NCUA Report: Electronic Banking Threats and Security

Written by Bernadette Clair, Regulatory Compliance Counsel

One of the articles in NCUA's May 2013 Report, takes a look at Electronic Banking Threats and Security. The article reminds credit unions to be diligent in safeguarding member information and ensuring proper security and controls when offering E-banking services, such as internet banking, phone banking, mobile banking, etc. (Exam Tip: According to the article, NCUA examiners have received updated training on E-banking security and have been instructed to review these areas in more detail during exams.)

The article highlights guidance from the regulators related to E-banking. From the article:

"In October 2005, the Federal Financial Institution Examination Council (FFIEC) issued guidance entitled Authentication in an Internet Banking Environment. The guidance provided minimum supervisory expectations for effective authentication controls related to high-risk online transactions involving access to customer information or the movement of funds to other parties.

In 2006, NCUA issued a Letter to Credit Unions, No. 06-CU-13, to aid in the implementation of the authentication guidance and provided answers to frequently asked questions. The letter reinforced the risk-management framework specified in the FFIEC’s earlier letter and updated supervisory expectations for effective member authentication mechanisms, layered security and other controls to combat identity theft, cyber attacks and online transaction fraud.

A 2011 Letter to Credit Unions, No. 11-CU-09, reflects a more layered approach to risk-management, and includes annual risk assessments for E-banking services. It discusses minimum monitoring requirements at initial login and for funds transfers, as well as additional guidance on challenge question authentication techniques. The letter also has valuable information about new expectations for customer awareness programs, as well as, recommendations for increased scrutiny of commercial accounts.

In February 2013, NCUA issued additional guidance in the form of a Risk Alert, 13-Risk-0[1]. The Alert encourages risk mitigation strategies, against DDoS attacks such as: 

• performing risk assessments aimed at identifying risks associated with DDoS attacks;
• ensuring incident response programs include DDoS attack scenarios during testing; and
• performing ongoing third-party due diligence of Internet and web-hosting service providers to identify risks and implement appropriate traffic management policies and controls."

Here are links to the guidance documents referenced  in the excerpt above:

FFIEC’s Authentication in an Internet Banking Environment

NCUA Letter to Credit Unions, No. 06- CU-13

NCUA Letter to Credit Unions, No. 11-CU-09

NCUA Risk Alert, 13-Risk-01

See the article for additional details and guidance resources.

Cyber Threats; SCRA; Fannie Mae Resources; Economic Update; Mortgage Servicing Transfers

Written by Steve Van Beek

Below are couple of tidbits for your Tuesday.

***

NCUA Risk Alert on Cyber Threats.  NCUA issued Risk Alert 13-Risk-01 on steps credit unions should take to protect against Distributed Denial-of-Services (DDoS) attacks.  In recent months, these attacks have ticked up at financial institutions – including credit unions.  Be sure to pass this Risk Alert along to those in charge of risk management and information technology at your credit union.    

***

CFPB “Hit or Myth” on SCRA.  The CFPB had a recent blog post on various confusing issues related to servicemember protections under SCRA.  These “Hit or Myth” questions and answers might be useful for internal SCRA training.  For more CFPB information on servicemembers, check out this page.    

*** 

Fannie Mae Loan Quality Resources. If your credit union sells loans to Fannie Mae, be sure to check out their new resources regarding Loan Quality.  The webpage includes resource guides as well as free webinars to help understand Fannie Mae’s procedures.  Be sure to pass along the resource page to others at your credit union. 

***

NCUA’s February Economic Video.  NCUA’s latest economic video is now available for viewing on YouTube.  Each month, NCUA’s Chief Economist John Worth provides an overview of the economic market and how it impacts credit unions.  These are great videos to include in strategic planning or board sessions as NCUA comes directly to you – via YouTube – each month with an economic update.  

***

CFPB Bulletin on Mortgage Servicing Transfers.  In addition to changing nearly all the mortgage servicing requirements in January, the CFPB has mortgage servicing transfers in their crosshairs.  In mid-February, the CFPB announced their intent to “closely monitor transfer activity” by mortgage servicers.  In conjunction with the announcement, the CFPB issued Bulletin 2013-1 which provides specific information regarding the CFPB’s detailed focus on mortgage servicing transfers.  

