Posts tagged ‘guidance’

New York State Issues Important Guidance on Virtual Currency and BSA Requirements

New York’s Department of Financial Services issued guidance yesterday emphasizing the unique BSA concerns raised by virtual currency.  While this guidance only applies to entities subject to the Department’s virtual currency license requirements as well as certain trust companies, categories which do not include credit unions, I would suggest anyone responsible for integrating virtual currency oversight into your credit unions compliance framework would be well advised to analyze New York State’s missive. 

In today’s blog, yours truly is not going to summarize the guidance but instead provide some context as to the considerations that regulators and financial institutions should take into account as they begin to dip their virtual toes into the virtual currency space.  In doing so I want to illustrate why I think the DFS guidance is important. 

What virtual currencies such as Bitcoin and Ether have in common is that they allow individuals to transfer these currencies between computers so long as the sender and receiver have set-up virtual wallets.  The key to this arrangement is Distributed-Ledger-Technology (DLT). 

With apologies to the technologically savvy out there, every time a request is made to send or receive “currency” from, or to, a wallet and the transaction is confirmed as valid, a notation is added to a computer program called a block-chain.  This technology is the key to the whole process since it provides a virtual ledger confirming the transfer of debits and credits. 

This means that without the use of a financial institution, any two individuals, using fictitious names, can transfer money.  Needless to say, since the emergence of the Bitcoin, there have been concerns raised about the utility of this technology to facilitate money laundering and other illicit activities (since we’re on the subject of money laundering, my wife and I have started binge watching Ozarks, which is the best show I’ve seen since I binged Breaking Bad, but I digress). 

These concerns have been partially vindicated since ransomware attacks typically include a demand for payment in Bitcoin.  But that may be changing.  Law enforcement is beginning to understand DLT.  For example, the ransomware attack on the Colonial Pipeline understandably got a lot of attention last year, but as significant as the attack itself, is the fact that the FBI was able to track down at least some of the culprits and retrieve much of the ransomed funds. 

Now, I’m not suggesting that credit unions or vendors need to be as savvy as the FBI in order to ensure compliance with BSA and AML requirements, but in the old days it was thought that the only way of deterring illicit activity was to make it as difficult as possible to convert Bitcoin and its prodigies into cold hard cash.  The DFS guidance emphasizes that even now there are basic steps that financial institutions can take as they begin to consider how to integrate virtual currency offerings into their lines of products or working with third party vendors as already permitted by the NCUA.  Besides, as virtual currencies become more widely accepted, there will be less and less need to convert them into fiat currency, but that’s a blog for another day.

April 29, 2022 at 10:20 am Leave a comment

DFS Issues Ransomware Guidance

Good afternoon folks, if you are like yours truly you may physically be working but your mind is drifting away in anticipation of a three day weekend: Snap out of it!

Yesterday the DFS issued ransomware guidance; the guidance applies to state chartered credit unions and CUSO’s.  That being said, federally chartered credit unions would be well-advised to also take a look at what DFS has to say, because the Department has a disproportionate influence when it comes to establishing industry standards regarding cyber security.

First, the DFS wants to justifiably scare the heck out of any institution, large or small, that hasn’t taken the time to address the ransomware threat.  I don’t believe it is overstating the situation the financial industry faces when it says that “a major ransomware attack could cause the next great financial crisis.” 

Against this backdrop, it is issuing this guidance while putting everyone on notice that it may be making additional changes to its existing regulations.  Furthermore, the Department expects all institutions, irrespective of their size, to address these issues.  Among the precautions the Department expects institutions to implement if they haven’t done so already, are:

  • Email Filtering and Anti-Phishing Training
  • Vulnerability/Patch Management
  • Multi-Factor Authentication
  • Disable Remote Desktop Protocol Access
  • Password Management
  • Privileged Access Management
  • Monitoring and Response
  • Tested and Segregated Backups
  • Incident Response Plan

Nothing on this list should surprise you; the reality is however, that many of the most devastating ransomware attacks directly result from failing to take these basic steps.  That means that it is not enough to have pristine policies and procedures; you need to periodically test whether or not they are actually being put into practice.  For example, how soon after your credit union receives notice of a new patch update does it integrate the patch?  Every minute that goes by is one more minute hackers can take advantage of a programming defect that is now known to a large portion of the IT industry.

