The American consumer is still cautious about taking on more debt, but the spending they are doing is making credit unions an even more attractive option.
On what am I basing this pronouncement? The New York Federal Reserve released its quarterly report on consumer spending on August 13th. It indicates that auto loan origination reached a ten-year high at $119 billion. America’s aggregate auto loan balance now stands at $1 trillion. Credit unions have seen a surge in auto loans over the last year and these statistics would seem to indicate that the surge is continuing.
Another bright spot for credit unions has to do with mortgage loan originations. According to a survey, credit unions share of mortgage originations increased from 7% to 11% comparing the first quarter of 2013 with that of 2015. What interests me about this statistic is that the surge in credit union home lending is occurring even as banks continue to impose tougher lending standards on home loan applicants.
According to the consumer report, less than 8% of new mortgage originations were given to borrowers with credit scores below 660. The TransUnion survey speculates that credit unions, having lent more prudently during the recession, are now better positioned than their banking counterparts to make mortgage loans.
Are EMV Cards Being Skimmed
Krebs on Security is reporting that hackers have come up with a creative way of skimming information from EMV Chip cards. The ever reliable Krebs reports that Mexican authorities have discovered an ATM skimming device that is inserted into an ATM and is capable of recording the data that is transmitted between an EMV chip and the ATM. This is further evidence that anyone who thinks of chip-based technology as a silver bullet to prevent card fraud is sadly mistaken.
That is the question that a tool released by the FFIEC, an organization of federal bank regulators including the NCUA, released late in June. It is currently available on NCUA’s website. I would strongly suggest your credit union go through the process for assessing its credit risk outlined by the FFIEC. When it comes to protecting against hackers, the areas the regulators want examined are areas you either have already examined or better start examining.
The FFIEC defines Cybersecurity as the process of protecting consumer and bank information by preventing, detecting, and responding to attacks. What the FFIEC is attempting to do with this assessment tool is prod institutions of all sizes into adopting a standardized approach to periodically reviewing the likelihood that they will be attacked and consider whether they have the appropriate level of resources to deter and defend against such an attack. It’s similar to what credit unions are already expected to do as part of assessing their BSA risks and the Red Flags of Identity Theft, only this assessment is intended to zero in specifically on Cybersecurity. The key is not only doing the assessment but making sure it is periodically reviewed. After all, cyber threats evolve almost as quickly as Donald Trump can find a new group of people to insult and your credit union is dealing with more and more technology.
How do you ascertain your credit union’s Inherent Risk Profile? By reviewing and ranking your credit union’s technologies and connection types (e.g. the number of Internet Service providers and third party connections); delivery channels (e.g. do you provide person to person transfers or do all cash transactions have to be facilitated by a teller?); its mobile and online products and services; organizational characteristics (e.g. how many direct employees and third party providers can access your IT system); and its external threats (e.g. the number of attempted and successful cyber-attacks). You then give each one of these categories a risk level ranging from lowest to highest risk faced by your credit union.
Once you create the risk profile, you assess your credit union’s “maturity” or sophistication in five areas of Cybersecurity. These areas are 1) Cyber Risk Management and Oversight; 2) Threat Intelligence and Collaboration; 3) Cybersecurity Controls; 4) External Dependency Management; and 5) Domain Cyber and Incident Management and Resilience.
According to the FFIEC, it is not concerned with an overall aggregate score. What it wants financial institutions to do is assess whether they are properly aligning their resources. For example, a credit union that is large enough to house its own technology doesn’t need as sophisticated a system for overseeing its “external dependency management” as does a credit union that outsources all its technology. In contrast, a credit union that oversees its own hardware needs a dedicated staff of IT professionals.
If you think your credit union is too small to worry about conducting this assessment, you are out of luck. The tool is intended for use by both big and small credit unions, a point underscored by NCUA’s Office of Small Credit Unions when it hosted a webinar on the basics of Cybersecurity that provided a preview of the tool and how credit unions could use it to strengthen their Cybersecurity.
Using this tool makes sense. An online survey conducted by NCUA as part of the Cybersecurity webinar revealed that only 52% of the participating credit unions had a cyber-security policy. It’s time to put one in place and this assessment can help. If your credit union already has a Cybersecurity protocol than answering the questions being posed by the regulators should not be that difficult.
