Prepare Your Credit Union for Changes in HMDA Data Collection Rules (Part 1)

By Edward Kramer, Executive Vice President of Regulatory Affairs, Wolters Kluwer Financial Services

In 2015, expectations loom large for lenders around finalization of rules for the new Home Mortgage Disclosure Act (HMDA) data collection requirements.

Created as part of the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank), the regulation authorizes the Consumer Financial Protection Bureau (CFPB) to expand the current HMDA dataset in order to help “financial regulators and public officials keep a watchful eye on emerging trends and problem areas in the mortgage market.”

CFPB Seeks More Data Transparency and Timeliness

The proposed changes include required reporting of 37 new data fields, including 20 not currently required under Dodd-Frank. Those 20 fields represent additional information that the CFPB proposes to collect for analytical purposes, including:

  • Detailed property location information
  • Total points and fees
  • Rate spread for all loans
  • Information on loan features such as teasers and introductory rates, and
  • Applicant’s age and credit score

In addition, the CFPB proposes to collect data such as:

  • Borrower’s debt-to-income ratio
  • Combined loan-to-value ratio
  • Loan’s qualified mortgage status, and
  • Inclusion of manufactured housing in collateral

When the CFPB proposed the expanded HMDA data collection specifications in the summer of 2014, it argued for the need for greater transparency and timely access to regulate lending activity, citing concerns that “under the current regime, HMDA data may be reported as many as 14 months after final action is taken on an application or loan.”

Consequently, for financial institutions reporting at least 75,000 covered loans per year, which accounts for the vast majority of loan application registrations in the annual HMDA files, the new rules would require submission of HMDA data on a quarterly rather than annual basis. The CFPB estimates that this specific reporting provision would impact about 28 financial institutions that combined would report about 50% of all HMDA-reported transactions.

Potential for Data Misinterpretation Causes Concern for Many

The regulatory landscape changed dramatically with the 1975 enactment of HMDA and then again with the passage of the Financial Institutions Reform, Recovery, and Enforcement Act of 1989 (“FIRREA”). The latest proposed regulatory changes may have an equal or greater impact on institutions affected by the proposal. This observation is borne out in the anxiety over the new data reporting requirements evident in the October 2014 Regulatory & Risk Management Indicator report, conducted by Wolters Kluwer Financial Services.

According to the report, U.S. credit unions and banks specifically point to the Dodd-Frank Act and the associated HMDA data collection requirements as among their chief concerns. The new data collected will unleash a flood of additional public scrutiny of mortgage lending. And that development, by extension, will likely generate a new level of criticism of the mortgage industry, including credit unions, from those interpreting the newly available data.

It is clear from its recent enforcement actions and guidance that the CFPB holds accurate HMDA data as central to fair lending compliance and its ability to enforce fair lending laws. Inaccurate HMDA data will only serve to mislead the public and will not be tolerated. That said, the additional data, however accurately reported, will be an insufficient basis on which to ground definitive conclusions about discrimination on a prohibited basis. But, the data will generate more room for error as it gets interpreted – or misinterpreted – by regulators, analysts, and the public.

Stay tuned for part 2 of this series to get additional insights about HMDA compliance and technology challenges and a list of key tips you can use to help prepare your credit union for these changes. Get a sneak peek of the tips by watching Tim Burniston, Executive VP at Wolters Kluwer, highlight the HMDA changes in the short video, New HMDA Fields Coming – Are You Ready?

Wolters Kluwer Financial Services is NAFCU Services Preferred Partner for consumer and member business lending and deposit services. For more information on Wolters Kluwer’s products and services, visit http://www.nafcu.org/wolterskluwer/

Become a Vendor Assessment Jedi Using the NIST Cybersecurity Framework

Written by Randy Lindberg, Founder and Managing Partner with Rivial Security (A Quantivate Partner)

There are some ordinary steps that you can take to assess vendor due diligence. But, you don’t want to be ordinary…

To be a Vendor Assessment Jedi, use the NIST Cybersecurity Framework, you must!

Vendor due diligence is the process of ensuring that the use of external IT service providers and other vendors does not create unacceptable potential for business disruption or negative impact on business performance.

To accomplish the objective of vendor due diligence, your credit union needs to:

  • Gather company details such as ownership specifics, company size, products offered, and location
  • Understand the company’s financial position, or rather, is this vendor financially stable enough to service your needs for at least 1 to 2 years
  • Know if the vendor will live up to their promises in terms of reputation via BBB ratings, CFPB complaints, and reference checks
  • Know how well the vendor is going to protect your data

Vendors that provide IT services have additional due diligence requirements. For these vendors, your credit union needs to:

  • Make sure that contract language includes information on the right to audit, data security measures, and data ownership
  • Define specific security considerations and incident response procedures. Additionally, cloud-based IT services raise further data security questions that need answers (FFIEC guidance refers to the NIST 800-145 definition of cloud-based IT service)

Ultimately, your credit union, as the entity responsible for assessing vendor due diligence, must understand the vendor’s cybersecurity stance. How do you determine a vendor’s cybersecurity position? You can request an audit of their security controls, which typically comes back in the form of an SSAE 16 report.

SSAE stands for “Statement on Standards for Attestation Engagements.” The SSAE 16 is delivered in the form of Service Organization Controls (SOC) reports. There are several report types, but the two most common and important are:

  • SOC 1 Type 2, which reports on the design and effectiveness of internal controls over financial reporting; and
  • SOC 2 Type 2, which reports on the design and effectiveness of “trust service principles” such as security, confidentiality, and availability.

In most cases, the SOC 2 Type 2 is the best report for assessing cybersecurity. The SOC 1 report, however, is the most commonly used report. Not all SSAE 16 reports are the same because there is discretion as to which and how many of the five (5) trust services principles are actually examined and reported on during a SOC 2 engagement. You have to dig into some details to understand what is being reported.

For example, if an IT Service Provider has a SOC audit performed on their corporate network, but outsources application development and data center hosting, you’ll essentially be left with a meaningless document.

The ordinary steps used to perform an SSAE 16 review are:

  • Pinpoint findings without adequate management responses
  • Provide complementary user entity controls to system owner and/or IT

But, you want to be extraordinary. By using the NIST Cybersecurity Framework in the following way, you can become a Vendor Assessment Jedi:

  • Review the description of the vendor’s system addressed in the SSAE 16 report
  • Search for “subservice” to find the section where subservice organizations (i.e., any businesses that your vendor contracts with/outsources) are described
  • Use function, category, or subcategory (depending on your technical expertise and comfort level) to ensure control objectives are covered

[Figure: NIST Cybersecurity Framework Core Example]

Using the partial image above, you could search through the SSAE 16 report in a structured manner using the Framework as a guide.

If you use the “subcategory” component of the Framework, you would check the vendor’s report for a control objective that outlines “Response plans incorporate lessons learned” (as highlighted in the example above) or something very similar. If there is sufficient content in the report, you can mark that subcategory as ‘in place’ in your vendor cybersecurity assessment tracking documentation.

Using the NIST Cybersecurity Framework, in this way, to walk through vendor security audit reports provides a useful and efficient method to review vendor security controls.
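The walk-through above can be scripted as a first pass over the text of a vendor report. This is an added example, not code from the article or from Quantivate or Rivial Security; the report excerpt is constructed, and the subcategory subset, search patterns and status labels are assumptions made for illustration.

```python
import re

# Constructed excerpt standing in for text extracted from a vendor's report.
SAMPLE_REPORT = """\
Section 3: Description of the System
ExampleVendor provides online account opening to credit unions.

Subservice Organizations
ExampleVendor uses a subservice organization for data center hosting. The
carve-out method is used; controls at the subservice organization are excluded.

Control Objective 7: Incident Management
The incident response plan is tested annually. Response plans are updated to
incorporate lessons learned from tests and actual incidents.

Control Objective 9: Monitoring
Network traffic is monitored by an intrusion detection system.
"""

# Small subset of Framework subcategories (v1.0 wording). The regexes are this
# example's assumption about report wording and would be tuned per report.
SUBCATEGORIES = {
    "RS.IM-1": ("Response plans incorporate lessons learned",
                r"lessons\s+learned"),
    "DE.CM-1": ("The network is monitored to detect potential cybersecurity events",
                r"network[^.]*monitor"),
    "RC.RP-1": ("Recovery plan is executed during or after an event",
                r"recovery\s+plan"),
}

def paragraphs(text):
    """Split on blank lines and collapse wrapped lines into one string each."""
    return [" ".join(p.split()) for p in re.split(r"\n\s*\n", text) if p.strip()]

def subservice_findings(text):
    """Return (paragraph, carved_out) for every paragraph mentioning 'subservice'.
    carved_out=True means the outsourced function was NOT examined in this report."""
    return [(p, bool(re.search(r"carve[- ]?out", p, re.I)))
            for p in paragraphs(text) if re.search(r"subservice", p, re.I)]

def assess(text):
    """Build tracking rows: 'candidate' (reviewer confirms before marking it
    in place) with the supporting paragraph, or 'gap' when nothing matched."""
    rows = {}
    for sub_id, (title, pattern) in SUBCATEGORIES.items():
        hit = next((p for p in paragraphs(text) if re.search(pattern, p, re.I)), None)
        rows[sub_id] = {"title": title,
                        "status": "candidate" if hit else "gap",
                        "evidence": hit}
    return rows

if __name__ == "__main__":
    for para, carved in subservice_findings(SAMPLE_REPORT):
        print("SUBSERVICE", "(carved out, request their report)" if carved else "", "|", para)
    for sub_id, row in assess(SAMPLE_REPORT).items():
        print(sub_id, row["status"], "|", row["evidence"] or row["title"])
```

A pattern match only points the reviewer at the relevant paragraph; whether the content is sufficient to mark the subcategory ‘in place’ remains a judgment call.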

To learn more about using the NIST Cybersecurity Framework to ensure proper vendor due diligence, register for the upcoming webinar, “Assessing Vendors Using the NIST Cybersecurity Framework,” presented by Randy Lindberg and Dan Banning, Director of Marketing at Quantivate.

Here are some additional resources for you to reference in the process of becoming a Vendor Assessment Jedi at your credit union:

Quantivate is the NAFCU Services Preferred Partner for Vendor and Contract Management. Quantivate partners with Rivial Security to deliver cost-effective data security solutions that enable organizations to protect sensitive data, comply with industry standards, and gain a competitive advantage. Additional educational resources and contact information can be found at www.nafcu.org/quantivate.

Protect Your Corporate Customers from Account Takeovers

Produced by Ann Davidson, VP of Risk Consulting at Allied Solutions

Were you aware that your corporate account holders are at an increasing risk of being targeted by cybercriminals?

Corporate accounts are especially vulnerable to account takeover attacks due to the fact that large wire and automated clearing house (ACH) transfers are frequently performed through these accounts, making fraudulent outgoing wire transfers or ACH credit requests harder to detect.

Additionally, these corporate accounts do not always have the most up-to-date or robust authentication layers in place on transactional activities, which makes it that much easier for criminals to obtain private credentials and take over these accounts.

To help combat these attacks, your credit union should have dynamic authentication methods in place for all consumer and business accounts, and should implement the following loss prevention recommendations:

  • Validate all account holder information when a wire transfer or ACH credit is requested
  • Pay special attention to new accounts performing large outgoing wire transfer or ACH credit requests, as these might be “money mule” accounts
  • Limit the dollar amount on outgoing wire transfers and ACH credit requests
  • Only offer in-person outgoing wire transfers and ACH credit requests
  • Have account holders sign an agreement that specifies that they will be assigned a confidential individual PIN and requires that they answer a security question prior to submitting an outgoing wire transfer or ACH credit request
  • Call back account holders’ listed phone number(s) to confirm their identities prior to performing requested outgoing wire transfer or ACH credit
  • Inform your corporate account holders that they have to do their part to stay protected from these attacks, such as:
    • Implementing anti-virus software on all company owned computers
    • Requiring password protection on all of their employees’ computers, cell phones, landlines, business accounts, and software applications
  • Continue to monitor reliable sources for updated information on risk exposures

To find out more about recommended authentication measures that can help your credit union and account holders remain more protected from this and other types of cyber crime, register for the Allied Solutions webinar, Top Authentication and Identification Methods to Protect Your Credit Union.

Allied Solutions is the NAFCU Services Preferred Partner for Insurance – Bond, Creditor Placed (CPI), Guaranteed Asset Protection (GAP), and Mechanical Breakdown (MBP); and rateGenius. More educational resources and contact information are available at www.nafcu.org/allied.

Compensation and Severance Plan Rule Changes May Impact Your Credit Union

By Kirk D. Sherman and James S. Patterson, Sherman & Patterson, Ltd.

After almost eight years and several false alarms, the IRS may finally issue the new Section 457(f) regulations addressing nonqualified deferred compensation plans and severance plans. Two IRS attorneys speaking at separate events have expressed hope that the regulations will be released by this summer.

Credit unions at greatest risk of having to modify their plans are those that sponsor:

  • Nonqualified deferral plans (other than 457(b) eligible plans) that allow elective deferrals,
  • Nonqualified deferral plans that use noncompete restrictions as substantial risks of forfeiture, and
  • Severance plans providing severance benefits greater than two times compensation.

For other credit unions, the new regulations may be a non-event.

What Should Your Credit Union Do Now?

  • While awaiting the new 457(f) regulations, credit union boards and management can determine whether the credit union sponsors 457(f) plans that use noncompetes or elective deferrals, and whether it has promised severance greater than the two-times limit.
  • Having identified such plans, the credit union (and its advisers) will quickly be able to determine if and how the new rules impact the credit union’s arrangements and what, if any, changes are required.

Understanding the Tax Implications of 457(f) Rule Changes

In 2007, the IRS first announced its intent to change the 457(f) rules.  If the rules are issued as the IRS anticipated, elective deferrals and deferrals subject to noncompete restrictions would no longer defer taxes.  Instead, taxes would be deferred only if the deferrals were non-elective and subject to cliff vesting (i.e., the benefit is forfeited if the executive quits before the specified vesting date).

  • Most credit union 457(f) plans already use cliff vesting, and elective 457(f) deferrals are rare.  Therefore, we expect few credit unions to have to modify their 457(f) plans.
  • The guidance is also expected to address what qualifies as a bona fide severance benefit for purposes of 457(f). Compensation paid under a bona fide severance plan would be taxed as received. Compensation in excess of the bona fide severance limits would be taxed in a lump sum at termination.
  • We expect the bona fide plan limit to be the lesser of two times the executive’s annual total compensation or two times the qualified plan compensation limit (two times $265,000 in 2015).  Credit unions can still pay severance in excess of the two times limit, if fair and reasonable, but the taxation may be different.
  • As with 457(f) plans, we expect that few changes to severance plans will be required to comply with the new rules.
  • For noncompliant 457(f) or severance plans, we expect the new rules to provide a process for transitioning to compliant designs.  Grandfathering of noncompliant arrangements seems unlikely.

What Should Your Credit Union Do When the IRS Issues the Guidance?

After the IRS issues the new 457(f) guidance, and especially if it expands the guidance beyond what is expected, your credit union should check with its advisors to make sure you address any modifications to your nonqualified deferral or severance plans that may be required at that time.

Watch the recent webinar, “Attracting and Retaining Executive Talent with Fair and Reasonable Compensation,” presented by Kirk Sherman, Dr. Loretta Dodgen of Human Capital Solutions Group, and Chris Burns-Fazzi of Burns-Fazzi, Brock to learn more about executive compensation trends and challenges.

Burns-Fazzi, Brock (BFB) is the NAFCU Services Preferred Partner for Executive Compensation and Benefit Consulting. Burns-Fazzi, Brock engages the law firm of Sherman & Patterson to advise on regulatory and tax compliance matters. Sherman & Patterson, located in Minneapolis, MN, has consulted with and represented tax-exempt organizations with their executive compensation needs for the past 30 years. They work closely with NCUA and state credit union regulators, and frequently write and present on these topics.

For more information and educational resources, visit http://www.nafcu.org/BFB.

Your Members Can Protect What Matters During Disability Insurance Awareness Month

If your credit union member is unable to work due to a disabling injury or illness, what would happen to their ability to make their loan payment?

May is Disability Insurance Awareness Month. And, it’s the perfect opportunity to talk to your members about the importance of protecting against the unexpected risk of a disabling illness or injury.

An Underestimated Issue

“According to recent industry studies, many employees think their odds of becoming disabled for at least three months are only 1%[1]. It’s an underestimated issue. More than 25% of today’s 20 year olds will become disabled before they retire[2],” says Ryan Frantzen, National Sales Director, Securian Financial Institution Group.

“There is a major disconnect between what people think their risk of disability is and reality. That’s why we feel it is important for us to help credit unions make members aware of the risk.”

Consider the Gap

  • A recent U.S. Department of Labor employee benefits survey revealed only one in three workers have access to a disability insurance plan through work.[3]
  • Nearly 90% of disabilities are not work related and therefore are not covered by workers’ compensation.[4]
  • Of those who qualified for benefits, approximately 35% of disabled men and 56% of disabled women received less than $1,000 per month in Social Security disability income.[5]

Take Action

You can help reduce your member’s financial burden in the event of an unexpected disability with credit protection programs that include disability benefits. And, members can protect their credit rating by helping ensure their loan will not end up in default, if they are unable to work due to a disabling injury or illness.

Start the conversation by asking your member to imagine their life without their paycheck as they try to pay for their daily living expenses, medical bills, and their loan with your credit union.

To help you promote national Disability Insurance Awareness Month, Securian Financial Group has developed marketing materials to use at your credit union. Request these complimentary materials by contacting Karen Thompson at Karen.thompson@securian.com or 651-665-3695.

Securian is the NAFCU Services preferred partner for credit insurance and debt protection solutions for credit unions. For additional information and educational resources from Securian, visit http://www.nafcu.org/securian.

_________________________________________________________________

[1] CDA. 2013 Employer Disability Awareness Study, p.6.

[2] U.S. Social Security Administration, Fact Sheet February 7, 2013.

[3] Source: Employee Benefits Survey, U.S. Bureau of Labor Statistics, March 2015

[4] Facts from LIMRA, 2014 Disability Insurance Awareness month, October 2014

[5] 2014 Council for Disability Awareness Long Term Disability Claims Review