Posts filed under ‘Compliance’

MBL Proposal Will Only Be as Good as Its Guidance

The blog is going on its summer hiatus. I could say that I am using the upcoming week to help get the kids ready for school, but the truth is that with two fantasy football drafts to prepare for I need to take a break from analyzing credit union news and regulations to ponder really important questions like: Who will Green Bay’s primary receiver be this year? Are there any running backs worth drafting in the first round? And just how many weeks will Tom Brady miss?

But before I get started I wanted to remind you of NCUA’s proposed MBL amendments and why they are even more important than they appear to be.

In case you missed it, NCUA is proposing to give credit unions greater flexibility in making MBL loans. It is moving to what it describes as a principles-based approach under which the existing detailed mandates will be replaced with a requirement that credit unions actively engaged in making MBL loans, or that are over $200 million in assets, design and implement a broad range of policies and procedures addressing MBL lending. For example, the existing requirement that a credit union have at least one person with two years of experience underwriting its MBL loans would be replaced with a requirement that staff have experience directly related to the specific types of commercial lending in which the credit union is engaged. This is including, but not limited to, demonstrated experience in conducting commercial credit analysis and evaluating the risk of a borrowing relationship using a credit risk rating system.

Credit unions will be evaluated on the basis of “supervisory guidance to examiners, which would be shared with credit unions, to provide more extensive discussion of expectations in relation to the revised rule.” Which brings me to why this proposal is even more important than meets the eye: it will give both credit unions and the NCUA the opportunity to hash out once and for all the difference between supervisory guidance and regulations. Based on my reading of the case law, and keeping in mind this is my opinion, from a compliance standpoint there is no practical distinction between an agency’s interpretation of its regulation and a regulation itself.

For example, earlier this year the Supreme Court upheld the right of the DOL to issue an interpretation making mortgage originators nonexempt employees eligible for overtime. (Perez v. Mortgage Bankers Ass’n, 135 S. Ct. 1199, 1212, 191 L. Ed. 2d 186 (2015)). The mortgage bankers argued that this “interpretation” was an amendment to a rule which could only be changed after notice and comment. The Supreme Court said that a regulation is only amended when language is changed. As Justice Scalia commented in a concurring opinion, “[a]gencies may now use these rules not just to advise the public, but also to bind them. After all, if an interpretive rule gets deference, the people are bound to obey it on pain of sanction, no less surely than they are bound to obey substantive rules, which are accorded similar deference. Interpretive rules that command deference do have the force of law.”

Also remember that even when an agency interpretation is intended to give a credit union greater flexibility that same guidance gives examiners greater flexibility to determine if a credit union is acting properly.

Now don’t get me wrong. I’m not saying that NCUA isn’t genuinely interested in giving CUs greater flexibility. It is, and it deserves a tremendous pat on the back for its willingness to do so. But because the new MBL framework will only be as useful as NCUA’s guidance and examiner oversight, an ongoing dialogue with the agency is crucial. Everyone needs to be on the same page.

That’s why industry stakeholders, including the New York Credit Union Association, are urging NCUA to submit its MBL guidance to a formal notice and comment period. Doing so will help everyone understand just how much additional flexibility they have to make MBL loans. In addition, everyone has to understand that there will be bumps along the road. Adults have to be willing to sit around a table and talk out their differences.

On that note – see you next Tuesday as the blog marks its fourth anniversary.

August 27, 2015 at 9:08 am

What Can You Do About Those Late Credit Card Payments?

I am a firm believer in not making the same mistake twice; I prefer to make new ones instead.  In that vein, please do me a favor and double-check the way your credit union handles delinquent credit card accounts.

Late last week, a federal district court in Massachusetts ruled that American Airlines Federal Credit Union violated both the Truth in Lending Act and a similarly worded Massachusetts state law by seizing funds in the member’s account after she became delinquent on credit card payments due to the credit union.  A recurring question that the Association’s Compliance Department fields is just what steps credit unions can take to “offset” member funds when they fall behind on credit card payments.  The case provides a great opportunity for everyone to remember the basic rules and double-check their procedures.  (See Martino v. Am. Airlines Fed. Credit Union, No. 14-10310-DPW, 2015 WL 4920015, at *4 (D. Mass. Aug. 18, 2015)).

The most important thing to keep in mind is that the Truth in Lending Act extends added protections to credit card holders.  Consequently, if you want the option of claiming funds to recover delinquent credit card payments, there are several steps you must take ahead of time.  Fortunately, this is one area where the regulations are self-explanatory.

