(May 14, 2021) If you were one of the countless unfortunate folks sitting in line at the gas pumps this week – wondering “what can I do to stop this?” – consider the NASCUS Cybersecurity eSchool (in partnership with CUNA) set for Sept. 3 to Nov. 9.

The hacking and ransomware attack on the Colonial Pipeline – which disrupted gasoline delivery to stations up and down the East Coast, leading to panic buying and long lines – has underscored the need for cybersecurity preparation and protection, according to many experts.

Aimed at anyone at credit unions and regulators needing cybersecurity training, the Cybersecurity eSchool multi-week program includes sessions on: anatomy of a ransomware attack; cybersecurity strategy, developing and strengthening an information security policy; building staff and board awareness; threat hunting; security frameworks and more.

For more information, including the agenda and registration, see the link below.

Also: This week NCUA and the Cybersecurity and Infrastructure Agency (CISA) scheduled a May 26 one-hour webinar (at 2 p.m.) for credit unions on preventing and addressing cyberattacks. NCUA said the session will focus on (among other things) identifying risks to products, services, and assets and monitoring the security of networks.

LINKS:
NASCUS Cybersecurity eSchool, in Partnership with CUNA

Registration Now Open for NCUA, CISA Cybersecurity Webinar

(May 14, 2021) Whether share insurance applies to a credit union share certificate purchased by a limited liability corporation (LLC) depends in part on who owns the funds and whether the LLC is engaged in an “independent activity” other than one solely related to increasing share insurance coverage, NCUA wrote in a legal opinion letter dated April 23 but only made public this week.

The letter, addressing “Proposed Capital Markets Funding Program for Credit Unions” and signed by NCUA General Counsel Frank Kressman, summarizes a scenario in which several LLCs purchase share certificates worth a maximum of $250,000, the “standard maximum share insurance amount” (SMSIA) permitted by NCUA’s share insurance regulations, at federally insured credit unions (FICUs) where they are members or are eligible to be members. The letter states that each LLC would be the actual owner of the share certificates they purchase and would not be holding them in any sort of agent, nominee, or custodian capacity.

The NCUA general counsel wrote that share insurance coverage is provided “only to the actual owner of the funds in an account and requires the true owner of the funds to either be a member of the FICU or otherwise eligible to maintain an insured account at the FICU.”

Additionally, he wrote that the accounts held by a corporation, partnership, or unincorporated association “engaged in any activity other than one directed solely at increasing insurance coverage (that is, an ‘independent activity’) will be insured up to the SMSIA in the aggregate.”

Emphasizing the requirement for ownership of funds, the letter adds that share insurance coverage “is always dependent upon compliance with all applicable requirements of Part 745, including the recordkeeping requirements in § 745.2(c)” of the agency’s rules.

The opinion was sent to Stuart Morrissy of Hogan Lovells US LLP in Washington, D.C.

LINK:
NCUA legal opinion – Proposed Capital Markets Funding Program for Credit Unions

(May 14, 2021) NCUA is encouraging credit unions to participate in a May 24 webinar explaining (and answering questions about) the U.S. Treasury’s Emergency Capital Investment Program (ECIP), which has extended its application period to July 6.

The 75-minute webinar, “An Overview of the Emergency Capital Investment Program,” will be held at 3 p.m. ET, the agency said in a release.

The ECIP was established under the Consolidated Appropriations Act, 2021. Under the program, Treasury provides up to $9 billion in capital directly to credit unions and other depository institutions that are certified community development financial institutions (CDFIs) or minority depository institutions (MDIs). The funding may be used to provide loans, grants, and forbearance for small businesses, minority-owned businesses, and consumers – especially those in low-income and underserved communities – that may be disproportionately impacted by the economic effects of the COVID-19 pandemic.

Treasury says it will set aside $2 billion for CDFIs and MDIs with less than $500 million in assets and an additional $2 billion for CDFIs and MDIs with less than $2 billion in assets.

NCUA Board Chairman Harper has repeatedly encouraged credit unions to learn more about the program.

Registration for the webinar is open; participants may submit questions in advance by email at [email protected]; questions submitted by May 18 will receive priority, NCUA said.

