Washington Archive


More than 90% of 2014 data breaches were preventable, report says

SEATTLE (1/26/15)--More than 90% of data breaches that occurred in the first half of 2014 could have easily been prevented, according to the 2015 Data Protection Best Practices report from the Online Trust Alliance (OTA).

The nonprofit organization, which has a mission to "enhance online trust," analyzed more than 1,000 breaches involving the loss of personally identifiable information in 2014.

It found that 40% were the result of external intrusions, 29% were caused by employees due to a lack of internal controls, 18% were due to lost or stolen devices or documents and 11% were due to social engineering scams or fraud.

According to OTA, its recommendations for assessing third-party vendors would have prevented and contained the breaches at Target and Home Depot--breaches that have cost credit unions close to $100 million.

Some of the recommendations included in the report are:
  • Enforce effective password management policies by using multifactor authentication (e.g. passwords and one-time PINs), requiring the use of passwords for external vendor systems that are different from internal systems and deploying a log-in abuse detection system that monitors connections, login counts, cookies and other data;

  • Run accounts with as few privileged access levels as possible, which is known as least privilege user access (LUA). For example, allow a user to edit documents or emails but do not give access to download payroll data or member lists;

  • Use multilayered firewall protections that include up-to-date antivirus software and whole-disk encryption on all laptops, mobile devices and other equipment with sensitive data;

  • Implement a mobile device management program that requires authentication to unlock a device, locks a device after five failed login attempts and enables remote wiping of a device should it become lost or stolen; and

  • Permit only authorized wireless devices to connect to a network, including point-of-sale terminals and credit card devices. This includes encrypting communications with all wireless routers and printers. Keep "guest" network access on separate servers and access devices with strong encryption.

OTA has also included a risk assessment guide as part of its report. The policies in the guide echo the proposals outlined by President Barack Obama in his recent remarks regarding data security.

The Credit Union National Association continues to urge the U.S. Congress to increase data security standards for merchants so they are more aligned with the higher standards required of credit unions and other financial institutions. (See story: CUNA, trades unite to urge Congress on data security action.)

Inside Washington (1/26/15)

WASHINGTON (1/26/15)--Sen. Sheldon Whitehouse (D-R.I.) and Rep. Richard Neal (D-Mass.) have introduced legislation that would create automatic payroll deposit Individual Retirement Accounts, or Auto IRAs, for workers who do not have access to employer-provided qualified retirement plans. The bill would also require employers with 10 or more employees to automatically enroll workers in an Auto IRA unless the employee opts out. The employers could receive tax credits to defray the costs of setting up the accounts. The Automatic IRA Act, as it is called, was jointly developed by Brookings Institution and Heritage Foundation scholars ...

CUNA, Defense CU Council meet with CFPB on CU exemption from lending changes

WASHINGTON (1/26/15)--Credit unions should be exempt from proposed changes to the Military Lending Act (MLA), Credit Union National Association and Defense Credit Union Council (DCUC) staff told federal regulators Friday.

The meeting was with staff from the Consumer Financial Protection Bureau (CFPB), which is working in close collaboration with the Department of Defense (DOD) to finalize the proposal.

The changes would amend the MLA to place a 36% cap on the annual percentage rate (APR) of interest charged by credit products covered by the regulation, which includes credit cards. It would also require creditors to provide additional disclosures and consumer protections.

CUNA is concerned that the regulation would hamper credit unions' ability to extend credit to servicemembers and expressed concerns in its December comment letter on the proposal. This was followed by a supplemental comment letter earlier this month.

CUNA and the DCUC noted during the meeting that credit unions are not part of the problem the proposed changes are meant to address--predatory lenders that alter products to skirt MLA requirements. Therefore, credit unions should not fall under the proposed rule changes.

CUNA also urged the CFPB to work with the DOD to ensure the proposed changes will not adversely affect credit unions' ability to make Payday Alternative Loans (PALs), which is a program created by the National Credit Union Administration.

NCUA Chair Debbie Matz previously expressed concerns that the PAL program would be affected by the new regulation and sent her own letter to the DOD, asking for PALs to be exempt from the proposal.

During the meeting, CUNA also expressed reservations about the proposed changes to the process by which creditors determine whether a consumer is a "covered borrower" using the Defense Manpower Data Center database, should the DOD not exempt credit unions from the proposal.

Act fast: Don't miss today's webinar on RBC2 impact, continuing concerns

WASHINGTON (1/26/15)--There is still time to register for today's free webinar from the Credit Union National Association on the National Credit Union Administration's revised risk-based capital proposal (RBC2). The 60-minute webinar is scheduled for 1 to 2 p.m. (ET).

CUNA President/CEO Jim Nussle, Chief Policy Officer Bill Hampel and Deputy General Counsel Mary Dunn will discuss how and to what extent the new proposal addressed the significant concerns CUNA members raised with the first proposal.

CUNA staff will go into details of the organization's estimator tool, which is scheduled to go online today. The estimator will allow credit unions to plug in their own numbers and estimate the full impact the proposal would have on their operations.

The webinar will also feature the CUNA economic team's analysis of the impact the proposal will have, as well as other areas of continuing concern.

CUNA staff will show credit unions what they need to assess their own outcome under the proposal, including the estimator tool, in addition to the proposal's broader implications for the credit union community.

In addition to CUNA staff, NCUA Director of Examination and Insurance Larry Fazio will break down the proposal, including reasons behind many of the changes from the original proposal.

