Posts filed under ‘Regulatory’
Benjamin Lawsky, Superintendent of New York’s Department of Financial Services, said yesterday that he expects the State to unveil regulations mandating the licensing of virtual currency operators by the end of May, according to Banking Law 360. These regulations, which have been the subject of extensive analysis since they were proposed last July, are essentially the first draft of an attempt to regulate virtual currencies, the most prominent of which is Bitcoin, since neither the federal government nor any other state has moved to regulate them. It’s not surprising, then, that the Superintendent indicated that the regulations may be modified to coordinate enforcement with other states, including California.
As currently proposed, the regulations shouldn’t have a direct impact on established credit unions or banks. They exempt entities already licensed by the Banking Department, provided they get permission from the Superintendent prior to engaging in the business of virtual currency. But the question of how best to regulate virtual currencies will have a profound impact on how finance is transacted in the coming years. Here is why.
Follow the money: although Bitcoin has gained most of its notoriety in this country as a potential facilitator of illegal transactions (which is why the DFS is seeking to impose state-level requirements on Bitcoin operators to report suspicious activities), investors are intrigued by the technological possibilities behind the currency. In March, the WSJ reported that “[a] Silicon Valley startup has persuaded some of the biggest names in venture capital to put $116 million behind its plan to turn the technology behind bitcoin into a mass-marketed phenomenon.”
Nor is the money coming exclusively from a bunch of wealthy libertarian California dreamers. The staid Swiss Banking Giant UBS also recently announced that it will be investing in virtual currency research in London and the British Government has coupled its own calls for increased regulation with the promise of an additional 10 million pounds ($15 million) for a research initiative that will look into the blockchain technology behind digital currencies.
Silicon Valley types are making these investments as the Federal Reserve is prodding the banking industry with increasing urgency to think about how the currency processing system should be updated for the 21st Century. One Fed researcher has even suggested the creation of a Fed Bitcoin. In addition, NACHA is in the process of expediting its clearing processes, which brings us back to New York State’s regulations.
It wasn’t too long ago that the only thing most regulators and politicians knew about virtual currencies was that they were convenient tools for criminals. The discovery of the Silk Road website, where visitors could buy and sell a laundry list of drug paraphernalia, seemed to vindicate this concern.
But times are changing. Virtual currencies demonstrate just how antiquated the traditional negotiation of currency has become. Don’t get me wrong. I am not predicting that Bitcoin is going to rival the dollar as a currency any time soon; but I am predicting that the dollar bill of tomorrow will look a heck of a lot like today’s Bitcoins. Those regulators who strike the proper balance between appropriate oversight of this technology and fostering an environment that allows for innovation will be positioning their states and their countries to reap untold riches in the coming years, not to mention enabling them to remain at the forefront of financial regulation.
To its credit, for almost a decade now NCUA has been emphasizing the need for due diligence when entering into third-party relationships. Unfortunately, based on what I have seen, the quality of credit union oversight varies widely, with too many credit unions continuing to place too little emphasis on a properly drafted contract that commits vendors to upholding privacy standards and establishes a framework whereby your credit union monitors vendor performance.
So, I’m not surprised by the results of a survey released last week by New York’s Department of Financial Services. The Department surveyed 40 financial institutions about their vendor management activities. Its findings are likely to result in proposed state regulations outlining vendor relationship requirements. It concluded that:
- Nearly 1 in 3 (approximately 30 percent) of the banks surveyed do not require their third-party vendors to notify them in the event of an information security breach or other cybersecurity breach.
- Fewer than half of the banks surveyed conduct any on-site assessments of their third-party vendors.
- Approximately 1 in 5 banks surveyed do not require third-party vendors to represent that they have established minimum information security requirements. Additionally, only one-third of the banks require those information security requirements to be extended to subcontractors of the third-party vendors.
- Nearly half of the banks do not require a warranty of the integrity of the third-party vendor’s data or products (e.g., that the data and products are free of viruses).
As I see it, one of the biggest problems is that businesses think of the contract as one of those last-second details to be addressed after a vendor has been selected. It doesn’t have to be this way. For your larger vendor contracts you should ask your finalists to provide you with copies of their base contracts. You have leverage you should use if you find that one vendor has better terms than another. Furthermore, if one vendor is more committed than another to ensuring data security, then you can and should take this into account when making your final decision. Finally, you are being penny-wise and pound-foolish if you don’t pay for an attorney who has experience with vendor contracts and who is aware of pertinent regulatory requirements. By the way, the Association is willing and able to provide these services.
