Posts filed under ‘Compliance’

What despots can teach us about student branching

Say what you want about your most successful despots and dictators, they are almost all keen observers of the human condition. Take for instance Lenin, who once explained, “Give me four years to teach the children and the seed I have sown will never be uprooted.”

He is onto something that should serve as a reminder/wake-up call to your credit union about the importance of engaging kids in the financial system. It’s good for the kids and good for business. It’s good for the kids because the sooner people start learning that money doesn’t magically grow in Daddy’s wallet, but almost as magically via compound interest, the better off they will be. It’s good for business because brand loyalty starts to develop early. Today’s seven-year-old with his two-dollar deposit may very well be the erstwhile member who turns to the credit union for her first mortgage twenty years from now.

So I was happy to see that the NCUA joined with other financial regulators in issuing a joint guidance on school branching. I’ve always been a little surprised by how little legal guidance is actually available on the topic, so anything is a step in the right direction. The Guidance does a good job of explaining how federal laws can be complied with in a school setting. That being said, NCUA could have done a much better job in the Guidance of answering some of the basic questions as well as highlighting its own resources.

For instance, where exactly do federal credit unions get the right to conduct banking activities on school grounds anyway? According to the Guidance, the development of financial literacy programs is consistent with the mission of credit unions to promote thrift. It explains that “Applicable state law and the appropriate state supervisory authority determine branch application requirements, if any, for state-chartered credit unions.” It is odd to me that NCUA didn’t also reference that federal credit unions have the right, but not the obligation, to accept minors as members.

For state-chartered credit unions interested in providing branching services, you have to start with your state law. For instance, in NYS a state-chartered credit union may open up a student branch with the approval of a school’s governing body. N.Y. Banking Law § 450-b (McKinney). Membership is available to all the kids.

Does this mean that credit unions can offer normal branches on school grounds? This part of the blog is just my opinion, but the answer is no. NCUA authorizes federal credit unions to offer student branches in order to promote thrift. NYS law specifically defines a student branch offered by state charters as “pertaining to the in-school services and financial education offered to students.” There has to be an educational component to your student branching activities. After all, how is an FCU promoting thrift by students, or a NY CU helping to educate students, if they just happen to go to a school with a branch?

I think credit unions would be well advised to follow one of the criteria used by banking regulators when approving banking activities on school grounds. Specifically, branch applications on school grounds are not required for banks when:

“The principal purpose of the financial literacy program is educational. For example, a program is educational if it is designed to teach students the principles of personal economics or the benefits of saving for the future and is not designed for the purpose of profit-making.”

What form would that education take? That might include getting students to help run the branch or having employees come in to talk about how the credit union works, but it does mean that these are not normal branches.

Another Guidance oversight is that it didn’t reference an informative 1999 NCUA opinion letter on student branching in which it answers these practical but important questions:

How do we show the accounts on the FCU books?

Should the accounts be in the student’s name with parent co-signing?

Should the accounts be in parent’s name as [or in] trust for the student?

Should the accounts be reflected as custodial accounts?



On that curmudgeonly note I wish you all a fine weekend.

Here is the Guidance:




February 27, 2015 at 9:42 am

Should CEOs personally vouch for their BSA programs?

Should CEOs have to personally attest to the adequacy of their Anti-Money Laundering programs the same way top executives have to vouch for the accuracy of their financial reports under Sarbanes-Oxley? That is an idea being considered by Benjamin M. Lawsky, Superintendent of Financial Services for the State of New York, who outlined his proposal in a speech on “Financial Federalism” at Columbia Law School yesterday.

A recurring theme of Lawsky’s   public comments of  late has been his frustration with the unwillingness of major financial firms to change their practices even after they have been subjected to huge fines.  The former federal prosecutor argues that more has to be done to hold specific individuals and not just the corporations they run responsible for malfeasance that takes place on their watch.

For my money nowhere is this truer  than in the area of BSA and AML enforcement.  Just this morning BankingLaw360 reports that   Citigroup Inc. and its Banamex USA unit are under investigation by the Treasury and  California regulators  over their compliance with anti-money laundering requirements and the Bank Secrecy Act.

