Posts tagged ‘DFS’

NSF Liability Hinges On A Few Key Words

Overdraft and NSF litigation is all the rage.  A recent decision by New York’s federal district court In Manhattan demonstrates how subtle differences in account agreements can make all the difference when it comes to potentially costly class action litigation.  

The following language was applicable to Municipal’s FasTrack Checking Account as outlined in its account agreement.

“NSF Fee: Each time an ACH debit request or bill payment you authorize, or check (share draft) you draw, is presented and returned as unpayable for any reason, a $32.00 service charge will be assessed.” Thompson v. Municipal Credit Union, 2022 WL 2717303, at *6 (S.D.N.Y., 2022)

Municipal, like so many larger credit unions, was sued by a member who claimed that the credit union violated the terms of its account agreement every time it charged an NSF fee for multiple ACH presentments for the same item.  In all this litigation, the legal issue is not whether multiple NSF charges can be levied but whether or not the language adequately explains when multiple NSF fees will be charged.  The good news is that a fair amount of case law involving this issue now provides some bright line guidance of which the Municipal case is the latest example.

Last week, a court dismissed the lawsuit against Municipal.  Its reasoning is worth examining for anyone responsible for making sure your account agreement adequately protects your credit union.  First, the court found that the agreement was structured in a way that made it clear to members which fees applied to which products.  For example, the above cited language was included specifically in the description of the FastTrack Account product.  

Secondly, plaintiff argued, as is typical in these cases, that the account agreement was ambiguous.  As I explained in this blog, they contend members are not given adequate notice that multiple NSF fees may result from a single merchant transaction because merchants may make multiple ACH payment requests for the same transaction or item.  Municipal’s language doesn’t even refer to an item.  It is a model of grammatical simplicity that would warm the heart of any 5th grade English teacher. 

“The Court need not consider whether the “per item” language is ambiguous. The NSF language applicable to FasTrack Checking Accounts is unambiguous and permits Defendant to assess a new fee each time a debit request or check is presented for payment, regardless whether that same debit request or check previously has been presented for payment and rejected for insufficient funds.”

Incidentally, this case was decided within days of DFS’s Overdraft/NSF Guidance imposing more disclosure requirements on state charters than would otherwise be required.  For example, state charters are now expected to provide NSF disclosures with each account statement and a direct point of contact. 

There is a lot going on in this space both legally and regulatorily, so this week please join yours truly and my Compliance Compadres as we discuss the latest developments in overdraft and NSF fee regulations, litigation, and legislation on Wednesday July 27th at 10:00am.  You can register at 2022 First Look Webinar: Overdraft Under the Microscope.

July 25, 2022 at 9:48 am Leave a comment

NY’s DFS Declares Certain Overdraft Practices To Be Unfair And Deceptive

New York’s Department of Financial Services took an aggressive stand against certain overdraft and NSF practices yesterday, issuing a guidance  prohibiting state regulated institutions from continuing to offer certain types of overdraft services. 

While the DFS’s guidance just applies to state regulated institutions, federal credit unions should pay attention to this development as New York often is a bellwether for the sentiments of other blue state regulators and the CFPB is continuing to examine so-called “junk fees”. 

In the guidance, the DFS provided notice to state-chartered institutions that examiners would be penalizing credit unions that engage in any one of the following practices:

  • Overdraft Fees Relating to Authorize Positive, Settle Negative (“APSN”) Transactions
  • Double Fees Arising from Futile Overdraft Protection Transfers
  • NSF Fees Relating to Representments

Impacted institutions should immediately examine their existing core processor systems to see how they process their payments.  For example, if your credit union uses a batch system and settles transactions hours or days after they have been authorized, you will have to make changes to your system.  This is just one basic example of the operational issues raised by this guidance.   

