Keeping a Record of NCUA's Regs; NAFCU's Comment Letter on TILA/RESPA

Written by Steve Van Beek

On Tuesday we blogged about the FTC's rescission of their regulations that transferred to the CFPB.  We also indicated that NCUA was likely to follow soon after and rescind their rules.  We also included this information about making a copy of the current rules:

"Prior to this occurring, it might be a good business practice to make a copy of the soon-to-be rescinded regulations to ensure your credit union has a copy of the regulations in effect in the past in the case of a member complaint, exam issue or lawsuit."

A very helpful comment highlighted that the Government Printing Office (GPO) retains a copy of each year's CFR in PDF or XML format.  Below are the 2011 PDFs of the rules that transferred from the NCUA to the CFPB.   

Main Rules.  These three rules were transferred either completely (Privacy and SAFE Act) or almost completely (Fair Credit Reporting Act).

• Part 716 - Privacy of Consumer Financial Information
• Part 717 - Fair Credit Reporting
• Part 761 - Registration of Residential Mortgage Loan Originators 

There are a few other regulations listed in the CFPB's Federal Register notice on the transferred regulations but they are not major changes and only impact certain situations.  Part 707 - NCUA's Truth in Savings regulation - is also included on the list but rulemaking authority for Part 707 remains with NCUA.

Note:  Prior years of regulations can be found by using this GPO starting page.  Hat tip to Kennyb.      

***

TILA/RESPA Disclosure Combination.  On Monday, NAFCU submitted a comment letter to the CFPB on their plans to combine the TILA and RESPA disclosures.  The comment letter is 7 pages long and highlights areas of concerns as the CFPB continues along their Dodd-Frank mandate.  

Remember:  The CFPB has to have an official proposal out for the TILA/RESPA combined disclosures by July 21, 2012.  Their Know Before You Own project was not an official proposed rule and was not part of the Administrative Procedures Act.   

Updated 2012 NAFCU Credit Union Compliance GPS is Now Available!

Written by Steve Van Beek

Shameless Plug Alert!

We are very pleased to announce the availability of the Updated 2012 NAFCU Credit Union Compliance GPS.  Over the course of the last year, there have been many small tweaks and changes that have made life difficult for credit unions and, specifically, compliance officers (and many others as well).  These included technical changes to regulations as well as substantive changes to regulations and regulators.  

The Updated 2012 GPS has been thoroughly updated and edited to reflect these changes and provide those researching credit union issues a useful, electronic guide. 

For example, the Updated GPS includes:

• A New Section on the Consumer Financial Protection Bureau;
• Updated Links after NCUA's Website Change;
• Updated Regulatory Citations Reflecting the CFPB's Ownership of the Consumer Regulations;
• Links to the CFPB's Version of the Electronic Code of Federal Regulations;
• An Expanded Bank Secrecy Act Section;
• A Separate Section on Vendor Management; and
• Many more additional updates and edits to ensure accuracy.   

In non-bullet format, the Updated 2012 GPS contains all new links to the updated NCUA website (including Legal Opinion Letters and Letters to Credit Unions).  The GPS also contains the new, correct citation to the CFPB's regulations (i.e., 12 C.F.R. 1026 rather than 12 C.F.R. 226 for Regulation Z) as well as links to the CFPB's regulations to help you find the most up-to-date version of the consumer regulations.       

Pricing.  The Updated 2012 GPS is $399 for NAFCU members and $499 for anyone else.  The GPS is not limited to credit unions and can be purchased by anyone interested in learning more about credit union laws and regulations. 

***

Table of Contents.  To get a feel for the Updated 2012 GPS, take a look at the following Tables of Contents which list the Sections that are included in each Chapter (plus the Appendix).

• Main Table of Content - 1-Page Snapshot of the 2012 GPS
• Chapter Specific Cover Pages - Listing of the Sections by Chapter
• Complete Table of Content - Listing the Contents of Each Section
• The Consumer Financial Protection Bureau Section Table of Contents 

***

Below are a couple of additional items about the Updated GPS.  

