Compliance Specific News & Resources for GoWest Credit Unions
Compliance Newsletter

COMPLIANCE HEADLINES

National Credit Union Administration (NCUA) 


Agencies Issue Final Rule to Help Ensure Credibility and Integrity of Automated Valuation Models 


The NCUA and other federal financial institution regulators issued the final rule to implement the Dodd-Frank Act quality control standards for automated valuation models (AVMs). Under the final rule, the agencies will require institutions that engage in certain transactions secured by a consumer’s principal dwelling to adopt policies, practices, procedures, and control systems designed to: 

  • Ensure a high level of confidence in estimates; 

  • Protect against data manipulation; 

  • Seek to avoid conflicts of interest; 

  • Require random sample testing and reviews; and 

  • Comply with nondiscrimination laws. 


NCUA Board Maintains Federal Credit Union Loan Interest Rate Ceiling at 18 Percent 


The NCUA Board unanimously approved maintaining the current 18-percent interest rate ceiling for loans made by federal credit unions for a new 18-month period from September 11, 2024, through March 10, 2026. The Federal Credit Union Act caps the interest rate on federal credit union loans at 15 percent; however, the NCUA Board has the discretion to raise that limit for 18-month periods if interest-rate levels could threaten the safety and soundness of individual credit unions. The 18-percent cap applies to all federal credit union lending, except originations made under NCUA’s payday alternative loan program, which are capped at 28 percent. 


NCUA Board Approves Proposed Incentive-based Compensation Rule 


The NCUA, along with the other federal financial institution regulators, issued a proposed rule to implement section 956 of the Dodd-Frank Act. The statute requires the federal regulators to jointly issue regulations or guidelines to: 

  • Prohibit incentive-based compensation arrangements at covered financial institutions that encourage inappropriate risks by providing excessive compensation or that could lead to material financial loss; and 

  • Require those covered financial institutions to disclose information concerning incentive-based compensation arrangements to the appropriate Federal regulator. 


NCUA Board Approves Revised Proposal on Succession Planning 


The NCUA Board approved a proposed rule which requires boards of directors at federally insured credit unions to establish and adhere to processes for succession planning. This new proposed rule modifies the 2022 proposal based on the public comments received and upon further consideration of the issues. Under the revised proposal, boards of directors at federally insured credit unions would be required to establish written succession plans that address specified executive and other positions. Additionally, each board of directors would be required to review the succession plan in accordance with a schedule it establishes, but no less than annually. The plan would be required to address the credit union’s strategy for recruiting candidates to assume each of the key positions and promote the credit union’s safe and sound operation. 

 ___________________________________________________________________________ 


Consumer Financial Protection Bureau (CFPB) 


Data Spotlight: Developments in the Paycheck Advance Market 


The CFPB issued a Data Spotlight report on earned wage products which are described as third-party products that tie funding amounts to accrued or estimated wages and that are repayable on the next payday or withheld from the next paycheck. The spotlight summarizes data obtained from eight providers to better understand the size of the market, usage patterns, and fee structures.  Some of the key findings include: 

  • The market for employer-partnered earned wage products continues to grow rapidly. The CFPB estimates that the number of transactions processed by these providers grew by over 90% from 2021 to 2022, with more than 7 million workers accessing approximately $22 billion in 2022. 

  • The average transaction size is relatively small. Across providers in our sample of employer-partnered firms the average transaction amount ranged from $35 to $200, with an overall average transaction size of $106. The average worker accessed $3,000 in funds per year. 

  • Repeat usage is high and the share of workers using earned wage products each month is increasing. The average worker in our sample had 27 earned wage transactions per year. The share of workers in our sample using the product at least once a month increased from 41% in 2021 to nearly 50% in 2022. 

  • Few employers cover the cost of earned wage products on behalf of their workers. We estimate that employers in our sample subsidized less than 5% of total fees. 

  • When employers do not cover the cost, nearly all workers paid a fee for expedited access to their funds. Across our sample of surveyed companies, in 2021 and 2022, roughly 90% of workers paid at least one earned wage product-related fee. Among the companies in our sample that collect fees, the average cost per transaction ranged from $0.61 to $4.70. When workers paid a fee, the average size was approximately $3.18. Workers paid an average of $68.88 per year in fees. 

  • Based on the average data inputs in our sample, an illustrative annual percentage rate (APR) for a typical employer-partnered earned wage product transaction equates to 109.5%. As actual APRs will vary depending on transaction size, fees paid, and duration, this APR estimate understates APRs for smaller transactions with shorter terms. 