LINKS:
Federal Financial Regulators to Hold Webinar on Emergency Capital Investment Program

Treasury ECIP information, application portal

(May 7, 2021) The possibility of additional reporting requirements for state credit unions because of a proposed new rule on credit union service organizations (CUSOs) is a key concern outlined by the state system in its comment letter submitted to NCUA late last week on the proposal.

Overall, the proposal would expand the list of permissible activities for a federal credit union (FCU) CUSO and reserve authority for the NCUA Board to approve additional activities without the traditional notice and comment. Typically, NASCUS wrote, the association does not weigh in on proposals that affect, directly at least, only federal credit unions. However, because this proposal could influence state credit unions considering collaborating with FCU investors in the formation and ownership of a CUSO, the association was prompted to comment.

In some states, NASCUS pointed out, CUSOs owned by state credit unions already hold expanded lending power. The association noted, however, that the NCUA proposal could end up requiring additional reporting requirements that don’t today exist for SCUs. “NASCUS opposes extension of any additional reporting requirements to SCU CUSOs resulting from an expansion of FCU powers,” the association wrote.

NASCUS reminded the agency that SCU CUSOs may now provide many products and services authorized under state law free of restrictions in place for FCU CUSOs – and, in some cases, states already have the authority NCUA is proposing now for FCU CUSOs.

“To date, NCUA, the (National Credit Union) share insurance fund, and the credit union system have been able to manage any risk presented by SCU CUSOs within the existing reporting framework pursuant to existing Part 741.12” of NCUA regulations, NASCUS wrote. The association wrote that nothing in the proposal identifies a pressing need to include SCU CUSOs in any new reporting requirements and “we expect that should NCUA seek to include ALL CUSOs in any reporting requirements the agency would consult with the state regulators and subject proposed SCU CUSO reporting requirements to notice and comment.”

In other comments, NASCUS recommended that the agency:

  • allow a limited amount of FCU investment in an SCU CUSO without triggering agency limitations on the state CUSO;
  • continue to evaluate prudent changes that enhance a credit union’s ability to serve members and meaningfully engage in the marketplace, after asserting that “collaborating with a CUSO should not be a necessity in order for a credit union to remain vibrant and healthy”;
  • permit FCUs to invest with banks, which would be consistent with the state system’s view of the need for greater flexibility for credit union investment; and
  • continue to work with NASCUS and state regulators to leverage state supervisory oversight of CUSOs and third-party service providers as needed to address any supervisory uncertainty NCUA may have related to any SCU CUSO or other third-party entity.

LINK:
Comment: Proposed Rule, Credit Union Service Organizations (CUSOs) – RIN 3133–AE95

(May 7, 2021) A new federal credit union chartered late last month in Kendall Park, N.J., to serve a local Islamic community will offer its members non-interest-bearing consumer loans, among other services, NCUA said this week. Maun FCU will be an Islamic-faith-based, no-interest credit union whose not-for-profit, cooperative business model will fill a need for affordable, federally insured financial services among members of its community, the agency said in a release. The new credit union will serve employees and members of the New Brunswick Islamic Center in New Brunswick, N.J., and employees and members of the Islamic Society of Central Jersey in Monmouth Junction, N.J. … The Federal Reserve this week called for comments on proposed guidelines it would use to evaluate requests for accounts and payment services at Federal Reserve Banks presented by “novel types” of banking institutions attempting to leverage new and emerging technologies and techniques. Generally, principles outlined in the guidelines would require the requesting entity to be eligible to receive Fed services and not to present “undue risk” to the Fed system or the financial system at large.

LINKS:
NCUA Charters Maun Federal Credit Union

Proposed Guidelines for Evaluating Account and Services Requests (PDF)

(May 7, 2021) Tom Fite, director of the Indiana Department of Financial Institutions, is now chairman of the State Liaison Committee (SLC) of the FFIEC, the group said this week. He will serve a one-year term as SLC chairman from May 1 to April 30, 2022.

Fite was also reappointed to a two-year membership term on the SLC, which he first joined in 2017. Director of the Indiana regulator’s office since January 2016, Fite served before that as deputy director of the department’s depository division and, for 15 years prior to that, served in field examination and regional supervision.

