Posts filed under ‘technology’

Are Fintech Lenders Less Biased?

To its supporters, technology can make the lending process more egalitarian by using unconventional data to assess the creditworthiness of underserved communities and by removing human bias from lending decisions. To its critics, overly complex lending algorithms could further complicate the efforts of regulators to identify and clamp down on biased lending criteria. This debate is likely to have an increasingly large impact on credit unions, banks, and Fintechs as policy makers integrate 21st century technology into 20th century regulations. Recently released research underscores just how volatile this debate is destined to become.

The PPP program is a treasure trove for researchers of potential bias in lending decisions. Since the loans were guaranteed by the federal government, it is easier to evaluate what other factors led to businesses getting loans. Recently, a group of researchers at New York University concluded that Fintech lenders were responsible for 53.6% of PPP loans to Black-owned businesses. According to the researchers, “black owned businesses exhibit by far the most striking disparity among lender types when it comes to choosing Fintechs”.

In contrast, community banks with $2B or less in assets performed the worst when compared to all other financial institutions, including CDFIs, credit unions and the largest banks. In fact, the researchers conclude that larger banks demonstrated the least lender bias, underscoring their belief that automation contributed to more minority loans. Not surprisingly, this research has already drawn a heated response from community bankers, who argue, among other things, that the research is flawed because it is based on assumptions about the race of borrowers.

Still, yours truly has been watching a lot of baseball recently, and it seems to me that every game demonstrates that computer-generated strike zones do a better job of calling balls and strikes than umpires do. As much as we like to extol the human element in decision making, common sense tells me that more automation, not less, can lead to an even fairer system for making lending judgements.

Chart depicting the proportion of PPP loans given to Black-owned businesses originated by financial institutions and Fintechs

October 19, 2021 at 10:40 am

New York Proposes Disclosure Regulations For Small Business Financing

New York’s Department of Financial Services yesterday issued proposed regulations outlining disclosure requirements for non-bank entities that provide financing of up to $2.5M for businesses. The regulations are the final step in a two-year effort by the Legislature designed in part to regulate the activities of third-party lending platforms.

The legislation generally mandates that providers of commercial credit provide TILA-like disclosures when offering commercial financing. It applies to a broad range of financing activity, including factoring as well as traditional open-ended lines of credit and closed-end loans. The mandated disclosures must be provided by the Providers of these loans, so the key to understanding the legislation’s reach starts with understanding what a Provider is. The legislation defines a Provider as:

“…a person who extends a specific offer of commercial financing to a recipient. Unless otherwise exempt, “provider” also includes a person who solicits and presents specific offers of commercial financing on behalf of a third party. For the avoidance of doubt the extension of a specific offer or provision of disclosures for a commercial financing, in and of itself, shall not be construed to mean that a provider is originating, making, funding or providing commercial financing.”

Crucially, for our purposes, the legislation specifically excludes credit unions and banks from the definition of a Provider. Nevertheless, those credit unions that work with lending platforms will see the impact of this new requirement. Many credit unions are already working with internet-based platforms that connect businesses and lenders but don’t actually make loans. As explained in this analysis of the bill in the Banking Law Journal, “even if the entity that makes a commercial loan or other commercial financing transaction is exempt from the New York Law’s requirements, a typical online lending platform would still have to comply. As such, fintech companies operating commercial lending platforms are required to comply with the new law even if they rely on a bank partner arrangement and the bank is exempt”.

We will be reading the proposed regulations in the coming days, to make sure that they don’t impose any additional requirements on credit unions and we will keep you posted on what we find.

September 22, 2021 at 9:33 am

Can You Answer These Questions?

Just like there are people out there who read the obituaries, taking silent satisfaction from the fact that they are not the ones being written about, there are, let’s face it, those of us who are silently relieved when we read the latest blogs and trade press and confirm that our credit union has not been victimized in a way that makes the news.

