The federal financial institution regulatory agencies and the Federal Trade Commission have sent to the Federal Register for publication final rules on identity theft “red flags” and address discrepancies. The final rules implement sections 114 and 315 of the Fair and Accurate Credit Transactions Act of 2003. The final rules require each financial institution and creditor that holds any consumer account, or other account for which there is a reasonably foreseeable risk of identity theft, to develop and implement an Identity Theft Prevention Program (Program) for combating identity theft.
The federal financial regulatory agencies issued final rules today that provide consumers with an opportunity to "opt out" before a financial institution uses information provided by an affiliated company to market its products and services to the consumer. The final rules on affiliate marketing implement section 214 of the Fair and Accurate Credit Transactions Act of 2003, which amends the Fair Credit Reporting Act (FCRA).
The National Credit Union Administration (NCUA) has activated its disaster relief policy to assist credit unions and their members affected by the wildfires in California. President George W. Bush has declared an emergency exists in the state of California and ordered federal aid to supplement state and local response efforts.
The Financial Crimes Enforcement Network (FinCEN) and the federal banking agencies announced Thursday that the format for the Suspicious Activity Report by Depository Institutions (SAR-DI) has been revised to support a new joint filing initiative, which will reduce the number of duplicate SARs filed for a single suspicious transaction. The revisions are the result of a joint effort by FinCEN and the federal banking agencies.
Eight federal regulators on Wednesday released a notice of proposed rulemaking (NPR) requesting comment on a model privacy form that financial institutions can use for their privacy notices to consumers required by the Gramm-Leach-Bliley Act (GLB Act). The privacy notices must describe an institution's information sharing practices, and, for certain types of sharing, consumers have the right to opt out. The notices must be provided when a consumer first becomes a customer of a financial institution and then annually for as long as the customer relationship lasts. Last October, President Bush signed into law the Financial Services Regulatory Relief Act of 2006, amending the GLB Act to require the agencies to propose a model form that is succinct and comprehensible to consumers, allows consumers easily to compare privacy practices of financial institutions, and uses easily readable type font.
The National Credit Union Administration and the Financial Crimes Enforcement Network today announced that they will jointly host a seminar over the web "BSA: A Year in Review and Setting the Table for 2007." The seminar, known as a webinar, will take place on Tuesday, February 6, 2007 and will be co-hosted by JoAnn Johnson, Chairman of the National Credit Union Administration (NCUA), and Jamal El-Hindi, Associate Director of the Regulatory Policy and Programs Division at the Financial Crimes Enforcement Network (FinCEN).
As use of the Internet continues to expand, more credit unions are using it to offer products and services or otherwise enhance communications with members. The Internet offers the potential for safe, convenient new ways to shop for financial services and conduct credit union business, any day, any time. However, members need to make good on-line choices—decisions that may help avoid costly surprises or scams.
This Regulatory Alert is to inform you about revisions to Part 748 of the NCUA Rules and Regulations. The revised rule describes in greater detail Suspicious Activity Report (SAR) reporting and filing requirements. The rule became effective November 27, 2006. There are six changes to Part 748, which are summarized below.
1. Notification to board of directors
National Credit Union Administration (NCUA) Executive Director J. Leonard Skiles has selected John E. Kutchey as Director of Risk Management. As Director of Risk Management, Kutchey is responsible for overseeing NCUA's credit union problem resolution program. Kutchey graduated Magna Cum Laude from the University of Baltimore in 1990 with a Bachelor's Degree in Business Administration with an Accounting Concentration. Kutchey joined NCUA in 1990 as an Examiner in Baltimore, MD. During his career with NCUA, Kutchey has served as an Examiner; Problem Case Officer; Supervisory Examiner; and most recently the Director of Supervision in Region II.
NCUA is issuing a final rule to describe in greater detail the requirements for reporting and filing a Suspicious Activity Report (SAR) and to address prompt notification of the board of directors of SAR filings, the confidentiality of reports, and liability protection. NCUA also is changing the heading for this part so it more accurately describes its scope. NCUA seeks to enhance credit union compliance with SAR reporting requirements by providing greater detail in its rule on the thresholds and procedures for filing a SAR. DATES: This rule is effective [insert date 30 days after published in the FEDERAL REGISTER]. FOR FURTHER INFORMATION CONTACT: Linda K. Dent, Staff Attorney, Office of General Counsel, at (703) 518-6540.
