Security: It’s Everyone’s Problem

All financial institutions have strict regulations that must be followed regarding the security of the member data that is collected and stored. Information isn’t shared with outside parties (unless a very specific contractual agreement exists), data is securely stored and backed up, and all team members know that member data is to be treated with the highest regard in terms of confidentiality. Credit unions go to great lengths to protect their members’ data.

In order to help standardize some of the steps credit unions take to protect member data, financial regulators continue to issue guidance on different steps that could/should be taken to ensure a minimum set of security standards are met. These standards can be found in various regulations including the Gramm Leach Bliley Act (GLBA), NCUA Parts 748 and 749, Regulation P, and various guidance issued by the FFIEC (Cybersecurity Assessment Tool, Multifactor Authentication, etc.).

Most regulatory security requires some type of periodic risk assessment and reporting to the Board. Risk assessments should be updated as your credit union grows, expands membership and offers new products and services. It is easy to forget to update risk assessments as the excitement of a new product launch is set, but it is important that the risks are reviewed and if possible, mitigated. It is important to add risk assessments to your implementation checklists.

Additionally, as we pass the halfway mark for this year, it is important to ensure that your board reporting for the year is on track as well.

If you have questions related to security, compliance, or any of the regulations above, please feel free to contact the compliance team at or 1.800.546.4465.

Compliance Question of the Week

I know we have to conduct a risk assessment for our online banking, but I cannot find the requirements for the assessment. What items should the assessment consider?

Each credit union will have its own unique risk assessment tailored to identify the risks associated with its specific products and services. However, the FFIEC released updated guidance in 2008 that identifies some key considerations for credit unions risk assessments to address and the process that shape the assessment.

Credit unions are encouraged to:

  • Ensure that their information security program:
    • Identifies and assesses the risks associated with Internet-based products and services,
    • Identifies risk mitigation actions, including appropriate authentication strength, and
    • Measures and evaluates customer awareness efforts;
  • Adjust, as appropriate, their information security program in light of any relevant changes in technology, the sensitivity of its customer information, and internal or external threats to information; and
  • Implement appropriate risk mitigation strategies.

The risk assessment process should:

  • Identify all transactions and levels of access associated with Internet-based customer products and services;
  • Identify and assess the risk mitigation techniques, including authentication methodologies, employed for each transaction type and level of access; and
  • Include the ability to gauge the effectiveness of risk mitigation techniques for current and changing risk factors for each transaction type and level of access.

In addition to ensuring that the risk assessment addresses the applicable product and services, credit unions are strongly encouraged to consider a multi-factor authentication system for online banking access to mitigate potential risk (if identified).

Authentication factors include one or more of the following:

  • Something a person knows—commonly a password or PIN. If the user types in the correct password or PIN, access is granted.
  • Something a person has—most commonly a physical device referred to as a token. Tokens include self-contained devices that must be physically connected to a computer or devices that have a small screen where a one-time password (OTP) is displayed, which the user must enter to be authenticated.
  • Something a person is—most commonly a physical characteristic, such as a fingerprint, voice pattern, hand geometry, or the pattern of veins in the user’s eye. This type of authentication is referred to as “biometrics” and often requires the installation of specific hardware on the system to be accessed.

When using mutli-factor authentication, these factors can be used to supplement each other. For example, a credit union might require a member to type in a password and also a one-time use token delivered to their cell phone.

Related Links:

FFIEC Guidance

Legal Briefs

National Credit Union Administration (NCUA)

The NCUA announced that it will host a Twitter Conversation on July 27th that will focus on military consumer issues.

The July issue of the NCUA Report is now available. This month’s issue discusses Brexit, effective liquidity management, and the NCUA plans for adding “S” to the CAMEL rating.

Consumer Financial Protection Bureau (CFPB)

The CFPB released a blog post that shares tools with consumers that are designed to help consumer make smart money decisions.

The CFPB announced changes to its Senior Leadership Team.

The CFPB announced that the filing instruction guides are now available for HMDA data collected in 2017 and 2018.

The CFPB added new resources to its HMDA page, including a video overview of the HMDA final rule.

Federal Reserve Board (FRB)

The FRB announced changes to its Policy on Payment System Risk to conform with the enhancements to the same-day automated clearing house service.

The FRB announced that it has updated its Consumer Compliance Handbook.

The FRB and CFPB issued a proposal that describes the method that will be used to adjust the exemption thresholds for TILA and the Consumer Leasing Act.

The FRB, CFPB, and OCC issued a proposal that describes the method that will be used to make the annual adjustments to the exemption threshold for HPMLs.

Financial Crimes Enforcement Network (FinCEN)

FiNCEN issued guidance FIN-2016-G003 aimed at answering frequently asked questions regarding the new Customer Due Diligence Rule.

Federal Deposit Insurance Corporation (FDIC)

The FDIC announced that it will hold an Advisory Committee on Community Banking meeting on Wednesday, July 20.

The FDIC announced that it is releasing an updated video on community bank corporate governance.

U.S. Department of the Treasury (Treasury)

Treasury Secretary Lew delivered a statement on the sixth anniversary of the enactment of the Dodd-Frank Wall Street Reform and Consumer Protection Act.

The Treasury released details from its most recent Financial Stability Oversight Council Meeting. The Council also approved the meeting minutes from its June meetings.

Office of Foreign Assets Control (OFAC)

OFAC has updated the SDN list as of July 21, 2016. The last update prior to this was July 20, 2016.

Questions? Contact the Compliance Hotline: 1.800.546.4465,

Posted in Compliance News, Federal.