Feb. 15, 2019 NASCUS Report

NCUA Nominees Todd M. Harper (second from left) and Rodney E. Hood (to his left) are sworn in before Thursday’s hearing. Also testifying (at left) Bimal Patel, nominee for Assistant Treasury Secretary for financial institutions, and (right), Mark Calabria, nominee for director of the Federal Housing Finance Agency (FHFA).

Nominees for NCUA Board Hood, Harper
vow safety and soundness to Senate panel

Nominees for seats on the NCUA Board both vowed to Senate Banking Committee members that they would work to safeguard the continued safety and soundness of credit unions, and protect the National Credit Union Share Insurance Fund, during their joint confirmation hearing Thursday.

Rodney E. Hood and Todd M. Harper are both nominated by President Donald Trump to seats on the three-member board. Republican Hood would replace current Board Member Rick Metsger (a Democrat) to complete a six-year term that ends in August 2023. (Metsger’s term expired in 2017; he’s been serving as a holdover.) Democrat Harper would fill a vacant seat that was last occupied by former NCUA Board Chairman Debbie Matz (also a Democrat). If confirmed, Harper would complete a six-year term that ends in April 2021. Chairman J. Mark McWatters, a Republican, rounds out the board; his term ends in August of this year.

Hood, if confirmed, would serve a second term as an NCUA Board member (he previously served on the board from 2005-09, including as vice chairman), and he told the committee that he looked forward to returning. “My paramount responsibility will be ensuring the safe and sound operation of federally-insured credit unions,” he said.

(In the short video, NCUA Board Nominees Rodney Hood (left) and Todd Harper outline their regulatory principles and aims during testimony before the Senate Banking Committee.)

Harper, if confirmed, would also be returning to the agency, where he served as a staff member for six years (leaving in 2017) as the agency’s chief liaison to Congress and as policy adviser to both Matz and Metsger, when the latter served as chairman for one year.

Aside from safety and soundness and protecting the insurance fund, Harper said his priority as a board member would be to preserve the integrity of the credit union industry “in a continually evolving and increasingly complex marketplace,” with a focus on issues of capital, liquidity, and cybersecurity – as well as prioritizing the agency’s consumer protection responsibilities, “consistent with the law.”

“In my view, financial regulators need to be fair and forward looking; innovative, inclusive, and independent; risk focused and ready to act expeditiously when necessary; and appropriately engaged with all stakeholders to develop effective, but not excessive, regulation,” he said.

In other comments, in response to a question from Sen. Catherine Cortez-Masto (D-Nevada) about whether the nominees had any concerns about NCUA’s rule exempting commercial loans of under $1 million from appraisals (and a resulting “hit” on the NCUSIF), Hood said he would work with NCUA staff to determine the impact of the exemption.

“I would agree with your concerns about raising the appraisal (exemption),” Harper told the senator. “One thing in particular I would want to look at is where the other regulators are – which is, I believe, at a different level for that particular product. For me, consistency across regulation is an important thing.”

NASCUS President and CEO Lucy Ito said the state system welcomed the comments of the NCUA nominees at their hearing, and said the association looked forward to collaborating with them on state credit union regulatory issues. “NASCUS was pleased to hear that as an NCUA Board member, Mr. Harper would focus on capital, liquidity and cybersecurity,” Ito said, “and we share Mr. Hood’s risk-based and market-oriented approach as well as his belief that regulation should be effective but not excessive.”

Testimony of Rodney E. Hood before the Senate Banking Committee

Testimony of Todd M. Harper before the Senate Banking Committee


Some simplification in federally insured credit union audit requirements – with a longstanding agency guide to be decommissioned in the process – was proposed and issued for a 60-day comment period Thursday by the NCUA Board during its open February meeting.

NCUA’s supervisory committee audit regulations, based on requirements provided in sections 115 and 202 of the Federal Credit Union Act, specify the minimum type of annual audit a federally insured credit union (FICU) is required to obtain, according to its charter type and asset size; the licensing requirements of persons performing certain audits; and the auditing principles that apply to certain audits.

Thursday’s proposal follows recent recommendations made by the agency’s Regulatory Reform Task Force. The proposal would:

  • Replace the option to perform an audit according to the Supervisory Committee Guide with the option to meet certain minimum requirements as provided in a new Appendix A to the supervisory committee audit regulation. The minimum procedures outlined in Appendix A reflect common industry practices for testing accounts and controls over financial institution financial statements. The NCUA Board also plans to decommission the Supervisory Committee Guide, according to the proposal. NCUA would instead issue reference material on how to conduct procedures that would meet the minimum requirements of Appendix A.
  • Eliminate the option for a report on examination of internal controls, which staff noted was only used by 20 credit unions as of last September.
  • Eliminate a requirement that an auditor engagement letter specify a 120-day timeframe for delivery of the written report. The proposal allows the credit union to negotiate a target date as long as that target date allows it to satisfy its annual audit requirement. (This also eliminates the need to get a waiver from the NCUA regional director in the event the prescribed timeframe were to be exceeded.)

