Posts filed under ‘Compliance’

Do Vacation Policies Help Prevent Fraud?

In 1996 New York’s Banking Department issued a guidance strongly encouraging financial institutions to mandate two weeks of consecutive vacation for employees holding sensitive positions.  Its rationale was that two weeks would provide adequate time to uncover malfeasance on the part of employees who would not be able to cover up their mismanagement away from the office. 

It seems that for about as long as the policy has been in existence, state chartered credit unions and banks have argued that the guidance is an outdated relic of a bygone era which needlessly burdens financial institutions and does little to accomplish its laudable goal of detecting insider abuse. 

So yours truly was pleased to see that on January 4th DFS issued this request for information seeking feedback from financial institutions about potential changes to this guidance.  The Association has already talked to some of our state charters and will certainly be commenting to the DFS as it considers changes. 

Just rereading the guidance demonstrates how outdated it truly is.  For example, it explains that mandatory vacation policies should apply to “… those officers and employees involved or engaged in transactional business or having the ability to change the official records of the institution. This policy should also cover all other staffers who are capable of influencing or causing such activities to occur.”

Suffice it to say that a lot has changed since 1996.  Many of us still did not know what the internet was, let alone conceived of online banking.  It was 11 years before Steve Jobs introduced the iPhone!  And today, average consumers can electronically deposit checks and expect almost immediate access to their funds.  As a result, virtually every employee can, on some level, be considered a key employee who holds a sensitive position and a fraudster can do in a matter of minutes what used to take two weeks. 

The NCUA manages to address the same issues that New York addresses without adopting a stringent two week requirement.  It’s time DFS follows suit.  The existing guidance hinders both big and small institutions. 

January 20, 2022 at 9:22 am

Use This Flexibility While You Have the Chance

Yours truly has been under the weather, but now that I’m back in the saddle, there’s a lot to talk about. 

My sleeper pick for the most important regulatory amendment that no one is talking about is the NCUA’s decision to extend for another year the increased flexibility given to credit unions during the pandemic to purchase eligible obligations and loan participations. 

Loan participations, which allow credit unions to purchase parts of loans they did not originate, and eligible obligations, which permit credit unions to purchase entire loans, provide an essential means of liquidity for the industry.  When used properly, they allow credit unions to avoid excessive concentration risk by selling all or portions of some loans and permitting other credit unions to get into the action by purchasing these loans. 

There are, of course, important restrictions on both of these products.  First, when it comes to loan participations, federal regulations limit the amount of participations that can be purchased from any one lender.  Secondly, when it comes to eligible obligations, the borrower must either be a member of the purchasing credit union or the loan must be refinanced within 60 days of purchase so that the borrower is a member. There are exceptions to this rule for qualifying credit unions purchasing the assets of liquidating credit unions. 

Let’s not forget that in March 2020 the economy was put into a self-induced economic coma.  The NCUA responded by, among other things, temporarily raising the maximum aggregate amount of loan participations that a FICU may purchase from a single originating lender to the greater of $5,000,000 or 200% of the credit union’s net worth and temporarily suspending certain limitations on the types of eligible obligations that a FICU may purchase and hold. In one of its last acts of 2021, the Board concluded that the continued economic uncertainty justified continuing these regulations for another year.  This conclusion has already been vindicated as the economy continues to produce contradictory smoke signals on a weekly basis. 

These temporary amendments provide potential benefits that go beyond the immediate economic situation.  The existing eligible obligation regulations are too restrictive now that more and more platform lenders are getting into the business of facilitating loan participations and eligible obligations.  While the explosion of these services offers expanded opportunities, particularly for smaller credit unions looking for a way to use all those deposits, credit union membership requirements continue to place restrictions on the use of these platforms by the industry.  By extending flexibility for another year, credit unions can further demonstrate that traditional regulations are needlessly restrictive and actually inhibit safety and soundness.

On that note, stay warm and enjoy your day.

January 10, 2022 at 9:31 am

RBC Reg Highlights End of Year Conclave

Like all those college kids rushing to get their term papers in, even though they had the entire semester to work on them, the NCUA Board’s last meeting of the year included the approval of next year’s budget, and a range of regulations dealing with subordinated debt, mortgage servicing rights and risk based capital.  The risk based capital (RBC) regulation is the one I find the most intriguing. 

First, for those of you nowhere near $500M in assets, you do not have to worry about a word of what I am about to say.  Since 2013, NCUA has worked on developing an enhanced RBC framework for federally insured “complex credit unions.”  The rule was originally finalized in 2015.  This has been quite the saga.  Along the way, we have seen debates over what constitutes a complex credit union, the legal authority for NCUA to implement this framework, the policy rationale of its supporters, and ultimately, when it should take effect.  I am here to report that all these debates are finally over.  Starting on January 1, 2022 the RBC rule will take effect.

