Posts tagged ‘GAO’

It’s a Scary Time for CUs, Cyber Attacks, and Insurance

Warren Zevon once called on his dad to bring him “lawyers, guns, and money.” Given the sharp increase in cyber-attacks, your average credit union CEO should be asking for lawyers, money, and better cyber insurance policies.

Recently, an article in The American Banker proclaimed that these are scary times for small banks and credit unions, some of which have recently been the target of ransomware attacks. Yours truly is highlighting this trend not simply because I want to scare you into action but because I believe that for many financial institutions the question is not if, but when you will find your credit union’s data being held by hackers who want money in return for allowing you to access your clients’ personally identifiable information.

One of the most basic steps you can take to help protect yourself against ransomware and data theft attacks is to buy insurance. This is an issue that yours truly is also becoming increasingly obsessed with because there is a lack of clear guidelines as to precisely what a policy provides your credit union and even whether your regulators are going to penalize you for using insurance proceeds to recover from ransomware payments.

My paranoia has been fueled by this recent GAO report describing an insurance industry that is scrambling to adjust to the rapidly evolving and increasingly expensive niche of cyber-attacks. For your credit unions that means that it is absolutely crucial that you get competent counsel to provide new guidance as to what is and is not covered under your policy. It also means that you should not assume that general language in your existing policy already provides you insurance protection. There are more and more cases in which this precise issue is being litigated. For example, I recently came across this case, West Bend Mutual Insurance Company v. Krishna Schaumburg Tan, Inc., in which an insurance company tried to deny coverage to a business that was sued after providing biometric data of customers to third parties.

In the medium to long term these issues will resolve themselves. Courts will scrutinize and effectively standardize basic terms. The problem is that this is little comfort to those of you confronting these issues right now. Time to call the lawyers and bring the money.

May 26, 2021 at 9:16 am

Are We Getting Enough Bang for our Cybersecurity Buck?

Good morning, folks. Sorry for the late start, but the Islanders went to overtime last night.

According to the GAO, the Treasury is doing an inadequate job of monitoring how successfully the financial services sector has handled protecting the cybersecurity infrastructure. What’s more, the Treasury agrees, but argues that it lacks the authority to appropriately monitor the efforts made by financial institutions, including credit unions, in protecting the country against cybersecurity threats.

Since 9/11, the government has emphasized the need for industry-wide coordination to protect vital infrastructure. This effort picked up steam in 2013 when the White House issued Critical Infrastructure and Resilience Policy Directive 21. The overarching goal of this new directive was to strengthen functional relationships across the federal government to enable better communication about cybersecurity threats, and to coordinate better planning between industries. As part of this directive, the Treasury was given responsibility for coordinating the financial industry structure.

As credit unions are well aware, there has been no shortage of regulations on the federal and even state level to protect against cyber threats. But, according to the GAO, the Treasury does not have the structure in place to adequately assess how successful these regulations have been. The Treasury says that it simply does not have the authority to get the information it needs.

This might seem like an awfully arcane piece of bureaucratic minutiae to write about on a Friday, but yours truly is just a little concerned that these findings will result in yet more regulations that will impact your everyday operations. In addition, given the amount of time, money and resources credit unions and other financial institutions must now commit to cybersecurity, I’m more than a little bit surprised that the Treasury is so willing to admit that a lack of coordination is diluting the effectiveness of these efforts.

NCUA Holds Monthly Meeting

Yesterday, the NCUA held its monthly board meeting. I will follow up once I have the chance to take a closer look at what was agreed to.

September 18, 2020 at 10:18 am

GAO Report Underscores Need For a National Fintech Framework


A recent report released by the GAO underscores why we need a comprehensive federal framework to regulate Fintech. Without such a framework, there will continue to be too many loopholes that harm competition and a lack of regulation that will ultimately harm consumers.

First we need a definition of what Fintech lending actually is. For the purposes of the report and an accompanying blog post, the GAO points out that Fintech refers to the use of technology and innovation to provide financial products and services. It further explains that “Fintech lenders are non-bank firms that operate online and may use alternative data…to help determine” creditworthiness. While the definition is a good start, it could easily be used to describe banks and credit unions as well, since all lending institutions are using technology to expand lending platforms and many are taking into account increasingly sophisticated lending algorithms which consider criteria far beyond traditional lending frameworks.

