Upcoming Compliance Dates; Veterans Day

Written by Sarah Zimmermann

I believe we've touched on these upcoming compliance issues separately but we thought it might be helpful to put them together in a cohesive post. Below are three compliance issues that are coming up soon.

SAFE Act Renewal.  MLOs that were registered before July 1 are required to renew their registrations before December 31 and they will not need to pay a renewal fee this year. Individual employees who registered after July 1 are not required to renew their registrations by the December 31 deadline but must do so in coming years. All institution accounts need to renew on an annual basis regardless of when the initial registration occurred and will pay a $100 fee. For more information the Nationwide Mortgage Licensing System & Registry has a Federal Registry Renewal and Reactivation Handbook.

 

NCUA's Advertising Rule.   NCUA's final advertising rule has a mandatory compliance date of January 1, 2012. This rule requires credit unions to include the agency’s official advertising statement on annual reports and financial statements of condition required to be published by law and shortens the radio and television advertisement exemption requiring the statement with advertisements that are 15 seconds or longer. This final rule also defines the term “advertisement” and details the size requirement for NCUA’s official advertisement statement in print materials. NAFCU members, you can read more about this in NAFCU's Final Regulation 11-EF-15, which can be accessed from this page.

Member online authentication. In June, NCUA issued Letter to CUs 11-CU-09 which included supplemental guidance to the 2005 FFIEC guidance on online member authentication. NCUA notes in the letter that examiners will evaluate authentication controls under the enhanced expectations outlined in the supplemental guidance, which includes further guidance on layered security.

***

 

In honor of Veterans Day, NAFCU offices will be closed tomorrow, November 11. As always, we'd like to extend our gratitude and appreciation to those who have served, do serve, and will serve. Your service allows us to the live the lives we do. On that note, Anthony penned a great blog last year reminding us of the laws that protect servicemembers financially. Rather than recreate, I figured we could link to it.

Have a great weekend everyone. We'll be back on Monday.

Authentication in an Internet Banking Environment

Written by Patrick Bloomstine

Yesterday, the Federal Financial Institutions Examination Council (FFIEC) released its Supplement to Authentication in an Internet Banking Environment. FFIEC originally issued guidance on this topic back in 2005. The NCUA Letter to Credit Unions can be found here. The purpose of this supplement is to “reinforce the Guidance’s risk management framework and update the Agencies’ expectations regarding customer authentication, layered security, or other controls in the increasingly hostile online environment.”

Generally, the supplement encourages financial institutions to not rely solely one or two controls for authorizing high risk transactions. Instead, it advocates a system of layered security, and it sets more specific expectations in five areas of concern: risk assessments; customer authentication for high-risk transactions; layered security programs; effectiveness of certain authentication techniques; and customer awareness and education.

Layered security uses several different controls at different points in the transaction to prevent fraud. This allows one control to make up for a weakness in another and vice versa (kind of like all the Spartans’ shields fit together to protect each other in 300). The supplement provides a non-exhaustive list of effective controls for layered security including the use of both out-of-band verification, “positive pay”, and debit blocks.

The supplement advises that financial institutions should review their risk assessments on one of three timetables. They should do this: (1) as new information becomes available, (2) before they provide new electronic financial services, or (3) at the very least every twelve months. It also, provides a non-exhaustive list of factors to consider in updated risk assessments, including changes in the customer base now using electronic banking services and changes in the internal and external threat environment.

With increases in the use of electronic banking and the greater sophistication of fraudsters, this is important guidance for credit unions to take in, so pass it along to the person at your credit union in charge of online security.

Oversight of CFPB; This and That; Still a Tourist

Posted by Anthony Demangone

Earlier this week, I had the pleasure of attending a luncheon where Congressman Spencer Bachus (R-Ala.) addressed a gaggle of regulatory peeps.  Rep. Bachus is a big deal in Washington, as he is the Chair of the House Committee on Financial Services.   He spoke about a number of issues, including his views of the CFPB. 

He viewed the new agency as potentially problematic, laying out three basic reasons for his view.

• While Elizabeth Warren is not technically the Director, she is hiring everyone who will "count" at the CFPB.   Those new hires will be molded by Ms. Warren. Mr. Bachus doesn't see eye-to-eye with Ms. Warren on the role of regulation, so he sees an agency of Warren-ites as troubling.  Mr. Bachus' views are very interesting in light of this article from the L.A. Times. 

