How Portable Is “Your” Data?

That is the question yours truly is pondering after reading through Colorado senate bill 21-190. When the bill takes effect Colorado will become the third state in the nation, following California and Virginia, to pass legislation mandating that consumers be given greater control over their electronically stored personal data.

Like Virginia’s, Colorado’s law exempts financial institutions from its requirements, but its passage underscores why your vendor management in general and your contract language in particular is more crucial than ever in the absence of federal guidelines. Here is one reason why:

Colorado has followed the lead of other states and Europe in mandating that businesses that process and control personal consumer data have the ability, among other things, to ensure that consumers have: the right to opt out of their personal data being used by third parties for targeted advertising; the right to know who has their information; the right to correct inaccurate information; the right to delete personal information; and the right to “data portability.”

I’ve been told by IT people that conforming to these requirements is not easy to put it mildly. But the tasks are made even more challenging in the absence of universal agreement as to who owns what data and what personal data is. As a result, even though financial institutions have been exempted from many of these laws, you should draft your contracts, particularly those dealing with your core processing functions, mindful of the need to easily access data on behalf of your credit union and members.

For instance, in reviewing contracts with your attorney, you should seek language stipulating that data will be stored in a universally available format. You also want to clearly delineate what data belongs to your credit union and what data belongs to your vendor. Your contract should also stipulate that vendors will only have access to data for the purpose of carrying out their obligations under the agreement.

Why is this or similar language so important? Because it will ensure that you have the ability to track who has access to the personal information of your members. Irrespective of what the law requires, members are going to increasingly expect to have greater control over their personal information. In addition, as I talked about in a recent blog, transferring from one core processor to another can be as acrimonious as a bad divorce. The clearer your contract specifies what information is to be transferred, the easier this process will be.

On that note, enjoy your weekend. For those of you who find soccer only slightly more exciting than watching paint dry, take a look at Sunday’s European Championship game between Italy and the UK. England is the Chicago Cubs of European Soccer minus a World Series win.

July 9, 2021 at 9:46 am

DFS Issues Ransomware Guidance

Good afternoon folks, if you are like yours truly you may physically be working but your mind is drifting away in anticipation of a three day weekend: Snap out of it!

Yesterday the DFS issued ransomware guidance; the guidance applies to state-chartered credit unions and CUSOs. That being said, federally chartered credit unions would be well-advised to also take a look at what DFS has to say, because the Department has a disproportionate influence when it comes to establishing industry standards regarding cyber security.

First, the DFS wants to justifiably scare the heck out of any institution, large or small, that hasn’t taken the time to address the ransomware threat. I don’t believe it is overstating the situation the financial industry faces when it says that “a major ransomware attack could cause the next great financial crisis.”

Against this backdrop, it is issuing this guidance while putting everyone on notice that it may be making additional changes to its existing regulations. Furthermore, the Department expects all institutions, irrespective of their size, to address these issues. Among the precautions the Department expects institutions to implement, if they haven’t done so already, are:

  • Email Filtering and Anti-Phishing Training
  • Vulnerability/Patch Management
  • Multi-Factor Authentication
  • Disable Remote Desktop Protocol Access
  • Password Management
  • Privileged Access Management
  • Monitoring and Response
  • Tested and Segregated Backups
  • Incident Response Plan

Nothing on this list should surprise you; the reality, however, is that many of the most devastating ransomware attacks directly result from failing to take these basic steps. That means that it is not enough to have pristine policies and procedures; you need to periodically test whether or not they are actually being put into practice. For example, how soon after your credit union receives notice of a new patch does it deploy that patch? Every minute that goes by is one more minute hackers can take advantage of a programming defect that is now known to a large portion of the IT industry.

On that happy note, enjoy the rest of the afternoon.

July 1, 2021 at 2:40 pm

The Good, The Bad, and The Ugly as Albany’s Session Comes To A Close

Early this morning, the NYS Legislature came to its unofficial end as the Assembly passed the last measures of an extremely active session. Here is a first look at some of the key legislation that will impact CUs if it is approved by the Governor.

