NCUA Board Member Rodney E. Hood Talking Points ALM First CFO Conference
Balance Sheet Management
- Credit unions should manage their balance sheets holistically, and with consideration for:
  - interest rate risk (IRR);
  - capital; and
  - loan pricing.
- Strong balance sheet management is paramount to running a successful credit union.
Interest Rate Risk
- Interest rates are rising, which increases interest rate and other related risks. A credit union’s ability to manage interest rate risk will remain a crucial factor in its performance. Prudent credit unions will focus on the fundamentals of capital, asset quality, earnings, liquidity, and sensitivity to market risk.
- The NCUA recognized there were industry concerns about how examiners were supervising for market risk given rising interest rates. Interest rate risk has been a supervisory priority for the NCUA for several years.
- On September 1, 2022, the NCUA issued a Letter to Credit Unions with an attached Supervisory Letter detailing the updates to the IRR Supervisory Framework. The key changes are:
  - Revising the Net Economic Value, or NEV, supervisory test risk classifications by eliminating the “extreme” category.
  - Eliminating the presumed need for a DOR and a de-risking plan for any NEV supervisory test risk classification.
  - Enabling examiners to evaluate interest rate risk on a case-by-case basis. This allows examiners to develop tailored solutions that account for risk exposures without requiring arbitrary administrative actions.
  - Reinforcing how the Estimated NEV Tool and NEV supervisory tests drive the breadth and depth of examination procedures for interest rate risk.
- The NCUA did not revise its treatment of non-maturity shares for purposes of the supervisory test. Standardizing the value of non-maturity shares is not an attempt to value a credit union’s modeling for their member accounts. However, it does provide the NCUA with a tool to measure the duration mismatch using NEV. Credit unions should conduct thoughtful behavior studies on non-maturity shares and sensitivity analysis around their assumptions because they represent a key driver of risk in the balance sheet.
- Credit unions should consider the IRR on their balance sheets and the link between IRR and liquidity risk, given the sharp decline in loan and investment valuations.
- Credit unions should mitigate elevated IRR by taking immediate action, if economically feasible, and address future IRR by lowering the interest rate risk sensitivity on their balance sheet.
- The NCUA modernized its derivatives rule in 2021. Changes included removing:
  - The application requirement for complex federal credit unions with a CAMELS “M” component of 1 or 2;
  - Regulatory limits, including the WARM (weighted average remaining maturity) limits; and
  - Derivative types that can be used. Derivatives must be used to manage IRR.
- The NCUA modernized the ability for credit unions to manage their loan pipeline last year, too. Changes included:
  - Not limiting loan pipeline management to mortgage loans;
  - Explicitly allowing for derivatives to manage loan pipelines; and
  - Moving all loan pipeline management-related rules into one section in part 703, subpart A.
- Although not a change, all federal credit unions should know there is no required approval for them to manage their loan pipelines. Of course, these activities must be done in a safe and sound manner.
- The recent increases in interest rates may create unique challenges from a liquidity standpoint. Credit unions should pay particular attention to liquidity, given the sharp decrease in investment prices and the potential cost of borrowing.
- Unrealized positions have dropped significantly in price, representing close to 13 percent of the system’s net worth as of June 30, 2022. This may present credit unions with alternative liquidity and funding challenges.
- To comply with NCUA’s regulations, federally insured credit unions with total assets exceeding $250 million must have a contingency funding plan and at least one contingent federal liquidity source.
- Credit unions should know that deposits may migrate to certificates of deposit, other financial institutions, or even outside of traditional depository institutions in search of higher yields or returns.
- The new subordinated debt rule went into effect January 1, 2022.
- Low-income designated, complex credit unions, and new credit unions can issue subordinated debt with NCUA approval.
- Only low-income credit unions can count subordinated debt towards net worth.
- Complex credit unions can count subordinated debt in their risk-based capital (RBC) numerator.
- Credit unions issued $1.9 billion of subordinated debt through the Treasury Emergency Capital Investment Program.
- The RBC rule went into effect on January 1, 2022. The rule included an option for complex credit unions to use the Complex Credit Union Leverage Ratio (CCULR) instead of RBC.
- As of June 2022 Call Reporting, 57 percent of all complex credit unions opted into the CCULR framework, while 43 percent reported on the RBC form.
Current Expected Credit Losses
Implementation of the CECL Accounting Standard
- Because federal credit unions are required by statute to have a calendar fiscal year, there is some confusion as to whether all federal credit unions must adopt CECL on the first day of the 2023 calendar year.
- The answer is no. There is no statutory or regulatory requirement that the term “fiscal year”, as used in the CECL Transition Rule, be interpreted to mean “calendar year.”
- Based on last December’s Call Report, about 880 federal credit unions reported that they are audited on a year other than a calendar year. These credit unions can continue to be audited on their usual financial statement reporting year.
- Purposefully, the CECL accounting standard and the NCUA’s CECL Transition Rule have the same implementation date for credit unions.
- CECL is implemented at the start of the credit union’s financial statement reporting year, beginning after December 15, 2022. For example, a credit union with a financial statement reporting year ending on September 30, 2023, will implement CECL on October 1, 2023. With the NCUA’s CECL Transition Rule, the phase-in of the day-one effect on the credit union’s net worth ratio would also start on October 1, 2023.
