Posts filed under ‘Technology’

New York State Issues Important Guidance on Virtual Currency and BSA Requirements

New York’s Department of Financial Services issued guidance yesterday emphasizing the unique BSA concerns raised by virtual currency.  While this guidance only applies to entities subject to the Department’s virtual currency license requirements as well as certain trust companies, categories which do not include credit unions, I would suggest anyone responsible for integrating virtual currency oversight into your credit unions compliance framework would be well advised to analyze New York State’s missive. 

In today’s blog, yours truly is not going to summarize the guidance but instead provide some context as to the considerations that regulators and financial institutions should take into account as they begin to dip their virtual toes into the virtual currency space.  In doing so I want to illustrate why I think the DFS guidance is important. 

What virtual currencies such as Bitcoin and Ether have in common is that they allow individuals to transfer these currencies between computers so long as the sender and receiver have set-up virtual wallets.  The key to this arrangement is Distributed-Ledger-Technology (DLT). 

With apologies to the technologically savvy out there, every time a request is made to send or receive “currency” from, or to, a wallet and the transaction is confirmed as valid, a notation is added to a computer program called a block-chain.  This technology is the key to the whole process since it provides a virtual ledger confirming the transfer of debits and credits. 

This means that without the use of a financial institution, any two individuals, using fictitious names, can transfer money.  Needless to say, since the emergence of the Bitcoin, there have been concerns raised about the utility of this technology to facilitate money laundering and other illicit activities (since we’re on the subject of money laundering, my wife and I have started binge watching Ozarks, which is the best show I’ve seen since I binged Breaking Bad, but I digress). 

These concerns have been partially vindicated since ransomware attacks typically include a demand for payment in Bitcoin.  But that may be changing.  Law enforcement is beginning to understand DLT.  For example, the ransomware attack on the Colonial Pipeline understandably got a lot of attention last year, but as significant as the attack itself, is the fact that the FBI was able to track down at least some of the culprits and retrieve much of the ransomed funds. 

Now, I’m not suggesting that credit unions or vendors need to be as savvy as the FBI in order to ensure compliance with BSA and AML requirements, but in the old days it was thought that the only way of deterring illicit activity was to make it as difficult as possible to convert Bitcoin and its prodigies into cold hard cash.  The DFS guidance emphasizes that even now there are basic steps that financial institutions can take as they begin to consider how to integrate virtual currency offerings into their lines of products or working with third party vendors as already permitted by the NCUA.  Besides, as virtual currencies become more widely accepted, there will be less and less need to convert them into fiat currency, but that’s a blog for another day.

April 29, 2022 at 10:20 am Leave a comment

Getting Ready For The Legislature’s Stretch Run

Yours truly is back from his Carolina vacation and has caught up with enough e-mail to finally post again.  While there is a lot I want to get off my chest – there is only so much my wife wants to hear about the banking industry during an eight-hour car ride – I think I will start with a description of some of the key legislative and regulatory issues that will be impacting New York state credit unions in the coming weeks. 

Not only is this an election year, but it is an election year following the redrawing of the election map, meaning that the legislature will want to get out of town as quickly as possible, especially with primaries scheduled for June. 

One of the most important issues we are dealing with is a bill that would retroactively impose strict new requirements on lenders foreclosing on property (S5473D Sanders).  As many of our members have already explained to their representatives during our state GAC, as currently drafted, the retroactive application of this bill and the ambiguity regarding the right of lenders and borrowers to negotiate modifications without running out of time to foreclose on property will actually make it more difficult to work with delinquent borrowers.

We are also continuing to advocate for changes to a proposed data portability and privacy bill which does not currently exempt financial institutions (S6701A Thomas / A680B Rosenthal) as well as continuing to express a strong opposition to state level anti-trust legislation (S933A Gianaris) which could negatively impact the ability of credit unions to help provide communities banking services, particularly in underserved areas. 

All this is taking place as New York’s highest court hears an appeal of a case challenging the legality of New York’s redrawn Congressional map which could allow Democrats to pick up four additional seats as they struggle to keep their majority.  Expect a decision to come down shortly.