What’s going on here is an amalgamation of lending and technology which calls for a new regulatory framework. Let’s face it, the companies providing alternative lending platforms are doing more than brokering loans, and the banks that are increasingly relying on these partnerships are moving beyond the confines of traditional banking. They are more like Apple and less like Citibank every day.

Why does this matter? Why not just let the market evolve to accommodate the structure that best meets the needs of the modern banking consumer? Because there are too many competing interests at stake. Page 9 of the GAO’s report outlines the laws and regulations to which Fintech lenders are potentially subject, but there’s no single regulator – including the CFPB – which can exercise appropriate oversight over these institutions. The result is that we are engaging in cutting-edge lending practices without adequate regard for whether such practices violate fair lending laws, for example, or needlessly circumvent the policing of practices traditionally left to the states, such as the activities of non-bank lenders like mortgage bankers and payday lenders.

Most Exciting Super Bowl Moment

For me, the most exciting moment in last night’s Super Bowl was finding out whether CBS sideline reporter Tracy Wolfson would safely get out of the mob surrounding Tom Brady and manage to interview him moments after he won yet another Super Bowl. I’m all for defensive football, but I think I’d rather watch replays of Bobby Fischer beating Boris Spassky on the Wide World of Sports. At least then there is no hiding the fact that what we were really watching last night was a chess match between two coaching geniuses in Bill Belichick and Wade Phillips.

Meet The New Boss

President Donald Trump nominated Democrat Todd Harper to take a seat on the NCUA board. If he is confirmed Harper will have no problem finding his way around the office. According to the CU Times, from 2011 to 2017 he directed the NCUA’s Office of Public and Congressional Affairs.


February 4, 2019 at 9:19 am

Three Examples Where Doing Nothing Is a Bad Idea

Social scientists will tell you that when faced with two difficult choices, the natural inclination is to choose to do nothing. That is why, for example, umpires hate to call ball four when the count is 3-0. Realistically, however, when policy makers decide to do nothing to solve obvious problems, they are making a decision, and it often has negative consequences for everyone involved. Today’s news has three examples of how inaction is hurting consumers in the financial industry.

  • Later today I will be contributing my two cents to a panel discussion dealing with issues faced by the financial industry in providing services to marijuana-related businesses. One of the points I’ll be making is that whether you agree or disagree with the legalization of pot, the status quo is in no one’s interest. For example, it’s dumb that we can’t even agree on a legal way to transport the money. I recently heard about a company that has to drive a van full of cash from New York to New Jersey in order to find a financial institution willing to provide it services. In addition, it’s not using a traditional Brinks armored truck. Since many of these traditional companies refuse to transport cash derived from marijuana businesses, it’s only a matter of time before we see a cottage industry of bad guys who make a living off robbing these vehicles. By doing nothing to clarify the interplay between state and federal laws, policy makers are simply making the marijuana business less efficient, more costly and more dangerous for everyone involved.
  • A second example where doing nothing is a really bad idea has to do with failing to make it easier for the banking behemoths to fail. To me, it’s common sense that if a bank is too big to fail, it’s too big. Dodd-Frank ostensibly addressed this issue by making the largest banks develop plans for the orderly resolution of their assets using the existing bankruptcy code. This never seemed like a credible plan to me. Yesterday, the GAO released this interesting report in which it pointed out the existing inadequacies of the current bankruptcy structure but suggested changes that Congress could make to more credibly wind down failed banking behemoths. Currently, the banking behemoths plan on having their holding companies declare bankruptcy, but only after infusing their subsidiaries with adequate capital. This sounds reasonable enough, but the GAO points out that this approach is only partially effective since creditors have the right to go after the money given to the subsidiaries. One possible solution would be to shield subsidiaries from creditors, at least for a short time period. This still smells of too big to fail, but at least it’s better than nothing.
  • Finally, the House Oversight Committee released a damning report in which it concluded that the Equifax data breach was entirely avoidable and criticized the company’s IT oversight. Talk is cheap. Companies like Equifax have to be subject to tighter regulations and greater legal liability for the mistakes they make. Otherwise, we will just see more and more data breaches happening on a larger and larger scale.


December 11, 2018 at 9:26 am

Is CU vendor management a cybersecurity threat?

I finally got around to reading a Government Accountability Office report released last week assessing the effectiveness of financial regulators in overseeing the cybersecurity infrastructures of banks and credit unions. After reading the GAO’s conclusions, I was as surprised as a Japanese soccer fan who missed the first seventeen minutes of last night’s World Cup Final.

