Posts filed under ‘Regulatory’

Cybersecurity Fine Against Carnival Is A Reminder To Take Your Cybersecurity Obligations Seriously

New York’s Department of Financial Services recently announced the imposition of a $5M fine against Carnival Corporation and its subsidiaries for failing to promptly report a series of data breaches and ransomware attacks and providing inadequate cybersecurity training to its staff.  The fine is the latest example of how New York is aggressively pursuing actions against “covered entities” that don’t comply with New York’s cybersecurity regulations.

I’ve decided to use Carnival’s misfortune as a pretext for reminding you of New York’s regulations.  Even if you are not a “covered entity”, you would be well advised to be aware of New York’s mandates, as they are playing a leading role in shaping industry expectations when it comes to cybersecurity programs.

Under New York State’s regulations, a “covered entity” is defined as “any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law” [23 CRR-NY 500.1(c)].  This definition means that state chartered institutions as well as CUSOs that are licensed by New York State must comply with this regulation.  For example, Carnival Corporation was licensed to provide insurance in New York State, a license it surrendered following this fine.

A cybersecurity event means any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an information system or information stored on such information system. [23 CRR-NY 500.1(d)]. 

Last, but not least, “covered entities” are responsible for implementing a cybersecurity framework which, at a minimum:

(1) Identifies and assesses internal and external cybersecurity risks that may threaten the security or integrity of nonpublic information stored on the covered entity’s information systems;

(2) Uses defensive infrastructure and the implementation of policies and procedures to protect the covered entity’s information systems, and the nonpublic information stored on those information systems, from unauthorized access, use or other malicious acts;

(3) Detects cybersecurity events;

(4) Responds to identified or detected cybersecurity events to mitigate any negative effects;

(5) Recovers from cybersecurity events and restores normal operations and services; and

(6) Fulfills applicable regulatory reporting obligations.

DFS’s latest action involved a series of data breaches and ransomware attacks against Carnival Corporation.  Carnival Corporation is a licensed insurance provider in New York State.  According to the Department, there were at least four separate cyber security incidents that were not reported to DFS within 72 hours as required under the regulations.  Covered entities must file notice of a cybersecurity event with the Department pursuant to the requirements of 23 NYCRR §§ 500.17(a)(1) and (a)(2). Section 500.17(a)(1) requires notice to the Superintendent, within 72 hours of determining there has been a cybersecurity event, when notices are “required to be provided to any government body, self-regulatory agency or any other supervisory body.” 

New York’s regulation also underscores why it is so important to understand the specific obligations in the states in which you operate.  New York has a particularly broad definition of what constitutes a reportable event since reporting obligations are triggered as soon as non-public information (NPI) is exposed to an unauthorized third party, regardless of whether or not there is evidence that the NPI was stolen or misused.  Furthermore, reporting obligations are triggered for any cybersecurity events “… that have a reasonable likelihood of materially harming any material part of the normal operation(s) of the covered entity”.  This is a broad net and the Department has repeatedly demonstrated that it has little patience for entities that don’t follow the 72 hour mandate.

Carnival Corporation’s other mistakes shouldn’t surprise anyone responsible for overseeing their credit union’s operations in this space.   For example, there was a period during which employees with access to NPI did not have to use multifactor authentication. 

Finally, remember that every “covered entity” must now have an individual personally certify, every year, that it is complying with these regulations.  New York State’s latest action is the latest example of why you must take this certification seriously.

June 28, 2022 at 10:34 am

The Most Important Development in DC Last Week

While the Supreme Court sucked-up all the oxygen in the political universe last week, there are a couple of important regulatory developments that I wanted to highlight for you. 

Most importantly, it appears that the CFPB might be putting on the brakes when it comes to imposing restrictions on overdraft fees.  As summarized by the Regulatory Report (which, by the way, is essential reading for those of us responsible for tracking regulatory developments), regulation of overdraft was not included in the CFPB’s Spring 2022 Unified Agenda of Regulatory and Deregulatory Actions.  This does not necessarily mean that we won’t see some action taken on the issue, but it does seem to signal that the CFPB is taking a much less aggressive posture than it did when it suggested overdrafts were junk fees just months ago.  Similarly, the NCUA did not include overdraft action on its list of agenda items.  Remember that with or without regulatory action in this area, overdraft litigation is alive and well.

