Cyber Threats; SCRA; Fannie Mae Resources; Economic Update; Mortgage Servicing Transfers

Written by Steve Van Beek

Below are couple of tidbits for your Tuesday.

***

NCUA Risk Alert on Cyber Threats.  NCUA issued Risk Alert 13-Risk-01 on steps credit unions should take to protect against Distributed Denial-of-Services (DDoS) attacks.  In recent months, these attacks have ticked up at financial institutions – including credit unions.  Be sure to pass this Risk Alert along to those in charge of risk management and information technology at your credit union.    

***

CFPB “Hit or Myth” on SCRA.  The CFPB had a recent blog post on various confusing issues related to servicemember protections under SCRA.  These “Hit or Myth” questions and answers might be useful for internal SCRA training.  For more CFPB information on servicemembers, check out this page.    

*** 

Fannie Mae Loan Quality Resources. If your credit union sells loans to Fannie Mae, be sure to check out their new resources regarding Loan Quality.  The webpage includes resource guides as well as free webinars to help understand Fannie Mae’s procedures.  Be sure to pass along the resource page to others at your credit union. 

***

NCUA’s February Economic Video.  NCUA’s latest economic video is now available for viewing on YouTube.  Each month, NCUA’s Chief Economist John Worth provides an overview of the economic market and how it impacts credit unions.  These are great videos to include in strategic planning or board sessions as NCUA comes directly to you – via YouTube – each month with an economic update.  

***

CFPB Bulletin on Mortgage Servicing Transfers.  In addition to changing nearly all the mortgage servicing requirements in January, the CFPB has mortgage servicing transfers in their crosshairs.  In mid-February, the CFPB announced their intent to “closely monitor transfer activity” by mortgage servicers.  In conjunction with the announcement, the CFPB issued Bulletin 2013-1 which provides specific information regarding the CFPB’s detailed focus on mortgage servicing transfers.  

NCUA Meeting; Vendor Risk Management; Current Issues in Credit Unions

Written by Steve Van Beek

Just a couple of quick items for your Tuesday.

NCUA Cancels Board Meeting.  Last week, NCUA announced it would cancel its April Board meeting.  This is the second canceled meeting in 2012 for NCUA.  Hopefully, it means NCUA is putting extra effort and attention on reducing the regulatory burden on credit unions.  

Consumer Compliance "Outlook Live."  Yesterday we mentioned the resource Consumer Compliance Outlook from the Philadelphia Federal Reserve.  This group also provides free webinars and recently announced a May 2nd webinar on Vendor Risk Management.    

There are also archived webinars available for viewing:

• Consumer Compliance Hot Topics (December 15, 2011)
• Fair Lending Issues and Hot Topics (November 2, 2011)
• Real Estate Owned (REO) Disposition Risks and CRA Opportunities (October 4, 2011)
• Proposed Ability to Repay Standards for Mortgage Loans (May 26, 2011)
• Loan Originator Compensation (March 17, 2011)
• Risk Based Pricing Notices (February 17, 2011)
• Tips for Reporting Accurate HMDA and CRA Data  (November 17, 2010)
• Consumer Compliance “Top Ten” Lists  (May 20, 2010)
  

***

Current Issues in Credit Unions.  The latest Current Issues in Credit Unions podcast (Episode #69) is now available for download and listening.  You can find the agenda as well as past episodes here.    

Rob Rutkowski of Weltman, Weinberg & Reis does a great job with organizing and conducting these podcasts (including the live taping at our 2011 Compliance Seminar - Episode 64).

Rob will also be presenting at two upcoming NAFCU webcasts in April:

• April 11, 2012 (Tomorrow!):  Complying with Regulation B under the CFPB: Protecting Your Credit Union from Unlawful Lending
• April 25, 2012:  Managing Risks for Online Deposit Accounts (Early Bird Pricing ends April 18th)

Updated 2012 NAFCU Credit Union Compliance GPS is Now Available!

Written by Steve Van Beek

Shameless Plug Alert!

We are very pleased to announce the availability of the Updated 2012 NAFCU Credit Union Compliance GPS.  Over the course of the last year, there have been many small tweaks and changes that have made life difficult for credit unions and, specifically, compliance officers (and many others as well).  These included technical changes to regulations as well as substantive changes to regulations and regulators.  

The Updated 2012 GPS has been thoroughly updated and edited to reflect these changes and provide those researching credit union issues a useful, electronic guide. 

For example, the Updated GPS includes:

• A New Section on the Consumer Financial Protection Bureau;
• Updated Links after NCUA's Website Change;
• Updated Regulatory Citations Reflecting the CFPB's Ownership of the Consumer Regulations;
• Links to the CFPB's Version of the Electronic Code of Federal Regulations;
• An Expanded Bank Secrecy Act Section;
• A Separate Section on Vendor Management; and
• Many more additional updates and edits to ensure accuracy.   

