About

Comment Policy

Disclaimer

Bankerstuff Webinars

Sponsored Links

Share or Subscribe

Add me to your TypePad People list

Search BLB


  • Google

Banking Blogs

Law Bloggers

Stats

Blog powered by TypePad
Member since 03/2004

Outsourcing

August 07, 2011

Vendor Management: Another Regulatory Pressure Point

Pressure Vendor management has been a topic this blog has been gassing about since its earliest days. You'd think that by now, the subject would be "old hat." Unfortunately for bankers who fell asleep at the vendor management wheel, it's an evergreen source of regulatory sanctions.

Bank Safety and Soundness Advisor's Aaron Steinberg (sorry, a paid subscription is required) recently pointed out that regulatory interest in vendor management is on the rise because "you can outsource a process – but you cannot outsource the risk."

The immediate cause of this rising concern might be the loan servicing debacle that's made so many bad headlines for bumbling loan servicers, many of them the nation's largest too-big-to-fail banks. Unfortunately, it's raised a red flag with bank regulators, a flag that's likely to have examiners parsing the nuances of the vendor management programs of banks both large and small. As consultant Eric Holmquist warns, the topic is likely to be "one of the top items of focus this year when it comes to risk governance." Just what overburdened community bankers needed to hear, eh?

Other observers offer up the idea that community banks ought to take this increased scrutiny as an opportunity to save themselves some money.

Third party costs, separate from payroll, are among the heaviest for community banks, averaging 30% to 40% of non-interest expense. That presents opportunities for cost-cutting and improved efficiencies. With the economy still struggling, vendors may be willing to negotiate with you on price to hang on to your business as tough times continue.

“This is about taking the opportunity, which has been created by some regulatory requirements, to get back to some sound business practices,” says Paroon Chadha, co-founder and vice president of Passageways, an Indiana firm that provides vendor management and other services to credit unions and community banks. “If you can improve performance for 40% of your spending, that is easily the most underutilized opportunity you have in your playbook.”

“Most institutions are focused on ensuring that they meet regulatory guidelines. It boils down to a compliance activity,” says Rock Carter, chief executive of Credit Union Vendor Management, a Colorado-based firm that provides vendor management services to credit unions. “There is a hard dollar advantage to managing vendor relationships in a way that goes beyond the minimum to meet regulatory guidelines.”

“When you manage that vendor … you will often see these results in terms of enhanced service levels,” Carter says. “If you are on auto pilot, you are not going to see that the commitments made at sales time have gone unfulfilled.”

One of our clients is currently employing the services of a consulting firm to scour all of its third party vendor arrangements for cost savings and other areas of "improvement." Such consultants retain a percentage of the cost savings, so they're incentivized to maximize the reduction of expenses. Vendors hate to see those guys walking in the door, but life is tough all over these days, so they learn to live with it.

If you've got to live with the lemon of more regulatory scrutiny, you might as well use the occasion to try to make some lemonade.

09:48 PM in Compliance, Contracts, FFIEC, Outsourcing, Risk Management | | TrackBack (0)

December 09, 2010

Mortgage Brokers Are Checking Out

Time_is_running_out Last year, we detailed Colorado's "crisis" with respect to the "deactiviation" of mortgage brokerage licenses in that state because so many of the brokers couldn't pass a basic skills test. Colorado wasn't alone, inasmuch as previous posts over the last few years have related similar problems in Texas and Washington.

We learned yesterday that Florida is having its own mortgage broker fallout problem, but in the Sunshine State's case it's not due to dummies failing a test but because they haven't bothered to apply for a license under the new stringent licensing requirements mandated by the S.A.F.E. Act.

Less than 25 percent of mortgage industry professionals in Florida have submitted an application to the state to obtain licensing under new guidelines that will be implemented on January 1. With less than a month to go before more stringent requirements take effect, the state is now concerned that mortgage brokers throughout the state could find themselves ineligible to work.

[...]

The state said only 14 percent of the licensed mortgage companies and 23 percent of the licensed mortgage company branches in the state have submitted applications.

Those who submit applications after December 31 could be forced to wait up to three months to have new applications approved.

Maybe it's just me, but there appears to be a severe morale problem in the mortgage brokerage business. Perhaps that's due to the fact that since the subprime meltdown in 2007 and the general economic collapse in the fall of 2008, the mortgage business has...how shall we put it delicately..."sucked." We don't mean "sucked" in the sense that you might inhale somewhat more  vigorously after a brisk 10-minute walk to Starbucks. No, we mean "sucked" with force sufficient to draw a golf ball through six feet of garden hose.

