Posts tagged ‘DFS’

NY Extends CRA Requirements to Licensed Mortgage Bankers

As expected, Governor Hochul signed legislation yesterday extending a state-level Community Reinvestment Act (CRA) requirement to non-depository, state-licensed mortgage banks. The legislation does not apply to your credit union, but does apply to a credit union’s mortgage CUSO.

Under the legislation, the Superintendent is given broad authority to assess, in writing, an institution’s record of performance “in helping to meet the credit needs of its entire community, including low and moderate income neighborhoods, and consistent with safe and sound operation of the mortgage  banker.”  Among the specific areas that DFS is to consider are the activities undertaken to assess the credit needs of its community; communicate its services; and the geographic distribution of its credit applications, extensions and denials. 

The law takes effect in a year so DFS will presumably promulgate regulations to flesh out the details.  The legislation was passed this past session following an investigation by the Department examining lending practices by mortgage bankers in the Western New York area. 

On that note, don’t forget to vote.

November 2, 2021 at 8:58 am

DFS Issues Cyber Security Guidance For Affiliates

Yours truly has a busy day today but I wanted to take a break from my ark building to give you a heads up about cyber security guidance issued by New York State yesterday evening.

Pursuant to 23 NYCRR part 500, New York State imposes baseline cyber security requirements on entities licensed or chartered by New York State’s Department of Financial Services. In this guidance, DFS provides further clarification about the obligations of covered entities that rely on affiliates to comply with these regulations. The guidance should be reviewed by any New York State licensed CUSO which relies on a federally chartered credit union to meet New York State’s requirements.

For example, the guidance notes that while it is acceptable for a covered entity to rely on affiliates, it “may not delegate responsibility for compliance with the Cybersecurity Regulation to an affiliate.” This means that DFS must be given access and the authority to review an affiliate’s cyber security program even if an affiliate is not directly regulated by DFS. For example, a federally chartered credit union is not subject to these regulations, but to the extent a CUSO is relying on a federal charter’s cyber security, DFS must be given the right to review this program.

I’ve read it a few times now and there is nothing in this guidance that should surprise anyone. While any credit union can utilize third parties and vendors for a variety of functions, you can never outsource your credit union’s ultimate responsibility to comply with relevant regulations.

On that note, enjoy your day and remember that all this rain may turn to snow in a few weeks.

October 26, 2021 at 8:45 am

Levy and Restraint Protocols Impacted by NY’s Minimum Wage

Your faithful blogger has just turned the heat on, meaning that fall has officially arrived and it’s a good time to remind you of the impact that New York’s minimum wage law has on your levy and restraint protocols.

In 2016, New York approved legislation with the ultimate goal of phasing in a $15 statewide minimum wage. But in order to account for regional differences, different regions of the state (New York City, Long Island and Westchester, and Upstate) were subject to different wage scales. In addition, the state was given authority to scale back mandated wage increases depending on their economic impact. On September 22, the Division of the Budget released the mandated regional assessment and confirmed that the minimum wage will rise to $15 on Long Island and Westchester in 2022, joining New York City, which already has a $15 minimum wage. In contrast, the minimum wage for the “Upstate Area” will be $13.20 for the 2020 calendar year.

Not only do these changes impact your credit union as a New York State employer, but they have an impact on your levy and restraint practices as well. Under the Exempt Income Protection Act (EIPA), a minimum amount equal to 240 times the state minimum hourly wage is exempt from levy and restraint. As a result, in this 2017 guidance, DFS advised banks and credit unions “…that they should, to the extent practicable, calculate the exempt amount based on the account holder’s address and the size of the employer.  However, if, after reasonable due diligence, this information is unavailable, DFS has advised banks to exempt from collection an amount that corresponds to the highest minimum wage in effect in the State at the time of the calculation”, which is now going to be $15.

On that note, enjoy your weekend.

October 1, 2021 at 9:07 am

New Governor Moves Quickly To Extend Foreclosure Protections

Good morning, Folks. New York Governor Hochul convened an Extraordinary Session yesterday in which the legislature extended foreclosure and eviction protections for individuals claiming COVID-related hardships until January 15th of next year. The measures impact both state and federally chartered credit unions that start foreclosure actions against delinquent homeowners and businesses.

Notice that I did not say that the legislation simply extends New York’s eviction and foreclosure ban. In response to recent rulings by the Supreme Court, landlords and lenders now have the ability to challenge an individual’s assertion that they are delinquent because of a COVID-related hardship. The hardship exception applies to mortgages that are held by state or federally chartered credit unions. It does not apply to mortgages held by GSEs.

