News over the weekend that an international gang of Russian speaking cyber criminals pulled off what the NY Times described as one of the biggest bank heists of all time (approximately $1 billion) has once again exposed the fact that the financial system and its consumers are under attack and the bad guys are winning.
Although it appears that the breath of the attack may have been overestimated by initial reports, the Krebs on Security blog is reporting that, according to the Russia security firm that uncovered the heist, the cyber gang hit up to 100 banks worldwide in approximately 30 different countries involving 300 IP addresses.
If news reports are accurate this group patiently broke into computer systems using phishing techniques and once inside thoroughly learned how to mimic employee and system behavior. They may have even videotaped keyboards. By the time they struck they were able to make ATMs spit out money on command, inflate the size of accounts, and, of course, transfer money out of the institutions. As Krebs explains “ Most cyber crime targets consumers and businesses, stealing account information such as passwords and other data that lets thieves cash out hijacked bank accounts, as well as credit and debit cards,…but this gang specializes in hacking into banks directly, and then working out ingenious ways to funnel cash directly from the financial institution itself.”
Far from throwing up our hands in frustration there is much that can and should be done by individual institutions as well as governments and consumers.
- Assume that your computer system has been breached and ask yourself how you can minimize the damage? You won’t find this advice in a compliance manual but experts have been stressing for years now that your IT system is as vulnerable as your most careless employee. The more you limit access to key systems to those employees who need direct access the better off you will be. Another step you could take is mandating that only certain computers be used for certain functions. Finally change passwords frequently.
- A hallmark of cyber attacks these days is that criminals are patiently “casing” cyber infrastructures sometimes for several months before attacking. As a technological Luddite I want to know how these people know they can poke around the security systems of some of the world’s most sophisticated banks and not get exposed? It seems to me that we can’t prevent break-ins but we can shorten the amount of time that criminals have to carry out their crimes.
- Is it time for a cyber-security tax? I’m open to alternatives on this one but, just as what I pay for a plane ticket partially reflects the cost of security, it’s time that financial transactions have a similar tax to pay for cyber-security. Without a robust public security infrastructure cyber-security will become yet another cost that only larger institutions can absorb. This isn’t fair to the small guys,
- President Obama has recently taken some long overdue steps to nationalize the issue of cyber-Security. Now it’s time to make it an international issue. This is a crucial piece of cybersecurity. No one can be facilitating international cyber thefts of the size and sophistication we are now seeing without governments looking the other way. After all someone has to collect the money. We need an international treaty-modeled after the nuclear Non-Proliferation Treaty-in which countries would agree to adopt domestic cybersecurity protocols and consent to international inspection of their compliance efforts. Those countries that don’t comply would be subject to sanctions and those countries that choose not to participate in the agreement will give us a pretty good list of where most of the cyber crime is being facilitated. Remember that a vibrant safe electronic infrastructure is in the best interest of almost all businesses and all countries,
Here are some interesting stories on the heist.
Not too long ago I was at a party chatting with people in their 40’s and 50’s when someone mentioned that, outside of work, they had no friends in their twenty’s. My first alcohol lubricated thought was to suggest that they had to be more outgoing. Then they challenged me to name a friend in his or her twenties…Oh well they don’t know what they are missing. Now pass the scotch.
The conversation has stuck with me for several months now because I consistently argue that credit unions are playing chicken with a demographic time bomb when it comes to wooing the next generation of members.
But just how different are these millennials-those born between 1980 and 1994-when it comes to banking? Oh their different alright. In fact, if your credit union isn’t adjusting to the fact that these emerging consumers are fundamentally changing the way the consumer banking game is played it is destined for obsolescence.
Does this mean that all you have to do is update your apps and people in their twenty’s and thirty’s will flock to become members? If only was that easy. A second report released by the New York Fed provides further evidence that younger people are finding it harder than ever to get started on an independent financial life.
First the FICO survey: 54% of the surveyed millennials say are either using or likely to use non-traditional banking platforms such as PayPal in the next 12 months. In addition, an amazing 23% of millennials plan to use peer-to peer lending over the next 12 months compared to only 2% of those 50 and over According to FICO “For all age groups, customer satisfaction with a primary bank has no significant impact on consideration, with an equal number of satisfied and dissatisfied consumers now using non-traditional payment companies.”