One of the first arguments the banks regurgitate in opposition to municipal deposit legislation is that tax dollars shouldn’t go to institutions that don’t pay taxes. First, we all know that credit unions do pay taxes; but, more importantly for this post, banks have never quite explained why their for-profit tax status automatically makes them better protectors of the public Fisc than credit unions.
That question is worth asking the Legislature next year in light of the New York Bankers Association successful efforts to keep New York City from scrutinizing the community investment performance of banks holding the City’s deposits. On Monday, a federal court ruled that a NYC ordinance mandating that banks holding or wishing to hold municipal deposits be subject to a local review of their investment activities was preempted by federal law and could not be enforced. (The New York Bankers Association, Inc., v. The City of New York, 15 Civ. 4001).
The Responsible Banking Act had its roots in the worst days of the Great Recession. NYC council members grew frustrated by the juxtaposition of mounting foreclosures and shoddy banking practices even as billions of dollars of public money was being deposited into banks for safe keeping. The bill established an advisory board that would report on how well banks were doing meeting financial benchmarks. The report would be used in evaluating institutions wishing to hold municipal deposits from the City.
To be fair, the information the advisory board was seeking was much more extensive than what needed to be supplied under the Community Reinvestment Act. For example, the banks were to be evaluated on how they addressed serious material and health and safety deficiencies in the maintenance and condition of their foreclosed property; developed and offered financial services needed by low and moderate income individuals throughout the city, and how much funding they provided for affordable housing.
Mayor Bloomberg hated the bill so much that he vetoed it and refused to appoint members to the advisory board after his veto was overridden. When Mayor DeBlasio was elected, he embraced the idea and the advisory board came to life. It was time to call in the lawyers.
In arguing against the legislation, the Bankers Association argued that both Federal and State law preempted the ordinance. They pointed out that the Community Reinvestment Act was intended to establish the framework for nationally chartered banks to be assessed for their community works. On the state level the Banking Law gave the Department of Financial Services broad powers of regulation to control and police the banking institutions under their supervision.
In response, the City argued that it was not regulating bank activity; but simply carrying out a proprietary function. It should be able to establish its own standards for deciding who gets the city’s money the same way it gets to decide what companies are awarded city contracts. It also argued that the activities undertaken by the Advisory Board were “purely informational.” Its findings were not binding on anybody deciding where the money should be placed.
Southern District Judge Katherine Polk Failla ruled in favor of every major issue raised in opposition to the bill concluding that “the RBA’s very structure secures compliance through public shaming of banks and/or threatening to withdraw deposits from banks that do not provide information to the CIAB. The Court sees no reason why regulation through coercive power, rather than by explicit demand or stricture, should be immune from preemption scrutiny.”
While the lawsuit may have solved the immediate legal problem facing banks it doesn’t change the fact that banks didn’t do enough in return for their public bailout. Nor does it change the fact that there are local leaders who feel that banks still don’t do enough for the communities in which they operate. Giving localities the ability to work with credit unions. which by their very structure invest in the communities in which they operate, would be a perfectly legal way of ending the banker monopoly and perhaps make these banks more responsive to local concerns.
Epilogue A Failure To communicate?
NCUA officials have fallen into the habit lately of making bold statements one day that have to be clarified the next. First, we had Chairman Matz’s clarification of her Congressional testimony that credit union CEOs aren’t representing their members when they advocate for budget hearings. Yesterday NCUA felt the need to clarify to the CU Times its position on how much information the public is entitled to about the Overhead Transfer Rate methodology following the release of a letter from its General Counsel to NASCUS on that very subject(See yesterday’s blog). I think it’s fair to say that NCUA is suffering from some communication problems.
The article quotes Board renegade Mark McWatters, who is emerging as a much needed voice of reason, as saying that “The agency will make the final determination as to the calculation of the OTR and I see no harm in subjecting the agency’s OTR methodology to public comment as a proposed rule under the APA,” Here is a link
NCUA’s obstinate and myopic refusal to submit its budget to a formal and open public process took another bizarre turn yesterday. To put it nicely, the agency is demonstrating everything that can go wrong when an independent agency has too little oversight.
The ostensible issue is about the Overhead Transfer Rate. The real issue is fast becoming how much power an independent agency has to spend other people’s money without oversight.
The OTR represents money that the NCUA takes from the NCUA Share Insurance Fund to cover “Insurance Related Expenses.” According to the National Association of State Credit Union Supervisors the OTR increased 40.1% from $67.0 million in 2013 to $93.9 million for 2015. NASCUS argues that “By shifting a portion of FCUs’ share of NCUA expenses to the NCUSIF, the OTR reduces out-of-pocket expenses incurred by FCUs. The resulting reduction in FCU Operating Fees provides a singular advantage to FCUs and adversely affects the competitive position of FISCUs relative to FCUs.”