- A credit union that prepares its financial statements on a calendar year will implement CECL on January 1, 2023, with the phase-in of the day-one effect starting that same day.
- This applies to federal credit unions and federally insured state-chartered credit unions with assets greater than $10 million.
Examining for CECL
- Credit unions have asked how examiners will approach the allowance for loan losses (ALLL) under CECL.
- The Allowance for Credit Losses on Loans and Leases is an estimate, and examiners will approach CECL in a similar manner as the former ALLL method (under the incurred loss method). It will be very much like prior years.
- In evaluating the adequacy of the allowance, examiners will review:
  - The related policies and procedures;
  - The reserving methodology, including modeling assumptions and qualitative factor adjustments;
  - Adherence to generally accepted accounting principles; and
  - Any reports, such as from auditors, that analyze the reserving methodology.
- Examiners will not be looking for perfection, but rather for the reasonableness of the allowance based on the credit union’s business lines, members, and circumstances. Just like the ALLL, examiners will ask about the qualitative adjustments made to calibrate the allowance to the credit union’s current facts and circumstances.
- In summary, while the accounting standard has changed, the approach has not.
NCUA Final Rule (June 2021)
- Consistent with the Federal Credit Union Act, the NCUA Board issued a final rule exempting credit unions with less than $10 million in assets from CECL. The final rule requires any reasonable reserve methodology (incurred loss) to determine loan losses, provided it adequately covers known and probable losses unless state regulation requires compliance with Generally Accepted Accounting Principles (GAAP).
- The final rule implements the three-year phase-in of CECL’s impact on net worth.
- This rulemaking is akin to the CECL implementation issued by the other federal banking agencies.
- The effects of the phase-in on a federally insured credit union’s net worth calculations would be consistent with Section 216 of the Federal Credit Union Act and are closely modeled on the CECL transition provisions issued by the other banking agencies.
- The phase-in gives federally insured credit unions time to adjust to the new GAAP standard, adopted by the FASB, in a uniform manner and without disrupting their ability to serve their members.
Preparing for Examiner Evaluations
- Being organized—CECL is a very flexible accounting standard designed to be applied to any size entity. Thus, every credit union will implement and apply CECL differently, meaning there is no one set way. Credit unions can be prepared by:
  - Creating an organized set of documents that allows for easy understanding of the reserving methodology;
  - Explaining the way that CECL’s life-of-loan concept is included in the reserving methodology; and
  - Supporting or justifying that the credit loss allowance logically represents the credit union’s current circumstances. That is, supporting the reasonableness of the allowance based on a credit union’s business lines, customers, and circumstances.
NCUA Simplified CECL Tool
- NCUA recently released the Simplified CECL Tool for small credit unions. This tool is important because more than 3,100 credit unions have assets of less than $100 million.
- While the tool contains peer data related to credit unions that have assets of less than $100 million, the agency anticipates larger credit unions will use the tool as well.
- Larger credit unions will need to do their due diligence to ensure the tool is adjusted to align with their loan portfolio.
- To facilitate this, the tool already includes loss histories for credit unions with up to a billion in assets, and the FAQ document includes the attributes of the loan-level data used to determine the CECL life-of-loan factors, which the tool refers to as the weighted average remaining maturity factors.
- Credit unions can compare whether their portfolios align with the peer data.
- The September 2022 version of the tool will be released in October, and the December 2022 version will be released in January 2023. Our goal is to provide credit unions and their accountants and auditors enough time to test, evaluate, and become comfortable with the CECL Tool before using it.
- The NCUA recognizes that credit unions need time to evaluate applicable CECL tools, especially with other CECL tools vying for attention.
- The tool is on the NCUA’s website, under CECL Resources.
- The NCUA has started training examiners on CECL with a focus on concepts and implementation and evaluating the allowance for credit losses. The agency will provide guidance and methodologies for examiners to evaluate the different types of models that can be used under CECL to determine the allowance for credit losses.
- Examiner training reinforces that the NCUA is not expecting perfection on day one. Rather, the agency wants to see improvements in the credit union’s estimation of allowance for credit losses as time progresses.
Recent FASB Developments
- The CECL standard continues to be updated. At its February 2, 2022 Board meeting, the FASB eliminated troubled debt restructuring, or TDRs, under CECL, though previous TDRs can still be accounted for as TDRs.
- Cyber-enabled frauds continue to rise—remain vigilant, and ensure your staff receives periodic training on the latest tactics and schemes.
- Synthetic identity fraud is also on the rise, or, at least, is beginning to be detected in more financial institutions. This can directly impact credit losses, so be mindful of this and establish mitigation and detection strategies.
- There are many technological tools available to address fraud risk, and we know some credit unions have participated in pilot projects or have already started to implement tools to address synthetic identity fraud risk. The Federal Reserve also has a great toolkit of resources available on this topic.
- The potential for insider fraud increased during the pandemic. As society transitions to a “new normal,” this is a key time to review your anti-fraud and conflict of interest programs, policies, procedures, and internal controls, and update your internal audits to reflect risks in a post-pandemic environment.