Recently there has been a lot of talk in credit union land about the fired credit union employee who pleaded guilty to taking revenge on her former employer by destroying sensitive information maintained on the credit union’s computer network. The credit union apparently had the right procedures in place, but the employee’s access to the computer network was not turned off, resulting in $10,000 in recovery costs.

While you may be relieved that your credit union is not the victim, the incident underscores that, irrespective of your credit union’s size, it is incumbent on you to know precisely where your information is and who has access to it. By the way, this is important not only to guard against an employee going mad but also because federal and state law will increasingly make it essential for your financial institution to know who has access to what information and why, as well as to accommodate the requests of your members to transfer or delete information.

With that long-winded lead-in, how would you answer these questions?

  • Does your computer network allow you to make distinctions between the level(s) of access provided to employees?
  • Assuming it does, who decides what person(s) get access to the different parts of the network?
  • In your vendor contracts, do you require that vendors only have the access to the computer network that they need to perform their job?
  • That vendors will only use the information for the purposes for which they have contracted?
  • That they have protocols in place to ensure that access to your network is terminated when employees leave or the job is done?
  • Do you require your employees to use multi-factor authentication to access the computer network?
  • Do you hold employees accountable for repeatedly failing to comply with basic cyber security protocols, such as by repeatedly clicking on suspicious links?
  • Most importantly, do you think Toronto is going to pass the Yankees or the Red Sox to get a wild card spot? I asked that last question to see how many of you were still paying attention.

The point I’m trying to make with all these questions is that your credit union must design safety protocols that limit network access to the employees who need it, that allow you to track where your information is located, and that allow you to quickly access this information. No one is capable of anticipating or guarding against all of the wacky ways your network may be attacked, but proper compartmentalization of data will help minimize damage and help prepare you for data portability standards.

September 9, 2021 at 9:57 am

Can Big Data Increase Home Ownership?

Good Morning, folks. The summer slumber is over and, in case you missed it, the regulatory development that most intrigues me is Fannie Mae’s announcement that in a little more than a week from now it will start using a mortgage applicant’s history of consistently making rent payments to qualify first-time home buyers for a mortgage.

Under the guidelines announced by the GSE on August 30th, borrowers must be able to document their rent payment history for the last 12 months. Acceptable documentation includes cancelled checks, bank statements, copies of money orders or other reasonable methods to document the timely payment of rent.

So why does this announcement intrigue me so much? One of the key emerging issues percolating in the Fintech/banking industry is the extent to which the increasing availability of non-traditional data can and should be used to qualify borrowers. A second key issue is what role the conserved GSEs should play in the housing market. This announcement has implications for both of these issues.

In announcing the use of the new criteria, Hugh Frater, Fannie Mae’s CEO, opined that this step would help address housing inequalities by making more African Americans eligible for home ownership. According to Frater, approximately 20% of the US population has little or no credit history, and the use of rent payment history is a safe and sound way of helping to address this issue. After all, as I have been told by many credit union underwriters, there are often members who are good lending risks even though their credit scores would indicate otherwise.

It remains to be seen just how positive an impact this expanded use of data will have. For example, should a member’s non-payment of rent be counted against her?

Furthermore, anytime new data is used to qualify borrowers there are of course new challenges to the application of fair lending laws. I hope that Fannie Mae keeps us updated on the impact that this change is having on the housing market.

September 7, 2021 at 9:23 am

When It Comes to Protecting Your Data, How Well Do You Really Know Your Members?

When the Federal Financial Institutions Examination Council (FFIEC) issues guidance, all financial institutions should pay attention, irrespective of their size and risk profile. After all, the Council represents the combined wisdom, or at least the consensus of financial regulators, including the NCUA, on the issues of most pressing concern. Conversely, it is my ever so humble opinion that these documents are often written in such vague terms with so many qualifiers that they lack the clarity needed to make them truly useful documents.