Alexandria, VA, September 27, 2006 - National Credit Union Administration (NCUA) Chairman JoAnn Johnson met recently with senior Administration officials to share recommendations with the President's Identity Theft Task Force. Based upon these recommendations, the Task Force will deliver a final strategic plan to President Bush in early November. During a September 19 Task Force meeting, Chairman Johnson joined U.S. Attorney General Alberto Gonzales; Clay Johnson III, Deputy Director of the White House Office of Management and Budget; Michael Chertoff, Secretary of the Department of Homeland Security; Carlos M. Gutierrez, Secretary of Commerce; and other senior government officials to discuss recommendations to the President in key areas.
Please note that the following rule is the version that was approved by the NCUA Board. The official version is published in the Federal Register approximately one week after Board approval. There may be some minor numbering or format differences between the two versions. The proposed rule describes in greater detail the requirements for reporting and filing a Suspicious Activity Report (SAR) and addresses prompt notification of the board of directors of SAR filings, the confidentiality of reports, and liability protection. NCUA also proposes to change the heading for this part so it more accurately describes its scope. While retaining cross-references in the rule to the SAR form and instructions, these changes will enhance credit union compliance by providing greater detail in the rule on the thresholds and procedures for filing a SAR.
National Credit Union Administration (NCUA) Board Member Gigi Hyland represented the agency yesterday at the inaugural meeting of President Bush's Identity Theft Task Force. On May 10, 2006, the President signed an Executive Order for the purpose of strengthening federal efforts to protect against identity theft. The Order establishes the Task Force and provides that it will be co-chaired by the Attorney General and the Chairman of the Federal Trade Commission. Task Force membership includes representatives from the other executive branch departments as well as representatives from all of the federal financial regulatory agencies.
Interagency Advance Notice of Proposed Rulemaking: Procedures to Enhance the Accuracy and Integrity of Information Furnished to Consumer Reporting Agencies Under Section 312 of the Fair and Accurate Credit Transactions Act. Summary
The OCC, Board, FDIC, OTS, NCUA, and FTC (the Agencies) request comment to gather information useful for developing the guidelines and regulations required by section 312 of the Fair and Accurate Credit Transactions Act (FACT Act). Pursuant to section 312, the Agencies, acting in consultation and coordination, must: establish guidelines for use by persons that furnish information to consumer reporting agencies (furnishers) regarding the accuracy and integrity of the consumer information that they furnish to those agencies; and prescribe regulations that require furnishers to establish reasonable policies and procedures for implementing the guidelines. Section 312 also requires the Agencies jointly to prescribe regulations that identify the circumstances under which a furnisher shall be required to reinvestigate a dispute concerning the accuracy of information contained in a consumer report on a consumer based on a direct request of the consumer.
Federally Insured Credit Unions are increasingly offering a variety of Internet banking services, ranging from simple inquiry to complex e-Commerce activities, for their members. In parallel, the number of members using transactional sites has grown significantly. As e-Commerce services increase in volume and complexity, criminals are using more sophisticated methods for account fraud and identity theft. You should become more diligent in safeguarding member information, preventing money laundering and terrorist financing, reducing fraud, and inhibiting identity theft. One of the effective security measures to mitigate these risks is to implement an effective and reliable authentication system. Authentication is the process of verifying a member’s identity using a variety of methodologies and technologies before the member gains access to the system. It is a way to ensure members are who they say they are. Single-factor authentication, such as a user name and password, used as a security control mechanism may not be adequate for high-risk transactions involving access to member information or fund transfers.
National Credit Union Administration (NCUA) Vice Chairman Rodney E. Hood joined fifty credit union CEOs in Boston for a roundtable dialogue during which he outlined his regulatory focus for 2006. "Regulatory flexibility will be a top priority of mine in 2006," said Vice Chairman Hood. He discussed the recent final rule extending RegFlex eligibility to an additional 413 federal credit unions by allowing well-managed, well-capitalized credit unions to qualify for earned regulatory flexibility with a net worth requirement of 7% rather than 9%. "This rule demonstrates the Board’s belief that the agency should not micro-manage well-managed institutions," said Vice Chairman Hood. "This year, I will look for ways to reduce unnecessary regulatory burdens on credit unions."
