How To Build A Third Party Cyber Risk Management Program

By: Jake Olcott, VP of Business Development at BitSight

Modern integrated business processes have dramatically expanded the attack surface of organizations in all industries. Institutions can no longer ignore the risk presented by vendors or other business partners, especially with regulatory bodies pushing for formal risk management of vendors and third parties. Assessing cyber risk adds to this challenge. It is one thing to make sure your organization is ready to deal with evolving threats; it is even more difficult to ensure your third parties are also prepared.

So, how can credit unions start evaluating the cyber risk associated with their vendors? More importantly, how can credit unions make this process efficient and cost-effective?

Using the right tools and techniques, those in charge of security and risk can drastically reduce third party cyber risk even if it’s not their primary responsibility. Below are four tips on how to save time and money in this process:

  1. Tier Your Third Parties

Some of your third parties have access to sensitive data that could compromise your employees and customer base. However, it’s likely that many others only have access to nonsensitive data. Identify your most important third parties and spend the most time assessing their security programs. Most organizations use a three or four-tier system.

  2. Adjust Your Contracts

Making sure that the contracts you’ve signed with your third party vendors reflect the level of security you expect is a critical step to managing and reducing third party cyber risk.

  3. Use a Mix of Information to Assess Vendors

There are many ways organizations currently evaluate third party cyber risk. These typically include: standard security assessments and questionnaires, vulnerability scans, penetration tests, on-site visits, and data obtained through continuous monitoring. Taken together, these methods provide a good snapshot of an organization’s security posture.

  4. Continuously Monitor Your Critical Vendors

Just as your organization seeks to continuously monitor its own environment for security risks, it is critical to continuously monitor your critical third party vendors. Cyber is a dynamic environment, and security postures can change overnight. Monitoring your vendors and setting up alerts when security incidents arise is a more efficient way to assess and reduce security risk.

Join Jake for his webinar, “How To Build A Third Party Cyber Risk Management Program,” on August 24 from 2-3pm ET where he will offer tips, techniques, and tools you can leverage to make it an efficient and cost-effective process for your credit union.

BitSight Technologies is the NAFCU Services Preferred Partner for Cybersecurity Ratings for Vendor Risk Management and Benchmarking. More educational resources and partner contact information are available at

CFPB Shares Proposed TRID Amendments

By: Andy Dunn, Senior Attorney, Wolters Kluwer 

Recently the Consumer Financial Protection Bureau (CFPB) released its notice of proposed rulemaking for the Know Before You Owe rule, commonly referred to as TILA-RESPA Integrated Disclosures (TRID). In their press release, the CFPB emphasized four changes: 1) Tolerances for the total of payments; 2) Housing assistance lending; 3) Cooperatives; and 4) Privacy and sharing of information, along with minor corrections across several topic areas.

It’s great to have the CFPB working to formalize the nonbinding verbal guidance it has provided to industry stakeholders, including Wolters Kluwer. The proposed rule helps eliminate the risk, especially in a presidential election year, that nonbinding verbal guidance could lead to future compliance violations following a change in bureau leadership. Once the proposed rule changes are finalized and published, all industry participants will be working from the same playbook.

In working closely with our customers to help them comply with the Know Before You Owe rule, especially around areas where nonbinding verbal guidance from the CFPB was required, we’ve found the most recurring trouble spots came from financial calculations. From the CFPB’s proposed changes it appears many of these areas, including calculating cash to close table; principal reduction/curtailment; summary of transactions table; and escrow account disclosures will be addressed. This is great news for our customers and partners, as many of these calculations are complicated to produce under the current rule.

Wolters Kluwer kicked off its 2016 User Summits and workshops with their ComplianceOne mortgage customers in Bloomington, Minnesota on August 9. The events are being held in 18 U.S. cities, ending in San Antonio, Texas on December 8, 2016. The Summits will provide a great opportunity for ComplianceOne mortgage customers to discuss the proposed rule changes with peers and to share their feedback if they think additional guidance is needed beyond what has been proposed.

Wolters Kluwer is looking forward to responding to the CFPB’s proposal and sharing their customers’ feedback with the bureau. The comment period closes October 18, 2016.