In any case, Warren is already aware that fresh blood is needed in the regulatory arena. She said she wants to avoid hiring nothing but older, seen-it-all-before bureaucrats who may be set in their ways.

"We're going to hire new, young staff and train them to follow the law," Warren said.

Hey, wait a minute. Isn't that the script for "The Untouchables"?

"That's what I'll be renting this weekend," she said, laughing.

• He noted that the CFPB will increase regulatory burdens.  But he added something that is missed by many.  When a new set of regulatory hurdles is put in place, those hurdles have a greater impact on smaller businesses.  So, credit unions and community banks, entities that don't have a ton of resources to throw at compliance and legal risks, will be affected the most.  This remains to be seen, but it is a concern that I share with Mr. Bachus.  I understand that Ms. Warren wants to level the playing field so that good actors are not competing against bad actors with one arm tied behind their backs.  But if the smaller good actors are using both hands to deal with new regulatory requirements, we won't have any free hands to compete with anyone.
• Mr. Bachus also noted that financial regulators must balance consumer protection with safety and soundness.  If the only products that a financial firm is allowed to offer do not make money, that firm is in a world of trouble. 

Mr. Bachus' comments are a reminder of the complex dance that is done in Washington, D.C.  Ms. Warren has her marching orders. She is building the CFPB.  But checks and balances are in place, and Mr. Bachus has indicated that he'll use his position and power to keep an eye on things at the CFPB.  

***

Here are a few items of interest.

• The CFPB will host a "credit card conference" next Tuesday to measure the impact of the Credit CARD Act.

We will bring together academics, industry leaders, consumer advocates, and voices from within government to look at the data from multiple directions, and to analyze how the industry has reacted and how consumers are responding. The idea is to establish a fact base upon which the CFPB can improve our understanding of the impact of the CARD Act and to help us understand how we can make credit markets work better.

• The FFIEC announced its new and improved IT Examination Infobase.   The announcement doesn't signal a change to the FFIEC's IT handbook, but the FFIEC believes the change should improve access to guidance and the ability of the FFIEC to update guidance in the future. The IT Examination Handbook is a huge source of valuable guidance.
• NAFCU has entered into an agreement with Sheshunoff and Thompson that benefits the entire credit union industry. NAFCU was able to negotiate a credit union discount for the entire Sheshunoff and Thompson libraries of content. If you find a manual or product that tickles your fancy, use promo code NAFCU11 at checkout when you purchase or renew the product to save 10%.  Learn more about this new development here.

***

I arrived a bit early for the luncheon with Rep. Bachus, so I had about 5 minutes to kill.  Those five minutes became a personal pep-talk. I've lived in the D.C. area since 1996.  The traffic may be bad and the work may be hectic, but part of me will always be a tourist that is overwhelmed by Washington, D.C. and the institutions and places it hosts. 

 

This and That...

Posted by Anthony Demangone

My inbox still runneth over. Here are some more items of note.

Da Fed.  The Fed just released two rule-makings.  I'll get into more details later in the week, but for now...

• They released this interim final rule (compliance deadline April 1, 2011), to address appraiser independence and compensation. The rule-making was required under Dodd-Frank.
• They released this proposal to close a few loopholes that popped up concerning Reg Z's rules on credit cards. 
• They also released a final rule that finalizes an interim final rule concerning the compliance date for gift cards. 

STS.  I guess that's the new acronym for NCUA's short-term, small amount loan regulation. NCUA recently released NCUA Regulatory Alert 10-RA-13, which is a FAQ document that addresses the recent changes. For example, the following question and answer addresses balloon payments in relation to STS loans. 

Must the loan be amortized, or can the borrower make a balloon payment at the end of the loan term?

The loan must be amortized in such a way that allows the borrower to repay the loan in the given term. FCUs must structure the payments so that the borrower is paying a portion of the principle and interest in equal or near-equal installments on a periodic basis over the course of the loan. While NCUA is not prescribing specific payment schedules (such as monthly or bi-weekly), FCUs should offer payment schedules that allow borrowers to easily repay the loan within the given term.

 FinCEN.  FinCEN was a busy beaver recently.

