Washington DFI on How Ukraine Invasion May Impact Financial Services Sector
March 8, 2022
The Washington State Department of Financial Institutions (DFI) issued an alert to entities regulated by the DFI regarding the situation in Ukraine and the impact this may have on financial institutions in the region. While the alert was specifically sent to Washington state-chartered entities, the information provided in the alert may be useful for federally chartered credit unions as well as credit unions in Idaho and Oregon.
It is anticipated that additional individuals will be added to the OFAC sanctions list. Credit unions regularly scan the OFAC and other lists. The Alert provided specific steps that credit unions should take, including:
- Monitor all communications from the Department, the U.S. Department of the Treasury, OFAC, and other Federal agencies on a real-time basis to stay abreast of the latest developments to ensure that their systems, programs, and processes remain in compliance with all the requirements and restrictions imposed.
- Review Transaction Monitoring and Filtering Programs to make any modification that is necessary to your systems to capture the new sanctions as they are proposed and to ensure continued compliance with all applicable laws and regulations.
- Monitor all transactions going through your institution, particularly trade finance transactions and funds transfers, to identify and block transactions subject to the OFAC sanctions and follow OFAC’s direction regarding any blocked funds.
- Ensure that OFAC compliance policies and procedures are being updated continuously to incorporate these sanctions and any new sanctions that may be imposed on additional entities.
Credit unions typically do not provide financial services using virtual currencies but may engage with outside providers to give members access to the virtual currencies. The alert provides examples of virtual-currency-specific internal controls which include:
- Use of geolocation tools and IP address identification and blocking capabilities to detect and prevent potential sanctions exposure.
- Transaction monitoring and investigative tools, including blockchain analytics tools, to identify transaction activity involving virtual currency addresses or other identifying information associated with sanctioned individuals and entities listed on the SDN List, or located in sanctioned jurisdictions.
Since the Russian invasion of Ukraine, there has been an elevated cyber risk to U.S. critical infrastructure, including financial institutions. Credit unions should closely track the guidance and alerts from the Cybersecurity and Infrastructure Security Agency (CISA), which provides information on its ‘Shields-Up’ website to promote awareness of current cybersecurity threats and mitigations. Credit unions should review and implement practices not already in place that are recommended in the following CISA issuances:
- Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure.
- CISA Insights Article: Implement Cybersecurity Measures Now to Protect Against Potential Critical Threats.
- Preparing for and Mitigating Foreign Influence Operations Targeting Critical Infrastructure.
The alert contains additional cybersecurity risk mitigation steps, including:
- Review programs to ensure full compliance, with particular attention to core cybersecurity hygiene measures like multi-factor authentication (“MFA”), privileged access management, vulnerability management, and disabling or securing remote desktop protocol (“RDP”) access.
- Review and confirm border security configurations to eliminate any networking protocols that are non-essential.
- Review, update, and test incident response and business continuity planning, and ensure that those plans address destructive cyber-attacks such as ransomware.
- Immediately confirm backups are protected from a ransomware attack and have and maintain an updated incident response plan.
- Re-evaluate plans to maintain essential services, protect critical data, and preserve customer confidence considering the realistic threat of extended outages and disruption.
- Conduct a full test of the ability to restore from backups. Do not assume that backup restoration will succeed until a full test has been successfully completed.
- Provide additional cybersecurity awareness, training, and reminders for all employees.
- Senior management, boards of directors, and other governing bodies of regulated entities should exercise oversight of all such planning and implementation.
Question of the Week
Q. What are Letters Testamentary?
A. Letters Testamentary is the written legal instrument by which a probate court approves the appointment of an executor/personal representative under a will and authorizes the executor/personal representative to administer the estate. Each state has its own provisions for issuing the Letters Testamentary or Letters of Administration.
National Credit Union Administration
NCUA to Distribute $569 Million Under Corporate System Resolution Program: The NCUA will distribute an additional $359.2 million to capital shareholders of the former Members United, Constitution, and U.S. Central corporate credit unions. In addition, the NCUA will distribute $209.8 million in dividends to shareholders of Southwest Corporate. The scheduled distributions are to occur before the end of this month.
NCUA Releases 2021 Fourth Quarter Credit Union System Performance Data: The NCUA provided data on how well credit unions performed for the fourth quarter of 2021. Total assets rose year over year, and insured shares and deposits grew by 11.4%. Total loans also increased while the delinquency rate fell to 49 basis points.
Office of Foreign Assets Control
OFAC has updated the SDN list as of March 4. The last update prior to this was March 1.
Questions? Contact the Compliance Hotline: 1.800.546.4465; firstname.lastname@example.org.