ARTICLE
Compliance Update with Amy K by Amy Kleinschmit, Chief Compliance Officer Cybersecurity Awareness Month Continues As discussed last week, October is Cybersecurity Awareness Month. Although this issue is important throughout the year, this is an opportunity to bring some additional attention to this very important topic and to help educate staff and members about #BeCyberSmart! In case you missed it, the Cybersecurity & Infrastructure Security Agency (CISA) has a number of resources to help you spread the word about the importance of cybersecurity. The CISA provides weekly tip sheets. Tip for this week – phight the phish. “Phishing attacks use email or malicious websites to infect your machine with malware and viruses to collect personal and financial information. Cybercriminals attempt to lure users to click on a link or open an attachment that infects their computers, creating vulnerabilities for criminals to use to attack. Phishing emails may appear to come from a real financial institution, e-commerce site, government agency, or any other service, business, or individual. The email may also request personal information such as account numbers, passwords, or Social Security numbers. When users respond with the information or click on a link, attackers use it to access users’ accounts.” Find simple tips here to “phight the phish.” Homeland Security has a number of very informative and useful resources as well that can be found here, including a number of short videos to help educate folks on social privacy settings, using public Wi-Fi, issues when posting that vacation selfie, password management and other important topics. Share on your social media to remind your members, family and friends to #BeCyberSmart. If anyone needs convincing as to why cybersecurity awareness is important, here are some facts as provided by Homeland Security: 1 in 3 Home with computers are infected with malicious software. 65% of Americans who went online received at least one online scam offer. 47% of American adults have had their personal information exposed by cyber criminals. 600,000 Facebook accounts are hacked every single day. The #1 cybercrime is the imposter scam with 1 in 5 people reporting a financial loss. Remember - #BeCyberSmart! NCUA DEI Summit The National Credit Union Administration (NCUA) is hosting a virtual Diversity, Equity and Inclusion Summit November 2-4. Registration and the agenda can be found here. As noted by the NCUA, “the business case for diversity in credit unions is simple: diversity is a good investment. Diversity leads to better service, greater innovation, financial performance and profitability, improved solutions, higher levels of employee satisfaction and engagement, and increased membership. These things make credit unions resilient and sustainable, which ultimately leads to greater strength for the entire credit union system.” Risk Mitigation Webinar – November 10 Don’t miss the second part of the Attorney’s Conference for Non-Attorneys covering Risk Mitigation on Wednesday, November 10. Registration can be found here. Many credit unions look to an arbitration program to help minimize legal risks, and some credit unions are considering the implementation of arbitration clauses as a dispute resolution technique in resolving legal disputes. Learn more about adopting an arbitration clause in this session. This session will also provide general risk mitigation strategies to help protect credit unions along with more specific strategies related to employer HR risks in a changing workplace. The following topics will be covered: Cuna Mutual Group Bond Claims Update; HR/Employer Risks; Arbitration clauses; and Remote Capture update. Most credit unions do not have in-house counsel or access to the type of information provided at events like CUNA’s Attorney Conference. The Attorney’s Conference for Non-Attorneys can provide this information to you, along with risk mitigation strategies to help protect your credit union from liability. Each session is only $25 – be sure to reserve your seat now! You’ll learn from lawyers with expertise in working with credit unions. This series is made possible thanks to our sponsor Husch Blackwell and the collaborative efforts of the Minnesota Credit Union Network, Heartland Credit Union Association, Illinois Credit Union League, Iowa Credit Union League, Montana Credit Union League, Dakota Credit Union Association, Nebraska Credit Union League, and Wisconsin Credit Union League. Random Compliance Reminder As you are aware (since you have been following these weekly compliance articles), I have been including random compliance reminders on a variety of topics lately. Nothing new compliance wise with these reminders – just inspired by something I may have heard on a TV commercial or saw online snooping on websites or received as a question. With new regulatory changes and updates constantly coming out, credit unions can’t forget about the “old stuff” that perhaps hasn’t changed in a while but remains quite relevant (and audited for). SAFE Act – registration renewals and updates. Back in 2008 the Secure and Fair Enforcement for Mortgage Licensing Act (SAFE Act) was passed. This mandated a federal registry for credit unions (along with other financial institutions) and their employees who are Mortgage Loan Originators (MLOs). Initially, credit unions relied on the NCUA’s rules and regulations which implemented SAFE Act and were effective back in 2010. Title X of the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act) transferred rulemaking authority for a number of consumer financial protection laws (which included the SAFE Act regulations) to the CFPB as of July 21, 2011. Regulation G, 12 CFR 1007, implements the SAFE Act’s requirements for credit unions. We are already halfway through October, which means the renewal period for the SAFE Act is just around the corner. The annual renewal period runs November 1 through December 31 of each year. Reg G requires