Top Story Operations Related

The CFPB has announced a consent order filed in an Administrative Proceeding against Navy Federal Credit Union for charging "illegal overdraft fees." The Bureau said that, from 2017 to 2022, Navy Federal charged customers surprise overdraft fees on certain ATM withdrawals and debit card purchases, even when their accounts showed sufficient funds at the time of the transactions. The CFPB is ordering Navy Federal to refund more than $80 million to consumers, stop charging illegal overdraft fees, and pay a $15 million civil penalty to the CFPB’s victims relief fund.

The CFPB said Navy Federal illegally charged it members' accounts in two ways.

1. Charging OD fees on "approved positive, settled negative" or APSN debit card transactions, collecting an average of $44 million a year, in spite of warnings about such fees by federal regulators, including the CFPB and the Federal Reserve Board, as early as 2015.
2. Charging member accounts that received money via Zelle, PayPal, and similar peer-to-peer payment services when Navy Federal's systems showed those funds as immediately available, but the credit union failed to disclose that payments received after 10:00 a.m. Eastern (later 8:00 p.m.) would not actually post to the accounts until the next business day. Some members tried using those funds and were charged OD fees.

In addition to the order's requirement to pay the $15 million civil money penalty and $80 million in refunds to Navy Federal members, it includes a provision banning Navy Federal from charging OD fees for APSN transactions or resulting from delayed posting of funds received from peer-to-peer payment networks.

Yesterday, the Treasury Department reported that OFAC has designated one individual and one entity who support a corrupt patronage network in Bosnia and Herzegovina (BiH) that is attempting to evade U.S. sanctions.

For the names and identification information of the designated individual and entity, see yesterday's BankersOnline OFAC Update.

The FDIC has announced it will introduce a new online tool to help financial institutions, investors, and other interested groups to identify neighborhoods that could benefit from banking services. The FDIC’s new Minority Banking Opportunity Explorer will be presented at a meeting of the agency’s Minority Depository Institutions (MDI) Subcommittee to the Advisory Committee on Community Banking today.

This new tool supports FDIC’s statutory mission to promote and encourage the creation of new minority depository institutions by assisting financial institution organizing groups with exploring potential business opportunities in areas that may meet the "community served" part of an MDI designation. The tool can also support existing MDIs’ growth by identifying new branch locations or advertising opportunities.

The FDIC has issued Financial Institution Letters with guidance to help financial institutions and facilitate recovery in areas affected by severe weather.

• FIL-78-2024 for financial institutions in areas of South Dakota affected by the Cheyenne River Sioux Tribe severe storm, straight-line winds, and flooding on July 13 and 14, 2024
• FIL-79-2024 for financial institutions in areas of New Mexico affected by a severe storm and flooding on October 19 and 20, 2024

FinCEN recently announced that certain victims of Hurricane Milton, Hurricane Helene, Hurricane Debby, Hurricane Beryl, and Hurricane Francine will receive an additional six months to submit beneficial ownership information reports, including updates and corrections to prior reports.

FinCEN has issued the five Notices below extending the filing deadlines for reporting companies that 1) have an original reporting deadline beginning one day before the date the specified disaster began and ending 90 days after that date, and 2) are located in an area that is designated both by the Federal Emergency Management Agency as qualifying for individual or public assistance and by the Internal Revenue Service as eligible for tax filing relief.

Notice regarding—

• Hurricane Milton
• Hurricane Helene
• Hurricane Debby
• Hurricane Beryl
• Hurricane Francine

The Internal Revenue Service on Friday announced that the amount individuals can contribute to their 401(k) plans in 2025 has increased to $23,500, up from $23,000 for 2024. The IRS also issued technical guidance regarding all cost‑of‑living adjustments affecting dollar limitations for pension plans and other retirement-related items for tax year 2025 in Notice 2024-80.

The limit on annual contributions to an IRA remains $7,000. The IRA catch‑up contribution limit for individuals aged 50 and over was amended under the SECURE 2.0 Act of 2022 (SECURE 2.0) to include an annual cost‑of‑living adjustment but remains $1,000 for 2025.

The NCUA has announced it issued three consent orders and one prohibition notice in October permanently prohibiting individuals from participating in the affairs of any federally insured depository institution.

Consent orders were issued to:

• Gloria J. Hall, a former employee of Prairie View Federal Credit Union, Prairie View, Texas
• Diane Stephens, a former employee of Priority First Federal Credit Union, Du Bois, Pennsylvania
• Laurie Allen, a former employee of Vibrant Credit Union, Danville, Illinois

A Notice of Prohibition was issued to Salusthian Lutamile, a former employee of IDB Global Federal Credit Union, Washington, D.C.

The FBI, the Treasury Department, and the Israel National Cyber Directorate have issued a Cybersecurity Advisory (CSA) to warn network defenders of new cyber tradecraft of the Iranian cyber group Emennet Pasargad, which has been operating under the company name Aria Sepehr Ayandehsazan (ASA) and is known by the private sector terms Cotton Sandstorm, Marnanbridge, and Haywire Kitten.

The group exhibited new tradecraft in its efforts to conduct cyberenabled information operations into mid-2024 using a myriad of cover personas, including multiple cyber operations that occurred during and targeting the 2024 Summer Olympics – including the compromise of a French commercial dynamic display provider. ASA has also undertaken a project to harvest content from IP cameras and used online resources related to Artificial Intelligence. Since 2023, the group has exhibited new tradecraft including the use of fictitious hosting resellers to provision operational server infrastructure to its own actors as well as to an actor in Lebanon involved in website hosting. Recently released reporting from Microsoft indicates this group has demonstrated interest in election-related websites and media outlets, suggesting preparations for future influence operations.

The CSA provides the threat group’s tactics, techniques, and procedures (TTPs), including its leveraging of online resources related to Artificial Intelligence, and indicators of compromise (IOCs). The CSA also highlights similar activity from a previous FBI advisory that was published on 20 October 2022. This new advisory’s information and guidance are derived from FBI investigative activity and technical analysis of this group’s intrusion activity against U.S. and foreign organizations and engagements with numerous entities impacted by this malicious activity.

The authoring agencies recommend all organizations follow guidance provided in the Mitigations section to defend against the Iranian cyber group’s activities.

FDIC FIL-77-2024, issued yesterday, describes steps intended to provide regulatory relief to financial institutions and facilitate recovery in areas affected by the Havasupai Tribe Flooding August 22–23, 2024..

Yesterday, the Treasury Department reported that OFAC had sanctioned five Mexican nationals and two Mexico-based entities linked to La Linea, a violent Mexico-based drug trafficking organization responsible for trafficking fentanyl and other deadly drugs into the United States.

See BankersOnline’s October 31, 2024, OFAC Update for the names and identifying information of the designated individuals and businesses .