Posts filed under ‘General’

NCUA Dips Its Toes Into The Cryptocurrency Waters

In late December, NCUA issued its most significant guidance to date on cryptocurrency, explaining in this letter to credit unions that federally insured credit unions can facilitate third-party relationships between cryptocurrency providers and their members pursuant to the incidental powers of federal credit unions. At the same time, however, it detailed some of the classic third-party considerations that credit unions must consider when establishing relationships offering non-depository financial products and reminded state-chartered institutions that NCUA’s green light is subject to state law.

In recent months, yours truly has used this space to urge NCUA to follow the lead of other financial regulators and detail the conditions upon which financial institutions can enter the cryptocurrency space. While a much more rigorous framework needs to be provided, this opinion letter clarifies that credit unions can start working with third parties who may be approaching them about marketing various cryptocurrency services. The good news is that credit unions can approach these discussions the same way they approach any other discussions with third parties, but the guidance makes clear that this is an area to handle with care. Credit unions are expected to adhere to a documented, rigorous third-party oversight process that demonstrates an awareness of the compliance and legal risks associated with cryptocurrency. 

Accordingly, I would pay special attention to the following reminders offered by NCUA:

When selling, advertising, or otherwise marketing uninsured digital assets to members, members should be informed that the products offered:

  • are not federally insured;
  • are not obligations of the FICU;
  • are not guaranteed by the FICU;
  • are or may be heavily speculative and volatile;
  • may have associated fees;
  • may not allow member recourse; and
  • are being offered by a third party.

One final note: Don’t be penny wise and pound foolish. Have an attorney involved in the contract drafting process and make sure the credit union is adequately protected in the event that the crypto craze ends up being the modern day equivalent of the Tulip Frenzy.

January 13, 2022 at 9:19 am

CFPB and Overdrafts: No More Mr. Nice Guy

Yesterday, the CFPB released two reports detailing the overdraft fee practices of both large and small banks and credit unions. While this in itself is not all that surprising, after all the CFPB has grumbled about overdraft fees since its inception, when coupled with the statements of Director Chopra, it’s clear that overdrafts are going to be a major focus of the Bureau in the coming months.

In fact, the Director sounded very much like a former member of the FTC when, on a conference call with reporters, he reportedly described the continued reliance of big banks on overdraft fees as a market failure which regulators had to address.

While it is not clear what steps the Bureau will take, institutions directly subject to the CFPB’s oversight can expect increased scrutiny. He even suggested that this scrutiny may extend to individual executives who approve practices.

A second noteworthy aspect of the Bureau’s announcement yesterday is the use of core processor data to analyze the practices of smaller banks and credit unions. Specifically, one of the reports is based on the settings used by banks and credit unions to trigger overdraft payments. This information was obtained not from financial institutions but by going directly to their core processors.

The bottom line is that your credit union should continue to anticipate a world in which it must be less reliant on overdraft fees and in which disclosures accurately describe when overdraft fees will be triggered.

On that note, I am heading to Buffalo where I hope to talk to some of you at this evening’s chapter event.

December 2, 2021 at 9:47 am

Why Executive Orders Don’t Apply To Your Credit Union

Since President Biden issued an executive order in September mandating that Executive Branch employees and their contractors get vaccinated against COVID-19, the industry has parsed the text with an intensity worthy of a Talmudic scholar, hoping to divine whether or not credit union employees are federal contractors for purposes of this mandate. After all, as drafted, an argument can be made that share insurance is a government contract to which credit unions are subject.

But the truth is much more straightforward: credit unions are not subject to this or any other executive order issued by this or any other president. The NCUA, as an independent agency, is not an executive agency subject to the president’s executive orders. Instead, NCUA was created by Congress to operate independently of the president and make its own policy judgments.

