Hot Topics and Red Flags ACUIA Chapter Meeting May 12, 2017 Peter Seidl, Principal Examiner Region 4


Page 1: Hot Topics and Red Flags - ACUIA › sites › acuia.org › files › MN Chapter... · 2018-04-28 · advanced online banking fraud ... BSA Compliance Program Hot Topics and Red

Hot Topics and Red Flags

ACUIA Chapter Meeting

May 12, 2017

Peter Seidl, Principal Examiner

Region 4

Areas of Focus

Hot Topics

• Cybersecurity Assessment

• Bank Secrecy Act Compliance

• Internal Controls and Fraud Prevention

• Interest Rate and Liquidity Risk

• Commercial Lending

• Consumer Compliance

Cybersecurity

cy·ber·se·cu·ri·ty, noun \-si-ˌkyu̇r-ə-tē\

measures taken to protect a computer or computer system (as on the Internet) against unauthorized access or attack

Merriam Webster

Cybersecurity – The ability to protect or defend the use of cyberspace from cyber attacks. SOURCE: CNSSI-4009 - NIST.IR.7298r2

WHY IS CYBERSECURITY GETTING SO IMPORTANT?

Financial Services Attract the Criminals

• Financial Services Continue to Report the Highest Number of Breaches

• Small and Large Organizations are Victims

Confirmed Breaches

Industry                  Total   Small   Large   Unknown
Accommodation (72)          282     136      10       136
Administrative (56)          18       6       2        10
Agriculture (11)              1       0       0         1
Construction (23)             4       0       1         3
Educational (61)             29       3       8        18
Entertainment (71)           38      18       1        19
Finance (52)                795      14      94       687
Healthcare (62)             115      18      20        77
Information (51)            194      12      12       170
Management (55)               0       0       0         0
Manufacturing (31-33)        37       5      11        21
Mining (21)                   7       0       6         1
Other Services (81)          11       5       2         4
Professional (54)            53      10       4        39
Public (92)                 193       4     122        67
Real Estate (53)              5       3       0         2
Retail (44-45)              137      96      12        29
Trade (42)                    4       2       2         0
Transportation (48-49)       15       1       3        11
Utilities (22)                7       0       0         7
Unknown                     270     109       0       161
Total                     2,260     447     312      1501

Source: 2016 Verizon Data Breach Investigations Report

Everything Is Connecting

“Things talking to Things”

Black Market Prices for Consumer Files

One way criminals monetize the fruits of their labor (intrusion and breach)

Another way criminals monetize their skills: providing services or selling exploit kits.

Ultimately, this growing black market is increasing risk exposure to legitimate businesses

Credit Unions will Continue to Increase in Popularity as a Target

Growing numbers of CU attacks and compromises are being reported.

"This malware is as stealthy and persistent as the Nymaim loader while possessing the Gozi ISFB Trojan’s ability to manipulate Web sessions, resulting in advanced online banking fraud attacks," the IBM X-Force researchers said in a blog post.


Some Recent Examples

• $80 million FICU victim of CryptoWall

– ($500 US in bitcoin to get data systems released)

– Other small FICUs (refused ransom, wiped the box and restored data successfully)

• $60 million FICU victim of account takeover

– Corp CU recognized unusual transaction and halted auto wire pending human confirmation

• Medium institution(s) ID theft, tax return fraud with false identities

• Data exfiltration (sold on black market)

• Website Defacement

• Ransomware took down portion of network where backup failed ($$$$ to mitigate)

Cybersecurity Assessment Tool

Objective

To help financial institutions identify their risks and determine their cybersecurity maturity

The Assessment provides institutions with a repeatable and measurable process to inform management of their institution’s risks and cybersecurity preparedness.