And how are banks doing communicating with their members? Not very well for any age group according to the survey, 46% of consumers across all age groups said their bank does not send marketing material relevant to their future marketing plans and nearly 75% of consumers said they don’t receive too many offers from their bank. Finally apps are helpful but these smartphone savvy users still expect a good website, the web is your new Conner branch.
My main takeaway: Marketing may help with your older members but it won’t keep you from losing out on the next generation of members unless you are wired up and quick to react to emerging payment trends like Apple Pay.
Here is another one: The growth of peer-to-peer lending poses unique challenges for credit unions. If these statistics are accurate the 30-year-old looking to start a small business is as likely to turn to a peer-to-peer lending sight as he is to the credit union for a loan. My advice? If you can’t beat them join them. We may have to work with regulators, but credit unions should develop CUSO driven websites with the look and feel of peer-to-peer lending sights and that use analytics to expand the number of unsecured loans credit unions are willing to make.
These statistics also underscore for me that people don’t dislike email, its irrelevant email that drives them nuts. (A dangerous admission for a guy who emails a blog every morning) People expect you to be able to anticipate what it is they want and deliver solutions right to their smartphones. Everyone is going to have to use analytics.
Now for the caveat to my otherwise enthusiastic embrace of millennials. In a recent report the New York Fed pointed out that “Young Americans’ living arrangements have changed strikingly over the past fifteen years.” They aren’t entering the housing market at anywhere near the rates of their predecessors and are “lingering longer in their parents’ households.” It concludes that we are seeing more at work here than the impact of an economic downturn. Instead, “while local economic growth, reflected in rising youth employment and escalating house prices, has mixed consequences for youth independence, the increasing magnitude of student debt among college graduates appears to be driving young people home and keeping them there.”
It may take your credit union longer than you expect for it to see the full return on its millennial investment.
Here are links to the information used in today’s blog. See you on Tuesday.
Maybe it’s because the desolate Albany landscape with its frozen mounds of exhaust-tinged snow and sub-zero temperatures makes me feel like I’m inhabiting a post-apocalyptic world, but a couple of days ago I got around to reading the FFEIC’s new appendix to its examination handbook dedicated to disaster preparedness entitled Strengthening the Resilience of Outsourced Technology Services. In all seriousness, it is a must-read for any credit union that has to have a business continuity plan (BCP) and contracts with third parties for services that should be integrated into this business plan. I bet that is almost every credit union.
Regulators have long emphasized the need for appropriate due diligence when entering into third-party relationships. In addition, Business Continuity Planning has been a major point of regulator emphasis since 9-11; not to mention that “once in a century storms” seem to be coming every other year. This new appendix zeros in on the importance to financial institutions of insuring that appropriate vendor services are integrated into BCP plans and testing. As the regulators commented in releasing the appendix, “a financial institution should ensure that its third-party service providers do not negatively affect its ability to appropriately recover IT systems and return critical functions to normal operations in a timely manner.“
The appendix highlights four key points of emphasis for examiners assessing third-party relationships.
(1) Third-party management addresses a financial institution management’s responsibility to control the business continuity risks associated with its third-party service providers (TSPs) and their subcontractors.
(2) Third-party capacity addresses the potential impact of a significant disruption on a third-party servicer’s ability to restore services to multiple clients.
(3) Testing with third-party TSPs addresses the importance of validating business continuity plans with TSPs and considerations for a robust third-party testing program.
(4) Cyber resilience covers aspects of BCP unique to disruptions caused by cyber events.
I don’t want anyone to break into a cold sweat thinking that a new compliance requirement is necessarily being imposed on them. If you don’t outsource core operational functions to third parties this appendix shouldn’t concern you much. But if your credit union can’t operate effectively unless a vendor is also on the job, then you have an obligation to work with that vendor and make sure that it has a Business Continuity Plan that is compatible with your own.
