BSA, cybersecurity top NCUA’s exam agenda

BSA, cybersecurity top NCUA’s exam agenda

Regulator will have increased flexibility to conduct 'suitable' examination work offsite.

February 27, 2019

Bank Secrecy Act (BSA) compliance and cybersecurity maturity assessments will remain at the top of NCUA’s list of examination priorities for 2019.

Other primary areas of supervisory focus include credit concentration risk, compliance with consumer regulations, current expected credit loss (CECL), and liquidity and interest-rate risks. These supervisory priorities are outlined in NCUA’s Letter to Credit Unions 19-CU-01: Supervisory Priorities for 2019 [PDF].

NCUA’s extended exam cycle (introduced in 2017) will be fully implemented in 2019.

Examiners will continue using the streamlined small credit union exam program procedures for most credit unions that have assets of less than $50 million.

For all other credit unions, NCUA examiners will conduct risk-focused examinations, concentrating on the areas of highest risk, new products and services, and compliance with federal regulations.

In addition, NCUA notes examiners will have increased flexibility to conduct “suitable” examination work offsite.

BSA compliance

NCUA examiners plan to perform more in-depth reviews of credit unions’ BSA and anti-money laundering (BSA/AML) policies, procedures, and processes to assess compliance with the Financial Crimes Enforcement Network’s customer due diligence (CDD) regulations.

The regulations, which went into effect in May 2018, strengthen and codify existing CDD guidance and require institutions to identify and verify the identity of individuals (called “beneficial owners”) who own or control certain legal entity customers/members (i.e., business accounts), subject to certain exclusions and exemptions.

‘As in previous years, NCUA will be carefully evaluating credit unions’ cybersecurity risk management practices.’

NCUA examiners began assessing credit unions’ efforts to comply with the new regulations during the second half of 2018.

CUNA wrote in support of a bill that would update thresholds for certain reporting thresholds contained in BSA.

Concentrations of credit

NCUA examiners will continue to focus on large concentrations of loans (e.g., real estate loans, member business loans, loan participations, etc.) in credit portfolios.

“Concentration risk” is defined as “any single exposure or group of highly correlated exposures that have the potential to produce losses large enough to threaten a credit union’s health or ability to maintain its core operations.”

Concentration in credit portfolios is generally considered to be the most significant source of risk to a financial institution.

Implementing sound risk management practices is critical to managing concentration risk. If examiners identify excessive levels of credit concentration risk, they’ll work with credit union management to identify strategies to mitigate the risk.

Consumer compliance

In the area of consumer compliance, NCUA examiners will continue to perform limited reviews of Home Mortgage Disclosure Act (HMDA) loan/application registers to evaluate federal credit unions’ good faith efforts to comply with 2018 HMDA data collection and reporting requirements.

The reviews will take into account the statutory partial exemptions that took effect May 24, 2018.

Examiners will also continue to evaluate credit unions’ efforts to comply with:

  • Military Lending Act, which affects most non-mortgage-related consumer credit a lender extends to active duty servicemembers and their dependents.
  • Equal Credit Opportunity Act’s (Regulation B) notification requirements following adverse action (e.g., denial) taken on consumer credit applications.
  • Electronic Funds Transfer Act’s (Regulation E) “opt in” requirements for overdrafts related to ATM and one-time debit card transactions. A number of lawsuits have been filed against financial institutions for improperly imposing overdraft charges related to these types of transactions.

Next: CECL requirements

CECL requirements

As CECL requirements continue to evolve in 2019, examiners will inquire about credit unions’ efforts to prepare for the new accounting standard, and whether they have analyzed how CECL would alter the allowance for loan and lease losses funding needs.

The Financial Accounting Standards Board issued the new accounting standard in June 2016, introducing the current expected credit losses methodology for estimating allowances for credit losses. The standard becomes effective Jan. 1, 2022, for most credit unions.

CUNA called on NCUA to do more to prepare credit unions for CECL in a letter [PDF] to Chairman J. Mark McWatters. The letter echoes CUNA’s request during a June 2018 meeting that the agency increase its focus on implementation of CECL.

Information systems and assurance

As in previous years, NCUA will be carefully evaluating credit unions’ cybersecurity risk management practices. Examiners will continue conducting information security maturity assessments with the Automated Cybersecurity Examination Toolbox (ACET).

Developed in 2017, ACET mirrors the Federal Financial Institutions Examination Council’s Cybersecurity Assessment Tool, developed for voluntary use by credit unions and banks to identify their risks and determine their cybersecurity preparedness.

Examiners will use ACET to assess credit unions with more than $250 million in assets that have not previously received an assessment.

In addition, NCUA examiners will focus on the assessment of a credit union’s information technology risk management to ensure it effectively identifies, remediates, and controls inherent risks to appropriate residual risk levels, and oversight of service provider arrangements to ensure credit unions implement effective risk-based supply chain management.

NCUA chose these areas of focus as a result of historical examination analysis, emerging threat trends, and sample results of ACET maturity assessments to date.

Liquidity and interest-rate risk

Examiners will assess credit unions’ liquidity and interest-rate risk management to identify:

  • The potential effects of rising interest rates on the market value of assets that affect changes to net worth and borrowing capacity.
  • Member preference shifts to shares with more market sensitivity.
  • Management’s ability to meet liquidity needs given the increased competitive pressures that affect share balances.

An effective liquidity and interest-rate risk management program is a key component of a credit union’s safety and soundness.

“The projected economic fluctuations in 2019 make this an increased area of emphasis,” according to the agency’s letter.

When rates rise, it puts pressure on credit unions to raise deposit rates to maintain deposit account volume. Enhanced mobile and internet banking applications and non-bank financial technology may also result in greater challenges to retain low cost core deposits compared to prior interest rate cycles.

Contact CUNA’s compliance team