A similar debate happens in New York State every year with industry stakeholders grousing that fees ostensibly paid to fund oversight of specific industries are swept for unrelated purposes. In New York State – no paragon of transparency – you can look up the budget numbers and get a pretty good idea of how much is being swiped for other expenses. But NCUA is an independent agency with no formal budget process. What’s more, NCUA has guarded the precise methodology it uses to calculate the OTR with the gusto of a retired CIA director tasked with guarding Coke’s secret formula, or, for those of you who admit to watching Sponge Bob with your kids, the formula for making Krusty Krab burgers.
NASCUS grew so frustrated with NCUA’s obstinacy that it retained a Washington law firm to analyze the issue. The resulting opinion letter opined that the adoption of the OTR formula is a regulation that can only be promulgated by the NCUA following a Notice and Comment period.
NCUA’s General Counsel Michael McKenna responded in a July 30th letter by noting that NCUA already does put a lot of information about the OTR on its website and that NCUA’s lawyers believe that the OTR is not subject to notice and comment requirements. Fair enough: reasonable people can differ.
But the letter goes off the rails with gusto: he explains that “courts, not public forums are best suited to resolve such complex legal issues.” What? This is a lot like saying the law is too important to leave to juries. Is NCUA really saying that the OTR is too complicated for the public to understand?
He also explains that forcing NCUA to divulge its advice about the applicability of the APA to the OTR formula would require NCUA to divulge the work product of its attorneys and ultimately chill its ability to receive candid analysis. I’m not unsympathetic to this argument in theory but it rings hollow considering that the NCUA and other banking regulators refuse to extend attorney work product exemptions to the institutions they oversee. Wouldn’t credit unions benefit from unfettered legal advice to the same extent as NCUA? Furthermore, legal discussions surrounding the OTR may be privileged but the actual formula and the rational for how it is constructed and implemented certainly isn’t. Why else do regulations have preambles?
Bottom line: NCUA is doing a great job of making a mole hill into a mountain. In her testimony before Congress the Chairman was dismissive of Congressional calls for greater budget transparency and questioned the motives of anyone who would dare request greater openness. With this letter to an organization of fellow regulators NCUA is doubling down: arguing that federal law shields it from explaining to the public how it allocates the money it receives from credit unions and that technical issues are best not discussed publicly. If its interpretation of the law is correct then its time for the law to change.
The agency is coming across as politically tone-deaf and hopelessly arrogant.
Here are some links so you can decide for yourself if you think I am exaggerating or if NCUA has to calm down.
The Bureau That Never Sleeps unveiled the latest fruits of its messianic zeal to make the world a more consumer friendly place on Wednesday by releasing the results of a pilot study it performed to analyze the impact that greater use of electronics could have on the mortgage closing process. For those of you considering expanding the use of technology in closings the report is an informative case study that will help your credit union integrate technology into your closing processes. It’s a good piece of work and very much worth a read. For those of you looking for the Holy Grail of consumer awareness, more research has to be done before you convince me and other skeptics that digitization equals a substantially more informed consumer.
The CFPB prides itself on being a data driven organization. It has been intrigued with the potential consumer benefits that could come with electronic closings virtually since its inception and it wanted to analyze the impact that technology could have on consumer empowerment and understanding of the closing process as well as how it make closings more efficient. It recruited seven financial institutions with varying degrees of sophistication to integrate technology into their closing processes. Interviews were conducted with participating consumers.
Here are my takeaways:
Its overarching finding was that borrowers who participated in e-closings reported a greater sense of empowerment and knowledge about their closings than did consumers who went through traditional paper closings. Interestingly perception didn’t match up that squarely with reality. The findings also suggest that many consumers participating in e-closings think they are much more informed than they actually are.
A great point in the report is that expanded use of technology isn’t an all or nothing proposition. You can decide what parts of the process will remain computer free and what parts could be improved by going paperless. For example, you may not be comfortable with digital notarization but that doesn’t mean you can’t push for the more frequent use of email to send out closing documents.
it’s possible that more efficient e-closings may generate savings. Closings went quicker when borrowers got their closing papers days before closings via email and were provided with links to CFPB background information. Consumers identified errors before closings and understood what they were doing. This finding makes it even less likely that the Bureau will come to its senses and further modify its mandate for final disclosures to be received three business days before CONSUMMATION.
