Posts filed under ‘Legal Watch’

When It Comes to Protecting Your Data, How Well Do You Really Know Your Members?

When the Federal Financial Institutions Examination Council (FFIEC) issues guidance, all financial institutions should pay attention, irrespective of their size and risk profile. After all, the Council represents the combined wisdom, or at least the consensus of financial regulators, including the NCUA, on the issues of most pressing concern. Conversely, it is my ever so humble opinion that these documents are often written in such vague terms with so many qualifiers that they lack the clarity needed to make them truly useful documents.

With this caveat, I present to you a guidance, Authentication and Access to Financial Institution Services and Systems, issued by the FFIEC on August 11th, in which it highlights the need for financial institutions to take a holistic approach to protecting against unauthorized access to information by third parties. Specifically, this guidance “sets forth risk management principles and practices that can support a financial institution’s authentication of (a) users accessing financial institution information systems, including employees, board members, third parties, service accounts, applications, and devices (collectively, users) and (b) consumer and business customers.”

Whereas a decade ago your red flag risk assessment was primarily concerned with how to prevent unauthorized third parties from accessing your system, in today’s environment you’ll also face threats from within. Your Board member, your negligent customer and, of course, your Luddite employee pose as great a potential threat as the most sophisticated hacker. As a result, these threats should be considered as part of your ongoing risk assessments. Furthermore, layered security protections, which make individuals authenticate more than once when inside a platform, may inconvenience your members and employees, but at the very least this inconvenience should be weighed against the need to protect the data on your system.

Remember, you should pay attention to this guidance for both legal and compliance reasons. Legally, these guidelines provide a concise source for courts to use in assessing whether a vendor or financial institution is taking reasonable measures to protect member information (see for example Shames-Yeakel v. Citizens Financial Bank; Bessemer System Federal Credit Union v. Fiserv Solutions, LLC). From a compliance standpoint, you have an obligation to make sure your credit union is periodically assessing and updating its cyber threat assessments (12 CFR 748 Appendix A).

On that note, enjoy your day.

August 30, 2021 at 9:47 am

Life After The CDC Eviction Ban

The Supreme Court yesterday ruled that the CDC exceeded its authority when it enacted a nationwide ban of evictions against tenants who claim to be suffering a COVID-19 related hardship.

The court’s ruling surprised absolutely no one who has been following the issue. Just weeks ago, the court signaled that a similar moratorium was most likely unconstitutional but allowed it to expire so that there was more time to distribute federal aid intended to help states like New York avoid the need for evictions.

The precise legal issue was whether the CDC had the regulatory authority to ban evictions absent Congressional action. The court explained that “it is indisputable that the public has a strong interest in combating the spread of the COVID–19 Delta variant. But our system does not permit agencies to act unlawfully even in pursuit of desirable ends…It is up to Congress, not the CDC, to decide whether the public interest merits further action here.”

The Court’s ruling put the focus squarely back onto the states. Although the Court recently invalidated a New York statute which prohibited evictions of individuals suffering a COVID-19 hardship, the Court’s emergency ruling was not a decision on the merits and the statute under review did not give landlords the ability to contest a hardship determination. 

Without further action by Congress the primary federal regulation of which credit unions have to be mindful is the CFPB’s regulation which takes effect on September 1st, mandating that servicers take additional steps to inform delinquent homeowners of loss mitigation options that may be available to individuals delinquent because of a COVID hardship. Crucially, unlike the eviction moratorium struck down by the Court, the CFPB’s new regulation does not mandate that specific relief be made available.

August 27, 2021 at 9:12 am

What FDA’s Vaccination Approval Means For Your Credit Union

The announcement yesterday that the FDA has given final approval to the Pfizer COVID-19 vaccine puts employers at the center of the debate about how to respond to the continuing COVID-19 health crisis.

The FDA’s decision provides further clarity regarding the rights of employers to mandate that employees get vaccinated as a condition of employment. Before yesterday’s announcement, vaccination opponents had argued, without legal success, that the emergency process used to initially approve the COVID-19 vaccine meant that individuals could not be forced to get vaccinated as a matter of federal law.

