FTC: $505 Million in Refunds Sent to Payday Loan Customers
By: Nicola Foggie, NJCUL Vice President, Compliance and Regulatory Affairs

The Federal Trade Commission (FTC) announced Thursday that customers who took out an online payday loan from a company affiliated with AMG Services may be getting a check in the mail from the FTC. The $505 million the FTC is returning to consumers makes this the largest refund program the agency has ever administered.

Compliance & Regulatory
CALL TO ACTION! Is Your Credit Union a Private Student Lender?
By: Nicola Foggie, NJCUL Vice President, Compliance and Regulatory Affairs

If your credit union is a private student lender, you may need to take immediate action. Last week, the New Jersey Credit Union League (NJCUL) held a FREE virtual meeting on the July liquidation of the South Dakota-based ReliaMax Surety Company. ReliaMax wrote surety bonds covering student loan repayment to financial institutions nationwide, including credit unions. The company ceased collection and default services effective Friday, July 27, 2018. By way of background, ReliaMax had been placed into liquidation by the South Dakota Division of Insurance (DOI). The South Dakota DOI petitioned the Hughes County Circuit Court on June 12, 2018 to place ReliaMax into liquidation due to insolvency. Judge Patricia J. DeVaney approved the petition on June 27, 2018. ReliaMax distributed communication of the liquidation on July 25, 2018, to insureds, principals, claimants and other interested parties, including all 60+ days past due borrowers and cosigners, some of whom may be your members.

Compliance & Regulatory
Why Won’t BSA/AML Training Just Go Away?!
By: Nicola Foggie, NJCUL Vice President, Compliance and Regulatory Affairs

Almost 50 years ago, concerns about large amounts of cash coming into the country from the drug trade led Congress to pass what’s become known as the Bank Secrecy Act (BSA). The BSA was designed to help identify the source, volume, and movement of currency and other monetary instruments transported or transmitted into or out of the U.S. The Money Laundering Control Act came about in 1986. The training to counter money laundering is more commonly known as Anti-Money Laundering (AML) training.

So, with a little bit of BSA/AML history in mind, back to my original question, why won’t BSA/AML training just go away?

Compliance & Regulatory
Cyber Attacks...In the News and Costing Millions
By: Nicola Foggie, NJCUL Vice President, Compliance and Regulatory Affairs

With stories peppering the news like the two I’m sharing here, credit unions, if you have not already addressed your organization’s cybersecurity needs and, further, taken the time to create a plan to protect your systems and members’ private information from attacks such as breaches, malware, hacking, phishing scams, identity theft…I could go on…then you need to gather your senior management and board directors and begin the assessment of the vulnerabilities of your credit union, look to your organization’s cyber-safety (or lack thereof), and work internally, or with verified partners, on a proactive plan of cyber-action!

Compliance & Regulatory
When it Comes to Cybersecurity…Are You Playing Offense or Defense?
By: Nicola Foggie, NJCUL Vice President, Compliance and Regulatory Affairs

When it comes to myself, my family, and my friends, safety and security are top priority. And we’re not alone. The Consumer Banking Experience Index survey has consistently found that consumers rank the safety and security of their personal information as their highest priority in the “banking” experience. Couple that with a constant barrage of data breaches, hacks, and identity theft scams happening around the globe, and being featured in the news these days, entrusting your money and financial security to someone else can be daunting. Members want to feel confident that their credit unions are keeping their private information safe and secure. That begins with credit unions looking inward, ensuring their board of directors, supervisory committee, and senior management are placing a strong focus on cybersecurity.

You really have two choices – wait until you suffer a breach, and then scramble to clean up the mess, or be proactive, and make the credit union a hard target for anyone looking in your direction.

Verizon’s 2018 Data Breach Investigations Executive Summary report

So, where does your credit union stand? Are you sitting back and waiting for cyber-hackers to come your way…playing defense? Or, are you ready to take control of your credit union’s cyber-safety and start playing offense?

Cyber-hackers only need one point of entry to exploit a credit union’s vulnerabilities, which are sometimes the simplest of things, such as not enforcing complex passwords, not applying timely security patches to servers and workstations, and failing to conduct timely security training for employees. Credit unions need to ensure that they have up-to-date cybersecurity information, education, and training to prevent these most basic of attacks. And, if a credit union does not have the internal resources to get the job done, it should look to connect with verified third-party partners that best fit its needs and budget.

Recent industry reports show that credit union membership is growing overall, with new members looking for better interest rates, lower fees, and friendlier service than traditional, for-profit banking institutions. Guess what else they are looking for? A safe and sound institution they can entrust with their personal information and money.

You might think cyber-hackers only go after big banks or the largest of credit unions; however, according to Verizon’s 2018 Data Breach Investigations Executive Summary report, the financial industry as a whole ranks in the top five most likely targets of a social engineering breach. Verizon also reports that nearly 60% of breach victims last year were small businesses — a category into which credit unions certainly fall. Verizon also indicates the motivation behind 76% of the attacks it investigated last year was to steal money or inflict financial damage, an outcome that poses obvious pitfalls for credit unions, in particular. The pressure is on to show that you are taking the steps to properly safeguard members’ information just as effectively as the big banks do for their customers.

