Washington State Department of Financial Institutions

Division of Credit Unions

Bulletins 2005

DCU Bulletin

Division of Credit Unions
Washington State Department of Financial Institutions
Phone: (360) 902-8701 FAX: (360) 704-6901


September 22, 2005
No. B-05-06

Guidance When Data Security Systems are Breached (PDF)

It is possible that unauthorized access to your credit union’s member personal information may occur, even though your credit union has taken steps to secure and protect the information technology systems from internal and external breaches. Generally those steps include actions to assure that third party service providers are protecting your member’s personal information, actions to conduct satisfactory testing of your credit union’s systems (including penetration testing), and other important steps to minimize the threat of a security breach. This Bulletin provides information about recently adopted rule and law changes, as well as regulatory guidance that will help your credit union develop a security response system to properly respond to security breach incidents.

New Washington State Law

A new section of state law, RCW 19.255.010 (see Appendix I), has been adopted, effective July 24, 2005, that will affect businesses that own computerized data, which includes personal information. This new RCW provides for member notification, “without unreasonable delay,” in the event of breach of data security. The negative impact of a security breach incident could be devastating if management is not ready to respond quickly with a well thought out plan. Therefore, your credit union should have a response plan in place and should have tested it to an appropriate level...

Read the complete Bulletin B-05-06 (PDF)...


September 12, 2005
No. B-05-05

Corporate Governance Models
(PDF revised October 26, 2005; see endnotes)

The Division of Credit Unions (DCU) and the Washington Credit Union League (WCUL) worked with a task force to develop model policies for Washington credit unions. DCU requested the task force to help answer questions about election of officials and membership rights. The model policies are offered to credit unions as suggestions, do not have the force of law, and are not part of the examination. Please accept these model policies as an opportunity for discussion. Also be aware some of these policies are subject to on-going litigation. The model policies are:

Management and elected volunteers of credit unions are invited to four meetings across the state to discuss the model policies with representatives from DCU, WCUL, and members of the corporate governance task force. If you have any questions, please contact Linda Jekel, DCU Director at 360-902-8778 or Ljekel@dfi.wa.gov, or Stacy Augustine, WCUL Senior VP/General Counsel at 1-800-552-0680, Ext 121 or SAugustine@waleague.org.

Read the complete Bulletin 05-05 (PDF revised October 26, 2005; see endnotes)...


July 25, 2005
No. B-05-04

Unclaimed Property: What Credit Unions Need to Know

The Department of Financial Institutions periodically receives questions from credit unions on how to treat unclaimed property. We worked with the Washington State Department of Revenue (DOR) to compile a list of answers to commonly asked questions.

While this bulletin is written for Washington state-chartered credit unions, we encourage federal and out-of-state credit unions doing business with Washington residents to use it as a guide as well.

What is unclaimed property?

Unclaimed property is money or intangible property owed to an individual or business. Property is considered unclaimed after it is held for an extended period of time with no owner contact and a “good faith” effort has been made to locate the owner.

What do Credit Unions do with unclaimed property?

The Washington Unclaimed Property Act (Chapter 63.29 RCW) requires businesses and other organizations to review their records each year to determine whether they hold any funds, securities, or other property that have remained unclaimed for the required abandonment period. Holders of unclaimed property must file an annual report and transfer the property to DOR. Abandoned property that must be turned over to the state includes:

What happens to property when it is turned over to the state?

State law protects unclaimed property until it is returned to its rightful owners or their heirs. DOR acts as custodian of the property and administers a program to locate the owners. Once reported to DOR, unclaimed property is available for refund to owners or their heirs indefinitely.

When is property considered abandoned?

The holding period before property is considered abandoned varies by type of property. The types of property usually held by credit unions are discussed in this bulletin. You can find examples of other property that is reportable, and the reporting period for each type, in the Unclaimed Property Reporting Booklet, published by DOR.

