Posts filed under ‘Compliance’
New York’s foreclosure law is one of the most complicated and time consuming in the country. Not only was the state one of the first in the nation to impose 90 day pre-foreclosure requirements and judicially imposed settlement conferences that provided a model for the CFPB but, as the housing crisis worsened, some courts became more and more aggressive in interpreting these and other laws for the benefit of delinquent borrowers.
To supporters of New York’s laws these protections are necessary to insure that homeowners have the legal protections necessary to keep their homes. To critics, a group whose ranks I have become an increasingly fervent member, state and federal protections are, when judged in the aggregate, not so much good faith borrower protections as they are procedural trip wires which slow down the foreclosure process to such an extent that they make owning a home in New York more expensive and contribute to urban blight.
The latest example of New York’s approach to housing policy is a bill drafted by the Attorney General to deal with the proper maintenance of abandoned “Zombie” property that has not yet been foreclosed on but has been abandoned by the homeowner. I have written other blogs about the proposal before, but I recently took another look at the legislation after it was officially introduced (A.6932\S.4781) on April 10th.
First, the good news is that the bill may make it easier to more quickly foreclose on abandoned property by making vacancy a ground for foreclosure and establishing courts specifically for such foreclosures. If you are going to make lenders maintain property than it makes sense to give them legal title as quickly as possible. It’s clear that supporters of this bill have listened to the critics. Its much more reasonable than it could have been.
Now for the bad news. It would mandate the establishment of a statewide abandoned property registry. Lenders may still find themselves on the hook for maintaining property they don’t own.
In addition, a provision in the bill demonstrates that legislators and regulators continue to have an absolute fetish when it comes to imposing notice requirements on lenders dealing with delinquent homeowners. The law would require lenders to send a notice to a delinquent borrower that “You are allowed by New York state law to continue living in your home regardless of any collection methods we pursue or oral or written statements made during the collections process, including the foreclosure process, until such time as you are ordered by a court to leave your property.”
This notice shall be sent within 15 days of property becoming 90 days delinquent that means that the homeowner not only is entitled to a 90 day pre foreclosure notice but now will receive this additional notice. This is, of course, in addition to the erstwhile summons and complaint that for hundreds of years has put people on notice that they are being sued.
In addition to these state specific mandates CFPB imposed regulations now require mortgage servicers to make a good faith effort to establish contact by 36 days after a homeowner misses a payment and provide written notice no later than 45 days after delinquency providing information about loss mitigation and counseling options. And of course federal regulations now prohibit a foreclosure action from being filed until the borrower is more than 120 days delinquent.
What astounds me is that anyone can look at these protections and conclude that homeowners need more notices or that greater legal burdens need to be imposed on borrowers.
Let’s not forget that the primary problem is people purchased homes they can no longer afford.
I’m off my soapbox, Have a good day,
To its credit, for almost a decade now NCUA has been emphasizing the need for due diligence when entering into third party relationships. Unfortunately, based on what I have seen, the quality of credit union oversight varies widely with too many credit unions continuing to place too little emphasis on a properly drafted contract which commits vendors to upholding privacy standards and establishes a framework whereby your credit union monitors vendor performance.
So, I’m not surprised with the results of a survey released last week by New York’s Department of Financial Services. The Department surveyed 40 financial institutions about their vendor management activities. Its findings are likely to result in proposed state regulations outlining vendor relationship requirements. It concluded that:
- Nearly 1 in 3 (approximately 30 percent) of the banks surveyed do not require their third-party vendors to notify them in the event of an information security breach or other cyber security breach.
- Fewer than half of the banks surveyed conduct any on-site assessments of their third-party vendors.
- Approximately 1 in 5 banks surveyed do not require third-party vendors to represent that they have established minimum information security requirements. Additionally, only one-third of the banks require those information security requirements to be extended to subcontractors of the third-party vendors.
- Nearly half of the banks do not require a warranty of the integrity of the third-party vendor’s data or products (e.g., that the data and products are free of viruses).
As I see it, one of the biggest problems is that businesses think of the contract as one of those last second details to be addressed after a vendor has been selected. It doesn’t have to be this way. For your larger vendor contracts you should ask your finalists to provide you with copies of their base contracts. You have leverage you should use if you find that one vendor has better terms than another. Furthermore, if one vendor is more committed than another to insuring data security then you can and should take this into account when making your final decision. Finally, you are being penny wise and pound foolish if you don’t pay for an attorney who has experience with vendor contracts and who is aware of pertinent regulatory requirements. By the way, the Association is willing and able to provide these services.