Going beyond the basic attacks, recent studies show many organizations are underprepared for the surge in new and sophisticated malware attacks. These are far more sophisticated than stealing a password, and many credit unions may find their in-house teams unequipped to take on preventative measures in-house or find those measures too complex to tackle without help.

This is a lot for credit unions to deal with on their own, and I haven’t even begun to discuss the National Credit Union Administration’s (NCUA) imminent cybersecurity audits. Just this year, the agency, along with the Financial Services Information Sharing and Analysis Center (FS-ISAC), rolled out a webinar on its new exam tool, the Automated Cybersecurity Examination Tool (ACET). NCUA plans to begin performing cyber-examinations on credit unions later this year.

Never fear, help is coming right away, in the form of Cybersecurity education and resource sessions hosted by the New Jersey Credit Union League:

Don’t wait another minute. Take a proactive approach and register today!

Compliance & Regulatory
What does your Mobile Check/Remote Deposit Agreement say? July 1, Reg CC Changed
By: Nicola Foggie, NJCUL Vice President, Compliance and Regulatory Affairs

Effective July 1, new warranty and indemnity rights, liabilities and obligations under Regulation CC (Check Cashing) may impose greater risks for credit unions. The final rule creates a new Remote Deposit Capture Indemnity in Section 229.34(f) that addresses the allocation of liability when a depository institution, such as a credit union, accepts deposit of a check through “remote deposit capture,” meaning that the depositor (member) sends the credit union electronic information about a check, such as a photographic image, which the credit union then uses to create an electronic check, or substitute check, for collection.

The indemnity is provided by the credit union that accepted a check by remote deposit capture to a financial institution that accepted the original check for deposit, in the event the financial institution that accepted the original check incurred a loss because the check had already been paid. The final rule added an exception to the indemnity that would prevent a bank from making an indemnity claim if it accepted the original check containing a restrictive endorsement inconsistent with the means of deposit, such as “For Mobile Deposit Only.” One step a credit union could take is to talk to its check vendor to inquire about printing checks with a checkbox on the back which states, “Check here if Mobile Deposit.” Caution: there has been some question as to whether simply checking that box fulfills the restrictive endorsement requirements under the check cashing regulation.

Credit unions that accept checks by remote deposit capture will want to review the language in their Mobile Check Deposit Agreement, or Remote Deposit Capture Agreement, that requires the credit union’s member to add a specific restrictive endorsement to the check, such as “For Mobile Deposit Only to [insert credit union name] into account #123456789,” and to add language for the new check box, which identifies the check as “For Mobile Deposit,” to be checked.

Questions? Contact NJCUL’s Nicola Foggie at nfoggie@njcul.org.

Compliance & Regulatory
So Many Resources, So Little Time
By: Mary Ann Koelzer, Technology Product Manager, CU Solutions Group

I Googled “Credit Union Compliance Resources” today – this returned nearly 18 million results. 18 million. Finding the resources that are best for your credit union can be like finding a needle in a haystack.

There is certainly no lack of resources available, but as compliance professionals, we often find ourselves pulled in so many directions – staying on top of ever-changing compliance rules and regulations, training staff, updating policies and procedures, and the many, many things we do in between – that finding time to research and filter through the numerous compliance resources can sometimes feel overwhelming.

We often know there are resources we are missing, but the day-to-day demands of our jobs simply don’t allow for the time we need to find the resources that make a real difference – and actually relieve some of the burden. It’s easy to fall back on “what we’ve always done” instead of moving forward with a better solution.

At the New Jersey Credit Union League's upcoming Compliance Conference, we will take a look at the abundance of Compliance resources the League has available for its member credit unions, and we will take a closer look at 10 specific tools and resources that are often overlooked and underutilized. You’ll be sure to find your needle without digging through the haystack! 

Here’s a sneak peek!

  • InfoSight Checklist List will help you check it off your list
  • InfoSight Compliance Videos for when you’re tired of reading
  • CU PolicyPro Redlining keeps track of changes so you don’t have to
  • CU PolicyPro Editor Notes are better than a scrawled note in the margin
  • CU PolicyPro Training makes everything easier
  • CU PolicyPro Publishing puts it all together
  • Shared Compliance so you don’t have to do it
  • ComplySight Complaint Management System because every credit union needs one
  • CU PolicyPro/ComplySight integration saves you time
  • ComplySight Training makes you the system expert

 

Compliance & Regulatory
Are You Prepared for the Unthinkably Inevitable?
By: David Reed, Attorney, Reed and Jolly, PLLC.

Let’s face it, we live in a world where many different things can go wrong at our credit union very quickly. Add that to the fact that our news cycle has gone from days to seconds, and you must understand that you need to be prepared. Crisis communications boils down to anticipating likely negative events and preparing your message before it happens.

