Posts tagged ‘FFIEC’
Are you developing a social media policy?
We’ve all heard about social media and most credit unions have tried to integrate it into their business plans. But what exactly are the regulatory requirements and how does a credit union manage the compliance, legal, operational and regulatory risks unique to technology such as Facebook and Twitter while complying with regulations promulgated long before Al Gore convinced himself that he invented the Internet?
Those are the implicit questions posed by a proposed guidance issued by the FFIEC — the council of the major financial industry regulators including the NCUA — establishing baseline requirements for financial institutions relating to the use of social media. In a nutshell, the guidance, if it is formalized in its proposed form, mandates that credit unions have policies and procedures in place regulating the use of social media that are commensurate with the credit union’s size and its use of interactive technology such as Facebook and Twitter.
At first blush the guidance is so broad as to be of little utility to credit unions in their day-to-day operations. You don’t have to be a compliance maven to realize that virtually every major fair lending law applies to communications made over the Internet to the same extent as an advertisement placed in your local newspaper. But I slept on this one and by the light of day — albeit an extremely cold day for the late-middle of April — I realize it’s important for credit unions irrespective of their size to start developing ways to systematically evaluate social media policy and its impact on them.
Social media has the potential of impacting virtually every aspect of your credit union’s management ranging from labor issues (can I discipline an employee for what she posted on her Facebook page?) to third party due diligence (the company says it can cheaply provide an up-to-date homepage but has only been around for a year, can a credit union expect it to get the job done?). The answer to these and other questions will, of course, be unique to each credit union and if your regulator starts insisting on a one-size fits all approach to these and other issues, please give me a call. But if the end result of this proposal is a requirement that gets all credit unions to systematically evaluate their social media offerings, then that’s a guidance worth having.
News Flash: Social Media Presents Compliance Issues
Garrison Keillor has a great theory about neighborhood barbeques: when you have five or six people deciding when the burgers are done, many of whom aren’t quite sure how to barbecue, you inevitably end up with a grossly overcooked burger. That’s the way I feel about guidances issued by the FFIEC, the council representing all the major federal bank regulators and state banking departments. It’s not that the guidances aren’t useful. It’s just that when you have to reach consensus among that many people the resulting document is often so general as to be void of any practical value except for that relative handful of institutions that didn’t realize there were regulatory issues in the first place.
I am bringing this up because yesterday the Grand Council released a proposed guidance on regulatory issues related to the use of social media by financial institutions. Remember that just because it is called a guidance doesn’t mean it is any less binding on your credit union than a traditional regulation. It provides the framework for examiners reviewing your credit union practices and as such should not be ignored.
First, what is social media? Social media refers to the interactive use of electronic communication such as through Facebook, Instagram and Twitter. What does the proposed guidance mandate? In a nutshell, the use of social media presents compliance, legal, operational and reputational risks to your financial institution. Therefore, you should have a risk management program in place to regulate the use of social media that is commensurate with your credit union’s use of this medium. Importantly, almost every single banking law and regulation you could think of applies to representations you make online to the same extent that they would if you were making them with traditional forums such as newspaper ads or account opening disclosures. This means that the whole alphabet soup of regulations ranging from the Truth in Lending Act to the Equal Credit Opportunity Act applies to your online activities.
In addition to the regulatory issues, there are unique legal issues as well. For instance, the guidance notes that financial institutions should be aware that employees’ communications via social media, even through an employee’s own personal social media accounts, may be viewed by the public as reflecting the institution’s views (for the record, as any faithful reader of this blog will know, my views do not always reflect the views of the Association, much to the relief of our President). However, despite the important employment issues involved, the regulators take a pass on addressing them.
In a very general way, this is all good advice. But, it’s not the type of thing you can rely on in developing sound day-to-day practices. My personal advice is that any credit union with any type of online presence, whether or not it uses social media, should do a compliance audit designed specifically to assess whether its electronic representations are consistent not only with existing law and regulation but with the credit union’s own representations. The last point is important since I have seen cases involving lots of money where attorneys have tried to argue that language on a bank’s website binds them to a greater legal obligation (for instance, regarding funds availability) than does the bank’s account agreement.
A second bit of advice is to reach out to an employment law expert to understand the unique employment issues involved with employee use of social media. If you think the issues are clear cut, then you don’t understand them. I’ve done a couple of posts on the issue for those of you who want to start some basic research.
CFPB delays remittance regulations
As expected, the CFPB announced yesterday that it was delaying the effective date of the international remittance regulations scheduled to take effect on February 7, 2013. The delay will give regulators time to incorporate proposed amendments to the regulations that are currently out for public comment. A new compliance date has not been released.
Credit Unions Put On Notice: Keep Your Head In The Cloud
Yesterday, the FFIEC, a coordinating council of financial regulators including the NCUA, issued guidance on “cloud computing,” putting credit unions on notice that they had better exercise proper due diligence and oversight as they migrate more of their data and computer services to off-site third-party service providers. If you think this doesn’t impact your credit union, either it will in the near future or you already use cloud computing and you just don’t realize it.
In the guidance, the examiners concede that “there is no widely accepted definition” of what cloud computing is; however, in general, “cloud computing is a migration from owned resources to shared resources in which client users receive information technology services on demand from third-party service providers.” For those of you who use an iPad or smartphone, you are already using the cloud: much of what those devices show you is stored on and served from someone else’s servers rather than kept on the device itself. But the real key to cloud computing is yet to come. We aren’t too far from the day that the clunky desktop looks as antiquated as the dusty typewriter in the office closet. Software applications will no longer be saved on your hard drive and all of your information will be kept on servers, chances are in a state or country far away from the credit union.
The opportunities for cost savings are huge, but the council flags important steps that financial institutions have to take. The guidance urges credit unions to look at six general areas, including:
- Due diligence (e.g. Is this the provider that can best meet the needs of your credit union?);
- Vendor Management (e.g. Is your vendor familiar with your industry’s regulations?);
- Auditing (e.g. Can you keep an eye on your vendor on an ongoing basis?);
- Information Security (e.g. Is your member information being adequately protected?);
- Legal, regulatory and policy considerations (e.g. Does your contract provide adequate protection in the event your service provider messes up? This is particularly important as more cloud computing takes place overseas.); and
- Business continuity planning (e.g. How will you get back online in the event of a disruption, such as a flood?).
The guidance is more than simply a list of best practices. Virtually all litigation involving data breaches and information technology centers on whether a financial institution was using commercially reasonable policies and technology to protect member information and money. FFIEC guidance provides the baseline for commercial reasonableness. You can bet that plaintiffs’ lawyers will be reading this document about as closely as your IT professional, so this is not one to file away.
Crime doesn’t pay, but because some people think it does…
Despite what Woody Allen says, crime really doesn’t pay, it is just that there’s always going to be some people who don’t get that.
Although Manhattan District Attorney Cyrus Vance is best known for bungling rape investigations of prominent French politicians, his office deserves credit for prioritizing financially related cyber crimes for investigation and prosecution. Interestingly, I can think of no place more removed from Manhattan, both culturally and geographically, than Watertown, New York. However, recent arrests in both localities provide important reminders to credit unions as they seek to prevent both good old-fashioned theft and computer-aided crime.
In Manhattan, the District Attorney’s cyber crimes and identity theft bureau announced that 94 persons were indicted this past week for their role in capitalizing on a defect in TD Bank’s account opening procedures. From May 2009 to August 2011, people were recruited to open new checking and savings accounts using checks drawn on closed accounts or on accounts at other banks that had insufficient funds. The bank knew that Regulation CC’s prompt availability rules don’t apply to newly opened accounts and held the deposited checks accordingly; unfortunately for the bank, someone discovered that new account holders could transfer those held funds over the phone from the newly opened savings account into the newly opened checking account, where they became withdrawable. The account openers were then driven to casinos, Western Union branch locations, or banks with particularly high ATM withdrawal limits, where the proceeds of the bogus checks were withdrawn. The scheme is estimated to have cleared $494,000.
Also this past week, police in Watertown, New York arrested the manager of United Neighbors Federal Credit Union for allegedly stealing more than $34,000 from the credit union between January 1 and November 3 of this year. According to the paper, the three-year employee of the credit union told police that she stole $18,000 from the ATM and the rest from her cash drawer, although the newspaper account provided no specifics as to how exactly she carried out the heist. She admitted to the crime immediately upon observing that an audit was being conducted by the credit union’s audit committee.
To me, these disparate examples provide several important reminders for credit unions.
First, although you should all be putting your finishing touches on implementing the FFIEC’s layered security guidance, which examiners are going to begin reviewing in 2012, this guidance is in addition to, rather than a replacement of, the obligation of credit unions pursuant to 12 CFR Part 748 to deter robbery, larceny, and embezzlement. For credit unions like the one in Watertown, New York this means recognizing the importance of audits. It’s not enough to have a policy in place; policies must be implemented.
For larger credit unions, this means ensuring that you periodically review not only new account opening procedures, but the computer systems used to put them in place. One of the biggest mistakes a financial institution can make is to fail to monitor the systems put in place by its vendors or, if you’re lucky enough to have them, your own information technology employees. Is your credit union vulnerable to the same type of crime which bamboozled TD Bank for more than a year? Do you know who at your credit union would know the answer?
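The TD Bank scheme described above is, at bottom, a business-logic defect: one channel (the phone transfer) checked the ledger balance rather than the available balance, so a hold placed at deposit was lost in transit to the checking account. The following is an added illustration, not code from the post, from TD Bank or from any core processor, using a toy ledger model; the nine-day hold length and the dollar amounts are assumptions for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Callable, List

NEW_ACCOUNT_HOLD_DAYS = 9  # assumed hold length for the example; not a Regulation CC figure


@dataclass
class Deposit:
    amount: int          # cents
    available_on: date   # day the hold releases
    collected: bool = False


@dataclass
class Account:
    kind: str                                   # "savings" or "checking"
    ledger: int = 0                             # cents, includes held deposits
    deposits: List[Deposit] = field(default_factory=list)

    def held(self, today: date) -> int:
        return sum(d.amount for d in self.deposits
                   if not d.collected and d.available_on > today)

    def available(self, today: date) -> int:
        return self.ledger - self.held(today)


def deposit_check(acct: Account, amount: int, today: date) -> None:
    """Ledger is credited at once; availability waits out the hold."""
    acct.ledger += amount
    acct.deposits.append(Deposit(amount, today + timedelta(days=NEW_ACCOUNT_HOLD_DAYS)))


def withdraw(acct: Account, amount: int, today: date) -> bool:
    """ATM or teller withdrawal, correctly limited to available funds."""
    if acct.available(today) < amount:
        return False
    acct.ledger -= amount
    return True


def transfer_vulnerable(src: Account, dst: Account, amount: int, today: date) -> bool:
    """Phone-channel transfer that tests only the ledger balance and lands the
    money in the destination with no hold attached. The hold is lost in
    transit, which is the shape of the defect the post describes."""
    if src.ledger < amount:
        return False
    src.ledger -= amount
    dst.ledger += amount
    return True


def transfer_hardened(src: Account, dst: Account, amount: int, today: date) -> bool:
    """Every channel tests the same available balance the ATM does, so held
    funds can never reach a place where the hold is not enforced."""
    if src.available(today) < amount:
        return False
    src.ledger -= amount
    dst.ledger += amount
    return True


Transfer = Callable[[Account, Account, int, date], bool]


def run_scenario(transfer: Transfer, days_after_deposit: int = 0) -> bool:
    """Constructed scenario: deposit a $5,000 check drawn on a closed account
    into a new savings account, move it to the new checking account by phone,
    then attempt a $2,000 ATM withdrawal. Returns True if the cash came out."""
    opened = date(2011, 6, 1)
    today = opened + timedelta(days=days_after_deposit)
    savings, checking = Account("savings"), Account("checking")
    deposit_check(savings, 500_000, opened)
    transfer(savings, checking, 500_000, today)
    return withdraw(checking, 200_000, today)


if __name__ == "__main__":
    print("vulnerable path, same day:", run_scenario(transfer_vulnerable))   # True
    print("hardened path, same day:  ", run_scenario(transfer_hardened))     # False
    print("hardened path, after hold:", run_scenario(transfer_hardened, 10)) # True
```

The practical check this suggests for an audit: list every channel that can move money between accounts (branch, phone/IVR, online, mobile, ATM) and confirm each one calls the same available-balance routine, rather than each vendor module carrying its own notion of "balance".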
Irrespective of size, a credit union’s security procedures should not be static, but rather evolve to address potential new vulnerabilities. Make sure that someone in your credit union is aware of the latest schemes and that your credit union can guard against them.
Guidance in Name Only
The single most important mandate facing credit unions over the next few months is the authentication guidance issued by the grand council known as the FFIEC mandating that they take steps to upgrade the security of their internet banking operations. This guidance supplements the Council’s 2005 internet banking guidance.
First, I can assure you that I am not saying this as someone who loves technology. In fact, I am the type of person who makes IT departments cringe. But the reality is that given the potential expense and the need to review credit union operations by January, this is a guidance that cannot be put on the back burner.
At its core, it emphasizes the use of “layered” security in protecting your internet banking services when authorizing fund transfers. Given the growing sophistication of today’s hackers, the examiners recognized that simply requiring two forms of identification at login no longer provides adequate protection against crooks who have figured out how to steal passwords from even the best of systems. What all institutions are required to do is develop security techniques that make it difficult to execute transactions even for people who present the correct password. For example, a member making an unusually large transfer may be asked challenge questions, the answers to which require information beyond the typical date of birth or mother’s maiden name, in order to complete the transaction.
One of the problems with FFIEC guidance is that it applies to the smallest institutions, which offer only the most rudimentary internet banking services, and to Goldman Sachs alike. Consequently, in analyzing how to respond to this guidance, keep in mind that it is primarily concerned with electronic fund transfers and that it recognizes that transfers involving business accounts represent a greater threat than do transfers involving individuals’ accounts. In addition to reading the guidance, you should review §4-A-202 of New York’s Uniform Commercial Code, which governs funds transfers and the security procedures used to verify them. As explained by the statute, commercial reasonableness is a legal standard that reflects, among other things, that you know your members and their typical banking practice, that you have offered and they have accepted security procedures to protect them, and that these procedures are consistent across similarly situated members.
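To make the two preceding paragraphs concrete, here is an added example of the kind of risk-based decision a layered-security control makes on a transfer request. It is illustrative code, not the FFIEC’s, the blog’s or any vendor’s: the password gets the member in the door, but the transfer is scored against the member’s own history and the account profile, and the score selects the extra step (challenge, out-of-band confirmation, callback, or a hold for review). The weights, tiers, member histories and requests are all assumed for the example; the policy is a single table applied to every member of an account class, which is the “consistent across similarly situated members” point from UCC 4-A-202.

```python
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List, Set

# Assumed risk weights and tiers; a real program would set these per account
# class after reviewing its own loss history.
WEIGHTS = {
    "amount_outlier": 40,
    "no_history": 20,
    "new_payee": 25,
    "unenrolled_device": 20,
    "foreign_ip": 30,
    "business_account": 15,
}
TIERS = [  # (score below which the tier applies, control required beyond the password)
    (25, "password"),
    (60, "out-of-band confirmation"),
    (90, "callback verification"),
]
FALLBACK = "hold for manual review"


@dataclass
class TransferRequest:
    amount: int            # cents
    payee: str
    device_known: bool     # device previously enrolled by this member
    ip_country: str


@dataclass
class MemberProfile:
    recent_amounts: List[int]   # cents, the member's recent transfers
    known_payees: Set[str]
    home_country: str
    account_type: str           # "consumer" or "business"


def amount_is_outlier(amount: int, history: List[int]) -> bool:
    """More than three standard deviations above the member's own mean. When the
    history has no spread, fall back to a quarter of the mean so a repeated
    constant amount still yields a usable band."""
    mu = mean(history)
    sigma = pstdev(history) or mu * 0.25
    return amount > mu + 3 * sigma


def risk_score(req: TransferRequest, profile: MemberProfile):
    score, reasons = 0, []

    def flag(key: str) -> None:
        nonlocal score
        score += WEIGHTS[key]
        reasons.append(key)

    if not profile.recent_amounts:
        flag("no_history")
    elif amount_is_outlier(req.amount, profile.recent_amounts):
        flag("amount_outlier")
    if req.payee not in profile.known_payees:
        flag("new_payee")
    if not req.device_known:
        flag("unenrolled_device")
    if req.ip_country != profile.home_country:
        flag("foreign_ip")
    if profile.account_type == "business":
        flag("business_account")   # the guidance treats business transfers as higher risk
    return score, reasons


def required_control(score: int) -> str:
    for ceiling, control in TIERS:
        if score < ceiling:
            return control
    return FALLBACK


def decide(req: TransferRequest, profile: MemberProfile) -> Dict:
    score, reasons = risk_score(req, profile)
    return {"score": score, "reasons": reasons, "control": required_control(score)}


# Constructed sample members and requests (cents; "XX" stands for any non-home country).
CONSUMER = MemberProfile([20_000, 25_000, 22_000, 24_000, 21_000], {"electric co"}, "US", "consumer")
BUSINESS = MemberProfile([150_000, 160_000, 155_000, 158_000], {"payroll svc"}, "US", "business")

ROUTINE = TransferRequest(23_000, "electric co", True, "US")
NEW_PAYEE = TransferRequest(23_000, "unknown llc", True, "US")
TAKEOVER = TransferRequest(1_500_000, "unknown llc", False, "XX")

if __name__ == "__main__":
    for name, req, prof in [("routine", ROUTINE, CONSUMER),
                            ("new payee", NEW_PAYEE, CONSUMER),
                            ("takeover", TAKEOVER, BUSINESS)]:
        print(name, decide(req, prof))
```

The point a reviewer should take from this is in the reasons list: whatever a member answers at the challenge step, the decision to challenge came from the member’s own baseline and the account class, so the record of why a transfer was stepped up (or was not) is what you would produce if the procedure is ever questioned.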
Finally, keep in mind that by issuing this updated guidance, the FFIEC has created a baseline standard against which your actions would be judged if, God forbid, you were ever sued. This point was made abundantly clear in Patco Construction Co., Inc. v. People’s United Bank, where the bank prevailed in the district court because it convinced the court that it had complied with the 2005 guidance. (That ruling was reversed on appeal by the First Circuit in 2012, which found the bank’s procedures were not commercially reasonable; if anything, that outcome reinforces the point that the guidance is the yardstick.)
Nominal Improvement
Kudos to Hudson Valley Federal Credit Union. On Thursday, NCUA responded to a request by the credit union with a legal opinion letter clarifying the awards that can be given to board members without running afoul of the prohibition against giving board members anything more than nominal compensation. The credit union successfully sought permission to give a $250 gift card to volunteers who have served the credit union for five years. NCUA’s letter explained that an award representing $50 for each year of service was reasonable. It also stressed that the award was given to an individual volunteer in recognition of multiple years of service, as opposed to an entire class of board members, and therefore could not be misconstrued as an incentive for service.