The reason that mortgage brokers aren't re-taking educational tests or applying for a new license might just be that many of them have found other useful employment, such as asking me whether I'd like "fries with that" or "a blueberry scone to go with that latte."  Perhaps I'm wrong, but I think these phenomena are due more to mortgage brokers having left the mortgage business in droves so they can earn a steady income than they are to some total ignorance of regulatory requirements or space aliens shooting their heads full of pellets that cause a sudden onset of Asperger's syndrome. If it turns out that, all of a sudden, the mortgage lending needs of Joe and Jane Sixpack are not being adequately served, we can always find some folks offshore, like the very polite and efficient customer service representative I spoke to yesterday on a technology problem and who identified himself, without cracking up once, as "Brandon" (but who definitely sounded more like "Mujibar") to fill in the gaps until our home-grown mortgage brokers get their collective act together again. 

09:21 PM in Compliance, Employment, Federal Legislation, Lending, Life (In General), Mortgage Banking, Outsourcing, State Law, The Economy | | TrackBack (0)

January 05, 2010

Too Little, Too Late

Experts consulted by Atlanta Business Chronicle reporter J. Scott Trubey tell like it too often is: small banks often wait too long to deal with problem commercial loans and, by the time they do finally address the problem loans, they lack the internal skill set to deal with them properly. Georgia is ground zero for this issue, with 30 banks in the state having already failed and with over a third of the state's banks under regulatory enforcement orders of some sort.

Small lenders, with limited personnel, often do not have talent with the depth of experience to handle the complexity and sheer volume of problems the current financial crisis has thrown at them, experts say.

Some are turning instead to outside consultants who are resorting to creative measures to salvage value out of busted real estate bets.

[...]

“What you’ll find with lenders is they’ll drag their feet and drag their feet until their problems catch up to them,” said Joe Waites, a bank consultant and partner with Minerva Consulting LLC. “[Small banks] don’t have the talent and in most cases they don’t have the right resources.”

Small banks by their nature are deeply embedded in their communities. Often borrowers and bankers go to the same church or golf club and their children play on the same soccer team. They need independent, third parties to make the hard choices, while not breaking those bonds.

“You can’t convert lenders into workout experts,” Waites said. Lenders spend months and years building relationships with borrowers. When the loan starts to sour, the bank itself may not see that the loan is going south until it’s too late.

“Literally the losses get larger and larger,” Waites said.

As commercial real estate problems continue to worsen, the prospects are only going to get bleaker for those banks that play "wait and pray."

The next wave — commercial real estate — will also hit community banks that bet on retail centers and small office buildings.

With vacancy rising and property values falling, many underwater borrowers will need to inject equity to keep projects alive, Waites said.

According to industry sources, many banks have not been proactive and engaging their borrowers to find workout solutions before problems worsen.

This is one area where thinking you can handle whatever comes down the tracks may very well result in you being run over. Even if a community bank with problem commercial loans thinks it can weather the storm without hiring outside help, it might be worthwhile to talk to outside consultants who have a track record of dealing with troubled assets (there are a number of folks who gained much hard-earned expertise during the mid-60-late 1980s and early 1990s and who are still kicking) to see what they have to offer. At the very least, you will be able to say you considered hiring outside help to assist the bank in dealing with its problem loans and rejected that course of action for whatever logical business reasons might be relevant. That's better than facing your board and shareholders with the bank rapidly sliding down the hill into a bottomless pit and admitting (or being forced to admit) that you didn't explore all the alternatives.

Not every consultant will be able to add sufficient value, but it never hurts to turn over all the stones in sight.

09:38 PM in Commercial Lending, Lending, Outsourcing, Real Estate | | TrackBack (0)

July 23, 2009

Barney Ain't To Blame

A reader sent me a link to a video of an interview with Barney Frank in which Barney engages in rapid-fire rewriting of history, and asked me what I thought of it. I thought it was business as usual for a slug like Frank, who wouldn't know the truth if it ran up and bit him in the hind quarters. Revisionist history inside The Beltway is just politics as usual.

In Frank's case, he's been doing it for awhile. Larry Doyle at Sense on Cents fisked Frank's lies about home-ownership-versus-subsidized-rental-housing a few months ago. It's as if these clowns don't understand that there's this technology called "television," and when you stand in front of a TV camera and you're recorded saying one thing in 2003, 2004, or 2005, there's a record of it, so that when a few years later you tell a completely different story, your lies are rendered completely transparent.

