NY Proposes “First in Nation” Cybersecurity Requirements

Updated: Because of a technical glitch (i.e. I forgot to press the send button), today’s post was never sent out. Here it is; better late than never.

With a special shout-out to those of you who attended the Legal & Compliance Conference at the beautiful Turning Stone Casino, good morning.

In case you missed it, on Tuesday New York State made big news when Governor Cuomo announced that the state was imposing Cyber Security Requirements on Financial Service Businesses. This is just a proposal, but it is the culmination of years of work by the DFS in this area. Those of you affected will only have six months to get up to speed, so pay attention.

First, the real basic stuff. The regulation would apply to any person operating under, or required to operate under, a license, registration, charter, certificate, permit, accreditation or similar authorization under the banking law, the insurance law or the financial services law. A “person” means any individual, partnership, corporation, association or any other entity. A carve-out from many, but not all, of its requirements is made for entities with fewer than 1,000 customers in each of the last three calendar years, less than $5,000,000 in gross annual revenue in each of the last three fiscal years, and less than $10,000,000 in year-end total assets.

What are the requirements? Institutions would be required to have a cybersecurity program that addresses six major functions: the identification of cybersecurity threats based on the sensitivity of the nonpublic information stored by the institution; an infrastructure for defending against cyberattacks; the ability to detect cyberattacks; the ability to respond to and mitigate attacks; plans for recovering from attacks; and procedures for meeting new regulatory reporting obligations.

It’s really hard to argue with the general thrust of this proposal. There is very little being suggested that you shouldn’t already be doing. In fact, I would like to see the DFS clarify the extent to which procedures that financial institutions already have in place can be used to satisfy many of these requirements. For example, both state and federal credit unions are already required to have policies that implement “administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of member information.” (12 C.F.R. Pt. 748, App. A).

Stay tuned and feel free to give me feedback as the Association ponders what comments it should make to the DFS.

Epilogue

If Wells Fargo thought it was out of the woods by firing over 5,000 low-level employees and giving a $124 million “sorry we had to fire you” severance to a departing executive, it may have miscalculated. The WSJ is reporting that federal prosecutors are in the early stages of investigating possible criminal malfeasance on the part of the bank.

September 15, 2016 at 12:04 pm


Three Quick Notes For Tuesday

I’m about to leave for the Association’s Annual Legal & Compliance Conference at the Turning Stone Casino, but there are three things I want to give you a heads-up on.

First, NCUA yesterday released a letter reminding credit unions that guidance was issued on August 26 intended to clarify questions surrounding the Military Lending Act regulations that take effect on October 3rd. I would make fun of NCUA for coming out with guidance on guidance, but your blogger must shamefully admit that he actually didn’t realize this guidance was even issued in the closing days of summer.

The MLA regulations are a big deal. As I have explained in a previous blog, almost all consumer credit transactions subject to Regulation Z involving military personnel and their dependents will now be subject to greatly enhanced consumer protections, including a Military APR interest rate cap of 36%. Since this APR is calculated differently than a traditional APR under Regulation Z, this creates yet another level of complexity when it comes to consumer lending. You may not serve many members of the armed forces, but remember that since the regulation now applies to so many different products, all credit unions should put procedures in place for identifying members to whom this regulation applies. Frankly, I think the guidance creates as many questions as it answers, but I will let you hard-core compliance folks out there decide for yourselves.

Is This The Credit Card Of The Future?

Everything I have read about millennials is that they are debt averse, so take the time to read this intriguing article in the New York Times explaining why millennials are so interested in a new credit card being offered by J.P. Morgan Chase with an annual fee of $450. Are they crazy? Or just crazy like foxes?

You Have To Know When To Fold ’Em

Finally, if you find yourself tempted by the Turning Stone’s poker tables tonight, remember: those who chase straights and flushes arrive on planes but leave on buses.

On that note, I hope to see you at the Turning Stone; if our paths cross, please be sure to say hello! I will be back on Thursday.

