Policy Management the Easy Way And It's Free
By: David Frankil, NJCUL President/CEO

It probably doesn’t rank high on anyone’s top 10 list of favorite activities, but writing, updating, and tracking all of the policies required by NCUA is important, not to mention a topic frequently cited by examiners.

One of the most-used free benefits of NJCUL membership is a subscription to CUPolicyPro, which provides access to over 230 credit union-specific model policies—plus a full online system to make managing them a snap.

We wanted to make sure that all of our members were making maximum use of this great resource, so Nicola has scheduled two free webinars this month:

Our speaker is an expert in the field – Mary Ann Koelzer, from CU Solutions Group, the organization that runs CUPolicyPro and a Business Partner of ours. Mary Ann has been a frequent presenter on compliance topics to credit unions, and has worked with several hundred credit unions of all sizes across the country.

Click on the links above to register – look forward to seeing you on the webinars!

Compliance & Regulatory
NJCUL Encourages CUs to Get Cybersecurity Ready!
By: Nicola Foggie, NJCUL Vice President, Compliance and Regulatory Affairs

Is your credit union cybersecurity ready? In May of last year, the National Credit Union Administration (NCUA) communicated to credit unions in the wake of the “WannaCry” global ransomware attack, reminding them to verify they had effective controls in place to prevent similar cyberattacks.

The WannaCry attack hit more than 300,000 victims in 150 countries, including the U.S., disrupting critical infrastructure, businesses, financial institutions, and healthcare markets. Then, on September 7 of last year, the public found out about the Equifax data breach. In the wake of the breach, credit unions, like other businesses, found themselves scrambling to notify their members and checking to see what, if any, impact the breach, and their direct or indirect partnerships with Equifax, would have on the security of their members’ private data.

Here we are in 2018. In response to the critical impact of information technology and information security breaches (also known as cyberbreaches, cyberattacks, cyberhacks), NCUA has developed and will begin using its new Automated Cybersecurity Examination Tool (ACET) this year. The ACET provides NCUA with a “repeatable, measurable and transparent process for assessing the level of cyber preparedness across federally insured institutions,” according to the agency in its Letter to federally insured credit unions 17-CU-09, Supervisory Priorities for 2018. NCUA also said, “The ACET incorporates appropriate standards and practices established for financial institutions. It also aligns with the Cybersecurity Assessment Tool developed by the FFIEC for voluntary use by banks and credit unions. Therefore, we encourage credit unions to continue to self-assess their cybersecurity and risk management practices using the Cybersecurity Assessment Tool if they do not have an alternative method of assessment.”

NCUA will begin using the ACET in examinations of larger credit unions with more than $1 billion in assets to create a baseline for the cybersecurity maturity level of the largest and most complex institutions. The agency will continue to test and refine the ACET through 2018 to ensure it scales effectively for smaller, less complex institutions.

The Financial Services Information Sharing and Analysis Center (FS-ISAC), along with CUNA, will host a webinar with NCUA examiners to explain the new Automated Cybersecurity Examination Tool (ACET). The free webinar is scheduled for April 5, from 3 to 5 p.m. (ET).

Resources: 

To schedule a Cybersecurity Assessment Review on your credit union, contact Nicola Foggie at nfoggie@njcul.org.

Click here for more information about additional audits the League provides.

Click here for Free CU cybersecurity webinars from FS-ISAC

Compliance & Regulatory
Phase 3 of Same Day ACH is Right Around the Corner
By: Nicola Foggie, NJCUL Vice President, Compliance and Regulatory Affairs

The National Automated Clearing House Association (NACHA) is gearing up for the March 16, 2018 effective date for Phase 3 of Same Day ACH: Moving Payments Faster, and so should credit unions. That’s just the beginning. New capabilities of Same Day ACH become effective over three phases to allow financial institutions and businesses to acclimate to a faster processing environment, as well as to ease the implementation effort. Beginning March 16, 2018, Receiving Depository Financial Institutions (RDFIs) will be mandated to make funds available from same day ACH credits (such as payroll Direct Deposits) to their depositors by 5:00 PM at the RDFI’s local time. The Rule enables the option for same day ACH payments through additional ACH Network functionality, without affecting previously available ACH schedules and capabilities.