As for the federal level, there is an interesting article in today’s WSJ reporting that privacy legislation may finally be getting traction in Congress.  This is potentially good news, provided the legislation does not impose additional requirements on credit unions and the legislation preempts state law.  But I still remain skeptical that Congress will be able to get legislation done this year.  Hopefully, I am wrong.

On the regulatory front, we are still waiting to see what will come out of the CFPB’s initiative against so-called “junk fees”.  The president of the American Bankers Association has already taken to publicly accusing the Bureau of going rouge.  My bet is that we are going to be hearing a lot about overdraft fees in the coming months. 

Last, but not least, let’s hope that the NCUA is going to be following up on its reach-out to credit unions by providing additional guidance as credit unions begin to explore the banking issues raised by distributed-ledger technologies and cyber currencies.  On May 11th yours truly will be discussing the state of regulation in this area and how it is going to impact your credit union as part of the Southern Tier’s Spring Chapter Event in Binghamton.  I noticed it’s at an Irish pub, so let’s share a half-and-half as we ruminate on how technology is once again upending the way banking is done.

Full disclosure, my wife and kids won’t be attending.  They already heard enough about how the NCUA needs to move more quickly and provide additional guidance in this area.  It was one of my favorite topics as we drove around North Carolina.

April 27, 2022 at 9:57 am Leave a comment

Why Overdraft Fees Are An Endangered Species

Good morning boys and girls, I want you all to grab a cup of coffee and gather around the virtual rug while I tell you a fascinating story about the history of overdraft protection programs and why a recent decision by the Court of Appeals for the Tenth Circuit is instructive for your credit union.

A long, long time ago, in an age before the internet and computers, banks and credit unions would decide on a case-by case basis whether to honor a member’s checks.  Let’s say Mrs. Jones didn’t have quite enough money to pay for the new vacuum she wrote out a check for. If they knew she was a good consistent member who deposited her paycheck every Friday, chances are they would cover the check. Everyone was happy, including the store owner who was dependent on checks to grow his business. 

Times changed.  Technology allowed financial institutions to automate overdraft decisions and financial institutions started charging fees for providing overdraft protection.  Financial institutions began to incorporate this practice into their account agreements and market them to their members. 

But marketing what used to be an ad-hock process into a financial product raised legal and regulatory concerns when that bank or credit union paid a check. For example, when that bank or credit union paid a check for Mrs. Jones’ granddaughter on the assumption that it would get the money back at a later date, wasn’t it extending credit, and if so, why wasn’t it providing more disclosures?   Never mind that some members absolutely loved this service.  For instance, Mrs. Jones’ granddaughter hardly knows what a checkbook is and couldn’t balance her account if her life depended on it.  After all, there are apps for this type of thing.

Responding to these concerns, in 2005, NCUA joined with bank regulators in issuing this guidance explaining the conditions under which financial institutions could provide overdraft protection services to their members and customers without running afoul of state usury laws or federal consumer protection laws, such as the Truth In Lending Act (TILA). The guidance established a common sense framework under which both federal and state credit unions were allowed to charge overdraft fees. The guidance also explained the conditions under which credit unions could offer overdraft lines of credit, but crucially, it explained that lines of credit triggered disclosure requirements under TILA. The OCC also authored an influential opinion letter for banks in 2007 in which it further explained that overdraft fees were part of a bank’s account maintenance activities for which fees could be charged, as opposed to debt collection activity subject to additional state and federal laws. 

Although overdraft fees remain controversial on a policy level, the fundamental premise of the above guidance remains good law.  Overdraft fees are not interest, so long as they are properly disclosed. In addition, members must affirmatively agree to overdraft protections when it comes to their debit cards. 

But just the other day, the Court of Appeals for the Tenth Circuit decided a case which took direct aim at this regulatory framework.  In Walker v. BOKF, National Association, 2022 WL 1052068 (C.A.10 (N.M.), 2022) involves an overdraft product under which the bank’s customers are charged an initial overdraft fee and an additional Extended Overdraft Fee of $6.50 per business day if the account remains overdrawn after five days.