On that happy note, enjoy the rest of the afternoon.

July 1, 2021 at 2:40 pm Leave a comment

When Forbearances Aren’t the Best Option For Your Members

Within hours of New York State’s promulgation of emergency regulations, two grizzled veterans of loss mitigation gave me a call to vent. To set the stage, both of these individuals work with credit unions and understand that most credit unions are committed to going the extra mile when it comes to helping out troubled borrowers. Still, they made a very convincing argument that New York’s forbearance regulations and the national glorification of the forbearance option may actually do more harm than good for many homeowners. Here’s why.

Most importantly, a forbearance is not a loan modification. New York’s regulation does not provide a definition of forbearance. It is a term of art referring to a lender’s agreement to withhold enforcing repayment obligations for a specified period. Under New York’s regulation, that period is 90 days and under both Fannie and Freddie guidelines, the forbearances can go much longer. The key point to keep in mind and explain to the anxious borrowers who are calling both banks and credit unions by the thousands every day is that at the end of the forbearance period, the member owes the same amount he or she would have owed had they simply continued to make payments in the first place. In other words, your financially troubled borrower now immediately owes three months of payments. Do they understand this? Clearly, many of your members will end up having to formally modify their loans to remain in good standing.

This is what is getting my grizzled veterans so frustrated and concerned. Under New York’s regulation, it is now an unsafe and unsound practice to deny a forbearance to a qualified individual, although you can take the individual’s financial resources into account. In other words, there will be many instances in which it makes sense for a family to continue to make payments even if one of the spouses has been laid off. Hopefully, New York State regulators will understand that financial determinations are ultimately as unique as the individuals making the request. This may not be the intent of New York’s regulations, but I hope people like my grizzled veterans are not penalized for encouraging individuals to forgo forbearances that they may technically be eligible for when doing so is not in a member’s medium or long term interest.

This raises one obvious compliance point. Document, document, document. Document what was explained to the member. Document the criteria you use in making forbearance determinations. Also, make it crystal clear to the member that they are still responsible for the payments they skip during the forbearance period.

March 26, 2020 at 8:25 am Leave a comment

NCUA Committed To Gradual Phase In Of CECL

Greetings from Washington DC where I hope to see many of you at our Association Briefing today in preparation for tomorrow’s Hike The Hill.

Although the legislative stuff is a lot of fun to talk about, with Congress gridlocked the most important developments continue to be on the regulatory and legal front. At last Thursday’s Board meeting, NCUA approved a joint agency guidance explaining baseline examiner expectations for banks, credit unions and thrifts as they prepare to comply with the Current Expected Credit Loss Methodology we lovingly refer to as “Cecil” CECL. The best news I have to report in a while is that NCUA included a footnote in the preamble to the guidance in which it reiterated that it has the authority to phase in CECL Compliance over a three year period. In addition, speaking to a group of small credit unions on Sunday, Chairman Hood noted that phasing in CECL is one of his top priorities.

Why is this so important? Remember that the basic idea of CECL is that financial institutions should record expected credit losses earlier in the lending cycle. There are a number of credit unions for whom a decisive shift to this methodology would have extremely negative consequences. For example, how many credit unions would be harmed if they had to report medallion values under a CECL model? A phasing in of CECL compliance in addition to the already delayed effective date applied to credit unions is one more way that regulators can help smooth the transition.

That being said, the transition is coming and there is a lot of work to be done. Take a look at this guidance and you will see that CECL Compliance impacts much more than accounting. It impacts everything from your board governance to your off balance sheet investments. Now really is the time to get started.

Credit Unions Offer Good Mortgage Value

Here is one more point to raise when you talk to your Congressman tomorrow. Home buyers save thousands of dollars by getting their loans from credit unions. This is the conclusion of a report released by NCUA’s economist at Thursday’s Board meeting. It’s always been interesting to me that when consumers think about credit unions they are much more likely to mention a great rate they received on a car loan than a great mortgage they received. Perhaps this report can help broaden the focus of consumers and policy makers particularly as they consider how to ensure secondary mortgage access if Fannie and Freddie ever go away. On that note, have a nice day.




