When it comes to Patent Litigation, Winter is Here

In the Game of Thrones, White Walkers periodically return to the Realm, threatening civilization as we know it. For the last eight years, a Long Summer has kept patent trolls, the White Walkers of the financial sector, at bay. This peaceful period officially came to an end this month, and we here in King’s Landing have been none the wiser.

So what am I talking about? Let’s say a bank or a credit union contracts with a vendor to provide a cutting-edge technological service. After the program has been up and running for a couple of years, it receives a politely worded letter informing it that its service violates a patent. But today is your lucky day – you can continue to provide this service as long as you pay a licensing fee.

Without getting too much into the weeds, a Covered Business Method Patent Review was a transitional procedure put in place by Congress in Section 18 of the America Invents Act. The procedure created a fast-track method for parties being sued by patent trolls on questionable grounds. Here’s why this is important to credit unions. To be potentially eligible for this procedure, the alleged patent infringement must involve at least one claim directed to a method for performing data processing or other operations “used in the practice, administration or management of a financial product or service.” 

The bad news is that the program authorizing this review process expired on September 16th, although proceedings brought under the now-expired law prior to that date will still be considered. Credit unions need this law extended. COVID-19 (damn, I thought I was going to get through a blog without mentioning it) has accelerated the use of technology. This is no time to begin making it easier for patent trolls to bring questionable claims demanding the use of time and resources. 

According to this recent column in Law360 (subscription required), the CBM resulted in 4,093 patent claims being cancelled or found unpatentable. These claims touch on issues ranging from shopper discount cards to adjustable car insurance rates. 

So what can you do to protect yourself, assuming dragonglass is not effective? First, remember to always make sure your vendor contract includes rock-solid indemnification language. Another thing you can do is remind your local representative that Section 18 helps your credit union and should be renewed. Incidentally, this is one issue that the banks agree with us on, in much the same way that the Realm ultimately united against the White Walkers. 

September 25, 2020 at 9:30 am

NCUA is doing the right thing when it comes to assessments

As blog followers know, there are occasions when I like to remind everyone that the opinions I express are mine and mine alone. This is one of those times.

The NCUA Board has created a low-level stir within the industry by suggesting at its meeting last week that it may have to seek an assessment from credit unions to make up for shortfalls in the share insurance fund caused by the sudden infusion of deposits triggered by the pandemic. NAFCU even wrote this letter to the Board urging it to hold off on any assessments and instead consider increasing the range of investments that credit unions are allowed to make. 

In fact, the Board did exactly the right thing by publicly discussing the share insurance fund. Credit unions should hope for the best but prepare for the worst, and begin preparing now for an assessment in the coming months. 

First let’s make sure we’re all on the same page. As a matter of federal law, NCUA must impose a restoration plan if the equity ratio falls below 1.20%. Federal law also permits NCUA to establish a Normal Operating Level of between 1.20 and 1.50. 

The facts don’t lie. According to the NCUA, the Share Insurance Fund equity ratio has dropped to 1.22% as of June 2020. The primary reason for this sharp decrease has of course been an almost 13% growth in insured shares. The current ratio is well below the NCUA’s Normal Operating Level of 1.38%. But the numbers aren’t as bleak as they first appear. In October, the fund will receive an infusion of $1.5 billion from insured credit unions as part of their annual contributions. 

Strip away the numbers and what you have is yet another debate over just how long lasting the economic downturn is going to be. If you believe that the indestructible mortgage industry is going to continue to rumble along, that the unemployment numbers will continue to defy conventional wisdom and continue to decrease, and that members will be well positioned to pay back forbearances as a vaccine replaces the new normal with a real normal, then it makes sense for NCUA not to prematurely impose additional assessments. 

In contrast, if you are inclined to believe, as many officials at the Federal Reserve are, that the economy will peter out without further congressional stimulus, that a sizable number of forbearances will never be repaid, and that we may very well see a second wave of COVID economic lockdowns in the coming months, then NCUA would be derelict in its duty not to protect the share insurance fund. Incidentally, the FDIC has already had to impose a restoration plan on banks.

