Credit Union Banks and NCUA IT Compliance
Anirban Banerjee
Credit unions are a lifeline for this country and for many people internationally. More than 6,000 credit unions serve over 100 million members, at least 45% of whom are economically active. Credit unions therefore play an important role in the economy and touch the lives of nearly a third of the US population.
Given that credit unions play a vital role in the economy, we want to focus on the NCUA, the National Credit Union Administration, and its IT regulations. Quoting Wikipedia, the NCUA “is the independent federal agency created by the United States Congress to regulate, charter, and supervise federal credit unions. With the backing of the full faith and credit of the U.S. government, NCUA operates and manages the National Credit Union Share Insurance Fund, insuring the deposits of more than 100 million account holders in all federal credit unions and the overwhelming majority of state-chartered credit unions. As of March 2015, there were 6,206 federally insured credit unions, with assets totaling more than $1.16 trillion, and net loans of $721.9 billion.” – https://en.wikipedia.org/wiki/National_Credit_Union_Administration
We will look specifically at the NCUA’s IT security regulation: the written security program. Within 90 days of the effective date of its insurance, every federally insured credit union must develop a written security program (12 CFR 748.0). The goals of this program are to:
- Protect each credit union office from robberies, burglaries, larceny and embezzlement
- Identify and respond to incidents of unauthorized access to member information
- Assist in identifying the persons who commit, or attempt to commit, such crimes
- Ensure the security and confidentiality of member records, with access tightly controlled
- Prevent the destruction of vital records
We are going to refer to Part 748 of the NCUA Rules and Regulations (12 CFR Part 748), the NCUA’s security guidance for credit unions. Below is a list of the important areas for which credit unions need to plan, with the processes and policies in place to handle the situations described. A Privileged Access Management (PAM) solution can help a credit union meet several of these requirements, though it is one control among several and does not by itself constitute compliance.
(1) 748.1 Filing of reports – (c) Suspicious Activity Report. For the purposes of this paragraph, a transaction “means a deposit, withdrawal, transfer between accounts, exchange of currency, loan, extension of credit, purchase or sale of any stock, bond, share certificate, or other monetary instrument or investment security, or any other payment, transfer, or delivery by, through, or to a financial institution, by whatever means effected.” A credit union must report any known or suspected crime or any suspicious transaction related to money laundering or other illegal activity (for example, terrorism financing, loan fraud or embezzlement), or a violation of the Bank Secrecy Act, by sending a completed suspicious activity report (SAR) to the Financial Crimes Enforcement Network (FinCEN). The reportable circumstances include:
(i) Insider abuse involving any amount. Whenever the credit union detects any known or suspected Federal criminal violations, or pattern of criminal violations, committed or attempted against the credit union or involving a transaction or transactions conducted through the credit union, where the credit union believes it was either an actual or potential victim of a criminal violation, or series of criminal violations, or that the credit union was used to facilitate a criminal transaction, and the credit union has a substantial basis for identifying one of the credit union’s officials, employees, or agents as having committed or aided in the commission of the criminal violation, regardless of the amount involved in the violation.
(4) Notification to board of directors. (i) Generally. The management of the credit union must promptly notify its board of directors, or a committee designated by the board of directors to receive such notice, of any SAR filed.
In short: a credit union must file a report if it knows, suspects, or has reason to suspect that any crime, any suspicious transaction related to money laundering, or a violation of the Bank Secrecy Act has occurred.
A PAM solution can help enforce least privilege across applications and servers, so that an official, employee or agent holds elevated access only when a task requires it. PAM solutions can also record privileged sessions, detect anomalous use of elevated access and block it in real time, which supports both the detection of insider abuse and the evidence a credit union needs when it files a SAR and notifies its board.
(2) 748.2 Procedures for monitoring Bank Secrecy Act (BSA) compliance – (c) Contents of compliance program. Such a compliance program shall at a minimum: (1) provide for a system of internal controls to assure ongoing compliance; and (4) provide training for appropriate personnel.
A PAM solution can help provide continuous assurance over access controls by giving a consolidated view of high-risk individuals and privileged accounts, which makes it easier to reduce the number of people who hold elevated access and to show an examiner who has it and why.
(3) Appendix A to Part 748 – Guidelines for Safeguarding Member Information, III. Development and Implementation of Member Information Security Program, B. Assess Risk. Each credit union should:
1. Identify reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of member information or member information systems;
2. Assess the likelihood and potential damage of these threats, taking into consideration the sensitivity of member information; and
3. Assess the sufficiency of policies, procedures, member information systems, and other arrangements in place to control risks.
and C. Manage and Control Risk. Each credit union should design its information security program to control the identified risks, commensurate with the sensitivity of the information as well as the complexity and scope of the credit union’s activities. Each credit union must consider whether the following security measures are appropriate for the credit union and, if so, adopt those measures the credit union concludes are appropriate:
a. Access controls on member information systems, including controls to authenticate and permit access only to authorized individuals and controls to prevent employees from providing member information to unauthorized individuals who may seek to obtain this information through fraudulent means;
c. Encryption of electronic member information, including while in transit or in storage on networks or systems to which unauthorized individuals may have access;
d. Procedures designed to ensure that member information system modifications are consistent with the credit union’s information security program;
e. Dual control procedures, segregation of duties, and employee background checks for employees with responsibilities for or access to member information;
f. Monitoring systems and procedures to detect actual and attempted attacks on or intrusions into member information systems;
g. Response programs that specify actions to be taken when the credit union suspects or detects that unauthorized individuals have gained access to member information systems, including appropriate reports to regulatory and law enforcement agencies.
A PAM solution can help provide real-time, actionable alerts and context that let IT teams make the right decision about granting elevated access. PAM solutions can also enforce dual-control (two-person) approval, where a second authorized person must agree before privileges are granted to an individual, and can time-box the grant so that elevated access expires on its own rather than accumulating.
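As an added example, not code from this article or from any PAM product, the following Python sketch shows the dual-control and segregation-of-duties checks that Appendix A III.C.1.e asks for and that the paragraph above attributes to PAM tools: a privileged-access request becomes active only after two distinct, authorized approvers sign off, the requester can never approve their own request, the same person cannot count twice, the grant is time-boxed, and every decision lands in a hash-protected audit record that can back a SAR or board notification. The target classes, approver roles, usernames and ticket reference are constructed for the example.

```python
"""Dual-control (two-person) approval of a time-boxed privileged access grant.

Added example for the NCUA Part 748 discussion; not from any PAM product.
Target classes, roles and user names are constructed for illustration.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

REQUIRED_APPROVALS = 2                 # two distinct humans must agree
MAX_GRANT = timedelta(hours=4)         # elevation is always time-boxed
REQUEST_TTL = timedelta(hours=1)       # unapproved requests go stale

# Constructed example: which roles may approve elevation on which target class.
APPROVER_ROLES = {
    "core-banking-db": {"dba-manager", "security-officer"},
    "teller-workstations": {"it-manager", "security-officer"},
}


class PolicyViolation(Exception):
    """Raised when an approval would break the dual-control policy."""


@dataclass
class AccessRequest:
    request_id: str
    requester: str
    target: str                        # a key of APPROVER_ROLES
    privilege: str                     # e.g. "sysadmin"
    reason: str                        # change ticket / justification, kept for audit
    requested_at: datetime
    duration: timedelta                # what the requester asked for (may be capped)
    approvals: list[dict] = field(default_factory=list)
    granted_at: datetime | None = None
    granted_until: datetime | None = None


def approve(req: AccessRequest, approver: str, role: str, now: datetime) -> bool:
    """Record one approval; return True once the grant becomes active.

    Enforces: no double grant, no stale requests, no self-approval, approver
    role authorized for the target, distinct approvers, capped duration.
    """
    if req.granted_until is not None:
        raise PolicyViolation("request already granted")
    if now - req.requested_at > REQUEST_TTL:
        raise PolicyViolation("request is stale; a fresh request is required")
    if approver == req.requester:
        raise PolicyViolation("requester cannot approve their own elevation")
    if role not in APPROVER_ROLES.get(req.target, set()):
        raise PolicyViolation(f"role {role!r} may not approve access to {req.target!r}")
    if any(a["approver"] == approver for a in req.approvals):
        raise PolicyViolation("the same person cannot approve twice")

    req.approvals.append({"approver": approver, "role": role, "at": now.isoformat()})
    if len(req.approvals) < REQUIRED_APPROVALS:
        return False                   # first signature only; not yet active
    req.granted_at = now
    req.granted_until = now + min(req.duration, MAX_GRANT)
    return True


def is_active(req: AccessRequest, now: datetime) -> bool:
    """The grant is usable only from final approval until its expiry."""
    return req.granted_at is not None and req.granted_at <= now < req.granted_until


def audit_record(req: AccessRequest) -> dict:
    """Flat, hash-protected record for a SIEM or for the evidence behind a SAR."""
    body = {
        "request_id": req.request_id,
        "requester": req.requester,
        "target": req.target,
        "privilege": req.privilege,
        "reason": req.reason,
        "requested_at": req.requested_at.isoformat(),
        "approvals": req.approvals,
        "granted_until": req.granted_until.isoformat() if req.granted_until else None,
    }
    digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
    return {**body, "sha256": digest}


def demo() -> tuple[AccessRequest, list[str]]:
    """Walk a constructed request through approval; return it and the rejected attempts."""
    t0 = datetime(2015, 6, 1, 9, 0, tzinfo=timezone.utc)
    req = AccessRequest("REQ-1", "alice", "core-banking-db", "sysadmin",
                        "CHG-42 index rebuild", t0, timedelta(hours=8))
    violations: list[str] = []
    approve(req, "bob", "dba-manager", t0 + timedelta(minutes=5))      # 1 of 2
    attempts = [("alice", "dba-manager", 6),        # self-approval
                ("bob", "dba-manager", 7),          # same approver twice
                ("dave", "it-manager", 8)]          # role not allowed for this target
    for who, role, minute in attempts:
        try:
            approve(req, who, role, t0 + timedelta(minutes=minute))
        except PolicyViolation as exc:
            violations.append(str(exc))
    approve(req, "carol", "security-officer", t0 + timedelta(minutes=10))  # 2 of 2: active
    return req, violations


if __name__ == "__main__":
    r, rejected = demo()
    print(json.dumps(audit_record(r), indent=2))
    print("rejected:", rejected)
```

Two design points matter here: the requested 8 hours is silently capped to the 4-hour maximum, so an approver cannot be talked into an open-ended grant, and `is_active` is bounded on both sides, so a grant cannot be used before the second approval or after expiry. In a real deployment the approvals and the audit record would be written to an append-only store rather than kept in memory.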
In this article we have discussed the NCUA’s IT regulation framework in Part 748 and where a PAM solution can cut down the time and effort required of the IT, security and compliance teams at credit unions.