Here are a few simple tips to initiate your crisis communications plan:

  • Create a Crisis Management Team made up of key stakeholders and arm them with a written crisis response plan and a complete contact list, which includes cell phone numbers;
  • Remember to include volunteers as well as needed local resources such as police, fire, rescue and utilities. Many institutions offer these resources to the team members in paper and on a thumb drive or other convenient device in case internet access is down for an extended period of time;
  • Conduct a quick inventory of likely negative events. You need to look no further than your local newspapers or trade publications to see that data breaches, internal fraud and potential legal claims are just a few likely negative scenarios. Understand the basic components of each scenario and be prepared to assess the full scope of the issues presented. Prepare an outline of the potential negative member impact and create a message that places a positive spin on each;
  • Consider conducting periodic table top exercises involving all staff and focus on a specific scenario and the responsibilities each person will have during that event. Remember the old adage, knowing is not enough, we must apply it; and
  • Finally, create a clear “chain of communication command”, which selects the primary spokesperson and emphasizes the need for a consistent message. In other words, only one person is able to make official comments for the credit union.

You will need to work elements of crisis communications into all of your related policies and procedures, including Disaster Recovery Plan, Social Media Policy and Employee Responsibility or Conduct Policies. Targeted preparation can reduce the sting of a negative event, and place your credit union in the best possible light during the darkest of moments.

At the League's July 13, 2018 Compliance Conference, I will discuss the EEOC guidelines regarding employer liability and discuss what actions credit unions need to take in order to comply with the various guidelines to prevent harassment and enforce effective complaint procedures. Register now!

 

Compliance & Regulatory
What Do You Need to Know About EEOC Guidelines Regarding Employer Liability?
By: Michael R. Dupont, Attorney, McKenna, DuPont, Higgins & Stone, PC

With the #metoo movement and the current political atmosphere, credit unions must be mindful of their enforcement duties to stop and investigate any harassment by supervisors.

A credit union is vicariously liable for a hostile work environment created by a supervisor if the employer has empowered that employee to take tangible employment actions against the victim.

Recently the Equal Employment Opportunity Commission (EEOC) issued enforcement guidance on vicarious employer liability for unlawful harassment by supervisors. This document provides guidance regarding employer liability for harassment by supervisors based on sex, race, color, religion, national origin, age, disability, or protected activity.

Credit unions must implement and enforce strong policies prohibiting harassment and effective complaint procedures. Credit unions can prevent unlawful harassment and thereby create a good working atmosphere for all involved.

At the League's July 13, 2018 Compliance Conference, I will discuss the EEOC guidelines regarding employer liability and discuss what actions credit unions need to take in order to comply with the various guidelines to prevent harassment and enforce effective complaint procedures.

 


Compliance & Regulatory
Ramping up to Compliance is No Easy Task
By: Nicola Foggie, NJCUL Vice President, Compliance and Regulatory Affairs

Staying current on the latest compliance information and regulatory changes is one of the best ways credit unions can get into, and stay in, compliance. Education is the key! Compliance education and training sets the foundation for a low-risk environment that will ensure your credit union's opportunity for sustainability. The New Jersey Credit Union League is your one-stop-shop for comprehensive compliance education and training. The League's Compliance Center has a variety of educational resources available all year round that include convenient and free Webinars, regulatory topic-specific presentations, update sessions, roundtables, workshops, and an annual compliance conference, as well as customized learning for groups or individuals. Training is available to credit union CEOs/managers, staff, directors, and volunteers.

Compliance & Regulatory
Friday, July 13th Won’t Be An Unlucky Day For Compliance Professionals
By: David Frankil, NJCUL President/CEO

We’re not trying to send any sort of subliminal message by scheduling the Compliance Conference for Friday, July 13th. But if we were, it would be something along the lines of how compliance is much, much more than just a necessary evil—and how important it is to excise any skeletons in your proverbial closet before anyone from NCUA has to tell you to do so.

Compliance & Regulatory
Compliance Deadline Reminder: Beneficial Ownership is Just Two Days Away!
By: Nicola Foggie, NJCUL Vice President, Compliance and Regulatory Affairs

Credit unions had two years to get ready for the May 11, 2018 effective date for the Customer (Member) Due Diligence rule (CDD) that adds requirements for certain financial institutions, including credit unions, to identify and verify beneficial owners of legal entity customers (Beneficial Owners) in furtherance of the Bank Secrecy Act (BSA). The U.S. Treasury Department's Financial Crimes Enforcement Network (FinCEN) published the final rule May 11, 2016.

Compliance & Regulatory
5 Steps to Customer Due Diligence Compliance
By: Nicola Foggie, NJCUL Vice President, Compliance and Regulatory Affairs

The Financial Crimes Enforcement Network’s (FinCEN) final rule, in 2016, added a 5th BSA Compliance Pillar that imposed new requirements for identifying and verifying beneficial owners of legal-entity customers. This new rule, amending the Bank Secrecy Act, became effective in July 2016, and all federally insured credit unions must comply fully by May 11, 2018. Along with credit unions’ requirement to comply with the existing components of the Customer Due Diligence (CDD) rule, it can all get a bit confusing.

So, what exactly is CDD? And why is it so important?
CDD is a critical element of effectively managing risk and protecting you, and your business, against potential association or involvement with financial crimes and nefarious activities. CDD processes are crucial for knowing your member (KYM), and in most cases, CDD involves identifying your member and understanding their activities. This then allows you to assess their risk profile. In the case of high-risk members, Enhanced Due Diligence (EDD) is sometimes needed. This is additional information that must be collected in order to provide a deeper understanding of member activity to mitigate risks. Member risk assessments can be used to determine which level of due diligence is required.

