Blog

Jul 31
Map of World-Wide Cyber-attacks in Real Time

Ever wondered just how many cyber-attacks happen in the world? Take a few seconds to watch this live cyber-attack map (click the link below). Each flash represents a unique cyber-attack going on right now in real time. It shows where the attack originated as well as the target. As scary as the map is, it apparently represents only a tiny fraction of the actual number of attacks.

 http://map.norsecorp.com/ 

 

 "Want to Get Freaked Out? Check Out This Live Cyberattack Map." Risk InboX Links RSS. AffirmX, 24 July 2015. Web. 31 July 2015.                         

 

Jul 23
Fraudsters Favor Credit Union Cards

Due to slow fraud detection, thieves favor credit union and community bank cards and other data. As the EMV conversion nears, this problem continues to grow worse.

Below is an article we recently read in the CU Times on this issue:

 

Fraud detection is so slow at credit unions that thieves are often willing to pay more for stolen card numbers and other data involving credit union issuers, according to Canh Tran, co-founder and CEO of Chicago-based fraud analytics firm Rippleshot.

In fact, credit unions and even community banks are bigger targets than megabanks such as Citibank, Bank of America and Capital One, Tran noted, and the looming EMV conversion could make things worse before making them better.

“Citibank and Bank of America have 60 to 100 people in their fraud reduction department,” he explained. “Eventually, using their own analytics and a lot more resources, they'll be able to identify that fraudulent card sooner. The thieves know that, so they'd rather buy the cards from the credit union and the community bank because they know that card will not be detected for quite a while, so more fraud will be perpetrated on those cards.”

EMV’s rallying cry has long been that it can prevent this sort of crime and thereby disrupt markets for stolen data, but Tran said the opposite will happen, at least in the short-term.

Part of his reasoning is that EMV conversion is voluntary and is taking a long time.

“The big difference between the United States and all the countries in Europe, and Canada, is that in Europe and Canada, it was a government mandate to do so,” he explained.

Tran thinks 90% to 98% of merchants and at least half of issuers in the U.S. won’t be ready for EMV by October. The use of chip-and-signature instead of chip-and-PIN, plus the fact that gas stations won’t be compliant until 2017 also leave open opportunities for fraud, he said.

Tran said that after France implemented EMV in 2006, total fraud increased by 67% in three years. In Canada, card-present fraud fell by more than half but card-not-present fraud more than doubled between 2008 and 2013. And in the U.K., card-present fraud dropped by 50% after chip-and-PIN arrived, but big increases in card-not-present fraud actually drove the overall rate up in the years following conversion there.

All of this is why Tran predicts card fraud will spike after EMV takes hold in the United States.

“Eventually, it will decrease and go online, but we actually predict that within the next three years it's going to increase,” he said.

The EMV card will eventually be cracked anyway, he said, as thieves progress and innovate.

In turn, the mission now is less about prevention and more about faster detection. It takes eight to nine months on average to discover a data breach today, Tran said, and that’s created a market opportunity for firms like his that can sniff out fraud faster.

Tran said traditional fraud monitoring involves profiling card users’ purchases and flagging unusual activity. But new techniques such as contagion analysis, which look for anomalies on the merchant side – analyzing disputed charges at a department store in Florida, a bookstore in Las Vegas and an electronics store in Seattle, for example – can determine whether the cards involved were all used at the same place at one point in time.

“For the big retailers that have a lot of credit card transactions, typically we're able to detect within two to four weeks of a data breach,” he said.

That dramatically shortens the time criminals have to exploit stolen cards, he added, and in turn reduces the monetary damages. And because credit unions are targets, other people’s mistakes can have much bigger ramifications.

“A lot of it is employee, either malfeasance or negligence, so you have to update your passwords,” he said. “Maybe a bartender at a restaurant is skimming the cards; somebody is paying invoices for a doctor’s billing office and so they're skimming the cards on their own. Or a point-of-sale terminal, people didn't bother to reset the 1111 password, so all the point-of-sale terminals are compromised.”

Bad Wi-Fi connections and even imported point-of-sale terminals that come with malware already on them are risks, too, he said.

Article written by Tina Orem

 Orem, Tina. "Fraudsters Favor Credit Union Cards." CU Times.com. CU Times, 15 July 2015. Web. 23 July 2015.                         
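The merchant-side "contagion analysis" described in the article can be sketched as a common-point-of-purchase check. This is an added example, not code from Rippleshot or the CU Times article; the card ids, merchants, dates and the `min_cards` / `min_lift` thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data: (card, merchant, date). Cards A, B and C later had
# disputed charges at three unrelated stores, as in the article's illustration.
TRANSACTIONS = [
    ("card_A", "Corner Cafe", date(2015, 3, 2)),
    ("card_B", "Corner Cafe", date(2015, 3, 5)),
    ("card_C", "Corner Cafe", date(2015, 3, 9)),
    ("card_D", "Corner Cafe", date(2015, 3, 6)),
    ("card_A", "FL Department Store", date(2015, 4, 20)),
    ("card_B", "LV Bookstore", date(2015, 4, 22)),
    ("card_C", "SEA Electronics", date(2015, 4, 25)),
]
# A popular merchant almost everyone uses, plus two unrelated clean cards.
TRANSACTIONS += [(f"card_{c}", "MegaGrocer", date(2015, 3, 15)) for c in "ABCDEFGH"]
TRANSACTIONS += [(f"card_{c}", "Gas N Go", date(2015, 3, 20)) for c in "IJ"]
DISPUTED = {"card_A", "card_B", "card_C"}


def common_points_of_purchase(transactions, disputed, min_cards=3, min_lift=2.0):
    """Rank merchants where disputed cards are over-represented among visitors.

    lift = (share of a merchant's cards that are disputed) / (share overall).
    A busy merchant sees many disputed cards by chance, so its lift stays near 1.
    """
    visitors = defaultdict(set)       # merchant -> every card seen there
    exposure = defaultdict(list)      # merchant -> visit dates of disputed cards
    all_cards = set()
    for card, merchant, day in transactions:
        all_cards.add(card)
        visitors[merchant].add(card)
        if card in disputed:
            exposure[merchant].append(day)

    seen_disputed = disputed & all_cards
    if not seen_disputed:             # nothing to correlate, avoid dividing by 0
        return []
    base_rate = len(seen_disputed) / len(all_cards)

    findings = []
    for merchant, cards in visitors.items():
        hit = cards & disputed
        if len(hit) < min_cards:      # a single dispute at a store is not a pattern
            continue
        lift = (len(hit) / len(cards)) / base_rate
        if lift >= min_lift:
            findings.append({
                "merchant": merchant,
                "lift": round(lift, 2),
                "window": (min(exposure[merchant]), max(exposure[merchant])),
                # Same exposure, no dispute yet: candidates for monitoring/reissue.
                "at_risk": sorted(cards - disputed),
            })
    return sorted(findings, key=lambda f: f["lift"], reverse=True)


if __name__ == "__main__":
    for finding in common_points_of_purchase(TRANSACTIONS, DISPUTED):
        print(finding)
```

The `at_risk` list is the part that shortens the exposure window: cards that shared the suspected point of compromise but have not yet shown fraud.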

 

Jul 14
NCUA Letter to Credit Unions - Improving the Process for Consumer Complaints

NCUA publishes Letter No 12-CU-04 to establish guidance on improving the processes for consumer complaints.

 

This letter describes recent changes to streamline and improve NCUA’s consumer complaint handling process.  The most important change will provide credit unions with 60 days to resolve most consumer complaints before NCUA’s Consumer Assistance Center intervenes.

This letter also includes recommendations for credit unions to maintain effective procedures to process consumer complaints as part of their overall compliance management systems.

 

To view the entire letter and enclosures, click this link: http://www.ncua.gov/Resources/CUs/Pages/LCU2015-04.aspx 

 

Source: Matz, Debbie. "Improving the Process for Consumer Complaints." National Credit Union Administration, June 2015. Web. 14 July 2015.

Jul 07
BSA Focus: July 7, 2015

Treasury releases two new risk assessments, the National Money Laundering Risk Assessment and National Terrorist Financing Risk Assessment.   These assessments are good resources for developing a strong Anti-Money Laundering Program for your credit union.

 

Treasury Department Publishes National Money Laundering Risk Assessment and National Terrorist Financing Risk Assessment

Reports Identify Key Illicit Finance Concerns to the United States; Enable the Public and Private Sectors to More Effectively Manage and Combat Illicit Finance Risks

  

WASHINGTON – The U.S. Department of the Treasury today issued the National Money Laundering Risk Assessment (NMLRA) and the National Terrorist Financing Risk Assessment (NTFRA).  The purpose of these assessments is to help the public and private sectors understand the money laundering and terrorist financing methods used in the United States, the risks that these activities pose to the U.S. financial system and national security, and the status of current efforts to combat these methods.  In doing so, these assessments enable the U.S. Government and financial institutions to more effectively detect and combat illicit finance. 

 

This is the first NTFRA, and the NMLRA builds and expands on a previous Treasury money laundering report issued in 2005.  The methodology for today's reports is based on guidance set out in 2013 by the Financial Action Task Force (FATF), the international standard-setting body for anti-money laundering and counter-terrorist financing safeguards, of which the United States is a founding member.  The FATF requires all national governments to demonstrate their understanding of the money laundering and terrorist financing risks facing their financial systems.  The assessments issued today will help to inform the FATF's ongoing review of the United States regarding our compliance with the FATF Recommendations – which are global standards focused on these issues. 

 

The United States is the world's largest financial system and U.S. financial institutions play a central role in the global economy, processing trillions of dollars of transactions from around the world every day.  While this position exposes the United States to increased risks for illicit finance, the U.S. Government has developed a robust regulatory framework, complemented by law enforcement and supervision efforts, which make it more difficult and costly for criminals and terrorists to access and use the U.S. financial system.

 

"Today's assessments underscore our dedication to better understand and address the risk of illicit finance," said Adam J. Szubin, Acting Under Secretary for Terrorism and Financial Intelligence.  "This comprehensive review will better inform the U.S. Government and our private sector partners about how to further safeguard and strengthen the U.S. economy and national security."

 

The NMLRA finds that the United States has effectively kept pace with innovation, such that criminals pursuing money laundering opportunities rely on costly and burdensome methods to mask their identities from financial institutions in order to open and maintain accounts.  These include, but are not limited to, using cash, other monetary instruments, shell companies, and conducting transactions below customer identification thresholds.  The report also finds that the U.S. framework for anti-money laundering and counter terrorist financing effectively narrows many of the most significant vulnerabilities that money launderers seek to exploit through a core set of tools, including targeted financial sanctions, law enforcement investigations and prosecutions and regulatory preventive measures, and by working to enhance international standards.

 

The NTFRA finds that the U.S. Government has made it substantially more difficult for terrorist organizations to raise and move money through the U.S. financial system since the September 11, 2001 attacks.  A notable trend highlighted in the report is a decrease in the use of the U.S. banking system for terrorist financing-related transactions, as terrorists are forced into more expensive and less efficient methods to facilitate terrorist financing, such as cash smuggling.  Such channels outside of the regulated financial system are riskier than straightforward bank transfers, making them more vulnerable to disruption and exposure.  Nonetheless, the wealth and resources of the United States will continue to make it an attractive target for a wide range of terrorist organizations seeking to fund their activities, and the risk of terrorist financing through the U.S. financial system persists.

 

The review for these assessments was led by the Treasury Department's Office of Terrorist Financing and Financial Crimes, and developed in close coordination with offices and bureaus in the Treasury Department, the Department of Justice, the Department of Homeland Security, the Department of State, and across the intelligence community and staffs of the Federal functional regulators.

 

Source: "Press Center." Treasury Department Publishes National Money Laundering Risk Assessment and National Terrorist Financing Risk Assessment. U.S. Department of the Treasury, 12 June 2015. Web. 07 July 2015.

Jun 30
June Compliance Minute

We came across this great article from a mortgage banking newsletter published in June and thought we would share it.  Enjoy!

 

CFPB Announces 'Good Faith' Grace Period for TRID Rule Compliance

 

The Consumer Financial Protection Bureau (CFPB) announced on Wednesday June 3rd that a grace period will be in effect for those servicers attempting to comply in good faith with the TILA-RESPA Integrated Disclosure (TRID) requirements that are scheduled to go into effect August 1.

Both mortgage industry stakeholders (servicers in particular) and lawmakers have been asking the CFPB to delay the implementation of TRID. In a letter to CFPB Director Richard Cordray dated May 20, a bipartisan coalition in Congress asked for a grace period, expressing concerns that "this complicated and extensive rule is likely to cause challenges during implementation" that could "negatively impact consumers."

 

While the CFPB did not push back the August 1 implementation date of the rule, it attempted to ease some of those concerns on Wednesday by saying it would take into account a company's good faith effort to comply with the rule after it goes into effect.

"We also delivered a letter to Members of Congress stating that our oversight of the implementation of the Know Before You Owe mortgage rule (also known as the TILA-RESPA Integrated Disclosure rule) will be sensitive to the progress made by those entities that have been squarely focused on making good-faith efforts to come into compliance with the rule on time," the CFPB wrote on its blog on Wednesday. "We have spoken with our fellow regulators to clarify this approach. This is consistent with our approach in the implementation of the Title XIV mortgage rules."

 

Cordray responded to the lawmakers' letter on June 3, stating the Bureau's desire for a smooth transition and that since the rule was published in November 2013, the CFPB has made it a point to "engage directly and intensively with financial institutions and vendors through a formal regulatory implementation project." That project includes inter-agency coordination, the publishing of a "readiness guide" and other resources, publishing amendments and updates to the rule in response to industry requests, providing unofficial staff guidance, conducting webinars, and clarifying misunderstandings.

 

The CFPB Director also pointed out in his response that the Bureau will continue to work with industry, consumer, and other stakeholders to support implementation of TRID after August 1.  Mortgage industry leaders praised Cordray's response to the concerns expressed by lawmakers and those within the industry.

 

"I thank CFPB Director Cordray for listening to the requests of CUNA, Congress, and others in our call for a safe harbor period through the end of the year for the enforcement of the TRID rule," said Jim Nussle, president and CEO of the Credit Union National Association (CUNA). "CUNA supports the CFPB's goal for transparency with the new disclosures helping consumers better understand mortgage terms, and now credit unions will be allowed the time they need to figure out the day-to-day aspects of complying with the rule without worrying about enforcement."

Author: Brian Honea

May 11
May Compliance Minute

Texas Unclaimed Property

 

With regard to account dormancy, several clients recently asked us what qualifies as "communication." In essence, they are asking what a member has to do in order to keep their accounts current and avoid having funds escheated to the state. 

 

As a reminder, accounts must be escheated to the State of Texas once they are considered inactive (i.e. dormant) for three years (as of March 1st).  For accounts with balances greater than $250, you are required to notify the member of the pending escheatment via a letter.

 

State rules require that in order for communication with a member to change an account from dormant to active, it must be considered positive communication. This means that the member must respond to your letter in writing, conduct a financial transaction, or, if properly documented by an employee, the member can call and request the account be made active. (If accepting a phone call, your credit union must make sure to have good documentation, that is two employee signatures, or mail a letter to the member for verification, etc.).

 

As shown below, the fact that a member's statement or letter is not returned to you marked bad address by the United States Postal Service does NOT count as communication. This excerpt is taken straight from the Texas Unclaimed Property Reporting Instructions, page #7. This instruction manual can be found here:  http://comptroller.texas.gov/up/forms/96-478.pdf.

 

Mail Not Returned by Post Office - Under the Texas Administrative Code Title 34 § 13.3, the fact that mail is not returned to you by the post office does not, by itself, qualify as contact with that owner or activity on the account. When reviewing your records for abandoned property, look for the last documented communication with the owner or the last debit or credit generated by the owner on any account or safe deposit box, not merely an account that is inactive. Contact with the owner may be established by mail, email, accessing an online account or phone. Phone contact should be documented in writing with the date and time of the conversation.

 

We hope this brings clarity to this issue as you prepare your unclaimed property reports for 2015. Remember, these payments are due to the state on or before July 1, 2015.  We have seen recent instances of the state of Texas issuing fines for late filers, so please mark this due date on your calendar.

 

 

Waypoint Advisory Services, Inc. is a multifaceted provider specializing in audit services, internal control testing, compliance, strategic planning and director training for federal

Feb 09
February Compliance Minute

Home Mortgage Disclosure Act (HMDA) Data

Credit unions subject to HMDA requirements in calendar year 2014 must submit loan/application register (LAR) data to the Federal Reserve Board by March 2, 2015.  This applies to credit unions located in metropolitan areas that do residential mortgage lending and had assets exceeding $43 million as of December 31, 2013.  For additional information review NCUA's Regulatory Alert 15-RA-01.

NCUA SUPERVISORY PRIORITIES FOR 2015

NCUA issued Letter to Credit Unions 15-CU-01 to assist credit unions in preparing for their NCUA examination in 2015.  The specific areas are: 

1) Cybersecurity – Review of the credit union's system to handle a range of cybersecurity threats.

 

2) Interest Rate Risk (IRR) – Review compliance with NCUA's IRR Rule & assess IRR exposure.

 

3) Bank Secrecy Act (BSA) Compliance – Review for continued compliance & relationships with money services businesses (MSBs).

 

4) Liquidity and Contingency Funding Plans – Assessing compliance with NCUA's liquidity rule (741.12) & contingent funding testing at credit unions with assets of at least $250 million.

 

5) New TILA-RESPA Integrated Disclosure Rule – Review compliance with the CFPB's new rule that is effective as of August 1, 2015.  More to come in future Waypoint Compliance Minutes.  

 

6) Ability-to-Repay and Qualified Mortgage Standards Rule – Review compliance with the CFPB's mortgage rule and the safety and soundness of mortgage lending programs.

 

 

Waypoint Advisory Services, Inc. is a multifaceted provider specializing in audit services, internal control testing, compliance, strategic planning and director training for federally insured credit unions.

Jan 05
January Compliance Update

ANNUAL PRIVACY NOTICE

Credit unions can now opt for an alternative method to deliver the required annual privacy notice as of October 28, 2014.  NCUA published Regulatory Alert 14-RA-11 to provide guidance on the five eligibility requirements that must be met and other disclosure requirements.  This change to Regulation P, which was recently issued by the CFPB, is available here.

 

NCUA SUPERVISORY PRIORITIES FOR 2015

NCUA issued Letter to Credit Unions 15-CU-01 to assist credit unions in preparing for their NCUA examination in 2015.  The specific areas are: 

1) Cybersecurity – Review of the credit union's system to handle a range of cybersecurity threats.

 

2) Interest Rate Risk (IRR) – Review compliance with NCUA's IRR Rule & assess IRR exposure.

 

3) Bank Secrecy Act (BSA) Compliance – Review for continued compliance & relationships with money services businesses (MSBs).

 

4) Liquidity and Contingency Funding Plans – Assessing compliance with NCUA's liquidity rule (741.12) & contingent funding testing at credit unions with assets of at least $250 million.

 

5) New TILA-RESPA Integrated Disclosure Rule – Review compliance with the CFPB's new rule that is effective as of August 1, 2015.  More to come in future Waypoint Compliance Minutes.  

 

6) Ability-to-Repay and Qualified Mortgage Standards Rule – Review compliance with the CFPB's mortgage rule and the safety and soundness of mortgage lending programs.

 

 
