NCUA recently issued Letter No.: 22-CU-02 outlining its Supervisory Priorities for 2022. The letter is intended to assist credit unions in preparing for their next NCUA examination. Several of the areas are carried over from prior years and continue to be high on NCUA’s risk areas for 2022, according to the letter. We encourage you to share this information with your Supervisory/Audit Committee and/or Board of Directors. The complete list of items listed in the letter as the top areas of focus for 2022 are as follows:
Credit Risk Management
Examiners will continue to review credit risk management and mitigation efforts. For all lending programs, credit unions’ risk management practices should be commensurate with the level of complexity and nature of their lending activities. Credit unions must maintain safe-and-sound lending practices and comply with consumer financial protection laws. Examiners will focus on adjustments credit unions made to lending programs to address borrowers facing financial hardship, on reviewing policies that address the use of loan workout strategies, risk-management practices, and new strategies implemented to provide funds to borrowers under distress and programs created under the CARES Act and the Consolidated Appropriations Act. This will include an evaluation of credit unions’ controls, reporting and tracking of these programs.
Information Security (Cybersecurity)
Cybersecurity risks remain a significant threat to the financial system. The likelihood of these threats adversely affecting credit unions and their members continues to rise. Ransomware, third-party/supply chain risks, and business email compromises continue to be of concern. In October 2021, the NCUA released the Automated Cybersecurity Evaluation Toolbox (ACET) application, which provides credit unions the capability to conduct a maturity assessment aligned with the Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool. Using the assessment with the ACET allows institutions of all sizes to determine and measure their cybersecurity preparedness. The ACET is entirely voluntary and does not introduce any new requirements or expectations on credit unions.
Payment products, services, and operations is a growing area of complexity and risk for credit unions and consumers. As the retail payments’ landscape increasingly shifts and grows to meet consumer demand for easier and faster electronic access to and settlement of funds, the corresponding risk to credit unions and their members also increases. Today’s environment of easy and fast electronic processing of transactions relies on technology, the applications and their controls, and the underlying security of the platforms facilitating the transactions. The changes in payment systems increase the risk of fraud, illicit use, and breaches of data security.
Capital Adequacy and Risk-Based Capital Rule Implementation
Capital adequacy standards are important to ensure the safety and soundness of credit unions. NCUA examiners will be mindful of the effects of recent excess share growth on net worth and risk-based capital (RBC) ratios. NCUA examiners will ensure that credit unions are evaluating the impact of their COVID-19 response and relief efforts on their capital position and financial stability. Effective 1/1/22, complex credit unions are subject to the risk-based capital requirements in the final risk-based capital rule. A complex credit union has total assets that exceed $500 million, as reflected in the most recent Call Report. In support of this new capital adequacy framework, there are changes to the quarterly Call Report starting with the reporting period of March 31, 2022. Examiners will review the accuracy of the complex credit unions’ reporting for the new data elements required in the risk-based capital schedule of the Call Report.
BSA Compliance and AML/Countering the Financing of Terrorism
These issues continue to be national priorities and the examiners conduct BSA compliance and AML/CFT reviews during every examination to ensure credit unions meet their obligations. The Anti-Money Laundering Act of 2020 (AML Act) and the Corporate Transparency Act amended the BSA for the first time since 2001. These requirements will be implemented incrementally throughout 2022. The NCUA will communicate changes in BSA and AML/CFT requirements, and any impacts on examinations to credit unions.
Loan Loss Reserving
The FASB’s Accounting Standards Update No. 2016-13, Topic 326, commonly referred to as the current expected credit losses standard or CECL will be required to be implemented for all years beginning after 12/15/22. Federal credit unions with less than $10M in assets are not required to implement CECL. Examiners will be evaluating the adequacy of credit unions’ Allowance for Loan and Lease Losses (ALLL) accounts by reviewing: ALLL policies and procedures; documentation of the ALLL including modeling assumptions and qualitative factor adjustments; adherence to GAAP, and independent reviews of credit union reserving methodology and documentation practices by the Supervisory Committee or internal or external auditor. Examiners will want to discuss the credit unions’ preparations to implement CECL too.
