Nov. 6, 2015 NASCUS Report | NASCUS


Nov. 6, 2015

Statement warns of extortion via cyber attacks
The increasing frequency and severity of cyber attacks involving extortion is the subject of a joint statement issued this week by the Federal Financial Institutions Examination Council (FFIEC). “Cyber attacks against financial institutions to extort payment in return for the release of sensitive information are increasing,” the FFIEC stated in a release. “Financial institutions should address this threat by conducting ongoing cybersecurity risk assessments and monitoring of controls and information systems. In addition, financial institutions should have effective business continuity plans to respond to this type of cyber attack to ensure resiliency of operations.” NASCUS President and CEO Lucy Ito said that state credit union regulators are committed to ensuring a safe and sound cyber environment for financial institutions, as illustrated by the many programs and seminars the association has sponsored, and will be sponsoring in 2016 (including the NASCUS/CUNA Cybersecurity Symposium Aug. 1-2, 2016, in Chicago). In the statement released this week, the FFIEC listed a number of steps that financial institutions should consider taking to prevent and/or foil cyber extortion – such as updating security awareness and training to include extortion in cyber attacks. In the person of Idaho’s Mary Hughes, financial institutions bureau chief of the state Department of Finance, NASCUS is a member of the FFIEC’s State Liaison Committee (SLC), which is a voting member of the Council.

FFIEC statement on cyber extortion

‘Robo-dialer’ ruling contains exceptions – but it may all be moot
A ruling from federal communications regulators prohibiting unsolicited calls and texts from “robo dialers” to wireless devices contains some exceptions – but many of those exceptions may prove to be moot, a NASCUS analysis has found. In a summary of the Federal Communications Commission’s (FCC) “Declaratory Ruling and Order FCC 15-72” interpreting the Telephone Consumer Protective Act (TCPA) issued in September, NASCUS notes that the ruling carves out a very limited exception for automatic telephone dialing systems (ATDS) – also known as “robo dialers” – used by financial institutions and others to notify customers and members of data breaches and fraud. However, the NASCUS summary notes that the FCC “also expanded the breadth of the TCPA’s limitations in a manner which may render the exceptions moot.” For example, the FCC has narrowed the exception with at least eight qualifiers – among them: Calls/texts must be “strictly limited “to the excepted purpose; the consumer must be given opt out information; opt-out requests must be honored immediately; credit unions and/or banks can initiate no more than three messages per event over a three-day period. For details, see the link below.

NASCUS summary, FCC Declaratory Ruling and Order 15-72

KC Fed argues robustly against marijuana business banking for CO CU
The Federal Reserve Bank of Kansas City is taking a hard line with a Colorado credit union seeking to serve marijuana businesses, comparing pot banking to such prohibited actions as trading in endangered species or evading sanctions against North Korea, the American Banker (a trade publication) reported this week. According to court papers obtained by the newspaper that were filed by the Fed (in response to a lawsuit brought against it by Fourth Corner Credit Union of Denver, which was chartered to serve marijuana businesses), the Fed stated that marijuana legalization laws such as Colorado’s "are preempted as in conflict with the federal prohibition." The Fed further argued that guidance provided last year by the Justice Department and the federal Financial Crimes Enforcement Network (FinCEN) “do not change that analysis." Further, the Fed argued that Fourth Corner’s charter is voided because the credit union intends to "further criminal activity." Promises to comply with FinCEN's guidance, the Kansas City Fed argued in the papers (according to the newspaper), are meaningless because the credit union’s entire reason for existing “is to violate the law.” Fourth Corner sued the Fed for denying it a “master account,” which would allow the credit union access to the U.S. payment system; NASCUS does not hold a position about the lawsuit. The Banker story also noted, however, that as of the end of July, there were 34 institutions regulated by the Fed serving marijuana businesses – although not exclusively. In a related development, U.S. Sen. Bernie Sanders, I-Vermont, last week signed on as the seventh co-sponsor of Senate legislation (S.1726, sponsored by Sen. Jeff Merkley, D-Oregon) to help clarify the regulatory ambiguity for credit unions and other financials in serving legal state marijuana businesses and their affiliates. A companion House bill (H.R. 2076, sponsored by Rep. Ed Permutter, D-Colo.) is also pending. NASCUS supports both bills as matters of states’ rights, but is neutral on the legalization of marijuana use for either medical or recreational purposes. Where marijuana businesses are operating legally under state law and regulations, states have the right to clear federal law that fosters public security in their local communities.

House provision proceeds giving privately insured CUs access to FHLB
A provision giving privately insured, state-chartered credit unions access to membership in the Federal Home Loan Bank system is part of legislation approved by the House Thursday, and which now must go to conference with the Senate. The legislation, the highway and transit funding bill (H.R. 22), contains an FHLB membership amendment offered by Financial Services Committee Chairman Jeb Hensarling (R-Texas). The amendment included that provision, and a number of other regulatory relief provisions sought by financial institutions. The FHLB membership provision (the Capital Access for Community Financial Institutions Act of 2015 (H.R. 299)) most recently passed the House in April, but went nowhere beyond that. It has also been passed by the House in 2004, ’06 and ’14. The House highway bill must still be reconciled with a similar Senate measure.

More sign on to NCUA budget transparency act
Three more House members have signed on to the NCUA Budget Transparency Act (H.R. 2287), which requires the NCUA Board to open its budget process to notice and comment (including publication in the Federal Register) from stakeholders and the public. Signing on to the bill (sponsored by Rep. Mick Mulvaney (R-S.C.) were Reps. Steve Fincher (R-Tenn.), Randy Hultgren (R-Ill.) and Sam Graves (R-Mo.). The legislation now has 25 co-sponsors. As NASCUS has pointed out in letters of support for the legislation, a formal notice and comment requirement for the agency’s budget, including the overhead transfer rate (OTR), is not only sound public policy -- it also helps ensure an equitable playing field for state and federally chartered credit unions.

BRIEFLY: Talking turkey a breeze after BSA conference, Nov. 15-18
Looking for subject matter to spice up the discussion around the Thanksgiving table? Search no further than the NASCUS/CUNA Bank Secrecy Act (BSA) Conference Nov. 15-18 in Fort Lauderdale, Fla. There’s still plenty of time to sign up for this event, which has become the standard in the credit union community for keeping up with BSA updates and changes.


Information Contact:
Patrick Keefe, NASCUS Communications, or (703) 528-5974