A Federal Judge Drops a Bomb on the Federal Reserve, and Others

"Surveys show that politicians rank lower than lawyers and journalists in the public view".  Thomas Cole, Albuquerque Journal Article on New Mexico corruption. (August 12, 2013)

Before we get to the lead story,  a reader of my last Blog describing the "low income" designation for some credit unions that exempts them from the 12.25% of asset cap on member business loans asked what is the standard for  a "low income" member.  The NCAU regulations provide the following:

Low-income members are those members whose family income is 80% or less than the median family income for the metropolitan area where they live or national metropolitan area, whichever is greater, or those members who earn 80% or less than the total median earnings for individuals for the metropolitan area where they live or national metropolitan area, whichever is greater. NCUA will use the statewide or national, non-metropolitan area median family income instead of the metropolitan area or national metropolitan area median family income for members living outside a metropolitan area. Member earnings will be estimated based on data reported by the U.S. Census Bureau for the geographic area where the member lives. The term “low-income members” also includes those members enrolled as students in a college, university, high school, or vocational school.

I hope that helps you understand the standard.  It barely makes sense to me-- but I am lawyer, as my dear friend Pat Dee would say.

On July 31, 2013 Judge Richard Leon ruled that the Board of Governors of the Federal Reserve ("FED") "has clearly disregarded Congress's statutory intent by inappropriately inflating all debit card transactions by billions of dollars and failing to provide merchants with multiple unaffiliated networks for each debit card transaction". NACS v. Federal Reserve System, Civil Case No. 11-02075-RJL  (District of Columbia July 31, 2013).  The judge ruled that Fed used data it should not have used under Dodd-Frank in setting a cap on debit card transaction fees.  These fees are known as "swipe" fees.  Judge Leon  traced the history of debit card use in the U.S., but also tracked the ways in which Visa and MasterCard gained a market share exceeding 80%.  The FED's rule or cap permitted each issuer  to receive a fee as high as $0.21 per transaction plus an additional ad valorem amount of five basis points (0.05%). This standard was struck down.  In addition, the ruling dictates a merchant's choice between more than two unaffiliated networks (other than Visa, MasterCard) to increase competition.

 Judge Leon was highly critical of the FED rule making.  The FED was directed to revisit its rule making quickly.  The American Banking Association stated that the ruling would harm all banks "of all sizes".  On August  15, 2013 Judge Leon held a hearing on the remedies which might flow from his ruling.  He stated that not only would retailers bear lower "swipe fees" but retailers might be entitled to substantial refunds of unlawful fees paid.  He also demanded that the FED move quickly on re-writing the rule, stating that FED decision makers "can come back from Nantucket, ...or wherever they are on vacation..." and make decisions on the re-write of the rule.  The FED's General Counsel was directed to reply to the Court in a week concerning the time it would take to revise the rule.  The FED has not disclosed its intentions to appeal.  Judge Leon is an appointee of the first President Bush.  If an appeal is taken the District Judge would have to stay his decision, or on appeal the Circuit Court for the District of Columbia would have to do so.  Although the chances of an appeal to the U.S. Supreme Court is unknown, the FED might note that Judge Leon is a college classmate of Justice Howard Thomas.

Robert P. Tinnin, long time New Mexico labor and employment attorney, noted to me that the recent employment case of Yedidag, M.D. v. Roswell Clinic Corp., decided on July 3, 2013 by the N.M. Court of Appeals should be of concern to employers.  The case if of obvious concern to the medical community, since it holds that Dr. Yedidag could bring a lawsuit if the employer violated the N.M. Review Organization Immunity Act--an important part of the peer review process in hospitals and the medical profession.  But, Bob Tinnin says that the case does not stop there.  Indeed,  he maintains:

The main significance of the case is, of course, to the medical community because of the recognition of a private right of action against peer review organizations. However, the case also conveys a strong message to all employers about implied employment contracts. In this case, there was a strong at will disclaimer in the doctor's employment contract, which the employer argued would trump any implied contract argument under our "at will" doctrine. Without any substantive discussion, the Court summarily dismissed the argument, reinforcing the almost inescapable conclusion to be drawn from all NM appellate decisions in the recent past, that at will is effectively dead in NM because almost any claim of implied employment contract will be submitted to a jury for decision.   

