s keep in touch!

September 13, 2017 at 9:10 am

Proposed Legislation Would Deal Fatal Blow To The Industry

This is one of those blogs where I have to remind you all that the opinions I express are mine and mine alone.

Why do I feel the need to make that qualifier today? Because in my opinion, the credit union industry faces its most credible legislative threat to its long-term existence in at least the decade I have been involved in the industry.

The proposal to which I am referring (§9 H.R. 3280) would subject the NCUA to the congressional budget process. Why is this such a pernicious threat? Because through the budget process, the Banker’s Association, aided and abetted by their allies in Congress, would gradually strip the NCUA of needed resources and use the appropriations process to stifle needed regulatory reforms. For example, an agency subject to the congressional appropriations process would be much less likely to champion Field of Membership improvements that help credit unions serve more members.

Supporters of this bill would tell you that NCUA is being treated no differently than other independent agencies that House Republicans are proposing should be subject to its oversight. This argument has a certain facial appeal. After all, a strong argument can be made that independent agencies like the CFPB are unconstitutional. But in reality, this proposal has nothing to do with constitutional niceties. Unlike the CFPB, a multi-member board already oversees NCUA’s operations.

Our trade associations are right on the money to sound the alarm about this legislation. It must be defeated or the industry as we know it will, over time, cease to exist. On that note, I will see you tomorrow.

September 12, 2017 at 8:30 am

Another Day, Another Massive Data Breach

Equifax, one of the big three credit reporting agencies, yesterday disclosed a “massive data breach” that may impact half the U.S. population. The breach includes the compromise of social security numbers, birth dates and up to 290,000 credit card numbers.

Let’s face it. It’s the same old song with a different tune. This is yet another example of why we need national standards and a national framework for dealing with data breaches and their consequences. In fairness to Equifax, it’s too early to know if the breach was a result of mistakes on its part or simply the end result of some talented hacking carried out in spite of adherence to prudent safeguards. But when I hear Equifax’s CEO explain that he is “deeply disappointed” by the break-in, my guess is a lawsuit isn’t too far away.

Unfortunately, it’s far from clear precisely how much liability Equifax will face even if it was negligent in safeguarding this sensitive information. In 2016, the Supreme Court held in Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016), that in order for a plaintiff to have standing to sue in Federal court, the harm caused must be “concrete and particularized and actual or imminent, not conjectural or hypothetical.”

The standard has been a particularly tricky one for the courts to deal with in the context of data breaches. In a decision in August, Attias v. CareFirst, Inc., 865 F.3d 620 (D.C. Cir. 2017), the U.S. Court of Appeals for the D.C. Circuit held that the lawsuit against health insurer CareFirst, Inc. could go forward. It ruled that so long as customers could prove that their names, birth dates and email addresses were compromised, they were being harmed by the imminent risk of a data breach. Similar logic was adopted by the 3rd Circuit in In re Horizon Healthcare Servs. Inc. Data Breach Litig., 846 F.3d 625 (3d Cir. 2017).

However, not all circuits agree. In In re SuperValu, Inc., No. 16-2378, 2017 WL 3722455, at *1 (8th Cir. Aug. 30, 2017), the 8th Circuit ruled that consumers whose information may have been compromised by a data breach lacked standing to sue the company. It reasoned that a mere possibility that an individual’s data may be used against them does not constitute enough harm to bring a lawsuit.

My guess is, the Supreme Court will take up this issue, maybe as early as this upcoming term. In the meantime, at some point Congress will come to its senses and pass meaningful comprehensive data breach protection legislation…and people say I’m cynical.

NCUA Releases Second Quarter Performance Data

The industry received its second quarter report card. It continues to show strong performance by the credit unions in the aggregate but it also continues to show that if you’re not big, there’s a good chance that your credit union is struggling. On that cynical note, I expect you all to enjoy your weekend and do nothing on Sunday but watch football. I hope to see some of you Monday at our annual Legal and Compliance Conference.

September 8, 2017 at 8:48 am

Will Credit Unions Have Access To A Faster Payments System?

While everyone supports the goal of a payment system that has the ability to process and settle almost all payments in real-time, not everyone is in agreement about the role that the Federal Reserve Board should play in implementing and overseeing whatever system is ultimately developed. On the one hand, bigger banks are already developing real-time payment processing systems and don’t need the Federal Reserve to be all that involved. On the other hand, credit unions and small banks are concerned that without the Fed’s active involvement, they won’t be given an on-ramp to the payment system’s highway. A progress report on the Fed’s efforts to assist in the development of a faster payment system released yesterday will do little to assuage the fears of the smaller guys.

As I’ve talked about in previous blogs, the Federal Reserve has for several years now been working with a wide variety of industry stakeholders on steps that need to be taken to develop a 21st Century payment system. At the same time, our trade organizations have joined with the independent bankers in expressing the concern that, without the Fed’s continuing involvement in the payment system, small credit unions and banks may find themselves unable to process payments at anywhere near the speed of their large counterparts. As they explained in this letter to Fed Chairman Yellen this April, “Without the Federal Reserve linking together the nation’s financial institutions and/or playing a significant operational role in the creation and implementation of the new faster payments rail for the country, the much-needed goals of safety, equitable access, and ubiquity will not be effectively achieved.”

As the American Banker reports this morning, the report released yesterday does not squarely address the issue of ensuring access to small institutions. On the other hand, at least it acknowledges that the issue needs to be addressed. The report notes that, “The Federal Reserve’s involvement could help to ensure inclusion of a broad range of stakeholder perspectives, manage productive collaboration among stakeholders with divergent interests, and provide needed coordination and facilitation for critical foundational work.”

Fed Vice Chairman Fischer To Resign

In a surprise announcement, Federal Reserve Board Vice Chairman Stanley Fischer announced that he would be resigning in October. The move means that President Trump will be able to appoint four of the Federal Reserve Board’s seven members. In addition, Chairman Yellen’s term expires next February. On that note, have a good day.

September 7, 2017 at 8:50 am

Authored By:

Henry Meier, Esq., General Counsel, New York Credit Union Association.

The views Henry expresses are Henry’s alone and do not necessarily reflect the views of the Association.