Credit Unions Encouraged to Evaluate Their Disaster Preparedness Plans
December 10, 2019
As we roll into the holiday season, one of the last things on everyone’s mind is disaster preparedness.
But it’s a sure bet everyone in western Oregon and Washington remembers the snowstorms from last February, as well as the devastating wildfires we’ve seen during the summer months in all three of our states.
And then there is the Cascadia Subduction Zone. According to tabletop exercises, residents in western Washington and Oregon should expect to be on their own for up to 3 weeks in the event of a major earthquake.
The NCUA requires that federally insured credit unions (FICUs) have disaster recovery and business resumption contingency plans (BCP) in place to address all types of operational disruptions, from short-term power outages to natural disasters that have the potential to physically destroy the credit union’s premises.
According to NCUA’s many risk alerts and guidance letters on the subject, a credit union’s disaster preparedness program should:
- Be commensurate with the institution’s complexity of operations;
- Minimize interruptions of service to members and maintain member confidence in times of emergency; and
- Be reviewed at least annually, and address changes in the credit union’s operations.
The NCUA’s Catastrophic Act Preparedness Guidelines provides suggested guidelines. Each credit union’s program should be developed with oversight and approval by the board of directors and should address the following five elements:
Evaluate Potential Threats with a Business Impact Analysis (BIA)
The credit union’s first step is the development of a BIA, which should include a workflow analysis that involves an assessment and prioritization of those business functions, and processes that must be recovered. The workflow analysis should be a dynamic process that identifies the inter-dependencies between critical operations, departments, personnel, and services. The identification of these inter-dependencies, as part of the BIA, should assist management in determining the priority of businesses functions and processes and the overall impact on recovery timelines.
Determine Critical Systems and Necessary Resources by Assessing Risk
The risk assessment step is critical and has significant bearing on whether business continuity planning efforts will be successful. During the risk assessment step, businesses processes and the BIA assumptions are evaluated using various threat scenarios. This will result in a range of outcomes that may require changes to the BCP.
A Written Plan that Addresses the Following
- Persons with the authority to enact the plan;
- Preservation and ability to restore vital records;
- A method for restoring vital member services through identification of alternate operating location(s) or mediums to provide services, such as telephone centers, shared service centers, agreements with other credit unions, or other appropriate methods;
- Communication methods for employees and members;
- Notification of regulators as addressed in 12 CFR 748.1(b);
- Training and documentation of training to ensure all employees and volunteer officials are aware of procedures to follow in the event of destruction of vital records or loss of vital member services;
- Testing procedures, including a means for documenting the testing results;
- Internal controls for reviewing the plan at least annually and for revising the plan as circumstances warrant, for example, to address changes in the credit union’s operations; and
- Annual testing.
To ensure the contingency plans actually work, a credit union should test the plan at least annually or when a significant change takes place. The test should determine if the credit union could recover to an acceptable level of business within the time-frame stated in the disaster recovery plan. Examples of testing methods include, but are not limited to, simulations, role-play, walk-throughs, and alternate site reviews.
Disaster drills should include all critical functions and areas of the credit union. The credit union should document the test and maintain work papers to demonstrate that responsible staff tested all critical functions and areas of the institution.
To learn more about what credit unions can expect from the NWCUA in case of disaster, click here. Credit unions can also access a wealth of Business Continuity Planning Information within InfoSight. These resources include:
- FFIEC Examination Handbook Resources;
- NCUA Resources;
- Pandemic Resources; and
- Other Resources
Question of the Week
Q. Are there any tools out there for reporting fraud or misuse of funds by a representative payee?
A. Yes. The Office of the Inspector General for Social Security has two tools. You can find the form to report fraud here: Report fraud, waste, or abuse. You can find information on misuse here: Misuse of Benefits by a Rep Payee.
These are great resources for the credit union and for any of your members who may inquire about what they can and can’t do with Social Security funds, when they are a fiduciary for someone else.
National Credit Union Administration (NCUA)
The NCUA and other federal regulators issued an interagency state focused on consumer protection implications of the use of alternative data in underwriting, highlighting the potential benefits and risks. The agencies recognize that use of alternative data may improve the speed and accuracy of credit decisions and may help firms evaluate the creditworthiness of consumers who currently may not obtain credit in the mainstream credit system.
The NCUA released financial performance of federally insured credit unions for the quarter ending Sept. 30.
Consumer Financial Protection Bureau (CFPB)
The CFPB released a notice of proposed rulemaking for the Remittance Transfer Rule. The rule generally requires companies that provide remittance transfers in the normal course of business to disclose to the consumer certain fees and the exchange rates that apply to transfers. The rule includes an exception that allows the use of the estimate of certain fee and exchange rate information, but the exception expires in July 2020. The NPRM proposes to allow credit unions to continue to provide estimates under certain conditions where it could be infeasible to provide exact disclosures. In addition, the NPRM proposes to increase the safe harbor threshold that determines whether a company makes remittance transfers during the normal course of business from the current 100 threshold to making 500 or fewer transfers annually in the current and prior calendar year.
Federal Reserve Board (FRB)
Four federal banking agencies issued a statement clarifying the legal status of hemp growth and production and the relevant requirements under the Bank Secrecy Act (BSA) for banks providing services to hemp-related businesses.
Office of Foreign Assets Control (OFAC)
OFAC has updated the SDN list as of Dec. 9. The last update prior to this was Nov. 26.
Questions? Contact the Compliance Hotline: 1.800.546.4465; firstname.lastname@example.org.