Posts filed under ‘Compliance’

New York State Jumps On Politically Correct Banking Bandwagon

Yesterday, New York’s Department of Financial Services jumped on the politically correct banking bandwagon by issuing guidance reminding state chartered financial institutions that they “can play a significant role in promoting public health and safety in the communities they serve, thereby fulfilling their corporate social responsibility to those communities.” It encourages them to “review any relationships they have with the NRA or similar gun promotion organizations, and to take prompt actions to managing these risks and promote public health and safety.” They should also review their “codes of social responsibility.”

Don’t shoot the messenger so to speak but this is the guidance and as such should not be ignored by state level institutions in New York. Personally, I would review your existing policies and be able to explain to the public as well as examiners the criteria you use when determining whether or not to establish business accounts.

Now for my opinion. We are officially headed down an extremely slippery slope. Do we really want government using its powers to coerce financial institutions to bank or not bank with organizations and individuals who some people don’t like? Could guidance about the reputational risks of working with Starbucks be far behind? Then again, examiners like their hazelnut lattes more than they like guns.

I’m proudly not a member of the NRA and never will be but my views on gun control should have absolutely nothing to do with the advice I give credit unions or with the supervisory oversight to which they are subject.

NCUA Finalizes Advertising Regs

NCUA officially approved a subtle but meaningful changes that will help credit unions in their marketing efforts. When making a print ad, credit unions are currently required to use one of three methods to inform the public that they are federally insured by NCUA. Specifically, 12 CFR 740 provides that credit unions may include the statement “This credit union is federally insured by the National Credit Union Administration”; a shorter version, informing the public that this credit union is “Federally insured by NCUA”; or a shorter version simply stating “Federally Insured by the NCUA.” These notices must also be included in all radio, television and internet ads greater than 15 seconds in length.

The rule finalized yesterday gives credit unions the option of simply reproducing NCUA’s official sign provided it is “clearly legible and no smaller than the smallest font size used in other portions of the advertisement.” In addition, the signage requirement exemption for radio, television and internet ads has been extended to advertisements no more than 30 seconds in length. Those of you looking for specific advertising requirements for social media will have to wait for another day.

The NCUA also approved an amendment giving regulatory relief to credit unions with $10 billion dollars or more in assets that are subject to special stress testing requirements. I haven’t read the final rule yet so that’s all I’m going to say on the subject.

NCUA Responds To FOM Ruling

NCUA provided the Federal District Court in Washington with an explanation of how it intends to implement its ruling invalidating two components of NCUA’s field of membership expansion rule. In its notice to the court, NCUA explained that it will no longer permit federally chartered credit unions to expand, using the invalidated portions of the regulations or accept new members eligible under the invalidated provisions. It argued however that the court’s ruling does not retroactively invalidate the membership of persons who become credit union members as a result of these regulations.

Still no word on whether or not the NCUA intends to appeal the ruling.

GDPR Causes Hamlet Like Angst for Compliance Pros

To comply or not to comply with the GDPR? That is the question confronting credit unions as the May 25th deadline for complying with the European Union’s General Data Protection Regulation gets closer and closer. I know I have equivocated as much as anyone when it comes to complying with this regulation but unless you are a large credit union with extensive portion of EU citizens in your membership base, you have to take a reasoned and proportionate approach to this measure. I love this quote from an article earlier this week in the American Banker, “Big banks, fund companies, large insurance companies are all working through large GDPR compliance efforts,” said Jeff Sanchez, managing director, information security and privacy at Protiviti. “For smaller community and regional banks, it’s more dependent on their analysis of what their customer base looks like and what their exposure to European data subjects is.”


April 20, 2018 at 9:13 am Leave a comment

HR Beware: Cuomo Proposes To Ban Use Of Salary History

Yesterday, the Governor introduced proposed legislation that would prohibit employers in New York  State from inquiring about a job applicant’s salary history unless certain conditions are met.

Under the Governor’s program bill, employers would be prohibited from relying on or inquiring about a job applicant’s salary history. The prohibition would not apply when a job applicant voluntarily and without prompting discloses this information.

The Governor’s proposal follows on the heels of similar legislation which has already been enacted in localities including Albany. Supporters of these measures point out that women tend to get lower salaries than their male counterparts at the very start of their careers and that this pay gap grows over time. As the Governor argues in the accompanying memorandum, that his proposal would help eliminate the gender pay gap by making it illegal for employers to inquire about an applicant’s prior salaries.