CFPB Proposes Interpretive Rule to Ensure Workers Know the Costs and Fees of Paycheck Advance Products 


The CFPB issued a proposed interpretive rule explaining that many paycheck advance products, sometimes marketed as “earned wage” products, are consumer loans subject to the Truth in Lending Act. The guidance will ensure that lenders understand their legal obligations to disclose the costs and fees of these credit products to workers. The proposed interpretive rule explains how existing law applies to this emerging product market and replaces a 2020 advisory opinion that addressed a very specific paycheck advance product that is not common in the real market. The proposed interpretive rule makes clear that many paycheck advance products – whether provided through employer partnerships or marketed directly to borrowers – trigger obligations under the federal Truth in Lending Act. In addition, the CFPB’s proposed interpretive rule makes clear that: 

  • Many loan costs are finance charges: Fees for certain “tips” and expedited delivery meet the Truth in Lending Act’s standard for being finance charges. When the paycheck advance product is no-fee and truly free to the employee, many requirements would not apply. 

  • Borrowers must receive key disclosures: Among other requirements, earned wage lenders must provide workers with appropriate disclosures about the finance charges. Clear disclosures help borrowers understand and compare loan options, sharpen price competition, and ultimately benefit companies that offer competitive products. 


Final Interagency Guidance on Reconsiderations of Value for Residential Real Estate Valuations 


The CFPB and other federal financial institution regulators released a final interagency guidance addressing reconsiderations of value (ROVs) for residential real estate transactions. The guidance advises on policies and procedures that financial institutions may implement to allow consumers to provide financial institutions with information that may not have been considered during an appraisal or if deficiencies are identified in the original appraisal. 

____________________________________________________________________________ 



Financial Crimes Enforcement Network (FinCEN) 


FinCEN, OFAC, and FBI Joint Notice on Timeshare Fraud Associated with Mexico-Based Transnational Criminal Organizations 


FinCEN, OFAC, and the FBI issued a joint notice to financial institutions urging them to be vigilant in detecting, identifying, and reporting timeshare fraud perpetrated by Mexico-based transnational criminal organizations (TCO). The alert provides financial institutions with methodologies, financial typologies, and red flags associated with timeshare fraud being orchestrated by Mexico-based TCOs. Mexico-based TCOs such as the Jalisco New Generation Cartel (CJNG) are increasingly targeting U.S. owners of timeshares in Mexico through complex and often yearslong telemarketing, impersonation, and advance fee schemes. They use the illicit proceeds to diversify their revenue streams and finance other criminal activities, including the manufacturing and trafficking of illicit fentanyl and other synthetic drugs into the United States. 



League InfoSight Highlight


League InfoSight Highlight: Cyber Incidents – Ransomware and Data Breaches 


Recent ransomware attacks have been making headlines and raising concerns for credit unions. Ransomware is a form of malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable. Malicious actors then demand ransom in exchange for decryption. The Cybersecurity and Infrastructure Security Agency (CISA) highlighted that in recent years ransomware incidents have become increasingly prevalent among the nation’s state, local, tribal government entities, and credit infrastructure organizations such as credit unions. 

  

Ransomware follows similar patterns, starting with the initial compromise of the system. Some of the most common infection points are: 

  • Phishing emails with corrupt attachments or links; 

  • Weak remote desktop protocols; 

  • Unpatched systems; 

  • Extensive reuse of passwords; and 

  • Lack of multi-factor authentication. 


Users often open a corrupt attachment or link, which installs the malware on their computer without their knowledge. The hacker will then explore the network looking for vulnerabilities and sensitive data, and this activity often goes undetected. Once the hackers have access, the ransomware will spread through the network and then encrypt material. The hackers will then make their ransom demand in exchange for a decryption key. 

  

CISA provides suggestions which may help protect credit unions’ networks. 

  1. Backups: Do we back up all critical information? Are the backups stored offline? Have we tested our ability to revert to backups during an incident? 

  2. Risk Analysis: Have we conducted a cybersecurity risk analysis of the organization? 

  3. Staff Training: Have we trained staff on cybersecurity best practices? 

  4. Vulnerability Patching: Have we implemented appropriate patching of known system vulnerabilities? 

  5. Application Whitelisting: Do we allow only approved programs to run on our networks? 

  6. Incident Response: Do we have an incident response plan, and have we exercised it? 

  7. Business Continuity: Are we able to sustain business operations without access to certain systems? For how long? Have we tested this? 

  8. Penetration Testing: Have we attempted to hack into our own systems to test the security of our systems and our ability to defend against attacks? 


TruStage shared steps credit unions should take to manage a ransomware incident, which include: 

  • Do not restore data until images can be collected by the digital forensics team. 

  • Do a global password reset. 

  • Disconnect from back-ups. 

  • Disconnect from the internet. 

  • Check to see if there are any malicious inbox rules. 

  • Obtain the ransom demand to share with the legal and forensics vendors. 

  • Contact your insurance carrier immediately to report an incident. 


Cyber Incident Reporting 

  

The NCUA has the Cyber Incident Notification Requirements rule which states that NCUA must receive notification as soon as possible but no later than 72 hours after a credit union reasonably believes that it has experienced a reportable cyber incident. A reportable cyber incident is any substantial cyber incident that leads to one or more of the following: 

  1. A substantial loss of confidentiality, integrity, or availability of a network or member information system that results from the unauthorized access to or exposure of sensitive data, disrupts vital member services, or has serious impact on the safety and resiliency of operational systems and processes; 

  2. A disruption of business operations, vital member services, or a member information system resulting from a cyberattack or exploitation of vulnerabilities; or 

  3. A disruption of business operations or unauthorized access to sensitive data facilitated through, or caused by, a compromise of a credit union service organization, cloud service provider, or other third-party data hosting provider or by a supply chain compromise. 