Wolters Kluwer is the NAFCU Services Preferred Partner for Consumer and Member Business Lending & Deposit Services. Learn more at

The HSA: An Uncovered Opportunity for Millennials (and Others Struggling to Pay Healthcare Costs)

By: James Thompson, Product Manager for Ascensus

As a millennial, I can give you a long list of reasons why I don’t think I have enough money to set aside for life’s biggest moments, especially when it comes to healthcare. In fact, most millennials will tell you that they can’t afford to save while acknowledging that they can’t afford not to save. Millennials seem to understand better than the generation before them how important it is to set aside money. It’s just that they don’t think they are capable of saving enough.

So how can millennials—or anyone struggling to save—save enough to combat healthcare costs? Well, if they are eligible, by taking advantage of the triple tax benefits of owning a health savings account (HSA): tax deduction, tax-deferred earnings, and tax-free distributions (if eligible). These tax benefits allow HSA owners to transform their previously taxable money into completely tax-free money. This is a perfectly legal way to avoid taxation on once taxable money—all the way around.

These tax benefits exist because the money in an HSA is intended to pay for medical expenses incurred by the HSA owner or the HSA owner’s dependents. But it’s not a matter of using the HSA in case you incur medical expenses; it’s a matter of using the HSA when you incur medical expenses. That’s where the tax advantages really come into play.

Consider the millennial HSA owner who becomes injured playing Frisbee golf or (insert other millennial-friendly activity here) and has to be seen by a doctor or is hospitalized. That innocent recreational activity resulting in a trip to the doctor may cost the individual hundreds, if not thousands, of dollars.

The beauty of the HSA is that before paying any medical bills ‘out-of-pocket’, the HSA owner can put that payment amount in his HSA (being careful not to exceed the annual contribution limit) and receive a tax deduction for the contribution. The tax deduction is like receiving a discount on his medical bills. For instance, someone in the 25 percent tax bracket essentially is receiving a 25 percent discount on his medical bills by contributing to, or running his money through, the HSA first.

Keep in mind that an HSA owner doesn’t have to put in the total amount of all her medical bills. Many people don’t realize that, if eligible, they can contribute as little or as much as they want to an HSA (up to the statutory limit) as they are able to or on an as-needed basis. There is no federal minimum balance requirement to maintain an HSA so making several small contributions over time may be a viable option for those who feel they cannot set aside much money at one time. For example, an individual who qualifies for the full HSA family contribution amount ($6,750 for 2016) whose medical bills total $6,000 may choose to contribute a more affordable amount, such as $200, in several deposits over time, adding up to $6,000, rather than contribute $6,000 to her HSA in one deposit. In the meantime, the longer these contributions remain in the account, the greater the potential for tax-deferred earnings.

Whenever the HSA owner is ready, he can withdraw from the HSA the amounts contributed to either reimburse himself or pay the healthcare provider directly for medical expenses. And as long as the distributed amount equals his qualified medical expenses, he will not have to pay taxes on the HSA distribution.

Millennial or not, with all of the tax advantages HSAs offer, those who are eligible to make contributions will likely find it worthwhile to build up a healthy HSA balance, as medical expenses often are inevitable, even for young, healthy individuals.

As for those HSA-eligible individuals who believe that they can’t afford an HSA, it is still worth opening one with a minimal balance and adding to it as qualified medical expenses occur. These individuals might as well take advantage of the tax breaks of the HSA (taking into consideration the contribution limit and any previously contributed amounts for the year) before handing it over to the healthcare provider. After all, paying the expense out-of-pocket when eligible for an HSA contribution is like throwing money away.

Ascensus is the NAFCU Services Preferred Partner for IRA, Retirement Plan, and Health Savings Account (HSA) Solutions Software, Training, Documents and Consulting. More educational resources can be found at

Four Emerging Risks Challenging Credit Unions Today

By: Roger Nettie, Senior Risk Management Consultant, CUNA Mutual Group

As the risk landscape continues to shift and evolve, credit unions face two challenges: Staying current with risk trends and integrating risk management into their day-to-day plans and operations.