Whether or not you agree or disagree with proposals such as this one, if we are going to have a state-wide law then it would be in everyone’s interest that it preempt competing local legislation. To the extent possible, employers should deal with uniform standards, particularly when it comes to something as nuanced and fact sensitive as the job hiring process. In addition, the Governor’s bill drafters deserve kudos for concise and straightforward drafting which would help avoid unnecessary litigation.

Joint Agency Statement Issued On Cyber Insurance

In my experience, the more people you have standing around the barbecue, the less flavor the meat ends up having. Similarly, the more regulators involved in drafting guidance, the blander and more obtuse the final product becomes. Yesterday’s joint statement issued by the Federal Financial Institutions Examination Council (FFIEC), which includes the NCUA, is no exception. According to the regulators, this guidance imposes no new regulatory expectations on financial institutions; nevertheless, I would certainly incorporate it into your due diligence protocols or at least document that you have discussed the guidance as opposed to just placing it in the to-do bin on your desk. Remember that my quick synopsis is not intended as a substitute to read the statement.

NCUA has indicated that cyber security is a top examination priority this year. So it is no coincidence that they and their fellow regulators feel the need to provide guidance on the propriety of the cyber security insurance. It stresses that while financial institutions are under no obligation to purchase such insurance it may, under appropriate circumstances “offset financial losses resulting from cyber incidents.” As a result, one of my takeaways is that depending on the size and sophistication of your credit union, it makes sense for you to periodically examine if now is the time to get cyber insurance or change the insurance you already have. For instance, the guidance points out that some insurance will only guard against so-called first-party losses which generally include the cost of direct losses to your institution. In contrast, third-party insurance can help guard against indirect claims such as one brought by a small business which suffered huge losses when a hacker compromised their account.

Another important takeaway from the guidance is the reminder that insurance doesn’t eliminate, but simply compliments a cyber security program. I’m always a little concerned when I come across some credit unions that think insurance translates into “someone else’s problem.” I’ve said it before and I’ll say it again, no matter what third-party you use to get your work done, your credit union remains ultimately responsible.

April 11, 2018 at 9:13 am Leave a comment

5 Things You Need To Know About Last Week

Increasingly it seems that there’s no down time for credit union news anymore, which is good if you’re a blogger but bad if you are a blogger who took an Easter break. So here in order of descending importance is a look back at some of the key developments that occurred last week with the understanding that I may expand further on these developments in the coming weeks.

DC Federal Court Strikes Down Key Provisions of NCUA’s Community Membership Rules

I know you’ve already heard about this one but considering that it takes about a week to read the decision, there’s still much more that needs to be said about Am. Bankers Ass’n v. Nat’l Credit Union Admin., No. CV 16-2394 (DLF), 2018 WL 1542049, (D.D.C. Mar. 29, 2018). Suffice it to say, that in its ruling the court held that NCUA overstepped its authority in defining a local community as any portion of a combined statistical area that contains no more than 2.5 million people. The court also ruled that the Board did not act rationally in defining a rural district as an area containing up to one million people. The court put a monkey wrench in many credit union expansion plans. Without getting this decision overturned or at least modified on appeal, community based credit unions will find it increasingly difficult to grow to meet member needs. On the bright side, portions of the rule were upheld and there may be a path forward for credit unions and NCUA, even if this decision is not reversed.

Prodigal Son Returns

When I left for vacation, an eight member democratic faction in the state Senate provided an independent power base at the state Capitol. When I came back, the Independent Democratic Caucus was no more. What’s more, Governor Cuomo was vociferously campaigning for Democrats in two upcoming special elections. The practical impact of this development was seen immediately as Senate Majority Leader John Flanagan replaced Jesse Hamilton as the Chair of the Senate Banks Committee with Long Island Republican Elaine Phillips. Remember, for the Democrats to take control of the Senate, they have to win two upcoming special elections in seats vacated by Democrats and convince Democrat Simcha Felder to caucus with them instead of the Republicans.

State Budget Impact

When the legislator finally got the budget deal done on Saturday, it contained a few provisions that will impact credit unions and their operations. S. 7508-C PART QQQQ creates a revolving loan fund for community development financial institution.

The bill imposed a $2.75 charge on ride sharing vehicles in Manhattan. A charge of $2.50 is imposed on medallion taxis. Why does this matter? Because critics of the approach argue that ride sharing vehicles are much more able to absorb the cost of the fee increase than are their medallion counterparts, making it even more difficult for the medallion industry to remain competitive.

This is the way the plan is described in the Governor’s budget press release: “Enact a $2.75 Surcharge on For-Hire Vehicles: To establish a long-term funding stream for the MTA and to reduce motor vehicle congestion, the FY 2019 Budget enacts a surcharge on for-hire vehicles below 96th Street. The surcharge is $2.75 for for-hire vehicles, $2.50 for yellow cabs, and $0.75 for pooled trips. This funding will go into an MTA “lock box,” and will provide long-term funding to sustain for the Subway Action Plan, outer borough transit improvements, as well as a NYC general transportation account.”