Assessment Tool Materials

Consists of two parts

Part One: Inherent Risk Profile

Part Two: Cybersecurity Maturity

FFIEC Cybersecurity Assessment Tool

Inherent Risk Profile Categories

• Technologies and Connection Types

• Delivery Channels

• Online/Mobile Products and Technology Services

• Organizational Characteristics

• External Threats

Inherent Risk Profile Risk Levels

[Figure: five inherent risk levels: Least Inherent Risk, Minimal Inherent Risk, Moderate Inherent Risk, Significant Inherent Risk, Most Inherent Risk]

Type, volume, and complexity of operations and threats directed at the institution contribute to the risk level


FFIEC Cybersecurity Assessment Tool

Domains and Assessment Factors

1. Cyber Risk Management & Oversight

• Governance
• Risk Management
• Resources
• Training and Culture

2. Threat Intelligence & Collaboration

• Intelligence Sourcing
• Monitoring and Analyzing
• Information Sharing

3. Cybersecurity Controls

• Preventative Controls
• Detective Controls
• Corrective Controls

4. External Dependency Management

• Connections
• Relationships Management

5. Cyber Incident Management & Resilience

• Incident Resilience Planning and Strategy
• Detection, Response and Mitigation
• Escalation and Reporting

Cyber Maturity/Risk Relationship

[Figure: cybersecurity maturity levels (Innovative, Advanced, Intermediate, Evolving, Baseline) shown against a range labeled Lowest Risk Institutions and Highest Risk Institutions]

Determine Cybersecurity Investment

[Figure: matrix of Inherent Risk Levels (Least, Minimal, Moderate, Significant, Most) against Cybersecurity Maturity Level for Each Domain (Innovative, Advanced, Intermediate, Evolving, Baseline), with regions labeled Elevated Investment and Underinvestment]

Role of Internal Auditors

• Encourage management to use the FFIEC Cybersecurity Assessment Tool

• Once completed, audit Inherent Risk Profile and Cybersecurity Maturity for accuracy

• Help monitor gaps and work with management to achieve targeted maturity level(s)

NCUA’s use of the Tool

• Currently informally review credit union awareness and use during routine examinations

• Presently (could change) plan to begin completing the Cybersecurity Assessment Tool as part of the exam process in late 2017

• Have yet to determine the frequency or depth of review

NCUA Support

Support:

[email protected]

Resources

Executive Overview of Cybersecurity Assessment Tool

http://www.ffiec.gov/cyberassessmenttool.htm

Cybersecurity Assessment Observations

http://www.ffiec.gov/press/pr110314.htm

Bank Secrecy Act Compliance

• We continue to review Bank Secrecy Act compliance at every examination

• In 2017, focusing on relationships with money services businesses (MSBs) and other accounts that may pose a higher risk for money laundering

BSA Compliance Program

Critical Elements

1. Internal Controls

2. Independent Testing

3. Responsible Person

4. Training

5. Customer/Member Identification Program

BSA Requirements

• Currency Transaction Reporting

• CTR Exempt Person Filing

• Suspicious Activity Reporting

• Monetary Instrument Tracking

• Wire Transfer Recordkeeping

• Foreign Activity Reporting

• Customer/Member Identification Program (CIP/MIP)

• Anti-Money Laundering Program

BSA: Most Common Violations

• 314(a) Information Requests

• Training

• Required Report Filings

• Internal Controls

• Independent Testing

Money Services Businesses

Types

• Currency dealers and exchangers

• Check cashers

• Issuers, sellers, or redeemers of traveler’s checks, money orders or prepaid access cards

• Money transmitters

MSB Requirements

• Must register with FinCEN

• Must develop, implement, and monitor an effective Anti-Money Laundering Program

• Must comply with requirements of the Bank Secrecy Act

MSBs: Due Diligence Expectations

• Not all MSBs pose the same level of risk, and not all MSBs will require the same level of due diligence

• Interagency Guidance issued April 2005

Minimum Due Diligence Expectations

– Perform CIP

– Confirm FinCEN registration, if applicable

– Confirm state or local licensing, if applicable

– Conduct BSA/AML risk assessment

– Conduct Enhanced Due Diligence, if applicable

Detecting Possible MSB Activity

• Large cash transactions

• Cash transactions not commensurate with expected activity

• High volume of wire transfers

• Deposit high volume of third party checks

• Conducting cash transactions just under $10,000 (“structuring”)

