2015 Spring MACCU Compliance Update. Today’s Agenda E-Sign Act Electronic Signatures in Global & National Commerce Act Signed Into Law -In the year.

2015 Spring MACCU

Compliance Update

Today’s AgendaE-Sign Act

Electronic Signatures in Global & National Commerce Act Signed Into Law -In the year 2000

NCUA 2015 Supervisory Priorities (Old & New) Lending Program Small Credit Union Exam Program

President Bill Clinton

“”

Article 1 Section 10 clause 1 of the Constitution shall forever be known as the Contract Clause

JAMES MADISON

[I]n the just preservation of rights and property, it is understood and declared, that no law ought ever to be made, or have force in the said territory, that shall, in any manner whatever, interfere with or affect private contracts or engagements, bona fide, and without fraud, previously formed.

Electronic Signatures in Global and National Commerce Act

(1)a signature, contract, or other record relating to such transaction may not be denied legal effect, validity, or enforceability solely because it is in electronic form; and

(2)a contract relating to such transaction may not be denied legal effect, validity, or enforceability solely because an electronic signature or electronic record was used in its formation.

*******Definitions can be found in Section 106 of ACT

Uniform Electronic Transactions ActUETA

Uniform Electronic Transactions Act-UETA

At the state level:

S.C. Code §26-6-10 et seq.

http://www.scstatehouse.net/code/t26c006.doc)

N.C. Gen. Stat. §66-311 et seq.

http://www.ncleg.net/EnactedLegislation/Statutes/HTML/ByArticle/Chapter_66/Article_40.html

What is an Electronic Signature?

An electronic sound, symbol, or processattached to or logically associated with arecord and executed or adopted by a person with the intent to sign the record.

Credit Union Operational Requirements

1) The member has consented to the electronic format and has not withdrawn this consent.

2) The member is provided, before consenting to the format, with a clear and conspicuous Statement:• informing the member that he/she has the right to receive the record(s)in

paper form. Also, that they may withdraw their consent and any consequences of withdrawing the consent (fees or termination of account, for example)

• informing the member of the scope of the consent, whether it is for a single transaction, or categories of records to be provided in an ongoing relationship

Credit Union Requirements Cont.

• describing the procedures the member must use to withdraw consent, and to update information needed to contact the member electronically

• informing the member of the method to request and obtain a paper copy of an electronic record after giving consent and any associated fees.

3) The member is provided with a statement of hardware and software requirements for access to and retention of electronic records.

4) Member consents, or confirms his/her consent electronically in a manner demonstrating the member can access the information in the electronic form the credit union will use.

Credit Union Requirements after receiving consent

5) If the hardware and software requirements for accessing or retaining electronic records change, creating a material risk that the member may not be able to access or retain subsequent electronic records, the credit union must…

• provides the member with a notice of the changes, and the right to withdraw the consent without charging a fee for the withdrawal, and without imposing any condition or consequence not previously disclosed.

• consents, or confirms his/her consent electronically in a manner demonstrating the member can access the information in the electronic form the credit union will use. (MUST GIVE CONSENT AGAIN)

E-Sign Other Topics (Section 101(c)

Prior Consent

Consumer disclosures of the E-Sign Act does not apply to any records that are provided or made available to a member who has consented prior to the effective date of the E-Sign Act. (2000)

Oral Communication

A recording of an oral

communication shall not qualify as an electronic record for purposes of the consumer disclosures of the E-Sign Act except as provided under applicable law.

E-Sign Other Topics (Section 101(d)

AccuracyAccurately reflect the

information set forth in the record to be retained.

AccessibilityRemain accessible to all

persons who are entitled to access it, for as long as legally required, in a form that is capable of being accurately reproduced for later reference.

Credit Union Training Requirements

Annually ensure

all departments are aware of all aspects of the E-sign Act.

Annually update policies and procedures to reflect the provisions of E-Sign Act.

Credit Union Internal Review

At least annually assess compliance with the E-sign Act.

Conformity of the credit union’s practices with its policies and procedures.

E-Sign Associated Risks

1. Failure to implement necessary controls to comply

2. Allowing E-signatures for exempt items (such as deeds/court documents)

3. Failure to draft an adequate policy

4. Failure to update your policy

5. Failure to train all departments

6. Failure to ensure member has not withdrawn their consent

7. Failure to retain documents/FORMAT

Do NOT use Email to Distribute Documents Containing Private Member Information- Deliver documents and disclosures through a secure html page (one that the member logs into to view). From there, PDF copies of documents can be downloaded for their own files.

Gather Process Evidence- Digital processes should aim to strengthen a credit union’s legal and compliance position by capturing and reproducing stronger evidence than is possible with pen and paper.

Embed the Audit Trail- All electronic signatures, time stamping and audit trails should be embedded directly within the document rather than stored separately in the cloud or a proprietary database.

