Archive Links

Consumer Archive
CU System Archive
Market Archive
Products Archive
Washington Archive

Washington Archive


Metsger discusses card security changes in first NCUA Report article

 Permanent link
ALEXANDRIA, Va. (1/30/14)--"The United States is the leader in point-of-sale vulnerability and a veritable playground for enterprising hackologists," but the recent Target data breach can be the catalyst for changes that improve data security, National Credit Union Administration Board Member Richard Metsger wrote in his first NCUA Report piece.

The Target data breach resulted in the theft of 40 million debit and credit cards, and encrypted PIN data, and the names, mail and email addresses, and phone numbers of up to 70 million individuals. Some financial institutions are buying consumer information back from the hackers that stole it to prevent further fraud from occurring, Metsger noted.

The impact on credit unions and others continues to grow, Metsger said, and credit unions across the country are assessing damage, reissuing cards and intensifying member outreach efforts.

While the Target breach is the most publicized breach in some time, it is not the only one to occur recently, the NCUA official said. One analysis has found as many as 600 reported breaches in 2013.

However, Metsger wrote, the national attention given to the Target breach can serve as a reminder of "how critical it is that all data systems, both internal and external, must be constantly evaluated and modernized to address evolving risks."

One improvement that could be made is conversion to a chip-and-PIN system. Many have resisted such a move, citing regulatory uncertainty. Metsger added that the U.S. has a plethora of financial stakeholders that struggle over when and how to convert. And, what's more, "the business case has been, at least up to now, not compelling enough for most retailers, processors and financial institutions to collectively invest the billions of dollars needed to make the switch."

The Credit Union National Association has noted that switching to chip-and-PIN cards would help address data security issues, but has also said that such a switch would not be a panacea.

For more of this month's NCUA Report, use the resource link.

Target breach investigation needed, Sen. Schumer tells CFPB

 Permanent link
WASHINGTON (1/30/14)--Sen. Charles Schumer (D-N.Y.) has called on the Consumer Financial Protection Bureau to investigate the recent Target data breach. And U.S. Attorney General Eric Holder said the Department of Justice is committed to finding the perpetrators of these sorts of data breaches.

"Despite issuing statements promising the problem has been fixed, Target has yet to reveal exactly what system was breached, how it happened, and what steps they are taking to prevent another breach in the future," Schumer said in a release.

The breach resulted in the theft of 40 million debit and credit cards, and encrypted PIN data, and the names, mail and email addresses, and phone numbers of up to 70 million individuals. Credit unions have already incurred costs estimated to be in the range of $25 million to $30 million as a result of the Target stores data security breach, a Credit Union National Association survey has shown.

Schumer called for a transparent federal probe that reveals the full details of the Target breach to the public, and results in recommendations for how all stores can keep consumer credit card information safe. "Without a full investigation into what happened--and a subsequent issuing of clear guidelines for stores moving forward--there is no reason why such a large-scale breach of payment information will not happen again," Schumer said.

The senator also said the CFPB should play an active role in ensuring that retailers have adequate systems in place to protect consumers' data and identities. He asked the bureau to take a closer look at whether retailers systems should be required to transfer credit and debit card information as encrypted data.

The Federal Bureau of Investigation in recent weeks has warned retailers these breaches will become more common, and arts and crafts store Michaels this week launched its own investigation into a potential data breach at its stores.

U.S. Attorney General Holder also spoke on data security issues on Wednesday, telling members of the Senate Judiciary Committee that the U.S. Department of Justice is investigating the Target data breach, and is "committed to working to find not only the perpetrators of these sorts of data breaches--but also any individuals and groups who exploit that data via credit card fraud."

CUNA was among the first trade groups to communicate with members of Congress following the breach, seeking hearings on the issue. The Senate Banking Committee and Senate Judiciary Committee have set separate data security hearings for next week, and other members of the U.S. Congress are considering holding hearings of their own.

CUNA CompBlog clears up small issuer QM questions

 Permanent link
WASHINGTON (1/30/14)--New Consumer Financial Protection Bureau mortgage rules define "small creditor" in several ways, and how the definition impacts your credit union's practices depends on which provision you are working with, the Credit Union National Association's CompBlog notes.

"There is a definition for small creditor in the CFPB's qualified mortgage rule, and a variation of that definition for balloon payments. The CFPB has also referred to the escrow account exemption as a small creditor exemption. And at times the small servicer definition gets mixed up in the confusion," CUNA Senior Compliance Counsel Mike McLain notes in a CompBlog post.

In his post, McLain attempts to clear up some of the confusion surrounding these definitions.

The QM rule, and portions of the QM rule addressing balloon payments, defines small creditor this way:
  • During the preceding calendar year, the credit union and its affiliates together originated 500 or fewer first-lien, closed-end mortgage loans; and
  • As of the end of the preceding calendar year, the credit union had total assets of less than $2.028 billion. This threshold will adjust automatically every year by the CFPB.
Creditors must generally hold loans in their portfolios for three years to maintain their QM status.

These rules will be tweaked after Jan. 10, 2016, and those changes are outlined in the blog.

For more small issuer definitions, including definitions related to small creditor escrow accounts and small servicer mortgage servicing, use the resource link.

Alleging insurance kickbacks, CFPB takes action against PHH Corp.

 Permanent link
WASHINGTON (1/30/14)--The Consumer Financial Protection Bureau has filed an administrative proceeding against New Jersey-based PHH Corp. and certain subsidiaries, alleging that the firm has participated in a mortgage insurance kickback scheme.

The filing is against PHH Corp. and residential mortgage origination subsidiaries PHH Mortgage Corp. and PHH Home Loans LLC, and PHH's wholly owned subsidiaries, Atrium Insurance Corp. and Atrium Reinsurance Corp.

The CFPB has charged that once mortgages were originated, PHH referred consumers to mortgage insurers with which it partnered. These insurers would then purchase "reinsurance" from PHH's subsidiaries. While reinsurance is meant to protect mortgage insurers from losses, the CFPB said PHH took the reinsurance fees as kickbacks. This is a violation of the Real Estate Settlement and Procedures Act.

The CFPB said this PHH scheme resulted in consumers paying more in mortgage insurance premiums. PHH received as much as 40% of these premiums, resulting in millions of dollars in kickbacks, according to the CFPB. PHH also allegedly overcharged borrowers that did not buy mortgage insurance from one of its kickback partners.

The bureau in the administrative proceeding is seeking:
  • A civil fine;
  • A permanent injunction to prevent future violations; and
  • Victim restitution.
The CFPB in 2013 settled with five mortgage insurers that took part in similar schemes. The bureau noted that the PHH proceeding is not a finding, or a ruling that the defendants have actually violated the law.

For the full CFPB release, use the resource link.

Atlanta Fed address changes for paper items

 Permanent link
WASHINGTON (1/30/14)--Starting Feb. 4--next Tuesday--all  paper items currently sent to the Federal Reserve Bank of Atlanta should be sent to a new address.

The Fed Bank of Atlanta is closing the Defoor Hills mail processing facility.  The new address is:

Federal Reserve Bank of Atlanta
Attention: Check Operations
1000 Peachtree Street, NE
Atlanta, GA 30309-4470

This change affects items sent via mail, courier, or overnight delivery, and includes forward and return items, savings bonds, U.S. Treasury Department items, postal money orders, foreign items, over-the-counter on-us processing work, and paper adjustments.