The purpose of this letter is to provide NCUA’s IT Security Compliance Guide for Credit Unions. The guide offers information to assist credit unions in complying with the NCUA Rules and Regulations, Part 748, Appendix A; Guidelines for Safeguarding Member Information, and Appendix B; Guidance on Response Programs for Unauthorized Access to Member Information and Member Notice. Each section of the guide relates to specific parts of Appendixes A and B of Part 748 of the NCUA Rules and Regulations. Section III provides additional guidance on the risk-assessment process necessary to identify reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of member information or member information systems.
National Credit Union Administration (NCUA) Chairman JoAnn Johnson announced the extension of the application deadline for the Community Development Revolving Loan Fund’s (CDRLF) disaster relief grants from March 31, 2006 to September 30, 2006. Qualifying credit unions in areas affected by the Gulf Coast hurricanes may apply for up to $2,500 for assistance in resuming operations.
The NCUA’s Community Development Revolving Loan Fund (CDRLF) was established by Congress to support credit unions that serve low-income communities by providing loans and technical assistance grants (TAGs) to qualifying institutions. The programs are designed to further the safety and soundness of low income credit unions while stimulating economic growth. Qualifying credit unions may also apply for CDRLF loans of up to $300,000. Loans have a maturity of 5 years and an interest rate of 1 percent.
This Letter to Credit Unions (LTCU) is intended to raise awareness regarding the threat of a pandemic influenza outbreak and its potential impact on the delivery of critical financial services. It further advises credit unions and their service providers to consider this and similar threats in their event response and contingency strategies (business continuity and disaster recovery plans). This LTCU discusses the National Strategy for Pandemic Influenza (National Strategy) and the roles and responsibilities it outlines for financial institutions.
On November 1, 2005, the White House issued the National Strategy, which discusses the threat and potential impact of a pandemic influenza event. It also identifies the roles and responsibilities for the federal government, the private sector, and others.
The federal financial institution regulatory agencies and the Federal Trade Commission have jointly issued for comment an Advance Notice of Proposed Rulemaking (ANPR) on section 312 of the Fair and Accurate Credit Transactions Act (FACT Act). Comments are invited for the purpose of developing guidelines and rules to implement section 312. Section 312 requires the agencies to: (1) establish guidelines regarding the accuracy and integrity of information furnished to consumer reporting agencies; and (2) prescribe regulations that require the entities that furnish such information to establish reasonable policies and procedures for implementing the guidelines. Section 312 also requires the agencies to prescribe regulations that identify the circumstances under which an entity that furnishes information to consumer reporting agencies will be required to reinvestigate a dispute concerning the accuracy of information contained in a consumer credit report based on a consumer's direct request.
National Credit Union Administration (NCUA) Vice Chairman Rodney E. Hood joined Federal Deposit Insurance Corporation (FDIC) Acting Chairman Martin Gruenberg today for an update to consumer organizations and financial services associations regarding the impending changes to federal deposit insurance coverage. “I was pleased that the NCUA and FDIC joined together for such an important forum to discuss the implementation of deposit insurance changes recently signed into law by President Bush,” said Vice Chairman Hood. “It is vital that credit unions have accurate information available for members. We look forward to the assistance of those within the credit union system and consumer affairs in outreach efforts concerning enhancements to deposit insurance.”
In our Letter to Credit Unions #04-CU-12 Phishing Guidance for Credit Union Members, we highlighted the need to educate your membership about phishing activities. As the number and sophistication of phishing scams continues to increase, we would like to emphasize the importance of educating your employees and members on how to avoid phishing scams as well as action you and/or your members may take should they become a victim. Appendix A of this document contains information you may share with your members to help them from becoming a victim of phishing scams. Appendix B contains information you may share with your members who may have become a victim of phishing scams. Background Phishing is a form of social engineering, characterized by attempts to fraudulently acquire sensitive information, such as passwords, account, credit card details, etc. by masquerading as a trustworthy person or business in an apparently official electronic communication, such as an e-mail or an instant message. Often the message includes a warning regarding a problem related to the recipient’s account and requests the recipient to respond by following a link to a fraudulent website and providing specific confidential information. The format of the e-mail typically includes proprietary logos and branding, such as a “From” line disguised to appear as if the message came from a legitimate sender, and a link to a website or a link to an e-mail address. All of these features are designed to assure the recipient that the e-mail is from a legitimate business source when in fact, the information submitted will be sent to the perpetrator.