Savings (Share) and Checking (Share Draft) Accounts

Savings (share) and checking (share draft) accounts are abandoned if there is no positive owner contact for three years. Positive owner contact is any documented contact initiated by the owner, including:

Positive owner contact does not include:

One problem unique to credit unions is that they often require members keep a share account in order to have certificates of deposit or other accounts. If the member’s share account becomes unclaimed property, but related accounts are not, the credit union must either report the related accounts early, or change its bylaws to allow related accounts to stay open without the share account.

Safe Deposit Boxes

For safe deposit box contents, the abandonment period is five years, which begins at the expiration of the box lease.

Uncashed Checks

Uncashed official checks, like cashiers checks or certified checks, are presumed abandoned three years after they are issued, or three years from the last positive owner contact. Payroll checks are reportable after one year. Credit unions may not deduct any charges for a payee’s failure to present the check for payment.

The payee is the owner of a check, not the member who wrote it. As a result, credit unions may not redeposit stale-dated check amounts back in a member’s account without a written statement from the member indicating that the check was either lost or not used for the purpose intended.

Credit unions are rarely required to report uncashed money orders or traveler’s checks, as that is generally the responsibility of the company that originates them, such as American Express. However, if the credit union issues its own money orders, it will be required to report them.

Certificates of Deposit (Share Certificates)

Non-renewing certificates of deposit (CDs), also known as share certificates, are presumed abandoned three years after maturity. Automatically renewing CDs are abandoned three years after the expiration of the initial rollover period. If the rollover period is less than one year, the period to count for abandonment begins after one year.

IRAs, KEOGHs, and Other Retirement Plans

Traditional retirement accounts are not payable or distributable until distribution of all or part of the funds would be mandatory, when the account holder is 70 years old. Traditional retirement accounts need to be reported to DOR when the owner is at least 73 years old and there has been no positive owner contact for three years.

Roth IRAs are not payable until the owner reaches 59 years old. Thus, Roth IRAs do not need to be reported until the owner is at least 62 years old, and there has been no positive owner contact for three years.

Pre-Paid Credit or Debit Cards

Credit union-issued gift certificates (including pre-paid credit or debit cards) that may be used for buying goods or services at unaffiliated businesses are presumed abandoned after three years of non-activity. Other types of gift certificates and cards are subject to more complex rules, which changed on January 1, 2005. Before embarking on a gift card program, credit unions should consult legal counsel to ensure that they are following the appropriate rules.

When do Credit Unions have to report unclaimed property to the state?

Credit unions are required to report unclaimed property to DOR annually, before November 1 each year, for property that has gone unclaimed for the required period as of June 30 of that year. If the required abandonment period ends after June 30 of any year, the property is reported the following year. Credit unions that have reported unclaimed property in the past, but have nothing to report for the current year, should file a zero report.

Savings (Share) and Checking (Share Draft) Accounts

For most property held by credit unions, such as deposits and checks, the abandonment period is three years. Thus, property that has gone unclaimed for three years as of June 30, 2005 must be reported before November 1, 2005. No fees may be assessed against accounts after June 30, but interest must continue to be paid on funds in interest-bearing accounts. The following examples are for the 2005 reporting period:

Safe Deposit Boxes

Safe deposit box contents are considered abandoned five years after the expiration of the box lease. If safe deposit contents have gone unclaimed for five years as of June 30, 2005, they must be reported before November 1, 2005. The box contents are not sent with the report. DOR will notify the credit union of when and how the box contents must be delivered.

In some cases, DOR will reject safe deposit box contents. If DOR rejects the contents, the credit union may dispose of them as it chooses. Within five years after delivery to DOR, the agency sells safe deposit box contents at auction. After the auction, credit unions may claim auction proceeds as reimbursement for drilling fees and rental charges. The following example is for the 2005 reporting period:

Do Credit Unions to report the property of out-of-state owners or owners without addresses?