Upcoming Compliance Dates; Veterans Day

Written by Sarah Zimmermann

I believe we've touched on these upcoming compliance issues separately but we thought it might be helpful to put them together in a cohesive post. Below are three compliance issues that are coming up soon.

SAFE Act Renewal.  MLOs that were registered before July 1 are required to renew their registrations before December 31 and they will not need to pay a renewal fee this year. Individual employees who registered after July 1 are not required to renew their registrations by the December 31 deadline but must do so in coming years. All institution accounts need to renew on an annual basis regardless of when the initial registration occurred and will pay a $100 fee. For more information the Nationwide Mortgage Licensing System & Registry has a Federal Registry Renewal and Reactivation Handbook.

 

NCUA's Advertising Rule.   NCUA's final advertising rule has a mandatory compliance date of January 1, 2012. This rule requires credit unions to include the agency’s official advertising statement on annual reports and financial statements of condition required to be published by law and shortens the radio and television advertisement exemption requiring the statement with advertisements that are 15 seconds or longer. This final rule also defines the term “advertisement” and details the size requirement for NCUA’s official advertisement statement in print materials. NAFCU members, you can read more about this in NAFCU's Final Regulation 11-EF-15, which can be accessed from this page.

Member online authentication. In June, NCUA issued Letter to CUs 11-CU-09 which included supplemental guidance to the 2005 FFIEC guidance on online member authentication. NCUA notes in the letter that examiners will evaluate authentication controls under the enhanced expectations outlined in the supplemental guidance, which includes further guidance on layered security.

***

 

In honor of Veterans Day, NAFCU offices will be closed tomorrow, November 11. As always, we'd like to extend our gratitude and appreciation to those who have served, do serve, and will serve. Your service allows us to the live the lives we do. On that note, Anthony penned a great blog last year reminding us of the laws that protect servicemembers financially. Rather than recreate, I figured we could link to it.

Have a great weekend everyone. We'll be back on Monday.

Authentication in an Internet Banking Environment

Written by Patrick Bloomstine

Yesterday, the Federal Financial Institutions Examination Council (FFIEC) released its Supplement to Authentication in an Internet Banking Environment. FFIEC originally issued guidance on this topic back in 2005. The NCUA Letter to Credit Unions can be found here. The purpose of this supplement is to “reinforce the Guidance’s risk management framework and update the Agencies’ expectations regarding customer authentication, layered security, or other controls in the increasingly hostile online environment.”

Generally, the supplement encourages financial institutions to not rely solely one or two controls for authorizing high risk transactions. Instead, it advocates a system of layered security, and it sets more specific expectations in five areas of concern: risk assessments; customer authentication for high-risk transactions; layered security programs; effectiveness of certain authentication techniques; and customer awareness and education.

Layered security uses several different controls at different points in the transaction to prevent fraud. This allows one control to make up for a weakness in another and vice versa (kind of like all the Spartans’ shields fit together to protect each other in 300). The supplement provides a non-exhaustive list of effective controls for layered security including the use of both out-of-band verification, “positive pay”, and debit blocks.

The supplement advises that financial institutions should review their risk assessments on one of three timetables. They should do this: (1) as new information becomes available, (2) before they provide new electronic financial services, or (3) at the very least every twelve months. It also, provides a non-exhaustive list of factors to consider in updated risk assessments, including changes in the customer base now using electronic banking services and changes in the internal and external threat environment.

With increases in the use of electronic banking and the greater sophistication of fraudsters, this is important guidance for credit unions to take in, so pass it along to the person at your credit union in charge of online security.

Oversight of CFPB; This and That; Still a Tourist

Posted by Anthony Demangone

Earlier this week, I had the pleasure of attending a luncheon where Congressman Spencer Bachus (R-Ala.) addressed a gaggle of regulatory peeps.  Rep. Bachus is a big deal in Washington, as he is the Chair of the House Committee on Financial Services.   He spoke about a number of issues, including his views of the CFPB. 

He viewed the new agency as potentially problematic, laying out three basic reasons for his view.

• While Elizabeth Warren is not technically the Director, she is hiring everyone who will "count" at the CFPB.   Those new hires will be molded by Ms. Warren. Mr. Bachus doesn't see eye-to-eye with Ms. Warren on the role of regulation, so he sees an agency of Warren-ites as troubling.  Mr. Bachus' views are very interesting in light of this article from the L.A. Times. 

