Due Diligence RepoRtSecond Quarter 2014
2 | 2nd Quarter • 2014 Due Diligence
Dear Valued Member:
Catalyst Corporate Federal Credit Union is providing this Second Quarter 2014 Due Diligence Report to update
credit unions on its performance and to support their due diligence efforts. The idea for the Due Diligence Report came
from a member who requested that Catalyst Corporate publish all due diligence information in a single document. The
suggestion was adopted because it aligns so well with Catalyst Corporate’s mission to be a premier innovative corporate
credit union that provides exceptional member value in an efficient, safe and sound manner.
Catalyst Corporate’s operating fundamentals also focus on efficiency, safety and soundness. These fundamentals remain
constant from year to year, helping Catalyst Corporate stay true to its promise to support the success of member-owners.
They also guide the prioritization of the initiatives in the strategic plan. Among the operating fundamentals:
Catalyst Corporate…
• Continuously strives to maximize efficiency.
• Prioritizes strategies that create value for member credit unions.
• Leverages technology to achieve its objectives whenever possible.
• Continues to build financial strength in ways that surpass milestones and regulatory requirements.
• Protects its members’ assets by closely monitoring and managing risks of all kinds including credit, interest rate,
liquidity, operational, reputation and enterprise-wide risk.
• Is transparent with regard to its financial performance and operational practices affecting safety and soundness.
• Is guided in all decisions by its structure as a member-owned cooperative.
• Achieves and maintains a strong degree of engagement with its volunteer leadership, who are a primary link to the
membership at large.
The Catalyst Corporate Due Diligence Report includes financial statements with detailed commentary and information
about Catalyst Corporate’s risk profile, portfolio composition, CUSO investments, and compliance with NCUA Rules and
Regulations Part 704. Also included is information about operational practices designed to protect member credit unions.
Each edition of the report includes useful information about a current issue affecting credit union engagement with
Catalyst Corporate.
The Due Diligence Report is posted quarterly on the Catalyst Corporate website at www.catalystcorp.org/duediligence and
is available for download at any time. Please feel free to contact me or another Catalyst Corporate team member if you
need additional information.
Best regards,
Kathy Garner
President/CEO
letter from the president
2nd Quarter • 2014 Due Diligence | 3
current issue . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Quarterly Financial Report
• Results of Operations . . . . . . . . . . . . . . . . . . . . . . 8
• Consolidated Statement of Financial Condition . . 9
• Consolidated Statement of Income . . . . . . . . . . . 10
• Consolidated Statement of
Comprehensive Income . . . . . . . . . . . . . . . . . . . . 11
• Consolidated Statement of Members’ Equity . . . . 11
• Notes to Consolidated Financial Statements . . . . 12
Annual Report
• 2013 Financial Statement Audit Report . . . . . . . . 14
• 2013 Annual Report . . . . . . . . . . . . . . . . . . . . . . . 14
Risk Measures
• Credit Risk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
• Interest Rate Risk . . . . . . . . . . . . . . . . . . . . . . . . . . 16
• Liquidity Risk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
portfolio
• ALM Limits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
• Diversification Limits to Asset Size . . . . . . . . . . . . 18
• Sector Limits to Capital . . . . . . . . . . . . . . . . . . . . . 19
• Single Obligor Limits to Capital . . . . . . . . . . . . . . 19
Key performance Ratio graphics
• Operating Efficiency Ratio . . . . . . . . . . . . . . . . . . 20
• Retained Earnings Ratio . . . . . . . . . . . . . . . . . . . . 20
• Leverage Ratio . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
• Tier One Risk-Based Capital Ratio . . . . . . . . . . . . 20
• Total Risk-Based Capital Ratio . . . . . . . . . . . . . . . 20
cuSos and partners
• CUSOURCE, LLC
(dba Catalyst Strategic Solutions) . . . . . . . . . . . . 21
• Credit Union Business Group, LLC . . . . . . . . . . . 21
• CU Investment Solutions, LLC . . . . . . . . . . . . . . . 21
• Primary Financial, LLC . . . . . . . . . . . . . . . . . . . . . 22
• Alaska U.S.A. Trust Company . . . . . . . . . . . . . . . 22
• D+H . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
operational compliance
• Business Continuity Summary . . . . . . . . . . . . . . . 23
• Business Continuity Activity Report . . . . . . . . . . . 25
• Fidelity Bond Statement . . . . . . . . . . . . . . . . . . . . 25
• Bank Secrecy Act/Office of
Foreign Assets Control Summary . . . . . . . . . . . . . 26
• Privacy and Security . . . . . . . . . . . . . . . . . . . . . . . 27
• Affidavit Regarding Part 717 . . . . . . . . . . . . . . 27
• Affidavit Regarding Part 716 and 748 . . . . . . 28
• SSAE16 Statement . . . . . . . . . . . . . . . . . . . . . . . . 29
table of contents
current issue
cybersecurity – it Starts At the top
“Cybersecurity is not just an IT issue. It is an operational
risk issue that requires senior management and board
level attention.”
— Thomas J. Curry, Comptroller of the Currency,
United States of America
Credit unions see news reports daily about a wide
array of information security threats, but what exactly is
cybersecurity? The National Institute of Standards and
Technology (NIST) defines it simply as “the process of
protecting information by preventing, detecting, and
responding to attacks.”
This broad description, supported by an increasing
reliance on computer systems for member engagement
and for business processes, means that cybersecurity is
pervasive – an issue that must be addressed as part of
nearly every business decision.
Who is attacking and why?
Information security professionals no longer refer to
perpetrators of cyber-attacks as criminals – at least, not
exclusively. “Threat Actors” is a general term that can be
further identified based on the underlying motivation:
• Nation-States: Foreign governments that sponsor
cyber-attacks for a wide variety of reasons, from
espionage to a desire to undermine a country’s
banking system, among others
• Hacktivists: Individuals and organizations that employ
cyberterrorism to achieve political aims
• Organized Criminals: Centralized, highly-structured
enterprises that are effective at leveraging technology
to facilitate crime, such as money laundering
• Insiders: People who, knowingly or unknowingly,
assist in a cyber-attack
What are their means?
Among the most common types of cyber-attacks are:
• Phishing – Targeted email attacks are designed to
acquire personal and corporate data, as well as
financial account credentials, by masquerading as a
trustworthy entity. It is carried out by email spoofing
and often directs users to enter information details into
a fake website. Phishing is the most common among
several types of social engineering.
4 | 2nd Quarter • 2014 Due Diligence
2nd Quarter • 2014 Due Diligence | 5
current issue
• Malware – Short for malicious software, malware is
used to disrupt computer operations, gather sensitive
information or gain access to private computer
systems. It can appear in the form of executable code,
scripts, active content or other types of software.
Malware includes many of the terms that are pre-
valent in the press: viruses, worms, trojan horses,
ransomware, etc.
• DDoS (distributed denial of service) – A disruption
to online banking is caused when multiple systems
flood the bandwidth of the targeted web server.