With this caveat, I present to you guidance, Authentication and Access to Financial Institution Services and Systems, issued by the FFIEC on August 11th, in which it highlights the need for financial institutions to take a holistic approach to protecting against unauthorized access to information by third parties. Specifically, this guidance “sets forth risk management principles and practices that can support a financial institution’s authentication of (a) users accessing financial institution information systems, including employees, board members, third parties, service accounts, applications, and devices (collectively, users) and (b) consumer and business customers.”

Whereas a decade ago your red flag risk assessment was primarily concerned with how to prevent unauthorized third parties from accessing your system, in today’s environment you’ll also face threats from within. Your Board member, your negligent customer and, of course, your Luddite employee pose as great a potential threat as the most sophisticated hacker. As a result, these threats should be considered as part of your ongoing risk assessments. Furthermore, layered security protections, which make individuals provide authentication more than once when inside a platform, may inconvenience your members and employees, but at the very least this inconvenience should be weighed against the need to protect the data on your system.

Remember, you should pay attention to this guidance for both legal and compliance reasons. Legally, these guidelines provide a concise source for courts to use in assessing whether a vendor or financial institution is taking reasonable measures to protect member information (see, for example, Shames-Yeakel v. Citizens Financial Bank; Bessemer System Federal Credit Union v. Fiserv Solutions, LLC). From a compliance standpoint, you have an obligation to make sure your credit union is periodically assessing and updating its cyber threat assessments (12 CFR 748 Appendix A).

On that note, enjoy your day.

August 30, 2021 at 9:47 am

Lawsuit Settlement Shows Who Really Controls Your CU

Earlier this week Plaid reached a $58 million settlement in a class action lawsuit alleging that the company’s business practices violated several state and federal laws related to the privacy of member account information and proper disclosures. The settlement is little more than a speeding ticket for Plaid and similar companies which specialize in helping third parties access the account information of your members.

Understanding what this company does is key to understanding just how obsolete technology is making traditional financial institutions. Increasingly, your institution does nothing more than hold information for the benefit of other financial intermediaries.

You may not have heard of this company, but you have probably used its technology; your members certainly have. Plaid specializes in transferring member account information to third party app providers such as Venmo and Paypal. In 2016 Plaid developed a new technique. Let’s say you signed up for Venmo. In the early days of the company you’d be asked to log in to your bank account. Doing so would provide Plaid a token with which they could access your account information. Starting in 2016 Plaid centralized the process even further. An individual applying for a Venmo account would select their financial institution, but instead of being directed to go to their credit union’s website, they would be directed to a website controlled by Plaid which looked just like the credit union’s website.

In other words, Plaid was able to further centralize the data collection process by using illegal phishing techniques, or so the plaintiffs in this case argued.

In settling the lawsuit Plaid agreed to make better disclosures and to do a better job of only keeping the information it needs to do its job. It also is going to more prominently provide consumers disclosures about what it does and how it does it.

But in one form or another, the system is here to stay. Tucked away in the Dodd-Frank Act is 12 USCA § 5533. It gives consumers the right to mandate that banks and credit unions share their account information with third parties of their choosing. One of the primary purposes of the provision was to make it easier for consumers to switch financial institutions by allowing a new bank or credit union to gather their account information.

Unfortunately, while federal law has encouraged innovation in this area, it has done little to update the consumer protection framework. Just about every major consumer protection law centers on the checking account and the loan provider. In fact, there are scores of companies accessing and using account information every day without any traditional consumer protection constraints.

August 11, 2021 at 9:08 am

How Square’s Purchase of Afterpay May Impact Your CU

The announcement that Square will purchase Afterpay for a mere $29B is more than just another business story. Look under the hood and the transaction shows how the payment space and the way transactions are executed are fundamentally changing; raises questions about the continued utility of the existing regulatory framework; and demonstrates yet again that financial institutions, which do nothing more than hold money and keep consumers’ income safe, are becoming increasingly minor cogs in consumer financial transactions.

First, what is Afterpay and what does it do? As I explained in this blog, Afterpay is an online payment platform started in Australia less than a decade ago which specializes in facilitating buy-now, pay-later transactions. Merchants agree to pay a fee to facilitate in-store purchases; consumers agree to repay the purchase with a limited number of payments; and Afterpay agrees to purchase the sales installment contract.

