LTCU: (21-CU-13) Subordinated Debt Final Rule Effective January 1, 2022
November 2021
NCUA’s LTCU was issued to reminder to FICUs that the final subordinated debt rule (NASCUS summary here) becomes effective on January 1, 2022. The final rule amends various parts of the NCUA ’s regulations to permit low-income designated credit unions, complex credit unions, and new credit unions to issue subordinated debt for purposes of regulatory capital treatment.
For low-income designated credit unions (LICUs) any secondary capital issuances occurring after January 1, 2022, will be subject to the requirements of the final rule including re-approval pursuant to the subordinated debt rule.
NCUA is considering a rule change that would allow LICUs to issue secondary capital under a plan approved in 2021, irrespective of the date of issuance, provided such issuances are to the United States government or one of its subdivisions. NCUA will likely finalize this rule change before December 31, 2021.
NCUA recommends LICUs planning on submitting a secondary capital plan to take advantage of the current rules do so as soon as possible given the 45-day review period. LICUs may also wish to consider submitting plans pursuant to the subordinated debt rules taking effect on January 1, 2022 to avoid having to resubmit a plan if their submission is not approved prior to that date.
LTCU 21-CU-12 Internal Revenue Service’s Volunteer Income Tax Assistance Program Collaboration Opportunities
November 2021
Credit unions have until November 15, 2021, to contact the Internal Revenue Service (IRS) to inquire about participating in the IRS’ Volunteer Income Tax Assistance (VITA) program ([email protected]).
The VITA program provides education for consumers on refundable credits, such as the Earned Income Tax Credit (EITC) and the Child Tax Credit (CTC). Credit unions may participate in the VITA program by:
- Promoting the VITA program and eligibility requirements through social media, member statements, and/or hosting links to the VITA Locator Tool, and/or the IRS Free File;
- Providing space and equipment at credit union facilities for members to prepare their own tax returns; and
- Hosting IRS-certified volunteers onsite at the credit union to assist members.
NCUA notes that for credit unions, the benefits of participating in the VITA program include:
- Potential to attract new members,
- Asset and wealth building opportunities for members,
- Greater financial education and financial stability among members,
- Opportunities to partner with other community-based organizations,
- Increased membership benefit offerings/potential increased membership loyalty,
- Continuing professional education credits for qualified VITA-trained volunteers,
- Free income tax preparation software or online access for credit unions and their members.
Credit union interested in participating in VITA program can learn more about the program at IRS Partner and Resource Center and Volunteer Site Coordinator Handbook. Interested credit unions should review their operations and strategic plans to determine if the program is a good fit that credit union. Grants and other funding resources are available from NCUA and IRS.
Final Rule Summary: FCU CUSOs (Parts 712)
October 2021
Prepared by NASCUS Legislative & Regulatory Affairs Department
NCUA has issued a final rule related to federal credit union (FCU) credit union service organizations (CUSOs). NCUA’s final rule expands the list of permissible activities and services for CUSOs to include the origination of any type of loan that a FCU may originate and grants NCUA additional flexibility to approve permissible activities and services.
NCUA had also solicited comments in the proposed rule about whether to allow FCUs to invest in certain non-CUSO entities. NASCUS supported so doing, and NCUA noted NASCUS’s recommendation to allow FCUs to invest in certain federally insured state credit union (FISCU) CUSOs without those CUSOs then being subject to NCUA’s CUSO rule’s permissible activities provisions (those provisions do not currently apply to FISCU CUSOs). While not included in this final rule, NCUA did note it would consider that change at a later date.
The CUSO final rule may be read here. The rule becomes effective November 26, 2021.
The NCUA Board vote to approve the rule was a 2-1 vote. Competing views of the proposal are reflected in the enclosed statements by NCUA Chairman Harper (opposed) and NCUA Board member Hood (in favor).
Summary
- FCU CUSOs may now originate any type of loan that an FCU may originate.
