Top Story Operations Related

The NCUA has announced it issued three consent orders and one prohibition notice in October permanently prohibiting individuals from participating in the affairs of any federally insured depository institution.

Consent orders were issued to:

• Gloria J. Hall, a former employee of Prairie View Federal Credit Union, Prairie View, Texas
• Diane Stephens, a former employee of Priority First Federal Credit Union, Du Bois, Pennsylvania
• Laurie Allen, a former employee of Vibrant Credit Union, Danville, Illinois

A Notice of Prohibition was issued to Salusthian Lutamile, a former employee of IDB Global Federal Credit Union, Washington, D.C.

The FBI, the Treasury Department, and the Israel National Cyber Directorate have issued a Cybersecurity Advisory (CSA) to warn network defenders of new cyber tradecraft of the Iranian cyber group Emennet Pasargad, which has been operating under the company name Aria Sepehr Ayandehsazan (ASA) and is known by the private sector terms Cotton Sandstorm, Marnanbridge, and Haywire Kitten.

The group exhibited new tradecraft in its efforts to conduct cyberenabled information operations into mid-2024 using a myriad of cover personas, including multiple cyber operations that occurred during and targeting the 2024 Summer Olympics – including the compromise of a French commercial dynamic display provider. ASA has also undertaken a project to harvest content from IP cameras and used online resources related to Artificial Intelligence. Since 2023, the group has exhibited new tradecraft including the use of fictitious hosting resellers to provision operational server infrastructure to its own actors as well as to an actor in Lebanon involved in website hosting. Recently released reporting from Microsoft indicates this group has demonstrated interest in election-related websites and media outlets, suggesting preparations for future influence operations.

The CSA provides the threat group’s tactics, techniques, and procedures (TTPs), including its leveraging of online resources related to Artificial Intelligence, and indicators of compromise (IOCs). The CSA also highlights similar activity from a previous FBI advisory that was published on 20 October 2022. This new advisory’s information and guidance are derived from FBI investigative activity and technical analysis of this group’s intrusion activity against U.S. and foreign organizations and engagements with numerous entities impacted by this malicious activity.

The authoring agencies recommend all organizations follow guidance provided in the Mitigations section to defend against the Iranian cyber group’s activities.

FDIC FIL-77-2024, issued yesterday, describes steps intended to provide regulatory relief to financial institutions and facilitate recovery in areas affected by the Havasupai Tribe Flooding August 22–23, 2024..

Yesterday, the Treasury Department reported that OFAC had sanctioned five Mexican nationals and two Mexico-based entities linked to La Linea, a violent Mexico-based drug trafficking organization responsible for trafficking fentanyl and other deadly drugs into the United States.

See BankersOnline’s October 31, 2024, OFAC Update for the names and identifying information of the designated individuals and businesses .

The CFPB yesterday announced action against VyStar Credit Union for harming consumers through its botched rollout of a new online banking system. In May 2022, VyStar transitioned to a new, dysfunctional online banking platform that made it difficult for credit union members to perform basic banking functions for weeks, with some features unavailable for more than six months. Families incurred fees and costs as a result of these problems. The CFPB is ordering VyStar to ensure that all consumers are made whole. VyStar must also pay a $1.5 million civil penalty to the CFPB’s victims relief fund.

VyStar, formerly known as JAX Navy Federal Credit Union, is a Florida state-chartered credit union headquartered in Jacksonville with 70 branches in Florida and 10 branches in Georgia. VyStar is one of the largest credit unions in the country, with approximately $14.75 billion in total assets and over 980,000 members. In May 2022, VyStar attempted to launch a new virtual banking platform. VyStar anticipated banking services would be inaccessible for several days during the transition to the new platform, but it turned out to be much longer. The new system crashed upon launch because VyStar brought it online prematurely and failed to establish or follow critical processes to ensure its success. The platform was taken offline soon after launch. Upon bringing the system back online, the new platform lacked key banking services, some of which were not restored for months.

For further details, see “VyStar CU pays $1.5M for botched systems upgrades” in BankersOnline’s Penalties pages.

• NCUA Chairman Harper and Board Member Otsuka Statements on CFPB's VyStar Credit Union action

FinCEN has reported that the Financial Action Task Force (FATF), an intergovernmental body that establishes international standards for anti-money laundering, countering the financing of terrorism, and countering the financing of proliferation of weapons of mass destruction (AML/CFT/CPF), updated its lists of jurisdictions with strategic AML/CFT/CPF deficiencies at the conclusion of its plenary meeting this month. FinCEN said U.S. financial institutions should consider the FATF’s stance toward these jurisdictions when reviewing their obligations and risk-based policies, procedures, and practices.

