June 9, ’17 NASCUS Report

Cybersecurity takes deep dive into issues

The watchword in cybersecurity these days, judging by the discussion at this week’s NASCUS/CUNA Cybersecurity Symposium, is “monitor.” That is: monitor activity on your systems to watch for any strange or unusual activity. For the 150 or so participants in the Symposium, held Monday through Tuesday in San Diego, that wasn’t necessarily news – but it was stressed by nearly all of the 19 speakers at the event.

Randy Romes of CliftonLarsonAllen (CLA), who served as master of ceremonies for the event, included “monitoring” as a top “resilience technique” in his opening remarks to the group, stressing the combination of monitoring, incident response, testing, and validation as the cornerstones of an information security strategy. “Be prepared,” he told the group. “We don’t have to be bulletproof – we just have to be prepared enough.” He also noted that credit unions generally are in good shape when it comes to security. “You’ve been in continuous improvement mode for the last 20 years,” he said, urging the group of credit union regulators and practitioners to be careful of “new ways of doing things” that are being pushed on networks and systems generally.

In other comments at the symposium:

  • NCUA Board Member Rick Metsger told the group that the agency is working to adapt its policies to stay current on changes in cybersecurity challenges. “Things are changing all of the time; input back from you on our policies is very important,” Metsger said.
  • Jim Stickley, president and CEO of Stickley on Security, focused on the workings of the “dark web,” which offers a wide variety of nefarious products and services, including those related to ID theft. “Everybody in the ID theft chain makes money,” Stickley said, “that’s why it is taking off, surpassing even the drug trade.”
  • Mau Castanheiro of Verafin, in discussing combatting cyber crime, noted that “business email compromises” (or thefts conducted via email) are leading to large losses and significant financial or reputational risk – particularly when vulnerable victims are scammed through efforts appealing to romance, “work from home” schemes, and lottery winnings.
  • Jerry Beasley of Trace Security outlined the threat landscape, noting that attacks are increasing, with a 42% rise in 2016 in targeted attacks alone.
  • Panelists Chad Nordstrom of CLA, Jon Cohen of law firm Joseph & Cohen, and Remi Gonzalez of PR firm Public Communications Inc. discussed how to respond to data breaches (or “incidents”), urging the group to follow a process of prepare, identify, contain, eradicate, recover and remediate.
  • David Anderson of CLA – a noted system penetration tester – walked the group through the 10 ways that systems typically get hacked: all of them began with “users clicking on links.”
  • Patrick Truett of NCUA’s office of examination and insurance told the group he expects the agency will cyber examine all federally insured credit unions (beginning in 2018) in two batches of 18 months, for a total of 36 months.

The fifth annual NASCUS/CUNA Cybersecurity Symposium is scheduled for June 3-4, 2018, in Nashville.

(In the photos, clockwise from top left: An energetic Jim Stickley delivers the keynote address; Mau Castanheiro of Verafin; NCUA Board Member Rick Metsger; panelists (from left) Remi Gonzalez, Jon Cohen, Chad Nordstrom; CLA’s Randy Romes; (center) Jerry Beasley of Trace Security.) 


The House Thursday approved the Financial CHOICE Act (H.R. 10, overturning much of the 2010 Dodd-Frank Act) on a vote of 233-186 with no Democratic support, sending the bill to the Senate for consideration. However, a Senate version of the bill – whenever and however it emerges – is expected to be much narrower in scope than the sweeping House measure. As approved by the House, H.R. 10 includes provisions that: mandate increased transparency for the NCUA budget (including through public hearings); call for annual detailing of how the overhead transfer rate (OTR) is determined; and provide an “off-ramp” allowing financial institutions, including credit unions that maintain an average leverage ratio of at least 10%, the option to be exempt from federal capital and liquidity requirements. The institutions, if they apply for the exemption and receive it, would be defined as “qualifying banking organizations” (QBOs). However, the bill also places the NCUA budget (and budgets of other independent federal financial regulators) under the congressional appropriations process – meaning Congress would have to sign off on the agency’s annual spending plan.

In advance of the House vote, the White House issued a “policy statement” supporting the legislation, noting that the bill reflects “the Administration’s Core Principles in several key respects.” The “core principles” were outlined in a Feb. 3 executive order signed by President Donald Trump; the order also mandated a report from the Treasury secretary within 120 days about how the current federal financial regulatory regime fits into the “core principles.” The White House policy noted that the Treasury report (which technically was due last Friday, June 2) “may yield additional views with respect to other provisions of H.R. 10.”

White House policy statement on H.R. 10 (“substitute amendment”)

President Trump’s Feb. 3 order for review of Dodd-Frank


Comments are due Aug. 7 about NCUA’s proposed rule on voluntary mergers of federally insured credit unions, the end of a 60-day period after publication of the proposal in yesterday’s (June 8) Federal Register. The proposal, which is aimed by the agency at enhancing transparency of mergers, would amend the “procedures and timeframes that a federal credit union (FCU) must follow for voluntary mergers with another credit union,” according to materials released by the agency at its May 25 board meeting, when the rule was proposed. However, the Federal Register notice headline refers to “federally insured credit unions,” which includes state-chartered credit unions as well. NASCUS President and CEO Lucy Ito said the association would be canvassing its member regulators for their views in preparation of a comment on the proposal. “NASCUS supports transparency and protection of member-consumers’ interests,” Ito said. “But appropriate disclosure is for the chartering agency of the merging credit union to determine. Our concern, at this point, is that homogenizing all federal and state merger disclosures into a single method robs the entire credit union system of the benefits of learning from different approaches, which individual states offer, and can help to fine-tune a regulation. We will likely be taking a close look at that approach.”