Originating Depository Financial Institutions (ODFIs) are able to submit files of same day ACH payments through two additional clearing windows provided by the ACH Operators (Note: The actual ACH Operator schedules are not determined by the NACHA Operating Rules.):

  • A morning submission deadline at 10:30 AM ET, with settlement occurring at 1:00 PM
  • An afternoon submission deadline at 2:45 PM ET, with settlement occurring at 5:00 PM

Virtually all types of ACH payments, including both credits and debits, are eligible for same-day processing. Only international transactions (IATs) and high-value transactions above $25,000 are not eligible. Eligible transactions account for approximately 99% of current ACH Network volume. All RDFIs are required to receive same day ACH payments, thereby giving ODFIs and Originators the certainty of being able to send same-day ACH payments to accounts at all RDFIs. The Rule is based on a solid foundation of economic research on the use cases for Same Day ACH. All consumers, businesses, government entities and financial institutions that use the ACH Network to move money between bank accounts will benefit from the option to move ACH payments faster. NACHA projects that ACH Originators would generate approximately 1.4 billion same-day ACH payments annually as of ten years after full implementation and rollout, primarily for transactions that can be initiated before 2:45 PM ET on business days (not on weekends or holidays), and that do not require real-time functionality.

Using an expert, third-party economist, NACHA assessed 10 primary use cases for Same Day ACH. Significant use cases for Same Day ACH include:

  1. Same-day payrolls, supporting businesses’ needs to pay hourly workers, and providing flexibility for late and emergency payrolls and missed deadlines; and enabling employees to have faster access to their pay in these cases;
  2. Business-to-Business payments, enabling faster settlement of invoice payments between trading partners, and including remittance information with the payments;
  3. Expedited bill payments using both ACH credits and debits, enabling consumers to make on-time bill payments on due dates, and providing faster crediting for late payments; and,
  4. Account-to-account transfers, providing faster crediting for consumers who move money among various accounts they own.

Learn more about Same Day ACH with NACHA’s Resource Center and click here for access to the Association’s summary of recent NACHA rules changes.

Click here for a schematic to help you understand and prepare for Same Day ACH – Phase 3.

For questions, contact NJCUL’s Nicola Foggie at nfoggie@njcul.org or call 800-792-8861, Option 1.

 

Compliance & Regulatory
Warning! Card Skimmers in NJ on the Rise: How to Spot Them, What to Do
By: Nicola Foggie, NJCUL Vice President, Compliance and Regulatory Affairs


This week, a credit union leader made NJCUL aware of a skimmer placed on a Wawa automated teller machine (ATM) located in the southern New Jersey town of Woodbury Heights. Thousands of dollars were skimmed from the victim’s account virtually overnight.

Card skimming is a method used by criminals to capture data from the magnetic stripe on the back of an ATM card. The devices used are smaller than a deck of cards and are often fastened in close proximity to, or over the top of, the ATM's factory-installed card reader, and they are popping up everywhere, including across the state of New Jersey. According to a recent article posted by BankinfoSecurity, despite the recent bust of an alleged skimming ring in Massachusetts, ATM fraud is on the rise and shows no sign of abating.

One industry expert has a list of incident response tips (provided below) for financial institutions that want to fight back against ATM skimming attacks. Mike Urban, Senior Director of Fraud Solutions at FICO, says all types of ATMs—and even pay-at-the-pump gasoline stations—are under attack. According to BankinfoSecurity, in the last month, several skimmers have been found at gas stations around the nation, where the tech-savvy fraudsters are placing readers to capture the PIN and the card number before the PIN is encrypted. "I predict we're going to see more of those," Urban says. "They are targeting the weakness of the mag stripe, and that will be something we have to live with until a better solution is developed.”

The current trend began slowly, says Urban. Several years ago, the targets were primarily off-premise ATMs. Criminals could buy ATMs, place skimming devices in them, and collect card and PIN information. Urban warns that criminals began focusing on financial institutions' ATMs once the encrypting PIN pad and other advancements in technology changed how PINs were protected.

Keep in mind:

  • Criminals placing skimming devices will target an attack for a day, a weekend, or a short period of time.
  • They usually go on to attack other ATMs of the same make/model that fit the look of the skimming device.
  • The devices are much more sophisticated than previous skimming devices.

"They also use the same paint coatings, so they are getting access to that information somewhere—those compounds that generally aren't available at a local hardware store,” says Urban. “You can't go in and order ATM gunmetal grey paint. There is a real industry around the creation of these ATM skimming devices."

The Challenge for Credit Unions
Many financial institutions, including credit unions, have not invested in real-time fraud monitoring of PIN-based transactions, Urban says, because traditionally risk has been lower. His advice: Institutions need to take a hard look at where they're going to spend monitoring money. "By now I mean getting ahead of the curve before the fraud starts to happen, and get PIN-based card transaction monitoring in place."

Technology advancement won't stop a determined criminal. It is a cat and mouse game, and from what Urban sees with increased skimming in the UK and Canada, "We're going to see significant increases in skimming."