The best place to go is 12 CFR 1026.12(d)(2) and its official staff interpretation conveniently provided for us on the CFPB’s excellent website.  Most importantly, a credit card holder must affirmatively agree to a card issuer having a security interest to pay off delinquent credit card debts.  A technical but critical distinction is that the agreement must create a security interest, which defines with specificity the funds that can be accessed to pay off delinquencies.  For this security interest to be valid, the consumer must be aware that he is granting it.

There are three basic indicia to be reviewed in determining whether a consumer has been given adequate notice:

  1. Separate signature or initials on the agreement indicating that a security interest is being given.
  2. Placement of the security agreement on a separate page, or otherwise separating the security interest provisions from other contract and disclosure provisions.
  3. Reference to a specific amount of deposited funds or to a specific deposit account number.

Of these three indicia, perhaps the most challenging to implement involves referencing a specific amount of deposited funds.  In the American Airlines case, the court noted that courts are split as to how specific the reference language must be. In this case, the court held that reference to accessing “all” accounts is insufficient.  Instead, the credit union should have referred to a specific account number, or highlighted the full amount that could be taken in the event the security interest was executed.

So ends your compliance lesson for the day.  I hope you enjoyed your weekend.



August 24, 2015 at 9:03 am

Wednesday Potpourri

If at First You Don’t Succeed. . .

Visa and Target announced a settlement intended to compensate card issuers for the high profile data breach of the Minnesota retailer that compromised an estimated 40 million debit and credit cards. The price tag is reportedly $67 million. The agreement comes months after issuers, including credit unions, scuttled a proposed $19 million settlement with MasterCard. NAFCU’s Carrie Hunt is quoted in the WSJ: “This settlement is a step in the right direction, but it still may not make credit unions whole.”

Stay tuned. This will be an interesting issue to keep an eye on in the coming weeks as the specific terms are analyzed.

Foreclosures in New York: Alive and Well

NY’s foreclosure problems are far from resolved, especially in NYC’s suburban communities, according to State Comptroller Thomas DiNapoli, who has the numbers to back it up. Between 2006 and 2009, the number of new foreclosure filings jumped 78%. They leveled off in 2011, hitting a low of 16,655, but shot up again. Filings climbed to 46,696 by 2013 before edging back to 43,868 in 2014, still well above pre-recession levels, according to the report.

By the end of 2015, there were over 91,000 pending foreclosures with Long Island and the Mid-Hudson accounting for a disproportionate share. The four counties with the highest foreclosure rates are all located downstate: Suffolk (2.82 percent, or one in every 35 housing units), Nassau (2.47 percent, or one in every 40 housing units), Rockland (2.26 percent, or one in every 44 housing units), and Putnam (2.10 percent, or one in every 48 housing units). Counties in Western New York and the Finger Lakes regions, in contrast, tended to have lower pending foreclosure rates and decreasing caseloads.

The good news is that these numbers most likely represent a backlog of delinquencies rather than a further deterioration of economic conditions. The Comptroller reports that there are fewer foreclosures at the beginning of the process while activity at the end of the process (notices of sale, notification that the property has been scheduled for public auction) is accelerating.

The backlog of foreclosures reflects not only the aftershocks of the Great Recession but also the inevitable result of a foreclosure process that is hopelessly byzantine and invites delay. Maybe there will be a grand bargain in which state policymakers take steps to expedite foreclosures in return for lenders having to comply with one of the nation’s most onerous and lengthy foreclosure processes. In the meantime, I’m curious if the trends persisting in New York began to spread nationally thanks to the adoption of New York style regulations on the national level. Here is a link to the report.

Time Extended for Two-Cents on Online Lenders

You have more time to sound off about the extent to which online marketplace lenders should be regulated if you are so inclined. The Treasury has extended until September 30th the deadline for responding to its Request for Information on the proper regulation of online lenders. The RFI asks a series of questions related to companies operating in three general categories of online lending: (1) balance sheet lenders that retain credit risk in their own portfolios and are typically funded by venture capital, hedge fund, or family office investments; (2) online platforms (formerly known as “peer-to-peer”) that, through the sale of securities such as member-dependent notes, obtain the financing to enable third parties to fund borrowers; and (3) bank-affiliated online lenders that are funded by a commercial bank, often a regional or community bank, originate loans and directly assume the credit risk.

Are these flash-in-the-pan industries that will fold with the next economic downturn or innovative disruptors of the banking model? If they are the latter, they may hit credit unions particularly hard. According to the Treasury, small businesses are already more likely than their larger peers to go online for their products and services. Online lending may provide them with a means to quickly access the cash that traditional lenders are reluctant to provide them during economic downturns.

August 19, 2015 at 8:53 am

Are You The King Of Your Cyber Security Domain?