Consumer Financial Protection
The NCUA will continue to examine for compliance with the applicable consumer financial protection laws and regulations. The scope of each examination’s consumer compliance review is risk-focused and is based on the credit union’s compliance record, products and services provided, and any new or emerging concerns. The NCUA selects the specific priorities to reflect trends in violations identified through examinations and member complaints, any recent changes to regulatory requirements, and how much time has passed since the regulation was last required to be reviewed. In 2022, specific areas will include: the COVID-19 pandemic; fair lending; Servicemembers Civil Relief Act; Fair Credit Reporting Act, and overdraft programs. The examiners will review mortgage forbearances and other loan accommodations credit unions have provided to their members during the pandemic. Examiners will identify fair lending policies and practices that indicate discrimination risk or loan portfolio and underwriting discrimination risk. In addition, examiners will assess whether a credit union has policies and procedures to evaluate the consistency, fairness, and accuracy of the appraisals it obtains. Examiners will request information about a credit union’s policies and procedures governing its overdraft programs and the monitoring tools and audit of its overdraft programs, as well as the communications it provides to consumers about these programs. Examiners expect to use the documentation for a more complete review of credit unions’ overdraft programs in 2023.
NCUA examiners will verify that credit unions have evaluated the risk in the loan participation transactions and how that risk fits within the tolerance levels established by the credit union’s board. At a transactional level, each loan participation must have separate and distinct records for individual payments, including principal, interest, fees, escrows, and other information relating to individual loans. While remittances to the credit union may come in a single payment, credit unions must reconcile this information to the servicer’s records and follow prudent third-party due diligence practices when purchasing loan participations.
Due to many credit unions increasing the amount of offsite work and employees, the potential risk for fraud has increased. The NCUA will review credit union efforts to deter and detect fraud, including internal controls and separation of duties. Transaction testing will be part of the exam procedures.
London Inter-Bank Offered Rate (LIBOR) Transition
The one-week and two-month US dollar LIBOR settings have ceased and the overnight and one-, three-, six-, and 12-month USD LIBOR setting will be extended through June 2023, which will provide additional time to wind down or renegotiate existing contracts that reference these LIBOR settings. During 2022, examiners will focus on credit unions with significant LIBOR exposure or inadequate fallback language. In May 2021, the NCUA issued the 21-CU-03 LIBOR Transition letter to credit unions that also included Supervisory Letter, 21-01, Evaluating LIBOR Transition Plans. The Supervisory Letter provides the supervision framework examiners will continue to use to evaluate a credit union’s risk management processes and planning regarding the transition away from using the USD LIBOR settings by no later than 12/31/21, and to provide fallback language and a replacement rate(s) for all legacy LIBOR-based contracts.
Interest Rate Risk
This is certainly not anything new but due to the high share growth over the last two years, if credit unions have invested surplus funds in longer duration assets, this could result in greater sensitivity to market risk, and therefore increased interest rate risk. Conversely, keeping all assets short-term can impact current period earnings. Credit unions should continue to carefully model and manage interest rate risk using a broad range of scenarios that include various prepayment speed and yield curve assumptions.
Exam Program Updates
The NCUA examinations will be conducted using the Modern Examination and Risk Identification Tool (MERIT) and most will be conducted remotely due to the pandemic.
In October 2021, the NCUA Board finalized a rule that added the “S” component (for Market Sensitivity) to the existing CAMEL rating system and redefined the “L” component, thus updating the CAMEL rating system to CAMELS. Adoption of the CAMELS allows the NCUA, state supervisory authorities, and federally insured credit unions to achieve greater transparency in the ratings and clearly distinguish between liquidity risk in the “L” component and sensitivity to market risk captured in the “S” component. The final rule is effective for examinations starting on or after April 1, 2022.
The evaluation of the “S” component reflects the credit union’s exposure to changes in its earnings and capital position arising from changes in market prices and interest rates. Effective risk management programs include comprehensive interest rate risk policies, appropriate and identifiable risk limits, clearly defined risk mitigation strategies, and a suitable governance framework.
In evaluating the “L” component to determine the adequacy of a credit union’s liquidity profile, examiners will consider the current and prospective sources of liquidity compared to funding needs. The adequacy of liquidity risk management is also evaluated relative to a credit union’s size, complexity, and risk profile.
GBQ Partners LLC
Our Credit Union service specialists have many years of industry experience in helping credit unions through accounting, compliance, regulatory, mergers, tax (federal, state and local), IT and a number of other complex areas. Our IT professionals have already been using the FFIEC Cybersecurity Assessment Tool to assist our clients evaluate and implement risk monitoring tools. Our compliance professionals are up-to-date and accredited, and our accounting professionals live in the credit union space every single day. If you have questions or need assistance, please do not hesitate to contact us.
Article written by:
Scott Runyan, CPA
Director, Assurance & Business Advisory Services