BRIDGING THE DIVIDE (FROM PAGE 4)
At a minimum, all examination findings and documents of
resolution (DORs) must be based upon clear legal authority
and an objective analysis. We must also operate transparently.
We need to create an environment where examination issues
are discussed openly, and both parties can present their
positions without having those views dismissed. We also need
to ensure that examination findings are thoroughly vetted
with the credit union and do not suddenly turn into DORs
without the proper legal justification and certainly not
without clear and convincing data to support the decision.
NCUA developed new policies and procedures for conducting
examinations and issuing DORs. These policies were shared
with credit unions in Letter to Credit Unions (13-CU-09), in
If credit unions have concerns that field staff aren’t following
NCUA’s prescribed policy, they should raise those concerns
with examiners and supervisory examiners. If these concerns
then go unheeded, they should be appealed to the Regional
Director, the Supervisory Review Committee, or even the
NCUA Board, if necessary.
Current NCUA policy makes it clear that examiners should not include in DORs:
• Broad or general provisions requiring the credit union to “comply with the examination report” or to correct problems included in the Examiner’s Findings section.
• Unresolved Examiner’s Findings merely because they have
• Suggestions or items for management to consider as
Additionally, examiners must cite the specific section of the
Federal Credit Union Act, NCUA rules, credit union bylaws,
or other official agency policy—including NCUA-issued
guidance, such as supervisory letters—when listing an item
within a DOR.
Clearly, there must be an arm’s-length, cooperative and
respectful relationship between our field staff and the credit
unions we regulate. Each party needs to be fully aware of the
other’s duties and responsibilities and not overreach, overstep
or disrespect each other.
Moreover, I have no interest—and NCUA examiners should
have no interest—in directly or indirectly running credit
union operations or influencing the development or execution
of a credit union’s business strategy. Credit unions run legal,
legitimate businesses, and they do it quite well judging from
their success in the marketplace.
I am absolutely committed to following NCUA’s legal mandate.
Thus, credit unions—not me, not NCUA examiners—should
develop and execute their business plans for the benefit of
their members. I appreciate that a fine line often exists
between a safety and soundness issue and a credit union’s
ability to operate in accordance with its business policy. In
my view, NCUA should not cross that line and meddle in the
internal affairs of the credit union without clearly articulating
the demonstrable safety and soundness issue raised by the
allegedly offending action.
DDOS ATTACKS INCREASING ON FINANCIAL INSTITUTIONS (FROM PREVIOUS PAGE)
• Disabling the recursive name resolution associated with DNS servers and resolvers (Refer to U.S. CERT Alert
• Disabling the CHARGEN service because it is rarely needed beyond testing, debugging and measurement purposes.
But taking these steps is just the beginning. Cyber threats are constantly evolving. To be better prepared, credit unions
• Develop strong incident response plans that are tested annually using a variety of scenarios.
• Use vetted DDoS mitigation service providers to detect and filter malicious traffic aimed at disrupting Internet-
• Monitor network traffic with network monitoring software that is managed by trained professionals who can quickly identify what normal and abnormal traffic looks like at your credit union.
• Create a strong vendor management program that includes agreements with internet-service providers for expert assistance, such as blocking or redirecting traffic during a
• Execute a disciplined vulnerability and patch management
The National Institute of Standards and Technology’s Computer Incident Response guidance is a good resource for credit unions looking for a framework to establish or strengthen their incident response program. Credit unions should also refer to the U.S. Computer Emergency Readiness Team’s website for the latest information on cyber threats.
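As an added example (not from the NCUA article), the script below turns the first two steps and the traffic-monitoring advice into a concrete check: it reviews flow records for a DNS server answering recursive queries from outside the credit union with amplified responses, and for a CHARGEN service replying to external hosts, while treating internal-only traffic as the normal baseline. The flow-record layout, the 10.0.0.0/8 address space and the 10x ratio threshold are assumptions, and the records are constructed.

```python
from ipaddress import ip_address, ip_network

# Assumed credit-union address space; every other address is "outside".
INTERNAL = ip_network("10.0.0.0/8")

# Constructed flow records (not real traffic):
# (src_ip, src_port, dst_ip, dst_port, proto, bytes)
FLOWS = [
    ("198.51.100.7", 43210, "10.0.0.53", 53, "udp", 64),    # outside host queries our DNS
    ("10.0.0.53", 53, "198.51.100.7", 43210, "udp", 3100),  # large answer sent back outside
    ("10.0.1.20", 50000, "10.0.0.53", 53, "udp", 70),       # internal query: normal baseline
    ("10.0.0.53", 53, "10.0.1.20", 50000, "udp", 120),
    ("203.0.113.9", 40000, "10.0.0.19", 19, "udp", 1),      # single byte sent to CHARGEN
    ("10.0.0.19", 19, "203.0.113.9", 40000, "udp", 1024),   # CHARGEN streams data back out
]

# UDP services the article says to restrict, keyed by port.
SERVICES = {53: "dns recursion", 19: "chargen"}

def is_internal(ip):
    return ip_address(ip) in INTERNAL

def find_amplification(flows, ratio_threshold=10):
    """Pair each outside->inside UDP request on port 53 or 19 with the
    inside->outside reply on the same 4-tuple and report replies whose
    size is at least ratio_threshold times the request. Internal-only
    traffic is the normal baseline and is never reported."""
    requests = {}
    for src, sport, dst, dport, proto, nbytes in flows:
        if proto == "udp" and dport in SERVICES and is_internal(dst) and not is_internal(src):
            requests[(dst, dport, src, sport)] = nbytes  # key in the reply's orientation
    findings = []
    for src, sport, dst, dport, proto, nbytes in flows:
        req = requests.get((src, sport, dst, dport))
        if req is None:
            continue  # not a reply to an external request
        ratio = nbytes / max(req, 1)
        if ratio >= ratio_threshold:
            findings.append({
                "service": SERVICES[sport],
                "server": src,
                "external_host": dst,
                "ratio": round(ratio, 1),
            })
    return findings

if __name__ == "__main__":
    for f in find_amplification(FLOWS):
        print(f"{f['server']} answered {f['external_host']} over {f['service']} "
              f"with {f['ratio']}x amplification; restrict that service as advised above")
```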