These terms summarize the ways systems and informa-
tion can be compromised, but the techniques used to
execute them are virtually limitless and continuously
evolving. Often, these methodologies are combined in
ways that make it nearly impossible to anticipate and
avoid the attempted fraud. In order to be successful
in achieving cybersecurity, credit union management
must establish a culture of risk management – one
involving rigorous testing, education and clear paths
of communication.
Why does cybersecurity matter to credit unions?
A successful cyber-attack can wreak havoc – through
financial losses and reputational impact. And smaller
financial institutions, such as credit unions, are not
immune. According to panelists during the Federal
Financial Institutions Examination Council (FFIEC)’s
recent webinar, “Executive Leadership of Cybersecurity:
What Today’s CEOs Need to Know about the Threats
They Don’t See,” smaller institutions are being targeted
more frequently now than ever before. One of the
reasons is that smaller firms are less likely than large
banks to have strong defenses in place – making them
easier targets for a breach.
The rapid adoption of new technologies among con-
sumers, as well as businesses, has exposed sensitive
information broadly and has accelerated attempts to
breach the barriers established to protect that information.
Between 2005 and 2014, the total number of recorded
data breaches was 4,327, with 632 million records
exposed. There was a 30 percent increase between 2012
and 2013.
Regulatory Activity
In addition to worrying about the real-life risks associated
with cyber-attacks, credit unions also must be responsive
to the demands of regulatory agencies that are grappling
to establish best practices and rules that will protect the
industry as a whole. Numerous agencies and partner
organizations are dedicating resources to the challenge.
Most notably, earlier this year, the FFIEC – a formal, inter-
agency body empowered to dictate uniform principles,
standards and reports for the examination of financial
institutions by the Federal Reserve System, FDIC, NCUA,
the OCC and the CFPB – launched a pilot program to
assess the cybersecurity of a sample of 500 community
financial institutions, leveraging the existing examination
processes of regulatory agencies, including the NCUA.
Participating regulators are focused on risk management
and oversight, threat intelligence and collaboration,
cybersecurity controls, service provider and vendor risk
management, and cyber incident management and
resilience. The expectation is that the findings of the pilot
program will result in new, more stringent rules.
Preliminary reports from participants in the FFIEC pilot
program suggest that regulators are going to expect
financial institution management to demonstrate that they
understand the specific threats they face. In addition,
participants say that their regulators indicate strong
interest in the role of information-sharing.
The FFIEC launched a cybersecurity web page on
June 24: www.ffiec.gov/cybersecurity.htm
The NCUA also hosts a cybersecurity web page:
www.ncua.gov/Resources/Pages/cyber-security-
resources.aspx, which includes extensive research
and resources. The agency has stated that its top
priority, alongside interest-rate risk, is cybersecurity. In
6 | 2nd Quarter • 2014 Due Diligence
current issue
a recent speech, NCUA Chairman Debbie Matz explicitly
referenced vendor due diligence, strong password
policies, proper patch management, employee training
and network monitoring.
creating an environment for Success
Achieving cybersecurity is about more than establishing
strong cybersecurity practices. It requires the consid-
eration of data security in nearly every business decision,
and the creation of a culture where employees are
educated and empowered to escalate threat concerns.
Guiding principles for cybersecurity success include:
1. Though individualized cybersecurity programs
will vary, many experts state that all cybersecurity
programs should include vulnerability assessment,
penetration testing, patch management, and a
“least privilege” model.
2. education is essential and must be performed
from the frontline to the board room. Employees
who interact directly with members must learn to
be vigilant in the detection of suspicious situations.
Board members must understand the security risks
inherent to decisions they make and the importance
of budgeting sufficiently for cybersecurity. Individuals
throughout the organization should be well-informed
of the dangers of responding to phishing schemes
or inadvertently importing malware. And all parties
directly involved in setting and reviewing controls
or implementing risk-management systems and
processes must be provided access to the most
current threat information.
3. When evaluating the potential impact of a security
breach, leverage the credit union’s existing
Business impact Analysis and Business continuity
plan, which describe the criticality of various
internal processes. This knowledge can help
management determine how to best allocate
risk-mitigation resources.
4. Resource allocation is critical. In fact, some
information security professionals believe that it may
be appropriate to extricate cybersecurity resources
from the information technology budget, to ensure
that the two areas are not vying for the same dollars.
5. Vendor management receives a great deal of
attention in the literature addressing cybersecurity,
as well it should. Credit union management must
understand how each third-party could introduce risk.
Risk management should begin with thorough due
diligence at the outset of a vendor relationship and
continue with ongoing monitoring.
6. Though the challenge of vendor management may
seem daunting, credit unions should not hesitate to
acquire external expertise to help them manage
their cybersecurity. Credit unions are in the business
of serving members, and they are unlikely to have
the same level of expertise that is available from
a qualified, dedicated third-party. Earlier this year,
Chairman Matz stated that “Credit unions need to
stay on top of this issue, which means working with
experts outside the credit union and not just relying
on internal IT staff to protect their systems.”
7. Have a detailed incident response plan to describe
exactly what your credit union will do in the event of
an attack. This will include plans for communication
and escalation internally and externally, as well as
steps to actually mitigate the breach itself.
8. test, monitor, and revise. The cybersecurity strategy
cannot be allowed to stagnate. Once plans and pro-
cedures are in place, it is essential to monitor and test
on an ongoing basis. Ensure that sufficient attention
is given to the tools established to monitor concerns,
such as exception reports and internal and external
audit reports. Monitor the ever-changing threat
landscape. Employ third-parties to conduct security
testing, including social engineering tests. Refine any
aspect of the plan where gaps are identified.
2nd Quarter • 2014 Due Diligence | 7
current issue
9. communicate with members about cybersecurity threats, how to safeguard their
personal information, and why it’s important to protect their accounts. Use alert
mechanisms to contact members about suspicious activity on their accounts.
10. escalate and share information with third parties.
• The Financial Services Information Sharing and Analysis Center (FS-ISAC)
was established in response to a presidential directive mandating that public
and private sectors share information about physical and cybersecurity threats
and vulnerabilities.
• The United States Computer Emergency Readiness Team (US-CERT), part of
the Department of Homeland Security, leads efforts to improve the nation’s
cybersecurity posture, coordinates cyber information sharing and proactively
manages cyber risks to the United States.
• FBI InfraGard is a partnership between the FBI and the private sector, the
purpose of which is to share information and intelligence to prevent hostile
acts against the U.S.
The importance of information sharing cannot be overstated. In July 2014, the Senate
Select Committee on Intelligence passed S. 2588 – the Cybersecurity Information
Sharing Act (CISA), intended to strengthen the ability of private industry and
government to share information by narrowing liability protections and strengthening
privacy protections.
