Posts filed under ‘Technology’

Court: NY Jumps Gun on FinTech litigation

For the second time in less than four years, a federal court ruled yesterday that New York committed the legal equivalent of a false start when it filed a lawsuit against the Office of the Comptroller of the Currency (OCC) after it announced that it would begin accepting charter applications from non-depository FinTechs interested in obtaining federal bank charters. If you think you’re suffering from deja vu, you’re not. In 2017, a district court dismissed an earlier lawsuit New York’s Department of Financial Services filed against the OCC on the same grounds.

One of the key legal issues in banking is whether or not the OCC has the authority to grant federal bank charters to FinTechs even if they do not accept deposits. In the early 2000s, the OCC promulgated regulations permitting companies to apply for bank charters provided they engage in activities such as executing payment transactions. If the OCC has this power, it will enable many FinTechs to provide services traditionally regulated by the states, such as payday lending and perhaps even mortgage banking.

In Lacewell v. Office of Comptroller of Currency, NYS is arguing that the OCC is acting beyond its authority by considering granting charters to non-depositories. It claims to be harmed by the revenue it would lose from licensing non-depositories and that New York consumers will be harmed by banking products which aren’t subject to New York’s consumer protection laws, such as its cap on interest rates.

But in yesterday’s ruling the court held that in the absence of a charter actually being granted, New York could not demonstrate it had been harmed enough to give it access to the federal courts.

Enjoy your weekend, folks!

June 4, 2021 at 10:03 am

It’s a Scary Time for CUs, Cyber Attacks, and Insurance

Warren Zevon once called on his dad to bring him “lawyers, guns, and money.” Given the sharp increase in cyber-attacks, your average credit union CEO should be asking for lawyers, money, and better cyber insurance policies.

Recently, an article in The American Banker proclaimed that these are scary times for small banks and credit unions, some of which have recently been the target of ransomware attacks. Yours truly is highlighting this trend not simply because I want to scare you into action but because I believe that for many financial institutions the question is not if, but when you will find your credit union’s data being held by hackers who want money in return for allowing you to access your clients’ personally identifiable information.

One of the most basic steps you can take to help protect yourself against ransomware and data theft attacks is to buy insurance. This is an issue that yours truly is also becoming increasingly obsessed about because there is a lack of clear guidelines as to precisely what a policy provides your credit union and even if your regulators are going to penalize you for using insurance proceeds to recover from ransomware payments.

My paranoia has been fueled by this recent GAO report describing an insurance industry that is scrambling to adjust to the rapidly evolving and increasingly expensive niche of cyber-attacks. For your credit unions that means that it is absolutely crucial that you get competent counsel to provide new guidance as to what is and is not covered under your policy. It also means that you should not assume that general language in your existing policy already provides you insurance protection. There are more and more cases in which this precise issue is being litigated. For example, I recently came across this case, West Bend Mutual Insurance Company v. Krishna Schaumburg Tan, Inc., in which an insurance company tried to deny coverage to a business that was sued after providing biometric data of customers to third parties.

In the medium to long term these issues will resolve themselves. Courts will scrutinize and effectively standardize basic terms. The problem is that this is little comfort to those of you confronting these issues right now. Time to call the lawyers and bring the money.

May 26, 2021 at 9:16 am

Resisting The DarkSide

The successful DarkSide ransomware attack, in which hackers were able to disrupt a major pipeline providing gas to states throughout the East Coast, has once again brought the issue of cyber security to the forefront. Here are some of the lessons your credit union can learn from this event:

Don’t forget the basics. These are highly sophisticated attacks that start with very basic mistakes. On Wednesday, the FBI and CISA issued a joint memorandum. The first three steps it suggested companies take to mitigate the threat of ransomware are to require multi-factor authentication, enable strong spam filters, and implement a user training program and simulated attacks for spear phishing.

Expect insurance costs to spike. The attack comes as regulators and stakeholders debate the best way to deal with ransomware attacks and the role that insurance should play. This past fall, FinCEN issued guidance warning financial institutions and insurance companies that they might be violating federal law if they help a company facilitate a ransomware payment. In addition, New York State’s Department of Financial Services recently reached a multi-million dollar settlement with an insurance company for violating the state’s cyber security regulations. The settlement has gotten the attention of the legal community since it included a stipulation that insurance proceeds would not be used to pay the settlement.