Think about it: if your vendor backs up all your account information at a facility down the block from your credit union, your BCP plan has some serious holes.
Don’t Fire Until You See the Whites of Their Eyes
Yesterday, the CU Times reported that Sen. Richard Shelby (R-Ala.), chairman of the Senate Banking, House and Urban Affairs Committee, would not rule out doing away with the credit union tax exemption as part of an overhaul of the tax code.
Shelby’s equivocation on the tax exemption underscores that tax reform poses dangers for credit unions, but his stance should hardly surprise anyone, nor should it send us scrambling to the ramparts as if the industry is in imminent danger. The fact is that in any push to overhaul the tax code a prominent veteran lawmaker like Shelby isn’t going to take anything off the table. There is a lot of negotiating to be done, if and when we ever get to a tax reform end game.
Should the industry be vigilant? Absolutely. But, in my ever so humble opinion (and I stress only my opinion), in recent years the industry has overreacted to the threat of tax reform with the result that it has not pushed aggressively enough for other parts of its agenda. There may come a time when we need to activate the grassroots in a major push to save the exemption, but that time is not here yet. In the meantime, let’s not let the bankers sideline our agenda every time they advocate for ending the exemption or draw too many conclusions every time a legislator gives less than 100 percent support for the industry.
In Congressional testimony yesterday, NCUA’s Larry Fazio announced that the agency would propose regulations providing regulatory relief to credit unions with less than $100 million in assets. Specifically, NCUA will be changing the definition of what constitutes a small entity credit union from one with $50 million in assets to one with less than $100 million in assets. Federal law gives NCUA the responsibility to consider the impact that proposed regulations have on smaller credit unions and to exempt such institutions from regulatory mandates when appropriate.
In January of 2013, NCUA amended the definition of the small entity from those with less than $10 million to those with less than $50 million in assets. At the time, NCUA estimated that this change meant that 67.8% of federally insured credit unions were designated as “small entities.” If NCUA follows through with its latest proposal, Fazio estimated that 77% of all credit unions would be eligible for enhanced regulatory relief.
Credit unions have already gotten a preview of how important such a shift could be with NCUA’s announcement that it is proposing to increase the threshold for Risk-Based Capital compliance from $50 to $100 million. In addition, credit unions with less than $50 million in assets were exempted from enhanced interest-rate risk policies. Going forward we won’t know for sure precisely what regulatory relief credit unions will entitled to until the regulation is finalized. At the very least, credit unions with less than $100 million in assets will be eligible for increased assistance from NCUA’s Office of Small Credit Union Initiatives and a framework has now been put in place to extend regulatory relief to a large majority of credit unions.
Now, don’t get me wrong. I think NCUA’s proposal is a great idea; but, the more the industry codifies distinctions between big and small credit unions, the more challenging it becomes to ensure that fundamental baseline distinctions between all credit unions and banks remain intact. You can bet a bank lobbyist will soon be arguing that if large credit unions are so different than small ones, why shouldn’t they be taxed. In addition, while regulatory relief is a welcome and important step by the NCUA, it will likely do little to halt the long term consolidation of the industry or the fact that those with $500 million or more in assets are the ones driving its aggregate growth.
As a result, I would like to see the industry couple the NCUA’s push for regulatory relief with an emphasis on recruiting the next generation of executives. I see a tremendous amount of enthusiasm displayed by people in their twenties and early thirties. I also see a fair number of people in their late fifties and early sixties nearing retirement. Mergers and consolidations are inevitable, but let’s make sure that credit unions don’t dissolve or merge because of a lack of potential leadership.
On that note, enjoy your day.
“Buying a home is easier if you’re white” reported CNN yesterday based on the findings of a research report put together by Zillow with a forward by the National Urban League. The report, which was much more measured in its conclusions than some of the news headlines it generated, makes these headline grabbing assertions in its executive summary:
-Fewer minorities apply for conventional mortgages. Although Hispanics and Blacks make up 17 percent and 12 percent of the U.S. population, respectively, they represented only 5 percent and 3 percent of the conventional Mortgage application pool.
