Hot Topics and Red Flags - ACUIA › sites › acuia.org › files › MN Chapter... ·...

Hot Topics andRed Flags

ACUIA Chapter Meeting

May 12, 2017

Peter Seidl, Principal Examiner

Region 4

Areas of Focus

Hot Topics and Red Flags 2

Hot Topics


• Cybersecurity Assessment

• Bank Secrecy Act Compliance

• Internal Controls and Fraud Prevention

• Interest Rate and Liquidity Risk

• Commercial Lending

• Consumer Compliance

Cybersecurity

4

cy·ber·se·cu·ri·tynoun \-si-ˌkyu̇r-ə-tē\

measures taken to protect a computer or computer system (as on the Internet) against unauthorized access or attack

Merriam Webster

Cybersecurity – The ability to protect or defend the use of cyberspace from cyber attacks. SOURCE: CNSSI-4009 - NIST.IR.7298r2

Hot Topics and Red Flags

WHY IS CYBERSECURITY GETTING SO IMPORTANT?


Financial Services Attract the Criminals

6

• Financial Services Continue to Report the Highest Number of Breaches

• Small and Large Organizations are Victims

Confirmed Breaches

Industry Total Small Large Unknown

Accommodation (72) 282 136 10 136

Administrative (56) 18 6 2 10

Agriculture (11) 1 0 0 1

Construction (23) 4 0 1 3

Educational (61) 29 3 8 18

Entertainment (71) 38 18 1 19

Finance (52) 795 14 94 687

Healthcare (62) 115 18 20 77

Information (51) 194 12 12 170

Management (55) 0 0 0 0

Manufacturing (31-33) 37 5 11 21

Mining (21) 7 0 6 1

Other Services (81) 11 5 2 4

Professional (54) 53 10 4 39

Public (92) 193 4 122 67

Real Estate (53) 5 3 0 2

Retail (44-45) 137 96 12 29

Trade (42) 4 2 2 0

Transportation (48-49) 15 1 3 11

Utilities (22) 7 0 0 7

Unknown 270 109 0 161

Total 2,260 447 312 1501

Source 2016 Verizon Data Breach Investigations Report


Everything Is Connecting

7

“Things talking to Things”Hot Topics and Red Flags

Black Market Prices for Consumer Files

8

One way criminals monetize the fruits of their labor (intrusion and breach)

Another way criminals monetize their skills, provide services or sell exploit kits.

Ultimately, this growing black market is increasing risk exposure to legitimate businesses


Credit Unions will Continue to Increase in Popularity as a Target

9

Growing numbers of CU attacks and compromises are being reported.

"This malware is as stealthy and persistent as the Nymaim loader while possessing the Gozi ISFB Trojan’s ability to manipulate Web sessions, resulting in advanced online banking fraud attacks," the IBM X-Force researchers said in a blog post.


https://securityintelligence.com/meet-goznym-the-banking-malware-offspring-of-gozi-isfb-and-nymaim/

Some Recent Examples

• $80 million FICU victim of CryptoWall– ($500 us bitcoin to get data systems released)

– Other small FICUs (refused ransom, wiped the box and restored data successfully)

• $60 million FICU victim of Acct takeover– Corp CU recognized unusual transaction and halted auto wire

pending human confirmation

• Medium institution(s) ID theft, tax return fraud with false identities

• Data exfiltration (sold on black market)

• Website Defacement

• Ransomware took down portion of network where backup failed ($$$$ to mitigate)

10Hot Topics and Red Flags

Cybersecurity Assessment Tool

11

Objective

To help financial institutions identify their risks and determine their cybersecurity maturity

The Assessment provides institutions with a repeatable and measureable process to inform management of their institution’s risks and cybersecurity preparedness.