In a statement, Todd Harper, chairman of both the FFIEC and the NCUA Board, congratulated Fite as a fellow Hoosier. “Tom’s examination and supervision acumen, along with his state regulatory experience and working knowledge of the SLC, make him an ideal choice for Chairman,” Harper said. “I look forward to working with him on the important work of the Council.”

The five-member SLC, in addition to Fite, also includes:

  • Steve Pleger, State of Georgia, Department of Banking and Finance senior deputy commissioner, designated by NASCUS; he is a current NASCUS Board member and a former chairman of the Regulator Board;
  • Kevin Allard, Ohio Division of Financial Institutions superintendent, designated by the American Council of State Savings Supervisors (ACSSS);
  • Melanie Hall, Montana Division of Banking and Financial Institutions commissioner, confirmed by the council; and
  • Susannah Marshall, Arkansas State Bank Department commissioner, designated by the Conference of State Bank Supervisors (CSBS).

LINK:
Fite Elected as State Liaison Committee Chairman, Reappointed to FFIEC State Liaison Committee  

(April 23, 2021) While no new regulations were proposed or finalized, the NCUA Board indicated at its meeting Thursday that final rules on two NASCUS-supported proposals – on capitalization of interest and derivatives – are nearing consideration.

In open session of the NCUA Board, Chairman Todd Harper said staff is “working through” issues on proposed rules for capitalization of interest and on derivatives. Harper said he was hopeful to see actions on the proposals “in the near future.”

The issue of action on proposed or pending regulations was brought up by Board Member Rodney Hood. Thursday’s meeting included only board briefings, on cybersecurity and an interim final rule addressing the impact of savings growth due to the coronavirus crisis on credit union capital.

Hood, in his comments, suggested the board work in the future “in a bipartisan manner” to develop board meeting agendas for “robust rulemaking opportunities.” Hood indicated that there are proposed rules awaiting action (and proposals waiting to be unveiled) that he and the other board members want to see move forward.

The capitalization of interest rule was proposed in November by the NCUA Board; it would remove the prohibition in agency rules against the capitalization of interest in connection with loan workouts and modifications, particularly as they struggled with the financial impact of the coronavirus crisis.

NASCUS, in its February comment letter, supported the proposal and called for its expeditious completion. NASCUS also recommended the agency reconsider the blanket prohibition against additional advances, to cover credit union fees and provide them with “the full range of options for managing and structuring loan work outs as other depository institutions.”

The derivatives rule was proposed in October; it would make the agency’s regulation less prescriptive and more “principles-based,” expanding federal credit unions’ authority to purchase and use derivatives as part of their interest-rate risk (IRR) management. NASCUS likewise supported the proposal in its December comment letter, calling for two changes: eliminate the redundant supervisory notice requirements where applicable, and incorporate exempt derivatives transactions directly into part 741.219 of NCUA rules – the section that covers federally insured state-chartered credit unions (FISCUs) and investment requirements.

NASCUS also noted that the proposal continues recognition by NCUA of the primacy of state law in determining investment authority for FISCUs.

Both items were issued for comment without objection by any members of the board.

LINKS:
NASCUS comment: Proposed Rule — Capitalization of Interest in Connection with Loan Workouts and Modifications

NASCUS comment: Proposed Rule — Derivatives (RIN 3133–AF29)

(April 23, 2021) Meanwhile, the NCUA Board did hear two briefings during its Thursday meeting: on cybersecurity and on an interim final rule (IFR) it adopted late last week on regulatory relief due to savings surges at credit unions.

Regarding the IFR, the board on April 16 announced it had adopted, by notation vote, the IFR that reduces the earnings retention requirement for credit unions classified as adequately capitalized, and permits an undercapitalized credit union to submit a streamlined net worth restoration plan if it becomes undercapitalized predominantly because of share growth during the coronavirus crisis. The rule is substantially similar to a rule that was adopted in May 2020 but lapsed at year-end. The rule took effect immediately and remains in place until March 31, 2022.

In a release last week, the agency said that, due to the pandemic’s continued financial and economic disruptions, it was necessary to reintroduce the two temporary relief measures.

