Examining Risk

Pay attention to new developments in NCUA’s seven risk factors.

March 1, 2014
Risk is the four-letter word first and foremost in every regulator’s mind.

That’s why it’s important for credit unions to pay attention to new developments in each of the seven “risk factors” NCUA identifies in its Examiner’s Guide. Obviously, there aren’t clear demarcations between highly interrelated risks, so many of these developments could fall under several risk categories. While NCUA doesn’t recognize “concentration risk” as a separate category, that risk concern impacts a number of agency’s risk factors.

1.Interest-rate risk

NCUA states that “interest-rate risk is the most significant risk the credit union industry faces right now.” Since 2012, federally insured credit unions with more than $50 million in assets must have an interest-rate risk (IRR) management program.

The framework of an effective IRR management program has five elements, according to NCUA: A comprehensive, written IRR policy; IRR oversight by the board of directors and management; appropriate IRR measurement and monitoring systems; good internal controls; and informed decision-making based on IRR measurement system results.

At the time the NCUA Board adopted this new regulation, interest rates were at (and generally remain near) historic lows. An NCUA board member asked staff why the agency needed a regulation at a time when interest-rate risk wasn’t of particular concern. Staff answered that credit unions need to be “repairing the roof before it rains.”

NCUA is concerned that the rain might come at any time and credit unions aren’t ready. Expect examiners to ask far more pointed questions this year about your credit union’s IRR program. For example, if a credit union’s real estate loan portfolio has a large concentration of fixed-rate mortgages (and perhaps also a large amount invested in mortgage-backed securities), expect the examiner to ask some tough questions.

Early this year, NCUA finalized a new regulation on derivatives as another tool to mitigate interest-rate risk—and only for this purpose. Federal credit unions with at least $250 million in assets and a composite CAMEL rating of 1, 2, or 3 can apply to NCUA for permission to use certain derivatives (interest-rate swaps, interest-rate caps, interest-rate floors, basis swaps and Treasury futures). The agency might allow smaller federal credit unions to use them, too. While state-chartered credit unions permitted under state law to use derivatives don’t have to apply for permission, they must notify NCUA 30 days before engaging in derivative activities, must follow NCUA-issued “guidance” on derivatives, and can expect a close regular review by NCUA.

Don’t expect many credit unions to have authority to use derivatives. NCUA believes that 30 to 60 federal credit unions will likely apply during the next two years, and agency approval will take many months. Adding in the state-chartered credit unions it expects to see using derivatives, NCUA says 50 to 100 credit unions likely will engage in derivative activities by year-end 2015.

2.Credit risk

Concerns about loan performance, rates of delinquencies, and charge-offs are always high on examiners’ minds, regardless of type of loan. Obviously, problems in the housing sector were a key cause of the Great Recession, and the Dodd-Frank Act mandated the Consumer Financial Protection Bureau adopt numerous regulations to restore order and balance to mortgage lending.

The CFPB’s ability-to-repay/qualified mortgage (QM) regulation, which became effective in January 2014, raises concerns about how examiners will respond to credit unions making non-QMs. NCUA specifically says:

“Whether your credit union originates QMs or non-QMs, field staff will evaluate credit risk, liquidity risk, and concentration risk. NCUA will not subject a mortgage to safety-and-soundness criticism solely because of the loan’s status as a QM or non-QM. But credit unions choosing to make non-QMs will need to take into account the potential new market and legal risks.”

It’s uncertain how many non-QMs will end up on credit unions’ books and if there will be a secondary market for non-QMs. So expect examiners to look at the composition of your mortgage portfolio, to evaluate if your credit union really understands risks of holding non-QMs, and to ask how you plan to address these risks if you hold a large amount of them.