All credit unions, regardless of their location, must report to DOR any unclaimed property they hold that belongs to someone with a last known address in Washington. Credit unions incorporated or domiciled in Washington must also report property of unknown owners, items with no owner address, and property of owners with foreign last known addresses. Washington domiciled credit unions may report out-of-state abandoned property to DOR, but they must follow the other state’s abandonment periods. However, some states may require credit unions to report property directly to them.

Do Credit Unions have to pay interest on inactive accounts before they become abandoned?

Credit unions must pay interest on interest-bearing accounts until the property is sent to the state, unless the contract with the account-holder permits the credit union to stop paying interest. Once the monies in an interest-bearing account are sent to DOR, the state pays interest on the funds for up to ten years, at the same rate reported by the credit union.

Do Credit Unions have to notify property owners before reporting abandoned property to the state?

For items $75 or greater, written notices must be sent to owners between May 1 and August 1 for property that is reportable to DOR before November 1 of that year. The credit union only needs to send notices to owners who appear to have valid addresses. The notice should inform the owner that, if not claimed, the property will be reported to the state by a certain date. (See the sample letter in the Notification of Owners Guide on the DOR Unclaimed Property website. Links to this guide are at the end of this bulletin.)

When can Credit Unions charge inactivity fees and stop paying interest on accounts?

DOR’s position on charging inactivity fees is, they are generally not in the best interest of the missing owner. Customers impacted by these fees are usually unaware of them and cannot complain or move their funds. Incorrectly charged inactivity fees or ceased interest will be considered unclaimed property if discovered during a DOR audit.

Before charging inactivity fees or ceasing interest on an account, the credit union must fulfill three requirements:

First, there must be an enforceable written contract with clear terms allowing inactivity charges or ceasing of interest. The contract should clearly define what inactivity is, and when the charge will begin or interest will cease. The contract must be accessible to members. If the credit union changes its inactivity terms, it must send a notice of those changes to all account holders at their last known addresses.

Second, for accounts over $10, the credit union must send written notice to the owner, at his or her last known address, no more than three months before the first inactivity charge or cessation of interest. The notice must state the amount of the fee or that interest will cease.

Third, the credit union must regularly impose such charges or cease interest payments, and it must not regularly reverse or cancel them or retroactively credit interest on accounts.

For More Information

The DOR Unclaimed Property Section publishes a number of guides, which can be found on their website, with more detailed information to help you follow Unclaimed Property Act rules. You may find the following guides particularly useful:

General Information Guide
Financial Institutions Guide
Notification of Owners Guide
Unclaimed Property Reporting Booklet
Audits, Internal Control, and Recordkeeping Guide
Unclaimed Property Review for Financial Institutions may be requested by calling Nancy Savage at the number listed below.

DOR also has representatives who will come to your credit union and answer questions about unclaimed property reporting at no charge. Consultations can help credit unions avoid mistakes and reduce the chance of being selected for an audit. To schedule a consultation, send an email to ucp@dor.wa.gov, or call 1-800-435-2429 (in Washington) or (360) 705-6706. If you have any other questions, please call Nancy Savage of DOR at (360) 570-3254.


April 1, 2005
No. B-05-03

Focusing on Bank Secrecy Act (BSA) Compliance

This Bulletin serves the dual-purposes of alerting Washington state-chartered credit unions to the heightened sensitivity of Bank Secrecy Act (BSA) compliance, and that BSA compliance will be a major examination focus in 2005 and beyond.  To these ends this Bulletin advises credit unions about new reporting requirements the Division of Credit Unions (Division) must follow and provides guidance as to Division examiner’s expectations of state chartered credit unions. This Bulletin also discusses time frames and guidelines for resolving significant BSA violations found by Division examiners.

Background

In October 2004, the Financial Crimes Enforcement Network (FinCEN) entered into agreements (known as Memorandums of Understanding) with all federal banking regulators, including the National Credit Union Administration (NCUA), concerning the reporting of significant BSA violations.  The agreement went into effect on December 1, 2004 and both the Division and all state credit union regulators will be bound to similar reporting requirements.  Currently, FinCEN is negotiating with state regulators to develop separate agreements with each state.  These agreements may cause slight variations from the guidance in this Bulletin for future BSA reporting requirements for the Division.