In order to ensure that your credit union is following best practices, here are 5 steps to improve your CDD processes:

Step 1 – Perform CDD measures before entering into a business relationship with your member to detect any bad actors early on.
Ascertain the identity and location of the potential member, and gain a good understanding of their business activities. This can be as simple as locating documentation that verifies the name and address of your member. You have to first decide whether a member fits your established risk profile, before entering into a business relationship with them. You can only do this by undertaking the appropriate CDD measures. This ensures that identity thefts and any potential forgeries can be detected early on.

Step 2 – Strengthen your processes when vetting third parties.
You may rely on third parties to help you perform due diligence; however, it’s important to choose these parties or providers wisely because the ultimate responsibility for CDD measures remains with you, the credit union, not the third party. Sometimes, the only way to get the information required for CDD is through a trusted third party, so it’s important to ensure that their standards and best practices are aligned with your business. At the end of the day you are liable and will be fined or penalized for non-compliance.

Step 3 – Ensure that pertinent information has been collected and stored securely.
When authenticating or verifying a potential member, classify their risk category and define what type of member they are, before storing this information and any additional documentation digitally. Having a meticulous and comprehensive process for documenting CDD-related information is not only highly effective, it also mitigates any potential risk for you as a business.

Step 4 – Detect if there is a need for EDD.
Beyond basic CDD, it’s important that you carry out the correct processes to ascertain whether EDD is necessary. This can be an ongoing process, as members have the potential to transition into higher risk categories over time, so conducting periodic due diligence assessments can be beneficial. For example, most jurisdictions require politically exposed persons (PEPs) to go through the EDD process. Other factors that might trigger EDD are high transaction value accounts, accounts that deal with high-risk countries, or accounts that deal with high-risk activities. Factors to consider to determine whether EDD is required include, but are not limited to, the:

  • Location of the person
  • Occupation of the person
  • Type of transactions
  • Expected pattern of activity in terms of transaction types, dollar value and frequency
  • Expected method of payment

Again, this protects you and your business against any involvement with nefarious activities and also ensures that you are meeting various KYM and Anti-Money Laundering (AML) regulatory requirements.

Step 5 – Keep historical records on hand.
Store records of instances of CDD and EDD securely, in a digital format. Keeping records of all the CDD and EDD performed on each member, or potential member, is necessary in case of future regulatory obligations.

Want to know more? Join us for the NJCUL's FREE "Beneficial Membership is Here: Customer Due Diligence Compliance" webinar on Thursday, May 10, 10:00 am – 11:00 am. Click here to register to attend.  


Compliance & Regulatory
Policy Management the Easy Way And It's Free
By: David Frankil, NJCUL President/CEO

It probably doesn’t rank high on anyone’s top 10 list of favorite activities, but writing, updating, and tracking all of the policies required by NCUA is important. Not to mention a topic frequently cited by examiners.

One of the most-used free benefits of NJCUL membership is a subscription to CUPolicyPro, which provides access to over 230 credit union-specific model policies—plus a full online system to make managing them a snap.

We wanted to make sure that all of our members were making maximum use of this great resource, so Nicola has scheduled two free webinars this month:

Our speaker is an expert in the field – Mary Ann Koelzer, from CU Solutions Group, the organization that runs CUPolicyPro and a Business Partner of ours. Mary Ann has been a frequent presenter on compliance topics to credit unions, and has worked with several hundred credit unions of all sizes across the country.

Click on the links above to register – look forward to seeing you on the webinars!

Compliance & Regulatory
NJCUL Encourages CUs to Get Cybersecurity Ready!
By: Nicola Foggie, NJCUL Vice President, Compliance and Regulatory Affairs

Is your credit union cybersecurity ready? In May of last year, the National Credit Union Administration (NCUA) communicated to credit unions in the wake of the “WannaCry” global ransomware attack, reminding them to verify they had effective controls in place to prevent similar cyberattacks.

The WannaCry attack hit more than 300,000 victims in 150 countries, including the U.S., disrupting critical infrastructure, businesses, financial institutions, and healthcare markets. Then, on September 7 of last year, the public found out about the Equifax data breach. In the wake of the breach, credit unions, like other businesses, found themselves scrambling to notify their members and checking to see what, if any, impact the breach and its direct or indirect partnerships with Equifax, would mean to the security of their members’ private data.

Here we are in 2018. In response to the critical impact of information technology and information security breaches (also known as cyberbreaches, cyberattacks, cyberhacks), NCUA has developed and will begin using its NEW Automated Cybersecurity Examination Tool (ACET) this year. The ACET provides NCUA with a “repeatable, measurable and transparent process for assessing the level of cyber preparedness across federally insured institutions,” according to the agency in its letter to federally insured credit unions, 17-CU-09, Supervisory Priorities for 2018. NCUA also said, “The ACET incorporates appropriate standards and practices established for financial institutions. It also aligns with the Cybersecurity Assessment Tool developed by the FFIEC for voluntary use by banks and credit unions. Therefore, we encourage credit unions to continue to self-assess their cybersecurity and risk management practices using the Cybersecurity Assessment Tool if they do not have an alternative method of assessment.”