It's likely that Frank feels comfortable in the fact that there's nothing he can do except not bring home the pork that would cost him his seat in Congress. The bottom line is that he doesn't care. Like Humpty Dumpty, a word means whatever he says it means. His constituents apparently deserve him, since they return him every two years, no matter what he says, does, or doesn't do.

Frank's not the only cynical sack of utter uselessness cluttering the corridors of the nation's capitol. He's just low-hanging fruit that's easy to pick off. When  your time to blog is limited, low-hanging fruit is attractive.

As the truth commissions begin the arduous task of assigning blame for the current mess in strict accordance with political ideology, expect the duck-and-run-for-cover reprobates of both parties to all be singing the same basic song. Rome burns, Nero fiddles.

09:49 PM in Fannie Mae, Freddie Mac, Lending, Outsourcing | | TrackBack (0)

May 21, 2009

It's All About Leverage

Leverage The problems that many smaller (and even some bigger) banks have in obtaining meaningful protection in contracts with third-party technology service providers is one near to my heart. The Tech Law Guy, Tom Hall, put up a post yesterday that gives businesses of all types, including banks, useful tips to deal with the process of negotiating a contract with a technology vendor.

Tom's basic premise is that the purchaser's options may be limited by the "leverage" that it has or does not have entering into the negotiations, and that leverage is usually a matter of whether or not the business has the option to walk away from a vendor and find another vendor for the same or a similar service. Increased leverage could also result from the fact that a business does not need to engage in the activity with which the vendor is going to assist the business. If the business terms or legal terms of the contract imposed by the vendor are too unfavorable to the purchaser, the business can say "No Thanks."

As Tom notes, times have changed in the technology services business.

I can recall when, many years ago, “negotiating” with IBM for data services meant haggling over volume discounts and service hours. There were competitors in the market, but none of them rivaled IBM’s reputation for service and cutting edge technology. With little competition, IBM had no incentive to change its standard terms and conditions

Today there is vigorous competition in most sections of the IT market. Few companies dominate their fields, giving Customers room to negotiate.

That ought to be the case, but I find that many banks fall in love with the product or service, hash out the basic business terms with the vendor, then get their lawyer involved to review the contractual terms. At that point, there often exists an emotional commitment by the client's business people to "the deal" that results in the bank agreeing to knuckle under when the vendor digs in its heels. Often,  the bank rationalizes the granting of concessions in some fundamental contractual benefits or protections that it wouldn't have to give if it, too, "dug in its heels." In essence, the bank begins to negotiate with itself, a process that seldom ends well for the bank. Tom recognizes this danger and suggests a solution.

Once Customer has said “You’ve got the deal,” Vendor has no incentive to make concessions. Better to award the contract only after the competing vendors have made their best offer on price and terms and standards and service levels and warranties, etc. Also, consider requiring vendors to comment on your standard contract terms as part of RFP. Vendors who request unreasonable changes, or an unreasonable number of changes, may be weeded out early in the process. Time spent on needless negotiation will only delay project completion and a difficult negotiation may portend a difficult relationship.

Doing an RFP makes sense for most major technology transactions, but some banks either lack the attention span or the in-house expertise to manage this process and won't spring for the cost of a third-party consultant to manage the RFP process for them. At the very least, the bank should have at least one alternative vendor in mind, and senior management ought to sit down with  the bank's legal counsel, before the business negotiations start, decide upon the "have-to-have" risk allocation and other critical contract provisions, and make those contractual requirements available to both vendors at the outset. The reactions of the vendors to those requests can make (or, at least, SHOULD make) a difference in the overall evaluation of the ultimate "winner." I've been involved in a number of transactions where the resistance of the vendor to the bank's customary risk allocation provisions (or other standard terms and conditions) was the deciding factor, even trumping price. In one transaction, the CEO of the bank observed that it appeared to him that at one specific vendor, the "legal tail seems to wag the business dog and they've forgotten who's the customer and who's the service provider. I don't want to deal with an organization like that." Of course, that observation is also a lesson to all bank lawyers as to how savvy clients view the role of lawyers for the bank who unreasonably scrap over every phrase in a contract. They might find their telephone silent when the next deal rolls around.

Again, as Tom says, it's all about "leverage."

Legend has it Archimedes said “Give me a lever and I will move the world.” The business lawyer might well say “Give me more leverage and I’ll get you a better deal.”

A little bit of forethought and preparation in setting up the process to purchase technology services so that contractual terms are thrown into the mix early, not late, can often add more leverage and, in the end, result in a better deal for the bank.