And there’s another part of loan portfolios receiving additional examiner scrutiny: NCUA notes private student loans are the fastest-growing product in the credit union industry. Possible losses won’t occur for a number of years after the loan is made, so credit risks are hard to assess. More than 600 credit unions offer this product, and they should expect examiners to closely look at their planning, policies, and monitoring systems, as well as how they conduct due diligence reviews of third parties they rely upon and what steps they take to mitigate risk (such as the use of co-borrowers and purchase of default insurance). At year-end 2013, NCUA shared with credit unions not only its Supervisory Letter to examiners on this subject but also its AIRES questionnaire.

As the agency’s January 2014 risk-based capital proposal demonstrates, NCUA also is very concerned about a credit union holding a large concentration of its assets in member business loans (MBLs). So expect continued examiner scrutiny of MBL portfolios. In the “good news” category, the agency plans to revisit some of the restrictions in its MBL regulation this year.

NEXT: Liquidity risk

3. Liquidity risk

Interest rates will rise at some point and a credit union’s current loan and investment portfolios might not provide enough flexibility to rapidly adjust to different economic conditions. To address these concerns—and problems credit unions faced in the recent financial crisis—NCUA adopted a regulation that requires all federally insured credit unions to have liquidity and contingency funding plans. The regulation goes into effect on March 31.

Credit unions with less than $50 million in assets must have a basic board-approved policy that provides a framework for managing liquidity and a list of contingent liquidity sources. Credit unions with assets of $50 million or more must have a contingency funding plan that sets out strategies for addressing liquidity shortfalls in emergency situations. In addition, credit unions with assets of $250 million or more must establish access to NCUA’s Central Liquidity Facility and/or to the Federal Reserve’s discount window.

4. Transactional risk

Obviously, the widespread merchant data breaches are a continuing concern for everyone. Credit unions have been required for years to have response programs in place to monitor member accounts, replace cards, etc. NCUA continues to express concerns about new risks created by new technology, such as online banking, mobile banking, remote deposit capture, social media, etc. Early this year, NCUA said in addition to interest-rate risk, its major concern is cybersecurity threats, and not just at large credit unions:

“NCUA field staff will evaluate credit unions’ ability to assess and mitigate cybersecurity risk and respond to cyber-attacks. Credit unions of all sizes will be expected to implement appropriate risk mitigation controls—including vendor due diligence, strong password processes, proper patch management and network monitoring—to better prevent, detect, and recover from cyberattacks.”

Last spring, NCUA said that it would issue further guidance on eBanking, but so far, it hasn’t. The federal banking agencies have similar concerns, so look for the Federal Financial Institutions Examination Council (of which NCUA is a member) to issue guidance on cyberthreat risk mitigation soon.

5. Compliance risk

The list of new or revised federal regulations that apply to credit unions in 2014 include:

  • The CFPB mortgage rules that became effective in January 2014 (including ability-to-repay/qualified mortgages , mortgage servicing, loan originations, high-cost mortgages, homeownership counseling, appraisals, etc.) and the bureau’s international remittance transfers regulation;
  • NCUA’s revised loan participation regulation (that now applies to all federally insured credit unions); the new charitable account regulation for federal credit unions; and revised credit union service organization rules.

NCUA and the CFPB have instructed their examiners not to write up credit unions for noncompliance with the new mortgage lending regulations so long as the credit union is showing a good-faith effort and taking reasonable steps toward full compliance. NCUA and the CFPB are very vague on when examiners will start to take stricter actions. But this is the reality: Failure to comply with all the Truth-in-Lending Act (TILA) regulations can possibly lead to private lawsuits down the road. And remember, the TILA-Real Estate Settlement and Procedures Act new “loan estimates” and “closing disclosure” rules start on Aug. 1, 2015, and don’t expect any delay in that effective date.

Compliance involving the Bank Secrecy Act (BSA) regulations and reporting requirements is ongoing. In 2014, NCUA specifically says that its “field staff will be scrutinizing credit unions’ relationship with money services businesses (MSB), looking to ensure credit unions are in compliance with BSA requirements with regard to MSB member accounts.”