I meet and work with financial leaders every day, but I can easily say that Credit Unions have the most heart. Your motto rings true to your culture: "not for charity, not for profit, but for service." You do good work: loans to small business, home mortgages, financial education and working in partnership with the government to fight the financial war on terror. You were wonderful in your response to hurricane Katrina, in a time when Americans helping each other meant so very much. Each one of these efforts is critical to our country's economic health and strength, and I applaud you for doing good while you do business.
The nation’s federally insured credit unions reported strong loan growth while delinquencies remained low, according to fourth quarter 2005 Call Report data submitted by the nation’s 8,695 federally insured credit unions. During 2005, the loan to share ratio climbed to 79.4 percent as loans grew nearly $44 billion, while delinquencies remained well below 1 percent. “The strong pace of loan growth is an excellent indication that credit unions are fulfilling their mission of being the source of affordable loans for their members,” said Chairman JoAnn Johnson. “What’s more, net worth continues to grow at a consistent, healthy level, which indicates credit unions are effectively managing their balance sheets.”
The National Credit Union Administration (NCUA) requests public comment on whether and how to modify its Supervisory Committee audit rules to require credit unions to obtain an “attestation on internal controls” in connection with their annual audits; to identify and impose assessment and attestation standards for such engagements; to impose minimum qualifications for Supervisory Committee members; and to identify and impose a standard for the independence required of State-licensed, compensated auditors. In 1998, the Credit Union Membership Access Act (“CUMMA”), Pub. L. No. 105-219, 112 Stat. 913 (1998), amended the Federal Credit Union Act to require credit unions having assets of $10 million or more to follow generally accepted accounting principles (“GAAP”) in all reports and statements filed with the NCUA Board. 12 U.S.C. 1782(a)(6)(C). CUMMA further required credit unions having assets of $500 million or more to obtain an annual independent audit of their financial statements (“financial statement audit”) performed in accordance with generally accepted auditing standards (“GAAS”) by an independent certified public accountant or public accountant licensed by the appropriate State or jurisdiction. 12 U.S.C. 1782(a)(6)(D).
The Office of Inspector General (OIG) for the National Credit Union Administration (NCUA) engaged Cotton & Company LLP to conduct an independent evaluation of NCUA’s information systems (IS) and security program and controls for compliance with the Federal Information Security Management Act (FISMA), Title III of the E-Government Act of 2002.
The Office of Management & Budget (OMB) issued 2004 Guidance on Annual Information Technology Security Reports on August 23, 2004. This guidance provides clarification to agencies for implementing, meeting, and reporting FISMA requirements to OMB and the Congress. This report contains a summary of our evaluation of the NCUA’s information security program and is presented in the OMB prescribed format.
NCUA Annual Performance Budget 2005
I am pleased to present the National Credit Union Administration’s Annual Performance Budget 2005. You will notice that it is called a performance budget and not a plan. It was developed to serve as an element of budget development and reflects a greater correlation between our strategic and annual performance goals and resource allocation. This enhanced correlation is in support of the President’s Management Agenda Initiative #5 – Budget and Performance Integration.
The year 2004 has been a very productive year. The NCUA Annual Performance Plan 2004 served to guide the agency’s efforts to achieve its performance goals and objectives in its regulatory and supervisory roles during the past year. The credit union industry’s performance validated these efforts: assets increased $30.6 billion or 5.02%, net worth increased $4.3 billion or 6.52%, shares increased $22.8 billion or 4.31%, loans increased $30.2 billion or 8.02%, and delinquent loans as a percentage of total loans decreased from 0.76% to 0.71%. As a result, NCUA’s priorities continue to stress providing proper training and tools for examiners, an optimal regulatory environment that balances innovation with safety and soundness, enhanced organizational effectiveness and efficiency, promoting access to financial services for all eligible residents, and maintaining a responsible budget process.
In 2001, NCUA amended 12 CFR Part 748 to fulfill a requirement in Section 501 of the Gramm-Leach-Bliley Act (Pub. L. No. 106-102) (GLBA), in which Congress directed both NCUA and the other Federal Financial Institution Examination Council (FFIEC) agencies, including the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision (collectively, the “Banking Agencies”), to establish standards for financial institutions relating to administrative, technical, and physical safeguards to: (1) insure the security and confidentiality of customer records and information; (2) protect against any anticipated threats or hazards to the security or integrity of such records; and (3) protect against unauthorized access to or use of such records or information that could result in substantial harm or inconvenience to any customer. Although NCUA worked with the Banking Agencies to develop the standards described above, the Banking Agencies issued their standards as guidelines under the authority of Section 39 of the Federal Deposit Insurance Act.