NCUA will begin using the ACET in examinations of larger credit unions with more than $1 billion in assets to create a baseline for the cybersecurity maturity level of the largest and most complex institutions. The agency will continue to test and refine the ACET through 2018 to ensure it scales effectively for smaller, less complex institutions.

The Financial Services Information Sharing and Analysis Center (FS-ISAC), along with CUNA, will host a webinar with NCUA examiners to explain the new Automated Cybersecurity Examination Tool (ACET). The free webinar is scheduled for April 5, from 3 to 5 p.m. (ET).

Resources: 

To schedule a Cybersecurity Assessment Review on your credit union, contact Nicola Foggie at nfoggie@njcul.org.

Click here for more information about additional audits the League provides.

Click here for Free CU cybersecurity webinars from FS-ISAC

Compliance & Regulatory
Phase 3 of Same Day ACH is Right Around the Corner
By: Nicola Foggie, NJCUL Vice President, Compliance and Regulatory Affairs

The National Automated Clearing House Association (NACHA) is gearing up for the March 16, 2018 effective date for Phase 3 of Same Day ACH: Moving Payments Faster and so should credit unions. That’s just the beginning. New capabilities of Same Day ACH become effective over three phases to allow financial institutions and businesses to acclimate to a faster processing environment, as well as to ease the implementation effort. Beginning March 16, 2018, Receiving Depository Financial Institutions (RDFIs) will be mandated to make funds available from same day ACH credits (such as payroll Direct Deposits) to their depositors by 5:00 PM at the RDFI’s local time. The Rule enables the option for same day ACH payments through additional ACH Network functionality, without affecting previously available ACH schedules and capabilities.

Originating Depository Financial Institutions (ODFIs) are able to submit files of same day ACH payments through two additional clearing windows provided by the ACH Operators (Note: The actual ACH Operator schedules are not determined by the NACHA Operating Rules.):

  • A morning submission deadline at 10:30 AM ET, with settlement occurring at 1:00 PM
  • An afternoon submission deadline at 2:45 PM ET, with settlement occurring at 5:00 PM

Virtually all types of ACH payments, including both credits and debits, are eligible for same-day processing. Only international transactions (IATs) and high-value transactions above $25,000 are not eligible. Eligible transactions account for approximately 99% of current ACH Network volume. All RDFIs are required to receive same day ACH payments, thereby giving ODFIs and Originators the certainty of being able to send same-day ACH payments to accounts at all RDFIs. The Rule is based on a solid foundation of economic research on the use cases for Same Day ACH. All consumers, businesses, government entities and financial institutions that use the ACH Network to move money between bank accounts will benefit from the option to move ACH payments faster. NACHA projects that ACH Originators would generate approximately 1.4 billion same-day ACH payments annually as of ten years after full implementation and rollout, primarily for transactions that can be initiated before 2:45 PM ET on business days (not on weekends or holidays), and that do not require real-time functionality.

Using an expert, third-party economist, NACHA assessed 10 primary use cases for Same Day ACH. Significant use cases for Same Day ACH include:

  1. Same-day payrolls, supporting businesses’ needs to pay hourly workers, and providing flexibility for late and emergency payrolls and missed deadlines; and enabling employees to have faster access to their pay in these cases;
  2. Business-to-Business payments, enabling faster settlement of invoice payments between trading partners, and including remittance information with the payments;
  3. Expedited bill payments using both ACH credits and debits, enabling consumers to make on-time bill payments on due dates, and providing faster crediting for late payments; and,
  4. Account-to-account transfers, providing faster crediting for consumers who move money among various accounts they own.

Learn more about Same Day ACH with NACHA’s Resource Center and click here for access to the Association’s summary of recent NACHA rules changes.

Click here for a schematic to help you understand and prepare for Same Day ACH – Phase 3.

For questions, contact NJCUL’s Nicola Foggie at nfoggie@njcul.org or call 800-792-8861, Option 1.

 

Compliance & Regulatory
Warning! Card Skimmers in NJ on the Rise: How to Spot Them, What to Do
By: Nicola Foggie, NJCUL Vice President, Compliance and Regulatory Affairs


This week, a credit union leader made NJCUL aware of a skimmer placed on a Wawa automated teller machine (ATM) located in the southern New Jersey town of Woodbury Heights. Thousands of dollars were skimmed from the victim’s account virtually overnight.

Card Skimming is a method used by criminals to capture data from the magnetic stripe on the back of an ATM card. Devices used are smaller than a deck of cards and are often fastened in close proximity to, or over the top of, the ATM's factory-installed card reader, and they are popping up everywhere, including across the state of New Jersey. According to a recent article posted by BankinfoSecurity, despite the recent bust of an alleged skimming ring in Massachusetts, ATM fraud is on the rise and shows no sign of abating.

