due diligence report - catalyst corporate...

Due Diligence RepoRtSecond Quarter 2014

altmans

Typewritten Text

Please note: hyperlinks in this document will not work. For more information on a link, please contact [email protected]

2 | 2nd Quarter • 2014 Due Diligence

Dear Valued Member:

Catalyst Corporate Federal Credit Union is providing this Second Quarter 2014 Due Diligence Report to update

credit unions on its performance and to support their due diligence efforts. The idea for the Due Diligence Report came

from a member who requested that Catalyst Corporate publish all due diligence information in a single document. The

suggestion was adopted because it aligns so well with Catalyst Corporate’s mission to be a premier innovative corporate

credit union that provides exceptional member value in an efficient, safe and sound manner.

Catalyst Corporate’s operating fundamentals also focus on efficiency, safety and soundness. These fundamentals remain

constant from year to year, helping Catalyst Corporate stay true to its promise to support the success of member-owners.

They also guide the prioritization of the initiatives in the strategic plan. Among the operating fundamentals:

Catalyst Corporate…

• Continuously strives to maximize efficiency.

• Prioritizes strategies that create value for member credit unions.

• Leverages technology to achieve its objectives whenever possible.

• Continues to build financial strength in ways that surpass milestones and regulatory requirements.

• Protects its members’ assets by closely monitoring and managing risks of all kinds including credit, interest rate,

liquidity, operational, reputation and enterprise-wide risk.

• Is transparent with regard to its financial performance and operational practices affecting safety and soundness.

• Is guided in all decisions by its structure as a member-owned cooperative.

• Achieves and maintains a strong degree of engagement with its volunteer leadership, who are a primary link to the

membership at large.

The Catalyst Corporate Due Diligence Report includes financial statements with detailed commentary and information

about Catalyst Corporate’s risk profile, portfolio composition, CUSO investments, and compliance with NCUA Rules and

Regulations Part 704. Also included is information about operational practices designed to protect member credit unions.

Each edition of the report includes useful information about a current issue affecting credit union engagement with

Catalyst Corporate.

The Due Diligence Report is posted quarterly on the Catalyst Corporate website at www.catalystcorp.org/duediligence and

is available for download at any time. Please feel free to contact me or another Catalyst Corporate team member if you

need additional information.

Best regards,

Kathy Garner

President/CEO

[email protected]

letter from the president

www.catalystcorp.org/duediligence.aspx

2nd Quarter • 2014 Due Diligence | 3

current issue . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

Quarterly Financial Report

• Results of Operations . . . . . . . . . . . . . . . . . . . . . . 8

• Consolidated Statement of Financial Condition . . 9

• Consolidated Statement of Income . . . . . . . . . . . 10

• Consolidated Statement of

Comprehensive Income . . . . . . . . . . . . . . . . . . . . 11

• Consolidated Statement of Members’ Equity . . . . 11

• Notes to Consolidated Financial Statements . . . . 12

Annual Report

• 2013 Financial Statement Audit Report . . . . . . . . 14

• 2013 Annual Report . . . . . . . . . . . . . . . . . . . . . . . 14

Risk Measures

• Credit Risk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

• Interest Rate Risk . . . . . . . . . . . . . . . . . . . . . . . . . . 16

• Liquidity Risk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

portfolio

• ALM Limits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

• Diversification Limits to Asset Size . . . . . . . . . . . . 18

• Sector Limits to Capital . . . . . . . . . . . . . . . . . . . . . 19

• Single Obligor Limits to Capital . . . . . . . . . . . . . . 19

Key performance Ratio graphics

• Operating Efficiency Ratio . . . . . . . . . . . . . . . . . . 20

• Retained Earnings Ratio . . . . . . . . . . . . . . . . . . . . 20

• Leverage Ratio . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

• Tier One Risk-Based Capital Ratio . . . . . . . . . . . . 20

• Total Risk-Based Capital Ratio . . . . . . . . . . . . . . . 20

cuSos and partners

• CUSOURCE, LLC

(dba Catalyst Strategic Solutions) . . . . . . . . . . . . 21

• Credit Union Business Group, LLC . . . . . . . . . . . 21

• CU Investment Solutions, LLC . . . . . . . . . . . . . . . 21

• Primary Financial, LLC . . . . . . . . . . . . . . . . . . . . . 22

• Alaska U.S.A. Trust Company . . . . . . . . . . . . . . . 22

• D+H . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

operational compliance

• Business Continuity Summary . . . . . . . . . . . . . . . 23

• Business Continuity Activity Report . . . . . . . . . . . 25

• Fidelity Bond Statement . . . . . . . . . . . . . . . . . . . . 25

• Bank Secrecy Act/Office of

Foreign Assets Control Summary . . . . . . . . . . . . . 26

• Privacy and Security . . . . . . . . . . . . . . . . . . . . . . . 27

• Affidavit Regarding Part 717 . . . . . . . . . . . . . . 27

• Affidavit Regarding Part 716 and 748 . . . . . . 28

• SSAE16 Statement . . . . . . . . . . . . . . . . . . . . . . . . 29

table of contents

current issue

cybersecurity – it Starts At the top

“Cybersecurity is not just an IT issue. It is an operational

risk issue that requires senior management and board

level attention.”

— Thomas J. Curry, Comptroller of the Currency,

United States of America

Credit unions see news reports daily about a wide

array of information security threats, but what exactly is

cybersecurity? The National Institute of Standards and

Technology (NIST) defines it simply as “the process of

protecting information by preventing, detecting, and

responding to attacks.”

This broad description, supported by an increasing

reliance on computer systems for member engagement

and for business processes, means that cybersecurity is

pervasive – an issue that must be addressed as part of

nearly every business decision.

Who is attacking and why?

Information security professionals no longer refer to

perpetrators of cyber-attacks as criminals – at least, not

exclusively. “Threat Actors” is a general term that can be

further identified based on the underlying motivation:

• Nation-States: Foreign governments that sponsor

cyber-attacks for a wide variety of reasons, from

espionage to a desire to undermine a country’s

banking system, among others

• Hacktivists: Individuals and organizations that employ

cyberterrorism to achieve political aims

• Organized Criminals: Centralized, highly-structured

enterprises that are effective at leveraging technology

to facilitate crime, such as money laundering

• Insiders: People who, knowingly or unknowingly,

assist in a cyber-attack

What are their means?

Among the most common types of cyber-attacks are:

• Phishing – Targeted email attacks are designed to

acquire personal and corporate data, as well as

financial account credentials, by masquerading as a

trustworthy entity. It is carried out by email spoofing

and often directs users to enter information details into

a fake website. Phishing is the most common among

several types of social engineering.



current issue

• Malware – Short for malicious software, malware is

used to disrupt computer operations, gather sensitive

information or gain access to private computer

systems. It can appear in the form of executable code,

scripts, active content or other types of software.