Because the state issued a guidance as opposed to a regulation following a public comment period, there are other important compliance issues not specifically addressed in the state’s pronouncement.  For example, the guidance does not address how financial institutions should comply with the Authorized Positive Settle Negative prohibition when the initial debit transaction does not reflect the amount the be charged to the member.  In contrast, when the Federal Reserve issued regulations implementing overdraft opt-in requirements for debit transactions more than a decade ago, it recognized that there are situations when it is impossible to know what the size of a debit is going to be at the time it is made [Electronic Fund Transfers, 74 FR 5212-01]. For example, when a member uses a debit card at a gas station, a hold is put on the transaction which may or may not reflect the amount of money ultimately charged; a spouse filling-up her Acura is going to be paying less than the spouse filling up the SUV.  The guidance does not explain how financial institutions should address these discrepancies. 

DFS is presumably interpreting the authority of state regulators to utilize UDAAP powers granted under the Dodd-Frank Act as outlined in a recent opinion letter issued by the CFPB.  But given the importance of the issues that DFS is addressing, one would hope that additional guidance explaining their legal rationale would be forthcoming.  This is all the more important in New York where the Attorney General, and not the DFS, has UDAAP authority.

What we know for sure is that the relative handful of credit unions in New York that choose to be chartered by the state now face a host of compliance issues which their counterparts regulated exclusively by the NCUA do not.

July 13, 2022 at 10:55 am Leave a comment

What CFPB Guidance Means For New York

Last week the CFPB issued an interpretive ruling clarifying the power that state regulators and attorneys general have to enforce provisions of the Consumer Financial Protection Act (CFPA) against both state and federally chartered institutions.  It could have important implications for those of us living in states such as New York with an aggressive enforcement approach to consumer protections. 

12 USC § 5552 is one of the most important provisions of the CFPA.  Prior to the Act, federal bank regulators, most notably the OCC, had aggressively preempted state law which they argued interfered with the federal bank charter.  NCUA was pulled in a similar direction but has never interpreted preemption as aggressively as its banking counterparts.  This section, entitled “Preservation of enforcement powers of States” was designed to reverse this trend.  Most importantly, for our purposes, it gives states the authority to bring legal actions against both state and federally chartered institutions for violations of regulations enforced by the CFPB.

The law hasn’t been amended in more than a decade and regulators such as New York’s Superintendent Adrienne Harris, who helped promulgate the initial regulations are certainly aware of this provision.  So why the need for this interpretation?  First, it underscores that the CFPB is encouraging states to take a more active role in enforcement.  (The problem is that those of us who live in the states most likely to be inspired by this encouragement don’t feel that additional encouragement is necessary.) 

The most important aspect of this guidance is that it explains that states not only have the authority to enforce specific regulations but that they also have the authority to utilize the CFPB’s unfair, deceptive, or abusive acts or practices (UDAAP) powers as part of their enforcement efforts [see section 1036(a)(1)(B)].  This is a big deal.  New York’s DFS does not currently have UDAP powers as a matter of state law.  The CFPB just clarified that it has this more flexible enforcement tool when it comes to enforcing key federal consumer protections. 

May 26, 2022 at 7:00 am 1 comment

CDFIs, DFS Among the Winners In State Budget

With one eye on the final round of the Masters, yours truly did an initial review of the legislation included in New York’s budget plan for this fiscal year and my initial take is that CDFIs and the Department of Financial Services are among the biggest winners.  This is of course good news for those New York State chartered credit unions which have CDFI designations. 

Last year the Association was successful in getting legislation passed allowing credit unions to participate in the Excelsior Linked Deposit program.  This program allows participating lenders to receive state deposits in return for making subsidized low interest loans to eligible small businesses.  Language included in the budget makes any loan involving a CDFI eligible for the program.  The budget also makes CDFIs eligible to receive loans.  This is a huge incentive for CDFI credit unions to get qualified to participate in the program.  Give me a call if you want to further discuss potential opportunities. 

As Washington dithers over how best to regulate crypto currencies, New York moved decisively to give DFS regulatory power over those portions of the industry based in New York.  The budget amends the Financial Services Law to authorize the DFS to examine “persons engaged in the virtual currency business” and to make the industry pay for the cost of such examinations, just like other state regulated institutions currently do. 