One industry expert has a list of incident response tips (provided below) for financial institutions that want to fight back against ATM skimming attacks. Mike Urban, Senior Director of Fraud Solutions at FICO, says all types of ATMs—and even pay-at-the-pump gasoline stations—are under attack. According to BankinfoSecurity, in the last month, several skimmers have been found at gas stations around the nation, where the tech-savvy fraudsters are placing readers to capture the PIN and the card number before the PIN is encrypted. "I predict we're going to see more of those," Urban says. "They are targeting the weakness of the mag stripe, and that will be something we have to live with until a better solution is developed."

The current trend began slowly, says Urban. Several years ago, the targets were primarily off-premise ATMs. Criminals could buy ATMs, place skimming devices in them, and collect card and pin information. Urban warns that criminals have begun focusing on financial institutions' ATMs once the encrypting PIN pad and other advancements in technology changed how PINs were protected.

Keep in mind:

  • Criminals placing skimming devices will target an attack for a day, a weekend, or a short period of time.
  • They usually move on to attack other ATMs of the same make/model that fit the look of the skimming device.
  • Today's devices are much more sophisticated than previous skimming devices.

"They also use the same paint coatings, so they are getting access to that information somewhere—those compounds that generally aren't available at a local hardware store," says Urban. "You can't go in and order ATM gunmetal grey paint. There is a real industry around the creation of these ATM skimming devices."

The Challenge for Credit Unions
Many financial institutions, including credit unions, have not invested in real-time fraud monitoring of PIN-based transactions, Urban says, because traditionally risk has been lower. His advice: Institutions need to take a hard look at where they're going to spend monitoring money. "By now I mean getting ahead of the curve before the fraud starts to happen, and get PIN-based card transaction monitoring in place."

Technology advancement won't stop a determined criminal. It is a cat and mouse game, and from what Urban sees with increased skimming in the UK and Canada, "We're going to see significant increases in skimming."

Below are a few steps, suggested by Urban, that you can take now to help your credit union move toward combatting card skimming fraud. The League is also hosting a Cyber Security Roundtable on March 21 with FBI Supervisory Special Agent Brett Yeager, who will discuss current and emerging cyber threats as well as security controls that can be used to protect your critical systems. Register here.

Action Items for Credit Unions:

  • Have a Plan — For what you do if you find a skimming device on one of your ATMs.
  • Document the Plan — List everything that should happen, people to be contacted, actions to be taken.
  • Educate Your Branch Employees — If a device is found, all employees should know what to do and what not to do. Educate branch employees and third-party vendors, as well as ATM servicers. Make sure they are monitoring the outside of the ATMs for residue or for devices attached to the ATM.
  • Inspect All Locations — Frequently check the fascia and surroundings of the ATMs, making sure nothing has been added or moved.
  • Set ATM Standards — Including visual standards for all ATMs in all branches. Keep it standard. Take a photograph of each ATM, inside and outside. Show employees what it should look like, so ATMs can be quickly examined to see what may be out of place.
  • Don't Touch Skimmer If Found — Contact law enforcement if a device is found on the ATM. Tell employees to not touch it or pick it up or pull it off the ATM. Secure the area with bank robbery tape until law enforcement arrives.
  • Be Vigilant At All Times — Increase your checks on ATMs, especially if you've heard of ATM skimming in your area. If there are reports of ATM skimming, increase the number of checks. Even if there are no reports, have employees check ATMs in off-hours and over weekends, which are prime times for skimmers to be put on ATMs.
  • Contact Other Institutions — Share information with local and regional institutions about what's happening at your branches and make sure they share information with your institution.

For more information on card skimming awareness, contact NJCUL’s Nicola Foggie at nfoggie@njcul.org.

Source: www.bankinfosecurity.com

Compliance & Regulatory
Supervisory Committee Members: The Forgotten Volunteers
By: Nicola Foggie, NJCUL Vice President, Compliance and Regulatory Affairs

Where you find education and training for credit union volunteers (which is not defined solely as board directors…there are also supervisory committee, asset-liability committee, and credit committee members, etc.) there is usually no lack of options and opportunities. Normally, you will find a list of the usual suspects in the form of topics, but if you look closely at the descriptions, you’ll see that they are generally not as all-encompassing as the word “volunteer” is supposed to imply. Those opportunities appear primarily designed for board directors, not supervisory committee members. While it is clear that board directors deserve and need appropriate education and training as well, typically when a credit union budgets for volunteers to attend conferences and training, they do so with the board directors in mind, so I can see why those industry entities that host and provide training at the volunteer level cater to this specific group. 

We know that typically these events are marketed as if they cater to ALL volunteers, but we often see only a lone breakout session or two for the supervisory committee attendees. My point is that board directors and supervisory committee members have very different and distinct roles. Directors are charged with governance and strategic planning, while the supervisory committee members are the “police” or faithful “watchdog” of the credit union, almost the “conscience” of the credit union, responsible for setting the annual audit schedule, reviewing regulatory and external audits of the credit union, and quality control. The fact is that the supervisory committee plays a hefty role in ensuring the credit union stays on track and in staying current on the board’s activities and decisions to ensure it is fulfilling its responsibilities to the credit union and its members.

