Posts filed under ‘Regulatory’

Time To Close Breach Disclosure Loopholes

According to the Recode blog, Yahoo will shortly be publicly disclosing a massive data breach involving hundreds of millions of user names, passwords, and personal information like birth dates and other email addresses. Yahoo has been investigating the breach since August, when it discovered that a hacker named “Peace” was selling the information on the “dark” web for nearly $1,800. The story is intriguing because (1) I am shocked that Yahoo still has that many users, and (2) the story shows yet again why state data breach disclosure laws need to be tightened and Federal standards need to be enacted.

New York has a fairly typical disclosure notification statute. Section 899-aa of the General Business Law mandates that companies disclose data breaches “in the most expedient time possible, and without unreasonable delay” but “consistent with the legitimate needs of law enforcement” and “any measures necessary to determine the scope of the breach and restore the reasonable integrity of the system.” When this legislation was passed, these broad disclosure guidelines made sense. The thinking was that premature disclosures might disrupt investigations and even encourage additional breaches before security vulnerabilities could be remedied. Incidentally, in 2011 the SEC issued guidance for publicly traded companies to disclose data breaches. But since such breaches must only be disclosed when they have a “material impact” on a company’s stock, publicly traded companies have a tremendous amount of flexibility in determining what needs to be disclosed and when.

Times have certainly changed. Businesses not only know of breaches long before they tell the public, but the bad guys know that they know and they don’t care. For instance, a savvy hacker like “Peace” knows that among the people shopping for his treasure trove of information are businesses surfing the “dark” web to see if their information has been stolen. When reporter Brian Krebs disclosed the Target data breach, he confirmed the story by talking to a fraud analyst at a major bank whose team had independently purchased hacked information.

Sophisticated hackers like “Peace” probably aren’t stealing personal information so that they can break into a bank or a credit union the next day. They are simply putting the information on the black market and getting the best price they can from criminal retailers, who will be the ones stealing from accounts. The result is that the true impact of massive data breaches is only felt over time. It also means that the sooner consumers have as much information as possible about data breaches, the more they can do to protect themselves. Presently consumers are the last to know that their personal information is compromised. If the public can be enlisted to hunt down terrorists, surely it can be trusted with timely information about data breaches.

What we need are hard deadlines for mandated disclosures, with exceptions only when a company can demonstrate that a disclosure would result in direct, immediate and substantial harm.

September 22, 2016 at 9:19 am

NYS Clarifies HSA Regulation

I have some good news to report.  Yesterday, the DFS clarified what we had long suspected but could not state with unequivocal confidence:  state-chartered credit unions have the authority to offer Health Savings Accounts as part of their incidental powers. 

For more than a decade, federally chartered credit unions have been authorized to offer HSAs to their members as part of their incidental powers.  It was logical to assume that since the state’s credit union trust powers are already more expansive than those provided to federal credit unions that state charters could also offer these accounts.  Yesterday, Community First Credit Union received confirmation that it could offer this service.  Thank God I can finally put this file to rest.  It was getting kind of thick.

Incidentally, in a 2002 letter, the State opined that pursuant to section 454(34) of the New York State Banking Law, state credit unions have the same incidental powers as their federal counterparts as of 2002.  They are also authorized to request any incidental power granted to their federal counterparts.  HSAs are now a recognized incidental power of state charters.

On that happy note, enjoy your weekend and I would feel sorry for all you Bills fans, but my brother is a lifelong Jets fan and I think an 0-2 start would have put him in a bad mood for the next several months.

September 16, 2016 at 8:32 am

NY Proposes “First in Nation” Cybersecurity Requirements

With a special shout-out to those of you who attended the Legal & Compliance Conference at the beautiful Turning Stone Casino, good morning.

In case you missed it, on Tuesday, New York State made big news when Governor Cuomo announced that the state was imposing Cyber Security Requirements on Financial Service Businesses. This is just a proposal but it is the culmination of years of work by the DFS in this area.  Those of you affected will only have six months to get up to speed, so pay attention.

First, the real basic stuff. The regulation would apply to any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the banking law, the insurance law or the financial services law.  A “person” means any individual, partnership, corporation, association or any other entity.  A carve out from many, but not all, of its requirements is made for entities with fewer than 1,000 customers in each of the last three calendar years, less than $5,000,000 in gross annual revenue in each of the last three fiscal years, and less than $10,000,000 in year-end total assets.

What are the requirements?  Institutions would be required to have a cybersecurity program that addresses six major functions, including: the identification of cybersecurity threats based on the sensitivity of the nonpublic information stored by the institution; an infrastructure for defending against cyberattacks; the ability to detect cyberattacks; the ability to respond to and mitigate attacks; plans for recovering from attacks; and procedures for meeting new regulatory reporting obligations.