But not all the regulatory developments were this positive.  The CFPB has issued an Advance Notice of Proposed Rulemaking through which it will collect information about credit card late fees and whether adjustments have to be made to the current regulatory framework created by the CARD Act.  To give you a flavor of what is under consideration, the CFPB is asking “whether, and if so how, you determine that the late fee amount is proportionate or otherwise related to the cost you incur from a late payment”.

None of this means that changes are imminent, but you may want to refresh yourself about how your credit union determines what it is going to charge for late fees.

June 27, 2022 at 9:22 am

CFPB’s Deceptively Important Guidance On “Black Box” Lending

The CFPB is issuing guidance at a hyperkinetic speed which means that it is easy to miss important statements that could impact standard operational practices.  The latest example of this trend is this circular explaining that the obligation of lenders to provide accurate reasons for the denial of credit to members extends to decisions based on complicated algorithms.  There’s more to this succinct interpretive ruling than meets the eye. 

One of the really interesting issues that I have blogged about in recent years involves the operational applicability of fair lending laws to increasingly complicated algorithms which rely on scores of data points to determine whether or not someone should get a loan.  On the one hand is the hope that integrating nontraditional data into lending decisions will increase the number of persons eligible for loans, since it is often the poor or underserved who have the thinnest credit histories.  On the other hand are those who argue that complex black box algorithms pose a threat to these borrowers by allowing lenders to deny credit based on algorithms which have the effect of discriminating against minority groups based on criteria that cannot be easily identified.  In truth, we are nowhere near the point where we should be making definitive legislative or regulatory judgements on these issues, but that’s not stopping those on either side of the argument.

Which brings us to the CFPB’s circular addressing so called “black box” lending.  It has three major implications which your credit union should keep in mind as it utilizes increasingly sophisticated algorithms. 

  • Most importantly, regardless of how sophisticated your lending criteria become, Regulation B still applies.  This means that you have to be able to provide your members with the principal reasons why credit was denied.
  • Currently, most lenders meet their notice requirements by providing forms from Appendix C of Regulation B.  However, this guidance stresses that “… while Appendix C of Regulation B includes sample forms intended for use in notifying an applicant that adverse action has been taken, “[i]f the reasons listed on the forms are not the factors actually used, a creditor will not satisfy the notice requirement by simply checking the closest identifiable factor listed.””  In other words, don’t assume the existing Appendix provides you a safe harbor against legal and regulatory actions.
  • Based on these previous two points, the CFPB is basically saying that some algorithms may be too complicated for your credit union to use.  Not only that, but it also basically invites lawsuits to be brought against institutions that dare to engage with this sophisticated new technology by stating that “A creditor’s lack of understanding of its own methods is therefore not a cognizable defense against liability for violating ECOA and Regulation B’s requirements.”

Let’s hope that the CFPB plans to do more than issue this letter in addressing this core issue.  Rather than simply discourage innovative lending, let’s hope the CFPB is planning on finding the time to propose amendments to Regulation B and its accompanying Appendix C so we can have a truly thoughtful discussion about the proper role that artificial intelligence can play in the modern financial ecosystem. 

June 1, 2022 at 9:57 am

NCUA to Credit Unions:  Explore Distributed Ledger Technology, But Be Very, Very Careful

As I was reading NCUA’s industry guidance, giving credit unions the green light to explore the potential uses of Distributed Ledger Technology (DLT), I was reminded of the scene in Young Frankenstein where Gene Wilder’s Dr. Frederick Frankenstein and his assistant, Marty Feldman’s Igor, are about to go down to a dungeon from which they hear mysterious noises; Igor says “Master, it might be dangerous, you go first.”