Below are a few steps, suggested by Urban, that you can take now to help your credit union move toward combatting card skimming fraud. The League is also hosting a Cyber Security Roundtable on March 21 with FBI Supervisory Special Agent Brett Yeager who will discuss current and emerging cyber threats as well as security controls that can be used to protect your critical systems. Register here.

Action Items for Credit Unions:

  • Have a Plan — For what you do if you find a skimming device on one of your ATMs.
  • Document the Plan — List everything that should happen, people to be contacted, actions to be taken.
  • Educate Your Branch Employees — If a device is found, all employees should know what and what not to do. Educate branch employees and third-party vendors, as well as ATM servicers. Make sure they are monitoring the outside of the ATMs for residue or devices that actually are on the ATM.
  • Inspect All Locations — Frequently, checking the fascia and surroundings around the ATMs, making sure nothing has been added or moved.
  • Set ATM Standards — Including visual standards for all ATMs in all branches. Keep it standard. Take a photograph of each ATM, inside and outside. Show employees what it should look like, so ATMs can be quickly examined to see what may be out of place.
  • Don't Touch Skimmer If Found — Contact law enforcement if a device is found on the ATM. Tell employees to not touch it or pick it up or pull it off the ATM. Secure the area with bank robbery tape until law enforcement arrives.
  • Be Vigilant At All Times — Increase your checks on ATMs, especially if you've heard of ATM skimming in your area. If there are reports of ATM skimming, increase the number of checks. Even if there are no reports, have employees check ATMs in off-hours and over weekends, which are prime times for skimmers to be put on ATMs.
  • Contact Other Institutions — Share information with local and regional institutions about what's happening at your branches and make sure they share information with your institution.

For more information on card skimming awareness, contact NJCUL’s Nicola Foggie at nfoggie@njcul.org.

Source: www.bankinfosecurity.com

Compliance & Regulatory
Supervisory Committee Members: The Forgotten Volunteers
By: Nicola Foggie, NJCUL Vice President, Compliance and Regulatory Affairs

Where you find education and training for credit union volunteers (which is not defined solely as board directors…there are also supervisory committee, asset-liability committee, and credit committee members, etc.) there is usually no lack of options and opportunities. Normally, you will find a list of the usual suspects in the form of topics, but if you look closely at the descriptions, you’ll see that they are generally not as all-encompassing as the word “volunteer” is supposed to imply. Those opportunities appear primarily designed for board directors, not supervisory committee members. While it is clear that board directors deserve and need appropriate education and training as well, typically when a credit union budgets for volunteers to attend conferences and training, they do so with the board directors in mind, so I can see why those industry entities that host and provide training at the volunteer level cater to this specific group. 

We know that typically these events are marketed as if they cater to ALL volunteers, but we often see only a lone breakout session or two for the supervisory committee attendees. My point is that board directors and supervisory committee members have very different and distinct roles. Directors are charged with governance and strategic planning, while the supervisory committee members are the “police” or faithful “watchdog” of the credit union, almost the “conscience” of the credit union, responsible for setting the annual audit schedule, reviewing regulatory and external audits of the credit union, and quality control. The fact is that the supervisory committee plays a hefty role in ensuring the credit union stays on track and in staying current on the board’s activities and decisions to ensure it is fulfilling its responsibilities to the credit union and its members.

In the past, the duties of the supervisory committee of most credit unions were not vast or complicated. That has slowly changed over the past decade. In recent years, internal and external pressures from the financial and regulatory industries have caused the pace to pick up dramatically. Today, credit unions of all asset sizes are faced with an environment fraught with internal, as well as external threats, including cyber threats, data breaches, internal fraud, third-party partner mishaps, etc. Someone has to be minding the store. But, you can only do that if you know what you are looking out for. Credit unions have little regulatory help on that point as they are empowered to engage consultants and third-party partners to help them accomplish the supervisory committee’s duties and responsibilities.

Bottom line, I only wish to point out that the role of the supervisory committee is a very important one, and we should not underestimate their service as volunteers in this movement. That being said, a credit union’s successful strategic plan and budget will include planning and providing for appropriate education and training for supervisory committee members, specific to the committee’s duties and responsibilities to the credit union. Finding the right sources for education, conferences, and training starts with finding the right partners. Look for partners that will help your credit union’s supervisory committee stay up with the latest trends and best practices, provide them with industry insights, modern solutions and proven strategies they can use to help their credit union optimize its performance and better prepare to serve its members.

Click here to sign-up to receive timely information about NJCUL’s supervisory committee support, compliance, and audit solutions.