Electronic Manual.  The GPS is designed to be a an electronic manual as it contains numerous links to regulations and guidance documents.  Of course, you can print off your own copy of the GPS and use the hardcopy as a quick resource guide.  But, the best bang for your buck is being able to use the electronic links and be taken directly to the NCUA Legal Opinion Letter being described or NCUA's Statutory Lien regulation in 12 C.F.R. 701.39.

Available to Everyone.  The GPS is available for purchase by anyone and everyone.  We've had law firms and audit firms purchase the GPS in the past in addition to numerous credit unions.  Additionally, your credit union does not need to be a NAFCU member to purchase.  We hope the GPS serves as a valuable resource for anyone seeking to learn more about credit unions and the regulations that impact their daily operations.

One GPS Per Credit Union.  Remember - the purchase of the GPS provides access to your entire credit union or organization!  Please feel free to share the GPS with your colleagues at your credit union.  However, we put a lot of time and effort into creating and editing the GPS and we ask that you not share your GPS with other credit unions or third-parties.  

Regulatory Compliance School.  If your credit union sent someone to NAFCU's 2012 Regulatory Compliance School last week, that person should already have an electronic copy of the Updated GPS.  Be sure to track that copy down and share throughout your credit union.  No additional purchase would be required.  

Finding the CFPB's Regulations

Written by Steve Van Beek

Dodd-Frank transferred authority for the "enumerated consumer laws" to the CFPB on July 21, 2011.  In late December, the CFPB officially republished the regulations that implemented these "enumerated consumer laws" in its own section of the Electronic Code of Federal Regulations.

For credit unions, this means we need to use the CFPB's regulations for our research and our citations.  For example, the correct citation for Regulation Z is now 12 C.F.R. 1026 and not 12 C.F.R. 226.  

***

Why does this matter?  When the CFPB issues changes to these regulations - such as the remittances final rule - these regulations will only update the CFPB's Regulation E.  The prior version of Regulation E - under the Federal Reserve - will not be updated.  In order to research the latest and most accurate information, look to and cite the CFPB's regulations.  Note:  The remittances final rule can be found in Subpart B to Regulation E.    

***

CFPB Regulations.  Below are links to the CFPB's regulations with the updated citations.  This should be the starting point for your research.  

• 12 C.F.R. 1002 - Regulation B:  Equal Credit Opportunity Act
• 12 C.F.R. 1003 - Regulation C:  Home Mortgage Disclosure Act
• 12 C.F.R. 1005 - Regulation E:  Electronic Funds Transfers
• 12 C.F.R. 1006 - Regulation F:  Fair Debt Collection Practices Act
• 12 C.F.R. 1007 - Regulation G:  SAFE Act Mortgage Licensing - Federal System
• 12 C.F.R. 1016 - Regulation P:  Privacy of Consumer Financial Information
• 12 C.F.R. 1022 - Regulation V:  Fair Credit Reporting Act
• 12 C.F.R. 1024 - Regulation X (RESPA):  Real Estate Settlement Procedures Act
• 12 C.F.R. 1026 - Regulation Z - Truth in Lending Act

Above is not a complete list, but they are the ones with the biggest impact on credit unions.  The full listing of the CFPB's regulations is in Section 1000-1099 of Title 12 of the Electronic Code of Federal Regulations.

***

A couple of other items to keep in mind:

• Truth in Savings.  Credit Unions need to follow Part 707 for Truth in Savings rather than Regulation DD.  This blog post has more information.
• Federal Reserve.  The Federal Reserve lost authority for quite a few regulations.  However, they retain control over regulations that were not deemed to be "consumer" regulations.  This blog post has additional information on which regulations stayed with the Federal Reserve.  

More Republishing; Part 707 - Truth in Savings; Wish Granted

Written by Steve Van Beek

A Quick Note:  NAFCU's offices will be closed Friday, December 23rd and Monday, December 26th for the Christmas holiday.  We will be back blogging on Tuesday.  We hope you all have a wonderful holiday weekend!

***

We've tracked the CFPB's republishing in Monday and Tuesday's blog posts.  The CFPB hasn't slowed down.  

