Category: Operations

Operations

Here is a Notice for your HMDA Notice

This Spring has been busy with plenty of travels to credit unions and I can say things will only continue to get busier with Summer right around the corner. During these visits to credit unions I have been looking at branch signs and notices that are required to be posted. One of the notices that I have seen missing at branch offices recently is the HMDA Lobby Notice.

If your credit union is required to comply with HMDA, per Regulation C, you must post a general notice about the availability of your HMDA data in the lobby of your “home office and each branch office located in a Metropolitan Statistical Area (MSA).” Upon request, a credit union must promptly provide the location of the office where the statement is available for inspection and copying, or it may include the location on the notice. 

 Regulation C provides the following suggested, but not required, language:

 Home Mortgage Disclosure Act Notice

 The HMDA data about our residential mortgage lending are available for review. The data show geographic distribution of loans and applications; ethnicity, race, sex, and income of applicants and borrowers; and information about loan approvals and denials. Inquire at this office regarding the locations where HMDA data may be inspected.

 As a tip for some final Spring cleaning, please take the time to check that you have a HMDA Notice posted in the lobby of your main office and of each branch office located in an MSA.

Operations

Policies, policies and more policies

“Policies” seems to be the buzz word around our compliance team this week. It seems we are taking cues from the examiners, although our policy stuff should be helpful to you! This week we released another round of PolicyAid updates as well as a free white paper about policies. 

Industry Issues, Operations

Are your Interest Rate Risk Policies up to Par?

There has been a lot of talk lately about the new Interest Rate Risk rules issued by the NCUA. The most asked question is, “Do I need a separate Interest Rate Risk Policy?” Before we answer that, let’s discuss the rule.

Industry Issues, Operations

Derivatives to Offset Interest Rate Risk – Comment Call

Congratulations and welcome to those of you who made it past the title and continued reading despite the word ‘derivatives!’ As you likely know, the NCUA has issued an advance notice of proposed rulemaking (ANPR) regarding how federal credit union participation in derivatives transactions should be handled. Comments to the NCUA are due on April 3, 2012 and should be submitted to CUNA on or before March 16, 2012. I’m certainly not trying to sell anyone on derivatives, but you should at least analyze your interest rate risk, assess whether hedging may even be considered in the future, and if so, review the ANPR and see how it would apply to your credit union.

 

Operations

Reg E and What You Need

As you may be aware by now, the Consumer Financial Protection Bureau (CFPB) has amended Regulation E with respect to remittance transfers. No big deal, right? Well, in the words of Lee Corso, “Not so fast my friend…” You may be surprised to learn that the change does impact credit unions.

Depending on how many international wire transfers or ACH transactions your credit union performs each year, you may be subject to the rule. If you are, you will also be subject to the new error resolution procedures.

Industry Issues, Operations

Does the new remittance rule apply to my CU?

When the new final remittance rule was released by the CFPB, many of you probably assumed it didn’t apply to your credit union because you don’t do traditional remittance transfers. Well, if you do international wire transfers or international ACH transactions, it may apply to you.

Deposit Accounts, Industry Issues, Operations

Internet Banking Risk Assessments

Guest Blog by Tony Schwarz, Director of Risk Management, Affiliates Management Company

Is your credit union fully compliant with the new FFIEC authentication guidance?  Your internet banking provider likely has a variety of security controls you can choose from to help protect your members’ accounts and transactions.  However, another aspect of compliance is the NCUA exam.  You will want to make sure you have an executed awareness program for your members and that you have performed a risk assessment based on the FFIEC guidance.  After completing your risk assessment your credit union should be clear on what additional changes you may need to make internally with your credit union procedures, and which security/authentication options to implement with your internet banking site.  The risk assessment will help you find the balance between too much security and not enough.

Building a risk assessment can be done in several ways. You may have incorporated the FFIEC analysis into your annual enterprise risk assessment process. Or maybe you’ve built a new document using a framework like the NIST 800-30 from the National Institute of Standards and Technology for IT risk assessments. If you are a smaller credit union or you just haven’t had the time to do it, you may need to outsource the risk assessment. Hopefully you’ve not ignored it, because you will find that the examiners are certainly looking for it. Working through the process can help protect your members and also help highlight other changes that may be necessary in your internet banking security.

In collaboration with PolicyWorks, I recently worked with a credit union that needed their internet banking risk assessment completed.  Our completed document included a variety of recommendations that helped the credit union finalize decisions and move towards a more secure internet banking site for their members.  Although our process may be more detailed, at a very high level your own risk assessment process may look something like this:

  • Select the risk assessment framework you will use (like NIST 800-30 found at http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf) and study the structure.
  • Gather the input information such as credit union policies, internet banking vendor documentation/options, decisions the credit union has made, documentation on processes performed by the credit union related to internet banking, specific information about which transactions (ACH, wires, bill pay) can be performed on the internet banking site, and what personally identifiable information is available on the site or on linked sites like bill pay.
  • Document the threats, vulnerabilities, risks (that are present due to those threats and vulnerabilities), the controls that are in place (like out-of-band authentication), the residual risk, and what recommendations exist for control improvements to address the residual risk.

In summary, credit unions should be ready to provide their internet banking risk assessment to NCUA as they will likely ask for it in your 2012 exam.

Industry Issues, Operations