Well, maybe not that surprised. After all, the US scored four goals in twenty minutes, which is more unusual than the Mets scoring four runs in a nine-inning baseball game, or maybe in a week. Still, the GAO’s conclusions are important if a bit overstated.

Its first recommendation was for regulators to do a better job of collecting cyber-threat data and sharing it more quickly among themselves and with financial institutions. No surprise there.

Its second proposal was to urge Congress to give NCUA the same authority to directly examine third-party vendors already exercised by the other financial regulators, including the OCC. It contends that “Without authority to examine third-party service providers, NCUA risks not being able to effectively monitor the safety and soundness of regulated credit unions.” The GAO contends that this lack of direct vendor oversight is particularly harmful to smaller credit unions, which lack both the authority and resources to have in-house IT staff and the financial leverage to demand changes to vendor practices.

First, a reality check. In an age when some banks have IT budgets larger than most credit unions and government-coordinated attacks on US financial institutions are commonplace, to suggest that one of the key actions that Congress needs to take for cybersecurity is to give NCUA greater vendor oversight overstates the case. GAO has argued for increased vendor oversight by NCUA for more than a decade now, and so far Congress has turned a deaf ear.

That being said, and with the caveat that the opinions I put forward are mine alone, I’ve come to believe that the GAO and NCUA have a point. Why shouldn’t NCUA have the same power to directly oversee vendors as do the other financial regulators?

Giving NCUA this power would take away a potential cudgel from the banking industry. The retired but still blogging Keith Leggett has already highlighted the GAO’s report in his Credit Union Watch blog. The credit union industry is one negligent vendor and a cyber attack away from being put on the defensive over cybersecurity. If this happens it will be a self-inflicted wound.

What exactly is the big deal anyway? If credit unions are using established vendors, these vendors are most likely working with banks and are already subject to examiner oversight. If they are using CUSOs, they shouldn’t be afraid of demonstrating the safety and soundness of these organizations.

One more thing NCUA is right about: Enhanced vendor oversight would help protect smaller credit unions from cyber threats precisely when small and medium sized institutions are becoming more attractive cyber targets.

None of this is to say that vendor oversight is an industry panacea. In fact, if NCUA was given this authority tomorrow, it is doubtful that it would have the manpower or expertise to maximize its benefits. According to the GAO, NCUA has 40 to 50 subject-matter IT examiners, as well as 12 IT specialists in regional offices and 4 in headquarters. These staff focus primarily on the largest credit unions. In addition, “regular” examiner staff consult with the specialists on IT issues that arise at reviews of other institutions. The report points out that those examiners with the most expertise are examining the largest institutions. While this makes sense given limited resources, it also means that small and medium size credit unions don’t get the benefit of expert IT examinations.

NCUA plans to offer web-based training to help get examiners up to speed, but given the importance of cyber-security this isn’t exactly reassuring. To be fair, the problem of staff expertise is hardly unique to NCUA. The Federal Reserve, which regulates more than 5,500 institutions, has 85 IT examiners who have information security or advanced IT expertise and focus primarily on examinations of the largest institutions.

NCUA also does not do well at what the GAO calls “data analytics” but I call data collection. Surprisingly, it does not “maintain a centralized database on data breach reports—each region holds the data—but periodically reviews incident reports.” It told GAO that it “has been working to expand its analytic capabilities in this area.” I would hope so. This seems kind of basic to me if we want to know whether there are credit union specific vulnerabilities and what can be done about them.


July 6, 2015 at 9:39 am

More Guidance on Guidance

When you find out a final regulation has been published, most of you do a good job of figuring out how to comply. Let’s say a “Guidance” on the same subject came across your desk. Do you:

  1. Place the notice in your to-do bin where it gathers dust along with that great article on mortgage lending that came out in January 2007?
  2. Skim the cover page, breathe a sigh of relief it isn’t a regulation, and toss it into the garbage?
  3. Assign someone to implement its dictates the same way you would a promulgated regulation?
  4. Use it as a place mat for your lunch?

Readers of this blog know where I am going on this one. There is too little conformity in how regulatory guidance from NCUA is issued. This leads to a great deal of unnecessary confusion among regulators, examiners, and credit unions about how much weight Guidance should be given and when a Guidance can be used by an agency instead of the more formal regulatory process. The problem isn’t unique to NCUA but reflects a need to amend federal law to give regulators more guidance on Guidance.