Reporting Expectations

Under the agreement entered into by NCUA and FinCEN, the Division is expected to identify and report significant BSA compliance violations to the NCUA, who will then report these violations to FinCEN.  Significant BSA violations include pervasive violations, systemic violations, and repeat findings.  Appendix A contains definitions of pervasive, systemic, and repeat violations.  Appendix B provides a list of Frequently Asked Questions (FAQs) that better define and illustrate significant BSA violations.

Correction of Violations

Once a significant BSA violation has been identified by examiners, it is important that credit union management correct the violation as soon as possible.  Division examiners will set-up an acceptable time frame for the BSA violation to be corrected.  Under NCUA plans, this time frame must be no longer than 90 days from the date the violation was discovered by the examiner.  Individual credit unions will be required to forward documentation to the Division examiner that shows the significant BSA violation was satisfactorily corrected.  After the examiner verifies that satisfactory correction was made, the Division will notify NCUA of the resolution.  NCUA will in turn notify FinCEN that satisfactory correction was made.  It is imperative that all significant BSA violations be corrected within 90 days of identification by Division examiners.

Exam Focus

The Division recommends that credit union management be proactive in identifying weaknesses and problems in their credit union’s BSA compliance program.  Specifically, credit unions should take the following steps to ensure BSA compliance:

At a minimum, a satisfactory BSA policy should cover the following required elements:

  • Identification of a member’s name, date-of-birth, address, and identification number prior to account opening;
  • Verification of the information obtained.
  • Are CTRs filed timely (within 15 days) when necessary (involves more than $10,000 in cash-in or cash-out)?
  • Does the credit union properly exempt permitted people from filing CTRs by filing a “Designation of Exempt Person” form?
  • Are SARs filed within 30 days after discovery of a suspicious activity?
  •  Is staff aware of what activity might be termed “suspicious”?
  • Does the credit union block or freeze accounts and transactions that are found to match the prohibited OFAC listing?
  • Does the credit union report this information to FinCEN immediately?
  • Credit unions that provide money transfer services (i.e. wire transfers) must obtain and record specific information on each money transfer of $3,000 or more.
  • Other BSA Compliance Requirements

The importance of following the Bank Secrecy Act requirements cannot be over-emphasized.  Federal government regulators, FinCEN, The Department of Homeland Security, OFAC and others, have elevated even more the importance of blocking transactions that occur at financial institutions that might benefit terrorism and drug trafficking.  To this end, they have elevated the importance of BSA and are requiring that financial institutions, including credit unions and their regulators, elevate the importance of examining for BSA compliance.  Federal monetary penalties can be assessed to financial institutions who do not comply with BSA; and both criminal charges and civil money penalties can be brought against individuals who are willfully non-compliant with BSA requirements.

Senior management, including the Board of Directors, will need to ensure that their credit union’s policy and procedures are compliant with BSA, that employees are properly trained on BSA, and that internal controls are in place to ensure that employees are properly implementing these policies and procedures. 

The requirements for BSA compliance do not vary based on the asset size of the credit union; however, the cost and type of action to achieve compliance will vary.  For example, a small, non-cash credit union, would need to have a BSA policy, but this credit union will have a very different policy (less complex and much smaller) than a large, multi-branch credit union. 

Resources

Further guidance on BSA can be found at the following websites:

FinCEN – www.fincen.gov (click on BSA guidance)

CUNA Compliance - www.cuna.org/compliance (webinars & training)

WA CU League Compliance Manual- www.compliance.waleague.org (look under Resources tab & under Operations & Security Tab, also see the June 9th Webinar.)

NASCUS On-line University - www.nascusonline.org

Please contact Doug Lacy-Roberts at (360) 902-0507, if you have any questions about this Bulletin.