• FinCEN will reorganize its rules  next year in an effort to make the rules easier to understand.  Rules affecting a particular industry will be grouped together, for example.  Here's an index of the proposed reorganization.  Our rules will be under Part 1020.  Keep in mind that this will not change anything of substance.  But it will take some time to get used to, and all of our existing BSA citations will be dated once the changes go into affect.  Ugh.
• FinCEN published a study  that looked at SARs which reported identify theft.  There is a ton of information in there, and I would forward the study on to your fraud team.  Of note, credit card fraud continues to be the most common type reported on SARs.  And roughly 27 percent of fraud victims know the alleged suspect.  

FTC.  Speaking of identity theft, the FTC announced a bundling of consumer-oriented ID theft resources. You may be able to help consumers by pointing them toward these free resources.  (SHAMELESS PLUG ALERT!) In addition, NAFCU does sell a number of security and ID-related statement stuffers. 

Consumer Compliance Outlook; This and That

Posted by Anthony Demangone

The Fed has released the latest issue of its Consumer Compliance Outlook publication.  I always find the articles to be well-written, and very useful.  Of note in this issue:

• An article on changes to the HUD-1.
• Furnisher requirements under the FACT Act.
• MDIA explanations and examples.
• An index of all of their articles.
• A super useful calendar of upcoming requirements.

Sign up to receive email notifications when new issues are available here. 

***

In other news:

• NCUA charters 2 "bridge" corporate credit unions. 
• NAFCU members: We've issued a "Final Regulation" for NCUA's recent Short Term/Small Amount Loan Regulation.
• The FDIC has issued guidance on the security risks involved with digital images stored on copiers, fax machines, and printers.  You may recall that we wrote about this issue back in August. In short, these machines store digital images of the faxes, copies or items that you print.  When you get rid of the machines, the images go with them unless you have policies and procedures in place to strip the potentially sensitive data.  The security risk increases compliance risks related to Part 748 of NCUA's rules and regulations, not to mention Red Flags. 

 

Massachusetts Privacy Law; Any Authors Out There?

Posted by Anthony Demangone

OK, here's a tidbit from San Francisco: The new Massachusetts Privacy Rule.  First, here are some useful links:

• The press release from the good Commonwealth of Massachusetts.
• The rule itself.
• An FAQ document about the rule.

The rule creates data security requirements for anyone who holds "personal information" of a Massachusetts resident.  The reach of the rule is long - Massachusetts believes it applies to all entities in the U.S. who hold such data.  It went into effect on March 1, 2010. 

But wait...don't FCUs have to comply with federal security regulations?  Yes, but those regulations were written under the Gramm-Leach Bliley Act.  That Act does not preempt state laws that offer greater protection.

The Massachusetts requirements are very similar to NCUA's security regulation, but not identical.  The one difference that caught my eye is found under section 17.04.  It deals with encryption.

*******

17.04: Computer System Security Requirements

Every person that owns or licenses personal information about a resident of the Commonwealth and electronically stores or transmits such information shall include in its written, comprehensive information security program the establishment and maintenance of a security system covering its computers, including any wireless system, that, at a minimum, and to the extent technically feasible, shall have the following elements:

(1) Secure user authentication protocols including:

(a) control of user IDs and other identifiers;

(b) a reasonably secure method of assigning and selecting passwords, or use of unique identifier technologies, such as biometrics or token devices;

(c) control of data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect;

(d) restricting access to active users and active user accounts only; and

(e) blocking access to user identification after multiple unsuccessful attempts to gain access or the limitation placed on access for the particular system;

(2) Secure access control measures that:

(a) restrict access to records and files containing personal information to those who need such information to perform their job duties; and

(b) assign unique identifications plus passwords, which are not vendor supplied default passwords, to each person with computer access, that are reasonably designed to maintain the integrity of the security of the access controls;

(3)Encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly.

(4) Reasonable monitoring of systems, for unauthorized use of or access to personal information;

(5) Encryption of all personal information stored on laptops or other portable devices;

(6) For files containing personal information on a system that is connected to the Internet, there must be reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of the personal information.

(7) Reasonably up-to-date versions of system security agent software which must include malware protection and reasonably up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis.

(8) Education and training of employees on the proper use of the computer security system and the importance of personal information security.