The plaintiff in this case does not challenge the bank’s right to charge the original overdraft fee. He instead argues that the reoccurring charges for nonpayment amounts to interest. Interest which far exceeds the state interest rate cap of 8%. 

Stop yawning kids.  This argument takes direct aim at the core legal premise which allows financial institutions to charge overdraft fees. Remember how the bank used to honor Mrs. Jones’s checks even though there wasn’t enough money in her account? If the bank’s actions where actually classified as a loan, then virtually any fee would exceed NCUA’s interest rate cap not to mention state usury laws. The case in question was not challenging overdraft fees, but if the plaintiff in this case was successful, the next round of litigation would challenge the premise that overdraft protections are fees and not loans. The case is also crucial because it invites the courts to rule that bank regulators misinterpreted the law in 2005 and 2007 when they decided that overdraft fees should not be considered interest. Fortunately for us, the argument was rejected.

So what is the moral of the story? First, if you offer any products which charge both a fee and then recurring charges if the account remains overdrawn for a period of time, prepare yourself for a potential legal challenge.  Litigation like this does not happen in a vacuum. 

But here is an even scarier thought.  Right now the CFPB is considering taking action against so-called Junk Fees.  The distinction between interest rates and fees is a regulatory distinction developed long before the CFPB was conceived by an obscure Harvard law professor by the name of Elizabeth Warren. If the CFPB decides to aggressively challenge the existing regulatory framework, it most likely has the legal authority to do so. What one regulator can give, another can simply take away. Congress may have to be the ultimate arbiter of the overdraft debate.

On that happy note, yours truly is heading south in search of warm weather.  I will return a week from Monday.

April 14, 2022 at 9:32 am Leave a comment

CDFIs, DFS Among the Winners In State Budget

With one eye on the final round of the Masters, yours truly did an initial review of the legislation included in New York’s budget plan for this fiscal year and my initial take is that CDFIs and the Department of Financial Services are among the biggest winners.  This is of course good news for those New York State chartered credit unions which have CDFI designations. 

Last year the Association was successful in getting legislation passed allowing credit unions to participate in the Excelsior Linked Deposit program.  This program allows participating lenders to receive state deposits in return for making subsidized low interest loans to eligible small businesses.  Language included in the budget makes any loan involving a CDFI eligible for the program.  The budget also makes CDFIs eligible to receive loans.  This is a huge incentive for CDFI credit unions to get qualified to participate in the program.  Give me a call if you want to further discuss potential opportunities. 

As Washington dithers over how best to regulate crypto currencies, New York moved decisively to give DFS regulatory power over those portions of the industry based in New York.  The budget amends the Financial Services Law to authorize the DFS to examine “persons engaged in the virtual currency business” and to make the industry pay for the cost of such examinations, just like other state regulated institutions currently do. 

What is also striking about this new power is that DFS is also given the authority to promulgate regulations defining what entities are going to be subject to this new framework.  While this type of regulatory handoff is normal in Washington, it is unusual in New York where a new authority such as this would typically be accompanied with a detailed statute. 

Finally, the legislature approved the creation of a $250M public/private fund for the purpose of providing money for social equity licensees who are seeking to open retail cannabis businesses.  This is a smartly drafted piece of legislation since it permits the state to enter into subleases with cannabis retail businesses.  One of the key challenges for businesses where cannabis has been legalized is acquiring retail space. 

Of course, this just underscores yet again why the federal government must act on the SAFE Act, but you folks already know how I feel about that.   

Perhaps Masters winner Scottie Scheffler would be interested in contributing to the state cannabis fund.  His Masters win is his fourth tournament victory in six weeks, a feat that has been worth approximately $8.6M.  Not bad for a 25 year old.   

April 11, 2022 at 9:23 am Leave a comment

Five Things You Need to Know As You Start Your Credit Union Week

Here is a surprising long list of things you need to know that happened over the past few days.  Most of these would be worthy of a blog on their own, and may in fact expanded upon at a future date.  I am sure you can’t wait.