The truth is that even as the smallest of credit unions have made attempts to comply with BSA requirements, some of the most legally savvy, technologically advanced corporations in the world have chosen to ignore some of the most basic AML/BSA requirements. It’s a national scandal that has gotten nowhere near the attention it deserves. They write a big check when they get caught and then go about their business as if nothing ever happened. Fines alone aren’t working.

Lawsky’s solution is to bring about more personal accountability:

“First, we are considering random audits of our regulated firms’ transaction monitoring and filtering systems, employing the same methodology our independent monitor used to spot deficiencies.

Second, since we cannot simultaneously audit every institution, we are also considering making senior executives personally attest to the adequacy and robustness of those systems.

This idea is modeled on the Sarbanes-Oxley approach to accounting fraud.”

In theory I love the idea. Our nation’s BSA framework is only as effective as our largest banks are willing to make it. Executives should generally understand what transactions are being red flagged and why.

But if this proposal gets implemented I don’t want to see smaller institutions get sucked into the vortex. Just as Sarbanes-Oxley’s personal attestation provisions only apply to larger corporations, a BSA attestation mandate should only apply to the largest banks. The evidence shows that the vast majority of credit unions and smaller banks have committed resources to complying with federal anti-money laundering laws. It’s the big guys who need to be reminded that violating the law isn’t in their personal or corporate best interest.

The entire speech is worth a read.  Here is a link.

Is another minimum wage hike on the way?

Governor Cuomo is pushing hard for legislation that would increase the State’s minimum wage to $11.50 in New York City and $10.50 elsewhere. Even if this wouldn’t directly impact your credit union’s pay scale, remember that NY law generally shields the higher of 240 times the state’s minimum wage or the federal minimum wage from levy and restraint by private sector creditors, even for those members who don’t have government funds directly deposited into their accounts (N.Y. C.P.L.R. 5222). So as the minimum wage goes up, so too does the amount of money in a member’s account shielded from creditors. That’s right: the more money Government mandates people get paid, the more money people get to shield from their creditors. Here is an article on the Gov’s minimum wage push.



February 26, 2015 at 8:51 am

Now What?

As expected, at yesterday’s board meeting the NCUA proposed raising the cap below which a credit union is considered a small credit union for regulatory relief purposes from $50 to $100 million. According to NCUA, the increase means that an additional 745 credit unions will be eligible for potential relief from future regulations for a total of approximately 4,869.

Great job by the agency in coming forward with the proposal; but we won’t really know how much this helps the industry for some time to come. First, the agency has already exempted credit unions below the threshold from onerous mandates including those dealing with enhanced protections against interest rate risk and the proposed enhanced Risk-Based Capital framework. Second, many of the biggest mandates are out of NCUA’s hands. For example, the CFPB has been willing to extend mandate relief to institutions with as much as $2 billion in assets, but these exemptions come with strings attached – such as a requirement that exempted institutions hold most of their mortgages. Thirdly, the fact that NCUA justifiably feels the need to dramatically raise the small credit union designation after having raised it from $10 million approximately two years ago shows you how quickly the industry is changing and not for the better. NCUA examined rates of deposit growth, rates of membership growth, rates of loan origination growth, and the ratio of operating costs to assets and determined that credit unions below $100 million are at a “competitive disadvantage” to their peers.

The branch is dead! Long live the branch!

I actually found myself muttering in disagreement as I read a report issued by the FDIC yesterday. It concluded, based on an analysis of bank branching patterns from as far back as 1935, that:

“New technologies have certainly created convenient new ways for bank customers to conduct business, yet there is little evidence that these new channels have done much to replace traditional brick-and-mortar offices where banking relationships are built. Convenient, online services are here to stay, but as long as personal service and relationships remain important, bankers and their customers will likely continue to do business face-to-face.”

Maybe the researchers who came to this conclusion can use their Blackberries to see if RadioShack could use their help. More on this in a future blog, but for those of you who still believe the branch model is alive and well, read away.

What would Karl Malden say?

Yesterday, the Justice Department scored a major antitrust victory when a federal judge in New York found American Express guilty of anti-trust violations. I haven’t read the 100+ page decision yet, but if I was Amex I would have gone to trial too.

One of the touchstones of antitrust law is market dominance. Amex isn’t exactly a card that your typical merchant has to accept these days if he wants to stay in business. It has been a long time since Karl Malden convinced consumers that they shouldn’t leave home without their American Express Card.    The win underscores just how dominant a hand merchants have when it comes to demanding changes to the plastics industry.