*******

NCUA's security regulation does not have such a clear mandate for encrypted data. (Appendix A of Part 748 indicates that credit unions should use encryption, if appropriate.)  While Massachusetts has limited resources and won't be able to enforce this rule in every corner of the U.S., I wanted to make you aware of this new expectation.

***

So, you think you can dance write? One of my friends at Sheshunoff forwarded this:

Become a Published Writer.  Sheshunoff Information Services is looking for experienced content experts with strong organizational and writing skills for quarterly updating of its publications. Sheshunoff publishes authoritative, timely, and practical guidance for financial institution professionals. Whether your expertise is in policy drafting, information technology, or compliance – this is your opportunity to share your valuable expertise with financial institutions across the country.

Interested?  Email them.

Sunburned This and That...

Posted by Anthony Demangone

I'm back from the beach.  I thought I'd share this one story.  During the evening on July 1, I heard explosions.  My family members assumed the noise came from fireworks. (We vacationed in South Carolina, where you can purchase serious, big, boom-boom fireworks on every street corner.)  I countered with another theory, centered on the anarchy caused by all the July 1 compliance deadlines.  

They all looked at me with blank stares.  

I explained to them that for banks and credit union compliance peeps, July 1st had been circled on calendars for quite some time.  No one in my family was aware of our pain and suffering.  They knew something had happened with credit cards, and a few of them did notice an up-tick in communications about something called "overdraft protection."   That was it. 

And perhaps that is as it should be. Sometimes, we can get so caught up in issues, that we can lose sense of what is really important.  Our jobs are serious, as is our work.  But in 30 years, I truly hope that none of us look back on this summer as the defining moment in our lives.  Let's do our work.  Let's do it well.  Let's protect our credit unions.  But let's keep a balance in our lives.  

***

OK, my email inbox is overwhelmed.  Here's a few items of interest.

Threats.  NCUA's security regulation requires us to reasonably protect sensitive member information from threats.  We often view threats as coming from "out there."  Well, they can come from the "in here" as well. This article reminds us that security should protect member information from internal threats. 

Hurricanes.  NCUA issued Letter to Credit Unions 10-CU-10 to urge credit unions to prepare for hurricane season and to periodically refresh pandemic preparedness.  The guidance contains an appendix with a number of resources. Perhaps my favorite resource is the FFIEC Business Continuity Handbook. 

Podcast.  Rob and the gang (sans me) delivered another great "current issues in credit unions" podcast.  Download the podcast and listen to it while on the treadmill, where I should be for the next 2 months based on last week's see-food diet. (Not a typo.)

Gambling.  The FDIC released this financial institution letter regarding Regulation GG. It contains a nice overview, as well as the exam procedures used by examiners to review your compliance.  Granted, this was issued by the FDIC, but the FDIC indicated that NCUA would be using these exam procedures as well.

BSA.  Here's a great blog post from Felix Salmon highlighting how money laundering is still a problem. 

This and That...

Posted by Anthony Demangone

Here are a few things to kick off your week.

Death of free checking? I don't like to say I told you so, but this was pretty easy to see coming.  A Wall Street Journal article points to the possible death of "free checking."  With all the constraints placed on our shoulders in the last year or so, is this truly a surprise to anyone?

Bank of America Corp. and other banks are preparing new fees on basic banking services as they try to replace revenue lost to regulatory rules, in a push that is expected to spell an end to free checking accounts for many Americans.

Free checking accounts, which have been widely available for more than a decade, have been a boon to middle-class consumers and attracted low-income customers to the banking system for the first time.

Customers will likely be required to pay new monthly maintenance fees on the most basic accounts that don't generate a lot of activity. To avoid a fee, customers will have to maintain certain account balances or frequently use other banking services, such as credit and debit cards, automated teller machines and online accounts.

Flood.  Two things remain the same.  We're still in a NFIP lapse.  And the civil money penalties for bank flood violations keep rolling in.  (Link to Bankersonline.com.)

Mortgage fraud.  In the past, you may recall FinCEN hammering away on the issue of mortgage fraud.  I think they were on to something.  Recently, the DOJ announced an indictment involving a $1.9 billion mortgage fraud scheme.  More than 1,200 individuals have been arrested on similar charges in the last few months.  While the horse may be out of the barn, here's a link to FinCEN's latest mortgage fraud update.