In non-bullet format, the Updated 2012 GPS contains all new links to the updated NCUA website (including Legal Opinion Letters and Letters to Credit Unions).  The GPS also contains the new, correct citation to the CFPB's regulations (i.e., 12 C.F.R. 1026 rather than 12 C.F.R. 226 for Regulation Z) as well as links to the CFPB's regulations to help you find the most up-to-date version of the consumer regulations.       

Pricing.  The Updated 2012 GPS is $399 for NAFCU members and $499 for anyone else.  The GPS is not limited to credit unions and can be purchased by anyone interested in learning more about credit union laws and regulations. 

***

Table of Contents.  To get a feel for the Updated 2012 GPS, take a look at the following Tables of Contents which list the Sections that are included in each Chapter (plus the Appendix).

• Main Table of Content - 1-Page Snapshot of the 2012 GPS
• Chapter Specific Cover Pages - Listing of the Sections by Chapter
• Complete Table of Content - Listing the Contents of Each Section
• The Consumer Financial Protection Bureau Section Table of Contents 

***

Below are a couple of additional items about the Updated GPS.  

Electronic Manual.  The GPS is designed to be a an electronic manual as it contains numerous links to regulations and guidance documents.  Of course, you can print off your own copy of the GPS and use the hardcopy as a quick resource guide.  But, the best bang for your buck is being able to use the electronic links and be taken directly to the NCUA Legal Opinion Letter being described or NCUA's Statutory Lien regulation in 12 C.F.R. 701.39.

Available to Everyone.  The GPS is available for purchase by anyone and everyone.  We've had law firms and audit firms purchase the GPS in the past in addition to numerous credit unions.  Additionally, your credit union does not need to be a NAFCU member to purchase.  We hope the GPS serves as a valuable resource for anyone seeking to learn more about credit unions and the regulations that impact their daily operations.

One GPS Per Credit Union.  Remember - the purchase of the GPS provides access to your entire credit union or organization!  Please feel free to share the GPS with your colleagues at your credit union.  However, we put a lot of time and effort into creating and editing the GPS and we ask that you not share your GPS with other credit unions or third-parties.  

Regulatory Compliance School.  If your credit union sent someone to NAFCU's 2012 Regulatory Compliance School last week, that person should already have an electronic copy of the Updated GPS.  Be sure to track that copy down and share throughout your credit union.  No additional purchase would be required.  

This and That...

Posted by Anthony Demangone

The issues runneth over.  Here's a health dose of compliance "stuff" to get your week started.

Who is the Joker?  As Sarah pointed on our Friday, the CFPB unveiled its website and logo.  Did that logo ring a bell?   If it made you think of Batman, you weren't alone.  (The Hill.) My only question is this: if the CFPB is Batman, who is the Joker?  Or Riddler, for that matter? I hope that credit unions and community banks aren't seen as the villains.  You may want to check out its consumer complaint section.  It will route complaints about federal credit unions to NCUA's complaint page.   I bet the launch of this website will increase the number of complaints against federal credit unions.  The CFPB appears intent to get the word out.  If you listen to this narrated video, you might recognize the voice. The voice belongs to Ron Howard. 

Oh, and they even have a blog.

Troubled debt restructuring.  An archived version of NCUA's recent webcast on this topic is now available. 

Fed services. Speaking of webcasts, NAFCU is offering a free webcast (for both NAFCU members and nonmembers) that details the Federal Reserve's services that are available to credit unions. I know a lot of credit unions are rethinking who they do business with in the wake of the corporate credit union crisis.  This webcast should provide useful information for anyone considering the use of the Fed.

TILA and RESPA.  Elizabeth Warren has indicated that the CFPB is already working on a combined mortgage disclosure.   When it comes to this issue, Godspeed, CFPB.  Godspeed. 

Reader Tip on Core Processors; Seminar Snapshot

Posted by Anthony Demangone

A blog reader sent in this great tip regarding core processors.  The following is what he sent me, verbatim.

***

I recently had a conversation with the CEO of another Federal Credit Union. This CEO was frustrated that the credit union's core processor would not supply a list of its credit union customers in the area (let alone a complete list). Perhaps there are other credit unions in a similar situation.

For many credit unions, the core data processor may be the most significant credit union vendor, both in terms of expenses and risk to the credit union. The NCUA 5300 data, collected every quarter, lists the core processing vendor for each credit union, as reported by the credit union. Some core processors readily supply a complete list of credit union customers, while others may refuse to do so. Getting referral information from both current and former customers is a commonly recommended step in vendor due diligence and third party relationships. How can this be done properly without a full customer list, not just a few cherry-picked customers?