By the way, if you are wondering what to do this weekend as you try to stay warm, On the Waterfront, starring Karl Malden and Marlon Brando, would be an excellent movie pick.  It’s one of those cultural reference movies and includes the classic line “I could have been a contender.”

February 20, 2015 at 8:47 am

From Russia with Love

News over the weekend that an international gang of Russian speaking cyber criminals pulled off what the NY Times described as one of the biggest bank heists of all time (approximately $1 billion) has once again exposed the fact that the financial system and its consumers are under attack and the bad guys are winning.

Although it appears that the breadth of the attack may have been overestimated by initial reports, the Krebs on Security blog is reporting that, according to the Russian security firm that uncovered the heist, the cyber gang hit up to 100 banks worldwide in approximately 30 different countries involving 300 IP addresses.

If news reports are accurate, this group patiently broke into computer systems using phishing techniques and, once inside, thoroughly learned how to mimic employee and system behavior. They may have even videotaped keyboards. By the time they struck they were able to make ATMs spit out money on command, inflate the size of accounts, and, of course, transfer money out of the institutions. As Krebs explains, “Most cyber crime targets consumers and businesses, stealing account information such as passwords and other data that lets thieves cash out hijacked bank accounts, as well as credit and debit cards,…but this gang specializes in hacking into banks directly, and then working out ingenious ways to funnel cash directly from the financial institution itself.”

Far from throwing up our hands in frustration there is much that can and should be done by individual institutions as well as governments and consumers.

  1. Assume that your computer system has been breached and ask yourself how you can minimize the damage? You won’t find this advice in a compliance manual but experts have been stressing for years now that your IT system is as vulnerable as your most careless employee. The more you limit access to key systems to those employees who need direct access the better off you will be. Another step you could take is mandating that only certain computers be used for certain functions. Finally change passwords frequently.
  2. A hallmark of cyber attacks these days is that criminals are patiently “casing” cyber infrastructures sometimes for several months before attacking. As a technological Luddite I want to know how these people know they can poke around the security systems of some of the world’s most sophisticated banks and not get exposed? It seems to me that we can’t prevent break-ins but we can shorten the amount of time that criminals have to carry out their crimes.
  3. Is it time for a cyber-security tax? I’m open to alternatives on this one but, just as what I pay for a plane ticket partially reflects the cost of security, it’s time that financial transactions have a similar tax to pay for cyber-security. Without a robust public security infrastructure, cyber-security will become yet another cost that only larger institutions can absorb. This isn’t fair to the small guys.
  4. President Obama has recently taken some long overdue steps to nationalize the issue of cyber-security. Now it’s time to make it an international issue. This is a crucial piece of cybersecurity. No one can be facilitating international cyber thefts of the size and sophistication we are now seeing without governments looking the other way. After all, someone has to collect the money. We need an international treaty, modeled after the nuclear Non-Proliferation Treaty, in which countries would agree to adopt domestic cybersecurity protocols and consent to international inspection of their compliance efforts. Those countries that don’t comply would be subject to sanctions, and those countries that choose not to participate in the agreement will give us a pretty good list of where most of the cyber crime is being facilitated. Remember that a vibrant, safe electronic infrastructure is in the best interest of almost all businesses and all countries.


Here are some interesting stories on the heist.



February 17, 2015 at 8:50 am

Preparing for the Worst, Hoping for the Best

Maybe it’s because the desolate Albany landscape with its frozen mounds of exhaust-tinged snow and sub-zero temperatures makes me feel like I’m inhabiting a post-apocalyptic world, but a couple of days ago I got around to reading the FFIEC’s new appendix to its examination handbook dedicated to disaster preparedness, entitled Strengthening the Resilience of Outsourced Technology Services. In all seriousness, it is a must-read for any credit union that has to have a business continuity plan (BCP) and contracts with third parties for services that should be integrated into this business plan. I bet that is almost every credit union.

Regulators have long emphasized the need for appropriate due diligence when entering into third-party relationships. In addition, Business Continuity Planning has been a major point of regulator emphasis since 9-11; not to mention that “once in a century storms” seem to be coming every other year. This new appendix zeros in on the importance to financial institutions of ensuring that appropriate vendor services are integrated into BCP plans and testing. As the regulators commented in releasing the appendix, “a financial institution should ensure that its third-party service providers do not negatively affect its ability to appropriately recover IT systems and return critical functions to normal operations in a timely manner.”