COVID Order Lifted by Department of Health

On Friday, the Department of Health announced that it was no longer designating COVID-19 as “an airborne infectious disease that presents a serious risk of harm to the public health under the HERO Act.”  This means that you may stop taking all those additional precautions outlined under your HERO Act workplace safety plan.  Let’s hope that we don’t have to reinstate these precautions in the near future, but remember that you have an ongoing obligation to ensure that your business is prepared to activate these plans.  As a matter of fact, you may want to see if there are any adjustments that should be made based on your experience implementing this mandate.

Service Facility Guidance Issued

On Friday, the NCUA issued this letter to credit unions providing additional guidance to multiple common-bond federal credit unions seeking to use shared service facilities, such as New York’s USNET, to satisfy field of membership and/or underserved area requirements. 

Prior to the regulation’s adoption, only multiple common-bond credit unions that had an ownership interest in a shared branch network could use network facilities to satisfy branch requirements when taking on a new membership group or moving into an underserved area.  The regulation extended this authority to any multiple common bond credit union that participates in a shared branching network.

The letter notes that:

For multiple common-bond federal credit unions adding occupational or associational groups, a service facility must allow a member to deposit shares, submit loan applications, or receive loan proceeds. For multiple common-bond federal credit unions adding an underserved area, a service facility in the underserved area must allow a member to deposit shares, submit loan applications, and receive loan proceeds.

New York State Strengthens Sexual Harassment Laws

On March 16, Governor Hochul signed legislation to further strengthen protections against individuals who claim they have been retaliated against by their employer for either reporting or assisting others in reporting harassment and anti-discrimination claims under state law.  Specifically, Chapter 140 of the Laws of 2022 explicitly makes it unlawful to disclose an individual’s personnel file in retaliation for testifying or bringing a harassment claim against an employer.  The law is already in effect and authorizes the Attorney General to take action she suspects of violating this provision.

Medical Bills to be Excluded from Credit Reports

In a classic example of claiming victory and conceding defeat the Wall Street Journal reported (subscription required) on Saturday that most disputed medical bills will be excluded from credit reports. 

Beginning in July, the companies will remove medical debt that was paid after it was sent to collections. These debts can stick around on a consumer’s credit report for up to seven years, even if they are paid off. New unpaid medical debts won’t get added to credit reports for a full year after being sent to collections.

The announcement comes at a time when the CFPB has repeatedly questioned the accuracy of credit reports and has a director who isn’t shy about highlighting examples of what he perceives as inappropriate conduct against consumers.

New York State to Hold Series of Cybersecurity Symposia

Last, but not least, New York State’s Department of Financial Services announced that it will be hosting a series of cybersecurity symposia to mark the five year anniversary of New York’s Cybersecurity regulations.  Happy Anniversary!  Something tells me this is more than an academic exercise.  The DFS is examining ways in which it may update these regulations and these virtual discussions could provide an early indication of where it is headed.  The first symposium is scheduled to take place March 29, 2022.

March 21, 2022 at 8:25 am Leave a comment

And The Most Important Regulatory Action of The Year Is…

Not even a close call, people: The most important regulatory action so far this year is the Security and Exchange Commission’s $100 million settlement announced February 14 with crypto lender BlockFi, in which the SEC alleged that the company was illegally refusing to register under federal securities law. 

The hundred million dollars given to the SEC and 32 states is chump change; but the fact that the SEC was willing to successfully and aggressively pursue litigation designed to signal crypto lenders that they are in fact, subject to laws and regulations is a key moment in the evolution of the crypto lending industry [Law360 subscription required]. It is also an important first step to helping credit unions and banks compete against these non-banks on a more level playing field. Let me explain.

According to the SEC order, starting in 2019 BlockFi has offered everyday investors BlockFi Interest Accounts (BIA) accounts. Members receive different interest rates on these accounts based on the type of currency being deposited by the member. In return BlockFi uses this pool of crypto currencies to make loans. Members are promised quick and easy access to their crypto funds. 