Is the Fed Getting Cold Feet?
The recent spate of lackluster economic news may keep the Fed from raising interest rates when it meets in June, according to an interesting WSJ article today. If this reporting is correct, a consensus is emerging that with inflation still below its 2% target range and employment still lagging, it makes sense to wait until later in the year before deciding to pull the trigger on the first rate increase since the Fed placed short-term interest rates near 0 in December 2008.
Two quick thoughts. First, this is another great example of the Groundhog Day economy we have been stuck in for some time now. Economists confidently predict every Fall that the economy is finally on solid footing, only to back away from the predictions following tepid economic growth in the first quarter. Second, for what it’s worth, this blogger still believes the Fed will raise rates ever so slightly in June, if only to shift the debate away from when interest rates will rise to how high they should go. Low interest rates have artificially inflated equities for several years now by making the market the only place to get an adequate return.
On that note, have a nice weekend.
Verizon recently came out with its annual Data Breach Investigations Report, and it is a must read for at least one employee at every credit union (http://www.verizonenterprise.com/DBIR/2015/?&keyword=p6922139308&gclid=CJXf_83Z-sQCFQqOaQodiIwAyw).
How effectively you deal with data breaches is an increasingly important factor in determining your credit union’s bottom line. Verizon’s report is the best I have seen when it comes to providing an objective analysis of data breach trends. Here are my takeaways from the report:
Is greater information sharing the answer? One of the best ways to mitigate the negative consequences of data breaches is to get the word out about compromises as quickly as possible. We need more sharing of information. But rather than facilitating sharing within a given industry, the report concludes that greater emphasis has to be placed on sharing between industries that share common characteristics. In fact, it concludes that “our standard practice of organizing information-sharing groups and activities according to broad industries is less than optimal. It might even be counterproductive.” Greater inter-industry coordination is the type of mission that only government can facilitate and it’s fraught with a host of privacy issues. We are talking about sharing information about members over an array of businesses and industries inconceivable when Gramm–Leach–Bliley was passed.
Just how much are all of these data breaches costing us? The report attempts to quantify how much data breaches cost. It estimates that the average loss for a breach of 1,000 records is between $52,000 and $87,000. However, estimates vary widely based on the size of the breach, so the report also provides a chart on page 30 giving a range of estimated costs based on the size of the breach.
Think of how valuable this information is and could be, particularly as the estimates get more accurate. For example, is it worth switching to EMV technology? Maybe, maybe not, depending on the scope and size of your potential data breach exposure. At least no one has to be groping around completely in the dark when making these decisions.
Is there anything that you can cost effectively do to help prevent or mitigate breaches? Here is some good news. Despite all the technological sophistication that goes into carrying out and preventing data breaches, a tremendous amount of data breach protection can be achieved by educating your own workforce and being as careful as you can be about who has access to information that could facilitate data breaches. For example, the report estimates that 55% of incidents stemmed from “privilege abuse.” In addition, employees aren’t all that quick when it comes to reporting data breaches. Perhaps it’s time for those “welcome to the new job” overviews HR gives to the new hires to include a talk about reporting potential phishing attacks. Another interesting factoid is that many data breaches involve compromises of software for which patches were available but not installed.
Whether or not you work in a unionized workplace, the National Labor Relations Board has used an expansive view of federal law to insert itself into, and implicitly attempt to micromanage, the American workplace in a way that is directly impacting your credit union operations.
Those of you who think I’m exaggerating and/or those of you whose job it is to manage employees would be well advised to review the NLRB’s recent guidance outlining language that can and can’t be in workplace handbooks (Report of the General Counsel Concerning Employer Rules, http://www.nlrb.gov/reports-guidance/general-counsel-memos). On the one hand, the memorandum is an attempt to provide a concise compendium of handbook dos and don’ts based on its prior rulings; on the other hand, it reads like an April Fools’ joke. Unfortunately it isn’t.
First, the NLRB correctly reminds us that handbook language violates federal law when “employees would reasonably construe the rule’s language to prohibit” concerted activity, be it in a unionized or non-unionized workplace. The problem is that the mythical employee the NLRB is protecting apparently has a law degree, is utterly devoid of common sense, behaves like an out-of-control teenager who has just been told she has to be home by 11:00 PM, and works for the NLRB. No other workplace could function as pictured by the Board.
