Letters to Credit Unions 19-CU-04 Use of Alternative Data in Credit Underwriting

December 2019

NCUA, FRB, CFPB, FDIC, and the OCC have issued a joint statement on the use of alternative data by financial institutions in determining a borrowers’ creditworthiness. The joint statement focuses on the benefits and risks to financial institutions of using such data and the expectation that financial institutions develop a compliance program for managing the risks of alternative data.

Alternative data “means information not typically found in the consumer’s credit files of the nationwide consumer reporting agencies or customarily provided by consumers as part of applications for credit.”

The joint statement states that alternative data is being used (or considered) for credit underwriting, as well as in fraud detection, marketing, pricing, servicing, and account management. The use of alternative data:

  • may improve the speed, cost and accuracy of credit decisions
  • may help evaluating potential borrowers who may not obtain credit in the mainstream credit system
  • may enable consumers to obtain additional products or more favorable pricing/terms based on enhanced assessments of repayment capacity

Banks and credit unions using alternative data must ensure that usage is consistent with safe and sound operations. Appropriate controls should include a rigorous assessment of the quality and suitability of the data. The appropriateness of the data models should also be evaluated. The federal agencies acknowledge that in some cases the use of alternative data may present no greater risk than the use of traditional data. For example, automating the use of cash flow data to better evaluate borrowers’ ability to repay loans is at it’s a core a longstanding underwriting principle.

The guidance provides several additional resources for managing risks associated with models, including those that may leverage alternative data:

Use of such data may implicate several consumer protection statues and regulations including fair lending laws, prohibitions against unfair, deceptive, or abusive acts or practices, and the Fair Credit Reporting Act. A well-designed compliance management program can help provide the financial institution a thorough analysis of relevant consumer protection laws and regulations to ensure firms understand the opportunities, risks and compliance requirements before using alternative data.

Some alternative data, such as cash flow data, may present lower risks than other data. However, some alternative data may warrant more robust compliance management including appropriate testing, monitoring and controls.

-End-

Summary: Final Rule re: Home Mortgage Disclosures Act’s (HMDA) Temporary Exceptions for Smaller Institutions

12 CFR Part 1003

Consumer Financial Protection Bureau

Prepared by the NASCUS Legislative & Regulatory Division

December 2019

The Consumer Financial Protection Bureau (CFPB) is amending Regulation C to extend the temporary data reporting threshold for open end lines of credit to January 1, 2022.  The Bureau is also incorporating into Regulation C the interpretations and procedures from the interpretive and procedural rule that the Bureau issued on August 31, 2019 and further implementing the Economic Growth, Regulatory Relief and Consumer Protection Act (EGRRCPA).

Most provisions of the final rule become effective on January 1, 2020.  However, amendments to Section 1003 become effective on January 1, 2022.  The final rule can be found here.

Summary

Regulation C, which implements HMDA, includes institutional and transactional coverage thresholds that determine whether financial institutions are required to collect, record and report any HMDA data on closed-end mortgage loans and open-end lines of credit.  Under EGRRCPA, Congress added partial exemptions from HMDA’s requirements that exempt certain insured depository institutions and insured credit unions from reporting some but not all HMDA data for certain transactions.  The final rule incorporates into Regulation C and implements further the EGRRCPA partial exemptions, as well as extending (for two years) a temporary adjustment to Regulation C’s institutional and transactional coverage threshold for open-end lines of credit.

Extension of the Temporary Adjustment to Open-End Coverage Threshold

Under its 2015 HMDA rule, the Bureau established institutional and transactional coverage thresholds in Regulation C that determined whether a financial institution would need to report any data under HMDA.  The 2015 rule set the closed-end reporting threshold to at least 25 loans in each of the two preceding yeas and the open-end threshold to at least 100 open-end lines of credit in each of the two preceding years.  However, before the thresholds under the 2015 rule became effective, the Bureau temporarily increased the open-end reporting threshold to at least 500 open-end lines of credit for two years (calendar years 2018 and 2019).  The Bureau believes that in the interim, extending the current temporary increase in the open-end coverage threshold for an additional two years will allow the Bureau to consider fully the appropriate level for the permanent open-end coverage threshold for data collected beginning January 1, 2022.

The final rule extends to January 1, 2022, the current temporary threshold of at least 500 open-end lines of credit for open-end institutional and transactional coverage.  The Bureau intends to issue a separate final rule to address permanent coverage thresholds for open-end lines of credit and closed end mortgage loans in the future.

 Implementation of Partial Exemptions

 The final rule also implements further the partial exemptions from HMDA’s requirements provided for under the EGRRCPA.  In 2018, the Bureau issued an interpretive and procedural rule to implement and clarify the EGRRCPA amendments to HMDA.  The 2018 HMDA rule clarifies that insured depository institutions and insured credit unions covered by a partial exemption have the option of reporting exempt data fields as long as they report all data fields within any exempt data point for which they report data; clarifies that only loans and lines of credit that are otherwise HMDA reportable count toward the thresholds for the partial exemptions; clarifies which of the data points in Regulation C are covered by the partial exemptions; designates a non-universal loan identifier for partially exempt transactions for institutions that choose not to report a universal loan identifier; and clarifies the exception to the partial exemptions for insured depository institutions with less than satisfactory examination histories under the Community Reinvestment Act (CRA) of 1977.

The final rule incorporates into Regulation C these interpretations and procedures, with minor adjustments, by adding new Section 1003.3(d) relating to the partial exemptions and making various amendments to the data compilation requirements in Section 1003.4.  The final rule further implements the EGRRCPA by addressing certain additional interpretive issues relating to the partial exemptions that the 2018 HMDA rule did not specifically address such as how to determine whether a partial exemption applies to a transaction after a merger or acquisition.

 

 

 

 

 

 

 

NCUA Final IRPS Summary

Interpretive Ruling & Policy Statement 19-1

2nd Chance IRPS

Prepared by NASCUS Legislative & Regulatory Affairs Department

November 2019

 NCUA has finalized its revisions to the agency’s Interpretive Ruling and Policy Statement (IRPS) regarding statutory prohibitions imposed by § 205(d) of the Federal Credit Union Act (FCUA). Section 205(d) prohibits, except with the prior written consent of the Board, any person who has been convicted of any criminal offense involving dishonesty or breach of trust, or who has entered into a pretrial diversion or similar program in connection with a prosecution for such offense, from participating in the affairs of an insured credit union.

The final IRPS 19-1 may be read here.

With publication of final IRPS 19-1, NCUA is rescinding existing IRPS 08-1. The new IRPS is effective January 2, 2020.

Summary

Pursuant to § 205(d)(1) of the FCUA, except with the prior written consent of the Board, a person who has been convicted of any criminal offense involving dishonesty or breach of trust, or has agreed to enter into a pretrial diversion or similar program in connection with a prosecution for such offense may not:

  • Become, or continue as, an institution-affiliated party with respect to any insured credit union; or
  • Otherwise participate, directly or indirectly, in the conduct of the affairs of any insured credit union.

NCUA has chosen to provide greater opportunity for individuals with past indiscretions to participate in the affairs of a federally insured credit union.

Covered Persons

The final IRPS clarifies the that an independent contractor is a covered person if the contractor influences or controls the management or affairs of the credit union. In addition, a person who does not meet the definition of an “institution affiliated party” might also be prohibited by § 205 if he or she is participating in the conduct of the affairs of a credit union. Under the final IRPS, NCUA will continue to define institution affiliated party separately from “participation in the conduct of the affairs of a credit union” and make determinations on a case-by-case basis.

Offenses Covered

In order for an application to be considered by the NCUA Board, the case must be considered final by the procedures of the applicable jurisdiction. All of the sentencing requirements associated with a conviction or conditions imposed by the pretrial diversion or similar program, including, but not limited to, imprisonment, fines, condition of rehabilitation, and probation requirements, must be completed before the Board will deliberate a consent application.

Offenses not Covered

Currently, where the covered offense is considered de minimis, approval is automatically granted, and an application for NCUA’s consent is not required. The final IRPS modifies exceptions for de minimis offenses in two ways:

  • By updating the general criteria for the exception
  • By expanding the scope of the exception to include additional offenses to qualify as de minimis offenses

Currently, a de minimis offense is defined by the following five criteria:

  • there is only one conviction or entry into a pretrial diversion program of record for a covered offense;
  • the offense was punishable by imprisonment for a term of less than one year and/or a fine of less than $1,000, and the punishment imposed by the court did not include incarceration;
  • the conviction or pretrial diversion program was entered at least five years prior to the date an application would otherwise be required;
  • the offense did not involve an insured depository institution or insured credit union;
  • the Board or the FDIC has not previously denied consent under Section 205(d) of the FCU Act or Section 19 of the FDIA

The final Second Chance IRPS updates these by modifying criterion #2 to allow those offenses punishable by imprisonment for a term of one year or less and/or a fine of $2,500 or less, and those offenses punishable by three days or less of jail time, to meet the  de minimis definition.

Expanding the De Minimis Exceptions

The final Second Chance IRPS expands the exception for offenses not requiring submission of an application to NCUA.

  • Age at time of covered offense – A person with a covered conviction or program entry that occurred when the individual was 21 years of age or younger at the time of the conviction or program entry, and who otherwise meets the general de minimis criteria, qualifies for this de minimis exception if:
    • the conviction or program entry was at least 30 months prior to the date an application would otherwise be required; and
    • all sentencing or program requirements have been met prior to the date an application would otherwise be required.
  • Bad checks – A conviction for writing bad checks will be considered de minimis if:
    • there is no other conviction or pretrial diversion program entry subject to Section 205(d)
    • the aggregate total face value of all bad checks $1,000 or less
    • no depository institution or credit union was a payee on any of the bad checks
  • Small-dollar, simple theft – Under the final Second Chance IRPS, a simple theft of goods, services and/or currency (or other monetary instrument) will be considered de minimis where the following conditions are met:
    • the aggregate value of the currency, goods, and/or services taken was $500 or less at the time of conviction or program entry
    • the person has no other conviction or program entry described in Section 205(d)
    • it has been 5 years since the conviction or program entry (or 30 months in the case of a person 21 years or younger at the time of the conviction or program entry)
    • it does not involve a depository institution or credit union

The offenses of burglary, forgery, robbery, identity theft, and fraud are excluded from the simple theft exception.

  • Use of a fake I.D – The use of a fake, false, or altered identification card by a person under the legal age to obtain or purchase alcohol, or to enter a premises where alcohol is served and age appropriate identification is required will be considered de minimis provided there is no other conviction or program entry for the covered offense.
  • Simple misdemeanor drug possession – The IRPS classifies as de minimis those convictions or entries for drug offenses meeting the following conditions:
  • the person has no other conviction/program entry described in § 205(d)
  • the single conviction or program entry for simple possession of a controlled substance was classified as a misdemeanor and did not involve the illegal distribution (including an intent to distribute), sale, trafficking, or manufacture of a controlled substance or other related offense
  • it has been 5 years since the conviction or program entry (or 30 months in the case of a person 21 years or younger at the time of the conviction or program entry).

Convictions or program entries for intent to distribute, illegal distribution, illegal sale or trafficking of a controlled substance, or illegal manufacture of a controlled substance will continue to require an application for the Board’s consent, unless otherwise qualifying as de minimis.

Expunged Convictions

The final IRPS clarifies the circumstances under which a conviction is deemed expunged for purposes of § 205(d). If an order of expungement has been issued in regard to a conviction or program entry and is intended by the language in the order itself, or in the legislative provisions under which the order was issued, to be a complete expungement, then it is considered expunged for the purposed of the final IRPS. If the jurisdiction’s expungement statute or the court allows the use of the conviction or program entry for a subsequent purpose, then the conviction has not been expunged.

Conditional Offers

The final rule allows credit unions to extend a conditional offer of employment contingent on the completion of a satisfactory background check to determine if the applicant is barred by § 205(d). However, the job applicant may not commence work for or be employed by the credit union until the applicant is determined to not be barred under § 205(d) or receives consent from the NCUA Board.

Distinguishing between Sponsored and Individual Applications

The final IRPS clarifies that generally, the insured credit union will file an application for NCUA consent for a § 205(d) applicant. The credit union submits the request to its NCUA Regional Office. Under certain circumstances, an individual may apply to NCUA in their own right for consent. In that case, the individual would submit the application to the NCUA regional Director for the area in which the applicant lives.

Delegation

NCUA is delegating consent authority for § 205(d) applications submitted by credit unions as the sponsor of an individual to the Program Office (Region) for submitting credit union. However, the NCUA Board will retain consent authority for individually filed applications for consent.

In the final IRPS, NCUA has also made changes to the application forms used to submit both sponsored and individual requests for consent.

-End-

Summary: Interpretive Rule re: Truth in Lending (Regulation Z) Screening and Training Requirements for Mortgage Loan Originators with Temporary Authority

12 CFR Part 1026

Consumer Financial Protection Bureau

Prepared by the NASCUS Legislative & Regulatory Division

November 2019

The Consumer Financial Protection Bureau (CFPB) issued an interpretive rule that construes the Bureau’s Regulation Z, which implements the Truth in Lending Act (TILA).  Generally, if a mortgage loan originator organization employs individual loan originators who are not licensed and are not required to be licensed, Regulation Z requires the loan originator organization to screen individuals interested in acting as loan originators, as well as providing certain ongoing training.  However, Regulation Z is ambiguous as to whether these requirements apply to loan originator organizations employing individual loan originators who have temporary authority to originate loans pursuant to the Economic Growth, Regulatory Relief and Consumer Protection Act of 2018 (EGRRCPA) amendments to the SAFE Act.

 

The rule concludes that a loan originator organization is not required to comply with certain screening and training requirements under Regulation Z if the individual loan originator employee is authorized to act as a loan originator pursuant to the temporary authority described in the SAFE Act.

 

The rule can be found hereThe rule became effective on November 24, 2019.

Summary

In 2010, Dodd Frank added Truth in Lending Act (TILA) section 129B(b)(1) that imposed new requirements for loan originators, including a qualifications requirement.  In 2013, the Bureau adopted amendments to Regulation Z that provide for mortgage loan originator requirements under TILA.

In accordance with these changes, Regulation Z requires a loan originator organization that employs an individual loan originator who is not licensed and is not required to by licensed pursuant to the SAFE Act to (i) complete screening of the individual prior to permitting the individual to act as a loan originator on a consumer credit transaction secured by a dwelling and (ii) to provide periodic training.

In addition to these requirements, the Bureau also took into consideration the SAFE Act’s preexisting screening and training requirements for loan originators.  EGRRCPA amended the SAFE Act to permit certain individuals who were previously registered or State-licensed for a certain period of time (in accordance with the SAFE Act) to act as a loan originator in a State, if they have applied for a loan originator license in the State.  These individuals are identified as “loan originators with temporary authority.”

The Bureau notes that the EGRRCPA amendments that provide for the “temporary authority” for certain loan originators is found under a section entitled “Eliminating Barriers to Jobs for Loan Originators.”  Additionally, the Bureau noted that it believes that Congress intended to allow a loan originator that satisfies certain enumerated criteria and who is transitioning to a new State to be able to begin acting as a loan originator in the application State with minimal burden and delay and before the State has completed all of its processes relating to determining whether to grant a State license.

 

 

 

 

 

 

Summary:  Request for Information Regarding the Integrated Mortgage Disclosures under the Real Estate Settlement Procedures Act (Regulation X) and the Truth in Lending Act (Regulation Z) Rule Assessment

12 CFR Part 1024 and 1026

Consumer Financial Protection Bureau

Prepared by the NASCUS Legislative & Regulatory Division

December 2019

The Consumer Financial Protection Bureau (CFPB) is conducting an assessment of its the Integrated Mortgage Disclosures under the Real Estate Settlement Procedures Act (Reg. Z) and the Truth in Lending Act (Regulation Z) otherwise known as the TRID disclosure rule.  The Bureau is requesting public comment on its plans for assessing this rule as well as certain recommendations and information that may be useful in conducting the planned assessment.

The Assessment and Request for Public Comments can be found hereComments are due to the Bureau no later than January 21, 2020.

Summary

 Background

Section 1022 (d) of the Dodd Frank Act requires the Bureau to conduct an assessment of each significant rule or order adopted by the Bureau under Federal consumer financial law.  The Bureau must publish a report of the assessment not later than five years after the effective date of such rule or order.  The assessment must address, among other relevant factors, the rule/order’s effectiveness in meeting the purposes and objectives of Title X of the Dodd Frank Act and the specific goals stated by the Bureau in the rule/order.  The assessment must also reflect available evidence and any data that the Bureau reasonably may collect.  In addition, before publishing a report of its assessment, the Bureau must invite public comment on recommendations for modifying, expanding or eliminating the rule/order.

The Bureau has determined that the TRID rule is a significant rule and will conduct an assessment accordingly.  The Bureau issued the final TILA-RESPA rule in 2013.  However, the bureaus amended the rule twice before its effective date.  The amended rule, which took effect on October 3, 2015 and is known as the TRID rule, will be the subject of this assessment.  The 2015 TRID rule was amended again in 2017 and 2018.  While such amendments are not intended to be the subject of this assessment, the Bureau has noted that it may consider certain amendments to the extent that doing so will facilitate a more meaningful assessment of the TRID rule and the data is available.

Assessments under Dodd Frank are for informational purposes only and are not part of a formal or informal rulemaking process under the Administrative Procedure Act. However, the Bureau does intend to consider relevant comments and other information received as it conducts the assessment and prepares the assessment report.  The Bureau anticipates the assessment report will be issued no later than October 3, 2020.

Assessment Process

As noted earlier, the assessment will examine whether or not the TRID rule has met the purposes and objectives of Title X of the Dodd Frank Act, as well as the specific goals specified within the TRID rule.  The Bureau intends to use a cost-benefit analysis to assess the effectiveness of the TRID rule.  Research questions under the Bureau’s assessment plan seek to quantify the costs/benefits of the TRID rule as implemented with a focus on:

  • Effects on consumers;
  • Effects on firms, particularly creditors, settlement service providers (including title agents), mortgage brokers, consumers and others; and
  • Effects on markets related to mortgage origination.

 Request for Comments

 The Bureau invites the public to submit information and other comments relevant to the issues identified in the Request for Information (RFI), information relevant to enumerating costs and benefits of the TRID rule to inform the assessment’s cost-benefit perspective, and any other information relevant to assessing the effectiveness of the TRID rule in meeting the purposes and objectives of Title X of Dodd Frank and the specific goals of the Bureau.  The Bureau is seeking comment on the following:

  • Comments on the feasibility and effectiveness of the assessment plan, the objectives of the TRID rule the Bureau intends to use in the assessment, and the outcomes, metrics, baselines and analytical methods for assessing the effectiveness of the rule;
  • Data and other factual information that the Bureau may find useful in executing its assessment plan and answering related research questions, particularly research questions that may be difficult to address with the data currently available to the Bureau;
  • Recommendations to improve the assessment plan, as well as data, other factual information and sources of data that would be useful and available to the Bureau to execute any recommended improvements to the assessment plan;
  • Data and other factual information about the benefits and costs of the TRID rule for consumers, creditors, or other stakeholders;
  • Data and other factual information about the effects of the Rule on transparency, efficiency, access and innovation in the mortgage market;
  • Data and other factual information about the Rule’s effectiveness in meeting the purposes and objectives of Title X of the Dodd-Frank Act;
  • Data and other factual information on the disclosure data set specified in the “Assessing Firm Effects” section;
  • Comments on any aspects of the TRID rule that were or are confusing or on which more guidance was or is needed during implementation including whether the issues have been resolved or remain unresolved; and
  • Recommendations for modifying, expanding, or eliminating the TRID rule.

 

 

 

 

NASCUS Summary

Executive Orders

E.O. 13891 Executive Order on Promoting the Rule of Law Through Improved Agency Guidance Documents; and

E.O. 13892 Executive Order on Promoting the Rule of Law Through Transparency and Fairness in Civil Administrative Enforcement and Adjudication

On October 9, 2019, the Trump Administration issued 2 Executive Orders related to guidance issued by Executive Agencies. As an independent agency, NCUA is not subject to the Executive Orders, however NCUA has traditionally adhered to such orders.

  1. O. 13891 Executive Order on Improving the Rule of Law through Improved Agency Guidance Documents

 Executive Order 13891 mandates:

  • Agencies gather all guidance in one place on their websites & review all existing guidance & rescind guidance that should no longer be in effect.
  • Agencies adopt rules for issuing guidance that include with each piece of guidance a statement that the guidance is not binding; and a process for the public to appeal for guidance rescission.
  • Classifies as “significant guidance” any guidance with an impact of $100 million or more on the economy. For significant guidance, mandates public notice and comment with a comment period no less than 30 days. Furthermore, “significant guidance” shall be reviewed by Office of Information and Regulatory Affairs (OIRA) under Executive Order 12866.

The Executive Order also contains numerous exceptions to the requirements that render its ultimate impact questionable. The Executive Order also mirrors a joint statement made by the Federal Banking Agencies in 2018.

 O 13892 Executive Order on Promoting the Rule of Law Through Transparency and Fairness in Civil Administrative Enforcement and Adjudication

 The Executive Order prohibits agencies from using guidance documents to impose new standards or to make a determination that has legal consequences. Furthermore, the Order states that noncompliance with a guidance document alone may not be used as a regulatory violation and an agency may only cite a guidance document in enforcement actions only if it had previously published it.

 

Finally, the Order prohibits an agency from taking any action that has a “legal consequence” before providing the subject an opportunity to be heard regarding the agency’s legal and factual determinations.

 

-End-

NCUA Final Rule Summary

Part 701 and Part 741

Public Unit and Nonmember Shares

Prepared by NASCUS Legislative & Regulatory Affairs Department

November 2019

 NCUA has published a final rule amending its regulations in Part 701.32(b) limiting public unit and non-member deposits in federally insured credit unions (FICUs). These rules apply to federally insured state credit unions (FISCUs) by reference in §741.204.

The final rule:

  • Raises the limit on public unit and non-member shares to 50% of the credit union’s paid-in and unimpaired capital and surplus less any public unit and non-member shares
  • Eliminate the waiver process for deposits in excess of the new limit
  • Require an FICUs to develop and maintain a written plan if its public unit and non-member shares, taken together with borrowings, exceed 70% of paid-in and unimpaired capital and surplus

The final rule may be read here. The final rule is effective January 29, 2020.

NASCUS note:: For FISCUs, NCUA’s rule serves as a limit only on the amount of non-member and public unit deposits that may be held as a share insurance matter. NCUA’s rule does not give FISCUs the authority to hold these accounts. The authority to for a FISCU to hold non-member shares or public unit deposits is a matter of state law.

Summary

Part 701 addresses two distinct issues:

  • Deposits from non-members
  • Deposits from public units, whether members or not

Federal credit unions, and many FISCUs, are authorized to accept deposits from certain non-members. In some cases, they are permitted to accept deposits from public units regardless of whether the public unit is a member of the credit union. In other cases, low income designated credit unions may accept deposits from non-members.

The final rule establishes limits on the amounts of BOTH public deposits and non-member deposits that me be held in a FICU.

Limits on the Amount of Public Deposits and Non-member deposits

NCUA’s limit on public unit deposits does not distinguish between deposits from a public unit that is a member of the credit union or deposits from a non-member public unit.

  • The final rule provides that a FICU may receive public unit and nonmember shares in an amount up to 50% of the FICU’s net amount of paid-in and unimpaired capital and surplus less any public unit and nonmember shares.

Alternative Threshold $3 million

For smaller credit unions, where 50% of paid in capital would not provide sufficient capacity, NCUA has preserved the option for a credit union accept non-member and public deposits up to $3 million if that amount is greater than 50% of the FICU’s net amount of paid-in and unimpaired capital and surplus less any public unit and nonmember shares.

Waivers

NCUA’s final rule eliminates the §701.32(b) waiver provisions that had allowed a credit union to seek a higher limit of non-member and public deposits from the NCUA Regional Director. With the new higher limit, NCUA does not believe there is a need for credit unions to seek a waiver above the 50% threshold.

Plan Regarding Use of Funds

The final rule requires a FICU to develop a plan regarding the intended use of any borrowings, public unit, or nonmember shares that, taken together, exceed 70% of paid-in and unimpaired capital and surplus. Credit unions will not be required to submit plans to NCUA for approval. Rather, NCUA will review plans during the normal course of examination.

 

-End-

NCUA Final Rule

 Part 715 Supervisory Committee Audits and Verifications (By reference in §741.6 and §741.202)

Summary

Prepared by NASCUS Legislative & Regulatory Affairs Department

September 2019

NCUA has published a final rule amending its rules regarding required audits and account verifications for federally insured credit unions. NCUA’s audit rules are found in NCUA’s Rules and Regulations Part 715. For federally insured state credit unions (FISCUs), Part 715 is referenced in Parts 741.6 and 741.202.

NCUA’s final rule:

  • Replaces the existing NCUA Supervisory Committee Guide with an expanded Appendix to § 715;
  • Replaces the references to “federal credit unions” with “federally insured credit union”;
  • Eliminates the specific deadline for the outside audit to be delivered to the credit union;
  • Eliminates the Report on Examination of Internal Controls over Call Reporting [§715.7(b)] and the Balance Sheet Audit option [§715.7(a)] options

 NCUA’s final rule may be read here. The rule will be effective 90 days after publication in the Federal Register.  

 Summary

  • Eliminating 2 alternatives to a financial statement audit

The final rule eliminates 2 options credit unions with less than $500 million in assets could use to meet the audit requirements of § 715. The first alternative allowed qualifying credit unions to obtain a Report on Examination of Internal Controls Over Call Reporting. However, NCUA noted that less than 1% of credit unions availed themselves of this option and therefore have eliminated it to streamline their rules and regulations.

Under the old § 715, credit unions with less than $500 million also had the option of performing a Balance Sheet Audit. NCUA is eliminating this option as well because a Balance Sheet Audit does not cover the credit union’s income statement nor does it reflect the current value of the credit union’s assets.

  • Eliminate the Supervisory Committee Guide

NCUA will replace the Supervisory Committee Guide with an Appendix covering minimum supervisory committee audit requirements or outside auditor requirements when a qualifying credit union chooses an alternative to financial statement audit. The new Appendix will require the following minimum procedures:

  • Review Board of Director minutes to determine whether there are any material changes to the credit union’s activities or condition that are relevant to the areas to be reviewed in the audit
  • Test and confirm material asset and liability accounts including, at a minimum:
  • Loans
  • Cash on deposit
  • Investments
  • Shares
  • Borrowings
  • Test material equity, income, and expense accounts
  • Test for unrecorded liabilities
  • Review key internal controls including, at a minimum:
  • Bank reconciliation procedures
  • Cash controls
  • Dormant account controls
  • Wire and ACH transfer controls
  • Loan approval and disbursement procedures
  • Controls over accounts of employees and officials
  • Other real estate owned
  • Foreclosed and repossessed assets 28
  • Test the mathematical accuracy of the ALLL account and ensure the methodology is properly applied
  • Test loan delinquency and charge-offs

Note: While not expressly included in the new § 715 Appendix, NCUA states in the preamble to the final rule that the “supervisory committee audit must test employee and board compensation when it is a significant component of a FICU’s expenses – as the regulation requires the audit to include a test of “material equity, income, and expense accounts.” See page 13 of NCUA’s Board Action Memorandum on the final rule.

  • Assistance from Outside, Compensated Person

NCUA has eliminated the current regulations requirement that an engagement letter specify a target date of delivery of written audit reports “not to exceed 120 days from the date of calendar or fiscal year-end under audit.” The new rule § 715.9(c)(6) will require that the retention letter with the outside auditor specify the delivery date of written reports so the credit union may meet its annual audit requirement.

 

-End-

NASCUS Summary

Proposed IRPS 19-1

Exceptions to Employment Restrictions Under Section 205(d) of the FCUA (‘‘Second Chance IRPS’’)

Prepared by NASCUS Legislative & Regulatory Affairs Department

September 2019

NCUA is proposing to issue a new Interpretive Ruling and Policy Statement (IRPS 19-1) to replace existing IRPS 08-1 regarding statutory prohibitions imposed by § 205(d) of the Federal Credit Union Act (FCUA) prohibiting individuals who have been convicted of crimes involving dishonesty from participating in the affairs of a federally insured credit union. Specifically, NCUA is proposing to remove from the list of disqualifying offenses:

  • insufficient funds checks of aggregate moderate value
  • small dollar simple theft
  • false identification
  • simple drug possession
  • “isolated minor offenses” committed by covered persons as young adults

The proposed IRPS 19-1 may be read here in its entirety. The proposal applies to both federal credit unions and federally insured state credit unions.

Comments are due to NCUA by September 27, 2019.

Summary

Section 205(d) of the FCUA prohibits a person 1) convicted of any criminal offense involving dishonesty or breach of trust, or 2) who has entered into a pretrial diversion or similar program in connection with a prosecution for such offense, from participating in the conduct of the affairs of an insured credit union without the prior written consent of the NCUA Board. Existing IRPS 08–1 provides direction and guidance to credit unions and the public and establishes procedures for applying to the NCUA Board for written consent on a case-by-case basis.

NCUA notes that recently several cases before the Board involved offenses that while technically minor, did not qualify for the existing de minimis exceptions established in IRPS 08-1. NCUA is also mindful of recent updates to § 19 prohibitions administered by the Federal Deposit Insurance Corporation. As a result, NCUA proposes the following changes to its administration of the FCUA §205 prohibitions.

  • Covered Persons

The FCUA prohibitions apply to “institution affiliated parties” and others “who are participants in the conduct of the affairs of an insured credit union.” The current IRPS considers independent contractors to be “instituted affiliated parties” if “they knowingly or recklessly participate in violations, unsafe or unsound practices or breaches of fiduciary duty which are likely to cause significant loss to, or a significant adverse effect on, an insured credit union.” NCUA believes this definition is confusing.

  • Proposed IRPS 19-1 would clarify that an independent contractor is a covered person if the contractor influences or controls the management or affairs of the credit union.

In addition, a person who does not meet the definition of an “institution affiliated party” might also be prohibited by § 205 if he or she is participating in the conduct of the affairs of a credit union. Currently, the NCUA does not define “participation in the conduct of the affairs of a credit union.” Instead, NCUA analyzes this on a case-by-case basis.

  • Proposed IRPS 19– 1 will maintain NCUA’s current position that cases will be evaluated upon the degree of influence or control over the management or affairs of the credit union exercised by the party in question.
    • Covered Offenses

    Under the proposed IRPS, the underlying case, and any sentencing, must be fully resolved and sentence completed prior to an applicant seeking NCUA Board consent.

    • De minimis Offenses

    The exception for de minimis offenses would be updated and expanded. IRPS 19-1 would continue the current policy that application to NCUA is not required for de minimis offenses.

    Under the current rule a covered offense is considered de minimis if it meets all 5 of the following five criteria:

    (1) single conviction or entry into a pretrial diversion program for a covered offense

    (2) the offense was punishable by imprisonment for a term of < 1 year and/or a fine of < $1,000, & the punishment imposed by the court did not include incarceration

    (3) the conviction/pretrial diversion began at least 5 years prior to application to NCUA (4) the offense did not involve an insured depository institution or insured credit union (5) the Board or any other Federal financial institution regulatory agency has not previously denied consent under Section 205(d) of the FCU Act or Section 19 of the FDIA

    Proposed IRPS 19–1 would modify criterion #2 to allow the following offenses to meet that de minimis criterion:

    • those punishable by imprisonment for a term of one year or less and/or a fine of $2,500 or less
    • those punishable by three days or less of jail time

    The Proposed IRPS would define ‘‘jail time’’ to include any significant restraint on an individual’s freedom of movement, including confinement to a specific facility or building on a continuous basis where the person may leave temporarily only to perform specific functions or during specified time periods or both.

    NCUA is also proposing expanding the scope of the de minimis exception by eliminating the need to apply for certain low-risk, isolated offenses. The following criteria, if met, would qualify for the de minimis exception without having to apply to NCUA:

    • Age-based exception – A person with a covered conviction that occurred when the individual was 21 years of age or younger at the time of conviction and who otherwise meets the de minimis criteria, will qualify for the exception if:
    • The conviction or program entry was entered at least 30 months prior to the date an application would otherwise be required; and
    • all sentencing or program requirements were met prior to the date an application would otherwise be required.
    • Insufficient funds checks – A conviction or pretrial diversion for writing of ‘‘bad’’ check(s) will be considered a de minimis offense and will not be considered as having involved an insured depository institution or insured credit union if:
    • There is no other conviction or pretrial diversion program entry subject to Section 205(d);
    • the aggregate total face value of all ‘‘bad’’ check(s) cited across all the conviction(s) is $1,000 or less; and
    • no insured depository institution or insured credit union was a payee on any of the ‘‘bad’’ checks that were the basis of the conviction(s)
    • Simple theft/petty crime – A conviction for simple theft of goods, services and/or currency (or other monetary instrument) such as shoplifting would be considered de minimis if the following conditions are met:
    • The aggregate value of the currency, goods, and/or services taken was $500 or less at the time of conviction; and
    • the person has no other § 205 conviction;
    • it has been 5 years since the conviction (or 30 months in the case of a person 21 years or younger at the time of the conviction); and
    • it did not involve an insured depository institution or insured credit union

    For purposes of the exception, simple theft does not include the offenses of burglary, forgery, robbery, identity theft, or fraud. These crimes would continue to require an application for the Board’s consent, unless otherwise qualifying as de minimis.

    • Use of a fake ID – The use of a fake, false, or altered identification card by a person under the legal age to obtain or purchase alcohol, or to enter a premises where alcohol is served and age appropriate identification is required, would be considered de minimis, provided there is no other conviction for the offense.
    • Misdemeanor drug possession – Drug related convictions meeting the following conditions would be considered de minimis:
    • The person has no other conviction described in § Section 205(d);
    • the single conviction for simple possession of a controlled substance was classified as a misdemeanor and did not involve the illegal distribution (including an intent to distribute), sale, trafficking, or manufacture of a controlled substance or other related offense; and
    • it has been 5 years since the conviction (or 30 months in the case of a person 21 years or younger at the time of the conviction)

    Convictions for intent to distribute, illegal distribution, illegal sale or trafficking of a controlled substance, or illegal manufacture of a controlled substance would continue to require an application for the Board’s consent, unless otherwise qualifying as de minimis.

    • Fidelity Bond

    Proposed IRPS 19–1 would continue to require that any person who meets the de minimis criteria must be covered by a fidelity bond to the same extent as other employees in a similar position. In addition, that person must disclose the presence of the conviction or pretrial diversion program entry to all insured credit unions or insured depository institutions in the affairs of which he or she intends to participate.

    No conviction or pretrial diversion program entry for a violation of the Title 18 sections set out in 12 U.S.C. 1785(d)(2) can qualify under any of the de minimis exceptions.

    • Expunged convictions

    A conviction that has been ‘‘completely expunged’’ is not considered a conviction of record and will not require an application for the NCUA Board’s consent under Section 205(d). Proposed IRPS 19–1 would clarify that if an order of expungement has been issued in regard to a conviction and is intended by the language in the order itself, or in the legislative provisions under which the order was issued, to be a complete expungement, then the jurisdiction, either in the order or the underlying legislative provisions, cannot allow the conviction or program entry to be used for any subsequent purpose. In addition, the failure to destroy or seal the records would not prevent the expungement from being considered complete for purposes of Section 205(d).

    • Duty Imposed on Credit Unions

    Proposed IRPS 19–1 would clarify that when a credit union learns that a prospective employee has a prior conviction for a de minimis offense, the credit union should document in its files that an application was and that the offense met the criteria for an exception.

    The proposal would also allow for extensions of conditional offers of employment to prospective employees requiring the Board’s consent under Section 205(d). If a conditional offer is extended, however, the job applicant may not commence work for or be employed by the credit union until the applicant is determined to not be barred under Section 205(d) or receives consent from the Board.

