Print View

FFIEC Cloud Computing FAQs
In July 2012 the Federal Financial Institutions Examination Council (FFIEC) issued a statement on Outsourced Cloud Computing. The statement discusses key risk considerations associated with using third-party vendors to implement cloud computing solutions. The guidance from the FFIEC cautions credit unions to undertake a thorough due diligence and risk assessment process for outsourced cloud computing arrangements. It is important for credit unions who are considering storing information on a cloud to understand the possible risks that are associated with this type of information technology.

To help your credit union remain in compliance, the FFIEC Cloud Computing FAQs topic on the Security channel of InfoSight provides answers to these questions:

  • Why should we follow the guidance of the FFIEC?
  • What is cloud computing?
  • Why would a credit union want to consider cloud computing?
  • What services are currently offered through a cloud and how am I exposed to them?
  • Should my credit union be concerned with the safety of data stored on a cloud?
  • Does the FFIEC guidance help credit unions understand what due diligence issues we may face with cloud computing providers?
  • Is the cloud service provider responsible for changes in regulatory requirements?
  • How would a credit union monitor cloud computing activity?
  • What legal considerations should we review before enter into a contract for cloud computing services?
  • Will the credit unions current policies and procedures be adequate if we want to join a cloud?
  • How will cloud computing affect business continuity planning?

Review the information today to help your credit union remain in compliance

2014 InfoSight Users' Survey Reminder

Your opinion counts, over 100 have responded, so please take a few minutes to answer our annual users' survey - and help us understand:

  • How you use InfoSight
  • What you like about it
  • What you think could be improved

Past responses have been used to help guide discussions about enhancing InfoSight - and we have implemented some of the changes suggested through the survey.

The survey will be available from now through September 1st.

Click here for the survey or copy and paste the following Web address into your browser:

We look forward to reading your responses!


Internal CFPB report finds workplace challenges
Consumer Financial Protection (CFPB) internal report outlines employee concerns ranging from a perceived lack of diversity and a lack of clarity around processes, according to Politico (Aug. 12)

The CFPB's Office of Minority and Women Inclusion prepared the report, which is based on 48 listening sessions conducted by the bureau between April and June.

The report "frequently mentioned frustrations with insufficiency in infrastructure, lack of transparency and communication, and perceived unfairness in application of practices and procedures which permeated throughout the various areas of concern they mentioned," according to Politico.

According to an Aug. 12 Reuters article, the report also found that staff believed their supervisors micro-managed projects, were unclear about priorities, lacked uniform standards for employee performance and had misunderstandings concerning the bureau's hiring, promotion and pay practices, which contributed to the impression those decisions were unfair.

The CFPB announced in May it would remove its performance system after lower scores and bonuses were given to older employees and minorities, an action that led to the series of listening sessions.

According to Reuters , the report said the bureau's rapid expansion and pressure to churn out rules "fostered a culture of aggressiveness and a pace that could not be sustained long-term."

The report recommends additional internal communications mechanisms, additional training and creation of a forum to assess workplace trends.

CFPB Director Richard Cordray said he "embraces the recommendations" made in the report, and would work to ensure they are implemented, according to Politico.

Reuters article

Source: CUNA News Now

EMV task force update: 575M chip cards issued by 2015
A group of electronic payment industry organizations have predicted more than 575 million chip-enabled credit and debit cards will be issued by the end of 2015.

The Payments Security Task Force (PST), made up of more than a dozen companies and organizations including the Credit Union National Association, announced this forecast Wednesday.

"The shift to EMV cards clearly has big momentum now within the financial community," said Eric Richard, CUNA general counsel/executive vice president for regulatory affairs. "There is still an issue about whether the merchant community will be prepared to facilitate the change on a full and timely basis. And both sides will need to continue working on other security strategies to counteract the growing problem of data breaches."

Nine of the country's largest payment card issuers who participate in the task force developed the current forecast. The PST is focused on continuing the momentum of payment cards with Europay- MasterCard-Visa (EMV) technology.

EMV is a global standard that uses chips embedded within the card to authenticate purchases, similar to the current magnetic strip on payment cards. EMV cards are considered more secure against fraud with authentication provided by the use of a PIN and cryptographic algorithms.

In October 2015, parties that deploy EMV cards will be protected from financial liability from card-present counterfeit fraud losses.