Assessment Tool Materials

12

Consists of two parts

Part One: Inherent Risk Profile

Part Two: Cybersecurity Maturity


FFIEC Cybersecurity Assessment Tool

13

Inherent Risk Profile Categories

Technologies • and Connection Types

Delivery Channels•

Online/Mobile Products and Technology •

Services

Organizational Characteristics•

External • Threats



14

Inherent Risk Profile Risk LevelsIn

her

ent

risk

LeastIn

her

ent

Ris

kMinimal

Inh

eren

t ri

sk

Moderate

Inh

eren

t R

isk

Significant

Inh

eren

t R

isk

Most

Type, volume, and complexity of operations and threats directed at the institution contribute to the risk level



15

Inherent Risk Profile Risk LevelsIn

her

ent

risk

LeastIn

her

ent

Ris

kMinimal

Inh

eren

t ri

sk

Moderate

Inh

eren

t R

isk

Significant

Inh

eren

t R

isk

Most

Type, volume, and complexity of operations and threats directed at the institution contribute to the risk level



Domain Assessment Factors

1 Cyber Risk Management & Oversight • Governance• Risk Management• Resources• Training and Culture

2 Threat Intelligence & Collaboration • Intelligence Sourcing• Monitoring and Analyzing• Information Sharing

3 Cybersecurity Controls • Preventative Controls• Detective Controls• Corrective Controls

4 External Dependency Management • Connections• Relationships Management

5 Cyber Incident Management & Resilience • Incident Resilience Planning and Strategy• Detection, Response and Mitigation• Escalation and Reporting


Cyber Maturity/Risk Relationship

17

Innovative

Advanced

Intermediate

Evolving

BaselineLowest Risk Institutions

Highest Risk Institutions


Cyber Maturity/Risk Relationship

18

Innovative

Advanced

Intermediate

Evolving

BaselineLowest Risk Institutions

Highest Risk Institutions


Inherent Risk Levels

Least Minimal Moderate Significant Most

Cyb

ers

ecu

rity

Mat

uri

ty L

eve

l fo

r Ea

ch

Do

mai

n

Innovative

Advanced

Intermediate

Evolving

Baseline

Elevated Investment

Underinvestment

19

Determine Cybersecurity Investment


Role of Internal Auditors


• Encourage management to use the FFIEC Cybersecurity Assessment Tool

• Once completed, audit Inherent Risk Profileand Cybersecurity Maturity for accuracy

• Help monitor gaps and work with management to achieve targeted maturity level(s)

NCUA’s use of the Tool


Currently informally review credit union •

awareness and use during routine examinations

Presently (could change) plan to begin •

completing the Cybersecurity Assessment Tool as part of the exam process in late 2017

• Have yet to determine the frequency or depth of review

NCUA Support

22

Support:

[email protected]

Resources

Executive Overview of Cybersecurity Assessment Toolhttp://www.ffiec.gov/cyberassessmenttool.htm

Cybersecurity Assessment Observationshttp://www.ffiec.gov/press/pr110314.htm


mailto:[email protected]

http://www.ffiec.gov/cyberassessmenttool.htm

http://www.ffiec.gov/press/pr110314.htm

Bank Secrecy Act Compliance


Bank Secrecy Act Compliance


• We continue to review of Bank Secrecy Act compliance at every examination

• In 2017, focusing on relationships with money services businesses (MSBs) and other accounts that may pose a higher risk for money laundering

BSA Compliance Program


Critical Elements

Internal Controls1.

Independent Testing2.

Responsible Person3.

Training4.

Customer/Member Identification 5.Program

BSA Requirements


• Currency Transaction Reporting

• CTR Exempt Person Filing

• Suspicious Activity Reporting

• Monetary Instrument Tracking

BSA Requirements


Wire Transfer Recordkeeping•

Foreign Activity Reporting•

Customer/Member Identification •

Program (CIP/MIP)

Anti• -Money Laundering Program

BSA: Most Common Violations


• 314(a) Information Requests

• Training

• Required Report Filings

• Internal Controls

• Independent Testing

Money Services Businesses


Types

Currency dealers and exchangers•

Check cashers•

Issuers, sellers, or redeemers of •

traveler’s checks, money orders or prepaid access cards

Money transmitters•

MSB Requirements


• Must register with FinCEN

• Must develop, implement, and monitor and effective Anti-Money Laundering Program

• Must comply with requirements of the Bank Secrecy Act

MSBs: Due Diligence Expectations


Not all MSBs pose the same level of risk, •and not all MSBs will require the same level of due diligenceInteragency Guidance • issued April, 2005

Minimum Due Diligence ExpectationsPerform – CIPConfirm – FinCEN registration, if applicableConfirm state or local licensing, if applicable–

Conduct BSA/AML risk – assessmentConduct Enhanced Due Diligence, if – applicable

Detecting Possible MSB Activity


• Large cash transactions

• Cash transactions not commensurate with expected activity

• High volume of wire transfers

• Deposit high volume of third party checks

• Conducting cash transactions just under $10,000 (“structuring”)



