Compliance Center: Skimming Alerts. Also, Found Money After Vehicle Repo & Legal Briefs

A recent CUNA Mutual Risk Alert and separate KrebsonSecurity blog post both highlighted a dramatic increase in ATM skimming attacks across the United States.

Both reference a FICO Card Alert Services alert noting an increase in skimming attacks of 546-percent from 2014 to 2015. That is on top of the 174-percent increase in attacks in 2014 when compared to 2013.

Credit unions in the Northwest may remember the Fraud Alert we issued last summer regarding a potential ring of fraudsters who were installing skimming devices along the I-5 corridor.

As the CUNA Mutual Risk Alert points out, the dramatic shift in ATM skimming devices is largely due to ATMs not receiving the same attention as POS terminals at retailers and the EMV liability shifts coming in 2016 and 2017 for ATMs.

Typically, fraudsters attack the weaker ATMs by attaching skimming devices used to capture card data from magnetic strip of the card and use a hidden camera to capture the pin number being input by the card holder. Another post by Brian Krebs’ KrebsonSecurity blog highlighted a spike in ATM fraud targeting convenience stores.

In addition, a Fraud Alert we ran in August, 2015 suggested that credit unions may wish to take the following steps to check for skimming devices on their machines:

  • Try to check the ATM fascia as often as possible. If devices are placed over your card reader or keyboard, gently tugging on these areas may reveal the devices. It may be worth checking the ATM as often as once or twice a day to ensure no skimmer was placed on the machine since the last check.
  • Keep an eye on vehicles that are sitting within a close proximity to the machine but do not appear to have a business purpose.
  • Regularly check your ATM camera footage, if possible.
  • Be familiar with how your machine looks and what is around it. If a new brochure rack suddenly appears—determine if it is supposed to be there or not.
  • If you do suspect or detect a skimming device on one of your machines, contact your local police department.

The CUNA Mutual Risk Alert also included a number of additional risk mitigation steps that credit unions may wish to incorporate into their program. Some of these include:

  • Use a photograph of the ATM as a comparison in your daily inspections. This makes it easier to compare and contrast differences.
  • Contact your ATM vendor to learn more about anti-skimming device readers to see if there is a cost-benefit to implementing. These readers detect if a skimmer or similar electronic device is installed and shuts down the terminal.
  • Place additional scrutiny on ATM and gas station transactions since these are the last to require the EMV migration and will be the targets as fraudsters stop focusing on merchant POS systems.
  • Work with local law enforcement to establish a response plan in the event a skimming device is found.

You can access the CUNA Mutual Group’s risk alerts via the Protection Resource Center (UserID and Password required).  In addition, credit unions that wish to familiarize themselves with different skimming devices can also use an industry resource: Brain Krebs.  Krebs is a security blogger who on his website discusses various skimming devices and schemes that are in use, along with providing a wealth of other information regarding cybersecurity.

Compliance Question of the Week

We repossessed a vehicle and in it, we found an envelope of money. We have notified the debtor in the legally-required manner, but the debtor has claimed neither the money nor the car. Can we use the found money for offset or deposit the money into the member’s account?

No. The credit union does not have a security interest in the money so offset would not be a good idea. Further, the credit union doesn’t know that the money belongs to the member so it should not be put in their account. 

One option would be to keep the money in a separate account at the credit union. If the debtor does not claim the money within the required time, the credit union would probably be safe in taking it. 

The policy on lost and found property in Washington states that the owner has 60 days after the find was appropriately reported to establish their right to possession. Failure to comply with the lost and found procedure is forfeiture to the right of the property. The finder is made liable for the full value of the property to the owner. So, if the credit union fails to properly notify the debtor or appropriate officer or takes the money before 60 days has passed, they would be liable for the full value of the property to the owner. 

In Oregon, the owner has 3 months after the find was appropriately reported to establish their right to possession.

In Idaho, amounts under $50 are not considered unclaimed property. Amounts over $50 would be considered unclaimed property and would fall under Idaho’s unclaimed property rules.


RCW 63.21.020

RCW 63.21.040

ORS 98.005

ORS 98.025

IDS 14-500

Legal Briefs

National Credit Union Administration (NCUA)

The NCUA’s nomination season for consulting assistance from the NCUA will be open until May 31st.

The NCUA announced that it will host a May 25 listening session to receive input on ways it can enhance its Minority Depository Institutions Preservation Program.

The NCUA announced the release of a new video module that offers best practices for merging credit unions.

Consumer Financial Protection Bureau (CFPB)

The CFPB announced the release of its student loan Payback Playbook, which providers borrowers with personalized information about their repayment options.

The CFPB reopened its comment period for a portion of its proposed rule regarding mortgage servicing for consumers that filed bankruptcy. The CFPB has reopened the comment period is now open through May 26, 2016, seeking comment specifically on its report summarizing the consumer testing it conducted.

The CFPB released its latest monthly complaint snapshot. This issue’s focus was on complaints related to mortgages.

Federal Reserve Board (FRB)

The FRB announced that it amended several operating circulars. The FRB also provided a summary of key changes to help institutions understand the changes.

The FRB released a statement from the Federal Open Mark Committee detailing its March 2016 meeting.

Office of the Comptroller of the Currency (OCC)

The OCC issued a bulletin that provides record retention guidance to the banks that is supervises. The guidance specifically notes that some technology adopted in the institutions does not retain documentation long enough or encrypts the data in a manner that doesn’t allow the supervising agency to view the documents necessary during an examination.

Federal Financial Institutions Examination Council (FFIEC)

The FFIEC announced the revision of its Retail Payment Systems booklet, which is part of its IT Handbook. The update was made to incorporate guidance on mobile financial services.

The FFIEC announced that it is seeking comments on its proposed revisions to the Uniform Interagency Consumer Compliance Rating System.

Federal Housing Finance Agency (FHFA)

The FHFA issued a notice of proposed rulemaking regarding the Dodd-Frank required Incentive-based Compensation Agreements.

Federal Deposit Insurance Corporation (FDIC)

The FDIC announced that it approved a final rule that amends how small banks (under $10 billion) are assessed for deposit insurance.

The FDIC has released the video recording of its April 26th board meeting.

Office of Foreign Assets Control (OFAC)

OFAC has updated the SDN list as of April 19, 2016. The last update prior to this was April 15, 2016.

Questions? Contact the Compliance Hotline: 1.800.546.4465,

Posted in Compliance News.