The DarkSide may bring Congress to its senses. Call me a cock-eyed optimist, but if the ability of hackers to shut down a major energy pipeline affecting states throughout the country doesn’t jolt Congress into passing comprehensive cyber security regulations, then nothing will. This would seem like an issue that can overcome the great ideological divide, but only time will tell.

May 17, 2021 at 9:20 am

Fed Proposes giving merchants more choices when processing online payments

Good morning folks, last week the Federal Reserve Board proposed regulations that would interpret the Durbin amendment as mandating the type of technology your credit union uses to access debit card networks.

There are two basic types of technologies used to process debit card payments: Single-Message systems send a single message to facilitate a payment transaction, while a Dual-Message system uses, you guessed it, two messages. When the Durbin amendment was passed more than ten years ago, either of these approaches could easily accommodate in-store transactions, but SMS technology was not able to accommodate card-not-present transactions. Fast forward to the present day and, according to merchants, some of the largest issuers still don’t accommodate online transactions even though technology now makes it possible to do so. This distinction has grown in importance as online transactions have grown on average 17 percent a year, not including the dreaded 2020.

Not surprisingly, the merchants are complaining. They argue, and the Federal Reserve agrees, that since many issuers do not offer the use of SMS to process online transactions they often find themselves unable to choose a competing network. In response to these concerns, the Fed has proposed adding commentary to Regulation II specifying that card-not-present transactions are a specific type of transaction for which a merchant must have access to at least two unaffiliated networks.

After reading the preamble, I’m curious whether this will have any impact, particularly on smaller credit unions, or whether the Federal Reserve’s new mandate can be accomplished with the touch of a button. If it is the former, then get the word out to your association ASAP; if it is the latter, well, it was only a matter of time before regulators caught up to the huge shift towards online shopping.

May 10, 2021 at 9:08 am

Gov Approves HERO Act

Good morning folks, with a special shout out to those of you who work in the great state of New York.

The Governor has approved the HERO Act, legislation which mandates that all businesses in NYS implement policies addressing a wide range of issues related to airborne illnesses, such as COVID. For those of you with ten or more employees, you also must give your employees the option of creating committees to address workplace health-related issues on an ongoing basis.

The bill is phased in over a six-month period, with the first requirements taking effect in 30 days. Adopting an approach similar to what we saw when the state passed sexual harassment legislation, the state will be providing sample policies that your credit union can adopt.

One other piece of good news is a reminder that this law applies to both federal- and state-chartered credit unions.

Stay tuned, the Association will be hosting a webinar next Wednesday to take a first look at this important new mandate.

Remote Notarization Hearing Today

At 10 o’clock today, the Assembly will be holding a virtual hearing to analyze issues related to authorizing remote notarization on a permanent basis in New York. Remote notarization refers to the ability of a notary to verify the authenticity of a signature without the signer being physically present. Lisa Morris from Hudson Valley Credit Union will be testifying for the Association.

He’s Back!

The former Benign Dictator of Consumer Finance is back. Richard Cordray has been given a high-profile job at the U.S. Department of Education from which he will oversee issues related to the federal student loan program. Not coincidentally, his portfolio gives him a high-level platform to address one of the key issues the Biden administration is being pressured to address — whether to forgive or not to forgive all of those student loans — while not being so high as to require Senate confirmation.

California Chimes In

California joined Illinois’s financial regulator in prohibiting lending platform Chime from implying in its advertisements and websites that it was a bank as opposed to a lending platform that passes through loans. The state’s actions come as federal and state regulators continue to grapple with the issue of when FinTechs should be classified as banks, with the accompanying regulatory requirements that this classification would impose.

Earlier this week the Federal Reserve Board issued proposed guidance for the Federal Reserve Banks to consider when deciding whether or not FinTechs should be given access to the Federal Reserve System. Don’t underestimate this power: remember, it was a Federal Reserve Bank which blocked Colorado from starting a state-level bank to provide marijuana banking services.

Captain obvious here: this is an issue that Congress needs to address sooner rather than later.

On that note, enjoy your weekend. If all goes according to plan, yours truly will be gathering with a group of vaccinated middle-aged men to play his first round of in-person poker in more than a year.

