NCUA Issues Cybersecurity Considerations for Remote Work

Credit unions should communicate proactively with employees to verify that remote work is being done securely and provide guidance and assistance as needed.

4/21/20Compliance

The National Credit Union Administration recently issued Risk Alert 20-Risk-01 to highlight cybersecurity best practices for employees who are working remotely.

Credit union employees working remotely should adhere to their credit union’s information security and privacy related policies and procedures. Controls over remote work and use of personal devices should be based on a credit union’s risk assessment, and commensurate with the size and complexity of the credit union.

Common cybersecurity risks for remote workers include malware attacks, phishing and other social engineering attacks; and Advance Persistent Threat (APT) attacks. To minimize the risk of a cyberattack while working remotely, policies and procedures should address employee expectations, such as:

  • Ensuring that family members or others do not use devices designated for work;
  • Implementing session time outs and encryption of sensitive information;
  • Keeping devices physically secure;
  • Working with a user account and not an administrator or privileged account;
  • Establishing strong, unique passwords for all logins and devices on their home network;
  • Leveraging firewall capabilities available through internet service providers;
  • Increasing wireless security to the strongest encryption option;
  • Removing unnecessary services and software;
  • Updating software regularly;
  • Maintaining antivirus software and ensuring timely updates to definitions; and
  • Ensuring system and account logs are being collected and maintained.

Credit union management should communicate proactively with employees to verify that remote work is being done securely and provide guidance and assistance as needed.

To minimize the impact of an attack, policies and procedures should address the immediate actions that an employee should take when they suspect a cyberattack, like disconnecting the device(s) from all internet connectivity, keeping the computer on to preserve forensic evidence, and reporting the incident to their organization.

Policies and procedures should also address how the credit union would respond to a security incident, including:

  • Filing a report with local law enforcement or other law enforcement agencies, such as the FBI Internet Crime Complaint Center;
  • Taking appropriate corrective action, depending on the nature of the incident (for example, changing passwords, completing a forensic audit, and scanning and cleaning devices); and
  • Evaluating whether the incident should be reported to the NCUA or state supervisory authority.

Question of the Week

Q. Does the credit union have to provide an adverse action notice when it denies a request for a line of credit increase?

A. Yes, an adverse action notice must be provided when a credit union denies a member’s request for a line of credit increase. An adverse action is defined as:

  • A refusal to grant credit in substantially the amount or on substantially the terms requested in an application unless the creditor makes a counteroffer (to grant credit in a different amount or on other terms) and the applicant uses or expressly accepts the credit offered;
  • A termination of an account or an unfavorable change in the terms of an account that does not affect all or substantially all of a class of the creditor’s accounts; or
  • A refusal to increase the amount of credit available to an applicant who has made an application for an increase.

Resources

12 CFR 1002.9
12 CFR 1002.2(c)(1)

Legal Briefs

National Credit Union Administration (NCUA)

Interagency Statement on Appraisals and Evaluations for Real Estate Related Financial Transactions Affected by the Coronavirus
The NCUA and other federal financial institution regulators issued an interagency statement to outline existing flexibilities in industry appraisal standards and in the appraisal regulations issued by the agencies, and describes temporary changes to Fannie Mae and Freddie Mac appraisal standards that can assist lenders during this challenging time.

Cybersecurity Considerations for Remote Work
The NCUA issued Risk Alert 20-RISK-01 to highlight cybersecurity best practices for credit unions that leverage employees’ personal networks and devices.

NCUA Board Approves Changes to the Central Liquidity Facility
The interim final rule enhances the NCUA’s regulations on the Central Liquidity Facility and makes it easier for credit unions to join the facility as a regular member or through a corporate credit union as part of an agent relationship, and access emergency liquidity should the need arise.

Enhancements to Central Liquidity Facility Membership and Borrowing Authority
The NCUA issued Letter to Credit Unions 20-CU-08 to provide vital information about key changes to the NCUA’s Central Liquidity Facility (CLF). Credit unions have improved access to the CLF because of the CARES Act and regulatory amendments.

Federal and State Regulators Release Updates to BSA/AML Examination Manual
The FFIEC released several updates to the BSA/AML examination manual which will support tailored examination work and provides instructions to examiners for risk-focusing BSA/AML examinations and assessing a financial institution’s BSA/AML compliance program.

NCUA Board Approves Regulatory Relief Measures in Response to COVID-19
The NCUA Board approved three items to provide regulatory relief to credit unions. These include enhancements to the CLF, raising the residential real estate appraisal threshold to $400,000, providing deferment of appraisal requirements for 120 days.

Temporary Regulatory Relief in Response to the COVID-19 Pandemic
The NCUA released Letter to Credit Unions 20-CU-09 to provide information about temporary regulatory relief that is available to federally insured credit unions.

Consumer Financial Protection Bureau (CFPB)

CFPB and FHFA Announce Borrower Protection Program
The CFPB announced a new joint initiative with the FHFA. Under the program, the CFPB will make complaint information and analytical tools available to the FHFA via a secure electronic interface; and the FHFA will make available information about forbearances, modifications, and other loss mitigation initiatives undertaken by Fannie Mae and Freddie Mac.

CFPB Paves Way for Consumers to Receive Economic Impact Payments Quicker
The CFPB released an Interpretive Rule on the Treatment of Pandemic Relief Payments under Regulation E and Application of the Compulsory Use Prohibition.

CFPB Issues Final Rule Raising HMDA Data Reporting Thresholds
The final rule raises the reporting threshold for closed-end mortgage loans to 100 loans and permanently sets the threshold for HELOCs at 200.

Federal Reserve Board (FRB)

FRB announces PPPLF fully operational and available to provide liquidity to eligible financial institutions
The FRB announced that its Paycheck Protection Program Liquidity Facility is fully operational and available to provide liquidity to eligible financial institutions.

Internal Revenue Service (IRS)

Treasury, IRS unveil online application to help with Economic Impact Payments
The Treasury Department and IRS unveiled the new Get My Payment with features to let taxpayers check on their Economic Impact Payment date and update their direct deposit information.

Federal Financial Institutions Examination Council (FFIEC)

FFIEC Announces Federal Disclosure Computational Tools
The FFIEC announced the availability of the FFIEC Federal Disclosure Computational Tools, including the Annual Percentage Rate (APR) Computational Tool and the Annual Percentage Yield (APY) Computational Tool.

NACHA

ACH Network Rules Pandemic-Related Frequently Asked Questions
NACHA has updated their pandemic related FAQs.

Washington State Department of Financial Institutions Division of Credit Unions (DCU)

COVID-19 Questions and Answers
The DCU has released a set of questions and answers related to credit union operations during the COVID-19 emergency.

DFI Letter to Washington State Congressional Delegation Recommending Policies to Help Mitigate COVID-19 Economic Impact
Washington State Director of Financial Institutions sent a letter to the state’s Congressional delegation highlighting policies in future legislation intended to mitigate the economic impact of the COVID-19 emergency.

Office of Foreign Assets Control (OFAC)

OFAC has updated the SDN list as of April 6. The last update prior to this was March 26.

Questions? Contact the Compliance Hotline: 1.800.546.4465; [email protected].