September 13, 2016 at 8:31 am

Consider Yourself Warned

As the saying goes, “problems” flow downhill, so as I started reading the details of the Wells Fargo account opening scandal and the $100 million fine imposed on it by the Consumer Financial Protection Bureau, I wondered how this might impact the operations of credit unions. The Bureau has already had an interest in account issues and, suffice it to say, you can bet that examiners and regulators will be taking a closer look at how your credit union opens and manages member accounts.

In case you missed it, on Friday the Bureau That Never Sleeps announced that it had imposed a $100 million fine on the bank. Employees opened up to 2 million accounts without customer permission and shifted funds into these accounts on behalf of customers without their knowledge or approval in order to meet cross-selling targets and get bonuses. Frankly, what the Bureau describes goes beyond civil misconduct, and I hope its allegations are being investigated by prosecutors. This is identity theft on a grand scale.

First, some practical advice. The Federal Credit Union Act requires supervisory committees, or their designated representatives, to verify member accounts against your credit union’s records at least once every two years. As explained in Chapter 24 of NCUA’s Supervisory Committee Guide, which I strongly suggest all supervisory committee members take a look at, “the purpose of the verification is to detect errors and it is also a good control to prevent fraud.” You can either verify all accounts or rely on a statistical sample, but the basic idea is that you send selected members a confirmation letter or a request in their monthly statement asking them to confirm their account status.

Another thing I would consider reviewing is your abandoned property procedures. Members are expected to use accounts, and you have no obligation to keep inactive accounts open indefinitely. Fee orphaned accounts out of their misery. They are costing you money and are ideal for abuse. Here is one of my favorite opinion letters on the topic.

Finally, do you have a culture that emphasizes doing the right thing? I can’t stand it when I give advice and I’m told that it’s not what everyone else is doing. We owe it to ourselves and the people we hire to make sure that we have a culture that, in the immortal words of Vince Lombardi, encourages people to play to win but to play within the rules. Wells Fargo employees were in a culture where breaking the rules was the norm.

September 12, 2016 at 8:37 am

Independent Bankers Sue NCUA Over Pending MBL Regs; Plus My Top-Secret Plan For CU Growth

Today was going to be a real special blog post. I was not only going to reveal my top-secret plan for defeating ISIS but, as an added bonus, my top-secret plan guaranteeing that the credit union industry grows and prospers without a single merger for the next 50 years. But I’ve decided that I will only reveal these plans after you elect me President.

In the meantime, I will content myself with telling you that the Independent Community Bankers filed a lawsuit in Northern Virginia yesterday alleging that NCUA abused its discretion when it promulgated regulations revising the Member Business Loan regulations. Strip away all of its hyperbole, and the complaint comes down to an assertion that NCUA doesn’t have the authority to exclude loan participation interests from the calculation of the credit union MBL loan cap. The bankers are seeking to block the regulations from taking effect in January.

With apologies to those of you for whom this is as basic as the arithmetic my second grader will be learning this year: since 1998 the Federal Credit Union Act has limited the aggregate amount of member business loans a federally insured credit union can make at any time to the lesser of 1.75 times the actual net worth of the credit union, or 1.75 times the minimum net worth required for a credit union to be well capitalized (12 U.S.C.A. § 1757a). Under existing regulations, participation interests in member business loans and member business loans purchased from other lenders count against a credit union’s aggregate limit on net member business loan balances. CUs can purchase participation interests that put them over the MBL cap, but only with NCUA’s permission. 12 CFR 723.16(b).

So, what has our banking counterparts so fired up? The regulations that start to take effect in January stipulate that participation interests in business loans held by credit unions will be classified as commercial loans, as opposed to MBL loans, and will no longer be counted against the cap. The change only applies to loans that a credit union does not originate.

According to the independent bankers, this regulatory change amounts to a violation of the Administrative Procedure Act, which prohibits regulators from promulgating rules “not in accordance with the law.” They argue that, based on NCUA’s previous interpretation, a participation interest held by a credit union should be counted against the cap.