09:42 PM in Outsourcing, Practice of Law, Risk Management, Web/Tech | | TrackBack (0)

January 07, 2009

Mad For Loan Mods

Brilliant Although often berated as a prime example of the "Liberal Main Stream Media" that conservative radio talk show hosts love to loathe, the latest issue of Time magazine sang the praises of a company that's often been labeled as one of the biggest of the bad boys when it comes to loan servicers who live solely to foreclose on widows, orphans, the halt and the lame: Ocwen.

Time's inamorata is praised for its aggressive loan modification program, one, surprisingly, not sprung form the fruitful loins of Mother Bair. In fact, compared to Ocwen's loan modification, the FDIC's so-called "systematic" approach is found distressingly flawed.

The big problem is that no one has figured out a systematic way to stop the rot. Federal agencies and private lenders have rolled out one loan-modification program after another--scattershot and largely timid attempts to make existing mortgages more affordable and keep neighborhoods intact.

Then there is Ocwen, which has already revised 16% of its 340,000 mortgages, in many cases cutting monthly payments 20% to 40%. Based in West Palm Beach, Fla., the company handles some of the worst loans Wall Street kicked up during the housing boom and isn't about to win any popularity contests among consumers--in the past, it's been the target of complaints about unresponsiveness and excessive fees. Nevertheless, good ideas can come from unlikely places, and as more borrowers--including a growing number with prime loans--fall behind on payments, there are lessons to be learned from the firm that has done more than almost anyone else to keep struggling homeowners in their houses.

The secret to Ocwen's success is all in the computer modeling. When home prices began dropping below the amount of the loan balance in some areas of the country, Ocwen called in its programmers.

So the company reprogrammed its computer models, which determine how to extract the most value from each loan, to allow much more substantial changes--lowering a mortgage's interest rate, docking its principal balance, converting an adjustable rate to a fixed one, stretching out the life of a loan. With many mortgages "upside down" (when the loan is larger than the home's current value) and the economy sagging, changes often have to be drastic to make the math work, but Ocwen has largely found a way, devising an affordable payment plan 90% of the time.

More importantly,however, Ocwen apparently doses itself with loan servicer Viagra.

What really sets Ocwen apart, though, is its vigor. From doing just a couple of hundred modifications a month in the first half of 2007, Ocwen was up to 4,000 a month by the beginning of 2008, with 77% involving a reduction of the interest rate and 20% including a permanent write-down of the principal balance. Is it working? Six months after receiving an Ocwen modification, 21% of homeowners have again fallen behind on their payments by 60 days or more. That compares with a 37% redefault rate nationally, according to data from federal regulators--a figure that also includes much more stable prime loans.

How is Ocwen avoiding the dreaded "loan investor lawsuit" risk? Because, unlike the Blair plan, which involves a simplified "one-size-fits-all" modification scheme, Ocwen actually has the sophistication to prove, by virtue of its computer modeling, that the loan modification (or no foreclosure) option selected for the particular borrower is likely to yield the most financial return to the investor, given the specific set of facts applicable to the specific borrower and the specific collateral.

Ocwen has also answered a key question for other would-be modifiers: whether it's possible to pass major losses to investors without getting sued. Paul Koches, Ocwen's general counsel, holds that the company is not only permitted to take such steps but obligated to--if that's what it takes to squeeze the most money out of a loan for the long term. That's the case executives make when angry investors call--and they do call, especially when a principal reduction chokes off cash flow in a particular month.

Make no mistake: Ocwen has a nearly messianic focus on the goal of maximizing returns for investors. "In most cases, that means keeping people in their homes and getting them to pay their mortgages," says Ocwen CEO Bill Erbey. In foreclosure, investors typically recoup only 60¢ on the dollar.

In a way, Ocwen was uniquely situated to jump ahead on modifications. Erbey, who used to run General Electric's mortgage-insurance operation, started buying nonperforming loans with his partners in the early 1990s. Ever since, Ocwen has been refining its computer models--we're talking sophisticated stuff, like vectors and artificial intelligence--to better whip delinquent loans into shape. When the housing slump hit and defaults started to rise, Ocwen wasn't some afterthought unit of a mortgage originator caught with its pants down; it was in its element, in a position to immediately scale up.

That's why, unlike a lot of loan-modification programs, such as those rolled out by Citigroup and IndyMac Bank, Ocwen's doesn't use broad guidelines--for instance, assuming that homeowners should be able to contribute 38% of their income to paying their mortgage. When Ocwen rewrites a loan, it starts from scratch, with an agent at one of its four call centers--two in Florida, two in India--following an adaptive script to reconstruct a borrower's financial data. (The script changes, based on not only what a borrower says but also how he says it; since hiring a director of consumer psychology last summer, Ocwen has been handling embarrassed callers differently than, say, angry ones.)