The appendix highlights four key points of emphasis for examiners assessing third-party relationships.

(1) Third-party management addresses a financial institution management’s responsibility to control the business continuity risks associated with its third-party service providers (TSPs) and their subcontractors.

(2) Third-party capacity addresses the potential impact of a significant disruption on a third-party servicer’s ability to restore services to multiple clients.

(3) Testing with third-party TSPs addresses the importance of validating business continuity plans with TSPs and considerations for a robust third-party testing program.

(4) Cyber resilience covers aspects of BCP unique to disruptions caused by cyber events.

I don’t want anyone to break into a cold sweat thinking that a new compliance requirement is necessarily being imposed on them. If you don’t outsource core operational functions to third parties this appendix shouldn’t concern you much. But if your credit union can’t operate effectively unless a vendor is also on the job, then you have an obligation to work with that vendor and make sure that it has a Business Continuity Plan that is compatible with your own.

Think about it: if your vendor backs up all your account information at a facility down the block from your credit union, your BCP plan has some serious holes.

Don’t Fire Until You See the Whites of Their Eyes

Yesterday, the CU Times reported that Sen. Richard Shelby (R-Ala.), chairman of the Senate Banking, Housing and Urban Affairs Committee, would not rule out doing away with the credit union tax exemption as part of an overhaul of the tax code.

Shelby’s equivocation on the tax exemption underscores that tax reform poses dangers for credit unions, but his stance should hardly surprise anyone, nor should it send us scrambling to the ramparts as if the industry is in imminent danger. The fact is that in any push to overhaul the tax code a prominent veteran lawmaker like Shelby isn’t going to take anything off the table. There is a lot of negotiating to be done, if and when we ever get to a tax reform end game.

Should the industry be vigilant? Absolutely. But, in my ever so humble opinion (and I stress only my opinion), in recent years the industry has overreacted to the threat of tax reform with the result that it has not pushed aggressively enough for other parts of its agenda. There may come a time when we need to activate the grassroots in a major push to save the exemption, but that time is not here yet. In the meantime, let’s not let the bankers sideline our agenda every time they advocate for ending the exemption or draw too many conclusions every time a legislator gives less than 100 percent support for the industry.

February 12, 2015 at 9:16 am

When are state laws preempted?

The news that Wells Fargo entered into a $4 million consent decree with NYS’s Department of Financial Services typically wouldn’t be blog worthy.  After all, $4 million ($2 million fine and $2 million in restitution to 1,300 NY Consumers) is cushion change for your average mega bank and by some measures Wells Fargo is the biggest of the Big.  But when the settlement involves one of the most unique operational constraints placed on New York State chartered financial institutions and touches on how and when state laws are preempted, it is worth taking a look at.

Section 413 of NYS’s Personal Property Law prohibits the use of credit cards secured by real property. As a result, state chartered institutions, including credit unions, are prohibited from offering HELOCs that can be accessed with cards with credit features, as explained in this legal opinion letter from the Department of Financial Services.

New York’s prohibition against credit card HELOCs is arguably the most significant operational difference between state and federal credit unions. NCUA has clearly preempted such laws as applied to federal credit unions. For example, this opinion letter from NCUA noted that a Connecticut law that banned HELOC credit cards was preempted by federal law. As the letter explained:

“NCUA’s lending regulation expressly recognizes that FCUs are subject to state law in certain matters, including insurance laws, issues related to the establishment and transfers of security interests, issues of default and so forth. 12 C.F.R. §701.21(b)(2). The Connecticut statute is not within the area of permissible regulation by the states because it affects conditions related to the purpose of the loan and the distribution of loan proceeds.” RE: PREEMPTION OF CONNECTICUT OPEN-END MORTGAGE LAW, 2002.

What caught my eye about the settlement and has sent me scrambling through the legal opinion letters is that Wells Fargo is a nationally chartered bank. Why would it be subject to New York’s Personal Property Law? As it turns out, Wells Fargo had brought the line of business from a non-bank entity that wasn’t federally chartered.