Under the first provision of the IFR (reducing the earnings retention requirement for credit unions classified as adequately capitalized), NCUA said those credit unions unable to meet the requirement will not have to submit a written application requesting approval to decrease their earnings retention amount.

Under the second provision (permitting an undercapitalized credit union to submit a streamlined net worth restoration plan if it becomes undercapitalized predominantly because of share growth due to the crisis), if a credit union becomes less than adequately capitalized for reasons other than share growth, it must still submit a net worth restoration plan under the current requirements in NCUA’s regulations.

A 60-day comment period, ending June 18, is also open for the IFR.

The briefing on cybersecurity provided a status update (including threats and mitigation trends). Johnny Davis, the agency’s top cybersecurity expert, focused on supply chain risk management in his presentation, noting the agency will host a table-top exercise on the issue in August. He said the agency is looking for credit unions to volunteer to participate in the exercise, to gauge if there are additional items for due diligence consideration by the agency.

Davis noted that NCUA will be working with the Treasury Department, the Department of Homeland Security, and other law enforcement and intelligence agencies to carry out the planned exercise with credit unions.

NASCUS President and CEO Lucy Ito said the association looks forward to the inclusion of state supervisory authorities in this effort and other NCUA table-top exercises to more fully capture the totality of the national credit union environment in modeling supply chain attacks and other possible cyber intrusions.

At the end of the conversation at the meeting, Board Member Hood made a pitch for NCUA to procure examination authority over vendors to credit unions. Davis, in response to Hood’s query, said doing so would require an additional eight to 11 agency staff members, and an annual budget of up to $2 million (although Hood indicated that if NCUA obtains vendor exam authority, he would favor the FDIC’s model of not increasing its budget, at least initially).

“It’s important to note that NCUA would focus only on those significant service providers in core processing and payment arenas that are not already covered in the work that we do jointly with the FFIEC and our banking (regulatory) counterparts,” Davis said.

He added that “selected entities” subject to oversight would need to pose a significant concentration risk to credit unions in regard to service and products being consumed. “Exams would not be on an annual basis; likely a three to five year life cycle,” he said, calling that “very similar to collective audit spread of security controls.”

Davis said that “lifecycle” would also give the agency a chance to continuously monitor effectiveness, noting that “operational efficiencies would occur over time.”

Regarding vendor exam authority for NCUA, NASCUS supports the agency obtaining the power over technology service providers (TSPs) that provide services to federally insured credit unions — provided that any such authority requires NCUA to rely on state examinations of such service providers where such authority exists at the state level. Further, NASCUS supports efforts to strengthen state regulatory exam and supervision of third parties providing services to state-chartered credit unions.

Later this year, NASCUS, in partnership with the Credit Union Natl. Assn. (CUNA), hosts the Sept. 3-Nov. 9 Cybersecurity eSchool, a multi-week, virtual program developed to explore the latest popular and important cybersecurity topics, including strategies and tactics on how to keep credit union data safe.

LINKS:
Temporary Regulatory Relief in Response to COVID-19 – Prompt Corrective Action

April 2021 NCUA Board Presentation: Cybersecurity Update (Current Events and Trends)

Cybersecurity eSchool, in Partnership with CUNA

(April 16, 2021) In a development Friday morning, the NCUA Board announced it had adopted an interim final rule (IFR) by notation vote that reduces the earnings retention requirement for credit unions classified as adequately capitalized, and permits an undercapitalized credit union to submit a streamlined net worth restoration plan if it becomes undercapitalized predominantly because of share growth during the coronavirus crisis.

The board adopted the IFR – which is substantially similar to a rule that was adopted last May but lapsed at year-end 2020 – in a notation vote. The IFR is also the subject of a briefing for the board at its regular monthly meeting Thursday (April 22). That same meeting will also include a board briefing on cybersecurity.

The IFR takes effect immediately; the vote also keeps the temporary measures in place until March 31, 2022.

Last May, the board issued an IFR that waived the earnings retention requirement for “adequately capitalized” credit unions and eased net worth restoration plan requirements for some “undercapitalized” credit unions. That rule, approved with an expiration date of Dec. 31, 2020, was intended to help ensure that federally insured credit unions (FICUs) remained operational and liquid during the COVID-19 crisis.