Now, don’t get me wrong.  I am not minimizing the importance of the letter and I think NCUA deserves credit for coming out with this opening guidance.  It accomplishes two main goals.  First, it ensures that credit unions can at least explore the potential uses of DLT without running afoul of their regulator.  Secondly, as explained by the Agency, “[t]his letter also signals to the broader financial and technology communities that credit unions are a market to consider when designing products, considering partnerships, or making investments.”  This is a particularly important announcement for an industry comprised of institutions who will almost all have to work with vendors. 

NCUA recognizes that credit unions have to feel free to consider using DLT; the problem is that no one knows precisely what those uses are going to be or how they may evolve.  As a result, NCUA’s letter is understandably just a first step in what promises to be an increasingly complex regulatory process, and any credit union thinking seriously about integrating DLT should make sure it does so only after working with its regional regulators.

Nevertheless, for those of you looking for specificity at this point, you will be disappointed.  Most notably, the memo does not provide a definition of DLT; instead, it includes a footnote providing further background information from other sources including information from the National Institute of Standards and Technology.  The information provided by these sources will create as many questions as answers for those of you in charge of evaluating this issue. 

As I have explained in this blog, virtual currencies may come and go quicker than Elon Musk can decide to buy Twitter and then announce he doesn’t want to buy Twitter, only to confirm that he does want to buy Twitter, but DLT is going to transform any industry that stores and transfers information.  It provides a mechanism for a network of computers to confirm and store proof of transactions without the need for third parties such as credit unions and banks.

Nothing else in the guidance should surprise you.  Similar to the letter released earlier this year authorizing credit unions to partner with third-party virtual currency vendors, the letter emphasizes the need for due diligence and compliance with all applicable state and federal law.  This means that even though this guidance applies to both federal and state-chartered institutions, state charters should also reach out to New York’s Department of Financial Services to clarify the conditions under which they can provide similar services. 

On that note, enjoy your three-day weekend.  Next week is the end of the State Legislative Session so stay tuned for any updates and recaps that the Association will be providing in the days ahead. 

May 27, 2022 at 9:26 am

What CFPB Guidance Means For New York

Last week the CFPB issued an interpretive ruling clarifying the power that state regulators and attorneys general have to enforce provisions of the Consumer Financial Protection Act (CFPA) against both state and federally chartered institutions.  It could have important implications for those of us living in states such as New York with an aggressive enforcement approach to consumer protections. 

12 USC § 5552 is one of the most important provisions of the CFPA.  Prior to the Act, federal bank regulators, most notably the OCC, had aggressively preempted state law which they argued interfered with the federal bank charter.  NCUA was pulled in a similar direction but has never interpreted preemption as aggressively as its banking counterparts.  This section, entitled “Preservation of enforcement powers of States” was designed to reverse this trend.  Most importantly, for our purposes, it gives states the authority to bring legal actions against both state and federally chartered institutions for violations of regulations enforced by the CFPB.

The law hasn’t been amended in more than a decade, and regulators such as New York’s Superintendent Adrienne Harris, who helped promulgate the initial regulations, are certainly aware of this provision.  So why the need for this interpretation?  First, it underscores that the CFPB is encouraging states to take a more active role in enforcement.  (The problem is that those of us who live in the states most likely to be inspired by this encouragement don’t feel that additional encouragement is necessary.)

The most important aspect of this guidance is that it explains that states not only have the authority to enforce specific regulations but that they also have the authority to utilize the CFPB’s unfair, deceptive, or abusive acts or practices (UDAAP) powers as part of their enforcement efforts [see section 1036(a)(1)(B)].  This is a big deal.  New York’s DFS does not currently have UDAP powers as a matter of state law.  The CFPB just clarified that it has this more flexible enforcement tool when it comes to enforcing key federal consumer protections. 

May 26, 2022 at 7:00 am

What The Zelle Is Going On Here?