New risks can present themselves at any moment. So credit unions have to deal with familiar threats while recognizing new ones.

At the upcoming NAFCU Risk Management Seminar in Denver, I will speak about four emerging risks and provide action steps credit unions can take to mitigate and minimize exposure. These include:

  1. Wire transfers and ACH. Wire transfer fraud has been an ongoing problem with HELOC accounts, and fraudsters are evolving their attacks through email impersonations and by targeting real estate closings. ACH origination fraud has also become a new issue, as members and fraudsters are finding ways to take advantage of account-to-account transfer capabilities. Electronic payment systems are a favored target since large quantities of money are moved quickly, increasing the difficulty of retrieving it.
  2. Overdraft fees. Overdraft fees have generated class-action litigation, with members seeking monetary damages, restitution, punitive damages and injunction relief. Plaintiff attorneys are arguing that the calculation of overdraft fees isn’t adequately disclosed.
  3. Collection letters. Post-repossession collection letters have caused the most class-action claims against credit unions in recent years. Attorneys have successfully challenged the fact that many of the letters fail to meet the requirements of state laws that call for disclosures of the terms of sale of repossessed collateral. Damages and/or penalties for failing to adhere to these requirements are generally not insurable.
  4. ATMs and the Americans with Disabilities Act (ADA) compliance. This is a hot-button issue as of late, and it has generated lawsuits. ATMs must be accessible to everyone. Some requirements include: detectable warnings (truncated domes) in place on ramps leading to and from ATMs, volume control, tactile symbols for function keys, privacy options, and Braille instructions. Credit unions have been found in violation of ADA laws for failure to comply with these requirements.

Interested in learning mitigation tips for these emerging risks? Join my session, titled “The Unique Footprint of Emerging Risks,” at NAFCU’s Risk Management Seminar on Wednesday, August 10, from 9 – 10 a.m. MT to hear more.

Roger Nettie is a senior risk management consultant for CUNA Mutual Group. Contact him at

CUNA Mutual Group is the NAFCU Services Preferred Partner for Mortgage Payment Protection. For more information please visit

This article is for informational purposes only and should not be construed as legal advice. Credit Unions should contact their own legal counsel for advice with respect to any particular issue or problem.


Embrace Your Inner Millennial

By: Hayley Haspeslagh, Product Marketing Manager, Geezeo

Some of you may have cringed at this title—after all, who wants to be associated with the Millennials? We know the stereotype of the generation born somewhere in the 80s and 90s who think they’re entitled to a specific way of life and want to change the world (Feel The Bern!), but let’s take a step back for a second and discuss what we know about Millennials and their relationship with financial institutions.

1. Millennials know little about credit unions.

I won’t lie, I’m a Millennial and had very little knowledge of what being a credit union member meant until I began working for Geezeo. Imagine the confusion of the rest of my peers when they hear they shouldn’t be banking with the Top 10. You won’t get our attention with an ad, but 30% of Millennials indicate they’d switch their banking relationship for one free year of banking, 21% for an enhanced digital experience, and 12% for free coffee (yes, please).

2. Millennials love technology.

We can’t live without it. We have most likely had our phones in our hand since our parents bought us our first around age 13. Your digital experience is key to obtaining Millennial members and building lasting connections. In fact, 62% of Millennials link frustration with their bank with tech failure or the inability to carry out an online transaction.

3. Millennials are just like everyone else.

Millennials have expectations… and so do you! Banking can be a chore. When the mobile app is down, who wants to go to the branch? When you need cash, finding the right ATM can be a hassle. All members want a convenient experience using dependable technology to reduce friction. Aside from that? We want an advocate to help us save for each of our goals, pay down our debts and make our financial journey through life as smooth, and easy, as possible.

Millennials are not the only generation, nor do we want to be. A financial institution should build long-term connections with its members through its traditional and digital banking experience.

For a more comprehensive discussion, join Bryan Clagett, Geezeo’s CMO, at the NAFCU Annual Conference and Solutions Expo on Thursday, June 16 at 12:15pm for the session “Perhaps There’s a Millennial in All of Us.”

Geezeo is the NAFCU Services Preferred Partner for Personal Financial Management (PFM).