Compliance Update with Amy K
by Amy Kleinschmit, Chief Compliance Officer
New FFIEC Authentication Guidance
The Federal Financial Institutions Examination Council (FFIEC) recently issued guidance that provides financial institutions with examples of effective authentication and access risk management principles and practices for customers, employees, and third parties accessing digital banking services and information systems. The new guidance replaces previous documents issued in 2005 and 2011, and can be found here.
Credit unions will want to be sure to review this updated guidance as it provides risk management practices that support oversight of identification, authentication, and access solutions as part of an institution’s information security program.
The updated guidance also discusses conducting a risk assessment for access and authentication to digital banking and information systems. Guidance includes:
Identifying all users and customers for whom authentication and access controls are needed, and identifying those users and customers who may warrant enhanced authentication controls, such as MFA;
Periodically evaluating the effectiveness of user and customer authentication controls;
Implementing layered security to protect against unauthorized access;
Monitoring, logging, and reporting of activities to identify and track unauthorized access;
Identifying risks from, and implementing mitigating controls for, email systems, internet access, customer call centers, and internal IT help desks;
Identifying risks from, and implementing mitigating controls for, a customer-permissioned entity’s access to a financial institution’s information systems;
Maintaining awareness and education programs on authentication risks for users and customers; and
Verifying the identity of users and customers.
NCUA Webinar – Supplier Diversity
The National Credit Union Administration (NCUA) will be hosting a free webinar on supplier diversity on Tuesday, August 31. The webinar will discuss why supplier diversity is important and how to implement a program. This 60-minute session will also: debunk the myths and biases keeping credit unions from starting supplier diversity programs; distinguish between performative versus representational communications in supplier diversity; describe what credit unions can do to begin supplier diversity programs; and describe how to measure a credit union’s supplier diversity efforts and effectiveness.
Registration is available here.
NCUA Letter to Credit Unions (21-CU-08)
The National Credit Union Administration (NCUA) has issued Letter to Credit Unions 21-CU-08, which can be found here. This letter provides information on the new technology systems the NCUA is rolling out, including NCUA Connect; the Admin Portal; the Consumer Access Process and Reporting Information System (CAPRIS); the Modern Examination & Risk Identification Tool (MERIT); and the Data Exchange Application (DEXA). The NCUA is offering training on these new systems; details are included in the Letter to Credit Unions.
NCUA Connect allows credit unions to securely interact with NCUA. It is also the primary entry point to access MERIT, DEXA, CAPRIS, and the Admin Portal.
CAPRIS is the replacement for the Field of Membership Internet Application.
MERIT is the NCUA’s new examination tool with enhanced, integrated analytics that provide examiners with modernized visualizations to identify trends and potential risks in credit unions.
DEXA is a separate application available on NCUA Connect used strictly as an ingest tool that provides authorized NCUA, SSA, and credit union users the ability to securely upload the credit union member loan and share data requested during the examination and supervision process.
NCUA will host a webinar on the agency’s modernized examination tools on Wednesday, September 8, beginning at 1 p.m. CT. The webinar will focus on the new modern examination platforms and systems, including the agency’s Modern Examination & Risk Identification Tool, or MERIT, and will discuss the benefits of these systems to credit unions and federal and state examiners.
Registration for this one-hour webinar is now open. Submit questions anytime during the presentation or in advance by emailing WebinarQuestions@ncua.gov with subject line “NCUA Modernized Examination Tools.”
FinCEN Enforcement Action
The Financial Crimes Enforcement Network recently announced a $100 million civil money penalty against BitMEX, which is a convertible virtual currency (CVC) derivatives exchange. BitMEX has more than 1.3 million accounts and has consistently ranked among the largest by trade volume, having facilitated over a trillion U.S. dollars’ worth of trades, accepted over $11 billion in convertible virtual currency deposits, and collected over $1 billion in fees.
FinCEN found that BitMEX willfully failed to implement an anti-money laundering (AML) program. Specifically, BitMEX failed to (1) establish and implement policies, procedures, and internal controls reasonably designed to prevent the financial institution from being used for money laundering or the financing of terrorism; (2) conduct independent testing for compliance; (3) designate an individual responsible for implementing and monitoring operations and internal controls of an AML program; (4) conduct ongoing training for appropriate persons; and (5) establish appropriate risk-based procedures for conducting ongoing customer due diligence.
BitMEX was also found to have willfully failed to implement a customer identification program (CIP). As detailed in the civil money penalty order, “by its own admission, BitMEX never established or implemented a written CIP and did not collect or verify information regarding the majority of its customers during the Relevant Time Period. In fact, BitMEX deliberately instituted policies and procedures that violated these requirements. For example, BitMEX’s registration pages advertised, ‘Sign up takes less than 30 seconds and requires no personal information. Trade in minutes, deposits only require one confirmation.’ BitMEX was aware that it had a regulatory obligation to collect and verify customer information, but it refused to change its policy to comply with these requirements unless ‘under significant government pressure.’”
The Order provides that BitMEX willfully failed to file suspicious activity reports (SARs). Based on FinCEN’s analysis, at least $209 million worth of transactions were conducted by, at, or through BitMEX with known darknet markets or unregistered MSBs providing mixing services, as well as transactions involving high-risk jurisdictions and alleged fraud schemes. Of these transactions, BitMEX failed to file a SAR on at least $15 million across at least 588 specific transactions that exceeded the minimum threshold and were either suspicious at the time of the transaction or became suspicious when additional information about their suspicious nature became available to BitMEX.
InfoSight Highlight
Small-asset-size credit unions (currently under $100 million, as defined by the NCUA) have different tools and resources at their fingertips that should be utilized. In addition, there are some regulatory implications for credit unions under certain asset sizes. Visit the Small Asset Credit Unions topic, found under the Board Responsibility channel in InfoSight, to find information to help your small credit union today!
As always, DakCU members may contact Amy Kleinschmit at akleinschmit@dakcu.org with any compliance-related questions.