Since Section 39 of the Federal Deposit Insurance Act does not apply to NCUA, the NCUA Board determined that it could best meet the congressional directive to prescribe standards through an amendment to its existing regulation governing security programs for federally insured credit unions and by providing guidance to credit unions, substantially identical to the guidelines issued by the Banking Agencies, in an appendix to the regulation. 12 CFR Part 748, Appendix A; 66 FR 8152 (January 30, 2001). The preamble to the final rule discusses the different regulatory framework under which the Banking Agencies issued their guidelines. The final regulation requires each federally insured credit union to establish and maintain a security program implementing the safeguards required by GLBA.
The National Credit Union Administration (NCUA) has developed this guide to assist credit unions engaging in, or considering, e-Commerce activities. For the purposes of this guide, e-Commerce is defined as the electronic delivery of financial services via the Internet. NCUA does not expect all credit unions to offer e-Commerce. However, NCUA expects credit unions offering e-Commerce to do so in a safe and sound manner. This guide focuses on processes to assist credit unions in managing the risks related to e-Commerce in an environment of rapidly changing technology. Credit union management should use the information in this guide to assist with technology planning, contracting, delivery, and support of e-Commerce activities. This should be done within a framework designed to identify, quantify and, to the extent possible, reduce related technology risks.
Much of the information in this guide is derived from NCUA issuances such as Rules & Regulations and Letters to Credit Unions. Although this information is provided in summary format in the guide, the related issuances typically contain more detail on a particular subject and may contain additional checklists that can assist in evaluating performance in a given area. Please refer to Appendix A for a listing of NCUA reference information. These issuances, as well as additional guidance, can be found via the Information Systems and Technology link under the reference section of the NCUA website (http://www.ncua.gov)*. This site is updated frequently and can serve as a valuable resource.
POLICY STATEMENT FOR THE REVIEW OF INFORMATION SYSTEM VENDORS
Weblinking: Identifying Risks & Risk Management Techniques
ENCL: Weblinking Guidance
The purpose of this letter is to assist credit unions in identifying risks posed by the use of weblinks on their websites and to suggest a variety of risk management techniques to mitigate these risks. A large number of credit unions maintain sites on the World Wide Web. Virtually every website contains weblinks. A weblink is a word, phrase, or image that contains coding that will transport the viewer to a different part of the website, or to a completely different website, when clicked. While weblinks are a convenient and accepted tool in website design, their use can present certain risks. The primary risk posed by weblinking is viewer confusion about whose website they are viewing and who is responsible for the information, products, and services available through that website. Credit unions using weblinks are encouraged to review the enclosed guidance, which was developed jointly with other federal regulatory agencies. This guidance applies to credit unions that develop and maintain their own websites, as well as those using service providers for these functions. This letter supersedes NCUA Letter 02-FCU-04.
If you have any questions, please contact your NCUA Regional Office or State Supervisory Authority.
Chairman Bachus, and Members of the Subcommittee, I appreciate your invitation to present this testimony reviewing the National Credit Union Administration’s (NCUA’s) experiences with information systems and technology (IS&T) incidents and other security events resulting in the potential compromise of personal financial data. We also identify actions by NCUA to ensure credit unions safeguard member information and to mitigate potential losses to credit unions and members when breaches occur. We recommend that NCUA be granted examination authority over third party vendors, which would enable us to better monitor risk and protect credit union members’ personal financial data.
Examples of Data Security Breaches Involving Credit Union Members
Information is provided here on types of security breaches NCUA and credit unions have experienced. These security breaches include: fraudulent email or telephone scams, known as phishing; the unauthorized storing of customer information and the ensuing theft of this information; the theft of a credit union’s hard drive; and the theft of a vendor’s computer. We also provide information on how NCUA and credit unions have responded to these data security incidents.
The purpose of this letter is to provide important considerations for credit unions that are currently engaged in or may be considering the use of wireless technology. Wireless technology can potentially provide important benefits for credit unions and their members. For some, this may be a cost-effective alternative for a credit union seeking to expand its existing hard-wired computer network. Additionally, it may enable a credit union to provide members with increased accessibility to its Internet-based financial service offerings.
