FFIEC Issues a Warning about Increased Cyber Attacks On ATMs

The National Credit Union Administration has released a statement on behalf of the Federal Financial Institutions Examination Council to notify credit unions of the risks associated with cyber attacks on ATM and card authorization systems. The U.S. Secret Service characterized this type of large-dollar-value, cash-out fraud as Unlimited Operations.

Unlimited Operations may cause credit unions to incur large dollar losses. Therefore, FFIEC members expect financial institutions to take steps to address this threat by reviewing the adequacy of their controls over their information technology networks, card issuer authorization systems, systems that manage ATM parameters, and fraud detection and response processes.

The FFIEC guidance establishes various steps that credit unions should take in order to address the threat:

  • Conduct ongoing information security risk assessments;
  • Perform monitoring, prevention, and risk mitigation;
  • Protect against unauthorized access;
  • Implement and test controls around critical systems regularly;
  • Conduct information security awareness and training programs;
  • Test incident response plans; and
  • Participate in industry information sharing forums.

In addition, the FFIEC expects financial institutions to address DDoS readiness as part of their ongoing information security and incident plans.

Question of the Week

Can a credit union stop payment on a cashier’s check, teller’s check, or certified check?

The short answer is no. This is because a third party can enforce a cashier’s check if they are a “holder in due course.” In order to be considered a holder in due course, the holder must have taken the instrument for value, in good faith, without notice of any claims against the instrument, and without notice that the instrument was fraudulent. If a credit union wrongfully refuses to pay a cashier’s check, the holder can assert the right to enforce the check and may be entitled to compensation for expenses and possible damages.

There is, however, an exception if the credit union’s member claims that the cashier’s check has been lost, destroyed or stolen. If this happens, the member must identify the check with reasonable certainty, complete a declaration of loss, and promise to indemnify the credit union for any loss. Once the member completes these steps, the cashier’s check can be reissued. It is important to note that the original check has not actually been stopped. If someone received the original check under circumstances where (s)he is considered a holder in due course, the credit union must pay the original check.   

Related Links:

Legal Briefs

National Credit Union Administration (NCUA)

The NCUA released the video of its March Board Meeting.

The NCUA released a statement encouraging credit unions to work with members affected by the mudslides in Oso, Washington.

The NCUA issued a reminder to credit unions that the comment deadline for the Risk-based Capital Rule ends on May 28, 2014.

The NCUA will offer a free webinar on April 16 on small dollar lending that will discuss short-term lending programs created by credit unions.

Consumer Financial Protection Bureau (CFPB)

CFPB Director Richard Cordray delivered prepared remarks to the American Bar Association and the Greenlining Institute’s Economic Summit. The agency’s deputy director delivered prepared remarks to the Consumer Bankers Association.

The CFPB released its Small Entity Compliance Guide for the TILA/RESPA Integrated Disclosure Rule.

Federal Financial Institutions Examination Council (FFIEC)

The FFIEC released guidance to financial institutions regarding cyber attacks on automated teller machines and card authorization systems and distributed denial of service (DDoS) attacks.

Internal Revenue Service (IRS)

The IRS issued guidance aimed at helping individuals consolidate their retirement accounts if needed.

Federal Reserve Board (FRB)

The Office of Inspector General for the Federal Reserve System issued an evaluation report that discusses how the CFPB can improve its supervisory activities.

The April edition of FedFocus is now available.

The FRB issued its report to Congress on the Office of Minority and Women Inclusion.

Office of Foreign Assets Control (OFAC)

OFAC has updated the SDN list as of April 1. The last update prior to this was March 26.


Questions? Contact the Compliance Hotline: 1.800.546.4465, compliance@nwcua.org.