This is big news in itself.  This means that federally insured credit unions with $500M or more in assets must either abide by the RBC framework or opt in to a complex credit union leverage ratio (CCULR) which the NCUA just approved yesterday.  Under this alternative framework, credit unions otherwise subject to the RBC requirement will have to meet increased capital requirements of 9% or more.  Effectively, NCUA is giving complex credit unions the option of either complying with the enhanced RBC framework or stashing away more capital.  Of course, this is a simplistic overview and someone on your team should be taking a break from holiday merriment to go over the nuances of this new framework as well as assess the impact that last second changes to some of the risk ratings could have on your credit union.

What surprises me so much about yesterday’s announcement is not that this regulation was finalized but that NCUA is so determined to get the RBC framework up and running that it is going to take effect without a further delay.  Keep in mind, however, that your credit union is not bound by its initial decision.  You can opt in and out of the competing frameworks on a quarterly basis.

On that note, yours truly must get on with the rest of his day.  I still can’t believe that Christmas Eve is next Friday.  Don’t tell my wife I haven’t gotten her present yet.

December 17, 2021 at 9:20 am

NCUA’s Shared Service Rule Is a Potential Game Changer

Yesterday the NCUA gave final approval to a regulation that will make it easier for credit unions of all shapes and sizes to provide services to their members. In fact, it could be one of the most important regulations the NCUA has passed in years. Here’s why:

Credit Unions across the country participate in shared branching networks, such as New York’s UsNET, which permits members belonging to a credit union within a network to perform banking services at any of the network’s branches. For example, my sister on Long Island uses the network to deposit her paycheck at an affiliated branch saving her extra drive time. Under existing regulations, multiple common bond credit unions can use these networks to satisfy shared facility requirements provided that they are an owner of the network.

Under the changes approved yesterday, these credit unions will now be able to satisfy branching requirements so long as they participate in the network. This is a potential boon for smaller credit unions which now have a cost-effective means of expanding services to more groups. Joining a shared branching network is as simple as signing a contract. Even if your credit union doesn’t plan on expanding, it’s a great service to offer your membership.

The regulation isn’t a complete slam dunk for the industry.  The board dropped plans to permit credit unions to satisfy branching requirements in underserved areas by allowing members to access an ATM. The final regulations clarify that shared branching facilities in underserved areas must allow members to make deposits and withdraw funds.

Aside from the practical benefits of the new rule, the new framework is one of the best examples I’ve seen of the credit union industry harnessing its combined resources to benefit the industry as a whole. I continue to be befuddled as to why the industry doesn’t do more to pool its resources together. You may say that I’m a dreamer, but like John Lennon, I still hope for a day in which credit unions maximize their bargaining power and back office synergies by adopting a standard core operating system.  (By the way, thinking of John Lennon made me think of that awful Christmas song he sings with Yoko Ono; I’d rather listen to fingernails scratching a chalkboard, but I digress.)

On that note, enjoy your weekend.

November 19, 2021 at 9:28 am

Fast And Furious: New COVID Guidance

Remember how in early July we were deluding ourselves into thinking that we were fast approaching a post-COVID nirvana in which we could all frolic freely without needing face masks, debating vaccine mandates or worrying about holding backyard barbecues?

Fast forward to mid-November and regulators are adjusting to a world in which COVID is a chronic condition and we have to adjust to this new normal. For credit unions in general, and compliance folks in particular, this means updating policies and procedures to make sure that you are keeping up with the latest COVID inspired dictates. Here are some of the latest developments I’ve spotted over the last week and a half:

  • The NCUA announced that it was extending the authority of federal credit unions to hold meetings remotely provided they have adopted the appropriate bylaws and send the appropriate notices to their membership. Remote flexibility is one of the good things to come out of the pandemic and I for one am glad to see that credit unions can continue to take advantage of this common sense measure.
  • Federal regulators, including the NCUA, recently announced that mortgage servicers were no longer going to be given a “get out of jail free card” when it comes to complying with RESPA’s mortgage servicing rules.

    In April of last year the same group of regulators issued a joint statement explaining that, “the current crisis could cause temporary business disruptions and challenges for mortgage servicers, including staffing challenges.” As a result, the regulators announced that they were giving servicers greater flexibility to comply with Regulation X. The same group of regulators now feels that the adjustment period has ended. The other day they announced that “servicers have had sufficient time to adjust their operations… agencies will apply their respective supervisory and enforcement authority to address any non-compliance with Regulation X”.  This one is a bit of a head scratcher to me because I could swear there is still plenty of evidence that staffing shortages persist and that members are still in need of enhanced forbearance assistance.  At least according to the CFPB.