To me this sounds an awful lot like a depository institution. Maybe someday we will see the Federal Reserve or the OCC move to regulate crypto businesses such as these, or maybe Congress will update federal banking law, but I’m not holding my breath.

In contrast to the timidity of others in Washington, since taking over at the SEC, Chairman Gensler has described crypto finance as the Wild West.  In announcing this settlement, he explained that:

“This is the first case of its kind with respect to crypto lending platforms. Today’s settlement makes clear that crypto markets must comply with time-tested securities laws, such as the Securities Act of 1933 and the Investment Company Act of 1940.”

With the SEC’s action against BlockFi, it signaled that there really is a new sheriff in town. Under the settlement, BlockFi’s quasi deposit accounts will have to register as securities and average consumers will be provided greater notice that they are making investments as opposed to depositing their hard-earned funds in federally insured accounts.

History is repeating itself and let’s hope regulators strike an appropriate balance between fostering innovation and maintaining a safe and secure financial system. In the early 1970’s, non-bank financial firms introduced the widespread use of money market mutual funds. At the time regulation Q placed caps on the interest that banks could give to account holders. 

In 1977 Merrill Lynch pushed the envelope even further when it began offering cash management accounts which allowed members to use money market funds as functional bank accounts against which they could write checks. In the mirror image of the debate playing out today, the banking industry pleaded with federal regulators to regulate these accounts and the businesses that offered them as banks. They argued that companies offering NOW accounts were acting as banks without being subject to bank regulation. The issue wasn’t definitively settled until the Supreme Court struck down regulations issued by the Federal Reserve Board intended to regulate money markets. 

In hindsight, this was one of the watershed moments in the demise of the Glass-Steagall inspired banking era. (see Taming the Mega Banks: Why We Need a New Glass-Steagall Act, pages 151-153)

On that note, I’m off to prepare for my fantasy baseball draft.  Enjoy your weekend.

March 11, 2022 at 9:20 am Leave a comment

If You’re Hit By A Cyber Attack, Which Regulators Are You Going To Call and When?

The world truly is flat. Russian troops march into the Ukraine and your credit union could be victimized by a cyberattack. This point was driven home by NCUA which has festooned the home page of it’s website with a red banner informing the industry that current geographical events increased the likelihood of imminent cyberattacks.

NCUA is not exaggerating.  We could be on the verge of the first wide scale international cyberwar, in which all financial institutions, irrespective of their size, could find themselves targets of sophisticated cyberattacks.

From a legal and compliance standpoint, an increasingly important question to consider is precisely who your credit union is going to contact in the event it finds itself subject to a cyberattack, and how quickly the information is going to be provided. In the context of Ukraine, the information provided by the NCUA clearly lays out that it expects you to promptly contact both the Agency and law enforcement.

But more generally, the question of precisely who to notify in the event of your more typical cyberattack is one of the key issues over which you should consult with legal counsel.  While many financial institutions have given consideration to when their members need to be contacted, an equally important and related question is when to contact regulators and other government officials.  The standard is evolving.  There are now fifty different state data breech notification requirements in effect, each of which has slightly different notification requirements. For example, New York State’s data breach notification law exempts federally chartered financial institutions complying with GLB from most, but not all reporting requirements. It still expects institutions to contact key state offices, including the Attorney General. Furthermore, state chartered credit unions are subject to the data notification requirements included within the Part 500 cyber security regulations. DFS has put regulated institutions on notice that it expects the 72 hour notification of data breach requirements to be followed.

Once you have assured compliance with state law, all federally insured credit unions are subject to GLB’s requirements as codified in Part 748 of NCUA’s regulations. As explained by NCUA in this article:

 “Appendix B to Part 748 of NCUA’s Rules and Regulations also states that a credit union’s response program should contain procedures for notifying the appropriate NCUA regional director. A federally insured, state-chartered credit union should also have procedures to notify their state supervisory authority as well. Notification should occur as soon as possible after the credit union becomes aware of an incident involving unauthorized access to or use of sensitive member information.”