As banks have stopped offering accounts to MSBs, NCUA is concerned that credit unions are opening these accounts without understanding the compliance implications.

Marijuana businesses seeking banking relationships raise BSA and other compliance questions. Credit unions need to move slowly and allow states and the U.S. Department of Justice to figure out how depository institutions can help these businesses establish accounts.

Fair lending is another area you can expect increased CFPB and NCUA scrutiny. The CFPB issued a controversial bulletin last spring on autodealer indirect lending programs, the U.S. Justice Department seems to be stepping up its interest in fair lending cases, and NCUA’s Office of Consumer Protection is conducting annually a limited number of fair lending exams. And additional HMDA data (used to identify possible discriminatory lending patterns) might be required in 2015. So credit unions certainly should review NCUA’s 2013 Fair Lending Guide and assess the adequacy of their policies and compliance procedures.

NEXT: Strategic risk

6. Strategic risk

NCUA broadly defines this category of risk as making adverse business decisions, improperly implementing decisions, or being unresponsive to industry changes. This is a good place to discuss NCUA’s November 2013 Supervisory Letter on enterprise risk management (ERM). NCUA makes clear that credit unions (other than corporate credit unions) aren’t required to implement a formal ERM framework. But NCUA believes ERM “presents potential benefits to larger [not defined by NCUA], more complex credit unions,” and that examiners “should ensure the credit union employs a comprehensive risk management approach, which may or may not include a formal ERM program.”

NCUA recognizes ERM is an evolving concept and there’s no “off-the-shelf” ERM program. Its 2013 Letter briefly discusses eight ERM components, and discusses only in very general terms what examiners should look for in all credit unions when evaluating risk (such as the credit union’s risk appetite, potential exposures, risk concentration, management performance, etc.).

Expect examiners to see if larger credit unions have risk management frameworks that manage risks across the credit union’s entire operations, rather than having a “silo” departmental approach, regardless of whether it’s a formal ERM program. And as examiners receive more training about ERM concepts, expect them to discuss an ERM program’s components with credit union management, such as the desirability of having a “risk culture” established throughout the credit union.

7. Reputation risk

NCUA’s Examiner’s Guide says “reputation risk is the current and prospective risk to earnings or capital arising from negative public [or member] opinion or perception.” It would be impossible to create a plan of action to address all possible problems, but one thing a credit union can do is formalize how it handles member complaints.

Some consumer protection regulations—those on electronic funds transfers and truth-in-lending come to mind—provide specific procedures for responding to member complaints involving specific products. But few credit unions appear to have in place an organized framework for tracking and responding to member complaints. This would include a centralized place to gather complaints regardless of how they arrive at the credit union, a formalized way to respond to complaints, and documentation (including how long records will be retained). And a credit union should make sure to have a procedure to periodically analyze complaints from all across the credit union. For instance, you’ll want to see if patterns of organizational weaknesses or disparate impact exist.

No regulatory requirement exists to take this action. NCUA’s Office of Consumer Protection now has specific procedures on contacting a federal credit union’s supervisory committee to respond to member complaints that come into NCUA. And remember in the Dodd-Frank Act the second enumerated function of the CFPB is “collecting, investigating, and responding to consumer complaints.”

The CFPB considers responding to consumer complaints to be one of four primary components of a “compliance management system” that the bureau expects the large credit unions under its supervision to maintain. The CFPB doesn’t require any specific compliance management system structure, but believes the other three primary components are: board and senior management oversight; a compliance program that addresses policies, training, and monitoring with corrective action as needed; and an independent compliance audit.

And the CFPB publicizes the types of consumer complaints it receives—and those complaints someday could form the basis for revisiting parts of its regulations.

So it just makes good business sense for a credit union to formalize tracking and handling complaints made by its members.

Adapted from the soon-to-be-released 2014-2015 CUNA Environmental Scan.

KATHY THOMPSON is CUNA’s senior vice president of compliance. Contact CUNA’s compliance team at