FFIEC assessment tool best if voluntary for CUs: CUNA

September 21, 2015

WASHINGTON (9/21/15)--The regulatory burdens for credit unions due to the Federal Financial Institutions Examination Council’s (FFIEC) Cybersecurity Assessment Tool will be much greater than the council estimates, according to CUNA. Commenting on the accuracy of the FFIEC’s estimates of the burden created by the new assessment tool, CUNA also raised a number of questions about the tool.

The FFIEC introduced its tool in June, based on a pilot assessment of more than 500 financial institutions’ cybersecurity preparedness. While the council estimates credit unions and other types of financial institutions can complete the assessment in 80 hours, CUNA believes this is a severe underestimation, given that the assessment is more than 55 pages long.

“We have heard from credit unions, of varying asset sizes, that they anticipate allocating several hundred hours in the first year alone to understand and complete the assessment,” the letter reads. “At a minimum, we believe the FFIEC has overlooked the challenges many institutions will face in reviewing and understanding the assessment, let alone the time and resource commitment necessary to actually conduct the assessment.”

The assessment tool is currently voluntary for all FFIEC-regulated entities, and the council’s burden estimate is based on that voluntary nature. However, the NCUA has said its examiners will be receiving training using the tool in the coming months and will begin requiring credit unions to complete the assessment within the next year, likely by June 2016.

The NCUA has indicated it will release a letter to credit unions and a frequently asked questions document regarding the assessment tool in the coming months.

CUNA has urged the NCUA to allow credit unions to use the assessment tool as a voluntary guidance tool.

“While we fully embrace the importance of cybersecurity, we believe credit unions can enhance their capabilities in this area in a way that does not unduly increase the compliance burden they are already under,” the letter reads, adding that allowing the tool to be used on a voluntary basis by credit unions will maintain an appropriate balance of protecting credit union interests while minimizing regulatory burden.