2015 Spring MACCU

Compliance Update

Agenda

E-Sign Act Electronic Signatures in Global & National

Commerce Act NCUA

2015 Supervisory Priorities (Old & New)Lending ProgramSmall Credit Union Exam Program

E-Sign Act Background & History

E-Sign Act Signed Into Law -In the year 2000

President Bill Clinton

“”

Article 1 Section 10 clause 1 of the Constitution shall forever be known as the Contract Clause

JAMES MADISON

[I]n the just preservation of rights and property, it is understood and declared, that no law ought ever to be made, or have force in the said territory, that shall, in any manner whatever, interfere with or affect private contracts or engagements, bona fide, and without fraud, previously formed.

Electronic Signatures In Global and National Commerce Act

(1)a signature, contract, or other record relating to such transaction may not be denied legal effect, validity, or enforceability solely because it is in electronic form; and

(2)a contract relating to such transaction may not be denied legal effect, validity, or enforceability solely because an electronic signature or electronic record was used in its formation.

*******Definitions can be found in Section 106 of ACT

What is an Electronic Signature?

An electronic sound, symbol, or processattached to or logically associated with arecord and executed or adopted by a person with the intent to sign the record.

Uniform Electronic Transactions ActUETA

Uniform Electronic Transactions Act-UETA

At the state level:

S.C. Code §26-6-10 et seq.http://www.scstatehouse.net/code/t26c006.doc

N.C. Gen. Stat. §66-311 et seq.http://www.ncleg.net/EnactedLegislation/Statutes/HTML/ByArticle/Chapter_66/Article_40.html

How Can You Comply?

Credit Union Requirements

1) The member has consented to the electronic format and has not withdrawn this consent.

2) The member is provided, before consenting to the format, with a clear and conspicuous Statement:• informing the member that he/she has the right to receive the record(s) in

paper form. Also, that they may withdraw their consent and any consequences of withdrawing the consent (fees or termination of account, for example)

• informing the member of the scope of the consent, whether it is for a single transaction, or categories of records to be provided in an ongoing relationship

Credit Union Requirements Cont.

• describing the procedures the member must use to withdraw consent, and to update information needed to contact the member electronically

• informing the member of the method to request and obtain a paper copy of an electronic record after giving consent and any associated fees.

3) The member is provided with a statement of hardware and software requirements for access to and retention of electronic records.

4) Member consents, or confirms his/her consent electronically in a manner demonstrating the member can access the information in the electronic form the credit union will use.

Credit Union Requirements After Receiving Consent

5) If the hardware and software requirements for accessing or retaining electronic records change, creating a material risk that the member may not be able to access or retain subsequent electronic records, the credit union must…

• provides the member with a notice of the changes, and the right to withdraw the consent without charging a fee for the withdrawal, and without imposing any condition or consequence not previously disclosed.

• consents, or confirms his/her consent electronically in a manner demonstrating the member can access the information in the electronic form the credit union will use. (MUST GIVE CONSENT AGAIN)

E-Sign Other Topics (Section 101(c)

Prior Consent

Consumer disclosures of the E-Sign Act does not apply to any records that are provided or made available to a member who has consented prior to the effective date of the E-Sign Act. (2000)

Oral Communication

A recording of an oral

communication shall not qualify as an electronic record for purposes of the consumer disclosures of the E-Sign Act except as provided under applicable law.

E-Sign Other Topics (Section 101(d)

AccuracyAccurately reflect the

information set forth in the record to be retained.

AccessibilityRemain accessible to all

persons who are entitled to access it, for as long as legally required, in a form that is capable of being accurately reproduced for later reference.

Training Compliance Requirements

Annually ensure

all departments are aware of all aspects of the E-sign Act.

Annually update policies and procedures to reflect the provisions of E-Sign Act.

Internal Review

At least annually review compliance with the E-sign Act.

Conformity of the credit union’s practices with its policies and procedures.

Risks & Best Practices

E-Sign Risks

1. Failure to implement necessary controls to comply

2. Allowing E-signatures for exempt items (such as POA/deeds/court documents)

3. Failure to draft an adequate policy

4. Failure to update your policy

5. Failure to train all departments

6. Failure to ensure member has not withdrawn their consent

7. Failure to retain documents/FORMAT

Gather Process Evidence- Digital processes should aim to strengthen a credit union’s legal and compliance position by capturing and reproducing stronger evidence than is possible with pen and paper.