It’s really hard to argue with the general thrust of this proposal.  There is very little being suggested that you shouldn’t already be doing.  In fact, I would like to see the DFS clarify the extent to which procedures that financial institutions already have in place can be used to satisfy many of these requirements.  For example, both state and federal credit unions are already required to have policies that implement “administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of member information.”  (12 C.F.R. § Pt. 748, App. A).

Stay tuned and feel free to give me feedback as the Association ponders what comments it should make to the DFS.

If Wells Fargo thought it was out of the woods by firing over 5,000 low-level employees and giving a $124 million “sorry we had to fire you” severance to a departing executive, it may have miscalculated. The WSJ is reporting that Federal Prosecutors are in the early stages of investigating possible criminal malfeasance on the part of the bank.

September 15, 2016 at 10:30 am

Three Quick Notes For Tuesday

I’m about to leave for the Association’s Annual Legal & Compliance conference at the Turning Stone Casino, but there are three things I want to give you a heads-up on.

First, NCUA yesterday released a letter reminding credit unions that guidance was issued on August 26 intended to clarify questions surrounding Military Lending Act regulations that take effect on October 3rd. I would make fun of NCUA for coming out with guidance on guidance, but your blogger must shamefully admit that he actually didn’t realize that this guidance was even issued in the closing days of summer.

The MLA regulations are a big deal. As I have explained in a previous blog, almost all consumer credit transactions subject to Regulation Z involving military personnel and their dependents will now be subject to greatly enhanced consumer protections, including a Military APR cap of 36%. Since this APR is calculated differently than a traditional APR under Regulation Z, this creates yet another level of complexity when it comes to consumer lending. You may not serve many members of the armed forces, but remember that since the regulation now applies to so many different products, all credit unions should put procedures in place for identifying members to whom this regulation applies. Frankly, I think the guidance creates as many questions as it answers, but I will let you hard-core compliance folks out there decide for yourselves.

Is This The Credit Card Of The Future?

Everything I have read about millennials is that they are debt averse, so take the time to read this intriguing article in the New York Times explaining why millennials are so interested in a new credit card being offered by J.P. Morgan Chase with an annual fee of $450. Are they crazy? Or just crazy like foxes?

You Have To Know When To Fold ’Em

Finally, if you find yourself tempted by the Turning Stone’s poker tables tonight, remember: Those who chase straights and flushes arrive on planes but leave on buses.

On that note, I hope to see you at the Turning Stone; if our paths cross, please be sure to say hello! I will be back on Thursday.

September 13, 2016 at 8:31 am

Consider Yourself Warned

As the saying goes, “problems” flow downhill, so as I started reading the details of the Wells Fargo account-opening scandal and the $100 million fine imposed on it by the Consumer Financial Protection Bureau, I wondered how this might impact the operations of credit unions. The Bureau has already had an interest in account issues and, suffice it to say, you can bet that examiners and regulators will be taking a closer look at how your credit union opens and manages member accounts.

In case you missed it, on Friday the Bureau That Never Sleeps announced that it had imposed a $100 million fine on the bank.  Employees opened up to 2 million accounts without customer permission and shifted funds into these accounts on behalf of customers without their knowledge or approval in order to meet cross selling targets and get bonuses. Frankly, what the Bureau describes goes beyond civil misconduct and I hope its allegations are being investigated by prosecutors.  This is identity theft on a grand scale.

First some practical advice.  The Federal Credit Union Act requires supervisory committees – or their designated representatives – to verify member accounts with your credit union’s records at least once every two years.  As explained in Chapter 24 of NCUA’s Supervisory Committee Guide – which I strongly suggest all supervisory committee members take a look at – “the purpose of the verification is to detect errors and it is also a good control to prevent fraud.”  You can either verify all accounts or rely on a statistical sample, but the basic idea is that you send selected members a confirmation letter or request in their monthly statement asking them to confirm their account status. 

Another thing I would consider reviewing is your abandoned property procedures. Members are expected to use accounts, and you have no obligation to keep inactive accounts open indefinitely. Fee orphaned accounts out of their misery. They are costing you money and are ideal for abuse. Here is one of my favorite opinion letters on the topic.

Finally, do you have a culture that emphasizes doing the right thing?  I can’t stand it when I give advice and I’m told that it’s not what everyone else is doing. We owe it to ourselves and the people we hire to make sure that we have a culture that, in the immortal words of Vince Lombardi, encourages people to play to win but to play within the rules.  Wells Fargo employees were in a culture where breaking the rules was the norm.

September 12, 2016 at 8:37 am

NY’s DFS “encourages” acceptance of Municipal IDs

I swear we have been through this before.