That jury decision in conservative Chavez County resulted in Dr.  Yedidag's receiving $970,000 in actual damages and $3,000,000 in punitive damages.  Such a result should warn any employer that employment contracts need to be reviewed for options when the  at will doctrine is gone.  There are options, but they sometimes are not attractive to business.

Do Good,

Marshall G. Martin
505-982-4611 (office)
505-228-8506 (cell)

Cyber Crime and Cyber Insurance

"I bear no grudges. I have a mind that retains nothing." Bette Midler

Although it is old news, the confirmation of Richard Cordray as Director of the Consumer Financial Protection Bureau saves CFPB from some uncertain times. However, it guarantees that the financial service business will continue to face the certainty of more regulation.

As most business people know, there has been an increase in credit union "member business" lending. At least one, and possibly more, New Mexico credit unions are not subject to the limit on business loans of 12.25% of total assets. They have taken advantage of the NCUA's "low income designation" which permits a credit union with more than 51% low income membership to be exempt from the statuory asset cap on business lending. Indeed, in one case, a New Mexico credit union, New Mexico Educators Federal Credit Union, just made a sizeable loan for the purchase of the Albuquerque Downtown Hyatt and reportedly has made sizeable loans for other business purposes. The credit union is reportedly one of the 2000 credit unions nationwide who have recieved the NCAU low income designation. To the author's knowledge, no state chartered credit union has recieved the low income designation, which must be approved by the state Financial Services Division Director.

Often the most sophisticated security system can be hacked if not frequently updated and checked by good IT security personnel. The criminal computer minds who operate in the cyber shadows can by-pass or invade passwords and other fancy FINCEN requirements.

What do you do? Well, first you should have a competent IT staff well versed in all areas of internet security. But, suppose that all that effort fails on one day and one of your customer's payroll accounts is drained of funds. She does not notice the loss until five days later. Despite your best efforts, the customer sustains a significant loss. Or, for example, a rogue employee takes confidential customer information covered by Gramm-Leach-Bliley's privacy provisions from your system and puts it on his hard drive. He may sell it or just keep it, but you may not be able to discovery what he did with it. (In my experience an overworked and sequestered F.B.I. may not help you at all).

In the first example, your general liability policy may not cover the claim. Your professional liability E&O policy may not cover the claim. Advertising and personal injury coverage may be triggered, but that is not certain. You can be certain of coverage only if you have legal counsel review your policies, in conjunction with your insurance agent. Is this worth it?  If you suffer a hacker attack and your customer loses $500,000, the litigation cost and reputational risk will make that advance review cheap by any measure.  Plus you may find you have other insurance.

In the second example, there is very little chance that the reputational damage, the remediation cost (cost to notify customer) etc., the damage to the data on the system, etc. will be covered by any policy except a Cyber Risk Insurance policy. Any bank should explore Cyber Risk Insurance in this era of cyber crime.

When the coverage surfaced in the last decade it was spotty and claims adjusting was imperfect. In one case, in which the author was consulted, the bank was subject to a rogue employee invading the system and engaging in identity theft. The bank engaged in remediation to customers concerning any loss and gave customers notice that they could have free identity theft protection for a year. However, the claims process was so tedious and expensive to collect that the bank gave up--the cost of meeting picky insurance demands for data exceeded the remediation cost. Since then the claims process has improved.

In many reports of identity theft,  plaintiff have filed class action suits with signficant recoveries. However, bankers should be aware there is no private right of action to sue for breach of the Gramm-Leach-Bliley privacy provisions--a data breach alone may not expose a bank to litigation. However, if the identity theft results in monetary damage to the customer, a customer may have a cause of action for the loss.  Most bank litigation involved to date, involves identity theft in cases where the hackers were able to invade accounts or ATMs and cause monetary loss.

With the right Cyber Risk policy a bank can be covered for data loss, hacker vandalism (not a small risk),remediation, failures of technology or security systems, slander or libel (may be covered elsewhere as well), cyber extortion, and customer loss of funds. A good insurance agent can insure that your Cyber Risk Insurance fits in with the other coverage you have and  to avoid needless costs or over-coverage (although most knowledgeable lawyers would doubt you can be "over-covered").

You may find that you do not need Cyber Risk Insurance.  However, if you do, find out now and not when you have a claim.

My thanks to Charlie Wheeler of Hub International for information on current Cyber Risk Insurance.

Do good.

MARSHALL G MARTIN
Comeau, Maldegen, Templeman & Indall, LLP
505-228-8506 (cell)505-982-4611