Ocwen also doesn't disrespect speculators. If it will yield more to the loan investor to modify a loan made to a home investor, then Ocwen will modify the loan. That may not be in line with the popular cant of the day by the chowder heads in Washington, but, then, Ocwen's all about dollars and cents, not hot air.

In bucking the general disdain for bailing out investment properties, Ocwen realizes that cash is cash, whether it comes from an owner-occupied mortgage payment or one fed by rent, and that a foreclosure displaces a family and blights a neighborhood whether the occupants are owners or tenants.

Which just goes to show that moneymaking and good economic policy aren't necessarily incongruous. As much as capitalism--especially in the mortgage industry--has gotten a bad rap of late, it might just prove useful yet.

Praise for capitalism? Break out my skates: Hell just froze over.

If, in fact, the loan-by-loan computer-driven analysis approach taken by Ocwen can provide evidence that it works better than the broad "systematic" approach championed by the FDIC's Sheila Bair and those who follow her lead, then will loan investors have an argument that taking the Bair approach is, in and of itself, a breach of the servicer's obligations under the relevant serving agreements? One article in a popular weekly news magazine isn't going to settle that question, but it's food for thought, especially if you're a class action litigator fishing for claims.

09:00 PM in Federal Legislation, Lending, Litigation, Outsourcing, Politics, Risk Management, The Economy, Web/Tech | | Comments (0) | TrackBack (0)

November 05, 2008

This Is The Change We Have Been Waiting For

Runaway train Everyone: can we all chant in unison, "Yes, We Can!"?

We can? Cool!

I'm not talking about Barack Obama, I'm talking about a federally-mandated 90-day foreclosure moratorium. The kind being pushed by Chris Dodd. The kind being pushed by "The Governator" in California and already enacted in other states. The kind that scares the pajamas off of mortgage loan servicers (free registration required). With Obama in the White House, the prospects for all of the pet projects of the Democratic powers-that-be in the Senate and the House look so much brighter.

With pressure mounting for Congress to enact a 90-day moratorium on home foreclosures, mortgage servicers are warning that the move could have the perverse effect of prolonging the housing downturn.

"A foreclosure moratorium would make a correction take much longer and have unintended consequences on servicers who already have liquidity constraints," said Dennis Stowe, the president of Residential Credit Solutions, a buyer and servicer of distressed mortgages.

Here's the problem for loan servicers: mortgage servicers advance delinquent loan payments, costs of collection, and foreclosure costs. They recoup those costs when the loan goes into foreclosure, and by delaying foreclosures, you increase the amounts of advances that servicers must make. To fund those advances, servicers are borrowing on their own lines of credit, and paying interest on those advances. That's good for the lenders who fund those advances, but not good for the servicers.

Critics like Senator Dodd, and his bitty buddy Barney Frank in the House, argue that servicers are deliberately forcing loans into foreclosure to limit the time during which they must make advances and to more quickly recoup the advances made (limiting their own financing costs) and, it is alleged, to pile on fees for additional foreclosure-related services. Rep. Frank has been especially critical of the fact that servicers aren't responsive to loan modification requests made by delinquent borrowers and, when they have them, the borrowers' representatives. That criticism appears to have a basis, but it seems due more to lack of staffing than it does to malice.

[Matt Stadler, the CFO of a servicer of distressed loans,] likened the state of the servicing industry to the "I Love Lucy" episode in which Lucy is furiously grabbing chocolates off a fast-moving conveyor belt.

"The borrowers are just piling up, and servicers are inundated and overwhelmed with calls they can't answer, short sales they can't complete, and not enough staff," he said. "They need more manpower."

If Matt had only had more time to parse the nuances of his last statement, I'm certain that he would have opted for a more politically correct contention, that what is needed is "more person power." You need to jump on board with the new world order, Matt, or the folks who will control two of the three branches of the federal government come next January will be screaming at folks like you: "No, You Can't!" And since you're fond of references to the old "I Love Lucy" show, hear me now and believe me later when I say to you that "you'll have some 'splainin' to do."

It's not likely that a moratorium will suddenly free up gazillions of servicing personnel who handle foreclosures and who will then miraculously be transformed into skilled loan modifiers.

When delinquency rates were below 2%, servicers mainly acted as collection agents, making automated phone calls to defaulted borrowers. As delinquencies rise, many loss-mitigation specialists lack the skills to handle the complexities of offering options to borrowers, Mr. Stadler said.

