Letters to Credit Unions No.: 17-CU-02
Risk-Focused Examinations & Compliance Risk
April 2017

In 2002, NCUA moved to a formal risk-focused examination (RFE) program (see Letter to Federal Credit Unions 02-FCU-09). Under the RFE program, NCUA examiners evaluate a credit union’s risk profile against 7 specific risk categories. Category #5 is Compliance Risk, defined by NCUA in the 2002 guidance as:

Risk of violations and non-compliance with applicable laws and regulations resulting in fines, penalties, payment, or damages. Example: If the credit union does not properly train staff regarding compliance with the Bank Secrecy Act, one result could be tellers failing to file required reports for large cash deposits. Failure to properly report could result in substantial penalties.

NCUA has updated the Compliance Risk indicators its examiners use to evaluate credit unions in that category, in order to reflect changes in technology, business models, and members’ banking habits since the list of Compliance Risk indicators was originally developed in 2002. This new guidance gives examiners and credit unions information on the updated risk indicators. The updates took effect March 31, 2017.

Updated Compliance Risk Examination

NCUA’s Compliance Risk assessment encompasses all of the federal consumer financial protection laws and regulations for which it has enforcement authority, as well as other relevant laws and regulations governing the operation of credit unions, such as the Bank Secrecy Act, the Flood Disaster Protection Act, and the SAFE Act. Conclusions about a credit union’s compliance risk, and its management of that risk, are reflected in:

  • the compliance risk rating
  • the Management CAMEL component rating
  • the CAMEL composite rating

NCUA’s Compliance Risk Evaluation focuses on the sufficiency of a credit union’s overall approach to managing compliance risk, that is, its compliance management system.

The updated Compliance Risk Indicators framework has three broad categories:

  1. Board and Management Oversight – Consideration is given to the credit union’s size, complexity and overall risk profile. Consideration is also given to management’s commitment to its compliance program, the effectiveness of change management processes, risk management associated with products, services, and activities, and any self-identification efforts and corrective actions taken.
  2. Compliance Programs – Consideration is given to the credit union’s size, complexity and overall risk profile. In addition, consideration is given to the effectiveness of the credit union’s compliance management system, its policies and procedures, training, monitoring and audit programs, and complaint resolution.
  3. Violations of Law and Consumer Harm – Consideration is given to the pervasiveness of the violation, the root cause and severity of the violation, the extent of consumer harm, and the duration of the violation.