Proposed rule (in Federal Register): Voluntary Mergers of Federally Insured Credit Unions


State credit unions continued slightly better growth than their federal credit union counterparts in the first quarter of 2017, continuing a growth trend from the previous four quarters and increasing the state credit unions’ share of the overall credit union market. According to first quarter 2017 numbers released this week by NCUA, state-chartered, federally insured credit unions (FISCUs) grew faster than federal credit unions (FCUs) in deposits, assets, loans and memberships. The number of the state credit unions, however, declined (as did the number of FCUs) in the first quarter, by 24 credit unions each (with 2,273 state-chartered credit unions, both federally and privately insured; and 3,584 FCUs). Numbers in all other categories for state-chartered, privately insured credit unions were not immediately available.

The NCUA numbers show that FISCU assets at the end of the first quarter stood at $646.4 billion, up 3.9% from year-end 2016, and representing about 48.3% of all credit union assets. (Assets of privately insured credit unions, combined with the FISCUs, could increase that to 49.2% of the total, based on year-end 2016 figures showing about 2.5% growth per quarter that year.) The asset growth was driven by deposits, which expanded by 4.4% in the first quarter (to $556.3 billion), compared to 3.9% growth at FCUs.

Loans at state chartered CUs expanded by 2.2% in the first quarter (to $434.1 billion), while FCUs recorded 1.3% loan growth. Memberships at the state credit unions expanded by 1.2% to 50.9 million members; FISCUs now count about 47.13% of all memberships at federally insured credit unions, up slightly from year-end 2016.

NCUA credit union data summary Q1 2017


Interstate branching for South Carolina state credit unions has become more accessible with the signing by state Commissioner of Banking Robert L. Davis of a cooperative agreement with 10 other states. The agreement is the 2009 Southeastern Regional Cooperative Interstate Agreement. In addition now to South Carolina, the agreement includes Alabama, Florida, Georgia, Illinois, Mississippi, Missouri, North Carolina, Tennessee, Texas and Washington. The agreement was developed by the engaged states with NASCUS.

Association President and CEO Lucy Ito said that by joining the interstate branching accord, South Carolina is promoting interstate commerce and cooperation on a reciprocal basis among the participating states, “as well as fostering parity with the federal credit union charter for South Carolina state-chartered credit unions.” Ito added that the Southeastern agreement (as well as the NASCUS-developed 2015 Nationwide Cooperative Agreement for the Supervision of State Chartered Credit Unions, which includes the states of Idaho, Illinois, Indiana, Kentucky, Michigan, Ohio, Oregon, Washington, West Virginia and Wisconsin) eases the procedural impediments for credit unions to branch across states. “The agreements demonstrate that interstate branching is a viable choice for credit unions to extend their operations as state-chartered financial institutions, consistent with their strategic plans, should they choose to do so,” she said.

Southeastern Regional Cooperative Interstate Agreement for the Supervision of State-Chartered Credit Unions

2015 Cooperative Interstate Agreement for the Supervision of State-Chartered Credit Unions


Extended by one week, early-bird registration discounts end after today for the 2017 NASCUS State System Summit, the only national meeting focusing exclusively on the state credit union system. After the deadline, registration fees rise an additional $200 per registration for members, and up to $300 for non-members. This year’s Summit, Aug. 29-Sept. 1 in San Diego (at the Westin Gaslamp Quarter Hotel), takes a close look at what’s ahead for the state credit union system by featuring sessions on FinTech, the future of the CFPB, the future of the corporate system, evolving field of membership rulemaking, the future of cross-border business, outlook for the payments system, and more. Other sessions include a look at unconscious bias and its impact on credit union growth, cybersecurity, marijuana issues for 2017, litigation to watch, and the congressional and political environments. In addition, the Summit features the winner of the “Next Big Idea” competition sponsored by the National Association of Credit Union Service Organizations (NACUSO). Another deadline to keep in mind: the Aug. 8 hotel registration cutoff. See the link for complete information about the Summit – and save by registering today!

NASCUS 2017 State System Summit; registration info, agenda, speakers, more

BRIEFLY: CFPB study shows link between negative credit records, income levels; Small biz lending RFI reportedly extended; Permanent OCC head nominated

Consumers in lower-income areas are 240% more likely to become “credit visible” (that is, establish credit records) due to negative records, the CFPB states in a new study released this week. That’s compared to consumers in higher-income areas, who are 30% more likely to become credit visible by using a credit card, the most common way that consumers establish their credit. The study results indicate that persons in lower-income areas are more likely to establish negative credit records than those persons in higher-income areas (who are more likely to establish positive records) … The bureau is extending by 60 days (to Sept. 12) the deadline for comments on its “request for information” on small business lending, according to remarks delivered by Director Richard Cordray Thursday to the bureau’s Consumer Advisory Board … President Trump Monday nominated Joseph Otting as comptroller of the currency to oversee the nation’s federally chartered banks; if confirmed by the Senate for a five-year term, he would replace Keith Noreika, who is serving as acting comptroller (Noreika, in turn, replaced Tom Curry, whose term ended in April). From 2010 to 2015, Otting was chief executive of OneWest Bank in California, where he worked with then-chairman Steven Mnuchin, now the U.S. treasury secretary (and Otting’s nominal boss if confirmed to head the OCC).

CFPB Study: Consumers in Lower-Income Areas Are More Likely to Become Credit Visible Due to Negative Records

NASCUS Summary: Request for Information Regarding the Small Business Lending Market


Information Contact:
Patrick Keefe, NASCUS Communications, [email protected] or (703) 528-5974

For more information about NASCUS's news and/or public relations, please contact our Marketing and Communications Department.