New Mexico has a long history of conflict over Spanish and Mexican land grants. Who can forget the violence and turmoil which arose out of Reies Lopez Tijerina's 1967 raid on the Rio Arriba courthouse? Spanish and Mexican land grants have a long history in the state. Under Spanish rule the Governor of New Mexico made private land grants to individuals for their service to the crown or for other reasons. This practice continued under the Mexican Government (an individual grant). A second type of land grant, the community grant, was made to communities, towns, colonies or pueblos or to individuals for the purpose of founding a town or community. When the United States defeated Mexico in the Mexican-American War, the 1848 Treaty of Guadalupe Hidalgo sought to preserve ownership of the land grants by a system of private land claims courts. The results were mixed. For example, the famous Beaubien Miranda Grant (better known as the Maxwell Land Grant) allegedly grew from a few thousand acres to a vast holding of several hundred thousand acres (now owned by Ted Turner).
The most recent chapter in the land grant wars is occurring in Taos and is bringing real estate transactions, lending on real estate collateral and the real estate business in Taos to an almost total halt. Two old Spanish land grants are involved. The Cristobal de la Serna grant is about 22,000 acres and covers much of the town of Taos. The other grant is the Arroyo Hondo grant, which occupies an area to the north and west of the town. Because of its location, I will deal principally with the Serna grant. In late 2010 an individual granted to the Trustees of the Serna grant and to the heirs of grantees of the Serna grant a warranty deed and quitclaim deeds which purport to convey the Cristobal de la Serna grant to the Trustees and the heirs. Similar action occurred on the Arroyo Hondo grant.
The town's two title companies began issuing commitments which excepted claims by the trustees or heirs to the two grants. Bank lending on real estate within the town boundaries and within the Serna grant effectively ceased. Several transactions for sale of Taos properties were terminated.
On April 14 the Town of Taos filed suit against the grantor of the Serna warranty deed and quitclaim, the five trustees of the Serna grant and "the Heirs of the La Merced de la Serna, Diego Romero and their assigns." The suit seeks a declaratory judgment that the deeds are void and should be set aside. Most interestingly, the person who signed and recorded the deeds and the five trustees have all signed waivers of service and consent to the declaratory judgment as sought by the Town.
Is it over? No. There are several hurdles ahead, most likely all navigable with skill, but consider the following factors. The judge assigned to the case, Judge Sanchez, has resigned under pressure from the N.M. Supreme Court. The alleged "heirs of Serna and Romero and their assigns" must be served in a manner acceptable to New Mexico rules and court precedent. Service upon those people, whoever they are, may not be effective unless care is taken. A hearing date must be set for those heirs to appear and contest the Taos complaint and then the judge must be satisfied. One bright spot: in 1984 a respected Taos judge held that the Serna grant was a private grant and the trustees or heirs had no standing to make any claim against the then owners. Whether that decision will have any impact in the present dispute cannot be assured.
Will the title companies be satisfied? The April 25 Taos News quoted one of the title company managers as being unsure, depending on how the heirs responded and the procedures used. And as every banker and businessman knows, if the title companies will not change their attitude toward this dispute, the freeze on real estate transactions will continue. Even if the title companies are satisfied, the course of serving the heirs in person or by publication, the hearing and final decision could take months.
Land grants are mainly a feature of the Spanish colonization down the Rio Grande and therefore the Taos land grant battle is not likely to have any direct impact on real estate lending in other parts of the state. However, when an important art and tourist center of the State is effectively put in a situation where normal commerce cannot go forward, all of the state suffers.
This Blog was written with the assistance of Paula Cook and Michael R. Comeau, partners in Comeau, Maldegen, Templeman and Indall, LLP. Ms. Cook (pcook@cmtissantafe.com) practices extensively in complex real estate and title matters and Mr. Comeau (mcomeau@cmtissantafe.com) is a litigator in bank and complex litigation.
Marshall G. Martin
Comeau, Maldegen, Templeman and Indall, LLP
(505) 982 4611
mmartin@cmtisantafe.com
Tuesday, April 26, 2011
Friday, April 15, 2011
Emails, Harry Truman and a Free Form
I realized when I reviewed the last few blogs that they might not fulfill the pledge that this Blog would have "forms, tips and some funny stories". I will try to meet my promise here.
You may ask what Harry S. Truman has to do with e-mails. One of the most controversial, but funny, events in the Truman presidency demonstrates the risks of unreviewed e-mails sent on the spur of the moment. Truman's public gaffe came at the darkest days of the Korean War, his approval ratings plummeting. Truman was an enthusiastic piano player and concert goer, and devoted to his young daughter Margaret, who was a classically trained singer bent on an operatic career. She began a tour, starting with Washington's Constitutional Hall. She sang Mozart, Schubert and others and was applauded. The next day the Washington Post's music critic wrote a scathing review of Margaret's performance. Harry Truman reacted with a father's emotion, writing to the critic that the critic was a "frustrated old man" (Truman was 68 and the critic 38) and hoped for a personal meeting at which the critic would "need a new nose, a lot of beefsteak for black eyes, and perhaps a supporter below". Harry sent the letter. Truman had a history of firing off intemperate letters to people who offended him, but a system was in place in which such letters were intercepted by a long time friend. The aide had died just days before the famous "music critic" letter. The letter appeared on the front page of the Post. The event, which we might now consider understandable and funny, especially in the era of Obama and Bush, caused a big controversy. (The Truman letter events are set out in David McCullough's 1992 book on Truman.)
Truman's letter is similar to many e-mails that one sees produced in litigation; they are the product of anger, stupidity or plain lack of forethought. Generally all of them suffer from the "Truman Effect": they were not held and reviewed by the sender or someone else. In most cases, if the writer had waited until morning to send the e-mail or had a colleague read it, the e-mail would not be a problem. E-mails are worse than the Truman letter because they are impersonal, easy to compose and rarely read or re-read before sending. Experts on e-discovery have observed that people say things in e-mails that they would never say in person, on the telephone or by letter.
Most seriously, in this era of troubled loans and troubled borrowers, a lender's careless e-mails can enable a clever borrower's attorney to claim that the bank has agreed to a renewal of a troubled loan or to terms that were discussed by e-mail but not agreed by the bank. This is especially true in New Mexico, where our courts virtually ignore our written commitment statute. There is no easy solution, but banks should conduct occasional short training sessions on the dangers of e-mails and the minimum statements that must be included in every e-mail to protect the bank. The first topic in any session is "reread and revise". Just a short comment like "your proposal sounds fair" should be followed by "but any final terms are subject to review by our loan committee".
Now for the promised form. I recommend that all e-mails authored by any lender or workout person contain the following statement, which should be separated from the "confidentiality" statement that most banks use in e-mails. It is important that the following statement stand out as an important reminder to the customer.
"All discussions, proposals and terms for any loan, extension or renewal of credit are not binding on the Bank or any borrower unless the terms or proposals are approved by the Bank's senior management, loan committee or Board of Directors and contained in a written commitment or similar written agreement signed by the parties to be bound."
This is not a panacea for stupid e-mails, but the inclusion of the statement or something like it will assist the bank in dealing with careless e-mails.
Marshall G. Martin
Comeau, Maldegen, Templeman & Indall, LLP
(505) 982 4611
(505) 228 8506
Monday, March 28, 2011
THE RSA BREACH-- BANKERS BEWARE, NOT JUST COMPUTER GEEKS
On March 17, RSA, the security division of information storage company EMC, announced that its servers had been breached. RSA makes the RSA SecurID, a sophisticated one time password device which serves as a multifactor authentication device used by 90% of the nation's banks, according to a Bank Technology News article.
Not being a computer type, I hesitated to follow my Blog on FFIEC draft authentication guidelines with another internet banking Blog, but this is serious business and could have profound effects on security in every high risk internet banking transaction. It really means that internet banking security and authentication issues have moved out of the world of IT and into the headquarters' suites of CEOs, COOs and CFOs. This further complicates whatever the FFIEC comes up with in its final guidelines.
Bank Technology News noted that the world's leading security vendor was not able "to lock out the beasts" and criticized RSA's "lack of candor" in its release of "scant" details. PC World describes the operation of the RSA SecurID in almost lay terms. The user logs in by username, inserts a four digit PIN and, from the RSA SecurID, gets a six digit one time password to enter the system. Mysteriously, the one time password is generated by an algorithm and a "seed record". The one time password lasts from 30 to 60 seconds. A remote RSA server verifies the information and lets the user into the system. PC World is concerned, given the lack of information, that the "seed record" at RSA was breached. If so, PC World claims it would be a fairly easy step for the bad guys to get into a bank transaction. This RSA device is used by 40 million people and 30,000 organizations worldwide, according to RSA. See http://pcworld.com/ for March 18. In an SEC filing RSA suggested some precautionary steps, which did not seem to calm the IT world. One competitor has advised that RSA customers unhook their RSA systems.
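To make the "seed record" less mysterious, here is an added example (not part of the original post, and not RSA's own algorithm, which is proprietary). It uses the open HOTP/TOTP construction from RFC 4226 and RFC 6238 as a stand-in to show how a token and a server that share a seed arrive at the same six digit code, why the seed must stay secret, and why a used code is refused. The class and function names, the 60 second step and the PIN handling are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import struct

STEP_SECONDS = 60  # assumed; the post says a code lasts 30 to 60 seconds
DIGITS = 6         # six digit one time password, as described in the post


def one_time_password(seed: bytes, unix_time: int) -> str:
    """Code for the time step containing unix_time (RFC 4226 truncation)."""
    counter = unix_time // STEP_SECONDS
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def _pin_hash(pin: str, salt: bytes) -> bytes:
    # The server stores a salted, slow hash of the PIN, never the PIN itself.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class AuthServer:
    """Hypothetical verifier holding one seed record per enrolled user."""

    def __init__(self):
        self._users = {}

    def enroll(self, username: str, pin: str, seed: bytes) -> None:
        salt = secrets.token_bytes(16)
        self._users[username] = {
            "salt": salt,
            "pin": _pin_hash(pin, salt),
            "seed": seed,
            "last_counter": -1,  # highest time step already accepted
        }

    def replace_seed(self, username: str, new_seed: bytes) -> None:
        # Mitigation when a seed may have leaked: issue a new token and seed.
        self._users[username]["seed"] = new_seed

    def verify(self, username: str, pin: str, code: str, now: int,
               drift_steps: int = 1) -> bool:
        user = self._users.get(username)
        if user is None:
            return False
        if not hmac.compare_digest(_pin_hash(pin, user["salt"]), user["pin"]):
            return False
        current = now // STEP_SECONDS
        # Accept a small clock drift, but never a step that was already used.
        for counter in range(current - drift_steps, current + drift_steps + 1):
            if counter < 0 or counter <= user["last_counter"]:
                continue
            expected = one_time_password(user["seed"], counter * STEP_SECONDS)
            if hmac.compare_digest(expected.encode(), code.encode()):
                user["last_counter"] = counter
                return True
        return False


if __name__ == "__main__":
    seed = secrets.token_bytes(20)   # constructed sample seed record
    server = AuthServer()
    server.enroll("alice", "1234", seed)
    now = 1_300_000_000              # constructed timestamp
    code = one_time_password(seed, now)
    print("token shows:", code)
    print("first login:", server.verify("alice", "1234", code, now))
    print("same code again:", server.verify("alice", "1234", code, now))
    # The code depends only on the seed and the clock, so any copy of the
    # seed record yields the same digits as the customer's token.
    print("copy of seed matches token:", one_time_password(bytes(seed), now) == code)
    server.replace_seed("alice", secrets.token_bytes(20))
    later = now + 5 * STEP_SECONDS
    print("old seed after replacement:",
          server.verify("alice", "1234", one_time_password(seed, later), later))
```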
Even without the RSA breach some criminals have mastered a fraud technique to inject their presence into the middle of the bank-customer RSA SecurID operation and plunder an account. In the colorful jargon of IT this is the "man in the middle" ploy.
I usually try to tell the reader some solutions or ways to at least minimize harm. I am sorry. If I had a scant idea of the answers I would not be practicing law.
Marshall G. Martin
Comeau, Maldegen, Templeman & Indall, LLP
(505) 982 4611
(505) 228 8506
Monday, March 21, 2011
DOCUMENT RETENTION POLICIES AND BEWARE FACEBOOK
Although the focus of this Blog is document retention and similar policies, Facebook users should be aware that their comments on Facebook are not immune from hacking or "forgery". I have used Facebook minimally to keep track of classmates from high school and college. My computer savvy son just informed me that my Facebook had been hacked. When I opened my Facebook page, I found postings in which I represented that I personally used a new, super weight loss compound that had taken pounds and inches from my overweight frame. This false weight loss claim was contained in six postings that I had not authored. I am now an "ex" user of Facebook. If my experience is widespread, it adds to the Facebook danger.
This story points up the essential need for all banks and responsible businesses to have strong written policies on the use of social media and other E-discovery targets. Even if your system blocks use or access to Facebook, Twitter, etc., you should still have a policy that extends to discussion of company business or personnel on employees' personal computers. This is no different from having a confidentiality policy that extends to conduct outside the workplace.
It is now standard litigation practice to request discovery of all electronic records, including e-mails and social media. Therefore all banks and substantial target companies should have policies on e-mail retention and the use of e-mails and social media. E-mails still remain the main target of E-discovery. Invariably, some damaging "nugget" of evidence is found in most e-mail production under E-discovery practice.
In this day of expensive and burdensome "E-discovery" the following policies are essential:
1. A comprehensive e-mail retention policy is required with deletion times, e-mail archival times and a period after which no e-mail or electronic communication will be saved or retained in an archive (unless a "hold" is placed on it by HR or legal counsel). The electronic retention policy should cover all forms of electronic communication, including voice mail. The key to an electronic retention policy is that with modern technology no e-mail is really deleted from the hard drive. Even e-mails that are not archived can be restored, but only at great expense and burden. Most judges will not order such an undertaking absent bad faith or unusual circumstances. Archived e-mails can be accessed by a computer professional on request. The question is how long should you archive? That depends on the circumstance, but generally the periods should be from one to three years. Wall Street lawyers like 30 days, which is risky in New Mexico.
2. There should be policies, usually contained in the employment manual, concerning the lack of an employee's expectation of privacy on company computers, appropriate use and, if not blocked, social media policies. Most lawyer or HR prepared employment manual forms contain some of these features. Social media policies are currently not widespread but most publicly traded companies have them.
3. A social media policy covering Facebook and other forms of social media is becoming more and more critical. Aside from cases in which employees post damaging information (worst example: an Albuquerque police officer involved in a publicized shooting posted that he was part of the trash removal squad), their random posting about what is happening at work can be damaging in litigation or to company reputation. Anyone who has seen e-mail discovery in litigation and been shocked by the lack of thought which appears should take a minute to view Facebook and Twitter postings, which vary from the damaging to the embarrassing. If your computer system does not block social media, you should have a strong policy on its use, covering everything from confidentiality to inappropriate personnel comments (some recent cases involve termination when an employee describes her jerk boss). As mentioned, this policy should extend to the employee's personal computer.
Banks should also consider training in e-mail communication, especially in this time of frequent foreclosure counterclaims over alleged "bad" loan renewals. This is a topic for a future blog.
Marshall G. Martin
Comeau, Maldegen, Templeman & Indall, LLP
(505) 982 4611
(505) 228 8506
newmexicobankinglawyer.blogspot.com
Friday, March 11, 2011
COMMUNITY BANKERS BEWARE: THE FFIEC AUTHENTICATION GUIDANCE IS COMING
Until early February 2011 I thought FFIEC was an obscure governmental agency which set out guidelines for the examiners of the various financial regulatory agencies of the federal government. Its proper name is Federal Financial Institutions Examination Council. It is a creation of FIRREA. It is an interagency body composed of the Federal Reserve, FDIC, NCUA, OCC and OTS (for a time). Its guidance is designed to provide uniform principles, standards and report forms for examiners of the financial regulatory bodies. In 2005 FFIEC published guidance for authentication in electronic transactions including ACH and wire transfer. In 2010 FFIEC was updating the guidance. FFIEC's members were set to release the draft on December 31, 2010. However, one agency asked for delay. The word apparently did not get to NCUA and it posted the draft guidance on December 31. The Bank Info Security blog, edited by Tracy Kitten, reported that immediately over the New Year's holiday 1,100 copies were downloaded. (The draft guidance is titled "Interagency Supplement to Authentication in an Internet Banking Environment".) The details of the FFIEC draft guidance were then analyzed in detail by leading members of the bank security community from mid-February to March, 2011 in Bank Info Security (http://www.bankinfosecurity.com/).
Although the Bank Info Security expert reporters' analysis of the FFIEC draft guidance contains many suggestions and generally approves the draft guidance, the experts have ignored the reality of coping with a wide array of commercial customers and varying levels of sophistication in ACH, wire transfer and internet banking departments.
The principal draft guidance recommendations as reported by Bank Info Security are: (1) better risk assessments to address emerging threats now used frequently by foreign and domestic gangs, such as man in the middle, man in the browser and key loggers [a Google search will quickly summarize how each works, but essentially the criminal injects himself in the middle between the server and the computer user and intercepts data without the knowledge of the server or user; and in key logging the bad guy captures key strokes remotely]; (2) use multi-factor identification [again, a Google search explains the operation well, but multi-factor authentication is the use of more than a password to authenticate identity with a preference for three factor authentication]; (3) layered security [again see Google, but the concept involves vertical layers of review or checking of IDs]; (4) improved user authentication measures; and (5) customer and employee training of fraud awareness.
In the writer's personal experience, the technologically of the Russians, Eastern Europeans, Nigerians, and some domestic gangs will attack and conquer the latest token or gimmick to defeat authentication security measures. The Russians, etc. have no other jobs and as quick as a new device is implemented, absent multifactor or layered security, the Bad Guys may be in business.
David Shroyer, an expert reporting in Bank Info Security notes in a February 24, 2011 edition of the blog, that the draft guidance mentions the vulnerabilities of small to medium sized commercial accounts. Most surprising is the concept that banks must "educate" commercial customers to the lack of protection of Regulation E in most commercial transactions. The draft guidance also puts much more responsibility on the bank to monitor high risk transactions such as wire transfer or ACH, including regular reviews of volume and value for customers and the customer's online users. The guidance also suggests banks encourage commercial customers to perform risk assessments and control evaluations.
This is not just a bank IT issue. Recently, as reported by Bank Info Security, two customers with large wire transfer losses have used the 2005 FFIEC guidance to argue that two banks did not follow acceptable standards. If the FFIEC 2010 draft guidance is adopted (which it may not be in the December form), banks are in the cross hairs of broad but vague standards that do not fit reality for many banks.
New Mexico banks don't have to search out the big security companies or out of state auditors to analyze the issues posed by the draft guidance, once it is adopted. New Mexico has competent experts in "authentication" and the compliance process which is involved in the draft guidance. Aside from the "usual suspects" like the big national firms, New Mexico has local resources. One is CAaNES, LLC, which offers network security and other services (http://www.caanes.com/). CAaNES, LLC is a creature of NM Tech University's Research Corporation and is actively involved in research. REDW, LLC, an Albuquerque accounting firm, regularly does security and authentication evaluations and audits for banks, and has an IT Governance, Risk Management and Compliance Practice (http://www.redw.com/).
My friends in bank IT will now point out to you that I am a techno idiot. But it does not take a technocrat to judge that all banks are not created equal, all customers are not equal (in the sense of internet banking). A great number of commercial customer losses to internet fraud are caused by poor internal controls at the customer level. Most customers resist bringing in outside experts to strengthen their controls. Most bank internet systems require a named "administrator" who is solely responsible for passwords and other security devices. Often, for convenience sake, passwords are doled out without restrictions or user accounts are set up without thought. The customer's CFO or person in charge must be available (or a back up named) to insure that at the first sign of a suspicious transaction internet banking can contact him or her to stop the transactions. Most major wire fraud transactions are not done in one wire transfer but are spread over several transfers. In short customer accountability is required.
My suggestions follow but they are not a substitute for an expert review of issues raised by the draft guidance.
1. If you don't have them, use very strong internet banking, wire transfer and ACH agreements for commercial customers. NACHA has a model form for ACH transactions, although it needs modifications. Insert a clear statement concerning Regulation E's inapplicability to commercial transactions. Consumer forms of agreement usually can be simpler.
2. If possible, communicate any concerns to the customer if controls are lax or the customer's administrator does not control passwords, other security devices or is not careful about setting up user accounts.
3. Institute a clear and reliable communications system with the customer's CFO, administrator or other appropriate authority figure to immediately alert that person to suspicious circumstances or transactions. I would not leave out the CEO if no one else can be found.
4. Contact a knowledgeable insurance consultant or broker about obtaining "cyber" insurance coverage or similar coverage. Make sure that the coverage extends to the type of ACH or wire transfer account takeover or invasion which is now occurring frequently.
5. In one lawsuit reported by Bank Info Security, a CEO complained that knowing the size of his company's accounts the bank should have given the company information about multi-factor identification and other types of protection. Picking and choosing which commercial customers get the most effective security has grave legal risks. On what risk or "reasonable care" basis do you differentiate between an $800,000 account and a $200,000 account? Telling a New Mexico jury that you take better care of the "big" $800,000 customer when the $200,000 customer has lost $175,000 is a recipe for losing. Start with high risk, but treat everyone as vulnerable and get protections in as soon as possible.
And, last but not least, meet with IT and see what problems exist in following the final FFIEC guidelines when they arrive in final form. Consult an expert if needed.
Marshall G. Martin
Comeau, Maldegen, Templeman & Indall, LLP
(505) 982 4611
(505) 228 8506
newmexicobankinglawyer.blogspot.com
Although the Bank Info Security expert reporters' analysis of the FFIEC draft guidance contains many suggestions and generally approves the draft guidance, the experts have ignored the reality of coping with a wide array of commercial customers and varying levels of sophistication in ACH, wire transfer and internet banking departments.
The principal draft guidance recommendations as reported by Bank Info Security are: (1) better risk assessments to address emerging threats now used frequently by foreign and domestic gangs, such as man in the middle, man in the browser and key loggers [a Google search will quickly summarize how each works, but essentially the criminal injects himself in the middle between the server and the computer user and intercepts data without the knowledge of the server or user; and in key logging the bad guy captures key strokes remotely]; (2) use of multi-factor identification [again, a Google search explains the operation well, but multi-factor authentication is the use of more than a password to authenticate identity, with a preference for three factor authentication]; (3) layered security [again see Google, but the concept involves vertical layers of review or checking of IDs]; (4) improved user authentication measures; and (5) customer and employee training in fraud awareness.
In the writer's personal experience, the technologically of the Russians, Eastern Europeans, Nigerians, and some domestic gangs will attack and conquer the latest token or gimmick to defeat authentication security measures. The Russians, etc. have no other jobs and as quickly as a new device is implemented, absent multifactor or layered security, the Bad Guys may be in business.
David Shroyer, an expert reporting in Bank Info Security, notes in a February 24, 2011 edition of the blog that the draft guidance mentions the vulnerabilities of small to medium sized commercial accounts. Most surprising is the concept that banks must "educate" commercial customers about the lack of protection of Regulation E in most commercial transactions. The draft guidance also puts much more responsibility on the bank to monitor high risk transactions such as wire transfer or ACH, including regular reviews of volume and value for customers and the customer's online users. The guidance also suggests banks encourage commercial customers to perform risk assessments and control evaluations.
This is not just a bank IT issue. Recently, as reported by Bank Info Security, two customers with large wire transfer losses have used the 2005 FFIEC guidance to argue that two banks did not follow acceptable standards. If the FFIEC 2010 draft guidance is adopted (which it may not be in the December form), banks are in the cross hairs of broad but vague standards that do not fit reality for many banks.
New Mexico banks don't have to search out the big security companies or out of state auditors to analyze the issues posed by the draft guidance, once it is adopted. New Mexico has competent experts in the "authentication" and the compliance process which is involved in the draft guidance. Aside from the "usual suspects" like the big national firms, New Mexico has local resources. One is CAaNES, LLC, which offers network security and other services (http://www.caanes.com/). CAaNES, LLC is a creature of NM Tech University's Research Corporation and is actively involved in research. REDW, LLC, an Albuquerque accounting firm, regularly does security and authentication evaluations and audits for banks, and has an IT Governance, Risk Management and Compliance Practice (http://www.redw.com/).
Tuesday, March 1, 2011
HELP!! MY COURT IS CLOGGED
As a young lawyer sitting on a Bar Committee, I once naively complained--with a New Mexico Supreme Court Justice in attendance--that the New Mexico courts' dockets were clogged. The judge rebuked me strongly, saying that I sounded like I was talking about toilets--not the courts. If the old judge saw the present budget mess in the New Mexico courts he might agree. The courts' clogged condition significantly affects banks trying to clean up their asset quality by foreclosure and collection actions.
On Sunday, February 13, the Albuquerque Journal had a byline, "Courts Struggle to Stay Afloat". A Tucumcari District Judge was reported as having given up his office copier to save $120 a month. In Albuquerque, layoffs of security personnel added to more than 16 unfilled court staff vacancies. This concerned some judges since a year before an outraged spouse was shot after threatening his wife and court staff. The Journal article reported that the current Chief Justice, complaining of likely cuts in the court system budget, noted that the recession had added to the work of the courts--more foreclosures, more collection actions, more conflicts and criminal cases. The Journal reported one legislative committee meeting at which judges complained of case loads increasing by 7% and budgets cut by 10%. An executive of the court system was reported as stating the cuts planned by the legislature and Governor would result in a week's furlough for all employees in the court system.
Courts take people. Every time you file a foreclosure complaint you go to court and manually process the complaint in the clerk's office, standing as the clerk checks the papers, stamps them, etc. Since there are fewer clerks, the process takes longer. Often the chief clerk shuts down the line with you or others waiting to file. The judge's staff who schedule and keep track of the judge's cases are overworked or furloughed. After the complaint is filed most papers are mailed, and they have to be sorted, filed and brought to the judge's attention and scheduled for hearing. Fewer cases are settled since savvy lawyers know that the system is almost broke and cases will not move as they did a few years ago. There is no incentive to settle.
Five years ago an uncontested mortgage foreclosure might take 4 months to complete, assuming no intervening mechanics' liens, and timely filing and publication, etc. as required by law. Now, with the heavier case loads, thinner staff and less scheduling help, an uncontested mortgage foreclosure might take 6 months. And now comes the real clog. Times are hard. An increasing number of defendant debtors think, "If I can just buy more time, I can make it out of this--I will see my old college roommate who went to law school". Roomie says, "Thin case, but I think you should counterclaim. It will buy you time." "How much time?" you ask. Roomie: "At least a year." When a counterclaim is filed it adds the whole mix of litigation to the case with discovery, disputes about discovery, motions, etc., all of which add delay to the foreclosure.
Why is New Mexico so bad? Aren't Colorado and Arizona suffering the same problems? Arizona and Colorado have had Deeds of Trust for many years. Absent exceptional circumstances the foreclosure of a Deed of Trust cannot be stopped by litigation. From notice of default to the bank's taking the property normally takes only two months. New Mexico now has a Deed of Trust statute, but only newer loans have used the Deed of Trust. Due to some drafting problems no bank started using Deeds of Trust in New Mexico until after 2007. Most foreclosures involve the old mortgage procedures. In addition, New Mexico has a very weak version of a statute that prohibits claims concerning loans above $25,000 without a written commitment. New Mexico's version of the statute rarely produces a favorable result.
Two added factors aggravate the delay or push the bank into a less than favorable settlement: (1) New Mexico judges' reluctance to grant summary judgment and (2) the in terrorem effect in some New Mexico counties of a trial by jury. Summary judgments were invented by the federal courts to permit a party to file a motion for summary judgment to end the case before trial if "there were no material issues of fact" concerning the merits of the case. In New Mexico most state judges will not grant summary judgment if there is any hint of a dispute. Many times even a loud and confusing argument will persuade the judge to deny the motion. Added to this inability to stop weak cases at the outset is the liberal view of some juries in certain parts of New Mexico. Banks are never favorites of juries, but a jury in one of the high unemployment, high poverty counties makes a bank officer check the bank's lender liability insurance limits.
Is there a solution, absent a change in the economics of New Mexico? Yes, to an extent, although little can be done to fix the old mortgage loan foreclosure problems. A bank should do at least four things immediately: (1) if possible do all loans and renewals on a Deed of Trust; (2) insert a "waiver of jury trial" in your loan forms or use the most current LaserPro, or similar vendor form, which has the waiver of jury trial language in it; (3) always use a "workout agreement" or similar "without prejudice" document when negotiating a renewal of a loan (in the writer's experience most sizable foreclosures have been renewed, sometimes with contentious negotiations); and (4) always use a tight, well drafted commitment letter for any renewal.
After this you may agree with Ambrose Bierce: "Lawsuit: a machine you go into as a pig and come out as a sausage." The Devil's Dictionary
Marshall Martin
Comeau, Maldegen, Templeman & Indall, LLP
(505) 982-4611
mmartin@cmtisantafe.com
newmexicobankinglawyer.blogspot.com
Monday, February 21, 2011
SAVING A BANK FROM BONNIE AND CLYDE 1932
This Blog is for New Mexico banks and New Mexico businesses or for those who want to know about the legal landscape in New Mexico banking and business. However, as banks wallow in the slow recovery from the worst economic downturn since the Great Depression and the regulators and Congress turn their backs on the community banks which have been the mainstay of American banking outside of Wall Street, an amusing historical event from the Depression is worth telling. It does not have much to do with law. It does show the spirit and attachment to local banks--at least those that survived-- which marked the Depression.
In August 1932 Bonnie and Clyde were trying to get out of Texas after a spree of robberies and three murders. They headed toward Carlsbad, New Mexico. Bonnie's aunt, Nettie Stamps, lived alone outside of Carlsbad. They holed up in her house with Ray Hamilton, their partner in crime.
Word reached Artesia, New Mexico, about 30 miles north of Carlsbad, that the Barrow gang was in New Mexico. On "reliable authority" someone in Artesia law enforcement got word that Bonnie and Clyde planned to rob the First National Bank of Artesia (recently renamed First American Bank). First National was started in 1903 and was the only viable bank in town. Bank failures had started as the Depression worsened and First National Bank of Artesia was an essential part of the economic life of Artesia's farmers. The town was less than 2000 in population and law enforcement was likely one or two town police.
Word of the impending Barrow gang raid on the Artesia bank got out quickly. The farmers, a close knit group, met and organized, joined by a few businessmen. There were about 10 of them. In the New Mexico of that day each of the farmers had 30-30 Winchesters or double barrel shotguns, loaded with Double Aught buckshot left from deer season.
The small bank building was in the center of town, just off Main Street. The bank was surrounded on all sides by one or two story buildings with small shops and apartments in the second stories. On August 12, 1932, before the bank opened, the armed farmers arrived to take their posts on top of the buildings surrounding the bank. They were waiting for Bonnie and Clyde. These farmers were to become some of the most prominent citizens of the town and their irrigated farms stretched out as far as 10 miles from town.
They sat on the roof until dark, waiting on the Barrow Gang. My Dad, one of them, admitted that the vigil was marked by boredom and occasional terror when a strange car approached the area. The farmers mounted the roofs early the next day. Later, after noon, word spread that Bonnie and Clyde were indeed in Carlsbad. They had kidnapped the Sheriff of Carlsbad, Joe Johns, and they were seen heading back to Texas. They liked him and did not kill him.
The Great Bank Robbery was foiled. First National Bank of Artesia was safe from Bonnie and Clyde. Privately most of the farmers were disappointed that they had not been able to engage in battle with Bonnie and Clyde. Bonnie and Clyde were lucky. Those farmers were good shots and no one was going to cause their bank to fail. Sadly, the farmers' spirit is gone and sometimes one thinks there is no one left to save these small banks.
Marshall Martin
Comeau, Maldegen, Templeman & Indall, LLP
(505) 982-4611
newmexicobankinglawyer.blogspot.com