New York’s Department of Financial Services Superintendent Maria T. Vullo recently sent a letter to my boss, the inimitable William Mellin, president of the New York Credit Union Association, and Michael P. Smith, his counterpart with the Bankers, encouraging state-chartered and licensed banks and credit unions to accept New York City’s Municipal Identification Card as valid identification for purposes of satisfying the requirement that they know their customer or member when they open an account.

The Guidance explains that “The CIP rule does not prescribe a specific type of government-issued identification card for use by institutions. Institutions that rely on documentary forms of evidence to verify a customer’s identity should have procedures in place to identify the types of documents the institution will accept for such verification. Accordingly, it is the Department’s position that institutions may accept the Municipal ID as a means of documentary verification as provided in the institutions’ CIP procedures.” It goes on to encourage state-chartered and licensed financial institutions to accept the municipal IDs.

First, I’m sure the Department is pleased to know that I agree 100 percent with its legal analysis. As described in a FinCEN Q&A, your credit union’s responsibility is to “verify enough information to form a reasonable belief that it knows the true identity of the customer.”

The purpose of the CIP rules is to have procedures in place so you can know who your member is and establish a baseline of expected account activity for account monitoring purposes. After all, a twenty-something investment banker is going to have different account activity than his eighty-year-old grandma. So long as a government-issued ID tells you that a member is who she says she is, it satisfies your CIP requirements.

Where the Department’s Guidance makes me a little nervous is in its encouragement to use these IDs. I hope we don’t start hearing reports of institutions that may not wish to accept these IDs being pressured to do so. We are dealing with federal laws and regulations that give institutions flexibility to choose appropriate identification. Nothing the Superintendent says changes that.

There is really nothing new here, just the same old song with a different tune. Every so often the issue of bank identification flares up in tandem with debates over immigration. More than a decade ago Governor George Pataki, a Republican who was smart enough to know that you won’t win many more elections in America pandering to embittered white males, pushed for the acceptance of matrícula consular identification cards, and NCUA opined that the use of such identification was acceptable.

Let’s be honest about what we are really talking about here: illegal aliens. To those of you whose views on illegal immigration make you uncomfortable accepting non-traditional forms of identification I say: Get over it. Your credit union doesn’t have a dog in this fight. To those of you with well-established policies that have worked well for your credit union and that you don’t feel like changing I say: stick to your guns. Your ultimate responsibility is to run a well-functioning credit union, not advance political agendas coming from either side of the political spectrum.

September 7, 2016 at 9:05 am

New GSE Application Can Help With HMDA Compliance

I had a great time the other night hanging out with the Association’s Young Professionals Commission.  I even got to celebrate the birthday of one of their newest members.  Regardless of age, one of the questions that always comes up at such gatherings is what issues are lurking out there to sneak up on the unsuspecting credit union.  The one I keep coming back to is HMDA and yesterday Fannie and Freddie took a huge step to help those of you who have to comply with this data reporting regulation be ready when the expanded mandate becomes effective in January of 2018.

The uniform residential loan application which you may know as either Form 1003 or Freddie Mac Form 65 is a standardized document that has been around for 20 years.  So many mortgages are connected in some way to Fannie and Freddie that the application is used by almost all lenders in the country.  Yesterday, the GSEs announced that they have created a new, redesigned URLA form.  Most importantly, for my purposes, the form includes the expanded data fields that impacted lenders will have to fill out to comply with the HMDA regulation.  In addition, if the GSEs are correct, the new form will be easy to integrate into your existing lending systems and better suited for an online application process.  For those of you dinosaurs who still rely on paper, the updated URLA will still be available in a hard copy.

Even though the form doesn’t become effective for over a year, you can use it as an easy way to cross reference the information you collect now against the information you will need to gather in the relatively near future.  Don’t underestimate just how much more information you will have to collect.  According to a summary provided by the CFPB, the new HMDA reporting requirements include data points for applicant or borrower age, credit score, automated underwriting system information, unique loan identifier, property value, application channel, points and fees, borrower-paid origination charges, discount points, lender credits, loan term, prepayment penalty, non-amortizing loan features, interest rate, and loan originator identifier as well as other data points. The HMDA Rule also modifies several existing data points.

The good news is that the CFPB narrows the scope of the institutions to which HMDA applies. Starting in 2018, if your institution originated neither at least 25 closed-end mortgage loans nor at least 100 open-end lines of credit in each of the preceding two calendar years, HMDA doesn’t apply to you regardless of your asset size. Still, this is not the type of regulation you want to leave to the last second. The CFPB and Congress want this additional information for a reason, and I doubt regulators are going to have much patience for those of you who aren’t prepared for this mandate. The new and improved application is a great way to get ready to comply.

August 24, 2016 at 8:23 am

Authored By:

Henry Meier, Esq., General Counsel, New York Credit Union Association.

The views Henry expresses are Henry’s alone and do not necessarily reflect the views of the Association.