September 24, 2020 at 9:36 am

Don’t Overlook Your Overdraft Practices

As many credit unions across the country are painfully aware, class action lawsuits alleging improper disclosures of overdraft opt-in programs are all the rage. A 50-page consent order the CFPB entered into with TD Bank provides yet another example of how financial institutions can run afoul of this seemingly straightforward regulatory requirement. When it comes to enticing members to opt in to ATM protection programs, it’s not just what you disclose, but when you disclose it that matters. 

Under 1005.17 (b), a financial institution cannot charge a fee for paying an ATM or one-time debit transaction pursuant to an overdraft service unless it first provides the consumer with a written notice of the option (which can be provided electronically to consumers that consent to being notified this way) and it gives the consumer a reasonable opportunity to consent or opt-in to the service. 

TD Bank had a fairly typical overdraft program. When new members applied to open accounts, they would be given three overdraft options for their checking accounts. One, a standard overdraft option which covered transactions not protected under 12 CFR 1005.17 (b), such as checks, ACH transactions and recurring debit card transactions; two, the option to cover ATM transactions covered by regulations; and a third option – to decline all overdraft protections. 

To me, the most intriguing defect cited by the CFPB is the fact that consumers would be asked about the program they wanted to utilize without first being given a written notice of the opt-in option. Instead, the employee opening the account would print out a form reflecting the member’s choice, along with the written opt-in notice. The CFPB concluded that this did not constitute compliance with the requirements, under which members must be provided the notice prior to being asked whether or not they wanted to opt-in to overdraft protections. 

This is the kind of nuanced distinction which can easily be overlooked. Now that the CFPB has provided a road map for regulators and litigators alike, I think it is worth your time to double check your credit union’s practices against this order. Remember, the CFPB considers regulatory actions as binding precedents when it comes to the interpretation of the regulations it oversees.

September 23, 2020 at 9:23 am

How secure are your home offices?

As the person ultimately responsible for mitigating both legal and compliance risks to your credit union, you don’t need to know all the answers, but you need to know what questions to ask. One of the questions you should be asking your IT team about is how safe your virtual private network (VPN) is. 

Recently, the FBI and CISA issued joint guidance warning companies in high-profile industries, including the financial sector, that they are being targeted by increasingly sophisticated attempts to gain access to virtual private networks. Think about it – a little more than six months ago, we were all concerned about personally identifiable information being sold on the dark web. According to these reports, there is a growing market for VPN identification. Given the sudden movement towards remote work, this trend was inevitable, but the more remote work becomes the norm rather than the exception, the more examiners will be expecting to see what steps your credit union is taking to prepare.

As explained in this joint examiner guidance released in June, “examiners will review the steps management has taken to assess and implement effective controls for new and modified operational processes. Examiners will assess actions management has taken to adapt fraud and cybersecurity controls to manage heightened risks related to the adjusted operating environment. Examiners will also review how management has assessed institutions’ third parties’ controls and service delivery.” In addition, NCUA has emphasized that information technology remains a top priority during the pandemic. 

Some of the techniques being used can be guarded against regardless of the size and sophistication of your institution. For example, the highly influential KrebsOnSecurity posted a blog in August describing increasingly brazen vishing attacks in which hackers contact employees pretending to be from the company’s IT department, requesting login information to access the employee’s account. According to Krebs, this technique is particularly effective against newer employees, who are interacting with their IT department for the first time.

Finally, some of the classics are also being used. Good old fashioned emails requesting login information are still being responded to, reminding us yet again that our computer systems are only as safe as our most technologically inept employees allow them to be. Full disclosure – there are weeks when I talk to the IT department more than I talk to my own kids. 

What this means for your day-to-day is that you may want to remind employees to be wary not only of suspicious emails, but also of who they are talking to, particularly if they receive a proactive phone call. In addition, this is yet another example of why one of the trickiest parts of remote working is going to be onboarding new employees. My personal suggestion is that even if an employee is going to work remotely, a lot of the orientation process should still be done live and in-person.

September 22, 2020 at 9:51 am

To Pay or Afterpay, That is the Question

When it comes to financial innovation, the land down under is the equivalent of a financial services petri dish, especially when it comes to consumer credit. So humor me this morning as I delve into one of the hottest financial services stocks, Afterpay. 

The company started in 2017, and it is now beginning to get a foothold in the American market, with potential competitors, including Visa, soon to follow suit. What intrigues me so much is that Afterpay has brought fintech to a buy-now, pay-later consumer product that avoids the grasp of the Truth in Lending Act (TILA). I’m curious how much longer it will be able to pull off this feat.

This is the basic idea of how Afterpay works. On the retail side, it enters into agreements whereby it pays the full amount due, while the consumer commits to make payments in no more than four installments. The retailers pay a fee to Afterpay in return for the knowledge that the transaction is complete. Eligible consumers agree to repay Afterpay in increments. Not all consumers are eligible to enter into these agreements, and Afterpay has the right to deny the purchase request. 

The catch from a regulatory standpoint is that this is not considered credit under TILA because repayments must be made in four or fewer installments. TILA only kicks in on the fifth installment. Isn’t that clever?

According to the Financial Times, the stock is taking off. Analysts have predicted that the model wouldn’t survive the severe downturn in retail shopping caused by COVID. What they didn’t foresee was that the system works just as well, if not better, for online shopping. It appeals to millennials who want to avoid taking out credit cards, but could use short-term credit options. 

But one business’s financial innovation is another regulator’s gaping loophole. This article in Law360 (subscription required) highlights regulatory action which California is already seeking to take against Afterpay, alleging that it has to be properly licensed as a lender as a matter of state law. Pure speculation on my part, but you can probably bet New York State is looking into doing a similar analysis. 

Besides, the company can only grow as big as the number of retailers willing to participate. Time will tell how many of them decide it is in their financial interest to partner with Afterpay.

September 21, 2020 at 9:18 am

Are We Getting Enough Bang for our Cybersecurity Buck?

Good morning, folks. Sorry for the late start, but the Islanders went to overtime last night. 

According to the GAO, the Treasury is doing an inadequate job of monitoring how successfully the financial services sector has handled protecting the cybersecurity infrastructure. What’s more, the Treasury agrees, but argues that it lacks the authority to appropriately monitor the efforts made by financial institutions, including credit unions, in protecting the country against cybersecurity threats. 

Since 9/11, the government has emphasized the need for industry wide coordination to protect vital infrastructure. This effort picked up steam in 2013 when the White House issued Critical Infrastructure and Resilience Policy Directive 21. The overarching goal of this new directive was to strengthen functional relationships across the federal government to enable better communication about cybersecurity threats, and to coordinate better planning between industries. As part of this directive, the Treasury was given responsibility for coordinating the financial industry structure. 

As credit unions are well aware, there has been no shortage of regulations on the federal and even state level to protect against cyber threats. But, according to the GAO, the Treasury does not have the structure in place to adequately assess how successful these regulations have been. The Treasury says that it simply does not have the authority to get the information it needs.

This might seem like an awfully arcane piece of bureaucratic minutiae to write about on a Friday, but yours truly is just a little concerned that these findings will result in yet more regulations that will impact your everyday operations. In addition, given the amount of time, money and resources credit unions and other financial institutions must now commit to cybersecurity, I’m more than a little bit surprised that the Treasury is so willing to admit that a lack of coordination is diluting the effectiveness of these efforts.

NCUA Holds Monthly Meeting

Yesterday, the NCUA held its monthly board meeting. I will follow up once I have the chance to take a closer look at what was agreed to.

September 18, 2020 at 10:18 am

Don’t Forget About LIBOR  

Now that the compliance induced frenzy triggered by the pandemic has stabilized (knock on wood), I wanted to remind you of one of those meddlesome compliance changes that seemed so far away when it was first announced in early 2017, but is fast approaching.

I am talking about the end of the London Interbank Offered Rate (LIBOR), which is the index that many financial institutions and credit unions use to set interest rates for their adjustable rate mortgages and credit cards.  If you start working now, you still have enough time to easily make the necessary adjustments.  If you wait any longer, a simple problem will become increasingly troublesome, just like those college papers that some people—of course not readers of this blog—put off until the day before they were due.  Some of you actually got an adrenaline rush from doing this.  But to this day, yours truly is a morning person.