Now that argument is irrelevant. Within minutes of the announcement several employers announced that vaccinations would now be mandatory for their employees. Federal guidance already authorizes vaccine mandates and the Supreme Court ruled more than 100 years ago that there is no constitutional right not to be vaccinated. The vaccine announcement also comes at a unique time for employers in New York State. We have a new Governor and in recent weeks the state has largely avoided imposing new statewide mandates. Once again, this means that as employers you have more flexibility than ever before.

Now don’t get me wrong, just because you can legally do something doesn’t mean it’s a smart thing to do. The goal should be to maximize the number of employees who are safe and vaccinated. Whether this goal is best accomplished with a carrot instead of a stick is a case-by-case decision. But now that the legalities have been dealt with, policies should be clarified. Time to get that HR attorney back on the phone.

August 24, 2021 at 9:21 am

Another Important Foreclosure Case gives Lenders More Flexibility

A recent decision provides more clarity to New York’s Byzantine foreclosure process. For those of us who believe that the goal of foreclosure should be to ensure that the rights of homeowners are protected while at the same time ensuring that lenders can get access to homes that borrowers can no longer afford to be in, this is a good thing.

When you enter into a mortgage loan with a member, the member is agreeing to pay back the note in monthly installments. If a member misses a payment, you can actually sue and demand payment for the past due installment, which would be a ludicrous waste of time. Instead, a payment default is a violation of the repayment contract and the lender has the option of demanding that the member pay the full amount due on the mortgage note. New York has a six-year statute of limitations for mortgage foreclosure actions. The six-year time period starts when a bank or credit union makes an unequivocal demand on a delinquent homeowner to pay the entire amount due on a mortgage note. Since New York has one of the most intricate and time-consuming foreclosure processes in the country, it is not uncommon for foreclosures to take several years to complete, and there has been an explosion in litigation in which delinquent homeowners argue that the six-year statute of limitations has expired.

As a result, a key issue is how and when a lender can stop the foreclosure clock from running out by withdrawing a demand for full payment of a delinquent mortgage loan. Earlier this year the Court of Appeals decided Freedom Mortgage Corporation v. Engel in which it clarified the circumstances under which lenders could deaccelerate a mortgage note on which a bank had made a demand for full payment. In making its ruling, the court made clear that lenders simply had to put borrowers on notice that they no longer were obligated to immediately pay the entire amount due on their mortgage.

Seems clear enough, but what happens when a homeowner can show that a bank or credit union’s decision to stop demanding full payment of the note was primarily motivated by a desire to simply keep the six-year statute of limitations from running out? For example, in Milone v. US Bank a homeowner defaulted on a mortgage note on October 1, 2008 and a demand for full payment of the entire amount due was made in December of 2008. Fast forward to October 21, 2014, when the homeowner received a letter that the mortgage note was being deaccelerated and that the demand for immediate payment of the entire debt was withdrawn. Instead, our homeowner simply had to start making the monthly installment payments.

But in March of 2015 the homeowner sued the bank claiming that it was entitled to have the mortgage note discharged because the six-year statute of limitations had expired. The court agreed. It effectively ruled that a decision to halt a foreclosure action did not stop the six-year statute of limitations when a financial institution’s primary motivation is not to cease demanding full payment of the debt but to simply stop the foreclosure clock.

Here is the good news.  In a recent decision, 53rd Street LLC v. U.S. Bank, the Court of Appeals for the Second Circuit flatly rejected this logic. So long as a lender unequivocally deaccelerates the amount due on a mortgage note, it has the option of commencing a subsequent foreclosure action, even if the subsequent foreclosure action is filed six years after the initial demand for full payment of the note.

August 18, 2021 at 9:47 am

SC Rules that New York’s Eviction Moratorium Goes Too Far

The Supreme Court on Thursday granted emergency relief to landlords challenging a New York State statute barring them from commencing eviction proceedings against tenants who certify that they are suffering a financial hardship as a result of COVID-19. Although the law in question was set to expire on August 31st, the Court’s decision could have important implications if and when the state chooses to take similar steps in the coming weeks or in response to a future economic downturn.

Part A of Chapter 381 of the laws of 2020 provided that individuals could avoid foreclosures by indicating that they were being harmed by the pandemic. A separate section of the bill which the Supreme Court’s decision did not address extended similar protections to homeowners facing foreclosure. In blocking New York State from enforcing this bill against landlords the court technically did not issue a decision on the merits of the case, but by granting the emergency order a majority of the court signaled that New York’s law was illegal. There was even a dissenting opinion.

