NCUA Heightened Risk Alert: Social Engineering and Phishing Attacks
NCUA is warning that the ongoing conflict in Ukraine raises concerns about potential cyberattacks in the United States, including attacks against the financial services sector. All credit unions and vendors, regardless of size, are potential targets for cyberattacks such as social engineering and phishing, and must remain vigilant. Credit unions should report any cyber incidents to the NCUA, your local FBI field office or the Internet Crime Complaint Center, and the Cybersecurity and Infrastructure Security Agency.
This Risk Alert also reminds credit unions of the ongoing threat of social engineering and phishing attacks and reiterates the continued importance of educating your employees and members on how to avoid these threats. You can read the full Risk Alert here.
FinCEN Enforcement Action
The Financial Crimes Enforcement Network (FinCEN) recently announced a $140 million civil money penalty against a bank for willful violations of the Bank Secrecy Act. The Bank that is the subject of this enforcement action provides retail deposit and consumer loan products to approximately 13 million members (customers)—consisting of U.S. military personnel and their families—throughout the United States and at military installations around the world. The Bank did not offer small business or commercial products.
One of the first points FinCEN made is that the Bank had experienced tremendous growth as a financial institution but failed to match that growth with effective AML compliance capabilities.
The enforcement action discusses deficiencies across the Bank’s entire BSA program. Highlights of some points from the enforcement action include:
The Bank’s BSA/AML compliance department was significantly understaffed. As a result, the Bank relied on third-party contractors to augment staffing levels. As the enforcement action states, “In 2018, the Bank conducted an assessment and determined that it needed 178 permanent, full-time positions to fully staff its compliance functions. As of early 2021, the Bank had 62 vacant positions, including the head of the Bank’s Financial Intelligence Unit (FIU). Additionally, USAA FSB supplemented approximately 76% of its compliance staffing needs with third-party contractors. However, the Bank failed to properly train or otherwise ensure these contractors possessed satisfactory qualifications and expertise.”
FinCEN found deficiencies in the Bank’s Customer Due Diligence program, which requires financial institutions to have procedures for understanding the nature and purpose of a customer’s financial relationships in order to develop a customer risk profile. Furthermore, the CDD program must include ongoing monitoring to maintain and update customer information. FinCEN found that the information obtained at account opening was insufficient to assess a customer’s risk and support effective suspicious activity monitoring.
FinCEN found that the Bank failed to file at least 3,873 SARs in a timely and accurate manner. The enforcement action details several examples of activity on which the Bank did not file the necessary SARs.
The Bank knew of significant problems in its AML program and had an opportunity to bring its AML program into compliance with the law under its own terms, but the Bank failed to make adequate progress despite extending its commitment deadline multiple times and receiving repeated warnings over many years.
Homeowner Assistance Fund
The Homeowner Assistance Fund (HAF) was created by the American Rescue Plan Act of 2021. Under the HAF, federal funds were set aside to help American homeowners who have missed mortgage payments, among other homeownership expenses. The money is disbursed by each state’s housing finance agencies.
Educate Struggling Members About the HAF Program. HAF funds must be requested by the borrower, so educating struggling members about their availability is critical. The CFPB has HAF resources for consumers.
CFPB – Targeting Illegal Discrimination
The Consumer Financial Protection Bureau (CFPB) recently announced changes to its supervisory operations to target illegal discrimination, including in situations where fair lending laws may not apply. When it reviews for discriminatory action, the CFPB will look beyond the Equal Credit Opportunity Act (ECOA) and also apply the Consumer Financial Protection Act (CFPA), which prohibits unfair, deceptive and abusive acts and practices (UDAAPs).
As explained in the press release, “the CFPB published an updated exam manual today for evaluating UDAAPs, which notes that discrimination may meet the criteria for “unfairness” by causing substantial harm to consumers that they cannot reasonably avoid, where that harm is not outweighed by countervailing benefits to consumers or competition. Consumers can be harmed by discrimination regardless of whether it is intentional. Discrimination can be unfair in cases where the conduct may also be covered by ECOA, as well as in instances where ECOA does not apply. For example, denying access to a checking account because the individual is of a particular race could be an unfair practice even in those instances where ECOA may not apply.”
While South Dakota credit unions are not under the direct examination authority of the CFPB, it is important to note this updated supervisory guidance. The changes the CFPB is making include examining for discrimination in all consumer finance markets, including credit, servicing, collections, consumer reporting, payments, remittances, and deposits. CFPB examiners will require supervised companies to show their processes for assessing risks and discriminatory outcomes, including documentation of customer demographics and the impact of products and fees on different demographic groups. The CFPB will look at how companies test and monitor their decision-making processes for unfair discrimination, as well as for discrimination under ECOA. The updated UDAAP exam manual can be found here.
CU Policy Pro Updates
The first content update for 2022 is now available for your credit union’s CU Policy Pro manual. A regulatory update relating to NACHA’s Same Day ACH was made to several ACH policies, specifically 2610, 2611 and 2612. A new policy for virtual currency, Policy 2630 – Digital Assets, has been added which reflects NCUA’s Letter to Credit Unions 21-CU-16.
Remember, updates are not automatically made to your credit union’s tailored and adopted policies. You can find a redlined document under “Resources” in CU Policy Pro which tracks the relevant changes. Below is an overview of the changes made.
Policy 1230 – Regulatory Compliance. This policy has been revised to provide more clarity regarding the confidentiality provisions, which only pertain to the internal compliance reviews conducted through the credit union’s compliance management system. Other grammatical changes were also included.
Policy 2190 – Business Continuity Program Policy **POLICY NAME CHANGE** This policy has been revised and re-named to provide a more comprehensive policy for the credit union’s overall business continuity program versus the narrower disaster recovery contingency planning. Note: the changes to this policy were so extensive that we are not providing a redlined version. We recommend adopting this version of the policy in its entirety.
Policy 2191 – Chain of Command. This policy has been revised to provide a more comprehensive policy for the credit union’s overall business continuity program versus the narrower disaster recovery contingency planning.
Policy 2192 – Emergency Powers. Policy 2192 was revised to coincide with the other policies related to business continuity planning.
Policy 2193 – Statement of Decision Criteria **DELETED** This policy is being removed and the content incorporated within Policy 2190 – Business Continuity Program Policy.
Policy 2195 – Pandemic Preparedness and Response. This policy is being updated to coincide with the newly revised Policy 2190 – Business Continuity Program Policy. Duplicative content has been removed and this policy solely focuses on pandemic-related events. Credit unions should consider adopting both policies to have a more comprehensive program in place.
Policies 2610 – ACH Operations; 2611 – ACH Management; 2612 – ACH Audit. These policies are being revised to comply with the NACHA changes effective on March 18, 2022 increasing the Same Day ACH limit to $1 million per transaction (up from $100,000). Additional grammatical changes were also made to the policies.
Policy 2630 – Digital Assets **NEW POLICY** This policy was created to comply with NCUA Letter 21-CU-16 – Relationships with Third Parties that Provide Services Related to Digital Assets, which highlights the existing authority for credit unions to offer digital services to their members, provided certain conditions are met.
Policy 7302 – Appraisal. The Appraisal policy was updated to adjust the threshold amount for higher-priced mortgage loans (HPMLs) that are exempt from the appraisal requirements. This threshold adjusts every year.
Policy 7303 – Real Estate Appraisals: Appendices. The 7303 Appendices have been revised to remove specific regulatory citations, some of which had been amended.
As always, DakCU members may contact Amy Kleinschmit with any compliance-related questions.
The Memo is DakCU's newsletter that keeps