This is not a radical pronouncement but simply a common sense application of prevailing law. Since Humphrey’s Ex’r v. U.S., 55 S.Ct. 869, 874, 295 U.S. 602, 629 (U.S. 1935) the Supreme Court has recognized the right of Congress to create independent agencies specifically designed to be free of direct executive branch oversight. Furthermore, the court has taken a very narrow view of the president’s power to issue executive orders and apply them beyond the executive branch. As the court explained in Youngstown Sheet & Tube Co. v. Sawyer, 72 S.Ct. 863, 867, 343 U.S. 579, 587–88 (U.S. 1952) “The Constitution limits his functions in the lawmaking process to the recommending of laws he thinks wise and the vetoing of laws he thinks bad. And the Constitution is neither silent nor equivocal about who shall make laws which the President is to execute.” Congress.

Against this backdrop, there is a long line of examples of independent agencies pushing back against executive branch encroachments on their power. For example, the general counsel of the Securities and Exchange Commission once wrote a 24-page “Declaration of Independence” from a Carter administration proposal that regulations be submitted in plain English for public review, on the grounds that the order could set a precedent to undermine the agency’s independence.

In short, a credit union can choose to follow an executive order’s mandates if it chooses to do so, but is not required to do so. In fact, an argument to the contrary has as much validity as suggesting that the credit union down the street can mandate what policies your credit union follows. 

One caveat: The exemption just applies if the only basis for complying is your connection to the NCUA. If your CU rents space from a federal agency for example, then you are a federal contractor.

November 22, 2021 at 10:00 am

Is Your Credit Union Impacted By New Security Standards?

I have some good news and some bad news for you this morning. The good news is that the regulation I’m about to talk about does not apply to your credit union. The bad news is that it might apply to your credit union’s CUSO.

Yesterday the Federal Trade Commission (FTC) finalized regulations imposing enhanced requirements on financial institutions under its jurisdiction to implement information security programs. For example, the new regulations require, among other things, that entities designate an individual responsible for implementing and overseeing their data security program; develop procedures to ensure that the board of directors is periodically informed about data security developments; perform risk assessments that identify the entities’ data security vulnerabilities; implement dual-factor identification; and perform penetration testing to guard against third party intrusions.

Nothing in these new requirements should come as a surprise to anyone reasonably aware of existing industry standards for data security, particularly if you are an entity subject to New York’s cybersecurity regulations. In fact, the really shocking thing is how many businesses are not currently subject to these baseline requirements. This is why both CUNA and NAFCU were generally supportive of these proposals. 

But your compliance team is not completely out of the woods. There are some CUSOs such as mortgage bankers which are subject to these requirements. And NCUA is likely to expand the type of activity in which CUSOs could engage. This is important because while federal law explicitly exempts the subsidiaries of national banks from the FTC’s oversight, no such provision is explicitly made for credit union CUSOs. As a result, you should review these regulations, assess the extent to which they could impact your CUSO, and update your policies and procedures accordingly.  

On that note, enjoy your weekend and I’ll be back on Monday. 

October 29, 2021 at 9:17 am

Climate Change is Bad: Now What?

As yours truly read through the Financial Stability Oversight Council’s (FSOC) climate risk report yesterday, I was bracing for a series of absurd mandates in which credit unions would have to join larger more sophisticated institutions in complying with a host of new requirements, and yet another loss by the New York Giants. I was pleasantly surprised on both counts. The report is an exercise in bureaucratic reasonableness, which gives NCUA plenty of flexibility to respond appropriately and not hysterically to the threats posed by climate change to the credit union industry.

The FSOC is comprised of 10 voting members, including the NCUA, and five non-voting members representing interested stakeholders such as state regulators. Its goal is to identify emerging risks within the financial system. At the time of its creation, there was a debate as to whether or not credit unions should even be included in a group which represented investment banks, the largest depository institutions in the world and the Securities and Exchange Commission.

When I heard that it was going to come out with a climate change risk report mandated by an executive order, I expected to see the outline of new regulations which would impose new reporting requirements on credit unions of all shapes and sizes. The report got the headline it was looking for when it proclaimed that climate change is an emerging and increasing threat to financial stability. But, the resulting action items included the following language:

“As part of their supervisory activities, the depository institution regulators expect to review within traditional prudential risk categories, as relevant, how effectively institutions incorporate climate-related financial risks into their risk management systems and frameworks, appropriate to their size, complexity, risk profile, and location.”