What’s so clever about this arrangement? Merchants get their money free and clear even if the fee they pay seems an awful lot like an interchange fee. What’s in it for the consumer? Apparently, Millennials really do hate debt. Good for them. The installment plans give them reasonable payment flexibility without using a credit card. Afterpay avoids the federal disclosure requirements mandated by the Truth In Lending Act (TILA) by limiting payment to four installments. A fifth installment would trigger TILA. The model also gives Afterpay a huge volume of retail installment contracts to buy and sell. You can easily imagine these things packaged into securities.

Square is a more traditional peer-to-peer payment platform started way back in the teens of this century. It specializes in giving merchants easy access to payment platforms and of course, getting a piece of each transaction.

The amazing thing about all these developments is how little these entities are regulated. Afterpay did enter into a consent decree with California in which it agreed to comply with state level license requirements for retail lending. But one state’s licensing requirements do not level the playing field.

One more thought. Recently the Biden Administration announced it was going to take a more aggressive view of mergers under our antitrust laws. In reviewing this proposed purchase, I’m assuming the Justice Department will be asking itself whether the real purpose of this transaction by Square is to buy up a potential competitor in a payment space it ultimately hopes to monopolize, as opposed to helping consumers by bringing resources to a company whose unique payment model expands choices for consumers. Call me cynical, but I have my doubts.

August 3, 2021 at 10:34 am

How Portable Is “Your” Data?

That is the question yours truly is pondering after reading through Colorado Senate Bill 21-190. When the bill takes effect, Colorado will become the third state in the nation, following California and Virginia, to pass legislation mandating that consumers be given greater control over their electronically stored personal data.

Like Virginia’s, Colorado’s law exempts financial institutions from its requirements, but its passage underscores why your vendor management in general and your contract language in particular are more crucial than ever in the absence of federal guidelines. Here is one reason why:

Colorado has followed the lead of other states and Europe in mandating that businesses that process and control personal consumer data have the ability, among other things, to ensure that consumers have: the right to opt out of their personal data being used by third parties for targeted advertising; the right to know who has their information; the right to correct inaccurate information; the right to delete personal information; and the right to “data portability.”

I’ve been told by IT people that conforming to these requirements is not easy, to put it mildly. But the tasks are made even more challenging in the absence of universal agreement as to who owns what data and what personal data is. As a result, even though financial institutions have been exempted from many of these laws, you should draft your contracts, particularly those dealing with your core processing functions, mindful of the need to easily access data on behalf of your credit union and members.

For instance, in reviewing contracts with your attorney, you should seek language stipulating that data will be stored in a universally available format. You also want to clearly delineate what data belongs to your credit union and what data belongs to your vendor. Your contract should also stipulate that vendors will only have access to data for the purpose of carrying out their obligations under the agreement.

Why is this or similar language so important? Because it will ensure that you have the ability to track who has access to the personal information of your members. Irrespective of what the law requires, members are going to increasingly expect to have greater control over their personal information. In addition, as I talked about in a recent blog, transferring from one core processor to another can be as acrimonious as a bad divorce. The clearer your contract specifies what information is to be transferred, the easier this process will be.

On that note, enjoy your weekend. For those of you who find soccer only slightly more exciting than watching paint dry, take a look at Sunday’s European Championship game between Italy and the UK. England is the Chicago Cubs of European Soccer minus a World Series win.

July 9, 2021 at 9:46 am

DFS Issues Ransomware Guidance

Good afternoon, folks. If you are like yours truly, you may physically be working but your mind is drifting away in anticipation of a three-day weekend. Snap out of it!

Yesterday the DFS issued ransomware guidance; the guidance applies to state chartered credit unions and CUSOs. That being said, federally chartered credit unions would be well-advised to also take a look at what DFS has to say, because the Department has a disproportionate influence when it comes to establishing industry standards regarding cyber security.

