Compliance Center: NCUA Issues Guidance on Exam Data Encryption
August 31, 2015
The National Credit Union Administration (NCUA) sent a letter to all Federally Insured Credit Unions detailing updates to its examination procedures. The updates are designed to strengthen the safeguards for sensitive data received electronically from credit unions during an examination.
NCUA defines sensitive data as (1) any information which by itself, or in combination with other information, could be used to cause harm to a credit union, credit union member, or any other party external to NCUA, and (2) any information concerning a person or their account which is not public information, including any non-public personally identifiable information.
Effective immediately, NCUA examiners may only accept sensitive data electronically through:
- Secure electronic transmission or transfer by removable media, including encryption. The data files or the electronic transmission conveying the files must be encrypted. The encryption must be 128-bit and use a strong password (minimum eight characters, mixture of upper- and lowercase letters, numerals and special characters). The password must be provided separately from the device or transmission; and
- In-person transfer by removable media not including encryption. If a credit union is unable or unwilling to provide data as mandated in the previous option, the examiner may accept the data if a credit union representative provides the data files to the examiner and remains physically present while the examiner transfers the data to the NCUA’s encrypted equipment.
The above protocols reflect the initial steps NCUA is taking to strengthen the safeguards for sensitive data received electronically from a credit union during an examination. NCUA is in the process of acquiring a secure file transfer solution (such as an online portal) so that examiner staff and credit unions can exchange information securely and efficiently. The agency aims to have such a solution in place early in 2016. More information on the secure file transfer solution will be provided once it is ready to be deployed.
Compliance Question of the Week
On the new TILA/RESPA forms, how do we handle the different charges associated with HOA fees and dues?
According to the CFPB’s Integrated TILA/RESPA Guide, you would handle the fees as follows:
On the Loan Estimate, fees associated with homeowner’s association transfer of ownership would be listed in the “other” section. It is important to note that this is only required if the creditor is aware of the fee.
If the homeowner’s association requires prorated dues, this should be included in the “Adjustments and Other Credits” section.
For the closing disclosure, homeowner’s association fees paid at consummation should be listed in the “other” section.
For homeowner’s association dues, you would list them in the escrow property costs (generally under “other”). You will do this whether or not an escrow account is established, under the definition of “property costs.”
National Credit Union Administration (NCUA)
The NCUA announced that it will be holding a webinar on Wednesday, September 16 regarding Participation Lending in a Safe and Sound Manner. The webinar will discuss the benefits of loan participation, the three levels of due diligence for participation buyers, case studies, and solutions in partnership with corporate credit unions. Credit unions that are interested in attending can register here.
Consumer Financial Protection Bureau (CFPB)
The CFPB released its monthly consumer complaint snapshot. The report states that credit reporting complaints have increased since the last report was issued.
In its blog, the CFPB highlights the importance of college students reviewing and shopping around for college-sponsored bank accounts. The blog post encourages new college students to ask questions, look around, and know that they don’t have to open an account just because the financial institution says it is affiliated or sponsored by the college.
Federal Reserve Board (FRB)
The FRB released the minutes of its Discount Rate Meeting from July 27, 2015. The minutes state that the existing rate was maintained.
The FRB has released information for financial institutions that wish to order holiday currency. The first round of special currency ordering will begin on Friday, October 30.
Federal Deposit Insurance Corporation (FDIC)
The FDIC released its Summer 2015 Supervisory Insights. This issue covers Strategic Planning in an Evolving Earnings Environment and a regulatory and supervisory roundup.
The FDIC released its Summer 2015 Consumer News publication. This issue features information on mobile banking and payments, ATM security, and bank rewards programs.
Federal Financial Institutions Examination Council (FFIEC)
The FFIEC posted information regarding the changes to the current (2015) Census File.
Federal Trade Commission (FTC)
FTC Chairwoman Edith Ramirez released a statement in response to the appellate ruling on the FTC’s case against Wyndham Hotels and Resorts regarding a data breach. The ruling affirms the FTC’s authority to hold companies accountable for their failure to safeguard consumer data.
The FTC announced that it will host a conference in January 2016, PrivacyCon, which will focus on trends in protecting consumer privacy and security. The event is free and open to the public and the conference (including presentations) will be available via a live-stream on the FTC’s website.
U.S. Treasury (Treasury)
The Treasury issued an interim rule implementing the Community Development Financial Institutions Program. The interim rule makes technical corrections, revisions related to the administrative requirements, cost principles, and audit requirements for federal awards, and other updates to the current rule.
Office of Foreign Assets Control (OFAC)
OFAC has updated the SDN list as of August 27, 2015. The last update prior to this was August 25, 2015.
Questions? Contact the Compliance Hotline: 1.800.546.4465, email@example.com.