February 25, 2020 at 8:49 am Leave a comment

Does The GDPR Apply To Your Credit Union?

Few issues in recent years have unsettled credit unions as much as the General Data Protection Regulations adopted by the European Union in 2016 which took effect last April. For the companies to which it is applicable, the regulations usher in a radical new conception empowering consumers to better control who has access to their  data and it comes with hefty potential fines for entities that violate its mandates.  Furthermore, by its very terms the regulation was designed to apply not simply to companies in the European Union but to companies outside of the union which have European consumers. Consequently, while I have always felt that your average credit union did not have much to fear from the GDPR, I have never been able to opine unequivocally which credit unions would and would not conceivably find themselves subject to its mandates.

Fortunately, proposed guidance is currently pending which applies a commonsensical framework to the GDPR’s application. If the guidance is finalized as proposed, the vast majority of credit unions can return to worrying about regulations on this side of the Atlantic.

First some background. The GDPR is an important new regulation which aims to implement a regulatory framework for consumers to control who has access to their data, generally referred to as data portability; give consumers increased ability to know how that data is being used and who it is being given to; establish “the right to be forgotten” whereby internet companies must have the ability to wipe information about an individual off the internet and impose transnational data breach notification requirements.

As explained in this pending guidance the European Union wanted to make the regulation reach as far as possible. Consequently, Article III of the regulation stipulates that it applies to any entity that targets EU members irrespective of where they are located as well as to establishments that process EU data. Of these two criteria, the one that credit unions need to be concerned about is the targeting criteria.

Several months ago I was talking to a compliance specialist in the metropolitan area. In response to the EU regulations the credit union had done some due diligence and discovered that 150 of its members actually lived in the European Union. They were a combination of Europeans living abroad and students studying abroad. Does this mean that the GDPR applied to this credit union? Under the pending guidance the answer is no. The proposed guidance stresses that “the processing of personal data of EU citizens or residents that takes place in a third country does not trigger the application of the GDPR, so long as the processing is not related to a specific offer directed at individuals in the EU or to a monitoring of their behavior in the Union.”

You can tell that credit unions weren’t the only ones concerned about the GDPR’s applicability because the proposed guidance includes this handy example, “a bank in Taiwan has customers that are residing in Taiwan but hold German citizenship. The bank is active only in Taiwan; its activities are not directed at the EU market. The bank’s processing of personal data of its German customers is not subject to the GDPR.” Amen brother.

In fact, credit unions are further shielded from the GDPR’s mandates because their field of memberships by and large limit them to individuals within this country. There are of course exceptions to this general rule but those exceptions clearly don’t apply to your average credit union. Now get back to those regulations on this side of the Atlantic. I will tell you when this is finalized.


May 6, 2019 at 9:37 am Leave a comment

Why The CFPB’s Latest HMDA Guidance Is So Important

The CFPB has released an extremely important guidance outlining what HMDA data will be made available to the public this year and under what conditions. If you are a credit union subject to HMDA reporting requirements, this is good news. But even if you’re credit union isn’t subject to it you should pay attention. This is  a new stage in the country’s seemingly never-ending debate about how best to determine the extent of racial bias embedded in the home buying process and how best to deter and minimize this bias in the future.

It’s a discussion which should be getting more attention than it is. On one side are those who believe that racial bias is endemic in the home buying process and that greater access to key underwriting data will prove their claims. On the other side are those who take a John Adams “dam lies and statistics” approach when it comes to this type of data. They are concerned that with enough data, even legitimate practices will be made to look discriminatory.

This debate is nothing new when it comes to The Home Mortgage Disclosure Act (HMDA) which was passed by Congress in 1975 as a way of assessing mortgage lending to minorities. It accomplishes this goal by making HMDA institutions fill out a Loan Application Register (LAR) detailing characteristics of all mortgage applicants and applications. This information is available to examiners and to anyone in the general public with the gumption to request it from a bank branch.

Dodd-Frank made two crucial changes to this LAR. First, it added several additional data points that now have to be collected. The result is an explosion in the collection of highly detailed information about mortgage applications. The second crucial policy shift was to mandate that financial institutions send this information to the CFPB. Starting this year, HMDA data will be available to researchers and plaintiff lawyers with the touch of a button. This is a big deal.