What is also striking about this new power is that DFS is also given the authority to promulgate regulations defining what entities are going to be subject to this new framework.  While this type of regulatory handoff is normal in Washington, it is unusual in New York where a new authority such as this would typically be accompanied with a detailed statute. 

Finally, the legislature approved the creation of a $250M public/private fund for the purpose of providing money for social equity licensees who are seeking to open retail cannabis businesses.  This is a smartly drafted piece of legislation since it permits the state to enter into subleases with cannabis retail businesses.  One of the key challenges for businesses where cannabis has been legalized is acquiring retail space. 

Of course, this just underscores yet again why the federal government must act on the SAFE Act, but you folks already know how I feel about that.   

Perhaps Masters winner Scottie Scheffler would be interested in contributing to the state cannabis fund.  His Masters win is his fourth tournament victory in six weeks, a feat that has been worth approximately $8.6M.  Not bad for a 25 year old.   

April 11, 2022 at 9:23 am Leave a comment

Does New York’s Commercial Lending Law Apply To Your Credit Union?

Greetings folks, today I am the bearer of good news. 

Lately, it seems to me that a New York State law passed in 2020 has gotten a lot of attention; at least I’ve gotten a concerned phone call and have seen some recent analysis (Law360 subscription required) of this important new requirement.  I’m here to reassure you that it does not apply to either state or federal credit unions in New York. 

Take a look at State Financial Services Law starting at section 801. The article creates a comprehensive framework for the disclosure of commercial loans of $2.5M or less made by non-bank entities.  The law is called the New York Financial Services Law (the “Commercial Finance Disclosure Law” or “CDFL”).  Under this new framework, these commercial lenders will have to provide disclosures similar to those mandated by the Truth in Lending Act.  The law technically took effect in January but DFS issued this guidance explaining that the statute will be enforced once the accompanying regulations take effect later this year.  It’s enough to make anyone in charge of commercial lending break into a hives for fear that they’ve missed the boat on getting ready for these new requirements.

But breathe easy.  Section 802 of the law makes it clear that this article does not apply to financial institutions, a term that includes both state and federally chartered credit unions and banks.  Still, yours truly will be keeping a close eye on developments in this area of the law.  In recent years, consumer groups have expressed concern that existing federal law does not do enough to protect small businesses, particularly those that are women and minority owned.  New York’s law is based on a similar measure already in effect in the great state of California.    In short, I would look at this framework and ask yourself how difficult it would be for your credit union to meet similar requirements. 

On that concise note, I wish you all a happy and warm Tuesday… peace out!

March 29, 2022 at 9:09 am Leave a comment

Why Mandatory Vacation Time Makes No Sense

I’m back from D.C and firmly focused on the great state of New York. March 7th was the deadline for submitting letters to New York’s Department of Financial Services regarding changing the State’s existing guidance mandating fourteen continuous days of time off for employees holding “sensitive” positions. The 1996 guidance, which applies to all state regulated financial institutions, is not only an antiquated vestige of a bygone era, but it burdens financial institutions of all shapes and sizes while placing regulatory emphasis on the wrong issues. 

As I’ve pointed out in a previous blog, making key employees take a two-week vacation made sense when it took almost two weeks to negotiate checks, but makes no sense when money is transferred with a single click. Instead of emphasizing vacations, the emphasis should be on the internal protocols an institution has in place to prevent, detect, and mitigate insider abuse. For smaller institutions with basic products, this might be as simple as ensuring that one person doesn’t control the keys to the castle; for larger institutions, sophisticated technology with dedicated staff might be an entirely appropriate expectation. 

This is the approach taken by the NCUA. Chapter 4, page 6 of the Agency’s Examination Guide lays out several potential approaches for boards to prevent mismanagement of credit union resources and only encourages mandatory vacation time where such a policy is “practical” for a given credit union.  For example, this criterion makes more sense to me than New York’s existing guidance: “…an appropriate level of management should approve and authorize all transactions over a specified limit, and authorization should require dual signatures…”

Given the lack of complaints I have heard from federal credit unions over the years, it is clear that NCUA does not place anywhere near as much emphasis on vacation time as does New York. Unless there’s evidence that New York State charted credit unions are less susceptible to insider abuse then their federal counterparts, it’s time for DFS to take a more flexible approach. 

March 8, 2022 at 9:17 am Leave a comment

If You’re Hit By A Cyber Attack, Which Regulators Are You Going To Call and When?

The world truly is flat. Russian troops march into the Ukraine and your credit union could be victimized by a cyberattack. This point was driven home by NCUA which has festooned the home page of it’s website with a red banner informing the industry that current geographical events increased the likelihood of imminent cyberattacks.

NCUA is not exaggerating.  We could be on the verge of the first wide scale international cyberwar, in which all financial institutions, irrespective of their size, could find themselves targets of sophisticated cyberattacks.

From a legal and compliance standpoint, an increasingly important question to consider is precisely who your credit union is going to contact in the event it finds itself subject to a cyberattack, and how quickly the information is going to be provided. In the context of Ukraine, the information provided by the NCUA clearly lays out that it expects you to promptly contact both the Agency and law enforcement.

But more generally, the question of precisely who to notify in the event of your more typical cyberattack is one of the key issues over which you should consult with legal counsel.  While many financial institutions have given consideration to when their members need to be contacted, an equally important and related question is when to contact regulators and other government officials.  The standard is evolving.  There are now fifty different state data breech notification requirements in effect, each of which has slightly different notification requirements. For example, New York State’s data breach notification law exempts federally chartered financial institutions complying with GLB from most, but not all reporting requirements. It still expects institutions to contact key state offices, including the Attorney General. Furthermore, state chartered credit unions are subject to the data notification requirements included within the Part 500 cyber security regulations. DFS has put regulated institutions on notice that it expects the 72 hour notification of data breach requirements to be followed.

Once you have assured compliance with state law, all federally insured credit unions are subject to GLB’s requirements as codified in Part 748 of NCUA’s regulations. As explained by NCUA in this article:

 “Appendix B to Part 748 of NCUA’s Rules and Regulations also states that a credit union’s response program should contain procedures for notifying the appropriate NCUA regional director. A federally insured, state-chartered credit union should also have procedures to notify their state supervisory authority as well. Notification should occur as soon as possible after the credit union becomes aware of an incident involving unauthorized access to or use of sensitive member information.”

Interestingly – at least for those of us who have decided to make a living through compliance – Part 748 does not impose a specific timeline for reporting data breaches to a regional director or members. In contrast, the OCC, FDIC, and the Federal Reserve recently issued a joint rule requiring banks to notify their primary federal regulator of any “computer-security incident” that rises to the level of a “notification incident,” as soon as possible and no later than 36 hours after the banking organization determines that a notification incident has occurred.(Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers, 86 FR 66424-01).

This new regulation does not apply to credit unions.  This means that federally chartered credit unions in New York still have discretion in determining who to contact and when in the event of a cyberattack.  But the events in Ukraine have underscored that cybersecurity policy and procedures have national implications.  My guess is that you will see a stronger push for national reporting standards to which regulators will expect strict adherence. 

On that note, I’m looking forward to seeing many of you in DC.  Remember to join us for networking on Sunday evening, if you can.  Time to go snow blow.

February 25, 2022 at 9:28 am Leave a comment

Meet the New Boss

Yesterday, the New York State Senate Finance Committee squeezed in time before it begins the annual budget hearings to interview and advance the nomination of Adrienne A. Harris to serve as New York’s first African-American Superintendent of the Department of Financial Services.  With her top academic pedigree, her work as a top aide in the Obama Administration helping coordinate financial service issues, including the implementation of Dodd-Frank, and her work as a General Counsel for Fintech Doma, Inc., she is more than qualified for the job.  In fact, New York is lucky that she wants it.  Although state level nomination hearings are nowhere near as politically charged as their counterparts on the federal level, here is what I think we can gleam from yesterday’s discussion. 