Appendix A

Definition of Pervasive, Systemic & Repeat BSA Violations

A pervasive violation is “all-encompassing”.  A pervasive violation generally pertains to policies and procedures; it should be assessed from a strategic perspective.  A partial list of examples follows:

A systemic violation is a willful or reckless disregard for compliance with BSA provisions; it typically involves multiple incidents of noncompliance.  A systemic violation should be assessed from a transactional perspective.  A partial list of examples follows:

Depending on the circumstances associated with an individual violation, a violation which, would usually be classified as systemic, may become pervasive.

A repeat violation is any violation (pervasive or systemic) that was previously identified and not resolved by a credit union.

Appendix B

FAQs: Frequently Asked Questions and Answers

Regarding BSA Compliance

  1. If a credit union has a BSA policy but it does not include all the required elements, is it a significant violation that has to be reported?

Yes. A credit union must have a BSA policy addressing all the required elements. If the BSA policy incorporates one or more required elements via referencing other written policies, this is acceptable. 

An existing policy that needs improvement, but which contains all the required elements, may not be a significant violation.  Determination that a significant BSA violation exists will depend on examiner judgment.  Examiners should consider: 1) whether the policy is generally appropriate for the size and complexity of the credit union, 2) if the policy reflects the products and services offered by the credit union, and 3) if weak elements can be strengthened in a rapid manner (less than 3 months) with minimal or no examiner oversight.

  1. If a credit union cannot locate its written policy but is following adequate procedures, is there a significant violation?

Yes. A credit union must have a board approved written policy.  For example, this would occur when a credit union cannot readily produce its policy for review.  No written policy is a pervasive violation, even if adequate procedures exist.  

  1. If a credit union generally files currency transaction reports (CTRs), but missed one or two during the exam periods, is there a significant violation?

It depends on examiner judgment; examiners should consider 1) the number of CTRs filed during a year and 2) the reason that the CTR was improperly filed.  If a CU usually files 10 CTRs each year and forgets 2, this is a significant BSA violation.  If a CU usually files 1,000 CTRs each year and forgets 2, this is probably not a significant BSA violation.  In general, if the rate of error is more than 1 percent or greater than 20 CTRs, an examiner should assess the violation as significant.  Description of the violation as pervasive or systemic will depend on whether there is no process/procedure for filing the CTR (pervasive) or there is a process, but it is not adequate (systemic).

In both cases, the CU must back-file the incomplete CTR, audit its filings to ensure no others were missed, and strengthen internal controls to reduce the likelihood that future CTRs will not be filed timely.

  1. If CU staff members were given BSA training when they were initially hired but have not had training within a couple years, is there a significant violation?

It depends on examiner judgment; examiners should consider 1) whether changes have occurred in staffing (new hires), 2) if continuing staff retain knowledge of BSA requirements (up to date policies, regular completion of CTRs), 3) person(s) charged with oversight of the BSA program have sufficient knowledge to catch and correct errors, and 4) a process exists to identify staff members with inadequate BSA awareness and provide them with training.

  1. If CU staff tell the member to break up large cash deposit into smaller amounts to avoid filing a CTR (in the interest of customer service), is there a significant violation?  Does the CU have to file a CTR anyway?

Yes, there are multiple significant BSA violations and the CTR must be filed, regardless.  This scenario demonstrates inadequate staff training (staff suggested the member engage in structuring – a money laundering activity), an inadequate process for aggregating transactions (staff doesn't anticipate the CU will "find" transactions if they are split), and weak oversight of the BSA program.

  1. If a CU does not have an adequate BSA policy and examiners give them a sample policy, is the problem resolved?

No.  While a sample policy can be of significant assistance to a CU, the CU must customize this policy to reflect the CU's operations, have the CU board approve and adopt the policy, and schedule staff training on the policy (if necessary) for the problem to be resolved.  If all of this activity occurs prior to the conclusion of the exam, the problem can be reported as both identified (pervasive) and resolved on the exam report.  The exam report would still be written to address the BSA issues, but the exam report would state the significant BSA violation has been adequately corrected.