The biggest action item in the report is for bank regulators to augment their existing staff and develop greater expertise when it comes to assessing climate change risk. 

For its part, NCUA explained how it has established a series of working groups to address climate change. Its “ultimate goal” is to ensure that the system remains resilient in the face of climate related risk.

You can recognize climate change for the threat it is while also questioning the value of imposing additional mandates on depository institutions which do not engage in the type of activity that can mitigate climate change’s worst effects on a systemic level. If the FSOC’s report represents the approach ultimately taken by the NCUA and other depository regulators, we can all breathe a sigh of relief.

October 25, 2021 at 8:54 am

Are Fintech Lenders Less Biased?

To its supporters, technology has the ability to further equalize the lending process by using unconventional data to assess the creditworthiness of underserved communities and removing human bias from lending decisions. To its critics, overly complex lending algorithms could further complicate the efforts of regulators to identify and clamp down on biased lending criteria. This debate is likely to have an increasingly large impact on credit unions, banks, and Fintechs as policy makers integrate 21st century technology into 20th century regulations. Recently released research underscores just how volatile this debate is destined to become.

The PPP program is a treasure trove for researchers of potential bias in lending decisions. Since the loans were guaranteed by the federal government, it is easier to evaluate what other factors led to businesses getting loans. Recently, a group of researchers at New York University concluded that Fintech lenders were responsible for 53.6% of PPP loans to black owned businesses. According to the researchers, “black owned businesses exhibit by far the most striking disparity among lender types when it comes to choosing Fintechs.”

In contrast, community banks with $2B or less in assets performed the worst when compared to all other financial institutions including CDFIs, credit unions and the largest banks.  In fact, the researchers conclude that larger banks demonstrated the least lender bias, underscoring their belief that automation contributed to more minority loans. Not surprisingly, this research has already drawn a heated response from community bankers who argue among other things that the research is flawed because it is based on assumptions about the race of borrowers.

Still, yours truly has been watching a lot of baseball recently and it seems to me that every game demonstrates that computer generated strike zones do a better job of calling balls and strikes than do umpires. As much as we like to extol the human element in decision making, common sense tells me that more automation not less can lead to an even fairer system for making lending judgements.

[Chart: proportion of PPP loans given to Black-owned businesses originated by financial institutions and Fintechs]

October 19, 2021 at 10:40 am

What The Postal Service Could Learn From Google

Even as the world was struggling to survive several hours yesterday untethered to social media, the postal system was making a big splash with news of a small pilot program which could be the first step in reintroducing postal banking. While the post office was dabbling with banking, Google was quietly announcing that it was pulling the plug on its plan announced two years ago to work with banks and credit unions to provide Google bank accounts. The two announcements have more in common than you might think. The announcements also contain important warnings for the credit union industry as it tries to navigate an uncertain future.

An article in the American Prospect reported that four postal branches in Washington, D.C., Baltimore, Falls Church, Virginia, and the Bronx, NY were now allowing individuals to convert business or payroll checks of $500 or less onto a single-use gift card for a $5.95 purchase fee. The announcement was lauded by, among others, New York Senator Kirsten Gillibrand, a prominent supporter of postal banking.

It’s easy to dismiss the proposal. After all, it’s somewhat laughable to think that a business which cannot cost-effectively provide its core service to the American public, even though it has enjoyed a virtual monopoly for much of the country’s existence, will find its niche in cost effectively providing banking services.

This is where Google comes in. Your faithful blogger continues to believe that today’s Fintechs are tomorrow’s banks but in pulling the plug on its banking project Google discovered what many other Fintech wunderkinds have also discovered; providing cost-effective consumer financial services in a heavily regulated, highly competitive financial system is not easy. It takes a level of skill and knowledge that you don’t learn simply by attending business school or delivering the mail.

