CUNA Comment Letter

NCUA Internal Regulatory Review (2005)

August 5, 2005

Mr. Paul Peterson
Staff Attorney
Office of General Counsel
National Credit Union Administration
1775 Duke Street
Alexandria, Virginia 22314-3428

Via E-mail: ppeterson@ncua.gov

Re: NCUA Regulatory Review (2005)

Dear Mr. Peterson,

I am responding to NCUA’s notice identifying existing agency regulations undergoing review this year. The Credit Union National Association (CUNA) supports NCUA’s ongoing effort to examine its regulations with an eye to modifying or eliminating regulations that are out-of-date, redundant or overly burdensome. By way of background, CUNA is the largest credit union trade association, representing approximately 90% of our nation’s nearly 9,100 state and federal credit unions, which serve more than 87 million members.

Summary of CUNA’s Position

Discussion

Public Notice

We applaud NCUA for providing notice to the public of the one-third of the agency regulations being reviewed each year so credit unions and other interested parties may have the opportunity to weigh in on the process. However, the notice is not published in the Federal Register; the list of the regulations is only available on the NCUA website. The notice for this review was not easily found on the website. We encourage NCUA to ensure that future notices are posted in a more prominent fashion.

Security Program, Report of Crime and Catastrophic Act and Bank Secrecy Act Compliance (Part 748)

Implementing an appropriate anti-money laundering compliance program is complex. Credit unions must monitor and report on accounts for suspicious activity (Suspicious Activity Reports or SARs) as well as for currency transactions in excess of a certain threshold amount (Currency Transaction Reports or CTRs). They must also keep up to date with Office of Foreign Assets Control (OFAC) blocked transactions lists, FinCEN’s 314(a) lists, and the BSA exemption list. Further, credit unions must obtain and retain additional information when completing a transaction in cash that includes: wire transfers, selling drafts, cashiers checks money orders, and travelers checks. We believe that it would be beneficial to include in the rule a reference to the Federal Financial Institutions Examination Council's Bank Secrecy Act/Anti-Money Laundering Examination Manual (Manual) that was issued in June. The Manual discusses the majority of the issues surrounding BSA/anti-money laundering compliance and answers many questions that credit unions would have. We think including a reference to this comprehensive resource and where it can be found will help to ensure that credit unions seeking additional guidance are aware of the existence of the Manual. The FFIEC Bank Secrecy Act/Anti-Money Laundering Examination Manual InfoBase Website, which has the Manual as well as other resources such as forms, red flags, and frequently asked questions (FAQs), is an extremely valuable resource. The rule could note that the NCUA website has a special page devoted to Bank Secrecy Act-related materials, which includes a link to the Manual.

In this vein, the other FFIEC agencies are conducting joint Bank Secrecy Act/Anti-Money Laundering Examination Manual outreach through nationwide meetings and conference calls conducted by regulators. Credit unions have some of the same issues and concerns with BSA/anti-money laundering compliance as well as unique ones involving, for example, CUSOs and service centers. We encourage NCUA to consider similar outreach activities for credit unions.

The supplemental information to NCUA’s final rule adding Appendix B – Guidance on Response Programs for Unauthorized Access to Member Information and Member Notice to Part 748 of NCUA’s Rules states that the guidance on response programs in that appendix only applies to "information that is within the control of the credit union and its service providers." We have received inquiries from several of our members regarding what the guidance would require them to do in the event there is a breach of member data that occurred not at the data processor with which the credit union contracted but rather somewhere else, such as another card payment processor with no direct link to the credit union. We suggest NCUA clarify the Appendix to explicitly state that the guidance only covers credit unions and their contracted service providers. We feel that in the event of a breach at a card processor with no link to the credit union, it should be the credit union’s call (business judgment) as to whether the situation warrants notifying the membership and/or NCUA.

Records Preservation Program and Record Retention Index (Part 749)

We believe it would be useful for NCUA to provide detailed guidance on the issue relating to records preservation in the case of a merger of credit unions. When a credit union merges with another credit union, the surviving credit union maintains the records of both credit unions. Specifically, we suggest the rule contain additional direction to assist the surviving credit union in determining which records from the merged credit union should be retained permanently or periodically destroyed.

We would also suggest amplifying the portion of Appendix A – Record Retention Guidelines pertaining to recommended minimum retention times. Section D states that "[s]ince each state can impose its own rules, it is prudent for a credit union to consider consulting with local counsel when setting minimum retention periods." It would be beneficial to provide examples of the types of records that may be subject to state law, such as paid-off loan documents and cancelled checks.

Thank you again for the opportunity to express our views on this regulatory review notice. If you have any questions about this letter, please contact me by phone at (202) 508-6743 or by e-mail at corr@cuna.com.

Sincerely,

Catherine Orr
Senior Regulatory Counsel
Credit Union National Association