Posts tagged ‘data privacy’

How Portable Is “Your” Data?

That is the question yours truly is pondering after reading through Colorado Senate Bill 21-190. When the bill takes effect, Colorado will become the third state in the nation, following California and Virginia, to pass legislation mandating that consumers be given greater control over their electronically stored personal data.

Like Virginia’s, Colorado’s law exempts financial institutions from its requirements, but its passage underscores why your vendor management in general and your contract language in particular are more crucial than ever in the absence of federal guidelines. Here is one reason why:

Colorado has followed the lead of other states and Europe in mandating that businesses that process and control personal consumer data have the ability, among other things, to ensure that consumers have: the right to opt out of their personal data being used by third parties for targeted advertising; the right to know who has their information; the right to correct inaccurate information; the right to delete personal information; and the right to “data portability.”

I’ve been told by IT people that conforming to these requirements is not easy, to put it mildly. But the tasks are made even more challenging in the absence of universal agreement as to who owns what data and what personal data is. As a result, even though financial institutions have been exempted from many of these laws, you should draft your contracts, particularly those dealing with your core processing functions, mindful of the need to easily access data on behalf of your credit union and members.

For instance, in reviewing contracts with your attorney, you should seek language stipulating that data will be stored in a universally available format. You also want to clearly delineate what data belongs to your credit union and what data belongs to your vendor. Your contract should also stipulate that vendors will only have access to data for the purpose of carrying out their obligations under the agreement.

Why is this or similar language so important? Because it will ensure that you have the ability to track who has access to the personal information of your members. Irrespective of what the law requires, members are going to increasingly expect to have greater control over their personal information. In addition, as I talked about in a recent blog, transferring from one core processor to another can be as acrimonious as a bad divorce. The clearer your contract specifies what information is to be transferred, the easier this process will be.

On that note, enjoy your weekend. For those of you who find soccer only slightly more exciting than watching paint dry, take a look at Sunday’s European Championship game between Italy and the UK. England is the Chicago Cubs of European Soccer minus a World Series win.

July 9, 2021 at 9:46 am

The Good, The Bad, and The Ugly as Albany’s Session Comes To A Close

Early this morning, the NYS Legislature came to its unofficial end as the Assembly passed the last measures of an extremely active session. Here is a first look at some of the key legislation that will impact CUs if it is approved by the Governor.

In a major legislative accomplishment, credit unions successfully lobbied for legislation which will allow them to participate in the Excelsior Linked Deposit program. The program gives lenders access to state deposits in return for making qualifying small business loans of up to two million dollars. Just how long have credit unions been seeking to participate in the program? Well, one of our volunteer board members lobbied for passage of the bill by showing legislators a letter he wrote in support of credit union participation to the Governor… Governor Pataki.

Credit Unions came up short on legislation which would allow municipalities to place their funds in credit unions but for the first time in at least 15 years, legislation has been voted out of the Senate and Assembly Banks committees. This means that the finance committees will be hearing from plenty of credit unions over the next year.

Finally, credit unions successfully lobbied for passage of legislation which will help bring banking into the 21st century by authorizing the use of remote online notarization. This bill is a win for consumers in general and the elderly and disabled, in particular, who will now be able to more easily get their documents notarized without having to go to a branch. The legislation would also make it easier to sell mortgages on the secondary market.

Now for the bad news. The legislature passed a measure to cap the interest that can be charged on judgements related to consumer debts at 2%. As drafted, the new interest rate would apply to judgements which have been filed but not yet executed prior to the bill becoming effective. If you think that is a recipe for a confusing mess, you’re correct.

Earlier this year, New York’s Court of Appeals wrote a series of decisions restoring a level of common sense to New York’s foreclosure process. The legislature passed a series of measures which chip away at these rulings. For example, Assembly 2502A imposes additional pleading requirements on lenders seeking to foreclose that could otherwise be waived by a homeowner.

Another bill passed by the legislature would extend CRA requirements to licensed mortgage bankers. Crucially, this bill would not apply to credit unions. It would apply to mortgage CUSOs.

Looking ahead, the table has been set for a debate over legislation to impose a California-style data protection framework on NYS. Legislation has been introduced and the Association is seeking to exempt GLB compliant institutions. Get your talking points ready for the trip to Albany next winter.

June 11, 2021 at 9:50 am

Data Privacy Emerges As Key Issue in NY’s Budget Debate

Among the highest-profile proposals in the Governor’s budget package this year is the New York Data Accountability and Transparency Act. It is the Governor’s first major foray into the issue of data protection, and it has already set off a debate among those who think the bill goes too far and those who think it doesn’t go far enough. Regardless of what side wins that debate, what’s clear is that this is a major legislative proposal which could have a major operational impact on your federal and state chartered credit unions that do business in New York.

The core part of the Governor’s proposal is to give consumers the right to opt out of information sharing. It also empowers the DFS to create a Consumer Data Privacy Bill of Rights. These rights would include:

  • The right to protection of their personal information by “covered entities;”
  • The right to exercise control over what personal information these entities collect from them and how it is used; and
  • The right to request that a covered entity “return, destroy, amend or otherwise alter” the personal information collected about them.

One of the main issues which we will be keeping an eye on is precisely what entities this proposal would apply to. Section 2 (b) (i) stipulates that this section shall not apply to personal information that is collected in accordance with the Gramm-Leach-Bliley Act. However, it is not entirely clear how wide a net this exemption casts, particularly since other aspects of the proposal, most notably the bill of rights, could be interpreted as giving consumers rights that go beyond federal baselines. In addition, even if GLBA compliant entities are exempt from the statute, they would still need to make sure there was a structure in place to deal with data that doesn’t fall under the GLBA. The reach of the legislation is further restricted by the fact that it only applies to businesses that “(i) control or process the personal information of 100,000 consumers or more; or (ii) derives over fifty percent of its gross revenue from the sale, control or processing of personal information.”