Malware includes many of the terms that are pre-

valent in the press: viruses, worms, trojan horses,

ransomware, etc.

• DDoS (distributed denial of service) – A disruption

to online banking is caused when multiple systems

flood the bandwidth of the targeted web server.

These terms summarize the ways systems and informa-

tion can be compromised, but the techniques used to

execute them are virtually limitless and continuously

evolving. Often, these methodologies are combined in

ways that make it nearly impossible to anticipate and

avoid the attempted fraud. In order to be successful

in achieving cybersecurity, credit union management

must establish a culture of risk management – one

involving rigorous testing, education and clear paths

of communication.

Why does cybersecurity matter to credit unions?

A successful cyber-attack can wreak havoc – through

financial losses and reputational impact. And smaller

financial institutions, such as credit unions, are not

immune. According to panelists during the Federal

Financial Institutions Examination Council (FFIEC)’s

recent webinar, “Executive Leadership of Cybersecurity:

What Today’s CEOs Need to Know about the Threats

They Don’t See,” smaller institutions are being targeted

more frequently now than ever before. One of the

reasons is that smaller firms are less likely than large

banks to have strong defenses in place – making them

easier targets for a breach.

The rapid adoption of new technologies among con-

sumers, as well as businesses, has exposed sensitive

information broadly and has accelerated attempts to

breach the barriers established to protect that information.

Between 2005 and 2014, the total number of recorded

data breaches was 4,327, with 632 million records

exposed. There was a 30 percent increase between 2012

and 2013.

Regulatory Activity

In addition to worrying about the real-life risks associated

with cyber-attacks, credit unions also must be responsive

to the demands of regulatory agencies that are grappling

to establish best practices and rules that will protect the

industry as a whole. Numerous agencies and partner

organizations are dedicating resources to the challenge.

Most notably, earlier this year, the FFIEC – a formal, inter-

agency body empowered to dictate uniform principles,

standards and reports for the examination of financial

institutions by the Federal Reserve System, FDIC, NCUA,

the OCC and the CFPB – launched a pilot program to

assess the cybersecurity of a sample of 500 community

financial institutions, leveraging the existing examination

processes of regulatory agencies, including the NCUA.

Participating regulators are focused on risk management

and oversight, threat intelligence and collaboration,

cybersecurity controls, service provider and vendor risk

management, and cyber incident management and

resilience. The expectation is that the findings of the pilot

program will result in new, more stringent rules.

Preliminary reports from participants in the FFIEC pilot

program suggest that regulators are going to expect

financial institution management to demonstrate that they

understand the specific threats they face. In addition,

participants say that their regulators indicate strong

interest in the role of information-sharing.

The FFIEC launched a cybersecurity web page on

June 24: www.ffiec.gov/cybersecurity.htm

The NCUA also hosts a cybersecurity web page:

www.ncua.gov/Resources/Pages/cyber-security-

resources.aspx, which includes extensive research

and resources. The agency has stated that its top

priority, alongside interest-rate risk, is cybersecurity. In


current issue

a recent speech, NCUA Chairman Debbie Matz explicitly

referenced vendor due diligence, strong password

policies, proper patch management, employee training

and network monitoring.

creating an environment for Success

Achieving cybersecurity is about more than establishing

strong cybersecurity practices. It requires the consid-

eration of data security in nearly every business decision,

and the creation of a culture where employees are

educated and empowered to escalate threat concerns.

Guiding principles for cybersecurity success include:

1. Though individualized cybersecurity programs

will vary, many experts state that all cybersecurity

programs should include vulnerability assessment,

penetration testing, patch management, and a

“least privilege” model.

2. education is essential and must be performed

from the frontline to the board room. Employees

who interact directly with members must learn to

be vigilant in the detection of suspicious situations.

Board members must understand the security risks

inherent to decisions they make and the importance

of budgeting sufficiently for cybersecurity. Individuals

throughout the organization should be well-informed

of the dangers of responding to phishing schemes

or inadvertently importing malware. And all parties

directly involved in setting and reviewing controls

or implementing risk-management systems and

processes must be provided access to the most

current threat information.

3. When evaluating the potential impact of a security

breach, leverage the credit union’s existing

Business impact Analysis and Business continuity

plan, which describe the criticality of various

internal processes. This knowledge can help

management determine how to best allocate

risk-mitigation resources.

4. Resource allocation is critical. In fact, some

information security professionals believe that it may

be appropriate to extricate cybersecurity resources

from the information technology budget, to ensure

that the two areas are not vying for the same dollars.

5. Vendor management receives a great deal of

attention in the literature addressing cybersecurity,

as well it should. Credit union management must

understand how each third-party could introduce risk.

Risk management should begin with thorough due

diligence at the outset of a vendor relationship and

continue with ongoing monitoring.

6. Though the challenge of vendor management may

seem daunting, credit unions should not hesitate to

acquire external expertise to help them manage

their cybersecurity. Credit unions are in the business

of serving members, and they are unlikely to have

the same level of expertise that is available from

a qualified, dedicated third-party. Earlier this year,

Chairman Matz stated that “Credit unions need to

stay on top of this issue, which means working with

experts outside the credit union and not just relying

on internal IT staff to protect their systems.”

7. Have a detailed incident response plan to describe

exactly what your credit union will do in the event of

an attack. This will include plans for communication

and escalation internally and externally, as well as

steps to actually mitigate the breach itself.

8. test, monitor, and revise. The cybersecurity strategy

cannot be allowed to stagnate. Once plans and pro-

cedures are in place, it is essential to monitor and test

on an ongoing basis. Ensure that sufficient attention

is given to the tools established to monitor concerns,

such as exception reports and internal and external

audit reports. Monitor the ever-changing threat

landscape. Employ third-parties to conduct security

testing, including social engineering tests. Refine any

aspect of the plan where gaps are identified.


current issue

9. communicate with members about cybersecurity threats, how to safeguard their

personal information, and why it’s important to protect their accounts. Use alert

mechanisms to contact members about suspicious activity on their accounts.

10. escalate and share information with third parties.

• The Financial Services Information Sharing and Analysis Center (FS-ISAC)

was established in response to a presidential directive mandating that public

and private sectors share information about physical and cybersecurity threats

and vulnerabilities.

• The United States Computer Emergency Readiness Team (US-CERT), part of

the Department of Homeland Security, leads efforts to improve the nation’s

cybersecurity posture, coordinates cyber information sharing and proactively

manages cyber risks to the United States.

• FBI InfraGard is a partnership between the FBI and the private sector, the

purpose of which is to share information and intelligence to prevent hostile

acts against the U.S.

