2016 Examinations Will Focus on Greatest Potential Risks

NCUA's primary mission is to ensure the safety and soundness of America's federally insured credit unions and preserve the National Credit Union Share Insurance Fund that protects members' deposits. To accomplish this, NCUA uses a risk-focused examination program that allocates agency resources to credit unions and areas exhibiting the greatest potential risk.

In 2016, NCUA will continue to implement a streamlined examination process in select federal credit unions that have less than $50 million in assets and a CAMEL rating of 1, 2 or 3. The streamlined examination will include a defined-scope that focuses on areas of greatest risk in smaller credit unions—lending, recordkeeping and internal controls.

For all other credit unions, field staff will conduct risk-focused examinations, which rely on examiner judgement to determine the areas needing review and will concentrate on areas of highest risk, new products and services, and compliance with federal regulations.

As detailed in the Letter to Credit Unions, 16-CU-01, NCUA's supervisory priorities for 2016 include:

Cybersecurity Threats

Credit unions, like many other businesses, are becoming increasingly more dependent on information technology to deliver services to their members. As a result, cybersecurity has become an area of heightened concern, as data breaches have become more prevalent. Cybersecurity threats represent a major operational risk to credit unions, and they will be one of NCUA's areas of focus in 2016.

In June 2015, NCUA released a Cybersecurity Assessment Tool jointly with the other member agencies of the Federal Financial Institutions Examination Council. The Assessment Tool provides a process for credit unions to measure their cybersecurity preparedness over time. NCUA will begin incorporating the Cybersecurity Assessment Tool into the examination process in the second half of 2016.

Safeguarding Member Information

Part 748 of NCUA Rules and Regulations requires federally insured credit unions to develop and implement a security program designed to safeguard member information and respond to incidents of unauthorized access to or use of member information that could result in substantial harm or inconvenience to a member. In 2016, field staff will review credit union security programs and incident response programs to ensure compliance with Appendix A to Part 748, "Guidelines for Safeguarding Member Information" and Appendix B to Part 748, "Guidance on Response Programs for Unauthorized Access to Member Information and Member Notice."

Money Services Businesses

In 2014, NCUA issued guidance to field staff on evaluating credit unions that provide account services to money services businesses. Money services businesses include transactional businesses, such as check cashiers, prepaid card providers, foreign currency dealers, money transmitters and issuers of money orders and traveler checks.

While credit unions may provide services to money services businesses within their field of membership, they must assess the risks posed by each individual business and implement policies, procedures and controls to manage the risk exposure.

For credit unions that provide account services for money services businesses, field staff will evaluate whether a credit union:

  • Has adequate policies, procedures and processes to identify and assess risk related to money services business accounts;
  • Has met the due diligence expectations found in Letter to Credit Unions, 14-CU-10, "Identifying and Mitigating Risks of Money Services Businesses," and the associated supervisory letter;
  • Has adequate policies, procedures and processes in place to identify, monitor and report suspicious activity;
  • Is in compliance with all Bank Secrecy Act reporting requirements; and
  • Has accurately reported MSB account information on its Call Report.

Interest Rate Risk

Interest rate risk remains a key supervisory focus for 2016. Interest rates have begun to rise and may present a challenge for credit unions with high concentrations of long-term assets funded with short-term liabilities.

NCUA is in the process of updating its risk-management guidance on interest rate risk, which will be published later this year. Field staff will transition to the updated examination procedures over the course of the year. The new procedures will improve the efficiency of our reviews by focusing resources on those credit unions with elevated levels of interest rate risk and streamlining related examination procedures.

Field staff will continue to evaluate credit unions' compliance with NCUA's interest rate risk rule, which requires federally insured credit unions with more than $50 million in assets to develop and adopt a written policy on interest-rate risk management and establish a program to identify, measure, monitor and control for interest rate risk.

TILA-RESPA Integrated Disclosure Rule

During 2016, field staff will review credit unions' compliance with the relevant provisions of the TILA-RESPA Integrated Disclosure Rule. The Consumer Financial Protection Bureau adopted this rule to help consumers better understand mortgage transactions. The rule requires loan originators to provide consumers with two disclosures:

  • Loan Estimate Disclosure — Combines the Truth in Lending Act disclosure and the Good Faith Estimate of the Real Estate Settlement Procedures Act. The loan estimate disclosure must be delivered or placed in the mail no later than the third business day after receiving a consumer's mortgage application.
  • Closing Disclosure — Combines the final TILA disclosure and the HUD-1 Settlement Statement. The closing disclosure must be provided to the consumer at least three business days before the consummation of a mortgage.

The disclosure rule also imposes record-retention requirements and restricts mortgage originators from imposing certain fees, providing estimates or requiring consumers to verify information before providing a loan estimate to a consumer. Credit unions that originate real estate loans on or after Oct. 3, 2015, are required to comply with the TILA-RESPA integrated disclosure rule.

CUSO Reporting

Federally insured credit unions that invest in or lend to a CUSO are required to enter into a written agreement requiring the CUSO to submit annual reports to NCUA and the state supervisory authority if the credit union is state-chartered. CUSOs began providing their annual reports through the CUSO registry on Feb. 1.

Once the deadline for CUSOs to register with NCUA has passed, field staff will check the registry to confirm that CUSOs have an active and current record in the system.

Conclusion

NCUA remains committed to protecting the safety and soundness of America's federally insured credit unions and their more than 102 million members. In the coming year, our field staff will work with credit unions to ensure the health of the system and the integrity of the Share Insurance Fund.