In a terse explanation of its decision, the majority explained that New York’s statute violated the “longstanding teaching that no man can be a judge in his own case.” In other words, any future law seeking to block evictions has to give landlords the ability to show that a tenant is not suffering from a financial hardship.

Like I said, although this case dealt specifically with evictions, the same argument could easily be made as applied to New York’s foreclosure ban, also set to expire on August 31st, which provides no mechanism for mortgage holders to contest a homeowner’s financial hardship.

Hochul Transition Picks Up Pace

New York’s Superintendent of the Department of Financial Services announced that she would be resigning on August 24th, the same day the Governor has indicated he will hand over power to Lt. Governor Kathy Hochul. Before becoming the Superintendent, Lacewell served as a top aide to the Governor and remained an active advisor.

As for the Governor-in-waiting, she spent Sunday morning appearing on two Sunday news shows demonstrating, yet again, that in politics a week really is a long time. Virtually overnight, she has catapulted from the lowest profile statewide position in New York State government to a nationally significant politician. 

August 16, 2021 at 9:19 am

Lawsuit Settlement Shows Who Really Controls Your CU

Earlier this week Plaid reached a $58 million settlement in a class action lawsuit alleging that the company’s business practices violated several state and federal laws related to the privacy of member account information and proper disclosures. The settlement is little more than a speeding ticket for Plaid and similar companies which specialize in helping third parties access the account information of your members.

Understanding what this company does is key to understanding just how obsolete technology is making traditional financial institutions. Increasingly, your institution does nothing more than hold information for the benefit of other financial intermediaries.

You may not have heard of this company, but you have probably used its technology; your members certainly have. Plaid specializes in transferring member account information to third party app providers such as Venmo and PayPal. In 2016 Plaid developed a new technique. Let’s say you signed up for Venmo. In the early days of the company you’d be asked to log in to your bank account. Doing so would provide Plaid a token with which they could access your account information. Starting in 2016 Plaid centralized the process even further. An individual applying for a Venmo account would select their financial institution, but instead of being directed to their credit union’s website, they would be directed to a website controlled by Plaid which looked just like the credit union’s website.

In other words, Plaid was able to further centralize the data collection process by using illegal phishing techniques, or so the plaintiffs in this case argued.

In settling the lawsuit Plaid agreed to make better disclosures and to do a better job of only keeping the information it needs to do its job. It also is going to more prominently provide consumers disclosures about what it does and how it does it.

But in one form or another, the system is here to stay. Tucked away in the Dodd-Frank Act is 12 USCA § 5533. It gives consumers the right to mandate that banks and credit unions share their account information with third parties of their choosing. One of the primary purposes of the provision was to make it easier for consumers to switch financial institutions by allowing a new bank or credit union to gather their account information.

Unfortunately while federal law has encouraged innovation in this area it has done little to update the consumer protection framework. Just about every major consumer protection law centers on the checking account and the loan provider. In fact, there are scores of companies accessing and using account information every day without any traditional consumer protection constraints.

August 11, 2021 at 9:08 am

What the CDC’s Announcement Means for Your Credit Union

The CDC’s announcement that it was altering its guidance to encourage vaccinated individuals to wear masks indoors in areas with substantial and high transmission rates may very well result in your credit union having to refine its workplace policies and procedures. The Governor issued a statement indicating that the state is reviewing the announcement. In the past the state has used CDC guidance to establish the baseline expectations for businesses in New York. Here is what we know for sure.

The state lifted its mask mandate for fully vaccinated individuals because, as of June 15th, 70% of New Yorkers had received at least one dose of the vaccine. What’s changed? The Delta variant of the virus has proven to be particularly tenacious and evidence is emerging that even fully vaccinated individuals can transmit the disease. Plus there are still a substantial number of individuals reluctant to get vaccinated. As can be seen from this map issued by the CDC, New York State has substantial numbers of new COVID cases.

The surging virus has forced employers to reconsider legal options when it comes to keeping their workplace safe. For example, the Veterans Administration announced that it was mandating that some of its employees get vaccinated and New York City is taking similar steps. The shift to a more aggressive posture reflects the mounting number of administrative rulings and judicial decisions which have reinforced that employers can mandate employee vaccinations provided they are mindful of genuine and sincere religious objections as well as the need for ADA accommodations.