• Published in the Federal Register on Wednesday, December 21:
  • Equal Credit Opportunity (Regulation B)
  • Fair Credit Reporting (Regulation V)
  • Interstate Land Sales Registration Program (Regulations J, K, and L)
  • Privacy of Consumer Financial Information (Regulation P)
  • Truth in Savings (Regulation DD)

• Published in the Federal Register on Thursday, December 22:
  • Truth in Lending (Regulation Z)

***

On December 7th, we blogged on the possibility of the CFPB combining consumer regulations when it conducted its republishing.  Now that the CFPB has made progress on their republishing, we know additional information.  

NCUA will retain authority over Part 707 - implementing the Truth in Savings Act for credit unions.  Footnote 2 of the Proposed Rule contains this information:

"2. Dodd-Frank section 1029 generally excludes from this transfer of authority, subject to certain exceptions, any rulemaking authority over a motor vehicle dealer that is predominantly engaged in the sale and servicing of motor vehicles, the leasing and servicing of motor vehicles, or both. Further, Dodd-Frank section 1100B did not grant the Bureau TISA rulemaking authority over credit unions or repeal the NCUA's TISA rulemaking authority over credit unions under 12 U.S.C. 4311."  (emphasis added)

The proposed regulation (12 CFR 1030) mirrors the current Regulation DD (12 CFR 230) and includes this language in Part 1030.1(c):

"(c) Coverage. This part applies to depository institutions except for credit unions. In addition, the advertising rules in § 1030.8 of this part apply to any person who advertises an account offered by a depository institution, including deposit brokers."

What this means is that NCUA will need to follow the CFPB's lead on Truth in Savings issues just as they did in the past following the Federal Reserve.  The U.S. Code section cited by the CFPB - 12 U.S.C. 4311 - still requires NCUA to adopt a "substantially similar" regulation within 90 days.  NCUA's regulation, which will still be located in 12 C.F.R. 707, will continue to reflect the unique nature of credit unions.  

***

This year - my Christmas gift came early.  Two months ago, in fact.       

Michigan's victory over Ohio State wasn't too bad either.  I was able to enjoy The Game with my father-in-law (as he is from Ohio, he didn't enjoy it as much).  Luckily, we were able to get a photo before the game where we both were happy.  

Have a wonderful holiday weekend!

This and That; A Well-Fed Elmo

Posted by Anthony Demangone

Here's a few things to finish off the week.

NCUA.  NCUA held its monthly board meeting yesterday.  There was a minor tweak to its Truth in Savings regulation to bring it into line with Regulation DD.  The also disclosed their priorities for 2011.  You can access the items from the board meeting here.  In addition, we did write an article for today's NAFCU Today on the meeting.   NCUA also issued its most recent edition of the NCUA Report.  This issue tackles some timely issues:

• Financial literacy
• Recent board actions
• Risk management on online banking
• Trends in mortgage delinquencies
• Contingency fund planning

Privacy.  The OTS has issued a compliance guide for the model privacy notice. While this would have been handy dandy three months ago, the guide looks to be written in a clear manner and should be useful if you still have issues in that area. 

MBLs.  Here's a nice historical look at member business lending at credit unions. (Elliot Kashner, at CreditUnions.com)

***

Here's how we found Elmo the other day, thanks to Kate.  I'm just glad that Elmo didn't ask for cottage cheese.  I'm off to State College this weekend to visit family and kneel at the shrine. Have a great weekend, everyone!

Tuesday Grab Bag

Posted by Anthony Demangone

Here are a few items of interest.

Discrimination.  HUD is going to investigate 22 banks and mortgage lenders to see if there is illegal discrimination against minorities related to FHA loans. 

The investigations are in response to 22 complaints the National Community Reinvestment Coalition (NCRC) filed with HUD alleging that the loan activities of the mortgage originators showed that their home lending practices deny FHA- insured loans to African Americans and Latinos with credit scores as high as 640. Federal Housing Administration (FHA) guidelines allow mortgages to borrowers with credit scores above 580, provided the borrowers have down payments equaling 3.5 percent of the loan amount, or above 500, provided the borrowers have down payments equaling 10 percent of the loan amount.