Strategic imperative
Today, credit unions are facing the competitive threat of non-financial disinter-
mediation. Numerous technology-driven firms and retailers, most of which are not
heavily regulated, lure consumers into convenient financial transactions that bypass
the banking industry entirely. Futurists say that the tipping point for this behavior
looms near.
One distinct, and meaningful, advantage that financial institutions have is that
consumers trust them more to protect their money. A 2012 study by Market Strategies
International found that nearly 75 percent of smartphone owners named their current
financial institutions as “most trustworthy,” edging out PayPal and various credit
card companies. Just last month, ACI Worldwide and Aite Group reported the results
of their study showing that nearly one-third of global consumers do not trust retailers
to protect stored data against hacking attempts and data breaches, while nearly
60 percent of respondents think financial institutions do a better job.
Combined with the member-centric credit union brand, a strong reputation for
protecting member data is invaluable – underscoring the importance of credit unions’
efforts to achieve cybersecurity.
tranZact notice
Later this year, Catalyst
Corporate will roll out a new
and improved TranZact
system. As part of the
process, TranZact users will
receive communications
including details about
enhancements, training and
access. catalyst corporate
will not send out links to
the new system via email.
Instead, users will be asked
to access TranZact through
a specific page on the
Catalyst Corporate website.
In the unlikely event that
a TranZact user receives
an email message with
instructions and a link
to access TranZact, the
message should be
deemed fraudulent. Please
contact Member Services
to report any suspicious
communications.
8 | 2nd Quarter • 2014 Due Diligence
Quarterly Financial Report
ReSultS oF opeRAtionS
Catalyst Corporate’s net income for the six months ended June 30, 2014 totaled $5,802,963 compared to budgeted
net income of $4,211,904. The higher than budgeted net income included gains of $765,170 recognized due to early
prepayments of three member term loans. Year-to-date (YTD) operations resulted in a coverage ratio of 90.2 percent
versus a budgeted 84.0 percent. Catalyst Corporate’s retained earnings ratio of 1.33 percent exceeds the regulatory
requirement of 0.45 percent that took effect on October 31, 2013 and the 1.00 percent regulatory requirement that
will take effect on October 31, 2016. A summary of the unaudited results of Catalyst Corporate operations for the past
four quarters is included in the following table.
Jul-Sept oct-Dec JAn-MAR ApR-Jun 2013 2013 2014 2014
Net interest income $3,412,683 $3,239,848 $3,251,763 $3,306,761 Net fee income 6,603,061 7,234,242 6,664,971 7,349,196 Operating expenses 7,770,169 8,429,798 7,659,718 7,875,180Other net gain 65,842 — 273,699 491,471net income $2,311,417 $2,044,292 $2,530,715 $3,272,248
Key information Net operating expense $1,167,108 $1,195,556 $994,747 $525,984Coverage ratio 85.0% 85.8% 87.0% 93.3%Return on assets 0.35% 0.32% 0.42% 0.54%Daily average net assets – 12 month rolling $2,597,182,902 $2,531,936,372 $2,465,877,776 $2,424,491,780Perpetual contributed capital $161,345,137 $161,474,655 $161,987,097 $162,431,096Undivided earnings $24,836,199 $26,601,559 $28,859,784 $31,868,915Leverage ratio 7.01% 7.27% 7.59% 7.85%Retained earnings ratio 0.97% 1.07% 1.19% 1.33%
Tier one risk-based capital ratio 25.45% 25.24% 24.28% 23.61%Total risk-based capital ratio 25.45% 25.24% 24.28% 23.61%
2nd Quarter • 2014 Due Diligence | 9
Quarterly Financial Report
conSoliDAteD StAteMent oF FinAnciAl conDitionJune 30, 2014 unAuDiteDAssets Cash and cash equivalents $1,391,444,944Investments: Available-for-sale 690,219,233 Federal Home Loan Bank capital stock 924,100 Investments in credit union service organizations (CUSOs) 4,396,316 Loans to members 214,633,325Accounts receivables and other assets 14,777,050Property and equipment, net 13,764,383Goodwill 2,767,548Total assets $2,332,926,899
liabilities Members’ share accounts $2,130,054,595Members’ share certificates 4,176,443Accrued expense and other liabilities 5,484,346Total liabilities 2,139,715,384
Members’ equity Perpetual contributed capital (PCC) 162,431,096Undivided earnings 31,868,915Accumulated other comprehensive loss (1,088,496)Total members’ equity 193,211,515Total liabilities and members’ equity $2,332,926,899
The accompanying notes are an integral part of the consolidated financial statements.
10 | 2nd Quarter • 2014 Due Diligence
Quarterly Financial Report
conSoliDAteD StAteMent oF incoMeFor the quarter and six months ended June 30, 2014
unAuDiteD ApR-Jun YeAR to DAte interest income Loans to members $1,736,326 $3,582,836Investments available-for-sale 977,863 1,754,544 Other 930,554 1,905,122Total interest income 3,644,743 7,242,502
interest expense Interest on members’ share accounts 333,104 657,317Interest on members’ share certificates 4,878 26,661Total interest expense 337,982 683,978Net interest income 3,306,761 6,558,524 net fee income Share draft and depository processing fees 4,197,375 8,050,412Off balance sheet income 2,148,197 4,283,632Other fee income 2,137,542 3,886,189Outside processing and service costs (1,133,918) (2,206,066)Net fee income 7,349,196 14,014,167
operating expenses Compensation and employee benefits 5,369,676 10,716,740Information technology 1,090,652 2,175,182Office occupancy 279,733 577,086Professional fees 250,454 489,648Other operating expense 884,665 1,576,242Total operating expenses 7,875,180 15,534,898
other net gainNet gain on loan prepayment 491,471 765,170Total other net gain 491,471 765,170 net income $3,272,248 $5,802,963
The accompanying notes are an integral part of the consolidated financial statements.
2nd Quarter • 2014 Due Diligence | 11
Quarterly Financial Report
conSoliDAteD StAteMent oF coMpRehenSiVe incoMeFor the quarter and six months ended June 30, 2014 unAuDiteD ApR-Jun YeAR to DAte net income $3,272,248 $5,802,963 other comprehensive income Net unrealized holding gains on investments classified as available-for-sale 446,344 967,369 total other comprehensive income 446,344 967,369
comprehensive income $3,718,592 $6,770,332
The accompanying notes are an integral part of the consolidated financial statements.
conSoliDAteD StAteMent oF MeMBeRS’ eQuitYFor the six months ended June 30, 2014 Accumulated perpetual other contributed undivided comprehensiveunAuDiteD capital earnings loss total Balance at December 31, 2013 $161,474,655 $26,601,559 ($2,055,865) $186,020,349Net income 5,802,963 5,802,963PCC issued 956,941 956,941PCC released due to credit union liquidation (500) (500)Dividends paid on PCC (535,607) (535,607)Other comprehensive income 967,369 967,369Balance at June 30, 2014 $162,431,096 $31,868,915 ($1,088,496) $193,211,515
The accompanying notes are an integral part of the consolidated financial statements.