NCUA called this week’s rule “substantially similar” to the regulation adopted nearly a year ago. The agency said that, due to the pandemic’s continued financial and economic disruptions, it was necessary to reintroduce the two temporary relief measures.

Under the first provision of the IFR (reducing the earnings retention requirement for credit unions classified as adequately capitalized), NCUA said those credit unions unable to meet the requirement will not have to submit a written application requesting approval to decrease their earnings retention amount.

“However, if a credit union either poses an undue risk to the National Credit Union Share Insurance Fund or exhibits material safety and soundness concerns, the appropriate NCUA Regional Director may require the credit union to submit an earnings transfer waiver request,” the agency said.

Under the second provision (permitting an undercapitalized credit union to submit a streamlined net worth restoration plan if it becomes undercapitalized predominantly because of share growth due to the crisis), if a credit union becomes less than adequately capitalized for reasons other than share growth, it must still submit a net worth restoration plan under the current requirements in NCUA’s regulations.

In a statement, NCUA Board Chairman Todd Harper said the changes reflect the impact of the influx of savings by members into their credit unions from stimulus payments and other sources. “The latest round of stimulus spending has further expanded credit unions’ balance sheets,” Harper said. “As a result, many well-run credit unions with positive earnings now have lower net worth ratios. Given the continued uncertainty with the pandemic and share growth many credit unions are seeing, this targeted, tailored and temporary rule will provide critical relief so eligible credit unions can focus their limited resources on their members’ needs instead of planning for earnings transfers and developing detailed net worth restoration plans.”

Board Vice Chairman Kyle Hauptman characterized the rule as a method for allowing credit unions to stay focused on serving members. Board Member Rodney Hood observed that “while this temporary relief wasn’t widely utilized last year when it expired, it now appears we need this tool now for credit unions.”

The IFR has a 60-day comment period, ending on June 18.

LINKS:
Temporary Regulatory Relief in Response to COVID-19 – Prompt Corrective Action

NCUA Board April 22 open meeting agenda

(April 16, 2021) NCUA and other federal agencies are seeking feedback on how well four-year-old guidance for complying with anti-money laundering and Bank Secrecy Act (AML/BSA) requirements is working for them, according to a request for information (RFI) issued late last week.

NCUA joined with the federal banking agencies, as well as Treasury’s Financial Crimes Enforcement Network (FinCEN) and the Office of Foreign Assets Control (OFAC) in issuing the RFI. It seeks comment on the principles outlined in the 2017 interagency “Supervisory Guidance on Model Risk Management.” Comments are due June 11 (following a 60-day comment period).

According to the RFI, it is aimed at enhancing the agencies’ understanding of institutions’ practices with respect to BSA/AML and OFAC compliance and determining whether additional explanation or clarification may increase transparency, effectiveness, or efficiency.

Even though the banking agencies’ model risk management guidance (MRMG) does not apply to credit unions, the RFI nonetheless seeks input from the perspective of credit unions as well as banks.

The OCC, Fed Board, and FDIC, in consultation with NCUA and FinCEN, also issued a statement late last week to clarify that the risk management principles discussed in the model risk management guidance (MRMG) are appropriate considerations in the context of the BSA/AML statutory and regulatory requirements.

In an unrelated, but topical, development this week, the U.S. Justice Department announced the indictment of two individuals (now defendants under the federal indictment) who allegedly used a now-defunct New York credit union (and others) as their cover in facilitating more than $1 billion in high-risk transactions that were carried out without AML controls. In a release, the DOJ said the two defendants were charged with failure to maintain an anti-money laundering program, failure to file suspicious activity reports (SARs), and operation of an unlicensed money transmitting business (MSB).

According to the DOJ, the former New York State Employees Federal Credit Union (NYSEFCU) of New York, N.Y. – a $2 million credit union liquidated in 2017 by NCUA, citing (among other things) AML/BSA deficiencies — allowed the defendants to conduct high-risk transactions through the credit union during 2014-16. The DOJ said the defendants allegedly caused the transfer of more than $1 billion in high-risk transactions, including hundreds of millions of dollars originating from foreign jurisdictions, through NYSEFCU and other entities.