Regulation Z.  The OCC has updated its Regulation Z examination procedures.   These procedures are a great way to gain a solid overview of examiner expectations.  And while the OCC does not regulate credit unions, its views on Regulation Z matters should be useful, as Regulation Z applies evenly to both credit unions and banks.

NCUA Legal Opinion on Gift Card Incentives. Can a credit union use a gift card give-away to boost attendance at its annual meeting?  Yes, but credit unions must be judicious in their use.  At some points, examiners may raise objections on "safety and soundness or corporate waste grounds."  That puts credit unions in a tough position, as this opinion letter doesn't give bright-line guidance or any safe harbors.  When is a gift-card attendance campaign too much? When does it raise a safety and soundness or corporate waste issue? Much like Supreme Court Justice Potter Stewart said about hard-core pornography, I guess that examiners will know it when they see it.  

Privacy.  This blog post provides a nice overview of a recent Commerce Department report on privacy. (Privacy & Security Law Blog.) This isn't a regulatory proposal, so there aren't any changes to our privacy requirements on the horizon (other than the move to the model privacy disclosure).  But privacy is an important issue, and a fluid one.  As technologies and marketing methods evolve, you'll see efforts to amend privacy requirements for American businesses.  This blog post is a nice reminder of that fact. 

Privacy; This and That

Posted by Anthony Demangone

I know that some of you are putting the final touches on your credit union's privacy policy to align it with the new model privacy form.  I'm not going to go into the nuts and bolts of the new model privacy form.  I did this post earlier that covered the "nuts and bolts" issues.  Today, I want to touch on two common questions that we've seen.

1. I don't see a requirement to post our privacy policy on our web site site.  Really? Yes, really.  There's no requirement to post your privacy policy there.  Keep in mind, not every credit union has a web site.  The requirement is to deliver it at account opening, and thereafter on an annual basis per the privacy regulation's requirements.  Again - there's no requirement to post it on your website.  But here's a thought: why wouldn't you post your privacy policy online? 
2. The next question comes in two flavors.  Flavor one: Do we have to use the new form? Flavor two: There is no way we're going to have our form ready by January 1, 2011.  I know the Mayans think the world is ending in 2012, but I fear our demise might come one year earlier based on our progress with this project.  No - there's no requirement to use the new form.  It is a model form, and if you use it according to its requirements beginning on January 1, 2011 - you'll exist in the regulatory Nirvana known as "Safe Harborville." Put another way, regulators and others will not be able to criticize your form if you use it properly.  If you don't have your new form ready on January 1, 2011, will the world end?  I really hope not based on my conversations with a few credit unions.  I'll just say this much...the regulators have given us a model form that provides a safe harbor.  If you don't take advantage of it on January 1, 2011, you will increase your compliance risk.  How much?  I can't speak for the regulators.  But I'll say this: which form would you rather have as your form if an examiner walked into your office on January 1, 2011?  (OK, I understand your credit union is likely closed that day to allow all employees to watch the "can't miss" Outback Bowl, featuring the football powerhouses Penn State and Florida.  But you get my point.)

Here are some other issues that caught my eye.

• Here's yet another wonderful post on overdraft protection from the Bank Lawyer's Blog that provides another view of the recently issued FDIC overdraft protection guidance.  You should read this guy's blog. Every day. And twice on Tuesdays.
• The Fed has issued this notice, WHICH CONTAINS THE INTER-AGENCY EXAM PROCEDURES FOR RISK-BASED PRICING NOTICES. I would have made that text blink if I had a clue about computers and such.  This is a nice little Holiday Gift from the Fed which should give us a better idea of regulator expectations on this issue.  And based on the emails and calls we've been receiving, quite a few of you are still working on this issue.

PS: Apologies for letting Pearl Harbor Day pass without mention yesterday. Shame on me. To any and all veterans out there, many thanks.