First, the DFS wants to justifiably scare the heck out of any institution, large or small, that hasn’t taken the time to address the ransomware threat. I don’t believe it is overstating the situation the financial industry faces when it says that “a major ransomware attack could cause the next great financial crisis.”

Against this backdrop, it is issuing this guidance while putting everyone on notice that it may be making additional changes to its existing regulations. Furthermore, the Department expects all institutions, irrespective of their size, to address these issues. Among the precautions the Department expects institutions to implement, if they haven’t done so already, are:

  • Email Filtering and Anti-Phishing Training
  • Vulnerability/Patch Management
  • Multi-Factor Authentication
  • Disable Remote Desktop Protocol Access
  • Password Management
  • Privileged Access Management
  • Monitoring and Response
  • Tested and Segregated Backups
  • Incident Response Plan

Nothing on this list should surprise you; the reality is, however, that many of the most devastating ransomware attacks directly result from failing to take these basic steps. That means that it is not enough to have pristine policies and procedures; you need to periodically test whether or not they are actually being put into practice. For example, how soon after your credit union receives notice of a new patch update does it integrate the patch? Every minute that goes by is one more minute hackers can take advantage of a programming defect that is now known to a large portion of the IT industry.

On that happy note, enjoy the rest of the afternoon.

July 1, 2021 at 2:40 pm

The Good, The Bad, and The Ugly as Albany’s Session Comes To A Close

Early this morning, the NYS Legislature came to its unofficial end as the Assembly passed the last measures of an extremely active session. Here is a first look at some of the key legislation that will impact CUs if it is approved by the Governor.

In a major legislative accomplishment, credit unions successfully lobbied for legislation which will allow them to participate in the Excelsior Linked Deposit program. The program gives lenders access to state deposits in return for making qualifying small business loans of up to two million dollars. Just how long have credit unions been seeking to participate in the program? Well, one of our volunteer board members lobbied for passage of the bill by showing legislators a letter he wrote in support of credit union participation to the Governor… Governor Pataki.

Credit unions came up short on legislation which would allow municipalities to place their funds in credit unions, but for the first time in at least 15 years, legislation has been voted out of the Senate and Assembly Banks committees. This means that the finance committees will be hearing from plenty of credit unions over the next year.

Finally, credit unions successfully lobbied for passage of legislation which will help bring banking into the 21st century by authorizing the use of remote online notarization. This bill is a win for consumers in general and the elderly and disabled, in particular, who will now be able to more easily get their documents notarized without having to go to a branch. The legislation would also make it easier to sell mortgages on the secondary market.

Now for the bad news. The legislature passed a measure to cap the interest that can be charged on judgements related to consumer debts at 2%. As drafted, the new interest rate would apply to judgements which have been filed but not yet executed prior to the bill becoming effective. If you think that is a recipe for a confusing mess, you’re correct.

Earlier this year, New York’s Court of Appeals wrote a series of decisions restoring a level of common sense to New York’s foreclosure process. The legislature passed a series of measures which chip away at these rulings. For example, Assembly 2502A imposes additional pleading requirements on lenders seeking to foreclose that could otherwise be waived by a homeowner.

Another bill passed by the legislature would extend CRA requirements to licensed mortgage bankers. Crucially, this bill would not apply to credit unions. It would apply to mortgage CUSOs.

Looking ahead, the table has been set for a debate over legislation to impose a California-style data protection framework on NYS. Legislation has been introduced and the Association is seeking to exempt GLB compliant institutions. Get your talking points ready for the trip to Albany next winter.

June 11, 2021 at 9:50 am


Authored By:

Henry Meier, Esq., Senior Vice President, General Counsel, New York Credit Union Association.

The views Henry expresses are Henry’s alone and do not necessarily reflect the views of the Association. In addition, although Henry strives to give his readers useful and accurate information on a broad range of subjects, many of which involve legal disputes, his views are not a substitute for legal advice from retained counsel.