In the “you can’t make this stuff up” category, the NLRB explains that a workplace policy “that prohibits employees from engaging in ‘disrespectful,’ ‘negative,’ ‘inappropriate,’ or ‘rude’ conduct towards the employer or management, absent sufficient clarification or context, will usually be found unlawful… Moreover, employee criticism of an employer will not lose the Act’s protection simply because the criticism is false or defamatory.”
Apparently the NLRB doesn’t think your average employee has a rudimentary grasp of the English language or can be expected to have the etiquette of a kindergartener.
But wait, there’s more. Did you know that a policy banning “disrespectful conduct or insubordination, including, but not limited to, refusing to follow orders from a supervisor or a designated representative,” or another providing that “chronic resistance to proper work-related orders or discipline, even though not overt insubordination, will result in discipline,” is illegal?
I want to give the NLRB the benefit of the doubt. Maybe it is so committed to protecting the Norma Raes of the world chafing under employer misconduct that it wants to give complaints about management malfeasance the widest possible protection. The problem is that its prohibitions also prohibit language intended to regulate employee-to-employee civility. For example, it found the following policy to also violate the FLSA:
“Material that is fraudulent, harassing, embarrassing, sexually explicit, profane, obscene, intimidating, defamatory, or otherwise unlawful or inappropriate may not be sent by e-mail. …” The Board’s reasoning: “We found the above rule unlawful because several of its terms are ambiguous as to their application to [concerted] activity: ‘embarrassing,’ ‘defamatory,’ and ‘otherwise . . . inappropriate.’ We further concluded that, viewed in context with such language, employees would reasonably construe even the term ‘intimidating’ as covering Section 7 conduct.”
Finally, even where the NLRB tries to be reasonable, the distinctions it draws between lawful and unlawful conduct are so paper-thin that a properly designed handbook needs more qualifiers than a Viagra ad. For example, the following language is unlawful: “Do not discuss ‘customer or employee information’ outside of work, including ‘phone numbers [and] addresses.’” But this policy is legal: “Misuse or unauthorized disclosure of confidential information not otherwise available to persons or firms outside [Employer] is cause for disciplinary action, including termination.”
Just as you should have a plan to rapidly recover your credit union operations in the event of a natural disaster, so too should you have a plan to rapidly get up and running in the event your credit union is victimized by a cyberattack. That’s my main takeaway from a joint guidance issued yesterday by the FFIEC, a group of financial regulators that of course includes the NCUA.
In addition to underscoring the importance of cyberattack recovery, the regulators are using the guidance to emphasize the importance of ongoing assessments and monitoring of your existing computer systems. For example, you are expected to maintain an ongoing risk assessment system that considers new and evolving threats and conduct regular audits to review who has access to vital systems.
Now for some more general points. In light of the Supreme Court’s recent decision upholding the right of the Department of Labor to reinterpret existing law simply by issuing a new letter, guidances of all types, including those issued by the FFIEC, are as binding on your credit union as if a new regulation had just been promulgated. The FFIEC typically claims that it is doing nothing more than synthesizing existing requirements, but at the very least make reviewing this memo a compliance priority.
In addition, notice how the regulators are not going to let smaller institutions off the hook. Obviously, the steps a $20 million credit union takes to both guard against and recover from malware attacks are not going to be as extensive as the steps taken by a $1 billion institution, but steps need to be taken nonetheless. The regulators have a point, since the bad guys have demonstrated an increasing willingness to go after the data stored by smaller institutions. Still, I’m concerned that without a serious attempt on the part of the industry to pool resources, increasing computer costs in conjunction with existing compliance mandates will make it that much more difficult for any small credit unions, or true community banks for that matter, to survive.
Today, our friends at the Bureau That Never Sleeps (AKA the CFPB) take their first formal but cautious steps towards regulating not only payday loans, but what I am going to describe as medium-term loans. If you’re thinking that your credit union doesn’t do payday loans, you may be right. But everyone who makes loans has an interest in understanding the parameters that the Bureau ultimately puts around lending products.
