Posts filed under ‘General’

Time To Close Breach Disclosure Loopholes

According to the Recode blog, Yahoo will shortly be publicly disclosing a massive data breach involving hundreds of millions of user names, passwords, personal information like birth dates and other email addresses. Yahoo has been investigating the breach since August, when it discovered that a hacker named “Peace” was selling the information on the “dark” web for nearly $1,800. The story is intriguing because (1) I am shocked that Yahoo still has that many users, and (2) the story shows yet again why state data breach disclosure laws need to be tightened and Federal standards need to be enacted.

New York has a fairly typical disclosure notification statute. Section 899-aa of the General Business Law mandates that companies disclose data breaches “in the most expedient time possible, and without unreasonable delay” but “consistent with the legitimate needs of law enforcement” and “any measures necessary to determine the scope of the breach and restore the reasonable integrity of the system.” When this legislation was passed, these broad disclosure guidelines made sense. The thinking was that premature disclosures might disrupt investigations and even encourage additional breaches before security vulnerabilities could be remedied. Incidentally, in 2011 the SEC issued guidance for publicly traded companies to disclose data breaches. But since such breaches must only be disclosed when they have a “material impact” on a company’s stock, publicly traded companies have a tremendous amount of flexibility in determining what needs to be disclosed and when.

Times have certainly changed. Businesses not only know of breaches long before they tell the public, but the bad guys know that they know and they don’t care. For instance, a savvy hacker like “Peace” knows that among the people shopping for his treasure trove of information are businesses surfing the “dark” web to see if their information has been stolen. When reporter Brian Krebs disclosed the Target data breach, he confirmed the story by talking to a fraud analyst at a major bank, whose team had independently purchased hacked information.

Sophisticated hackers like “Peace” probably aren’t stealing personal information so that they can break into a bank or a credit union the next day. They are simply putting the information on the black market and getting the best price they can from criminal retailers who will be the ones stealing from accounts. The result is that the true impact of massive data breaches is only felt over time. It also means that the sooner consumers have as much information as possible about data breaches, the more they can do to protect themselves. Presently consumers are the last to know that their personal information is compromised. If the public can be enlisted to hunt down terrorists, surely it can be trusted with timely information about data breaches.

What we need are hard deadlines for mandated disclosures, with exceptions only when a company can demonstrate that a disclosure would result in direct, immediate and substantial harm.

September 22, 2016 at 9:19 am 1 comment

Real Economic Development Starts At Home

To the lamb and the leopard lying down together, we now must add credit unions and banks at least when it comes to Lawrence, Massachusetts.

I normally am very skeptical of stories highlighting how well credit unions and banks would get along but for all those politicians and trade associations that get in the way. Credit unions shouldn’t forget that it is the ultimate goal of the banking industry to strangle credit union growth.

But there is a great article in the American Banker this morning about how 6 banks and 4 credit unions have created a $2.5 million fund to offer credit to start-ups in Lawrence. It has already closed seven deals totaling $500,000 and it expects to have all the monies lent out in the next 12-18 months. The fund may be recapitalized.

I love this and similar stories like it for many reasons. First, this is real economic development. Lawrence is a classic Empire Falls community; it is one of those aging little towns, so common in the northeast, filled with fading emblems of bygone dynamism. It is the type of place that needs investment. While the government can help, true economic development almost always is organically led by private businesses. Government doesn’t underwrite so much as throw money at problems and see what sticks. Besides, I have repeatedly been told that with government help comes a pile of red tape. How else to explain the lack of all but the largest credit unions participating in SBA loan programs?

What I also love about this story and stories like it is that you have local business leaders doing what is best for the community in which they live. It demonstrates that we really do lose something when financial institutions become regional and national businesses as opposed to remaining tethered to the communities from which they grew. Economies of scale make this trend inevitable but there really is something valuable being lost along the way.

September 21, 2016 at 8:53 am Leave a comment

NYS Clarifies HSA Regulation

I have some good news to report.  Yesterday, the DFS clarified what we had long suspected but could not state with unequivocal confidence:  state-chartered credit unions have the authority to offer Health Savings Accounts as part of their incidental powers. 

For more than a decade, federally chartered credit unions have been authorized to offer HSAs to their members as part of their incidental powers.  It was logical to assume that since the state’s credit union trust powers are already more expansive than those provided to federal credit unions that state charters could also offer these accounts.  Yesterday, Community First Credit Union received confirmation that it could offer this service.  Thank God I can finally put this file to rest.  It was getting kind of thick.

Incidentally, in a 2002 letter, the State opined that pursuant to section 454(34) of the New York State Banking Law, state credit unions have the same incidental powers as their federal counterparts as of 2002.  They are also authorized to request any incidental power granted to their federal counterparts.  HSAs are now a recognized incidental power of state charters.