In any case, Warren is already aware that fresh blood is needed in the regulatory arena. She said she wants to avoid hiring nothing but older, seen-it-all-before bureaucrats who may be set in their ways.

"We're going to hire new, young staff and train them to follow the law," Warren said.

Hey, wait a minute. Isn't that the script for "The Untouchables"?

"That's what I'll be renting this weekend," she said, laughing.

• He noted that the CFPB will increase regulatory burdens.  But he added something that is missed by many.  When a new set of regulatory hurdles is put in place, those hurdles have a greater impact on smaller businesses.  So, credit unions and community banks, entities that don't have a ton of resources to throw at compliance and legal risks, will be affected the most.  This remains to be seen, but it is a concern that I share with Mr. Bachus.  I understand that Ms. Warren wants to level the playing field so that good actors are not competing against bad actors with one arm tied behind their backs.  But if the smaller good actors are using both hands to deal with new regulatory requirements, we won't have any free hands to compete with anyone.
• Mr. Bachus also noted that financial regulators must balance consumer protection with safety and soundness.  If the only products that a financial firm is allowed to offer do not make money, that firm is in a world of trouble. 

Mr. Bachus' comments are a reminder of the complex dance that is done in Washington, D.C.  Ms. Warren has her marching orders. She is building the CFPB.  But checks and balances are in place, and Mr. Bachus has indicated that he'll use his position and power to keep an eye on things at the CFPB.  

***

Here are a few items of interest.

• The CFPB will host a "credit card conference" next Tuesday to measure the impact of the Credit CARD Act.

We will bring together academics, industry leaders, consumer advocates, and voices from within government to look at the data from multiple directions, and to analyze how the industry has reacted and how consumers are responding. The idea is to establish a fact base upon which the CFPB can improve our understanding of the impact of the CARD Act and to help us understand how we can make credit markets work better.

• The FFIEC announced its new and improved IT Examination Infobase.   The announcement doesn't signal a change to the FFIEC's IT handbook, but the FFIEC believes the change should improve access to guidance and the ability of the FFIEC to update guidance in the future. The IT Examination Handbook is a huge source of valuable guidance.
• NAFCU has entered into an agreement with Sheshunoff and Thompson that benefits the entire credit union industry. NAFCU was able to negotiate a credit union discount for the entire Sheshunoff and Thompson libraries of content. If you find a manual or product that tickles your fancy, use promo code NAFCU11 at checkout when you purchase or renew the product to save 10%.  Learn more about this new development here.

***

I arrived a bit early for the luncheon with Rep. Bachus, so I had about 5 minutes to kill.  Those five minutes became a personal pep-talk. I've lived in the D.C. area since 1996.  The traffic may be bad and the work may be hectic, but part of me will always be a tourist that is overwhelmed by Washington, D.C. and the institutions and places it hosts. 

 

This and That...

Posted by Anthony Demangone

My inbox still runneth over. Here are some more items of note.

Da Fed.  The Fed just released two rule-makings.  I'll get into more details later in the week, but for now...

• They released this interim final rule (compliance deadline April 1, 2011), to address appraiser independence and compensation. The rule-making was required under Dodd-Frank.
• They released this proposal to close a few loopholes that popped up concerning Reg Z's rules on credit cards. 
• They also released a final rule that finalizes an interim final rule concerning the compliance date for gift cards. 

STS.  I guess that's the new acronym for NCUA's short-term, small amount loan regulation. NCUA recently released NCUA Regulatory Alert 10-RA-13, which is a FAQ document that addresses the recent changes. For example, the following question and answer addresses balloon payments in relation to STS loans. 

Must the loan be amortized, or can the borrower make a balloon payment at the end of the loan term?

The loan must be amortized in such a way that allows the borrower to repay the loan in the given term. FCUs must structure the payments so that the borrower is paying a portion of the principle and interest in equal or near-equal installments on a periodic basis over the course of the loan. While NCUA is not prescribing specific payment schedules (such as monthly or bi-weekly), FCUs should offer payment schedules that allow borrowers to easily repay the loan within the given term.

 FinCEN.  FinCEN was a busy beaver recently.

