Compliance Update with Amy K
by Amy Kleinschmit
Chief Compliance Officer
7/11/2019

Regulation CC Final Rule.

Board of Governors of the Federal Reserve System (Board) and Consumer Financial Protection Bureau (CFPB) have issued a joint final rule regarding Regulation CC which implements the Expedited Funds Availability (EFA) Act.

This final rule can be found here.

This rule extends coverage of the EFA Act and Reg CC to American Samoa, the Commonwealth of the Northern Mariana Islands, and Guam which is effective September 3, 2019.

This rule also implements a statutory requirement in the EFA Act to adjust various dollar amounts for inflation. The first adjustments are effective July 1, 2020. The Dodd-Frank Act amendments require that the EFA Act's dollar amounts be inflation adjusted every five years by the annual percentage increase in the Consumer Price Index for Urban Wage Earners and Clerical Workers (CPI-W).

Section 229.10(c)(1)(vii) Next Day Availability.  Currently $200. Effective July 1, 2020, the amount is $225.

Section 229.12(d) Availability Schedule – time period for withdrawal by cash or similar means. Currently $400. Effective July 1, 2020, the amount is $450.

Sections 229.13(a), (b), and (d) Exceptions for new accounts, Large Deposits and repeated overdrafts. Currently $5,000. Effective July 1, 2020, the amount is $5,525.

Section 229.21(a) Civil liability. Prior to July 1, 2020, the amounts are $1,000, and $500,000 respectively. Effective July 1, 2020, the amounts are $1,100, and $552,500 respectively.

These adjusted dollar amounts mean that credit union must provide a change in terms notice next year and every five years there is an increase. Also, remember to update Reg CC notices and disclosures (account opening, lobby, etc) and policy/procedures. With regard to the change in terms notice, Sec. 229.18(e) provides, “Changes in policy. A bank shall send a notice to holders of consumer accounts at least 30 days before implementing a change to the bank's availability policy regarding such accounts, except that a change that expedites the availability of funds may be disclosed not later than 30 days after implementation.”

This section requires the credit union to send notices to their members when the credit union change their availability policies with regard to consumer accounts. A notice may be given in any form as long as it is clear and conspicuous. If the credit union gives notice of a change by sending the member a complete new availability disclosure, the credit union must direct the member to the changed terms in the disclosure by use of a letter or insert, or by highlighting the changed terms in the disclosure.

Commenters to the proposed rule an exception be made for the change in terms notices due to inflation. In response the Board and CFPB noted, “In their final rule, the Agencies decline to establish in Regulation CC an exception to the requirement to send a change-in-terms notice, as this requirement is established by statute. However, the Agencies note several ways that depository institutions may lower their costs under the rule, including providing the required notice electronically and sending it with the monthly account statement, as follows. Electronic delivery is permitted where the institution has complied with the requirements of the Electronic Signatures in Global and National Commerce Act (15 U.S.C. 7001 et seq. (‘‘E-Sign Act’’)). Further, the regulation already permits an institution to send a required change-in-terms notice on or with a monthly account statement, and this is so irrespective of whether the institution sends the notice and statement electronically or in paper form.”

CU PolicyPro Updates.

The second content updates for CU PolicyPro have been completed. There are 16 policy updates and new procedures. The tracked changes version of each update can be found in the Resources area of CU PolicyPro (under the “Updates” tab). Please remember: When updates are made to the Model Policies Manual, these updates do not automatically go into your CU Policies Manual. CU PolicyPro does not want to take the chance of overwriting your content, or putting in content that may not apply to your credit union. 

Access your CU PolicyPro manual here. As a benefit of membership, every CUAD affiliated credit union has access to CU policy pro as a dues supported service.