NCUA Virtual Town Hall Meeting.  NCUA is taking registrations for its "virtual" town hall meeting with NCUA Chairman Debbie Matz. 

Ponzi Schemes.  Here's an interesting blog post from BankInfoSecurity.com on Ponzi schemes, and how they might affect your credit union.  And if anyone wants a truly terrifying picture of a Ponzi scheme, just read this book.   It is a page-turner.

Odds and Ends

Posted by Anthony Demangone

Welcome back, everyone.   I hope everyone is getting over their sunburns and overloaded email inboxes.   Now, on to the post...

Red Flags Delayed...Again.  The FTC has delayed enforcement of its Identity Theft Red Flags rule...again. Enforcement is now delayed until December 31, 2010.

At the request of several Members of Congress, the Federal Trade Commission is further delaying enforcement of the “Red Flags” Rule through December 31, 2010, while Congress considers legislation that would affect the scope of entities covered by the Rule. Today’s announcement and the release of an Enforcement Policy Statement do not affect other federal agencies’ enforcement of the original November 1, 2008 deadline for institutions subject to their oversight to be in compliance.

The delay only benefits state chartered credit unions.  Federally-chartered credit unions have been under NCUA's identity theft regulation for quite some time.

Reg Z's Closed End Final Rule. A little birdie told us that the Fed is nowhere close to releasing the final rule that will amend its closed end lending rules. 

Fraud and insider abuse. OTS has released an updated version of Regulatory Bulletin 37-54.  The bulletin addresses the issue of fraud and insider abuse.  The bulletin discusses virtually every angle of this issue, from filing SARs to risk mitigation techniques.  I'd share this with your security officer.  While the citations flow to OTS requirements, the basic information is sound and worthy of your attention.

1099s.  NAFCU is in no way an expert on tax issues, but we do track IRS-related issues to see how they could affect our members.  You may not have seen this yet, but buried inside the health care reform legislation was language that will change how 1099s are prepared.  The changes will take effect in 2012.  Here's a general article that highlights how those changes may affect American businesses - including credit unions. (CNNMoney.com)

But under the new rules, if a freelance designer buys a new iMac from the Apple Store, they'll have to send Apple a 1099. A laundromat that buys soap each week from a local distributor will have to send the supplier a 1099 at the end of the year tallying up their purchases.

The bill makes two key changes to how 1099s are used. First, it expands their scope by using them to track payments not only for services but also for tangible goods. Plus, it requires that 1099s be issued not just to individuals, but also to corporations.

Taken together, the two seemingly small changes will require millions of additional forms to be sent out.

Shameless plug.  Tomorrow, I'll moderate a NAFCU webcast on Hot Issues at NCUA.  There's still time to sign up! 

This and That

Posted by Anthony Demangone

So many compliance issues, so little time!

Flood insurance.  The FDIC issued a nice Financial Institution Letter highlighting responsibilities of institutions during a lapse in the National Flood Insurance Plan. Sure, the FDIC does not regulate credit unions, but the guidance should be useful.  And speaking of flood insurance, Rep. Barney Frank has proposed legislation that would extend the NFIP through the end of September 2010. The NFIP will lapse at the end of this month unless Congress acts to extend the program. 

NCUA prohibition orders. NCUA recently issued three prohibition orders against individual who worked (notice the past tense) at federally insured credit unions. The prohibition orders can help trainers drive home the following two points:

1. There is a need for strong internal controls and audit functions, as there are people who will rip off credit unions from the inside if they think they can get away with it;
2. The prohibition orders can act as a deterrent, as they show that there are consequences.  The orders show that people are watching.  

Credit Card Act - Report.  The Credit CARD Act required the FTC to study the feasibility of ATM emergency systems that could help consumers alert authorities when a crime takes place at an ATM.  When I saw the requirement of the study, it caught my attention. If the report concluded that such systems would be the bee's knees, there could be a drive to upgrade ATMs throughout the country.  And that could be costly.  Well, here's the study.  The study indicates that there isn't much data on this issue.  But it concludes that such "alert systems" likely would not deter crime, the systems might increase the likelihood of injury to the consumer who used such a system, and that the implementation of such a system on ATMs would be cost-prohibitive.  Well, that's that.