That is the question yours truly has been pondering since I read the complaint in a class action lawsuit recently filed against Navy Federal Credit Union. Those of you who promote the use of payment apps should watch this case closely because if it is successful, it will provide a roadmap to sue financial institutions for years to come. The case is Wilkins v. Navy Federal Credit Union, case number 2:22-cv-02916 which was recently highlighted by Law360.

Zelle is a payment app started in 2017 by a group of the nation’s largest banks. Like Venmo, it provides members a convenient way of electronically transferring funds to other network users. Typically, these transactions are facilitated with the use of a member’s debit card.

The plaintiff in this case received a voicemail from her utility company purportedly informing her that her electric bill was overdue and that if it did not receive an immediate payment her service could be cut off. The voicemail provided the plaintiff with a number to “Zelle transfer” her overdue balance. In fact, New Jersey had a moratorium on utility payments and PSE&G would not make such a request, but the panicked plaintiff sent fraudsters $998 using Zelle, believing she was transferring the money to the utility. When she called the phony utility number, she was told that they never received the initial transfer and that she should send an additional payment.

This is the part that has me bemused and bewildered: the plaintiff isn’t contending that the credit union is strictly liable for the transaction under Regulation E, which would most likely lead to a legal dead end; instead, she argues that the credit union deceptively marketed Zelle to its members by not adequately explaining the risks of using Zelle. She argues that, had she been aware of the risks inherent in using Zelle, she never would have signed up for the product in the first place.

This is a not-so-subtle attempt to evade Regulation E, which generally provides reimbursement for consumers whose debit cards are used without their permission [§ 1005.2(m)].  In this case, Navy can argue that the debit card transaction used to facilitate the fraudulent conduct was clearly authorized by the member who initiated it using Zelle.  While the CFPB has suggested that this type of transaction is in fact subject to Regulation E’s protections, the Bureau’s interpretation is open to dispute.  In contrast, if the plaintiffs successfully sue Navy Federal, the nettlesome issue of what the law and regulation actually requires becomes largely irrelevant.

In an ideal world, Congress would step in and update the Electronic Funds Transfer Act (EFTA) to reflect the radically different world we now bank in, as compared to when the law was passed in the late 70s.  Of course, the world is not ideal which means that it is time to start reviewing your account and marketing language to see if they are vulnerable to the same legal arguments being made against Navy FCU.

May 25, 2022 at 7:00 am

Bitcoin is Dead.  Long Live the Bitcoin!

With an impeccable sense of timing, last Tuesday I gave a presentation on the future of virtual currency at a chapter event in which I proclaimed that the technology is going to fundamentally change the way banking is carried out only to read headlines the next morning detailing how investors are running for the exit when it comes to virtual currency. 

A colleague of mine who was at the event even emailed me to ask me if I wanted to change my opinion: my answer is a resounding No.  To be clear, many virtual currencies will go the way of the tulip in 17th century Holland, but the technology makes so much sense that in the coming years, financial institutions will either have to adopt it as their own or be left behind. 

When we talk about virtual currency, it’s important that we all agree on the terms to be used, particularly in the absence of regulatory definitions.  When I’m referring to virtual currency, I am talking about an electronic store of value which is traded electronically using Distributed Ledger Technology (DLT).  By DLT, I am referring to a system of network computers which validates transactions involving virtual currencies using advanced cryptography without the use of a third-party intermediary.

I have no idea what the bitcoin is going to be worth a week from now; but I do know that, as we speak, companies large and small are thinking of ways to apply DLT.  For example, imagine a world in which the job of the county clerk to record home purchases and liens is usurped by DLT which creates a chain, which everyone can access, recording every single transaction involving that piece of property. Imagine a world in which overdraft transactions are a vestige of a bygone era because transactions are executed immediately. 

This is also a world in which there is less and less need for third party intermediaries such as credit unions.  Remember, a DLT network validates and records transactions. 