• FinCEN will reorganize its rules  next year in an effort to make the rules easier to understand.  Rules affecting a particular industry will be grouped together, for example.  Here's an index of the proposed reorganization.  Our rules will be under Part 1020.  Keep in mind that this will not change anything of substance.  But it will take some time to get used to, and all of our existing BSA citations will be dated once the changes go into affect.  Ugh.
• FinCEN published a study  that looked at SARs which reported identify theft.  There is a ton of information in there, and I would forward the study on to your fraud team.  Of note, credit card fraud continues to be the most common type reported on SARs.  And roughly 27 percent of fraud victims know the alleged suspect.  

FTC.  Speaking of identity theft, the FTC announced a bundling of consumer-oriented ID theft resources. You may be able to help consumers by pointing them toward these free resources.  (SHAMELESS PLUG ALERT!) In addition, NAFCU does sell a number of security and ID-related statement stuffers. 

Consumer Compliance Outlook; This and That

Posted by Anthony Demangone

The Fed has released the latest issue of its Consumer Compliance Outlook publication.  I always find the articles to be well-written, and very useful.  Of note in this issue:

• An article on changes to the HUD-1.
• Furnisher requirements under the FACT Act.
• MDIA explanations and examples.
• An index of all of their articles.
• A super useful calendar of upcoming requirements.

Sign up to receive email notifications when new issues are available here. 

***

In other news:

• NCUA charters 2 "bridge" corporate credit unions. 
• NAFCU members: We've issued a "Final Regulation" for NCUA's recent Short Term/Small Amount Loan Regulation.
• The FDIC has issued guidance on the security risks involved with digital images stored on copiers, fax machines, and printers.  You may recall that we wrote about this issue back in August. In short, these machines store digital images of the faxes, copies or items that you print.  When you get rid of the machines, the images go with them unless you have policies and procedures in place to strip the potentially sensitive data.  The security risk increases compliance risks related to Part 748 of NCUA's rules and regulations, not to mention Red Flags. 

 

Massachusetts Privacy Law; Any Authors Out There?

Posted by Anthony Demangone

OK, here's a tidbit from San Francisco: The new Massachusetts Privacy Rule.  First, here are some useful links:

• The press release from the good Commonwealth of Massachusetts.
• The rule itself.
• An FAQ document about the rule.

The rule creates data security requirements for anyone who holds "personal information" of a Massachusetts resident.  The reach of the rule is long - Massachusetts believes it applies to all entities in the U.S. who hold such data.  It went into effect on March 1, 2010. 

But wait...don't FCUs have to comply with federal security regulations?  Yes, but those regulations were written under the Gramm-Leach Bliley Act.  That Act does not preempt state laws that offer greater protection.

The Massachusetts requirements are very similar to NCUA's security regulation, but not identical.  The one difference that caught my eye is found under section 17.04.  It deals with encryption.

*******

17.04: Computer System Security Requirements

Every person that owns or licenses personal information about a resident of the Commonwealth and electronically stores or transmits such information shall include in its written, comprehensive information security program the establishment and maintenance of a security system covering its computers, including any wireless system, that, at a minimum, and to the extent technically feasible, shall have the following elements:

(1) Secure user authentication protocols including:

(a) control of user IDs and other identifiers;

(b) a reasonably secure method of assigning and selecting passwords, or use of unique identifier technologies, such as biometrics or token devices;

(c) control of data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect;

(d) restricting access to active users and active user accounts only; and

(e) blocking access to user identification after multiple unsuccessful attempts to gain access or the limitation placed on access for the particular system;

(2) Secure access control measures that:

(a) restrict access to records and files containing personal information to those who need such information to perform their job duties; and

(b) assign unique identifications plus passwords, which are not vendor supplied default passwords, to each person with computer access, that are reasonably designed to maintain the integrity of the security of the access controls;

(3)Encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly.

(4) Reasonable monitoring of systems, for unauthorized use of or access to personal information;

(5) Encryption of all personal information stored on laptops or other portable devices;

(6) For files containing personal information on a system that is connected to the Internet, there must be reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of the personal information.

(7) Reasonably up-to-date versions of system security agent software which must include malware protection and reasonably up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis.

(8) Education and training of employees on the proper use of the computer security system and the importance of personal information security.

*******

NCUA's security regulation does not have such a clear mandate for encrypted data. (Appendix A of Part 748 indicates that credit unions should use encryption, if appropriate.)  While Massachusetts has limited resources and won't be able to enforce this rule in every corner of the U.S., I wanted to make you aware of this new expectation.