Expect state level action on the regulation of Fintechs. Almost all the members who spoke were refreshingly honest in admitting that they are still trying to understand the complexity of issues ranging from crypto-currencies to lending platforms.  Conversely, they all agreed that these trends raise consumer protection and level playing field concerns that New York should not wait for the federal government to address.  This creates a perfect opening for the Superintendent, given her work with a San Francisco based Fintech. 

Get Ready to Hear about Expanded UDAAP Power.  Since the inception of the DFS, there has been a tug of war over precisely how much power the DFS needs to perform its functions, especially when one considers how much authority New York’s AG has to police questionable Wall St. practices (remember Eliot Spitzer?).  Yesterday, the Superintendent made it clear that she will be pushing for the legislature to grant her Department increased powers in this area.  This is something we will have to keep an eye on, particularly since it may come as a surprise to New York State entities that DFS fells it needs more enforcement authority. 

Finally, expect to hear more about cyber security.  New York’s existing cyber security regulations already provide it with a national leadership platform when it comes to this all important issue.  Harris’ extensive federal work in this area will only enhance the state’s credibility when it comes to cyber security.

January 25, 2022 at 8:56 am 1 comment

Do Vacation Policies Help Prevent Fraud?

In 1996 New York’s Banking Department issued a guidance strongly encouraging financial institutions to mandate two weeks of consecutive vacation for employees holding sensitive positions.  Its rationale was that two weeks would provide adequate time to uncover malfeasance on the part of employees who would not be able to cover up their mismanagement away from the office. 

It seems that about for as long as the policy has been in existence, state chartered credit unions and banks have argued that the guidance is an outdated relic of a bygone era which needlessly burdens financial institutions and does little to accomplish its laudable goal of detecting insider abuse. 

So yours truly was pleased to see that on January 4th DFS issued this request for information seeking feedback from financial institutions about potential changes to this guidance.  The Association has already talked to some of our state charters and will certainly be commenting to the DFS as it considers changes. 

Just rereading the guidance demonstrates how outdated it truly is.  For example, it explains that mandatory vacation policies should apply to “… those officers and employees involved or engaged in transactional business or having the ability to change the official records of the institution. This policy should also cover all other staffers who are capable of influencing or causing such activities to occur.”

Suffice it to say that a lot has changed since 1996.  Many of us still did not know what the internet was, let alone conceived of online banking.  It was 11 years before Steve Jobs introduced the iPhone!  And today, average consumers can electronically deposit checks and expect almost immediate access to their funds.  As a result, virtually every employee can, on some level, be considered a key employee who holds a sensitive position and a fraudster can do in a matter of minutes what used to take two weeks. 

The NCUA manages to address the same issues that New York addresses without adopting a stringent two week requirement.  It’s time DFS follows suit.  The existing guidance hinders both big and small institutions. 

January 20, 2022 at 9:22 am 2 comments

NY Extends CRA Requirements to Licensed Mortgage Bankers

As expected, Governor Hochul signed legislation yesterday extending a state level Community Reinvestment Act (CRA) requirement on non-depository, state licensed mortgage banks.  The legislation does not apply to your credit union, but does apply to a credit union’s mortgage CUSO. 

Under the legislation, the Superintendent is given broad authority to assess, in writing, an institution’s record of performance “in helping to meet the credit needs of its entire community, including low and moderate income neighborhoods, and consistent with safe and sound operation of the mortgage  banker.”  Among the specific areas that DFS is to consider are the activities undertaken to assess the credit needs of its community; communicate its services; and the geographic distribution of its credit applications, extensions and denials. 

The law takes effect in a year so DFS will presumably promulgate regulations to flesh out the details.  The legislation was passed this past session following an investigation by the Department examining lending practices by mortgage bankers in the Western New York area. 

On that note, don’t forget to vote.

November 2, 2021 at 8:58 am Leave a comment

Older Posts

Authored By:

Henry Meier, Esq., Senior Vice President, General Counsel, New York Credit Union Association.

The views Henry expresses are Henry’s alone and do not necessarily reflect the views of the Association. In addition, although Henry strives to give his readers useful and accurate information on a broad range of subjects, many of which involve legal disputes, his views are not a substitute for legal advise from retained counsel.

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Join 785 other followers