Interestingly – at least for those of us who have decided to make a living through compliance – Part 748 does not impose a specific timeline for reporting data breaches to a regional director or members. In contrast, the OCC, FDIC, and the Federal Reserve recently issued a joint rule requiring banks to notify their primary federal regulator of any “computer-security incident” that rises to the level of a “notification incident,” as soon as possible and no later than 36 hours after the banking organization determines that a notification incident has occurred.(Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers, 86 FR 66424-01).

This new regulation does not apply to credit unions.  This means that federally chartered credit unions in New York still have discretion in determining who to contact and when in the event of a cyberattack.  But the events in Ukraine have underscored that cybersecurity policy and procedures have national implications.  My guess is that you will see a stronger push for national reporting standards to which regulators will expect strict adherence. 

On that note, I’m looking forward to seeing many of you in DC.  Remember to join us for networking on Sunday evening, if you can.  Time to go snow blow.

February 25, 2022 at 9:28 am Leave a comment

Is Your Credit Union Responsible For Your Member’s “Unauthorized” Person to Person Transfer?

This is the question the CFPB zeroed in on when it released its Supervisory Highlights in December.  You’re not going to like its answer. 

First, let’s make sure we are using the same terminology.  Digital wallets are all the rage but they have subtle and important differences that your members could not care less about but lawyers and compliance officers are going to be obsessing and litigating over as long as Congress refuses to update the Electronic Fund Transfer Act.  After all, in 1978 an ATM was cutting edge technology.  Now, we walk around with ATMs on our wrists. 

When the CFPB updated Regulation E in 2016, it made an important and reasonable distinction between services such as Apple Pay which simply hold a member’s debit and credit card information and allow a member to effectively activate these cards, and P2P services like Venmo and certain Google products which allow members to use directory information such as an email or phone number to seamlessly transfer money to a person’s account.  Crucially, P2P services such as Venmo allow members to store money outside of their traditional accounts and the CFPB concluded that these accounts made P2P providers subject to Regulation E and its error resolution requirements. 

This distinction seemed clear enough, but in the highlights, the CFPB muddied the waters.  Specifically, it said that when a member claims that a P2P transfer was sent to the wrong party, a bank or credit union must do more than simply confirm that the money was transferred consistent with a member’s instructions.  According to the Bureau,

Examiners found that, in certain cases, due to inaccurate or outdated information in the digital payment network directory, consumers’ electronic fund transfers (EFTs) were misdirected to unintended recipients, even though the consumer provided the correct identifying token information for the recipient, i.e., the recipient’s current and accurate phone number or email address. These misdirected transfers are referred to as “token errors.” Token errors are incorrect EFTs because the funds are not transferred to the correct account. 14 Examiners found that institutions violated Regulation E by failing to determine that token errors constituted “incorrect” EFTs under Regulation E.

In other words, notwithstanding the fact that you did exactly as instructed by a member who willingly provided her account information to a third party, your credit union has obligations under Regulation E including providing provisional credit. Also in December, the CFPB released a series of updated FAQs further clarifying your responsibilities with regard to mobile wallets and EFTs.  Clearly, this is an area where legislators and regulators have to step in.    In a recent letter to the CFPB, NAFCU outlined in detail issues that can and should be addressed.  In my compliance fantasy world, there needs to be mechanisms put in place, similar to the existing check negotiation system, allowing financial institutions to reclaim lost funds from digital wallet providers whose directory information has become a lynch pin of the entire consumer finance ecosystem.

February 17, 2022 at 9:40 am Leave a comment

When Do State Interest Rate Caps Apply To A Bank’s Loans?

Expect to hear increased grumbling and calls for reform in response to a ruling yesterday by a federal district court in California upholding a regulation promulgated by the FDIC and OCC clarifying that interest rates that exceed state usury caps remain valid even after the loan is sold by a bank to a non-bank.  To be abundantly clear here, nothing I am going to talk about deals directly with credit unions but the issue of interest rates and more generally what happens to loans that are sold to third parties is one that is likely to receive increased scrutiny.  It behooves anyone in banking to have at least a basic understanding of how the law operates for banks.