12 | 2nd Quarter • 2014 Due Diligence
Quarterly Financial Report
1. cash and cash equivalentsCash and cash equivalents include pass-through reserves deposited with the Federal Reserve Bank of $76,557,000 as of June 30, 2014. Member credit unions’ reserve balances are included in the members’ share accounts in the consolidated statement of financial condition. Cash on deposit and cash items in the process of collection from correspondent banks and the Federal Reserve Bank are included in cash and cash equivalents in the consolidated statement of financial condition.
2. investments Available-for-SaleThe amortized cost and estimated fair value of investments available-for-sale as of June 30, 2014 are as follows: Amortized estimated unrealized cost Fair Value gain/(loss)Asset-backed securities $555,346,650 $555,417,986 $71,336Agency mortgage-backed securities 132,388,146 131,219,821 (1,168,325)Federal agency securities 3,572,933 3,581,426 8,493total $691,307,729 $690,219,233 ($1,088,496)
3. investments in cuSosInvestments in CUSOs are comprised of the following as of June 30, 2014:
Investment in CO-OP $2,018,310Investment in Primary Financial, LLC 1,572,739Investment in CU Business Group 705,267Investment in CU Investment Solutions, LLC 100,000total $4,396,316
Catalyst Strategic Solutions is a wholly-owned subsidiary of Catalyst Corporate. All significant intercompany balances and transactions have been eliminated in the Catalyst Corporate consolidated financial statements.
4. loans to MembersThe composition of loans to members is as follows as of June 30, 2014:
Open-end credit lines $45,352,622Term loans 169,280,703total $214,633,325
noteS to conSoliDAteD FinAnciAl StAteMentS
2nd Quarter • 2014 Due Diligence | 13
noteS to conSoliDAteD FinAnciAl StAteMentS (continueD)
Quarterly Financial Report
5. Members’ Share AccountsMembers’ share accounts are summarized as follows as of June 30, 2014:
Cash management $1,678,177,813Performance tiered 252,813,132Reg D reserve 76,557,000Other shares 122,506,650total $2,130,054,595
Catalyst Corporate members transferred $4,391,575,091 to the Excess Balance Account at the Federal Reserve Bank as of June 30, 2014.
6. Regulatory capitalAs a federally-chartered corporate credit union, Catalyst Corporate is subject to various regulatory capital require-ments administered by the NCUA. The table below presents Catalyst Corporate’s actual and required capital ratios as of June 30, 2014:
capital Ratio capital Denominator Ratio
Minimum level to be classified as adequately
capitalized
Minimum level to be classified
as well capitalized
Retained earnings ratio
RE DANA 1.33% 0.45% N/A
leverage ratioRE + PCC-CUSO
InvestmentsDANA 7.85% 4.00% 5.00%
tier one risk-based capital
ratio
RE+ PCC-CUSO Investments
MANRA 23.61% 4.00% 6.00%
total risk-based capital ratio
RE + PCC-CUSO Investments
MANRA 23.61% 8.00% 10.00%
RE = Retained earnings for regulatory ratios include retained earnings acquired through business combination with Georgia CorporatePCC = Perpetual contributed capitalCUSO Investments = Investments in unconsolidated CUSOsDANA = 12-month average daily net assetsMANRA = 12-month average net risk-weighted assets
14 | 2nd Quarter • 2014 Due Diligence
Annual Report
Annually, Catalyst Corporate engages a third-party firm to conduct an external audit of its financial statements, including the consolidated statement of financial condition and related consolidated statements of income, comprehensive income, members’ equity, and cash flows for the prior year-end. For the period ending December 31, 2013, the CPA firm of Orth, Chakler, Murnane and Company performed this function. Catalyst Corporate’s 2013 Financial Statement Audit Report was distributed during Catalyst Corporate’s Annual Meeting on April 17, 2014 and also posted to the corporate’s web site in April.
Catalyst Corporate’s 2014 Annual Meeting was held on April 17, 2014, at 12 p.m. local time, at the Planet Hollywood Resort in Las Vegas, Nevada. Additional details are available at www.catalystcorp.org/annualmtg. The 2013 Annual Report and the 2013 Audited Financial Statements are accessible in the Due Diligence section of the Catalyst Corporate website.
To review or print Catalyst Corporate’s full 2013 Financial Statement Audit Report, visit www.catalystcorp.org/financials/ar2013.pdf.
To review or print Catalyst Corporate’s full 2013 Annual Report, visit www.catalystcorp.org/financials/ar2013full.pdf.
14 | 2nd Quarter • 2014 Due Diligence
2nd Quarter • 2014 Due Diligence | 15
Risk Measures
cReDit RiSK
June 30, 2014
Overnight Cash $1,391,444,944 Secured Loans $214,633,325 Agency Securities $134,801,247 Student Loan $143,338,180 Auto Loan $133,793,303 Credit Card $183,367,356 Equipment $94,919,147
Risk exposure
RiSK eXpoSuReRegulAtoRY
liMitScuRRent
Interest rate risk (NEV volatility)
-20.0% -13.7%
Weighted Average Life of Financial Assets
2.00 years 0.46 years
Weighted Average Life of Financial Assets - Stress Test
2.25 years 0.48 years
Single Obligor Limits (% of Capital)
Credit Card ABS 50.0% 24.9%
Sector Limits (% of Capital)
Agency RMBS 1000.0% 68.9%
Credit Card ABS 500.0% 96.3%
Asset Diversification (% of Assets)
Agency RMBS 50.0% 5.6%
Credit Card ABS 25.0% 7.9%
September 30, 2013
Overnight Cash $1,536,584,570Secured Loans $248,179,006Agency Securities $133,895,385Student Loan $152,411,839Auto Loan $121,985,427Credit Card $73,633,187Equipment $64,194,515
December 31, 2013
Overnight Cash $1,301,574,981 Secured Loans $411,198,496 Agency Securities $123,570,610 Student Loan $134,312,843 Auto Loan $116,520,059 Credit Card $113,044,600 Equipment $70,835,552
March 31, 2014
Overnight Cash $1,773,803,819 Secured Loans $217,161,238 AgencySecurities $144,783,947 Student Loan $140,397,404 Auto Loan $94,117,784 Credit Card $168,419,900 Equipment $87,367,218
16 | 2nd Quarter • 2014 Due Diligence
13.7
%Ju
ne 2
014
-15%
Risk Measures
inteReSt RAte RiSK
Catalyst Corporate’s primary method of monitoring interest rate risk is through the net economic value (NEV) test. The NEV test measures the dollar and percentage potential change in the fair value of Catalyst Corporate’s capital (perpetual contributed capital, retained earnings and amortized members’ capital accounts) given a parallel, instantaneous, and permanent 300 basis point upward and downward change in the yield curve. The objective of the NEV test is to measure whether Catalyst Corporate has sufficient capital to absorb potential changes to the fair value of its balance sheet given large, sustained instantaneous interest rate shocks.
