Compliance Center: What You Need to Know About Washington DFI’s 2016 Examination Focus

The Washington State Department of Financial Institutions Division of Credit Unions (DCU) released DCU Bulletin B-16-02, which details the Division’s examination focus for 2016 to help Washington State chartered credit unions better prepare for the 2016 examinations.

  1. Cybersecurity – Cybersecurity threats are of major concern for the DCU because the attacks against financial institutions are more frequent, sophisticated and expensive to remedy. The DCU has hired Security Compliance Associates (SCA) to assist in completing IT security exams. Through this partnership there will be more onsite IT exams completed, more exam hours devoted to IT exams, and cybersecurity will be the IT exam focus. The Division believes that the FFIEC cybersecurity assessment tool is a good baseline assessment since it allows credit unions to assess their cybersecurity preparedness and to advance their IT security programs. The examiners will stress the importance of credit unions completing the FFIEC cybersecurity self-assessment too.
  2. Interest Rate Risk (IRR) – Examiners will continue to closely evaluate each credit union’s IRR management program and assess the credit union’s balance sheet composition to determine whether IRR levels are too high. When examining the credit union’s IRR program, they will consider the main factors of:
    • The current and projected levels of net income and net worth;
    • The ability of management, including boards, to manage and control IRR;
    • The ability of staff and management to accurately measure and assess IRR exposure;
    • The credit union’s current IRR trend; and
    • Whether the credit union’s asset liability management (ALM) and IRR strategies and practices are consistent with anticipated market interest rate changes and board approved IRR tolerance limits.
  3. Performing Comprehensive and Effective Due Diligence Over New Program Offerings and Vendors – The Division expects credit unions to be proactive in performing due diligence over new programs and vendors. Examiners will be looking to determine whether a credit union has strong procedural guidance and programs designed to ensure satisfactory due diligence is performed on new program offerings and over its vendor management. Examiners will closely review new program offerings, especially new lending programs, to assess whether risks are properly managed and controlled. Examiners will also evaluate whether satisfactory due diligence is performed on new vendors and whether effective vendor oversight is performed on an ongoing basis.
  4. Consumer Protection Law Compliance – The Division plans on scheduling at least six separate compliance examinations in 2016 at credit unions with total assets over $500 million. Examiners will continue to evaluate the following compliance areas during these exams: (1) The effectiveness of the overall compliance management program; (2) The compliance program’s ability to detect and self-correct problems; and (3) The credit union’s timeliness in implementing new regulatory compliance requirements. This is in addition to examining compliance with the new TILA-RESPA integrated disclosure requirements, the Servicemembers Civil Relief Act, and other specific consumer compliance regulations. In addition, compliance examination work will also be completed during the regularly scheduled safety and soundness exams. Examiners will focus on the following areas during these exams: (1) The overall effectiveness of the compliance program, given the credit union’s asset size and product offering; (2) BSA/OFAC; (3) The new TILA-RESPA integrated disclosure requirements; and (4) Banking licensed marijuana industry businesses. Other compliance areas may be examined, depending on the risk profile of the credit union.

Compliance Question of the Week

Our credit union would like to contract with a third party for services and would like to know what we need to do.

NCUA’s Letter to Federal Credit Unions (07-CU-13) lays out a number of factors that credit unions should consider before entering into a third party servicing relationship. According to NCUA, credit unions should consider the following:

  • Will the third party relationship complement the credit union’s overall mission and philosophy?
  • How critical is the activity being outsourced?
  • How will the third party relationship impact (if at all) the credit union’s strategic plans (long term goals, objectives and resource allocation)?
  • How do the risks/benefits of outsourcing the particular function compare with keeping the function in-house?
  • How will the third party relationship impact (if at all) seven risk areas (credit risk, interest rate risk, liquidity risk, transaction risk, compliance risk, strategic risk and reputation risk)?
  • Does credit union staff have the expertise to manage and monitor a third party relationship?
  • Will the third party relationship create additional insurance responsibilities for the credit union?
  • How will the relationship impact the credit union’s membership (positive and negative)?
  • Does the credit union have an effective exit strategy?

The guidance highlights the need for credit unions to perform extensive due diligence and review the risks/benefits of outsourcing member services prior to engaging in a third party vendor relationship.

Additionally, the NCUA published Letter 08-CU-09, which provides the third party relationship questionnaire that examiners will use, as well as Letter 10-CU-26, which discusses the evaluation of payment system service providers.

Related Links

NCUA Letter 07-CU-13
NCUA Supervisory Letter 07-01
NCUA Letter 10-CU-26
NCUA Letter 08-CU-09

Legal Briefs

National Credit Union Administration (NCUA)

The NCUA issued Letter to Credit Unions 16-CU-03, which lays out the situations in which a credit union would not need to send out an annual privacy notice under the new FAST Act amendment to the Gramm-Leach-Bliley Act.

The NCUA released Letter to Credit Unions 16-CU-02, alerting credit unions to the fact that the CUSO Registry website opens on February 1, 2016. CUSOs will have an initial 60-day period to register with the site, with registration closing on March 31, 2016.

The NCUA released a statement reminding consumers about the benefits of the Earned Income Tax Credit. Additionally, the NCUA reminded taxpayers that there is a free program sponsored by the IRS that offers tax-filing assistance.

The NCUA updated its tax identity theft resource page on the consumer website. The updates include information on reporting identity theft, how to tell if the IRS has received a fraudulent return, and tips for preventing tax identity theft.

The NCUA announced that it will host a webinar on Thursday, February 11, that will help CUSOs learn how to use the NCUA’s new CUSO Registry system.  

Consumer Financial Protection Bureau (CFPB)

The CFPB has released its January monthly complaint snapshot which shows that prepaid complaints have received the greatest percentage increase year over year. Additionally, this month’s snapshot focuses on other finance services complaints, which include debt settlement, check cashing, and credit repair.

The CFPB posted a blog entry about a consumer’s right to obtain their consumer report. The blog entry includes the Bureau’s 2016 list of consumer reporting companies. 

Federal Reserve Board (FRB)

The Federal Open Market Committee released a statement that detailed its December 2015 meeting. In its statement, the committee stated that it expects that economic activity will expand at a moderate pace.

The FRB has created a resource center for Same Day ACH payments. The resource center includes FAQs, schedules, and links to NACHA resources.

The FRB announced that it is extending the comment period of its financial stability for systemically important U.S. bank holding companies rule. The comment period is being extended through February 19, 2016. 

Federal Trade Commission (FTC)

The FTC announced significant enhancements to its website, including the offering of a free, personalized identity theft recovery plan.

The FTC released its Privacy and Data Security Update, which details how it helped enforce privacy regulations, curbed practices that put consumer data at risk, and helped correct FCRA violations.

Federal Housing Administration (FHA)

The FHA announced a rate reduction in its multifamily insurance rate. The reduction is aimed at encouraging capital financing of affordable and energy-efficient apartments. 

Internal Revenue Service (IRS)

The IRS issued a statement to taxpayers, reminding them that they can check the IRS’ website to determine the status of their tax refund. 

Office of Foreign Assets Control (OFAC)

OFAC has updated the SDN list as of January 28, 2016. The last update prior to this was January 21, 2016.

Questions? Contact the Compliance Hotline: 1.800.546.4465,