On that happy note, enjoy your weekend and I would feel sorry for all you Bills fans, but my brother is a lifelong Jets fan and I think an 0-2 start would have put him in a bad mood for the next several months.

September 16, 2016 at 8:32 am Leave a comment

NY Proposes “First in Nation” Cybersecurity Requirements

With a special shout-out to those of you who attended the Legal & Compliance Conference at the beautiful Turning Stone Casino,  good morning.

In case you missed it, on Tuesday, New York State made big news when Governor Cuomo announced that the state was imposing Cyber Security Requirements on Financial Service Businesses. This is just a proposal but it is the culmination of years of work by the DFS in this area.  Those of you affected will only have six months to get up to speed, so pay attention.

First, the real basic stuff. The regulation would apply to any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the banking law, the insurance law or the financial services law.  A “person” means any individual, partnership, corporation, association or any other entity.  A carve out from many, but not all, of its requirements is made for entities with fewer than 1,000 customers in each of the last three calendar years, less than $5,000,000 in gross annual revenue in each of the last three fiscal years, and less than $10,000,000 in year-end total assets.

What are the requirements?  Institutions would be required to have a cybersecurity program that addresses six major functions, including: the identification of cybersecurity threats based on the sensitivity of the nonpublic information stored by the institution; an infrastructure for defending against cyberattacks; the ability to detect cyberattacks; the ability to respond to and mitigate attacks; plans for recovering from attacks; and procedures for meeting new regulatory reporting obligations.

It’s really hard to argue with the general thrust of this proposal.  There is very little being suggested that you shouldn’t already be doing.  In fact, I would like to see the DFS clarify the extent to which procedures that financial institutions already have in place can be used to satisfy many of these requirements.  For example, both state and federal credit unions are already required to have policies that implement “administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of member information.”  (12 C.F.R. § Pt. 748, App. A).

Stay tuned and feel free to give me feedback as the Association ponders what comments it should make to the DFS.


If Wells Fargo thought it was out of the woods by firing over 5,000 low level employees and giving a $124 million “sorry we had to fire you” severance to a departing executive, it may have miscalculated.  The WSJ is reporting that Federal Prosecutors are in the early stages of investigating possible criminal malfeasance on the part of the bank.

September 15, 2016 at 10:30 am Leave a comment

Consider Yourself Warned

As the saying goes “problems” flow downhill, so as I started reading the details of the Wells Fargo account opening scandal and the $100 million fine imposed on it by the Consumer Financial Protection Bureau, I wondered how this might impact the operations of credit unions.  The Bureau has already had an interest in account issues and, suffice it to say, you can bet that examiners and regulators will be taking a closer look at how your credit union opens and manages member accounts.

In case you missed it, on Friday the Bureau That Never Sleeps announced that it had imposed a $100 million fine on the bank.  Employees opened up to 2 million accounts without customer permission and shifted funds into these accounts on behalf of customers without their knowledge or approval in order to meet cross selling targets and get bonuses. Frankly, what the Bureau describes goes beyond civil misconduct and I hope its allegations are being investigated by prosecutors.  This is identity theft on a grand scale.

First some practical advice.  The Federal Credit Union Act requires supervisory committees – or their designated representatives – to verify member accounts with your credit union’s records at least once every two years.  As explained in Chapter 24 of NCUA’s Supervisory Committee Guide – which I strongly suggest all supervisory committee members take a look at – “the purpose of the verification is to detect errors and it is also a good control to prevent fraud.”  You can either verify all accounts or rely on a statistical sample, but the basic idea is that you send selected members a confirmation letter or request in their monthly statement asking them to confirm their account status. 

Another thing I would consider reviewing is your abandoned property procedures.  Members are expected to use accounts and you have no obligation to keep inactive accounts open indefinitely.  Fee orphaned accounts out of their misery.  They are costing you money and are ideal for abuse.  Here is one of my favorite opinion letters on the topic.

Finally, do you have a culture that emphasizes doing the right thing?  I can’t stand it when I give advice and I’m told that it’s not what everyone else is doing. We owe it to ourselves and the people we hire to make sure that we have a culture that, in the immortal words of Vince Lombardi, encourages people to play to win but to play within the rules.  Wells Fargo employees were in a culture where breaking the rules was the norm.

September 12, 2016 at 8:37 am 2 comments

Is Bigger Always Better For The CU Industry?

I found myself getting more and more annoyed by a well-researched and well written paper on CU merger trends recently highlighted in the CU Times.  The authors argue convincingly that, given pressures facing the industry, mergers can have positive consequences for members of the merged credit union in terms of services and financial stability.  In fact, to these authors the benefits of consolidation are so obvious that they are ultimately dismissive of those of us who see in this consolidation trend the seeds of the industry’s demise.