Demand outstrips supply. We've previously suggested that since bureaucrats and politicians have all this figured out, they should simply volunteer their staffs to make up the loan workout personnel shortages. Obviously, the government workers haven't got enough to keep themselves busy, inasmuch as they've plenty of time to meddle in matters that are well above their pay grade. Like running the residential mortgage loan industry.

As we and others have repeatedly pointed out, delaying foreclosures simply delays the inevitable, while compounding the ultimate losses. There's a certain element of "magical thinking" that goes into assuming that a 90-day foreclosure moratorium will somehow resolve a foreclosure crisis; that all those foreclosures-in-process will be transformed into loan modifications or refinancings because...well...just because! Let's face it, if a borrower's broke today, he or she is likely to be just as broke 90 days hence. Also, as Mr. Stadler observes, "[a] moratorium doesn't fundamentally change anything since many of these borrowers in the late stages of default have already abandoned the property."

More often, servicers put borrowers on repayment plans, which let borrowers catch up on arrears over six to 18 months. Unlike modifications, these plans are not restricted by investor requirements.

A crucial problem is that many loan modification agreements ultimately fail. "It's well known within the industry that modified loans have a recidivism rate of 50%," said [Keefe, Bruyette and Woods chief equity strategist Fred] Cannon.

Then there are the long term effects of a foreclosure moratorium to consider. An analysis recently released by David Wheelock of the Federal Reserve Bank of St. Louis alleges that those effects upon borrowers are not good.

During the Great Depression, state and local governments responded to the rise in mortgage foreclosures primarily by changing their laws. Several states enacted temporary moratoria on foreclosure, while others made permanent changes that limited the rights or incentives of lenders to foreclose on mortgaged property.

Wheelock's report shows that 27 states adopted foreclosure moratoria during the Great Depression, particularly in the Midwest.

[...]

“Although the economic and societal benefits of lower foreclosure rates are difficult to measure, research shows that the foreclosure moratoria of the Great Depression imposed costs on future borrowers.”

He cited several studies that suggest foreclosure moratoria tend to encourage lenders to reduce the supply of loans and may lead to higher average interest rates for subsequent borrowers.

"The evidence from the use of foreclosure moratoria during the Great Depression demonstrates how legislative actions to reduce foreclosures can impose costs that should be weighed against potential benefits," Wheelock said.

Evidence? Congress don't need no stinkin' evidence! This freight train's barreling down the tracks and facts and statistics will end up blown aside like a station wagon load of nuns stuck on the tracks and praying for mercy. The Dodd-Frank express stops for no obstacles and refuses to be derailed. Obey the signals at all road crossings!

A national foreclosure moratorium: Yes We Can!

10:13 PM in Banking Law-General, Consumer Law-General, Federal Legislation, Lending, Litigation, Outsourcing, Politics, State Law | | TrackBack (0)

September 14, 2008

Bank's Confidential Info "eBayed"

Ebay It's one thing for Gov. Palin to try to sell the Alaskan state government's jet on E-Bay. It's quite another thing for your run-of-the-mill bank vendor to sell your personal information (including your banking information) through the same service.

An investigation is under way into how a computer containing bank customers' personal data was sold on eBay.

The computer, bought by IT manager Andrew Chapman for £77, had the sensitive details on its hard drive.

Mr Chapman, from Oxford, said the machine contained information on several million bank customers.

Details of customers of three companies, including the Royal Bank of Scotland (RBS) and its subsidiary, Natwest, were involved.

RBS said an archiving firm told it the computer had been "inappropriately sold on via a third party".

It said historical information relating to credit card applications for its bank and others had been on the machine.

The information is said to include account details and in some cases customers' signatures, mobile phone numbers and mothers' maiden names.

[...]

Mr Chapman said anyone with a basic knowledge of computer software would have been able to find the data fairly simply.

"The information was in back-up CDs and in ISO files so it would have been possibly quite easy to find if you know something about computers," he said.

Why a "backup" business allowed sensitive information of one of the bank's that it services to exist on a laptop, encrypted or unencrypted, is a question I'm certain that RBS and Natwest have been asking the vendor.

I hope for the sake of RBS and Natwest (and American Express, the third company involved) that their agreements with the archiving firm contained strong contractual obligations to protect such confidential information, and provided adequate remedies to those firms in the event those obligations were breached. Knowing Amex's standard practices, I assume that they do. Of course, they won't save the banks and Amex from the public relations hit to their reputation caused by articles such as the one linked above. However, they should give them financial recourse against the vendor.