We will have to see how this new framework is implemented. But if your credit union is interested in pursuing this option it should start identifying cases where this new exception might be applicable.

Guidance Issued On Lending To Same-sex Couples

In another important move, the Department of Financial Services issued guidance detailing steps lenders should take to prevent lending bias when making loans to same-sex couples. DFS has been working on the guidance for weeks. I will be providing more information about its specifics in a future blog. This guidance applies only to state chartered entities and licensed institutions such as state chartered credit unions and mortgage CUSOs.

Hochul Nominates New DFS Superintendent

The above guidance was issued the same day that the Governor announced that she had chosen Adrienne Harris to lead New York’s Department of Financial Services. Harris replaces Linda Lacewell who resigned when Governor Cuomo left office.

Judging by her resume, Harris, a Columbia law school graduate, has a broad range of experience. She has served as an economic advisor during the Obama administration and as an adviser to Fintechs.

New York State’s Superintendent has historically been among the highest profile state regulators in the country. She not only oversees the banking industry but the insurance industry as well.

September 2, 2021 at 9:33 am

New York’s DFS Stresses the Need For Diversity In Corporate Governance

New York’s Department of Financial Services released an Industry Letter yesterday stressing that the Department expects both depository and non-depository institutions to take concrete steps to increase diversity within their governance structures.  The guidance applies to state chartered banks and to state-licensed institutions, which include CUSOs formed by federally-chartered institutions. 

“While the public statements from Regulated Banking Institutions and Regulated Non-Depository Financial Institutions in support of DEI (Diversity, Equity and Inclusion) initiatives are significant and necessary, it is time to act on those words and make good on good intentions to begin to achieve real change. This industry letter is aimed at supporting existing DEI efforts while outlining DFS’s expectation that New York-regulated financial institutions make the diversity of their leadership a business priority and a fundamental component of their corporate governance.”

Although the letter does not include specific mandates, the Superintendent points out that under Section 37 of the New York Banking Law, she has the authority to mandate that regulated institutions report to the Department on steps taken to address DEI.

On that note, enjoy your weekend!

July 30, 2021 at 9:10 am

DFS Issues Ransomware Guidance

Good afternoon folks, if you are like yours truly you may physically be working but your mind is drifting away in anticipation of a three day weekend: Snap out of it!

Yesterday the DFS issued ransomware guidance; the guidance applies to state chartered credit unions and CUSOs. That being said, federally chartered credit unions would be well-advised to also take a look at what DFS has to say, because the Department has a disproportionate influence when it comes to establishing industry standards regarding cyber security.

First, the DFS wants to justifiably scare the heck out of any institution, large or small, that hasn’t taken the time to address the ransomware threat.  I don’t believe it is overstating the situation the financial industry faces when it says that “a major ransomware attack could cause the next great financial crisis.” 

Against this backdrop, it is issuing this guidance while putting everyone on notice that it may be making additional changes to its existing regulations. Furthermore, the Department expects all institutions, irrespective of their size, to address these issues. Among the precautions the Department expects institutions to implement, if they haven’t done so already, are:

  • Email Filtering and Anti-Phishing Training
  • Vulnerability/Patch Management
  • Multi-Factor Authentication
  • Disable Remote Desktop Protocol Access
  • Password Management
  • Privileged Access Management
  • Monitoring and Response
  • Tested and Segregated Backups
  • Incident Response Plan

Nothing on this list should surprise you; the reality is, however, that many of the most devastating ransomware attacks directly result from failing to take these basic steps. That means that it is not enough to have pristine policies and procedures; you need to periodically test whether or not they are actually being put into practice. For example, how soon after your credit union receives notice of a new patch update does it integrate the patch? Every minute that goes by is one more minute hackers can take advantage of a programming defect that is now known to a large portion of the IT industry.

On that happy note, enjoy the rest of the afternoon.

July 1, 2021 at 2:40 pm

Resisting The DarkSide

The successful DarkSide ransomware attack, in which hackers were able to disrupt a major pipeline providing gas to states throughout the East Coast, has once again brought the issue of cyber security to the forefront. Here are some of the lessons your credit union can learn from this event:

Don’t forget the basics. These are highly sophisticated attacks that start with very basic mistakes. On Wednesday, the FBI and CISA issued a joint memorandum. The first three steps it suggested companies take to mitigate the threat of ransomware are to require multi-factor authentication, enable strong spam filters, and implement a user training program and simulated attacks for spear phishing.

