Cybersecurity, Bank Secrecy Act Among 2017 Supervisory Priorities

NCUA’s primary mission is to ensure the safety and soundness of America’s federally insured credit unions and preserve the National Credit Union Share Insurance Fund that protects members’ deposits. To accomplish this, we use a risk-focused examination program that allocates agency resources to credit unions and areas exhibiting the greatest potential risk.

As in previous years, in 2017 our field staff will continue to use the streamlined small credit union exam program procedures for credit unions with assets up to $50 million and a composite CAMEL rating of 1, 2, or 3. For all other credit unions, field staff will conduct risk-focused examinations, which concentrate on the areas of highest risk, new products and services, and compliance with federal regulations.

Also in 2017, we are implementing an extended exam cycle, which is discussed in more detail in Letter to Credit Unions, 16-CU-12, “Risk-based Examination Policy.” The letter is available online at

NCUA’s primary areas of supervisory focus in 2017 are:

Cybersecurity Assessments

Cybersecurity remains a key supervisory focus. NCUA will continue to carefully evaluate credit unions’ cybersecurity risk-management practices. We encourage credit unions to use the Federal Financial Institutions Examination Council’s Cybersecurity Assessment Tool to bolster their security and risk-management processes.

Additionally, NCUA plans to increase our emphasis on cybersecurity with a structured cybersecurity assessment process. We anticipate completing this process by late 2017, and we will keep credit union system stakeholders informed as changes occur.

NCUA also will continue to foster and facilitate sharing of best practices to strengthen credit unions’ existing cybersecurity programs.

For more cybersecurity resources, visit our Cybersecurity Resources website at

Bank Secrecy Act Compliance

NCUA remains vigilant in ensuring the credit union system is not used to launder money or finance criminal or terrorist activity. Our field staff are required to review credit unions’ compliance with the Bank Secrecy Act and to complete the related questionnaire at every examination.

In addition, all federally insured credit unions must meet certain recordkeeping and reporting requirements under the Bank Secrecy Act.

In 2017, NCUA field staff will focus on credit unions’ relationships with money services businesses and other accounts that may pose a higher risk for money laundering.

Credit unions that provide services to a money services business or other types of high-risk businesses need specialized procedures in place to appropriately classify risk and determine the depth and intensity of monitoring that is necessary. Credit unions are expected to perform appropriate due diligence, analysis and monitoring when providing services to these and other high-risk accounts.

For guidance on risk-mitigation practices related to money services businesses, see Letter to Credit Unions, 14-CU-10, “Identifying and Mitigating Risks of Money Services Businesses,” at

For additional information and resources on the Bank Secrecy Act, visit our Bank Secrecy Act webpage at

Internal Controls and Fraud Prevention

Credit unions with limited staff can be more susceptible to insider fraud because of the inherent challenge of maintaining adequate separation of duties among employees. Our field staff will continue to evaluate the adequacy of credit union internal controls, as well as overall efforts to prevent and control fraud.

Interest Rate and Liquidity Risk

At the beginning of the year, field staff will start using a revised interest-rate-risk supervisory tool and new examination procedures to assess interest rate risk-management practices in credit unions. These procedures will improve the efficiency of our reviews by focusing the agency’s resources on credit unions that have elevated levels of interest rate risk and by streamlining the related exam procedures.

Field staff will also focus on the relationship between interest rate risk and liquidity risk.

For more information about these supervisory changes, see Letter to Credit Unions, 16-CU-08, “Revised Interest Rate Risk Supervision,” at

Commercial Lending

NCUA field staff will evaluate a credit union’s commercial loan policies and procedures and assess the risk-management processes associated with managing a commercial loan portfolio following the changes to NCUA’s member business lending regulations that went into effect in January. Credit union officials should be prepared to provide documentation to support management’s ability to effectively monitor and manage its commercial-loan portfolio.

NCUA’s online Examiner’s Guide provides guidance on the principles of sound commercial lending and NCUA’s supervisory expectations for sound risk-management practices. It is available at

For more information, see Letter to Credit Unions, 16-CU-11, “Member Business Loans Guidance Added to Examiner’s Guide,” at

Consumer Compliance

Because of changes to the Military Lending Act that have gone into effect recently, as well as additional changes that will go into effect in October, field staff will evaluate credit unions’ compliance with the act. Field staff also will review compliance with the Servicemembers’ Civil Relief Act.

For more information on the Military Lending Act, see Letter to Credit Unions, 16-CU-07, “Military Lending Act Examination Approach,” at

For additional consumer compliance tools and resources, visit our Consumer Compliance Regulatory Resources website at


We remain committed to protecting the safety and soundness of America’s federally insured credit unions and their more than 106 million members. If you have any questions about the agency’s 2017 supervisory priorities, please contact your NCUA regional office.