In the past, the duties of the supervisory committee of most credit unions were not vast or complicated. That has slowly changed over the past decade. In recent years, internal and external pressures from the financial and regulatory industries have caused the pace to pick up dramatically. Today, credit unions of all asset sizes are faced with an environment fraught with internal, as well as external threats, including cyber threats, data breaches, internal fraud, third-party partner mishaps, etc. Someone has to be minding the store. But, you can only do that if you know what you are looking out for. Credit unions have little regulatory help on that point as they are empowered to engage consultants and third-party partners to help them accomplish the supervisory committee’s duties and responsibilities.

Bottom line, I only wish to point out that the role of the supervisory committee is a very important one, and we should not underestimate their service as volunteers in this movement. That being said, a credit union’s successful strategic plan and budget will include planning and providing for appropriate education and training for supervisory committee members, specific to the committee’s duties and responsibilities to the credit union. Finding the right sources for education, conferences, and training starts with finding the right partners. Look for partners that will help your credit union’s supervisory committee keep up with the latest trends and best practices, and provide them with industry insights, modern solutions and proven strategies they can use to help their credit union optimize its performance and better prepare to serve its members.

Click here to sign up to receive timely information about NJCUL’s supervisory committee support, compliance, and audit solutions.

Compliance & Regulatory
Does Your Credit Union Have a Robust Disaster Recovery Strategy?
By: Nicola Foggie, NJCUL Vice President, Compliance and Regulatory Affairs

Are you ready for an unexpected event? A large-scale natural disaster like a hurricane, earthquake or flood may lead to hardware failure, network outage or a total shutdown of credit union facilities. Even a small-scale event could shut down a credit union for hours and shake members’ confidence in you. Recent natural disasters have illustrated the importance of effective contingency planning to ensure that all credit unions are able to fulfill their missions and obligations to their members during natural disasters or other disruptions in their operations. Effective business continuity planning and disaster recovery practices were discussed Thursday during a free compliance webinar, “Credit Union Disaster Preparedness and Business Continuity”, offered by the New Jersey Credit Union League. Those at a credit union who should be addressing the disaster recovery and business continuity strategy and plan include board directors, senior management, and those responsible for execution. The speaker, Nicola Foggie, VP of Compliance and Regulatory Affairs with NJCUL, provided a high-level overview of effective continuity planning and practices for credit unions, including answering questions and addressing necessary actions like:

  • Why have a plan?
  • Objectives of a plan?
  • Key components of a plan
  • How to customize your plan
  • Steps for Recovery

Working through creating and updating plans, as well as ongoing work with the right business continuity and disaster recovery standards, can have the side benefit of getting your organization on the path to continued compliance. A well-planned and regularly tested business continuity and disaster recovery strategy often goes way beyond the typical DR plan, which is usually put together by an internal team, then put away in a drawer and maybe revisited once a year. Sometimes a plan is not looked at until an actual disaster or significant disruptive event occurs. There is only one thing worse than not having a well-thought-out Disaster Preparedness & Business Continuity Plan, and that’s having an outdated, ineffective one.

Click here to check out NJCUL Business Continuity and Disaster Planning resources and information.

Compliance & Regulatory
Not Again?! Merging the TCCUSF and NCUSIF…a Good Idea, But Not at Credit Union Members’ Expense
By: David Frankil, NJCUL President/CEO

What is the difference between May, 2009 and September, 2017?

In 2009, the markets were plunging, the economy was in crisis, the Corporate system was failing – and credit unions across the country were asked to make "temporary" contributions to stabilize the entire system.

In 2017, the economy is stable and growing (albeit more slowly than desired), there is no systemic crisis in the credit union system – and NCUA is trying to convert those "temporary" contributions into permanent contributions.

Something is wrong with this picture.

The NCUA Board is seeking comment on a proposed plan to close the Temporary Corporate Credit Union Stabilization Fund (TCCUSF) and to concurrently raise the equity ratio of the National Credit Union Share Insurance Fund (NCUSIF) Normal Operating Level (NOL) from 1.30 percent to 1.39 percent of insured shares, with planned Equity Distributions.

This seemingly innocuous change in an obscure operating ratio would allow NCUA to retain a significant percentage of the “temporary” stabilization fees that credit unions paid into the Fund. Although the NCUA estimates that credit unions will receive an NCUSIF distribution (dividend payment) between $600 million and $800 million for 2018, the increased operating ratio would mean that NCUA would retain as much as $1 billion by some estimates. Some New Jersey credit unions have reported that their equity distributions would be reduced by more than 50%.

NCUA is justifying this capital grab under the guise of “risk management.” Currently, NCUA’s process is that the money in excess of the 1.30% equity ratio the regulator uses as its NCUSIF NOL must be paid back to credit unions in the form of a dividend. NCUA is proposing to raise that ratio to 1.39%, to hold back $1 billion in case the original assets of the TCCUSF (which would now be a liability of the NCUSIF due to the merger) do not perform as expected.

On the surface this may seem reasonable, until you look at the Board’s justification for the increase, which is based on the same selective modeling that resulted in billions of excess reserves, unnecessary premiums, and overestimates of losses on legacy assets over the past seven years. 