Expect insurance costs to spike. The attack comes as regulators and stakeholders debate the best way to deal with ransomware attacks and the role that insurance should play. This past fall, FinCEN issued guidance warning financial institutions and insurance companies that they might be violating federal law if they help a company facilitate a ransomware payment. In addition, New York State’s Department of Financial Services recently reached a multi-million dollar settlement with an insurance company for violating the state’s cyber security regulations. The settlement has gotten the attention of the legal community since it included a stipulation that insurance proceeds would not be used to pay the settlement.

The DarkSide may bring Congress to its senses. Call me a cock-eyed optimist, but if the ability of hackers to shut down a major energy pipeline affecting states throughout the country doesn’t jolt Congress into passing comprehensive cyber security regulations then nothing will. This would seem like an issue that can overcome the great ideological divide, but only time will tell.

May 17, 2021 at 9:20 am

When should you report a data breach?

That is the question I hope you all have policies and procedures to answer.  A recent enforcement action by New York’s Department of Financial Services (DFS) underscores that the Department is deadly serious about ensuring that institutions subject to its licensing requirements comply with the State’s cutting edge cyber security regulations.  For those of you not subject to New York State’s dictates, keep in mind that New York State’s regulations are becoming a national model. 

In the matter of Residential Mortgage Services, Inc., DFS announced a $1.5 million fine against a mortgage license company headquartered in Maine that was licensed to do mortgages in New York State.  As part of a routine audit, the Department discovered that the mortgage banker was subject to a data breach it had not disclosed to the State.  It also did not have adequate policies and procedures in place to do the type of periodic risk assessments that New York State requires under these regulations.  The breach DFS was concerned about involved an employee who notified her IT team, but only after she had given a hacker posing as a vendor access to her email.  The employee handled sensitive mortgage information.

Should the company have notified DFS?  Under 23 NYCRR 500.17, covered entities are required to report cybersecurity events within 72 hours.  A cybersecurity event means any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an Information System or information stored on such Information System.  This settlement underscores that when in doubt you should report a breach.  However, this is an incredibly broad definition since any IT person will tell you that even the smallest of businesses is bombarded with attempted break-ins all the time.  In the accompanying Q and A, DFS explains that “notice to the Department under 23 NYCRR Section 500.17(a)(2) would generally not be required if, consistent with its Risk Assessment, a Covered Entity makes a good faith judgment that the unsuccessful attack was of a routine nature.”  This explanation of course gives you little discretion in the event that a data breach is successful. 

March 8, 2021 at 9:44 am

Four Key Issues to Know As You Start Your Credit Union Day

This morning has provided your faithful blogger with a treasure trove of important tidbits to pass on to you as you begin your credit union day. So with the caveat that many of these issues are worthy of future expansion, here goes…

Wells Fargo Folds and Settles Patent Litigation

In one of the highest-profile patent litigation cases in more than a decade, according to Law360, Wells Fargo has agreed to pay $300 million to USAA to settle claims that it violated patents related to remote deposit capture technology. The litigation was seen as a key bellwether of the extent to which financial institutions would have to enter into licensing agreements regarding this technology. Yours truly is no patent attorney, but this announcement should trigger a call to your legal counsel to discuss next steps for your credit union, particularly if it has been subject to a letter from USAA requesting that it license its RDC technology. 

Biden Administration Announces Additional Mortgage Forbearances

The Biden Administration announced yesterday that it was extending mortgage forbearance opportunities for certain government-backed mortgage loans. As a result of the announcement, the Department of Housing and Urban Development, the VA and the Department of Agriculture will extend mortgage forbearance and foreclosure relief, which were otherwise due to expire in March, until June 30th of 2021. Similar steps were recently announced by Fannie Mae and Freddie Mac. New York State has also extended forbearances for non-federally backed mortgage loans for individuals impacted by COVID-19. Let’s hope that the additional stimulus that Congress is expected to provide to consumers will allow policymakers to phase out these protections by the end of this year. Believe it or not, a properly functioning mortgage lending system is in the best interest of consumers.

