Dear Board of Directors and Chief Executive Officer:
This letter is intended to assist you in preparing for your next NCUA examination. In 2017, the NCUA began implementing an extended exam cycle, which is expected to be fully implemented by the end of 2018. The extended exam cycle is discussed in more detail in the NCUA Letter to Credit Unions, 16-CU-12, Risk Based Examination Policy. Examiners will continue to use the streamlined small credit union exam program procedures for credit unions with assets up to $50 million and CAMEL ratings of 1, 2, or 3. For all other credit unions, examiners will conduct risk-focused examinations, which concentrate on the areas of highest risk, new products and services, and compliance with federal regulations.
The NCUA’s primary areas of supervisory focus in 2018 are described below.
Cybersecurity remains a key supervisory focus. In 2018, the NCUA will begin implementing the Automated Cybersecurity Examination Tool (ACET) to improve and standardize supervision related to cybersecurity. The ACET provides the NCUA with a repeatable, measurable and transparent process for assessing the level of cyber preparedness across federally insured institutions.
The ACET incorporates appropriate standards and practices established for financial institutions. It also aligns with the Cybersecurity Assessment Tool (opens new window) developed by the FFIEC for voluntary use by banks and credit unions. Therefore, we encourage credit unions to continue to self-assess their cybersecurity and risk management practices using the Cybersecurity Assessment Tool if they do not have an alternative method of assessment.
The NCUA will begin using the ACET in examinations of larger credit unions with over $1 billion in assets. This will allow the NCUA to create a baseline for the cybersecurity maturity level of the largest and most complex institutions, while we continue to test and refine the ACET through 2018 to ensure it scales properly for smaller, less complex institutions. The NCUA will keep credit union system stakeholders informed as changes occur. For more information, visit the NCUA’s Cybersecurity Resources website.
Bank Secrecy Act Compliance
The NCUA remains vigilant in ensuring the credit union system is not used to launder money or finance criminal or terrorist activity. Examiners are required to review credit unions’ compliance with the Bank Secrecy Act and complete the related examination questionnaire at every examination. The Customer Due Diligence regulations for Financial Institutions (31 CFR 1010.230) becomes effective May 11, 2018. Examiners will begin assessing compliance with this new regulation in the second half of 2018. For additional information and resources, see the NCUA’s Bank Secrecy Act website.
Internal Controls and Fraud Prevention
Credit union safety and soundness includes establishing a strong system of internal controls and a comprehensive approach to managing fraud risk. Examiners will continue to evaluate the adequacy of credit union internal controls, as well as overall efforts to prevent and detect fraud.
Interest Rate and Liquidity Risk
On January 1, 2017, examiners began using a revised interest rate risk supervisory tool and examination procedures to assess interest rate risk management practices in credit unions. As not all credit unions were examined in 2017, some credit unions will be examined under the new procedures for the first time in 2018. For more information, see the NCUA Letter to Credit Unions, 16-CU-08, Revised Interest Rate Risk Supervision. Examiners will also increase their focus on liquidity risk management practices given the emerging trends related to on-balance-sheet liquidity.
Examiners will apply additional scrutiny to credit unions with material exposure to higher risk forms of auto lending. Specifically, examiners will focus on portfolios with the following concentrations:
- Extended loan maturities of over 7 years.
- High loan-to-value.
- Near-prime or subprime.
- Indirect lending programs.
For more information, see the NCUA Letter to Credit Unions, 10-CU-03, Concentration Risk.
The NCUA’s revised regulation for commercial lending, Part 723 - Member Business Loans; Commercial Lending (opens new window), went into effect January 1, 2017. Examiners will continue to focus on the credit union’s commercial loan policies and procedures along with assessing the effectiveness of the credit union’s risk management processes. Credit union officials should be prepared to ensure the policy, practices and staffing are appropriate for the type of commercial loans offered. The NCUA’s online Examiner’s Guide (opens new window) provides guidance on the principles of sound commercial lending and NCUA’s supervisory expectations for sound risk-management practices. For more information, see the NCUA Letter to Credit Unions, 16-CU-11, Member Business Loans Guidance Added to Examiner’s Guide.
Beginning in the second quarter, examiners will perform limited reviews of quarterly Loan/Application Registers (LAR), when applicable, to evaluate federal credit unions’ good faith efforts to comply with the Consumer Financial Protection Bureau’s (Bureau) October 15, 2015 and August 24, 2017 amendmendments to Regulation C (Home Mortgage Disclsoure), which implements the Home Mortgaage Disclsoure Act (HMDA). Most of the new HMDA requirements take effect on January 1, 2018. The NCUA’s review of 2018 HMDA data will be diagnostic in nature, designed to help credit unions identify compliance weaknesses in collecting 2018 data for submission in 2019, and will credit good faith compliance efforts.
Recognizing the impending January 1, 2018 effective date of the Bureau’s amendments to Regulation C and the significant systems and operational challenges needed to adjust to the revised regulation, for HMDA data collected in 2018 and reported in 2019, the NCUA does not intend to cite violations for data errors found in the quarterly LARs, nor require data resubmission unless data errors are material. Furthermore, the NCUA does not intend to assess penalties with respect to errors in data collected in 2018 and reported in 2019. However, credit unions subject to HMDA reporting must still collect the data, establish a quarterly LAR, and submit 2018 data by the March 1, 2019 deadline.
Collection and submission of the 2018 HMDA data will provide credit unions an opportunity to identify any gaps in their implementation of amended Regulation C and make improvements in their HMDA compliance management systems for future years. For data collected in 2017, credit unions will submit their reports in 2018 in accordance with the current Regulation C using the Bureau’s HMDA Platform.
Examiners will also evaluate credit unions’ efforts to comply with the Military Lending Act’s restrictions against the use of certain contract terms, as well as the credit card provisions for which compliance began in October 2017. For more information on the Military Lending Act, see the NCUA Regulatory Alert 16-RA-04, Guidance on Regulatory Changes Affecting Military Lenders and Regulatory Alert 16-RA-06, Department of Defense’s Interpretive Guidance on Military Lending Act Limitations on Terms of Consumer Credit Extended to Service Members and Dependents.1
Examiners will also review credit union’s overdraft policies and procedures for compliance with Regulation E. For additional consumer compliance tools and resources, visit the NCUA’s Consumer Compliance Regulatory Resources website.
The NCUA remains committed to protecting America’s federally insured credit unions and their more than 109 million members. If you have any questions about the agency’s 2018 supervisory priorities, please contact your NCUA regional office.
J. Mark McWatters
1 Recent amendments to the Department of Defense’s Interpretive Guidance on the Military Lending Act are available in the December 14, 2017 issue of the Federal Register, available at (opens new window).