Fair Lending Policy and Loan Policy
Fair lending laws are designed to provide fair and equal access to credit, based on individual creditworthiness, without regard to a prohibited basis such as race, gender, or national origin. The fair lending policies and procedures should clearly state how the credit union will comply with fair lending laws and enable the credit union to serve the entire field of membership.
The board of directors and senior management will need to understand and convey to all credit union staff that they are responsible and accountable for complying with fair lending laws and regulations. Policies and procedures concerning the approval of credit, loan underwriting, pricing, and servicing standards need to be clearly written and understood. Fair lending training should be provided for all credit union employees and officials involved in the lending process. Include training for employees who take applications, originate loans, service loans, and collect delinquent loans. Additionally, the supervisory committee and any internal audit staff should incorporate an assessment of compliance with the credit union’s fair lending policies as a component of their review procedures.
Loan policies need to identify the type of lending programs to be offered in the first two years of operation. Specifically, policies should describe the type of loans, dollar limitations, terms and interest rates, maturity, collateral and insurance requirements, and other issues within each lending program. State the factors and parameters (such as credit standards) for processing a loan within each lending program.
Ensure the loan policies address compliance with the appropriate consumer lending regulations, including:
- The Truth in Lending Act (Consumer Financial Protection Bureau Regulation Z, 12 CFR Part 1026);
- Equal Credit Opportunity Act (CFPB Regulation B, 12 CFR Part 1002); and
- Fair Credit Reporting Act (CFPB Regulation V, 12 CFR Part 1022).
More advanced lending products, such as mortgage loans, will require compliance with the Real Estate Settlement Procedures Act (RESPA – CFPB Regulation X, 12 CFR Part 1024), Fair Housing Act, and the Home Mortgage Disclosure Act (HMDA – CFPB Regulation C, 12 CFR Part 1003), among other requirements.
Review the following NCUA Regulations pertaining to loans or loan-related matters:
- §701.21, Loans to Members and Lines of Credit to Members;
- §701.22, Loan Participation (Letters to Credit Union 08-CU-26 and 13-CU-07 also provide information);
- §701.23, Purchase, sale, and pledge of eligible obligations;
- §701.31, Nondiscrimination Requirements;
- §702.304(a)(3), Restriction on Member Business Loans;
- Part 717, Fair Credit Reporting;
- Part 722, Appraisals;
- Part 723, Member Business Loans; Commercial Lending;
- Part 760, Loans in the Areas Having Special Flood Hazard; and
- Part 761, Registration of Residential Mortgage Loan Originators.
Additional guidance on lending matters can be found under the NCUA’s Letters to Credit Unions and Other Guidance section of the website.
Ensure the collections policy outlines collection practices, including information such as who is responsible for collections contacts; what are the timeframes and collection contacts/actions to be taken, such as reminder notices, letters, telephone calls, repossessions, foreclosures, or referrals to a collection agency or attorney. The policy should also identify how often collection efforts will be documented and tracked, and board reporting requirements.
Loan Charge-Off Policy
Develop a policy outlining charge-off practices. See NCUA Letter to Credit Unions 03-CU-01, Loan Charge-Off Guidance for additional information.
Allowance for Loan and Lease Losses (ALLL) Policy
Develop an ALLL policy addressing the methodology and documentation requirements to fund the ALLL account. For additional guidance, refer to Letter to Credit Unions 02-CU-09 and Accounting Bulletin AB 06-01.
Ensure the investment policy addresses all requirements outlined in Part 703 of the NCUA’s Regulations, such as permissible investments; explains how interest rate, liquidity, credit, and concentration risk will be managed; identifies who has investment authority and the extent of their authority, approved broker-dealers, approved safe keepers; and any other requirements. See Letter to Credit Unions 10-CU-18, Investment Due Diligence for guidance on investments.
Identify how cash will be handled and the permissible amount to be held on the credit union’s premises. The amount of cash in teller drawers, vaults, etc. must be based on the bonding limits from an approved bond company. See section 713.5 of the NCUA’s Regulations for more information on the minimum bond coverage required.