The importance of information sharing cannot be overstated. In July 2014, the Senate

Select Committee on Intelligence passed S. 2588 – the Cybersecurity Information

Sharing Act (CISA), intended to strengthen the ability of private industry and

government to share information by narrowing liability protections and strengthening

privacy protections.

Strategic imperative

Today, credit unions are facing the competitive threat of non-financial disinter-

mediation. Numerous technology-driven firms and retailers, most of which are not

heavily regulated, lure consumers into convenient financial transactions that bypass

the banking industry entirely. Futurists say that the tipping point for this behavior

looms near.

One distinct, and meaningful, advantage that financial institutions have is that

consumers trust them more to protect their money. A 2012 study by Market Strategies

International found that nearly 75 percent of smartphone owners named their current

financial institutions as “most trustworthy,” edging out PayPal and various credit

card companies. Just last month, ACI Worldwide and Aite Group reported the results

of their study showing that nearly one-third of global consumers do not trust retailers

to protect stored data against hacking attempts and data breaches, while nearly

60 percent of respondents think financial institutions do a better job.

Combined with the member-centric credit union brand, a strong reputation for

protecting member data is invaluable – underscoring the importance of credit unions’

efforts to achieve cybersecurity.

tranZact notice

Later this year, Catalyst

Corporate will roll out a new

and improved TranZact

system. As part of the

process, TranZact users will

receive communications

including details about

enhancements, training and

access. catalyst corporate

will not send out links to

the new system via email.

Instead, users will be asked

to access TranZact through

a specific page on the

Catalyst Corporate website.

In the unlikely event that

a TranZact user receives

an email message with

instructions and a link

to access TranZact, the

message should be

deemed fraudulent. Please

contact Member Services

to report any suspicious

communications.



ReSultS oF opeRAtionS

Catalyst Corporate’s net income for the six months ended June 30, 2014 totaled $5,802,963 compared to budgeted

net income of $4,211,904. The higher than budgeted net income included gains of $765,170 recognized due to early

prepayments of three member term loans. Year-to-date (YTD) operations resulted in a coverage ratio of 90.2 percent

versus a budgeted 84.0 percent. Catalyst Corporate’s retained earnings ratio of 1.33 percent exceeds the regulatory

requirement of 0.45 percent that took effect on October 31, 2013 and the 1.00 percent regulatory requirement that

will take effect on October 31, 2016. A summary of the unaudited results of Catalyst Corporate operations for the past

four quarters is included in the following table.

Jul-Sept oct-Dec JAn-MAR ApR-Jun 2013 2013 2014 2014

Net interest income $3,412,683 $3,239,848 $3,251,763 $3,306,761 Net fee income 6,603,061 7,234,242 6,664,971 7,349,196 Operating expenses 7,770,169 8,429,798 7,659,718 7,875,180Other net gain 65,842 — 273,699 491,471net income $2,311,417 $2,044,292 $2,530,715 $3,272,248

Key information Net operating expense $1,167,108 $1,195,556 $994,747 $525,984Coverage ratio 85.0% 85.8% 87.0% 93.3%Return on assets 0.35% 0.32% 0.42% 0.54%Daily average net assets – 12 month rolling $2,597,182,902 $2,531,936,372 $2,465,877,776 $2,424,491,780Perpetual contributed capital $161,345,137 $161,474,655 $161,987,097 $162,431,096Undivided earnings $24,836,199 $26,601,559 $28,859,784 $31,868,915Leverage ratio 7.01% 7.27% 7.59% 7.85%Retained earnings ratio 0.97% 1.07% 1.19% 1.33%

Tier one risk-based capital ratio 25.45% 25.24% 24.28% 23.61%Total risk-based capital ratio 25.45% 25.24% 24.28% 23.61%



conSoliDAteD StAteMent oF FinAnciAl conDitionJune 30, 2014 unAuDiteDAssets Cash and cash equivalents $1,391,444,944Investments: Available-for-sale 690,219,233 Federal Home Loan Bank capital stock 924,100 Investments in credit union service organizations (CUSOs) 4,396,316 Loans to members 214,633,325Accounts receivables and other assets 14,777,050Property and equipment, net 13,764,383Goodwill 2,767,548Total assets $2,332,926,899

liabilities Members’ share accounts $2,130,054,595Members’ share certificates 4,176,443Accrued expense and other liabilities 5,484,346Total liabilities 2,139,715,384

Members’ equity Perpetual contributed capital (PCC) 162,431,096Undivided earnings 31,868,915Accumulated other comprehensive loss (1,088,496)Total members’ equity 193,211,515Total liabilities and members’ equity $2,332,926,899

The accompanying notes are an integral part of the consolidated financial statements.



conSoliDAteD StAteMent oF incoMeFor the quarter and six months ended June 30, 2014

unAuDiteD ApR-Jun YeAR to DAte interest income Loans to members $1,736,326 $3,582,836Investments available-for-sale 977,863 1,754,544 Other 930,554 1,905,122Total interest income 3,644,743 7,242,502

interest expense Interest on members’ share accounts 333,104 657,317Interest on members’ share certificates 4,878 26,661Total interest expense 337,982 683,978Net interest income 3,306,761 6,558,524 net fee income Share draft and depository processing fees 4,197,375 8,050,412Off balance sheet income 2,148,197 4,283,632Other fee income 2,137,542 3,886,189Outside processing and service costs (1,133,918) (2,206,066)Net fee income 7,349,196 14,014,167

operating expenses Compensation and employee benefits 5,369,676 10,716,740Information technology 1,090,652 2,175,182Office occupancy 279,733 577,086Professional fees 250,454 489,648Other operating expense 884,665 1,576,242Total operating expenses 7,875,180 15,534,898

other net gainNet gain on loan prepayment 491,471 765,170Total other net gain 491,471 765,170 net income $3,272,248 $5,802,963




conSoliDAteD StAteMent oF coMpRehenSiVe incoMeFor the quarter and six months ended June 30, 2014 unAuDiteD ApR-Jun YeAR to DAte net income $3,272,248 $5,802,963 other comprehensive income Net unrealized holding gains on investments classified as available-for-sale 446,344 967,369 total other comprehensive income 446,344 967,369

comprehensive income $3,718,592 $6,770,332


conSoliDAteD StAteMent oF MeMBeRS’ eQuitYFor the six months ended June 30, 2014 Accumulated perpetual other contributed undivided comprehensiveunAuDiteD capital earnings loss total Balance at December 31, 2013 $161,474,655 $26,601,559 ($2,055,865) $186,020,349Net income 5,802,963 5,802,963PCC issued 956,941 956,941PCC released due to credit union liquidation (500) (500)Dividends paid on PCC (535,607) (535,607)Other comprehensive income 967,369 967,369Balance at June 30, 2014 $162,431,096 $31,868,915 ($1,088,496) $193,211,515




1. cash and cash equivalentsCash and cash equivalents include pass-through reserves deposited with the Federal Reserve Bank of $76,557,000 as of June 30, 2014. Member credit unions’ reserve balances are included in the members’ share accounts in the consolidated statement of financial condition. Cash on deposit and cash items in the process of collection from correspondent banks and the Federal Reserve Bank are included in cash and cash equivalents in the consolidated statement of financial condition.