The task force plans to update the issuer forecast regularly and expand it to include acquirer and merchant perspectives on EMV chip terminalization. Javelin Strategy and Research estimates that 52% of point-of-sale terminals will be EMV-enabled by the end of 2015.

Priorities include identifying a long-term roadmap to deliver a consistent level of security for payments in the digital and physical environments.

Source: CUNA News Now

Credit Unions Lag as EMV Chip Deadline Slowly Approaches
By David Morrison

As the October 2015 implementation deadline approaches, some leaders who helped credit unions launch EMV chip-equipped payment cards estimated that fewer than 50% of card-issuing cooperatives would have both EMV-equipped credit and debit cards ready in time.

Oct. 15 next year marks the point when the cards’ brands have said liability for fraud losses will shift to the party that has not put EMV cards in place. This means that the party, either the issuer or merchant, that does not support EMV assumes liability for counterfeit card transactions, possibly costing or saving credit unions significant amounts of money.

“Credit unions are definitely gearing up and picking up the pace,” said Barney Moore, manager of card consulting services for Card Services for Credit Unions, the association of credit unions that use the services of payment processor FIS. “But it seems unlikely that they will have gotten it done by next October.”

Moore cited concerns about the costs of issuing the chip-enabled cards among credit unions, as well as delays in ironing out technical details with EMV-equipped debit cards. Another hurdle includes bottlenecks among plastic card suppliers, he added.

“We are urging credit unions that might not be ready to pull the trigger to at least get the project started and get into a queue for a chance to get EMV cards,” Moore advised.

He also said the costs of EMV-embedded cards were running double or more than double the costs of payment cards with only a magnetic stripe. The costs are higher for cards with contactless technology included on their chips.

Roughly 2% of CSCU's 2,600 member credit unions had either completed their switch over to EMV credit cards or were well along in the process, Moore said.

Some executives with other card processing CUSOs reported a larger percentage of their member credit unions have progressed toward issuing EMV-equipped credit cards. However, those organizations also work with fewer institutions.

CO-OP Financial Services, the Rancho Cucamonga, Calif.-based payments network CUSO, did not say what percentage of its 3,500 client credit unions use its debit processing services. However, Michelle Thornton, manager for core products, said the pace has been picking up since the technical challenges have been worked out.

While the path to issuing EMV-enabled credit cards has been straightforward, Thornton explained, issuing EMV-enabled debit cards has been complicated because the industry has had to program debit EMV chips to include the Durbin amendment's transaction routing requirements.

Developing programs to meet those requirements slowed progress on issuing EMV-enabled debit cards, Thornton said. However, adoption has begun to move more quickly now that there are common application identifiers in place for Visa and MasterCard that allow the cards to meet the Durbin regulation requirements.

Still, she estimated some credit unions will not roll out debit cards by October 2015, preferring to move into this space more slowly and to see how the market develops.

Brandon Kuehl, senior product manager for payments processor The Members Group in Des Moines, Iowa, also declined to say how many credit unions process card payments with the CUSO, but said that 50% of its clients were already issuing EMV-enabled credit cards. The other 50% are on track to have them issued by next year's deadline, he said.

Kuehl attributed the relatively rapid adoption to a streamlined process First Data put into place that took many of the complications out of the decision making process on EMV. Card processor First Data developed the approach in conjunction with PSCU, which processes transactions on its platform. TMG also processes on the First Data platform.

Kuehl said TMG was surprised to see how many of its credit unions had opted to issue cards with both the EMV chips and contactless technology. Seventy-five percent of them that issued cards or were close to doing so had decided for the so-called dual interface.

Cards with both the EMV chips and contactless technology are significantly more expensive, sometimes as much as a dollar more, than cards with only the EMV chip, according to some experts. But these cards will also be well-positioned if contactless point of sale terminals become more common, Kuehl said.

Jon Sarvis, CEO of TMG Financial Services, TMG's agent issuing subsidiary, said most of the CUSO's 100,000-account portfolio will have EMV cards on the way if not actually in hand in time for October.

The CUSO is expected to roll out the EMV cards first to credit union members who travel or work overseas and then to credit unions located in geographic areas with the highest incidence of fraud, Sarvis said.

“Mostly, that means credit unions on the coasts will get the cards first, since their fraud incidence tends to be higher,” Sarvis explained. “Credit unions in the Midwest will likely get them second.”

Arthur Harper, director of card payment solutions at PSCU, was the one executive to report that all 500 of the CUSO's credit issuing credit unions would have EMV credit cards issued in time for the October 2015 deadline, though he acknowledged only 5% had already issued EMV-equipped cards.