Because the information now being retrieved is so granular, the CFPB is responsible for determining what, if any, data should be withheld from the public so as to protect individual privacy interests. The guidance recently released by the CFPB details the data points that will be shielded from public review and the criteria that it used in making this determination.

Under the approach taken by the CFPB, the disclosure of loan level HMDA data creates risks to applicant and borrower interests where at least one data field or a combination of data fields “substantially facilitates the identification of an applicant or borrower” and at least one data field or combination of data fields discloses information about the applicant or borrower that is not public and “may be harmful and sensitive.” Among the information to be withheld from the public or modified before its release are data fields detailing the borrower or applicant’s debt to income ratio; the Universal Loan Identifier; the application date; the property address; the credit score relied on in making the lending decision and the “result generated by the automated underwriting system” used in making the lending determination (the executive summary contains a chart of the exclusions).

The CFPB also signaled that it would be considering making additional amendments to Regulation C later this year. All of this is sure to get the attention of democratic policy makers and promises to once again heighten the debate over how best to monitor home buying in this country.

January 8, 2019 at 9:31 am 1 comment

New York State Finalizes Sexual Harassment Requirements

Well, a guy doesn’t blog for a day and all hell breaks loose. First, in the better-late-than-never category, New York State released the final version of its much anticipated guidance and model policies to implement comprehensive sexual harassment training requirements imposed by the State Legislature last session.

First, let’s talk about the sexual harassment policy, which I just finished reading last night. Common sense prevailed and employers have until October 9, 2019 to receive the state mandated sexual harassment training. That being said, the legislation requires that by October 9, 2018, you have to have policies and procedures in place to comply with New York State law. As originally drafted, employers would have had to get this done by January of next year.

  • The new training has to be “inter-active.” This requirement can be satisfied for web-based purposes if an employee has questions at the end of a section, it must select the right answer. Another example provided is if the employees had the option to submit a question online and receive an answer immediately.
  • A point of emphasis in New York’s laws and regulations is that the actions of third-party vendors can subject you to harassment claims. This does not mean you have to provide training for such employees but “posting a copy of your policy in an area that is highly visible further communicates your efforts as a responsible employee.” Translation: Post your policy in a highly visible place.
  • This next provision is something to talk about with your HR attorney. Employers must adopt a sexual harassment prevention policy that meets various baseline requirements. You can either use the state’s model form or you can integrate requirements into your existing policy. If you simply go with the state’s model policy, a footnote is quick to remind you that simple use of the policy does not shield you from liability. Furthermore, there are many other aspects of New York State’s anti-discrimination laws that have to be provided to your employees. Most importantly, the policy requires that you have procedures in place for investigating sexual harassment complaints. In other words, you have a lot to do even if you choose to simply adopt the model sexual harassment policy.
  • Finally, I would pay particular attention to the baseline investigations that New York wants you to conduct as an employer. Most importantly, it specifies in bold that all complaints or information about sexual harassment will be investigated and such investigations will be conducted in a timely manner. Furthermore, it stipulates that you will create written documentation of your investigation including a list of all relevant documents received; a list of those interviewed along with a detailed summary of their statements; a timeline of events; and a summary of prior relevant incidents, just to name a few. This documentation better be thorough. Done properly, it could protect you against sexual harassment claims. Done improperly, it could expose you to increased liability.

On that happy note, have a great day.

October 3, 2018 at 10:32 am Leave a comment

What The Joint Letter On Supervisory Guidance Means For Your Credit Union

On September 11th the major federal bank regulators, including both the CFPB and the NCUA issued a joint statement “clarifying the role of supervisory guidance.” Many of us have been complaining for years that regulators have abused the Administrative Procedure Act by issuing guidance which for all practical purposes has the effect of law but have not been issued pursuant the rule making process. This is one of the most symbolically important developments of the Trump era. You literally have government bureaucrats unilaterally giving up a lot of their power.

That being said, it is not entirely clear precisely how big an impact this statement will have on your credit union and its operations.

First let me start with what is clear about the statement and its impact. Most importantly, it includes a really clear pronouncement that supervisory guidance, no matter what form they take (e.g. Q & A’s and bulletins just to name a couple) do not have the force and effect of law. Only statutes and promulgated rules get this distinction.

