If perusing the Federal Register is not part of your daily grind (or your idea of fun) then you may have missed the CFPB’s Semiannual Regulatory Agenda and Fiscal Year 2011 Regulatory Plan published in the Register on February 13th.
/ READ MORE
As you may be aware of by now, the Consumer Financial Protection Bureau (CFPB) has amended Regulation E with respect to remittance transfers. No big deal right? Well in the words of Lee Corso, “Not so fast my friend…” You may be surprised to learn that the change does impact credit unions.
Depending on how many international wire transfers or ACH transactions your credit union performs each year, you may be subject to the rule. If you are, you will also be subject to the new error resolution procedures.
/ READ MORE
We are excited to introduce our readers to a new contributor to the Works blog–Jeff Andersen. Jeff recently joined the PolicyWorks team as Regulatory Counsel.
/ READ MORE
With new regulations coming from federal agencies on almost a daily basis it is easy to forget that broad reviews of all existing regulations are conducted regularly. The NCUA recently posted a list of regulations that it plans to review in 2012. The NCUA reviews all of its existing regulations every three years. This year it has identified one-third of the regulations for review and we are starting at the beginning. NCUA Rules and Regulations 700 through 710 are up for review and public comment.
/ READ MORE
When the new final remittance rule was released by the CFPB, many of you probably assumed it didn’t apply to your credit union because you don’t do traditional remittance transfers. Well, if you do international wire transfers or international ACH transactions, it may apply to you.
/ READ MORE
If you are like me you have a significant number of favorites set up in your web browser to assist you with your ongoing compliance responsibilities. Take for instance Regulation Z (Truth in Lending). I have Title 12 Chapter II Part 226 from the electronic Code of Federal Regulations bookmarked (no, unfortunately I don’t have it memorized).
/ READ MORE
Guest Blog by Tony Schwarz, Director of Risk Management, Affiliates Management Company
Is your credit union fully compliant with the new FFIEC authentication guidance? Your internet banking provider likely has a variety of security controls you can choose from to help protect your members’ accounts and transactions. However, another aspect of compliance is the NCUA exam. You will want to make sure you have an executed awareness program for your members and that you have performed a risk assessment based on the FFIEC guidance. After completing your risk assessment your credit union should be clear on what additional changes you may need to make internally with your credit union procedures, and which security/authentication options to implement with your internet banking site. The risk assessment will help you find the balance between too much security and not enough.
Building a risk assessment can be done in several ways. You may have incorporated the FFIEC analysis into your annual enterprise risk assessment process. Or maybe you’ve built a new document using a framework like the NIST 800-30 from the National Institute of Standards and Technology for IT risk assessments. If you are a smaller credit union or you just haven’t had the time to do it, you may need to outsource the risk assessment. Hopefully you’ve not ignored it because you will find that the examiners are certainly looking for it. The value of working through the process can help protect your members and also help highlight other changes that may be necessary in your internet banking security.
In collaboration with PolicyWorks, I recently worked with a credit union that needed their internet banking risk assessment completed. Our completed document included a variety of recommendations that helped the credit union finalize decisions and move towards a more secure internet banking site for their members. Although our process may be more detailed, at a very high level your own risk assessment process may look something like this:
- Select the risk assessment framework you will use (like NIST 800-30 found at http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf) and study the structure.
- Gather the input information such as credit union policies, internet banking vendor documentation/options, decisions the credit union has made, documentation on processes performed by the credit union related to internet banking, specific information about which transactions (ACH, wires, bill pay) can be performed on the internet banking site, and what personally identifiable information is available on the site or on linked sites like bill pay.
- Document the threats, vulnerabilities, risks (that are present due to those threats and vulnerabilities), the controls that are in place (like out-of-band-authentication), the residual risk, and what recommendations exist for control improvements to address the residual risk.
In summary, credit unions should be ready to provide their internet banking risk assessment to NCUA as they will likely ask for it in your 2012 exam.
/ READ MORE