That is the question posed by a tool that the FFIEC, an organization of federal bank regulators including the NCUA, released late in June. It is currently available on NCUA’s website. I would strongly suggest your credit union go through the process for assessing its cyber risk outlined by the FFIEC. When it comes to protecting against hackers, the areas the regulators want examined are areas you either have already examined or had better start examining.

The FFIEC defines Cybersecurity as the process of protecting consumer and bank information by preventing, detecting, and responding to attacks. What the FFIEC is attempting to do with this assessment tool is prod institutions of all sizes into adopting a standardized approach to periodically reviewing the likelihood that they will be attacked and consider whether they have the appropriate level of resources to deter and defend against such an attack. It’s similar to what credit unions are already expected to do as part of assessing their BSA risks and the Red Flags of Identity Theft, only this assessment is intended to zero in specifically on Cybersecurity. The key is not only doing the assessment but making sure it is periodically reviewed. After all, cyber threats evolve almost as quickly as Donald Trump can find a new group of people to insult and your credit union is dealing with more and more technology.

How do you ascertain your credit union’s Inherent Risk Profile? By reviewing and ranking your credit union’s technologies and connection types (e.g. the number of Internet Service providers and third party connections); delivery channels (e.g. do you provide person to person transfers or do all cash transactions have to be facilitated by a teller?); its mobile and online products and services; organizational characteristics (e.g. how many direct employees and third party providers can access your IT system); and its external threats (e.g. the number of attempted and successful cyber-attacks). You then give each one of these categories a risk level ranging from lowest to highest risk faced by your credit union.

Once you create the risk profile, you assess your credit union’s “maturity” or sophistication in five areas of Cybersecurity. These areas are 1) Cyber Risk Management and Oversight; 2) Threat Intelligence and Collaboration; 3) Cybersecurity Controls; 4) External Dependency Management; and 5) Domain Cyber and Incident Management and Resilience.

According to the FFIEC, it is not concerned with an overall aggregate score. What it wants financial institutions to do is assess whether they are properly aligning their resources. For example, a credit union that is large enough to house its own technology doesn’t need as sophisticated a system for overseeing its “external dependency management” as does a credit union that outsources all its technology. In contrast, a credit union that oversees its own hardware needs a dedicated staff of IT professionals.

If you think your credit union is too small to worry about conducting this assessment, you are out of luck. The tool is intended for use by both big and small credit unions, a point underscored by NCUA’s Office of Small Credit Unions when it hosted a webinar on the basics of Cybersecurity that provided a preview of the tool and how credit unions could use it to strengthen their Cybersecurity.

Using this tool makes sense. An online survey conducted by NCUA as part of the Cybersecurity webinar revealed that only 52% of the participating credit unions had a cyber-security policy. It’s time to put one in place and this assessment can help. If your credit union already has a Cybersecurity protocol, then answering the questions being posed by the regulators should not be that difficult.

August 13, 2015 at 8:57 am

Banker Hypocrisy And Municipal Deposits

One of the first arguments the banks regurgitate in opposition to municipal deposit legislation is that tax dollars shouldn’t go to institutions that don’t pay taxes.  First, we all know that credit unions do pay taxes; but, more importantly for this post, banks have never quite explained why their for-profit tax status automatically makes them better protectors of the public Fisc than credit unions.

That question is worth asking the Legislature next year in light of the New York Bankers Association’s successful efforts to keep New York City from scrutinizing the community investment performance of banks holding the City’s deposits. On Monday, a federal court ruled that a NYC ordinance mandating that banks holding or wishing to hold municipal deposits be subject to a local review of their investment activities was preempted by federal law and could not be enforced. (The New York Bankers Association, Inc., v. The City of New York, 15 Civ. 4001).

The Responsible Banking Act had its roots in the worst days of the Great Recession.  NYC council members grew frustrated by the juxtaposition of mounting foreclosures and shoddy banking practices even as billions of dollars of public money was being deposited into banks for safe keeping.  The bill established an advisory board that would report on how well banks were doing meeting financial benchmarks.  The report would be used in evaluating institutions wishing to hold municipal deposits from the City.

To be fair, the information the advisory board was seeking was much more extensive than what needed to be supplied under the Community Reinvestment Act.  For example,  the banks were to be evaluated on  how they addressed serious material and health and safety deficiencies in the maintenance and condition of their foreclosed property; developed and offered financial services needed by low and moderate income individuals throughout the city, and how much funding they provided for affordable housing.

Mayor Bloomberg hated the bill so much that he vetoed it and refused to appoint members to the advisory board after his veto was overridden. When Mayor de Blasio was elected, he embraced the idea and the advisory board came to life. It was time to call in the lawyers.