Another important stipulation is that examiners “will not criticize” a financial institution for the violation of a supervisory guidance. Instead, they have to be able to point to a specific violation of law, regulation, or enforcement order. Don’t underestimate how useful it is to have this in writing. We have advised credit unions for years that when they disagree with an examiner they should ask for a citation detailing precisely what the credit union is doing wrong. Now you have a codification of this very important principle.

Pursuant to the letter, the regulators are going to strive to make supervisory guidance less prescriptive. Again, this is a great development. When a guidance talks about specific numbers and thresholds which should be taken into account by credit union, it feels very much like a regulation no matter what the regulators choose to call it. Does a notice and comment period transform a supervisory guidance into a rule? No.

Agencies have occasionally requested public comment on proposed guidance the letter explains that while agencies can continue to take this approach, “seeking public comment on supervisory guidance does not mean that it is intended to be a regulation or have the force and effect of law.”

Here are the questions I think the guidance leaves unanswered: What exactly do the regulators mean by supervisory guidance? Specifically, is a supervisory guidance any document of advice issued by a financial institution that is not promulgated pursuant to the rule making process such as an opinion of counsel or does it simply refer to those guidance’s issued to aid examiners in examining a financial institution’s operations?

And how exactly does this relate to the distinction that the Administrative Procedures Act makes between “interpretive rulings” which are not subject to notice and comment requirements as a matter of law (5 USC 553 (b)(A)) and all other rules which are subject to a notice and comment (5 USC 553 (c))?

One more thing. This is not an invitation to ignore the next guidance that comes out from NCUA. You are still expected to be aware of what the supervisors are thinking and what they consider to be the best ways of complying with regulations. But you now have more flexibility to push back against examiners who conflate their view of the best way to comply with what the regulations and laws actually require

September 13, 2018 at 9:43 am Leave a comment

Eight Trends that will impact CUS in 2016

I like to use my final blog of the year to look ahead to the trends that will most impact the industry next year.  Here is my list of educated guesses.

Accounting for the next disaster.  The Federal Accounting Standards Board is poised to finalize accounting standards that will directly impact how credit unions and banks account for potential loses.  The proposal could have a bigger impact on credit unions than the Risk Based Capital rules, so get your accountant on speed dial.

Overdraft Overhaul. Are you ready to have your members opt in to all overdraft services?  How about limits on the size and number of overdraft fees?  What about new disclosures?  All of these are possible when the CFPB formally looks to limit the use of overdraft services this year.

China Syndrome. World events have had more and more of an impact on the economic environment in which credit unions operate.  My nominee for this year’s Greece is China.  If the slowdown in the Chinese economy ends up being  more sustained and severe than pundits currently suspect we could be looking at a recession in the U.S. and political instability in an increasingly nationalistic China for years to come.  In a worst case scenario think Putin on steroids.

Political Fantasy. Donald Trump offers a blanket insult to everyone in America and his poll numbers skyrocket because of his level-headed even handedness.  Not to be outdone, Senator Cruz insults the entire world.  Jeb Bush performs surprisingly well in New Hampshire and gets enough momentum to stick around.  Speculation rises that Republican Party elders hope that no one gets the delegates they need to secure the party’s nomination.  In a brokered convention, Paul Ryan emerges as the consensus candidate and narrowly defeats Hilary after Trump and Ben Carson both run as independents.  My point is, Silly Season is fast approaching.  Don’t expect to see anything useful accomplished in Congress next year.

Will the industry hang together or hang separately? With dual membership requirements being phased out, I certainly hope that whatever new structure emerges continues to emphasize the need for a coherent and unified voice on credit union issues.  I would hate to see a circular fire squad emerge that would benefit no one but banking lobbyists.

The year of Guidance.  With the overhaul of MBL regulations and further regulatory tutorials on interest rate risk on the horizon, we will start finding out just how much more flexibility credit unions have when complying with general mandates as opposed to black and white regulations.

FOM Reform.  NCUA’s proposed FOM reforms are out for comment and, although they are a step in the right direction, my guess is that the industry will find that not enough can be done by amending regulations.  Congress needs to act, but don’t hold your breath. In the meantime, state policy makers are where credit unions will have to turn if they want greater FOM flexibility.