One bellwether case that the legal community is watching is Bridges v. Houston Methodist Hospital, 2021. The case involves a nurse who was fired by the hospital after refusing to get vaccinated. The case is one of the first in which a federal court has directly addressed an argument, popularized on the internet, which contends that since the vaccines were approved on an emergency basis by the Secretary of Health and Human Services they can’t be mandated by employers. The plaintiff also contends that the status of the vaccines mandates that employers explain the potential benefits and risks of taking the vaccine.

The district court swiftly rejected this argument. According to the court, federal law permits the Secretary of Health and Human Services to authorize the vaccines on an emergency basis. Crucially, according to the court, “it neither expands nor restricts the responsibilities of private employers; in fact, it does not apply at all to private employers like the hospital in this case.” This case is currently up on appeal before the Fifth Circuit. If this case doesn’t give employers confidence to mandate vaccinations, the Secretary of Health is expected to approve the vaccine on a non-emergency basis sometime in the fall.

In addition to this case, in May the EEOC issued guidance authorizing employers to mandate vaccinations consistent with Federal Civil Rights Law.

And then of course there is New York State’s Hero Act. At this point the law requires nothing more than for employers to have an infectious airborne disease plan in place by August 5th. The plan only needs to be activated in the event that the Commissioner of Health issues a declaration that an airborne infectious disease presents a serious risk of harm to the public health. No such announcement has been made but recent events underscore the need to make sure you are ready to comply with NY’s law.

July 28, 2021 at 9:40 am

NCUA to CUs: Don’t Forget About New CFPB Foreclosure Regs

Yours truly is back from a recent visit to God’s country (aka Long Island) and this morning I have credit cards, mortgage regulations and class action lawsuits on my mind.

The NCUA has sent out this letter to credit unions reminding them that new regulations have been issued by the CFPB requiring mortgage servicers to take additional steps to ensure that individuals impacted financially by COVID-19 are vetted for potential loan modifications. These new amendments take effect on August 31st. As I explained in a previous blog, among other things these new regulations apply to homeowners who suffer a financial hardship due, directly or indirectly, to the national emergency for the COVID-19 pandemic declared on March 13th, 2020.

This announcement got me thinking about one of my favorite topics: The interplay between compliance and litigation, particularly for you bigger guys out there.

NCUA’s announcement is more than just a reminder of what needs to be done on your compliance to-do-list; it is in fact a warning that when you go to foreclose on someone for years to come both borrower attorneys and class action lawyers will be scrutinizing your compliance with these regulations to argue that but for your credit union’s failure to properly comply with these regulations, your member would still own their house.

For example, this morning Law360 reported on how a federal judge in California has increased the number of persons eligible for settlement money from a lawsuit alleging that Wells Fargo failed to properly evaluate borrowers for eligibility in the HAMP program. You may recall that the federal government responded to the mortgage meltdown which started a little over a decade ago by creating the Home Affordable Modification Program (HAMP) under which delinquent borrowers could seek modifications of their mortgage loans. Wells Fargo used a computer program that miscalculated eligibility requirements leading to hundreds of persons either losing their homes or spending more money than they otherwise would have had to. In other words, this is a classic example of how a compliance failure leads to a litigation mess.

Where New Yorkers Stand With Credit Card Debt

Here’s an interesting factoid for you: New Yorkers have among the most sustainable credit card debt in the country with median credit card balances of $1,854 and a median income of $54,588 with which to pay off that debt. These are among the findings of this report issued by WalletHub today.

See you tomorrow, enjoy your day.

July 27, 2021 at 9:32 am

How Portable Is “Your” Data?

That is the question yours truly is pondering after reading through Colorado senate bill 21-190. When the bill takes effect Colorado will become the third state in the nation, following California and Virginia, to pass legislation mandating that consumers be given greater control over their electronically stored personal data.

Like Virginia’s, Colorado’s law exempts financial institutions from its requirements, but its passage underscores why your vendor management in general and your contract language in particular are more crucial than ever in the absence of federal guidelines. Here is one reason why:

Colorado has followed the lead of other states and Europe in mandating that businesses that process and control personal consumer data have the ability, among other things, to ensure that consumers have: the right to opt out of their personal data being used by third parties for targeted advertising; the right to know who has their information; the right to correct inaccurate information; the right to delete personal information; and the right to “data portability.”