Role of Internal Auditors

• Perform (or outsource) comprehensive independent BSA compliance testing at least annually

• Ensure effective processes are in place to detect and monitor MSB activity

• Verify credit union is complying with the due diligence expectations for MSBs

BSA Resources

• FFIEC BSA/AML Examination Manual

http://www.ffiec.gov/bsa_aml_infobase/pages_manual/OLM_002.htm

• Financial Crimes Enforcement Network

http://www.fincen.gov/

• Interagency Interpretive Guidance on Providing Banking Services to Money Services Businesses Operating in the United States (April 26, 2005)

http://www.fincen.gov/statutes_regs/guidance/pdf/guidance04262005.pdf

• BSA Resource Page on NCUA’s website

https://www.ncua.gov/regulation-supervision/pages/bank-secrecy-act.aspx

• NCUA Letter to Credit Unions 14-CU-10, Identifying and Mitigating Risks of Money Service Businesses (December 2014)

https://www.ncua.gov/regulation-supervision/Pages/policy-compliance/communications/letters-to-credit-unions/2014/10.aspx

Internal Controls and Fraud Prevention

• Credit unions with limited staff may be more susceptible to insider fraud as a result of inherent challenges maintaining adequate separation of duties

• Accordingly, we continue to take a closer look at internal controls at smaller credit unions

• However, internal controls and fraud prevention are critical in credit unions of all sizes

Purpose of Internal Controls

• Fulfill fiduciary duty to protect assets

• Deter fraud

• Find and correct errors in normal course of business

Main Factors Allowing Fraud to Occur

• Lack of internal controls

• Lack of management review

• Override of internal controls

• Poor tone at the top

Fraud Preventative Measures

• Internal controls

• Competent personnel in oversight roles

• Independent audits

• Appropriate reporting mechanisms

Role of Internal Auditors

Scope of internal audits should include:

– Insider account review

– File maintenance review

– Dormant account activity

– Share draft exception and overdrawn account reports

– Bank reconciliation

– General ledger review

– Loan review

As part of each review, should always evaluate the sufficiency of internal controls.

Fraud Resources

• NCUA Fraud Information Center

https://www.ncua.gov/regulation-supervision/Pages/policy-compliance/communications/fraud-alerts.aspx

• NCUA Fraud Hotline: (800) 827-9650

https://www.ncua.gov/services/Pages/fraud-hotline.aspx

Interest Rate Risk

• In 2017, we started using a revised interest rate risk supervisory tool and new examination procedures to assess interest rate risk management practices

• As part of this review, look at the relationship between interest rate risk and liquidity risk

Why the Changes?

• Respond to NCUA Board supervisory priorities (expectations)

• Address new requirements:

– IRR Rule (§741 eff. September 2012)

– Derivatives Rule (§703 eff. April 2014)

• Enhance examiner guidance

• Reduce inconsistencies in supervision

• Identify outlier risk

• Continuous Quality Improvement

IRR Supervision Scope (March 2016 Data)

[Flowchart: credit unions grouped by total assets ($500m or greater; between $50m and $500m; under $50m). Decision node: Is “Supervisory Test” High or Extreme? (No / Yes). Other labels: 35 Steps, 25 Steps, 15 Steps; Estimated NEV Tool “ENT”; IRR Workbook not required; 1,779 CUs, $283b; 3,681 CUs, $55b; 493 CUs, $903b; 1st Exam Cycle; Post 1st Exam Cycle]

Key Changes to IRR Supervision

IRR risk-tolerance thresholds (NEV)

– Traditional +/- 300 basis point supervisory test

– Thresholds for post-shock NEV ratio and sensitivity

– Levels for low, moderate, high and extreme IRR

– Utilizes CU data (internally generated NEV reports)

– Non-maturity share benefit (value) capped for Base and Shock scenarios

NEV Supervisory Test – Risk Thresholds

Risk Level    Post-shock NEV    NEV Sensitivity (%)
Low           Above 7%          Below 40%
Moderate      4% up to 7%       40% to 65%
High          2% up to 4%       65% to 85%
Extreme       Below 2%          Above 85%