2. investments Available-for-SaleThe amortized cost and estimated fair value of investments available-for-sale as of June 30, 2014 are as follows: Amortized estimated unrealized cost Fair Value gain/(loss)Asset-backed securities $555,346,650 $555,417,986 $71,336Agency mortgage-backed securities 132,388,146 131,219,821 (1,168,325)Federal agency securities 3,572,933 3,581,426 8,493total $691,307,729 $690,219,233 ($1,088,496)

3. investments in cuSosInvestments in CUSOs are comprised of the following as of June 30, 2014:

Investment in CO-OP $2,018,310Investment in Primary Financial, LLC 1,572,739Investment in CU Business Group 705,267Investment in CU Investment Solutions, LLC 100,000total $4,396,316

Catalyst Strategic Solutions is a wholly-owned subsidiary of Catalyst Corporate. All significant intercompany balances and transactions have been eliminated in the Catalyst Corporate consolidated financial statements.

4. loans to MembersThe composition of loans to members is as follows as of June 30, 2014:

Open-end credit lines $45,352,622Term loans 169,280,703total $214,633,325

noteS to conSoliDAteD FinAnciAl StAteMentS


noteS to conSoliDAteD FinAnciAl StAteMentS (continueD)


5. Members’ Share AccountsMembers’ share accounts are summarized as follows as of June 30, 2014:

Cash management $1,678,177,813Performance tiered 252,813,132Reg D reserve 76,557,000Other shares 122,506,650total $2,130,054,595

Catalyst Corporate members transferred $4,391,575,091 to the Excess Balance Account at the Federal Reserve Bank as of June 30, 2014.

6. Regulatory capitalAs a federally-chartered corporate credit union, Catalyst Corporate is subject to various regulatory capital require-ments administered by the NCUA. The table below presents Catalyst Corporate’s actual and required capital ratios as of June 30, 2014:

capital Ratio capital Denominator Ratio

Minimum level to be classified as adequately

capitalized

Minimum level to be classified

as well capitalized

Retained earnings ratio

RE DANA 1.33% 0.45% N/A

leverage ratioRE + PCC-CUSO

InvestmentsDANA 7.85% 4.00% 5.00%

tier one risk-based capital

ratio

RE+ PCC-CUSO Investments

MANRA 23.61% 4.00% 6.00%

total risk-based capital ratio

RE + PCC-CUSO Investments

MANRA 23.61% 8.00% 10.00%

RE = Retained earnings for regulatory ratios include retained earnings acquired through business combination with Georgia CorporatePCC = Perpetual contributed capitalCUSO Investments = Investments in unconsolidated CUSOsDANA = 12-month average daily net assetsMANRA = 12-month average net risk-weighted assets


Annual Report

Annually, Catalyst Corporate engages a third-party firm to conduct an external audit of its financial statements, including the consolidated statement of financial condition and related consolidated statements of income, comprehensive income, members’ equity, and cash flows for the prior year-end. For the period ending December 31, 2013, the CPA firm of Orth, Chakler, Murnane and Company performed this function. Catalyst Corporate’s 2013 Financial Statement Audit Report was distributed during Catalyst Corporate’s Annual Meeting on April 17, 2014 and also posted to the corporate’s web site in April.

Catalyst Corporate’s 2014 Annual Meeting was held on April 17, 2014, at 12 p.m. local time, at the Planet Hollywood Resort in Las Vegas, Nevada. Additional details are available at www.catalystcorp.org/annualmtg. The 2013 Annual Report and the 2013 Audited Financial Statements are accessible in the Due Diligence section of the Catalyst Corporate website.

To review or print Catalyst Corporate’s full 2013 Financial Statement Audit Report, visit www.catalystcorp.org/financials/ar2013.pdf.

To review or print Catalyst Corporate’s full 2013 Annual Report, visit www.catalystcorp.org/financials/ar2013full.pdf.


http://www.catalystcorp.org/duediligence.aspx


Risk Measures

cReDit RiSK

June 30, 2014

Overnight Cash $1,391,444,944 Secured Loans $214,633,325 Agency Securities $134,801,247 Student Loan $143,338,180 Auto Loan $133,793,303 Credit Card $183,367,356 Equipment $94,919,147

Risk exposure

RiSK eXpoSuReRegulAtoRY

liMitScuRRent

Interest rate risk (NEV volatility)

-20.0% -13.7%

Weighted Average Life of Financial Assets

2.00 years 0.46 years

Weighted Average Life of Financial Assets - Stress Test

2.25 years 0.48 years

Single Obligor Limits (% of Capital)

Credit Card ABS 50.0% 24.9%

Sector Limits (% of Capital)

Agency RMBS 1000.0% 68.9%


Asset Diversification (% of Assets)

Agency RMBS 50.0% 5.6%


September 30, 2013

Overnight Cash $1,536,584,570Secured Loans $248,179,006Agency Securities $133,895,385Student Loan $152,411,839Auto Loan $121,985,427Credit Card $73,633,187Equipment $64,194,515

December 31, 2013

Overnight Cash $1,301,574,981 Secured Loans $411,198,496 Agency Securities $123,570,610 Student Loan $134,312,843 Auto Loan $116,520,059 Credit Card $113,044,600 Equipment $70,835,552

March 31, 2014

Overnight Cash $1,773,803,819 Secured Loans $217,161,238 AgencySecurities $144,783,947 Student Loan $140,397,404 Auto Loan $94,117,784 Credit Card $168,419,900 Equipment $87,367,218


13.7

%Ju

ne 2

014

-15%

Risk Measures

inteReSt RAte RiSK

Catalyst Corporate’s primary method of monitoring interest rate risk is through the net economic value (NEV) test. The NEV test measures the dollar and percentage potential change in the fair value of Catalyst Corporate’s capital (perpetual contributed capital, retained earnings and amortized members’ capital accounts) given a parallel, instantaneous, and permanent 300 basis point upward and downward change in the yield curve. The objective of the NEV test is to measure whether Catalyst Corporate has sufficient capital to absorb potential changes to the fair value of its balance sheet given large, sustained instantaneous interest rate shocks.