The problem is that the Supreme Court recently reaffirmed that regulators have the right to change their regulatory interpretations even without going through a formal comment and review process. Perez v. Mortgage Bankers Ass’n, 135 S. Ct. 1199, 1210, 191 L. Ed. 2d 186 (2015). In addition, NCUA’s new regulation is consistent with the English language. According to Merriam-Webster online, “making” is defined as “the action or process of producing or making something.” A credit union that originates a loan is making a loan; a credit union that purchases a portion of that loan isn’t producing anything.

And the Independents won’t even get to the merits of their case unless they can show how their members have been harmed in very specific ways. This is a tough one: there is plenty of evidence to suggest that small businesses are having a tough time finding banks willing to make them loans. Are bankers really being squeezed out of the market because some credit unions purchase participation interests? Whaat?

Pure speculation on my part, but I suspect that the Independents are laying the groundwork for a further legal assault on the NCUA if and when it finalizes FOM regulations. Plus, even if they lose this lawsuit they will use it as another example to Congress of how the NCUA helps credit unions too much. I guess they have forgotten about the imposition of sophisticated risk-based capital requirements on larger credit unions.

For credit unions, it’s important not to overreact to this latest banker provocation. It’s just the latest example of the banking industry seeking to limit the choices of Main Street America so that it can maximize its own profits.

September 8, 2016 at 8:51 am

NY’s DFS “encourages” acceptance of Municipal IDs

I swear we have been through this before.

New York’s Department of Financial Services Superintendent Maria T. Vullo recently sent a letter to my boss, the inimitable William Mellin, president of the New York Credit Union Association, and to Michael P. Smith, his counterpart with the Bankers, encouraging state chartered and licensed banks and credit unions to accept New York City’s Municipal Identification Card as valid identification for purposes of satisfying the requirement that they know their customer or member when they open an account.

The Guidance explains that “The CIP rule does not prescribe a specific type of government-issued identification card for use by institutions. Institutions that rely on documentary forms of evidence to verify a customer’s identity should have procedures in place to identify the types of documents the institution will accept for such verification. Accordingly, it is the Department’s position that institutions may accept the Municipal ID as a means of documentary verification as provided in the institutions’ CIP procedures.” It goes on to encourage state chartered and licensed financial institutions to accept the municipal IDs.

First, I’m sure the Department is pleased to know that I agree 100 percent with its legal analysis. As described in a FinCEN Q&A, your credit union’s responsibility is to “verify enough information to form a reasonable belief that it knows the true identity of the customer.”

The purpose of the CIP rules is to have procedures in place so you can know who your member is and establish a baseline of expected account activity for account monitoring purposes. After all, a twenty-something investment banker is going to have different account activity than his eighty-year-old grandma. So long as a government-issued ID tells you that a member is who she says she is, it satisfies your CIP requirements.

Where the Department’s Guidance makes me a little nervous is in its encouragement to use these IDs. I hope we don’t start hearing reports of institutions that may not wish to accept these IDs being pressured to do so. We are dealing with federal laws and regulations that give institutions flexibility to choose appropriate identification. Nothing the Superintendent says changes that.

There is really nothing new here, just the same old song with a different tune. Every so often the issue of bank identification flares up in tandem with debates over immigration. More than a decade ago, Governor George Pataki, a Republican who was smart enough to know that you won’t win many more elections in America pandering to embittered white males, pushed for the acceptance of matricula consular identification cards, and NCUA opined that the use of such identification was acceptable.

Let’s be honest about what we are really talking about here: illegal aliens. To those of you whose views on illegal immigration make you uncomfortable accepting non-traditional forms of identification I say: get over it. Your credit union doesn’t have a dog in this fight. To those of you with well-established policies that have worked well for your credit union and that you don’t feel like changing I say: stick to your guns. Your ultimate responsibility is to run a well-functioning credit union, not advance political agendas coming from either side of the political spectrum.