Policy 1530 – Employee Use of Social Media. This policy was updated to strengthen the guidelines associated with employee use of social media, including a paragraph regarding employee privacy. (Recommended)

Policy 1531 – Credit Union Use of Social Media. Updated to include more up-to-date references to social media and to include responsibilities and authorities designated by the Credit Union for managing social media. (Recommended)

Policy 2245 – Protecting the Elderly and Vulnerable from Fraud. This policy was revised to incorporate the change in law resulting from S.2155 related to the protection for employees and institutions from administrative and civil proceedings under federal law if they disclose suspected exploitation of a senior citizen. In order to receive this immunity, there are certain requirements the credit union must meet, which are now outlined within policy. (Recommended)

Policy 2400 – Funds Availability. This policy was amended to correct the references made within Section 6 and to clarify the coverage and exception noted in Section 4. (Recommended)

Policy 2610 – ACH Operations. This policy was revised to include the changes made by NACHA allowing for same day ACH transactions processed during the first processing window to be made available by 1:30pm local time for the RDFI. This change does not become effective until September 20, 2019. (Recommended)

Policy 2611 – ACH Management. This policy was revised to include the changes made by NACHA allowing for same day ACH transactions processed during the first processing window to be made available by 1:30pm local time for the RDFI. This change does not become effective until September 20, 2019. (Recommended)

Policy 2612 – ACH Audit. This policy was revised to include the changes made by NACHA allowing for same day ACH transactions processed during the first processing window to be made available by 1:30pm local time for the RDFI. This change does not become effective until September 20, 2019. (Recommended)

Policy 4120 – Information Security. Updated to include changes related to password complexity, external network connections, new system set up, systems removal and disposal, application development, internet connections and a reference to social media policy requirements. (Recommended)

Policy 4125 – Incident Response. This policy was updated to include definitions for determining incident severity and workflows based on the severity of the incident.  This policy was also revised include cybersecurity training requirements for both the employees and Board of Directors. The credit union should amend the policy accordingly based on their current program parameters.

Policy 4300 – Computer Security & Control. This policy was updated to remove the dated technology references, added examples under Unauthorized and Destructive Programs and added additional requirements under the Computer Usage section. (Recommended)

Policy 4305 – Configuration Management. This policy was updated to add references to www.cisecurity.org and https://iase.disa.mil for published baseline security configuration templates. (Recommended)

Policy 4310 – Patch Management. Updated to add additional System Administrator Responsibilities, added references under Identifying Patch Information and also to include emergency updates under Patch Cycle Scheduling. (Recommended)

Policy 4315 – Firewalls. Updated to include a section on firewall ingress and egress policies, authentication requirements for firewall administrators and auditing recommendations for firewalls. (Recommended)

Policy 4320 – Computer Hardware and Software Acquisition. Updated to strengthen requirements for purchasing software and hardware, update reference to technology and added supervision criteria for nonlocal maintenance. (Recommended)

Policy 4340 – Remote Access. This policy was revised to reflect the annual threshold changes for exemption under the home mortgage disclosure act. The threshold has been changed to exempt credit unions that are under $46 million in assets as of December 31, 2018. (Recommended)

Policy 4350 – Cloud Computing. Added authentication controls for all internet facing cloud services that host or process member information, employee information or propriety information to be protected by multi-factor authentication and/or IP address restrictions. (Recommended)

Policy 4400 – Change Management Procedures ** New Procedure. The Change Management Procedures were created as a result of credit union requests and the expectation of examiners. In addition to the proposed model procedures, the “Change Management Request Form” was also added to the “Resources” section of CU PolicyPro under “Tools” and “Sample Forms.” (Recommended)

Policy 5200 – Liquidity Risk Management. Because examiner expectations surrounding this policy are increasing, we have expanded the content of this policy to include model liquidity parameters, pre-emptive liquidity risk monitoring provisions, ability to grant policy exceptions, sources of liquidity to utilize in the event of contingency events, and additional sources of contingency funds. (Recommended)

 

As always, CUAD members may contact Amy Kleinschmit with any compliance related questions.

 

<< Go to Memo List