May 7, 2021 at 9:35 am

How Much Legal Risk Does Accidentally Exposing Personal Information Put Your CU In?

The Court of Appeals for the Second Circuit, which has jurisdiction over credit unions in New York State, recently provided guidance to businesses that face potential data breaches, which of course is every credit union employing someone reading this blog. It also took the opportunity to explain how much legal risk the office Luddite (you know, the person who continually responds to emails instructing her to buy gift certificates with company money) is putting your credit union in.

As my hardcore faithful readers know, a key concept to understand in evaluating your credit union’s legal risk is standing. The very basic idea is that one of the things someone seeking to sue you in federal court has to show is that they have been injured enough to justify being compensated by a court for the harm allegedly caused by your actions. While this issue is easy enough to figure out in the case of a car accident or property damage, it is much more difficult to determine how much harm there has been in the context of data breaches.

In McMorris v. Carlos Lopez & Assocs., LLC, No. 19-4310 (2d Cir. 2021) the court heard an appeal from employees of a company who are part of a group of individuals whose personally identifiable information was exposed when a spreadsheet was sent to 65 fellow employees. They wanted to bring a class action lawsuit against their employer based on this negligent mishap. They couldn’t point to specific instances of the exposed information being misused, but they feared that it might be and wanted the company to pay for detection services.

The Second Circuit used these facts to address when potential future harm caused by a data breach triggers legal liability. It held that courts should consider the following factors in evaluating harm. Remember that these are the same factors your insurance company will be considering when pricing your data breach policies, and that you should be discussing them with your outside counsel the next time one of your employees mistakenly exposes personally identifiable information to third parties:

(1) whether the plaintiffs’ data has been exposed as the result of a targeted attempt to obtain that data; (2) whether any portion of the dataset has already been misused, even if the plaintiffs themselves have not yet experienced identity theft or fraud; and (3) whether the type of data that has been exposed is sensitive such that there is a high risk of identity theft or fraud.

In the context of this case the court determined that our would-be class action plaintiffs could not establish standing. The personally identifiable information was exposed because of a mistake as opposed to the intentional acts of a hacker; there was no evidence that the compromised data had been misused; and some, but not all, of the information was not particularly sensitive. It included, for example, phone numbers and dates of hire.

As for the fact that some of the victims felt the need to pay for services to monitor their accounts, the court held that self-inflicted harm cannot provide the basis for standing in federal courts.

On that note, grab another cup of coffee and continue going through your email secure in the knowledge that honest mistakes won’t necessarily result in a successful lawsuit against your credit union.

May 6, 2021 at 9:49 am

Governor Extends Vaccine Eligibility as CDC Extends Eviction Moratorium

In case you haven’t already heard, Governor Cuomo announced yesterday that starting today individuals 30 years and older can schedule vaccinations and individuals 16 years and older can start scheduling appointments on April 6th.

Is the CDC Guilty of Regulatory Overreach?

The Governor’s announcement came the same day that the Centers for Disease Control announced that it would be extending a moratorium on evictions. Aside from its practical significance, the CDC’s aggressive use of its regulatory authority may provide a vehicle for federal courts to further chip away at the judicial deference that has been afforded to agency determinations over the last 30 years. As readers of this blog know, as the most heavily regulated financial institutions in the country, credit unions have a keen interest in any litigation dealing with the extent to which agencies can regulate in the absence of explicit congressional authority.

If you’re wondering why the CDC has the authority to block evictions in the first place, you are not alone. Yesterday the United States Court of Appeals for the Sixth Circuit refused to issue a stay of a lower court ruling that held the CDC had exceeded its authority when it extended the eviction moratorium without Congressional authorization (Tiger Lily, LLC v United States Dept. of Hous. and Urban Dev., 21-5256, 2021 WL 1165170, at *3 [6th Cir Mar. 29, 2021]). The ruling sets the stage for further litigation which may impact the status of evictions nationwide and could produce important rulings on how much authority agencies have to interpret federal laws. Remember that, no matter what the court decides, states such as New York have the authority to issue eviction and foreclosure moratoriums and have done so.

