Member error resulted in fraud

Manager at a credit union ($49M USA)
We had a member who received a text from our fraud department and confirmed that it wasn’t fraud, and it resulted in $400 worth of transactions that the member is now claiming were fraud. Do we HAVE to provide the member credit, or is it at our discretion because she made an error? We have this happen quite a few times and I am just wondering if we are required to provide credit back (they are transactions that don’t have chargeback rights). The member said it wasn’t fraud, so the transactions cleared. Based off MasterCard zero liability, it seems I can interpret the safeguarding rule as the member technically didn’t safeguard her card and it would be our decision. But just wondering if anyone has encountered this and if there are any rules that would protect us from denying it.

FDIC Connect user guide

AVP at a bank ($370M USA)
Has anyone put together a user guide for FDIC Connect? I have started to put together a few things, but since this is my first exam using the new system I was wondering if anyone had anything. I was not able to find much in FDIC Connect, called them and was told they did not have anything.

Merchant Services for Non-Bank Customers

Person at a bank ($536M USA)
Currently my bank provides card processing services to clients only. I would like to open up this service to non-banking merchants as well. When presenting this idea to management I will have to provide a list of pros and cons. One concern brought up already is the risk of funds liability. Does anybody else do this or have any input?

Retention of Total Loss Documents

Employee at a credit union ($2.1B USA)
Do you retain any paperwork that may be generated from processing a total loss claim? If so, for how long?

For example, someone crashes the car they have financed with us, their insurance will send a payoff check and instructions on where to send the released title. Do we keep those instructions? Or let's say the settlement didn't cover the full balance and the borrower purchased a GAP waiver. At our institution we gather all of the necessary documents the GAP insurer may require and we file the claim. Should we keep all of that paperwork?

In the end, the loan is paid off, so I'm inclined to stick it with the other loan documents until they're disposed of, but I can't actually find any guidance on how long to retain these or if we should even bother.

The Best things to do with Microsoft 365 – Microsoft Secure Score

Most small- to medium-sized institutions don’t have a full-time employee available to devote to Microsoft 365 administration and security.  If you are the person spinning about two dozen plates including administration of 365, you know this.
Also, you probably know through your vendor management program what Microsoft is (and is not) responsible for. For example, Microsoft supplies the administration of a global cloud infrastructure to host your resources; however, Microsoft does not manage the security of, or access to, your data.
There’s a learning curve to understanding which configuration changes to make so that your data and access are properly secured. Sure, you can Google-fu things like best practices for cloud security, and likely implement some good strategies. But how do you know you haven’t missed something, or worse, taken bad advice?
Microsoft has provided tools to help assess your security posture, such as Microsoft Secure Score, which provides “a measurement of an organization's security posture…” That’s right, they have designed a tool that analyzes your configuration efforts and spits out a number to “score” your efforts.
Whether you’re a 365 expert or unsure of your security posture in 365, use this tool. Glean from it what you can and make decisions. Information can only help manage the limited sanity left for spinning plates. You can access your score at
Also, get familiar with  Microsoft is changing things all the time.  Administrator resources that were once in one admin portal or Azure blade a month ago are often moved and consolidated somewhere else.  It can be frustrating trying to keep up with the changes or even find current documentation.  There is also a lot of good information outside of Microsoft documentation, so Google is your friend.  Microsoft also has RSS and Twitter feeds to help keep you up to date on changes that are occurring.  You can find this info at  Also consider signing into the Microsoft documentation with your 365 credentials and updating your account settings to get content update notifications sent to your email.

Non Bank Financial Institutions - High Risk Customer Type

Employee at a bank ($765M USA)
We have been making a strong effort to identify all customers that fit into any High Risk Customer (HRC) category, and there is one we are struggling with - NBFIs. We are currently working off of a manual BSA Compliance system.
Non Bank Financial Institutions seem like an odd catch-all category that is defined vaguely in the FFIEC Exam Manual as '...institutions, other than banks, that offer financial services' (well duh...). They provide examples, some of which have overlap with other HRC types - MSBs and PSPs most notably. Examples provided:
· Casinos and card clubs.
· Securities and commodities firms (e.g., brokers/dealers, investment advisers, mutual funds, hedge funds, or commodity traders).
· Money services businesses (MSB).
· Insurance companies.
· Loan or finance companies.
· Operators of credit card systems.
· Other financial institutions (e.g., dealers in precious metals, stones, or jewels; pawnbrokers).

So the question is, how are other banks identifying these NBFIs? What are the common business types you find fit this definition? Do you utilize specific NAICS codes, or conduct keyword searches? Once identified, what due diligence specific to NBFIs are you conducting?