Some Private Thoughts; Early Bird Expires Today

Posted by Anthony Demangone

Quite a few NAFCU members have called us on privacy issues.  It seems that quite a few credit unions are in the midst of creating a new privacy disclosure using the new model privacy disclosure format. Quite a few callers are confused as to what a non-affiliated third party is, or when a member gets the right to opt-out of information sharing.  Other callers simply do not have a good handle on how they handle and share member information.

With that in mind, here are some general thoughts for those who are drafting privacy disclosures.

• Your privacy policy drives the disclosure.  To fill out the form correctly, a credit union has to know how it shares information.  This should be spelled out in a policy, and that policy should be shared with anyone who has the ability to share member information.  Does your credit union share information with non-affiliated third parties outside of one of the exceptions to providing an opt-out?  Don't look at me.  That's something you must be able to answer yourself.  
• Think about having a privacy officer.  I just made that up, but it might make sense.  You have many different parts of your credit union that share member information with third parties - hopefully in concert with your privacy policy.  When someone wants to do something new, such as share information with another company to market something, are they reviewing the privacy policy to see if the new practice is kosher? Are they reporting the proposed information sharing relationship to the person who is managing the privacy disclosure? Having a central person to manage information sharing would help to keep everyone on the same page.
• Shameless plug. If you’re interested in having NAFCU print and deliver your privacy notice after you’ve customized it based on your privacy policy, you click here to learn more. 
• Here are some aids that might help you as you put together your model disclosures:
  • NCUA's Small Credit Union Privacy Compliance Guide.  This resource provides a wonderful overview of NCUA's privacy rule, and it reviews basic privacy concepts that are fundamental to understanding the regulation.  Keep in mind that this guide was written before the model form was created, so please ignore any discussion in the guide concerning how to construct a privacy notice.
  • The FDIC's Model Privacy Form Compliance Guide.  The FDIC did a nice job of discussing issues related to the new model form, and they put together a 7 page compliance guide.  Very handy!
  • NCUA's Consumer Privacy FAQ document. There are a ton of gems in there.  Such as ....

Q. I offer consumer checking accounts. I notify my customers that, among other things, I make disclosures as permitted by law. My checking account customers deposit checks made payable to my customer but drawn on a financial institution unaffiliated with me. My practice is to write my customer’s account number on the back of the deposited check to facilitate its processing. The check itself then goes to the maker’s financial institution, with my customer’s account number on the check. Is this a disclosure of nonpublic personal information that would be subject to opt out requirements or the prohibition against sharing account numbers?

A. No. The opt out provisions do not apply to disclosures in connection with servicing or processing a financial product or service that a consumer requests or authorizes. Nor do they apply to disclosures that are required, or are a usual, appropriate, or acceptable method in connection with settling, processing, clearing, transferring, reconciling or collecting amounts charged, debited or otherwise paid. §§ ___.14(a), ___.14(b)(2)(vi)(A). Also, because the account number is added to the check solely for use in processing the check and is not used in connection with marketing by a third party, this disclosure is not prohibited by the ban on disclosing account numbers for marketing purposes. § ___.12.

Here's one final thought.  The new model privacy form is not mandatory.  Said another way, you don't have to use it. But it is the only way to enjoy "safe harbor" protection beginning in 2011.  Moving to the new model form may not be easy, but always keep your eye on the prize(the safe harbor).

***

The early bird pricing for the November 3 NAFCU "Annual Compliance Roundup" webcast ends today. Hey - I won't be offended if you don't sign up.  I understand that training budgets are limited.  But if you do plan to sign up, by all means do so today. You'll save $100. 

NCUA LOL on compensation and the IRS; A little privacy help from the FDIC

Posted by Anthony Demangone

Yesterday, NCUA released Legal Opinion Letter 10-0919 (September 22, 2010)  via its Express Subscription Service.   The opinion letter addresses NCUA's compensation regulation.

In short, NCUA regulations contain a general prohibition against compensating directors and other volunteer officials, not including the one paid director position as allowed by the Federal Credit Union Act. General rules often contain exceptions, as does this one.  For example, under NCUA's compensation rule, you can pay for a director's health insurance (subject to the rule's limitations), and this insurance benefit does not violate NCUA's general ban on compensation.  The same goes for training expenses.  