In a major legislative accomplishment, credit unions successfully lobbied for legislation which will allow them to participate in the Excelsior Linked Deposit program. The program gives lenders access to state deposits in return for making qualifying small business loans of up to two million dollars. Just how long have credit unions been seeking to participate in the program? Well, one of our volunteer board members lobbied for passage of the bill by showing legislators a letter he wrote in support of credit union participation to the Governor… Governor Pataki.

Credit unions came up short on legislation which would allow municipalities to place their funds in credit unions, but for the first time in at least 15 years, legislation has been voted out of the Senate and Assembly Banks committees. This means that the finance committees will be hearing from plenty of credit unions over the next year.

Finally, credit unions successfully lobbied for passage of legislation which will help bring banking into the 21st century by authorizing the use of remote online notarization. This bill is a win for consumers in general and the elderly and disabled, in particular, who will now be able to more easily get their documents notarized without having to go to a branch. The legislation would also make it easier to sell mortgages on the secondary market.

Now for the bad news. The legislature passed a measure to cap the interest that can be charged on judgements related to consumer debts at 2%. As drafted, the new interest rate would apply to judgements which have been filed but not yet executed prior to the bill becoming effective. If you think that is a recipe for a confusing mess, you’re correct.

Earlier this year, New York’s Court of Appeals wrote a series of decisions restoring a level of common sense to New York’s foreclosure process. The legislature passed a series of measures which chip away at these rulings. For example, Assembly 2502A imposes additional pleading requirements on lenders seeking to foreclose that could otherwise be waived by a homeowner.

Another bill passed by the legislature would extend CRA requirements to licensed mortgage bankers. Crucially, this bill would not apply to credit unions. It would apply to mortgage CUSOs.

Looking ahead, the table has been set for a debate over legislation to impose a California-style data protection framework on NYS. Legislation has been introduced and the Association is seeking to exempt GLB compliant institutions. Get your talking points ready for the trip to Albany next winter.

June 11, 2021 at 9:50 am

When Does Your Credit Union Make ACH Credits Available?

The repeated rounds of stimulus checks and the practices of many FinTechs have underscored the fact (subscription required) that there is often a time lapse between the time a credit union receives ACH credits and the settlement date that the originator (ODFI) stipulates those funds be made available. Does your credit union make these funds available immediately? If so, is it increasing its own risk?

These are the questions NACHA is asking financial institutions to consider as it analyzes the existing payment framework and considers placing more responsibility on financial institutions that choose to credit accounts prior to the specified settlement date. 

Here is a very basic example of what I am talking about. The federal government sends out a high volume of ACH credits reflecting payments on tax refunds, social security payments and those stimulus checks. According to NACHA, the settlement date can often be three or four business days after these funds are received by your credit union. My sense is that many credit unions make these funds immediately available. Technically, however, the credit union is actually advancing its own money, assuming that it can simply reclaim its advances when the credits actually become effective. Legally, this assumption is a safe one to make. While there are exceptions to every rule, a bedrock principle of the NACHA system is that the originator of an ACH is warranting that the money will be available on the settlement date. (See NACHA rules Subsection 2.4.1)

Crucially, these warranties are made at the time that a file is transmitted, not at the specified settlement date. This means that if a receiving depository financial institution advances its own funds to make funds such as directly deposited paychecks available sooner than the settlement date, it has recourse against the originating institution in the event there are insufficient funds at settlement.

In its request for comment, NACHA is asking whether the existing rules adequately allocate the risk of loss. It points out, for example, that files are occasionally sent in error, and creating lag time between when a file is transmitted and when it becomes available for use gives the originating institution time to request that its payment be reversed. But this is a classic example of a seemingly arcane compliance debate that has big implications for consumers and customer service. It seems to me that there are now millions of consumers out there who expect payments to be made available to them immediately. The existing framework creates a black and white rule putting the originating financial institution on notice of its responsibilities the second it hits the send button.