A summary of Catalyst Corporate’s NEV test at June 30, 2014 is as follows (in thousands):
NEV$ Change
in NEV% Change
in NEV
Fair Value Base
$208,100 N/A N/A
Fair Value +300 Bp
$179,700 ($28,400) -13.7%
Fair Value -100 Bp*
$219,200 $11,100 5.3%
* Interest rates are adjusted down 100 basis points due to the low rate environment at June 30, 2014.
neV Ratio(+/- 300 BP Shock Scenarios) Maximum neV change
+300 BP Change
REGULATORY LIMIT-20%
POLICY LIMIT
Sep
t 201
3
Mar
201
4
Jun
2014
Dec
201
3
0%
2%
4%
6%
8%
10%
12%
REGULATORY LIMIT
POLICY LIMIT
BASE NEV RATIO 8.9%
LOWEST NEV RATIO 7.8%
-15%
-12%
-9%
-6%
-3%
0%
Sep
t 201
313
.2%
14.4
%M
ar 2
014
13.9
%D
ec 2
013
2nd Quarter • 2014 Due Diligence | 17
Risk Measures
Liquidity risk pertains to whether Catalyst Corporate has sufficient short-term assets, marketable securities, and borrowing capacity to meet member credit unions’ potential liquidity needs.
At June 30, 2014, Catalyst Corporate had $1.4 billion in cash and cash equivalents. Catalyst Corporate had access to a $131 million line of credit with the Federal Home Loan Bank of Dallas and a $30 million line of credit with JPMorgan Chase. This line of credit is secured with qualified investment securities. There were no outstanding advances under this agreement at June 30, 2014.
Catalyst Corporate continues to meet members’ liquidity needs. Catalyst Corporate had outstanding loans to members of $214.6 million and additional uncommitted lines of credit to members of $7.9 billion at June 30, 2014. All outstanding lines of credit are collateralized by specific or general pledges by members.
excess Balance AccountCatalyst Corporate uses the Federal Reserve Bank’s Excess Balance Account (EBA) to manage excess liquidity by sweeping funds above certain thresholds to member EBAs nightly.
Below is a chart showing member share balances and the EBA balances for the month ending each of the last four quarters.
Member Share Balances
excess Balance Account
Sept 2013 $2.2 billion $4.8 billion
Dec 2013 $2.1 billion $4.4 billion
Mar 2014 $2.5 billion $5.8 billion
Jun 2014 $2.1 billion $4.4 billion
liQuiDitY RiSK
current portfolio* June 30, 2014
Assets
ASSetSpeRcent oF
BAlAnce SheetWAl
(YeARS)Loans 9.2% 1.9
ABS - Autos 5.7% 0.6ABS - Credit Cards 7.9% 0.9
FFELP Student Loans 6.1% 1.1Agency RMBS 5.6% 1.2
ABS - Equipment 4.1% 0.8SBA Pools 0.2% 4.5
Other (Non-Earning) 1.6% 0.0Overnight 59.6% 0.0
total 100.0% 0.45
WAL = Weighted Average Life*Based on a $2.3 billion balance sheet
liabilities & capital
ShAReS & eQuitYpeRcent oF
BAlAnce SheetWAl
(YeARS)Overnight Shares 91.4% 0.0
Certificates 0.2% 0.2
Member Capital 7.0% N/A
RUDE 1.4% 0.0total 100.0% 0.3
Average Life Mismatch (years) 0.42
WAL=Weighted Average Life
18 | 2nd Quarter • 2014 Due Diligence
portfolio
AlM liMitS
June 30, 2014 RegulAtion cuRRent
NRSRO Rating AA or better AA- AA+
No prohibited securities None None
NEV Volatility (Base Plus) 20% 13.7%
NEV Ratio (Base Plus) 2% 7.8%
Weighted Average Life of Financial Assets (Years) 2.00 0.46
Stressed Weighted Average Life of Financial Assets (Years)
2.25 0.48
DiVeRSiFicAtion liMitS to ASSet SiZe
June 30, 2014 RegulAtion cuRRent
Loans N/A 9.2%
Auto Loan Asset Backed Securities 25% 5.7%
Credit Card Asset Backed Securities 25% 7.9%
FFELP Student Loan Securities 50% 6.1%
Equipment Asset Backed Securities 25% 4.1%
Corporate Bonds 50% 0.0%
Agency Residential Mortgage Backed Securities 50% 5.6%
Agency Debt N/A 0.0%
SBA Pools 25% 0.2%
Other (Non-Earning) N/A 1.6%
Overnight Investments N/A 59.6%
2nd Quarter • 2014 Due Diligence | 19
portfolio
Single oBligoR liMitS to cApitAl*
June 30, 2014 RegulAtion cuRRent
Auto Loan Asset Backed Securities 25% 12.4%
Credit Card Asset Backed Securities 50% 24.9%
FFELP Student Loan Securities 25% 10.5%
Equipment Asset Backed Securities 25% 13.0%
Corporate Bonds 25% 0.0%
* Obligor limits are set as a percentage of the corporate’s total capital. As of June 30, 2014, total capital is $190,359,539. Total capital consists of Perpetual Contributed Capital and Retained Earnings, less Investments in Unconsolidated CUSOs.
SectoR liMitS to cApitAl*
June 30, 2014 RegulAtion cuRRent
Auto Loan Asset Backed Securities 500% 70.3%
Credit Card Asset Backed Securities 500% 96.3%
FFELP Student Loan Securities 1000% 75.3%
Equipment Asset Backed Securities 500% 49.9%
Corporate Bonds 1000% 0.0%
Agency Residential Mortgage Backed Securities 1000% 68.9%
SBA Pools 500% 1.9%
* Sector limits are set as a percentage of the corporate’s total capital. As of June 30, 2014, total
capital is $190,359,539. Total capital consists of Perpetual Contributed Capital and Retained Earnings, less Investments in Unconsolidated CUSOs.
20 | 2nd Quarter • 2014 Due Diligence
0%
1%
2%
3%
4%
5%
6%
7%
8%
7.85
%Ju
ne 2
014
Sep
t 201
37.
01%
7.59
%M
ar 2
014
7.27
%D
ec 2
013
86.8
%86
.8%
Key performance Ratio graphicsR
etai
ned
ear
ning
s R
atio
YtD
op
erat
ing
E
ffici
ency
Rat
io
tier
one
Ris
k-B
ased
c
apita
l Rat
io
leve
rag
e R
atio
tota
l Ris
k-B
ased
c
apita
l Rat
io
The operating efficiency ratio is calculated as net fee income divided by operating expenses. Catalyst Corporate’s ability to cover expenses through fee income supports a business model that is less reliant on balance-sheet activity for income and therefore supports a risk-averse portfolio for the long-term. Management anticipates an operating efficiency ratio ranging from 75 to 85 percent on a long-term basis.
opeRAting eFFiciencY RAtio
RegulAtoRY cApitAl RAtioS 0%
20%
40%
60%
80%
100%
90.2
%Ju
ne 2
014
Sep
t 201
387
.2%
87.0
%M
ar 2
014
86.8
%D
ec 2
013
0%
5%
10%
15%
20%
25%
30%
23.6
1%Ju
ne 2
014
Sep
t 201
325
.45%
24.2
8%M
ar 2
014
25.2
4%D
ec 2
013
0%
5%
10%
15%
20%
25%
30%23
.61%
June
201
4
Sep
t 201
325
.45%
24.2
8%M
ar 2
014
25.2
4%D
ec 2
013
1.33
%Ju
ne 2
014
Sep
t 201
30.