-Blacks experience the highest loan application denial rates. 1 in 4 blacks willbe denied their conventional loan application, as opposed to 1 in 10 whites.
-Wide disparities in homeownership rates among ethnic groups persist.73.9 percent of whites own a home, whereas 60.9 percent of Asians, 50.9percent of Hispanics and 46.5 percent of blacks own.
-The rise and subsequent fall of home values in the U.S. housing bubble disproportionately affected black and Hispanic homeowners, measured by indexed home values between the peak of the market and the bottom, or“trough.”
Look beyond the bullet points and a more nuanced picture emerges. Economics not race is what really determines how difficult it is to buy a home For instance, while not precluding the possibility that stark differences in homeownership may be a reflection of racial bias the report notes that on average White Americans, earn $62,000 thousand per household. In comparison, black American households earn $39.000 thousand and Hispanics $43,000. As the report notes “lower incomes mean a greater share of earnings goes towards living expenses and less towards savings. It is then unsurprising that blacks and Hispanics are less likely to have the savings needed to apply for a mortgage to make a home purchase,”
The report notes that racial disparities are less pronounce among applicants for FHA loans since these applicants tend to have fewer savings irrespective of race.
What troubles me so much about the headlines reports such as these generate is that they lend themselves to quick conclusions and simple solutions to complicated problems If you want to believe that lenders are a cabal of racists conspiring to deny homeownership to people based on how they look than you can get on with your day; these statistics speak for themselves.
But the truth behind these numbers is much more complicated. To suggest that racial animus is at the core of our housing disparity is to overlook the legal, moral and operational changes that lending has undergone in the last 50 years. Intentional housing discrimination is illegal and lawsuits are rightly brought when discrimination is uncovered; socially we live in a much more tolerant society than we used to. Technologically the vast majority of lending decisions are made by computers based on mathematical formulas where race can’t be used as a factor.
None of this is to suggest that we live in a colorblind world free of racism: We never have and unfortunately never will. What I’m suggesting is the problems with lending disparities underscored by this report reflect societal complexities that go well beyond underwriting practices and standards. In the last 50 years a lot has been done to reform lending for the better. It is time to acknowledge these improvements and grapple with the complicated economic and social issues that will make this country even better 50 years from now.
I have complained in this blog that the Government subsidized secondary housing market sets up a seller beware system. Under this system the terms that banks and credit unions must abide by strict underwriting terms when they sell a mortgage to a GSE or get it insured by the FHA and have been forced to buyback mortgages that may have performed just fine for years before the Great Recession. Once a mortgage goes into foreclosure a GSE can scrub a loan file and force a lender to repurchase a loan based on small mistakes in the underwriting process that bear no relationship to why a mortgage went into foreclosure. The lender has to put a loan back on its books. Is there any wonder why financial institutions are gun-shy about selling their mortgages?
I have good news this morning. The WSJ is reporting that the FHA is considering loosening its own standards so that “banks continue to be liable for high damages on significant underwriting errors but not for smaller mistakes that wouldn’t have affected the decision to extend the loans.” Here is a link to the article:
As someone who subscribes to the glass half-empty view of the U.S. economy, even I have to admit that Friday’s jobs report is a good indication that we will probably be seeing the Fed raise short term interest rates by the middle of this year.
The most important number to look at in terms of the employment numbers are those that assess wage and workforce participation growth. On both of these fronts, the news was moderately encouraging. Average hourly earnings rose by $0.12 to $24.75 in January. This is encouraging if only because average hourly wages actually dropped by $0.12 in December. Over the last twelve months, wages have grown a tepid 2.2%, but at least it is headed in the right direction.
As for my favorite statistic, the workforce participation rate, this increased to 62.9% in January, following a slight decline last month. Similarly, it’s actually a good sign that the unemployment rate ticked up slightly to 5.7%. This means that more people are actually looking for work. Remember the unemployment rate just represents the number of adults actively looking for work. The more long term unemployed you have, the less reliable it becomes as an indicator of economic growth.
Hanging together, or Hanging Separately
What to do as the big get bigger and the small stay small? As I’ve talked about in a previous blog, the Great Recession accentuated the divide between big and small credit unions. It’s an understatement to say that a disproportionate amount of the industry’s growth is coming from credit unions with $500 million or more in assets.