 The authors don’t dispute estimates that within 20 years there might be a total of 1,500 credit unions.  Instead they argue, “what’s the big deal?  If these numbers do indeed come to fruition and population growth remains relatively steady, it would mean that one in three people in the U.S. would belong to a credit union by the end of this period (Pilcher, 2012).  So why all the gloom and doom?  So what if less than ten percent of credit unions will have less than one hundred million in assets twenty years from now? The industry is experiencing the biggest boom in its history in terms of assets and members, but to hear some individuals within the industry talk about it, you would think that we were two decades from suffering the same fate as the savings and loan industry.”

First, I agree with some of what the authors are saying.  Consolidation is inevitable.  Mature industries consolidate and credit unions aren’t immune from this reality.  Plus, businesses either grow or die; there is no in between.  When I see credit unions hoarding their capital without a realistic plan for growth, I know it’s only a matter of time before the urge to merge kicks in. 

Where I part company with these researchers is their belief that credit unions can survive so long as they continue to provide great service and products.  They argue that “All sides can agree that credit unions were initially organized to positively affect the lives and financial situations of those residing within each organization’s respective field of membership, and this is the lens through which the impact of mergers on the movement should be analyzed.”

This simply isn’t true. There are many banks that do a great job of positively affecting their members’ lives.  Credit unions were sanctioned and given a not-for-profit mission because everyone needs access to financial resources, particularly those of modest means, and because a cooperative structure allowing people with similar needs to pool their resources together is a sensible way of achieving that goal.

We won’t keep our tax-exempt status because we are cooperatives; we will keep our tax-exempt status because we are cooperatives that do things that banks can’t or won’t do.  To be clear, larger credit unions have ample resources to meet this challenge but only if they don’t content themselves with providing the same services as banks or better.  As they grow they have to somehow keep their commitment to an ethic of realizing that the little guy is still out there and he needs a helping hand.

With that, I am putting the blog on its annual hiatus.  See you after Labor Day. 

August 26, 2016 at 8:12 am Leave a comment

New GSE Application Can Help With HMDA Compliance

I had a great time the other night hanging out with the Association’s Young Professionals Commission.  I even got to celebrate the birthday of one of their newest members.  Regardless of age, one of the questions that always comes up at such gatherings is what issues are lurking out there to sneak up on the unsuspecting credit union.  The one I keep coming back to is HMDA and yesterday Fannie and Freddie took a huge step to help those of you who have to comply with this data reporting regulation be ready when the expanded mandate becomes effective in January of 2018.

The uniform residential loan application which you may know as either Form 1003 or Freddie Mac Form 65 is a standardized document that has been around for 20 years.  So many mortgages are connected in some way to Fannie and Freddie that the application is used by almost all lenders in the country.  Yesterday, the GSEs announced that they have created a new, redesigned URLA form.  Most importantly, for my purposes, the form includes the expanded data fields that impacted lenders will have to fill out to comply with the HMDA regulation.  In addition, if the GSEs are correct, the new form will be easy to integrate into your existing lending systems and better suited for an online application process.  For those of you dinosaurs who still rely on paper, the updated URLA will still be available in a hard copy.

Even though the form doesn’t become effective for over a year, you can use it as an easy way to cross reference the information you collect now against the information you will need to gather in the relatively near future.  Don’t underestimate just how much more information you will have to collect.  According to a summary provided by the CFPB, the new HMDA reporting requirements include data points for applicant or borrower age, credit score, automated underwriting system information, unique loan identifier, property value, application channel, points and fees, borrower-paid origination charges, discount points, lender credits, loan term, prepayment penalty, non-amortizing loan features, interest rate, and loan originator identifier as well as other data points. The HMDA Rule also modifies several existing data points.

The good news is that the CFPB narrows the scope of the institutions to which HMDA applies.  Starting in 2018, if your institution didn’t originate 25 covered mortgage loans in each of the preceding two years, or at least 100 open-end lines of credit in each of the preceding two calendar years, HMDA doesn’t apply to you regardless of your asset size.  Still, this is not the type of regulation you want to keep to the last second.  The CFPB and Congress want this additional information for a reason and I doubt regulators are going to have much patience for those of you who aren’t prepared for this mandate.  The new and approved application is a great way to get ready to comply.

August 24, 2016 at 8:23 am Leave a comment

Authored By:

Henry Meier, Esq., General Counsel, New York Credit Union Association.

The views Henry expresses are Henry’s alone and do not necessarily reflect the views of the Association.