 

Compliance & Regulatory
Does Your Credit Union Have a Robust Disaster Recovery Strategy?
By: Nicola Foggie, NJCUL Vice President, Compliance and Regulatory Affairs

Are you ready for an unexpected event? A large-scale natural disaster like a hurricane, earthquake or flood may lead to hardware failure, network outage or a total shutdown of credit union facilities. Even a small-scale event could shut down a credit union for hours and serve to shake members’ confidence in you. Recent natural disasters have illustrated the importance of effective contingency planning to ensure that all credit unions are able to fulfill their missions and obligations to their members during natural disasters or other disruptions in their operations. Effective business continuity planning and disaster recovery practices were discussed Thursday during a free compliance webinar, “Credit Union Disaster Preparedness and Business Continuity,” offered by the New Jersey Credit Union League. Those at a credit union who should be addressing the disaster recovery and business continuity strategy and plan include board directors, senior management, and those responsible for execution. Speaker Nicola Foggie, VP of Compliance and Regulatory Affairs with NJCUL, provided a high-level overview of effective continuity planning and practices for credit unions, including answering questions and addressing necessary actions like:

  • Why have a plan?
  • Objectives of a plan?
  • Key components of a plan
  • How to customize your plan
  • Steps for Recovery

Working through creating and updating plans, as well as ongoing work with the right business continuity and disaster recovery standards, can have the side benefit of getting your organization on the path to continued compliance. A well-planned and regularly tested business continuity and disaster recovery strategy often goes way beyond the typical DR plan, which is usually put together by an internal team, then put away in a drawer and maybe revisited once a year. Sometimes a plan is not looked at until an actual disaster or significant disruptive event occurs. There is only one thing worse than not having a well-thought-out Disaster Preparedness & Business Continuity Plan, and that’s having an outdated, ineffective one.

Click here to check out NJCUL Business Continuity and Disaster Planning resources and information.

Compliance & Regulatory
Not Again?! Merging the TCCUSF and NCUSIF…a Good Idea, But Not at Credit Union Members’ Expense
By: David Frankil, NJCUL President/CEO

What is the difference between May, 2009 and September, 2017?

In 2009, the markets were plunging, the economy was in crisis, the Corporate system was failing – and credit unions across the country were asked to make "temporary" contributions to stabilize the entire system.

In 2017, the economy is stable and growing (albeit more slowly than desired), there is no systemic crisis in the credit union system – and NCUA is trying to convert those "temporary" contributions into permanent contributions.

Something is wrong with this picture.

The NCUA Board is seeking comment on a proposed plan to close the Temporary Corporate Credit Union Stabilization Fund (TCCUSF) and to concurrently raise the equity ratio of the National Credit Union Share Insurance Fund (NCUSIF) Normal Operating Level (NOL) from 1.30 percent to 1.39 percent of insured shares, with planned Equity Distributions.

This seemingly innocuous change in an obscure operating ratio would allow NCUA to retain a significant percentage of the “temporary” stabilization fees that credit unions paid into the Fund. Although the NCUA estimates that credit unions will receive an NCUSIF distribution (dividend payment) between $600 million and $800 million for 2018, the increased operating ratio would mean that NCUA would retain as much as $1 billion by some estimates. Some New Jersey credit unions have reported that their equity distributions would be reduced by more than 50%.

NCUA is justifying this capital grab under the guise of “risk management.” Currently, NCUA’s process is that the money in excess of the 1.30% equity ratio the regulator uses as its NCUSIF NOL must be paid back to credit unions in the form of a dividend. NCUA is proposing to raise that ratio to 1.39%, to hold back $1 billion in case the original assets of the TCCUSF (which would now be a liability of the NCUSIF due to the merger) do not perform as expected.

On the surface this may seem reasonable, until you look at the Board’s justification for the increase, which is based on the same selective modeling that resulted in billions of excess reserves, unnecessary premiums, and overestimates of losses on legacy assets over the past seven years. 

Let’s think about this. Given the restructured corporate system that exists today, much of "yesterday's" risk has been eliminated. If a comparatively larger rebate is made to credit unions and their members by NCUA today, and it ends up being premature, the fund can always be recapitalized at a later date. In the interim, absent a crisis, I would suggest that credit unions could do a much better job of managing those assets for themselves than will the regulator.

We can expect that the closure of the TCCUSF will reduce expenses, add sorely needed transparency by simplifying the NCUA’s reporting, and so, in general, it’s a good idea. It should also enable the NCUA to tie financial results of the NCUSIF to real-world credit union events rather than its current practice involving projecting long-term scenarios to justify current expenditures — scenarios that often don’t hold up over time. Credit union members are the ones that send one cent of every insured share to fund the NCUSIF. NCUA is the “steward” for those interests and credit unions have a responsibility to speak up on behalf of their members’ interests.