A summary of Catalyst Corporate’s NEV test at June 30, 2014 is as follows (in thousands):

NEV$ Change

in NEV% Change

in NEV

Fair Value Base

$208,100 N/A N/A

Fair Value +300 Bp

$179,700 ($28,400) -13.7%

Fair Value -100 Bp*

$219,200 $11,100 5.3%

* Interest rates are adjusted down 100 basis points due to the low rate environment at June 30, 2014.

neV Ratio(+/- 300 BP Shock Scenarios) Maximum neV change

+300 BP Change

REGULATORY LIMIT-20%

POLICY LIMIT

Sep

t 201

3

Mar

201

4

Jun

2014

Dec

201

3

0%

2%

4%

6%

8%

10%

12%

REGULATORY LIMIT

POLICY LIMIT

BASE NEV RATIO 8.9%

LOWEST NEV RATIO 7.8%

-15%

-12%

-9%

-6%

-3%

0%

Sep

t 201

313

.2%

14.4

%M

ar 2

014

13.9

%D

ec 2

013


Risk Measures

Liquidity risk pertains to whether Catalyst Corporate has sufficient short-term assets, marketable securities, and borrowing capacity to meet member credit unions’ potential liquidity needs.

At June 30, 2014, Catalyst Corporate had $1.4 billion in cash and cash equivalents. Catalyst Corporate had access to a $131 million line of credit with the Federal Home Loan Bank of Dallas and a $30 million line of credit with JPMorgan Chase. This line of credit is secured with qualified investment securities. There were no outstanding advances under this agreement at June 30, 2014.

Catalyst Corporate continues to meet members’ liquidity needs. Catalyst Corporate had outstanding loans to members of $214.6 million and additional uncommitted lines of credit to members of $7.9 billion at June 30, 2014. All outstanding lines of credit are collateralized by specific or general pledges by members.

excess Balance AccountCatalyst Corporate uses the Federal Reserve Bank’s Excess Balance Account (EBA) to manage excess liquidity by sweeping funds above certain thresholds to member EBAs nightly.

Below is a chart showing member share balances and the EBA balances for the month ending each of the last four quarters.

Member Share Balances

excess Balance Account

Sept 2013 $2.2 billion $4.8 billion

Dec 2013 $2.1 billion $4.4 billion

Mar 2014 $2.5 billion $5.8 billion

Jun 2014 $2.1 billion $4.4 billion

liQuiDitY RiSK

current portfolio* June 30, 2014

Assets

ASSetSpeRcent oF

BAlAnce SheetWAl

(YeARS)Loans 9.2% 1.9

ABS - Autos 5.7% 0.6ABS - Credit Cards 7.9% 0.9

FFELP Student Loans 6.1% 1.1Agency RMBS 5.6% 1.2

ABS - Equipment 4.1% 0.8SBA Pools 0.2% 4.5

Other (Non-Earning) 1.6% 0.0Overnight 59.6% 0.0

total 100.0% 0.45

WAL = Weighted Average Life*Based on a $2.3 billion balance sheet

liabilities & capital

ShAReS & eQuitYpeRcent oF

BAlAnce SheetWAl

(YeARS)Overnight Shares 91.4% 0.0

Certificates 0.2% 0.2

Member Capital 7.0% N/A

RUDE 1.4% 0.0total 100.0% 0.3

Average Life Mismatch (years) 0.42

WAL=Weighted Average Life


portfolio

AlM liMitS

June 30, 2014 RegulAtion cuRRent

NRSRO Rating AA or better AA- AA+

No prohibited securities None None

NEV Volatility (Base Plus) 20% 13.7%

NEV Ratio (Base Plus) 2% 7.8%

Weighted Average Life of Financial Assets (Years) 2.00 0.46

Stressed Weighted Average Life of Financial Assets (Years)

2.25 0.48

DiVeRSiFicAtion liMitS to ASSet SiZe


Loans N/A 9.2%

Auto Loan Asset Backed Securities 25% 5.7%

Credit Card Asset Backed Securities 25% 7.9%

FFELP Student Loan Securities 50% 6.1%

Equipment Asset Backed Securities 25% 4.1%

Corporate Bonds 50% 0.0%

Agency Residential Mortgage Backed Securities 50% 5.6%

Agency Debt N/A 0.0%

SBA Pools 25% 0.2%

Other (Non-Earning) N/A 1.6%

Overnight Investments N/A 59.6%


portfolio

Single oBligoR liMitS to cApitAl*







* Obligor limits are set as a percentage of the corporate’s total capital. As of June 30, 2014, total capital is $190,359,539. Total capital consists of Perpetual Contributed Capital and Retained Earnings, less Investments in Unconsolidated CUSOs.

SectoR liMitS to cApitAl*







Agency Residential Mortgage Backed Securities 1000% 68.9%

SBA Pools 500% 1.9%

* Sector limits are set as a percentage of the corporate’s total capital. As of June 30, 2014, total

capital is $190,359,539. Total capital consists of Perpetual Contributed Capital and Retained Earnings, less Investments in Unconsolidated CUSOs.


0%

1%

2%

3%

4%

5%

6%

7%

8%

7.85

%Ju

ne 2

014

Sep

t 201

37.

01%

7.59

%M

ar 2

014

7.27

%D

ec 2

013

86.8

%86

.8%

Key performance Ratio graphicsR

etai

ned

ear

ning

s R

atio

YtD

op

erat

ing

E

ffici

ency

Rat

io

tier

one

Ris

k-B

ased

c

apita

l Rat

io

leve

rag

e R

atio

tota

l Ris

k-B

ased

c

apita

l Rat

io

The operating efficiency ratio is calculated as net fee income divided by operating expenses. Catalyst Corporate’s ability to cover expenses through fee income supports a business model that is less reliant on balance-sheet activity for income and therefore supports a risk-averse portfolio for the long-term. Management anticipates an operating efficiency ratio ranging from 75 to 85 percent on a long-term basis.

opeRAting eFFiciencY RAtio

RegulAtoRY cApitAl RAtioS 0%

20%

40%

60%

80%

100%

90.2

%Ju

ne 2

014

Sep

t 201

387

.2%

87.0

%M

ar 2

014

86.8

%D

ec 2

013

0%

5%

10%

15%

20%

25%

30%

23.6

1%Ju

ne 2

014

Sep

t 201

325

.45%

24.2

8%M

ar 2

014

25.2

4%D

ec 2

013

0%

5%

10%

15%

20%

25%

30%23

.61%

June

201

4

Sep

t 201

325

.45%

24.2

8%M

ar 2

014

25.2

4%D

ec 2

013

1.33

%Ju

ne 2

014

Sep

t 201

30.