For those of you scoring at home (that’s a baseball reference since opening day is just two days away), in March of 2020 the CARES Act imposed an eviction moratorium that expired on July 25, 2020. The CDC director extended this moratorium through December of last year. Congress extended the moratorium until January 31st and, when this authority expired, the CDC director extended the moratorium until March 31st and further extended it yesterday. In exercising this authority in the absence of congressional authorization, the director is relying on 42 USC § 264, which authorizes the CDC, acting through the Surgeon General, to make and enforce regulations that “in his judgement are necessary to prevent the introduction, transmission or spread of communicable diseases.” The logic of the CDC is that, in the absence of a nationwide eviction moratorium, an increase in homelessness and crowded living arrangements will contribute to the spread of the disease.

In refusing to uphold the CDC’s previous order, the Sixth Circuit explained that “…we cannot read the Public Health Service Act to grant the CDC the power to insert itself into the landlord-tenant relationship without some clear, unequivocal textual evidence of Congress’s intent to do so. Regulation of the landlord-tenant relationship is historically the province of the states.”

NACHA Releases List of Top ODFIs

Just in time for this morning’s blog, Nacha has issued this press release detailing the most active financial institutions when it comes to ACH transactions over the past year. This year’s statistics are more intriguing than usual because they provide a snapshot of how the pandemic has accelerated the trend towards electronic payment options. According to Nacha, the top 50 originating financial institutions processed more than $23B in payments last year, an 8.4% increase, and the top 50 receiving institutions witnessed an 11% increase. What I find intriguing about these numbers is how the ACH network continues to be dominated by a relative handful of financial institutions even as the Nacha network becomes more ubiquitous.

March 30, 2021 at 9:55 am

Are You In Compliance With The Durbin Amendment?

For an industry of debit card issuers the Durbin amendment is like a bad back; you can learn to live with it but there is always enough chronic pain to remind you that there is something a little off. So it is that once again the Amendment is back in the news and once again large debit card issuers and Visa are in the crosshairs of merchants and the Department of Justice: Here is why.

The Durbin amendment had two major components: first, it capped the interchange fees that financial institutions with $10B or more in assets could charge merchants; second, it required that all debit card issuers give merchants the ability to process payments through two unaffiliated networks (e.g. Visa and NYCE).

The problem is that the system was designed in the ancient times of a decade ago, when only futurists were talking about online shopping doing away with retail. PIN-based authentication to trigger point-of-sale transactions has long been an industry standard. However, PIN-based authorization is of course not an option for the wine-sipping, sweatpants-wearing consumer buying toiletries online on a Friday night. Networks such as NYCE can now process such transactions, but critics argue that large issuers and the Visa networks have been slow to turn on these updated systems. As explained in this blog, “…there is a fundamental issue with Bank Identification Number (BIN) enablement, preventing the growth of PINless. In a nutshell, many issuers are not switching on PINless functionality when they issue bank cards, which means merchants are unable to use it for a large proportion of transactions. In our experience, a merchant is unlikely to be able to use PINless more than 50% of the time.”

Not surprisingly, this complaint has gotten the attention of Senator Durbin and Congressman Welch, who wrote this letter to the Federal Reserve urging it to take a look at whether large issuers and Visa are violating Durbin.

Of course, the Durbin amendment is only relevant to the extent that a transaction involves a debit card. There are now FinTechs that specialize in scraping up a consumer’s financial information—with their permission—and allowing them to quickly provide this information to a wide range of businesses such as financial planners. One of the leading companies in this area is Plaid. Plaid has an ingenious business model in which it allows consumers to replace debit card transactions with ACH payments. It has a growing network of merchants who are willing to accept the occasional ACH transaction from individual consumers. Suffice it to say, ACH transactions are a lot cheaper for merchants than interchange fees. Visa decided it was worth buying Plaid for $5B. DOJ moved to block the deal and, with the case on the verge of going to trial last summer, Visa and Plaid decided it was best to leave each other at the altar.

The scrutiny is increasing. The WSJ was one of several papers reporting on Friday that Visa is being investigated over its debit card practices. With Senate Democrats in control of hearing agendas, brace yourself for another round of payment processing investigations as merchants once again claim to be victimized by the debit card processing system. Cue the violins.

March 22, 2021 at 10:00 am

When should you report a data breach?