Embed the Audit Trail- All electronic signatures, time stamping and audit trails should be embedded directly within the document rather than stored separately in the cloud or a proprietary database.

E-Signature Best Practices

www.cuinsight.com/top-5-e-signatures-security-best-practices-for-credit-iunions.html

Do NOT use Email to Distribute Documents Containing Private Member Information- Deliver documents and disclosures through a secure html page (one that the member logs into to view). From there, PDF copies of documents can be downloaded for their own files.

Use Digital Signatures -Both the document and the E-signatures should be protected using digital signature technology. The digital signature creates a digital fingerprint of the document (called a hash) that can later be used to verify the integrity of the E-record. If the document is tampered with the E-signature will be visibly invalidated.

E-Signature Best Practices

www.cuinsight.com/top-5-e-signatures-security-best-practices-for-credit-iunions.html

E-Sign Enforcement /Liability

Penalties

1. E-Sign Act does not specify civil liability provisions for violations

2. Nor does it provide an exemption from penalties

Moving Forward with Today’s Agenda

NCUA • 2015 Supervisory Priorities (Old & New)• Lending Program• Small Credit Union Exam Program

"Change is the law of life and those who look only to the past or

present are certain to miss the future."

—John F. Kennedy

NCUA 2015 Supervisory Priorities Top 5 concerns

NCUA 2015 Supervisory Priorities I. Cybersecurity – Focus on proactive measures CU can take to protect their data and their members including:

• Encrypting sensitive data

• Developing a comprehensive Information Security Policy (ISO)

• Vendor Due Diligence (3rd parties) that handle CU PII data

• Monitoring cybersecurity risk exposure

• TESTING security measures (Results & Rebounding)

** Examiners will be evaluating your capacity to notify, recover and resume operations in the event of a security breach does occur.

Appendix B NCUA Rules & Regulations Part 748 -Guidance

The biggest cybersecurity threats of 2015

Insider Cybersecurity Issues

1. Equipment Losses: Laptop, Keys etc.

2. Skimmers, Key loggers, Phishing Emails, Cell Phones & Other blue tooth devices –Training required

3. Employee Retention Issues (why are they leaving)

4. Moving of employee accounts to another institution

5. Substance Abuse & Gambling Issues

6. Failure to Update Malware –Regularly

Cybercrime's Easiest Prey: Small businesses

1. Lack of IT department

2. Lack of protected computers and updated malware

3. They offer the path of least resistance

Latest trend in this arena: The most common tactics cyber attackers use against small businesses include "ransomware" scams that lock computers and demand a ransom fee. Attackers also use malicious software designed to steal information from employees' mobile devices and malware that uses a small businesses' website as bait to gain access to a larger company's database. http://money.cnn.com/2013/04/22/smallbusiness/small-business-cybercrime/index.html

What Can the CEO/Executive Leadership do to Mitigate Risk

NCUA Channel On YouTube

Resources: Stay on top of current trends

1. Join local work group

a. Columbia, SC: USPIS

b. Greensboro, NC: USPIS

2. Join National Organizations such as :

a. IACFI Carolinas (cost 2 /1 until end of April) normally cost $100.00 a year. https://www.iafci.org

b. Training program $85 (for 12 CPE hrs.) Durham, NC

c. Additional training offerings through out the year

Resources: Stay on top of current trends3. Review Online Cybersecurity Resources: (NCUA/FFEIC)

4. Visit the CCUL League Website (FRAUD SECTION)

a. view update fraud articles & resources

b. view real time fraud alerts from member credit unions

5. Attend CCUL Compliance Conference on November 17-18, 2015 in Charlotte ( contact Jeanne Couchois for more Information). Topics to include Risk Assessments, ERM, Fraud etc.

A BREACH/FRAUD OCCURRENCE WILL HAPPEN EVENTUALLY-PREPARE TODAY!