97%
1.19
%M
ar 2
014
1.07
%D
ec 2
013
0.0%
0.3%
0.6%
0.9%
1.2
1.5%
2nd Quarter • 2014 Due Diligence | 21
cuSos and partners
CUSOURCE, LLC, better known as Catalyst Strategic Solutions, is a wholly-owned CUSO of Catalyst Corporate that provides client credit unions with balance sheet consulting, including an SEC-registered investment advisory service, asset-liability management modeling, derivative hedging support, and related consultation. Catalyst Strategic Solutions has been in operation since 1998. As of June 30, 2014, 92 credit unions use the investment advisory service and 171 credit unions and corporates use ALM and consulting services. As of June 30, 2014, Catalyst Strategic Solutions has $5.0 billion in off-balance sheet funds under advisement.
To view the balance sheet and income statement of CUSOURCE/Catalyst Strategic Solutions, visit www.catalystcorp.org/duediligence/cuso.pdf.
cuSouRce, llc / cAtAlYSt StRAtegic SolutionS
CU Investment Solutions, LLC provides broker/dealer services to corporates and natural person credit unions. Formerly a CUSO of U.S. Central Corporate (and its successor, U.S. Central Bridge Corporate), CU Investment Solutions was purchased by its corporate users in 2011. Catalyst Corporate has an investment of $100,000 in the CUSO, which equates to an 11 percent ownership stake.
Catalyst Corporate employs registered agents to assist credit unions with securities purchases and has brokerageaccounts with approximately 245 active credit unions at present; 113 of these have done trades in the past 12 months. Catalyst Corporate’s year-to-date sales volume as of June 30, 2014, was $1.0 billion.
To view CU Investment Solutions’ audited financial statements for the current fiscal year-end, visit www.catalystcorp.org/duediligence/cuis.pdf.
cu inVeStMent SolutionS, llc
CU Business Group, LLC, provides business service consultation to credit union clients in areas such as:
• Loan origination, underwriting and servicing
• Documentation and compliance
• Risk monitoring
• Independent loan review
• Business deposit services
• Education and training
• Loan participation network
• Strategic consulting and operational training
CU Business Group is owned by seven corporate credit unions. As of June 30, 2014, Catalyst Corporate owns approximately 37 percent of this CUSO and has 125 member credit unions using its services.
To view the most recent audited financial statements, visit www.catalystcorp.org/duediligence/cubg.pdf.
To view Credit Union Business Group’s full Due Diligence Package, visit www.catalystcorp.org/duediligence/cubgreport.pdf.
cReDit union BuSineSS gRoup, llc
22 | 2nd Quarter • 2014 Due Diligence
cuSos and partners
Primary Financial, LLC is owned by 14 corporate credit unions and provides brokered certificates of deposit tonatural person credit unions nationwide, as well as a channel for these credit unions to issue certificates. CatalystCorporate has an investment of $1.6 million in Primary Financial, equating to an 8.0 percent interest in the company.As of June 30, 2014, Catalyst Corporate had SimpliCD agreements with 844 member credit unions, including 257 member credit unions actively using the service over the last 12 months, $803.6 million in certificates outstanding, and $219.5 million in sales year-to-date.
To view Primary Financial’s year-end 2013 audited financial statements, visit www.catalystcorp.org/duediligence/primary.pdf.
Alaska U.S.A. Trust Company is a Catalyst Corporate partner, facilitating the safekeeping of its members’ securities. Catalyst Corporate does not have an ownership stake in Alaska U.S.A. Trust Company, but does entrust execution of highly-regulated service activities to this partner. As a result, Catalyst Corporate monitors its financial and service performance. Alaska U.S.A. Trust Company, which operates exclusively within the credit union industry, is deeply familiar with the regulatory requirements credit unions must meet with regard to security safekeeping and due diligence of safekeeping service providers. It is competent and committed to ensuring safe and sound custodianship practices.
Catalyst Corporate has 294 members using the program that is offered in partnership with Alaska U.S.A. Trust Company, with approximately $22.1 billion in safekeeping for members and $554.5 million in corporate holdings as of June 30, 2014.
To view Alaska U.S.A.’s year-end 2013 audited financial statements, visit www.catalystcorp.org/duediligence/alaskausa.pdf.
D+H is Catalyst Corporate’s partner in the delivery of cloud computing and other technology solutions to credit unions. Headquartered in Toronto, Ontario, Canada, D+H delivers solutions to more than 6,000 North American banks and credit unions across three broad service areas: Banking Technology Solutions (Enterprise, Lending), Lending Processing Solutions, and Payments Solutions.
D+H cloud computing and managed information technology operations are based in Santa Ana, CA, with five geographically distributed operation and support centers, three redundant data centers and a 24/7 Network Operations Center located in Dallas, TX. These solutions were designed specifically for the financial market and are validated by third-party assessments including SSAE16/SOC2 Type II and regular regulatory reviews. D+H provides information technology outsourcing to over 389 financial organizations across the United States, including numerous credit unions.
Specific due diligence information will be made available to any credit union that engages in an active evaluation process with Catalyst Corporate and D+H, and could include a review of D+H’s SSAE16/SOC2 Type II review, operational details and pertinent financial information. D+H has been in business since 1875 and became a public company in 2001. To review its financial statements, visit the “Results” page of the D+H web site at http://dhltd.com/investors/financial-reports/.
pRiMARY FinAnciAl, llc
AlASKA u.S.A. tRuSt coMpAnY
D+h
2nd Quarter • 2014 Due Diligence | 23
operational compliance
BuSineSS continuitY SuMMARY
Catalyst Corporate’s Business Continuity Program is based on best practices established by the Federal Financial Institutions Examination Council (FFIEC), the Disaster Recovery Institute International (DRII), and the Gartner Group. Oversight is performed by a board-approved committee consisting primarily of Catalyst Corporate management and senior management. The Business Continuity Management Program and related activities are reviewed annually by the board of directors.
Catalyst Corporate utilizes a Business Continuity Lifecycle, which defines five major elements representing a specific set of tasks, procedures and outcomes that can be used as a guideline for developing a business continuity program. The five planning sections of the Business Continuity Lifecycle are:
• Analyze the business
• Assess the continuity risks
• Develop the strategy
• Develop the plan
• Exercise and maintain the plan
Catalyst Corporate performs the steps of the Business Continuity Lifecycle at least annually. Controls have been identified and implemented to help minimize or prevent potential loss from a disruption or disaster. Observations and deficiencies noted during the Continuity Risk Assessment (CRA) are documented and presented to the board of directors annually.