In arguing against the legislation, the Bankers Association argued that both Federal and State law preempted the ordinance.  They pointed out that the Community Reinvestment Act was intended to establish the framework for nationally chartered banks to be assessed for their community works.  On the state level the Banking Law gave the Department of Financial Services  broad powers of regulation to control and police the banking institutions under their supervision.

In response, the City argued that it was not regulating bank activity; but simply carrying out a proprietary function.  It should be able to establish its own standards for deciding who gets the city’s money the same way it gets to decide what companies are awarded city contracts.  It also argued that the activities undertaken by the Advisory Board were “purely informational.”  Its findings were not binding on anybody deciding where the money should be placed.

Southern District Judge Katherine Polk Failla ruled in favor of every major issue raised in opposition to the bill concluding that “the RBA’s very structure secures compliance through public shaming of banks and/or threatening to withdraw deposits from banks that do not provide information to the CIAB. The Court sees no reason why regulation through coercive power, rather than by explicit demand or stricture, should be immune from preemption scrutiny.”

While the lawsuit may have solved the immediate legal problem facing banks, it doesn’t change the fact that banks didn’t do enough in return for their public bailout. Nor does it change the fact that there are local leaders who feel that banks still don’t do enough for the communities in which they operate. Giving localities the ability to work with credit unions, which by their very structure invest in the communities in which they operate, would be a perfectly legal way of ending the banker monopoly and perhaps make these banks more responsive to local concerns.

Epilogue: A Failure to Communicate?

NCUA officials have fallen into the habit lately of making bold statements one day that have to be clarified the next. First, we had Chairman Matz’s clarification of her Congressional testimony that credit union CEOs aren’t representing their members when they advocate for budget hearings. Yesterday NCUA felt the need to clarify to the CU Times its position on how much information the public is entitled to about the Overhead Transfer Rate methodology following the release of a letter from its General Counsel to NASCUS on that very subject (see yesterday’s blog). I think it’s fair to say that NCUA is suffering from some communication problems.

The article quotes Board renegade Mark McWatters, who is emerging as a much needed voice of reason, as saying that “The agency will make the final determination as to the calculation of the OTR and I see no harm in subjecting the agency’s OTR methodology to public comment as a proposed rule under the APA.” Here is a link.


August 12, 2015 at 8:47 am

The Case of the Bitcoin, the Credit Union and AML

In her recent appearance before Congress, Chairman Matz was asked which regulations she gets the most complaints about from credit unions. Her answer was the Bank Secrecy Act.

I think there are two reasons for this. First, most people have better things to do with their time than memorize the regulatory alphabet. So when they are asked by a regulator what regulations most harm their credit union, the one everyone seems to remember is the BSA acronym. A second, more substantial reason is that smaller credit unions don’t see the value in imposing the same regulatory framework on their smaller operations as is imposed on the largest banks and credit unions.

The second point has a certain facial appeal, but the reality is that technology has blurred the line between big and small financial institutions. When it comes to BSA, there really are no small credit unions. Those of you who think I am overstating the case should pay attention to a case brought by the U.S. Attorney for the Southern District of New York. It demonstrates why small financial institutions are becoming increasingly attractive and vulnerable targets to tech savvy criminals seeking a place to hide their criminal activity. Plus, it actually reads like a pretty good movie script.

In 2013, bank accounts were opened in the name of the Collectables Club. It claimed to be a members-only association of collectable and trading enthusiasts dedicated to discussing collectible items such as cars, coins and stamps. A small fee was charged to everyone who wanted to join. In fact, the Collectables Club was a front for an illegal Bitcoin exchange called Coin.Mix, which facilitated the exchange of money for Bitcoins. This was illegal both because it was operating as an unlicensed Bitcoin exchange and because its operators knew that the exchange was being used to launder criminal proceeds. For example, one customer who wanted to transfer $100,000 into the account was told to stop the transfer and instead wire most of the money to an account in Bulgaria. An email quoted by the complaint explained that “we hope you understand the concerns. If the US wasn’t so damned screwed up about this stuff, we wouldn’t have to deal with this.”

Remember that the Bitcoin is particularly attractive to criminals because it is almost impossible to trace. Electronic “coins” are transferred computer to computer over the Internet. According to the complaint, thousands of incoming deposits in varying amounts used these accounts to make payments in Bitcoins.