But this is not one of those “credit unions are obsolete” blogs.  Instead, for those of you who understand the technology, there are many things you can do to integrate your institution into this new technology and benefit your members along the way.  For example, the OCC has already authorized banks to act as electronic wallets (effectively, safe deposit boxes) for consumers who want a central place to store those passwords and electronic keys they need to access all those transactions recorded on those distributed ledger chains.  In addition, this technology will make the NACHA network about as antiquated as rabbit ears on a black and white television.

The bottom line is: even as you chuckle at that crazy cousin who just lost all that money investing in a virtual currency which exists only in cyberspace, keep on planning for a world in which the technology that powers that currency changes the way virtually all important financial mediation is done.

May 17, 2022 at 9:32 am

Required Reading for the Compliance Geek

Yours truly is always a little ambivalent when someone gives me a reading suggestion; on the one hand, I love a good recommendation, on the other, there’s an implicit pressure that comes with the suggestion lest you have to sheepishly explain why you haven’t gotten to the book the next time you run into the recommender.  So, with apologies to those of you who already have a list of compliance material piling up in your virtual in-box, there are two recent publications that all good compliance people should take the time to peruse.

Most importantly, the CFPB released its Quarterly Compendium Of Supervisory Highlights which it uses to put financial institutions on notice as to its areas of regulatory emphasis in the coming months.  The Spring issue includes many topics with which I have seen credit unions grapple in the past, including mandatory re-evaluation of increased credit card interest rates under the Credit Card Accountability Responsibility and Disclosure Act of 2009 (Credit CARD Act) and continued concerns about the reporting practices of financial institutions under the Fair Credit Reporting Act.  But the issue that the CFPB decided to highlight that I think credit unions would be well advised to look at most closely has to do with GAP car insurance and the refund of excess payments.  This has already been the subject of lawsuits and if the issue is highlighted by the CFPB you can bet it’s one that class action lawyers will continue to scrutinize.   

A second document you should review is one of my personal favorites.  A new Consumer Compliance Outlook report has been issued by the Philadelphia Federal Reserve.  This issue provides you with a comprehensive overview of CDFIs and how to become one.  I know this is an area that many a credit union has been examining and, as usual, the report is concise and useful. 

On that surprisingly upbeat note, enjoy your day.  For the five of you who care about hockey out there in the blogosphere, I am predicting a Tampa Bay-Calgary Stanley Cup but was unfortunately not able to get this certified as acceptable collateral, as my hockey predictions are even worse than those for other sports. 

May 3, 2022 at 9:02 am

New York State Issues Important Guidance on Virtual Currency and BSA Requirements

New York’s Department of Financial Services issued guidance yesterday emphasizing the unique BSA concerns raised by virtual currency.  While this guidance only applies to entities subject to the Department’s virtual currency license requirements as well as certain trust companies, categories which do not include credit unions, I would suggest anyone responsible for integrating virtual currency oversight into your credit union’s compliance framework would be well advised to analyze New York State’s missive.

In today’s blog, yours truly is not going to summarize the guidance but instead provide some context as to the considerations that regulators and financial institutions should take into account as they begin to dip their virtual toes into the virtual currency space.  In doing so I want to illustrate why I think the DFS guidance is important. 

What virtual currencies such as Bitcoin and Ether have in common is that they allow individuals to transfer these currencies between computers so long as the sender and receiver have set up virtual wallets.  The key to this arrangement is Distributed Ledger Technology (DLT).

With apologies to the technologically savvy out there, every time a request is made to send or receive “currency” from, or to, a wallet and the transaction is confirmed as valid, a record is added to a shared ledger called a blockchain.  This technology is the key to the whole process since it provides a virtual ledger confirming the transfer of debits and credits.

This means that without the use of a financial institution, any two individuals, using fictitious names, can transfer money.  Needless to say, since the emergence of Bitcoin, there have been concerns raised about the utility of this technology to facilitate money laundering and other illicit activities (since we’re on the subject of money laundering, my wife and I have started binge watching Ozark, which is the best show I’ve seen since I binged Breaking Bad, but I digress).