Let’s think about this. Given the restructured corporate system that exists today, much of "yesterday's" risk has been eliminated. If a comparatively larger rebate is made to credit unions and their members by NCUA today, and it ends up being premature, the fund can always be recapitalized at a later date. In the interim, absent a crisis, I would suggest that credit unions could do a much better job of managing those assets for themselves than will the regulator.

We can expect that the closure of the TCCUSF will reduce expenses, add sorely needed transparency by simplifying the NCUA’s reporting, and so, in general, it’s a good idea. It should also enable the NCUA to tie financial results of the NCUSIF to real-world credit union events rather than its current practice involving projecting long-term scenarios to justify current expenditures — scenarios that often don’t hold up over time. Credit union members are the ones that send one cent of every insured share to fund the NCUSIF. NCUA is the “steward” for those interests and credit unions have a responsibility to speak up on behalf of their members’ interests.

The current plan to close the TCCUSF is long overdue and the NCUA board should be commended for doing so, but I think the action steps are based on past intricate models that have been shown over the past half dozen years to underestimate the value of the assets taken and overestimate the losses. By closing the TCCUSF and transferring those funds to NCUSIF, the equity ratio of the NCUSIF could be as high as 1.47%.

CUNA and NJCUL have argued the NCUA’s proposed increase in the NOL (to 1.39%) is absolutely unnecessary and are urging the agency to increase it to no more than 1.34%, temporarily, to offset the risk of underlying legacy assets, if at all. We make it clear that we expect the NCUA to publicly reaffirm the 1.30% NOL as an appropriate upper bound for the NCUSIF’s capital level (given favorable historical performance) and we ask that the agency specifically document plans for the orderly and expeditious return of the NOL from 1.34% to 1.30%.

The challenge to credit unions today is to take action on your and your members’ behalf by responding to the NCUA Board’s request for comments. Merging the TCCUSF and NCUSIF will place a spotlight on NCUA’s management of future corporate resolution transactions and end a stabilization work out that has now gone on for nearly nine years.

Make your voice heard! Click here for NJCUL’s Stabilization Fund Resources, access to PowerComment and a Comment Letter Template. Comments are due by September 5.


Compliance & Regulatory
Calling All Policy Wonks
By: Nicola L. Foggie, CUCE, BSACS, NJCUL Vice President, Compliance & Regulatory Affairs

My name is Nicola, and I’m a policy wonk (and proud of it!)

That’s true for the rest of the NJCUL compliance team too – Donna, Sabrina, and Evelyn. But there is a very good reason why we wear the policy wonk label as a badge of honor – it is a core part of the value we provide to NJCUL members, with free use of CUPolicyPro.

Compliance & Regulatory
Changes to the HMDA Act: What Do You Need to Know?
By: Nicola L. Foggie, CUCE, BSACS, NJCUL Vice President, Compliance & Regulatory Affairs

The Home Mortgage Disclosure Act (HMDA) has undergone several changes since it was first enacted in 1975. The most recent changes, which went into effect on October 15, 2015, are just the beginning of reporting modifications set to roll out in the coming years.

What are the changes and what does your financial institution need to do to prepare?

Compliance & Regulatory
Would You Want to Live in a Risk-Free Society?
By: David Frankil, NJCUL President/CEO

Think about it – there is literally no human activity that occurs without some degree of risk.  Walking on the street, riding a bike, driving a car, flying in an airplane, even getting a meal in a restaurant all pose some degree of risk. 

The question we face as individuals is the same we face as leaders of financial institutions – how much risk are we willing to accept, and how do we manage it.  But to re-state the obvious, without risk, there is no return....

Compliance & Regulatory
Court Dismisses Bankers’ Frivolous MBL Lawsuit
By: Nicola Foggie, NJCUL Vice President, Compliance and Regulatory Affairs

Yesterday, the NCUA and credit unions won a huge victory! U.S. District Court Judge James Cacheris dismissed a lawsuit brought this past September by the Independent Community Bankers of America (ICBA) against the National Credit Union Administration (NCUA). The bankers’ suit against the agency challenged NCUA’s 2016 member business lending rule (MBL). The American Bankers Association supported the ICBA litigation that challenged the MBL rule and amendments that changed the statutory MBL cap, including making it easier to exclude nonmember loans from the cap calculation. According to the court’s opinion, the lawsuit was dismissed based on ICBA’s lack of standing and timeliness. In his opinion, Judge Cacheris stated that even if the ICBA had established standing and timeliness, the court still would have found that the rules satisfied the requirements established by the Administrative Procedures Act and existing case law.

Compliance & Regulatory
Did You Know that NJCUL was Founded in 77 BC?
By: David Frankil, NJCUL President/CEO

That would be “Before CFPB.”

And odds are that your credit union was also born in the BC era.

Few new financial services regulatory agencies have had the fast start and wide-ranging impact of the Consumer Financial Protection Bureau (CFPB). For anyone charged with tracking and complying with their rules, the last five years probably seem like dog years.

This all came to mind this week with the Wells Fargo debacle, and the role that the CFPB played in bringing those practices to light and to an end. The CFPB vision and values statements provide the foundation upon which they acted – but what is most interesting is how consistent they are with what you’d see at a credit union:

Compliance & Regulatory