September 7, 2016 at 9:05 am

Beware Of Catspaw Liability

My first blog in September is a fable.

Once upon a time,

There was a smart monkey and his friend the cat. They loved to eat, and one day they saw chestnuts roasting on an open fire. The monkey flattered the cat into thinking that only it was quick enough to get the chestnuts.

She took up the challenge, but only by burning her paws. Meanwhile, the monkey ate the chestnuts as quickly as the cat could reach them. And who do you think got into trouble when their master spotted the cat’s singed paws?

What does this Aesop fable have to do with anything? For those of you who handle HR, you should remember this as the story behind catspaw liability. As I look back on what happened over the past week during my hiatus, a case decided by the Court of Appeals for the Second Circuit imposing “catspaw” liability on New York employers is the development that may have the biggest impact on your credit union.

First, let’s remember some basics. Generally, if a supervisor is sexually harassing a subordinate, then your credit union is automatically liable for the offending conduct. In contrast, if a worker sexually harasses a coworker by making unwanted sexual advances, then you will be held liable to the extent you tolerate the offending conduct. You need to have procedures for the employee to report the misconduct, to ensure that your credit union investigates the allegation, and to ensure that it takes appropriate action.

Vasquez v. Empress Ambulance Serv., Inc., No. 15-3239-CV, 2016 WL 4501673 (2d Cir. Aug. 29, 2016) addressed the issue of whether or not an employer could be legally responsible for coworker harassment where it had all the proper procedures in place but was manipulated into firing someone based on wrong information. The Court of Appeals for the Second Circuit held that an employer acting in good faith in response to harassment allegations could still be liable if it was negligent in carrying out its responsibilities.

Ms. Vasquez complained to a supervisor after being repeatedly harassed by a coworker. The last straw came when the harassing coworker followed in the footsteps of Brett Favre and Anthony Weiner and texted her a picture of his anatomy.

Empress did everything right, up to a point. Vasquez put a supervisor on notice of the misconduct, and the supervisor told her to file a complaint. Following a review of the complaint, she was assured that this kind of conduct wasn’t tolerated, and the information was sent to a committee charged with dealing with harassment claims.

Meanwhile, the harassing coworker came to the realization that he had gone too far. He manipulated text messages to make it look as if she welcomed his advances and even doctored a photo to make it appear that she was the one sending him sexually suggestive material. He gave this material to the committee investigating her claim, and when they saw this evidence they fired Ms. Vasquez for lying. They did this without letting her see the incriminating evidence. The employer became the catspaw, manipulated into doing something wrong on behalf of a guilty worker.

The harassed and fired Vasquez sued, claiming she was retaliated against for making a sexual harassment claim. As sympathetic as the facts in the case are (no one would deny that, if her allegations are true, Ms. Vasquez is a victim), it wasn’t clear that Empress did anything wrong. In fact, the trial court she brought the case to concluded that employers who make a good faith effort to comply with the law but who make a mistake by drawing the wrong conclusion haven’t violated the law; after all, they don’t tolerate a sexually hostile workplace.

Last week the Court of Appeals reversed this ruling. It held that when, as a result of its own negligence, an employer gives effect to the retaliatory intent of one of its employees, even a low-level one, it can be held responsible for the misconduct.

This is a holding you should discuss with your HR attorney. Based on this ruling, you may very well have to do more to document not only that you have appropriate procedures in place but also what steps are taken to confirm the accuracy of your HR investigation. In an age when a desperate employee can manipulate digital evidence in a matter of minutes, this new standard increases the challenges for your HR and legal help. Hopefully we won’t see the evolution of increasingly stringent investigatory requirements that increase your legal exposure.

The End

September 6, 2016 at 9:16 am



Authored By:

Henry Meier, Esq., General Counsel, New York Credit Union Association.

The views Henry expresses are Henry’s alone and do not necessarily reflect the views of the Association.