Having a cash operation has Bank Secrecy Act implications, such as filing of Currency Transaction Reports (CTR) and Suspicious Activity Reports (SAR), which should be further addressed in the PFCU’s Bank Secrecy Act (BSA) policy.
Bank Secrecy Act/Customer Identification/Customer Due Diligence Program
Ensure these policies address all applicable requirements. Refer to the interagency Bank Secrecy Act/Anti-Money Laundering (BSA/AML) Examination Manual developed by the Federal Financial Institutions Examination Council member agencies, for information on the policy requirements, including how a member’s identity will be verified. The BSA program needs to be commensurate with the PFCU’s respective BSA/AML risk profiles and address the following required elements:
- System of internal controls;
- Independent testing;
- Designated person or persons responsible;
- Training; and
- Customer due diligence.
In general, BSA requires credit unions to track cash transactions and purchases of cash equivalents, such as money orders, and to comply with other recordkeeping and reporting requirements. The forms used most frequently by credit unions to report transactions are the Currency Transaction Report and the Suspicious Activity Report.
The Customer Identification Program (CIP)/Customer Due Diligence (CDD) policy must detail the method to verify a person’s identity and include risk-based procedures for conducting ongoing customer due diligence and complying with beneficial ownership requirements for legal entity customers. It should indicate who will handle or respond to the information sharing requests (commonly known as 314a lists) provided by the Financial Crimes Enforcement Network (FinCEN).
Separate policies may be developed for BSA, CIP, and CDD if preferred. BSA regulatory requirements are located in Sections 748.1 and 748.2 of NCUA’s Regulations. Additional guidance is found on the NCUA’s Bank Secrecy Act Resources site in the National Credit Union Administration’s section of the FFIEC BSA/AML Examination Agency Resources site.
The BSA statute and implementing regulations can be viewed on FinCEN’s website.
Office of Foreign Assets Control (OFAC) Policy
Develop an OFAC policy addressing compliance, including appropriate actions to block, freeze, or prohibit transactions with persons and countries contained on the Specially Designated Nationals (SDN) and Blocked Persons list. Credit unions must take steps to download or otherwise obtain the SDN list from OFAC on a regular basis. Many data processing vendors have incorporated OFAC reviews, including the download of updated SDN lists, in their daily processing and monthly closing routines. Section 314 of the USA Patriot Act addresses cooperative efforts between law enforcement agencies and financial institutions to deter money laundering.
Truth-in-Savings (TIS) Policy
Develop TIS disclosures that comply with Part 707 of the NCUA’s Regulations. TIS disclosures outline the share products and include the terms, interest rates, maturity, fees, procedure for payment of dividends, etc., for each of the share products. NCUA Regulations section 701.35 covers permissible share accounts; permissible non-member deposits are outlined in section 701.32.
Director Fiduciary Duties
Develop a policy addressing the fiduciary responsibilities of the board of directors. The board of directors is responsible for the general direction and control of the credit union, including the ability to:
- Carry out the duties of a director in good faith and in the best interests of the membership;
- Administer the affairs of the credit union fairly, impartially, and without discrimination;
- Direct management’s operations in conformity with the Federal Credit Union Act, the NCUA’s Regulations, other applicable law, and sound business practices; and
- Develop a working familiarity with basic finance and accounting practices, including the ability to read and understand the credit union’s balance sheet and income statement and to ask, as appropriate, substantive questions of management and the internal and external auditors within six months of appointment or election.
The policy should also include training available to implement the objectives listed above. Section 701.4 of the NCUA’s Regulations and Letter to Federal Credit Union 11-FCU-02, Duties of Federal Credit Union Boards of Directors address directors’ fiduciary duties.
Develop, in accordance with section 701.33(b)(2)(i) of the NCUA Regulations, written policies and procedures, including documentation requirements, for the payment of reasonable and proper costs incurred by an official in carrying out the official’s responsibilities, if the board of directors determines the payment is necessary or appropriate to carry out the official business of the credit union. Such payment includes reimbursement to a credit union official or direct credit union payment to a third party.
