Compliance Training: A Refresher on Credit Union Staff Training Requirements
Every so often, we get questions about various training requirements found in the rules and regulations affecting credit unions. We have written about this topic in the past (member only), but a new year always feels like a good time for a refresher on most things, training requirements included. Read on for a summary of some of the hot-ticket training requirements that credit unions should be aware of.
Bank Secrecy Act/Anti-Money Laundering
Section 748.2(c)(4) of NCUA’s regulations requires credit unions to “provide training for appropriate personnel.” Additional guidance issued by NCUA outlines the expectation that “every credit union should perform at least annual training on BSA.” However, the NCUA does not expect every credit union to perform the same BSA training; it should be appropriate to the credit union’s risk profile.
Additional training guidance can be found in the FFIEC’s BSA/AML Manual. The Manual states that “training should be tailored to each individual’s specific responsibilities, as appropriate.”
Office of Foreign Assets Control (OFAC)
While not specifically required by regulation, NCUA expects credit unions to establish a written OFAC compliance program that is commensurate with their OFAC risk profile. The compliance program should include training programs for appropriate personnel. According to the FFIEC’s BSA/AML Manual, “the scope and frequency of the training should be consistent with the [credit union’s] OFAC risk profile and appropriate to employee responsibilities.”
Guidance from NCUA in the enclosure to Letter to Credit Unions 05-CU-09 provides OFAC compliance requirements, as well as resources for additional information and training.
Electronic Payment Systems
Electronic Payment Systems (EPS) include ACH payments, wire transfers, item processing, remote deposit capture, FedLine access solutions, ATMs, card services, and mobile payments. NCUA’s Examiner’s Guide recommends “clearly defining roles and responsibilities of each credit union employee with respect to EPS minimizes fraud-related losses, ensures that board-established policies and limits are observed, and provides adequate oversight over this importation credit union function.” The Guide also states that “all staff should receive adequate training both in the EPS activities offered by the credit union and in proper security procedures.”
The NCUA AIRES Exam Questionnaire contains training expectations within each relevant procedures section.
Fair Lending
The NCUA’s Fair Lending Guide requires credit unions to provide training “to all employees involved in any aspect of taking, evaluating, acting on a credit application, or furnishing/maintaining credit information. In addition, persons involved in marketing and credit operations should receive appropriate instruction relative to their responsibilities.”
The Guide also includes training specific to the Fair Housing Act, and states that credit unions must “provide training to all employees involved in any aspect of residential real estate, including the financing, selling, renting, advertising, brokering, and appraising of housing. All employees should be provided with training on the basic principles and core requirements of FH Act, along with other relevant fair lending laws and regulations.”
NCUA expects credit union lending personnel to receive training at least annually, and the training should include the requirements of Regulation B. This expectation can be found in the Regulation B – Equal Credit Opportunity Act section of the NCUA AIRES Exam Questionnaire.
Information Security
Information security training requirements can be found in multiple sources, including the FFIEC’s IT Examination Handbook InfoBase and Information Security Booklet, Part 748 of NCUA’s regulations and its Appendices, Chapter 6 of NCUA’s Examiner’s Guide, and NCUA’s IT Security Compliance Guide.
The FFIEC’s Information Security Booklet’s section on training states:
“Training should support security awareness and strengthen compliance with security and acceptable use policies.. . . Management should educate users about their security roles and responsibilities and communicate them through acceptable use policies. . . Training materials for most users focus on issues such as end-point security, log-in requirements, and password administration guidelines. Training programs should include scenarios capturing areas of significant and growing concern, such as phishing and social engineering attempts, loss of data through e-mail or removable media, or unintentional posting of confidential or proprietary information on social media. As the risk environment changes, so should the training.”
Section V of NCUA’s IT Security Compliance Guide recommends “providing specialized training to ensure that personnel sufficiently protect member information in accordance with its security program,” and provides examples of training topics and potential scenarios staff should be aware of. The Guide also includes a list of organizations which “provide information on computer security, with a focus on risk-assessment methodologies and the design and implementation of computer security programs.”
These are only some of the credit union staff training requirements that exist. For even more training requirements, check out this comprehensive chart, published in 2018. Keep in mind, though, that this list does not include state or local training requirements that may exist, and that the chart should not be relied upon as the sole source of information for a credit union’s training program.