Yesterday, the Government Accountability Office (GAO) released a report detailing the procedures used by four agencies in deciding when to issue a “significant” Guidance as opposed to a new regulation. Although the NCUA was not among the analyzed agencies – the Agriculture Department (USDA), Education Department (ED), Health and Human Services (HHS), and the Department of Labor (DOL) – the report’s conclusions were hardly surprising to anyone who has delved into the regulatory morass and tried to make sense of the regulation/Guidance dichotomy.

The agencies did not use standard terminology for guidance. For instance, some used a Q&A format while others used an Industry Letter format. “They often based the decision between guidance and regulation on whether the direction was meant to be binding (in which case they issued a regulation). In some cases, issued guidance clarified existing regulations, educated the public, addressed particular circumstances, or shared leading practices.”

The problem is that there is little consistency and a dearth of criteria used when determining when an issue should be dealt with as a regulation as opposed to a guidance. For instance, the Education Department and the USDA’s written procedures explained the approval and clearance procedures for significant guidance. DOL officials said they did too, but that these procedures “were not readily available” during the GAO audit. I’m going to go out on a limb and say that not too many DOL employees know these procedures exist.

Like it or not, we live in a regulatory state. Things were already bad, but the Supreme Court’s decision earlier this term in Perez v. Mortgage Bankers Ass’n, No. 13-1041, slip op. (U.S. Mar. 9, 2015), upholding the right of the DOL to issue an opinion letter classifying mortgage originators as nonexempt employees, gives all regulators even more power and flexibility. It may not win many votes come election time, but a constructive change that may have bipartisan support would be to amend the Administrative Procedures Act to implement standard procedures for the promulgation of Guidance and to clarify precisely how much legal weight a Guidance has as opposed to a regulation vetted via the rulemaking process.


Nothing to do with credit unions, but here is a great question from Rep. Jeb Hensarling (R-Texas), Chairman of the House Financial Services Committee, who is leading the charge against the reauthorization of the Export-Import Bank. “How are we ever going to reform the social welfare state if we can’t reform the corporate welfare state?…Success in America ought to depend on how hard you work on Main Street, not who you know in Washington.”



May 19, 2015 at 9:32 am

Are largest banks getting a Dodd-Frank pass? You bet.

People are justifiably outraged by the incompetence with which the Government has rolled out the Affordable Care Act. From cancellation notices to botched websites, the Government has played right into the hands of those who argue that it isn’t competent enough to get too involved in people’s lives.

But what I am more than a little bemused by is why the American public hasn’t saved at least a little of its outrage for the elected officials and regulators who have done next to nothing to address the core issues that led to the financial crisis. Millions of people were thrown out of work as a direct result of activities carried out by some of our largest banks, and more than five years after the meltdown began, the Government has still not done enough to implement even the relatively modest reforms Congress was able to agree to.

This is not blogger hyperbole. The GAO concludes, in the first of two reports it will be releasing analyzing Government support for the largest bank holding companies, that while agencies have made progress, key regulations intended to limit the “too big to fail” safety net for our largest banks have yet to be fully implemented. In addition, it is yet to be determined how effective these regulations will ultimately be even if they are implemented.

Isn’t it great that there’s more of a political consensus, at least within the Republican Party, for cutting food stamps and unemployment benefits than there is for making fundamental changes to the way our largest banks are regulated? If you really believe in the free market, then the only way to truly regulate these behemoths is to put their shareholders and executives on notice that they are not too big to fail. According to the GAO, the largest four U.S. holding companies each had at least 2,000 separate legal entities as of June 30, 2013. Does anyone really think an entity that big can be effectively managed, let alone regulated? Does anyone really think that if these banks are allowed to stay this large that they will be allowed to fail if and when they mess up again?

Meanwhile, credit unions, and to be fair, many small banks, are bombarded with a never-ending supply of CFPB initiatives. Something’s not right here. I’ve said this before, and I’ll say it again. No credit union or bank should be subject to any new regulations issued by the CFPB until all the Dodd-Frank provisions and regulations intended to be imposed on the nation’s largest financial institutions are actually implemented and operational. I know this could never happen, but even getting a proposal like this introduced would show just how much the country has missed the mark when it comes to cleaning up the financial industry.