Perform (or outsource) comprehensive •

independent BSA compliance testing at least annually

Ensure effective processes are in place •

to detect and monitor MSB activity

Verify credit union is complying with the •

due diligence expectations for MSBs

BSA Resources


• FFIEC BSA/AML Examination Manual http://www.ffiec.gov/bsa_aml_infobase/pages_manual/OLM_002.htm

• Financial Crimes Enforcement Networkhttp://www.fincen.gov/

• Interagency Interpretive Guidance on Providing Banking Services to Money Services Businesses Operating in the United States (April 26, 2005)

http://www.fincen.gov/statutes_regs/guidance/pdf/guidance04262005.pdf

• BSA Resource Page on NCUA’s websitehttps://www.ncua.gov/regulation-supervision/pages/bank-secrecy-act.aspx

• NCUA Letter to Credit Unions 14-CU-10, Identifying and Mitigating Risks of Money Service Businesses (December 2014)

https://www.ncua.gov/regulation-supervision/Pages/policy-compliance/communications/letters-to-credit-unions/2014/10.aspx

http://www.ffiec.gov/bsa_aml_infobase/pages_manual/OLM_002.htm

http://www.fincen.gov/

http://www.fincen.gov/statutes_regs/guidance/pdf/guidance04262005.pdf

https://www.ncua.gov/regulation-supervision/pages/bank-secrecy-act.aspx


Internal Controls and Fraud Prevention


Internal Controls and Fraud Prevention


• Credit unions with limited staff may be more susceptible to insider fraud as a result of inherent challenges maintaining adequate separation of duties

• Accordingly, we continue to take a closer look at internal controls at smaller credit unions

• However, internal controls and fraud prevention are critical in credit unions of all sizes

Purpose of Internal Controls


• Fulfill fiduciary duty to protect assets

• Deter fraud

• Find and correct errors in normal course of business

Main Factors Allowing Fraud to Occur


• Lack of internal controls

• Lack of management review

• Override of internal controls

• Poor tone at the top

Fraud Preventative Measures


• Internal controls

• Competent personnel in oversight roles

• Independent audits

• Appropriate reporting mechanisms



Scope of internal audits should include:– Insider account review– File maintenance review– Dormant account activity– Share draft exception and overdrawn account

reports– Bank reconciliation– General ledger review– Loan review

As part of each review, should always evaluate the sufficiency of internal controls.

Fraud Resources


• NCUA Fraud Information Center

https://www.ncua.gov/regulation-supervision/Pages/policy-compliance/communications/fraud-alerts.aspx

• NCUA Fraud Hotline: (800) 827-9650

https://www.ncua.gov/services/Pages/fraud-hotline.aspx

https://www.ncua.gov/regulation-supervision/Pages/policy-compliance/communications/fraud-alerts.aspx

https://www.ncua.gov/services/Pages/fraud-hotline.aspx

Interest Rate Risk


Interest Rate Risk


• In 2017, we started using a revised interest rate risk supervisory tool and new examination procedures to assess interest rate risk management practices

• As part of this review, look at the relationship between interest rate risk and liquidity risk

Why the Changes?


• Respond to NCUA Board supervisory priorities (expectations)

• Address new requirements:

– IRR Rule (§741 eff. September 2012)

– Derivatives Rule (§703 eff. April 2014)

• Enhance examiner guidance

• Reduce inconsistencies in supervision

• Identify outlier risk

• Continuous Quality Improvement

IRR Supervision Scope (March 2016 Data)


Total Assets of $500m or greater

Total Assets between $50m and $500m

Is “Supervisory Test” High or

Extreme?

