Archive Links

Consumer Archive
CU System Archive
Market Archive
Products Archive
Washington Archive

Washington Archive


Clean audit given to NCUAs stabilization fund for 2010

 Permanent link
ALEXANDRIA, Va. (12/28/11)--The National Credit Union Administration's  (NCUA) Temporary Corporate Credit Union Stabilization Fund (TCCUSF) received a "clean"--or unqualified--audit of its 2010 financial statements, the agency announced Tuesday.

The Credit Union National Association has  been concerned that sufficient information has not been provided to credit unions regarding the agency's handling of the legacy assets of the conserved corporate credit unions and had also expressed concerns about the tardiness of the year-end 2010 TCCUSF financial statements.

The purpose of the audit opinion, of course, is to express an opinion on whether the financial statements of the stabilization fund are fairly presented. The audit was executed by KPMG LLP, the independent firm that also issued a clean audit on the financial statement of the National Credit Union Share Insurance Fund in May.

The firm also reviewed the internal control structure of the stabilization fund, as well as evaluated compliance with laws and regulations, as part of its audit.

Although the audit references a number of reasons for delay, the report does fault the timeliness of the agency's reporting.

The KPMG finding acknowledges that the NCUA faced "unprecedented developments related to finalizing the 2010 financial statements" and makes recommendations to ensure that the agency produces timely reporting in the future.

The finding states:

"During 2010, the National Credit Union Administration undertook a new initiative, the Corporate System Resolution Program…as a result of the failing corporate credit unions (CCUs)due to the financial system crisis. The broad-reaching inter-related implications of this unprecedented initiative, which included actions to accumulate and value assets of liquidated CCUs and their corresponding temporary bridge entities, presented significant financial reporting challenges.

"Simultaneously, the agency was transitioning to new accounting standards for another fund as well as implementing a new accounting system. This unprecedented initiative and its reporting challenges hindered NCUA's ability to fully plan and execute timely all the related accounting requirements for the TCCUSF and contributed to delays in the publication of the financial statements by OMB [Office of Management and Budget] established deadlines."

Last year, the 2009 audit--also "clean"--was released in July. KPMG issued a clean audit for the NCUSIF for that year at the same time.

The stabilization fund was created by the U.S. Congress in 2009 to provide flexibility to the NCUA as it worked to manage the impact of the costs to consumer credit unions associated with the troubled mortgage-backed securities purchased by the five failed corporate credit unions.

Use the resource link to access the audit.

FinCEN offers help to ID report account-takeovers

 Permanent link
VIENNA, Va. (12/28?11)--The Financial Crimes Enforcement Network (FinCEN) is issuing an advisory to assist credit unions and other financial institutions in identifying account-takeover activity and reporting the activity by filing Suspicious Activity Reports (SARs).

FinCEN, in its alert, notes that cybercriminals are increasingly using sophisticated methods to obtain access to accounts, including the use of malware--the computer-ese for malicious software--SQL injection attacks (SQLIA), spyware, Trojans, and worms. These attacks aim to exploit a member's or customer's account and, often, to gain seemingly legitimate access to another customer's account.

FinCEN says that through ongoing monitoring, financial institutions may be able to identify inconsistencies with normal account activity, which could indicate illicit intrusions into an account. Such irregularities might include, but are not limited to, unusual ATM activity, clustered Automated Clearing House transactions in different geographic areas, sudden wire transfers, or changes to customer and account profiles.

Account-takeover activity is different than other forms of computer intrusion because it is the accountholder, rather than the financial institution maintaining the account, that is the primary target of the fraud.

FinCEN says that a financial institution is required under the Banker Secrecy Act to file a SAR if it: Knows, suspects, or has reason to suspect" that a transaction conducted or attempted by, at, or through the financial institution involves funds derived from illegal activity or an attempt to disguise funds derived from illegal activity, is designed to evade requirements under the BSA, or lacks a business or apparent lawful purpose, the financial institution may be required to file a SAR.

When completing SARs on suspected account takeover activity, financial institutions should use the term "account takeover fraud" in the narrative section of the SAR and provide a detailed description of the activity.

Use the resource link below to read more of the FinCEN advisory and to see more examples of possible account-takeover red flags.

Compliance CUs must build better online account security

 Permanent link
WASHINGTON (12/28/11)--January 2012 is the timeframe mentioned by the National Credit Union Administration (NCUA) for federally insured credit unions to adapt "appropriate strategies" to institute "key precautions" to address the growing problem of online transaction fraud at institutions that offer electronic services.

