(A) Credit unions utilizing computers shall adopt, as a minimum, the following policies:
(1) An electronic information policy which shall provide for operating procedures, practices and purchases of devices used for information technology. These policies and procedures shall serve as an overall plan and analysis of how the system benefits the credit union. In addition, these policies and procedures shall provide guidance and uniformity to the credit union's management.
(2) A security policy which shall provide for the data and physical security needed to ensure that member data obtained by credit unions is safeguarded at all times.
(3) A data backup and recovery policy which ensures that the credit union is able to recover members' data in the event that data is corrupted or lost.
(4) A contingency/disaster recovery policy and plan which shall provide for procedures for interruption of computer operations and tests for ability to recover both hardware and software. The policy should include a business continuity plan to ensure that the various business lines are aware of their responsibilities in the event of an unanticipated incident or disaster affecting the daily business of the institution. At a minimum, management must ensure that the provisions within this policy are tested on an annual basis.
(5) A policy to notify regulators, insurers and members within five days of any known breach of member data.
(6) Credit unions utilizing a servicer shall have a contract which provides for ownership of the data base, minimum notice for cancelling the contract, and a plan for obtaining a copy of the electronic information security policy and regular audit of the servicer periodically, a copy of the backup and recovery plan, and a disaster plan to ensure solvency and continued service. The contract shall also provide the superintendent with complete access to any books and records of the servicer, as deemed necessary by the superintendent in carrying out his or her responsibilities.
(B) A credit union shall provide to the superintendent annually, within ten days after it holds its annual meeting and reorganization meeting, a roster of directors, officers and senior management personnel.
(C) Within ten days after the board of directors appoints a director to fill a vacancy, elects a new officer or officers, or appoints or approves a senior management employee, the credit union shall notify the superintendent in writing of the change.
(D) Credit unions operating under a supervisory agreement or letter of understanding and agreement shall notify the superintendent in writing, at least fifteen days prior to the date any change in the position of director, officer, committee member or any senior management personnel takes place. The notice shall include the position that the person will be assuming and a detailed resume. An individual shall not assume a position and related duties until after the superintendent has approved such change in writing. Immediate notice shall be given to the superintendent of resignations of directors, officers or senior management.
(E) The annual financial report required by division (C) of section 1733.32 of the Revised Code shall be filed upon the date designated by the division of financial institutions in a notice mailed to each credit union at least thirty days in advance of the filing date. If a credit union fails to file its annual financial report by the filing date, the superintendent may assess a fine in accordance with paragraph (I) of 1301:9-1-04 of the Administrative Code. In accordance with division (B) of section 1733.32 of the Revised Code, a credit union shall submit a financial report to the division when requested by the superintendent within thirty days of the superintendent's request. If the credit union fails to comply with division (B) of section 1733.32 of the Revised Code, the superintendent may assess a fine in accordance with paragraph (I) of 1301:9-1-04 of the Administrative Code.
(F) By the due date indicated on the examination acknowledgment page, the president or chairperson shall respond to the superintendent in writing, satisfactorily addressing all of the concerns detailed in the examination report and all actions taken to address these concerns. Each member of the board of directors and the chairperson of the supervisory audit committee, if applicable, shall acknowledge receipt of the examination by signing the examination acknowledgment page. This signed page must be returned to the superintendent by the due date indicated on the examination acknowledgment page. Any extensions to the due date of the examination response shall be made to the superintendent in writing before the original due date. All written requests for an extension of time to complete the examination response shall include reasons why the examination response cannot be submitted in a timely manner, as well as when it is expected the response will be received by the superintendent.
Replaces: 1301:9-1-03, part of 1301:9-1-04