Akin to, the in-laws are coming, and they are bringing gifts…
NCUA encourages all credit unions to use the FFIEC tool to manage cybersecurity risks. NCUA also plans to begin incorporating the Cybersecurity Assessment Tool into its examinations in the second half of 2016. We provide a link to the FSSCC Cybersecurity Assessment Tool on our Resources page that may help in completing the assessment.
Appendix B to Part 748 of NCUA rules and regulations, Guidance on Response Programs for Unauthorized Access to Member Information and Member Notice, outlines the minimum components of an incident response program that federally insured credit unions need to develop and implement. An incident response program is needed to address unauthorized access to, or use of, member information that could result in substantial harm or inconvenience to a member. In 2016, NCUA will be reviewing credit unions’ incident response programs with regard to unauthorized access to member information.
Bank Secrecy Act
NCUA remains vigilant in ensuring the credit union system is not used to launder money or finance criminal or terrorist activity. NCUA field staff are required to review credit unions’ compliance with the Bank Secrecy Act and to complete the related examination questionnaire at every examination.
In 2016, NCUA field staff will focus on credit unions’ relationships with money services businesses, also known as MSBs.
Credit unions can provide services to an MSB while meeting BSA requirements, but should be aware of the unique risk exposure MSBs can present and the corresponding need for commensurate expertise and monitoring systems. In 2014, NCUA issued guidance to field staff and credit unions on Identifying and Mitigating Risks of Money Service Businesses. The guidance describes the steps credit unions should take to mitigate any money-laundering risks posed by MSBs.
If your credit union provides services to an MSB, field staff will verify that you meet the following minimum expectations established by NCUA and federal banking agencies:
- Perform customer identification program procedures;
- Ensure each MSB is registered with the Financial Crimes Enforcement Network (FinCEN) and is in compliance with state and local licensing requirements; and
- Conduct a BSA/anti-money laundering risk assessment to document the level of risk associated with each MSB account and determine whether greater due diligence is necessary.
TRID Disclosure Rule
Credit unions that have accepted applications for real estate loans on or after October 3, 2015 (except for home equity lines of credit, loans, reverse mortgages, and commercial loans) are required to comply with the TILA-RESPA integrated disclosure rule, which the Consumer Financial Protection Bureau adopted to help consumers better understand mortgage transactions.
The TILA-RESPA integrated disclosure rule also imposes record retention requirements and restricts mortgage originators from imposing certain fees, providing estimates, or requiring consumers to verify before providing a loan estimate to a consumer.
Regulatory requirements associated with NCUA’s CUSO rule became effective June 30, 2014. One of the primary changes to the rule requires all federally insured credit unions that invest in or lend to a CUSO to enter into a written agreement requiring the CUSO to submit annual reports directly to NCUA and the state supervisory authority, if applicable.
CUSOs will start providing their annual reports through the CUSO Registry in 2016. Once the deadline for CUSOs to register with NCUA has passed, field staff will check to ensure any CUSO a credit union has loaned to or invested in has registered with NCUA.