  • Never to be ignored, on October 28th New York’s Department of Financial Services issued its own guidance detailing its continuing expectations for mortgage servicers to work with consumers impacted by the pandemic. The guidance also encouraged servicers to participate in a new program being unveiled to provide financial support for eligible borrowers. I will have more about this program in the coming days.

On that note, visualize your post-COVID happy place and get to work.

November 16, 2021 at 9:24 am

Suing for Consumer Debts Just Got More Complicated

It’s been a busy week for yours truly, but I wanted to give you at least one piece of important information before the weekend.  Suing to collect consumer debts in New York State is about to involve a heck of a lot more procedural hurdles.  Those of you who sue to collect these debts should be setting up a phone call with the law firm you use and discussing what additional steps will need to be taken in the debt collection process. 

Let’s start with the basics.  Section 105(1)(f) of New York’s Civil Practice Law and Rules defines a consumer credit transaction as a “transaction wherein credit is extended to an individual and the money, property, or service which is the subject of the transaction is primarily for personal, family or household purposes.”

A2382/S153 (Weinstein/Thomas) has been germinating in the legislative hopper since at least 2009.  Its overriding goal is to reduce perceived abuses in the debt collection process involving consumer credit transactions.  The bill generally does this by reducing the statute of limitations to bring such actions from six to three years; ensuring that consumers receive extensive notices explaining that they are being sued; and providing them resources with which to defend themselves against such claims. 

How much it directly impacts your credit union’s operations will depend in part on your credit union’s existing record keeping processes.  For example, Rule 3016 of the Civil Practice Law and Rules is amended by adding a new section (j) addressing these lawsuits to require that the complaint include a copy of the contract upon which the action is based or, in the case of revolving credit accounts, the charge off notice.  In addition, the member must be informed of the original creditor.  This last requirement might not seem like a big deal, but since credit card accounts, like mortgage loans, are often sold in bulk to third parties, it may not be as easy to find the original creditor.  My guess is that this new law will trigger increased emphasis on chain-of-custody record keeping for consumer loans.

Parts of the bill take effect immediately, but other sections are phased in over the next six months. 

On that note, have a good weekend.  I will be celebrating my eldest daughter’s 19th birthday.  Incidentally she has already contributed to the credit union movement by transcribing the occasional blog.

November 12, 2021 at 9:38 am

What OSHA’s Vaccine Standard Means For Your Credit Union

It’s here! OSHA’s Emergency Temporary Standard mandating that businesses with 100 or more employees establish vaccination or regular testing policies, a regulatory pronouncement that has been more eagerly anticipated than a red wagon on Christmas morning, now starts the clock on additional workplace requirements. 

Here are some of the highlights after my initial review of this regulation:

  • Most importantly, this only applies to those of you with 100 or more employees. That being said, however, OSHA is accepting comments on whether or not it should extend this mandate to smaller employers.

If your credit union has determined that it is going to comply with the Executive Order mandating that employees of all federal contractors be vaccinated, then it does not have to comply with this regulation. However, NCUA has never taken the position that credit unions are federal contractors simply because they accept share insurance. I will provide further details on why I think this is so important to your credit union’s vaccination decisions in an upcoming blog.

  • This mandate does not apply to everyone. The preamble makes it clear that it does not apply to employees who work “exclusively” from home. In addition, remember that even with OSHA’s mandate, employees still get the protection of federal law when it comes to religious accommodations and the ADA.

This morning, I’ve already heard some mischaracterizations regarding precisely what is now mandated.  

  • Employers can mandate that all their workplace employees get vaccinated; mandate that all their employees either get vaccinated or get weekly COVID-19 tests; or have a policy which mandates that some employees get vaccinated while others either provide proof of vaccination or weekly COVID tests.

In other words, you can make distinctions based on how isolated an employee’s job is. If you choose to allow employees to undergo regular testing those employees must agree to wear facemasks in the workplace.

If you choose the ongoing test option, the regulation does not mandate that the employer will cover the cost. It does not, however, preclude state law from mandating employer coverage.

Regardless of what policy you choose to adopt, you must obtain and maintain records on the vaccination status of all your employees. There are specific protocols you should follow for securing this information and this is one of the issues you should be sure to address with your HR attorney.

