Holiday Season Fraud Prevention Checklist

Produced By Ann Davidson, VP of Risk Consulting at Allied Solutions

It’s not a question of whether fraud exposure will happen this holiday season, but when. That’s why your credit union should help your staff and members prepare for what fraudsters have in store this holiday season.

Our gift to you this holiday is a checklist to share with your credit union staff so that your credit union and its members have a safe and fraud-free holiday season.

Holiday Season Fraud Prevention Checklist:

☑ Educate cardholders about the heightened risk of attacks and scams during the holiday season, such as phishing attacks (where the member is asked to pay the scammer money) and recruitment scams (where the member is asked to pay a small amount up front to earn more money later on).

☑ Recommend that staff and members monitor ACH items, outgoing wires, and online transaction activity on all of their cards and accounts more closely and more frequently, watching for any unauthorized activity. Ask them to pay special attention to ACH items and outgoing wires.

☑ Use promotional and communication tools to spread the word to your credit union staff and members about the increased likelihood of scams and attacks during the holiday season.

☑ Flag or block any unusual out-of-state card purchases. Ask members to alert you if they will be traveling over the holidays, so that they are not affected by these preventative measures.

☑ Monitor any type of card fraud to help identify a card breach. Look for a common point of compromise and report it to the fraud department at the card association (e.g. Visa or MasterCard) immediately.

☑ Ensure that your credit union is receiving Visa alerts (CAMs) or MasterCard alerts regarding compromised cards and/or regarding the type of card data at risk (e.g. Track 1, Track 2, etc.).

☑ Determine whether you will block and reissue, or monitor, compromised card numbers. Where the full, unaltered magnetic stripe has been compromised, it is strongly recommended to block and reissue the card.

☑ Contact cardholders to let them know when their cards are part of a breach.

☑ Share a message on your website or phone system with any updates about the breach.

☑ Use multiple layers of authentication when validating and sending out ACH and wire transactions, both online and in person, to help prevent unauthorized withdrawals of members’ funds.

☑ Monitor PIN change activity. A criminal may make multiple attempts to perform a PIN change in order to obtain card data.

☑ Use an anti-skimming device on your ATMs to help prevent skimming.

☑ Review daily dollar limits for signature, internet, and PIN transactions and offer members the option to lower their daily card limits over the holiday season.

☑ Watch for multiple payments on the same day, or within days of each other, on credit card accounts, and do not make a payment available to the cardholder until the other payments clear.

☑ Watch for increased cash disbursements (advances) being performed on cards not issued by the credit union at the teller counter.

☑ Review your fraud risk tools and programs to assess their effectiveness.

☑ Continue to enhance your fraud protection strategies and fraud management systems to help prevent card exposure.
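Two of the items above (monitoring PIN change activity, and watching for multiple payments posted to one credit card account within a few days) are detection rules a fraud team can run over its own card-event feed. The script below is an added example, not Allied Solutions’ code or a product of the checklist’s authors: it runs both rules over a handful of constructed event records, and the thresholds (more than three PIN-change attempts within an hour; two or more payments within three days) and the field layout are assumptions chosen for illustration.

```python
"""Added example: two holiday-checklist watch items as detection rules.

Rule 1 flags cards with repeated PIN-change attempts inside a short window.
Rule 2 flags credit card accounts with several payments clustered within a
few days (the checklist suggests holding availability until earlier payments
clear). Records, thresholds and field names are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real data): ISO timestamp, card/account id,
# event type, amount. Payments carry an amount; PIN-change attempts do not.
EVENTS = [
    ("2015-12-01T09:00:00", "card-1001", "pin_change_attempt", 0.0),
    ("2015-12-01T09:02:00", "card-1001", "pin_change_attempt", 0.0),
    ("2015-12-01T09:05:00", "card-1001", "pin_change_attempt", 0.0),
    ("2015-12-01T09:06:00", "card-1001", "pin_change_attempt", 0.0),
    ("2015-12-02T10:00:00", "card-2002", "pin_change_attempt", 0.0),  # one attempt: normal
    ("2015-12-03T11:00:00", "acct-3003", "payment", 500.0),
    ("2015-12-03T15:30:00", "acct-3003", "payment", 750.0),
    ("2015-12-05T08:00:00", "acct-3003", "payment", 600.0),
    ("2015-12-04T12:00:00", "acct-4004", "payment", 200.0),
    ("2015-12-20T12:00:00", "acct-4004", "payment", 200.0),  # 16 days apart: normal
]


def parse_events(rows):
    """Turn the raw tuples into (datetime, id, kind, amount) records."""
    return [(datetime.fromisoformat(ts), ident, kind, amt) for ts, ident, kind, amt in rows]


def _windows(stamped, window):
    """Yield (start, end) index pairs of every maximal run whose span fits in window.
    stamped must be sorted by its first element (a datetime)."""
    start = 0
    for end in range(len(stamped)):
        while stamped[end][0] - stamped[start][0] > window:
            start += 1
        yield start, end


def repeated_pin_changes(events, max_attempts=3, window=timedelta(hours=1)):
    """Return sorted card ids with more than max_attempts PIN-change attempts
    inside any sliding window of the given length (assumed threshold)."""
    by_card = defaultdict(list)
    for ts, ident, kind, _ in events:
        if kind == "pin_change_attempt":
            by_card[ident].append((ts,))
    flagged = set()
    for card, stamps in by_card.items():
        stamps.sort()
        if any(end - start + 1 > max_attempts for start, end in _windows(stamps, window)):
            flagged.add(card)
    return sorted(flagged)


def clustered_payments(events, min_payments=2, span=timedelta(days=3)):
    """Return {account: [(timestamp, amount), ...]} for accounts where at least
    min_payments were posted within span of each other (assumed threshold).
    Only the payments that belong to such a cluster are listed."""
    by_acct = defaultdict(list)
    for ts, ident, kind, amt in events:
        if kind == "payment":
            by_acct[ident].append((ts, amt))
    hits = {}
    for acct, pays in by_acct.items():
        pays.sort()
        in_cluster = set()
        for start, end in _windows(pays, span):
            if end - start + 1 >= min_payments:
                in_cluster.update(range(start, end + 1))
        if in_cluster:
            hits[acct] = [pays[i] for i in sorted(in_cluster)]
    return hits


def holiday_watch_report(rows):
    """Run both rules and return a dict a fraud analyst could review."""
    events = parse_events(rows)
    return {
        "pin_change_cards": repeated_pin_changes(events),
        "clustered_payment_accounts": clustered_payments(events),
    }


if __name__ == "__main__":
    report = holiday_watch_report(EVENTS)
    print("Cards with repeated PIN-change attempts:", report["pin_change_cards"])
    for acct, pays in report["clustered_payment_accounts"].items():
        total = sum(amt for _, amt in pays)
        print(f"{acct}: {len(pays)} payments totalling {total:.2f} within a few days")
```

Both rules use the same sliding-window helper, so tightening or loosening a threshold is a one-argument change, and the payment rule reports the individual payments so an analyst can decide which ones to hold rather than blocking the whole account.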

For more information, register for the “Holiday Fraud Prevention 101” webinar on Wednesday, December 9, 2015.  Ann Davidson with Allied Solutions, LLC will explain what type of risks increase during the holidays and introduce steps that you, your staff, and your members can take to help ensure you all have a safe and fraud free holiday season.


Allied Solutions is the NAFCU Services Preferred Partner for Insurance – Bond, Creditor Placed (CPI), Guaranteed Asset Protection (GAP), and Mechanical Breakdown (MBP); and rateGenius.  More educational resources and contact information are available at


6 Compliance Tips For Loan Estimate Revisions

By Sue Burt, Senior Compliance Consulting Specialist, Wolters Kluwer Financial Services

When it comes to issuing a Loan Estimate under the TILA-RESPA Integrated Disclosure (TRID) rule, revisions are not permitted to correct mistakes, miscalculations, or underestimated charges caught after the fact. However, the law does recognize that some situations beyond lender error can arise that cause the original Loan Estimate to become inaccurate.

The Justifying Events

The law sets out six events that justify a revised Loan Estimate for purposes of re-setting fees and performing one’s good-faith analysis.  Those six events include:

  1. Changed circumstances that cause an increase to settlement charges
  2. Changed circumstances that affect the consumer’s eligibility for the loan or affect the value of the property securing the loan
  3. Consumer-requested changes
  4. Interest rate locks
  5. Expiration of the original Loan Estimate
  6. Construction loan settlement delays

Before considering each of these, it is important to review the definition of “changed circumstance” as this term impacts the first two triggering events.  Download the full whitepaper to explore specific case examples of the six justifying events, the timing for providing such revisions, and a review of the following few compliance tips.

Compliance Tips

Collect all application information before issuing a Loan Estimate. Revised Loan Estimates are not permitted simply because the lender failed to collect all six pieces of information required in the application prior to issuing the Loan Estimate. For example, the failure to obtain the property address prior to issuing the Loan Estimate cannot be used as a reason to issue a revision if that address is later collected and impacts fees.

Collect complete, accurate application information. Lenders should consider sequencing their requests for application information so that they have enough to issue an accurate Loan Estimate the first time around. In fact, they may request information above and beyond the six items that make up the definition of an “application.” For example, they may want to collect the consumer’s mailing address or the product the consumer is interested in before collecting the six pieces of required regulatory application information. Keep in mind, however, that once the lender receives those six items, a Loan Estimate is triggered.

Also, recognize that it is important to collect as much information as possible from the consumer during the application stage so that the Loan Estimate disclosures are accurate. Remember, lender errors and oversights will not justify a revised Loan Estimate. Put another way, a “bad” application is not a changed circumstance.

Only fees affected by a triggering event can be re-set. For good-faith purposes, only those fees impacted by the triggering event can be re-set. The triggering events are not a license to issue a completely revised Loan Estimate that addresses other changes not caused by the event being relied upon.

Courtesy Loan Estimate revisions. The law does not prohibit issuing updates to a Loan Estimate to reflect changes not based on one of the six triggering events. Many refer to these as “courtesy” revised Loan Estimates. Such revisions are customer-service oriented in nature and intended to keep the consumer updated on fee changes to avoid surprises at consummation. However, courtesy Loan Estimate revisions cannot be used to re-set fees for purposes of establishing good faith.

Record retention. The TRID rule recordkeeping provisions require that documentation be maintained to support the reason for issuing a revised Loan Estimate. Presumably, examiners will look for this supporting documentation when they review loan files and see revised Loan Estimates. Lenders should keep records documenting the reason for the revision, the original Loan Estimate, and the revised Loan Estimate. This evidence of compliance should be retained for three years.

Manage revisions. Lenders should implement some type of system to track and manage revised Loan Estimates. This will be important for conducting one’s good-faith analyses. It is also important for tracking multiple revisions and determining at what point fee increases exceed the 10% cumulative tolerance threshold.

For more information, download “The Revised Loan Estimate: Changed Circumstances and Other Triggering Events.”  The whitepaper highlights when a Loan Estimate revision is permitted, the timing for providing such revisions, and a few compliance tips to consider regarding the revision process.

Wolters Kluwer is the NAFCU Services Preferred Partner for Consumer and Member Business Lending and Deposit Services for credit unions. More educational resources and contact information are available at


Combat Social Engineering Fraud

Produced by Jay Slagel, VP of Risk Management at Allied Solutions

Due to a general lack of awareness, fraudsters are often successful in obtaining your account holders’ private information through various social engineering methods. Because of this, it is essential that you raise awareness among your employees about how social engineering fraud happens and the prevention measures your financial institution has in place to combat these attacks.

Social engineering fraud occurs in a variety of ways:

  • Phishing attacks via email or phone, where the fraudster claims to be a person of authority in order to obtain confidential and personal information.
  • Impersonation of a fellow employee, friend, or vendor to gather personal and confidential account information.
  • Obtaining personal and confidential information from digital storage devices (such as thumb drives, phones, or CDs) or paper documents that were not discarded properly.
  • Offering prizes or gifts via phony emails or calls in exchange for private information and/or money.
  • Baiting, where a person leaves an infected storage device, like a thumb drive or CD, at a location where someone is likely to find it, to entice that individual to load the infected device onto their computer.
  • Phone phishing, where the fraudster uses an interactive voice response (IVR) system to duplicate a message from the person’s financial institution, directing the account holder to input their confidential and personal information.

Credit unions can defend against social engineering fraud by changing their corporate culture through education and training. Employees should know how to recognize methods of social engineering and how to combat those attacks.

Actions your financial institution should take to combat social engineering include:

  1. Determine which employees have access to sensitive information, and may be targeted.
  2. Educate employees about ongoing threats.
  3. Verify that deposited checks clear before permitting a withdrawal or transfer.
  4. Establish a multi-level authentication process for financial transactions or account change requests that are not performed in person.
  5. Never open attachments or links in emails received from untrusted sources, and do not forward these emails.
  6. Tell employees to be wary of any prizes or offers made over the phone or through email, especially those that offer to update, correct, or solve a computer issue or problem.
  7. Protect private information on documents or storage devices that are no longer needed until they are shredded or destroyed.
  8. Conduct tests to determine where system vulnerabilities exist and promptly address those areas of weakness.
  9. Monitor social media outlets to reduce the chance of sensitive information being posted.

It is likely that one or more of your employees will be the target of a social engineering scheme, but taking proactive steps early and often will help your financial institution to remain protected from these fraud attempts.



Cybersecurity Ratings: The Third Party Cyber Risk Management Solution


So, you have identified your top partners. You have thoroughly evaluated their cybersecurity practices in order to keep your members’ financial data safe and secure. But before you sit back and relax, you have to ask yourself, “What about tomorrow?”

The Pitfalls of Traditional Evaluation Methods for Cybersecurity

Traditional methods of evaluating your partners may include detailed questionnaires and conversations, audits, and maybe you have even conducted some vulnerability scans. These are all sound methods for establishing whether your partners are on the right track, but they are only a start.

  • One-time snapshot. The problem with this type of evaluation is that it only gives you a picture of the organization at one small point in time. It is the equivalent of checking the locks on your doors once and never doing it again.
  • Expensive. Numerous questionnaires and audits can become very costly very quickly. If you are a small credit union, it may not seem practical to spend the cash or the manpower on these efforts.
  • Regulatory pressure. In addition to an ethical obligation to your members, regulators are creating new legal obligations aimed at third party risk management plans. The sooner you get in front of this issue, the easier it will be.

Vendors, especially high priority ones that have direct access to your network or your most sensitive data, need to have their security practices monitored all the time. This may seem daunting or even impossible, but it doesn’t have to be. The key to closing the holes in your partners’ security is security rating and monitoring solutions.

How Cybersecurity Ratings Work

Cybersecurity ratings work essentially like a credit rating company issuing a FICO score, except that the output is a security rating. For example, companies can be rated on a scale from 250 to 900. A higher number indicates stronger security performance and lower security risk.

A security rating platform gathers and analyzes publicly available information and observed incidents to create its security rating. It considers indicators such as spam propagation, malware propagation, and botnet infections, and then calculates a rating. You will also be able to see where the infections and incidents relating to a company’s security are occurring.

Utilizing Ratings as a Resource

Cybersecurity ratings can be a very useful tool for prioritizing which vendors require the most attention from your credit union. A company with a consistently high score probably doesn’t need a tremendous amount of your effort, so you can allocate your time and budget to the vendors that create greater risks for you and your members.

In addition, this rating can be a valuable resource when having a more sophisticated conversation with your vendors about cybersecurity. If you are grappling with what questions to ask or what risk vectors you should be focused on, the security rating information can give you a road map to do that.

NAFCU Services and BitSight Technologies have partnered to provide an independent security monitoring service that delivers continuous data on outside vendors’ security practices. If you would like to learn more about BitSight’s solutions for credit unions, or about formulating a third party risk management plan, you can check out our webinar here.

Cybersecurity Awareness Month: Confronting the Scariest Threats to Your Credit Union


October is National Cybersecurity Awareness Month, which makes it an excellent time to make sure there aren’t any unseen forces within your credit union with nefarious plans for your members’ money.

Earlier this year, Wired Magazine wrote about the biggest cybersecurity threats for 2015. Three of these are indeed scary prospects for the credit union industry, but the key is to make sure you are doing everything you can to prevent these scenarios:

  • Data Destruction: Malware exists that erases data and boot records, so it is vitally important to have an excellent data backup plan.
  • Bank Card Breaches: This threat isn’t going away any time soon, so it is important to move towards tokenization technologies to counter it. NAFCU has partnered with MasterCard to help credit unions make this move. For more information, you can check out this webinar from earlier this year here.
  • Third Party Breaches: The data breach at Target stores is an excellent example of why you need a strong Third Party Risk Management Plan. For more information on this, check out our recent webinar or blog posts here or here.

The costs of cyber threats are no joke to financial institutions big or small. According to the National Small Business Association, 44 percent of small businesses have been the victims of a cyber-attack. Clearly, it is worth the investment to review how sound your security is. The following tips from the Department of Homeland Security are an excellent place to start.

Cyberattack Prevention Tips and Practices

  • Have a plan. According to, 59% of small and medium size businesses in the United States do not have a plan that outlines procedures for responding to and reporting data breach losses. A number of these plans are covered in compliance frameworks that may already exist, but only as shelfware. If this describes you, now is the time to formulate both short and long term plans.
  • Use the latest software. Make sure you have antivirus and antispyware software and update it regularly.
  • Educate. Make sure that all of your employees are aware of cyber threats, and educate them on the steps they must take to help combat these attacks.
  • Invest in data loss protection software, use encryption technologies to protect data in transit, and use two-factor authentication wherever possible.
  • Passwords. Use strong passwords throughout your organization and have employees change them regularly.

Who Should You Call?

What should you do if you’re unsure whether your organization is prepared to navigate this threat landscape? If you are not sure where your cybersecurity threats may lie, or even where you should be looking, consider going to an outside vendor. NAFCU and Knowledge Consulting Group (KCG) have partnered to provide comprehensive cybersecurity solutions.

KCG provides expert penetration testing and cybersecurity advisory services. Its tests simulate the attack vectors and scenarios most likely to affect the overall credit union environment, from IT systems to social engineering. It also provides risk management, governance, operations, and compliance services to help credit unions navigate the complexities of the evolving cybersecurity landscape.

So take an inventory of your practices, make a plan, and evaluate where your weak spots are.

Knowledge Consulting Group is a subsidiary of ManTech International. For more detailed information on penetration testing or cybersecurity advisory services, visit KCG’s preferred partner page.