Dear Board of Directors and Chief Executive Officer:
This letter is intended to assist you in preparing for your NCUA examination in 2015. As always, agency field staff will be focusing on the areas of highest risk in the credit union system and compliance with new regulations.
In order to minimize burdens on small credit unions with lower risks, NCUA will be streamlining examinations for credit unions with assets up to $50 million and CAMEL ratings of 1, 2, or 3.
Below are NCUA’s specific areas of supervisory focus for 2015.
Credit unions, like all financial institutions, remain vulnerable to internal and external cybersecurity threats. Last year’s interagency cybersecurity assessment conducted through the Federal Financial Institutions Examination Council (FFIEC) found that many credit unions and banks are not taking basic cybersecurity actions.
In 2015, NCUA will redouble efforts to ensure that the credit union system is prepared for a range of cybersecurity threats.
NCUA field staff will focus on proactive measures credit unions can take to protect their data and their members, including:
- encrypting sensitive data;
- developing a comprehensive information security policy;
- performing due diligence over third parties that handle credit union data;
- monitoring cybersecurity risk exposure;
- monitoring transactions, and
- testing security measures.
Field staff will also be evaluating credit unions’ capacity to recover and resume operations in the event a security breach does occur. Appendix B to NCUA Rules and Regulations Part 748 provides guidance on developing an incident response program that can help a credit union react to a breach. These programs can help the credit union assess the nature and scope of an incident, determine when to contact law enforcement and notify members, and take steps to safely resume operations.
Credit union officials are also encouraged to review the online cybersecurity resources posted by NCUA and the FFIEC’s Cybersecurity and Critical Infrastructure Working Group (opens new window)to promote cybersecurity throughout the financial services industry.
Interest Rate Risk
Exposure to interest rate risk (IRR) remains a primary concern for all federal financial institution regulators, due to continued uncertainty about monetary policy and the direction of short-term interest rates.
While most credit unions managed through interest rate hikes in the past, some credit unions may not be as well positioned this year due to higher concentrations of net long-term assets and unrealized losses.
Throughout 2015, NCUA field staff will continue to use existing guidance to assess credit unions’ IRR exposure. The agency is also in the process of updating this guidance to ensure that IRR is assessed accurately and that the appropriate supervisory steps are taken in response to excessive IRR exposure.
In addition, field staff will evaluate credit unions’ compliance with NCUA’s Interest Rate Risk Rule, which requires credit unions with assets over $50 million to draft and implement a written IRR policy and develop a program to identify, measure, monitor, and control IRR.
NCUA’s IRR guidance and rule requirements are posted on the Interest Rate Risk Resources webpage.
Bank Secrecy Act Compliance
NCUA remains vigilant in ensuring that the credit union system is not used to launder money or finance criminal or terrorist activity. The Bank Secrecy Act (BSA) prescribes certain recordkeeping and reporting requirements to detect this type of activity, and all credit unions must perform the required procedures. NCUA field staff are required to review credit unions’ compliance with BSA and to complete the BSA questionnaire at every examination.
In 2015, NCUA field staff will continue to assess credit unions’ compliance with the Bank Secrecy Act, with a focus on credit unions’ relationships with money services businesses (MSBs).
Credit unions can provide services to MSBs while meeting their BSA requirements, but they should be aware of the unique risk exposure MSBs can present. The agency recently issued guidance to field staff to educate them about MSBs and steps credit unions can take to mitigate the money-laundering risks posed by MSBs.
NCUA and the other federal banking agencies have established minimum expectations that credit unions should meet when providing services to MSBs, including:
- identifying customers;
- ensuring that each MSB is registered with the Financial Crimes Enforcement Network (FinCEN) and in compliance with state and local licensing requirements; and
- conducting a BSA/Anti-Money Laundering risk assessment to document the level of risk associated with each MSB account and determine whether greater due diligence is necessary.
Field staff will be looking to verify that credit unions are meeting these expectations.
For compliance information and additional resources, see the Bank Secrecy Act page on NCUA’s website and the December 2014 Letter to Federally Insured Credit Unions on Identifying and Mitigating Risks of Money Service Businesses.