But this is just the opinion of one middle-aged attorney who is distracted by dreams of watching his Islanders beat the Boston Bruins tonight. The Association will be sending out a request for comments on this proposal to gauge credit union sentiment. We’re curious to learn your thoughts.

June 9, 2021 at 9:50 am

Court: NY Jumps Gun on FinTech Litigation

For the second time in less than four years, a federal court ruled yesterday that New York committed the legal equivalent of a false start when it filed a lawsuit against the Office of the Comptroller of the Currency (OCC) after the OCC announced that it would begin accepting charter applications from non-depository FinTechs interested in obtaining federal bank charters. If you think you’re suffering from déjà vu, you’re not. In 2017, a district court dismissed an earlier lawsuit New York’s Department of Financial Services filed against the OCC on the same grounds.

One of the key legal issues in banking is whether or not the OCC has the authority to grant federal bank charters to FinTechs even if they do not accept deposits. In the early 2000s, the OCC promulgated regulations permitting companies to apply for bank charters provided they engage in activities such as executing payment transactions. If the OCC has this power, it will enable many FinTechs to provide services traditionally regulated by the states, such as payday lending and perhaps even mortgage banking.

In Lacewell v. Office of Comptroller of Currency NYS is arguing that the OCC is acting beyond its authority by considering granting charters to non-depositories. It claims to be harmed by the revenue it would lose from licensing non-depositories and that New York consumers will be harmed by banking products which aren’t subject to New York’s consumer protection laws, such as its cap on interest rates.

But in yesterday’s ruling the court held that in the absence of a charter actually being granted, New York could not demonstrate it had been harmed enough to give it access to the federal courts.

Enjoy your weekend, folks!

June 4, 2021 at 10:03 am

It’s a Scary Time for CUs, Cyber Attacks, and Insurance

Warren Zevon once called on his dad to bring him “lawyers, guns, and money.” Given the sharp increase in cyber-attacks, your average credit union CEO should be asking for lawyers, money, and better cyber insurance policies.

Recently, an article in The American Banker proclaimed that these are scary times for small banks and credit unions, some of which have recently been the target of ransomware attacks. Yours truly is highlighting this trend not simply because I want to scare you into action but because I believe that for many financial institutions the question is not if, but when, you will find your credit union’s data being held by hackers who want money in return for allowing you to access your members’ personally identifiable information.

One of the most basic steps you can take to help protect yourself against ransomware and data theft attacks is to buy insurance. This is an issue that yours truly is also becoming increasingly obsessed with, because there is a lack of clear guidelines as to precisely what a policy provides your credit union and even whether your regulators are going to penalize you for using insurance proceeds to recover from ransomware payments.

My paranoia has been fueled by this recent GAO report describing an insurance industry that is scrambling to adjust to the rapidly evolving and increasingly expensive niche of cyber-attacks. For your credit unions that means that it is absolutely crucial that you get competent counsel to provide new guidance as to what is and is not covered under your policy. It also means that you should not assume that general language in your existing policy already provides you insurance protection. There are more and more cases in which this precise issue is being litigated. For example, I recently came across this case, West Bend Mutual Insurance Company v. Krishna Schaumburg Tan, Inc., in which an insurance company tried to deny coverage to a business that was sued after providing biometric data of customers to third parties.

In the medium to long term these issues will resolve themselves. Courts will scrutinize and effectively standardize basic terms. The problem is that this is little comfort to those of you confronting these issues right now. Time to call the lawyers and bring the money.

May 26, 2021 at 9:16 am

Resisting The DarkSide

The successful DarkSide ransomware attack, in which hackers were able to disrupt a major pipeline providing gas to states throughout the east coast, has once again brought the issue of cyber security to the forefront. Here are some of the lessons your credit union can learn from this event:

Don’t forget the basics. These are highly sophisticated attacks that start with very basic mistakes. On Wednesday, the FBI and the CISA issued a joint memorandum. The first three steps it suggested companies take to mitigate the threat of ransomware are to require multi-factor authentication, enable strong spam filters, and implement a user training program and simulated attacks for spear phishing.