Catalyst Corporate attempts to minimize the impact of threats by implementation of preventative controls. In the event that preventative controls fail to protect from a threat, the overall business continuity strategy is to plan for impacts that escalate all the way through to the worst-case scenario in order to develop plans of action that are applicable to most any situation. These situations may range from non-catastrophic outages of individual computing systems or business processes to catastrophic outages that require relocation of the entire operation to the collocation site.
The following business continuity strategies provide the framework for ensuring that Catalyst Corporate can sustain critical business processes at a level acceptable to the business and to member credit unions.
Business continuity plansBusiness continuity plans are developed for each business process to document the procedures to be followed in order to achieve the minimum service level requirements and recovery time objectives. Solutions are identified for potential issues, and resources are put in place to ensure timely resolution to anticipated service disruptions.
Business units have developed and refined both continuity plans for their critical systems and exercise plans to validate those continuity plans. These plans, which are approved by senior management, collectively address a wide variety of scenarios:
• Employee Emergency Procedures provide guidance on what steps should be taken in the event certain threats occur.
• Immediate Action Items document immediate actions in disaster declaration mode both before and after arrival at the Work Area Continuity site.
• Disaster Declaration Plans address the building being indefinitely inaccessible and/or totally destroyed.
• Temporary Evacuation Plans address the evacuation of the building for a few hours.
• The Pandemic Preparedness Plan details the steps that need to be taken in the event of a pandemic event.
BackupCatalyst Corporate knows that recovery of data from magnetic media backup will take longer than what is acceptable during a disaster. To mitigate this concern, a hot-site is managed so that data is mirrored or replicated to identical equipment for rapid recovery. Additionally, systems and data are backed up as often as required and the tapes are sent off-site for long-term storage. Data backups are tested periodically to verify the backup system is working properly.
operational compliance
BuSineSS continuitY SuMMARY (continueD)
hot-siteThe hot-site provides a highly secured environment with connectivity to numerous telecommunication carriers and utility power that is backed up by a UPS. Redundant firewalls, routers, switches, IBM iSeries, servers and data storage devices are in place and are exercised on a regular basis to protect against prolonged service disruptions. High-speed telecommunication lines are installed to connect the hot-site to Catalyst Corporate’s Plano, Texas office for rapid transmission of high volumes of data and images. Storage Area Network (SAN) data is distributed to both the production and hot-site synchronously (active/active) significantly reducing the recovery time objective for virtualized servers. Critical physical servers are duplicated with equivalent hardware at the hot-site and the associated data is replicated in real time to its hot-site counterpart. File data is continuously mirrored to the hot-site using Common Internet File System (CIFS) replication technology.
Work Area continuity SiteCatalyst Corporate leases office space in the same building as the hot-site for the Work Area Continuity site. With direct connection to the hot-site for access to the AS/400, servers and disk storage, this site houses the necessary workstations, work area, telecommunications and network connections to continue operations in the event of a disruption. Business units maintain off-site storage of supplies and documentation needed to continue operations.
continuity exercisesCritical business processes identified in the Business Impact Analysis are exercised at least annually, and some of the more critical systems are exercised on a quarterly basis. Exercise exceptions are presented to senior management and the Internal Audit Department after each exercise. An overview of all exercises and exercise exceptions is presented to the board of directors annually.
contingency communicationsGuidelines are available that provide information on how to establish communications with Catalyst Corporate as soon as possible following an event that causes a service disruption. Credit unions and Catalyst Corporate employees maintain familiarity with these contingency communications plans by conducting quarterly exercises. To view Catalyst Corporate’s Contingency Communications guidelines, visit www.catalystcorpcc.org/ccguidelines.html.
24 | 2nd Quarter • 2014 Due Diligence
2nd Quarter • 2014 Due Diligence | 25
operational compliance
BuSineSS continuitY ActiVitY RepoRt
exercises completed During Second Quarter 2014
Service Alert Messages (SAM) sent to participating credit unionsSAM exercises are conducted semi-annually to ensure that credit union contact information for specific processes is maintained and to ensure timely communications to member credit unions regarding the nature and duration of process specific disruptions. Messages are also sent using the SAM system when services are disrupted or delayed.
• Messages sent on 5/19/14, 6/2/14 and 6/20/14
contingency communications exerciseContingency Communications Exercises are conducted semi-annually to ensure timely communications to member credit unions regarding the nature and duration of a service disruption in an effort to minimize the impact on operations. These exercises began in September 2002 with participation from a total of 153 credit unions. Catalyst Corporate now has the participation of 1,141 credit unions in these exercises (as of June 2014).
• Message sent on 6/18/14
Full Scale (Disaster Declaration) exercise Disaster Declaration Exercises are conducted at Catalyst Corporate’s collocation facility. Critical systems are either (1) exercised with data and systems at the hot site to simulate the Catalyst Corporate headquarters building being destroyed or (2) pointed back to the headquarters facility to simulate indefinite building inaccessibility by personnel. The plans are designed to accurately and objectively compare results against already established Recovery Time Objectives.
• Conducted on 4/12/14
Remote Access exercisesRemote Access Exercises are conducted on a regular basis and are used to assess employees’ ability to work remotely.
• Conducted in June 2014
Application Specific ExercisesCatalyst Corporate conducts application specific exercises of its critical systems and also simulates scenarios that are different from used during Catalyst Corporate’s full scale exercises in order to assess additional areas of coverage.
FiDelitY BonD StAteMent
NCUA Part 704.18 states that “every corporate credit union will maintain bond coverage with a company holding a certificate of authority from the Secretary of the Treasury” and “the minimum amount of bond coverage will be computed based on the corporate credit union’s daily average net assets for the preceding calendar year.”
Catalyst Corporate maintains a $10 million fidelity bond which is the coverage required by NCUA Part 704.
26 | 2nd Quarter • 2014 Due Diligence
operational compliance
BAnK SecRecY Act (BSA)/oFFice oF FoReign ASSetS contRol (oFAc) SuMMARY
Catalyst Corporate is committed to fulfilling the require-ments of the BSA, the OFAC, and the USA PATRIOT Act. Catalyst Corporate’s BSA Policy is reviewed and approved by the board of directors at least annually.
Anti-money laundering procedures have been developed and implemented that enable Catalyst Corporate to meet the requirements of the BSA, OFAC, USA PATRIOT Act, and the Financial Crimes Enforcement Network (FinCEN). These procedures and controls include, but are not limited to, the following:
• Coordination and monitoring of compliance by a designated BSA compliance officer.
• A Member Identification Program designed to meet the requirements of Section 326 of the USA PATRIOT Act.