Liquidity and Contingency Funding Plans Rule
NCUA’s liquidity rule (§741.12), which became effective in March 2014, is intended to ensure that all credit unions conduct sound liquidity planning. Depending on asset size, credit unions are subject to different requirements under the rule, and field staff will be looking for full compliance with relevant provisions.
Compliance guidance is detailed in the October 2013 Letter to Federally Insured Credit Unions on Liquidity and Contingency Funding Plans (opens new window).
For example, credit unions with assets of $250 million or more are required to establish and document access to at least one contingent federal liquidity source—the Federal Reserve Discount Window, the Central Liquidity Facility, or both—for use in times of financial emergency or distressed economic circumstances. These credit unions must also conduct advance planning and periodic testing to ensure that contingent funding sources are readily available when needed. Compliance with this provision of the rule was required by December 31, 2014. In 2015, field staff will be assessing compliance with this provision and evaluating contingent funding testing results at credit unions with assets of at least $250 million.
TILA-RESPA Integrated Disclosure Rule
On August 1, 2015, credit unions that originate residential mortgages will be required to comply with the Consumer Financial Protection Bureau’s (CFPB’s) TILA-RESPA Integrated Disclosure Rule (opens new window). The rule requires loan originators to provide consumers with:
- A Loan Estimate form, which combines the initial Truth in Lending Act (TILA) disclosure and the Good Faith Estimate. The Loan Estimate form must be delivered or placed in the mail no later than the third business day after receiving a consumer’s mortgage application.
- A Closing Disclosure form, which combines the final TILA disclosure and the HUD-1 Settlement Statement. The Closing Disclosure form must be provided to the consumer at least three business days prior to consummation of the mortgage.
The new rule also imposes record retention requirements and restricts mortgage originators from imposing certain fees, providing estimates, or requiring consumers to verify information before providing consumers with a Loan Estimate form.
After the rule goes into effect, NCUA field staff will assess credit unions’ compliance with relevant provisions.
Ability-to-Repay and Qualified Mortgage Standards Rule
Credit unions have had a full year to come into compliance with the CFPB’s mortgage rule, which:
- Requires certain mortgage lenders to consider eight specific factors to assess a borrower’s ability to repay a loan, and
- Provides certain legal protections to loans that meet the ability-to-repay requirement and other underwriting criteria (i.e., “Qualified Mortgages”).
In 2015, field staff will be looking at credit unions’ compliance with the required provisions, and ensuring that their mortgage lending programs are being operated in a safe and sound manner.
For a summary of CFPB’s mortgage rule and compliance guidance, see NCUA’s January 2014 Letter to Federally Insured Credit Unions on CFPB’s Ability-to-Repay and Qualified Mortgage Rule.
Small Credit Union Exam Program
Each year, NCUA looks for opportunities to reallocate staff time and resources in order to make the examination process more efficient and effective. In 2015, NCUA’s Small Credit Union Examination Program (SCUEP) will employ a defined-scope exam approach that focuses staff attention on the primary areas of risk for small credit unions: internal controls, recordkeeping, and lending. This narrower, defined scope requires field staff to focus on risk exposures in the areas that, historically, have led to small credit union failures and losses to the National Credit Union Share Insurance Fund.
When fully implemented by the second quarter of 2015, the new SCUEP examination will involve more transactions testing and a three-tiered review. The first tier includes standard, required procedures; subsequent tiers require more in-depth analysis and testing triggered by red flags or concerns.
The table below summarizes the type of examination each federal credit union (FCU) will receive, depending on its overall CAMEL rating, size, and complexity.
Type of FCU Exam by CAMEL Rating and Asset Size
NCUA continues to monitor trends in credit unions’ loan portfolios. Credit unions have begun to offer new loan products and services in recent years. While these areas can offer opportunities to serve members and expand loan portfolios, credit unions should be sure to perform adequate due diligence and to properly manage risk.
For guidance on specialized lending—including indirect lending, third-party lending, and subprime lending—see the August 2010 Letter to Federally Insured Credit Unions on Appropriate Due Diligence (opens new window).
As you can see, NCUA will be working on several fronts in the coming year to protect the safety and soundness of America’s federally insured credit unions and the nearly 100 million members who put their trust in us. We look forward to working with you to achieve this goal.
If you have any questions about your credit union’s NCUA examination, please contact your Examiner, Supervisory Examiner, or Regional Office.