This year’s supervisory priorities for the federal regulator of credit unions include credit risk, liquidity risk, consumer financial protection, information security, and interest-rate risk, and more, the agency said in a letter to credit unions issued Monday.
In its letter (24-CU-01) signed by Chairman Todd Harper, the National Credit Union Administration (NCUA) said the credit union system remains stable but has faced balance-sheet strains over the past year, and it said economists are forecasting an economic slowdown as the lagged effects of elevated interest rates take hold. It said the rise in interest-rate and liquidity risks resulted in an increased number of composite CAMELS code 3, 4, and 5 credit unions.
The agency said its supervisory priorities focus on areas posing the highest risk to credit union members, the credit union industry, and the National Credit Union Share Insurance Fund (NCUSIF, credit unions’ federal deposit insurance fund).
Below are excerpts on how the agency will address targeted risks through its examination program:
Credit risk
NCUA examiners will review existing lending programs’ soundness and credit union risk management practices, including any adjustments a credit union made to loan underwriting standards, portfolio monitoring practices, modification and workout strategies for borrowers facing financial hardships, and collection programs. Examiners will carefully consider all factors in evaluating a credit union’s efforts to provide relief for borrowers, including whether the efforts were reasonable and conducted with proper controls and management oversight. Also, examiners will review policies and procedures related to the Allowance for Credit Losses (ACL), documentation of the ACL reserve methodology, the adequacy of ACL reserves, and adherence to generally accepted accounting principles.
Liquidity risk
In evaluating the “L” component of CAMELS to determine the adequacy of a credit union’s liquidity risk management framework, examiners will continue to consider the current and prospective sources of liquidity compared to funding needs. Examiners will review the credit union’s policies, procedures, and risk limits, and also evaluate the adequacy of the credit union’s liquidity risk management framework relative to its size, complexity, and risk profile.
(The agency said it will also continue to examine credit unions against contingency funding needs as discussed in its July 2023 letter 23-CU-06, “Importance of Contingency Funding Plans,” which added an addendum to the 2010 Interagency Policy Statement on Funding and Liquidity Risk Management.)
Consumer financial protection (focus on overdraft, fair lending, auto lending, flood insurance)
In 2024, examiners will continue an expanded review of credit unions’ overdraft programs, including website advertising, balance calculation methods, and settlement processes. The NCUA will also continue to evaluate adjustments credit unions made to their overdraft programs to address consumer compliance risk and potential consumer harm from unexpected overdraft fees.
Regarding fair lending, examiners will review policies and practices for redlining, marketing, and pricing discrimination risk factors.
For auto lending, examiners will review credit unions’ disclosures, policies, and practices to assess compliance with the Truth in Lending Act as implemented by Regulation Z. Examiners will also review credit unions’ policies regarding Guaranteed Asset Protection insurance.
Lastly, examiners will continue to conduct reviews of credit unions’ policies and procedures governing compliance with flood insurance rules.
Information security
Recognizing the importance of cybersecurity, the NCUA continues to prioritize this area as a key examination focus. Examiners will continue to assess whether credit unions have implemented robust information security programs to safeguard both members and the credit unions themselves. Examiners will continue to utilize the information security examination procedures in 2024, ensuring a thorough evaluation of cybersecurity measures.
The NCUA also implemented a new Cyber Incident Notification Reporting Rule, effective September 1, 2023, mandating federally insured credit unions swiftly — within 72 hours — notify the NCUA after the credit union reasonably believes that a reportable cyber incident has occurred. Credit unions should also notify the NCUA if a third-party provider experiences a cyber incident affecting the credit union.
Interest rate risk
In evaluating the “S” CAMELS component, examiners will continue to evaluate whether a credit union proactively manages its IRR and the related risks to capital, asset quality, earnings, and liquidity. Examiners will review a credit union’s IRR program for the following key risk management and control activities:
- Key assumptions and related data sets are reasonable and well documented.
- Back testing and sensitivity testing of the assumption set.
- The credit union’s overall level of IRR exposure is properly measured and controlled.
- Results are communicated to decision-makers and the board of directors.
- Proactive action is taken to remain within safe and sound policy limits.
The agency said it would also continue to focus and update credit unions on supervisory expectations and regulatory updates under the Bank Secrecy Act (BSA) and that the agency remains committed to supporting small credit unions and minority depository institutions (MDIs) through its Small Credit Union and MDI Support Program.