Asset Liability Management (ALM) Policy
Ensure the asset liability management policy addresses interest rate risk limits, monitoring, reporting, and controls. ALM is a process of evaluating balance sheet risk (interest rate and liquidity risks) and making prudent decisions, which enables a credit union to remain financially viable as economic conditions change. An ALM policy is necessary to control interest rate risk and liquidity risk associated with longer term investments, real estate loans, and business lending activities. The following Letters to Credit Unions and the Examiner’s Guide provide additional information:
- 00-CU-14, Liquidity and Balance Sheet Management
- 01-CU-08, Liability Management Highly Rate-Sensitive Volatile
- 03-CU-11, Non-Maturity Shares and Balance Sheet Risk
- 10-CU-06, Interagency Advisory on Interest Rate Risk Management
- 10-CU-14, Strengthening Funding and Liquidity Risk Management
- 12-CU-05, Interest Rate Risk Policy and Program Requirements
- 12-CU-11, Interest Rate Risk Policy and Program Frequently Asked Questions
- 13-CU-10, Guidance on How to Comply with NCUA Regulation §741.12 Liquidity and Contingency Funding Plans
- 16-CU-08, Revised Interest Rate Risk Supervision
Develop a liquidity policy that addresses:
- Minimum cash levels;
- Concentration limits in loans, investments, fixed assets, and other areas;
- Approved liquidity sources such as a corporate credit union line of credit, correspondent banking relationships, Federal Home Loan Bank membership, the NCUA’s Central Liquidity Facility, or Federal Reserve System; and
- Reporting and monitoring requirements.
Adequate liquidity management helps ensure management has sufficient funds available to meet demands for loans and share withdrawals. Section 741.12 of NCUA’s Regulations, the Examiner’s Guide, and Letters to Credit Unions 10-CU-14, Strengthening Funding and Liquidity Risk Management and 13-CU-10, Guidance on How to Comply with NCUA Regulation §741.12 Liquidity and Contingency Funding Plans provide information on liquidity and contingency funding plans.
Vendor Management/Third-Party Relationships
Develop a vendor management policy that addresses planning, due diligence, and controls required before engaging in third-party relationships. The level of planning, due diligence, and controls required to safely engage in any relationship depends upon the credit union’s risk profiles and the type of relationship with the vendor. Letters to Credit Unions 08-CU-09, Evaluating Third Party Relationships Questionnaire; 07-CU-13, Evaluating Third Party Relationships; and 01-CU-20, Due Diligence Over Third Party Service Providers provide information on vendor/third-party relationships.
Establish an e-commerce policy when the business plan calls for delivering financial services electronically, including the internet and audio response. This policy should address procedures that monitor and control activities relating to the electronic delivery of financial services. The following Letters to Credit Unions provide guidance on e-commerce:
- 11-CU-09, Online Member Authentication Guidance Compliance Required by January 2012
- 06-CU-13, Authentication for Internet Based Services
- 05-CU-18, Guidance on Authentication in Internet Banking Environment
- 03-CU-08, Web linking Identifying Risks Risk Management Techniques
- 02-CU-17, Security Program
- 01-CU-12, e-Commerce Insurance Considerations
Ensure this policy adequately addresses the federal consumer protection laws and regulations pertaining to electronic delivery of financial services, specifically the Electronic Fund Transfers Act (CFPB Regulation E, 12 CFR Part 1005) and Electronic Signatures in Global and National Commerce Act (E-SIGN Act, codified at 15 U.S.C. §§ 7001-7006, 7021, and 7031).
Develop a security program covering the following areas:
- Protecting each credit union office from robberies, burglaries, larcenies, and embezzlement;
- Ensuring the security and confidentiality of member records (hardcopy and electronic records); and
- Preventing the destruction of vital records.