 

The core processor information for every credit union is available at the NCUA web site, under FOIA (Freedom of Information Act) data http://www.ncua.gov/DataServices/FOIA/foia.aspx#top

 

Download and unzip the most recent file. The text files within the ZIP file contain the 5300 data. Contact information for credit unions is located in file FOICU.TXT and the vendor information is in FS220D.TXT. It is not difficult to load this information into a spreadsheet and sort by vendor, by state, by zip code, etc. You then have a complete credit union customer list (as reported by credit unions) for each core processing vendor.

 

If you want to find former customers of that vendor (who have left in the last several years), older versions of this data are available as well.

***

During this year's NAFCU Compliance Seminar in Dallas, NAFCU staff will deliver two "shotgun" style sessions. When you put together a compliance conference, it is nearly impossible to devote a compliance session to every important topic.  Some things fall through the cracks.  Well, we decided last year to create special sessions where we could deliver any important information that was not covered in a formal session.  NCUA legal opinion letters, Letters to Credit Unions, Risk Alerts, Material Loss Reviews, and other hot topics will be covered.  We'll deliver 2 of these sessions with this goal: you won't leave the conference without have been exposed to nearly all the major compliance changes from the previous year.

***

Have a great weekend, everyone!

Fraud Issue; Texting and Third Parties

News reports are circulating today regarding law enforcement efforts in arresting and prosecuting criminals involved with an international identity theft ring that targeted credit unions.  Read the news story here. 

The members of both rings searched publicly available records or used fee-based Web databases to search for potential victims with large home equity lines of credit. Once they located potential victims, they used sophisticated social engineering techniques to get information from bank tellers and to get them to transfer money out of victims' accounts.

NCUA issued a fraud alert earlier this year to warn of this threat.  Access the fraud alert here

Here's how I'd handle this.  First, read the story.  If the threat seems possible for your shop, I'd then read the NCUA fraud alert.  It is yet another example of how compliance and security lines can blur.

***

 I get text messages all the time from unknown third parties.  I find it annoying, as I pay per text.  But those texts may annoy me, but they can land a business in hot water.  Just ask Timberland, who was hit with a $7 million dollar fine after companies it hired to do a texting campaign violated the Telephone Consumer Protection Act.  If you want to read a good post on what happened, go here.

If your credit union uses text messages, or works with outside parties to do so, give it a read.  But it is also something you may want to share with your marketing team.  Working with third parties on promotional campaigns can be a great way to get the message out.  But only if the third parties comply with consumer protection laws.

Frequently Asked Questions; delicious

Anthony has mentioned the value of Frequently-Asked-Questions documents in past blog postings here and here.  These documents can help compliance officers weave through convoluted regulations and find answers to common issues.  Here are a few that I've found useful in the past: 

Bank Secrecy Act

Anti-Money Laundering Compliance FAQs

FinCEN Answers to FAQs on BSA

FAQs on Final CIP Rule - February 2004

FAQs on Final CIP Rule - May 2005

FAQs Relating to BSA and Hurricane Katrina

OFAC

OFAC Q&As Prepared by Treasury

Privacy

FAQs on the Privacy Regulation

Share Insurance

FAQs from NCUA's October 7, 2008 Webinar on Share Insurance Changes

NCUA's FAQs on NCUSIF and Share Insurance

HMDA

FAQs on Regulation C (HMDA Reporting)

RESPA

FAQs on RESPA for Industry

Appraisals

FAQs on Appraisal Regulation and Interagency Statement*

*Note:  The Agencies recently announced a proposal to replace this interagency statement.

Third Party Due Diligence

FAQs from NCUA's January 29, 2008 Webinar on Third-Party Relationships

Flood Insurance

2008 Proposal on Interagency Q&As on Flood Insurance (would replace 1997 Q&As)

1997 Interagency Q&As on Flood Insurance

Servicemembers Civil Relief Act (SCRA)

HUD's Q&As for Lenders Regarding SCRA

Judge's Guide to SCRA - including Q&As

Health Savings Accounts

Q&As on Health Savings Accounts - IRS Notice 2004-50

Q&As on Health Savings Accounts - IRS Notice 2008-59

Check 21 Act

Consumers FAQs on Check 21

FAQs for Financial Institutions on Check 21

Check 21 FAQs on Financial Institutions Requirements - from ABA

Accounting for Loan and Lease Losses (ALLL)

Questions and Answers on Accounting for Loan and Lease Losses

Online Banking

FFIEC Guidance on Authentication in an Internet Banking Environment

Savings Bonds

FAQs on Savings Bonds

***

You never know when these FAQ's will come in handy.  That is why I have mine bookmarked on my delicious page.

If you are wondering what delicious is, take a look at the user guide and slides I prepared for a talk on Organizing the Compliance Information Flow at NAFCU's 2008 Regulatory Seminar.