Harper noted that a large amount of work remained to issue EMV debit cards due to the technical problems that programmers had to work out. He steadfastly predicted that PSCU credit unions would have their debit cards ready on time as well, but acknowledged there may be a traffic jam trying to get so many credit unions certified for EMV debit in the days leading up to the deadline.

“Despite the delay, I think getting debit cards to EMV is more important than credit,” Harper said. “Debit cards are used much more often and therefore, have a much higher incidence of fraud.”

None of the processing executives CU Times spoke to reported large numbers of credit unions transitioning to EMV-equipped cards en masse. Instead, almost all were moving toward a staged rollout that targets overseas travelling or working members first, then planned to issue the rest as part of the natural expiration and reissue process.

Source: CU Times August 20, 2014 issue

BSA/AML compliance needs to be part of CU culture: FinCEN

Recent anti-money laundering (AML) enforcement actions have led the U.S. Treasury's Financial Crimes Enforcement Network (FinCEN) this week to issue an advisory identifying common compliance shortcomings.

The advisory is meant to highlight principles that can strengthen a financial institution's Bank Secrecy Act (BSA) compliance program.

The advisory lays out the following guidance for financial institutions:

  • Leadership, including board of directors, senior and executive management, owners and operators, should be engaged with the financial institution's BSA/AML compliance program. Leaders should receive training tailored to their roles and should remain informed of BSA/AML compliance practices within the institution;
  • Compliance, including submission of appropriate and accurate reports, should not be compromised by revenue interests. BSA/AML compliance should function independently within a financial institution, in order to be prepared to take action to address and mitigate risks from the business side of the institution;
  • BSA/AML compliance staff should have access to all relevant information. According to FinCEN, several recent enforcement actions noted that compliance staff was not given information, possibly due to the lack of an information-sharing mechanism. Fraud prevention and legal departments should be sharing information with compliance staff;
  • Adequate human and technological resources should always be accessible. An individual should be designated as the person responsible for coordinating and monitoring day-to-day compliance, and appropriate support staff should be assigned to a BSA/AML compliance program based on an organization's risk profile;
  • Compliance programs should be commensurate with an institution's risk level, and should always include a proper ongoing risk assessment, sound risk-based customer due diligence and appropriate detection and reporting of suspicious activity. This should also include independent program testing from an independent, qualified, unbiased and non-conflicting entity; and
  • Staff at all levels should understand the purpose of BSA reports. FinCEN considers the information provided among the most important information available for law enforcement and other security entities. Information provided can help initiate investigations, expand existing investigations, promote international information exchange and identify significant relationships, trends and patterns.

FinCEN Advisory to U.S. Financial Institutions on Promoting a Culture of Compliance (PDF)

CUNA Bank Secrecy Act Conference

Source: CUNA News Now

CFPB slaps $19.3M penalty on Amerisave for mortgage tactics

The Consumer Financial Protection Bureau (CFPB) has ordered Atlanta-based online mortgage lender Amerisave Mortgage Corp. and its affiliate to pay $19.3 million for "deceptive bait-and-switch" lending practices.

Amerisave and Novo Appraisal Management Co. will pay $14.8 million to affected consumers and a $4.5 million penalty. The companies' owner, Patrick Markert, was fined an additional $1.5 million. Fines will go to the CFPB's Civil Penalty Fund.

"Amerisave lured consumers in with deceptive advertising, trapped them with costly upfront fees, and then illegally overcharged them for services from an undisclosed affiliate," said CFPB Director Richard Cordray. "By the time consumers could have discovered the advertised low rates were too good to be true, they had already committed to pay hundreds of dollars to Amerisave."

Amerisave drew in consumers nationwide with online ads that teased rates that did not match the consumers' credit scores or did not exist. "Through use of these inaccurate rates and terms, Amerisave lured consumers into pursuing a mortgage with the company," the CFPB said, which found this practice deceptive under the Consumer Financial Protection Act and the Mortgage Acts and Practices Rule.

The CFPB also alleged that Amerisave required consumers to schedule appraisals that cost between $375 and $500 before obtaining an official estimate of mortgage costs, in violation of the Truth in Lending Act and the Real Estate Settlement Procedures Act.

The company also referred customers to Novo without disclosing its affiliate relationship with the appraisal company.

The CFPB order also requires Amerisave, Novo and Markert to stop advertising unavailable mortgage rates and stop charging illegal fees.