Without the possible carve outs mentioned above, this clearly would apply to large credit unions, but would also apply to credit unions of all sizes in New York, since all credit unions derive the majority of their income from processing personal information. It also would apply to many CUSOs. And for those of you breathing a sigh of relief that you aren’t headquartered in the Empire State, keep in mind that it would extend to any entity that “intentionally targets residents in New York State.”

We will keep you posted on developments. In the meantime, stay warm!

January 29, 2021 at 10:07 am

Gillibrand Proposes Data Protection Agency

Data protection is the legislative equivalent of the weather: everyone talks about it but no one does anything about it. So I was pleased to see that Senator Gillibrand unveiled a bold proposal yesterday to create a Data Protection Agency.

As of ten minutes ago the text of the bill was not yet available online but, according to her press release, the DPA’s core responsibilities would be giving Americans greater control of their own data by creating and enforcing data protection rules, ensuring fair competition “within the digital marketplace,” and preparing America for the Digital Age by advising Congress on emerging privacy and technical issues. This last proposal is a bit unsettling since I kind of thought that Congress knew we were already in the Digital Age and was reading up about it.

You don’t have to be Nostradamus to figure out that the agency would promulgate a California/European regulatory regime on companies and crack down on potentially anti-competitive practices of Facebook, Google and Amazon. It would be overseen by a Director serving a five-year term.

Now it’s way too early to say whether this is a good or bad idea. But let’s be honest, given the current political divide in Congress, this proposal has as much chance of becoming law any time soon as Donald Trump does of giving up tweeting for Lent. But in the eight years since U.S. Attorney for the Southern District in New York, Preet Bharara, warned of a WWII-style cyber-attack against this country, the situation has only gotten worse, not better. We’ve grown so used to the idea of cyber breaches that news that the Chinese government stole personally identifiable information from almost half of America’s citizens is met with a shrug. Anything that wakes us up and gets us talking about taking on data protection issues on a national level is a step in the right direction even if some of the specifics need to be refined.

On that note, enjoy your Presidents’ Day Weekend. I will be back on Tuesday.

February 14, 2020 at 9:09 am

Happy Days: CECL Guidance Issued

With regulators continuing to be gun-shy about offering advice on preparing for the new Current Expected Credit Losses methodology (CECL) even as its implementation date draws closer, I suspect that the news that financial regulators, including the NCUA, issued an updated Q & A on the accounting standard yesterday will be gobbled up by compliance geeks everywhere, not to mention nervous CEOs, quicker than city pigeons devour a piece of bread on the sidewalk.

Just in case you haven’t had your second cup of coffee – I’ve treated myself to a McDonald’s ice coffee this morning and it’s surprisingly good – here is a quick reminder of what I’m talking about. In June of 2016, the Financial Accounting Standards Board announced that it was implementing new accounting standards related to when financial institutions have to recognize a loan as impaired. Under existing accounting standards, loan losses have to be recognized when they become “probable” but under the CECL standards credit unions and banks will have to account for expected losses. This new approach is more forward-looking since it effectively requires financial institutions to base projected losses on past lending history and to reflect these changes in their ALL calculations.

The most practical result will be that many institutions will have to put aside more money to guard against losses than they have had to in the past. Despite the importance of this accounting change, regulators have been hesitant to assist credit unions because we are ultimately dealing with an accounting issue. Conversely, this is one accounting area that is clearly going to have an operational and safety and soundness impact.

Which brings me to why I was as pleased as a kid with a snow day when I got this link to an updated Q & A issued by federal regulators. I have consistently stressed to credit unions that if the standard is implemented properly, smaller credit unions should not find the new standard overly burdensome so I was pleased to see that in a new answer to Question 45, the regulators stressed that CECL is scalable to all institutions and that they anticipate a wide variety of methods used to implement its requirements which may be as simple as an institution’s updated spreadsheets.

I was a little less pleased but by no means surprised by the answer to the question: Will the agencies provide an approved formula or mandate a single approach for CECL implementation? Alas, the examiners explained that the agencies would not provide an approved formula or mandate a specific approach but would instead be “closely monitoring” implementation practices. On a practical level this means that you and your accountant will be on your own in figuring out CECL but that examiners will ultimately have the right to second guess your methodology. This is precisely the kind of gray area which could lead to inconsistent examiner expectations but maybe this is inevitable given the fact that we are implementing an accounting standard as opposed to prescriptive regulations.

Movement On Data Privacy Legislation

Bloomberg News is reporting this morning that top Republicans are “optimistic” about writing a federal privacy bill after a bipartisan group of Senators held their first meeting at the Capitol yesterday. As I’ve explained before, I’m cautiously optimistic that this might be the year, or at least the legislative cycle, when Congress passes a comprehensive privacy bill. Even the data mining giants that have the most to lose from regulation in this area have potentially more to gain if they can help influence the drafting of a single national standard that preempts far more aggressive state laws. Stay tuned.

April 4, 2019 at 9:32 am


Authored By:

Henry Meier, Esq., Senior Vice President, General Counsel, New York Credit Union Association.

The views Henry expresses are Henry’s alone and do not necessarily reflect the views of the Association. In addition, although Henry strives to give his readers useful and accurate information on a broad range of subjects, many of which involve legal disputes, his views are not a substitute for legal advice from retained counsel.