I’ve been told by IT people that conforming to these requirements is not easy, to put it mildly. But the tasks are made even more challenging in the absence of universal agreement as to who owns what data and what personal data is. As a result, even though financial institutions have been exempted from many of these laws, you should draft your contracts, particularly those dealing with your core processing functions, mindful of the need to easily access data on behalf of your credit union and members.

For instance, in reviewing contracts with your attorney, you should seek language stipulating that data will be stored in a universally available format. You also want to clearly delineate what data belongs to your credit union and what data belongs to your vendor. Your contract should also stipulate that vendors will only have access to data for the purpose of carrying out their obligations under the agreement.

Why is this or similar language so important? Because it will ensure that you have the ability to track who has access to the personal information of your members. Irrespective of what the law requires, members are going to increasingly expect to have greater control over their personal information. In addition, as I talked about in a recent blog, transferring from one core processor to another can be as acrimonious as a bad divorce. The clearer your contract specifies what information is to be transferred, the easier this process will be.

On that note, enjoy your weekend. For those of you who find soccer only slightly more exciting than watching paint dry, take a look at Sunday’s European Championship game between Italy and the UK. England is the Chicago Cubs of European Soccer minus a World Series win.

July 9, 2021 at 9:46 am

HUD Proposes Reinstating Disparate Impact Rule

On Friday the Department of Housing and Urban Development (HUD) announced that it was proposing regulations to reinstate an Obama era regulation scuttled by the Trump Administration which was designed to outline what had to be proven by individuals claiming a violation of the Fair Housing Act which prohibits discrimination on the basis of race, color, sex, and other protected classifications. Given the level of political discourse in this country, I suspect there will be a great deal of emotional debate. Here is a primer on the actual issues involved:

The core issue is how expansive HUD’s authority is to interpret the FHA and the regulation being debated is 24 CFR 100.500 which outlines how disparate impact in the provision of housing can be proven. Behind this ostensibly esoteric announcement lurks one of the most emotional and important debates that the nation will be having in the coming years; one that I suspect will only grow more intense: how much proof should be required to prove housing discrimination and should intent matter where policies have the effect of discriminating against someone on the basis of race?

In 2013, HUD issued regulations designed to “implement the Fair Housing Act’s discriminatory effect standards” (78 FED. REG. 11460. 2013). Even the title was loaded. At the time some lawyers argued that disparate impact analysis was not even authorized under the FHA. In 2015, this issue was addressed by the Supreme Court in Texas Dept. of Housing and Community Affairs v. Inclusive Communities Project. The Supreme Court ruled that it was within HUD’s authority to promulgate a disparate impact standard but the issue was still not settled. Ultimately, the Trump administration repealed these regulations and replaced them with a new standard that made it more difficult for plaintiffs to win (see 85 FR 60288-01, 2020).

It was back to the courts again. A district court ruled that these regulations clearly made it more difficult for plaintiffs to prove discriminatory impact. For example, these regulations required plaintiffs to “sufficiently plead facts” to support “[t]hat the challenged policy or practice is arbitrary, artificial, and unnecessary to achieve a valid interest or legitimate objective such as a practical business, profit, policy consideration, or requirement of law.” Massachusetts Fair Housing Center v. United States Department of Housing and Urban Development. In this decision, the federal district court in Massachusetts issued an injunction against the Trump era regulations. Today you can still read these regulations, but they exist in a regulatory twilight zone with no one quite sure of what the legal standard is.

There is undoubtedly more to come as the issues being debated ping pong between regulators and the courts. This is yet another issue that our system needs Congress to resolve and its inability or unwillingness to do so creates a vacuum which leaves financial institutions unsure of what they can and cannot do.

July 7, 2021 at 10:40 am


Authored By:

Henry Meier, Esq., Senior Vice President, General Counsel, New York Credit Union Association.

The views Henry expresses are Henry’s alone and do not necessarily reflect the views of the Association. In addition, although Henry strives to give his readers useful and accurate information on a broad range of subjects, many of which involve legal disputes, his views are not a substitute for legal advice from retained counsel.