Business was apparently going well. In late 2014, the creators of the illegal exchange took control of a 107 member credit union in New Jersey with no full time employees in order to process ACH transactions. The complaint’s not clear as to how this control was achieved, but the Bitcoin operators took control of the board. When the NCUA learned that this low-income credit union was suddenly engaged in a high volume of ACH processing, specifically $30 million in transfers a month, it became suspicious and stopped the credit union from continuing to offer these services. It also required the credit union to remove the new board members.

A couple of quick points. Press reports have highlighted the fact that the exchange controlled a credit union. The facts, however, demonstrate that the criminals were able to utilize both a traditional bank account and a credit union to facilitate their illegal activity. Secondly, the system worked. NCUA recognized the red flags and took actions to shut down the operation. Thirdly, some credit unions have turned to money service businesses as an attractive source of income. When they do so, they must understand that they take on heightened due diligence responsibilities. When one credit union is used for money laundering, the reputation of the entire industry can suffer. Finally, there is no such thing as a small credit union when it comes to money laundering. It is now as easy for criminals to plug into the financial system using a credit union in New Jersey or a bank account in Florida as it is to open a bank account in mid-town Manhattan.

August 5, 2015 at 8:37 am

What Concerns Me Most About TRID Compliance

What concerns me most about the integrated disclosure requirements that take effect in October isn’t the new disclosures or the timeline for providing them, as troublesome as they are. No, what concerns me most about TRID is encapsulated nicely in a headline in this morning’s American Banker: “Realty Agents, Builders Clueless about New Mortgage Disclosures.”

Why does this concern me? Because to correctly and cost effectively implement TRID, your credit union must establish a new framework for dealing with third parties ranging from real-estate agents to mortgage brokers, all of whom must understand that the mortgage world has fundamentally changed. If they understand why new procedures are being put in place, you can get on with mortgage lending. If you don’t get their buy-in, then you can bet that they will blame you for every inevitable bump along the mortgage road and your credit union’s reputation will unfairly suffer.

For example, I’m sure many of you know that TRID generally requires a  closing disclosure to be received three business  days before a mortgage loan is consummated.  What happens if your member’s real estate agent doesn’t know this or doesn’t care? The first time one of her clients has a closing delayed she will start looking for other lenders to whom she can refer clients.

What about the erstwhile closing attorney whom you have used for years? You have always strived to accommodate his schedule. His last second rushes to get closing disclosures to you are office legend. At the end of the day his closings take place and we all live happily ever after.

In the post-TRID  world  the attorney can no longer drive the ship.  If he doesn’t get the closing material to you on time the closing can’t take place.  This means that you have to reassess what can and should be done by the credit union’s staff.  In addition, you should not assume that your closing attorney has had the time to dissect TRID and fully understands its practical implications.  Amendments to your retainer agreements may even be in order so that the attorney is on the hook for the cost of closing delays caused by his tardiness.

What about the appraiser and title agent your credit union always recommends? The new early disclosures have even stricter rules about when and by how much the price of a service disclosed on the Loan Estimate can vary from the amount ultimately charged the member in the Closing Disclosure, depending on how closely you work with your third-party service providers. For instance, if you require members to use a specific appraiser, then the amounts disclosed on the initial Loan Estimate and the amount charged on the Final Disclosure can’t vary. There is a bit more disclosure flexibility provided to lenders who permit your mortgage applicants to shop for settlement services (§ 1026.19(e)(1)(vi)).

But no matter what approach you take, the onus is on you to put your providers on notice that the days of increased charges for unexpected glitches are over. As the Bureau recognized in the TRID preamble, a “creditor originating a loan in a geographical area with which it is unfamiliar may have less familiarity with the mortgage market in that area, but the Bureau believes that the creditor nonetheless has better access to information than the consumer about settlement service providers in the geographical area.”

Here are just three examples of how simply educating your lending staff about TRID does not go far enough. Real estate agents don’t care about compliance as much as they do about closing the deal; they are going to recommend the originator that can close the quickest. Vendors want to be paid for the work they perform and lawyers don’t like to be told how to do their job. By explaining how the new rules impact your credit union’s obligations, you may avoid a race to the bottom in which third parties give their business to the mortgage lender most willing to bend the rules.

Happy Days Are Here Again?

As an unabashed member of the “Glass is Half Empty Club” when it comes to the economy, I’m not all that surprised by the latest economic news as summarized by the WSJ: “Personal spending, which measures what consumers spend on everything from doughnuts to dishwashers, rose 0.2% from a month earlier, the smallest gain since February, the Commerce Department said Monday. In May, spending rose a revised 0.7%.” In addition, personal income grew a less than inspiring 0.4%.



August 4, 2015 at 9:28 am

Authored By:

Henry Meier, Esq., Associate General Counsel, New York Credit Union Association
