Compliance Team Update
Written by Carrie Hunt, SVP of Government Affairs and General Counsel
Today marks JiJi Bahhur’s last day at NAFCU. She is moving on from the NAFCU family to return to work directly for a credit union. I have known JiJi for over three and a half years and have admired her hard work and appreciated her counsel. JiJi has done a great job for NAFCU members, and everyone here wishes her the best! But JiJi leaves NAFCU in good hands, as Brandy Bruyere, NAFCU’s Senior Regulatory Compliance Counsel, will take over as NAFCU’s Director of Regulatory Compliance on Monday. Many of you know Brandy, and for those of you who don’t, I urge you to reach out and send her a note.
NAFCU has a great team and there is nothing we enjoy more than serving our members.
***
NCUA Issues Letter to CEOs on Encrypting Data Provided to Examiners
Written by Brandy Bruyere, Senior Regulatory Compliance Counsel
On August 21, 2015, NCUA’s Office of Examination and Insurance sent a letter to CEOs of federally-insured credit unions regarding new requirements under which NCUA examiners may only accept sensitive data electronically if it is properly encrypted. A link to the letter can be found here. This letter implements one recommendation made in the report by NCUA’s Office of the Inspector General, which audited NCUA’s controls to protect credit union information during exams after agency examiners misplaced an unencrypted flash drive containing sensitive credit union member information in October 2014.
The letter clarifies that “sensitive data” is defined as “(1) any information which by itself, or in combination with other information, could be used to cause harm to a credit union, credit union member, or any other party external to NCUA, and (2) any information concerning a person or their account which is not public information, including any non-public personally identifiable information.” NCUA examiners may only accept sensitive data electronically using one of two forms.
First, the “preferred method” is for data files “to be provided on removable media (thumb drives, external hard drives, etc.) or transmitted through a secure electronic transmission.” This information can be provided using either the credit union’s own hardware or, if permitted under the credit union’s internal policies and procedures, hardware provided by NCUA. The minimum encryption requirements are as follows:
- “128-bit AES encryption
- Strong password (a minimum of eight characters; mixture of upper- and lower-case, numbers, and special characters; not easily guessable, etc.)
- Password must be provided separately from the device or transmission”
The second option is by a controlled in-person transfer using removable media that does not include encryption. However, “NCUA examiners may then only accept such data electronically if a credit union representative in person provides the data file(s) to the examiner and remains physically present while the examiner transfers the data to NCUA’s encrypted equipment.” In order to perform the transfer, the credit union’s representative must:
- "Take receipt of the removable media from the examiner immediately after the data transfer is complete, and
- Sign the Chain of Custody document to acknowledge receipt of the removable media."
Credit unions will want to review the letter in full to be clear on the requirements for providing sensitive data to NCUA examiners electronically and to review sample documents such as the Chain of Custody Tracking Form. This letter implements one of the seven recommendations made in the NCUA OIG report, so this is probably not the last we will hear from the agency in this area.
Congrats to both JiJi and Brandy!
As Anthony passed the baton to me and I passed it to JiJi - it is now being passed on to Brandy!
I echo Carrie's comments, JiJi has been a great asset to NAFCU members and was an absolute to work with!
Posted by: Steve Van Beek | August 28, 2015 at 08:56 AM
Thank you, Steve! And thank you to all of the readers for following me - and the growth of my children - over the last several years. I have truly enjoyed having this opportunity to assist you and your credit unions with compliance issues over the last nearly 4 years! This has been an amazing experience!
Posted by: JiJi Bahhur | August 28, 2015 at 09:01 AM
JiJi - BEST of luck! You will be missed! Will we see you at NAFCU's Regulatory Conference each year? It would be great if you could continue, in some capacity, to offer your insights and interpretations. Thank you for all you have done for us while at NAFCU! Take Care!
Posted by: DJ | August 28, 2015 at 09:37 AM
Thank you, DJ! I don't think it'll be the last you'll see of me!
Posted by: JiJi Bahhur | August 28, 2015 at 09:53 AM