97%

1.19

%M

ar 2

014

1.07

%D

ec 2

013

0.0%

0.3%

0.6%

0.9%

1.2

1.5%


cuSos and partners

CUSOURCE, LLC, better known as Catalyst Strategic Solutions, is a wholly-owned CUSO of Catalyst Corporate that provides client credit unions with balance sheet consulting, including an SEC-registered investment advisory service, asset-liability management modeling, derivative hedging support, and related consultation. Catalyst Strategic Solutions has been in operation since 1998. As of June 30, 2014, 92 credit unions use the investment advisory service and 171 credit unions and corporates use ALM and consulting services. As of June 30, 2014, Catalyst Strategic Solutions has $5.0 billion in off-balance sheet funds under advisement.

To view the balance sheet and income statement of CUSOURCE/Catalyst Strategic Solutions, visit www.catalystcorp.org/duediligence/cuso.pdf.

cuSouRce, llc / cAtAlYSt StRAtegic SolutionS

CU Investment Solutions, LLC provides broker/dealer services to corporates and natural person credit unions. Formerly a CUSO of U.S. Central Corporate (and its successor, U.S. Central Bridge Corporate), CU Investment Solutions was purchased by its corporate users in 2011. Catalyst Corporate has an investment of $100,000 in the CUSO, which equates to an 11 percent ownership stake.

Catalyst Corporate employs registered agents to assist credit unions with securities purchases and has brokerageaccounts with approximately 245 active credit unions at present; 113 of these have done trades in the past 12 months. Catalyst Corporate’s year-to-date sales volume as of June 30, 2014, was $1.0 billion.

To view CU Investment Solutions’ audited financial statements for the current fiscal year-end, visit www.catalystcorp.org/duediligence/cuis.pdf.

cu inVeStMent SolutionS, llc

CU Business Group, LLC, provides business service consultation to credit union clients in areas such as:

• Loan origination, underwriting and servicing

• Documentation and compliance

• Risk monitoring

• Independent loan review

• Business deposit services

• Education and training

• Loan participation network

• Strategic consulting and operational training

CU Business Group is owned by seven corporate credit unions. As of June 30, 2014, Catalyst Corporate owns approximately 37 percent of this CUSO and has 125 member credit unions using its services.

To view the most recent audited financial statements, visit www.catalystcorp.org/duediligence/cubg.pdf.

To view Credit Union Business Group’s full Due Diligence Package, visit www.catalystcorp.org/duediligence/cubgreport.pdf.

cReDit union BuSineSS gRoup, llc

http://www.catalystcorp.org/duediligence/cuso0614.pdf

http://www.catalystcorp.org/duediligence/cubg2013.pdf

http://www.catalystcorp.org/duediligence/cubgreport2014.pdf

http://www.catalystcorp.org/duediligence/cuis2013.pdf


cuSos and partners

Primary Financial, LLC is owned by 14 corporate credit unions and provides brokered certificates of deposit tonatural person credit unions nationwide, as well as a channel for these credit unions to issue certificates. CatalystCorporate has an investment of $1.6 million in Primary Financial, equating to an 8.0 percent interest in the company.As of June 30, 2014, Catalyst Corporate had SimpliCD agreements with 844 member credit unions, including 257 member credit unions actively using the service over the last 12 months, $803.6 million in certificates outstanding, and $219.5 million in sales year-to-date.

To view Primary Financial’s year-end 2013 audited financial statements, visit www.catalystcorp.org/duediligence/primary.pdf.

Alaska U.S.A. Trust Company is a Catalyst Corporate partner, facilitating the safekeeping of its members’ securities. Catalyst Corporate does not have an ownership stake in Alaska U.S.A. Trust Company, but does entrust execution of highly-regulated service activities to this partner. As a result, Catalyst Corporate monitors its financial and service performance. Alaska U.S.A. Trust Company, which operates exclusively within the credit union industry, is deeply familiar with the regulatory requirements credit unions must meet with regard to security safekeeping and due diligence of safekeeping service providers. It is competent and committed to ensuring safe and sound custodianship practices.

Catalyst Corporate has 294 members using the program that is offered in partnership with Alaska U.S.A. Trust Company, with approximately $22.1 billion in safekeeping for members and $554.5 million in corporate holdings as of June 30, 2014.

To view Alaska U.S.A.’s year-end 2013 audited financial statements, visit www.catalystcorp.org/duediligence/alaskausa.pdf.

D+H is Catalyst Corporate’s partner in the delivery of cloud computing and other technology solutions to credit unions. Headquartered in Toronto, Ontario, Canada, D+H delivers solutions to more than 6,000 North American banks and credit unions across three broad service areas: Banking Technology Solutions (Enterprise, Lending), Lending Processing Solutions, and Payments Solutions.

D+H cloud computing and managed information technology operations are based in Santa Ana, CA, with five geographically distributed operation and support centers, three redundant data centers and a 24/7 Network Operations Center located in Dallas, TX. These solutions were designed specifically for the financial market and are validated by third-party assessments including SSAE16/SOC2 Type II and regular regulatory reviews. D+H provides information technology outsourcing to over 389 financial organizations across the United States, including numerous credit unions.

Specific due diligence information will be made available to any credit union that engages in an active evaluation process with Catalyst Corporate and D+H, and could include a review of D+H’s SSAE16/SOC2 Type II review, operational details and pertinent financial information. D+H has been in business since 1875 and became a public company in 2001. To review its financial statements, visit the “Results” page of the D+H web site at http://dhltd.com/investors/financial-reports/.

pRiMARY FinAnciAl, llc

AlASKA u.S.A. tRuSt coMpAnY

D+h

http://dhltd.com/investors/financial-reports/

http://www.catalystcorp.org/duediligence/primary2013.pdf

http://www.catalystcorp.org/duediligence/alaskausa2013.pdf

http://dhltd.com/investors/financial-reports/



BuSineSS continuitY SuMMARY

Catalyst Corporate’s Business Continuity Program is based on best practices established by the Federal Financial Institutions Examination Council (FFIEC), the Disaster Recovery Institute International (DRII), and the Gartner Group. Oversight is performed by a board-approved committee consisting primarily of Catalyst Corporate management and senior management. The Business Continuity Management Program and related activities are reviewed annually by the board of directors.

Catalyst Corporate utilizes a Business Continuity Lifecycle, which defines five major elements representing a specific set of tasks, procedures and outcomes that can be used as a guideline for developing a business continuity program. The five planning sections of the Business Continuity Lifecycle are:

• Analyze the business

• Assess the continuity risks

• Develop the strategy

• Develop the plan

• Exercise and maintain the plan

Catalyst Corporate performs the steps of the Business Continuity Lifecycle at least annually. Controls have been identified and implemented to help minimize or prevent potential loss from a disruption or disaster. Observations and deficiencies noted during the Continuity Risk Assessment (CRA) are documented and presented to the board of directors annually.

