Credit risk management, cybersecurity, payments top 2022 supervisory priorities for credit union regulator

Agency plans close look at overdraft protection programs, with eye to 2023

Credit risk management, cybersecurity, and payment systems are the three top supervisory priorities for the federal credit union regulator, the agency said Tuesday.

Overall, the National Credit Union Administration (NCUA) said in its letter to credit unions (22-CU-02), it will continue to conduct examination and supervision activities primarily offsite given the uncertainty associated with the coronavirus crisis.

“Working with our public health consultant, the agency continues to closely monitor the COVID-19 pandemic trends and will resume onsite examination and supervision work when safe to do so,” the letter stated.

Other priorities, the NCUA said, include:

  • Bank Secrecy Act (BSA) compliance, anti-money laundering/countering financing of terrorism (AML/CFT) actions;
  • Capital adequacy, risk-based capital rule implementation;
  • Loan-loss reserving;
  • Consumer financial protection (including review of overdraft protection programs);
  • Loan participations;
  • Fraud;
  • LIBOR transition;
  • Interest-rate risk.

On its apparent top priority of credit risk management, the agency said its examiners would continue to review management and mitigation efforts at credit unions. “For all lending programs, credit unions’ risk management practices should be commensurate with the level of complexity and nature of their lending activities,” the agency letter states. “Credit unions must maintain safe-and-sound lending practices and comply with consumer financial protection laws, including disclosures and regulatory reporting requirements.”

Examiners will focus on adjustments credit unions made to lending programs to address borrowers facing financial hardship, the letter states. Examiners will also emphasize reviewing policies that address the use of loan workout strategies, risk-management practices, and “new strategies implemented to provide funds to borrowers under distress, including programs authorized under the CARES Act and extended in the Consolidated Appropriations Act, 2021,” the letter states. Examiners will evaluate credit unions’ controls, reporting, and tracking of these programs in particular, the NCUA wrote.

“NCUA examiners will not criticize a credit union’s efforts to provide prudent relief for borrowers when such efforts are conducted in a reasonable manner with proper controls and management oversight,” the letter stated.

On cybersecurity, the agency said it is developing updated information security examination procedures tailored to institutions of varying size and complexity. The procedures will be piloted and finalized this year, the NCUA said. “Cybersecurity risks remain a significant threat to the financial system,” the letter stated. “Ransomware, third-party/supply chain risks, and business email compromises, in particular, continue to be of concern.”

The agency asserted that payment systems are growing in complexity and risk for credit unions and consumers, and it pledged increased focus in the area. “Today’s environment of easy and fast electronic processing of transactions relies on technology, the applications and their controls, and the underlying security of the platforms facilitating the transactions,” the NCUA wrote. “The changes in payment systems increase the risk of fraud, illicit use, and breaches of data security.”

Key points of the other priorities include:

  • Overdraft programs (consumer financial protection): Examiners will request information about a credit union’s policies and procedures governing its overdraft programs and the monitoring tools and audit of its overdraft programs, as well as the communications it provides to consumers about such programs. “We anticipate using this documentation for a fuller review of credit unions’ overdraft programs in 2023,” the NCUA wrote.
  • Loan-loss reserving: The agency reminded credit unions that those subject to generally accepted accounting principles (GAAP) are required to implement the current expected credit losses (CECL) accounting methodology by the start of next year. (Credit unions under $10 million are not required to follow GAAP.) All federal credit unions, the agency noted, will be required to have a reasonable reserve methodology, provided the methodology adequately covers known and probable loan losses. Federally insured, state-chartered credit unions (FISCUs) should refer to state law on GAAP accounting requirements and CECL standard applicability, the agency wrote.
  • Loan participations: Examiners will verify that credit unions have evaluated the risk in the loan participation transactions and how that risk fits within the tolerance levels established by the credit union’s board. At a transactional level, each loan participation must have separate and distinct records for individual payments, including principal, interest, fees, escrows, and other information relating to individual loans.
  • LIBOR transition: Examiners will focus on credit unions with significant LIBOR exposure or inadequate fallback language.

NCUA Letter to Credit Unions 22-CU-02: NCUA’s 2022 Supervisory Priorities