Nussle, Hampel, Dunn and Fazio will also answer questions from participants, as time allows.

The RBC2 proposal was released at the NCUA's Jan. 15 board meeting, almost a year after the original proposal was introduced. While it contains improvements over the original, it is still a "solution in search of a problem," Nussle said.

The proposal will have a 90-day comment period, which will begin once it is published in the Federal Register. Publication is expected in the coming weeks.

CUNA, trades unite to urge Congress on data security action

WASHINGTON (1/26/15)--A group of financial trade organizations, including the Credit Union National Association, has written to Congress with a set of principles to serve as a guide for potential data security legislation.

President Barack Obama has spoken of the need for such legislation, and the House subcommittee on commerce, manufacturing and trade will host a hearing this week examining what sound data breach legislation should look like.

CUNA President/CEO Jim Nussle said the joint letter--with credit unions and banks uniting in a single message--serves to underscore the importance that legislative action be taken to plug the gaps in data security rules that apply to merchants.

The letter reads, "Some industries--including the financial industry--are required by law to develop and maintain robust internal protections to combat and address criminal attacks, and are required to protect consumer financial information and notify consumers when a breach occurs within their systems that will put their customers at risk.

"The same cannot be said for other industries, like retailers, that routinely handle this same information and increasingly store it for their own purposes."

The letter is signed by CUNA, the American Bankers Association, the Consumer Bankers Association, the Financial Services Roundtable, the Independent Community Bankers Association, the National Association of Federal Credit Unions and The Clearing House.

The principles the organizations believe should serve as a guide when drafting data breach legislation are:
  • Strong national data protection and consumer notification standards with effective enforcement provisions that are applicable to any party with access to important consumer financial information;

  • Banks and credit unions are already subject to robust data protection and notification standards. These Gramm-Leach-Bliley Act requirements must be recognized;

  • Pre-emption of inconsistent state laws and regulations for strong federal data protection and notification standards;

  • In the event of a breach, the public should be informed where it occurred as soon as reasonably possible to allow consumers to protect themselves from fraud. Credit unions and banks should be able to inform their customers and members about the information regarding the breach, including the entity at which the breach occurred; and

  • Requiring the costs of data breaches to be borne by the entity that incurs the breach.

Financial institutions are subject to significant federal requirements regarding protection of information and consumer notification, and they are also subject to federal oversight, examination and sanction authority.

"This extensive legal, regulatory examination and enforcement regime ensures that financial institutions robustly protect Americans' personal financial information," the letter reads. "In contrast, retailers that accept electronic payments face no similar requirements or oversight, and as a result millions of American consumers' personal financial information has been compromised in recent years."

According to surveys conducted by CUNA on the Home Depot and Target breaches, those events cost credit unions roughly $60 million and $30 million, respectively.

Consumers fear inaccurate info lingers on credit reports, says FTC study

WASHINGTON (1/23/15)--Most consumers reporting unresolved errors in their credit scores believe that inaccurate information is still on their credit report, according to a study from the Federal Trade Commission (FTC).

The study, released Tuesday, is the sixth and final congressionally mandated study on national credit report accuracy from the FTC.

A full 23% of those with lingering problems told the FTC that they just do not have the time to continue the fight to get the errors cleared up.

An earlier study--one in 2012--found that 20% of consumers had an error on at least one of their three credit reports that was corrected by a credit reporting agency (CRA) after it was disputed. That study also found that approximately 20% of the consumers who identified errors in their credit reports saw a later improvement in their score that resulted in a lower credit-risk tier.

This week's study is a follow-up to the 2012 study, and it focuses on 212 consumers who had at least one unresolved dispute in the 2012 study. The 2015 report found that 37 of those consumers (31%) found the disputed information had been corrected.

The other 84 consumers continue to believe some of the disputed information on their reports is still inaccurate. Thirty-eight of those consumers (45%) said they plan to continue their dispute, 42 (50%) said they would abandon their dispute and the remaining four said they are undecided.

The 42 consumers who plan to abandon the process are involved in 93 total disputes. Of those, 40% said they were not interested in pursuing the matter, or the inaccurate information is not important. As mentioned, another 23% of those consumers indicated they do not have enough time to continue the dispute.

The 2015 study recommends that:
  • CRAs review and improve the dispute results notification process to ensure notices and explanation of investigation results are provided to consumers;

  • CRAs continue to explore efforts to educate consumers regarding their rights to review their credit reports and dispute inaccurate information; and

  • Consumers continue to examine their credit reports annually by using and follow the Federal Credit Reporting Act dispute process when inaccuracies are identified. Following the resolution of a dispute, consumers should continue to check their credit reports for potential rare instances of reinsertion.

According to the FTC, "due to the relatively small number of consumers who participated in the follow-up interview, the commission has determined not to recommend any specific legislative action regarding credit reporting accuracy at this time."

Inside Washington (1/23/15)

  • WASHINGTON (1/23/15)--The Internal Revenue Service has released a video highlighting a "dirty dozen," a list of tax scams that are active during the 2015 filing season. Phone scams featuring aggressive IRS impersonators remain near the top of the list, as well as other scams used during peak filing season. The video is also available in Spanish and American Sign Language, and in podcast form in English and Spanish. The Treasury Inspector General for Tax Administration said nearly 3,000 victims have collectively paid over $14 million as a result of one particular phone scam since October 2013, where callers pretend to be IRS officials and demand payments sent via prepaid debit cards ...