The vendor should be sweating bullets.

A spokeswoman for data processing company Mail Source, which is part of the archiving firm Graphic Data, said it was investigating how the computer equipment had been removed from a secure location.

"The IT equipment that appeared on eBay was neither planned nor instructed by the company to be disposed," she said.

The incident was "extremely regrettable" and the firm was "taking every possible step" to retrieve the data and ensure it was an isolated incident, she added.

"Extremely regrettable." That was said with typical British understatement. I think that Graphic Data will, indeed, "extremely regret" this information security breach. Even more than Americans, Europeans take their privacy seriously. At least, they seem to where private businesses are concerned. On the other hand, they appear to love Big Brother a lot more than the libertarians who populate the U.S.A.

Luckily for the banks and Amex, the purchaser of the laptop turned out to be not only a knowledgeable IT professional, but also an honest man. While legal fines may be imposed by the appropriate government authority, at this point it appears that any such fines would be imposed on the vendor, not on the banks and Amex. Also, it does not appear that there has been any wrongful use of the personal information.

Once again, the lesson is hammered home: Don't allow sensitive data to be downloaded to a laptop unless it's encrypted. Yes, I know, encryption can make the performance of the laptop less speedy and the employees will bitch and moan. Believe me, they'll get over it.

09:58 PM in Banking Law-General, Compliance, Crime, Litigation, Outsourcing, Risk Management, Web/Tech | | TrackBack (0)

September 04, 2008

Litigation River Overflows Its Banks

Sue_the_bastards Yet more evidence comes our way that proves that what are proving to be lean times for bankers are "phat" times for trial lawyers.

Attorneys practicing in a host of areas are now inundated with work related to the subprime mortgage crisis, and some predict they will continue to have their hands full for the next five years.

Over the past year, subprime mortgage litigation has reached record levels, threatening to surpass that of the 1990s savings and loans crisis, according to a Navigant Consulting, Inc., study. The number of subprime-related cases filed in federal courts over the 15-month period ending March 31 totaled 448, 46% of which were multi-plaintiff class action lawsuits.

Many attorneys in a range of practice areas -- including commercial real estate, securities and lending -- are feeling the surge. Attorney Ellen Vergos, a partner at Wyatt, Tarrant & Combs LLP, says 30-35 of the law firm's 200 attorneys are involved in subprime-related cases.

"Subprime is bigger than just foreclosures," says Vergos, who focuses her law practice on business bankruptcy and commercial litigation. "Different disciplines and cases are involved, including bankruptcy, creditors' rights, class action, investor lawsuits, securities and professional liability claims."

As might be expected, the largest slice of the litigation pie is securities litigation. According to Navigant's study, 26% of the litigation is related to "securities cases." Although the article doesn't clarify exactly what types of claims are covered by the term "securities cases," we assume that they mean suits by holders of securities backed by subprime mortgages and investors in various companies that have participated in the subprime mortgage business and have been negatively impacted. Atlanta attorney Ellen Vergos gives a list that demonstrates the variety of claims: "bankruptcy, creditors' rights, class action, investor lawsuits, securities and professional liability."

All of that is red meat to litigators.

As the number and size of the cases grow, so, too, grows the demand for bodies to plow through the evidence (in some cases consisting of tens of millions e-mail messages and other electronic documents).

Bringing in contract lawyers is something that's done by law firms all around the country to help them cope with the growing workload, says adviser to law firms Robert Denney, principal of Robert Denney Associates, Inc. In addition, law firms conduct crash training for attorneys in the financial fields and create groups of lawyers from various disciplines to work on subprime cases, he says. Firms specializing in securities, commercial litigation, bankruptcy and restructuring are the busiest.

"Bankruptcy practices are busy across the country," Denney says. "Bankruptcy attorneys are overworked now."

The best part of using contract attorneys is that they're easily disposable. Wipe once, then discard.

For some reason, I expect that there will still be plenty of dry eyes in executive offices across the nation, notwithstanding the prospect of overworked bankruptcy attorneys expiring right and left, even as we speak (or read). At an average billable hourly rate of, say, $500 or more, the deceased's kin should be able to throw a doozy of a funeral and still have plenty left over for that second home in Cabo.

As with many silver linings, there also exists the dark cloud to which the lining is attached. In this case, it's the transactional attorneys who are trying to survive in the "dog-eat-dog" world of big law firm compensation pie-slicing while their litigation brethren gobble the biggest pieces.

But not all real estate attorneys are swamped with work as a result of the subprime mortgage crisis and the subsequent housing slump. Some real estate attorneys, including closing attorneys, are feeling the pinch.