NCUA will now permit FCU CUSOs to originate any type of loan that an FCU may originate. Prior to this rule change, FCU CUSOs were only permitted to make business, consumer mortgage, student, and credit card loans. NCUA limited FCU CUSO lending for the following reasons:
- FCU CUSOs may serve customers who are not members of a credit union and NCUA was concerned FCUs would then be profiting from non-members.
- NCUA believed if the FCU CUSO was making member loans, NCUA would have a duty to examine those loans.
- NCUA believed permitting FCU CUSOs to engage in a core credit union function could negatively affect affiliated credit union services.
NCUA cites the following mitigating factors for lifting the previous limitations:
- Although NCUA lacks 3rd party authority, FCUs may only lend or invest 1% of their paid-in and unimpaired capital and surplus, into their CUSOs (aggregate).
- Part 712.3(d) requires all FICUs that own CUSOs to stipulate by contract that NCUA has access to the CUSOs books and records.
- NCUA has broad investigative subpoena authority that agency staff can use to obtain records and testimony in certain extraordinary circumstances if needed.
- That most FCU CUSO loans are sold to FICUs which in turn are subject to examination and enforcement.
- The fact that 72% of natural person credit union CUSOs are wholly owned giving NCUA leverage over the FICU owner.
In addition to permitting a FCU CUSO to originate any type of a loan a FCU may make, FCU CUSOs are now permitted to purchase, sell, and hold any type of loan permissible for FCUs to purchase, sell, and hold. Under the final rule, FCU CUSO originated loans are not subject to the same restrictions as loans originated by FCUs. However, an FCU may not purchase a loan from a CUSO unless the loan meets the requirements of the NCUA’s eligible obligations rule. Similarly, an FCU may not purchase a loan participation from a CUSO unless it complies with the NCUA’s loan participations rule
With respect to loan participations, the final rule permits FCU CUSOs to purchase and sell only participation interests that are permissible for FCUs to purchase and sell.
- All FCU CUSO loan originations are now considered complex or high risk and subject to the enhanced reporting requirements pursuant to the CUSO registry.
Under the current CUSO rule, a CUSO must submit an annual report to NCUA for inclusion in the CUSO registry. CUSOs that are engaged in complex or high-risk activities have enhanced reporting obligations for the registry. Pursuant to § 712.3(d)(4) complex or high-risk CUSOs must agree to include in their report:
- A list of services provided to certain credit unions;
- the investment amount, loan amount, or level of activity of certain credit unions;
- the CUSO’s most recent year-end audited financial statements;
- the total dollar amount of loans outstanding;
- the total number of loans outstanding;
- the total dollar amount of loans granted year-to-date; and
- the total number of loans granted year-to-date.
NCUA will now classify all lending by CUSOs as complex/high risk subject to the above reporting.
- New authorities for FCU CUSOs will be authorized by publication on NCUA website
Permissible activities for a FCU CUSO are listed in § 712.5 and have before now required notice and comment rulemaking before being changed. In contrast, NCUA’s corporate credit union CUSO rules in § 704 allowed NCUA to add permissible activities for corporate credit unions by simply publishing the new authorities on the NCUA website.
Under the final rule, NCUA will now amend permissible activities for FCU CUSOs by publishing the new authorities on the NCUA website. NCUA is reserving the right to use notice and comment for “novel” authorities in the future. NCUA will also use notice and comment before removing authorities.
Final Rule Summary: CAMELS Rating System (Parts 701, 703, 704, 713)
October 2021
Prepared by NASCUS Legislative & Regulatory Affairs Department
NCUA is updating the NCUA’s supervisory rating system from CAMEL to CAMEL”S” by adding the ‘‘S’’ (Sensitivity to Market Risk) component to the existing CAMEL rating system and redefining the ‘‘L’’ (Liquidity Risk) component. The other federal bank regulators have been using the CAMELS rating system since 1997 and over half of state credit union regulators already use CAMELS rather than the NCUA CAMEL system to more precisely measure interest rate risk (IRR).
NCUA will implement the addition of the ‘‘S’’ rating component and a redefined ‘‘L’’ rating for examinations and contacts started on or after April 1, 2022.
The CAMELS final rule may be read here. The rule becomes effective April 1, 2022.
