ALEXANDRIA, Va. (1/30/08)—Third-party vendor relationships and strategic planning were the topics of a Tuesday National Credit Union Administration (NCUA) Webinar on key credit union examination issues for 2008, moderated by board member Gigi Hyland. Dominick Nigro, information systems officer of the NCUA’s Office of Examination and Insurance, noted that credit unions find vendor relationships in many areas or operations, such as lending services, auditing and management consulting services, asset liability management, Bank Secrecy Act and Office of Foreign Asset Control compliance, data processing and internet banking services. Nigro noted that although the NCUA recognizes the value that can come from third-party relationships, NCUA examiners are increasingly identifying problem areas associated with such arrangements. He discussed two key elements of an effective program, which he identified as good risk assessment and planning and effective due diligence work. Nigro also indicated that an effective program must address the different levels of risks that may be associated with different vendors. The more critical the service, the deeper the credit union’s review of the relationship must be, he advised. Effective due diligence must also include background checks, review of the vendor's business model, and the vendor's financial condition. Board member Hyland specifically highlighted the need to review the legal agreement with the vendor and to ensure compliance with all applicable state and federal laws. The other important element discussed was the need for written policies and procedures for measuring, monitoring, and controlling risk. Although credit unions may refer to samples that other credit unions use, they are cautioned to use them as a starting point and to adjust them, as necessary. However, credit unions may not need to perform a risk assessment for current vendor relationships, but should review these relationships if circumstances change. On the topic of credit union strategic planning, Debra Tobin, and NCUA supervisory examiner and economic development specialist, said that the focus away from the CAMEL matrix to a risk assessment approach means that strategic planning is more important than ever. Tobin said that planning documents should include a strategic plan, business plan and budget, and should vary in complexity with the size and complexity of the credit union. She also discussed a planning process that credit union may use and that performance measurement should include a method to measure, monitor, and report results as well as make changes as necessary. An inadequate planning process, she said, can result in material losses to the credit union’s earnings and/or net worth. NCUA’s Hyland also stressed that evaluation and making adjustments to these plans is a critical part of the process. The benefit of using a "facilitator" was also highlighted. The webinar will be posted on the NCUA website in about a month and will include a "frequently asked questions" section that will address all the questions that were raised by credit unions during this webinar.
WASHINGTON (1/30/08)—The National Credit Union Administration (NCUA) is sounding the alarm about a new scam in which fraudulent wire transfers have been performed on home equity lines of credit (HELOC) at several financial institutions, including credit unions. The alert, issued Monday, advises credit unions to be diligent in protecting access to member accounts and to ensure credit union staff receive adequate training to recognize fraudulent activity. In instances of the HELOC scam, the NCUA said, an imposter typically obtained publicly available HELOC information from filings with state and local government entities and, combined with social engineering tactics, obtained access to member accounts. The imposter then initiated a draw on the member’s HELOC account, and subsequently initiated a wire transfer from the account. The regulator’s alert noted that some of the scams involved a high level of sophistication, which enabled the fraudster to bypass certain authentication controls. For instance, in some cases the imposter had the ability to fool Caller ID software by making it appear that the call initiated from the account holder’s valid phone number. In others, the imposter was knowledgeable of recent account activity--such as deposit or withdrawal amounts--and used such information to authenticate himself/herself as the account holder to the credit union representative. In the warning signed by David M. Marquis, NCUA’s director of examination and insurance, credit union management was advised that there may be variants to the scam described in the alert, such as similar fraudulent activities being launched for accounts other then HELOCs. The NCUA said it will continue to follow the issue and provide additional information as warranted. It also reminded that, where appropriate, management must file a Suspicious Activity Report in accordance with established regulation.