Is the Fed Getting Cold Feet?
The recent spate of lack luster economic news may keep the Fed from raising interest rates when it meets in June, according to an interesting WSJ article today. If this reporting is correct, a consensus is emerging that with inflation still below its 2% target range and employment still lagging, it makes sense to wait until later in the year before deciding to pull the trigger on the first rate increase since the Fed placed short term interest rates near 0 in December 2008.
Two quick thoughts, this is another great example of the Groundhog Day economy we have been stuck in for some time now. Economists confidently predict every Fall that the economy is finally on solid footing only to back away from the predictions following tepid economic growth in the first quarter. For what it’s worth, this blogger still believes the Fed will raise rates ever so slightly in June, if only to shift the debate away from when interest rates will rise to how high they should go. Low interest rates have artificially inflated equities for several years now by making the market the only place to get an adequate return.
On that note, have a nice weekend.
Verizon recently came out with its annual analysis of Data Breach Incidents Reports and it is a much read for at least one employee at every credit union. (http://www.verizonenterprise.com/DBIR/2015/?&keyword=p6922139308&gclid=CJXf_83Z-sQCFQqOaQodiIwAyw).
How effectively you deal with data breaches is an increasingly important factor in determining your credit union’s bottom-line. Verizon’s report is the best I have seen when it comes to providing an objective analysis of data breach trends. Here are my takeaways from the report:
Is greater information sharing the answer? One of the best ways to mitigate the negative consequences of data breaches is to get the word out about compromises as quickly as possible. We need more sharing of information. But rather than facilitating sharing within a given industry, the report concludes that greater emphasis has to be placed on sharing between industries that share common characteristics. In fact, it concludes that “our standard practice of organizing information-sharing groups and activities according to broad industries is less than optimal. It might even be counterproductive.” Greater inter-industry coordination is the type of mission that only government can facilitate and it’s fraught with a host of privacy issues. We are talking about sharing information about members over an array of businesses and industries inconceivable when Gramm–Leach–Bliley was passed.
Just how much are all of these data breaches costing us? The report attempts to quantify how much data breaches cost. It estimates that the average loss for a breach of 1,000 records is between $52,000 and $87,000. However, estimates vary widely based on the size of the breach, so the report also provides a chart on page 30 of the report providing a range of estimated costs based on the size of the breach.
Think of how valuable this information is and could be, particularly as the estimates get more accurate. For example, is it worth switching to EMV technology? Maybe, maybe not, depending on the scope and size of your potential data breach exposure. At least no one has to be groping around completely in the dark when making these decisions.
Is there anything that you can cost effectively do to help prevent or mitigate breaches? Here is some good news. Despite all the technological sophistication that goes into carrying out and preventing data breaches, a tremendous amount of data breach protection can be achieved by educating your own workforce and being as careful as you can be about who has access to information that could facilitate data breaches. For example, the report estimates that 55% of incidents stemmed from “privilege abuse.” In addition, employees aren’t all that quick when it comes to reporting data breaches. Perhaps it’s time for those “welcome to the new job” overviews HR gives to the new hires to include a talk about reporting potential phishing attacks. Another interesting factoid is that many data breaches involve compromises of software for which patches were available but not installed.
FICO), Lexis –Nexis Risk solutions and Equifax yesterday described the details of a pilot program currently underway to examine the creditworthiness of those who aren’t eligible for credit because there is no way of scoring them under traditional models. According to the press release the pilot program allows 12 of the largest credit card issuers in the U.S. to use alternative data to identify creditworthy individuals who would otherwise be unlikely to obtain traditional credit. (http://www.fico.com/en/fico-lexisnexis-risk-solutions-and-equifax-joining-to-generate-trusted-alternative-data-scores-for-millions-more-americans-04-02-2015).
There is more here than meets the eye. For one thing I didn’t realize just how many Americans are completely off the credit scoring radar. These “unscorables” don’t engage with the banking system and therefore can’t be scored . Yesterday’s press release put that number at 15 million but this may be on the low side. No matter what numbers you rely on, what everyone agrees on is that a disproportionately large segment of this group is composed of poorer minorities who are flocking to prepaid cards.
In order to assess the credit worthiness of these unbanked persons of modest means additional data has to be mined. The pilot program announced yesterday uses information such as cable and utility bill payments. These are potential members who have so far chosen to opt out of the financial system all together. Does the industry have an obligation to aggressively court these members? I say yes. Alternative scoring models can help.