 Beneficial Owner Q&A Release

Regulations requiring credit unions and banks to identify the beneficial owners of accounts must be complied with by May 11, 2018. Although many credit unions may not deal with the type of sophisticated entities that this regulation is designed to address, you still need policies and procedures in place to know who the beneficial owner of an account is. You should definitely take a look at this Q&A if you haven’t done so already.

State Treasurers Want Cannabis Meeting With Sessions

With confusion continuing to reign regarding the legal status of marijuana proceeds in states that have legalized its use, a group of state treasurers wrote a letter last Thursday to Attorney General Jeff Sessions requesting a meeting with him to discuss this issue. Since withdrawing the Cole Memorandum in November, the AG has imposed radio silence on how financial institutions should deal with this issue.



April 9, 2018 at 8:59 am Leave a comment

Overdrafts Continue To Trip Up Financial Institutions

Overdraft litigation is alive and well. Recently, the United States District Court of New Hampshire refused to dismiss a punitive class action brought against Northeast Credit Union involving claims that the credit union did not adequately disclose the way in which it determines how much money is available in a member’s account. As a result, the member claims that persons are made liable for overdraft charges to which the credit union is not entitled. This litigation is by no means unique to credit unions but it does represent an ongoing problem that can be mitigated if the appropriate disclosures are in place.

The facts in Walbridge v. Northeast Credit Union, No. 17-cv-434-JD, 2018 BL 77521 (D.N.H. Mar. 07, 2018) are fairly typical. Walbridge alleges that on March 15, 2016, he had an actual balance in his Northeast checking account [*2] of $111.09. He made a debit card payment of $32.43, which left a balance of $78.66. Northeast, however, determined that he had insufficient funds and charged an overdraft fee of $32.00. Northeast then assessed additional overdraft fees of $32.00 on March 29 and March 30, 2016. Walbridge contends that the overdraft fees were improper.

As I explained in this earlier blog, there are two basic methods for calculating fund availability in accounts. The actual or ledger balance method refers to all money currently in a member’s account or the available method which refers only to those funds actually available for use by the member minus pending debits. Almost all these cases argue that the actual balance method is deceptive or not adequately disclosed by the financial institution since it makes a member think that they have more money available for debit transactions than they actually do.

But remember, no court has argued that one method is legal and another method is not. What is getting credit unions in trouble is that they fail to adequately disclose how their accounts are calculated. For instance, contrast this case with a ruling by a Federal court in DC which rejected claims that NASA Federal Credit Union’s Account Disclosure Statements were ambiguous.

The bottom line is this: Courts have come to differing conclusions based on very similar language. However, one commonality is that the more accurately and plainly you can describe your balance calculation method, the safer you will be. Given the continuing presence of this litigation, I would once again take a look at your disclosures and make sure they accurately describe the method your credit union uses and puts your member on notice when overdrafts are charged.

There’s Big Money In Credit Freezes

This just doesn’t seem right to me. Krebs on Security reported last week that nearly 20% of Americans froze their credit after the Equifax data breach at a collective cost of $1.4 billion to the consumer. That’s right, Equifax made more than a billion dollars off of a breach of its systems. Interestingly, Krebs also reported that the younger you are, the more likely you were to freeze your credit. 32% of millennials, 16% of GenExers, and 12% of baby boomers froze their credit. I would have reversed these numbers.

March 26, 2018 at 9:20 am Leave a comment

What Your Credit Union Needs To Know About The GDPR And Why It Needs To Know It

One of the toughest questions I’ve dealt with since I’ve been with the Association is this seemingly straight forward one: Does my credit union have to comply with the GDPR and if so, what can we do? Impacted companies must be in compliance by May 18th. Keeping in mind that the opinions that I express belong to me alone and are not intended as a substitute for legal advice from a lawyer of your choosing, the purpose of this blog is to give you some further thoughts on the subject as well as to explain why I think the Facebook fiasco will ultimately make the GDPR more relevant to all of us. I apologize for its length but there’s no way to boil this down to a few paragraphs.

What is the GDPR? The General Data Protection Regulations (GDPR) are landmark requirements promulgated by the European Union, designed to give consumers firm control of their electronic data and give the European Union enhanced authority to impose these requirements beyond its borders. Violators face potentially severe penalties.

