Consumer Financial Protection Bureau (CFPB) 

CFPB Finalizes Personal Financial Data Rights Rule to Boost Competition, Protect Privacy, and Give Families More Choice in Financial Services 

The CFPB issued a final rule to implement the personal financial data rights established by section 1033 of the Dodd-Frank Act. The final rule requires banks, credit unions, and other financial service providers to make consumers’ data available upon request to consumers and authorized third parties in a secure and reliable manner; defines obligations for third parties accessing consumers’ data, including important privacy protections; and promotes fair, open, and inclusive industry standards. 

The final rule includes a coverage threshold which exempts credit unions that hold less than the SBA size standard from the rule. Per 13 CFR 121.201, the threshold for credit unions is $850 million in assets. 

Data providers must comply with the rule beginning in: 

• April 1, 2026 – Data providers with at least $250 billion in assets; 

• April 1, 2027 – Data providers between $10 billion and $250 billion in assets; 

• April 1, 2028 – Data providers between $3 billion and $10 billion in assets; 

• April 1, 2029 – Data providers between $1.5 billion and $3 billion in assets; and 

• April 1, 2030 – Data providers between $850 million and $1.5 billion in assets. 

CFPB Orders Apple and Goldman Sachs to Pay Over $89 Million for Apple Card Failures 

The CFPB took action against Apple and Goldman Sachs for customer service breakdowns and misrepresentations that impacted hundreds of thousands of Apple Card users. The CFPB found that Apple failed to send tens of thousands of consumer disputes of Apple Card transactions to Goldman Sachs, and when Apple did send disputes to Goldman Sachs, the bank did not follow numerous federal requirements for investigating the disputes. Apple and Goldman launched Apple Card despite third-party warnings to Goldman that the Apple Card disputes system was not ready due to technological issues. These failures meant that consumers faced long waits to get money back for disputed charges, and some had incorrect negative information added to their credit reports. 

CFPB Issued Guidance on Worker Digital Tracking and Decision-Making Systems 

The CFPB issued Consumer Financial Protection Circular 2024-06 to address the question of whether an employer can make employment decisions utilizing background dossiers, algorithmic scores, and other third-party consumer reports about workers without adhering to the Fair Credit Reporting Act (FCRA) requirements. 

The CFPB’s opinion is that those would be similar to credit reports and scores which are often governed by the FCRA when it comes to employment decisions. Many background dossiers that are compiled from databases collecting public records, employment history, collective-bargaining activity, or other information about a worker are “consumer reports” under the FCRA. Other types of consumer reports may include, for example, reports that convey scores assessing a current worker’s risk level or performance. 

Employers that use consumer reports—both initially when hiring workers and for subsequent employment purposes—must comply with FCRA obligations, including the requirement to obtain a worker’s permission to procure a consumer report, the obligation to provide notices before and upon taking adverse actions, and a prohibition on using consumer reports for purposes other than the permissible purposes described in the FCRA. 

_______________________________________________________________________________

Financial Crimes Enforcement Network (FinCEN) 

FinCEN Issues Alert to Financial Institutions to Counter Financing of Hizballah and Its Terrorist Activities 

FinCEN issued an alert to assist financial institutions in identifying and reporting suspicious activity supporting Lebanese Hizballah which has been designated as a Foreign Terrorist Organization. The alert provides an overview of Hizballah and the financing of the organization along with how the organization launders its illicit proceeds. In addition, the alert provides red flags that credit unions can watch for along with SAR reporting instructions. 

_______________________________________________________________________________

National Credit Union Administration (NCUA) 

Board of Director Engagement in Cybersecurity Oversight 

The NCUA issued Letter to Credit Unions 24-CU-02 to remind credit union board of directors and senior management to stay highly focused on managing cyber risks and ensure credit unions have necessary resources to maintain an effective cybersecurity program. 

Boards should engage in ongoing education about current cybersecurity threats, trends, and best practices. The NCUA provides various resources to assist, including training webinars, web-based learning resources, and written guidance. 

The letter to credit unions provides additional insight related to: 

• Approval of information security program; 

• Oversight of operational management; and 

• Incident response planning and resilience 

League InfoSight Highlight: Personal Financial Data Rights Rule is FINAL!

We’ve been anxiously awaiting the arrival of this rule, and we knew it would be a doozy! While the exemption may not be broad enough, the final rule does exempt credit unions with assets “at or below the specified Small Business Administration (SBA) size standard,” which is currently set at $850 million.