No Yes

35 Steps25 Steps15 Steps

Total Assets under $50m

Estimated NEV Tool “ENT”

IRR Workbook not required

1,779 CUs$283b

3,681 CUs$55b

493 CUs$903b

1st E

xa

m C

ycle

Post 1st

Exam Cycle

Key Changes to IRR Supervision


IRR risk-tolerance thresholds (NEV)

– Traditional +/- 300 basis point supervisory test

– Thresholds for post-shock NEV ratio and sensitivity

– Levels for low, moderate, high and extreme IRR

– Utilizes CU data (internally generated NEV reports)

– Non-maturity share benefit (value) capped for Base and Shock scenarios


NEV Supervisory Test – Risk Thresholds

Risk Level

Low

Moderate

High

Extreme

2% up to 4% 65% to 85%

Below 2% Above 85%

Post-shock NEV NEV Sensitivity (%)

Above 7% Below 40%

4% up to 7% 40% to 65%

Note: NCUA has made use of a NEV metric in the current Examiner’s Guide since 2000 in Chapter 13

Key IRR Review Areas


• NEV Supervisory Test

• Analysis of Balance Sheet ValuationsMarket Risk

• Review of Scenarios

• Review of results/assumptionsEarnings at Risk

• Review of Scenarios

• ResultsStress Testing

• Platform assessments

• Data controlsMeasurement Systems

• Oversight

• Policies/Reporting/Controls/StaffRisk Management

Benefits for Credit Unions


• Shifting the focus towards IRR outliers

• Uniform, measurable, consistent and transparent IRR measure

• Increased clarity of supervisory expectations

• Increased accuracy of IRR rating

• Greater consistency by examiners

• Risk-focused discussions

• Reduced examination burden for most



• Ensure credit unions are complying with Appendix B to Part 741—Guidance for an Interest Rate Risk Policy and an Effective Program

• Internal controls should include:

– Internal assessment of IRR program

– Compliance with policy (evaluate for policy exceptions and compliance with approved limits)

– Timeliness and accuracy of reports

– Audit findings reported to board or supervisory committee

Interest Rate Risk Resources


• NCUA Interest Rate Risk Resources

https://www.ncua.gov/regulation-supervision/Pages/policy-compliance/resource-centers/interest-rate-risk.aspx

• NCUA Letter to Credit Unions 16-CU-08, Revised Interest Rate Risk Supervision (October 2016)


https://www.ncua.gov/regulation-supervision/Pages/policy-compliance/resource-centers/interest-rate-risk.aspx


Commercial Lending


• Revisions to Part 723, Member Business Loans; Commercial Lending went into effect on January 1, 2017

• Changed from a “prescriptive” rule, to a “principles-based” rule

• Policies must be revised to comply with the new rules

Commercial Lending


In crafting new policies and procedures, credit unions should reference both:

The • new regulatory requirements, and

• New correlating guidance contained in the Examiner’s Guide

Commercial Lending: Policy Changes


Policy must:• Include the new definition of a commercial loan

and outline the loan types specifically excluded from the definition of a commercial loan

• Differentiate underwriting standards based on the size, risk, and complexity of the borrower

• Outline the required components of a credit approval document (credit presentation) to include sufficient information to make fully informed credit decisions



Policy must ensure existing and future lending personnel have experience in the following areas:

Underwriting • and processing for the types of commercial lending in which the credit union is engagedOverseeing • and evaluating the performance of a commercial loan portfolio, including rating and quantifying risk through a credit risk rating systemConducting • collection and loss mitigation activities for the types of commercial lending in which the credit union is engaged



Policy must:

• Require a borrower-prepared projection when historic performance does not support projected debt payments

• Address the new regulatory requirements pertaining to personal guarantees



If the credit union will consider waiving the personal guarantee, the policy must:

Establish • appropriate criteria, and adopt processes to mitigate the additional risk, for waiving the requirement for personal guarantees, when accepting partial or limited guarantees, or accepting guarantees from individuals who do not have a controlling interest in the borrowerRequire • lending staff to document justification and explain how risk was sufficiently mitigated within the credit presentation when not obtaining unlimited personal guarantees



Also, if the credit union waives personal guarantees, the policy must:

• Establish a concentration limit for the aggregate amount of assets allowed in unguaranteed commercial loans (as a percent of net worth)

• Require periodic reporting to the board of directors



Policy must:

Provide justification and support for •

loan-to-value limits for different types of collateral

Address specified risk management •

requirements



Policy defined risk management requirements include:• Use of loan covenants, if appropriate, including

frequency of borrower and guarantor financial reporting

• Periodic loan review, consistent with loan covenants and sufficient to conduct portfolio risk management; this review must include a periodic reevaluation of the value and marketability of any collateral

• A process to identify, report, and monitor loans approved as exceptions to the credit union’s policy



A key • principle in the new regulation is that a credit union’s board of directors is ultimately accountable for the safety and soundness of the credit union’s commercial lending activities