Summary
NCUA adopted the CAMEL rating system in 1987 to reflect the significant financial, operational, and management factors that examiners assess in their evaluation of a credit union’s performance and risk profile. NCUA is now updating the agency’s supervisory rating system from CAMEL to CAMELS by adding the ‘‘S’’ component to the existing CAMEL rating system to evaluate sensitivity to market risk and adding new rating criteria and evaluation factor examples.
“S” Rating Description
| S Rating | Description |
|---|---|
| 1 | • Risk management practices & controls for market risk are strong for the size & sophistication of the credit union, and the level of market risk it has accepted. • There is minimal potential for market price or interest rate changes to create a material adverse effect on the credit union’s earnings performance or capital position. • The credit union has more than sufficient earnings and capital to support the level of market risk taken by the credit union. |
| 2 | • Risk management practices & controls for market risk are satisfactory for the size & sophistication of the credit union, & the level of market risk it has accepted. • There is only moderate potential for market price or interest rate changes to create a material adverse effect on the credit union’s earnings performance or capital position. • The credit union has sufficient earnings and capital to support the level of market risk taken by the credit union. |
| 3 | • Risk management practices and controls for market risk are not fully commensurate with the size and sophistication of the credit union, or the level of market risk it has accepted. • There is high potential for market price or interest rate changes to create a material adverse effect on the credit union’s earnings performance or capital position. • The level of market risk taken is high in relation to the credit union’s earnings or capital. |
| 4 | • Risk management practices and controls for market risk are significantly deficient given the size and sophistication of the credit union, or the level of market risk it has accepted. • There is high potential for market price or interest rate changes to threaten the viability of the credit union. • The level of market risk taken is excessive in relation to the credit union’s earnings or capital. |
| 5 | • The level of market risk taken or exposure to market price or interest rate changes is an imminent threat to the credit union’s viability. |
Modifying the ‘‘L’’ Component
Now that NCUA will adopt the CAMELS rating system, the agency will redefine the “L” component to focus exclusively on liquidity.
| L Rating | Description |
|---|---|
| 1 | • The credit union has strong liquidity levels. • The credit union has well-developed funds management policies and practices. • The credit union has reliable access to sufficient sources of funds on favorable terms to meet present and anticipated liquidity needs. |
| 2 | • The credit union has satisfactory liquidity levels. • The credit union has adequate funds management policies and practices. • The credit union has access to sufficient sources of funds on acceptable terms to meet present and anticipated liquidity needs. |
| 3 | • The credit union has low liquidity levels. • The credit union’s funds management policies and practices are not fully commensurate with its size and complexity, or the liquidity risks it has taken. • The credit union may lack ready access to funds on reasonable terms. |
| 4 | • The credit union has inadequate liquidity levels. • The credit union’s funds management policies and practices are inadequate given its size and complexity, or the liquidity risks it has taken. • The credit union is likely not able to obtain sufficient funds on reasonable terms to meet liquidity needs. |
| 5 | • Liquidity levels are so deficient there is an imminent threat to the credit union’s viability. • The credit union requires extraordinary external financial assistance to meet maturing obligations or other liquidity needs. |
Technical Amendments
Several provisions of NCUA’s rules specifically reference the CAMEL (no “S”) and will be updated to reflect the new CAMEL”S” and the refined narratives. The following provisions will be amended by replacing “CAMEL” with “CAMELS.”
| NCUA Part | Provision |
|---|---|
| Part 700 Definitions | § 700.2 |
| Part 701 Organization & Operation of FCUs | § 701.14(b) (3) (i) and (ii) § 701.14(b) (4)(i) and (ii) § 701.23(b)(2) |
| Part 703 Investment & Deposit Activity | § 703.13(d)(3)(iii) § 703.14(i) § 703.14(j)(4) |
| Part 704 Corporate Credit Unions | § 704.4(d)(3)(ii) |
| Part 713 Fidelity Bond & Insurance Coverage | § 713.6(a)(1) § 713.6(c) |
NCUA Risk Alert: 21-RISK-01 Business Email Compromise through Exploitation of Cloud-Based Email Services
October 2021
NCUA issued Risk Alert 21-Risk-01 to provide credit unions a warning regarding a common Business Email Compromise (BEC) scam and tips on mitigations measures to counter BEC fraud and wire transfer fraud.