Under federal law, federally chartered banks are allowed to charge the interest rate permitted by the state in which they are based.  The interest rate is valid even if the loan is made to an individual located in the state which has a usury cap lower than the interest rate charged on a bank’s loans.  Similar protections are extended to state chartered banks by the FDIC.  This “valid where made” rule is why so many credit card banks are located in states that don’t have usury laws.    Incidentally, for federally chartered credit unions, which are already subject to NCUA’s interest rate cap, the law is more clear-cut, authorizing them to make loans without reference to state usury limits.   

But what happens when a loan is sold to a non-bank? In 2015 the Court Of Appeals for the 2nd Circuit created quite the uproar.  In Madden v. Midland Funding, LLC, the court ruled that a debt collector who had bought a package of loans from a federal bank could be sued for violating a state’s interest rate cap because the preemption afforded to banks did not extend to non-bank entities. 

This is not an arcane debate.  Many fintech lending models are based on obtaining packages of loans from originating banks and then selling or participating out portions of these loans.  This entire model is much less attractive if loans purchased by these fintechs are subject to one of the 43 state usury limits.

The OCC responded by promulgating a rule effectively overturning the Midland decision and clarifying that the validity of an interest rate is determined by its legality when it was originally made by a bank.  Debt collectors and other third parties that purchase loans did not have to worry about state lending caps. 

Which brings us to the punchline in today’s blog.  New York and other states brought a lawsuit challenging the new regulations.  They argued that the FDIC and OCC did not have the authority to extend interest rate protections to non-bank entities.  Yesterday, Round 1 went to the national banks.  In a fairly straightforward analysis of administrative law, the district court upheld the new federal regulations.  The case will, of course, be appealed but the issue could be addressed either by federal legislation or if the OCC and FDIC, both of which are under new leadership, withdraw or amend the regulation.

On that note, enjoy your day.

February 9, 2022 at 9:42 am Leave a comment

Is Mobile Betting Worth The Risk?

In the week before the first round of the NFL playoffs, New York regulators finalized the regulatory framework authorizing selected companies to start offering mobile betting to New Yorkers following passage of legislation this past April [Part Y of S2509-C].  The timing was not a coincidence and it underscores that when it comes to legalized betting, there is inevitable tension between state legislators rushing to capitalize on this potential source of fiscal wealth and increasingly outdated federal laws and regulations which continue to place severe restrictions on the conditions under which betting services can be provided. 

Not surprisingly, lawyers and chief risk officers have been caught in the middle as they try to balance a desire to accommodate throngs of members anxious to lose their money on “can’t miss” bets, while keeping their credit union in compliance.  Judging by the number of phone calls the Association has fielded on this issue, this is an issue keeping compliance people up at night.  I think it’s worth taking a deep dive. 

In today’s blog, I’m going to provide a primer on the broader legal context in which New York is now providing mobile gambling because understanding this context is crucial as credit unions consider how to respond to members who want to use credit and debit cards to quickly open their betting accounts. 

With the usual caveat that what follows is simply one man’s analysis and not a legal opinion that should replace a call to your own counsel, let me first get to the punchline; provided proper procedures are followed, your credit union can, if it chooses to, legally provide credit and debit card access for mobile betters in New York.  However, doing so is not without enhanced compliance risk.  Therefore, your credit union’s compliance team should clearly understand the law and its nuances before deciding to enhance member options.  Given the explosion of mobile banking, it would be nice to see regulators come out with official guidance on some of the nuanced banking issues it triggers in the not too distant future.   

First There Were the Dinosaurs…

It wasn’t too long ago that betting was considered a national vice best contained to Sin City and New Jersey.  Federal law has long reflected this bias.  For example, the Federal Wire Act in 18 U.S.C. § 1084(a) makes it a crime to use “wires” to facilitate illegal betting activity, unless it is legal in both states.  When this law was originally passed, it was designed to capture your friendly neighborhood bookie who took bets from your Uncle Joe over the phone, but has since been applied to the internet.  In 2019 the Department of Justice underscored just how important this statute continues to be when it held that states could not facilitate lotteries through the use of computer servers located in states where betting is illegal. 