To • this end, the policy should require a comprehensive set of reports be provided to the board of directors to demonstrate they are fully informed of the risk of the commercial lending operations

The guidance contains a list of examples•



Policy must address new requirements for construction and development lending, including how the credit union will determine the collateral value associated with the project, which must be based on the lesser of the project’s cost to complete or its prospective market value



Also, policy for construction and development loans must meet the following conditions:

Qualified • personnel representing the interests of the credit union must conduct a review and approval of any line item construction budget prior to closing the loan

A • credit union approved requisition and loan disbursement process is established



• Release or disbursement of loan funds occurs only after on-site inspections, documented in a written report by qualified personnel representing the interests of the credit union, certifying that the work requisitioned for payment has been satisfactorily completed, and the remaining funds available to be disbursed from the construction and development loan is sufficient to complete the project

• Each loan disbursement is subject to confirmation that no intervening liens have been filed



If your credit union conducts commercial •

lending, ensure member business loan policy has been revised to comply with the new requirements.

Audit policy for compliance with regulations •

and guidance contained in the Examiner’s Guide.

Verify underwriting and documentation •

complies with the new requirements.

Commercial Lending Resources


• Part 723 of NCUA Rules and Regulationshttps://www.ecfr.gov/cgi-bin/text-idx?SID=a787104950456263ce693f65aa56ccbe&mc=true&tpl=/ecfrbrowse/Title12/12cfr723_main_02.tpl

• NCUA Letter to Credit Unions, 16-CU-11, Member Business Loans Guidance Added to Examiner’s Guide (November 2016)


https://www.ecfr.gov/cgi-bin/text-idx?SID=a787104950456263ce693f65aa56ccbe&mc=true&tpl=/ecfrbrowse/Title12/12cfr723_main_02.tpl


Consumer Compliance


Consumer Compliance


• In 2017, we are reviewing the following areas for compliance:

– Military Lending Act

– Servicemembers’ Civil Relief Act

• Encourage internal auditors to proactively verify compliance in these areas, and with other new or revised consumer compliance regulations.

Consumer Compliance Resources


• NCUA Letter to Credit Unions 16-CU-07, Military Lending Act Examination Approach (October 2016)


• NCUA Consumer Compliance Regulatory Resources website

https://www.ncua.gov/regulation-supervision/Pages/policy-compliance/resource-centers/consumer.aspx


https://www.ncua.gov/regulation-supervision/Pages/policy-compliance/resource-centers/consumer.aspx

Red Flags


Red Flags


• Lack of Segregation of Duties

• Unusually High Earnings

• Rapid Loan Growth

• Unusually Low Loan Delinquency and/or Charge-off Rates

Lack of Segregation of Duties


Encourage internal auditors to:

• Ensure loan approval and disbursement is segregated at all times (required by FCU Act)

• Ensure cash is counted under dual control, and all cash (including the vault) is counted on a reasonably frequent basis

• Verify bank and general ledger reconcilements are performed by someone without access to cash or authority to disburse loans

Unusually High Earnings


When earnings are unusually high, encourage internal auditors to:

• Determine the source of the unusually high earnings

• Ensure the risks of the income source are known and properly communicated

Red flag: High fee income can be an indicator of elevated credit risk (lender of last resort)

Rapid Loan Growth


When there is rapid loan growth, encourage internal auditors to:

• Review the cause of the rapid growth, and any associated risks

• Verify the controls over, and quality of, the loans

Red flag: Rapid growth in indirect loans

Low Loan Delinquency or Charge-off Rates


When delinquency or charge-offs are unusually low, encourage internal auditors to:

• Verify delinquency is not being masked by extending due dates (review file maintenance reports, high amounts of accrued interest on current loans)

• Review collection activity and notes for reasonableness on loans delinquent greater than 120 days

• Ensure charge-offs policies are being followed

Questions


Contact Information


Feel free to contact us with questions or comments.

Primary Staff: Peter Seidl,

Principal Examiner

[email protected]

Secondary Staff: Justin BurlesonSupervisory Examiner

[email protected]

Hot Topics and Red Flags - ACUIA › sites › acuia.org › files › MN Chapter... ·...

Documents

Transcript of Hot Topics and Red Flags - ACUIA › sites › acuia.org › files › MN Chapter... ·...