On October 25, 2024, the FATF added Algeria, Angola, Côte d’Ivoire, and Lebanon to its list of Jurisdictions Under Increased Monitoring and also removed Senegal from the list.

The FATF’s list of High-Risk Jurisdictions Subject to a Call for Action remains the same, with Iran, the Democratic People’s Republic of Korea (DPRK), and Burma subject to calls for action. Iran and DPRK are still subject to the FATF’s countermeasures, while Burma is still subject to the application of enhanced due diligence, but not countermeasures

The Department of the Treasury has announced it has sanctioned 275 individuals and entities involved in supplying Russia with advanced technology and equipment that it desperately needs to support its war machine. Yesterday’s action targets both individual actors and sprawling sanctions evasion networks across 17 jurisdictions, including India, the People’s Republic of China (PRC), Switzerland, Thailand, and Türkiye. In addition to disrupting global evasion networks, this action also targets domestic Russian importers and producers of key inputs and other materiel for Russia’s military-industrial base.

Treasury reported that the Department of State also targeted sanctions evasion and circumvention in multiple third countries, including several PRC-based companies exporting dual-use goods that fill critical gaps in Russia’s military-industrial base and entities and individuals in Belarus related to the Lukashenka regime’s support for Russia’s defense industry. State also targeted several senior Russian Ministry of Defense officials and defense companies and those supporting Russia’s future energy production and exports.

For the names and identification information of the designated parties, see yesterday’s BankersOnline OFAC Update.

The Treasury Department has announced the release of the National Strategy for Financial Inclusion in the United States, which identifies objectives and recommendations for policymakers, industry, employers, and community organizations to advance consumer access to safe financial products and services and strengthen financial security. The Strategy was requested in 2023 by Congress and has been informed by Treasury’s research and engagement with experts, community leaders, industry representatives, and other federal agencies, including public input through a Request for Information.

Objectives and key recommendations of the Strategy include:

• Promote access to transaction accounts that meet consumer needs
• Increase access to safe and affordable credit
• Expand equitable access to savings and investments
• Improve the inclusivity of financial products and services provided or backed by the government
• Foster trust in the financial system by protecting consumers from illegal and predatory practices

Treasury invited all stakeholders to engage with this Strategy, to innovate, and to collaborate in creating a more inclusive financial landscape.

• Fact Sheet on the report and recommendations

The FDIC has released its list of enforcement actions issued in September 2024. Among the ten actions listed, there were four consent orders, four orders terminating consent orders, and two orders terminating deposit insurance.

The consent orders were issued to:

• Industry State Bank, Industry, TX (jointly issued with the Texas Department of Banking)
• Fayetteville Bank, Fayetteville, TX ((jointly issued with the Texas Department of Banking)
• Citizens State Bank, Buffalo, TX (jointly issued with the Texas Department of Banking)
• International Bank of Chicago, Chicago, IL (jointly issued with the Illinois Department of Financial and Professional Regulation Division of Banking)

The orders terminating deposit insurance were issued to:

• Algonquin State Bank, Algonquin, IL (not engaged in the business of receiving deposits other than trust funds)
• McHenry Savings Bank, McHenry, IL (not engaged in the business of receiving deposits other than trust funds)

Terminations of previous consent orders were issued to LifeSteps Bank & Trust, Union Springs, AL; International Bank of Chicago, Chicago, IL; Sainte Marie State Bank, Sainte Marie, IL; and KansasLand Bank, Quinter, KS.

The CFPB has issued Consumer Financial Protection Circular 2024-06, "Background Dossiers and Algorithmic Scores for Hiring, Promotion, and Other Employment Decisions," presenting the question: "Can an employer make employment decisions utilizing background dossiers, algorithmic scores, and other third-party consumer reports about workers without adhering to the Fair Credit Reporting Act (FCRA)?"

The guidance warns that companies using third-party consumer reports — including background dossiers and surveillance-based, “black box” AI or algorithmic scores about their workers — must follow FCRA rules. This means employers must obtain worker consent, provide transparency about data used in adverse decisions, and allow workers to dispute inaccurate information.

PUBLICATION INFO: Published 11/12/2024 at 89 FR 88875. The circular was released by the CFPB on its website on 10/24/2024.