that a registered MLO must renew the registration during the annual renewal period, confirming their responses remain accurate and complete, and updating information as appropriate. However, the MLO must update the registration within 30 days if any of the following events occur - a change in the name of the registrant; the registrant ceases to be an employee of the covered financial institution; or certain information required under the regulations becomes inaccurate, incomplete, or out-of-date. Information that must be updated within 30 days includes: Convictions of any criminal offense involving dishonesty, breach of trust, or money laundering against the employee or organizations controlled by the employee, or agreements to enter into a pretrial diversion or similar program in connection with the prosecution for such offense(s); Civil judicial actions against the employee in connection with financial services-related activities, dismissals with settlements, or judicial findings that the employee violated financial services-related statutes or regulations, except for actions dismissed without a settlement agreement; Actions or orders by a state or Federal regulatory agency or foreign financial regulatory authority that: Found the employee to have made a false statement or omission or been dishonest, unfair or unethical; to have been involved in a violation of a financial services-related regulation or statute; or to have been a cause of a financial services-related business having its authorization to do business denied, suspended, revoked, or restricted; Are entered against the employee in connection with a financial services-related activity; Denied, suspended, or revoked the employee's registration or license to engage in a financial services-related activity; disciplined the employee or otherwise by order prevented the employee from associating with a financial services-related business or restricted the employee's activities; or Barred the employee from association with an entity or its officers regulated by the agency or authority or from engaging in a financial services-related business; Final orders issued by a state or Federal regulatory agency or foreign financial regulatory authority based on violations of any law or regulation that prohibits fraudulent, manipulative, or deceptive conduct; Revocation or suspension of the employee's authorization to act as an attorney, accountant, or state or Federal contractor; or Customer-initiated financial services-related arbitration or civil action against the employee that required action, including settlements, or which resulted in a judgment. Another annual requirement under the SAFE Act – an independent test. 12 CFR 1007.104 requires that the covered financial institution, which includes credit unions, must adopt policy and procedures that provide for independent testing for compliance with this part to be conducted at least annually by covered financial institution personnel or by an outside party. As always, DakCU members may contact Amy Kleinschmit at akleinschmit@dakcu.org with any compliance related questions.
Compliance Update with Amy K
by Amy Kleinschmit, Chief Compliance Officer
Cybersecurity Awareness Month Continues
As discussed last week, October is Cybersecurity Awareness Month. Although this issue is important throughout the year, this is an opportunity to bring some additional attention to this very important topic and to help educate staff and members about #BeCyberSmart!
In case you missed it, the Cybersecurity & Infrastructure Security Agency (CISA) has a number of resources to help you spread the word about the importance of cybersecurity.
The CISA provides weekly tip sheets. Tip for this week – phight the phish. “Phishing attacks use email or malicious websites to infect your machine with malware and viruses to collect personal and financial information. Cybercriminals attempt to lure users to click on a link or open an attachment that infects their computers, creating vulnerabilities for criminals to use to attack. Phishing emails may appear to come from a real financial institution, e-commerce site, government agency, or any other service, business, or individual. The email may also request personal information such as account numbers, passwords, or Social Security numbers. When users respond with the information or click on a link, attackers use it to access users’ accounts.” Find simple tips here to “phight the phish.”
Homeland Security has a number of very informative and useful resources as well that can be found here, including a number of short videos to help educate folks on social privacy settings, using public Wi-Fi, issues when posting that vacation selfie, password management and other important topics. Share on your social media to remind your members, family and friends to #BeCyberSmart.
If anyone needs convincing as to why cybersecurity awareness is important, here are some facts as provided by Homeland Security:
1 in 3 Home with computers are infected with malicious software.
65% of Americans who went online received at least one online scam offer.
47% of American adults have had their personal information exposed by cyber criminals.
600,000 Facebook accounts are hacked every single day.
The #1 cybercrime is the imposter scam with 1 in 5 people reporting a financial loss.
Remember - #BeCyberSmart!
NCUA DEI Summit
The National Credit Union Administration (NCUA) is hosting a virtual Diversity, Equity and Inclusion Summit November 2-4. Registration and the agenda can be found here.
As noted by the NCUA, “the business case for diversity in credit unions is simple: diversity is a good investment. Diversity leads to better service, greater innovation, financial performance and profitability, improved solutions, higher levels of employee satisfaction and engagement, and increased membership. These things make credit unions resilient and sustainable, which ultimately leads to greater strength for the entire credit union system.”
