by Amy Kleinschmit, Chief Compliance Officer
NCUA – Cyber Incident Notification Requirements
As a reminder, September 1 is the effective date of the NCUA’s cyber incident notification rule, which requires a federally insured credit union (FICU) that experiences a reportable cyber incident to report it to the NCUA as soon as possible, and no later than 72 hours after the FICU reasonably believes that it has experienced a reportable cyber incident.
This final rule can be found here.
In anticipation of the effective date, NCUA has issued Letter to Credit Unions 23-CU-07, which summarizes the requirements and provides implementation steps. The letter has several attachments, including a quick reference guide.
With regard to implementation, NCUA recommends that credit unions complete the following steps when implementing the rule.
As previously discussed, these new requirements are found in Part 748, which already covers the requirements for a credit union’s security program, suspicious transactions, catastrophic acts, and Bank Secrecy Act compliance.
As with any rule or regulation, understanding the new vocabulary is key. This final rule includes definitions for “compromise,” “confidentiality,” “cyberattack,” “disruption,” “integrity” and “sensitive information.” However, understanding the scope of this rule starts with what is a “reportable cyber incident.” First, “cyber incident” means an occurrence that actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information on an information system, or actually or imminently jeopardizes, without lawful authority, an information system.
The final rule defines, “reportable cyber incident” to be “any substantial cyber incident that leads to one or more of the following:
With regard to the first provision, the NCUA explains in the preamble of the final rule that “there are many technological reasons why services may not be available at any given time as, for example, computer servers are offline, or systems are being updated. Such events are routine and thus would not be reportable to the NCUA. However, a failed system upgrade or change that results in unplanned widespread user outages for FICU members and employees would be reportable.”
Webinar – NCUA recently held a webinar on these new requirements; the archived recording will be available on demand from NCUA’s Learning Management System. A Learning Management System account is required to view the archived webinar, and the account also provides free access to NCUA’s other training and educational materials.
What follows is a potpourri of existing rules and regulations – nothing new or changed, just reminders of regulatory nuggets to review and make sure everyone is on the same page.
Reg B – Evidence of Joint Application
Remember, the commentary to section 1002.7(d)(1) of Regulation B, which implements the Equal Credit Opportunity Act, requires that “a person's intent to be a joint applicant must be evidenced at the time of application. Signatures on a promissory note may not be used to show intent to apply for joint credit. On the other hand, signatures or initials on a credit application affirming applicants' intent to apply for joint credit may be used to establish intent to apply for joint credit. The method used to establish intent must be distinct from the means used by individuals to affirm the accuracy of information. For example, signatures on a joint financial statement affirming the veracity of information are not sufficient to establish intent to apply for joint credit.” This is also an important reminder that the commentary is as important as the regulation itself: it expands the regulation into additional requirements and interpretations that credit unions must know and follow to be compliant.
Reg E – Cannot Require Automatic Payments
Regulation E, Section 1005.10 covers preauthorized transfers. Subsection (e) directs that, “no financial institution or other person may condition an extension of credit to a consumer on the consumer’s repayment by preauthorized electronic fund transfers, except for credit extended under an overdraft credit plan or extended to maintain a specified minimum balance in the consumer’s account.” Thus, the general rule for loan payments is that creditors may not require repayment of loans by electronic means on a preauthorized, recurring basis. The exception noted above for overdraft means that a financial institution may require the automatic repayment of an overdraft credit plan, other than a covered separate credit feature accessible by a hybrid prepaid-credit card, even if the overdraft extension is charged to an open-end account that may be accessed by the consumer in ways other than by overdrafts. Hybrid prepaid-credit card is defined in Regulation Z, 12 CFR 1026.61.
However, a creditor may offer a program with a reduced annual percentage rate or other cost-related incentive for an automatic repayment feature, provided the program with the automatic payment feature is not the only loan program offered by the creditor for the type of credit involved.
The restriction also extends to employment and government benefits. Reg E goes on to provide that, “no financial institution or other person may require a consumer to establish an account for receipt of electronic fund transfers with a particular institution as a condition of employment or receipt of a government benefit.” An employer (including a financial institution) may not require its employees to receive their salary by direct deposit to any particular institution. An employer may require direct deposit of salary by electronic means if employees are allowed to choose the institution that will receive the direct deposit. Alternatively, an employer may give employees the choice of having their salary deposited at a particular institution (designated by the employer) or receiving their salary by another means, such as by check or cash.
Reg G – Annual Audit Required
The SAFE Mortgage Licensing Act is implemented through Regulation G, and section 1007.104 details what must be in a credit union’s policies and procedures. Remember: a covered financial institution that employs one or more mortgage loan originators must adopt and follow written policies and procedures designed to assure compliance with the SAFE Act. A credit union’s policies and procedures must include independent testing for compliance with this part, to be conducted at least annually by covered financial institution personnel or by an outside party.
Reg V – Periodically Review/Update Policies
Regulation V implements the Fair Credit Reporting Act (FCRA). Section 1022.42 requires that credit unions have policies and procedures concerning the accuracy and integrity of the information they furnish to consumer reporting agencies about consumers. The regulation provides guidance to assist with developing these policies (a model policy is also available in CU PolicyPro).
The regulation also directs that each furnisher must review its policies and procedures required by this section periodically and update them as necessary to ensure their continued effectiveness.
Truth in Savings – Term “CD” Not OK for FCUs
Part 707 of the NCUA rules and regulations implements the Truth in Savings Act of 1991 (TISA) for credit unions. Commentary for section 707.2 discusses the use of synonyms, providing “generally, it is not the purpose of part 707 to prohibit specific descriptive terms for accounts. For example, credit unions can use adjectives and trade names to describe accounts such as “Best Share Draft Account,” or “Ultra Money Market Share Account.” Synonyms for share, share draft, money market share, and term share accounts may be used to describe various types of credit union share and deposit accounts as long as the synonym is accurate and not misleading and, for account disclosures, is used in conjunction with the correct legal term. For example, the following synonyms may be used: i. The term “checking account” may be used to describe share draft accounts. ii. The term “money market account” may be used to describe money market share accounts. iii. The term “savings account” may be used to describe regular share and share accounts. iv. The terms “share certificate,” “certificate account,” or “certificate” may be used to describe share certificates and other dividend-bearing term share accounts.”
However, the regulation directs that “under no circumstances may a credit union describe a share account as a deposit account, or vice versa. For example, the term “certificate of deposit” or “CD” may not be used to describe share certificates and other dividend-bearing term share accounts. Similarly, the terms “time account” (used in Regulation DD, 12 CFR 1030.2(u)) and “time deposit” (used in Federal Reserve Board's Regulation D, 12 CFR 204.2(c)) may not be used to describe term share accounts.”
North Dakota Century Code 6-06-06.1 permits ND state-chartered credit unions to issue “certificates of deposit,” as defined in section 41-03-04. NDCC 6-06-06 provides that a state-chartered credit union has the power to receive the savings of its members either as payment on shares or as deposits, including the right to conduct Christmas clubs, vacation clubs, and other such thrift organizations within its membership. Read together with the Part 707 commentary above, this means a ND state-chartered credit union may use the terms “certificate of deposit” or “CD” only for accounts it actually holds as deposits, and never for share certificates or other dividend-bearing term share accounts.
As always, DakCU members may contact Amy Kleinschmit with any compliance related questions.