    • Procedures for Requesting the Board’s Consent Under § 205(d)

    While proposed IRPS 19–1 would not modify the current procedures for requesting the Board’s consent under Section 205(d), it would distinguish between 1) a credit union-sponsored application filed by the institution on behalf of a covered individual and 2) an individual application filed on a covered person’s own behalf.

    • The application form for requesting NCUA consent would be revised to more clearly distinguish between the two types of applications and the supporting information required for each.
    • Proposed IRPS 19-1 would clarify that the appropriate regional office for submission of a credit union-sponsored application is the program office that oversees the credit union (the credit union’s Regional Office or ONES)

    NCUA also seeks comment on whether delegating responsibility for reviewing certain applications could further streamline the application process and reduce burdens on credit unions and applicants.

     

    -End-

    Final Rule Summary

    Part 713 and Part 704 Fidelity Bond Coverage (741.201)

    Prepared by NASCUS Legislative & Regulatory Affairs Department

    August 2019

     NCUA has finalized amendments to Part 713 and Part 704 regarding fidelity bond coverage for natural person and corporate credit unions. Part 713 applies to federally insured state-chartered credit unions (FISCUs) by reference in Part 741.201.

    The final rule may be read here. The rule is effective October 22, 2019.

    Summary

    The Federal Credit Union Act (FCUA) requires credit unions to maintain fidelity bond coverage for certain employees and officials. NCUA’s Part 713 implements fidelity bond coverage for natural person federal credit unions (FCUs) and federally insured state credit unions (FISCUs) by way of reference in Part 741.201. Part 704 implements fidelity bond coverage for all corporate credit unions (by way of reference in Part 741.206). In general, Parts 713 and 704 establish:

    • Requirements for fidelity bond coverage
    • Acceptable bond forms
    • Minimum permissible coverage
    • Obligation of board of directors to annually review adequacy of the bond coverage
    • Corporate credit union deductible thresholds

    In addition to NCUA’s rules, a 2017 Legal Opinion issued by NCUA’s General Counsel reversed longstanding prohibitions against a credit union purchasing a single bond policy that covered the credit union and its CUSOs.

    NCUA has now issued new final fidelity bond rules for natural person and corporate credit uni0ns. Among the changes discussed in more detail below, NCUA has now extended virtually ALL of Part 713 to FISCUs.

    Part 713.1 What is the scope of this section?

    The final rule added “federally insured credit unions” as the new term for which credit unions are covered by the rule. Previously, the rule only referred directly to FCUs. The new rule also includes references to §741.201 the controlling provision for natural person FISCUs and for §704.18, the corporate credit union provision establishing fidelity bond requirements.

    • 713.2 What are the responsibilities of a federally insured credit union’s board of directors under this section?

    The final rule divides old § 713.2 into two sections. Subsection (a) retains the existing requirement that the credit union’s board review the amount of bond coverage carried by the credit union each year to ensure it is adequate given the credit union’s risk profile. New subsection (b) requires:

    • The credit union’s board of directors review the application for purchase or renewal of the fidelity bond contract
    • When the board approves an application for purchase or renewal, the board must pass a resolution of approval
    • One member of the board, who is not an employee of the credit union, must sign the purchase or renewal agreement and all attachments

    Part 713.2(b) also requires that the credit union alternate the board member signatory to the bond contract prohibiting the same board member from signing consecutive contracts. The

    713.3 What bond coverage must a federally insured credit union have?

    The final rule expanded and reorganized existing § 713.3. The current requirements that credit unions purchase an individual policy from a certified company that covers fraud and dishonesty are retained. A new requirement mandates that all bond agreements include a provision extending the discovery period for a covered loss:

    • for at least one year after a involuntary liquidation
    • for at least 4 months in the case of a voluntary liquidation

    Part 713.2 also “codifies” NCUA’s 2017 Legal Opinion allowing a credit union to have a fidelity bond that also covers its CUSOs provided:

    • the credit union owns 50% of the CUSO; or
    • the CUSO is organized by the credit union to handle certain of the credit union’s business transactions and all the CUSO’s employees are employees of the credit union

    It is important to note however that the final rule DOES NOT eliminate the prohibition against a single bond policy covering the credit union as well as other entities it does not majority own.

    • 713.4 What bond forms may a federally insured credit union use?

    NCUA has also reorganized § 713.4 and clarified its treatment of bond forms. The final rule retains the requirement for NCUA to review all bond forms before a credit union may use them and as well as NCUA’s retention of approved forms on the NCUA website for ease of credit union access. Part 713.4(c) prohibits credit unions from using any o fht following without first receiving NCUA approval:

    • any bond form that has been amended or changed since the time the NCUA Board approved the form
    • any rider, endorsement, renewal, or other document that limits coverage of approved bond forms.

    NCUA has created a new sunset provision in § 713.4(d) establishing that approvals of all bond forms expire every 10 years from the date of NCUA approval or reapproval. All bond forms approved by NCUA prior to 2019 will expire on January 1, 2029. NCUA also reserved the right to review any given bond form at any time without regard to the 10-year sunset.

    In the preamble to the final rule, NCUA notes that should it disapprove a bond form currently in use by a credit union, it would not require the credit union to -recontract immediately on an approved form, but rather would expect the credit union to use an approved form upon the end of the term of the disapproved form’s contract.

    Part 704.18 Corporate Credit Unions Fidelity Bond

    • Board review of bond coverage

    The provision implementing the board review of the bond application, the signature of a board member, and the continued requirement for annual review of coverage amounts is codified in § 704.18(b).

    • NCUA approval of bond forms

    The provisions implementing NCUA’s approval of bond froms, the requirement for coverage of fraud and dishonesty, the prohibition on use of amended forms unless approved by NCUA and the 10-year sunset are codified in §704.18(c).

    • Extended discovery period

    Part 704.18(c)(4) contains the requirements for the extended discovery periods.

    • Written Notice by the surety

    The corporate credit union bond provision contains a unique provision not applicable to natural person credit unions. Part 704.18(c)(5) requires written notice to NCUA from the surety when the fidelity bond of a credit union or individual is terminated or when a deductible is increased above the limits set by NCUA. The written notice must be accompanied by a brief statement of cause for the termination or increase in deductible.

