Compliance Center: FFIEC Joint Statements on Risk Mitigation and NFIP Program Changes

FFIEC Releases Joint Statements on Risk Mitigation

The Federal Financial Institutions Examination Council (FFIEC) has issued two joint statements to alert financial institutions to specific risk mitigation techniques related to destructive malware and cyber attacks that compromise credentials.

  • The joint statement on Cyber Attacks Compromising Credentials discusses the growing trend of cyber attacks designed to obtain online credentials for theft, fraud, or business disruption and recommends risk mitigation techniques. Credit Unions should address this threat by reviewing their risk management practices and controls related to information technology networks and authentication, authorization, fraud detection, and response management systems and processes.
  • The joint statement on Destructive Malware discusses the increasing threat of cyber attacks involving destructive malware. Financial institutions and technology service providers should enhance their information security programs to ensure they are able to identify, mitigate, and respond to this type of attack. In addition, business continuity planning and testing activities should incorporate response and recovery capabilities and test resilience against cyber attacks involving destructive malware.

Credit Unions should design multiple layers of security controls to establish several lines of defense and ensure that their risk management processes also address the risk posed by compromised credentials, consistent with the risk management guidance contained in the FFIEC IT Examination Handbook, specifically the “Information Security,” “Outsourcing Technology Services,” and “Retail Payment Systems” booklets.

National Flood Insurance Program Changes

According to the FEMA website, there are changes to the National Flood Insurance Program’s (NFIP) flood insurance manual that go into effect on April 1, 2015.

There are also a number of changes to the rate structure and some of the NFIP business practices as a result of the Homeowner Flood Insurance Affordability Act (HFIAA) of 2014 and the Biggert-Waters Act of 2012. Key changes include:

  • Implementation of the first annual rate change that sets rates using rate increase limitations set by HFIAA for individual premiums and rate classes: limiting increases for individual premiums to 18 percent; limiting increases for average rate classes to 15 percent; and mandatory increases for certain subsidized policyholders under Biggert-Waters and HFIAA.
  • Increasing the Reserve Fund assessments required by Biggert-Waters.
  • Implementation of the annual surcharges required by HFIAA.
  • Guidance on substantially damaged and substantially improved structures and additional rating guidance on Pre-Flood Insurance Rate Map (FIRM) structures.
  • Implementation of a new procedure for Properties Newly Mapped into the Special Flood Hazard Area and existing Preferred Risk Policy Eligibility Extension (PRP EE) policies. The premiums will be the same as the Preferred Risk Policy for the first year (calculated before fees and assessments) to comply with provisions of HFIAA.
  • Reformulation of expense loading on premiums, reducing the expense load on the highest risk policies as an interim step while investigating expenses on policies as required by Biggert-Waters.

These changes took effect on April 1, 2015, for new business and renewals beginning April 1, 2015. More detailed information is available in the NFIP bulletin.

Compliance Question of the Week

The SAFE Act provides for a de minimis exception of 5 or fewer residential loans during the last 12 months. Is that rolling 12 months or calendar year?

It is rolling 12 months.

12 CFR 1007.101(c)(2) states:

(2) De minimis exception. (i) This part and the requirements of 12 U.S.C. 5103(a)(1)(A) and (2) of the S.A.F.E. Act do not apply to any employee of a national bank, member bank, insured state nonmember bank, savings association, Farm Credit System institution, or credit union who has never been registered or licensed through the Registry as a mortgage loan originator if during the past 12 months the employee acted as a mortgage loan originator for 5 or fewer residential mortgage loans.

Legal Briefs

National Credit Union Administration (NCUA)

The NCUA has released a new Economic Update video.

The NCUA released a statement on the supervisory policy change aimed at streamlining secondary capital available to low-income credit unions.

The NCUA announced that it awarded over $500,000 in grants to low-income credit unions in its first round of 2015 grants. The grant funds were awarded to 153 low-income credit unions.

The NCUA announced that credit unions can now register for the livestreaming of the NCUA’s April 30th open Board Meeting. Credit unions can register here.

Consumer Financial Protection Bureau (CFPB)

The CFPB has started a blog series where they will share the rulemaking process over time. Their first post focuses on how small businesses play a role in the rulemaking process.

The CFPB announced the availability of its new “Know Before You Owe” Mortgage Shopping Toolkit. The toolkit was designed to help consumers better understand the new disclosures they will be receiving when applying for mortgages on or after August 1, 2015.

The CFPB has updated its Supervision and Examination Manual to include information on the new TILA/RESPA integrated disclosures.

Federal Reserve Board (FRB)

The FRB released a report titled “Consumers and Mobile Financial Services 2015,” which explores how consumers use mobile devices to connect with their financial institutions.

FRB Chair Yellen delivered a speech titled “Normalizing Monetary Policy: Prospects and Perspectives” at a research conference sponsored by the FRB of San Francisco. The speech examined the current economic conditions, a possible increase in the federal funds rate, the shaping of monetary policy over the next several years, and risks and considerations that should be taken into account in the current environment.

The FRB delivered its March 2015 Report to the Congress on the Office of Minority and Women Inclusion.

Office of the Comptroller of the Currency (OCC)

At the National Community Reinvestment Coalition, Comptroller of the Currency Thomas Curry delivered a speech focused on the growing issue of elder financial abuse and the many forms that this abuse can take.

The OCC issued a bulletin reminding its regulated institutions of SCRA time extensions for certain protections.

Federal Financial Institutions Examination Council (FFIEC)

The FFIEC released statements on destructive malware and compromised credentials aimed at informing financial institutions of the threats while also providing best practices and risk mitigation solutions.

Office of Foreign Assets Control (OFAC)

OFAC has updated the SDN list as of April 3, 2015. The last update prior to this was March 31, 2015.

Questions? Contact the Compliance Hotline: 1.800.546.4465