So why am I a little squeamish? I’ve talked about how “Big Data” has the ability to both revolutionize lending and create a host of legal challenges that simply weren’t anticipated when fair lending laws were passed, For example, let’s say that this pilot scoring system proves to be a reliable indicator of creditworthiness. How many years will lenders have to start using this new model without being accused of violating lending laws? After all, FICO has now demonstrated that traditional scoring systems have the effect of reducing credit to poorer often minority. credit worthy applicants and that an alternative system can be used.
Then there are the broader policy implications. Is extending credit to people who have so far chosen to live without it or who can’t afford it under traditional measures really a good thing? In 2007, on the eve of the Great Recession, America had a personal savings rate of 1.7%. Today it has skyrocketed to 5.5%which still puts us well behind most developed nations. In addition, your average 401K barely has enough in it to pay a retiree’s bus fare for his ride to his job at Walmart.
The financial industry will be devising more and more creative and accurate ways of reviewing credit worthiness for years to come. Used wisely and monitored by regulators within the appropriate legal framework, much good can come of this innovation. Conversely, right now the technology is racing too far ahead of the policy. Just because an alcoholic can pay for his drink doesn’t mean he should be having one. As a nation we are too dependent on credit and enabling the poorest among us to take on debt doesn’t seem to be the best way of encouraging thrift.
On that note, your faithful blogger is off next week to take the family on a visit to the nation’s capital and Southern Pines, North Carolina, to go to my niece’s wedding and finds some warm weather. Enjoy the holiday.
Just as you should have a plan to rapidly recover your credit union operations in the event of a natural disaster, so too should you have a plan to rapidly get up and running in the event your credit union is victimized by a cyberattack. That’s my main take-away from a joint guidance issued yesterday by the FFEIC, a group of financial regulators that of course includes the NCUA.
In addition to underscoring the importance of cyberattack recovery, the regulators are using the guidance to emphasize the importance of ongoing assessments and monitoring of your existing computer systems. For example, you are expected to maintain an ongoing risk assessment system that considers new and evolving threats and conduct regular audits to review who has access to vital systems.
Now for some more general points, in light of the Supreme Court’s recent decision upholding the right of the Department of Labor to reinterpret existing law simply by issuing a new letter, guidances of all types, including those issued by the FFEIC, are as binding on your credit union as if a new regulation had just been promulgated. The FFEIC typically claims that it is doing nothing more than synthesizing existing requirements, but at the very least make reviewing this memo a compliance priority.
In addition, notice how the regulators are not going to let smaller institutions off the hook. Obviously, the steps a $20 million credit union takes to both guard against and recover from malware attacks are not going to be as extensive as the steps taken by a $1 billion institution, but steps need to be taken nonetheless. The regulators have a point since the bad guys have demonstrated an increasing willingness to go after the data stored by smaller institutions, I’m concerned that without a serious attempt on the part of the industry to pool resources, increasing computer costs in conjunction with existing compliance mandates will make it that much more difficult for any small credit unions, or true community banks for that matter, to survive.
That seems to be the attitude of many millennials based on the number of surveys that consistently report that those born between 1982 to 2000 are at best indifferent and at worst skeptical when it comes to financial institutions.
For example, according to recent research conducted by Goldman-Sachs, 33% of millennials don’t think they will need a bank in the near future. In addition, 50% of the surveyed millennials are counting on tech startups to overhaul banks. Interestingly, this group is not only skeptical of banking, but profoundly impacted by the Great Recession. According to this survey, less than half of them have a credit card.
This is consistent with what I’ve described in previous blogs: a generation that will make its banking relationship decisions in a vastly different way than any previous generation. In addition, this is a generation that is more than willing to scrap traditional banking models. After all, Facebook announced recently that it is debuting an App to allow its users to make account to account transfers. Can you imagine the previous generation so willing to transfer cash without breaking out the checkbook or walking down to the bank.
I came across this survey as I was taking one more look at a proposal by the CFPB to make reloadable general purpose prepaid cards subject to Regulation E. I just can’t make up my mind when it comes to the proper role of regulation and the prepaid card. On the one hand, as an advocate for credit unions, it makes sense that as prepaid cards provide consumers with almost all the same benefits they get from a traditional banking accounts and debit cards that these accounts be subject to the same regulatory requirements such as disclosures and overdraft protections. On the other hand, the growth in prepaid cards reflects, in part, a generational shift away from traditional banking. Like them or not, the availability of these cards in stores such as Walmart have provided access to financial products for a group of people who may have otherwise chosen to forego or at least delay entering traditional banking relationships.