Note: NCUA has made use of a NEV metric in the current Examiner’s Guide since 2000 in Chapter 13

Key IRR Review Areas

Market Risk

• NEV Supervisory Test

• Analysis of Balance Sheet Valuations

Earnings at Risk

• Review of Scenarios

• Review of results/assumptions

Stress Testing

• Review of Scenarios

• Results

Measurement Systems

• Platform assessments

• Data controls

Risk Management

• Oversight

• Policies/Reporting/Controls/Staff

Benefits for Credit Unions

• Shifting the focus towards IRR outliers

• Uniform, measurable, consistent and transparent IRR measure

• Increased clarity of supervisory expectations

• Increased accuracy of IRR rating

• Greater consistency by examiners

• Risk-focused discussions

• Reduced examination burden for most

Role of Internal Auditors

• Ensure credit unions are complying with Appendix B to Part 741—Guidance for an Interest Rate Risk Policy and an Effective Program

• Internal controls should include:

– Internal assessment of IRR program

– Compliance with policy (evaluate for policy exceptions and compliance with approved limits)

– Timeliness and accuracy of reports

– Audit findings reported to board or supervisory committee

Interest Rate Risk Resources

• NCUA Interest Rate Risk Resources

https://www.ncua.gov/regulation-supervision/Pages/policy-compliance/resource-centers/interest-rate-risk.aspx

• NCUA Letter to Credit Unions 16-CU-08, Revised Interest Rate Risk Supervision (October 2016)

https://www.ncua.gov/regulation-supervision/Pages/policy-compliance/communications/letters-to-credit-unions/2016/08.aspx

Commercial Lending

• Revisions to Part 723, Member Business Loans; Commercial Lending went into effect on January 1, 2017

• Changed from a “prescriptive” rule, to a “principles-based” rule

• Policies must be revised to comply with the new rules

In crafting new policies and procedures, credit unions should reference both:

• The new regulatory requirements, and

• New correlating guidance contained in the Examiner’s Guide

Commercial Lending: Policy Changes

Policy must:

• Include the new definition of a commercial loan and outline the loan types specifically excluded from the definition of a commercial loan

• Differentiate underwriting standards based on the size, risk, and complexity of the borrower

• Outline the required components of a credit approval document (credit presentation) to include sufficient information to make fully informed credit decisions

Policy must ensure existing and future lending personnel have experience in the following areas:

• Underwriting and processing for the types of commercial lending in which the credit union is engaged

• Overseeing and evaluating the performance of a commercial loan portfolio, including rating and quantifying risk through a credit risk rating system

• Conducting collection and loss mitigation activities for the types of commercial lending in which the credit union is engaged

Policy must:

• Require a borrower-prepared projection when historic performance does not support projected debt payments

• Address the new regulatory requirements pertaining to personal guarantees

If the credit union will consider waiving the personal guarantee, the policy must:

• Establish appropriate criteria, and adopt processes to mitigate the additional risk, for waiving the requirement for personal guarantees, when accepting partial or limited guarantees, or accepting guarantees from individuals who do not have a controlling interest in the borrower

• Require lending staff to document justification and explain how risk was sufficiently mitigated within the credit presentation when not obtaining unlimited personal guarantees


Also, if the credit union waives personal guarantees, the policy must:

• Establish a concentration limit for the aggregate amount of assets allowed in unguaranteed commercial loans (as a percent of net worth)

• Require periodic reporting to the board of directors

Policy must:

• Provide justification and support for loan-to-value limits for different types of collateral

• Address specified risk management requirements

Policy defined risk management requirements include:

• Use of loan covenants, if appropriate, including frequency of borrower and guarantor financial reporting

• Periodic loan review, consistent with loan covenants and sufficient to conduct portfolio risk management; this review must include a periodic reevaluation of the value and marketability of any collateral

• A process to identify, report, and monitor loans approved as exceptions to the credit union’s policy