Back in 2005, the NCUA and the federal banking agencies issued "Authentication in an Internet Banking Environment."  It was an effort intended to move institutions away from single-factor authentication--such as user name and password only-- to the use of multi-factor authentication, like username with password and PIN, or password and challenge question, layered security and other controls.

Then just this past July the agencies issued a supplement to this guidance to address growing incidences of online transaction fraud and ID theft, and to highlight some key precautions institutions should take if they offer electronic services.  (Use resource link to see NCUA Letter to Credit Unions 11-CU-09: Online Member Authentication Guidance).

A recent Credit Union National Association (CUNA) webinar highlighted that Jan. 1, 2012 is not a compliance "deadline." Rather, credit unions that offer online banking will need to be able to provide a progress report by that date.  They will need to demonstrate that they have:

  • Reviewed and updated the credit union's risk assessment;
  • Talked to their vendor(s); and
  • Put together a timeline or compliance in 2012. 
 With that in mind, CUNA's compliance team recommends that a credit union should:

  • Review and update risk assessments as new information becomes available, prior to implementing new electronic financial services, or at least every twelve months. Consider any: changes in the internal and external threat environment; changes in the member base adopting electronic banking; changes in the member functionality offered through electronic banking; and any actual incidents of security breaches, identity theft, or fraud experienced by the credit union or financial services industry.
  • Implement more robust controls for "high risk" transactions, which include the use of automated payment mechanisms (e.g., ACH, wire transfer) or offering online services for commercial accounts. The agencies recommend both layered security and multifactor authentication for business accounts because of the higher dollar amounts involved and the frequency of transactions.
  • Implement layered security programs at the transaction process level based on the credit union's service operations and threat environment to facilitate fraud detection and respond to suspicious activity. Layered security means that if a vulnerable control is installed at a different point, it can be compensated for by the strength of other control layers. The layered security approach can significantly strengthen the overall security of an institution's Internet-based services, and has been shown to reduce money transfer fraud. The agency guidance provides several examples of controls that may be included in a layered security program.
  • Re-evaluate current authentication techniques to determine if they are still effective in today's online environment.   Apparently, use of simple "cookies" for device identification and/or typical challenge questions (e.g., mother's maiden name, city where you were born, high school, etc.) just won't cut it anymore. More sophisticated authentication techniques are now available from many vendors, as described in the guidance.
  • Educate membership so all are aware of the steps the credit union is taking to protect them and the institution from cyber-crime, and let them know what they can do to protect themselves.  Advise them of their Regulation E error resolution rights, and that the credit union may ask them to provide electronic banking credentials, implement suggested risk control mechanisms, and contact authorities when they become aware of suspicious activity.

Inside Washington (12/27/2011)

 Permanent link
  • WASHINGTON (12/28/11)--President Barack Obama was expected to announce plans Tuesday to nominate economist Jeremy Stein, a Harvard University finance professor, and Jerome Powell, a former private-equity executive,  to fill the two open spots on the Federal Reserve's  seven-member board of governors. (The Wall Street Journal Dec. 27)  The move essentially packages a nominee who is a Democrat with one who is a Republican in what is described as an attempt to overcome daunting hurdles in the path of Senate confirmation …
  • Washington (12/28/11)--$2.2 billion-asset Bank of Hampton Roads in Norfolk, Va., will pay $33,600 in fines and $619 million-asset State Bank and Trust Co. of Defiance, Ohio, will pay $9,340 in fines for violations of the National Flood Insurance Act, reported the Dec. 27 issue of American Banker.  The penalty orders did not describe the banks'  violations, but the article noted the act's requirement that loans secured by properties in these areas at a high risk for flooding have the proper coverage.  The Virginia bank was named in violation in its capacity as successor of Gateway Bank and Trust in Elizabeth City, N.C.,  which Hampton Roads acquired in 2009 …
  • WASHINGTON (12/28/11)--Late last week, four federal banking agencies approved an extension on the comment period for a proposal that  requires regulators to implement certain prohibitions on banking entity and nonbank financial company to restrict their ability to engage in proprietary trading and have certain interests in, or relationships with, a hedge fund or private equity fund.  The proposal, commonly referred to as the Volcker Rule, is part of the Dodd-Frank Wall Street Reform and Consumer Protection Act.  The new comment deadline is Feb. 13, 2012, pushed back from Jan. 13, 2012. The proposal was issued by the Federal Reserve Board, the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency, and the Securities and Exchange Commission …