
NCUA Supervisory Priorities for Compliance

Robert Parrish, Director Region III Division of Supervision. NCUA Supervisory Priorities for Compliance. Georgia Credit Union Affiliates Compliance Council March 14, 2017. Agenda. Vendor Due Diligence 2017 Compliance Priorities Cybersecurity Bank Secrecy Act Compliance MBL Rule



Presentation Transcript


  1. Robert Parrish, Director Region III Division of Supervision NCUA Supervisory Priorities for Compliance Georgia Credit Union Affiliates Compliance Council March 14, 2017

  2. Agenda • Vendor Due Diligence • 2017 Compliance Priorities • Cybersecurity • Bank Secrecy Act Compliance • MBL Rule • TILA-RESPA • Consumer Compliance • Questions Vendor Management

  3. Vendor Management Properly leveraging the skills and experience of qualified third parties may enable credit unions to: • Provide access to products and services through expanded delivery channels; • Pilot new programs for evaluation prior to implementation; • Offer more cost-effective products and services; and • Manage programs not feasible without external expertise. Vendor Management

  4. Regulatory Foundation for Vendor Management NCUA Rules and Regulations Part 748 Appendix A, Section D. Oversee Service Provider Arrangements Each credit union should: • Exercise appropriate due diligence in selecting service providers; • Require its service providers by contract to implement appropriate measures designed to meet the objectives of these guidelines; and • Where indicated by the credit union’s risk assessment, monitor its service providers to confirm that they have satisfied their obligations as required by paragraph D.2. As part of this monitoring, a credit union should review audits, summaries of test results, or other equivalent evaluations of its service providers. Vendor Management

  5. Vendor Management Program Written policy and procedures sufficient to outline expectations and limit risks originating from third party arrangements which should • Define the credit union risk strategy • Define the credit union board’s risk tolerance levels • Establish program limits • Establish risk management practices including risk measurement and monitoring • Outline staff responsibilities and authorities • Define the content and frequency of reporting to credit union management and officials. Vendor Management

  6. Pre-Planning Before entering into a third party relationship, officials should • Complete a risk assessment • Determine whether the relationship complements their credit union’s overall mission and philosophy • Document how the relationship will relate to their credit union’s strategic plan, considering long-term goals, objectives, and resource allocation requirements • Weigh the risks and benefits of outsourcing business functions with the risk and benefits of maintaining those functions in-house Vendor Management

  7. Examination Concerns Common Region III examination concerns regarding vendor management during 2016 • Failure to adequately monitor vendors on an ongoing basis • Failure to develop an adequate written Vendor Management policy • Failure to complete an appropriate risk assessment Vendor Management

  8. 2017 Exam Priorities NCUA Update

  9. Cybersecurity Ongoing Concerns Over Access and Disruption • Steady frequency of attacks • Continuation of financial losses and reputational damage • Elevated level of sophistication and ease on the part of criminals/terrorists Cybersecurity Assessment Tool • Released jointly in June 2015 by NCUA and other FFIEC agencies • Provides a structured methodology to manage information security and protect member information more effectively • Intended to measure cybersecurity preparedness over time and identify any gaps in risk management practices Structured Assessment Process • Late 2017 - Increased emphasis on cybersecurity by enhancing examination focus NCUA Update

  10. Cybersecurity NCUA incorporated the Cybersecurity Assessment Tool into our exam process in 2016 • To facilitate our understanding of how effectively credit unions are managing cybersecurity measures NCUA continues to foster and facilitate sharing of best practices to enhance credit union cybersecurity programs • Risk management practices are fundamental to a strong cybersecurity program • Business continuity planning is crucial in preventing business disruptions • Dual controls are essential to a strong internal control function • Access/authentication controls are central to preventing unauthorized network intrusions • Audit program is imperative to testing strength of IT controls, self-identifying IT weaknesses, and ensuring the protection of customer information *Visit our Cybersecurity Resources Page on NCUA’s website for more info on the Cybersecurity Assessment Tool and other cyber sources. NCUA Update

  11. Response Programs for Unauthorized Access to Member Information • Incident response procedures are key to an effective information security program • Part 748 (Appendix B) of NCUA Rules – outlines the minimum components of an incident response program • Incident Response Program – should include procedures for: • Assessing the nature and scope of an incident • Identifying compromised member information • Notifying the appropriate NCUA Regional Director and SSA (if relevant) • Taking steps to contain and control the incident to prevent further unauthorized access • Filing Suspicious Activity Reports (SARs) • Preserving records and other evidence • Notifying members when warranted • In 2017 exams, NCUA field staff will review credit unions’ incident response programs NCUA Update

