Prepare Your Credit Union for Changes in HMDA Data Collection Rules (Part 2)

By Edward Kramer, Executive Vice President of Regulatory Affairs, Wolters Kluwer Financial Services

In part I of this series, we addressed the new data fields that the Consumer Financial Protection Bureau (CFPB) seeks to collect for more HMDA reporting transparency and timeliness, along with concerns about potential misinterpretation of the newly collected data.

To wrap up, we will consider the known and unknown factors related to this regulatory change and conclude with a list of key tips you can use to prepare your credit union for these pending changes.

Imminent Compliance and Technology Challenges Are Clear

Although most industry observers expect issuance of the final regulation sometime in 2015, we don’t yet know which specific data fields will be included, nor the amount of time institutions will have to prepare before the requirements go into effect. We also do not know if or how much of any additional data collected will be made public by the regulators.

Protecting the privacy of personally identifiable financial information should be a priority. The inclusion of items such as credit scores, borrower age, and other personal data may raise legitimate privacy concerns, particularly if it becomes possible to identify a specific consumer by combining the new data with other publicly available data.

Despite the unknowns, one thing is certain: the extent and breadth of the proposed new data collection fields will be considerable. They will impose significant regulatory compliance and information technology challenges on mortgage lenders.

How Your Credit Union Can Prepare

Whatever requirements are ultimately adopted, lenders will need to evaluate their current data collection capabilities, identify gaps, and make needed investments to be compliant. What impact will this have for your credit union’s staffing decisions, training, vendor support, and technology infrastructure—and how can you begin to prepare for these changes?

While the specifics have not yet been announced, you needn’t wait before initiating some preparatory action: 

  • Plan now for the increased data capture requirements and remember that data integrity is essential
    The changes coming will be sweeping and broad, impacting your organization in many ways. Minimally, these changes will include all new data fields outlined in the Dodd-Frank legislation—and likely, many if not all of the CFPB’s additional proposed data fields—so make sure your preparation is underway.
  • Identify all lines of business impacted by the HMDA changes
    Determine how you will organize these lines of business so that your efforts are coordinated. Ensure that all individuals responsible for implementation are connected and developing a plan of action so your organization is as ready as it can be once the final rules are announced.
  • Identify and prepare for any needed staff training
    Determine what your enterprise methodology and approach will be to manage the implementation. It’s never too early to start planning when it comes to staff training.
  • Strengthen and bolster your analytics capabilities
    The last thing you want is to submit data to the government that you haven’t already fully analyzed. Given resource constraints, lenders might be best served in outsourcing their data analytics needs to a capable vendor. But, whether you manage this function internally or through a third party, know the implications of that data for your organization—and how you plan to go about addressing any problems found in the analysis. You don’t want others analyzing and interpreting your findings in advance of conducting your own comprehensive review.
  • Conduct a root cause analysis on questionable cases
    If your analyses uncover indicators of potential disparate treatment or impact of protected classes, conduct a root cause analysis to determine the extent of the problem and what is causing it. Then fix it.

Accept the fact that whatever implementation timeline is ultimately defined, the transition time for managing a regulatory change of this magnitude can never really be sufficient. But with some thoughtful and concerted advance preparation, you will be best positioned to ease some of the challenges in transitioning effectively to the new requirements.

Watch and share this short video of Tim Burniston, Executive VP at Wolters Kluwer, speaking about 4 key ideas to prepare for HMDA changes: New HMDA Fields Coming – Are You Ready?

Wolters Kluwer Financial Services is NAFCU Services Preferred Partner for consumer and member business lending and deposit services. For more information on Wolters Kluwer’s products and services, visit http://www.nafcu.org/wolterskluwer/

Prepare Your Credit Union for Changes in HMDA Data Collection Rules (Part 1)

By Edward Kramer, Executive Vice President of Regulatory Affairs, Wolters Kluwer Financial Services

In 2015, expectations loom large for lenders around finalization of rules for the new Home Mortgage Disclosure Act (HMDA) data collection requirements.

Created as part of the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank), the regulation authorizes the Consumer Financial Protection Bureau (CFPB) to expand the current HMDA dataset in order to help “financial regulators and public officials keep a watchful eye on emerging trends and problem areas in the mortgage market.”

CFPB Seeks More Data Transparency and Timeliness

The proposed changes include required reporting of 37 new data fields, including 20 not currently required under Dodd-Frank. Those 20 fields represent additional information that the CFPB proposes to collect for analytical purposes, including:

  • Detailed property location information
  • Total points and fees
  • Rate spread for all loans
  • Information on loan features such as teasers and introductory rates, and
  • Applicant’s age and credit score

In addition, the CFPB proposes to collect data such as:

  • Borrower’s debt-to-income ratio
  • Combined loan-to-value ratio
  • Loan’s qualified mortgage status, and
  • Inclusion of manufactured housing in collateral

When the CFPB proposed the expanded HMDA data collection specifications in the summer of 2014, it argued for the need for greater transparency and timely access to regulate lending activity, citing concerns that “under the current regime, HMDA data may be reported as many as 14 months after final action is taken on an application or loan.”

Consequently, for financial institutions reporting at least 75,000 covered loans per year, which accounts for the vast majority of loan application registrations in the annual HMDA files, the new rules would require submission of HMDA data on a quarterly rather than annual basis. The CFPB estimates that this specific reporting provision would impact about 28 financial institutions that combined would report about 50% of all HMDA-reported transactions.

Potential for Data Misinterpretation Causes Concern for Many

The regulatory landscape changed dramatically with the 1975 enactment of HMDA and then again with the passage of the Financial Institutions Reform, Recovery, and Enforcement Act of 1989 (“FIRREA”). The latest proposed regulatory changes may have an equal or greater impact on institutions affected by the proposal. This observation is borne out in the anxiety over the new data reporting requirements evident in the October 2014 Regulatory & Risk Management Indicator report, conducted by Wolters Kluwer Financial Services.

According to the report, U.S. credit unions and banks specifically point to the Dodd-Frank Act and the associated HMDA data collection requirements as among their chief concerns. The new data collected will unleash a flood of additional public scrutiny of mortgage lending. And that development, by extension, will likely generate a new level of criticism of the mortgage industry, including credit unions, from those interpreting the newly available data.

It is clear from its recent enforcement actions and guidance that the CFPB holds accurate HMDA data as central to fair lending compliance and its ability to enforce fair lending laws. Inaccurate HMDA data will only serve to mislead the public and will not be tolerated. That said, the additional data, however accurately reported, will be an insufficient basis on which to ground definitive conclusions about discrimination on a prohibited basis. But, the data will generate more room for error as it gets interpreted – or misinterpreted – by regulators, analysts, and the public.

Stay tuned for part 2 of this series to get additional insights about HMDA compliance and technology challenges and a list of key tips you can use to help prepare your credit union for these changes. Get a sneak peek of the tips by watching Tim Burniston, Executive VP at Wolters Kluwer, highlight the HMDA changes in the short video, New HMDA Fields Coming – Are You Ready?


Become a Vendor Assessment Jedi Using the NIST Cybersecurity Framework

Written by Randy Lindberg, Founder and Managing Partner with Rivial Security (A Quantivate Partner)

There are some ordinary steps that you can take to assess vendor due diligence. But, you don’t want to be ordinary…

To be a Vendor Assessment Jedi, use the NIST Cybersecurity Framework, you must!

Vendor due diligence is the process of ensuring that the use of external IT service providers and other vendors does not create unacceptable potential for business disruption or negative impact on business performance.

To accomplish the objective of vendor due diligence, your credit union needs to:

  • Gather company details such as ownership specifics, company size, products offered, and location
  • Understand the company’s financial position: is this vendor financially stable enough to service your needs for at least 1 to 2 years?
  • Know if the vendor will live up to their promises in terms of reputation via BBB ratings, CFPB complaints, and reference checks
  • Know how well the vendor is going to protect your data

Vendors that provide IT services have additional due diligence requirements; your credit union needs to:

  • Make sure that contract language includes information on the right to audit, data security measures, and data ownership
  • Define specific security considerations and incident response procedures. Additionally, cloud-based IT services (which FFIEC guidance defines by reference to NIST SP 800-145) raise further data security questions that need answers

Ultimately, your credit union, as the entity responsible for assessing vendor due diligence, must understand the vendor’s cybersecurity stance. How do you determine a vendor’s cybersecurity position? You can request an audit of their security controls, which typically comes back in the form of an SSAE 16 report.

SSAE stands for “Statement on Standards for Attestation Engagements.” The SSAE 16 is delivered in the form of Service Organization Controls (SOC) reports. There are several report types, but the two most common and important are:

  • SOC 1 Type 2, which reports on the design and effectiveness of internal controls over financial reporting; and
  • SOC 2 Type 2, which reports on the design and effectiveness of “trust service principles” such as security, confidentiality, and availability.

In most cases, the SOC 2 Type 2 is the best report for assessing cybersecurity. The SOC 1 report, however, is the most commonly used report. Not all SSAE 16 reports are the same because there is discretion as to which and how many of the five (5) trust services principles are actually examined and reported on during a SOC 2 engagement. You have to dig into some details to understand what is being reported.

For example, if an IT Service Provider has a SOC audit performed on their corporate network, but outsources application development and data center hosting, you’ll essentially be left with a meaningless document.

The ordinary steps used to perform an SSAE 16 review are:

  • Pinpoint findings without adequate management responses
  • Provide complementary user entity controls to system owner and/or IT

But, you want to be extraordinary. By using the NIST Cybersecurity Framework in the following way, you can become a Vendor Assessment Jedi:

  • Review the description of the vendor’s system addressed in the SSAE 16 report
  • Search for “subservice” to find the section where subservice organizations (i.e., any businesses that your vendor contracts with/outsources) are described
  • Use function, category, or subcategory (depending on your technical expertise and comfort level) to ensure control objectives are covered

NIST Cybersecurity Framework Core Example

Using the partial image above, you could search through the SSAE 16 report in a structured manner using the Framework as a guide.

If you use the “subcategory” component of the Framework, you would check the vendor’s report for a control objective that outlines “Response plans incorporate lessons learned” (as highlighted in the example above) or something very similar. If there is sufficient content in the report, you can mark that subcategory as ‘in place’ in your vendor cybersecurity assessment tracking documentation.

Using the NIST Cybersecurity Framework, in this way, to walk through vendor security audit reports provides a useful and efficient method to review vendor security controls.

To learn more about using the NIST Cybersecurity Framework to ensure proper vendor due diligence, register for the upcoming webinar, “Assessing Vendors Using the NIST Cybersecurity Framework,” presented by Randy Lindberg and Dan Banning, Director of Marketing at Quantivate.

Here are some additional resources for you to reference in the process of becoming a Vendor Assessment Jedi at your credit union:

Quantivate is the NAFCU Services Preferred Partner for Vendor and Contract Management. Quantivate partners with Rivial Security to deliver cost-effective data security solutions that enable organizations to protect sensitive data, comply with industry standards, and gain a competitive advantage. Additional educational resources and contact information can be found at www.nafcu.org/quantivate.

Protect Your Corporate Customers from Account Takeovers

Produced by Ann Davidson, VP of Risk Consulting at Allied Solutions

Were you aware that your corporate account holders are at an increasing risk of being targeted by cybercriminals?

Corporate accounts are especially vulnerable to account takeover attacks due to the fact that large wire and automated clearing house (ACH) transfers are frequently performed through these accounts, making fraudulent outgoing wire transfers or ACH credit requests harder to detect.

Additionally, these corporate accounts do not always have the most up-to-date or robust authentication layers in place on transactional activities, which makes it that much easier for criminals to obtain private credentials and take over these accounts.

To help combat these attacks, your credit union should have dynamic authentication methods in place for all consumer and business accounts, and should implement the following loss prevention recommendations:

  • Validate all account holder information when a wire transfer or ACH credit is requested
  • Pay special attention to new accounts performing large outgoing wire transfer or ACH credit requests, as these might be “money mule” accounts
  • Limit the dollar amount on outgoing wire transfers and ACH credit requests
  • Only offer in-person outgoing wire transfers and ACH credit requests
  • Have account holders sign an agreement that specifies that they will be assigned a confidential individual PIN and requires that they answer a security question prior to submitting an outgoing wire transfer or ACH credit request
  • Call back account holders’ listed phone number(s) to confirm their identities prior to performing requested outgoing wire transfer or ACH credit
  • Inform your corporate account holders that they have to do their part to stay protected from these attacks, such as:
    • Implementing anti-virus software on all company owned computers
    • Requiring password protection on all of their employees’ computers, cell phones, landlines, business accounts, and software applications
  • Continue to monitor reliable sources for updated information on risk exposures
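As an added example (not code from the original post or from Allied Solutions), the recommendations above expressed as a screening routine that holds an outgoing wire or ACH credit request until the listed controls are satisfied; the dollar thresholds, the 90-day "new account" window and the sample requests are constructed for illustration, since the post names no figures.

```python
from dataclasses import dataclass
from datetime import date

# Constructed policy thresholds: the post recommends a dollar limit and extra
# scrutiny of new accounts but gives no figures, so these are placeholders.
MAX_OUTGOING_AMOUNT = 25_000.00      # hard limit on a single outgoing wire/ACH credit
NEW_ACCOUNT_DAYS = 90                # window in which an account counts as "new"
NEW_ACCOUNT_LARGE_AMOUNT = 5_000.00  # large transfer from a new account triggers mule review


@dataclass
class TransferRequest:
    """One outgoing wire or ACH credit request (constructed sample data)."""
    account_id: str
    channel: str                # "wire" or "ach"
    amount: float
    account_opened: date
    requested_on: date
    in_person: bool             # submitted at a branch rather than remotely
    pin_verified: bool          # confidential individual PIN presented
    security_question_ok: bool  # security question answered correctly
    callback_confirmed: bool    # identity confirmed by calling the number on file
    beneficiary_on_file: bool   # account holder details validated against records


def screen_request(req: TransferRequest) -> list[str]:
    """Apply the post's loss-prevention controls; return reasons to hold the request.

    An empty list means the request cleared every check and may proceed.
    """
    holds = []
    if req.amount > MAX_OUTGOING_AMOUNT:
        holds.append(f"amount {req.amount:,.2f} exceeds outgoing limit {MAX_OUTGOING_AMOUNT:,.2f}")
    account_age = (req.requested_on - req.account_opened).days
    if account_age <= NEW_ACCOUNT_DAYS and req.amount >= NEW_ACCOUNT_LARGE_AMOUNT:
        holds.append(f"new account ({account_age} days old) requesting a large transfer; "
                     "review for money-mule activity")
    if not req.in_person:
        holds.append("request not submitted in person")
    if not (req.pin_verified and req.security_question_ok):
        holds.append("PIN or security question not verified")
    if not req.callback_confirmed:
        holds.append("identity not confirmed by call-back to listed phone number")
    if not req.beneficiary_on_file:
        holds.append("account holder information not validated")
    return holds


def screen_batch(requests: list[TransferRequest]) -> dict[str, list[str]]:
    """Screen a batch; return {account_id: holds} for requests needing review."""
    return {r.account_id: h for r in requests if (h := screen_request(r))}


# Constructed sample batch: one clean in-person request, one that trips several controls.
SAMPLE_REQUESTS = [
    TransferRequest("CU-1001", "wire", 12_000.00, date(2012, 3, 15), date(2015, 2, 20),
                    in_person=True, pin_verified=True, security_question_ok=True,
                    callback_confirmed=True, beneficiary_on_file=True),
    TransferRequest("CU-2042", "ach", 48_500.00, date(2015, 1, 30), date(2015, 2, 20),
                    in_person=False, pin_verified=True, security_question_ok=False,
                    callback_confirmed=False, beneficiary_on_file=False),
]

if __name__ == "__main__":
    for acct, reasons in screen_batch(SAMPLE_REQUESTS).items():
        print(acct, "HOLD:", "; ".join(reasons))
```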

To find out more about recommended authentication measures that can help your credit union and account holders remain more protected from this and other types of cyber crime, register for Allied Solutions’ webinar, Top Authentication and Identification Methods to Protect Your Credit Union.


Allied Solutions is the NAFCU Services Preferred Partner for Insurance – Bond, Creditor Placed (CPI), Guaranteed Asset Protection (GAP), and Mechanical Breakdown (MBP); and rateGenius. More educational resources and contact information are available at www.nafcu.org/allied.

What Credit Unions Need to Know About the Rise of Chip and PIN and Risk

According to the Federal Reserve, Chip and PIN technology involving a secure microchip used with a numeric code makes transactions about 700 times more secure than older payment methods.

Is Chip and PIN technology a priority at your credit union in 2015?

Join Ann Davidson, VP of Risk Consulting, Allied Solutions and Joe Majka, Vice President & Chief Security Officer, Verifone Inc. on March 4th to learn about Chip and PIN technology and other emerging payment solutions (e.g., Apple Pay, tokenization, etc.) that can help your credit union reduce the risk of data breaches.

Ann advocates that credit unions seize the golden opportunity to reduce risk through the adoption of Chip and PIN technology and shares 5 things you need to know about the impact of the rise of Chip and PIN:

CHIP and PIN’s Golden Opportunity

Chip-and-PIN cards, also called EMV (Europay, Mastercard, Visa), or smart cards, utilize a computer chip embedded in the card to authenticate transactions. When this card is inserted into a chip-enabled reader to make a purchase, the chip on the card communicates with the reader by sending a one-time, dynamic code unique to that transaction.

Implementing Chip and PIN card technology prior to October 1st, when new fraud liability rules take effect, will help your credit union:

  • Stop counterfeiting: Makes it impossible for criminals to create counterfeit cards with stolen data because Chip and PIN cards generate a one-time dynamic code that changes with each transaction.
  • Reduce data breach and fraud exposure: Decreases your credit union’s breach and fraud exposure when the physical card is used since Chip and PIN technology security far exceeds magnetic stripe technology.
  • Save time and resources: Cuts the time and resources used by your credit union to process fraud claims and card reissues associated with card data compromises.
  • Get a reputation boost: Builds your credit union’s reputation for member satisfaction, given that consumers are becoming more aware of available payment security options.
  • Facilitate easier international travel payments for members: Makes international travel payments easier in some cases. Much of the world, including Europe, Asia, and Canada, has already converted to chip technology and some international merchants and ATMs no longer accept magnetic stripe cards.

5 Things You Need to Know About Chip and PIN:

  1. If your credit union has not issued your members a Chip and PIN card, but a merchant has the new Chip and PIN technology, your credit union is held liable when fraud occurs.
  2. If you do not have chip-enabled cards by October 1st, you may be targeted by criminals and may have increased risk exposure to magnetic stripe fraud.
  3. Consider upgrading or replacing your ATM terminals to accept Chip and PIN technology before the card associations’ fraud liability shifts occur in 2016 and 2017.
  4. Credit unions should continue to deploy multiple layers of protection and enhance existing fraud detection systems to combat payment fraud in both the “card-present” and “card-not-present” environments.
  5. Chip-and-PIN does not address card-not-present fraud (i.e., online, mail, telephone, or lost/stolen card fraud).*

Increase your credit union’s financial stability, reputation, and member/customer base by seizing the golden opportunity to get rid of risk through Chip and PIN technology in 2015.

Get the knowledge your credit union needs by registering today for Allied Solutions’ Emerging Payment Technologies & Impact on Data Breaches webinar on Wednesday, March 4, 2015.

Presented by Allied Solutions, LLC and NAFCU Services, this webinar is offered at no cost to the credit union community. *Working with Allied Solutions to establish risk management procedures and get cyber liability protection can help mitigate this risk.