"With the real estate market suffering, there are fewer transactions," says attorney Doug Shipman of The Law Offices of O. Douglas Shipman PC, which specializes in commercial and residential real estate and commercial banking law. "Compared with last year, we're not seeing as many closings coming through the door."

Doug, I'd shift to bank regulatory enforcement actions for the next few years. You ought to weather the storm just fine.

09:09 PM in Bankruptcy, Commercial Lending, Lending, Litigation, Mortgage Banking, Outsourcing, Practice of Law, Real Estate, The Economy | | TrackBack (0)

June 12, 2008

The Bozo Factor

Bozo Twenty plus years ago, I had been recruited by a large law firm as a lateral hire. At my first quarterly firm dinner, I was sitting next to an especially acerbic fellow lateral hire (and, therefore, one of my favorite co-toilers at the firm) when a senior partner waltzed in wearing a navy blue blazer, pink dress shirt, red-and-green plaid pants and a paisley tie. I watched him walk across the room, booming loudly and obnoxiously every step of the way. My mate, reading the "WTF?" look on my face, turned to me and deadpanned, "The Bozo Factor: every firm's got it."

According to Ben Worthen of the Business Technology Blog, many businesses have it and it applies to IT professionals as well as to legal professionals. It's not clown-like dress and behavior that Worthen's discussing, however. it's incompetence, the kind that causes security breaches.

Hackers enjoy a reputation as computer whizzes who can break into the most sophisticated systems. They may be whizzes, but the reason for their success is that businesses rely on defenses filled with holes big enough to drive a truck through.

A new study by Verizon’s Business Risk team, which performs post-breach forensics, looked at the causes of more than 500 data-loss incidents and concluded that sloppy security procedures were partly to blame in almost every one. (The study didn’t take into account incidents where a laptop containing sensitive data was lost or stolen, because the cause of the breach is self-evident and these incidents rarely result in fraud or identity theft.) In fact, stupid mistakes are so common that forensics work is getting boring. "The most difficult thing for me and my team is that we see company after company fall victim because of the same basic flaws," Bryan Sartin, vice president of investigative response at Verizon, tells the Business Technology Blog. These include failing to update or misconfiguring systems.

What about the "professional hacker" that this blog and others have hyped for the last year – you know, the guy who tricks employees into disclosing sensitive information, which he then uses to make off with reams of data? Turns out he isn’t that big a threat. Verizon concludes that only 17% of the attacks it investigated were committed by a highly-skilled hacker, while 54% required little or no technical skill. And only 15% of attacks committed by outsiders were targeted. More often, a hacker cast a wide net looking for any company with weak defenses.

While hackers accounted for 73% of all data breaches – an indication of how poor defenses are – these outsiders didn’t make off with as much data as insiders, who accounted for just 18% of breaches, and business partners – outsourcers, consultants, call-center workers – who accounted for 39% of breaches. (The total is more than 100% because some breaches were committed by multiple parties.) In fact, when the number of attacks and amount of data stolen are combined, business partners are the biggest threat of all.

Sartin says that in these cases, too, lax security is an issue – a contractor saw weak defenses and treated them like an opportunity. In almost every breach he’s investigated the thief "took the path of least resistance."

I was thinking about "The Bozo Factor" recently while assisting a client in formulating vendor management policies and procedures. One of the principles that the client was adamant about building into its procedures, especially with respect to technology vendors who would have access to customer information, was that due diligence on those vendors had to be rigorous. The institution also would require that a legal review of all contracts with vendors was essential to make certain that the institution was adequately protected from the results of the vendor's negligence because, no matter how good the due diligence, "stuff happens." Although we didn't label it "The Bozo Factor," we discussed the fact that even those vendors with great reputations can suffer security breaches. Worthen's observation that "business partners" are the biggest threat when it comes to security breaches only serves to confirm the client's cautious approach.

Unfortunately, no amount of vendor due diligence will protect a bank from a truely "inside job." The fact that insiders make off with more from security breaches than outside "hackers" is no surprise. We've blogged about that "nightmare" previously, where "The Bozo Factor" involved an apparent failure to shut off access to the computer system of the business after the employees' services were terminated. Of course, even  without any apparent incompetence, "rogue employees" can breach security and even the biggest of the big boys are susceptible. Venality and greed can often trump the best security.

10:23 PM in Crime, Outsourcing, Privacy, Risk Management, Web/Tech | | Comments (2) | TrackBack (0)

Next »

Recent Posts

Archives

More...

Categories

Business News

Regulators

Resources