Vendor Cybersecurity Risk Management Option

Example: MasterCard & CU’s

The White House also listed MasterCard’s partnership with First Tech Credit Union to launch a biometrics pilot program later this year, allowing consumers to authenticate and verify

transactions using unique biometrics like facial and voice recognition.

NCUA 2015 Supervisory Priorities II. Interest Rate Risk (IRR) – No new guidance- continued compliance with 2014

NCUA Rule:

• CU over 50 million to draft & implement a written IRR policy

• Develop a program to identify, measure, monitor and control IRR

NCUA IRR Rules & Resources page on NCUA website –Guidance

III. NCUA Liquidity Rule Section 741.12

• Full Compliance Required

• $250 million or more Dec 31, 2014 requirement to advance planning & Periodic testing to ensure contingent funding sources are available when needed.

• Examiners will also be looking to evaluate THE RESULTS OF YOUR TEST.

NCUA 2015 Supervisory PrioritiesIV. BSA Compliance

Specific focus will be on Credit Union relationships with Money Service Businesses (MSB)

• Identifying customers

• MSB registration

• Enhanced Risk Assessment

NCUA BSA page on website for additional guidance

V. RESPA-TILA CFPB Integrated Disclosures (August 1, 2015) *

At this point MLO’s should be working on rewriting policy & procedures to ensure compliance by August.

NCUA 2015 Supervisory Priorities

V. RESPA-TILA CFPB Integrated Disclosures (August 1, 2015) *

• At this point MLO’s should be working on rewriting policy & procedures to ensure compliance by August.

• LETTER No.: 14-CU-01

• NCUA ALERT 14-RA-01 provides additional information about the new rule and its exemptions.

NCUA 2015 Supervisory Priorities

From the Perspective of Examiners

Top 3 concerns

NCUA 2015 Revised Focus: 3rd RegionI. IRR

• What does it mean to earnings• Can you get over it (Impact Analysis) • Model that works• Test It (Back testing)/ Independent Testing• Do you look at your balance sheets for deposits or do you have another

source

II. Cybersecurity• Comprehensive Plan (Required)• Policy & Vendor Mgt. Plan• CEO’s must address: (How are you mitigating the risk)• What did you learn? (Back Brief- What would you do differently)• CUSO (Can not be the only way of putting off risk)

NCUA 2015 Revised Focus: 3rd Region

III. RESPA/TILA

It’s the first year so at least have the basics:

• Have a policy/plan in place

• Have new forms/ or access to new forms

• Have trained personnel & staff

• Remember when new disclosures go into affect: August 1, 2015

• Remember other lending rules such as Ability to Repay Rule (8 factors)

Lending Program Compliance

Specialized Lending Programs

Lending Programs

Specialized Lending:• Indirect, • Third-party &• Sub prime

Letter to FCU on Appropriate Due Diligence

Specialized Lending Programs

Guidance:•WATCH DELINQUENCY/CHARGE-OFFS•VENDOR DUE DILIGENCE•RISK ASSESSMENT

*http://www.ncua.gov/Resources/Documents/05-RISK-01.pdf

*http://www.ncua.gov/Resources/Documents/LCU2004-13.pdf

Small Credit Union Exam Program

Small Credit Union Exam Program

2 Exam Options: Defined -OR- Risk Based •Determined based upon-•Camel Rating•Asset Class•Complexity of Product & Services

Small Credit Union EXAM Type

Small Credit Union Exam Program

Defined Scope Exam Approach:• Internal controls• Recordkeeping • LendingIn 2nd qtr. 2015 examiners will use a 3 tiered approachStandard required procedures, more in depth

analysis and testing triggered by red flags

Additional Resources & Assistance

OSCUI-Office of Small Credit Union Initiatives

http://www.ncua.gov/Resources/OSCUI/Pages/default.aspx

FS-ISAC –FFEIC Resource

Beth Hubbard bhubbard@fsisac.us (Member Services)

(*fee as low as $250 per year for assets size under 1 billion)

FFEIC- Executive Leadership of Cybersecurity (Free Webinar) http://www.ffiec.gov/cybersecurity.htm

NEVER GIVE UP!

CCUL Compliance Team

QUESTIONS?

Compliance Department

compliance@carolinasleague.org