Letter to Credit Unions No.: 16-CU-01 Supervisory Priorities for 2016
January 2016

NCUA has published its supervisory priorities for 2016. These are the areas of emphasis for NCUA examiners as they scope their exams over the next 12 months. While NCUA will continue to use the streamlined small credit union exam program procedures for credit unions with assets up to $50 million and CAMEL ratings of 1, 2, or 3, for all other credit unions NCUA will place particular emphasis on:

Cybersecurity Assessment
NCUA will continue to evaluate credit unions’ cybersecurity risk management in 2016. Credit union should familiarize themselves with the June, 2015, Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool. The FFIEC tool provides a methodology by which credit unions (and other depositories) may evaluate their preparedness to manage information security and protect member data.

While credit unions are not technically required to use the FFIEC tool, NCUA expects all federally insured credit unions to conduct cybersecurity risk assessments and self-evaluations. NCUA will be incorporating the FFIEC tool into the AIRES exam platform and assessing cybersecurity preparedness will be integrated into the exam process by mid-2016.

Response Programs for Unauthorized Access to Member Information
NCUA examiners will also be reviewing credit unions’ incident response programs. These programs are governed by Appendix B to Part 748 of NCUA rules and regulations, Guidance on Response Programs for Unauthorized Access to Member Information and Member Notice. For FISCUs, Part 748 applies by incorporation in § 741.214.

Bank Secrecy Act Compliance
NCUA examiners are required to review credit unions’ compliance with the Bank Secrecy Act at every examination.  In 2016, NCUA examiners will continue to focus on credit unions’ relationships with money services businesses (MSBs). MSBs present a higher risk and should be monitored as such with a credit union’s BSA program. In 2014, NCUA issued MSB related guidance, Identifying and Mitigating Risks of Money Service Businesses, describing steps credit unions should take to mitigate BSA risks posed by MSBs. A NASCUS summary of the guidance is available here.

Credit unions providing services to MSBs must, at a minimum:

  • Perform customer identification program procedures;
  • Ensure each MSB is registered with the Financial Crimes Enforcement Network (FinCEN) and is in compliance with state and local licensing requirements; and
  • Conduct a BSA/anti-money laundering risk assessment to document the level of risk associated with each MSB account and determine whether greater due diligence is necessary.

Interest Rate Risk (IRR)
NCUA is in the process of updating IRR guidance, to be published in 2016. In addition, NCUA will transition to revised IRR examination procedures over the course of 2016. NCUA examiners will receive training on the new IRR exam procedures in April of 2016 and be incorporating their new training throughout the remainder of 2016. NCUA’s IRR rules and guidance are available at § 741, Requirements for Insurance and Appendix B to § 741, Guidance for an Interest Rate Risk Policy and an Effective Program.

TILA-RESPA Integrated Disclosure Rule (TRID)
Credit unions that have accepted applications for real estate loans on or after October 3, 2015 (except for home equity lines of credit, reverse mortgages, and commercial loans) are required to comply with the TILA-RESPA integrated disclosure rule (TRID), adopted by the CFPB. The TRID rule requires loan originators to provide consumers with two disclosures: 

  • Loan Estimate Disclosure – Combines Truth in Lending Act disclosure and Good Faith Estimate.  The loan estimate disclosure must be delivered or placed in the mail no later than the 3rd business day after receiving a consumer’s mortgage application. 
  • Closing Disclosure – Combines the final TILA disclosure and the HUD-1 Settlement Statement.  The closing disclosure must be provided to the consumer at least three business days before the consummation of a mortgage.

The TRID also imposes record retention requirements and restricts mortgage originators from imposing certain fees, providing estimates, or requiring consumers to verify information before providing a loan estimate to a consumer.  More information is available at Consumer Compliance Regulatory Resources page on NCUA’s website.

In addition to NCUA focusing on TRID compliance, NASCUS notes that the CFPB has emphasized TRID compliance will one of its priorities for 2016.

CUSO Reporting
NCUA’s CUSO reporting rule became effective June 30, 2014. The rule requires all federally insured credit unions that invest in or lend to a CUSO to enter into a written agreement requiring the CUSO to submit annual reports directly to NCUA and the state supervisory authority, if applicable. NCUA’s CUSO registry will begin accepting registration on February 1, 2016, and CUSOs will have until March 31, 2016 to register. More information on the CUSO registry and the process in 2016 is available in NCUA Letter to Credit Unions 16-CU-02.


Back to NASCUS Regulatory Affairs