November 18, 2013 at 7:47 am

GAO Report Frames Credit Union Tax Debate

A recent report released by the Government Accountability Office (GAO) underscores just how tenuous the credit union tax exemption may be. The report, combined with the Obama Administration’s description of the credit union tax exemption as a tax expenditure that costs the American taxpayer $9.5 billion over four years, demonstrates why the tax debate, if it ever does get going in earnest, is so perilous to the industry.

The worst case scenario has always been that the credit union tax exemption gets swept into the vortex of a larger tax reform package. Like I have said before, credit unions would never lose an up or down vote on the importance of their not-for-profit status, but they are potentially vulnerable to inclusion in a larger compromise package of so-called tax reforms. In some respects, this is already happening. For example, the fact that the credit union tax exemption is now being described as government spending underscores that credit unions are vulnerable to being included in a larger debate on the need to overhaul corporate taxes. Simply put, very few congressional Republicans will come out in favor of tax increases, but they are in favor of cutting loopholes even if the effect is the same.

According to the GAO, the credit union tax exemption is part of a category of 24 tax expenditures with only estimated corporate revenue losses. In other words, while there are many more than 24 exemptions for corporations, according to the GAO, only 24 benefit corporations exclusively. The GAO estimates that the credit union exemption costs the public fisc $1.1 billion annually. The expenditure by itself is peanuts compared to the combined estimate of the entire category, which is about $59 billion. Interestingly enough, the single biggest culprit in the GAO’s category of 24 is deferral of income from controlled foreign corporations. One would hope that Congress would be willing and able to make a common sense distinction between major corporations hiding money overseas to keep it out of the hands of the federal government and cooperatives dedicated to helping people and providing competition to commercial banks, but based on what I’ve seen in Congress lately, you can’t be too sure.

The GAO report is also noteworthy because it highlights the fact that credit unions, unlike other depository institutions that have long since lost their tax exempt status, have been allowed to maintain their exemption because of their unique cooperative, not-for-profit structure and their commitment to people of modest means. You don’t have to be Nostradamus to see where this debate is headed. Be ready to explain to Congress that not all tax exemptions are evil and that the need for credit unions is as important today as it was when the exemption was first granted. Along the way we may want to point out that the credit union tax exemption is not only for credit unions but for the tens of millions of Americans who have sought credit unions out for better rates, better service and maybe even to work in cooperation with their neighbor or colleague.

April 16, 2013 at 8:21 am

Corporate Numbers Add Up

NCUA is entitled to pat itself on the back this morning, or at least carry a bit of a smirk and an “I told you so” countenance.

Yesterday, it released a letter from the General Accounting Office confirming that its estimate of the projected costs for paying off the corporate bailout adds up. In a September 2011 report, NCUA estimated that the total remaining cost of the stabilization ranged from $1.9 billion to $6.2 billion. However, when the General Accounting Office conducted a Congressionally mandated review of the NCUA’s corporate stabilization efforts, it raised a red flag throughout the industry by calling on the Office of Inspector General to verify where NCUA was getting its numbers.

The letter released yesterday confirms that this review has taken place and that the numbers are credible. Given the frenzy that GAO’s initial recommendation caused in the industry, this is welcome news. But let’s keep in mind that the wide range of potential outcomes shows that we can’t quite yet breathe a sigh of relief: unforeseen economic difficulties could still make the bailout more expensive than anticipated.

Trades Give IRS a Heads Up

As you may unfortunately already know, the IRS has been mistakenly sending out letters to state chartered credit unions informing them that they are losing their tax-exempt status because they have not filed their Form 990s. At least state chartered credit unions have to file 990s.

Federal credit unions seeking a health insurance premium tax credit now have to file the Form 990T. Yesterday the industry sent a letter to the IRS because the trades and CUNA Mutual are concerned that this filing will trigger an additional round of revocation letters. The bottom line is that if you are a federally-chartered credit union and you get one of these letters, don’t panic, you haven’t lost your tax exempt status.

May 22, 2012 at 7:38 am

Authored By:

Henry Meier, Esq., Senior Vice President, General Counsel, New York Credit Union Association.

The views Henry expresses are Henry’s alone and do not necessarily reflect the views of the Association. In addition, although Henry strives to give his readers useful and accurate information on a broad range of subjects, many of which involve legal disputes, his views are not a substitute for legal advice from retained counsel.