Just as Fintechs think they can easily handle the banking part of things, there are those, predominantly in the progressive wing of the Democratic party, who think that banking is as easy as setting up a branch and allowing individuals with no training as tellers to cost effectively provide banking services in a way which protects union jobs.

Common sense and history tell you that this is simply not the case. Postal banking is not a radical new concept but an idea that has been seriously debated since the 1800s. In fact, between 1911 and 1966 Americans could open up postal banking accounts and at its height an estimated 10% of deposits were held in the postal system. But, as banking options became more widely available, and federal insurance stabilized the banking system, the system was put out of its misery by President Johnson in 1966. While I don’t think we have much to fear from postal banking, I do think that the industry has to recognize that proposals such as these are the result of frustration among some policy makers that the financial system has not done enough to help people of modest means. We must do a better job of telling our story and making sure our elected officials realize that the way to increase financial inclusion is not to get the government more involved in banking but to allow credit unions to provide more services to a larger group of people.

October 5, 2021 at 9:35 am

Just what is an “Item” anyway?

A former President got impeached after quibbling over the definition of “is” and today CUs and banks are being sued over the definition of “item.”

That is one of the key questions confronting both credit unions and banks as they continue to make a handful of consumer plaintiff law firms wealthy because of inaccurate disclosures in their account agreements. On a practical level this means that you should review your account agreement to ensure that it actually defines what an item is. This is particularly true if your credit union is large enough to be targeted for class action litigation.

I’ve done blogs for several years now detailing how both credit unions and banks are being sued for inaccurately disclosing how account balances are determined for purposes of generating overdraft fees. For example, if your member has $50 in an account at the time she uses her debit card to pay for her Starbucks latte but 49 of those dollars are subject to pending transactions, has your member been given adequate notice that an overdraft fee will be charged based on how the account balance is actually calculated?

A more recent permutation of this litigation has to do with the proper disclosure of NSF fees generated by repeated presentments for payments made by merchants using the NACHA network. Specifically, does your credit union charge a fee every time a merchant presents a transaction for payment and, if so, is this practice properly disclosed? In Richard v. Glens Falls National Bank, 2021 WL 810218, at *1 (N.D.N.Y. 2021), the bank charged a separate fee every time a merchant re-presented an item for payment. The bank’s fee schedule disclosed that an NSF fee could be charged “per item” but did not define what an item was. As a result the account owner argued that the bank was only entitled to charge a single NSF fee irrespective of how many times a merchant presented an item for payment.

The good news is that your credit union can avoid a similar fate by simply amending its account agreement. For example, the Navy Federal Credit Union got a similar claim dismissed because its account agreement contained language defining what an item was and putting members on notice that they could be charged each time an item is presented for payment (Lambert v. Navy Federal Credit Union).

Here is the punchline: your credit union should be having its account agreement periodically reviewed by an outside law firm, preferably one that specializes in defending against consumer class action lawsuits. Consider it an investment especially since I can guarantee you that your account agreement has been reviewed by attorneys looking to sue you over language which may comply with the latest regulations but does not reflect the latest case law. 

On that note, enjoy your day.

September 21, 2021 at 2:06 pm

Sonic Case Demonstrates How Merchants Put Consumer Privacy At Risk

For those of you in Washington this week, a recent decision in the Sonic data breach litigation underscores why merchants need to comply with baseline data breach prevention standards. On September 7th a group of credit unions survived Sonic’s motion to dismiss claims that its negligence facilitated yet another massive data breach resulting in costs to credit unions, such as the need to reissue cards, for which Sonic should be responsible (SONIC CORP. CUSTOMER DATA SECURITY BREACH LITIGATION). And let’s not forget the thousands of consumers who were inconvenienced as a result of Sonic’s alleged negligence.