The current plan to close the TCCUSF is long overdue and the NCUA board should be commended for doing so, but I think the action steps are based on past intricate models that have been shown over the past half dozen years to underestimate the value of the assets taken and overestimate the losses. By closing the TCCUSF and transferring those funds to NCUSIF, the equity ratio of the NCUSIF could be as high as 1.47%.

CUNA and NJCUL have argued the NCUA’s proposed increase in the NOL (to 1.39%) is absolutely unnecessary and are urging the agency to increase it to no more than 1.34%, temporarily, to offset the risk of underlying legacy assets, if at all. We make it clear that we expect the NCUA to publicly reaffirm the 1.30% NOL as an appropriate upper bound for the NCUSIF’s capital level (given favorable historical performance) and we ask that the agency specifically document plans for the orderly and expeditious return of the NOL from 1.34% to 1.30%.

The challenge to credit unions today is to take action on your and your members’ behalf by responding to the NCUA Board’s request for comments. Merging the TCCUSF and NCUSIF will place a spotlight on NCUA’s management of future corporate resolution transactions and end a stabilization work out that has now gone on for nearly nine years.

Make your voice heard! Click here for NJCUL’s Stabilization Fund Resources, access to PowerComment and a Comment Letter Template. Comments are due by September 5.

Additional Resources:

 

Compliance & Regulatory
Calling All Policy Wonks
By: Nicola L. Foggie, CUCE, BSACS, NJCUL Vice President, Compliance & Regulatory Affairs

My name is Nicola, and I’m a policy wonk (and proud of it!)

That’s true for the rest of the NJCUL compliance team too – Donna, Sabrina, and Evelyn. But there is a very good reason why we wear the policy wonk label as a badge of honor – it is a core part of the value we provide to NJCUL members, with free use of CUPolicyPro.

Compliance & Regulatory
Changes to the HMDA Act: What Do You Need to Know?
By: Nicola L. Foggie, CUCE, BSACS, NJCUL Vice President, Compliance & Regulatory Affairs

The Home Mortgage Disclosure Act (HMDA) has undergone several changes since it was first enacted in 1975. The most recent changes, which went into effect on October 15, 2015, are just the beginning of reporting modifications set to roll out in the coming years.

What are the changes and what does your financial institution need to do to prepare?

Compliance & Regulatory
Would You Want to Live in a Risk-Free Society?
By: David Frankil, NJCUL President/CEO

Think about it – there is literally no human activity that occurs without some degree of risk.  Walking on the street, riding a bike, driving a car, flying in an airplane, even getting a meal in a restaurant all pose some degree of risk. 

The question we face as individuals is the same we face as leaders of financial institutions – how much risk are we willing to accept, and how do we manage it.  But to re-state the obvious, without risk, there is no return....

Compliance & Regulatory
Court Dismisses Bankers’ Frivolous MBL Lawsuit
By: Nicola Foggie, NJCUL Vice President, Compliance and Regulatory Affairs

Yesterday, the NCUA and credit unions won a huge victory! U.S. District Court Judge James Cacheris dismissed a lawsuit that the Independent Community Bankers of America (ICBA) brought against the National Credit Union Administration (NCUA) this past September. The bankers’ suit against the agency challenged NCUA’s 2016 member business lending (MBL) rule. The American Bankers Association supported the ICBA litigation that challenged the MBL rule and amendments that changed the statutory MBL cap, including making it easier to exclude nonmember loans from the cap calculation. According to the court’s opinion, the lawsuit was dismissed based on ICBA’s lack of standing and timeliness. In his opinion, Judge Cacheris stated that even if the ICBA had established standing and timeliness, the court still would have found that the rules satisfied the requirements established by the Administrative Procedure Act and existing case law.

Compliance & Regulatory
Did You Know that NJCUL was Founded in 77 BC?
By: David Frankil, NJCUL President/CEO

That would be “Before CFPB.”

And odds are that your credit union was also born in the BC era.

Few new financial services regulatory agencies have had the fast start and wide-ranging impact of the Consumer Financial Protection Bureau (CFPB). For anyone charged with tracking and complying with their rules, the last five years probably seem like dog years.

This all came to mind this week with the Wells Fargo debacle, and the role that the CFPB played in bringing those practices to light and to an end. The CFPB vision and values statements provide the foundation upon which they acted – but what is most interesting is how consistent they are with what you’d see at a credit union:
