GAO Report Underscores Need For a National Fintech Framework

Image result for tracy wolfson in crowdTo understand this picture read more of the blog.

A recent report released by the GAO underscores why we need a comprehensive federal framework to regulate Fintech. Without such a framework, there will continued to be too many loopholes to harm competition and a lack of regulation that will ultimately harm consumers.

First we need a definition of what Fintech lending actually is. For the purposes of the report and an accompanying blog post, the GAO points out that Fintech technology refers to the use of technology and innovation to provide financial products and services. It further explains that “Fintech lenders are non-bank firms that operate online and may use alternative data…to help determine” credit worthiness. While the definition is a good start, it could easily be used to describe banks and credit unions as well since all lending institutions are using technology to expand lending platforms and many are taking into account increasingly sophisticated lending algorithms which consider criteria far beyond traditional lending frameworks.

What’s going on here is an amalgamation of lending and technology which calls for a new regulatory framework. Let’s face it, the companies providing alternative lending platforms are doing more than brokering loans and the banks that are increasingly relying on these partnerships are moving beyond the confines of traditional banking. They are more like Apple and less like City Bank every day.

Why does this matter? Why not just let the market evolve to accommodate the structure that best meets the needs of the modern banking consumer? Because there are too many competing interests at stake. Page 9 of the GAO’s report outlines the laws and regulations to which Fintech lenders are potentially subject but there’s no single regulator – including the CFPB – which can exercise appropriate oversight over these institutions. The result is that we are engaging in cutting edge lending practices without adequate regard for whether such practices violate fair lending laws for example or needlessly circumvent the policing of practices traditionally left to the states such as the activities of non-bank lenders like mortgage bankers and payday lenders.

Most Exciting Superbowl Moment

For me, the most exciting moment in last night’s Superbowl was finding out whether CBS sideline reporter Tracy Wolfson would safely get out of the mob surrounding Tom Brady and manage to interview him moments after he won yet another Superbowl. I’m all for a defensive football but I think I’d rather watch replays of Bobby Fisher beating Boris Spassky on the Wide World of Sports. At least then there is no hiding the fact that what we were really watching last night was a chess match between two coaching geniuses in Bill Bellchick and Wade Phillips.

Meet The New Boss

President Donald Trump nominated Democrat Todd Harper to take a seat on the NCUA board. If he is confirmed Harper will have no problem finding his way around the office. According to the CU Times, from 2011 to 2017 he directed the NCUA’s Office of Public and Congressional Affairs.


February 4, 2019 at 9:19 am Leave a comment

High Noon For NY Cybersecurity Compliance

Image result for high noonTo underscore the importance of New York’s cybersecurity regulations, departing Superintendent Maria Vullo issued a statement yesterday reminding entities subject to New York’s cybersecurity mandates that two key deadlines are fast approaching.

As readers of this blog know, om March 2017, DFS   required  state chartered banks, credit unions and other entities which are also subject to New York’s licensing and charter requirements such as title insurance companies and mortgage bankers to start implementing NY’s “first in the nation” cybersecurity regulations. These new regulations are comprehensive and mandate that covered entities implement extensive protocols to protect personal information from cyber-attacks. February 15th marks the second year that institutions subject to these regulations must show that they are in compliance with most of its provisions.

Here are the phasing periods according to a Q&A provided by the DFS: Covered Entities are  required to submit certification of compliance with the requirements of 23 NYCRR 500.04(b), 500.05, 500.06, 500.08, 500.09, 500.12, 500.13, 500.14 and 500.15 by February 15, 2019, and certification of compliance with 23 NYCRR 500.11 by February 15, 2020. I underlined this last section because it’s trickier than it seems. Although you don’t have to certify your compliance with 500.11 until 2020, that section actually becomes effective in March of this year (The transition periods are laid out in 500.22.)

The core of Section 500.11 is a requirement that your institution have policies and procedures in place to safeguard non-public information to which third-parties such as vendors have access. You have to implement this framework based on an assessment of each third-party’s risk. Due diligence and ongoing oversight are expected for your biggest risks. This could take the form of for example, mandating that your providers comply with relevant guidelines and updated contractual provisions coupled with appropriate review to make sure that the right safeguards are actually in place. Ultimately you should sit down with your compliance, IT and legal people and discuss what expectations you are going to impose based on a given vendor’s level of risk.

Enjoy the Superbowl, see you on Monday.


February 1, 2019 at 9:26 am 2 comments

Are The Stars Aligning for Sensible Data Privacy Reform?

That’s the question I have been asking myself lately and I am cautiously optimistic that the answer is yes.

First there is Banking Chairman Mike Crapo’s list of his key priorities to this legislative session. Right after housing reform (more on that in future blogs) and further reforms to capital markets comes data protection, privacy and security. Courtesy of our good friends at Facebook, Russian hackers and massive data breaches such as that which occurred with Equifax, the American public has woken up to the dangers of unregulated data markets and poorly protected personal information.

Why is this important? Because for too long this debate has been framed as one between merchants who don’t think they should be subject to increased data security requirements and credit unions and banks which correctly argue that the current system imposes baseline federal and state data security standards on them which unregulated businesses simply undermine due to their lax in security standards.

In addition, this is a concern that is crossing party lines. Facebook’s image as the hip kid on the block has taken a huge hit not only because of the Russian campaign scandal but because of its hardball tactics employed against competitors who dare to criticize their business model.

Bottom-line: This is one of the few areas where we might be able to forge bipartisan support. Expect one of the big sticking points to be preemption. To me it makes sense to have a unified set of baseline data security standards and notification requirements but in talking to congressional staffers last year it’s safe to say that some in the House of Representatives vehemently disagree with this approach. They point to the cyber security regulations imposed on state chartered institutions in New York as an example of the type of regulations that shouldn’t be blocked by federal law.

Finally, recent rulings dealing with the Equifax data breach demonstrate why one of the issues that both state and federal legislators have to take a look at is standing. Before you can sue someone you have to demonstrate you are harmed by their actions. Although many litigants were recently allowed to continue their lawsuits against Equifax, the same Georgia court also ruled that only financial institutions which issued compromised cards that had to be replaced or which resulted in fraudulent transactions could demonstrate actual harm. (IN RE EQUIFAX, INC., CUSTOMER DATA SECURITY BREACH LITIGATIONMDL DOCKET NO. 2800 1:17-md-2800-TWT) The problem with this standard is that it does not adequately account for the harm done to banks and consumers simply by the fear that their compromised personal information may be used against them at a future time.

On that note, stay warm and enjoy the rest of your day.


January 31, 2019 at 9:29 am Leave a comment

Final Regulation Triggers Important Changes For Flood Insurance

Image result for floodIt’s been a long and winding road but regulators including the NCUA have finally promulgated a final regulation outlining the conditions under which lenders will be required to accept “private flood insurance.” Just how big of a deal is this? These regulations have been under discussion since 2013 shortly after Congress passed the Biggert-Waters Act which is subsequently amended.

The National Flood Insurance Program mandates that persons who purchase homes in flood zones, have flood insurance. Since its passage in 1968, this requirement has become increasingly controversial, particularly with free market conservatives who rightly argue that the program distorts the true cost of real estate in flood zones by subsidizing risky residential purchases at tax payer expense. Funding for the program has become a challenge.

Biggert-Waters was passed in one of the few spasms of bipartisanship we have seen in the last decade. It requires lenders to accept private insurance provided it is at least as broad as policies provided under the National Flood Insurance Program as well as meets other conditions. For the last several years regulators have struggled to explain what exactly that means.

The final rule is a huge help. It stipulates that lenders must accept private flood insurance “if the policy or an endorsement to the policy states that the policy complies with the statute.” In other words, credit unions can stay out of the insurance analysis business and rely on representations made on the face of policies.

A second question which was posed by our congressional representatives was: Did the statute authorize lending institutions to accept flood insurance which was not as broad as comparable insurance mandated under the Flood Insurance Program? The regulators have concluded that the answer is yes and laid out the conditions under which lenders can exercise this discretion and accept certain policies even if they do not meet the definition of private flood insurance.

I want to reiterate this last point one more time because there’s been some confusion about what the act does and does not do. Starting on July 1st lenders must accept private flood insurance which, as determined under these regulations, is at least as broad as NIFP mandated insurance. Lenders have discretion to accept insurance which does not meet this definition provided the insurance meets certain conditions also outlined in this final regulation. All lenders must still mandate flood insurance for property in flood zones.

There are other nuances in the final regulations which I’m sure someone at your credit union will love to start digging into and operationalize in the coming months. So get to work and remember the clock is ticking. The summer will be half way over before we know it.

January 29, 2019 at 9:16 am Leave a comment

PenFed/Progressive Merger Shows Why Emergency Powers Are So Important

The Independent Community Bankers were up to their old tricks last week urging Congress to take a look at NCUA’s use of its emergency powers to approve the merger of New York State credit union, Progressive and PenFed. This is a classic example of an argument in search of facts. Far from being an example of a “regulatory power grab”, NCUA’s decision to approve the merger is a text-book example of why all financial regulators have to have important roles to play in mergers involving financially ailing institutions.

First some background. NCUA does have substantial power when dealing with a credit union that is in danger of insolvency. Most importantly, it can approve mergers without regard to field of membership restrictions. But this is not an arbitrary process.

What triggers danger of insolvency oversight? Last year NCUA updated its criteria to reflect its experience with insolvent credit unions during the Great Recession. Specifically, NCUA must consider whether:

1. The credit union’s net worth is declining at a rate that will render it insolvent within 30 months.

2. The credit union’s net worth is declining at a rate that will take it under two percent (2%) net worth within 18 months.

3. The credit union’s net worth, as self-reported on its Call Report, is significantly undercapitalized, and NCUA determines that there is no reasonable prospect of the credit union becoming adequately capitalized in the succeeding 36 months. In making its determination on the prospect of achieving adequate capitalization, NCUA will assume that, if adverse economic conditions are affecting the value of the credit union’s assets and liabilities, including property values and loan delinquencies related to unemployment, these adverse conditions will not further deteriorate.

4. The credit union has been granted or received assistance under section 208 of the Federal Credit Union Act, 12 U.S.C. 1788, in the 15 months prior to the Region’s determination that the credit union is in danger of insolvency. §208 permits credit unions to get financial assistance from the NCUA board with the aim of keeping a credit union solvent. NCUA can, among other things, purchase loans and make loans to troubled credit unions.

All of these are logical criteria, especially when one looks at the trajectory of Progressive Credit Union. It had lost $69.5 million in 2018 on top of the $65.5 million it had lost in the previous year. All of this was of course caused by the precipitous decline in the value of taxi medallions. In fact, NCUA would have been derelict in its duties had it not looked for a credit union willing to take on this credit union and its assets. There are only a relative handful of credit unions in the country that can take on this responsibility. By maintaining Progressive’s open charter, NCUA was maximizing the number of credit unions that could realistically merge with Progressive and continue its operations. As a result, New York continues to have access to the services previously offered by Progressive and the industry as a whole is on better financial footing than it would have been had NCUA simply waited for the credit union’s inevitable liquidation.


January 28, 2019 at 9:36 am Leave a comment

CU’s Have a Problem That They Need To Address

Good morning folks. First a friendly reminder that the opinions I express are mine and mine alone.

NCUA hit the trifecta yesterday. CUNA, NAFCU and NASCUS all came out against its proposal to impose more responsibility on credit union boards and their supervisory committees when it comes to overseeing their fidelity bond coverage. NCUA’s proposed regulation would apply to both state and federally insured credit unions. Among other things, it would require boards to review all applications for the purchase or renewal of fidelity bond coverage and to pass a resolution approving such actions. The proposal would also require a board to delegate one member who is not an employee of the credit union to sign the attestation for the purchase or renewal of the coverage. But wait, there’s more. If your credit union has a functioning supervisory committee, it would be explicitly required to review fidelity bond coverage. I say explicitly because in my ever so humble opinion, the oversight powers of supervisory committees are already broad enough for them to exercise this power if they choose to do so.

CUNA opposed the rule because it would place an additional burden on volunteer board members that is inconsistent with the NCUA’s stated aim of removing unnecessary mandates. I get it and I understand why the industry opposes this proposal.

But at the same time, proposals such as this are yet another example of how when it comes to issues of oversight the industry is whistling past the graveyard. We are at a critical moment for our industry. As credit unions grow bigger and the financial services that they must provide become more sophisticated. It’s not simply enough for the industry to oppose specific provisions aimed at increasing oversight or for the NCUA to nibble around the edges of real reform. Instead, we should be taking this opportunity to have a thoughtful and wide-ranging debate about our existing oversight model and the steps that the industry should proactively propose to help prevent continued instances of gross financial mismanagement.

You think this is overstating the case? First, NCUA notes in the preamble to its fidelity coverage proposal, as of June 2018 the National Credit Union Share Insurance Fund has already lost an excess of $10 million from fidelity bonds that were voided due to the signatory being aware of fraudulent activities. This is just the direct financial cost. It doesn’t calculate how much the credibility of all credit unions is diminished every time financial mismanagement is discovered. And let’s face it, not a week goes by without some high-ranking credit union official being arrested for financial mismanagement.

To be fair, part of the issue that needs to be addressed is not only the performance of credit unions in overseeing their member’s finances but also the performance of NCUA in also failing to quickly recognize blatant examples of fraud. For example, earlier this week a decision was issued in NCUA v. Ciuni and Painichi, Inc. in which NCUA is suing outside auditors for failing to spot what the court describes as a “massive, multi-year fraud” committed by a long time employee who overstated his credit union’s assets by over $9 million. The judge agreed that the outside auditors were grossly negligent. What does that say about the auditors who examined the credit union?

Ultimately however, it is the industry’s responsibility to properly regulate itself. Here are some steps that I would take.

First, while I don’t believe paying board members is the answer, I also don’t believe that people are  qualified to oversee a sophisticated financial institution simply because they are well-intentioned volunteers. I would mandate that all credit unions have an acting supervisory committees; that committee members meet baseline supervisory requirements and that – here’s the catch – boards be authorized to compensate supervisory committee members as a means of making sure they can get qualified people to serve on supervisory committees.

As for the board itself, as I like to say, board members don’t need to know the answers but they need to know what questions to ask. Members are already required to develop a baseline competency for overseeing credit unions but there’s no true enforcement mechanism. I would be in favor of empowering NCUA to remove specific board members who have not taken the steps to obtain the basic financial knowledge needed to oversee a credit union. Furthermore, these requirements should vary based on the size and sophistication of a credit union.

I know that these ideas will probably go over like a lead balloon and I certainly would appreciate your feedback. We need to start having a thoughtful, honest discussion. If not now, when? If not us, then who? On that happy note, enjoy your weekend.

January 25, 2019 at 9:17 am Leave a comment

Pay Stubs? We Don’t Need No Stinkin’ Pay Stubs

Image result for badges we don't need no stinking badgesThis is one of those stories that made me mumble at my Kindle on my bus ride in to work this morning. The Wall Street Journal picked up a story by Inside Mortgage Finance reporting that a mere ten years after the Great Mortgage Meltdown, more and more lenders are making questionable loans to asset rich, cash poor individuals who don’t qualify for traditional conforming loans.

The Journal reports that lenders issued $34 billion in these unconventional mortgages in the first three-quarters of 2018, a 24% increase from the same period a year earlier. The Journal notes that while this only accounts for 3% of mortgage lending, it is sure to grow as lenders look for qualified borrowers during a time when all other types of mortgage lending is decreasing.

The hot new unconventional product is the asset depletion or asset dissipation loan. I went onto a couple of mortgage lender websites who offer this “product” and the basic idea seems to be that lenders rely heavily on the rate at which a member would deplete his or her assets in making mortgage payments. For example, one website described how to underwrite a retiree with plenty of assets in the bank but very little income coming in. The WSJ profiled a graduating nursing student who was able to qualify for a five-year arm based in part on money she expects to receive from inheritance. She plans on refinancing the loan as soon as she gets a job. Of course she does but I’m not holding my breath. The OCC is concerned enough that in December it questioned the underwriting standards being used by some lenders qualifying borrowers based on this underwriting method.

Now don’t get me wrong. I’m not saying that all asset depletion loans are bad. Of course it’s crucial to take into account a mortgage applicant’s assets. Furthermore, I believe that underwriters should have the ability to take into account a given mortgage applicants unique lending profile in determining if they can afford a mortgage. Requirements which are too stringent one way or another have the effect of denying people houses they can afford.

Besides, even the CFPB recognizes that there are situations when it is perfectly acceptable to extrapolate a person’s assets over a 12 month period. As it explains in its Ability To Repay Compliance Guide, “you could verify a Christmas tree farmer’s income via tax returns showing that the farmer earned $50,000 a year during the past three Decembers and nothing else the rest of the year and divide that $50,000 evenly across 12 months.” (See Page 22 of the Ability to Repay and Qualified Mortgage Rule, Small Entity Compliance Guide explaining how to determine an individual’s ability to repay under 1026.43(c)(1). The problem is that I don’t think anyone anticipated that a small but growing group of lenders would rely so heavily on asset depletion rates to qualify consumers to get a mortgage.

Of course proponents who are seeing their revenue grow argue that times have changed and that these members actually do have the ability to repay their loans. The problem is, we won’t know if they are right until these homeowners try to make payments in an economic downturn which may be right around the corner.

RIP Russell Baker

Nothing at all to do with credit unions but for my money one of the best newspaper columnists ever, Russell Baker passed away a couple of days ago. If you’re looking for a great read, you could do a lot worse than reading “Growing Up” by Russell Baker in which he describes what life was like for a child being raised by a single mother during the depression. Baker would eventually become a columnist for the New York Times.

January 24, 2019 at 9:25 am Leave a comment

Older Posts Newer Posts

Authored By:

Henry Meier, Esq., General Counsel, New York Credit Union Association.

The views Henry expresses are Henry’s alone and do not necessarily reflect the views of the Association. In addition, although Henry strives to give his readers useful and accurate information on a broad range of subjects, many of which involve legal disputes, his views are not a substitute for legal advise from retained counsel.

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Join 564 other followers