Use Digital Signatures -Both the document and the E-signatures should be protected using digital signature technology. The digital signature creates a digital fingerprint of the document (called a hash) that can later be used to verify the integrity of the E-record. If the document is tampered with the E-signature will be visibly invalidated.

E-Signature Best Practices

www.cuinsight.com/top-5-e-signatures-security-best-practices-for-credit-iunions.html

E-Sign Enforcement /Liability

Penalties

1. E-Sign Act does not specify civil liability provisions for violations

2. Nor does it provide an exemption from penalties

Moving Forward with Today’s Agenda

NCUA 2015 Supervisory Priorities (Old & New)Lending ProgramSmall Credit Union Exam Program

"Change is the law of life and those who look only to the past or

present are certain to miss the future."

—John F. Kennedy

NCUA 2015 Supervisory Priorities I. Cybersecurity – Focus on proactive measures CU can take to protect their data and their members including:

• Encrypting sensitive data

• Developing a comprehensive Information Security Policy (ISO)

• Vendor Due Diligence (3rd parties) that handle CU PII data

• Monitoring cybersecurity risk exposure

• TESTING security measures (Results & Rebounding)

** Examiners will be evaluating your capacity to notify, recover and resume operations in the event of a security breach does occur.

Appendix B NCUA Rules & Regulations Part 748 -Guidance

The biggest cybersecurity threats of 2015

Insider Cybersecurity Issues

1. Equipment Losses : Laptop & ATM machines

2. Missing Keys

3. Employee Retention Issues (why are they leaving)

4. Moving of employee accounts to another institution

5. Substance Abuse & Gambling Issues

What Can the CEO/Executive Leadership do?

NCUA Channel On YouTube

The White House also listed MasterCard’s partnership with First Tech Credit Union to launch a biometrics pilot program later this year, allowing consumers to authenticate and verify

transactions using unique biometrics like facial and voice recognition.

NCUA 2015 Supervisory Priorities

II. Interest Rate Risk (IRR) – No new guidance- continued compliance with 2014

NCUA Rule:

• CU over 50 million to draft & implement a written IRR policy

• Develop a program to identify, measure, monitor and control IRR

NCUA IRR Rules & Resources page on NCUA website –Guidance

III. NCUA Liquidity Rule Section 741.12

• Full Compliance

• $250 million or more Dec 31, 2014 requirement to advance planning & Periodic testing to ensure contingent funding sources are available when needed.

• Examiners will also be looking to evaluate THE RESULTS OF YOUR TEST.

NCUA 2015 Supervisory Priorities

IV. BSA Compliance

Specific focus will be on Credit Union relationships with Money Service Businesses(MSB)

• Identifying customers

• MSB registration

• Enhanced Risk Assessment

NCUA BSA page on website for additional guidance

V. TILA-RESPA CFPB Integrated Disclosures (August 1, 2015) *

At this point MLO’s should be working on rewriting policy & procedures to ensure compliance by August.

NCUA 2015 Revised Focus: 3rd RegionI. IRR

• What does it mean to earnings• Can you get over it (Impact Analysis) • Model that works• Test It (Back testing)/ Independent Testing• Do you look at your balance sheets for deposits or do you have another source

II. Cybersecurity• Comprehensive Plan (Required)• Policy & Vendor Mgt.• CEO must address how you are trying to stay ahead (How are you mitigating

risk)• What did you learn? (Back Brief- What would you do differently)• CUSO (can not be the only way of putting off risk)

NCUA 2015 Revised Focus: 3rd Region

III. RESPA/TILA

It’s the first year so at least have the basics:• Have a policy/plan in place

• Have new forms/ or access to new forms

• Have trained personnel & staff

Specialized Lending Programs

Specialized Lending Programs

Specialized Lending:• Indirect, • Third-party &• Sub prime

*Guidance August 2010

Letter to FCU on Appropriate Due Diligence

Small Credit Union Exam Program

2 Exam Options Defined & Risk Based •Determined based upon:•Camel Rating•Asset Class•Complexity of Product & Services

Small Credit Union EXAM Type FCU Camel Rating & Asset Size

Small Credit Union Exam Program

Defined Scope Exam Approach:• Internal controls• Recordkeeping • LendingIn 2nd qtr. 2015 they will use a 3 tiered approach

Standard required procedures, more in depth analysis and testing triggered by red flags

Additional Resources & Assistance

OSCUI-Office of Small Credit Union Initiatives

http://www.ncua.gov/Resources/OSCUI/Pages/default.aspx

FS-ISAC –FFEIC Resource

Beth Hubbard [email protected] (Member Services)

(*fee as low as $250 per year for assets size under 1 billion)

FFEIC- Executive Leadership of Cybersecurity (Free Webinar) http://www.ffiec.gov/cybersecurity.htm

NEVER GIVE UP!

Compliance Department

[email protected]