First, although a drop dead date for LIBOR’s demise has not been announced, the keepers of the index are still committed to stop publishing some time in 2021.  There are important compliance considerations tied to the drop dead date.  Most importantly, adjustable rate mortgage indexes can be switched without notice provided that the replacement index is substantially similar to the old one.  The CFPB has proposed regulations and guidance which would make this transition straightforward by providing examples of comparable indexes and providing specific dates when the transition can take place irrespective of what the actual drop dead date ends up being.

If you provide adjustable rate mortgages for sale for the secondary market, then your compliance deadline is fast approaching.  Fannie Mae will no longer be offering LIBOR based products effective September 30, 2020.  Freddie Mac will no longer be offering LIBOR based floating rate products after this year.  These deadlines do not impact your ability to continue to service existing loans using LIBOR.

Then there are those pesky adjustable rate credit cards.  The CFPB proposes to permit creditors for home equity lines of credit (HELOCs) and credit card issuers to replace a LIBOR index with a replacement index on or after March 15, 2021, if certain conditions are met.

While a specific new index is not being required, unless you have a baseline level of sophistication which allows you to compare competing indexes, regulators are implicitly encouraging you to replace the LIBOR with the Secured Overnight Financing Rate (SOFR) which is the new index of choice for the GSEs.

On the bright side, it is quite possible that your credit union has no LIBOR based products.  I would still document that your credit union took the time to confirm that LIBOR has no impact on your compliance framework.

Peace out!

September 17, 2020 at 9:26 am

Four Things To Know On A Beautiful Tuesday Morning  

You can tell that the COVID summer of 2020 has come to an unofficial end.  This morning is the first one in a while in which I want to highlight several recent developments, any one of which is worthy of a blog in the future.

DOL Releases New Regs on Emergency Leave Authorization

The US Department of Labor on Friday issued updated regulations which, among other things, are intended to clarify when an employee can take intermittent paid family leave and when an employee is eligible for leave even when there is no work available for the employee to perform.  These updated regulations are in response to an August 3rd ruling by a New York Federal judge that the Department of Labor exceeded its authority when it promulgated the initial regulations which implemented key provisions of the Families First Coronavirus Response Act.  I will have more about this by the end of the week.

Realtor Practices Under The Microscope

The State Senate announced that it would be holding a second joint hearing on Thursday investigating allegations that realtors on Long Island discriminate against minority homebuyers by steering them to houses in minority communities.  The hearing will be the second to examine the issue, which was the subject of an expose by Long Island Newsday last year.  This hearing is unusual in that some witnesses had to be subpoenaed in order to testify.

One Heck Of A Loophole

In the “Better Late Than Never” category, FinCEN has proposed regulations mandating that banks, credit unions and trust companies which currently fall outside the jurisdiction of federal regulators, must now comply with Bank Secrecy Act (BSA) requirements, including implementing appropriate Customer Identification Procedures.  I was more than a little surprised after reading this regulation that entities, including credit unions which use private share insurance instead of participating in the National Credit Union Share Insurance Fund (NCUSIF), have not been subject to the BSA framework even though it has been the top priority of regulators since the 9/11 attacks.

The Big Question

The last six months have changed almost everything, so why do my New York football Giants look like the same lousy football team which has amassed the fewest victories in the NFL over the last three years?

September 15, 2020 at 9:29 am

Is Your Credit Union Afraid To Call Its Members?

This may seem like a ridiculous question but the ridiculous part is that existing federal law has been so mangled beyond recognition that it is a question that any credit union concerned about complying with the Telephone Consumer Protection Act (TCPA) should be asking itself.

The need to clarify the reach and scope of this statute is underscored in a brief submitted by CUNA on Friday in a case pending before the Supreme Court.  The case, Facebook, Inc. v. Duguid, Noah, involves an appeal by Facebook challenging the scope of the TCPA, an issue which has split courts around the country.  CUNA was one of several prominent organizations which filed briefs to the court explaining how an expansive interpretation of the TCPA does more harm than good to consumers.