The Professional and Amateur Sports Protection Act (PASPA) [28 U.S. Code § 3702 et. seq.] made it illegal for states to authorize sports betting within their boundaries, giving the federal government exclusive decision making power on which states could legally offer sports books. 

With the growth of the internet, enterprising individuals tried to get around these prohibitions by setting up gambling operations in other countries.  They argued that bets made in the U.S. were legal because the betting operations placed the bets in a foreign jurisdiction.  In 2006, Congress responded to this trend by passing the Unlawful Internet Gambling Enforcement Act (UIGEA).  This is the legislation which continues to have the most direct impact on compliance for financial institutions.  It mandates that credit card issuers block unlawful gambling activity over the internet. Its accompanying regulation is Regulation GG, which I bet is a regulation you haven’t thought about much until recently.  

As of 2018, things were straight forward from a compliance standpoint.  Your credit union had to identify commercial businesses that were engaged in online betting and ensure that it took steps to block the use of debit and credit cards to facilitate betting over the internet since any use of the internet to gamble in New York would be unlawful under any of these laws.  Since betting was illegal under almost all circumstances, your Bank Secrecy Act obligations were also straight forward.  If a credit union thought that the financial transactions of your Uncle Joe’s bookie were suspicious, it had an obligation to file Suspicious Activity Reports and examiners had to be on the lookout for such illegal activity. As NCUA explained in its UIGEA Guidance,

“If any depository institution suspects that a customer is processing illegal transactions, including restricted transactions, through the depository institution’s facilities, the depository institution should file a SAR with the appropriate authorities”.

Then things started to get real complicated real quick.  Most importantly, in Murphy, Governor Of New Jersey, et al. v. National Collegiate Athletic Assn. et al., the Supreme Court ruled that PASPA unconstitutionally prevented states from licensing gambling activity.  States like New York have now rushed to take advantage of this ruling, even as UIGEA and the federal Wire Act remain intact.  In other words, mobile gambling is now legal, but only in states where it has been authorized and completely contained within its borders.  No wonder then that some major credit card issuers have remained hesitant to provide easy access to mobile betting for their consumers. 

Against this backdrop, New York legislators tried to make the gray areas a little less murky.  For example, New York’s statute specifies that:

All mobile sports wagering initiated in this state shall be deemed to take place at the licensed gaming facility where the server or other equipment used by a mobile sports wagering licensee to accept mobile sports wagering is located, regardless of the authorized sports bettor’s physical location within this state”

It tries to entice financial institutions to participate by explicitly specifying that:

“Authorized sports bettors may deposit and withdraw funds to and from their account on a mobile sports wagering operator through electronically recognized payment methods, including but not limited to credit cards and debit cards, or via any other means approved by the commission; provided however, that in the case of credit card payments, each authorized sports bettor’s account per operator shall be limited to a credit card spending amount of two thousand five hundred dollars per year”

In contrast, other states have forbid the use of credit cards.

While this language is helpful, rulings by federal courts in both Florida and California underscore that the determination of where a bet is made, and therefore whether it is legal under federal law, is a fact sensitive determination that will ultimately be made by the courts.

My guess is that the use of credit and debit cards will become commonplace.  It is something your members will expect as part of their membership.  The important point to keep in mind is that a compliance framework based on a holistic understanding of both federal and state law in this area is the best way to devise a proper system of checks and balances for your credit union.

January 27, 2022 at 1:22 pm Leave a comment

Older Posts


Authored By:

Henry Meier, Esq., Senior Vice President, General Counsel, New York Credit Union Association.

The views Henry expresses are Henry’s alone and do not necessarily reflect the views of the Association. In addition, although Henry strives to give his readers useful and accurate information on a broad range of subjects, many of which involve legal disputes, his views are not a substitute for legal advise from retained counsel.

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Join 772 other followers

Archives