Between April and October of 2017, hackers used malware installed at 762 Sonic restaurants to steal transaction payment card data. Franchises generally were allowed to use two different types of processing systems. The hacks occurred in franchises that use the PAYS system to process transactions. Sonic facilitates payments by setting up a VPN to facilitate remote access to the system. The VPN system was set up so poorly that it allowed hackers to access unencrypted payment card data. The list of defects reads like a “What Not-To-Do List” when it comes to protecting customer data:

  • They did not use multi factor identification to authorize access to the system.
  • The stolen data was not always subject to end-to-end encryption.
  • Sonic even facilitated the storing of unencrypted data on business servers.

If a New York State bank or credit union treated data this way, it would be in violation of several provisions of New York State’s cyber security regulations which mandate that sensitive data be encrypted when it is in transit and that it be adequately protected when it is being held on its server. Furthermore, a failure to use multi factor identification has already resulted in fines under the framework. Even if you do not have the good fortune of living in New York, the Gramm Leach Bliley Act and a host of regulations outlaw this type of conduct for financial institutions.

In contrast, there is no corresponding regulatory framework for businesses like Sonic; the only way to hold Sonic and similar companies accountable is through lawsuits. The problem is that not all states give financial institutions the right to sue merchants for purely economic harm. In short, we continue to have a hodge-podge of regulatory enforcement which incentivizes merchants to under-invest in their cybersecurity infrastructure.

September 15, 2021 at 9:15 am

The Day After Tomorrow is Here, Now What?

Wednesday’s dramatic and tragic flash floods in the New York City Metropolitan area are the latest example that man-made climate change is here and will continue to impact the business climate in which credit unions operate. If I had told you a week ago that New York State had to start preparing for the consequences of hurricanes slamming into the Gulf Coast you would have told me to go look at a map. This morning businesses and policy makers would be nuts not to.

In 2018 the Union of Concerned Scientists issued a report in which it claimed that more than 300,000 of today’s coastal homes with a market value of about $117.5 billion were at risk of “chronic inundation by flooding” by the year 2045. They pointed out that this could impact the value of homes underwritten for 30 year mortgages.  After Wednesday night’s storm, I’m wondering if they underestimated the problem; perhaps we should also be concerned about the value of 15 year mortgages?

Even as we are hopefully done debating whether or not climate change is a real and growing problem, the tough part is deciding what to do about it. Contrary to popular belief, confronting climate change will require large disruptions to certain parts of the economy and a huge amount of investment. Simply put, dreams of a green economy won’t come fast enough for the coal miner in West Virginia and we need massive investments in our energy infrastructure in order to reconfigure our energy system.

So what does all this have to do with credit unions?  Most importantly, we need to engage with policymakers and regulators using certain key principles as our guide posts.  For example, even as no one questions the need to address climate change, there has to be a recognition that costs and benefits should be taken into account.  Secondly, as institutions dedicated to helping persons of modest means we are uniquely positioned to warn against proposals which disproportionately impact poorer individuals.  Thirdly, we should point out that this is a national problem for which we need national solutions.

What would be the tangible consequences of these principles?  We need to make sure that common sense distinctions are made between banks which provide lines of credit to energy companies and credit unions struggling to make cost effective loans to small businesses. This is not the time for one size fits all mandates which weigh down the economy while providing no real benefit.

Secondly, as an industry dedicated to helping persons of modest needs, we have to be willing to point out that improperly implemented climate change policies can have a disproportionately negative impact on the poor and underserved communities. For example, the wealthier you are the more you can afford paying higher premiums for flood insurance.

Finally, with the usual caveat that I speak for no one but myself when I write this blog, as an industry, credit unions should be in favor of dramatic infrastructure investments on a national scale which expedite infrastructure improvements needed in response to climate change while minimizing the need for additional mandates on small lenders. On that note, enjoy your weekend.

September 3, 2021 at 10:01 am


Authored By:

Henry Meier, Esq., Senior Vice President, General Counsel, New York Credit Union Association.

The views Henry expresses are Henry’s alone and do not necessarily reflect the views of the Association. In addition, although Henry strives to give his readers useful and accurate information on a broad range of subjects, many of which involve legal disputes, his views are not a substitute for legal advice from retained counsel.