Why is the GDPR such a big deal? On a policy level it represents a totally different conception of the use and monetization of electronic information than has developed in this country. The US has allowed e-commerce to develop organically. The implicit premise has been that, in return for allowing companies like Facebook to easily access our information, consumers receive an enhanced e-commerce experience. In fact, this has happened.

Conversely, the GDPR represents a conception of personal information as the property of the consumer, control over which the consumer never completely surrenders. Under the European approach, at least in theory, members would know that their personal data was sent to Cambridge Analytica and could simply withdraw their consent for the company to use it.

How do the regulations accomplish this goal? By mandating that consumers affirmatively opt in to providing consent before giving away their personal information AND by mandating that companies be able to both transfer information to another company at a consumer’s request as well as remove a person’s electronic footprint. These rights are known as the “right to be forgotten” and the “right to portability.”

Does the GDPR apply to my credit union? This is the part of my blog that’s going to drive people nuts. On paper the answer is yes. As I explained in a previous post, Article 3, paragraph 1 of the Regulation stipulates that it applies to “the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.” So on paper the regulation extends to any institution processing and holding data belonging to a citizen of an EU country, regardless of where that consumer happens to be located. For instance, I talked to a downstate credit union that was surprised to find out it had more than a hundred accounts belonging to members who lived in the EU.

Why is this such a big deal? After all, some form of these mandates have already been in effect in Europe. For one thing, this is the first time Europe is trying to impose these mandates outside of its borders. In addition, I’ve read and been told by IT people that, without a serious investment of time and money, these nice sounding mandates are difficult to achieve. They require companies to have the ability to effectively disaggregate data even as more and more of it is being aggregated into the big data hodgepodge. After all, the more information Cambridge Analytica has about Facebook users, the more it can confirm correlations between the type of car they drive, the coffee they drink and their views on gun controls. (I made this example up, but this is exactly the type of research that’s being done).

Can I be sued for not complying with the GDPR? The more I look at the issue, the more I think that the GDPR is likely to become increasingly relevant to your credit union’s compliance efforts, not because of formal action taken against individual companies by the European Union but because courts in this country, rightly or wrongly, recognize the GDPR as the base line standard of care when it comes to protecting a person’s private electronic data. This could happen in one of two ways. First, the GDPR includes a private right of action for consumers who feel their rights under the regulations have been violated.

Secondly, appellate courts may, over time, accept the argument that in an interconnected world, where everything from an individual’s playlist to what they buy when they go shopping could very well be stored on a server in Ireland, it is reasonable to expect companies to recognize the GDPR as the standard of care to which they should be holding themselves.

And let’s keep in mind as legislators seek to react to Facebook and Cambridge Analytica, the GDPR represents a model upon which to create their own system of mandates.

How concerned should my credit union be? Again, this is my opinion, but let’s be a little practical. Regardless of what the EU claims, its ability and desire to impose fines on a credit union that has no physical presence in Europe or does not even advertise its services to Europe is highly questionable. Furthermore, the intent behind the regulation is to put large multi nationals on notice that, to the extent they do business in Europe, then they have to abide by the GDPR. On a practical level, given everything your credit union has to do, investing time and money to comply with the GDPR should be at the bottom of the list unless you actively interact with the European Union.

What’s the bottom line? Unless you are a very unique credit union, I wouldn’t panic about the approaching deadline but I would consider putting a GDPR policy in place since some of what the regulation requires includes measures that your credit union is already taking such as data breach notification protocols. In the medium to longer term, credit unions should be mindful of the GDPR and begin to think of ways that they could comply with its overarching mandates, if not its specific requirements.

The recent Facebook fiasco has finally made people realize that their private information is worth protecting and they’re going to demand that GDPR type restrictions be placed on all companies in financial institutions regardless of where they are located.

March 23, 2018 at 9:55 am 1 comment

New York CU Authorized To Offer Lease Escrow Accounts

The other day, one of my most helpful readers forwarded to me a copy of a NCUA legal opinion which provides good news to New York based credit unions and may provide a road map for credit unions in other states to follow.

First, some background. Interest on lawyer trust accounts (IOLTA) are escrow accounts that many states mandate attorneys establish in order to place a client’s funds in escrow. Prior to 2015, credit unions were extremely limited in their ability to offer such accounts because membership eligibility was based on the qualifications of each individual person who’s funds were being escrowed rather than the membership eligibility of the attorney opening the account. This meant that most credit unions could not provide the share insurance necessary to house such accounts.

Many readers may recall that all this changed in 2015 when Congress passed the Credit Union Share Insurance Parity Act permitting credit unions to offer IOLTA accounts so long as the attorney qualified for membership. If he or she did, then share insurance coverage would be passed through to the clients whose funds were being aggregated. Crucially, for purposes of this fascinating post, this statute not only permits credit unions to offer IOLTA’s but “other similar escrow accounts.”