Credit Union Industry Cybersecurity
- Technological advancements provide electronic service platforms and worldwide payment systems to even the smallest credit unions and expand access to financial services. However, these gains come with growing worldwide interconnectivity, which increases vulnerability to attack by malicious threat actors.
- Credit unions of all sizes are potentially vulnerable to cyberattacks and should adopt a heightened state of awareness and, based on risk and resource availability, proactively look for potential threats.
- The prevalence of ransomware, malware, supply-chain vulnerabilities, social engineering, business e-mail compromises, insider threats, and other forms of historical cyber intrusion is creating challenges at credit unions of all sizes and will require ongoing measures for rapid detection, protection, response, and recovery.
- These risks are likely to continue and accelerate in the foreseeable future.
The NCUA’s Cybersecurity Focus
- The NCUA remains vigilant in its cybersecurity posture and continues to focus its efforts on:
  - Advancing consistency, transparency, and accountability within the NCUA’s cybersecurity examination program;
  - Providing credit unions with information and resources to improve their preparedness and resiliency;
  - Safeguarding the NCUA’s systems and information; and
  - Increasing operational resilience in the credit union system to reduce systemic risks.
- The NCUA continues to alert credit unions to the increased likelihood of cyberattacks from geopolitical events.
Proposed Cyber Incident Notification Requirements
- At its July 2022 meeting, the NCUA Board approved a proposed rule that would require a federally insured credit union to notify the NCUA as soon as possible, but no later than 72 hours after it reasonably believes that a reportable cyber incident has occurred.
- This proposed rule is intended to address rapidly evolving cybersecurity threats and the urgent need to maintain a heightened state of awareness and vigilance across the credit union and broader financial services systems.
- The reporting activities required by the proposed rule are a critical step in increasing cybersecurity awareness and protection within the financial system. Federally insured credit unions are the system’s first line of defense.
- To that end, the proposed rule would set parameters for what constitutes a reportable incident and the minimum notification requirements. By doing so, the proposal would align with the Cyber Incident Reporting for Critical Infrastructure Act signed into law in March.
- The proposed rule would also bring the NCUA’s cyber incident reporting framework into greater alignment with those of other federal banking regulators.
- The NCUA expects credit unions to exercise their best judgment in determining whether a substantial cyber incident is reportable to the agency. The NCUA Board anticipates a credit union would need sufficient time to form a reasonable belief that it has experienced a reportable incident.
- Under this proposal, the 72-hour clock starts only once the credit union reasonably believes it has experienced a reportable cyber incident.
- Given the frequency and severity of cyber incidents within the financial services industry, the Board would encourage credit unions to contact the agency if they are uncertain about whether a cyber incident is reportable. The proposed rule emphasizes the earliest possible initial report of an incident, instead of a comprehensive forensic analysis, which takes longer to report.
- Under the proposed rule, a federally insured credit union would be required to report a cyber incident that leads to a substantial loss of confidentiality, integrity, or availability of a member information system because of the exposure of sensitive data, disruption of vital member services, or that has a serious impact on the safety and resiliency of operational systems and processes.
- The NCUA Board expects the term “reasonably believes” to cover not only circumstances where a belief exists but where a reasonable person in the federally insured credit union’s position would hold such a belief.
- The proposed rule was published in the Federal Register on July 27, 2022, with a 60-day comment period. The comment period for the proposed rule ended September 26, 2022.
Third-Party Vendors and Cybersecurity
- Cyber actors continue to focus on exploiting vulnerabilities identified across U.S. infrastructure sectors and systems, including those of third-party providers of information technology services.
- Increasingly, activities fundamental to the credit union mission, such as loan origination, lending services, Bank Secrecy Act/Anti-Money Laundering compliance, and financial management, are being outsourced to third-party entities.
- Credit unions’ use of third-party vendors to provide technological services, including information security and mobile and online banking, is growing. Member data is also stored on vendors’ servers.
- While there are many advantages to using third-party service providers, the concentration of credit union services within credit union service organizations (CUSOs) and third-party vendors presents safety and soundness and compliance risk for the credit union industry.
- The pandemic has accelerated the industry’s movement to digital services and has increased credit union reliance on third-party vendors.
Information Security Examination and Automated Cybersecurity Evaluation Toolbox
- The NCUA is testing an updated Information Security Examination program, a scalable risk-focused information security examination focusing on compliance with NCUA regulations Parts 748 and 749.
- During the IT examination, the examiner:
  - Assesses management’s ability to recognize, assess, monitor, and manage information systems and technology-related risks;
  - Determines whether the board of directors has adopted and implemented adequate IT-related policies and procedures;
  - Evaluates the adequacy of internal IT controls and oversight to safeguard member information; and
  - Assesses management’s ability to oversee and implement resilience, continuity, and response capabilities to safeguard sensitive member information.
- The NCUA released the Automated Cybersecurity Evaluation Toolbox (or ACET), which allows credit unions to conduct self-assessments of their cybersecurity programs. ACET is available on the NCUA’s website at no charge at ncua.gov/cybersecurity.