Improvements in other areas will also be considered in comments, the board said, such as whether the agency should also remove the balance sheet audit as an option for credit unions not required to obtain a financial statement audit. Staff noted this option is used by fewer than 100 credit unions and has limited value, as it does not include an audit of the credit union’s income statement.

NASCUS’ Lucy Ito pledged close review of the proposal. “While NASCUS is pleased that NCUA continues to follow the recommendations of the Regulatory Reform Task Force, we are carefully reviewing today’s proposal to ensure the rule would not weaken the dual charter system or infringe upon the autonomy of the state credit union system,” she said.

Also at Thursday’s meeting, the board a staff briefing on the interagency flood insurance rule, which the agency board approved by notation vote Jan. 31.

Notice of proposed rulemaking and request for comment (Notice for Federal Register)

CANNABIS BANKING: House panel holds first-ever hearing …

Legislation aimed at offering cannabis/marijuana-related legitimate businesses access to banking services – which would include imposing a number of requirements on federal regulators — was among the topics of scrutiny during a House hearing this week.

In its hearing on “Access to Banking Services for Cannabis-Related Businesses” – the first such hearing on legislation — the House consumer protection and financial institutions subcommittee considered a discussion draft of legislation that would give legal cannabis-related businesses access to financial institutions services, and exempt from federal prosecution (or investigation) financial institutions and employees solely for providing services to state-authorized cannabis-related businesses.

(NASCUS, which for five years has called on federal authorities to resolve the ambiguity around serving legal state cannabis businesses and cannabis-related businesses, is also urging Congress to clarify the permissibility of financial institutions to serve state-authorized cannabis-related businesses; see following item.)

The bill, the Secure and Fair Enforcement Banking Act of 2019 (SAFE Banking Act)  – offered by Reps. Ed Perlmutter (D-Colo.), Denny Heck (D-Wash.), Steve Stivers (R-Ohio), and Warren Davidson (R-Ohio) – is intended to “harmonize federal and state law concerning cannabis-related businesses and allow these businesses access to banking services,” according to a draft of the bill made available by the subcommittee.

To do that, the bill bars federal financial institution regulators from taking several actions against financial institutions serving legal cannabis-related businesses, including:

  • Terminating or limiting deposit insurance at a credit union or bank “solely because the depository institution provides or has provided financial services to a cannabis-related legitimate business.”
  • Prohibiting, penalizing, or discouraging a credit union or bank from providing financial services to a cannabis-related legitimate business or to a state (and its political subdivisions, Indian Tribe) that exercises jurisdiction over cannabis-related legitimate businesses;
  • Encouraging (in any way) a credit union or bank not to offer or downgrade financial services to account holders solely because they own or become an owner of a cannabis-related legitimate business;
  • Taking any “adverse or corrective supervisory action on a loan made to an owner or operator” of a cannabis-related legitimate business, or for real estate or equipment leased to that business.

The legislation has not yet been introduced (or received a bill number).

During the hearing, Perlmutter told the subcommittee that the hearing was a “big deal” for thousands of employees of credit unions, banks and other financial institutions. He said those employees are forced to deal with piles of cash they receive from legitimate cannabis-related business, which are blocked from using the payments systems of federally regulated and insured financial institutions. Dealing with the cash, he indicated, is perilous for both the financial institutions, their employees and their communities.

“The fact is, the people – the voters in states and localities all across the country – are legalizing some level of marijuana use,” Perlmutter said, after pointing out 47 states (and the District of Columbia) have legalized some form of recreational or medicinal marijuana use. That has led to the growth of legitimate marijuana-related businesses in those areas, he indicated. “We need to have these marijuana-related business and employees to have access to our banking system,” Perlmutter said.

Committee memo: Hearing on Challenges and Solutions: Access to Banking Services for Cannabis-Related Businesses


As the first-ever hearing on cannabis-related banking was taking place, NASCUS President and CEO Lucy Ito called on Congress this week to act swiftly. In a statement, Ito noted that the state system was encouraged by this week’s hearing, but it’s high time to move legislation. “Since Colorado and Washington legalized recreational cannabis in 2014, NASCUS has called on federal authorities to resolve the ambiguity around serving legal state cannabis businesses and related businesses,” said Ito said in the Wednesday statement. “Currently, state regulators and the financial institutions that they supervise are suspended between the uncertainty of federal enforcement action and the state mandate to serve the financial needs of their local communities. While we are encouraged by today’s hearing and agree with Representative Perlmutter that the hearing is a ‘big deal’ for financial institutions, Congress should continue to act and swiftly pass legislation that would clarify the permissibility of financial institutions to serve state-authorized cannabis-related businesses.”

NASCUS encouraged by the House Financial Services subcommittee cannabis banking hearing


In addition to advocating for clarity before Congress, NASCUS will explore the cannabis banking issue in depth at its inaugural “State Legalization of Cannabis and Banking Symposium” this summer. The symposium will be held June 25-26 in Universal City, Calif., in the greater Los Angeles area and feature industry experts and stakeholders. “The decision to provide financial services to cannabis-related businesses is filled with pros and cons for credit unions and their regulators, and at this meeting NASCUS will bring all parties together to thoroughly discuss what must be considered when serving or not serving this market,” Ito said.