In addition, CISA recommends contacting law enforcement immediately. They encourage contacting a local FBI or Secret Service field office to report a ransomware event and request assistance. 


https://www.fbi.gov/contact-us/field-offices 

https://www.secretservice.gov/contact 

  

Resources  

InfoSight

  • Cybersecurity  

  • Data Breach   

  • Member Notification and Content Notice 

  • Media Response Components 

  • State Considerations 

  • Security Program for Credit Unions  

  • NCUA Notification Requirements 

  • Information Security Program Requirements 

CU PolicyPro 

  • Policy 4120 – Information Security  

  • Policy 4125 – Incident Response 

RecoveryPro 

  • Section 1600: Cyber Incident Response Process 

  • Procedures for detecting, containing, and recovering from Cyber Attacks 

  • Cyber Incident Reporting  

  • Member Notifications and Communications Templates 

  • Cyber Incident Planning Recommendations      

  • Cyber Event - Threat Assessment 

CISA Ransomware Guide 

CISA How to Protect Your Networks from Ransomware 


NCUA Cybersecurity Resources 

NCUA - Guidance on Response Programs for Unauthorized Access to Member Information and Member Notice 

  

David Curtis 

Director, Compliance Services, GoWest Credit Union Association 



LIS Webinar



LIS Webinar: Cyber Incident Content Review 


Join us on Tuesday, July 30, 2024 at 2 pm ET for our upcoming webinar where we will dive into the latest content updates for RecoveryPro! The new content includes a comprehensive Cyber Incident section, developed to address NCUA’s heightened emphasis on cyber events and Business Continuity Planning (BCP).  

  

The new content includes procedures for detecting, containing, and recovering from cyberattacks, along with communication strategies for notifying key stakeholders.  

  

You do not need to subscribe to RecoveryPro to attend, but registration is required. 

  

Register now to secure your spot! 




Whether you are a federal or state-chartered credit union, there are state laws that impact your operations. The most efficient and quickest way to find those laws is through InfoSight. This member benefit provides you with access to applicable state content for all 50 states, without you needing to search through tons of random online sources. Stop wasting time trying to research when InfoSight has aggregated all the information your credit union needs to stay compliant in an ever-changing and evolving federal and state environment. 



ARTICLES OF INTEREST

Monthly Roundup of Beneficial Ownership Reporting Outreach Activities and Preview of Upcoming Events 


Agencies Release List of Distressed or Underserved Nonmetropolitan Middle-Income Geographies 


OFAC Basics Video Series – My Funds are Blocked, Now What? 


SCAM UPDATES

Can You Spot an Investment Scam? 


DFI Warns of Cryptocurrency Scams Involving Self-Proclaimed “Professors” 


COMPLIANCE CALENDAR

July 30, 2024: Cyber Incident Content Review 


Aug. 8, 2024: OFAC Interim Final Rule Requiring Use of Electronic Reporting System 


Aug. 12, 2024: Comments Due CFPB Proposed Rule Concerning Medical Debt and Credit Reports


Aug. 14-15, 2024: Fraud Symposium


Sep. 3, 2024: Comments Due – FinCEN AML/CFT Program Amendments 


Sep. 9, 2024: Comments Due – CFPB Proposed Mortgage Servicing Amendments 

TOOLS & RESOURCES

Effective Dates
Bulletins & Alerts
Webinar Calendar
AffirmX and GoWest Partnership

Q&A OF THE WEEK

How do I verify the identity of an undocumented individual who has no driver’s license or passport? 


According to the Bank Secrecy Act (BSA), the Customer Identification Program (CIP) allows for the verification of identity by both documentary and non-documentary methods. You are required to obtain an identification number, but the number does not necessarily have to be a taxpayer identification number if the individual is not a U.S. citizen. It can be an alien identification number or other government identification number from the individual's country of residence. Additionally, if you can confirm that the individual has applied for a TIN and you can obtain the TIN within a reasonable period of time after the account is opened, you can open the account with that identification number.

If you have questions about this communication, contact us at 800.546.4465, or via our shared email inbox at compliance@gowest.org.

Have a great weekend!

Your GoWest Compliance Team, 

David Curtis

CUCE

Director, Compliance Services
P: 206.340.4785

Tiarra Sanders-Hausa

NCCO

Manager, Compliance Services

P: 206.618.9302

Copyright © 2023 GoWest Credit Union Association. All Rights Reserved.

Mailing Address:
GoWest Credit Union Association, 18000 International Blvd, Ste. 1102, SeaTac, WA 98188, United States
1.800.995.9064
