THIS WEEK: Agency outlines 2020 priorities; Insurance fund adjustments due April 15; New audit option procedures detailed; Nuts, bolts of ‘alternative data’ summarized; Summary outlines OIG report on joint exams; Cybersecurity advised in wake Middle East action; BRIEFLY: Welcome new members; Dues invoices out; Task force on consumer law named
Agency supervisory priorities in 2020
include AML/BSA, consumer protection
Anti-money laundering and Bank Secrecy Act (BSA) compliance, consumer financial protection and cybersecurity are at the top of the list for NCUA’s supervisory priorities in the New Year, the agency said this week.
In outlining the agency’s priorities, Board Chairman Rodney Hood said its commitment to safety and soundness, and protection of the National Credit Union Share Insurance Fund (NCUSIF), “is the foundation for everything we do.”
Among the details of the priorities listed by NCUA:
- Bank Secrecy Act and anti-money-laundering compliance: The agency said its examiners conduct a BSA/AML review during every examination and take appropriate action, when necessary, to ensure credit unions meet their obligations. Of specific emphasis, the agency said, would be customer due diligence and beneficial ownership requirements that became effective May 11, 2018. The agency also indicated it would continue to focus on proper filing of suspicious activity and currency transaction reports (SARs and CTRs). “Filing timely and informative SARs and CTRs provides law enforcement, intelligence, and counter-terrorism officials with vital information,” the agency stated.
- Consumer financial protection: While the agency examines for compliance with all consumer financial protection rules, it said it rotates specific regulations to ensure broad coverage over a multi-year period. In 2020, NCUA said, examiners are required, at a minimum, to review compliance with: Electronic Fund Transfer Act (Regulation E), including the rule’s error resolution procedures; Fair Credit Reporting Act (FCRA), including review of credit reporting policies and procedures, as well as accuracy of reporting to credit bureaus, particularly the date of first delinquency; Gramm-Leach-Bliley (Privacy Act), to evaluate credit union protection of non-public personal information about consumers; Small dollar lending (and Payday Alternative Lending), including compliance with NCUA Payday Alternative Lending (PALs) rules and interest rate cap, as well as whether a credit union’s non-PALs short-term, small-dollar loan programs comply with regulatory requirements; Truth in Lending Act (Regulation Z) to evaluate credit union practices concerning annual percentage rates and late charges and whether credit unions appropriately levy late fees, and are accurately disclosing finance charges and annual percentage rates; Military Lending Act (MLA) and Servicemembers Civil Relief Act (SCRA), including review of credit unions that have not received a recent exam for compliance with the rules.
- Cybersecurity: The agency’s new security review program “Automated Cybersecurity Examination Tool (ACET)” will be “fully deployed” in 2020, according to the agency, allowing credit unions to complete self- assessments through access to the new program on the agency’s website early this year. In addition, the agency said it will be piloting new procedures in 2020 to “evaluate critical security controls during examinations between maturity assessments,” with the critical security controls reviews scaled to the size and risk profile of the institution.
Other priorities for the agency’s examiners are:
- Credit risk and liquidity risk: Examiners will place emphasis on the review of the credit union’s loan underwriting standards and procedures, working to verify if credit unions properly analyzed the ability of borrowers to meet debt service requirements without undue reliance on the value of any collateral. NCUA said its examiners will continue to review concentration risk exposure during each examination, but noted it is implementing in 2020 enhanced examination procedures, including supervisor concurrence and additional quality controls, for credit unions with very high concentrations in specific loan types.
- On liquidity risk, in 2020 examiners will review credit union liquidity management and planning. In particular, for credit unions with low levels of on-balance sheet liquidity, examiners will assess liquidity management by evaluating potential effects of changing interest rates on the market value of assets and borrowing capacity; scenario analysis for liquidity risk modeling; scenario analysis for changes in cash flow projections for an appropriate range of relevant factors (for example, changing prepayment speeds); and “appropriateness of contingency funding plans to address any potential liquidity shortfalls.”
- Current expected credit losses (CECL) accounting standard: despite the additional delay (to 2023) for credit unions to comply with the Financial Accounting Standards Board (FASB) standard, NCUA said its examiners will continue to discuss with credit union management their plans to implement CECL.
