2015 Spring MACCU Compliance Update
Dec 23, 2015
Agenda
• E-Sign Act (Electronic Signatures in Global & National Commerce Act)
• NCUA 2015 Supervisory Priorities (Old & New)
• NCUA Lending Program
• NCUA Small Credit Union Exam Program
E-Sign Act Background & History
The E-Sign Act was signed into law in 2000 by President Bill Clinton.
Article I, Section 10, Clause 1 of the Constitution is known as the Contract Clause.
JAMES MADISON
"[I]n the just preservation of rights and property, it is understood and declared, that no law ought ever to be made, or have force in the said territory, that shall, in any manner whatever, interfere with or affect private contracts or engagements, bona fide, and without fraud, previously formed."
Electronic Signatures In Global and National Commerce Act
Section 101(a): with respect to any transaction in or affecting interstate or foreign commerce,
(1) a signature, contract, or other record relating to such transaction may not be denied legal effect, validity, or enforceability solely because it is in electronic form; and
(2) a contract relating to such transaction may not be denied legal effect, validity, or enforceability solely because an electronic signature or electronic record was used in its formation.
Definitions can be found in Section 106 of the Act.
What is an Electronic Signature?
An electronic sound, symbol, or process attached to or logically associated with a record and executed or adopted by a person with the intent to sign the record.
Uniform Electronic Transactions Act (UETA)
At the state level:
S.C. Code §26-6-10 et seq.
http://www.scstatehouse.net/code/t26c006.doc
N.C. Gen. Stat. §66-311 et seq.
http://www.ncleg.net/EnactedLegislation/Statutes/HTML/ByArticle/Chapter_66/Article_40.html
How Can You Comply?
Credit Union Requirements
1) The member has consented to the electronic format and has not withdrawn this consent.
2) Before consenting to the format, the member is provided with a clear and conspicuous statement:
• informing the member of the right to receive the record(s) in paper form, that consent may be withdrawn, and any consequences of withdrawing consent (fees or termination of the account, for example)
• informing the member of the scope of the consent, whether it applies to a single transaction or to categories of records to be provided in an ongoing relationship
• describing the procedures the member must use to withdraw consent and to update the information needed to contact the member electronically
• informing the member of the method to request and obtain a paper copy of an electronic record after giving consent, and any associated fees
3) The member is provided with a statement of the hardware and software requirements for access to and retention of electronic records.
4) The member consents, or confirms consent, electronically in a manner that reasonably demonstrates the member can access the information in the electronic form the credit union will use.
Credit Union Requirements After Receiving Consent
5) If the hardware or software requirements for accessing or retaining electronic records change, creating a material risk that the member may not be able to access or retain subsequent electronic records, the credit union must:
• provide the member with a notice of the changes and of the right to withdraw consent, without charging a fee for the withdrawal and without imposing any condition or consequence not previously disclosed; and
• obtain the member's consent again, electronically, in a manner that reasonably demonstrates the member can access the information in the new electronic form the credit union will use (MUST GIVE CONSENT AGAIN).
E-Sign Other Topics (Section 101(c))
Prior Consent
The consumer disclosure provisions of the E-Sign Act do not apply to records provided or made available to a member who consented to electronic delivery before the effective date of the E-Sign Act (2000).
Oral Communication
A recording of an oral communication does not qualify as an electronic record for purposes of the consumer disclosure provisions of the E-Sign Act, except as provided under applicable law.
E-Sign Other Topics (Section 101(d): Record Retention)
Accuracy: the electronic record must accurately reflect the information set forth in the record to be retained.
Accessibility: the electronic record must remain accessible to all persons who are entitled to access it, for as long as legally required, in a form that is capable of being accurately reproduced for later reference.
Training Compliance Requirements
Annually ensure all departments are aware of all aspects of the E-Sign Act.
Annually update policies and procedures to reflect the provisions of the E-Sign Act.
Internal Review
At least annually, review compliance with the E-Sign Act and the conformity of the credit union's practices with its policies and procedures.
Risks & Best Practices
E-Sign Risks
1. Failure to implement necessary controls to comply
2. Allowing E-signatures for exempt items (such as POA/deeds/court documents)
3. Failure to draft an adequate policy
4. Failure to update your policy
5. Failure to train all departments
6. Failure to ensure the member has not withdrawn consent
7. Failure to retain documents in the required format
E-Signature Best Practices
www.cuinsight.com/top-5-e-signatures-security-best-practices-for-credit-iunions.html
Gather Process Evidence: digital processes should strengthen a credit union's legal and compliance position by capturing and reproducing stronger evidence than is possible with pen and paper.
Embed the Audit Trail: all electronic signatures, time stamps and audit trails should be embedded directly within the document rather than stored separately in the cloud or a proprietary database.
Do NOT Use Email to Distribute Documents Containing Private Member Information: deliver documents and disclosures through a secure HTML page that the member logs into to view. From there, PDF copies of documents can be downloaded for the member's own files.
Use Digital Signatures: both the document and the E-signatures should be protected with digital signature technology. Signing computes a cryptographic hash (a digital fingerprint) of the document and signs it with the signer's private key; the signature can later be verified against the public key to confirm the integrity of the E-record. If the document is altered after signing, the signature no longer verifies and is visibly invalidated.
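To make the "embed the audit trail" and "use digital signatures" points concrete, here is a small Go program written for this page as an added example; it is not code from the cuinsight article, from NCUA, or from any e-signature vendor. It hashes a constructed consent record with SHA-256, signs the hash together with the signer and timestamp using an Ed25519 key, stores all of that in the record itself, and then shows that altering either the document text or the timestamp after signing makes verification fail. The record layout, field names and sample document are assumptions made for the illustration; a production deployment would use a vendor's standards-based document signature format and properly managed keys rather than this ad hoc structure.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// SignedRecord is an e-record with its audit trail embedded: document bytes,
// signer, timestamp, document hash and signature are one structure that is
// stored together, not kept in a separate database. (Hypothetical layout.)
type SignedRecord struct {
	Document  []byte `json:"document"`
	Signer    string `json:"signer"`
	SignedAt  string `json:"signed_at"` // RFC 3339, UTC
	DocHash   string `json:"doc_hash"`  // hex SHA-256 of Document
	Signature []byte `json:"signature"` // Ed25519 signature over payload()
}

// payload binds hash, signer and timestamp into the bytes that get signed,
// so none of them can be changed on its own without breaking the signature.
func (r *SignedRecord) payload() []byte {
	return []byte(r.DocHash + "\n" + r.Signer + "\n" + r.SignedAt)
}

// Sign computes the document fingerprint (SHA-256), embeds the audit-trail
// fields, and signs the bound payload with the credit union's private key.
func Sign(doc []byte, signer string, at time.Time, priv ed25519.PrivateKey) *SignedRecord {
	sum := sha256.Sum256(doc)
	r := &SignedRecord{
		Document: doc,
		Signer:   signer,
		SignedAt: at.UTC().Format(time.RFC3339),
		DocHash:  hex.EncodeToString(sum[:]),
	}
	r.Signature = ed25519.Sign(priv, r.payload())
	return r
}

// Verify recomputes the fingerprint and checks the signature with a trusted
// public key. The key comes from the verifier's own trust store, never from
// the record: a record carrying its own key could be re-signed by an attacker.
func Verify(r *SignedRecord, trusted ed25519.PublicKey) error {
	if len(trusted) != ed25519.PublicKeySize {
		return errors.New("trusted public key has the wrong length")
	}
	sum := sha256.Sum256(r.Document)
	if hex.EncodeToString(sum[:]) != r.DocHash {
		return errors.New("document altered after signing: hash mismatch")
	}
	if !ed25519.Verify(trusted, r.payload(), r.Signature) {
		return errors.New("signature invalid: hash, signer, timestamp or signature altered")
	}
	return nil
}

// Demo signs a constructed consent record, then tampers with stored copies
// (document text, then timestamp) and reports which copies still verify.
func Demo() (originalOK, docTamperOK, timeTamperOK bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	// Constructed sample e-record, not a real member document.
	doc := []byte("E-SIGN consent: member 12345 agrees to electronic delivery of " +
		"periodic statements. Fee for a paper copy: $2.00")
	signedAt := time.Date(2015, 4, 15, 10, 30, 0, 0, time.UTC)
	rec := Sign(doc, "member-12345", signedAt, priv)
	originalOK = Verify(rec, pub) == nil

	// Raise the fee after signing: the recomputed hash no longer matches.
	docTampered := *rec
	docTampered.Document = bytes.Replace(doc, []byte("$2.00"), []byte("$20.00"), 1)
	docTamperOK = Verify(&docTampered, pub) == nil

	// Backdate the signing time: the hash still matches, the signature does not.
	timeTampered := *rec
	timeTampered.SignedAt = "2015-01-01T00:00:00Z"
	timeTamperOK = Verify(&timeTampered, pub) == nil
	return originalOK, docTamperOK, timeTamperOK, nil
}

func main() {
	originalOK, docTamperOK, timeTamperOK, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Println("original record verifies:   ", originalOK)   // true
	fmt.Println("document-tampered verifies: ", docTamperOK)  // false
	fmt.Println("timestamp-tampered verifies:", timeTamperOK) // false
}
```

Run it with `go run .`; the three printed lines show that only the untouched record verifies. Two design points matter for the checklist above: the signature covers the hash, signer and timestamp together, so the time stamp in the audit trail cannot be edited independently of the document, and Verify takes the public key from the caller rather than from the record, because a self-carried key is exactly what an attacker would replace after re-signing an altered document.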
E-Sign Enforcement / Liability
Penalties
1. The E-Sign Act does not specify civil liability provisions for violations.
2. Nor does it provide an exemption from penalties.
Moving Forward with Today's Agenda
NCUA
• 2015 Supervisory Priorities (Old & New)
• Lending Program
• Small Credit Union Exam Program
"Change is the law of life and those who look only to the past or present are certain to miss the future."
—John F. Kennedy
NCUA 2015 Supervisory Priorities: Top 5 Concerns
I. Cybersecurity – Focus on proactive measures CUs can take to protect their data and their members, including:
• Encrypting sensitive data
• Developing a comprehensive Information Security Policy (ISO)
• Vendor due diligence for third parties that handle CU PII data
• Monitoring cybersecurity risk exposure
• TESTING security measures (results and recovery)
** Examiners will be evaluating your capacity to notify, recover and resume operations in the event a security breach does occur.
Guidance: NCUA Rules & Regulations Part 748, Appendix B (Guidance on Response Programs for Unauthorized Access to Member Information and Member Notice)
The Biggest Cybersecurity Threats of 2015
Insider Cybersecurity Issues
1. Equipment losses: laptops, keys, etc.
2. Skimmers, key loggers, phishing emails, cell phones and other Bluetooth devices – training required
3. Employee retention issues (why are they leaving?)
4. Movement of employee accounts to another institution
5. Substance abuse and gambling issues
6. Failure to update anti-malware software regularly
Cybercrime's Easiest Prey: Small Businesses
1. Lack of an IT department
2. Lack of protected computers and updated anti-malware software
3. They offer the path of least resistance
Latest trend in this arena: the most common tactics cyber attackers use against small businesses include "ransomware" scams that lock computers and demand a ransom fee. Attackers also use malicious software designed to steal information from employees' mobile devices, and malware that uses a small business's website as bait to gain access to a larger company's database.
http://money.cnn.com/2013/04/22/smallbusiness/small-business-cybercrime/index.html
What Can the CEO/Executive Leadership Do to Mitigate Risk?
NCUA Channel on YouTube
Resources: Stay on top of current trends
1. Join a local work group
a. Columbia, SC: USPIS
b. Greensboro, NC: USPIS
2. Join national organizations such as:
a. IAFCI Carolinas (2-for-1 until the end of April; normally $100.00 a year) https://www.iafci.org
b. Training program, $85 (for 12 CPE hrs.), Durham, NC
c. Additional training offerings throughout the year
3. Review online cybersecurity resources (NCUA/FFIEC)
4. Visit the CCUL League website (FRAUD SECTION)
a. View updated fraud articles and resources
b. View real-time fraud alerts from member credit unions
5. Attend the CCUL Compliance Conference on November 17-18, 2015 in Charlotte (contact Jeanne Couchois for more information). Topics to include risk assessments, ERM, fraud, etc.
A BREACH/FRAUD OCCURRENCE WILL HAPPEN EVENTUALLY-PREPARE TODAY!
Vendor Cybersecurity Risk Management Option
Example: MasterCard & CUs
The White House also listed MasterCard's partnership with First Tech Credit Union to launch a biometrics pilot program later this year, allowing consumers to authenticate and verify transactions using unique biometrics like facial and voice recognition.
NCUA 2015 Supervisory Priorities
II. Interest Rate Risk (IRR) – No new guidance; continued compliance as in 2014
NCUA rule:
• CUs with over $50 million in assets must draft and implement a written IRR policy
• Develop a program to identify, measure, monitor and control IRR
Guidance: NCUA IRR Rules & Resources page on the NCUA website
III. NCUA Liquidity Rule, Section 741.12
• Full compliance required
• CUs with $250 million or more in assets: as of Dec 31, 2014, required to do advance planning and periodic testing to ensure contingent funding sources are available when needed
• Examiners will also be looking to evaluate THE RESULTS OF YOUR TEST
NCUA 2015 Supervisory Priorities
IV. BSA Compliance
Specific focus will be on credit union relationships with Money Service Businesses (MSBs):
• Identifying customers
• MSB registration
• Enhanced risk assessment
See the NCUA BSA page on the NCUA website for additional guidance.
V. RESPA-TILA CFPB Integrated Disclosures (August 1, 2015) *
• At this point MLOs should be working on rewriting policies and procedures to ensure compliance by August.
• Letter No. 14-CU-01
• NCUA Regulatory Alert 14-RA-01 provides additional information about the new rule and its exemptions.
NCUA 2015 Supervisory Priorities
From the Perspective of Examiners: Top 3 Concerns
NCUA 2015 Revised Focus: 3rd Region
I. IRR
• What does it mean to earnings?
• Can you get over it? (Impact analysis)
• A model that works
• Test it (back testing / independent testing)
• Do you look at your balance sheet for deposits, or do you have another source?
II. Cybersecurity
• Comprehensive plan (required)
• Policy and vendor management plan
• CEOs must address: how are you mitigating the risk?
• What did you learn? (Back brief: what would you do differently?)
• CUSO (cannot be the only way of offloading risk)
NCUA 2015 Revised Focus: 3rd Region
III. RESPA/TILA
It’s the first year so at least have the basics:
• Have a policy/plan in place
• Have new forms/ or access to new forms
• Have trained personnel & staff
• Remember when the new disclosures go into effect: August 1, 2015
• Remember other lending rules such as the Ability-to-Repay Rule (8 factors)
Lending Program Compliance
Specialized Lending Programs
Specialized lending:
• Indirect
• Third-party
• Subprime
Letter to FCUs on Appropriate Due Diligence
Guidance:
• WATCH DELINQUENCY/CHARGE-OFFS
• VENDOR DUE DILIGENCE
• RISK ASSESSMENT
*http://www.ncua.gov/Resources/Documents/05-RISK-01.pdf
*http://www.ncua.gov/Resources/Documents/LCU2004-13.pdf
Small Credit Union Exam Program
2 exam options: Defined -OR- Risk Based
Exam type determined based upon:
• CAMEL rating
• Asset class
• Complexity of products and services
Defined Scope Exam Approach:
• Internal controls
• Recordkeeping
• Lending
In 2nd qtr. 2015 examiners will use a 3-tiered approach: standard required procedures, with more in-depth analysis and testing triggered by red flags.
Additional Resources & Assistance
OSCUI – Office of Small Credit Union Initiatives
http://www.ncua.gov/Resources/OSCUI/Pages/default.aspx
FS-ISAC – FFIEC resource
Beth Hubbard [email protected] (Member Services)
(*fee as low as $250 per year for asset size under $1 billion)
FFIEC – Executive Leadership of Cybersecurity (free webinar) http://www.ffiec.gov/cybersecurity.htm
NEVER GIVE UP!
CCUL Compliance Team
QUESTIONS?
Compliance Department