CUNA Comment Letter
NCUA Internal Regulatory Review (2005)
August 5, 2005
Mr. Paul Peterson
Office of General Counsel
National Credit Union Administration
1775 Duke Street
Alexandria, Virginia 22314-3428
Via E-mail: email@example.com
Re: NCUA Regulatory Review (2005)
Dear Mr. Peterson,
I am responding to NCUAs notice identifying existing agency regulations undergoing review this year. The Credit Union National Association (CUNA) supports NCUAs ongoing effort to examine its regulations with an eye to modifying or eliminating regulations that are out-of-date, redundant or overly burdensome. By way of background, CUNA is the largest credit union trade association, representing approximately 90% of our nations nearly 9,100 state and federal credit unions, which serve more than 87 million members.
Summary of CUNAs Position
- We encourage NCUA to post these internal regulatory review notices more conspicuously on the agencys website.
- It would be helpful to credit unions wanting more information for their anti-money laundering compliance program for NCUAs rules concerning Bank Secrecy Act (BSA) compliance to contain a reference to the Federal Financial Institutions Examination Council's Bank Secrecy Act/Anti-Money Laundering Examination Manual. We encourage NCUA to consider conducting BSA/anti-money laundering outreach for the credit union industry.
- Appendix B Guidance on Response Programs for Unauthorized Access to Member Information and Member Notice to NCUAs Rules regarding security programs could be clarified to explicitly state that the guidance only covers credit unions and the service providers with which they have contracted.
- NCUAs records preservation regulation could be expanded to include guidance for the surviving credit union following a merger with respect to retaining records from the non-surviving credit union. In addition, with respect to recommended minimum retention periods, it would be helpful for the rule to indicate the types of records that may be subject to state law.
We applaud NCUA for providing notice to the public of the one-third of the agency regulations being reviewed each year so credit unions and other interested parties may have the opportunity to weigh in on the process. However, the notice is not published in the Federal Register; the list of the regulations is only available on the NCUA website. The notice for this review was not easily found on the website. We encourage NCUA to ensure that future notices are posted in a more prominent fashion.
Implementing an appropriate anti-money laundering compliance program is complex. Credit unions must monitor and report on accounts for suspicious activity (Suspicious Activity Reports or SARs) as well as for currency transactions in excess of a certain threshold amount (Currency Transaction Reports or CTRs). They must also keep up to date with Office of Foreign Assets Control (OFAC) blocked transactions lists, FinCENs 314(a) lists, and the BSA exemption list. Further, credit unions must obtain and retain additional information when completing a transaction in cash that includes: wire transfers, selling drafts, cashiers checks money orders, and travelers checks. We believe that it would be beneficial to include in the rule a reference to the Federal Financial Institutions Examination Council's Bank Secrecy Act/Anti-Money Laundering Examination Manual (Manual) that was issued in June. The Manual discusses the majority of the issues surrounding BSA/anti-money laundering compliance and answers many questions that credit unions would have. We think including a reference to this comprehensive resource and where it can be found will help to ensure that credit unions seeking additional guidance are aware of the existence of the Manual. The FFIEC Bank Secrecy Act/Anti-Money Laundering Examination Manual InfoBase Website, which has the Manual as well as other resources such as forms, red flags, and frequently asked questions (FAQs), is an extremely valuable resource. The rule could note that the NCUA website has a special page devoted to Bank Secrecy Act-related materials, which includes a link to the Manual.
In this vein, the other FFIEC agencies are conducting joint Bank Secrecy Act/Anti-Money Laundering Examination Manual outreach through nationwide meetings and conference calls conducted by regulators. Credit unions have some of the same issues and concerns with BSA/anti-money laundering compliance as well as unique ones involving, for example, CUSOs and service centers. We encourage NCUA to consider similar outreach activities for credit unions.
The supplemental information to NCUAs final rule adding Appendix B Guidance on Response Programs for Unauthorized Access to Member Information and Member Notice to Part 748 of NCUAs Rules states that the guidance on response programs in that appendix only applies to "information that is within the control of the credit union and its service providers." We have received inquiries from several of our members regarding what the guidance would require them to do in the event there is a breach of member data that occurred not at the data processor with which the credit union contracted but rather somewhere else, such as another card payment processor with no direct link to the credit union. We suggest NCUA clarify the Appendix to explicitly state that the guidance only covers credit unions and their contracted service providers. We feel that in the event of a breach at a card processor with no link to the credit union, it should be the credit unions call (business judgment) as to whether the situation warrants notifying the membership and/or NCUA.
We believe it would be useful for NCUA to provide detailed guidance on the issue relating to records preservation in the case of a merger of credit unions. When a credit union merges with another credit union, the surviving credit union maintains the records of both credit unions. Specifically, we suggest the rule contain additional direction to assist the surviving credit union in determining which records from the merged credit union should be retained permanently or periodically destroyed.
We would also suggest amplifying the portion of Appendix A Record Retention Guidelines pertaining to recommended minimum retention times. Section D states that "[s]ince each state can impose its own rules, it is prudent for a credit union to consider consulting with local counsel when setting minimum retention periods." It would be beneficial to provide examples of the types of records that may be subject to state law, such as paid-off loan documents and cancelled checks.
Thank you again for the opportunity to express our views on this regulatory review notice. If you have any questions about this letter, please contact me by phone at (202) 508-6743 or by e-mail at firstname.lastname@example.org.
Senior Regulatory Counsel
Credit Union National Association