However, those credit unions that have made a decision to implement wireless technology should also be aware of the potential increase in the amount of risk exposure for the credit union. Credit unions may be able to mitigate the following risk areas with proper planning and controls.
GUIDELINES FOR ENSURING THE QUALITY OF DISSEMINATED INFORMATION
Policy
NCUA will undertake to ensure that the information it disseminates to the public is objective (accurate, clear, complete, and unbiased), useful, and has integrity. Most information disseminated by NCUA is subject to the basic standard described in these guidelines. Additional levels of quality standards are adopted as appropriate for specific categories of disseminated information. The OMB guidelines require “influential scientific, financial or statistical information” to meet a higher standard of quality. OMB defines “influential” to mean, “the agency can reasonably determine that dissemination of the information will have or does have a clear and substantial impact on important public policies or important private sector decisions.” Id. at 8455. Influential information disseminated by NCUA is subject to a level higher than the basic standard. The NCUA’s Chief Information Officer (CIO) serves as the agency official charged with overseeing the agency’s compliance with OMB guidelines for the quality of information disseminated by NCUA.
The National Credit Union Administration (NCUA) Office of Inspector General (OIG) Annual Performance Plan for 2004 delineates those audits and investigations that would most benefit the NCUA. In formulating this Plan, we considered:
• The agency’s strategic and annual performance plans;
• Pertinent legislation, including the Inspector General Act, the Federal Credit Union Act, the Government Performance Results Act (GPRA), the Credit Union Membership Act, the Federal Information Security Management Act (FISMA), and the Sarbanes-Oxley Act of 2002;
• Congressional activity and testimony by NCUA officials as well as significant areas of interest to NCUA Board members and the Congress;
• Audits and reviews of NCUA and the credit union industry planned and performed by the General Accounting Office (GAO);
• Input obtained from the NCUA Board and Executive staff; and
• NCUA and the credit union industry’s operating environment.
The National Credit Union Administration (NCUA) Office of Inspector General (OIG) Annual Performance Plan for 2005 delineates those audits that would most benefit the NCUA. In formulating this Plan, we considered:
• The agency’s strategic and annual performance plans;
• Pertinent legislation, including the Federal Credit Union Act, the Government Performance Results Act (GPRA), the Credit Union Membership Act, the Federal Information Security Management Act (FISMA), the Sarbanes-Oxley Act, and the Inspector General Act;
• Congressional activity and testimony by NCUA officials as well as significant areas of interest to NCUA Board members and the Congress;
• Audits planned and performed by the General Accounting Office (GAO);
• Input obtained from the NCUA Board and Executive staff; and
• NCUA and the credit union industry’s operating environment.
The National Credit Union Administration (NCUA) Office of Inspector General (OIG) Annual Performance Plan for 2003 delineates those audits and investigations that would most benefit the NCUA. In formulating this Plan, we considered:
• The agency’s strategic and annual performance plans;
• Pertinent legislation, including the Federal Credit Union Act, the Government Performance Results Act (GPRA), the Credit Union Membership Act, the Government Information Security Reform Act (GISRA), and the Inspector General Act;
• Congressional activity and testimony by NCUA officials as well as significant areas of interest to NCUA Board members and the Congress;
• Input obtained from the NCUA Board and Executive staff; and
• NCUA and the credit union industry’s operating environment.
How the Annual Plan was formulated
The NCUA OIG plans its work to identify and respond to issues that are of greatest importance to NCUA. For purposes of the Annual Plan, we have identified prospective audit and investigative work that is responsive to the agency’s strategic goals. The agency’s strategic goals are:
• Promote a system of financially healthy, well-managed federally insured credit unions able to withstand economic volatility.
• Facilitate credit unions’ ability to safely integrate financial services and emerging technology in order to meet the changing expectations of their members.
• Create a regulatory environment that will facilitate credit union innovation to meet member financial service expectations.
• Enable credit unions to leverage their unique place in the American financial system to extend availability of service to all who seek such service, while encouraging and recognizing their historical emphasis on servicing those of modest means.
• Enhance NCUA’s organization to continue to work with the credit union community in creating an environment that enables credit unions to continue to flourish while addressing the challenges of the 21st century.
