Back to Basics: Disaster Preparedness
October 31, 2017
CUNA recently ran the following article in their CompBlog, which should serve as a reminder to credit unions in the Northwest to ensure you are following the guidelines for disaster preparedness. Idaho, Eastern Washington, and Oregon all experienced a number of wildfires in the past few years. In addition, according to recent tabletop exercises, residents in Western Washington and Oregon should expect to be on their own for up to three weeks in the event of a major earthquake.
Hurricanes Harvey, Irma, and Maria, as well as the wildfires currently raging in California, serve as a harsh reminder of the importance of disaster preparedness for both institutions and individuals. Federally-insured credit unions (FICUs) are required to have disaster recovery and business resumption contingency plans in place to address all types of operational disruptions, from short-term power outages to natural disasters that have the potential to physically destroy the credit union’s premises. The question is: how prepared is your credit union to respond to the next unforeseen catastrophic event?
According to NCUA’s many risk alerts and guidance letters on the subject, a credit union’s disaster preparedness program should:
- Be commensurate with the institution’s complexity of operations;
- Minimize interruptions of service to members and maintain member confidence in times of emergency; and
- Be reviewed at least annually, and address changes in the credit union’s operations.
NCUA’s Catastrophic Act Preparedness Guidelines (Part 749, Appendix B) provide recommendations for developing (and maintaining) a disaster recovery program, with the oversight and approval of the credit union’s board of directors. The program should include the following elements:
A business impact analysis to evaluate potential threats. After evaluating the credit union’s exposure to a full range of possible disasters, management and/or the disaster recovery team should consider the cost, duration, and impact of critical service/system disruptions on the credit union’s operations or financial condition. For example, how will the credit union handle a power outage that disrupts all electronic forms of payments for several days? What would the credit union do if its main and/or branch office facilities are not available for an extended period of time?
A risk assessment to determine critical systems (buildings, hardware, software, power sources, telecommunications, etc.) and necessary resources (financial, personnel, etc.). Credit unions should prioritize the risks to critical systems/services and develop contingency plans accordingly.
A written plan addressing:
- Individuals with authority to enact the plan (e.g., senior management, disaster recovery team members);
- Preservation and ability to restore vital records (per NCUA’s Part 749);
- A method for restoring vital member services through identification of alternate operating location(s) or mediums to provide services, such as telephone centers, shared service centers, agreements with other credit unions, or other appropriate methods;
- Communication methods for employees and members (also vendors, bonding company, and any business partners, as necessary);
- Notification of regulators (i.e., catastrophic act report required by NCUA’s Part 748);
- Training and documentation of training to ensure all employees and volunteer officials are aware of procedures to follow in the event of destruction of vital records or loss of vital member services; and
- Testing procedures, including a means for documenting the testing results.
Internal controls for reviewing the plan at least annually and for revising the plan as circumstances warrant, for example, to address changes in the credit union’s operations; and
Annual testing. To ensure the contingency plans actually work, a credit union should test (i.e., validate) the plan at least annually or when a significant change takes place. The test should determine if the credit union could recover to an acceptable level of business within the time-frame stated in the disaster recovery plan.
Examples of testing methods include, but are not limited to, simulations, role-play, walk-throughs, and alternate site reviews. Disaster drills should include all critical functions and areas of the credit union. The credit union should document the test and maintain work papers to demonstrate that responsible staff tested all critical functions and areas of the institution.
Source: CUNA Comp Blog
Question of the Week
If we run our calculations during the statement period and realize we are charging a covered borrower over 36 percent MAPR—can we waive fees until we are below the 36 percent cap?
Yes. According to the CFPB’s exam manual, a creditor can waive fees or periodic charges (either whole or in part) in order to comply with the 36 percent rate cap.
National Credit Union Administration (NCUA)
The NCUA announced that the video of its September 2017 Board Meeting is now available.
The NCUA announced that it will host a webinar focused on the benefits of diversity for credit unions, specifically promoting diversity in their workforces and membership. The webinar will be held on Thursday, November 2nd at 2 p.m. Eastern. Credit unions that wish to attend the webinar can register here.
Consumer Financial Protection Bureau (CFPB)
The CFPB announced the release of a state-by-state snapshot on student loan debt and complaints.
The CFPB issued a press release regarding a new tool that tracks mortgage performance trends. The new tool shows that the national mortgage delinquency rates are at their lowest point since the financial crisis.
National Mortgage Licensing System (NMLS)
The NMLS issued an advisory regarding a phishing scam that is targeting NMLS users. The scam is attempting to gather personal information from users. The NMLS’ advisory explains how these phishing emails should be handled.
Federal Housing Administration (FHA)
The FHA announced that it is extending its 90-day foreclosure moratorium on FHA-insured homeowners by another 90 days for homeowners impacted by the recent hurricanes.
Federal Trade Commission (FTC)
The FTC released new guidance on how the Children’s Online Privacy Protection Rule (COPPA) applies to voice recordings. Under the new guidance, websites and online services directed at children must obtain verifiable parental consent before collecting an audio recording of a child.
Office of Foreign Assets Control (OFAC)
OFAC has updated the SDN list as of October 26, 2017. The last update prior to this was October 25, 2017.
Questions? Contact the Compliance Hotline: 1.800.546.4465, firstname.lastname@example.org.