Credit Unions May Be Ready for End of XP Support, But Are Their Members?

By Robert McGarvey

The menace represented by the nation's many millions of computers running Windows XP, which Microsoft will stop patching on April 8, just may be multiplying.

The issue is not the XP fleet inside credit unions. Most financial institutions know Microsoft is ceasing support, they know their regulators will be monitoring their transition off XP, and they have plans.

Some plans are better than others, and some credit unions may not have any plan at all, but, as a rule, financial institutions are tackling this problem.

But there is a huge XP problem they aren't tackling. The venerable operating system is running on computers used by credit union members, who will be accessing online banking and possibly other services from machines that may well be infected with malware exploiting newly discovered, and now permanently unpatched, vulnerabilities.

XP, understand, is a relic, but a widely used relic. It went on sale to the public in October 2001. Right now, it powers nearly one-third of computers in use globally. Upgrade paths for those many millions of computers are unclear. Most of them are relics too; many could not run Windows 7, let alone Windows 8, the latest version of the operating system (released in 2012). Bottom line: Come April 9, there still will be millions of computers running XP.

“What new risks will financial institutions face on April 9?” asked Tom Hinkel, director of compliance at Safe Systems, an Alpharetta, Ga., IT vendor to the financial services industry. “XP will enter a life phase where it forever is in a zero day exploit,” meaning that every new hole criminals poke in the system will stay open, and they will know it will remain unplugged as long as Microsoft sticks to its resolve to turn its back on XP.

Some experts note, ominously, that very few new XP exploits have been released lately. The implication is that cyber criminals are stockpiling exploits, counting down to Microsoft's end of support, and will release them once the final patch has shipped. So there may be an avalanche of exploits arriving in mid-April.

Two big questions have to be asked: How big a risk do members running XP represent to credit unions, and is it in the best interest of credit unions to work with vulnerable members to educate them about XP risks?

“Financial institutions have to make sure they are hardened against these attacks on the server side,” advised Jason Blackett, a product manager at Utah-based software developer Novell.

“There really will be no easy way for financial institutions to mitigate risks posed by member computers,” Blackett added.

The first-line threat is simply that the member's computer becomes riddled with malware, such as the credential-stealing Zeus keylogger and malware not yet identified.

It gets scarier from there. What if hackers concoct a way to use an infected XP machine to attack a credit union's servers? Impossible? Maybe. But maybe not, because XP will suddenly become a playground for hackers seeking to launch new kinds of attacks, and there is no saying what they will or won't do.

As for what credit unions can do, Hinkel urged that “the financial institution has to reach out, they have to make the effort to educate the customer. It would be easy to put a pop-up on online banking: ‘You May Be Using an Insecure Operating System.’”

That is: As members log into online banking from XP, tell them they may have risks that need attending to.

Still more needs to be done for the highest-risk members. Hinkel stressed that the savvy credit union will quickly identify its highest-risk members, in most cases small businesses using XP for online banking, and then “do an outreach.”
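The two steps above, an in-session warning for XP users and a short list of high-risk members for direct outreach, both depend on recognizing XP at login. Browsers on XP report the kernel version in the HTTP User-Agent header ("Windows NT 5.1" for 32-bit XP, "Windows NT 5.2" for XP x64, a version XP shares with Server 2003), so a banking front end can detect it without any client-side software. The following is an added example, not code from the article or from Safe Systems or Novell; the login-log field names and the sample User-Agent strings are constructed for illustration.

```python
"""Flag online-banking logins from Windows XP via the browser User-Agent header.

Added example, not code from the article or from Safe Systems/Novell.
Assumptions: the banking front end sees the HTTP User-Agent header, and a
login log exists with member ID, account type and User-Agent (field names
invented here).
"""
import re
from collections import defaultdict

# Browsers on XP report the NT kernel version, not the marketing name.
# 5.1 = XP 32-bit; 5.2 = XP x64 (also Windows Server 2003, which shares that kernel).
XP_NT_VERSIONS = {"5.1": "Windows XP", "5.2": "Windows XP x64 / Server 2003"}
_NT_VERSION = re.compile(r"Windows NT (\d+\.\d+)")

BANNER = "You May Be Using an Insecure Operating System"  # wording quoted from Hinkel


def windows_nt_version(user_agent):
    """Return the 'Windows NT x.y' version number found in a User-Agent, or None."""
    match = _NT_VERSION.search(user_agent or "")
    return match.group(1) if match else None


def is_windows_xp(user_agent):
    """True if the User-Agent reports an XP-era kernel (NT 5.1 or 5.2).

    The header is client-supplied and trivially spoofed or rewritten by proxies,
    so this is suitable for an advisory banner, not for access control.
    """
    return windows_nt_version(user_agent) in XP_NT_VERSIONS


def login_banner(user_agent):
    """Warning text to show after login, or None when no warning is warranted."""
    if is_windows_xp(user_agent):
        return f"{BANNER} ({XP_NT_VERSIONS[windows_nt_version(user_agent)]})"
    return None


def outreach_list(login_records):
    """Rank members seen logging in from XP for direct outreach.

    Business accounts come first (the article's highest-risk group), then by the
    number of XP logins, then by member ID for a stable order.
    Returns (member_id, account_type, xp_logins, total_logins) tuples.
    """
    stats = defaultdict(lambda: {"account_type": None, "xp": 0, "total": 0})
    for rec in login_records:
        entry = stats[rec["member_id"]]
        entry["account_type"] = rec["account_type"]
        entry["total"] += 1
        if is_windows_xp(rec["user_agent"]):
            entry["xp"] += 1
    flagged = [(mid, s) for mid, s in stats.items() if s["xp"]]
    flagged.sort(key=lambda item: (item[1]["account_type"] != "business", -item[1]["xp"], item[0]))
    return [(mid, s["account_type"], s["xp"], s["total"]) for mid, s in flagged]


# Constructed sample login log (not real data); User-Agent strings are typical of early 2014.
XP_IE8 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
XP_FIREFOX = "Mozilla/5.0 (Windows NT 5.1; rv:28.0) Gecko/20100101 Firefox/28.0"
XP64_CHROME = "Mozilla/5.0 (Windows NT 5.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.154 Safari/537.36"
WIN7_IE11 = "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
MAC_SAFARI = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.74.9 (KHTML, like Gecko) Version/7.0.2 Safari/537.74.9"

SAMPLE_LOGINS = [
    {"member_id": "m1001", "account_type": "business", "user_agent": XP_IE8},
    {"member_id": "m1001", "account_type": "business", "user_agent": XP_IE8},
    {"member_id": "m1001", "account_type": "business", "user_agent": XP_IE8},
    {"member_id": "m1002", "account_type": "consumer", "user_agent": XP_FIREFOX},
    {"member_id": "m1002", "account_type": "consumer", "user_agent": WIN7_IE11},
    {"member_id": "m1003", "account_type": "business", "user_agent": WIN7_IE11},
    {"member_id": "m1004", "account_type": "consumer", "user_agent": MAC_SAFARI},
    {"member_id": "m1005", "account_type": "consumer", "user_agent": XP64_CHROME},
]

if __name__ == "__main__":
    for rec in SAMPLE_LOGINS:
        print(rec["member_id"], login_banner(rec["user_agent"]))
    for row in outreach_list(SAMPLE_LOGINS):
        print("outreach:", row)
```

Run against the constructed log, the business member m1001 tops the outreach list, followed by the two consumers seen on XP, while members logging in only from Windows 7 or a Mac are left alone. Because the User-Agent is whatever the client chooses to send, the result should drive a warning and a phone call, not a decision to block the login.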

That could pay big dividends, because many may be unaware that continued use of XP puts them at risk. Few consumers are believed to be aware of XP's scheduled end of support. More businesses know, but many do not. A recent survey by Evolve IP found that 19 percent of mid-market companies were unaware of Microsoft's end of support for XP, and 30 percent of C-suite executives at those companies were unaware of the end of XP's life.

Most credit unions, added Hinkel, “could count the number of high-risk members on the fingers of one hand. It’s worth the effort to reach out, to educate them.”

So far, no security expert contacted by CU Times has suggested that credit unions simply cut off access to members using XP. “They risk the wrath of the customers if they make their systems unfriendly to XP,” Blackett said.

Blackett did, however, urge credit unions to monitor the XP threat landscape: stay informed about new threats and keep tabs on new releases of any financially focused malware.

That kind of intelligence will help credit unions keep their high-risk members abreast of the changing dangers.

And that just may be enough to help both the credit union and its members dodge the risks continued use of the 13-year-old operating system will bring.

Compliance Question of the Week

In a Uniform Transfers to Minors Act (UTMA) account, when can the minor have access to the funds? At age 18, 21 or 25?

The first thing to know is that it is up to the custodian to transfer the funds, not the credit union. If the custodian fails to transfer the property, the minor needs to petition the court to direct the custodian, not the credit union, to turn over the property.

The custodian of a UTMA should transfer the funds to the minor or to the minor's estate upon the happening of a specific occurrence. If the UTMA was created through a gift, or specifically called out in a will or trust, the transfer should occur when the minor reaches 21 years of age. If, on the other hand, the UTMA was created by the decision of someone acting as a fiduciary (such as a personal representative) or the decision of an obligor (a person who owes a liquidated debt to a minor), the transfer should occur when the minor reaches 18 years of age. Lastly, the transfer should occur upon the death of the minor if it has not occurred before (meaning that the minor's heirs inherit the property outright, not subject to the custodian's control).

In addition, when the account is first being set up, the person giving the money can extend the custodianship so that the minor does not have direct access to the funds until he or she reaches 25 years of age (or upon death), with a few exceptions. First, an extension of the custodianship is valid only if the transfer creating the custodianship is made on or after July 1, 2007. Further, an extension is not possible if the UTMA is created by a will or trust that specifically provides otherwise. If the UTMA was created by an obligor, the person nominating the custodian, not the obligor, chooses whether to extend the custodianship. If there is no custodian, the court establishing the custodianship may extend it if it determines that doing so would not be contrary to the minor's interest.

For Oregon UTMA accounts, the custodian should transfer the account to the minor upon (1) the beneficiary's attainment of 21 years of age with respect to custodial property transferred under ORS 126.816, or (2) the beneficiary's attainment of 18 years of age with respect to custodial property transferred under ORS 126.822.

Related Links:

Legal Briefs

National Credit Union Administration (NCUA)

NCUA Chairman Debbie Matz released a statement encouraging credit unions to promote financial literacy among their members. April is Financial Literacy Month and the NCUA has a few activities planned for the month to help credit unions promote financial literacy.

Consumer Financial Protection Bureau (CFPB)

The CFPB issued a report on payday lending that highlights how many payday loans are rolled over and how much in fees the average borrower ends up paying.

Financial Crimes Enforcement Network (FinCEN)

FinCEN has issued an advisory on Financial Action Task Force jurisdictions that are considered to have deficiencies in their anti-money laundering programs.

Internal Revenue Service (IRS)

The IRS issued guidance on virtual currency, including FAQs on how the taxation and reporting of virtual currency should be handled.

Federal Reserve Board (FRB)

The Federal Open Market Committee released a statement detailing its March 2014 meeting.

Office of Foreign Assets Control (OFAC)

OFAC has updated the SDN list as of March 26. The last update prior to this was March 20.

Questions? Contact the Compliance Hotline: 1.800.546.4465.

Posted in Compliance News.