Finally, one of the greatest obstacles to technology is unease on the part of compliance people that the law actually does authorize electronic notaries and mortgage documents. This is one area where the legislature has apparently moved faster than business. I think I will do a future blog about electronic signatures.
I can hardly wait….
Here is a link.
I can’t resist a quick note about the first primetime Republican debate last night. After all, its one of the reasons today’s blog is so late. I watched it and went to bed too late since I had to vent First I’m pretty sure there are more people wanting to get the Republican presidential nomination than I have friends. Oh well.
Second , Donald Trump is performing an invaluable service to the American public by proving that you can be really rich, Really crude and really dumb.
Third there was also precious little talk about economic policy-I only heard one mention of Dodd-Frank reform, As amusing as Donald Trump is, at some point his poll numbers will drop as people get serious about picking the person for the most important job in the world. The presidency is going to be won by the person who best identifies with the economic anxiety being experienced by Americans across almost all of the socioeconomic spectrum and offers a coherent plan to get things back on track. The serious candidates all missed an opportunity to make their pitch last night but the ones who came closest to the mark were Ohio Governor John Kasich and Florida Senator Marco Rubio.
In her recent appearance before Congress, Chairman Matz was asked which regulations she gets the most complaints about from credit unions. Her answer was the Bank Secrecy Act.
I think there are two reasons for this. First, most people have better things to do with their time than memorize the regulatory alphabet. So when they are asked by a regulator what regulations most harm their credit union, the one everyone seems to remember is the BSA acronym. A second, more substantial reason, is that smaller credit unions don’t see the value in imposing the same regulatory framework on their smaller operations as are imposed on the largest banks and credit unions.
The second point has a certain facial appeal, but the reality is that technology has blurred the line between big and small financial institutions. When it comes to BSA, there really are no small credit unions. Those of you who think I am overstating the case should pay attention to a case brought by the U.S. Attorney for the Southern District of New York. It demonstrates why small financial institutions are becoming increasingly attractive and vulnerable targets to tech savvy criminals seeking a place to hide their criminal activity. Plus, it actually reads like a pretty good movie script.
In 2013, bank accounts were opened in the name of the Collectables Club. It claimed to be a members-only association of collectable and trading enthusiasts dedicated to discussing collectible items such as cars, coins and stamps. A small fee was charged to everyone who wanted to join. In fact, the Collectables Club was a front for an illegal Bitcoin exchange called Coin.Mix, which facilitated the exchange of money for Bitcoins. This was illegal both because it was operating as an unlicensed Bitcoin exchange and because its operators knew that the exchange was being used to launder criminal proceeds. For example, one customer who wanted to transfer $100,000 into the account was told to stop the transfer and instead wire most of the money to an account in Bulgaria. An email quoted by the complaint explained that “we hope you understand the concerns. If the US wasn’t so damned screwed up about this stuff, we wouldn’t have to deal with this.”
Remember that the Bitcoin is particularly attractive to criminals because it is almost impossible to trace. Electronic “coins” are transferred computer to computer over the Internet. According to the complaint, thousands of incoming deposits in varying amounts used these accounts to make payments in Bitcoins.
Business was apparently going well. In late 2014, the creators of the illegal exchange took control of a 107 member credit union in New Jersey with no full time employees in order to process ACH transactions. The complaint’s not clear as to how this control was achieved, but the Bitcoin operators took control of the board. When the NCUA learned that this low-income credit union was suddenly engaged in a high volume of ACH processing, specifically $30 million in transfers a month, it became suspicious and stopped the credit union from continuing to offer these services. It also required the credit union to remove the new board members.
A couple of quick points. Press reports have highlighted the fact that the exchange controlled a credit union. The facts, however, demonstrate that the criminals were able to utilize both a traditional bank account and a credit union to facilitate its illegal activity. Secondly, the system worked. NCUA recognized the red flags and took actions to shut down the operation. Thirdly, some credit unions have turned to money service businesses as an attractive source of income. When they do so, they must understand that they take on heightened due diligence responsibilities. When one credit union is used for money laundering, the reputation of the entire industry can suffer. Finally, there is no such thing as a small credit union when it comes to money laundering. It is now easier for criminals to plug into the financial system using a credit union in New Jersey or a bank account in Florida as it is to open a bank account in mid-town Manhattan.