  1. Do small/non-cash operation CUs have to meet the same standards as large CUs?

Yes, but the cost and type of action taken to achieve compliance will vary.  For example, all CUs must have a written BSA policy.  A small, non-cash CU would probably have a smaller less complex policy than a large, multi-branch CU.  Nevertheless, the small CU's written policy would need to address all products and services offered by the CU, establish a reasonable method for verifying member identity (when a new loan or share account is opened), and ensure review of the 314a list.

  1. If a credit union fills out a CTR but systematically does so inaccurately or incompletely is there a violation?

Yes, the CTR must be filled out accurately and completely.  Similar criteria as noted above would apply to the frequency of the omissions.  One or two inaccurate CTRs out of a thousand would generally not represent a systematic violation while two out of ten would.


March 16, 2005
No. B-05-02

Interest Rate Risk Measurement and

Strategic Planning Seminar

The Division of Credit Unions (DCU) last year revised its examination procedures used to evaluate how effectively a credit union is managing its interest rate risk (IRR).  This examination revision was in response to the increasing level of IRR exposure found in some state credit unions based on 5300 data and on projected rising rates in coming months.

The examiners frequently found that strategies and assumptions being modeled were unrelated to the strategic plan and budget of the credit unions.  The examiners also noticed that credit union personnel were frequently confused as to the difference and purposes of net economic value (NEV) and net interest income (NII) measurement tools.

Seminar Date & Format

On April 21, 2005 at 6:00 pm, DCU and the Washington Credit Union League (WCUL) will be hosting a free seminar on Interest Rate Risk Measurement and Strategic Planning.  This seminar will consist of a one hour web-cast presented by Gayle Peterson, Risk Management Specialist from National Credit Union Administration (NCUA) and Jay Weintraub, Interest Rate Risk Specialist from DCU, followed by a one and a half hour facilitated discussion.  To facilitate the discussion, there will be a representative from DCU or NCUA and a representative from a credit union with expertise in managing interest-rate risk at each location. 

Seminar Content

Key Model Assumptions and What to Look For

Static versus Dynamic Balance Sheets and their Relationship to IRR

Locations

We have chosen five locations throughout the state to make attendance as convenient as possible.  The locations include Everett, Federal Way, Spokane, Vancouver, and Yakima. 

Who should attend?

We encourage attendance from the Board, ALCO Committee members (particularly including representatives from the Board), senior operating staff, and staff involved in the modeling analysis for the credit union.

We hope you will take advantage of this opportunity to join us.  You will find out what the examiners are looking for, have the opportunity to discuss this important topic with others in the field, and build a network with your peers.


February 1, 2005
No. B-05-01

EDPR New IS&T Questionnaire Starting Point

Up to this point, the Division of Credit Unions has used the EC-1 (Electronic Commerce) questionnaire as the starting point for the information services and technology exam. We often find it necessary to expand our efforts and use the EC-2 and EDPR (Electronic Data Processing Review) forms in appropriate circumstances.

This bulletin is to advise you that effective March 15, 2005, the Division IS&T examiners (Trust CC) will begin using the EDPR questionnaire instead of the EC-1 questionnaire as the starting point for our exams. The EC-1 questionnaire strictly covers electronic commerce, whereas, the EDPR questionnaire is more general and relevant to our IS&T examination reviews. As you will see the EDPR is somewhat shorter than the EC-1. We anticipate no increase in the amount of time necessary for the IS & T examination. If you would like to preview the EDPR questionnaire it can be found on the Division’s website under “Credit Union Exam Forms” (www.dfi.wa.gov/cu) and click on “AIRES Electronic Data Processing Review”.

Please contact Doug Lacy-Roberts at (360) 902-0507, if you have any questions about this Bulletin.