     

    -End-

    19-RA-02 Serving Hemp Businesses

    August 2019

    NCUA has issued “interim guidance” for credit unions interested in serving the legalized hemp industry. The guidance will be updated as needed as necessary regulations are issued by the United States Department of Agriculture (USDA) and others regarding the growth, processing, manufacture, and retail sale of hemp. The change in federal law results from the 2018 Farm Bill removing hemp from Schedule I of the Controlled Substances Act (signed into law on December 20, 2018).

    Background

    The 2018 Farm Bill defines hemp as “the plant Cannabis sativa L. and any part of that plant, including the seeds thereof and all derivatives, extracts, cannabinoids, isomers, acids, salts, and salts of isomers, whether growing or not, with a delta-9 tetrahydrocannabinol concentration of not more than 0.3 percent on a dry weight basis.”
    Although hemp is no longer a controlled substance, whether any given hemp crop is being produced legally is a complicated matter involving the 2014 Farm Bill, the 2018 Farm Bill, pending USDA regulations and state law and state regulations.

    • As of the date of this publication (August 2019) only industrial hemp produced pursuant to the 2014 Farm Bill is legal (for a good explainer, see here)
    • For hemp to be legally produced pursuant to the 2018 Farm Bill, the USDA must issue regulations and guidelines implementing the 2018 Farm Bill hemp provisions (see USDA FAQ on hemp production issued July 2019)
    • The USDA has issued a legal opinion interpreting the 2018 Farm Bill and establishing the need for implementing regulations.
    • States and Tribal authorities may still prohibit, or more strictly regulate hemp production regardless of the pending USDA regulations, however States and Tribal Authorities may not prohibit the interstate transportation of hemp or hemp products grown or produced pursuant to the 2014 and/or 2018 Farm Bills.

    NCUA’s guidance reminds credit unions that in addition to regulations related to hemp production, other hemp-related businesses such as manufacturers, distributors, shippers, and retailers of hemp-derived products, and the products themselves, may be subject to other state and federal laws related to sales, distribution, and medication among others. For example, nothing in the 2018 Farm Bill affected the authority of the

    of the Secretary of Health and Human Services or the Commissioner of Food and Drugs to promulgate Federal regulations and guidelines that relate to hemp and foods, medication and public health.

     Considerations for Credit Unions Serving Hemp-Related Businesses

    NCUA notes that credit unions choosing to serve the hemp industry should be aware of relevant Federal, State and Indian Tribe laws and regulations that apply to any hemp-related businesses they serve. NCUA also notes the need for any credit union seeking to serve the hemp industry to have a BSA/AML program commensurate with the complexity, and risks, of serving the industry.

    NCUA highlights the need for credit unions serving the hemp industry to have the following elements of their BSA/AML programs:

    • Appropriate due diligence procedures for hemp-related accounts and for compliance with SAR filing requirements. NCUA states that it is the agency’s understanding that SARs are not required to be filed for the activity of hemp-related businesses operating lawfully, provided the activity is not unusual for that business.
    • If serving 2014 Farm Bill hemp-related businesses, a knowledge the states’ laws, regulations, and agreements under which each member/hemp-related business operates, an understanding of how to verify the member is part of the state’s pilot program, and the ability to adapt due diligence and reporting procedures to risks specific to participants in the pilot program(s).
    • A familiarity with any other state, federal or Tribal laws and regulations that prohibit, restrict, or otherwise govern these businesses and their activity when deciding whether to serve hemp-related businesses that may already be able to operate lawfully without reliance on forthcoming 2018 Farm Bill rules,

    Lending to Hemp-Related Businesses

    NCUA states that lending to a lawfully operating hemp-related business is permissible, however must be done in accordance with NCUA rules such Part 723 regulating commercial lending as well as within safe and sound parameters for underwriting and appropriate commercial lending practices.

     

    NCUA Risk Alert: 19-Risk-01 Business Email Compromise Fraud

    August 2019

     NCUA issued the first Risk Alert of 2019 to remind credit unions of the risks related to Business Email Compromise (BEC) fraud and steps that institutions should consider in order to mitigate the risk of falling prey to such scams.

     

    BEC occurs when a criminal uses email to impersonate a legitimate business or person in order to request or access fraudulent payments. Criminals may compromise a victim’s email address or domain through social engineering or use publicly available services to spoof this information.

     

    NCUA notes in its Risk Alert that the FBI has created a recovery asset team with a goal to quickly identify and freeze suspicious wire transfers before funds are transferred or removed from a suspect’s account.

     

    NCUA provided the following recommendation for steps credit unions can take to mitigate the risk of BEC fraud:

     

    • Never make a payment change without verifying the change with the intended recipient
    • Verify the accuracy of email addresses when checking mail on a mobile device
    • Use a two-step verification process to verify wire requests with members, and use information from previously known email addresses and phone numbers rather than what is provided in the wire transfer request
    • Require staff to investigate and verify changes to members’ personal information or business practices of the credit union’s vendors or member business accounts
    • Know the routines of members’ wire activity and contact them with any changes or concerns before sending a wire transfer
    • Verify transaction details with the recipient bank before sending a suspicious wire transfer
    • Use email spam filters to quickly identify potential fraudulent or spoofed emails
    • Create rules in the credit union’s intrusion detection system to flag emails with extensions that are similar, but different to, your credit union or members
    • Use caution posting information on social media and company websites, especially job duties/descriptions, hierarchal information, and out-of-office details
    • Implement multi-factor authentication (MFA) for corporate e-mail accounts that requires at least two pieces of information to login (something a user knows, such as a password, and something a user has, such as a dynamic PIN)

     

    Additional self-protection strategies may be found in the Justice Department’s publication “Best Practices for Victim Response and Reporting of Cyber Incidents.”

     NCUA recommends credit unions also consider:

    • contact the originating financial institution as soon as possible to request a recall or reversal, as well as a Hold Harmless Letter or Letter of Indemnity
    • determine whether a Suspicious Activity Report should be filed with FinCEN (FinCEN has issued an advisory on BEC fraud schemes)

    NCUA last issued a Risk Alert in February of 2013 regarding denial of service attacks.