  12. Bank Secrecy Act Compliance • NCUA – Vigilantly ensuring credit unions are not laundering money or financing criminal/terrorist activity NCUA focusing on CU relationships with Money Services Businesses (MSBs) MSBs include: • Check Cashers, Prepaid Card Providers, Money Transmitters, Foreign Currency Dealers, Money Order and Travelers Check Issuers • Bank Secrecy Act (BSA) prescribes recordkeeping and reporting requirements to detect illicit activity NCUA Update

  13. Bank Secrecy Act Compliance Examiners will verify that CU relationships with MSBs include: • Customer Identification • Customer due diligence and constant monitoring processes • Assurance that MSBs are registered with FinCEN and in compliance with state/local licensing requirements • Risk measurements gauging risks associated with MSB accounts and enhanced due diligence when necessary *See the Bank Secrecy Act page on NCUA’s website and NCUA Letters to Credit Unions No. 14-CU-10 – Identifying and Mitigating Risks of Money Service Businesses, for further guidance NCUA Update

  14. Implementation of the MBL Rule • Regulatory Relief and Enhanced Risk Management • Provides regulatory relief from loan-to-value ratio requirement, personal guarantee requirement, vehicle lending, and construction and development lending • Streamlines the waiver process • Replaces prescriptive requirements with greater flexibility and individual autonomy in safely and soundly serving business borrowers • Provides greater emphasis on managing business lending using sound risk management practices rather than monitoring to comply with regulatory restrictions NCUA Update

  15. Implementation of the MBL Rule • Supervisory Focus • Oversight focused on the effectiveness of risk management processes and the aggregate risk profile of the credit union’s loan portfolio • Sound Risk Management Processes • Responsible risk management and comprehensive due diligence remain crucial to a safe and sound commercial lending program and encompass all aspects of the lending program • Administering • Underwriting • Servicing NCUA Update

  16. Implementation of the MBL Rule • NCUA Guidance and Training • Focus on Core Elements of a Sound MBL Program • Principles for managing commercial loan risk • Critical components of commercial loan policies • Credit approval process • Credit risk-rating systems • Structuring of credit packages to properly align members’ needs with financial abilities to repay • Credit risk management processes for underwriting • Ongoing loan administration and risk monitoring NCUA Update

  17. Implementation of the MBL Rule • Board of Directors Responsibilities • Credit union’s board of directors is ultimately accountable for the safety and soundness of the credit union’s commercial lending activities and must remain adequately informed about the level of risk in the commercial loan portfolio • Set strategic direction • Approve risk management policies • Remain informed about the nature and levels of risk • Require appropriate staffing of the commercial lending function NCUA Update

  18. Implementation of the MBL Rule • Experience Requirements • Adequate training and experience are crucial to a safe, sound, and successful commercial lending program • Program should include well-defined roles and responsibilities and ensure effective coordination between key credit functions • Commercial Lending Policies • Policies and procedures must provide for ongoing control, measurement, and management of the credit union’s commercial lending activities • Adopt a formal credit risk-rating system to identify and quantify the level of risk within the commercial loan portfolio NCUA Update

  19. TILA-RESPA • TILA-RESPA: Integrated Disclosure Rule • Credit unions accepting applications for real estate loans on or after October 3, 2015 (except HELOCs, reverse mortgages, and commercial loans) are required to comply • Requires loan originators to provide consumers with: • Loan Estimate Form – combines Truth in Lending Act (TILA) disclosure and Good Faith Estimate. To be delivered or mailed by 3rd business day from receipt of mortgage application • Closing Disclosure Form – combines the final TILA disclosure and HUD-1 Settlement Statement. To be provided at least 3 days prior to consummation of mortgage • Rule also imposes record retention requirements and restricts mortgage originators from imposing certain fees, providing estimates, or requiring consumer verification of information prior to providing a Loan Estimate Form • *See the Consumer Compliance Regulatory Resources page on NCUA’s website for more information NCUA Update

  20. Consumer Compliance • Compliance Management Systems • Field staff to evaluate Compliance Management Systems when examining federal credit unions • Assess board and management oversight and compliance programs • Policies and Procedures • Training • Monitoring/Audit • Response to Complaints • Change Management • Risk Management • Self-Identification and Corrective Actions • Military Lending/Servicemembers’ Civil Relief Acts/Equal Credit Opportunity Act • New procedures and questionnaires for evaluating compliance with Military Lending Act, the Servicemembers’ Civil Relief Act, and ECOA • For more information, visit NCUA’s Consumer Compliance Regulatory Resources website NCUA Update

  21. Q&A Questions? Vendor Management

  22. Resources • NCUA Rules and Regulations Part 748 Appendix A, Section D • NCUA Letter to Credit Unions 07-CU-13 • NCUA Letter to Credit Unions 17-CU-01 Vendor Management

  23. Office Contact Page Feel free to contact our office with questions or comments. Primary Staff: Robert Parrish, Director rparrish@ncua.gov Office Phone: 678-443-3004 Vendor Management