2019 NASCUS Symposium: Cannabis Banking


No data was compromised during a recent “spear phishing” campaign targeted at Bank Secrecy Act officers at credit unions, NCUA said late last week. In a brief press release, the agency said that, upon learning of the phishing attack, it “conducted comprehensive review of its security logs and alerts.” The completed review, the agency said, “did not find any indication that information was compromised,” and that “the most recent information available indicates the campaign extends beyond credit unions to other parts of the financial sector.”

The agency release was in regard to a phishing scam targeting BSA compliance officers at credit unions and other financial institutions, reported by data security watchdog Krebs On Security. According to the article, attacks on credit unions were the only ones first reported, but later reporting said the attacks targeted bank BSA compliance officers as well. Krebs reported that the attacks first surfaced Jan. 30 at credit unions, when BSA officers began receiving emails “spoofed” to resemble those sent by BSA officers at other credit unions.

“The missives addressed each contact by name, claimed that a suspicious transfer from one of the recipient credit union’s customers was put on hold for suspected money laundering, and encouraged recipients to open an attached PDF to review the suspect transaction,” Krebs reported. “The PDF itself comes back clean via a scan at Virustotal.com, but the body of the PDF includes a link to a malicious site.”

NCUA, in its release, said it “makes protection of sensitive data a top priority, and the agency uses a defense-in-depth approach to monitoring and shielding its systems and information. “The NCUA encourages all credit union staff to be wary of suspicious emails, and credit unions may report suspicious activity to the agency,” NCUA stated in its release.

NCUA Review Finds No Bank Secrecy Act Data Breach


NASCUS followed up the NCUA message this week with a notice to the state system urging it to follow “best practices” in securing their data – something NASCUS has advocated for several years. The joint message from NASCUS executives President and CEO Lucy Ito, and Executive Vice President and General Counsel Brian Knight, noted that, increasingly, the nexus between BSA/AML and cybersecurity would become a focus of importance. “This episode is illustrative of that fact,” the NASCUS executives wrote. The NASCUS message noted several “best practices” in handling e-mail, including:

  • Hovering over the sender in the email to verify the sending address;
  • Being alert for misspellings and grammatical errors;
  • Verify sender before opening attachments and clicking on links; and
  • Using the phone to verify the sender is legitimate.

NASCUS message: Phishing Attack Targets Bank & Credit Union BSA Compliance Officers


Feedback on the collection, use and protection of sensitive information by financial regulators and private companies is being sought by the leaders of the Senate Banking Committee, toward an ultimate goal of examining how well the Fair Credit Reporting Act (FCRA) is working in the digital age, the leaders said Wednesday.

In a joint press release, Committee Chairman Mike Crapo (R-Idaho) and Ranking Member Sherrod Brown (D-Ohio) said examining how FCRA should work in a digital economy – and whether certain data brokers and others serve a function similar to the original consumer reporting agencies – are of interest to the committee.

They indicated that collection and use of personally identifiable information will be a major focus of their committee in this Congress. They added that information collection by financial regulators and private financial companies (including third-parties that share information with financial regulators and private financial companies) deserves close scrutiny, as Americans are rightly concerned about how their data is collected and used, and how such data is secured and protected.

The senators said the committee wants feedback (which will be made public) by March 15 on five questions, outlined in their memo (see the link below). The questions covered legislation and regulation that could be adopted address consumer control of financial data, disclosures, protection of data and more.

Responders should submit electronic copies of their responses to Committee staff at [email protected].

Crapo, Brown Invite Feedback on Data Privacy, Protection and Collection

TRANSITIONS: SC goes Green for permanent commissioner

Richards H. “Rick” Green (at right, next to South Carolina Treasurer Curtis Loftis, Chairman of the State Board of Financial Institutions) has been promoted to serve as the next South Carolina Commissioner of Banking, succeeding Robert Davis in the position, and effectively removing the word “acting” from his title (which he had used for only about one week). Green has spent his entire career with the State Board of Financial Institutions, the agency charged with chartering, examining and regulating South Carolina state-chartered credit unions and banks; he joined the agency in 1999.

BRIEFLY: Directors’ college added for SD/ND

NASCUS has added another Directors’ College to its education agenda, this one set April 11 in Fargo, N.D. The session – a unique opportunity for CEOs, upper management, and volunteers seeking training for their fiduciary duties and board responsibilities – is sponsored jointly by NASCUS and the Credit Union Association of the Dakotas (CUAD). It is scheduled to cover a wide variety of topics, including: cybersecurity, CECL update, board governance – and more.

NASCUS Education Agenda: April 11 Directors’ College, Fargo (with CUAD)

For more information about NASCUS's news and/or public relations, please contact our Marketing and Communications Department.