Hot Topics and Red Flags - ACUIA (MN Chapter...)
Hot Topics and Red Flags
ACUIA Chapter Meeting
May 12, 2017
Peter Seidl, Principal Examiner
Region 4
Areas of Focus
Hot Topics
• Cybersecurity Assessment
• Bank Secrecy Act Compliance
• Internal Controls and Fraud Prevention
• Interest Rate and Liquidity Risk
• Commercial Lending
• Consumer Compliance
Cybersecurity
cy·ber·se·cu·ri·ty noun \-si-ˌkyu̇r-ə-tē\
measures taken to protect a computer or computer system (as on the Internet) against unauthorized access or attack
Merriam-Webster
Cybersecurity – The ability to protect or defend the use of cyberspace from cyber attacks. SOURCE: CNSSI-4009 - NIST.IR.7298r2
WHY IS CYBERSECURITY GETTING SO IMPORTANT?
Financial Services Attract the Criminals
• Financial Services Continue to Report the Highest Number of Breaches
• Small and Large Organizations are Victims
Confirmed Breaches by industry (NAICS code in parentheses)
Industry                  Total  Small  Large  Unknown
Accommodation (72)          282    136     10      136
Administrative (56)          18      6      2       10
Agriculture (11)              1      0      0        1
Construction (23)             4      0      1        3
Educational (61)             29      3      8       18
Entertainment (71)           38     18      1       19
Finance (52)                795     14     94      687
Healthcare (62)             115     18     20       77
Information (51)            194     12     12      170
Management (55)               0      0      0        0
Manufacturing (31-33)        37      5     11       21
Mining (21)                   7      0      6        1
Other Services (81)          11      5      2        4
Professional (54)            53     10      4       39
Public (92)                 193      4    122       67
Real Estate (53)              5      3      0        2
Retail (44-45)              137     96     12       29
Trade (42)                    4      2      2        0
Transportation (48-49)       15      1      3       11
Utilities (22)                7      0      0        7
Unknown                     270    109      0      161
Total                     2,260    447    312    1,501
Source: 2016 Verizon Data Breach Investigations Report
Everything Is Connecting
“Things talking to Things”
Black Market Prices for Consumer Files
One way criminals monetize the fruits of their labor (intrusion and breach) is by selling the stolen consumer files.
Another way criminals monetize their skills: providing services or selling exploit kits.
Ultimately, this growing black market is increasing the risk exposure of legitimate businesses.
Credit Unions will Continue to Increase in Popularity as a Target
Growing numbers of CU attacks and compromises are being reported.
"This malware is as stealthy and persistent as the Nymaim loader while possessing the Gozi ISFB Trojan’s ability to manipulate Web sessions, resulting in advanced online banking fraud attacks," the IBM X-Force researchers said in a blog post.
Some Recent Examples
• $80 million FICU victim of CryptoWall ($500 US in bitcoin demanded to get data systems released)
– Other small FICUs refused the ransom, wiped the box and restored data successfully
• $60 million FICU victim of account takeover; the corporate CU recognized an unusual transaction and halted the automated wire pending human confirmation
• Medium institution(s): ID theft, tax return fraud with false identities
• Data exfiltration (sold on black market)
• Website defacement
• Ransomware took down a portion of the network where backup failed ($$$$ to mitigate)
Cybersecurity Assessment Tool
Objective
To help financial institutions identify their risks and determine their cybersecurity maturity
The Assessment provides institutions with a repeatable and measurable process to inform management of their institution’s risks and cybersecurity preparedness.
Assessment Tool Materials
Consists of two parts
Part One: Inherent Risk Profile
Part Two: Cybersecurity Maturity
FFIEC Cybersecurity Assessment Tool
Inherent Risk Profile Categories
• Technologies and Connection Types
• Delivery Channels
• Online/Mobile Products and Technology Services
• Organizational Characteristics
• External Threats
FFIEC Cybersecurity Assessment Tool
Inherent Risk Profile Risk Levels (lowest to highest): Least Inherent Risk, Minimal Inherent Risk, Moderate Inherent Risk, Significant Inherent Risk, Most Inherent Risk
Type, volume, and complexity of operations and threats directed at the institution contribute to the risk level
FFIEC Cybersecurity Assessment Tool
Domain / Assessment Factors
1. Cyber Risk Management & Oversight: Governance; Risk Management; Resources; Training and Culture
2. Threat Intelligence & Collaboration: Intelligence Sourcing; Monitoring and Analyzing; Information Sharing
3. Cybersecurity Controls: Preventative Controls; Detective Controls; Corrective Controls
4. External Dependency Management: Connections; Relationships Management
5. Cyber Incident Management & Resilience: Incident Resilience Planning and Strategy; Detection, Response and Mitigation; Escalation and Reporting
Cyber Maturity/Risk Relationship
Maturity levels (lowest to highest): Baseline, Evolving, Intermediate, Advanced, Innovative
Plotted against institutions from Lowest Risk Institutions to Highest Risk Institutions
Determine Cybersecurity Investment
Inherent Risk Levels (columns): Least, Minimal, Moderate, Significant, Most
Cybersecurity Maturity Level for Each Domain (rows): Baseline, Evolving, Intermediate, Advanced, Innovative
Regions of the matrix: Elevated Investment (maturity above what the inherent risk level calls for) and Underinvestment (maturity below it)
Role of Internal Auditors
• Encourage management to use the FFIEC Cybersecurity Assessment Tool
• Once completed, audit the Inherent Risk Profile and Cybersecurity Maturity for accuracy
• Help monitor gaps and work with management to achieve targeted maturity level(s)
NCUA’s use of the Tool
• Currently informally review credit union awareness and use during routine examinations
• Presently (could change) plan to begin completing the Cybersecurity Assessment Tool as part of the exam process in late 2017
• Have yet to determine the frequency or depth of review
NCUA Support
Support Resources
• Executive Overview of Cybersecurity Assessment Tool
http://www.ffiec.gov/cyberassessmenttool.htm
• Cybersecurity Assessment Observations
http://www.ffiec.gov/press/pr110314.htm
Bank Secrecy Act Compliance
• We continue to review Bank Secrecy Act compliance at every examination
• In 2017, we are focusing on relationships with money services businesses (MSBs) and other accounts that may pose a higher risk for money laundering
BSA Compliance Program
Critical Elements
1. Internal Controls
2. Independent Testing
3. Responsible Person
4. Training
5. Customer/Member Identification Program
BSA Requirements
• Currency Transaction Reporting
• CTR Exempt Person Filing
• Suspicious Activity Reporting
• Monetary Instrument Tracking
• Wire Transfer Recordkeeping
• Foreign Activity Reporting
• Customer/Member Identification Program (CIP/MIP)
• Anti-Money Laundering Program
BSA: Most Common Violations
• 314(a) Information Requests
• Training
• Required Report Filings
• Internal Controls
• Independent Testing
Money Services Businesses
Types
• Currency dealers and exchangers
• Check cashers
• Issuers, sellers, or redeemers of traveler’s checks, money orders or prepaid access cards
• Money transmitters
MSB Requirements
• Must register with FinCEN
• Must develop, implement, and monitor an effective Anti-Money Laundering Program
• Must comply with requirements of the Bank Secrecy Act
MSBs: Due Diligence Expectations
• Not all MSBs pose the same level of risk, and not all MSBs will require the same level of due diligence
• Interagency Guidance issued April, 2005
Minimum Due Diligence Expectations
– Perform CIP
– Confirm FinCEN registration, if applicable
– Confirm state or local licensing, if applicable
– Conduct BSA/AML risk assessment
– Conduct Enhanced Due Diligence, if applicable
Detecting Possible MSB Activity
• Large cash transactions
• Cash transactions not commensurate with expected activity
• High volume of wire transfers
• Deposits of a high volume of third-party checks
• Conducting cash transactions just under $10,000 (“structuring”)
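Each of the indicators above can be screened for mechanically before any judgement call is made, which is how a monitoring process "to detect and monitor MSB activity" usually starts. The Python below is an added example written for this page, not part of the slides or of any NCUA or FinCEN tool: it runs that screen over a constructed one-month ledger. The $10,000 CTR threshold is the figure named on the slide; the "just under" band, the 7-day structuring window, the wire and third-party check counts, the 2x expected-cash multiple, the record layout and the sample accounts are all assumptions chosen for illustration.

```python
"""Screen a month of transactions for the MSB / structuring red flags listed above.
Added example; record layout, thresholds and sample data are constructed assumptions."""
from collections import defaultdict
from datetime import date

CTR_THRESHOLD = 10_000.0        # cash at or above this is reportable on a CTR (from the slide)
UNDER_BAND_FLOOR = 9_000.0      # "just under $10,000" means >= 9,000 and < 10,000 (assumption)
STRUCTURING_WINDOW_DAYS = 7     # repeated sub-threshold cash inside this window (assumption)
STRUCTURING_MIN_COUNT = 3       # ...at least this many times (assumption)
WIRE_VOLUME_LIMIT = 5           # outgoing wires per month considered high volume (assumption)
THIRD_PARTY_CHECK_LIMIT = 5     # third-party check deposits per month (assumption)
EXPECTED_CASH_MULTIPLE = 2.0    # cash above 2x the declared expected monthly cash (assumption)

# Expected monthly cash activity declared at account opening (constructed)
EXPECTED_MONTHLY_CASH = {"A100": 3_000.0, "A200": 50_000.0, "A300": 1_000.0}

# Constructed one-month ledger: (account, date, kind, amount)
# kind is one of "cash_in", "wire_out", "check_dep" or "check_dep_3p" (third-party check)
SAMPLE_TXNS = [
    ("A100", date(2017, 3, 1), "cash_in", 9_600.00),
    ("A100", date(2017, 3, 2), "cash_in", 9_800.00),
    ("A100", date(2017, 3, 4), "cash_in", 9_500.00),
    ("A100", date(2017, 3, 10), "wire_out", 20_000.00),
    ("A200", date(2017, 3, 3), "cash_in", 12_000.00),   # over the threshold: reportable, not structuring
    ("A200", date(2017, 3, 15), "wire_out", 4_000.00),
    ("A300", date(2017, 3, 5), "check_dep", 250.00),
]
SAMPLE_TXNS += [("A300", date(2017, 3, 6 + i), "check_dep_3p", 800.00) for i in range(6)]
SAMPLE_TXNS += [("A300", date(2017, 3, 13 + i), "wire_out", 500.00) for i in range(6)]


def screen_account(account, txns):
    """Return the sorted list of red-flag labels raised by one account's month of activity."""
    flags = set()
    cash = sorted((d, amt) for _, d, kind, amt in txns if kind == "cash_in")
    total_cash = sum(amt for _, amt in cash)

    # Large cash transactions (at or above the CTR threshold)
    if any(amt >= CTR_THRESHOLD for _, amt in cash):
        flags.add("large_cash")

    # Cash transactions just under the reporting threshold
    under = [(d, amt) for d, amt in cash if UNDER_BAND_FLOOR <= amt < CTR_THRESHOLD]
    if under:
        flags.add("under_threshold_cash")

    # Structuring pattern: several sub-threshold cash deposits inside a short window
    for i, (start, _) in enumerate(under):
        in_window = [d for d, _ in under[i:] if (d - start).days <= STRUCTURING_WINDOW_DAYS]
        if len(in_window) >= STRUCTURING_MIN_COUNT:
            flags.add("structuring_pattern")
            break

    # Cash not commensurate with the expected activity declared for the account
    expected = EXPECTED_MONTHLY_CASH.get(account)
    if expected is not None and total_cash > EXPECTED_CASH_MULTIPLE * expected:
        flags.add("cash_exceeds_expected")

    # High volume of wires / third-party check deposits
    if sum(1 for _, _, kind, _ in txns if kind == "wire_out") >= WIRE_VOLUME_LIMIT:
        flags.add("high_wire_volume")
    if sum(1 for _, _, kind, _ in txns if kind == "check_dep_3p") >= THIRD_PARTY_CHECK_LIMIT:
        flags.add("high_third_party_checks")
    return sorted(flags)


def screen_ledger(txns):
    """Group a ledger by account and screen each account; accounts with no flags map to []."""
    by_account = defaultdict(list)
    for row in txns:
        by_account[row[0]].append(row)
    return {acct: screen_account(acct, rows) for acct, rows in sorted(by_account.items())}


if __name__ == "__main__":
    for acct, flags in screen_ledger(SAMPLE_TXNS).items():
        print(acct, "->", ", ".join(flags) if flags else "no red flags")
```

The output is a work list, not a conclusion: a flagged account goes to the due diligence steps on the previous slide (CIP, FinCEN registration and licensing checks, the BSA/AML risk assessment), and the distinction between the over-threshold deposit on A200 and the clustered sub-threshold deposits on A100 is exactly the one an auditor needs the monitoring process to make.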
Role of Internal Auditors
• Perform (or outsource) comprehensive independent BSA compliance testing at least annually
• Ensure effective processes are in place to detect and monitor MSB activity
• Verify credit union is complying with the due diligence expectations for MSBs
BSA Resources
• FFIEC BSA/AML Examination Manual
http://www.ffiec.gov/bsa_aml_infobase/pages_manual/OLM_002.htm
• Financial Crimes Enforcement Network
http://www.fincen.gov/
• Interagency Interpretive Guidance on Providing Banking Services to Money Services Businesses Operating in the United States (April 26, 2005)
http://www.fincen.gov/statutes_regs/guidance/pdf/guidance04262005.pdf
• BSA Resource Page on NCUA’s website
https://www.ncua.gov/regulation-supervision/pages/bank-secrecy-act.aspx
• NCUA Letter to Credit Unions 14-CU-10, Identifying and Mitigating Risks of Money Service Businesses (December 2014)
https://www.ncua.gov/regulation-supervision/Pages/policy-compliance/communications/letters-to-credit-unions/2014/10.aspx
Internal Controls and Fraud Prevention
• Credit unions with limited staff may be more susceptible to insider fraud as a result of inherent challenges maintaining adequate separation of duties
• Accordingly, we continue to take a closer look at internal controls at smaller credit unions
• However, internal controls and fraud prevention are critical in credit unions of all sizes
Purpose of Internal Controls
• Fulfill fiduciary duty to protect assets
• Deter fraud
• Find and correct errors in normal course of business
Main Factors Allowing Fraud to Occur
• Lack of internal controls
• Lack of management review
• Override of internal controls
• Poor tone at the top
Fraud Preventative Measures
• Internal controls
• Competent personnel in oversight roles
• Independent audits
• Appropriate reporting mechanisms
Role of Internal Auditors
Scope of internal audits should include:
– Insider account review
– File maintenance review
– Dormant account activity
– Share draft exception and overdrawn account reports
– Bank reconciliation
– General ledger review
– Loan review
As part of each review, auditors should always evaluate the sufficiency of internal controls.
Fraud Resources
• NCUA Fraud Information Center
https://www.ncua.gov/regulation-supervision/Pages/policy-compliance/communications/fraud-alerts.aspx
• NCUA Fraud Hotline: (800) 827-9650
https://www.ncua.gov/services/Pages/fraud-hotline.aspx
Interest Rate Risk
• In 2017, we started using a revised interest rate risk supervisory tool and new examination procedures to assess interest rate risk management practices
• As part of this review, we look at the relationship between interest rate risk and liquidity risk
Why the Changes?
• Respond to NCUA Board supervisory priorities (expectations)
• Address new requirements:
– IRR Rule (§741 eff. September 2012)
– Derivatives Rule (§703 eff. April 2014)
• Enhance examiner guidance
• Reduce inconsistencies in supervision
• Identify outlier risk
• Continuous Quality Improvement
IRR Supervision Scope (March 2016 Data)
• Total Assets of $500m or greater (493 CUs, $903b): 35 Steps
• Total Assets between $50m and $500m (1,779 CUs, $283b): Is “Supervisory Test” High or Extreme? Yes: 25 Steps; No: 15 Steps
• Total Assets under $50m (3,681 CUs, $55b): Estimated NEV Tool “ENT”; IRR Workbook not required
(The figure also distinguishes the 1st Exam Cycle from Post 1st Exam Cycle)
Key Changes to IRR Supervision
IRR risk-tolerance thresholds (NEV)
– Traditional +/- 300 basis point supervisory test
– Thresholds for post-shock NEV ratio and sensitivity
– Levels for low, moderate, high and extreme IRR
– Utilizes CU data (internally generated NEV reports)
– Non-maturity share benefit (value) capped for Base and Shock scenarios
NEV Supervisory Test – Risk Thresholds
Risk Level   Post-shock NEV   NEV Sensitivity (%)
Low          Above 7%         Below 40%
Moderate     4% up to 7%      40% to 65%
High         2% up to 4%      65% to 85%
Extreme      Below 2%         Above 85%
Note: NCUA has made use of a NEV metric in the current Examiner’s Guide since 2000 in Chapter 13
Key IRR Review Areas
Market Risk
• NEV Supervisory Test
• Analysis of Balance Sheet Valuations
Earnings at Risk
• Review of Scenarios
• Review of results/assumptions
Stress Testing
• Review of Scenarios
• Results
Measurement Systems
• Platform assessments
• Data controls
Risk Management
• Oversight
• Policies/Reporting/Controls/Staff
Benefits for Credit Unions
• Shifting the focus towards IRR outliers
• Uniform, measurable, consistent and transparent IRR measure
• Increased clarity of supervisory expectations
• Increased accuracy of IRR rating
• Greater consistency by examiners
• Risk-focused discussions
• Reduced examination burden for most
Role of Internal Auditors
• Ensure credit unions are complying with Appendix B to Part 741—Guidance for an Interest Rate Risk Policy and an Effective Program
• Internal controls should include:
– Internal assessment of IRR program
– Compliance with policy (evaluate for policy exceptions and compliance with approved limits)
– Timeliness and accuracy of reports
– Audit findings reported to board or supervisory committee
Interest Rate Risk Resources
• NCUA Interest Rate Risk Resources
https://www.ncua.gov/regulation-supervision/Pages/policy-compliance/resource-centers/interest-rate-risk.aspx
• NCUA Letter to Credit Unions 16-CU-08, Revised Interest Rate Risk Supervision (October 2016)
https://www.ncua.gov/regulation-supervision/Pages/policy-compliance/communications/letters-to-credit-unions/2016/08.aspx
Commercial Lending
• Revisions to Part 723, Member Business Loans; Commercial Lending went into effect on January 1, 2017
• Changed from a “prescriptive” rule to a “principles-based” rule
• Policies must be revised to comply with the new rules
Commercial Lending
In crafting new policies and procedures, credit unions should reference both:
• The new regulatory requirements, and
• New correlating guidance contained in the Examiner’s Guide
Commercial Lending: Policy Changes
Policy must:
• Include the new definition of a commercial loan and outline the loan types specifically excluded from the definition of a commercial loan
• Differentiate underwriting standards based on the size, risk, and complexity of the borrower
• Outline the required components of a credit approval document (credit presentation) to include sufficient information to make fully informed credit decisions
Commercial Lending: Policy Changes
Policy must ensure existing and future lending personnel have experience in the following areas:
• Underwriting and processing for the types of commercial lending in which the credit union is engaged
• Overseeing and evaluating the performance of a commercial loan portfolio, including rating and quantifying risk through a credit risk rating system
• Conducting collection and loss mitigation activities for the types of commercial lending in which the credit union is engaged
Commercial Lending: Policy Changes
Policy must:
• Require a borrower-prepared projection when historic performance does not support projected debt payments
• Address the new regulatory requirements pertaining to personal guarantees
Commercial Lending: Policy Changes
If the credit union will consider waiving the personal guarantee, the policy must:
• Establish appropriate criteria, and adopt processes to mitigate the additional risk, for waiving the requirement for personal guarantees, when accepting partial or limited guarantees, or accepting guarantees from individuals who do not have a controlling interest in the borrower
• Require lending staff to document justification and explain how risk was sufficiently mitigated within the credit presentation when not obtaining unlimited personal guarantees
Commercial Lending: Policy Changes
Also, if the credit union waives personal guarantees, the policy must:
• Establish a concentration limit for the aggregate amount of assets allowed in unguaranteed commercial loans (as a percent of net worth)
• Require periodic reporting to the board of directors
Commercial Lending: Policy Changes
Policy must:
• Provide justification and support for loan-to-value limits for different types of collateral
• Address specified risk management requirements
Commercial Lending: Policy Changes
Policy-defined risk management requirements include:
• Use of loan covenants, if appropriate, including frequency of borrower and guarantor financial reporting
• Periodic loan review, consistent with loan covenants and sufficient to conduct portfolio risk management; this review must include a periodic reevaluation of the value and marketability of any collateral
• A process to identify, report, and monitor loans approved as exceptions to the credit union’s policy
Commercial Lending: Policy Changes
• A key principle in the new regulation is that a credit union’s board of directors is ultimately accountable for the safety and soundness of the credit union’s commercial lending activities
• To this end, the policy should require a comprehensive set of reports be provided to the board of directors to demonstrate they are fully informed of the risk of the commercial lending operations
• The guidance contains a list of examples
Commercial Lending: Policy Changes
Policy must address new requirements for construction and development lending, including how the credit union will determine the collateral value associated with the project, which must be based on the lesser of the project’s cost to complete or its prospective market value
Commercial Lending: Policy Changes
Also, policy for construction and development loans must meet the following conditions:
• Qualified personnel representing the interests of the credit union must conduct a review and approval of any line item construction budget prior to closing the loan
• A credit union approved requisition and loan disbursement process is established
Commercial Lending: Policy Changes
• Release or disbursement of loan funds occurs only after on-site inspections, documented in a written report by qualified personnel representing the interests of the credit union, certifying that the work requisitioned for payment has been satisfactorily completed and that the remaining funds available to be disbursed from the construction and development loan are sufficient to complete the project
• Each loan disbursement is subject to confirmation that no intervening liens have been filed
Role of Internal Auditors
• If your credit union conducts commercial lending, ensure the member business loan policy has been revised to comply with the new requirements.
• Audit policy for compliance with regulations and guidance contained in the Examiner’s Guide.
• Verify underwriting and documentation complies with the new requirements.
Commercial Lending Resources
• Part 723 of NCUA Rules and Regulations
https://www.ecfr.gov/cgi-bin/text-idx?SID=a787104950456263ce693f65aa56ccbe&mc=true&tpl=/ecfrbrowse/Title12/12cfr723_main_02.tpl
• NCUA Letter to Credit Unions, 16-CU-11, Member Business Loans Guidance Added to Examiner’s Guide (November 2016)
https://www.ncua.gov/regulation-supervision/Pages/policy-compliance/communications/letters-to-credit-unions/2016/11.aspx
Consumer Compliance
• In 2017, we are reviewing the following areas for compliance:
– Military Lending Act
– Servicemembers’ Civil Relief Act
• Encourage internal auditors to proactively verify compliance in these areas, and with other new or revised consumer compliance regulations.
Consumer Compliance Resources
• NCUA Letter to Credit Unions 16-CU-07, Military Lending Act Examination Approach (October 2016)
https://www.ncua.gov/regulation-supervision/Pages/policy-compliance/communications/letters-to-credit-unions/2016/07.aspx
• NCUA Consumer Compliance Regulatory Resources website
https://www.ncua.gov/regulation-supervision/Pages/policy-compliance/resource-centers/consumer.aspx
Red Flags
• Lack of Segregation of Duties
• Unusually High Earnings
• Rapid Loan Growth
• Unusually Low Loan Delinquency and/or Charge-off Rates
Lack of Segregation of Duties
Encourage internal auditors to:
• Ensure loan approval and disbursement are segregated at all times (required by FCU Act)
• Ensure cash is counted under dual control, and all cash (including the vault) is counted on a reasonably frequent basis
• Verify bank and general ledger reconcilements are performed by someone without access to cash or authority to disburse loans
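All three checks above are least-privilege questions about who holds which authority, and they can be answered from role assignments and activity records rather than by interview. The Python below is an added example for this page (not code from the slides or from any NCUA tool) that runs those checks over constructed data: it flags loans approved and disbursed by the same person, standing role sets that already combine incompatible authorities, cash counts with fewer than two counters, reconciliations done by someone with cash access or disbursement authority, and count locations that have gone too long without a count. The role names, the record layouts, the 30-day count interval, the review date and the sample staff and records are assumptions.

```python
"""Segregation-of-duties checks over constructed staff-role and activity records.
Added example; role names, record layouts, the count interval and the data are assumptions."""
from datetime import date

# Constructed standing role assignments: which authorities each employee holds
STAFF_ROLES = {
    "alice": {"loan_approve"},
    "bob":   {"loan_disburse", "cash_access"},
    "carol": {"reconcile"},
    "dave":  {"reconcile", "cash_access"},          # reconciles while holding cash access
    "erin":  {"loan_approve", "loan_disburse"},     # could approve and disburse the same loan
}

# Constructed loan events: (loan id, approved by, disbursed by)
LOANS = [
    ("L1", "alice", "bob"),
    ("L2", "erin", "erin"),     # one person approved and disbursed
    ("L3", "alice", "erin"),
]

# Constructed cash counts: (location, count date, staff present)
CASH_COUNTS = [
    ("vault", date(2017, 3, 1), ["bob", "dave"]),
    ("teller-1", date(2017, 3, 1), ["bob"]),        # single counter, no dual control
    ("vault", date(2017, 4, 15), ["bob", "dave"]),
]

# Constructed reconciliation records: (account, date, performed by)
RECONCILIATIONS = [
    ("bank-operating", date(2017, 3, 31), "carol"),
    ("general-ledger", date(2017, 3, 31), "dave"),  # dave also has cash access
]

AS_OF = date(2017, 5, 12)            # review date (assumption)
MAX_DAYS_BETWEEN_COUNTS = 30         # what "reasonably frequent" means here (assumption)
INCOMPATIBLE_WITH_RECONCILE = {"cash_access", "loan_disburse"}


def approval_disbursement_conflicts(loans):
    """Loans where the same person both approved and disbursed."""
    return [loan_id for loan_id, approver, disburser in loans if approver == disburser]


def role_conflicts(roles):
    """Staff whose standing roles are incompatible, before any transaction happens."""
    conflicts = {}
    for person, held in roles.items():
        problems = []
        if {"loan_approve", "loan_disburse"} <= held:
            problems.append("approve+disburse")
        clash = held & INCOMPATIBLE_WITH_RECONCILE
        if "reconcile" in held and clash:
            problems.append("reconcile+" + "/".join(sorted(clash)))
        if problems:
            conflicts[person] = problems
    return conflicts


def dual_control_violations(counts):
    """Cash counts performed by fewer than two distinct people."""
    return [(loc, day) for loc, day, present in counts if len(set(present)) < 2]


def reconciliation_conflicts(recs, roles):
    """Reconciliations done by someone holding cash access or loan disbursement authority."""
    return [(acct, who) for acct, _, who in recs if roles.get(who, set()) & INCOMPATIBLE_WITH_RECONCILE]


def stale_cash_counts(counts, as_of, max_gap_days):
    """Locations whose most recent count is older than max_gap_days as of the review date."""
    latest = {}
    for loc, day, _ in counts:
        latest[loc] = max(latest.get(loc, day), day)
    return sorted(loc for loc, day in latest.items() if (as_of - day).days > max_gap_days)


if __name__ == "__main__":
    print("approve == disburse:", approval_disbursement_conflicts(LOANS))
    print("role conflicts:", role_conflicts(STAFF_ROLES))
    print("no dual control:", dual_control_violations(CASH_COUNTS))
    print("reconciler with cash/disbursement access:", reconciliation_conflicts(RECONCILIATIONS, STAFF_ROLES))
    print("stale counts:", stale_cash_counts(CASH_COUNTS, AS_OF, MAX_DAYS_BETWEEN_COUNTS))
```

Checking standing roles (role_conflicts) and actual events (approval_disbursement_conflicts, reconciliation_conflicts) are deliberately separate: a small credit union may have no choice but to give one employee both authorities, and the event-level check then shows whether a compensating control (a second approver, a different reconciler) was actually applied.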
Unusually High Earnings
When earnings are unusually high, encourage internal auditors to:
• Determine the source of the unusually high earnings
• Ensure the risks of the income source are known and properly communicated
Red flag: High fee income can be an indicator of elevated credit risk (lender of last resort)
Rapid Loan Growth
When there is rapid loan growth, encourage internal auditors to:
• Review the cause of the rapid growth, and any associated risks
• Verify the controls over, and quality of, the loans
Red flag: Rapid growth in indirect loans
Low Loan Delinquency or Charge-off Rates
When delinquency or charge-offs are unusually low, encourage internal auditors to:
• Verify delinquency is not being masked by extending due dates (review file maintenance reports and high amounts of accrued interest on current loans)
• Review collection activity and notes for reasonableness on loans delinquent greater than 120 days
• Ensure charge-off policies are being followed
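The first two bullets describe a file maintenance review that can be scripted: pull the due-date changes out of the maintenance log, compare them with the loan status the system reports, and queue the long-delinquent loans whose collection notes need reading. The Python below is an added example written for this page, not part of the slides or of any core-system report; the field names, the "more than two extensions" and "accrued interest above 10% of balance" thresholds, and the sample log and status records are assumptions, while the 120-day line is the one the slide names.

```python
"""Scan constructed file-maintenance and loan-status records for delinquency being masked
by pushing due dates forward. Added example; field names, thresholds and data are assumptions."""
from collections import Counter, defaultdict
from datetime import date

MAX_EXTENSIONS = 2             # more forward due-date moves than this is suspicious (assumption)
ACCRUED_INTEREST_RATIO = 0.10  # accrued interest above 10% of balance on a "current" loan (assumption)
COLLECTION_REVIEW_DAYS = 120   # from the slide: read collection notes on loans past 120 days

# Constructed file maintenance log: (loan id, change date, field, old value, new value, changed by)
FILE_MAINT = [
    ("L100", date(2017, 1, 15), "due_date", date(2017, 1, 10), date(2017, 2, 10), "erin"),
    ("L100", date(2017, 2, 14), "due_date", date(2017, 2, 10), date(2017, 3, 10), "erin"),
    ("L100", date(2017, 3, 15), "due_date", date(2017, 3, 10), date(2017, 4, 10), "erin"),
    ("L200", date(2017, 2, 1), "due_date", date(2017, 2, 1), date(2017, 3, 1), "frank"),
    ("L300", date(2017, 3, 1), "address", "1 Main St", "2 Oak Ave", "gina"),
]

# Constructed status snapshot: loan id -> (balance, accrued interest, days delinquent)
LOAN_STATUS = {
    "L100": (50_000.0, 7_500.0, 0),    # reported current, but carrying heavy accrued interest
    "L200": (10_000.0, 100.0, 0),
    "L300": (20_000.0, 300.0, 150),    # genuinely delinquent, past the 120-day review line
}


def due_date_extensions(log):
    """Map loan id -> list of (change date, days added, changed by) for forward due-date moves."""
    ext = defaultdict(list)
    for loan_id, when, field, old, new, who in log:
        if field == "due_date" and new > old:
            ext[loan_id].append((when, (new - old).days, who))
    return ext


def masked_delinquency_candidates(log, status):
    """Loans shown as current whose history suggests the delinquency is being hidden."""
    ext = due_date_extensions(log)
    flagged = {}
    for loan_id, (balance, accrued, days_delinquent) in status.items():
        reasons = []
        if len(ext.get(loan_id, [])) > MAX_EXTENSIONS:
            reasons.append(f"{len(ext[loan_id])} due-date extensions")
        if days_delinquent == 0 and balance > 0 and accrued / balance > ACCRUED_INTEREST_RATIO:
            reasons.append("high accrued interest on a current loan")
        if reasons:
            flagged[loan_id] = reasons
    return flagged


def extensions_by_user(log):
    """Who is making the extensions: one employee doing all of them is itself worth a look."""
    return Counter(who for entries in due_date_extensions(log).values() for _, _, who in entries)


def collection_review_queue(status, min_days=COLLECTION_REVIEW_DAYS):
    """Loans delinquent longer than min_days whose collection notes should be read for reasonableness."""
    return sorted(loan_id for loan_id, (_, _, days) in status.items() if days > min_days)


if __name__ == "__main__":
    print("masked delinquency candidates:", masked_delinquency_candidates(FILE_MAINT, LOAN_STATUS))
    print("extensions by user:", dict(extensions_by_user(FILE_MAINT)))
    print("collection notes to review:", collection_review_queue(LOAN_STATUS))
```

The two signals are checked independently on purpose: a loan can be rolled forward a few times for legitimate reasons, and a current loan can carry accrued interest for a while after a missed payment, but a loan that shows both, with every extension keyed by the same employee, is the insider-account review case the earlier slide points at.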
Questions
Contact Information
Feel free to contact us with questions or comments.
Primary Staff: Peter Seidl, Principal Examiner
Secondary Staff: Justin Burleson, Supervisory Examiner