The exceptions, though, only pertain to NCUA's rule.  As NCUA indicates in its legal opinion:

The use of the term “compensation” in §701.33 is only for the purpose of describing the kind and amount of payment or reimbursement an FCU is permitted to provide to a board officer. NCUA’s use of that term does not in any way affect an FCU’s obligation to issue a Form 1099 to an individual when the IRC requires it.

So, there really is a two-step process.  First, when conferring a benefit or reimbursing expenses for a volunteer, the payment or benefit first must be able to pass through NCUA's compensation regulation.  If the payment can pass through the rule's requirements, a credit union must then determine if it must issue an appropriate 1099, in the name of the director. 

***

The FDIC issued FIL-60-2010 to help supervised banks comply with the new model privacy notice requirements.  The guidance does a nice job of framing the issue.  While the guidance applies to banks, I believe credit unions will find it to be a useful overview.

Massachusetts Privacy Law; Any Authors Out There?

Posted by Anthony Demangone

OK, here's a tidbit from San Francisco: The new Massachusetts Privacy Rule.  First, here are some useful links:

• The press release from the good Commonwealth of Massachusetts.
• The rule itself.
• An FAQ document about the rule.

The rule creates data security requirements for anyone who holds "personal information" of a Massachusetts resident.  The reach of the rule is long - Massachusetts believes it applies to all entities in the U.S. who hold such data.  It went into effect on March 1, 2010. 

But wait...don't FCUs have to comply with federal security regulations?  Yes, but those regulations were written under the Gramm-Leach Bliley Act.  That Act does not preempt state laws that offer greater protection.

The Massachusetts requirements are very similar to NCUA's security regulation, but not identical.  The one difference that caught my eye is found under section 17.04.  It deals with encryption.

*******

17.04: Computer System Security Requirements

Every person that owns or licenses personal information about a resident of the Commonwealth and electronically stores or transmits such information shall include in its written, comprehensive information security program the establishment and maintenance of a security system covering its computers, including any wireless system, that, at a minimum, and to the extent technically feasible, shall have the following elements:

(1) Secure user authentication protocols including:

(a) control of user IDs and other identifiers;

(b) a reasonably secure method of assigning and selecting passwords, or use of unique identifier technologies, such as biometrics or token devices;

(c) control of data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect;

(d) restricting access to active users and active user accounts only; and

(e) blocking access to user identification after multiple unsuccessful attempts to gain access or the limitation placed on access for the particular system;

(2) Secure access control measures that:

(a) restrict access to records and files containing personal information to those who need such information to perform their job duties; and

(b) assign unique identifications plus passwords, which are not vendor supplied default passwords, to each person with computer access, that are reasonably designed to maintain the integrity of the security of the access controls;

(3)Encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly.

(4) Reasonable monitoring of systems, for unauthorized use of or access to personal information;

(5) Encryption of all personal information stored on laptops or other portable devices;

(6) For files containing personal information on a system that is connected to the Internet, there must be reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of the personal information.

(7) Reasonably up-to-date versions of system security agent software which must include malware protection and reasonably up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis.

(8) Education and training of employees on the proper use of the computer security system and the importance of personal information security.

*******

NCUA's security regulation does not have such a clear mandate for encrypted data. (Appendix A of Part 748 indicates that credit unions should use encryption, if appropriate.)  While Massachusetts has limited resources and won't be able to enforce this rule in every corner of the U.S., I wanted to make you aware of this new expectation.

***

So, you think you can dance write? One of my friends at Sheshunoff forwarded this:

Become a Published Writer.  Sheshunoff Information Services is looking for experienced content experts with strong organizational and writing skills for quarterly updating of its publications. Sheshunoff publishes authoritative, timely, and practical guidance for financial institution professionals. Whether your expertise is in policy drafting, information technology, or compliance – this is your opportunity to share your valuable expertise with financial institutions across the country.

Interested?  Email them.