Business Email Compromise
In one of the most effective types BEC scams, cybercriminals use phishing kits that impersonate popular cloud-based email services to compromising victim email accounts in search of information on financial transactions. Cybercriminal will often reconfigure victim’s mailboxes to delete key messages or forward key messages. Using information gathered from compromised accounts, cybercriminals impersonate email between compromised businesses and third parties to request pending or future payments be redirected to fraudulent bank accounts.
Cybercriminals will use compromised email accounts to also identify new targets for phishing and therefore a successful email account compromise at one business can affect multiple victims associated with the account.
Prevent Business Email Compromise Fraud
NCUA provides credit unions the following tips to help prevent BEC fraud:
|
Enable multi-factor authentication for all email accounts. |
Disable basic or legacy account authentication that does not support multi-factor authentication. |
|
Use caution when posting information on social media/company websites, especially job duties & descriptions, org charts & out-of-office details. |
Educate employees about BEC scams, including preventative strategies like how to identify phishing emails & how to respond to compromises. |
|
Verify all payment changes and transactions in person or via a known telephone number. |
Prohibit automatic forwarding of business email to external addresses. |
|
Add an email banner to messages coming from outside your organization. |
Enable alerts for suspicious activity, such as foreign logins. |
|
Prohibit email protocols, such as POP, IMAP, and SMTP that can be used to circumvent multi-factor authentication. |
Implement email authentication technologies such as Domain-based Message Authentication Reporting and Conformance (DMARC) policies to prevent spoofing and validate incoming email. |
| Enable security features that block malicious email, such as anti-phishing & anti-spoofing policies. | Ensure changes to mailbox login and settings are logged and retained for at least 90 days. |
Prevent Wire Transfer Fraud
Cybersecurity threats resulting in wire transfer fraud are increasing and NCUA notes it is essential to ensure that proper wire controls are in place.
| Operational Controls | Transactional Controls | Physical & Logical Controls |
|---|---|---|
| • Dual controls and separation of duties | • Call-back parameters | • Multi-factor authentication |
| • Documented and board-approved policies and procedures | • System enforced monetary thresholds | • Patch management, virus protection, and firewall protection |
| • Timely balancing and reconciliation of related accounts | • System enforced end user monetary limits | • System access controls |
| • Incident response and business continuity planning and testing | • System enforced time-of-day restrictions | • Network security policies |
| • Automated velocity monitoring | • Member and staff information security training | |
| • Exception handling procedures | ||
| • Enhanced due diligence and monitoring of high-risk members and activity |
Report and Recover Funds from Business Email Compromise Fraud
Credit unions that identify BEC or a wire transfer fraud should:
- File a complaint with the FBI
- Contact their wiring originating financial institution as soon as possible to request a recall or reversal and initiate a Hold Harmless Letter or Letter of Indemnity with the receiving financial institution
- Follow FinCEN guidance for filing Suspicious Activity Reports on BEC incidents
Additional information on BEC is available at the FBI’s Internet Crime Complaint Center Business Email Compromise webpage. Additional information on authentication is available from FFIEC: Authentication and Access to Financial Institution Services and Systems
NASCUS Annual Members’ Reception
Date: Tuesday, March 1, 2022
Time: 5:00 pm to 7:00 pm
Location:
Marriott Marquis Hotel
University of District of Columbia Room
Washington D.C.
RSVP by February 22, 2022, to [email protected]
This members-only event is being held in conjunction with the CUNA Governmental Affairs Conference. A member and a guest are invited to attend. Dress is business attire. NASCUS is meeting COVID safety protocols set by the Center for Disease Control, the District of Columbia, and the Marriott Marquis Hotel. Click here to learn more about the Marriott Marquis Hotel’s COVID protocols.
For questions or further information, please contact Dr. Isaida Woo, Senior Vice President, Corporate Affairs and Education