Oct. 20, 2022 – The National Credit Union Administration Board held its ninth open meeting—and second in person—of 2022, and approved the agency’s Enterprise Risk Appetite Statement, which helps the agency align risks and opportunities when making decisions and allocating resources to achieve the agency’s strategic goals and objectives.
The NCUA Board was also briefed on the state of the Central Liquidity Facility (CLF) and cybersecurity trends affecting federally insured credit unions and the broader financial system.
Board Approves New Enterprise Risk Appetite Statement
The NCUA Board unanimously approved the NCUA’s new enterprise risk appetite statement prepared by the agency’s Enterprise Risk Management Council. The statement is a management tool that provides guidance from agency leadership to managers and staff on the amount of risk the NCUA is willing to undertake in pursuit of its objectives.
“The enterprise risk appetite statement presented today is part of the NCUA’s overall management approach. And, I am especially pleased that we will have an averse risk appetite when addressing identified safety and soundness concerns at credit unions,” NCUA Chairman Todd M. Harper said. “This means we will be risk-focused and ready to act expeditiously if needed. I also appreciate that through this statement we will remain focused on ensuring compliance with and enforcement of federal consumer financial protection laws and regulations at credit unions.”
The NCUA’s Enterprise Risk Management Council developed a risk appetite statement through careful consideration and evaluation of the risks the agency faces and focused on achieving several programmatic goals, which included:
- Communicating guidelines about the levels of risk the NCUA is willing to accept in pursuit of its mission and goals;
- Promoting consistency in understanding, measuring, and managing risk across the enterprise;
- Informing agency responses to risks and decision-making to balance limited time and resources; and
- Driving a more risk-aware culture.
Briefing Highlights Central Liquidity Fund’s Status for 3rd Quarter
The Central Liquidity Facility President briefed the NCUA Board on the status of the Central Liquidity Fund as of September 30, 2022. The briefing covered liquidity and contingency funding plans, liquidity sources and needs, CLF advances, and membership requirements. The CLF president also discussed enhancements to the CLF’s processes and structures to ensure it can serve as an effective liquidity backstop for the credit union system should the need arise.
Said Chairman Harper, “The CLF is a vital source of emergency liquidity within the credit union system. However, the pending expiration of the temporary CLF enhancements authorized by Congress at the start of the COVID-19 pandemic remains a very real concern. While we are grateful to Congress for allowing the CLF enhancements of the last few years, there is a real need to keep in place the ability of corporate credit unions to serve as a CLF agent for a subset of their members. That authority will allow us to provide emergency liquidity quickly when needed.”
Financial highlights for the CLF in the third quarter include:
- $1.243 billion in total assets;
- $1.1 million in year-to-date net income;
- $40.5 million in retained earnings;
- 2.24 percent dividend was paid to members of the CLF in the third quarter;
- 3,991 corporate credit unions and consumer credit unions have access to the CLF; and
- $29.1 billion in borrowing authority for the CLF.
The Central Liquidity Facility is an NCUA-operated, mixed-ownership government corporation that was created to improve the general financial stability of credit unions by serving as a liquidity lender to credit unions experiencing unusual or unexpected liquidity shortfalls. Member credit unions own the CLF, which exists within the NCUA. The CLF’s President manages the facility under the oversight of the NCUA Board.
Cybersecurity Threats Continue, NCUA Launches ISE Program at Year-end
Ransomware, cloud migration, and distributed denial-of-service attacks are contributing to a dynamic threat landscape that creates evolving risks for federally insured credit unions, according to a briefing provided to the NCUA Board by the agency’s Critical Infrastructure Division. Additionally, rising geopolitical tensions continue to increase the potential for cyberattacks on the financial system and other parts of the nation’s critical infrastructure.
“Each of us — the NCUA, state supervisory authorities, vendors, and credit unions — has a responsibility to protect our systems, improve our ability to recover from incidents, educate our teams, share information, and report and address potential vulnerabilities,” Chairman Harper said. “Our chain is only as strong as our weakest link, so we all must be hypervigilant to prevent a catastrophic failure.”
The briefing also outlined good cyber hygiene practices, summarized the NCUA’s proposed cyber incident reporting rule, and provided an update on the NCUA’s Information Security Examination (ISE) Program. This new examination program offers flexibility for credit unions of all asset sizes and complexity levels while providing examiners with standardized review steps to facilitate advanced data collection and analysis. These new examination procedures will assist the credit union system in preparing for, withstanding, and recovering from cybersecurity threats. The ISE examination procedures will be deployed at the end of 2022.
The NCUA strongly encourages credit unions to strengthen their cybersecurity programs and preparedness and immediately report known details of cyber incidents to the NCUA, the FBI, and the Cybersecurity and Infrastructure Security Agency.
Credit unions are also encouraged to download and use the NCUA’s Automated Cybersecurity Evaluation Toolbox, or ACET. The ACET is an excellent resource for small credit unions or those credit unions with limited resources to take the first steps in understanding their level of cyber preparedness. Additional cyber-related information and resources are available on the NCUA’s cybersecurity resources webpage.