If you know of other valuable FAQ documents, please let us know by adding a comment to this post. 

Mortgage Brokers and Correspondents

NCUA recently released NCUA Letter to Credit Union 08-CU-19 to make credit unions aware of risk management issues surrounding mortgage brokers and mortgage correspondents.  You can access the guidance here.  This guidance not only builds on NCUA's recent guidance on third party relationships; it puts it in action. 

As you may recall, last year NCUA issued a major piece of guidance in the form of a letter to credit union regarding the management of third party relationships.  (Letter to Credit Unions 07-CU-13) 

The mortgage broker and mortgage correspondent guidance literally walks you through the third party relationship guidance in relation to mortgage brokers and correspondents.  It is a must read for credit unions that use mortgage brokers and correspondents, but it also serves as an example of how to apply the third party relationship guidance to a given relationship.

And it is the latest example of how important risk management is becoming in the day-to-day affairs of federal credit unions.

Share Insurance Resources

Last week, NCUA issued Letter to Credit Unions 08-CU-18 on share insurance.  The letter highlights the importance of educating members on share insurance coverage and includes links to NCUA's resources.

Additionally, the letter announced NCUA would be hosting a webinar on share insurance this fall.  Keep an eye out for this webinar as NCUA's webinars have been valuable resources in the past (See the Frequently Asked Questions that were published after Board Member Hyland's presentation on Key Examination Issues for 2008).

Free Tip:  If you view the Frequently Asked Questions linked above you will hopefully do one of three things: 

1. Save the PDF to your computer;
2. Bookmark the webpage; OR
3. Return to NAFCU's blog to find the link to this ever elusive document....

***

On July 25, NAFCU produced a free webcast on Share Insurance.  The webcast is archived on NAFCU's website and can be viewed by both NAFCU-members and non-NAFCU members.  Also, The unanswered questions from the webcast have been answered and are also available (15 pages worth of Q&As). 

To view the free archived webcast and other NAFCU share insurance resources, click here (you will need to call NAFCU's Member Service Center to receive a username and password.)

All NAFCU webcasts are archived and available online for 6 months after the live viewing.  Even if you missed the live viewing, you can purchase access to the archived webcasts.  Recently posted, is the archived feed of the NAFCU's webcast on Vender Due Diligence and Third Party Outsourcing with David Reed, the CU Doctor.

Due Diligence and Wachovia

The OCC recently hammered Wachovia for its lack of oversight regarding certain relationships with payment processors.  Hammered to the tune of $140 million or more.  Here's some information from the OCC:

In reaching the settlement, which culminates an 18-month investigation, the OCC concluded that the bank engaged in unsafe or unsound practices during the course of its relationships with the payment processors and telemarketers, and unfair practices within the meaning of the Federal Trade Commission Act. The OCC believes that thousands of consumers, many of whom were elderly, were harmed in connection with the payment processors’ and telemarketers’ activities at the bank, and that the bank profited from these activities in the form of fees collected from and balances maintained at the bank by the payment processors and telemarketers. Under the agreement, the bank will forfeit an amount equal to the fees it earned and donate the funds, plus an additional $5 million, to consumer education programs directed at the elderly.

The practices cited by the OCC in the settlement involved the use of remotely created checks, or RCCs, by telemarketers and payment processors that maintained account relationships with the bank. An RCC is a check that is not created by the accountholder and does not bear the accountholder’s signature. Instead, the signature block of the check includes text such as “authorized by your depositor, no signature required.”

The telemarketers obtained bank account information over the phone by offering consumers a range of questionable products and services such as grant writing kits, identity theft certificates, medical discount plans and vouchers for discount travel and groceries. With the account information obtained during the call, the telemarketer or payment processor would create an RCC and deposit the instrument into an account at Wachovia, causing funds to be withdrawn from consumers’ accounts...

In addition to the monetary components of the settlement, Wachovia is required to develop new policies and procedures with respect to RCCs, payment processors for telemarketers and telemarketers. These policies are to include requirements for enhanced due diligence and underwriting on these higher risk customers, regular monitoring of return rates, better coordination of risk management efforts, and targeted consumer protection policies.

Here's a link to the OCC press release, which has links to the settlement agreement.  This news item caught my attention for a number of reasons.

• While this affects Wachovia and comes from the OCC, it might be seen by consumer groups more broadly.  In essence, a financial institution is being forced to make consumers whole who were harmed by entities that were associated with the financial institution.
• Does this decision increase due diligence requirements for all institutions?
• How many credit unions have business accounts for payment processors?  And if they do, will NCUA use the Wachovia situation as an excuse to poke around these accounts?

It is a fairly complicated set of facts that led to the settlement agreement.  I urge you to read it in its entirety.