The bottom line:  federally chartered institutions are no more subject to New York’s HELOC prohibition today than they were yesterday but if you are state chartered, the state is serious about enforcing its HELOC limitations. If you are a federal charter don’t assume that the exemptions that apply to your credit union automatically apply to your CUSOs.

Law and Order NY Style

For political junkies our morning political blogs are reading more like crime blotters.

Fresh on the heels of the Silver indictment, former Senate Majority Leader Malcolm Smith was found guilty of trying to bribe his way onto the ballot as a Republican in his still-born run for NYC Mayor in last year’s election. His successor, John Sampson, is awaiting trial. Meanwhile, a $580,000 settlement involving alleged sexual harassment of staffers by former Assemblyman Vito Lopez has been reached. Taxpayers will be on the hook for $545,000 of the settlement.




February 6, 2015 at 9:25 am

In the race against the machines the machines are winning

If today’s blog has a theme it’s how technology is continuing to evolve much quicker than our ability to properly regulate it.

Anthem breach likely to produce nervous members

Anthem Health Insurance disclosed yesterday that personal information involving tens of millions of customers has been compromised. According to a company press release, hackers gained unauthorized access to personal information from current and former members such as their names, birthdays, medical IDs/social security numbers, street addresses, email addresses and employment information, including income data. However, the company has no evidence that “credit card or medical information, such as claims, test results or diagnostic codes were targeted or compromised.” Although the exact number of compromised records isn’t known, the WSJ is reporting that the hackers gained access to databases containing information on about 80 million customers.

Obviously expect calls from nervous members today wondering if they have been victimized by identity theft.  The good news is that since Anthem decided to quickly disclose the breach the public may be better positioned than usual to prevent data thieves  from taking full  advantage of this treasure trove  of personal data. Remember that under New York Law consumers may request that credit reporting agencies place a freeze on access to their credit reports. N.Y. Gen. Bus. Law § 380-t (McKinney).

Here is the company’s press release:

Durbin’s Folly

Given the pressing need to improve our nation’s cyber security infrastructure, you might think that a law that deters financial institutions from adopting the latest security is a bad idea. That is exactly what the Durbin amendment is doing. In an interview published by BankInfo Security, Kimberly Lawrence, Senior VP of Global Corporate Initiatives for Visa, estimates that by the end of 2015 70 percent of credit cards will be EMV chip enabled but only close to 40 percent of debit cards will be.

Why the difference? One reason is that Durbin makes EMV chip migration more expensive and challenging. It requires merchants to have a choice of two unaffiliated networks for processing transactions. EMV was never designed to interact with more than one network at a time, so workarounds have had to be created. In addition, with merchant litigation challenging the Federal Reserve’s implementation of Durbin only recently concluded, the regulatory environment has remained unsettled. Incidentally, Lawrence estimates that 50% of merchants will be able to accept the cards.

Remember that starting in October Visa and Mastercard shift liability for unauthorized transactions from an issuer that uses EMV cards to a merchant who does not. There is no requirement that both debit and credit cards be EMV enabled at the same time. You could even decide to forego EMV conversion completely if you decide the costs of conversion outweigh its benefits. Here is an article and interview.


Silk Road Founder Guilty

Ross Ulbricht, aka Dread Pirate Roberts, was found guilty yesterday of several counts related to drug trafficking and money laundering. As I explained in a previous blog, by using the so-called “hidden internet” he was able to offer an eBay-like service for purchasing drug paraphernalia. Prosecutors alleged that he took a commission on all the sales, which were paid for with Bitcoins. His arrest underscored the concerns of public officials who argue that the computer-generated currency could be a handy means of executing illegal transactions and should be closely monitored.

In a statement, US Attorney Preet Bharara proclaimed that Ulbricht’s conviction and the seizure of millions of dollars of Silk Road Bitcoins “should send a clear message to anyone else attempting to operate an online criminal enterprise. The supposed anonymity of the dark web is not a protective shield from arrest and prosecution.”

Preet’s enthusiasm notwithstanding, with the amount of money to be made and the technology to make it possible I don’t think we have seen the last of the internet’s Silk Roads. This is your faithful blogger, AKA Dread Pirate Roberts, wishing all of you a pleasant day.

February 5, 2015 at 9:13 am


Authored By:

Henry Meier, Esq., Associate General Counsel, New York Credit Union Association
