Northwest Credit Unions Must Have a Solid Disaster Preparedness Plan
December 11, 2018
Last year the Credit Union National Association ran an article in its Compliance Blog, which should serve as a reminder to credit unions in the Northwest to ensure they are following the guidelines for disaster preparedness.
With the recent earthquake in Anchorage, Alaska, credit unions may wish to revisit their business continuity and disaster preparedness plans. Idaho, Eastern Washington, and Oregon all experienced a number of wildfires over the last couple of years. In addition, the Northwest sits on the Cascadia Subduction Zone – an area that’s known for earthquake activity. According to recent tabletop exercises, residents in Western Washington and Oregon should expect to be on their own for up to three weeks in the event of a major earthquake.
Hurricanes Harvey, Irma, and Maria, as well as the wildfires recently raging in California, serve as a harsh reminder of the importance of disaster preparedness – for both institutions and individuals. Federally insured credit unions (FICUs) are required to have disaster recovery and business resumption contingency plans in place to address all types of operational disruptions, from short-term power outages to natural disasters that have the potential to physically destroy the credit union’s premises. The question is: how prepared is your credit union to respond to the next unforeseen catastrophic event?
According to the National Credit Union Administration’s many risk alerts and guidance letters on the subject, a credit union’s disaster preparedness program should:
- Be commensurate with the institution’s complexity of operations;
- Minimize interruptions of service to members and maintain member confidence in times of emergency; and
- Be reviewed at least annually, and address changes in the credit union’s operations.
NCUA’s Catastrophic Act Preparedness Guidelines (Part 749, Appendix B) provide recommendations for developing (and maintaining) a disaster recovery program, with the oversight and approval of the credit union’s board of directors. The program should include the following elements:
A business impact analysis to evaluate potential threats: After evaluating the credit union’s exposure to a full range of possible disasters, management and/or the disaster recovery team should consider the cost, duration, and impact of critical service/system disruptions on the credit union’s operations or financial condition. For example, how will the credit union handle a power outage that disrupts all electronic forms of payments for several days? What would the credit union do if its main and/or branch office facilities are not available for an extended period of time?
A risk assessment: Determine critical systems (buildings, hardware, software, power sources, telecommunications, etc.) and necessary resources (financial, personnel, etc.). Credit unions should prioritize the risks to critical systems/services and develop contingency plans accordingly.
A written plan:
- Identify individuals with authority to enact the plan (e.g., senior management, disaster recovery team members);
- Preservation and ability to restore vital records (per NCUA’s Part 749);
- A method for restoring vital member services through identification of alternate operating location(s) or mediums to provide services, such as telephone centers, shared service centers, agreements with other credit unions, or other appropriate methods;
- Communication methods for employees and members (also vendors, bonding company, and any business partners, as necessary);
- Notification of regulators (i.e., catastrophic act report required by NCUA’s Part 748);
- Training and documentation of training to ensure all employees and volunteer officials are aware of procedures to follow in the event of destruction of vital records or loss of vital member services; and
- Testing procedures, including a means for documenting the testing results.
Internal controls: Review the plan at least annually and revise as circumstances warrant, for example, to address changes in the credit union’s operations.
Annual testing: To ensure the contingency plans actually work, a credit union should test (i.e., validate) the plan at least annually or when a significant change takes place. The test should determine if the credit union could recover to an acceptable level of business within the time-frame stated in the disaster recovery plan. Examples of testing methods include, but are not limited to, simulations, role-play, walk-throughs, and alternate site reviews. Disaster drills should include all critical functions and areas of the credit union. The credit union should document the test and maintain work papers to demonstrate that responsible staff tested all critical functions and areas of the institution.
Source: CUNA Compliance Blog
Additional Resources for Credit Unions
Credit unions may also wish to review the Business Continuity Planning channel within InfoSight. This channel contains topics such as BCP: Summary, BCP: Board Responsibilities, BCP: Glossary, BCP: Pandemic, BCP: Process, and BCP: Threat Analysis. The page also contains related links, including the WA DFI presentation “Cascadia Subduction Zone: Preparing for the Worst.”
Question of the Week
Are members of the National Guard considered to be on “active duty” under the Servicemembers Civil Relief Act?
Yes, they will be covered under the definition of military service and active duty in 50 U.S. Code § 3911(2)(A)(ii), so long as they are serving under a call to active service authorized by the President or the Secretary of Defense for a period of more than 30 consecutive days under section 502(f) of title 32 for purposes of responding to a national emergency declared by the President and supported by Federal funds.
National Credit Union Administration (NCUA)
The NCUA released third quarter 2018 credit union performance data.
Bureau of Consumer Financial Protection (BCFP)
The BCFP released its annual Fair Lending Report to Congress, which highlights the 2017 actions the Bureau took to promote fair, equitable, and nondiscriminatory access to credit.
Washington State Department of Financial Institutions (DFI)
The DFI has completed rulemaking for student education loan servicers. This rulemaking only applies to persons regulated under the WA Consumer Loan Act. The rule will include definitions and add student education loan servicing and student education loan servicers to the activities that are regulated under the WA Consumer Loan Act.
U.S. Department of the Treasury (Treasury)
The Treasury’s Postal Task Force released its report, which provides a series of recommendations to overhaul the United States Postal Service’s (USPS) business model. Of note, the report states, “Given the USPS’s narrow expertise and capital limitations, expanding into sectors where the USPS does not have a comparative advantage or where balance sheet risk might arise, such as postal banking, should not be pursued.”
Office of Foreign Assets Control (OFAC)
OFAC has updated the SDN list as of Nov. 28, 2018. The last update prior to this was Nov. 13, 2018.
Questions? Contact the Compliance Hotline: 1.800.546.4465; email@example.com.