Expect insurance costs to spike. The attack comes as regulators and stakeholders debate the best way to deal with ransomware attacks and the role that insurance should play. This past fall, FinCEN issued guidance warning financial institutions and insurance companies that they might be violating federal law if they help a company facilitate a ransomware payment. In addition, New York State’s Department of Financial Services recently reached a multi-million dollar settlement with an insurance company for violating the state’s cyber security regulations. The settlement has gotten the attention of the legal community since it included a stipulation that insurance proceeds would not be used to pay the settlement.

The DarkSide may bring Congress to its senses. Call me a cock-eyed optimist, but if the ability of hackers to shut down a major energy pipeline affecting states throughout the country doesn’t jolt Congress into passing comprehensive cyber security regulations, then nothing will. This would seem like an issue that can overcome the great ideological divide, but only time will tell.

May 17, 2021 at 9:20 am

Fed Proposes Giving Merchants More Choices When Processing Online Payments

Good morning folks, last week the Federal Reserve board proposed regulations that would interpret the Durbin amendment as mandating the type of technology your credit union uses to access debit card networks.

There are two basic types of technologies used to process debit card payments: Single-Message Systems (SMS) send a single message to facilitate a payment transaction, while a Dual-Message System uses (you guessed it) two messages. When the Durbin amendment was passed more than ten years ago, either of these approaches could easily accommodate in-store transactions, but SMS technology was not able to accommodate card-not-present transactions. Fast forward to the present day and, according to merchants, some of the largest issuers still don’t accommodate online transactions over SMS even though technology now makes it possible to do so. This distinction has grown in importance as online transactions have grown on average 17 percent a year, not including the dreaded 2020.

Not surprisingly, the merchants are complaining. They argue, and the Federal Reserve agrees, that since many issuers do not offer the use of SMS to process online transactions they often find themselves unable to choose a competing network. In response to these concerns, the Fed has proposed adding commentary to Regulation II specifying that card-not-present transactions are a specific type of transaction for which a merchant must have access to at least two unaffiliated networks.

After reading the preamble, I’m curious whether this will have any impact, particularly on smaller credit unions, or whether the Federal Reserve’s new mandate can be accomplished with the touch of a button. If it is the former, then get the word out to your association ASAP; if it is the latter, well, it was only a matter of time before regulators caught up to the huge shift towards online shopping.

May 10, 2021 at 9:08 am

Gov Approves HERO Act

Good morning folks, with a special shout out to those of you who work in the great state of New York.

The Governor has approved the HERO Act, legislation which mandates that all businesses in NYS implement policies addressing a wide range of issues related to airborne illnesses, such as COVID. For those of you with ten or more employees, you also must give your employees the option of creating committees to address workplace health-related issues on an ongoing basis.

The bill is phased in over a six-month period, with the first requirements taking effect in 30 days. Adopting an approach similar to what we saw when the state passed sexual harassment legislation, the state will be providing sample policies that your credit union can adopt.

One other piece of good news is a reminder that this law applies to both federal- and state-chartered credit unions.

Stay tuned, the Association will be hosting a webinar next Wednesday to take a first look at this important new mandate.

Remote Notarization Hearing Today

At 10 o’clock today, the Assembly will be holding a virtual hearing to analyze issues related to authorizing remote notarization on a permanent basis in New York. Remote notarization refers to the ability of a notary to verify the authenticity of a signature without the signer being physically present. Lisa Morris from Hudson Valley Credit Union will be testifying for the Association.

He’s Back!

The former Benign Dictator of Consumer Finance is back. Richard Cordray has been given a high-profile job at the U.S. Department of Education from which he will oversee issues related to the federal student loan program. Not coincidentally, his portfolio gives him a high-level platform to address one of the key issues the Biden administration is being pressured to address — whether to forgive or not to forgive all of those student loans — while not being so high as to require Senate confirmation.