Fewer but Larger Credit Unions.  Are credit unions an endangered species?  No, but expect their number to decline and the survivors to get even bigger.  In 2014, the majority of credit unions lost members.  In addition, at the end of October, CUNA Mutual reported that there were 6,264 CUs in operation, down 36 credit unions from one month earlier.  Year-over-year, the number of credit unions declined by 316, more than the 254 lost in the 12 months ending in October 2014.  There is no good reason to think that this trend won’t continue or even accelerate.  (

On a happier note, thanks for reading, Happy Holidays and I will be back blogging next year. Now it’s off to Grandma’s house I go.

December 23, 2015 at 10:40 am 1 comment

More Guidance on Guidance

When you find out a final regulation has been published, most of you do a good job of figuring out how to comply.  Let’s say a “Guidance” on the same subject came across your desk.  Do you:

  1. Place the notice in your to-do bin where it gathers dust along with that great article on mortgage lending that came out in January 2007?
  2. Skim the cover page, breathe a sigh of relief it isn’t a regulation, and toss it into the garbage?
  3. Assign someone to implement its dictates the same way you would a promulgated regulation?
  4. Use it as a place mat for your lunch?

Readers of this blog know where I am going on this one.  There is too little conformity in how regulatory guidance from NCUA is issued.  This leads to a great deal of unnecessary confusion among regulators, examiners, and credit unions about how much weight Guidance should be given and when a Guidance can be used by an agency instead of the more formal regulatory process.  The problem isn’t unique to NCUA but reflects a need to amend federal law to give regulators more guidance on Guidance.

Yesterday, the Government Accountability Office (GAO) released a report detailing the procedures used by four agencies in deciding when to issue a “significant” Guidance as opposed to a new regulation.  Although the NCUA was not among the analyzed agencies – the Agriculture Department (USDA), Education Department (ED), Health and Human Services (HHS), and the Department of Labor (DOL) – the report’s conclusions were hardly surprising to anyone who has delved into the regulatory morass and tried to make sense of the regulation/Guidance dichotomy.

The Agencies did not use standard terminology for guidance.  For instance some used a Q &A format while others used an Industry Letter format.  “They often based the decision between guidance and regulation on whether the direction was meant to be binding (in which case they issued a regulation). In some cases, issued guidance clarified existing regulations, educated the public, addressed particular circumstances, or shared leading practices.”

The problem is that there is little consistency and a dearth of criteria used when determining when an issue should be dealt with as a regulation as opposed to a guidance.  For instance, the Education Department and the USDA’s written procedures explained the approval and clearance procedures for significant guidance.  DOL officials said they did too but that these procedures “were not readily available” during the GAO audit.  I’m going to go out on a limb and say that not too many DOL employees know these procedures exist.

Like it or not, we live in a regulatory state.  Things were already bad but the Supreme Court’s decision earlier this term in Perez v. Mortgage Bankers Ass’n, No. 13-1041, slip. op (U.S. Mar.9, 2015) upholding the right of the DOL to issue an opinion letter classifying mortgage originators as nonexempt employees gives all regulators even more power and flexibility.  It may not win many votes come election time  but a constructive change that may have bipartisan support would be to amend the Administrative Procedures Act to implement standard procedures for the promulgation of Guidance and to clarify precisely how much legal weight a Guidance has as opposed to a regulation vetted via the rule making process.


Nothing to do with credit unions, but here is a great question from Rep. Jeb Hensarling, (R-Texas) Chairman of the House Financial Services Committee, who is leading the charge against the reauthorization of the Export Import Bank.  “How are we ever going to reform the social welfare state if we can’t reform the corporate welfare state?…Success in America  ought to depend on how hard you work on Main Street not who you know in Washington.”



May 19, 2015 at 9:32 am 1 comment

Older Posts

Authored By:

Henry Meier, Esq., Senior Vice President, General Counsel, New York Credit Union Association.

The views Henry expresses are Henry’s alone and do not necessarily reflect the views of the Association. In addition, although Henry strives to give his readers useful and accurate information on a broad range of subjects, many of which involve legal disputes, his views are not a substitute for legal advise from retained counsel.

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Join 772 other followers