Regulators Release Guidance on Private Student Loans With Graduated Repayment Terms at Origination

Katten Muchin Rosenman LLP

On January 29, the federal financial regulatory agencies, in partnership with the State Liaison Committee of the Federal Financial Institutions Examination Council, issued guidance for financial institutions on private student loans with graduated repayment terms at origination. The guidance sets out principles that financial institutions should consider in their policies and procedures for originating private student loans with graduated repayment terms. The principles enunciated in the release issued by the Federal Deposit Insurance Corporation are, in brief, as follows:

  • Ensure orderly repayment. Private student loans should have defined repayment periods and promote orderly repayment over the life of the loans. Graduated repayment terms should ensure timely loan repayment and be appropriately calibrated according to reasonable industry and market standards based on the amount of debt outstanding. Graduated repayment terms should avoid negative amortization or balloon payments.

  • Avoid payment shock. Graduated repayment terms should result in monthly payments that a borrower can meet in a sustained manner over the life of the loan. Graduated increases in a borrower’s monthly payment should begin early in the repayment period and phase in the amortization of the principal balance to limit payment shock to the borrower.

  • Align payment terms with the borrower’s income. Graduated repayment terms should be based on reasonable assumptions about the ability to repay of the borrower and cosigner, if any. Lender underwriting should include an assessment of a borrower’s (and, if applicable, a cosigner’s) ability to repay the highest amortizing payment over the term of the loan.

  • Provide borrowers with clear disclosures. Financial institutions that offer private student loans with graduated repayment terms should provide borrowers with disclosures in compliance with all applicable laws and regulations.

  • Comply with all applicable federal and state consumer laws and regulations and reporting standards. Private student loans with graduated repayment terms must comply with all applicable consumer protection laws. These include, but are not limited to, the Electronic Fund Transfer Act, the Equal Credit Opportunity Act, federal and state prohibitions against unfair, deceptive, or abusive acts or practices, and the Truth in Lending Act.

  • Contact borrowers before reset dates. Before originating private student loans with graduated repayment terms, financial institutions should develop processes for contacting borrowers before the start of the repayment period and before each payment reset date.

The guidance has been criticized by industry representatives as both overly restrictive and opaque. Some representatives questioned the notion of gauging the ability of an 18-year-old college freshman to repay.



European Union’s New Regulation to Attach Bank Accounts Pre and Post Judgment

HMB Chartered B

Applicable as of January 18, 2017, a recently adopted European regulation facilitates cross-border debt recovery by enabling creditors to obtain a “European Account Preservation Order” (the “EAPO”) from a judge in one member state and attach a debtor’s bank accounts in another EU member state without further court proceedings. The EAPO will enable creditors to obtain an order (i) before the creditor initiates proceedings on the merits against the debtor, (ii) at any stage during the proceedings until a judgment or settlement is entered, and (iii) after a judgment or court settlement that requires the debtor to pay a claim. Before a judgment is entered, the national courts that have jurisdiction to rule on the merits will also have jurisdiction to issue an EAPO. If the creditor has already obtained a judgment, then jurisdiction lies with the courts of the member state where the judgment was obtained.

An EAPO is an alternative remedy. The order will only be available in matters that have cross-border implications and may only serve preservation purposes. This means the debtor’s bank account is provisionally frozen and the amount seized is transferred to a dedicated account kept by the competent enforcement authority. To get the pre-judgment order, the creditor must show that he will probably obtain a favorable judgment against the debtor in the proceedings on the merits. No notice is given in seeking the order. The debtor may also not be informed of the order before it is enforced. An EAPO will not apply where claims are against a debtor in bankruptcy and where funds are exempt from attachment under the laws of the member state of enforcement.


Recent Trends in ESOP Litigation — Employee Stock Ownership Plan

There has been a lot of attention in the world of employee ownership plans to the 2014 Supreme Court Decision in Fifth Third Bancorp v. Dudenhoeffer. In that case, the Court ruled that “the law does not create a special presumption favoring ESOP (Employee Stock Ownership Plan) fiduciaries. Rather, the same standard of prudence applies to all ERISA fiduciaries, including ESOP fiduciaries, except that an ESOP fiduciary is under no duty to diversify the ESOP’s holdings.” This ruling overturns the so-called Moench rule that has been applied to plan fiduciaries for certain 401(k) plans investing in company stock and ESOPs. Moench gave a presumption of prudence to plan fiduciaries unless they knew or should have known the company was in dire financial circumstances.

As important as this ruling is, it actually has very little if any impact on the vast majority of ESOPs, over 95% of which are in closely held companies. The ruling is far more important for public companies with 401(k) plans or ESOPs that offer company stock as an investment choice.

First, it is important to distinguish between a statutory ESOP and what courts came, by a rather tortured logic, to call ESOPs—namely any defined contribution plan that had company stock in it. ESOPs were created as part of ERISA in 1974 and given not just the right but the requirement to invest primarily in employer securities. ESOPs were specifically created to encourage employers to share ownership with employees, and over the years Congress has given these plans a number of special tax benefits. Because fiduciaries are required to invest primarily in employer stock, standard fiduciary obligations concerning diversification in retirement plans would be impractical. The Moench presumption was created in a case involving a statutory ESOP.

The large majority of “stock drop” cases, however, have not involved statutory ESOPs, but 401(k) plans that either allowed employees to invest in company stock and/or matched in company stock. Some of these plans required fiduciaries to offer company stock; others made it optional. Defense attorneys argued that these plans were actually “ESOPs” too and were subject to the Moench presumption. Most district and circuit courts bought that argument, although some applied it only when company stock was required. That, I think, was unfortunate and inappropriate. 401(k) plans were never meant to be vehicles for sharing corporate ownership. They are intended to be safe, cost-effective retirement plans. ESOPs are a specific statutory creation with a specific set of rules and purposes.

When reading the Supreme Court decision, as well as the arguments made before the Court, it is also clear that the justices were thinking entirely of public companies. There is virtually no discussion of ESOPs in closely held companies, and the key tests that the Court now requires plaintiffs to meet in stock drop cases largely do not apply to privately held companies. Since the original Moench decision in 1995, we at the National Center for Employee Ownership have only found two cases in closely held companies that were decided even in part based on that presumption.

The Court’s decision in the Fifth Third case laid out three key hurdles for plaintiffs to overcome to prevail. The first states that it is insufficient to argue that fiduciaries should be able to outguess the market based on publicly available information. The second issue is whether decisions to sell company stock in light of inside information could be prudently taken in light of their potential impact on the prices of company stock. Fiduciaries are also not obligated to violate securities laws. Finally, the Court said plaintiffs must allege a reasonable alternative course of action.

In ESOPs in closely held companies, fiduciaries have few options that could form the basis for plaintiffs arguing a plausible course of action. First, the law requires that ESOPs be primarily invested in company stock. Second, the only liquidity options are a company buy-back of shares, which is probably impractical if the company is already in financial distress, or a sale of the company. But a fire sale like that would mean an even lower price for plan participants. As noted in more detail below, none of the presumption of prudence cases has concerned closely held companies, probably because of these issues. Also note that Dudenhoeffer distinguished between relying on inside information to sell company stock (which it classified as illegal insider trading and thus not required by the duty of prudence) and refraining from buying more company stock (which might be a fiduciary violation). The purchase of shares by an ESOP is already subject to substantial statutory and case law requirements, and this decision is unlikely to change the way these cases are contested.

As a result of all this, the prudence presumption has so far not been an issue for closely held ESOP companies in court, and it is likely to remain so, as plaintiffs would have a hard time indicating what fiduciaries should have done. Instead, cases will continue to focus, as they have in the past where problems are alleged, on the initial sale price of the shares to the ESOP, which is determined by the trustee and relies on an outside appraiser. It is possible that the Dudenhoeffer decision may embolden the plaintiffs’ bar to initiate more lawsuits, but we would expect those to continue to be primarily in public companies.

Beyond Fifth Third—ESOPs Law for the 97%

Valuations

The 97% of ESOP companies that are closely held will not be much affected by the Supreme Court decision, but the last 25 years of litigation on ESOPs reveals some important trends that should be considered.

In an analysis by the NCEO of the 224 decisions courts have made on ESOPs in closely held companies between 1990 and 2014, we found that many of the suits involved plan management issues, such as failing to make distributions. The most significant issues, however, concerned valuation, indemnification, and fiduciary duties.

The valuation decisions are mixed. Courts have focused more on process than outcome. Some processes are clearly unacceptable, such as not hiring an independent appraiser or influencing an appraiser’s report. Several key best practices have emerged. A recent settlement between the Department of Labor and GreatBanc Trust in a valuation case (Perez v. GreatBanc Trust Co., 5:12-cv-01648-R-DTB (C.D. Cal., proposed settlement agreement filed June 2, 2014)) set out terms for GreatBanc to follow in future engagements that do a good job of summarizing the trends in the courts.

Key points in the settlement included:

  • Trustees must be able to show that they vetted the independence and qualifications of appraisers carefully.
  • Trustees must show that they have assessed the reasonableness of financial projections given to the appraiser. Some valuation advisors include disclaimers in their engagement agreements that the DOL reads as too broad, in that read literally the valuation advisor can rely on any information it receives from the plan sponsor company without inquiring as to its reasonableness, no matter how unreasonable the information. The use of these disclaimers will not absolve the trustee of responsibility and the trustee should document how the appraisal firm has analyzed just how reliable projections are.
  • The trustee should consider how plan provisions, such as those relating to puts, diversification, and distribution policies, might affect the plan sponsor’s repurchase obligation.
  • The trustee should consider the company’s ability to service the debt if projections are not met.
  • Documentation should be detailed. While documentation of the valuation analysis may appear to be burdensome, making the effort to document the valuation review process at the time of the transaction can only benefit the valuation advisor and the trustee in later years.

Indemnification

The other significant legal development for closely held company ESOPs in recent years concerns indemnification, ironically also in the case involving Sierra Aluminum and GreatBanc. In Harris v. GreatBanc Trust Co., Sierra Aluminum Co., & Sierra Aluminum ESOP, No. 5:12-cv-01648-R (C.D. Cal. Mar. 15, 2013), a district court ruled that GreatBanc could be indemnified for its role as the ESOP fiduciary. The decision is significant in that it occurred in the one circuit (the Ninth) that has taken the position that indemnification should not be allowed, especially in a 100% ESOP. In Johnson v. Couturier, 572 F.3d 1067 (9th Cir. 2009), the court ruled that ESOP plan assets were not distinguishable from company assets. If plaintiffs prevailed but the company’s indemnification had paid out millions in legal fees to defendants (as was the case here), the plaintiffs would have a very hollow victory. In that same circuit, in Fernandez et al. v. K-M Industries Holding Co., No. C 06-7339 CW (N.D. Cal. Aug. 21, 2009), a court held that an indemnification agreement did not apply in the case of a 42% ESOP because, if the alleged ERISA violations concerning an improper valuation were sustained, the indemnification would harm the value of participant stock.

These decisions seemed to make indemnification largely moot, but in the GreatBanc case the court ruled that the regulations under ERISA Section 410 (29 C.F.R. § 2510.3-101(h)(3)) state that in the case of an ESOP, the plan’s assets and the company’s assets are treated as separate. In Couturier, the Harris court noted, the company had already been liquidated and was thus no longer an operating company. The court also distinguished this case from Couturier in that in Couturier, plaintiffs had already shown a likelihood of prevailing on fiduciary charges, something that could not be said of this case. Finally, the indemnification agreement in Couturier carved out only “gross negligence” and “willful misconduct,” with no exception for breaches of fiduciary duty, whereas the agreement here did contain such an exception.

Other courts in other circuits have not weighed in on this issue. Certainly a good argument can be made that if indemnification means that plaintiffs will lose a substantial amount of a settlement agreement because there is no money to pay, it seems compelling indemnification should not apply. That would not be the case if the company had other available assets. In any event, ESOP advisors now caution clients that indemnification may have limited value and that they should rely primarily on adequate fiduciary insurance.

Conclusion

In recent years, the Department of Labor has been more aggressive in pursuing what it perceives as valuation abuses in ESOP companies. While there have been a few more court cases and settlements per year than normal, a typical year finds only a handful of these out of the 6,500 or so ESOPs in closely held companies. A comprehensive study by the NCEO found that the default rate on leveraged ESOPs (those that borrow money to buy stock, which most do) is just 0.2% per year, far below the rate for other LBOs. If valuations really were routinely excessive, this number would be higher, as the debt burden would be unrealistic.

Other ESOP litigation has been relatively mundane, focusing either on administrative errors or the occasional fraudulent behavior. Indemnification could become a more important issue, but companies can (and should) resolve that with proper fiduciary insurance.

The future for company stock in public company retirement plans, mostly 401(k) plans, is far less certain. There has been a steady decline in how many companies offer this and how much those that do rely on it. Even for advocates of employee ownership, however, this is not necessarily a bad thing. Good ESOP companies have secondary diversified retirement plans—in fact, ESOP companies are more likely to have a diversified retirement plan than other companies are to have any plan. That is a best practice we strongly encourage.


New Year to Bring Increased Regulatory Focus on Cybersecurity for Financial Institutions

Having weathered the cybersecurity turbulence of 2014, the financial services sector can look forward to increased regulatory attention from federal, state and non-governmental regulators in 2015. First, in the wake of data breaches at major banks and financial institutions, and drawing upon its mid-2014 “Report on Cyber Security in the Banking Sector,”[1] the New York Department of Financial Services (the “NYDFS” or the “Department”) has announced a New Cybersecurity Examination Process for the banks under its regulatory jurisdiction (the “Examination Letter”). Additionally, the Chairman of the federal Commodity Futures Trading Commission (“CFTC”) has testified before a Senate committee that the CFTC will increase its attention to cybersecurity during its upcoming examinations of clearinghouses and exchanges. Also, the Conference of State Bank Supervisors (“CSBS”) has issued a resource guide for bank executives on cybersecurity that community bank CEOs, senior executives and board members are being strongly encouraged to use to address cybersecurity threats at their banks.

These latest regulatory developments impacting financial institutions will likely affect the cybersecurity policies of other regulators, including enforcement actions against regulated entities that fail to implement adequate cybersecurity programs. Thus, even if your organization is not a financial institution regulated by the NYDFS, CFTC or a state banking regulator, the key takeaways discussed below will provide insight into the types of questions regulators will pose, and offer practical guidance for developing a compliant privacy and data security program to mitigate cybersecurity risks. The December 2014 ruling that retailer Target had an affirmative duty to protect its customers’ personal and financial information illustrates that these pronouncements provide important guidance not just to regulated entities, but to companies generally.

NYDFS’s Examination Letter

On December 10, 2014, the NYDFS issued the Examination Letter to all New York chartered and licensed banking institutions announcing the Department’s new, targeted cybersecurity preparedness assessment. In an effort to promote greater cybersecurity across the financial services industry, the NYDFS warned that it will expand its routine information technology examinations to include cybersecurity. However, as noted in an article in American Banker,[2] the Examination Letter provides no indication that the examinations will differentiate among banks by size, meaning a smaller community bank may be subject to the same cybersecurity requirements as multinational banks with significantly more resources.

The new examination procedures are designed to encourage “all financial institutions to view cybersecurity as an integral aspect of their overall risk management strategy, rather than as a subset of information technology.” According to Benjamin M. Lawsky, Superintendent of the NYDFS, new procedures are also intended to promote a “laser-like focus on this issue by both banks and regulators” given that regulatory examination rankings can have a significant impact on the operations of financial institutions, including their ability to enter into new business lines or make acquisitions.

The Examination Letter notes that the NYDFS will be incorporating the following new security-oriented topics into its pre-examination “First Day Letters” to assist in expediting the Department’s review of financial institutions’ cybersecurity preparedness:[3]

  • Corporate governance, including written information security policies and procedures, and the periodic reevaluation of such policies and procedures in light of changing risks;

  • Cybersecurity incident detection, monitoring and reporting processes;

  • Resources devoted to information security and overall risk management;

  • The risks posed by shared infrastructure;

  • Protections against intrusion, including multifactor or adaptive authentication, and server and database configurations;

  • Information security testing and monitoring, including penetration testing;

  • Training of information security professionals as well as all other personnel;

  • Vetting and management of third-party service providers; and

  • Cybersecurity insurance coverage and other third-party protections.

In addition to the information requested in the First Day Letter, the NYDFS stated that it will schedule IT/cybersecurity examinations following the risk assessments of each financial institution. The new IT/cybersecurity examinations will take a deeper look into the financial institution’s ability to prevent, detect and respond to data breaches and other cyber attacks by requesting:

  • The qualifications of the institution’s Chief Information Security Officer, or the individual otherwise responsible for information security;

  • Copies of the institution’s information security policies and procedures;

  • The institution’s data classification approaches and data access management controls;

  • The institution’s vulnerability management programs, including its consideration of applications, servers, endpoints, mobile, network and other devices;

  • The institution’s patch management program, including how updates, patches and fixes are obtained and disseminated;

  • The institution’s due diligence process regarding information security practices used to vet, select and monitor third-party service providers;

  • Application development standards used by the institution, including the extent to which security and privacy requirements are incorporated into application development processes;

  • The institution’s incident response program, including how incidents are reported, escalated and remediated; and

  • The relationship between information security and the organization’s business continuity program.

The NYDFS’s Examination Letter is essentially a “take-home test” for any New York chartered or licensed banking institution or regulated firm preparing for an NYDFS examination or conducting its own internal audit to strengthen its cybersecurity practices and incident response preparedness. Additionally, although the new examination procedures do not impose cybersecurity requirements on regulated entities per se, the NYDFS is essentially announcing the standards and practices it expects to be adopted in any compliant cybersecurity program. For now, the new cybersecurity examination procedures are limited to banks, but it is likely that the NYDFS will extend these same types of procedures to the other financial services firms it regulates, such as insurance companies and investment companies.

CFTC’s Increased Focus on Cybersecurity

On December 10, 2014, CFTC Chairman Timothy Massad testified before a Senate Agriculture Committee hearing that cybersecurity is “perhaps the single most important new risk to financial stability.” As a result, cybersecurity will become an increasingly important aspect of the CFTC’s oversight for futures and swaps markets.

Chairman Massad testified that the CFTC requires clearinghouses, swap execution facilities, designated contract markets and other market infrastructures to implement system safeguards, which must include four elements: (1) a program of risk analysis and oversight to identify and minimize sources of cyber and operational risks; (2) automated systems that are reliable, secure and scalable; (3) emergency procedures, backup facilities and a business continuity/disaster recovery plan; and (4) regular, objective, independent testing to verify that the system safeguards are sufficient. Each CFTC-regulated entity must also have a risk management program that addresses seven key elements, including information security, systems development, quality assurance and governance. Furthermore, these entities must notify the CFTC promptly of cybersecurity incidents.

Although the CFTC does not conduct independent testing of its cybersecurity requirements, it reviews evidence provided for satisfaction of the requirements. Chairman Massad testified that the CFTC’s upcoming examinations will focus on the following areas:

  • Governance—Are the board of directors and top management devoting sufficient attention to cybersecurity?

  • Resources—Are sufficient resources and capabilities being devoted to monitor and control cyber-related risks across all levels of the organization?

  • Policies and Procedures—Are adequate plans and policies in place to address information security, physical security, system operations and other critical areas? Is the regulated entity actually following its plans and policies, and considering how plans and policies may need to be amended from time to time in light of technological, market or other security developments?

  • Vigilance and Responsiveness to Identified Weaknesses and Problems—If a weakness or deficiency is identified, does the regulated entity take prompt and thorough action to address it? Does it not only fix the immediate problem, but also examine the root causes of the deficiency?[4]

CSBS Guidance for Financial Services Officers and Directors

On December 17, 2014, the CSBS issued “Cybersecurity 101: A Resource Guide for Bank Executives” (the “CSBS Resource Guide”), which is designed to aid chief executive officers, senior executives and board members in their understanding, oversight and implementation of effective cybersecurity programs. The CSBS Resource Guide is organized according to the five core cybersecurity functions of the Commerce Department’s National Institute of Standards and Technology’s Framework for Improving Critical Infrastructure Cybersecurity: (1) identify internal and external cybersecurity risks; (2) protect organizational systems, assets and data; (3) detect systems intrusions, data breaches and unauthorized access; (4) respond to a potential cybersecurity event; and (5) recover from a cybersecurity event by restoring normal operations and services. For each of these core functions, the CSBS Resource Guide provides questions that chief executive officers should ask, as well as training guidance and a model checklist to follow in the event of a data breach.

Takeaways

In light of these developments, banks and other financial institutions should consider undertaking the following steps and customizing them to their specific circumstances and risks:

1. Conducting Periodic Cybersecurity Risk Assessments

  • Identify potential cybersecurity threats (including physical security threats) to security, confidentiality and integrity of personal and other sensitive information (both customer and internal) and related systems;

  • Evaluate effectiveness of current controls in light of identified risks;

  • Prioritize resources, assets and systems corresponding to the nature and level of threats and vulnerabilities, and revise procedures and controls, as necessary and appropriate, to address and mitigate areas of risk; and

  • Determine whether existing insurance policies will cover the threats identified in the risk assessment, and determine whether separate cyber coverage is needed.

2. Evaluating Potential Third-Party Vendor Risks

  • Review due diligence procedures for selecting vendors and procedures for approval/monitoring of vendor access to networks, customer data or other sensitive information;

  • Obtain copies of vendors’ written information security plans or certifications of compliance with applicable standards; and

  • Determine whether contracts with vendors include appropriate security measures, including incident response notification procedures and cyber insurance coverage.

3. Developing and Periodically Testing a Comprehensive Incident Response Plan

  • Implement a comprehensive, written incident response plan to respond proactively to actual or suspected cybersecurity events; and

  • Conduct periodic “table top” exercises of mock cybersecurity events with IT, legal, compliance, human resources and other business stakeholders.


[1] See http://www.dfs.ny.gov/about/press2014/pr1405061.htm
[2] See http://www.americanbanker.com/news/bank-technology/new-york-cybersecurity-exams-will-be-tougher-than-ffiecs-1071603-1.html
[3] The NYDFS’s new cybersecurity questions and topics are similar to the comprehensive cybersecurity questionnaire attached to the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations’ (“OCIE”) Risk Alert, issued on April 15, 2014, as part of the OCIE’s cybersecurity examinations of registered investment advisors and broker-dealers.
[4] The NYDFS and the CFTC are certainly not the only banking and financial services regulators that have intensified their focus on cybersecurity. Indeed, during her December 10, 2014 testimony before the U.S. Senate Committee on Banking, Housing and Urban Affairs, Valerie Abend, chair of the Federal Financial Institutions Examination Council (“FFIEC”) Cybersecurity and Critical Infrastructure Working Group, said the FFIEC’s interagency cybersecurity guidelines “require banks to develop and implement formal information security programs that are tailored to a bank’s assessment of the risks it faces, including internal and external threats to customer information and any method used to access, collect, store, use, transmit, protect, or dispose of the information.”

Four Ways For A Financial Institution To Minimize Losses Related To A Data Breach

vonBriesen

The explosive growth of electronic credit and debit card transactions has increased the possibility of data breaches for financial institutions. The ongoing data breach litigation by financial institutions against Target is just one example of what could be the new normal with card-swipe electronic transactions now dominating commerce: according to Javelin Strategy and Research, only about twenty-five percent (25%) of point-of-purchase sales are currently made with cash, and that percentage is expected to continue to decline in the coming years.

This surge has been beneficial to the bottom line of many financial institutions, but the spike in electronic transactions has also increased the potential for data breaches and related liability. According to the Ponemon Institute’s 2014 Cost of Data Breach Study: Global Analysis,[1] the average cost of a data theft from financial services companies in 2013 was $236 per customer account. The primary reason for the increase is the loss of customers following the data breach. Financial services providers continue to be most susceptible to high rates of customer defections as a result of data breaches. (Ponemon, 2014)

As the volume of electronic transactions has increased, hackers and cybercriminals have become more sophisticated and successful, as evidenced by recent high-profile data breaches involving Target, Neiman Marcus, eBay, and Jimmy John’s. While mega-breaches tend to grab the headlines, most data losses involve fewer than 10,000 customer records. (Ponemon, 2014) Nonetheless, these data losses can be costly, averaging $5.9 million per breach incident in 2013. (Ponemon, 2014)

What can financial institutions do to minimize their losses, when both large and small institutions can fall victim? Below are four proactive steps that may be taken by any size institution:

1. Preparation

Statistically, four factors are most important to reducing the cost of a data breach: a strong pre-incident security posture, a current incident response plan, business continuity management involvement, and leadership by a Chief Information Security Officer. Together, these can reduce the per capita cost of a data breach as much as 30%. (Ponemon, 2014) Good preparation should also include data security audits and breach response exercises to test preparedness.

2. Purchasing Data Breach and Other Insurance

One in three companies has insurance to protect against data breach losses (Marsh LLC, Benchmarking Trends: Interest in Cyber Insurance Continues to Climb, 2014)2. Covered risks typically include disclosure of confidential data, malicious or accidental loss of data, introduction of malicious codes or viruses, crisis management and public relations expenses, business interruption expenses, and data or system restoration. In 2013, cyber insurance policies sold to retailers, hospitals, banks, and other businesses jumped significantly. (Marsh LLC, 2014) Given the potentially tremendous costs associated with a data breach, cyber insurance policies are no longer a niche or specialty product, and are quickly becoming a necessity in the financial services industry and a key component of risk management for financial institutions.

In addition to policies specifically covering data breaches, it is important to consider whether an institution’s losses may be covered under the terms of an existing policy. Some courts have found that traditional policies include coverage for data breach claims. In Netscape Communications Corp. v. Federal Insurance Co., decided in 2009, the Ninth Circuit Court of Appeals held that personal and advertising injury coverage in a commercial general liability (“CGL”) policy applied to claims alleging that the insured had violated the plaintiff’s right of privacy in private online communications. In Retail Ventures, Inc. v. National Union Fire Insurance Co., the Sixth Circuit Court of Appeals found that coverage may also apply under a financial institution’s crime policy. In WMS Industries, Inc. v. Federal Insurance Co., the Fifth Circuit Court of Appeals affirmed the district court’s holding that all-risk and first-party property policies may provide coverage for data damage and business interruption arising out of data breaches. Lastly, in Retail Systems, Inc. v. CNA Insurance Companies, the Minnesota Court of Appeals found that an insured’s loss of a computer tape containing third-party data was “property damage” and, therefore, was covered by CGL insurance.

Even if there may be a question as to whether coverage is available, notice of the breach should be given to the insurer immediately. Financial institutions should consider consulting with their insurance providers to confirm whether or not their standard policies cover data breaches and, if so, whether there are any coverage limits or exclusions. “Too often, the close scrutiny of policy coverage does not occur until after a claim is made. This makes misunderstanding and disappointment a distinct, and potentially costly, risk. Even sophisticated companies stumble. In 2011, SONY suffered a series of cyber security breaches affecting data in its online gaming systems. The SONY insurer said the company did not have a cyber insurance policy, that SONY’s existing policies only covered tangible property damage, not cyber incidents, and therefore the insurer would not provide any coverage for the company’s nearly $200 million loss. SONY spokespersons contested these statements, expressing their belief that at least some of the losses were covered.” (Mark F. Foley, Digital Lex: Insurance Coverage for the Cyber World (Feb. 19, 2013), at http://www.WTNNews.com. See Insurance Against Cyber Attacks Expected to Boom, New York Times online, December 23, 2011)

Banks, or their counsel, should also proactively review vendor or third-party contractor agreements to confirm that the vendor or third party contractor has an obligation to indemnify the financial institution for losses related to a data breach, and that the financial institution is named as an additional insured under the vendor’s or third-party contractor’s insurance policy covering such breaches. Contracts that do not provide these protections should be updated.

3. Using Regulatory Tools and Guidance

In September 2014, FDIC Chairman Martin Gruenberg stated that “internet cyber threats have rapidly become the most urgent category of technological challenges facing our banks.” As a result, the FDIC now defines cybersecurity as “an issue of highest importance” for itself and the Federal Financial Institutions Examination Council.

The FFIEC recently formed a Cybersecurity and Critical Infrastructure Working Group that works with the intelligence community, law enforcement and the Department of Homeland Security on cybersecurity issues. The Working Group is currently assessing the banking sector’s preparedness to combat and respond to cybersecurity threats. The report will include a regulatory self-assessment to evaluate readiness and identify areas requiring additional attention.

The FDIC also created a “Cyber Challenge” online resource that features videos and a simulation exercise. As part of this effort, the FDIC also requires third-party technology service providers (TSPs) to update financial institutions on operational threats the FDIC identifies at a TSP during an examination.

The rollout of these resources, coupled with the recent guidance from the OCC and the Fed regarding the management of third party relationships (for a more in-depth discussion, please see our January 2014 Commercial Law Update, “Managing Third Party Relationships: New Regulatory Guidance for Banks“), demonstrates the increased scrutiny regulators are giving to these issues and why they are hot-button topics for financial institutions to tackle.

4. Filing Lawsuits Against Parties Responsible for Data Breaches

A recent example of financial institutions going on the offensive with regard to a data breach by a service provider is the lawsuit brought by several banks against Target, In re Target Corporation Customer Data Security Breach Litigation, Case No. 14-md-02522, which is currently pending in Minnesota federal district court. The banks are seeking class-action status for banks across the country arising out of the compromise of at least 40 million credit cards, which affected up to 110 million people whose personal information, such as email addresses and phone numbers, were stolen.

The banks seek millions of dollars of damages to recover money spent reimbursing fraudulent charges and issuing new credit and debit cards.

The court recently denied Target’s motion to dismiss all of the claims, concluding that Target played a “key role” in the data breach. In denying the motion, the court held that “Plaintiffs have plausibly alleged that Target’s actions and inactions – disabling certain security features and failing to heed the warning signs as the hackers’ attack began – caused foreseeable harm to plaintiffs” and also concluded that “Plaintiffs have also plausibly alleged that Target’s conduct both caused and exacerbated the harm they suffered.” At this stage, the banks are proceeding with claims for negligence and violations of Minnesota’s Plastic Security Card Act.

As illustrated by the Target litigation, if losses are not covered by insurance or if the institution otherwise cannot be made whole, a financial institution should consider trying to recover damages through litigation. However, the Target case is still being litigated, and the law is not settled as to whether third parties, such as merchants who process credit and debit cards, may be held liable to an issuing financial institution for damages arising out of the merchant’s data breach.

Financial institutions would be well-served by utilizing these resources to protect against cyber attacks and should keep a close eye on upcoming regulatory guidance in this area as it is clear that the regulators are focusing on ways to protect against, and minimize the number of, data breaches and their effect on financial institutions.

Currency Conversion Concerns: New York Issues Guidance on Virtual Currencies

Mcdermott Will Emery Law Firm

On December 5, 2014, the New York Department of Taxation and Finance (Department) released TSB-M-14(5)C, (7)I, (17)S.  This (relatively short) bulletin sets forth the treatment of convertible virtual currency for sales, corporation and personal income tax purposes.  The bulletin follows on a notice released by the Internal Revenue Service (IRS) in March of this year, Notice 2014-21.

The IRS Notice indicates that, for federal tax purposes, the IRS will treat virtual currency as property, and will not treat it as currency for purposes of foreign currency gains or losses.  Taxpayers must convert virtual currency into U.S. dollars when determining whether there has been a gain or loss on transactions involving the currency.  When receiving virtual currency as payment, either for goods and services or as compensation, the virtual currency is converted into U.S. dollars (based on the fair market value of the virtual currency at the time of receipt) to determine the value of the payment.

The IRS Notice only relates to “convertible virtual currency.”  Virtual currency is defined as a “digital representation of value that functions as a medium of exchange, a unit of account, and/or a store of value.”  Convertible virtual currency is virtual currency that “has an equivalent value in real currency, or that acts as a substitute for real currency.”

The Department’s bulletin also addresses only convertible virtual currency, and uses a definition identical to the IRS definition.  The Department indicates that it will follow the federal treatment of virtual currency for purposes of the corporation tax and personal income tax.

For sales and use tax purposes, the bulletin states that convertible virtual currency is intangible property and therefore not subject to tax.  Thus, the transfer of virtual currency itself is not subject to tax.  However, the exchange of virtual currency for products and services will be treated as a barter transaction, and the amount of tax due is calculated based on the fair market value of the virtual currency at the time of the exchange.

The Department should be applauded for issuing guidance on virtual currency.  It appears that these types of currencies will be used more and more in the future, and may present difficult tax issues.

However, the Department’s guidance is incomplete.  There are a couple of unanswered questions that taxpayers will still need to ponder.

First, the definition of convertible virtual currency is somewhat broad and unclear.  The Department and the IRS define “convertible” virtual currency as currency that has an “equivalent” value in real currency, but equivalent is not defined in either the IRS Notice or the bulletin.  Many digital products and services use virtual currency or points that cannot be legally exchanged for currency to reward users, and the IRS and the Department should be clearer about the tax treatment of those currencies.

Second, although the Department will follow the federal treatment for characterization and income recognition purposes, the bulletin does not discuss apportionment.  This is likely a very small issue at this point in time, but the Department will, some day, need to address how receipts from gains in the exchange of virtual convertible currencies are apportioned.

Virtual currencies will create issues not only in the tax world, but also in the unclaimed property world.  The Uniform Law Commission has begun its efforts to rewrite the Uniform Unclaimed Property Act, and the treatment of virtual currency will be an issue discussed during the rewrite.  Companies that use virtual currencies, convertible or not, should follow the rewriting process to make sure the drafters are informed of all of the issues these companies will face.

Former JPMorgan Chase Insider Blows the Whistle

Matt Taibbi of Rolling Stone recently profiled the woman JPMorgan Chase paid one of the largest fines in American history to keep from talking in his article, The $9 Billion Witness: Meet JPMorgan Chase’s Worst Nightmare. Alayne Fleischmann, a former Chase manager, revealed the true reason why JPMorgan Chase settled the claims brought by the DOJ for such a seemingly staggering amount — cash in exchange for secrecy.

On the eve of a civil complaint being filed against Chase, Jamie Dimon called federal prosecutors and negotiated a quiet resolution, keeping many details regarding Chase’s misconduct hidden from the public. Expecting to be called as a key witness in a criminal prosecution against Chase executive officers, Fleischmann says that she was stood up by the government, despite her ability to present ample evidence with time remaining before the statute of limitations expired on a claim for wire fraud. By coming forward now, Fleischmann seeks to prevent the “biggest financial cover-up in history.”

No longer muzzled by the fear of retribution, Fleischmann tells the story of what she calls a “massive criminal securities fraud” that Chase’s stipulated Statement of Facts (part of its public settlement with the DOJ) only hints at. As a transaction manager, Fleischmann functioned as a quality-control officer ensuring that lower quality “scratch and dent” loan products were not cleared to be re-sold and securitized into mortgage pools marketed as being above subprime. However, Fleischmann contends that is exactly what occurred despite her numerous attempts to alert and dissuade her supervisors. Fleischmann was then laid off in February 2008.

Fleischmann states that despite initial reports by her colleagues advising superiors that the loans being re-sold contained a high incidence of “material misrepresentations” due to overstated income, diligence managers pressured the team until loans began to clear. Perhaps most indicative of the fact that Chase knew what it was doing and intended on keeping its misdeeds secret was what Fleischmann referred to as a “no e-mail” policy. After speaking with the DOJ, Fleischmann realized that the government intended on using the new evidence that she could provide as leverage in negotiations to extract a larger settlement from Chase in order to keep her testimony concealed.

Significance of Chase’s Misconduct for Correspondent Lenders

Despite its lack of specifics in some respects, Chase’s 10-and-a-half-page Statement of Facts to its settlement with the DOJ can be cited by correspondent lenders in defending mortgage put-back cases brought by Chase. Contrary to the position it takes in many ongoing buyback cases, Chase acknowledged its widespread practice of conducting pre-purchase quality control reviews prior to acquiring loans from originators and re-selling or securitizing its loan products. Moreover, Chase often deliberately purchased loans it knew or suspected were non-compliant with its own guidelines without regard for the ability of correspondent lenders to bear the burden of repurchasing defaulted loans, and without regard for its obligation to timely notify correspondent lenders of defects.  These facts have numerous potentially favorable implications for parties fighting repurchase and make-whole claims made by Chase.

SEC Sanctions Operator of Unregistered Virtual Currency Exchanges

Katten Muchin Law Firm

On December 8, the Securities and Exchange Commission sanctioned a computer programmer for operating two online exchanges that traded securities using virtual currencies without registering them as broker-dealers or stock exchanges. The programmer, Ethan Burnside, operated the two exchanges through his company, BTC Trading Corp., from August 2012 to October 2013. Account holders were able to purchase securities in virtual currency businesses using bitcoins on BTC Virtual Stock Exchange and using litecoins on LTC-Global Virtual Stock Exchange. The exchanges were not registered as broker-dealers but solicited the public to open accounts and trade securities. The exchanges also were not registered as stock exchanges but enlisted issuers to offer securities to the public for purchase and sale. Burnside also offered shares in LTC-Global Virtual Stock Exchange itself, as well as interests in a separate Litecoin mining venture, LTC-Mining, in exchange for virtual currencies. The SEC charged Burnside with willful violations of Sections 5(a) and 5(c) of the Securities Act of 1933 and Burnside and BTC Trading Corp. with willful violations of Sections 5 and 15(a) of the Securities Exchange Act of 1934. Burnside cooperated with the SEC’s investigation and settled, paying more than $68,000 in profits plus interest and a penalty. The SEC also barred Burnside from the securities industry.

The action may indicate that the SEC is taking a closer look at decentralized platforms for trading virtual currency using cryptocurrency technology, but the SEC has neither confirmed nor denied such speculation. In recent months, the SEC has reportedly sent voluntary information requests to companies and online “crypto-equity exchanges” offering equity and related interests denominated in virtual currency and websites offering digital tokens for programming platforms. A discussion of the SEC’s voluntary information sweep is available here.

Click here to read the SEC Press Release and here to read the SEC order.

Court-Appointed Experts: The Future of Litigation?

After black-market dealing for approximately two years in relative anonymity, the secretive Silk Road drug-dispensing site was targeted by U.S. federal authorities and was subsequently shut down. Its alleged owner and operator was arrested.

However, one lawyer and technology expert is claiming that the FBI is lying about how it found the Silk Road server that allowed authorities to seize the site as well as millions of dollars in cyber coinage. It is a complicated question of computer evidence, one which the courts may not be capable of fully understanding.

As the worlds of cybercrime, criminal law, economics, and evidence continue to collide, the technological war between law enforcement and crypto-criminals is requiring prosecutors to enter a new realm of trial advocacy and courtroom tactics – one in which tech experts and computer specialists are vital for judicial clarity and jury instructions.

At a time when iron bars and jailhouse walls can do little to stop crimes and communications from taking place over the intangible and worldwide web connections, stopping cybercrime is one thing, but explaining it to a judge or jury is a much different task.

From Drug Money to Bona Fide Bitcoins

Earlier this month, after Silk Road 2.0’s alleged owner and operator, Blake “Defcon” Benthall, was arrested by the FBI, the defendant reportedly began tweeting, just hours after his arrest, from jail and requesting bitcoin donations. Many law enforcement officials didn’t even know what this meant or what the defendant was soliciting.

Bitcoin is a form of cryptocurrency that has garnered international recognition in the last couple of years after it was revealed to be the form of monetary tender used to purchase drugs from the original Silk Road website.

However, the currency also opened the eyes of legitimate businessmen, economists, and financial experts as well – some of whom believe that bitcoin and other cryptocurrencies could become the money form of the future. Our BullsEye blog examined the world of bitcoins in a March 2014 article entitled “What The #!$% Is Bitcoin?”

Three months after that article’s publication, the U.S. Marshals Service held an online auction and sold nearly 30,000 of the bitcoins it had seized from Silk Road. At the time, the value was approximately $18 million. They were purchased by American venture capitalist Tim Draper, who has just brought in former SEC Chairman Arthur Levitt as an advisor for his new bitcoin-investor platform rebranded as “Mirror.”

The FBI, however, claims that the auctioned bitcoins that Draper purchased represent less than a quarter of those seized from Silk Road and its alleged mastermind Ross William Ulbricht. Thirty-year-old Ulbricht, of Austin, Texas, is alleged to be the original Silk Road founder, who called himself “Dread Pirate Roberts,” named after the sword-wielding character in the movie The Princess Bride.

In a September 2013 interview with Forbes magazine, the libertarian-minded Dread Pirate Roberts is quoted as saying, “We’ve won the State’s War on Drugs because of Bitcoin.”

Ulbricht was arrested in San Francisco just days after the article was published. He was charged with money laundering, computer hacking, conspiracy to traffic narcotics, and attempted murder of witnesses. His federal trial is expected to begin in January in Manhattan.

The FBI said that it is holding on to the 144,342 bitcoins seized from Ulbricht’s computer until after the resolution of the criminal trial. Presumably, if Ulbricht is convicted and the seizure is deemed valid, the bitcoins will be auctioned off to the public. The approximate value of that cache of bitcoins is over $56 million today.

Cybercrime Confusing Courts

Expert witness and attorney Joshua J. Horowitz, however, claims in court documents released last month that the FBI is lying about how it accessed the Silk Road back-end server. In an 18-page declaration filed with the U.S. District Court for the Southern District of New York, Horowitz writes about “Nginx access logs,” “tarball mtimes” and “phpmyadmin virtual host site configurations,” claiming that he can show that the FBI could not have infiltrated Silk Road via the manner that it claims in the indictment and other court documents.

“[B]ased on the Silk Road Server’s configuration files provided in discovery, former Special Agent [Christopher] Tarbell’s explanation of how the FBI discovered the server’s IP address is implausible,” Horowitz states.

However, much of Horowitz’s technologically sophisticated declaration is unreadable and incomprehensible to an average attorney or jurist. With many of these issues being evidentiary in nature, the question of whether certain physical evidence is admitted at trial will be left up to one judge.

How will a federal judge – many of whom were middle-aged well before Steve Jobs and Steve Wozniak began tinkering away inside a garage in 1976 – be capable of ruling on these evidentiary issues based on court documents and legal arguments that are communicated in a specialized, seemingly foreign, language?

“The critical configuration lines from the live-ssl file are: ‘allow 127.0.0.1; allow 62.75.246.20; deny all;.’ These lines tell the web server to allow access from IP addresses 127.0.0.1 and 65.75.246.20, and to deny all other IP addresses from connecting to the web server.… Based on this configuration, it would have been impossible for Special Agent Tarbell to access the portion of the .49 server containing the Silk Road market data, including a portion of the login page, simply by entering the IP address of the server in his browser,” Horowitz writes, seemingly in an attempt to “dumb down” the explanation of the process.

While the Kentucky-born, Yale-educated U.S. District Judge J. Paul Oetken is very young compared to his life-appointed colleagues, to assume that the 49-year-old jurist (or even his law clerk) can understand even the basics of Horowitz’s argument is unlikely. In order for him to rule on these evidentiary issues properly, one would assume that technology experts will need to be hired by the courts to examine the specific allegations and pretrial disputes.

Unlike the decision to admit or deny expert witnesses in federal court, during which the judge must determine whether the witness is qualified enough to proffer evidence to the jury, the decision to entirely admit or deny the actual physical evidence that was searched and seized is solely up to the judge. In the case of the Ulbricht prosecution, one would assume that allowing the FBI’s evidence gathered from the Silk Road site to be admissible at trial would be far more critical than any other issues presented before the jury once the evidence is deemed admissible.

This will not be an easy decision for the judge.

“The active phpmyadmin configuration file contained in Item 1 of discovery contains the following lines: ‘listen 80; root /usr/share/phpmyadmin; allow 127.0.0.1;.’ These lines direct the phpmyadmin virtual host to listen on port 80, which is the standard port for web traffic, and also tells Nginx to serve files from the phpmyadmin folder. The absence of ‘deny all’ means that it would be possible for an IP address outside the Tor network to connect to the .49 server. However, an IP address outside the Tor network would have been able to access only the login page for phpmyadmin and the files contained in the phpmyadmin folder, not any part of the Silk Road market or even the login screen, as claimed in the Tarbell Declaration,” Horowitz explains further.
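As an added example (not part of the article or of the declaration it quotes), the following Python evaluator applies nginx-style allow/deny rules the way the access module does, first match wins and no match means the request is allowed, to the two configuration fragments quoted above. The client addresses and the `evaluate` and `has_default_deny` helpers are constructed for illustration; the rule parsing is a simplification that handles plain IPs, CIDR blocks and `all` only.

```python
"""Evaluate nginx allow/deny access rules.

Semantics modelled (simplified from ngx_http_access_module):
  * rules are checked in the order written, first match decides;
  * if no rule matches, access is granted.
Unsupported here: 'unix:' targets, nested location inheritance.
"""
import ipaddress
import re
from typing import List, Tuple

Rule = Tuple[str, str]  # ("allow" | "deny", "<ip>" | "<cidr>" | "all")

# Matches "allow 10.0.0.1;", "deny 10.0.0.0/8;", "deny all;" etc.
_DIRECTIVE_RE = re.compile(r"\b(allow|deny)\s+([^\s;]+)\s*;")


def parse_access_rules(config_text: str) -> List[Rule]:
    """Return (action, target) pairs in source order, ignoring other directives
    (listen, root, ...) and '#' comments."""
    stripped = "\n".join(line.split("#", 1)[0] for line in config_text.splitlines())
    return [(m.group(1), m.group(2)) for m in _DIRECTIVE_RE.finditer(stripped)]


def _matches(target: str, client_ip: str) -> bool:
    """True when the client address falls under the rule target."""
    if target == "all":
        return True
    client = ipaddress.ip_address(client_ip)
    net = ipaddress.ip_network(target, strict=False)  # bare IP becomes /32 or /128
    return client.version == net.version and client in net


def is_allowed(rules: List[Rule], client_ip: str) -> bool:
    """First matching rule wins; with no match nginx grants access."""
    for action, target in rules:
        if _matches(target, client_ip):
            return action == "allow"
    return True


def has_default_deny(rules: List[Rule]) -> bool:
    """Defender's check: is there a catch-all 'deny all' closing the rule set?"""
    return any(action == "deny" and target == "all" for action, target in rules)


def evaluate(config_text: str, client_ip: str) -> bool:
    return is_allowed(parse_access_rules(config_text), client_ip)


# The two fragments quoted in the declaration above.
LIVE_SSL_RULES = "allow 127.0.0.1; allow 62.75.246.20; deny all;"
PHPMYADMIN_VHOST = "listen 80; root /usr/share/phpmyadmin; allow 127.0.0.1;"

# Constructed sample client: an address outside the allow list.
OUTSIDE_CLIENT = "198.51.100.7"

if __name__ == "__main__":
    for name, cfg in (("live-ssl", LIVE_SSL_RULES), ("phpmyadmin", PHPMYADMIN_VHOST)):
        rules = parse_access_rules(cfg)
        print(f"{name}: rules={rules}")
        print(f"  loopback allowed:  {is_allowed(rules, '127.0.0.1')}")
        print(f"  outside allowed:   {is_allowed(rules, OUTSIDE_CLIENT)}")
        print(f"  has 'deny all':    {has_default_deny(rules)}")
```

The phpmyadmin fragment reports `outside allowed: True` precisely because it lacks `deny all`, which is the gap the declaration describes; adding `deny all;` after the `allow` line closes it.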

If Judge Oetken thinks this is confusing, just wait until the experts start explaining what a bitcoin is.

When it comes to complicated technological issues that are procedural in nature and that are therefore not intended for the jury, will courts now need to hire experts to explain and inform judges? Or do today’s judges really have no business making these highly specialized decisions on evidence?

Attend the 2nd Annual Bank and Capital Markets Tax Institute West – December 2-3 in San Francisco

The National Law Review is pleased to give you information on the 2nd Annual Bank and Capital Markets Tax Institute West, December 2-3, San Francisco, CA.

Register today!

WHEN

December 2-3, 2014

WHERE

San Francisco, CA

Due to the success of last year’s first ever west coast Bank and Capital Markets Tax Institute (BTI), we are proud to announce that BTI West will be coming back for a second year! For 48 years the annual BTI East in Orlando has provided bank and tax professionals from financial institutions and accounting firms in-depth analysis and practical solutions to the most pressing issues facing the industry, and from now on professionals on the west coast can expect the same benefits on a regular basis.

The tax landscape is continually changing; you need to know how these changes affect your organization and identify the most efficient and effective plan of action. At BTI West you will have access to the same exceptional content, networking opportunities and educational value that have made the annual BTI East the benchmark event for this industry.

In an industry that thrives on both coasts, we will continue to offer exceptional educational and networking opportunities to ALL of the hard-working banking and tax professionals across the country. Join us at the 2nd Annual Bank and Capital Markets Tax Institute WEST, where essential updates will be provided on key industry topics such as General Banking, Community Banking, GAAP, Tax and Regulatory Reporting, and much more.