The law enforcement agency said that, contrary to their representations of being trained and well-versed in AML practices, the defendants “willfully failed to implement and maintain the requisite AML programs or conduct oversight required to detect, identify, and report suspicious transactions. This caused, among other things, the NYSEFCU to process more than a billion dollars in high-risk transactions,” during the individuals’ relationship with the credit union, “without ever filing a single Suspicious Activity Report, as required by law,” the DOJ said.

NASCUS, in conjunction with CUNA, each year sponsors a BSA/AML Certification School, widely viewed as the premier event of its kind for credit unions in the subject area. The event is typically held in the fall; last year’s event, in the wake of the coronavirus crisis, was held as a virtual “e-school.” The annual program helps attendees boost their status as reliable, confident authorities on all things relevant to the Bank Secrecy Act (BSA). It also offers them an opportunity to earn or recertify their BSA Compliance Specialist (BSACS) designation.

LINK:
Request for Information and Comment: Extent to Which Model Risk Management Principles Support Compliance With Bank Secrecy Act/Anti-Money Laundering and Office of Foreign Assets Control Requirements

(April 16, 2021) A request for information (RFI) about how credit unions and banks use artificial intelligence (AI) in their activities, including fraud prevention, personalization of customer services, credit underwriting, and more, has been summarized by NASCUS and posted on the website this week.

The summary is available to members only.

On March 29, the CFPB – along with NCUA and federal banking agencies – issued the RFI seeking information from a broad audience that includes credit unions and other financial institutions, but also trade associations, consumer groups, and other stakeholders. The agencies said they want to better understand financial institutions’ use of AI, including machine learning; appropriate governance, risk management, and controls over AI; challenges in developing, adopting, and managing AI; and whether clarifications are needed.

Regarding those clarifications, CFPB and the other agencies said they want to learn whether any clarifications from the agencies would be helpful for financial institutions’ use of AI “in a safe and sound manner and in compliance with applicable laws and regulations, including those related to consumer protection.”

Comments are due June 1.

LINK:
NASCUS Summary: Request for Information/Comment on Financial Institutions’ Use of Artificial Intelligence/Machine Learning

(April 16, 2021) Samuel Schumach was tapped as deputy director for external affairs and communications at NCUA this week by agency board Chairman Todd Harper. Schumach previously served as legislative affairs officer for the Federal Aviation Administration (FAA). Before that, he was a media spokesperson for the CFPB and had also served as press secretary for the Office of Personnel Management (OPM), the White House Office of National Drug Control Policy, and for former Senate Majority Leader Harry Reid (D-Nev.) … Two in five of new hires (42.1%) in 2020 were people of color, and gender diversity among senior executives achieved parity last year for the first time, NCUA said this week in a report outlining the agency’s hiring practices. In its Office of Minority and Women Inclusion (OMWI) annual report, NCUA also said 188 federally insured credit unions submitted Voluntary Credit Union Diversity Self-Assessments in 2020, up 59.3% from the 118 submissions in 2019 … Federal legislation to mitigate risks related to legacy contracts that use LIBOR (London Interbank Offered Rate) will be needed, Federal Reserve General Counsel Mark Van Der Weide told a congressional hearing Thursday. He said such legislation would establish a uniform national framework for replacing LIBOR in legacy contracts that do not provide for an appropriate fallback rate. Additionally, he indicated, a statute could diminish the instance of lawsuits that he said are inevitable due to the phase out of the reference rate. A witness at the same hearing from the OCC made essentially the same points. LIBOR is scheduled to be phased out at the end of this year (meaning, no new loans or contracts are supposed to be written that use the rate). 
Additionally, existing “legacy contracts” (or those that are in force now and using the reference rate) have until June 2023 to discontinue the reference rate … An executive order directing federal financial regulators (including NCUA) and others to combat climate-related financial risks is being prepared by President Joe Biden (D), according to press reports this week. The order would be issued in conjunction with a “climate summit” set for next week in Washington. Among other things, the order will also reportedly direct the Treasury Department to assess climate risks to the financial system and report back within 180 days.

LINKS:
Samuel Schumach Named Deputy Director for External Affairs and Communications

NCUA Releases Office of Minority and Women Inclusion Annual Report to Congress