Cybersecurity may be at the top of the “primary issues of supervisory focus” for 2018 by the federal regulator of credit unions, but easing of citations for disclosure violations of mortgage loan data will likely receive the most attention from a letter sent to federally insured credit unions this week.
In its “Letter to Credit Unions” (LTCU 17-CU-09), the National Credit Union Administration (NCUA) outlined seven issues of supervisory focus (including cybersecurity) for 2018. In addition, the letter indicates the agency would fall in line with other federal regulators in not citing violations for data errors, nor requiring data resubmissions in the absences of material errors, found in quarterly reports related to the Consumer Financial Protection Bureau’s (CFPB) Regulation C under the Home Mortgage Disclosure Act (HMDA).
The letter, the agency said, is intended to help credit unions prepare for examinations in 2018 – which will be the first full year of an “extended exam cycle” by NCUA. Under that regimen, agency examiners will use “streamlined” small credit union exam program procedures for those with assets up to $50 million and CAMEL ratings of 1, 2, or 3. All others will be subject to a risk-focused exam, which concentrate on areas of highest risk, new products and services, and compliance with federal regulations.
In cybersecurity, the agency said it would be using the Automated Cybersecurity Examination Tool (ACET), which it said would standardize cybersecurity supervision. The tool, the agency said, will be used at first in exams of credit unions with more $1 billion in assets. Results from those exams, NCUA said, will set a baseline for the “largest and most complex institutions” while testing and refinement of the tool “ensures it scales properly for smaller, less complex institutions.”
The other six areas of focus for the agency in 2018, according to the letter, are:
- HMDA reporting: Starting in the second quarter, NCUA said examiners will perform limited reviews of quarterly Loan/Application Registers (LAR), when applicable, to evaluate federal credit unions’ good faith efforts to comply with the Consumer Financial Protection Bureau’s (CFPB) amendments to Regulation C (under HMDA), most of which take effect Jan. 1. “The NCUA’s review of 2018 HMDA data will be diagnostic in nature, designed to help credit unions identify compliance weaknesses in collecting 2018 data for submission in 2019, and will credit good faith compliance efforts.” To that end, NCUA said it does not intend to cite violations for data errors found in the quarterly LARs or to require data resubmission unless data errors are material. “Furthermore, the NCUA does not intend to assess penalties with respect to errors in data collected in 2018 and reported in 2019,” the agency stated. However, credit unions subject to HMDA reporting must still collect the data, establish a quarterly LAR, and submit 2018 data by the March 1, 2019, deadline.
- Bank Secrecy Act (BSA) compliance: The agency intends to begin assessing compliance with Customer Due Diligence regulations (which take effect May 11) during the second half of the year. Additionally, examiners are required to review credit union BSA compliance and complete the related examination questionnaire at every examination.
- Internal controls, fraud prevention: Examiners will continue to evaluate the adequacy of credit union controls, as well as overall efforts to prevent and detect fraud.
- Interest rate, liquidity risk (IRR): Some credit unions will be examined for the first time in 2018 under new IRR exam procedures that were instituted in 2017, the agency said. Examiners will also increase their focus on liquidity risk management practices “given the emerging trends related to on-balance-sheet liquidity.”
- Auto lending: Material exposure to higher risk forms of auto lending will be under scrutiny, particularly portfolios that concentrate on extended loan maturities of over seven years, high loan-to-value, near-prime or subprime and indirect lending programs.
- Commercial lending: Examiners will focus on credit unions’ commercial loan policies and procedures “along with assessing the effectiveness of the credit union’s risk management processes” under the agency’s revised regulations that took effect at the beginning of 2017.