California Chimes In

California joined Illinois’s financial regulator in prohibiting lending platform Chime from implying in its advertisements and websites that it was a bank, as opposed to a lending platform that passes through loans. The state’s actions come as federal and state regulators continue to grapple with the issue of when FinTechs should be classified as banks, with the accompanying regulatory requirements that this classification would impose.

Earlier this week the Federal Reserve board issued proposed guidance for the Federal Reserve banks to consider when deciding whether or not FinTechs should be given access to the Federal Reserve System. Don’t underestimate this power: remember it was a Federal Reserve Bank which blocked Colorado from starting a state-level bank to provide marijuana banking services.

Captain obvious here: this is an issue that Congress needs to address sooner rather than later.

On that note, enjoy your weekend. If all goes according to plan, yours truly will be gathering with a group of vaccinated middle-aged men to play his first round of in-person poker in more than a year.

May 7, 2021 at 9:35 am

How Much Legal Risk Does Accidentally Exposing Personal Information Put Your CU In?

The Court of Appeals for the Second Circuit, which has jurisdiction over credit unions in New York State, recently provided guidance to businesses that face potential data breaches, which of course is every credit union employing someone reading this blog. It also took the opportunity to explain how much legal risk the office luddite (you know, the person who continually responds to emails instructing her to buy gift certificates with company money) is putting your credit union in.

As my hardcore faithful readers know, a key concept to understand in evaluating your credit union’s legal risk is standing. The very basic idea is that one of the things someone seeking to sue you in federal court has to show is that they have been injured enough to justify being compensated by a court for the harm allegedly caused by your actions. While this issue is easy enough to figure out in the case of a car accident or property damage, it is much more difficult to determine how much harm there has been in the context of data breaches.

In McMorris v. Carlos Lopez & Assocs., LLC, No. 19-4310 (2d Cir. 2021) the court heard an appeal from employees of a company who are part of a group of individuals whose personally identifiable information was exposed when a spreadsheet was sent to 65 fellow employees. They wanted to bring a class action lawsuit against their employer based on this negligent mishap. They couldn’t point to specific instances of the exposed information being misused, but they feared that it might be and wanted the company to pay for detection services.

The Second Circuit used these facts to address when potential future harm caused by a data breach triggers legal liability. It held that courts should consider the following factors in evaluating harm. Remember that these are the same factors your insurance company will be considering when pricing your data breach policies, and that you should be discussing them with your outside counsel the next time one of your employees mistakenly exposes personally identifiable information to third parties:

(1) whether the plaintiffs’ data has been exposed as the result of a targeted attempt to obtain that data; (2) whether any portion of the dataset has already been misused, even if the plaintiffs themselves have not yet experienced identity theft or fraud; and (3) whether the type of data that has been exposed is sensitive such that there is a high risk of identity theft or fraud.

In the context of this case the court determined that our would-be class action plaintiffs could not establish standing. The personally identifiable information was exposed because of a mistake, as opposed to the intentional acts of a hacker; there was no evidence that the compromised data had been misused; and some, though not all, of the information was not particularly sensitive. It included, for example, phone numbers and dates of hire.

As for the fact that some of the victims felt the need to pay for services to monitor their accounts, the court held that self-inflicted harm cannot provide the basis for standing in federal courts.

On that note, grab another cup of coffee and continue going through your email secure in the knowledge that honest mistakes won’t necessarily result in a successful lawsuit against your credit union.

May 6, 2021 at 9:49 am

Authored By:

Henry Meier, Esq., Senior Vice President, General Counsel, New York Credit Union Association.

The views Henry expresses are Henry’s alone and do not necessarily reflect the views of the Association. In addition, although Henry strives to give his readers useful and accurate information on a broad range of subjects, many of which involve legal disputes, his views are not a substitute for legal advice from retained counsel.