• A key principle in the new regulation is that a credit union’s board of directors is ultimately accountable for the safety and soundness of the credit union’s commercial lending activities

• To this end, the policy should require a comprehensive set of reports be provided to the board of directors to demonstrate they are fully informed of the risk of the commercial lending operations

• The guidance contains a list of examples


Policy must address new requirements for construction and development lending, including how the credit union will determine the collateral value associated with the project, which must be based on the lesser of the project’s cost to complete or its prospective market value

Also, policy for construction and development loans must meet the following conditions:

• Qualified personnel representing the interests of the credit union must conduct a review and approval of any line item construction budget prior to closing the loan

• A credit union approved requisition and loan disbursement process is established


• Release or disbursement of loan funds occurs only after on-site inspections, documented in a written report by qualified personnel representing the interests of the credit union, certifying that the work requisitioned for payment has been satisfactorily completed, and the remaining funds available to be disbursed from the construction and development loan is sufficient to complete the project

• Each loan disbursement is subject to confirmation that no intervening liens have been filed

Role of Internal Auditors

• If your credit union conducts commercial lending, ensure member business loan policy has been revised to comply with the new requirements.

• Audit policy for compliance with regulations and guidance contained in the Examiner’s Guide.

• Verify underwriting and documentation comply with the new requirements.

Commercial Lending Resources

• Part 723 of NCUA Rules and Regulations

https://www.ecfr.gov/cgi-bin/text-idx?SID=a787104950456263ce693f65aa56ccbe&mc=true&tpl=/ecfrbrowse/Title12/12cfr723_main_02.tpl

• NCUA Letter to Credit Unions, 16-CU-11, Member Business Loans Guidance Added to Examiner’s Guide (November 2016)

https://www.ncua.gov/regulation-supervision/Pages/policy-compliance/communications/letters-to-credit-unions/2016/11.aspx

Consumer Compliance

• In 2017, we are reviewing the following areas for compliance:

– Military Lending Act

– Servicemembers’ Civil Relief Act

• Encourage internal auditors to proactively verify compliance in these areas, and with other new or revised consumer compliance regulations.

Consumer Compliance Resources

• NCUA Letter to Credit Unions 16-CU-07, Military Lending Act Examination Approach (October 2016)

https://www.ncua.gov/regulation-supervision/Pages/policy-compliance/communications/letters-to-credit-unions/2016/07.aspx

• NCUA Consumer Compliance Regulatory Resources website

https://www.ncua.gov/regulation-supervision/Pages/policy-compliance/resource-centers/consumer.aspx

Red Flags

• Lack of Segregation of Duties

• Unusually High Earnings

• Rapid Loan Growth

• Unusually Low Loan Delinquency and/or Charge-off Rates

Lack of Segregation of Duties

Encourage internal auditors to:

• Ensure loan approval and disbursement are segregated at all times (required by FCU Act)

• Ensure cash is counted under dual control, and all cash (including the vault) is counted on a reasonably frequent basis

• Verify bank and general ledger reconcilements are performed by someone without access to cash or authority to disburse loans

Unusually High Earnings

When earnings are unusually high, encourage internal auditors to:

• Determine the source of the unusually high earnings

• Ensure the risks of the income source are known and properly communicated

Red flag: High fee income can be an indicator of elevated credit risk (lender of last resort)

Rapid Loan Growth

When there is rapid loan growth, encourage internal auditors to:

• Review the cause of the rapid growth, and any associated risks

• Verify the controls over, and quality of, the loans

Red flag: Rapid growth in indirect loans

Low Loan Delinquency or Charge-off Rates

When delinquency or charge-offs are unusually low, encourage internal auditors to:

• Verify delinquency is not being masked by extending due dates (review file maintenance reports, high amounts of accrued interest on current loans)

• Review collection activity and notes for reasonableness on loans delinquent greater than 120 days

• Ensure charge-off policies are being followed

Questions

Contact Information

Feel free to contact us with questions or comments.

Primary Staff: Peter Seidl, Principal Examiner

[email protected]

Secondary Staff: Justin Burleson, Supervisory Examiner

[email protected]