- LIBOR (London Interbank Offered Rate) interest rate benchmark transition: Examiners will assess credit unions’ exposure and planning related to the discontinuance of LIBOR after 2021, including identification of all LIBOR-related transactions including both on- and off-balance sheet exposures (number of transactions and balance amounts); and planning, governance, senior executive engagement, budgeting, accounting, and addressment of other impacts related to the transition and discontinuance of LIBOR
The agency also stated in the letter that its new examination platform, the Modern Examination and Risk Identification Tool (MERIT) will be released to all examination staff in the second half of 2020. Credit unions will also be users of MERIT, NCUA said, and will have the ability to perform certain activities in the tool, such as transferring documents and files needed for the examination securely; providing status updates and requesting due date changes on corrective actions; and accessing completed examination reports securely.
Insurance fund deposit adjustments due April 15
Adjustments to 1% deposits in the NCUSIF will be due no later than April 15 by federally insured credit unions, including state chartered, NCUA said this week. Invoices for the adjustments (as necessary) will be sent in March, the agency said.
The agency set the schedule to all federally insured credit unions in a Letter to Credit Unions (LTCU 20-FCU-01). The letter also reported that federal credit union operating fees are due April 15, with invoices also sent in March to the FCUs. The credit unions are paying a slightly higher operating fee for 2020, 1.13% higher than in 2019, NCUA noted. The agency attributed the higher fees to “increased cash needs for capital investments planned for 2020, as well as the increased budget level.”
In December, the NCUA Board approved an overall budget (including operating, capital and National Credit Union Share Insurance Fund budgets) of $347.4 million for 2020. That’s a 3.76% increase from 2019 (with an overall agency budget $334.8 million).
All federally insured credit unions are encouraged to participate in the PAY.GOV direct debit program to make their payments, including for insurance fund adjustments, NCUA said. Credit unions that do not join in the program must make payments according to the instructions on the invoice, NCUA said.
Guide details new audit options procedures
A new guide to minimum procedures for a federally insured credit union using the “other supervisory committee audits” option was issued this week by NCUA as a follow up to new rules, adopted in September and which took effect Monday (Jan. 6). The new rules allow a federally insured credit union that is not required to obtain a financial statement audit to fulfill its supervisory committee audit responsibilities by obtaining an “other supervisory committee audit,” such as that led by an independent accountant.
Under the new rule, federally insured credit unions meeting certain minimum requirements – which the agency has said reflect common industry practices for testing accounts and controls over financial institution financial statements – may choose the option.
For state-chartered credit unions, the minimum audit required to fulfill supervisory committee audit responsibility is (for SCUs with $500 million or more) a financial statement audit per generally accepted accounting standards (GAAS) by an independent, state-licensed person; and, for SCUs with less than $500 million in assets, a supervisory committee audit unless an audit prescribed by state law is more stringent.
The minimum audit requirements include: review of board of director minutes to determine whether there are any material changes to the credit union’s activities or condition that are relevant to the areas to be reviewed in the audit; and, test and confirm material asset and liability accounts. Those accounts include loans, cash on deposit, investments, shares, borrowings, and at least eight other categories.
“The sufficiency of the procedures, judgments about materiality, and any need for additional or expanded procedures, remains the responsibility of the supervisory committee,” the guide states. “The supervisory committee, internal auditor, or other qualified person may need to perform additional procedures to supplement these procedures, based upon the credit union’s risk profile and products and services offered.”
The guide also notes that because an independent accountant licensed to perform audits by the state in which the credit union is located “takes no responsibility for the sufficiency of the procedures in an agreed upon procedures engagement,” the may accountant need to consult with the supervisory committee about the number of items selected for testing and the selection criteria.
Summary gives nuts, bolts of ‘alternative data’ letter
A summary of a regulator joint statement on use of alternative data, issued in December, is now posted on the NASCUS website. The summary is available to members only.
NCUA, along with the Federal Reserve Board, CFPB, FDIC and OCC, issued the joint statement Dec. 3. In it, the agencies recognized the value of information not typically found in a consumer’s credit report, used against the backdrop of a well-designed compliance management program, as potentially helpful in credit underwriting. It can include, for example, cash flow data derived from a credit union member’s (or bank customer’s) account records.