New York’s Department of Financial Services Issues Cybersecurity Fraud Alert

The DFS issued a cybersecurity fraud alert informing its regulated entities that it has “recently learned of an aggressive campaign to exploit cybersecurity flaws in public facing websites to steal non-public information.” Although the guidance primarily focuses on websites designed to give consumers quick insurance quotes, the DFS is also reporting that similar attacks have been lobbed against mortgage companies. The focus of these threats is apparently to steal information such as licenses, which consumers are sometimes asked to provide when getting instant quote information. DFS is reporting that at least some of the stolen information is being used to engage in fraudulent attempts to obtain pandemic-related unemployment benefits in New York. Remember, under New York’s cybersecurity regulation (NYCRR 500.1 (g)), information that is considered “non-public” includes a name, number, personal mark or other identifier which can be used in conjunction with a social security number, driver’s license, account, credit or debit card number in identifying an individual. Incidentally, you should pass this on to your vendor to make sure they are aware of your New York State-based obligations.

NCUA IG Investigates Consumer Complaint Process

As many readers of this blog know, Board Chairman Todd Harper supports increasing NCUA’s scrutiny of credit union compliance with consumer protection laws. Many individuals, including your faithful blogger, have questioned what evidence there is that compliance with consumer protection laws is lacking within the industry. An esoteric report recently issued by the inspector general investigating NCUA’s complaint review process may take on exaggerated importance in this debate. I haven’t read the entire report yet, but the inspector general is suggesting that NCUA should do a better job of making sure that examiners are aware of complaints issued against a credit union. 

On that note, enjoy your day. I would also like to extend a special thank you to the Buffalo Sabres. Two nights ago, my NY Islanders did not surrender a single shot on goal to the Sabres. This was the first time the Islanders had ever shut a team out this way since they started in the early 70s. In the immortal words of Wayne Gretzky, “you miss 100% of the shots you don’t take.”

February 17, 2021 at 10:02 am

Preparing for the COVID-19 Endemic

“Vaccination drives hold out the promise of curbing Covid-19, but governments and businesses are increasingly accepting what epidemiologists have long warned: The pathogen will circulate for years, or even decades, leaving society to coexist with Covid-19 much as it does with other endemic diseases like flu, measles, and HIV.”

So said the Wall Street Journal earlier this week. This reality raises several important legal issues for your credit union to manage as it transitions from pandemic to endemic operations. For instance, one of the key questions with which you should all be grappling, if you haven’t done so already, is whether or not to mandate that your employees receive the vaccine. As I explained in this blog, the EEOC has provided guidance for those institutions which choose to make the vaccine mandatory. Keep in mind that this is a very fluid area of the law. For example, one case that will provide some guidance to New York State businesses on the interplay between the Americans With Disabilities Act (ADA) and vaccine requirements is Norman v. NYU Langone Health System. The district court ruled in September that an employee’s allergy did not qualify them for an exemption from a mandatory vaccination under the ADA. But this case is being appealed, giving the court the opportunity to explain its thinking on this important area of the law just as businesses look to determine their new policies.

Another important source of information is this guidance issued by OSHA within days of the Biden Administration taking over. It suggests that employers should make COVID-19 vaccinations available to eligible employees, as well as provide information and training on the benefits and safety of vaccinations. Against this backdrop, you should all consider updating your policies to, at the very least, encourage your employees to get voluntarily vaccinated. A voluntary policy avoids many of the legal complications involved with a vaccine mandate while still effectively stressing the importance of workplace safety. In the meantime, the Association has stressed to both the Department of Financial Services and the Governor’s office the importance of making frontline financial workers eligible for the vaccine as soon as possible.

Another issue for your credit union to consider as it learns to live with COVID is to recognize that even after vaccination becomes widespread, many of the new conditions you put in place are here to stay. As the Wall Street Journal pointed out, there are already burgeoning industries based on that assumption. In the future, rapid testing – not only for COVID-19, but for the flu – will probably become par for the course.  What this means is that one should not assume that the conditions you have put in place today like increased social distancing and an emphasis on healthier buildings will disappear with the pandemic. 

On that note, enjoy your long weekend. Yours truly has no idea what he will do with all the free time he has now that the football season has come to an end.

February 12, 2021 at 9:30 am


Authored By:

Henry Meier, Esq., Senior Vice President, General Counsel, New York Credit Union Association.

The views Henry expresses are Henry’s alone and do not necessarily reflect the views of the Association. In addition, although Henry strives to give his readers useful and accurate information on a broad range of subjects, many of which involve legal disputes, his views are not a substitute for legal advice from retained counsel.