Risk Mitigation Webinar – November 10
Don’t miss the second part of the Attorney’s Conference for Non-Attorneys covering Risk Mitigation on Wednesday, November 10. Registration can be found here.
Many credit unions look to an arbitration program to help minimize legal risks, and some credit unions are considering the implementation of arbitration clauses as a dispute resolution technique in resolving legal disputes. Learn more about adopting an arbitration clause in this session. This session will also provide general risk mitigation strategies to help protect credit unions along with more specific strategies related to employer HR risks in a changing workplace. The following topics will be covered: Cuna Mutual Group Bond Claims Update; HR/Employer Risks; Arbitration clauses; and Remote Capture update.
Most credit unions do not have in-house counsel or access to the type of information provided at events like CUNA’s Attorney Conference. The Attorney’s Conference for Non-Attorneys can provide this information to you, along with risk mitigation strategies to help protect your credit union from liability.
Each session is only $25 – be sure to reserve your seat now! You’ll learn from lawyers with expertise in working with credit unions.
This series is made possible thanks to our sponsor Husch Blackwell and the collaborative efforts of the Minnesota Credit Union Network, Heartland Credit Union Association, Illinois Credit Union League, Iowa Credit Union League, Montana Credit Union League, Dakota Credit Union Association, Nebraska Credit Union League, and Wisconsin Credit Union League.
Random Compliance Reminder
As you are aware (since you have been following these weekly compliance articles), I have been including random compliance reminders on a variety of topics lately. Nothing new compliance wise with these reminders – just inspired by something I may have heard on a TV commercial or saw online snooping on websites or received as a question. With new regulatory changes and updates constantly coming out, credit unions can’t forget about the “old stuff” that perhaps hasn’t changed in a while but remains quite relevant (and audited for).
SAFE Act – registration renewals and updates. Back in 2008 the Secure and Fair Enforcement for Mortgage Licensing Act (SAFE Act) was passed. This mandated a federal registry for credit unions (along with other financial institutions) and their employees who are Mortgage Loan Originators (MLOs). Initially, credit unions relied on the NCUA’s rules and regulations which implemented SAFE Act and were effective back in 2010. Title X of the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act) transferred rulemaking authority for a number of consumer financial protection laws (which included the SAFE Act regulations) to the CFPB as of July 21, 2011. Regulation G, 12 CFR 1007, implements the SAFE Act’s requirements for credit unions.
We are already halfway through October, which means the renewal period for the SAFE Act is just around the corner. The annual renewal period runs November 1 through December 31 of each year. Reg G requires that a registered MLO must renew the registration during the annual renewal period, confirming their responses remain accurate and complete, and updating information as appropriate.
However, the MLO must update the registration within 30 days if any of the following events occur - a change in the name of the registrant; the registrant ceases to be an employee of the covered financial institution; or certain information required under the regulations becomes inaccurate, incomplete, or out-of-date. Information that must be updated within 30 days includes:
Convictions of any criminal offense involving dishonesty, breach of trust, or money laundering against the employee or organizations controlled by the employee, or agreements to enter into a pretrial diversion or similar program in connection with the prosecution for such offense(s);
Civil judicial actions against the employee in connection with financial services-related activities, dismissals with settlements, or judicial findings that the employee violated financial services-related statutes or regulations, except for actions dismissed without a settlement agreement;
Actions or orders by a state or Federal regulatory agency or foreign financial regulatory authority that: Found the employee to have made a false statement or omission or been dishonest, unfair or unethical; to have been involved in a violation of a financial services-related regulation or statute; or to have been a cause of a financial services-related business having its authorization to do business denied, suspended, revoked, or restricted; Are entered against the employee in connection with a financial services-related activity; Denied, suspended, or revoked the employee's registration or license to engage in a financial services-related activity; disciplined the employee or otherwise by order prevented the employee from associating with a financial services-related business or restricted the employee's activities; or Barred the employee from association with an entity or its officers regulated by the agency or authority or from engaging in a financial services-related business;
Final orders issued by a state or Federal regulatory agency or foreign financial regulatory authority based on violations of any law or regulation that prohibits fraudulent, manipulative, or deceptive conduct;
Revocation or suspension of the employee's authorization to act as an attorney, accountant, or state or Federal contractor; or
Customer-initiated financial services-related arbitration or civil action against the employee that required action, including settlements, or which resulted in a judgment.
Another annual requirement under the SAFE Act – an independent test. 12 CFR 1007.104 requires that the covered financial institution, which includes credit unions, must adopt policy and procedures that provide for independent testing for compliance with this part to be conducted at least annually by covered financial institution personnel or by an outside party.
As always, DakCU members may contact Amy Kleinschmit at akleinschmit@dakcu.org with any compliance related questions.