  • Employees must provide you with documentation of their coverage. In the event that an employee insists they have been vaccinated but cannot provide adequate documentation, there is the option of having them sign an affidavit. However, this is not a loophole. The specific language in the affidavit is specified in the regulation and puts the signer on notice that if they are lying they are violating federal law.

The clock has started to tick.  You now have 30 days to put a policy in place and 60 days to start the mandatory testing if you choose to go that route.  Let the lawsuits begin!  I sure do hope this is the year I get my red wagon.

November 5, 2021 at 9:05 am

New York Imposes Notice Requirement To Aid Visually Impaired Borrowers

Starting on November 7th, creditors, including credit unions, will now have to notify borrowers taking out consumer loans that they are entitled to receive written communications in alternative formats chosen by the creditor such as large print, braille, and audio compact disks, and provide a phone number that the consumer may call to make such a request.  The statute indicates what information should be included in this disclosure. 

S737 applies to any debt arising in any transaction involving money, property, or insurance for personal, family, or household purposes. It was signed by the Governor on October 8th.  Under this new requirement, notice of potential accommodations must be provided in the initial communication with a new borrower. 

A couple days ago I talked to a member of the Fellowship Of Astute Compliance People in New York State and he was not overly concerned about this new mandate. He was going to comply with it by informing individuals of this right in the welcome package that mortgage borrowers receive. I would take a similar approach with other types of consumer loans. 

On that note, enjoy your day.

November 4, 2021 at 9:16 am

Is Your Credit Union Impacted By New Security Standards?

I have some good news and some bad news for you this morning. The good news is that the regulation I’m about to talk about does not apply to your credit union. The bad news is that it might apply to your credit union’s CUSO. 

Yesterday the Federal Trade Commission (FTC) finalized regulations imposing enhanced requirements on financial institutions under its jurisdiction to implement information security programs. For example, the new regulations require, among other things, that entities designate an individual responsible for implementing and overseeing their data security program; develop procedures to ensure that the board of directors is periodically informed about data security developments; perform risk assessments that identify the entities’ data security vulnerabilities; implement dual-factor identification; and perform penetration testing to guard against third party intrusions. 

Nothing in these new requirements should come as a surprise to anyone reasonably aware of existing industry standards for data security, particularly if you are an entity subject to New York’s cybersecurity regulations. In fact, the really shocking thing is how many businesses are not currently subject to these baseline requirements. This is why both CUNA and NAFCU were generally supportive of these proposals. 

But your compliance team is not completely out of the woods. There are some CUSOs such as mortgage bankers which are subject to these requirements. And NCUA is likely to expand the type of activity in which CUSOs could engage. This is important because while federal law explicitly exempts the subsidiaries of national banks from the FTC’s oversight, no such provision is explicitly made for credit union CUSOs. As a result, you should review these regulations, assess the extent to which they could impact your CUSO, and update your policies and procedures accordingly.  

On that note, enjoy your weekend and I’ll be back on Monday. 

October 29, 2021 at 9:17 am

DFS Issues Cyber Security Guidance For Affiliates

Yours truly has a busy day today but I wanted to take a break from my ark building to give you a heads up about cyber security guidance issued by New York State yesterday evening.

Pursuant to 23 NYCRR part 500, New York State imposes baseline cyber security requirements on entities licensed or chartered by New York State’s Department of Financial Services. In this guidance, DFS provides further clarification about the obligations of covered entities that rely on affiliates to comply with these regulations. The guidance should be reviewed by any New York State licensed CUSO which relies on a federally chartered credit union to meet New York State’s requirements.

For example, the guidance notes that while it is acceptable for covered entities to rely on affiliates, a covered entity “may not delegate responsibility for compliance with the Cybersecurity Regulation to an affiliate.” This means that DFS must be given access and the authority to review an affiliate’s cyber security program even if an affiliate is not directly regulated by DFS. For example, a federally chartered credit union is not subject to these regulations, but to the extent a CUSO is relying on a federal charter’s cyber security, DFS must be given the right to review this program.

I’ve read it a few times now and there is nothing in this guidance that should surprise anyone. While any credit union can utilize third parties and vendors for a variety of functions, you can never outsource your credit union’s ultimate responsibility to comply with relevant regulations.

On that note, enjoy your day and remember that all this rain may turn to snow in a few weeks.

October 26, 2021 at 8:45 am

Authored By:

Henry Meier, Esq., Senior Vice President, General Counsel, New York Credit Union Association.

The views Henry expresses are Henry’s alone and do not necessarily reflect the views of the Association. In addition, although Henry strives to give his readers useful and accurate information on a broad range of subjects, many of which involve legal disputes, his views are not a substitute for legal advice from retained counsel.