My concern is that by making prepaid cards more like traditional accounts from a regulatory perspective, we run the risk of squelching innovation. Rather than imposing traditional account regulations on prepaid cards, let’s assume that in the aggregate your average consumer opting for the prepaid card knows what he or she is doing, and is willing to take the risk in return for a different kind of consumer product. After all, from a generational standpoint, millennials have seen what traditional banking can do to their parents. Who can blame them if they are not all that impressed.
NCUA Sues HSBC
HSBC became the latest investment bank to be sued by NCUA over its alleged failure to properly scrutinize mortgage-backed securities purchased by bankrupt corporates. This time, NCUA is headed to Manhattan Federal Court.
HSBC was a trustee for 37 trusts that issued residential mortgage-backed securities. As with almost all its other cases, NCUA is arguing that HSBC breached its fiduciary obligation to properly assess the quality of the mortgages it used to create these securities. As alleged in the complaint, “an overwhelming number of events alerted defendants to the fact that the trusts suffered from enormous problems, yet it did nothing.” Money recovered in these and other lawsuits after legal payouts will be used to reduce credit union costs related to losses to the Share Insurance Fund.
Typically, your faithful blogger likes to prepare posts first thing in the morning to provide you with the most up-to-the-minute information that is going to impact your credit union day. Today, I’m cheating. As you read this post, there is a good chance that I am still sleeping, having binged on a late night college hoop extravaganza. Later today, I will be playing poker with 25 fellow hooky players. I must be rested and sharp for such a day’s work.
Why am I telling you this? I just watched an Internet broadcast of yesterday’s NCUA board meeting and I couldn’t resist giving you my take on some very good news. In fact, I am as pleased as I would be if I got dealt a Straight Flush on the River.
In the latest example of how an infusion of new blood has given the agency enthusiasm for real mandate relief, the NCUA has decided to go forward with plans to eliminate the Fixed-Assets Cap. This cap currently limits federal credit union expenses for buildings, furniture, equipment – including computer hardware and software, and real property to 5% of a credit union’s shares and retained earnings unless they get a waiver. The really good news is that NCUA is proposing to far exceed its initial proposal made in July of 2014 and not only eliminate the cap, but do so without a requirement that credit unions submit a fixed asset management program (FAM).
When NCUA initially proposed eliminating the fixed asset cap, it coupled this proposed reform with a requirement that credit unions submit a highly detailed plan and mandating procedures to insure a board’s involvement in the project. Credit unions and associations, including NYCUA, argued that while they supported elimination of the cap in concept the FAM was so onerous that the proposed “reform” was of little value. Yesterday, the agency proposed doing away with both the cap and the proposed FAM. Instead, guidance will be issued to give credit unions and regulators a sense of when a credit union is taking on too much risk.
This means that NCUA should and will have the authority to question building plans, but that credit unions should be able to execute expansion dreams so long as they can justify them. In yesterday’s board meeting, NCUA’s Larry Fazio quoted the Gospel of Luke – I’m not kidding – for the following proposition:
“Suppose one of you wants to build a tower. Will he not first sit down and estimate the cost to see if he has enough money to complete it? For if he lays the foundation and is not able to finish it, everyone who sees it will ridicule him, saying, ‘This fellow began to build and was not able to finish.’(14:28-30).
Regardless of what your religious beliefs are, with or without a formal cap, NCUA always has had and always will have the authority to question building plans on safety and soundness grounds. NCUA may not be requiring credit unions to develop a detailed FAM, but credit unions should be able to demonstrate that they have thoroughly analyzed the cost and benefits of their project by, for example, doing cost projections. They also should be able to show that the board was actively involved in the building decision. Neither of these conditions are unreasonable and I would much rather credit unions be prepared to demonstrate how their projects reflect their unique needs instead of being required to comply with inflexible regulations.
The Board also decided to go forward with an amendment establishing a standard occupancy requirement. Under existing regulations, an FCU must partially occupy the buildings acquired for future expansion within three years and unimproved property within six years. NCUA is going forward with plans to require credit unions to partially occupy property within 5 years of its acquisition whether or not it is improved. NCUA is going to put these new changes out for a 30-day comment period.
On that note, enjoy the basketball and remember people who chase straights and flushes arrive on planes and leave on buses.