The basic approach is to impose ability-to-repay requirements on lenders making loans of 45 days or less, as well as certain longer medium-term loans with an APR of 36% or greater. Lenders would have the option of establishing that borrowers have the “ability-to-repay the loan when due – including interest, principal, and fees for add-on products – without defaulting or re-borrowing.” An alternative approach would relax the underwriting standards so long as a consumer’s income is verified and, among other things, the loan would not result in the consumer receiving more than three loans in a sequence and six covered short-term loans from all lenders in a rolling 12-month period. This approach also could not result in the consumer being in debt on covered short-term loans with all lenders for more than 90 days in the aggregate during a rolling 12-month period.
The Bureau is also considering imposing restrictions on lending and debt collection practices for what the Director describes as “high-cost, longer-term credit products of more than 45 days where the lender collects payments through access to the consumer’s deposit account or paycheck, or holds a security interest in the consumer’s vehicle, and the all-in (including add-on charges) annual percentage rate is more than 36 percent.” The good news is that credit unions making the short-term loans authorized by NCUA regulations are already satisfying the potential requirements. The CFPB wants to impose NCUA’s parameters on other lenders.
Why do I describe the CFPB’s approach as cautious? Because it didn’t announce proposed rules yesterday or technically even propose an Advanced Notice of Proposed Rulemaking. Instead it released a 30-page outline of what it is thinking about proposing and why. I’ve never seen anything quite like it, and I love it. It enables stakeholders to quickly understand the general direction of where the Bureau is headed and comment on it without having to delve into hundreds of pages of mind-numbing detail; that can come later. What we have now is a proposed proposal.
Incidentally, the CFPB stressed in the outline that it is not seeking to regulate overdrafts with this proposal.
That seems to be the attitude of many millennials, based on the number of surveys that consistently report that those born between 1982 and 2000 are at best indifferent and at worst skeptical when it comes to financial institutions.
For example, according to recent research conducted by Goldman Sachs, 33% of millennials don’t think they will need a bank in the near future. In addition, 50% of the surveyed millennials are counting on tech startups to overhaul banks. Interestingly, this group is not only skeptical of banking, but profoundly impacted by the Great Recession. According to this survey, less than half of them have a credit card.
This is consistent with what I’ve described in previous blogs: a generation that will make its banking relationship decisions in a vastly different way than any previous generation. In addition, this is a generation that is more than willing to scrap traditional banking models. After all, Facebook announced recently that it is debuting an app to allow its users to make account-to-account transfers. Can you imagine the previous generation being so willing to transfer cash without breaking out the checkbook or walking down to the bank?
I came across this survey as I was taking one more look at a proposal by the CFPB to make reloadable general purpose prepaid cards subject to Regulation E. I just can’t make up my mind when it comes to the proper role of regulation and the prepaid card. On the one hand, as an advocate for credit unions, it makes sense that, as prepaid cards provide consumers with almost all the same benefits they get from traditional bank accounts and debit cards, these accounts be subject to the same regulatory requirements, such as disclosures and overdraft protections. On the other hand, the growth in prepaid cards reflects, in part, a generational shift away from traditional banking. Like them or not, the availability of these cards in stores such as Walmart has provided access to financial products for a group of people who may have otherwise chosen to forgo, or at least delay, entering traditional banking relationships.
My concern is that by making prepaid cards more like traditional accounts from a regulatory perspective, we run the risk of squelching innovation. Rather than imposing traditional account regulations on prepaid cards, let’s assume that in the aggregate your average consumer opting for the prepaid card knows what he or she is doing, and is willing to take the risk in return for a different kind of consumer product. After all, from a generational standpoint, millennials have seen what traditional banking can do to their parents. Who can blame them if they are not all that impressed?
NCUA Sues HSBC
HSBC became the latest investment bank to be sued by NCUA over its alleged failure to properly scrutinize mortgage-backed securities purchased by bankrupt corporates. This time, NCUA is headed to Manhattan Federal Court.
HSBC was a trustee for 37 trusts that issued residential mortgage-backed securities. As with almost all its other cases, NCUA is arguing that HSBC breached its fiduciary obligation to properly assess the quality of the mortgages it used to create these securities. As alleged in the complaint, “an overwhelming number of events alerted defendants to the fact that the trusts suffered from enormous problems, yet it did nothing.” Money recovered in these and other lawsuits after legal payouts will be used to reduce credit union costs related to losses to the Share Insurance Fund.