• BSA/OFAC risk assessment of Catalyst Corporate processes, products and services, and members.
• Review of unbatched transactions for the detection and reporting of suspicious activity to FinCEN.
• A documented process for analysis and reporting of suspicious activity.
• Entities, countries and individuals associated with unbatched transactions screened for potential matches against OFAC lists.
• Review of member accounts in accordance with Section 314(a) of the USA PATRIOT Act.
• Monthly reporting of BSA and OFAC activity to the board of directors.
• Ongoing training of appropriate personnel.
• Independent testing and monitoring of compliance.
• Recordkeeping and record retention.
• An annual review of policies, procedures and risk assessments.
• Checks and balances, including a query validation process, a retention validation process, and the use of dual control.
2nd Quarter • 2014 Due Diligence | 27
privacy and Security
Affidavit Regarding Part 717
DeScRiption oF the pRiVAcY AnD SecuRitY AFFiDAVitS
The Affidavits below are provided to assist member credit unions with their due diligence and compliance with NCUA Rules and Regulations Parts 716, 717 and 748.
Catalyst Corporate places a high priority on security, and utilizes security measures to protect not just nonpublic personal information and information about “covered accounts” (as defined in Part 717), but all types of confidential information that it receives from its member credit unions.
Under Part 717 of the NCUA’s Regulations, Catalyst Corporate is deemed to be a “service provider” to its member credit unions. Catalyst Corporate is providing this Affidavit in order to assist member credit unions in their compliance with Part 717. The Affidavit is written in general language so that member credit unions can utilize the Affidavit regardless of the level of complexity of their security programs.
Each credit union for which Catalyst Corporate is a “service provider” is hereby authorized to consider this Affidavit to be a contractual agreement with Catalyst Corporate, or to be an amendment of any agreements or Schedules that the credit union has entered into with Catalyst Corporate.
• Catalyst Corporate agrees to utilize policies and procedures, developed by the corporate, that are designed to prevent, detect and mitigate the risk of security breaches that could result in a member of a credit union, or any other person, being exposed to identity theft. These policies and procedures will apply to all circumstances in which Catalyst Corporate processes or otherwise has access to confidential information, whether in connection with providing services for a “covered account” held at a credit union or otherwise.
• Catalyst Corporate agrees not to use nonpublic personal information about any credit union’s members, or about any other person, for any purpose
other than those purposes for which the credit union disclosed the information to Catalyst Corporate, including servicing and processing of transactions in the ordinary course of business.
• Catalyst Corporate will utilize security measures that Catalyst Corporate deems to be appropriate for the protection of nonpublic personal information about credit union members and other persons, with particular attention to protection against unauthorized access to or unauthorized use of such information that could result in substantial harm or inconvenience to any credit union’s members or to any other person.
• If an incident occurs that involves unauthorized access to or unauthorized use of nonpublic personal information about any credit union’s members or about any other person, Catalyst Corporate will take actions that Catalyst Corporate deems to be appropriate, including notification to the affected credit union as soon as possible of any such incident.
• From time to time, if requested by a credit union, Catalyst Corporate will make available to the credit union information deemed by Catalyst Corporate to be appropriate as to the security measures, controls, systems, and procedures that Catalyst Corporate uses for the protection of nonpublic personal information.
• Catalyst Corporate will utilize security measures designed to accomplish the proper disposal of nonpublic personal information held by Catalyst Corporate. If immediate deletion or disposal of the nonpublic personal information held by Catalyst Corporate is not feasible, then until the date when deletion or disposal of the information occurs, Catalyst Corporate will continue to utilize security measures designed to protect the information against unauthorized access and against unauthorized use.
28 | 2nd Quarter • 2014 Due Diligence
privacy and Security
Catalyst Corporate places a high priority on security, and utilizes security measures to protect not just nonpublic personal information, but all types of confidential information that it receives from its member credit unions.
Under Parts 716 and 748 of the NCUA’s Regulations, Catalyst Corporate is deemed to be a “service provider” to its member credit unions. Catalyst Corporate is providing this Affidavit in order to assist member credit unions in their compliance with Parts 716 and 748. The Affidavit is written in general language so that member credit unions can utilize the Affidavit regardless of the level of complexity of their security programs.
Each credit union for which Catalyst Corporate is a “service provider” is hereby authorized to consider this Affidavit to be a contractual agreement with Catalyst Corporate, or to be an amendment of any agreements or Schedules that the credit union has entered into with Catalyst Corporate.
Catalyst Corporate agrees not to use nonpublic personal information about any credit union’s members, or about any other person, for any purpose other than those purposes for which the credit union disclosed the information to Catalyst Corporate, including servicing and processing of transactions in the ordinary course of business.
Catalyst Corporate will utilize security measures that Catalyst Corporate deems to be appropriate for the
protection of nonpublic personal information about credit union members and other persons, with particular attention to protection against unauthorized access to or unauthorized use of such information that could result in substantial harm or inconvenience to any credit union’s members or to any other person.
If an incident occurs that involves unauthorized access to or unauthorized use of nonpublic personal information about any credit union’s members or about any other person, Catalyst Corporate will take actions that Catalyst Corporate deems to be appropriate, including notification to the affected credit union as soon as possible of any such incident.
From time to time, if requested by a credit union, Catalyst Corporate will make available to the credit union information deemed by Catalyst Corporate to be appropriate as to the security measures, controls, systems, and procedures that Catalyst Corporate uses for the protection of nonpublic personal information.
Catalyst Corporate will utilize security measures designed to accomplish the proper disposal of nonpublic personal information held by Catalyst Corporate. If immediate deletion or disposal of the nonpublic personal information held by Catalyst Corporate is not feasible, then until the date when deletion or disposal of the information occurs, Catalyst will continue to utilize security measures designed to protect the information against unauthorized access and against unauthorized use.
Affidavit Regarding Part 716 and 748
2nd Quarter • 2014 Due Diligence | 29
Catalyst Corporate is committed to the confidentiality, integrity and availability of its operations, information, information systems and members’ information. To meet these objectives, Catalyst Corporate has implemented and continues to develop internal controls. To demonstrate compliance with these controls, Catalyst Corporate engaged a firm to perform an SSAE16 review for the period April-September 2013. The Service Organization Controls (SOC1) report covers controls placed in operation and tests of operating effectiveness.
The SSAE16/SOC1 review is available to credit unions who contact Member Services at [email protected] or 800.442.5763, option 1. The report also may be downloaded from TranZact by authorized users.
SSAe16 StAteMent
texas
6801 Parkwood Blvd.Plano, TX 75024
214.703.7500 800.442.5763
georgia
6705 Sugarloaf Pkwy., Suite 250
Duluth, GA 30097770.476.9704800.768.4228
california
2855 E. Guasti Road, Suite 600
Ontario, CA, 91761214.703.7500 800.442.5763
hawaii
1654 South King StreetHonolulu, HI 96826
214.703.7500 800.442.5763