Catalyst Corporate attempts to minimize the impact of threats by implementation of preventative controls. In the event that preventative controls fail to protect from a threat, the overall business continuity strategy is to plan for impacts that escalate all the way through to the worst-case scenario in order to develop plans of action that are applicable to most any situation. These situations may range from non-catastrophic outages of individual computing systems or business processes to catastrophic outages that require relocation of the entire operation to the collocation site.

The following business continuity strategies provide the framework for ensuring that Catalyst Corporate can sustain critical business processes at a level acceptable to the business and to member credit unions.

Business continuity plansBusiness continuity plans are developed for each business process to document the procedures to be followed in order to achieve the minimum service level requirements and recovery time objectives. Solutions are identified for potential issues, and resources are put in place to ensure timely resolution to anticipated service disruptions.

Business units have developed and refined both continuity plans for their critical systems and exercise plans to validate those continuity plans. These plans, which are approved by senior management, collectively address a wide variety of scenarios:

• Employee Emergency Procedures provide guidance on what steps should be taken in the event certain threats occur.

• Immediate Action Items document immediate actions in disaster declaration mode both before and after arrival at the Work Area Continuity site.

• Disaster Declaration Plans address the building being indefinitely inaccessible and/or totally destroyed.

• Temporary Evacuation Plans address the evacuation of the building for a few hours.

• The Pandemic Preparedness Plan details the steps that need to be taken in the event of a pandemic event.

BackupCatalyst Corporate knows that recovery of data from magnetic media backup will take longer than what is acceptable during a disaster. To mitigate this concern, a hot-site is managed so that data is mirrored or replicated to identical equipment for rapid recovery. Additionally, systems and data are backed up as often as required and the tapes are sent off-site for long-term storage. Data backups are tested periodically to verify the backup system is working properly.


BuSineSS continuitY SuMMARY (continueD)

hot-siteThe hot-site provides a highly secured environment with connectivity to numerous telecommunication carriers and utility power that is backed up by a UPS. Redundant firewalls, routers, switches, IBM iSeries, servers and data storage devices are in place and are exercised on a regular basis to protect against prolonged service disruptions. High-speed telecommunication lines are installed to connect the hot-site to Catalyst Corporate’s Plano, Texas office for rapid transmission of high volumes of data and images. Storage Area Network (SAN) data is distributed to both the production and hot-site synchronously (active/active) significantly reducing the recovery time objective for virtualized servers. Critical physical servers are duplicated with equivalent hardware at the hot-site and the associated data is replicated in real time to its hot-site counterpart. File data is continuously mirrored to the hot-site using Common Internet File System (CIFS) replication technology.

Work Area continuity SiteCatalyst Corporate leases office space in the same building as the hot-site for the Work Area Continuity site. With direct connection to the hot-site for access to the AS/400, servers and disk storage, this site houses the necessary workstations, work area, telecommunications and network connections to continue operations in the event of a disruption. Business units maintain off-site storage of supplies and documentation needed to continue operations.

continuity exercisesCritical business processes identified in the Business Impact Analysis are exercised at least annually, and some of the more critical systems are exercised on a quarterly basis. Exercise exceptions are presented to senior management and the Internal Audit Department after each exercise. An overview of all exercises and exercise exceptions is presented to the board of directors annually.

contingency communicationsGuidelines are available that provide information on how to establish communications with Catalyst Corporate as soon as possible following an event that causes a service disruption. Credit unions and Catalyst Corporate employees maintain familiarity with these contingency communications plans by conducting quarterly exercises. To view Catalyst Corporate’s Contingency Communications guidelines, visit www.catalystcorpcc.org/ccguidelines.html.




BuSineSS continuitY ActiVitY RepoRt

exercises completed During Second Quarter 2014

Service Alert Messages (SAM) sent to participating credit unionsSAM exercises are conducted semi-annually to ensure that credit union contact information for specific processes is maintained and to ensure timely communications to member credit unions regarding the nature and duration of process specific disruptions. Messages are also sent using the SAM system when services are disrupted or delayed.

• Messages sent on 5/19/14, 6/2/14 and 6/20/14

contingency communications exerciseContingency Communications Exercises are conducted semi-annually to ensure timely communications to member credit unions regarding the nature and duration of a service disruption in an effort to minimize the impact on operations. These exercises began in September 2002 with participation from a total of 153 credit unions. Catalyst Corporate now has the participation of 1,141 credit unions in these exercises (as of June 2014).

• Message sent on 6/18/14

Full Scale (Disaster Declaration) exercise Disaster Declaration Exercises are conducted at Catalyst Corporate’s collocation facility. Critical systems are either (1) exercised with data and systems at the hot site to simulate the Catalyst Corporate headquarters building being destroyed or (2) pointed back to the headquarters facility to simulate indefinite building inaccessibility by personnel. The plans are designed to accurately and objectively compare results against already established Recovery Time Objectives.

• Conducted on 4/12/14

Remote Access exercisesRemote Access Exercises are conducted on a regular basis and are used to assess employees’ ability to work remotely.

• Conducted in June 2014

Application Specific ExercisesCatalyst Corporate conducts application specific exercises of its critical systems and also simulates scenarios that are different from used during Catalyst Corporate’s full scale exercises in order to assess additional areas of coverage.

FiDelitY BonD StAteMent

NCUA Part 704.18 states that “every corporate credit union will maintain bond coverage with a company holding a certificate of authority from the Secretary of the Treasury” and “the minimum amount of bond coverage will be computed based on the corporate credit union’s daily average net assets for the preceding calendar year.”

Catalyst Corporate maintains a $10 million fidelity bond which is the coverage required by NCUA Part 704.



BAnK SecRecY Act (BSA)/oFFice oF FoReign ASSetS contRol (oFAc) SuMMARY

Catalyst Corporate is committed to fulfilling the require-ments of the BSA, the OFAC, and the USA PATRIOT Act. Catalyst Corporate’s BSA Policy is reviewed and approved by the board of directors at least annually.

Anti-money laundering procedures have been developed and implemented that enable Catalyst Corporate to meet the requirements of the BSA, OFAC, USA PATRIOT Act, and the Financial Crimes Enforcement Network (FinCEN). These procedures and controls include, but are not limited to, the following:

• Coordination and monitoring of compliance by a designated BSA compliance officer.

• A Member Identification Program designed to meet the requirements of Section 326 of the USA PATRIOT Act.

• BSA/OFAC risk assessment of Catalyst Corporate processes, products and services, and members.