NATIONAL CREDIT UNION ADMINISTRATION OFFICE OF INSPECTOR GENERAL EVALUATION
The Government Information Security Reform Act (GISRA), Public Law 106-398, requires Inspectors General (IG) to perform independent evaluations to:
• Assess compliance with GISRA and agency security policies and procedures; and
The Office of Management and Budget (OMB) has requested IGs to submit the results of their independent evaluation by responding specifically to questions 2 through 13 of OMB Memorandum M-01-24. The following presents our evaluation of the National Credit Union Administration’s (NCUA) compliance with GISRA. The NCUA Office of Inspector General (OIG) has determined that NCUA is not yet in compliance with GISRA. The following represents the agency’s status toward compliance with key GISRA provisions as of August 2001:
• NCUA needs to develop an agency-wide security program. NCUA developed a draft security policy that will be incorporated in the security program. However, this policy has not been approved by the agency head or disseminated to personnel with key responsibilities.
Rapidly evolving technologies continue to provide efficient, cost-effective methods for providing fast delivery of a wide range of member services. Accompanying the opportunities to deliver cost-effective services is growing exposure of technology resources to misuse and theft, which can result in loss of member confidence. Intrusion and abuse of technology is growing at an escalating rate. Intrusions, as noted in the chart below, reflect an increasing average rate of approximately 300 percent annually. The data was provided by the Computer Emergency Response Team/Coordinating Committee (CERT/CC). The CERT/CC is a government-sponsored organization operated by the Carnegie Mellon Software Engineering Institute. Part of its mission is to track vulnerabilities in computer systems and recommend methods to improve computer security. Incidents are voluntarily reported and include:
1. Attempts to gain unauthorized access to a system or its data;
The purpose of this Letter is to provide additional guidance for combating the email schemes discussed in the recently released Letter to Credit Unions #04-CU-05 Fraudulent E-Mail Schemes. In addition, this Letter is intended to raise awareness of the increasingly common Internet fraud called “phishing.” NCUA encourages credit unions to educate their members, strengthen monitoring systems, and enhance response programs to reduce the potential risk of Internet-related fraud schemes to their organization and members. Such schemes may negatively impact your credit union’s reputation, transaction, liquidity, and strategic risks.
This alert is intended to raise awareness of an Internet worm, BugBear.B, that recently surfaced as a potential threat specifically targeted to financial institutions and to prompt credit unions and credit union technology service providers to take immediate steps to mitigate the threat to their organizations and customers.
Information technology (IT) and security continue to evolve at a rapid pace. New risks and threats arise quickly to challenge emerging and established technologies. Yet the essential elements of strong controls and sound IT practices remain the same despite the environmental changes. As part of our review of IT in corporate credit unions, the Office of Corporate Credit Unions (OCCU) IT examiners have focused on ensuring the adequacy of basic control elements such as firewalls, intrusion detection, penetration tests, and sound network architectures. I am pleased to note that corporates have been diligent in this regard and that many sound control practices have been implemented. OCCU IT staff will continue to verify that basic IT security control elements remain strong. However, the ever-changing dynamics of the corporate credit union IT risk profile require that we also focus attention on the following critical information security areas:
1. Information Security Risk Assessment;
2. Security Application Code Reviews;
3. Service Provider Oversight & Contracts;
4. Security Awareness of Employees;
5. Change Management for Applications & Infrastructure; and
6. Security for Remote Locations.
Each area is briefly discussed below.
In 2001, NCUA amended 12 CFR Part 748 to fulfill a requirement in Section 501 of the Gramm-Leach-Bliley Act (Pub. L. No. 106-102) (GLBA), in which Congress directed both NCUA and the other Federal Financial Institution Examination Council (FFIEC) agencies, including the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision (collectively, the “Banking Agencies”) to establish standards for financial institutions relating to administrative, technical, and physical safeguards to...
This advisory letter highlights issues regarding bank electronic record systems in light of the E-SIGN Act, 15 USC 7001, et seq. The letter provides a basic framework that bank management can use to assess and address key issues posed by electronic record keeping systems.
BACKGROUND
Federal legislation changed the legal framework for electronic records and will likely result in more banks adopting electronic record retention systems. Banks can implement electronic record retention systems in many ways to support different business processes. Some examples of possible electronic record retention systems are loan file imaging, retention of paperless applications and online agreements, and the use of electronic payment systems.
On January 17, 2001, the banking regulatory agencies adopted guidelines implementing Section 501 of the Gramm-Leach-Bliley Act (GLBA). The guidelines require financial institutions to establish a comprehensive and coordinated information security program, appropriate to the size of the bank and the complexity of its operations.