***

So, you think you can dance write? One of my friends at Sheshunoff forwarded this:

Become a Published Writer.  Sheshunoff Information Services is looking for experienced content experts with strong organizational and writing skills for quarterly updating of its publications. Sheshunoff publishes authoritative, timely, and practical guidance for financial institution professionals. Whether your expertise is in policy drafting, information technology, or compliance – this is your opportunity to share your valuable expertise with financial institutions across the country.

Interested?  Email them.

Sunburned This and That...

Posted by Anthony Demangone

I'm back from the beach.  I thought I'd share this one story.  During the evening on July 1, I heard explosions.  My family members assumed the noise came from fireworks. (We vacationed in South Carolina, where you can purchase serious, big, boom-boom fireworks on every street corner.)  I countered with another theory, centered on the anarchy caused by all the July 1 compliance deadlines.  

They all looked at me with blank stares.  

I explained to them that for banks and credit union compliance peeps, July 1st had been circled on calendars for quite some time.  No one in my family was aware of our pain and suffering.  They knew something had happened with credit cards, and a few of them did notice an up-tick in communications about something called "overdraft protection."   That was it. 

And perhaps that is as it should be. Sometimes, we can get so caught up in issues, that we can lose sense of what is really important.  Our jobs are serious, as is our work.  But in 30 years, I truly hope that none of us look back on this summer as the defining moment in our lives.  Let's do our work.  Let's do it well.  Let's protect our credit unions.  But let's keep a balance in our lives.  

***

OK, my email inbox is overwhelmed.  Here's a few items of interest.

Threats.  NCUA's security regulation requires us to reasonably protect sensitive member information from threats.  We often view threats as coming from "out there."  Well, they can come from the "in here" as well. This article reminds us that security should protect member information from internal threats. 

Hurricanes.  NCUA issued Letter to Credit Unions 10-CU-10 to urge credit unions to prepare for hurricane season and to periodically refresh pandemic preparedness.  The guidance contains an appendix with a number of resources. Perhaps my favorite resource is the FFIEC Business Continuity Handbook. 

Podcast.  Rob and the gang (sans me) delivered another great "current issues in credit unions" podcast.  Download the podcast and listen to it while on the treadmill, where I should be for the next 2 months based on last week's see-food diet. (Not a typo.)

Gambling.  The FDIC released this financial institution letter regarding Regulation GG. It contains a nice overview, as well as the exam procedures used by examiners to review your compliance.  Granted, this was issued by the FDIC, but the FDIC indicated that NCUA would be using these exam procedures as well.

BSA.  Here's a great blog post from Felix Salmon highlighting how money laundering is still a problem. 

This and That...

Posted by Anthony Demangone

Here are a few things to kick off your week.

Death of free checking? I don't like to say I told you so, but this was pretty easy to see coming.  A Wall Street Journal article points to the possible death of "free checking."  With all the constraints placed on our shoulders in the last year or so, is this truly a surprise to anyone?

Bank of America Corp. and other banks are preparing new fees on basic banking services as they try to replace revenue lost to regulatory rules, in a push that is expected to spell an end to free checking accounts for many Americans.

Free checking accounts, which have been widely available for more than a decade, have been a boon to middle-class consumers and attracted low-income customers to the banking system for the first time.

Customers will likely be required to pay new monthly maintenance fees on the most basic accounts that don't generate a lot of activity. To avoid a fee, customers will have to maintain certain account balances or frequently use other banking services, such as credit and debit cards, automated teller machines and online accounts.

Flood.  Two things remain the same.  We're still in a NFIP lapse.  And the civil money penalties for bank flood violations keep rolling in.  (Link to Bankersonline.com.)

Mortgage fraud.  In the past, you may recall FinCEN hammering away on the issue of mortgage fraud.  I think they were on to something.  Recently, the DOJ announced an indictment involving a $1.9 billion mortgage fraud scheme.  More than 1,200 individuals have been arrested on similar charges in the last few months.  While the horse may be out of the barn, here's a link to FinCEN's latest mortgage fraud update.

NCUA Virtual Town Hall Meeting.  NCUA is taking registrations for its "virtual" town hall meeting with NCUA Chairman Debbie Matz. 

Ponzi Schemes.  Here's an interesting blog post from BankInfoSecurity.com on Ponzi schemes, and how they might affect your credit union.  And if anyone wants a truly terrifying picture of a Ponzi scheme, just read this book.   It is a page-turner.