According to the agencies, a well-designed compliance management program provides a thorough analysis of relevant consumer protection laws and regulations to ensure firms understand the opportunities, risks, and compliance requirements before using alternative data.
The agencies said they also “recognize that use of alternative data may improve the speed and accuracy of credit decisions and may help firms evaluate the creditworthiness of consumers who currently may not obtain credit in the mainstream credit system.”
OIG report on SSA joint exams outlined in summary
Also summarized by NASCUS this week: the audit by NCUA’s Office of Inspector General (OIG) about the agency’s joint exam process with state regulators. The summary is also available only to members.
The Dec. 18 audit (as reported last week in NASCUS Report) generally found that the agency provided shared oversight of federally insured state-chartered credit unions (FISCUs) to assess their condition and address material risks that could negatively affect the National Credit Union Share Insurance Fund (NCUSIF), and; that NCUA effectively monitors FISCUs using off-site monitoring tools and joint oversight processes with state supervisory authorities.
However, the audit also determined that the agency could make some improvements, including updating its operating agreements between NCUA regions and state supervisory authorities (SSAs) in those regions (among other things).
“As a result of the NCUA not having updated and useable optional operating agreements with each SSA,” the report states, “some NCUA examiners and officials we interviewed, as well as some examiners and officials for the SSAs, expressed there could be confusion regarding roles and responsibilities at a high level and indicated that although optional, having an executed operating agreement in place would help bring consistency to the working relationship and across the joint examination process.”
State system watches Iran hacker threat closely
Although there is no specific, credible threat to the U.S. homeland now, recent events in the Middle East have raised the chances of cyber-terrorism – and the state system is on top of the situation as it unfolds, with NASCUS working with key portions of the federal government in Washington.
In a message to all members this week, NASCUS noted that – in working with the Treasury Department and other federal agencies – it has been advised that there is a heightened risk of cyber-attacks from hackers affiliated with the Iranian government.
“Financial institutions are encouraged to notify law enforcement and their primary regulator of a disruptive or destructive cyberattack,” NASCUS noted in its message. The association also pointed out that “implementation and maintenance of effective cybersecurity controls, including threat monitoring, is critical to protecting financial institutions from malicious activity.”
The NASCUS message included links to a variety of resources for credit union supervisors and practitioners to turn to during heightened cyber security, including:
- DHS cyber activity alert AA20-0006A, “Potential for Iranian Cyber Response to U.S. Military Strike in Baghdad,” which provides historical data on Iranian cyber threats, technical details and recommended mitigation strategies.
- FFIEC Cybersecurity Resource Guide for Financial Institutions.
- FFIEC information about mitigating the effects of destructive malware and other threats.
- DHS NTAS bulletin on terrorism threat posed by Iran
BRIEFLY: Welcome new members; Dues invoices due; Bureau names membership of consumer financial law task force
Welcome new members (and associates) to NASCUS: SchoolsFirst FCU, Santa Ana, Calif. (Bill Cheney, president & CEO); Pacific Cascade FCU, Eugene, Oregon (Jackie Hoonjan, president & CEO); Coast 2 Coast Financial CU, Tampa, Fla. (Sharmon Lenth, president & CEO) …: Membership dues invoices for 2020 were sent in early December to credit union and associate members electronically and by regular mail (due to the transitioning to electronic format) to the primary points of contact at each. Missing a membership renewal packet? please let Alicia Valencia Erb know. We look forward to showing you the NASCUS value of membership in 2020 … Four individuals from disciplines of the law, academia and consumer protection have been tapped as members of the CFPB’s Taskforce on Federal Consumer Financial Law, announced in October. None of the four represent credit unions, banks or consumer groups. The four are: Todd J. Zywicki (who will also serve as chairman of the group, and is a longtime critic of the agency), professor of law at George Mason University (GMU) Antonin Scalia Law School, senior fellow of the Cato Institute, and former executive director of the GMU Law and Economics Center; J. Howard Beales, III, former professor of strategic management and public policy at the George Washington University and former director of the Bureau of Consumer Protection at the Federal Trade Commission; Thomas Durkin, retired senior economist at the Federal Reserve Board, and; Jean Noonan, partner at Hudson Cook, former general counsel at the Farm Credit Administration, and former associate director of the Bureau of Consumer Protection’s Credit Practice at the Federal Trade Commission.