• Review of unbatched transactions for the detection and reporting of suspicious activity to FinCEN.

• A documented process for analysis and reporting of suspicious activity.

• Entities, countries and individuals associated with unbatched transactions screened for potential matches against OFAC lists.

• Review of member accounts in accordance with Section 314(a) of the USA PATRIOT Act.

• Monthly reporting of BSA and OFAC activity to the board of directors.

• Ongoing training of appropriate personnel.

• Independent testing and monitoring of compliance.

• Recordkeeping and record retention.

• An annual review of policies, procedures and risk assessments.

• Checks and balances, including a query validation process, a retention validation process, and the use of dual control.


privacy and Security

Affidavit Regarding Part 717

DeScRiption oF the pRiVAcY AnD SecuRitY AFFiDAVitS

The Affidavits below are provided to assist member credit unions with their due diligence and compliance with NCUA Rules and Regulations Parts 716, 717 and 748.

Catalyst Corporate places a high priority on security, and utilizes security measures to protect not just nonpublic personal information and information about “covered accounts” (as defined in Part 717), but all types of confidential information that it receives from its member credit unions.

Under Part 717 of the NCUA’s Regulations, Catalyst Corporate is deemed to be a “service provider” to its member credit unions. Catalyst Corporate is providing this Affidavit in order to assist member credit unions in their compliance with Part 717. The Affidavit is written in general language so that member credit unions can utilize the Affidavit regardless of the level of complexity of their security programs.

Each credit union for which Catalyst Corporate is a “service provider” is hereby authorized to consider this Affidavit to be a contractual agreement with Catalyst Corporate, or to be an amendment of any agreements or Schedules that the credit union has entered into with Catalyst Corporate.

• Catalyst Corporate agrees to utilize policies and procedures, developed by the corporate, that are designed to prevent, detect and mitigate the risk of security breaches that could result in a member of a credit union, or any other person, being exposed to identity theft. These policies and procedures will apply to all circumstances in which Catalyst Corporate processes or otherwise has access to confidential information, whether in connection with providing services for a “covered account” held at a credit union or otherwise.

• Catalyst Corporate agrees not to use nonpublic personal information about any credit union’s members, or about any other person, for any purpose

other than those purposes for which the credit union disclosed the information to Catalyst Corporate, including servicing and processing of transactions in the ordinary course of business.

• Catalyst Corporate will utilize security measures that Catalyst Corporate deems to be appropriate for the protection of nonpublic personal information about credit union members and other persons, with particular attention to protection against unauthorized access to or unauthorized use of such information that could result in substantial harm or inconvenience to any credit union’s members or to any other person.

• If an incident occurs that involves unauthorized access to or unauthorized use of nonpublic personal information about any credit union’s members or about any other person, Catalyst Corporate will take actions that Catalyst Corporate deems to be appropriate, including notification to the affected credit union as soon as possible of any such incident.

• From time to time, if requested by a credit union, Catalyst Corporate will make available to the credit union information deemed by Catalyst Corporate to be appropriate as to the security measures, controls, systems, and procedures that Catalyst Corporate uses for the protection of nonpublic personal information.

• Catalyst Corporate will utilize security measures designed to accomplish the proper disposal of nonpublic personal information held by Catalyst Corporate. If immediate deletion or disposal of the nonpublic personal information held by Catalyst Corporate is not feasible, then until the date when deletion or disposal of the information occurs, Catalyst Corporate will continue to utilize security measures designed to protect the information against unauthorized access and against unauthorized use.


privacy and Security

Catalyst Corporate places a high priority on security, and utilizes security measures to protect not just nonpublic personal information, but all types of confidential information that it receives from its member credit unions.

Under Parts 716 and 748 of the NCUA’s Regulations, Catalyst Corporate is deemed to be a “service provider” to its member credit unions. Catalyst Corporate is providing this Affidavit in order to assist member credit unions in their compliance with Parts 716 and 748. The Affidavit is written in general language so that member credit unions can utilize the Affidavit regardless of the level of complexity of their security programs.

Each credit union for which Catalyst Corporate is a “service provider” is hereby authorized to consider this Affidavit to be a contractual agreement with Catalyst Corporate, or to be an amendment of any agreements or Schedules that the credit union has entered into with Catalyst Corporate.

Catalyst Corporate agrees not to use nonpublic personal information about any credit union’s members, or about any other person, for any purpose other than those purposes for which the credit union disclosed the information to Catalyst Corporate, including servicing and processing of transactions in the ordinary course of business.

Catalyst Corporate will utilize security measures that Catalyst Corporate deems to be appropriate for the

protection of nonpublic personal information about credit union members and other persons, with particular attention to protection against unauthorized access to or unauthorized use of such information that could result in substantial harm or inconvenience to any credit union’s members or to any other person.

If an incident occurs that involves unauthorized access to or unauthorized use of nonpublic personal information about any credit union’s members or about any other person, Catalyst Corporate will take actions that Catalyst Corporate deems to be appropriate, including notification to the affected credit union as soon as possible of any such incident.

From time to time, if requested by a credit union, Catalyst Corporate will make available to the credit union information deemed by Catalyst Corporate to be appropriate as to the security measures, controls, systems, and procedures that Catalyst Corporate uses for the protection of nonpublic personal information.

Catalyst Corporate will utilize security measures designed to accomplish the proper disposal of nonpublic personal information held by Catalyst Corporate. If immediate deletion or disposal of the nonpublic personal information held by Catalyst Corporate is not feasible, then until the date when deletion or disposal of the information occurs, Catalyst will continue to utilize security measures designed to protect the information against unauthorized access and against unauthorized use.

Affidavit Regarding Part 716 and 748


Catalyst Corporate is committed to the confidentiality, integrity and availability of its operations, information, information systems and members’ information. To meet these objectives, Catalyst Corporate has implemented and continues to develop internal controls. To demonstrate compliance with these controls, Catalyst Corporate engaged a firm to perform an SSAE16 review for the period April-September 2013. The Service Organization Controls (SOC1) report covers controls placed in operation and tests of operating effectiveness.

The SSAE16/SOC1 review is available to credit unions who contact Member Services at [email protected] or 800.442.5763, option 1. The report also may be downloaded from TranZact by authorized users.

SSAe16 StAteMent

texas

6801 Parkwood Blvd.Plano, TX 75024

214.703.7500 800.442.5763

georgia

6705 Sugarloaf Pkwy., Suite 250

Duluth, GA 30097770.476.9704800.768.4228

california

2855 E. Guasti Road, Suite 600

Ontario, CA, 91761214.703.7500 800.442.5763

hawaii

1654 South King StreetHonolulu, HI 96826

214.703.7500 800.442.5763

due diligence report - catalyst corporate...

Documents