As readers of this blog know, the TCPA was well intended legislation passed by Congress in the early 90s to cut down on those obnoxious dinner time conversations you get from telemarketers and those disconcerting pre-recorded pitches that are left on your cell phone in the middle of the most important meeting of your day.  The basic idea is that consumers should not be subject to a deluge of automated marketing pitches without first giving their consent.

Unfortunately, as readers of this blog also know, this well intended concept has transformed into a tripwire of litigation with boundaries that are so unclear that many credit unions simply avoid using any technology which could potentially trigger TCPA compliance concerns.  According to CUNA’s Supreme Court amicus, 76% of credit unions responding to a 2017 survey reported that it is very difficult or somewhat difficult to determine whether or not their communications are TCPA compliant.  The result, according to the survey, is that 75% of responding credit unions have curtailed the use of more efficient technology simply to avoid running afoul of the TCPA and its strict liability for penalties of $500 per violation.  In fact, American Airlines Federal Credit Union has abandoned the use of automatic technology altogether.  This is a remarkable concession from a $5.6 billion credit union with 235,000 members.

The core of the confusion comes down to the answer to that classic School House Rock ditty “Conjunction Junction, what’s your function?”  Under §227(a), an “automatic telephone dialing system” means equipment which has the capacity (A) to store or produce telephone numbers to be called, using a random or sequential number generator; and (B) to dial such numbers.

As succinctly explained in CUNA’s brief, the court is being asked to decide whether the TCPA encompasses any device that can store and automatically dial telephone numbers, even if it does not use a random or sequential number generator.  If the answer is yes, then virtually any communications device this side of the iPhone triggers TCPA compliance.

September 14, 2020 at 9:32 am

New York and OCC Battle Over What Is A Bank

When is a bank a bank?  The answer to this question is not simply of interest to your faithful blogger.  It has real important practical consequences for your credit union and the competition it will be facing in the coming years.  Simply put, at what point do the Apples of the world become so intertwined with traditional banking activity that they should be subject to at least some of the same safety and soundness constraints as banks and credit unions?

Some of these questions will begin to be answered sooner than you might think, and New York’s Department of Financial Services is playing a leading role in the debate.  Politico has reported that Acting Comptroller of the Currency Brian Brooks plans on shortly allowing payment processors to apply for federal charters with the OCC.  It is not entirely clear from the article, but the OCC is either prepared to argue that payment processors can be licensed under its proposed FinTech charter or can be granted a separate charter unique to their business model.

This news comes as New York is suing the OCC over its authority to charter FinTechs which help process bank transactions but don’t hold deposits.  A case is before the Court of Appeals for the 2nd Circuit.  DFS argues that the OCC has no authority to grant charters to FinTechs because they don’t accept deposits.  The OCC argues that deposit taking is not a mandatory criterion to be chartered by the OCC.

Even as a decision in the lawsuit is pending, the OCC and DFS have continued their increasingly public debate.  On Wednesday (Law360 subscription required), Acting Comptroller of the Currency Brian Brooks and DFS Superintendent Linda Lacewell both appeared at a forum sponsored by the Cato Institute.  Brooks took the opportunity to argue that there is nothing in the National Bank Act which precludes the OCC from chartering non-depositories.

If he is correct, then over time you will see the nationalization of businesses such as mortgage bankers and licensed lenders who have historically been subject to state consumer protection laws which are generally more extensive than federal requirements.

No matter which side ultimately wins the debate, recent events have underscored just how loosely regulated the payment processing industry is, even as it continues to be free of the traditional regulatory oversight imposed on financial institutions. Recently the CEO of one of the most high profile payment processors, German-based Wirecard, was arrested after the company was unable to account for $2.1 billion missing from its balance sheet.

September 11, 2020 at 12:46 pm

Authored By:

Henry Meier, Esq., Senior Vice President, General Counsel, New York Credit Union Association.

The views Henry expresses are Henry’s alone and do not necessarily reflect the views of the Association. In addition, although Henry strives to give his readers useful and accurate information on a broad range of subjects, many of which involve legal disputes, his views are not a substitute for legal advice from retained counsel.