As a result, now more than ever before, credit unions have to combine resources. A great example of how this can be done comes from an article in today’s Wall Street Journal reporting that a group of small banks are joining together with Lending Club to expand their ability to offer consumer loans.
Participations are clearly a key element in any strategy to combine resources. In addition, websites like Lending Club are radically changing underwriting models. Increasingly, if banks and credit unions aren’t willing to provide uncollateralized loans, there is someone on the Internet who will. Of course, these raise huge compliance issues, most notably indirect lending doesn’t absolve a bank or a credit union from assessing the quality of a loan in which it participates. In addition, with credit unions, such loans can raise membership issues as well.
Still something needs to be done quickly. The WSJ points out that in 1994, banks and thrifts with less than $10 billion in assets held about 69% of U.S. consumer loans; that number has dropped to 9% as of 2014.
Last, But Not Least
I have advocated in this blog space for NCUA to provide live broadcasts of its board meetings. After all, for those of us who track regulations for a living, real time information about where the board members stand is a helpful indicator of what to expect in the future. Therefore, I want to give a belated thumbs up to the agency for announcing last week that starting with its February 19th board meeting, it will begin broadcasting these get-togethers live. Watch out C-SPAN.
Now that the blog’s done, I am going to have to tackle all that snow in my driveway. Amazingly, the snow didn’t magically disappear between the time I went to bed and got up. . .it’s days like this that I wonder why I live in the Northeast.
The news that Wells Fargo entered into a $4 million consent decree with NYS’s Department of Financial Services typically wouldn’t be blog worthy. After all, $4 million ($2 million fine and $2 million in restitution to 1,300 NY Consumers) is cushion change for your average mega bank and by some measures Wells Fargo is the biggest of the Big. But when the settlement involves one of the most unique operational constraints placed on New York State chartered financial institutions and touches on how and when state laws are preempted, it is worth taking a look at.
Section 413 of NYS’s Personal Property Law prohibits the use of credit cards secured by real property. As a result, state chartered institutions, including credit unions, are prohibited from offering HELOCS that can be accessed with cards with credit features, as explained in this legal opinion letter from the Department of Financial Services.
New York’s prohibition against credit card HELOCS is arguably the most significant operational difference between state and federal credit unions. NCUA has clearly preempted such laws as applied to federal credit unions. For example, this opinion letter from NCUA noted that a Connecticut law that banned HELOC credit cards was preempted by federal law. As the letter explained:
“NCUA’s lending regulation expressly recognizes that FCUs are subject to state law in certain matters, including insurance laws, issues related to the establishment and transfers of security interests, issues of default and so forth. 12 C.F.R. §701.21(b)(2). The Connecticut statute is not within the area of permissible regulation by the states because it affects conditions related to the purpose of the loan and the distribution of loan proceeds. ” RE: PREEMPTION OF CONNECTICUT OPEN-END MORTGAGE LAW, 2002.
What caught my eye about the settlement and has sent me scrambling through the legal opinion letters is that Wells Fargo is a nationally chartered Bank. Why would it be subject to New York’s Personal Property Law? As it turns out, Wells Fargo had brought the line of business from a non- bank entity that wasn’t federally chartered.
The bottom line: federally chartered institutions are no more subject to New York’s HELOC prohibition today than they were yesterday but if you are state chartered, the state is serious about enforcing its HELOC limitations. If you are a federal charter don’t assume that the exemptions that apply to your credit union automatically apply to your CUSOs.
Law and Order NY Style
For political junkies our morning political blogs are reading more like crime blotters.
Fresh on the heels of the Silver indictment former Senate Majority Leader Malcolm Smith was found guilty of trying to bribe his way onto the ballot as a Republican in his still-born run for NYC Mayor in last year’s election. His successor, John Sampson is awaiting trial. Meanwhile a $580,000 settlement involving alleged sexual harassment of staffers by former Assemblyman Vito Lopez has been reached. Taxpayers will be on the hook for $545,000 of the settlement.