CFPB-Amerisave consent order (PDF)

Source: CUNA News Now

Would you like your own copy of the InfoSight newsletter? If you'd like to be added to, or removed from, the distribution list, click here




Input Welcome on NCUA’s Asset Securitization and Safe Harbor Proposals

Comment letters for NCUA’s asset securitization and safe harbor proposals are due to the agency by August 25. Because the two proposals are so closely related, CUNA will be sending a combined comment letter.

The asset securitization proposal would expand NCUA’s incidental powers for federal credit unions to allow the private securitization of credit unions loans. This will likely only be attractive to a few credit unions that have sufficient resources to undergo the expense of hiring rating agencies, an investment bank, and counsel. CUNA’s summary of the proposal is available here.

CUNA has identified the following issues but welcomes additional input:

  • NCUA has the authority to make private asset securitization an incidental power for federal credit unions. CUNA encourages NCUA to give credit unions broad authority and limit the rule to requirements for the authorization to securitize, and not place rules on actual securitizations as this could limit credit unions’ ability to securitize loans.
  • The rule needs more flexibility for credit unions to securitize loans that a credit union has not originated.
  • “Origination” should be narrowly defined so that it does not capture entities that are simply conduits for making a loan and have no economic interest in the loan.
  • The proposed safe harbor is necessary to encourage investors to purchase credit union securitized loans.

You can provide feedback by reviewing the information and completing this survey.

HMDA, Fixed-Assets Proposal Now Loaded On PowerComment

CUNA has released the first two comment calls with PowerComment, the new online regulatory advocacy resource. This week, CUNA included proposals on the National Credit Union Administration’s (NCUA) FCU ownership of fixed assets proposal and the Consumer Financial Protection Bureau’s (CFPB) regulation of Home Mortgage Disclosure Act Regulation C.

Comments on these proposals are due to NCUA and the CFPB October 10 and October 22, respectively. Comments are requested to CUNA by October 1 and October 8.

“CUNA also is soliciting comments on five other proposals currently listed on PowerComment. Credit unions have the ability to email regulators directly through PowerComment,” Assistant General Counsel for Special Projects Robin Cook stated.

The site, which is exclusive to CUNA-affiliated credit unions, counts down the number of days left in the comment period, indicates which regulator proposed the regulation, the date the regulation’s was published, and the progress of any letters a credit union has started in the system. PowerComment also includes a discussion board for each rule to give credit union staff the ability to talk about the rules with other credit unions. Users can access PowerComment with their username and password. CUNA and the California and Nevada Credit Union Leagues partnered to develop the tool, which helps users efficiently generate and submit letters to regulatory agencies, including the NCUA and CFPB.

Source: CUNA NewsNow

Regulatory Advocacy Report

The CUNA Regulatory Advocacy Report keeps you on top of the most important changes in Washington for credit unions--and what CUNA is doing to monitor, analyze, and influence government agencies and federal law. You can view the current report and past reports from the archive.


Compliance eNEWSLETTER

August 22, 2014
Vol. 8, Issue 32

Created in partnership with the

Credit Union National Association

Derivatives Authority

The National Credit Union Administration passed a final rule that permits Federal credit unions to engage in limited derivatives activities for the purpose of mitigating interest rate risk. This presentation reviews permissible derivatives and characteristics, limits on derivatives, operational requirements, counterparty and margining requirements, and the procedures a credit union must follow to apply for derivatives authority.

Click here for the video


September, 2014 October, 2014 November, 2014
  • November 2nd, 2014: Daylight Savings Time Ends
  • November 11th, 2014: Veterans' Day - Federal Holiday
  • November 27th, 2014: Thanksgiving Day - Federal Holiday
December, 2014


September 14 – 19
CUNA Regulatory Compliance School, Chicago, IL 

October 19 – 22
CUNA Attorney's Conference, Dana Point, CA

October 26 - 29
CUNA Bank Secrecy Act Conference
, Las Vegas, NV

CUNA Webinars
CUNA offers hundreds of online training events that make it easy for you to learn right at your desk. Whether you are looking for a beginner course or want a comprehensive understanding on a specific topic, CUNA webinars, audio conferences and eSchools have what you need. Click here for updates on compliance, operations, lending topics and more!

Money Mission Demo - Online Financial Literacy Game webinar (09-29-2014)

CUNA Lending Compliance eSchool (09-29-2014)