The final rule applies to covered “data providers” that control or possess covered data concerning a covered financial product or service obtained by the consumer from the provider (credit union). A “covered consumer financial product or service” is one or more of the following:

• An account for purposes of Regulation E;
• A credit card for purposes of Regulation Z; or
• The facilitation of payments from a Regulation E or Regulation Z credit card, excluding products or services that merely facilitate first party payments.
  
  
  

The final rule requires the credit union to make certain data available to both a consumer and a third party (upon request) in an electronic form. That would include:

• Transaction information
• Account balance information
• Terms and conditions (account opening agreement, amendments, pricing information, etc.)
• Upcoming bill payment information
• Basic account verification information
  
  
  

The final rule also requires credit unions to have the capacity to receive requests electronically and provide the data in electronic form in response to consumer and third-party requests but does not require any particular type of technology. Access can only be granted once the credit union receives enough information to authenticate the identity of the consumer and the scope of the data requested. For third-party access, the authentication needs to include the consumer’s identity, documentation confirming the third party’s access to the covered data, authentication of the third party’s identity, documentation that the third party has followed the authorization procedures set forth in the final rule and has identified the scope of the data requested.

The final rule requires that the credit union maintain written policies and procedures to comply with the final rule and requirements. As we get closer to the effective date, League InfoSight resources will be created and made available to help credit unions comply with these requirements.

Compliance dates for this final rule is dependent upon on asset size:

• Credit unions between $850 million and $1.5 billion: April 1, 2030.
• Credit unions between $1.5 billion and $3 billion: April 1, 2029.
• Credit unions between $3 billion and $10 billion: April 1, 2028.
• Credit unions over $10 billion in assets, but less than $250 billion: April 1, 2027.
  
  
  

Credit unions are encouraged to review the available resources, including:

• CFPB Executive Summary

• CFPB Final Rule – Personal Financial Data Rights

Glory LeDu

CEO, League InfoSight & CU Risk Intelligence

The Minor Vote 

CFPB Affirms That Some Disclousres are Only for Credit Card Accounts 

FinCEN Assesses $900,000 CMP Against Lake Elsinore Hotel and Casino for BSA Violations 

Love It or List It 

New FTC Report to Congress on Scams and Older Adults 

Help Your Library Patrons Avoid Scams 

How to Avoid TSA PreCheck Scams 

Oct. 30, 2024: Effective Date - NCUA Final Rule on Fair Hiring in Banking

Oct. 31, 2024: Fannie Mae/Freddie Mac – Reconsiderations of Value Procedures 

Nov. 6, 2024: Unpacking the Final Ruling Webinar- 1033 is Here 

Nov. 7, 2024: Office of Foreign Assets Control (OFAC) – Reporting, Procedures and Penalties Regulations 

Nov. 7, 2024: NCUA Webinar – Small and MDI Credit Union Support 

Nov. 7, 2024: NCUA Webinar – FFIEC IT Handbook 

Nov. 15, 2024: NCUA Comments Due Changes to Call Reports

Nov. 28, 2024: Thanksgiving Day – Federal Holiday 

Dec. 25, 2024: Christmas Day – Federal Holiday 

Jan. 1, 2025: Department of Labor (DOL) - Fair Labor Standards Act Amendment 

Jan. 27, 2025: FCC – Targeting and Eliminating Unlawful; Text Messages 

July 1, 2025: CFPB and FRB – Reg CC Threshold Adjustments 

July 18, 2025: CFPB – Small Business Lending Data – ECOA 

Oct. 1, 2025: Quality Control Standards AVMs 

How much access can an agent on a share account be allowed?  

By law, an agent is given whatever access the principal (your member) grants.  It depends on the agency agreement (power of attorney) in question.  Usually, however, an agent is given full access to receive information, deposit, and withdraw from the account. 

For your individualized login, select your state below. 

If you have questions about this communication, contact us at 800.546.4465 or via our shared email inbox at compliance@gowest.org.

Have a great weekend!

Your GoWest Compliance Team, 

Copyright © 2023 GoWest Credit Union Association. All Rights Reserved.

Mailing Address:
GoWest Credit Union Association, 18000 International Blvd Ste. 1102, SeaTac, WA 98188, United States
1.800.995.9064

View in Browser | Manage Your Preferences | Unsubscribe