This morning’s American Banker is reporting on a “novel” solution that banks are employing to deal with the compliance burden. It’s reporting that five community banks in Kansas are sharing the cost of hiring a compliance person. This is a great idea, but it’s not new. It’s one that the credit union industry has already been using for at least a decade. Your credit union may already be able to participate.
In New York, we have two compliance people who work with a group of credit unions to provide compliance services. One specialist is in Central New York; one is in the Western part of the State. We are currently interviewing for a third person who will work with credit unions in the Westchester-Rockland region. We got the idea from talking to our counterparts in Georgia and Texas, and I’m sure there are other states that have jumped on the bandwagon.
In New York, the Association facilitates discussions with a group of credit unions that are willing to share the cost of a compliance specialist. If there is enough interest, the Association hires a person in that region. Our compliance department is responsible for training the specialists and is always there as a backup to help with difficult questions and projects. The program provides a cost-effective way for smaller credit unions to not just complain about the compliance burden but actually do something about it. It also provides larger credit unions the opportunity to use a compliance person to take on specific tasks.
Regular readers of this blog know that its purpose is not to plug credit union services. But I feel so strongly about this model that if your Association doesn’t offer to facilitate shared compliance services, you should ask it to look into it. It’s a win-win.
Big Day at the NCUA Today
Compliance specialists should be sure they have enough coffee because today could be a long one. The NCUA has scheduled a busy board meeting that will provide plenty of required reading. Most importantly, if all goes according to plan, the Board will finalize amendments to field-of-membership requirements for FCUs and have a board briefing on supplemental capital. Later today, NCUA will also be holding a budget hearing. I will try to find the best highlights for tomorrow’s blog. I bet you can’t wait.
When the benign dictator of consumer protection says he’s “gravely concerned” about something, it’s best to pay attention to what’s on his mind. So, this morning I want to give you a heads up about screen-scraping.
There are individuals and companies that authorize third parties to collect information from their online accounts so that it can easily be used for other purposes. For instance, it might be helpful for your financial planner to be able to plug in data from your bank accounts.
But big banks are increasingly frustrated by these legal poachers. In his letter to shareholders in April, Jamie Dimon explained that “One item that I think warrants special attention is when our customers want to allow outside parties to have access to their bank accounts and their bank account information. Our customers have done this with payment companies, aggregators, financial planners and others. We want to be helpful, but we have a responsibility to each of our customers, and we are extremely concerned.”
Speaking at the Money 20/20 convention in Sin City yesterday, Director Richard Cordray was not to be outdone in the concern department. He said he was “gravely concerned by reports that some financial institutions are looking for ways to limit, or even shut off, access to financial data rather than exploring ways to make sure that such access, once granted, is safe and secure.”
That’s right. When it comes to screen scraping it’s the banks arguing for more privacy protection and the CFPB warning against placing too many burdens on consumers who want to share their information. Paging Alice in Wonderland. Why do I think that credit unions and community banks could get caught in this crossfire of competing concerns?
On Friday, access to major websites, including Twitter, Netflix and the New York Times, was shut down as the result of a massive distributed denial-of-service attack just after 7 a.m. When Twitter couldn’t be reached, officials originally thought that Donald Trump was simply sending out too many tweets complaining about media bias following his botched debate performance and cratering poll numbers, but the attack was actually a sophisticated assault on a New Hampshire company called Dyn that helps direct internet traffic. Just joking about the Trump stuff. The bad guys would never want to shut down Trump.
Why should you care? Because the attacks demonstrate (1) the importance of cybersecurity mitigation based on the size and complexity of your credit union’s operations, (2) the need for contracts that memorialize vendor liability and oversight and (3) the need for policymakers to take a holistic approach to cybersecurity that involves all industries shouldering responsibility to mitigate cyber threats. Your credit union might not be directly at risk, but your vendor very well could be.
First, some background. Distributed denial-of-service attacks are nothing new. Basically, hackers search the internet for devices to take over. Once they discover a vulnerable device and its password, they can redirect these machines to send data at targeted sites. The more devices that can be used in the attack, the larger it is going to be.
When it was just computers that were hooked up, these attacks were bad enough, but with the explosion of devices hooked up to the internet these attacks have become that much more lethal. Security experts have been sounding the alarm for months that not enough security precautions are being taken when gadgets such as DVRs and cameras are hooked up to the web. According to Krebs on Security, the problem is exacerbated by standard factory password settings. He further reports that even if these passwords are changed, it’s relatively easy for hackers to get around these changes.
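The background above describes the attack from the attacker’s side: many hijacked devices all sending traffic at one target. From the defender’s side, the same shape is what a monitoring system looks for: one destination suddenly receiving far more requests, from far more distinct sources, than it normally does. The following is an added example, not code from the original post or from any vendor it mentions, and the log format and traffic sample are constructed for illustration. It buckets connection-log lines into fixed time windows per destination and flags windows where both the request count and the number of distinct sources cross a threshold, which distinguishes a distributed flood from a single misbehaving client.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed sample, not real traffic.

    Each line has the hypothetical form 'YYYY-MM-DDTHH:MM:SS src_ip dst_host'.
    The first block is ordinary traffic: three clients, one request every
    five seconds for a minute. The second block is a flood: eight compromised
    devices each sending three requests inside a single ten-second window.
    """
    base = datetime(2016, 10, 21, 7, 0, 0)
    lines = []
    for i in range(12):
        for j, src in enumerate(["10.0.0.1", "10.0.0.2", "10.0.0.3"]):
            ts = base + timedelta(seconds=5 * i + j)
            lines.append(f"{ts.isoformat()} {src} resolver.example")
    flood_start = base + timedelta(minutes=2)
    for k in range(8):
        src = f"198.51.100.{k + 10}"
        for r in range(3):
            ts = flood_start + timedelta(seconds=r * 2 + k % 2)
            lines.append(f"{ts.isoformat()} {src} resolver.example")
    return lines


def parse_line(line):
    """Split one constructed log line into (timestamp, source, destination)."""
    ts, src, dst = line.split()
    return datetime.fromisoformat(ts), src, dst


def detect_floods(lines, window_seconds=10, min_requests=20, min_sources=5):
    """Flag (destination, window) pairs that look like a distributed flood.

    Requests are bucketed per destination into fixed windows measured from
    the earliest timestamp in the log. A window is reported only when it
    exceeds BOTH the request threshold and the distinct-source threshold:
    one chatty client trips the first but not the second, while a botnet
    trips both. Thresholds are placeholders to be tuned per site.
    """
    events = [parse_line(line) for line in lines]
    origin = min(ts for ts, _, _ in events)
    buckets = defaultdict(lambda: {"requests": 0, "sources": set()})
    for ts, src, dst in events:
        window = int((ts - origin).total_seconds() // window_seconds)
        bucket = buckets[(dst, window)]
        bucket["requests"] += 1
        bucket["sources"].add(src)

    alerts = []
    for (dst, window), bucket in sorted(buckets.items()):
        if bucket["requests"] >= min_requests and len(bucket["sources"]) >= min_sources:
            alerts.append({
                "dst": dst,
                "window_start": origin + timedelta(seconds=window * window_seconds),
                "requests": bucket["requests"],
                "sources": len(bucket["sources"]),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_floods(build_sample_log()):
        print(f"{alert['window_start'].isoformat()} {alert['dst']}: "
              f"{alert['requests']} requests from {alert['sources']} sources")
```

Run against the constructed sample, only the flood window is reported; the ordinary windows carry six requests from three sources and stay below both thresholds. Lowering the thresholds shows why the second condition matters: the request count alone would also light up a single busy but legitimate client.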
So what can and should you do? As luck would have it, on Thursday the Federal Financial Institutions Examination Council released a “frequently asked questions” document about the cybersecurity assessment tool unveiled by the Council last year.
The assessment tool provides financial institutions with a framework for assessing an institution’s cybersecurity risk profile and its preparedness to mitigate cybersecurity attacks. In addition, it says that institutions may customize the assessment for their individual needs. While I have never been against the assessment, I was concerned that regulators were imposing the same analytical framework requirements on Citibank and a $20 million credit union. So I was pleasantly surprised that regulators clarified that no institution is mandated to use the assessment. It is no more and no less than a “voluntary tool that institution management may use to determine an institution’s inherent risk and cyber security preparedness.”
In this environment there are three main steps the industry has to take. First, we have to ensure that whatever additional mandates are imposed on businesses provide institutions the flexibility they need to establish cyber protections consistent with their own risk profile. The assessment is a good place to start. Secondly, we have to continue to explain to regulators and policymakers the steps that financial institutions and their regulators have already taken for several years to protect against cyber assaults. Europe has already suggested baseline cybersecurity standards for manufacturers, and financial institutions have a stake in advocating for this country to impose similar standards. Thirdly, all businesses, including merchants, have to be subject to cybersecurity protocols. Mechanisms have to be put in place to hold them accountable when they fail to do so. Finally, do you know who your vendor uses to provide you with the computer services your members expect? If you don’t, then you don’t know how vulnerable your credit union is to cyberattacks. One thing you may want to do is to ask your vendors to take the risk assessment and tell you the results.
If you woke up early to watch the Giants game on Sunday, you did more than the Giants, who won despite sleepwalking through one of the most boring, uninspired football games I have ever seen them play. Anyone who tells me how much more exciting football is than baseball hasn’t been watching the Chicago Cubs make it to the World Series.
By the way, the Cubs last won the World Series in 1908, the same year St. Mary’s Cooperative Credit Union was founded in Manchester, New Hampshire. In other words, North America’s credit union industry is as old as the Cubs’ losing streak. I hope a Cubs victory in the World Series isn’t a bad omen for the next hundred years.
The Bureau that never sleeps is at it again.
Yesterday it released final regulations extending basic account protections to prepaid cards. The regulations take effect next October. The rule generally applies to general use reloadable prepaid cards. It is intended to provide card users with protections against loss and unauthorized use similar to those provided to credit card users.
Conceptually, Director Cordray has a point on this one. For an increasing number of Americans, prepaid cards are their bank accounts. Right now these are the most unregulated consumer financial product in the country. It makes sense to ensure that they have some of the basic rights and protections afforded to traditional account holders. As always, however, we won’t know the regulation’s full impact until stakeholders have time to go over the 1,600 pages accompanying the final rule.
Incidentally, in crafting the rule the CFPB spent a lot of time analyzing and discussing overdraft protections. For those of us who are convinced that it is only a matter of time before the Bureau enacts generally applicable regulations in this area, you may want to look at an interesting discussion of overdrafts that begins on page 59 of the link I gave you. The Bureau points out that “Although Congress did not exempt overdraft services or similar programs offered in connection with deposit accounts when it enacted TILA, the Board in issuing Regulation Z in 1969 carved financial institutions’ overdraft programs (also then commonly known as “bounce protection programs”) out of the new regulation.” In other words, the Bureau is well within its rights to impose further overdraft restrictions simply by amending Regulation Z.
Whether it should do this is of course another issue.
NCUA Issues Letter Detailing MLA Examinations
The NCUA released a letter to credit unions informing them that examiners will be expecting credit unions to make “reasonable and good faith efforts” to comply with the Military Lending Act now that the regulations have taken effect. This is the regulatory equivalent of giving an “A for effort” so long as a credit union is familiar with the regulation, is making an effort to implement it and has appropriate policies and procedures in place.
Remember your gumption might get you off the hook with NCUA but it doesn’t relieve you of your ongoing obligations to military personnel and their dependents.
Today is the first Monday in October; which means it is the first day of the new Supreme Court term; which means you get deluged with articles describing the year’s most important cases; which means that your faithful blogger doesn’t want to miss out on the fun.
Here is my sleeper pick for a case that could have a profound impact on the way the credit card system works and the way associations operate: Osborn v. Visa Inc., 797 F.3d 1057, 1061 (D.C. Cir. 2015), cert. granted, 136 S. Ct. 2543 (2016).
Visa and MasterCard rules stipulate that no ATM operator may charge customers whose transactions are processed on Visa or MasterCard networks a greater access fee than that charged to any customer whose transaction is processed on an alternative ATM network. Thus as the appellate court noted, under the Access Fee Rules, operators cannot say to cardholders: “We will charge you $2.00 for a MasterCard or Visa transaction, but if your card has a Star or Credit Union 24 bug on it, we will charge you only $1.75.” A group of independent nonbank ATM operators and a consumer who paid debit card fees assert that these rules illegally restrain the efficient pricing of ATM services. They characterize the Access Fee Rules as constituting an “anti-steering” regime that prevents independent ATM operators from incentivizing cardholders to choose and use cards “that are more efficient and less costly than either Visa or MasterCard’s.”
On appeal, the court made two rulings that will be reviewed: (1) that the economic harm caused by consumers who had to pay higher ATM fees was sufficient harm to challenge the legality of the ATM fees and (2) whether card issuers have violated antitrust laws by merely agreeing to the Visa and MasterCard rules.
In other words, depending on how this case is decided, the ability of card issuers to be on a level playing field with each other when it comes to honoring all card requirements could be in jeopardy. In addition, card issuers could face litigation over Visa and MasterCard rules not just from merchants and ATM operators but from disgruntled consumers. Finally, just how much can Associations do in coordinating industrywide activity without running afoul of the antitrust laws? It may not be the type of case that gets the family arguing with each other over the dinner table, but it could impact the way everyone reading this post does business.
What Would You Do If You knew You Had Five Minutes To Live?
That was the question posed by Rabbi Kenneth Berger in a Yom Kippur sermon he delivered in the aftermath of the Challenger shuttle tragedy in which the astronauts are believed not to have died until the shuttle crashed into the sea. The sermon was highlighted in this article over the weekend and I’ve been thinking about it ever since. Here is my favorite quote:
“The explosion and then five minutes. If only I… If only I… And then the capsule hits the water, it’s all over. Then you realize it’s all the same — five minutes, five days, 50 years. It’s all the same, for it’s over before we realize. ‘If only I knew’ — yes, my friends, it may be the last time. ‘If only I realized’ — yes, stop, appreciate the blessings you have. ‘If only I could’ — you still can, you’ve got today.”
The Supreme Court has decided to hear an appeal of a case challenging NY’s ban on credit card surcharges on the grounds that it violates the First Amendment. The Association submitted an amicus in the case in support of the surcharge ban when it was before the Second Circuit, pointing out that in Australia a decision to authorize credit card surcharges simply resulted in higher consumer costs.
New York General Business Law §518 bans merchants from surcharging credit card purchases but allows merchants to offer cash discounts. The law hasn’t gotten that much attention over the years because surcharging was also banned under credit card network rules. When the network ban was eliminated as part of a deal settling antitrust claims, attention turned to the ten states, including NY, that impose surcharge bans.
In Expressions Hair Design v. Schneiderman, 808 F.3d 118 (2d Cir. 2015), five retailers argued that the law prevented them from accurately explaining their pricing policies to their members. The Second Circuit upheld the ban, reversing a lower court ruling that it violated the First Amendment rights of the merchants.
In their appeal the merchants asked the Court to decide “whether these state no-surcharge laws unconstitutionally restrict speech conveying price information (as the Eleventh Circuit has held), or do they regulate economic conduct (as the Second and Fifth Circuits have held)?”
We will know the answer to this question by the end of this term. If the Court were to split 4-4, the Second Circuit’s ruling is upheld.
Red Sox Awakening
Congratulations to the Red Sox and their fans for backing into the American League playoffs despite losing to the Yankees on a walk off grand slam Wednesday night. Wait till next year.
Life was a lot more fun when you knew the Red Sox were going to fall just short. It was a real-life version of the football being pulled away from Charlie Brown, with the added benefit of always being able to win any argument against Boston fans just by mentioning the Red Sox.
By the way, as much as I don’t like the Red Sox, how great would a Cubs-Red Sox series be? It would be like watching Theo Epstein, the former GM of the Sox and current GM of the Cubs, playing himself in fantasy baseball but with live players.
According to the Recode blog, Yahoo will shortly be publicly disclosing a massive data breach involving hundreds of millions of user names, passwords, personal information like birth dates and other email addresses. Yahoo has been investigating the breach since August, when it discovered that a hacker named “Peace” was selling the information on the “dark” web for nearly $1,800. The story is intriguing because (1) I am shocked that Yahoo still has that many users, and (2) the story shows yet again why state data breach disclosure laws need to be tightened and Federal standards need to be enacted.
New York has a fairly typical disclosure notification statute. Section 899-aa of the General Business Law mandates that companies disclose data breaches “in the most expedient time possible, and without unreasonable delay” but “consistent with the legitimate needs of law enforcement” and “any measures necessary to determine the scope of the breach and restore the reasonable integrity of the system.” When this legislation was passed, these broad disclosure guidelines made sense. The thinking was that premature disclosures might disrupt investigations and even encourage additional breaches before security vulnerabilities could be remedied. Incidentally, in 2011 the SEC issued guidance for publicly traded companies to disclose data breaches. But since such breaches must only be disclosed when they have a “material impact” on a company’s stock, publicly traded companies have a tremendous amount of flexibility in determining what needs to be disclosed and when.
Times have certainly changed. Businesses not only know of breaches long before they tell the public, but the bad guys know that they know and they don’t care. For instance, a savvy hacker like “Peace” knows that among the people shopping for his treasure trove of information are businesses surfing the “dark” web to see if their information has been stolen. When reporter Brian Krebs disclosed the Target data breach, he confirmed the story by talking to a fraud analyst at a major bank whose team had independently purchased hacked information.
Sophisticated hackers like “Peace” probably aren’t stealing personal information so that they can break into a bank or a credit union the next day. They are simply putting the information on the black market and getting the best price they can from criminal retailers, who will be the ones stealing from accounts. The result is that the true impact of massive data breaches is only felt over time. It also means that the sooner consumers have as much information as possible about data breaches, the more they can do to protect themselves. Presently, consumers are the last to know that their personal information is compromised. If the public can be enlisted to hunt down terrorists, surely it can be trusted with timely information about data breaches.
What we need are hard deadlines for mandated disclosures, with exceptions only when a company can demonstrate that a disclosure would result in direct, immediate and substantial harm.