As appropriate, the security policy needs to address the requirements and guidelines of the NCUA’s Regulations Part 748, Appendix A (Safeguarding Member Information), Appendix B (Incident Response Programs), and Part 749 (Records Preservation Program). Letters to Credit Unions 06-CU-07, IT Security Compliance Guide for Credit Unions and 02-CU-12, Security Program also provide guidance on developing a security program. Regulatory Alert 11-RA-03, Security Incidents Prevention and Detection addresses cybersecurity prevention and detection.
Disaster Recovery and Business Continuity or Resumption Policy
Establish a disaster recovery policy that covers potential disasters and describes what staff must do and who they must notify in the event of a disaster. The policy should also indicate where back-up records will be stored or maintained. For guidance on disaster recovery programs, see Risk Alert 06-RISK-01, Disaster Planning and Response and the following Letters to Credit Unions:
- 11-CU-13, Emergency Financial Services for Disaster Victims
- 09-CU-13, Hurricane Preparedness and Pandemic Planning
- 08-CU-07, Evaluating Risk Management of Remote Deposit Capture Questionnaire
- 08-CU-01, Guidance on Pandemic Planning
- 06-CU-12, Hurricane Preparedness and Pandemic Planning
- 01-CU-21, Disaster Recovery and Business Resumption
Ensure the policy includes business continuity and resumption procedures during failures affecting telecommunications networks, telephone lines, power grids, and water and sanitation systems.
Identity Theft Red Flags, Credit Report Address Discrepancies, and Records Disposal
Develop and implement written identity theft prevention programs under the Red Flags Rules, which implement part of the Fair and Accurate Credit Transactions Act of 2003 (FACTA). Under these rules, financial institutions and creditors with covered accounts must have identity theft prevention programs in place to identify, detect, and respond to patterns, practices, or specific activities that could indicate identity theft.1 For more information, refer to Letter to Credit Unions 08-CU-24, Identity Theft Red Flags Procedures and Regulatory Alert 09-RA-06, Identity Theft Red Flags and Address Discrepancies Guidance.
FACTA also requires users of credit reports to implement reasonable policies and procedures to use when the user receives a notice of address discrepancy from a credit reporting agency. Additionally, credit unions and other financial institutions are required to adopt measures for properly disposing of consumer information derived from credit reports.2
Procedures for Major Operational Areas
In addition to the written policies in the section above, written procedures must be developed for all major areas of operations, including, but not limited to, record retention; maintaining and balancing general ledger accounts; capitalization or expenditure of purchases; and fixed asset calculation and limit.
Policies for Advanced Services
Policies should be established for any complex or higher-risk services planned for implementation during the first two years of operations. For example, a share draft program should have a policy to address the terms of the program, including who will qualify for an account, when an account will be closed, overdraft procedures, fees, clearing procedures, third party relationships, and compliance with the Expedited Funds Availability Act and the Check Clearing for the 21st Century Act (Codified in Regulation CC, 12 CFR Part 229), the Truth-in-Savings Act, and the Reserve Requirements of Depository Institutions (Regulation D, 12 CFR 204). A credit union must also have a policy to address overdraft protection procedures, if applicable, as required in NCUA’s Regulations section 701.21(c)(3). See Letters to Credit Unions 05-CU-03, Overdraft Protection Bounce Protection Programs and 05-CU-21, Overdraft Courtesy Pay Programs; and Regulatory Alert 10-RA-12, Member Notice Requirements for Overdraft Services for information on overdraft courtesy pay programs.
Documentation Required for Developed Policies
- Provide draft copies of all written policies.
1 For FCUs, the red flags rules appear in NCUA Regulations Part 717, Subpart J (Identity Theft Red Flags) and Appendix J (Interagency Guidelines on Identity Theft Detection, Prevention, and Mitigation).
2 For FCUs, the credit report address discrepancies and disposal of consumer information rules appear in the NCUA’s Regulations Part 717, Subpart I (Duties of Users of Consumer Reports Regarding Address Discrepancies and Records Disposal).