Aug. 5, ’16 NASCUS Report

Speakers at Cybersecurity '16

From left: Detective Mark Solomon discusses trends in cyber crime — including exploding ATMs; NCUA’s Tim Segerson outlines an IT examination; host Chad Nordstrom of CliftonLarsonAllen opens the program with an overview of information security

Cybersecurity confab covers hot topics

The world of cybersecurity for credit union practitioners and regulators was thrown open for a broad view this week when the NASCUS/CUNA Cybersecurity Symposium convened in Chicago Monday and Tuesday, with 130 in attendance. The two-day meeting touched on nearly every hot topic in cybersecurity: lessons in penetration testing, trends in cyber crime, secure use of the cloud, choosing the right cybersecurity risk assessment tool, and more.

Chad Nordstrom of CliftonLarsonAllen served as the host for the program, who took the group on an assessment of the information security environment for 2016, telling the group that they should “assume you will be breached” and that no one in an organization should assume that “IT is the end-all be-all,” but that cybersecurity is an enterprise-wide issue. Among challenges ahead, Nordstrom identified ransonware/malware, more sophisticated attackers, criminal gangs involved in cyber crime, as well as foreign actors.

Among other comments:

  • Tim Segerson, NCUA deputy director of examination and insurance, reiterated that the agency is not mandating use of the FFIEC’s cybersecurity self-assessment tool; rather, he said, the tool is incorporated into the agency’s exam approach. Segerson noted, however, that the agency will expect credit unions to be performing some sort of cybersecurity assessment, using the FFIEC tool or some other appropriate instrument.
  • Mark Solomon, a member of the Greenwich, Conn., police department’s criminal investigation division who routinely works with federal law enforcement on cyber crime, remarked that as EMV (chip) cards become more prevalent in the U.S. over the next five or more years, expect to see more “old-school” crimes, including a rapid return of ATM card skimming. “Financial crimes increasingly are not ‘white collar,’” Solomon said – adding that criminals are also turning to social media to carry out financial misdeeds.
  • NCUA’s Senior Cyber Intelligence Officer Christina Saari outlined key steps for developing a cybersecurity threat intelligence (CTI) program, which she urged the group to adopt. A key tactic for adopting CTI, she said — institutionalize the process.
  • Chad Carrington of The Golden 1 Credit Union discussed six things participants could do – now – to improve information security, which included having strong business continuity and disaster recovery plans that are exercised regularly
  • Kirk Drake of Ongoing Operations, LLC, explained how use of “the cloud” can be a safe venture for credit unions, particularly if they adopt a strategy for use, develop tactics for migration, and pay close attention to audit and legal standards.
  • David Reed of the law firm Reed and Jolly discussed the laws protecting credit union members’ information, noting members’ sensitivity about their privacy, and urging the audience to perform a privacy inventory at their own institutions.
  • Jim Vilkers oF CU*Answers stressed the importance of weaving into the cybersecurity fabric of institutions anti-money laundering/Bank Secrecy Act (BSA) functions, as well as identity theft prevention efforts.


Commenting on six areas – the exam cycle, extended examination cycle eligibility, the regulatory appeal process, adopting a variable approach to regulation, leveraging technology and call report reform – NASCUS filed a letter this week with NCUA about the agency’s Exam Flexibility Initiative. In the letter, NASCUS pointed out that federally insured, state-chartered credit unions face a unique burden of facing both state and federal exams — but that burden can be mitigated when state and federal regulators improve efficiencies, conserve resources and coordinate and harmonize where possible. “The configuration of NCUA’s examination program for both federal credit unions (FCUs) and federally insured state chartered credit unions (FISCUs) influences and impacts how state regulators structure their supervision programs and expend their resources,” the NASCUS letter stated. The letter also pointed out that, in addition to affecting state regulators, NCUA’s share insurance-related examination program for FISCUs also directly affects state chartered credit unions and the state credit union system.

Key among the items in the NASCUS letter is the recommendation for discretionary extended exam cycles for all FISCUs. NASCUS emphasized that the agency should “move expeditiously” to a policy allowing the longer exam cycles and – in lieu of NCUA exams — to adopt a policy of accepting state exams for FISCUs regardless of size. NASCUS wrote that approach would be “consistent with Congress’ statutory mandate to rely on state examinations.” The association added that NCUA could extend the exam cycle for larger FISCUs examination cycle to an 18-month cycle, accepting state exams without any material increase in risk to the NCUSIF. “Setting a more flexible examination cycle would allow states and NCUA to focus resources where most urgently needed,” NASCUS wrote, particularly for state regulators, who not only examine 2,600 state charters, but in some cases CUSOs and other-third-party service providers. For the entire text of the NASCUS letter, see the link below.


NASCUS comment letter: NCUA Exam Flexibility Initiative


A final rule implementing amendments to mortgage servicing regulations under RESPA and TILA, mostly effective a year from now, were released this week by the CFPB. According to the bureau’s notice, the 900-plus page final rule clarifies, revises, or amends provisions regarding force-placed insurance notices, policies and procedures, early intervention, and loss mitigation requirements under servicing provisions of Regulation X (Real Estate Settlement Procedures Act, or RESPA); and prompt crediting and periodic statement requirements under servicing provisions of Regulation Z (Truth in Lending Act, or TILA). CFPB stated that the regulation additionally addresses proper compliance regarding certain servicing requirements when a person is a potential or confirmed successor in interest, is a debtor in bankruptcy, or sends a “cease communication” request under the Fair Debt Collection Practices Act (FDCPA). The final rule also makes technical corrections to several provisions of Regulations X and Z. Additionally, CFPB stated it is issuing concurrently with the final rule an interpretive rule under the FDCPA relating to servicers’ compliance with certain mortgage servicing rules. Most of the provisions of the final take effect 12 months after publication in the Federal Register. The provisions relating to successors in interest and the provisions relating to periodic statements for borrowers in bankruptcy will take effect 18 months after publication in the Register.

A summary of the proposed changes issued in late 2013 by NASCUS gives additional context to the final rule, and provides some background and key points about the proposal.

CFPB final rule, mortgage servicing
NASCUS Nov., 2013 proposed rule summary: Amendments to the 2013 Mortgage Rules


An outline of possible key proposals affecting debt collection, a proposal about “know before you owe” mortgage disclosure rules, and “principles for foreclosure prevention” have all been floated over the past week by the CFPB. Under the possible debt collection proposals issued last week, collector contact attempts would be capped and companies would be required to have more and better information about the debt before they collect. And, as they are collecting, debt collectors would be required (among other things) to limit communications, clearly disclose debt details, and make it easier to dispute the debt. When responding to disputes, collectors would be prohibited from continuing to pursue debt without sufficient evidence, CFPB stated in a release. The bureau added that these requirements and restrictions would follow the debt if it were sold or transferred.

Under the “know before you owe” proposal issued this week, guidance in the existing rule would be formalized and — the bureau stated in another release — “provide greater clarity and certainty.” The agency stated that changes it is proposing would “augment implementation of the Know Before You Owe rule” and “help facilitate compliance within the mortgage industry.”

Also published this week: an outline of “guiding principles for foreclosure prevention,” which focus on access to information, transparency and affordability. Issued in the context of Treasury’s Home Affordable Modification Program (HAMP) set to sunset in January, the bureau noted the principles are not legally binding, but are intended to help create new foreclosure relief options in the aftermath of the financial crisis. The four principles in the outline are: Accessibility — Consumers must be able to access information about loss mitigation options and how to apply them; Affordability — Repayment plans and mortgage loan modifications must be designed with an eye to affordability for consumers; Sustainability — Loss mitigation options must be sustainable for the consumer throughout the remaining or extended loan term; Transparency — Consumers must get clear and concise information about what decisions servicers are making.


Debt collection proposal
Proposed ‘know before you owe’ changes
Principles for the future of loss mitigation
NASCUS CFPB pages on the web


If you missed the Cybersecurity Symposium earlier this week – or, if you did attend and wish you could devote some more time to the topic of cybersecurity – you are in luck: The 2016 NASCUS State System Summit keeps the conversation going that was started in Chicago. In fact – if you liked talking about cybersecurity in Chicago, there’s more of that ahead for you: Chicago is the location for the Summit, Oct. 5-7 – at the same hotel (the Westin Chicago River North). Cybersecurity is just one of the topics, of course, covered at the Summit during more than 21 hours of general sessions, group discussions and networking. Among the other topics: Preparing for the coming wave: FinTech; The changing allowance account: adapting to CECL, or not; Campaign 2016: reshuffling the congressional deck; The new frontier of commercial lending. Check out our working agenda at the link below, and register today!

2016 NASCUS State System Summit Agenda


There’s more on the NASCUS education calendar coming up for the late summer and fall, including the annual Bank Secrecy Act (BSA) Conference set for Nov. 13-16 in San Antonio. The BSA Conference is an acclaimed, timely three-day event (with a one-day, bonus pre-conference session) which offers compliance officers, state and federal examiners, industry experts and regulators — from beginners to veterans — a forum for discussing and learning about the very latest on the complex federal BSA laws. Other NASCUS events on the calendar include: 2016 Ohio Credit Union Day, Aug. 29, Columbus; Ohio Examiners’ School, Sept. 13-15 (also Columbus); Colorado Directors’ College, Sept. 27, Denver; and Examiners School, Oct. 10-14, Traverse City, Mich. Two additional directors’ colleges are set for later in the fall: Nov. 10 in Texas and Dec. 1 in Kentucky (locations to be announced). See more details at the link below.

NASCUS 2016 late summer/fall education agenda

Summit 2016

Information Contact:
Patrick Keefe, NASCUS Communications, [email protected] or (703) 528-5974

For more information about NASCUS's news and/or public relations, please contact our Marketing and Communications Department.