Which brings us to the present day. On February 1st, NCUA sent this letter to ESL Federal Credit Union in New York, authorizing to offer escrow services for “lease security accounts.” Under New York law, landlords holding security deposits are required to place such deposits in escrow. See NY General Obligation Law §7-103 et. seq. The NCUA agreed with ESL Federal Credit Union that such accounts are similar to traditional IOLTA’s. At the same time it stressed that it’s “analysis does not apply to other similarly named accounts where the factual and legal circumstances differ, even slightly, from those presented in the subject instance. Rather, the conclusions reached in this opinion are expressly limited to the specific facts and circumstances surrounding the subject account.” Still, it’s a nice victory for New York Credit Unions and is clearly beneficial to other credit unions seeking to offer a similar product in other states.

CFPB Releases Servicing Reg Q&A

As a follow-up to my blog from the other day, I’m happy to report that the CFPB has released a helpful Q&A further explaining how financial institutions are to implement the successor in interest/bankruptcy regulations which take effect on April 19, 2018. I’m glad to see I’m not the only one more than a little confused about the seemingly straightforward requirements.

The Q&A is extremely helpful but it underscores that credit unions are not out of the woods when it comes to complying with both these regulations and the bankruptcy law. Here’s what I’m talking about. One of the questions asked is, “Does a servicer receive a safe harbor under the Bankruptcy Code by sending periodic statements in compliance with the Bureau’s rules?” The answer won’t exactly fill you with confidence: “A servicer does not receive a safe harbor under the Bankruptcy Code by sending periodic statements to a borrower in bankruptcy in compliance with Regulation Z, § 1026.41(e) and (f)” the Bureau explains because it does not have authority over the bankruptcy law. But it goes on to explain that, “Based on this research and outreach, the Bureau does not believe that a servicer is likely to violate the automatic stay by providing a periodic statement in circumstances required by § 1026.41(a) and (e) that contains the information required by § 1026.41(c) and (d) as modified for bankruptcy by § 1026.41(f).”

Translation: Get ready to push back against the attorney who accuses you of violating his client’s automatic stay.

March 21, 2018 at 9:07 am Leave a comment

Why Friday Was A Good Day For Your Credit Union

It just got a little safer to call or text your members.

Although the ADA has captured most of the industries’ attention, it’s the Telephone Consumer Protection Act that will ultimately have the biggest impact on your operations, at least if regulators get their way. A statute that was intended to deter telemarketers from interrupting your day with unwanted solicitations has morphed into a litigation tripwire, potentially applicable to almost all businesses in America including your CU.

For almost three decades the TCPA has, with limited exceptions dealing with the collection of government debt and emergencies, made it illegal for persons to make phone calls or send texts without first getting the receiver’s permission when communicating with the help of an Automatic Telephone Dialing System (ATDS.)

What exactly is an ATDS? The TCPA defines it as “equipment which has the capacity—(A) to store or produce telephone numbers to be called, using a random or sequential number generator; and (B) to dial such numbers.” 47 U.S.C § 227(a) (1). In 2015 the FCC further refined this definition with a declaratory ruling explaining that an ATDS is any device that can potentially make random or sequential number generated calls with modifications. Just about every smartphone meets this definition since software can be downloaded giving it this capability.

This means that, unless they still use a rotary, just about every time your employees use a phone, chances are the TCPA is applicable. They better have to have a member’s permission before calling them or be willing to pay a $500 fine for each violation.

On Friday The Federal Court of Appeals DC ruled that the FCC went too far. CUNA and the bankers submitted a brief in opposition to the 2015 clarification.

“The Commission’s interpretation of the term ‘capacity’ in the statutory definition of an ATDS,” the Court decided, is “utterly unreasonable in the breadth of its regulatory inclusion. Nothing in the TCPA countenances concluding that Congress could have contemplated the applicability of the statute’s restrictions to the most commonplace phone device used every day by the overwhelming majority of Americans.”

That’s the good news. The bad news is I have read the decision twice and if I were a credit union, I wouldn’t change my call policies anytime soon. We are a long way from getting regulatory clarity as to when the TCPA applies and to what equipment. As the Law360 blog put it in its headline this morning:

“DC Circ. Delivers Relief, But Not Clarity, With TCPA Ruling”

March 19, 2018 at 10:01 am Leave a comment

Older Posts

Authored By:

Henry Meier, Esq., General Counsel, New York Credit Union Association.

The views Henry expresses are Henry’s alone and do not necessarily reflect the views of the Association.

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Join 483 other followers