That is the question I hope you all have policies and procedures to answer. A recent enforcement action by New York’s Department of Financial Services (DFS) underscores that the Department is deadly serious about ensuring that institutions subject to its licensing requirements comply with the State’s cutting-edge cyber security regulations. For those of you not subject to New York State’s dictates, keep in mind that New York State’s regulations are becoming a national model.

In the matter of Residential Mortgage Services, Inc., DFS announced a $1.5 million fine against a mortgage banker headquartered in Maine that was licensed to do mortgages in New York State. As part of a routine audit, the Department discovered that the mortgage banker had suffered a data breach it had not disclosed to the State. It also did not have adequate policies and procedures in place to do the type of periodic risk assessments that New York State requires under these regulations. The breach DFS was concerned about involved an employee who notified her IT team, but only after she had given a hacker posing as a vendor access to her email. The employee handled sensitive mortgage information.

Should the company have notified DFS? Under 23 NYCRR 500.17, covered entities are required to report cybersecurity events within 72 hours. A cybersecurity event means any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an Information System or information stored on such Information System. This settlement underscores that when in doubt you should report a breach. However, this is an incredibly broad definition, since any IT person will tell you that even the smallest of businesses is bombarded with attempted break-ins all the time. In the accompanying Q&A, DFS explains that “notice to the Department under 23 NYCRR Section 500.17(a)(2) would generally not be required if, consistent with its Risk Assessment, a Covered Entity makes a good faith judgment that the unsuccessful attack was of a routine nature.” This explanation of course gives you little discretion in the event that a data breach is successful.

March 8, 2021 at 9:44 am

Could Your Vendor Hold Your Data Hostage?

In states across the country, including New York, data protection is all the rage. If Governor Cuomo has his way, the Department of Financial Services will be establishing a bill of rights, which will include the right of consumers to exercise control over what personal information is collected, and the right to have this information “returned and destroyed.” But the emerging legal framework presupposes that your credit union knows where your information is located and has control over how it is used. Recent events have underscored that this assumption is far from accurate, and that existing contract language can only go so far to protect the interests of your credit union and its members.

First we have the high-profile example of Fiserv being unable to provide core services to credit unions in the Northeast because of a winter storm in Texas. A less well-known but equally important development is a recent legal action in which Caliber, a prominent national servicer of mortgage loans, went to federal court and alleged that the provider of its core technology, Sagent, responded to Caliber’s decision to migrate its services to a new core processor by threatening “to hold Caliber’s data hostage, causing massive and irreparable damage to Caliber’s business and relationships, as well as to hundreds of thousands of mortgage borrowers across the country.” Far from working in good faith to help Caliber migrate over to a new system, Sagent insisted that the company enter into a new contract with even more onerous terms than the previous agreement. The case has since been settled. What would your credit union be able to do in the same situation? Imagine how much more difficult your decision could be two years from now if this type of negotiation takes place as you’re trying to comply with new state data portability requirements.

I’ve talked to a couple of legal colleagues about lessons to be drawn from this case, and obviously it underscores the importance of the contract drafting process. Just as any good coach knows on the day they are hired that they will someday be fired, you should draft your major vendor agreements with an eye towards the day when you will want to migrate services to another company. As a result, it is crucial that the requirements governing a transition to a new vendor be made as specific as possible. Among the issues which should be addressed are the cost involved with a transition of services, a clear delineation of what information belongs to your credit union, and a stipulation that your information will be maintained according to commercially reasonable standards. The importance of this last requirement was underscored in the Caliber dispute: Sagent argued that it was not able to transfer information to the new vendor.

Caliber is a sophisticated company well aware of how to draft a good contract and still had trouble transitioning to a new vendor. Perhaps it is time for the credit union industry to reconsider its opposition to legislation allowing NCUA to have more oversight over CUSOs and other third-party vendors. My concern is that your average credit union simply does not have the negotiating leverage to insist on the baseline protections needed to ensure that it can have easy access to member data and enter into cost-effective agreements.

On that note, enjoy your weekend – see you all on Monday.

February 26, 2021 at 9:38 am



Authored By:

Henry Meier, Esq., Senior Vice President, General Counsel, New York Credit Union Association.

The views Henry expresses are Henry’s alone and do not necessarily reflect the views of the Association. In addition, although Henry strives to give his readers useful and accurate information on a broad range of subjects, many of which involve legal disputes, his views are not a substitute for legal advice from retained counsel.