These concerns have been partially vindicated since ransomware attacks typically include a demand for payment in Bitcoin.  But that may be changing.  Law enforcement is beginning to understand DLT.  For example, the ransomware attack on the Colonial Pipeline understandably got a lot of attention last year, but as significant as the attack itself, is the fact that the FBI was able to track down at least some of the culprits and retrieve much of the ransomed funds. 

Now, I’m not suggesting that credit unions or vendors need to be as savvy as the FBI in order to ensure compliance with BSA and AML requirements, but in the old days it was thought that the only way of deterring illicit activity was to make it as difficult as possible to convert Bitcoin and its progeny into cold hard cash.  The DFS guidance emphasizes that even now there are basic steps that financial institutions can take as they begin to consider how to integrate virtual currency offerings into their product lines or work with third party vendors, as already permitted by the NCUA.  Besides, as virtual currencies become more widely accepted, there will be less and less need to convert them into fiat currency, but that’s a blog for another day.

April 29, 2022 at 10:20 am

Getting Ready For The Legislature’s Stretch Run

Yours truly is back from his Carolina vacation and has caught up with enough e-mail to finally post again.  While there is a lot I want to get off my chest (there is only so much my wife wants to hear about the banking industry during an eight-hour car ride), I think I will start with a description of some of the key legislative and regulatory issues that will be impacting New York state credit unions in the coming weeks.

Not only is this an election year, but it is an election year following the redrawing of the election map, meaning that the legislature will want to get out of town as quickly as possible, especially with primaries scheduled for June. 

One of the most important issues we are dealing with is a bill that would retroactively impose strict new requirements on lenders foreclosing on property (S5473D Sanders).  As many of our members have already explained to their representatives during our state GAC, as currently drafted, the retroactive application of this bill and the ambiguity regarding the right of lenders and borrowers to negotiate modifications without running out of time to foreclose on property will actually make it more difficult to work with delinquent borrowers.

We are also continuing to advocate for changes to a proposed data portability and privacy bill which does not currently exempt financial institutions (S6701A Thomas / A680B Rosenthal) as well as continuing to express a strong opposition to state level anti-trust legislation (S933A Gianaris) which could negatively impact the ability of credit unions to help provide communities banking services, particularly in underserved areas. 

All this is taking place as New York’s highest court hears an appeal of a case challenging the legality of New York’s redrawn Congressional map which could allow Democrats to pick up four additional seats as they struggle to keep their majority.  Expect a decision to come down shortly.

As for the federal level, there is an interesting article in today’s WSJ reporting that privacy legislation may finally be getting traction in Congress.  This is potentially good news, provided the legislation does not impose additional requirements on credit unions and the legislation preempts state law.  But I still remain skeptical that Congress will be able to get legislation done this year.  Hopefully, I am wrong.

On the regulatory front, we are still waiting to see what will come out of the CFPB’s initiative against so-called “junk fees”.  The president of the American Bankers Association has already taken to publicly accusing the Bureau of going rogue.  My bet is that we are going to be hearing a lot about overdraft fees in the coming months.

Last, but not least, let’s hope that the NCUA is going to be following up on its reach-out to credit unions by providing additional guidance as credit unions begin to explore the banking issues raised by distributed-ledger technologies and cyber currencies.  On May 11th yours truly will be discussing the state of regulation in this area and how it is going to impact your credit union as part of the Southern Tier’s Spring Chapter Event in Binghamton.  I noticed it’s at an Irish pub, so let’s share a half-and-half as we ruminate on how technology is once again upending the way banking is done.

Full disclosure, my wife and kids won’t be attending.  They already heard enough about how the NCUA needs to move more quickly and provide additional guidance in this area.  It was one of my favorite topics as we drove around North Carolina.

April 27, 2022 at 9:57 am


Authored By:

Henry Meier, Esq., Senior Vice President, General Counsel, New York Credit Union Association.

The views Henry expresses are Henry’s alone and do not necessarily reflect the views of the Association. In addition, although Henry strives to give his readers useful and accurate information on a broad range of subjects, many of which involve legal disputes, his views are not a substitute for legal advice from retained counsel.