Cybersecurity of Interbank Messaging and Wholesale Payment Networks

PURPOSE

The Federal Financial Institutions Examination Council (FFIEC), on behalf of its members[1], is issuing this statement, in light of recent cyber attacks, to remind financial institutions of the need to actively manage the risks associated with interbank messaging and wholesale payment networks. Financial institutions should review their risk management practices and controls over information technology (IT) and wholesale payment systems networks, including authentication, authorization, fraud detection, and response management systems and processes. The FFIEC members emphasize that participants in interbank messaging and wholesale payment networks should conduct ongoing assessments of their ability to mitigate risks related to information security, business continuity, and third-party provider management.

This statement does not contain new regulatory expectations. It is intended to alert financial institutions to specific risk mitigation techniques related to cyber attacks that exploit vulnerabilities and gain unauthorized entry through trusted client terminals connected to messaging and payment networks. Financial institutions should review their risk management practices (including services provided to clients) and refer to the appropriate FFIEC IT Examination Handbook booklets referenced in this statement for information on regulatory expectations regarding IT risk management. Financial institutions should also review and adhere to the technical guidance issued by payments and settlement networks for managing and controlling risks to critical systems.

BACKGROUND

Recent cyber attacks that used interbank networks and wholesale payment systems to commit fraud have demonstrated the capability to:

  • Compromise a financial institution’s wholesale payment origination environment, bypassing information security controls.
  • Obtain and use valid operator credentials with the authority to create, approve, and submit messages.
  • Employ sophisticated understanding of funds transfer operations and operational controls.
  • Use highly customized malware to disable security logging and reporting, as well as other operational controls to conceal and delay detection of fraudulent transactions.
  • Transfer stolen funds across multiple jurisdictions quickly to avoid recovery.

RISKS

Unauthorized transactions involving interbank messaging and wholesale payment networks may subject the originating bank to financial loss and compliance risk[2].

RISK MITIGATION

Financial institutions should use multiple layers of security controls to establish several lines of defense. Financial institutions should also ensure that their risk management processes address the risk posed by compromised credentials. In taking these actions, financial institutions should reference the risk management information contained in the FFIEC IT Examination Handbook[3], specifically the Information Security[4], Business Continuity Planning[5], Outsourcing Technology Services[6], and Wholesale Payment Systems[7] booklets. Additionally, institutions should consult their payment system provider’s guidance for specific security control recommendations.

In accordance with regulatory requirements and FFIEC guidance, a financial institution should consider the following steps:

  • Conduct ongoing information security risk assessments. Maintain an ongoing information security risk assessment program that considers new and evolving threat intelligence related to online accounts and adjusts customer authentication, layered security, and other controls in response to identified risks. Identify, prioritize, and assess the risk to critical systems, including threats to applications that control system parameters and other security and fraud prevention measures. In addition, ensure that third-party service providers:
    • Perform effective risk management and implement appropriate controls.
    • Properly maintain and conduct regular testing of their security controls simulating potential risk scenarios.
    • Are contractually obligated to provide security incident reports when issues arise that may affect the institution.
  • Perform security monitoring, prevention, and risk mitigation. Ensure that protection and detection systems, such as intrusion detection systems and antivirus protection, are up to date and that firewall rules are configured properly and reviewed periodically. Establish a baseline of normal system and operator activity so that anomalous behavior can be detected. Monitor system alerts to identify, prevent, and contain attack attempts from all sources. In addition,
    • Follow software assurance industry practices for internally developed applications.
    • Conduct due diligence of third-party software and services.
    • Conduct penetration testing and vulnerability scans, as necessary.
    • Promptly manage vulnerabilities, based on risk, and track mitigation progress, including implementing patches for all applications, services, and systems.
    • Review reports generated from monitoring systems and third parties for unusual behavior.
  • Protect against unauthorized access. Limit the number of credentials with elevated privileges across the institution, especially administrator accounts, and the ability to easily assign elevated privileges to access critical systems. Review access rights periodically to confirm that approvals are still appropriate to the job function. Establish stringent expiration periods for unused credentials, monitor logs for use of old credentials, and promptly terminate unused or unwarranted credentials. Establish authentication rules, such as time-of-day and geolocation controls, and implement multifactor authentication for web-based control panels. In addition,
    • Conduct regular audits to review the access and permission levels to critical systems for employees and contractors. Implement least-privilege access policies across the entire enterprise. In particular, do not allow users to have local administrator rights on workstations.
    • Change default passwords and settings for system-based credentials.
    • Prevent unpatched systems, such as home computers and personal mobile devices, from connecting to internal systems.
    • Implement monitoring controls to detect unauthorized devices connected to internal networks.
    • Use secure connections when remotely accessing systems and services (e.g., virtual private networks).
  • Implement and test controls around critical systems regularly. Ensure appropriate controls, such as access control, segregation of duties, audit, and fraud detection and monitoring systems, are implemented for systems based on risk. Limit the number of sign-on attempts for critical systems and lock accounts once such thresholds are exceeded. Implement alert systems to notify employees when baseline controls are changed on critical systems. Test the effectiveness and adequacy of controls periodically. Report test results to senior management and, if appropriate, to the board of directors or a committee of the board of directors. Include in the report recommended risk mitigation strategies and progress to remediate findings. In addition,
    • Encrypt sensitive data on internal- and external-facing systems in transit and, where appropriate, at rest.
    • Implement an adequate password policy.
    • Review the business processes around password recovery.
    • Regularly test security controls, such as web application firewalls.
    • Implement procedures for the destruction and disposal of media containing sensitive information based on risk relative to the sensitivity of the information and the type of media used to store the information.
    • Filter Internet access through Web site whitelisting where appropriate to limit employees’ access to only those Web sites necessary to perform their job functions.
    • Conduct incremental and full backups of important files and store the backed-up data offline.
  • Manage business continuity risk. Validate that business continuity planning supports the institution’s ability to quickly recover and maintain payment processing operations. In addition,
    • Coordinate business continuity development and testing with all applicable third parties.
    • Coordinate testing with other industry players.
  • Enhance information security awareness and training programs. Conduct regular, mandatory information security awareness training across the financial institution, including how to identify and prevent successful phishing attempts. Ensure training reflects the functions performed by employees.
  • Participate in industry information-sharing forums. Incorporate information sharing with other financial institutions and service providers into risk mitigation strategies to identify, respond to, and mitigate cybersecurity threats and incidents. Since threats and tactics can change rapidly, participating in information-sharing organizations, such as the Financial Services Information Sharing and Analysis Center (FS-ISAC), can improve an institution’s ability to identify attack tactics and to successfully mitigate cyber attacks involving destructive malware on its systems. In addition to the FS-ISAC, there are government resources such as the U.S. Computer Emergency Readiness Team (US-CERT) that provide information on vulnerabilities. The US-CERT portal may be found at www.us-cert.gov. 
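The controls above are stated as requirements rather than mechanisms. The following is an added example, not part of the FFIEC statement and not the code of any payment network or terminal vendor, showing how four of them look as detection logic run over an operator audit trail: the sign-on attempt limit, the monitoring of logs for use of dormant credentials, a time-of-day baseline for anomalous activity on message- and configuration-affecting events, and a check for suppressed audit records of the kind the Background section describes (malware disabling logging and reporting). It assumes a hypothetical line-oriented log format (sequence number, UTC timestamp, event type, operator id, key=value fields); the operator names, event types, addresses and amounts are constructed.

```python
"""Detection checks over a wholesale payment terminal audit trail.

Added example; not part of the FFIEC statement and not any vendor's log
format. Assumes a hypothetical line-oriented audit log (per line: sequence
number, UTC timestamp, event type, operator id, optional key=value fields).
"""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import NamedTuple

# Constructed sample records, not from any institution. Everything before
# BASELINE_END is the learning period; ops_rgarcia last logged in in January.
SAMPLE_LOG = """\
seq=1  2016-01-11T10:02:00Z LOGIN_OK      ops_rgarcia src=10.20.1.30
seq=2  2016-05-02T09:12:03Z LOGIN_OK      ops_jsmith  src=10.20.1.15
seq=3  2016-05-02T09:40:11Z MSG_CREATE    ops_jsmith  ref=TXN001 amount=250000
seq=4  2016-05-02T09:41:20Z MSG_APPROVE   ops_akhan   ref=TXN001
seq=5  2016-05-02T17:02:44Z LOGOUT        ops_jsmith
seq=6  2016-05-04T02:13:55Z LOGIN_FAIL    ops_jsmith  src=10.20.9.77
seq=7  2016-05-04T02:14:02Z LOGIN_FAIL    ops_jsmith  src=10.20.9.77
seq=8  2016-05-04T02:14:09Z LOGIN_FAIL    ops_jsmith  src=10.20.9.77
seq=9  2016-05-04T02:14:20Z LOGIN_OK      ops_jsmith  src=10.20.9.77
seq=10 2016-05-04T02:15:31Z LOGIN_OK      ops_rgarcia src=10.20.9.77
seq=11 2016-05-04T02:16:00Z MSG_CREATE    ops_jsmith  ref=TXN002 amount=9800000
seq=12 2016-05-04T02:16:40Z MSG_APPROVE   ops_rgarcia ref=TXN002
seq=13 2016-05-04T02:17:05Z CONFIG_CHANGE ops_jsmith  key=print_confirmations value=off
seq=27 2016-05-04T09:01:12Z LOGIN_OK      ops_akhan   src=10.20.1.16
"""
BASELINE_END = datetime(2016, 5, 4, tzinfo=timezone.utc)
SENSITIVE = ("MSG_CREATE", "MSG_APPROVE", "CONFIG_CHANGE")  # move money or weaken controls


class Event(NamedTuple):
    seq: int
    ts: datetime
    kind: str
    operator: str
    fields: dict


def parse_line(line: str) -> Event:
    parts = line.split()
    seq = int(parts[0].split("=", 1)[1])
    ts = datetime.strptime(parts[1], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return Event(seq, ts, parts[2], parts[3], dict(p.split("=", 1) for p in parts[4:]))


def parse_log(text: str) -> list[Event]:
    """Events in time order; every check below relies on that ordering."""
    return sorted((parse_line(l) for l in text.splitlines() if l.strip()), key=lambda e: e.ts)


def failed_login_bursts(events, threshold=3, window=timedelta(minutes=10)):
    """Operators reaching `threshold` LOGIN_FAILs inside `window`: lock and alert here."""
    fails = defaultdict(list)
    for e in events:
        if e.kind == "LOGIN_FAIL":
            fails[e.operator].append(e.ts)
    hits = {}
    for op, times in fails.items():
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                hits[op] = times[i + threshold - 1]  # moment the lockout should have fired
                break
    return hits


def dormant_credential_use(events, max_idle=timedelta(days=60)):
    """Successful logins by credentials idle longer than `max_idle`; these should have expired."""
    last_seen, hits = {}, []
    for e in events:
        if e.kind == "LOGIN_OK" and e.operator in last_seen:
            idle = e.ts - last_seen[e.operator]
            if idle > max_idle:
                hits.append((e.operator, e.ts, idle.days))
        last_seen[e.operator] = e.ts
    return hits


def off_hours_activity(events, baseline_end=BASELINE_END, sensitive=SENSITIVE):
    """Learn each operator's active UTC hours before `baseline_end`; flag sensitive events outside."""
    hours = defaultdict(set)
    for e in events:
        if e.ts < baseline_end:
            hours[e.operator].add(e.ts.hour)
    hits = []
    for e in events:
        if e.ts >= baseline_end and e.kind in sensitive:
            seen = hours.get(e.operator)
            if not seen or not (min(seen) <= e.ts.hour <= max(seen)):
                hits.append(e)
    return hits


def sequence_gaps(events):
    """Missing sequence numbers in what should be a contiguous audit trail. Records vanishing
    right after a CONFIG_CHANGE is the footprint of logging suppression; no gaps means
    nothing is missing, not that the surviving records are trustworthy."""
    seqs = sorted(e.seq for e in events)
    return [(a, b) for a, b in zip(seqs, seqs[1:]) if b != a + 1]


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    for check in (failed_login_bursts, dormant_credential_use, off_hours_activity, sequence_gaps):
        print(check.__name__, check(ev))
```

On the sample data the checks fire in the order an intrusion of this shape would produce them: three failed sign-ons followed by a success from a new address, a credential idle for 113 days logging in from that same address, message creation and approval outside both operators' learned hours, a configuration change that turns off printed confirmations, and then thirteen missing audit records. The sequence-gap check only works if the terminal numbers its records and the copy being examined lives on a separate system; a log kept only on the compromised host can be rewritten as easily as it is truncated, which is why the statement asks for monitoring and review outside the payment environment itself.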

ADDITIONAL RESOURCES

The following are available payment systems risk management resources with practical information.

REFERENCES

[1] The FFIEC comprises the principals of the following: the Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, National Credit Union Administration, Office of the Comptroller of the Currency, Consumer Financial Protection Bureau, and State Liaison Committee.

[2] E.g., the USA PATRIOT Act, the Bank Secrecy Act, and Office of Foreign Assets Control (OFAC) requirements.

[3] See: http://ithandbook.ffiec.gov/

[4] See: http://ithandbook.ffiec.gov/it-booklets/information-security.aspx

[5] See: http://ithandbook.ffiec.gov/it-booklets/business-continuity-planning.aspx

[6] See: http://ithandbook.ffiec.gov/it-booklets/outsourcing-technology-services.aspx

[7] See: http://ithandbook.ffiec.gov/it-booklets/wholesale-payment-systems.aspx 

FFIEC Issues Statement on Safeguarding the Cybersecurity of Interbank Messaging and Payment Networks

The Federal Financial Institutions Examination Council (FFIEC) members today advised financial institutions, consistent with existing regulatory expectations, to actively manage the risks associated with interbank messaging and wholesale payment networks. In a statement, the FFIEC also stressed that financial institutions should review risk-management practices and controls related to information technology systems and wholesale payment networks, including risk assessment; authentication, authorization and access controls; monitoring and mitigation; fraud detection; and incident response.

The joint statement notes that recent cyber attacks have targeted interbank messaging and wholesale payment functions at financial institutions to originate unauthorized transactions. These unauthorized transactions may subject a bank that originates such transactions to losses and compliance risk.  

Financial institutions may find additional information on risk management and cybersecurity threat management on the FFIEC’s website at http://www.ffiec.gov/cybersecurity.htm.

NCUA Seeking Stakeholder Input on Modernizing Its Data Collections

ALEXANDRIA, Va. (June 7, 2016) – Stakeholders throughout the credit union system may provide input on ways the National Credit Union Administration can modernize and improve its Call Reports, with the publication of a request for information in the Federal Register today.

“To do our job properly, NCUA needs to regularly capture credit union material-risk exposures through our Call Reports,” NCUA Board Chairman Rick Metsger said. “At the same time, we need to identify areas where we can reduce or eliminate unnecessary reporting burdens, especially for smaller and non-complex credit unions. This request for information is a critical first step in making our data collection systems better and more efficient. I, therefore, look forward to hearing the thoughts of all interested parties in the credit union system.”

At its May open Board meeting, NCUA announced that it would conduct a comprehensive review and modernization of content in the Call Report and Credit Union Profile. NCUA will gather information through a public comment-and-review process and will create an internal working group that will consult with stakeholders. The process could also include online surveys, focus groups, workshops and other activities.

In its request for information, available online here, NCUA is seeking stakeholder input in several specific areas, including:

  • What specific areas of the Call Report and Credit Union Profile do users find challenging;
  • What sections or items could be made optional for small or non-complex credit unions without compromising the agency’s ability to assess risk in these institutions;
  • What items could be added to the reports to enhance the agency’s analysis of the system’s performance trends;
  • What areas of regulatory reporting align with a credit union’s internal accounting and what areas do not;
  • How the Call Report and Credit Union Profile could be reorganized to reduce credit unions’ reporting burden; and
  • What additional suggestions or ideas do credit unions have for collecting financial and non-financial information.

Stakeholder comments must be received by 5 p.m. Eastern on Monday, August 1. For additional information or to submit a comment, go to http://go.usa.gov/cSuuT.

NCUA Videos Outline Succession Planning

New Series Provides Practical Steps for Boards to Build a Succession Plan

ALEXANDRIA, Va. (June 8, 2016) – Credit union board directors can learn more about the necessity of succession planning in a new three-part video series released today on the National Credit Union Administration’s YouTube channel.

“Effective succession planning doesn’t start with the retirement announcement of a credit union executive,” NCUA Office of Small Credit Union Initiatives Director William Myers said. “Effective succession planning by a credit union board today will ensure that when it comes time to fill a leadership position tomorrow, the credit union’s members will be well served through the continuity of a credit union’s performance and culture.”

Succession Planning, available online here, explains the two types of succession plans a credit union should have in place, the responsibilities of the credit union board in the succession planning process and why succession planning should be an ongoing part of a credit union’s overall strategic planning process. Credit union boards may also access resources like a sample succession planning template and NCUA’s Federal Credit Union Handbook through the videos.

Created by NCUA’s Office of Small Credit Union Initiatives, the online training module on succession planning is part of a video series covering a variety of subjects important to credit union boards, such as effective board management, credit union policies and procedures and mergers. More information is also available on NCUA’s Small Credit Union Learning Center available on www.ncua.gov.

NCUA’s Office of Small Credit Union Initiatives fosters credit union development and the effective delivery of financial services for small credit unions, minority depository institutions, new credit unions and credit unions with a low-income designation. For more information about the work of the Office of Small Credit Union Initiatives, visit the office’s website or subscribe to its monthly FOCUS e-newsletter.

May 2016 NCUA Board Video Available

ALEXANDRIA, Va. (June 8, 2016) – The video recording of the May 2016 open meeting of the National Credit Union Administration Board is now available on the agency’s website.

Archived videos of past Board meetings may be viewed here, and each video remains on the site for one year.

At the May open meeting, the NCUA Board discussed two issues:

  • The Chief Financial Officer briefed the Board on the performance of the Temporary Corporate Credit Union Stabilization Fund, including plans to pay down $700 million of borrowings from the U.S. Treasury by May 31, 2016.
  • The Office of Examination and Insurance informed the Board about proposed plans to modernize the Call Report and Credit Union Profile content and improve data collection.

NCUA posts these videos as part of the agency’s ongoing efforts to provide transparency and to allow those unable to attend Board meetings the opportunity to become better informed. An interval between the meeting and posting is necessary for the videos to comply with Section 508 of the Rehabilitation Act for the hearing and visually impaired.

The Board Actions page of NCUA’s website has more information, including Board agendas, which are posted at least one week in advance of each open meeting, copies of Board Action Bulletins, which summarize the meetings, copies of Board memorandums and other documents.

State Credit Union Data Show Growth in Loans, Assets and Shares

Median Delinquency Rate Holds Steady; Return on Average Assets down Slightly

ALEXANDRIA, Va. (June 10, 2016) – More than half of federally insured credit unions in every state reported growth in loan balances over the year ending in the first quarter of 2016, according to state-level data compiled by the National Credit Union Administration and released today.

Nationally, median loan growth in federally insured credit unions was 4.5 percent during the year ending in the first quarter of 2016. The median rate of growth in deposits and shares was 3.0 percent. The median loan-to-share ratio moved above 60 percent. The median loan delinquency rate was essentially unchanged from a year earlier at 0.7 percent.

The NCUA Quarterly U.S. Map Review, available online here, tracks credit union performance indicators in the 50 states and the District of Columbia. The review also includes information on two key state-level economic indicators: unemployment rates and home price changes.

All States Report Positive Median Loan Growth; Nevada, Washington Highest

Nationally, median growth in loans outstanding was 4.5 percent over the year ending in the first quarter of 2016, up from 4.0 percent the previous year. The highest median growth rates for loans were in Nevada (9.9 percent) and Washington (8.9 percent). Median loan growth was slowest in New Jersey (0.5 percent) and the District of Columbia (1.2 percent).

Median Asset Growth Rate 2.9 Percent; Alaska, New Hampshire Highest

Median asset growth was 2.9 percent nationally in the year ending in the first quarter of 2016, up from 1.8 percent a year earlier. Median asset growth was fastest in Alaska (6.7 percent) and New Hampshire (6.3 percent). Median asset growth was slowest in New Jersey (0.7 percent) and Louisiana (1.0 percent).

Idaho, Alaska Report Highest Median Growth Rates in Shares and Deposits

Nationally, federally insured credit unions’ median growth rate in shares and deposits was 3.0 percent in the year ending in the first quarter of 2016, up from 1.6 percent during the previous year.

At the median, shares and deposits rose in each state over the year ending in the first quarter. The median growth rate in shares and deposits was highest in Idaho (6.8 percent) and Alaska (6.3 percent). The median growth rate in shares and deposits was lowest in New Jersey (0.6 percent) and Kansas (1.2 percent).

Utah, Virginia Pace Nation on Aggregate Returns on Average Assets

Nationally, the aggregate return on average assets at federally insured credit unions was 75 basis points at an annual rate at the end of the first quarter of 2016, down slightly from 78 basis points at the end of the first quarter of 2015. The aggregate return on average assets was positive in every state in the first quarter of 2016. Utah (117 basis points) had the highest aggregate return, followed by Virginia (115 basis points). New Jersey (17 basis points) and Connecticut (33 basis points) posted the lowest aggregate returns on average assets.

Idaho and Alaska Again Report Highest Median Loan-to-Share Ratios

Nationally, the median ratio of loans outstanding to total shares and deposits was 61 percent at the end of the first quarter of 2016, compared to 59 percent a year previously. The median loan-to-share ratio was highest among credit unions in Idaho (87 percent) and Alaska (82 percent). The median loan-to-share ratio was lowest in Hawaii (42 percent) and Delaware (44 percent).

Median Total Delinquency Rate Steady

The median total delinquency rate at federally insured credit unions was 0.7 percent nationally in the first quarter of 2016, unchanged from the first quarter of 2015. At the end of the first quarter, the median delinquency rate was lowest in California, Colorado and New Hampshire (all 0.3 percent). New Jersey (1.6 percent) reported the highest median delinquency rate, followed by Louisiana (1.3 percent).

Greater Share of Credit Unions Gain Members

While overall credit union membership continued to grow during the year ending in the first quarter of 2016, at the median, membership was unchanged.

Zero median membership growth means that, overall, 50 percent of federally insured credit unions had fewer members at the end of the first quarter of 2016 than a year earlier. Over the previous year, the median membership growth rate was negative 0.4 percent, and 53 percent of credit unions lost members over the year ending in first quarter of 2015.

Membership growth over the most recent four quarters continued to be concentrated in larger credit unions. Credit unions with falling membership tended to be small; about 75 percent of those credit unions had assets of less than $50 million.

Alaska (4.0 percent) had the highest median membership growth rate over the year ending in the first quarter of 2016, followed by New Mexico (2.0 percent). Median membership growth was negative in 16 states. At the median, membership declined the most in Pennsylvania (-1.8 percent).

Diversity: A Good Investment for Credit Unions

Read the Latest Issue of “The NCUA Report” Online

ALEXANDRIA, Va. (June 14, 2016) – The business case for diversity at credit unions is simple—it’s a good investment.

In the latest issue of the National Credit Union Administration’s monthly newsletter, an article by the Office of Minority and Women Inclusion outlines how diversity leads to better service, greater innovation and increased membership. These outcomes make credit unions stronger and more sustainable, and ultimately lead to greater strength for the entire credit union system.

The June 2016 issue of The NCUA Report is now available online here.

The agency’s newsletter features columns from NCUA Board Chairman Rick Metsger and Board Member J. Mark McWatters, as well as articles from several NCUA offices on the agency’s initiatives and information on supervisory, regulatory and compliance issues that are important to all federally insured credit unions.

Articles in this month’s issue include:

  • NCUA Extends Call Report Deadlines for July, October Reporting
  • Chairman’s Corner: Instant Replay Timeout: Official Review of the Regulatory Process
  • Board Member McWatters’ Perspective: Accounting Standards May Drive ALLL Changes
  • Board Actions: Stabilization Fund to Pay Treasury $700 Million
  • How Will Your Commercial Loan Underwriting and Deal Structure Change with the New Member Business Lending Rule
  • Grants Give Low-Income Credit Unions the Means to Grow
  • Reaching the Credit-Invisible

Published monthly, The NCUA Report is NCUA’s flagship publication. The newsletter highlights important Board actions and key issues that credit union managers, staff and volunteers need to know. If interested, you can subscribe to the online version of the newsletter here.

Previous issues of The NCUA Report are available online here.

NCUA Encourages Comments on Exam, Supervision Changes by Aug. 1

ALEXANDRIA, Va. (June 14, 2016) – Credit union stakeholders interested in the National Credit Union Administration’s efforts to modify supervision and examination procedures should submit comments by Aug. 1, the agency announced today.

“NCUA is on a fast track to update its examination and supervision procedures, and we want the input from as many people as possible,” NCUA Board Chairman Rick Metsger said. “I have instructed the Exam Flexibility Initiative, the internal working group studying the agency’s supervision and examination process, to deliver its recommendations to the NCUA Board in September. In order for the working group to both meet its deadline and give due consideration to all suggestions, we’re asking stakeholders to get us their thoughts as soon as possible.”

NCUA will accept suggestions received after Aug. 1, but comments received before the deadline will receive full consideration.

Comments can be sent to [email protected], and NCUA has created a webpage to provide information about the initiative, available online here.

NCUA has suggested five questions stakeholders should consider when they submit comments:

  • How can NCUA conduct future examinations in ways that minimize their impact on credit unions’ operations?
  • What concerns do credit unions have about the current examination and supervision program?
  • What steps should NCUA take to improve the efficiency of its examination program while ensuring it remains effective?
  • How can NCUA better use technology in examinations?
  • What metrics should NCUA consider to determine a credit union’s eligibility for an extended examination cycle?

The working group is led by Region IV Director Keith Morton and includes representatives from all five of the agency’s regional offices and its central office. The working group’s outreach to credit union stakeholders will include meetings and teleconferences.

Metsger: NCUA Will Host Budget Briefing

Information on Proposed 2017–2018 Budget Will Be Available in Advance

NASHVILLE, Tenn. (June 15, 2016) – Credit union stakeholders will have an opportunity to offer comments on the National Credit Union Administration’s proposed 2017–2018 budget at a briefing in October, Board Chairman Rick Metsger announced today.

“As part of my commitment to implement Continual Quality Improvement across all aspects of NCUA’s operations, the agency will hold a briefing on the draft budget,” Metsger said. “This budget briefing will be more comprehensive than the briefings previously held by the agency. For example, we will release more details on the proposed budget before the briefing, so stakeholders can review and analyze the information before they participate.”

Metsger made his announcement during remarks to the National Association of Federal Credit Unions’ annual conference here. He said that, even without the briefing, stakeholders can, as always, offer comments about the agency’s budget at any time.

“I meet with people year-round, and I know Board Member McWatters does, too,” Metsger said. “We are always open to suggestions on how to improve operations. People don’t have to wait for a budget briefing if they have concerns or questions.”

Metsger said NCUA already makes a great deal of detailed budget information public, posted on the agency’s Budget and Supplementary Materials webpage. Preliminary information about NCUA’s 2017 budget is already available. At its November 2015 open meeting, the NCUA Board approved a rolling two-year agency budget. The agency will revise and supplement this material before the October budget briefing.

Everyone who participates in the budget briefing will be heard, Metsger said, but the NCUA Board still has the responsibility to make a final decision on expenditures to fulfill its mandate under the Federal Credit Union Act to protect the safety and soundness of the credit union system, the National Credit Union Share Insurance Fund, and the more than $1 trillion of members’ accounts.

Today’s announcement follows NCUA’s recent decision to conduct a comprehensive review of its examination and supervision process. Metsger created a working group to field stakeholder suggestions and report its recommendations to the Board in September.

NCUA Performs Well in “Best of the Best” Workplace Ratings

ALEXANDRIA, Va. (June 16, 2016) – The National Credit Union Administration again ranks as a “Best of the Best” place to work for minorities and women, the agency announced today.

The annual rankings are published by DiversityComm, Inc., a human resources research and consulting firm specializing in workplace diversity, and the parent company of Black EOE Journal, Professional Woman’s Magazine and Hispanic Network. NCUA has consistently been ranked as a best place to work by DiversityComm over the last three years.

“Diversity in our workforce makes NCUA a more effective regulator,” NCUA Board Chairman Rick Metsger said. “This latest recognition by DiversityComm not only illustrates our commitment to creating a more diverse and inclusive work environment, but it is also an important motivator for the agency to continue to do more. Utilizing the different skills, talents and perspectives of our diverse employees contributes directly to the success of the agency, and this ultimately strengthens the credit union system.”

As part of its efforts to create a more diverse and inclusive workforce, NCUA pursued several initiatives in 2015, including recruitment, leadership development, outreach and training. All of NCUA’s employees and leadership received diversity-awareness training during the year. The agency also conducted a barrier analysis to help the agency understand how it can make further improvements in creating a diverse and inclusive work environment.

“NCUA values diversity as a business imperative,” Monica Davy, Director of NCUA’s Office of Minority and Women Inclusion said. “We know we cannot succeed if we don’t attract the best talent and create an inclusive environment where each person can contribute to his or her full potential. It is an honor to be recognized for our efforts, but the greater reward comes from being able to leverage the diversity of our workforce to accomplish our mission.”

NCUA is regularly recognized by the Partnership for Public Service as a desirable workplace for women, minorities and veterans, earning high ratings for leadership, diversity, fairness and employee empowerment.

DiversityComm, Inc. annually conducts evaluations of employers, including government agencies, to identify those it classifies as the “Best of the Best” in terms of outreach and accessibility to African American, Hispanic, female and veteran populations. Scores are based on policies supporting equal access, advancement and inclusion of all individuals, as well as other activities demonstrating a commitment to diversity and equal opportunity.