NCUA’s Supervisory Priorities for 2025
It’s January, so like clockwork, you know it’s time for NCUA’s annual letter outlining the agency’s supervisory priorities for the year ahead.
NCUA issued Letter 25-CU-01 last week, outlining the supervisory priorities and other updates to the agency’s 2025 examination program. The priorities focus on the areas posing the highest risk to credit union members, the credit union industry, and the National Credit Union Share Insurance Fund (NCUSIF).
Exam Updates
Starting off with exam updates, NCUA will amend its exam flexibility initiative to provide an extended exam cycle for credit unions over $1 billion in assets and rated a CAMELS composite 1 or 2 with no change in CEO since the last examination. These credit unions will now be eligible for a 12- to 16-month exam cycle. America’s Credit Unions and its legacy organizations have consistently advocated for well-run, low-risk credit unions to be eligible for an extended cycle. Additionally, the extended exam cycle for eligible federal credit unions will be shortened from 14 to 20 months to 14 to 18 months.
NCUA will continue conducting the defined scope Small Credit Union Exam Program in most federal credit unions with assets of $50 million or less, and risk-focused exam procedures for all other credit unions. Exams and supervision activities will continue onsite and offsite, as appropriate. NCUA will continue to offer customized support to Minority Depository Institutions (MDIs) with less than $100 million in assets, and MDIs of all asset sizes through its Small Credit Union and MDI Support Program.
Now on to NCUA’s 2025 supervisory priorities…
Credit Risk
As in previous years, credit risk remains a supervisory priority. According to NCUA, loan growth moderated during 2024 while overall delinquencies and charge-offs increased, especially with regard to credit cards and vehicle loans. Consequently, NCUA examiners will continue to review credit unions’ lending and related risk-management practices, including loan underwriting standards, collection programs, Allowance for Credit Losses reserves, charge-off practices, management and board reporting, and management of any concentrations of credit risk.
To the extent possible, examiners will also review credit unions’ third-party risk-management practices when lending, servicing, or collection functions are outsourced. Examiners will also assess modification and workout strategies for borrowers experiencing financial difficulty, including assessing whether a credit union’s efforts were “reasonable” and conducted with proper controls and management oversight.
Balance Sheet Management and Risk to Earnings and Net Worth
In evaluating credit unions’ earnings and net worth risk-management frameworks, examiners will weigh the current and prospective sources of earnings and the composition of net worth relative to credit unions’ approved plans and thresholds. Examiners will also continue to consider the current and prospective sources of liquidity compared to funding needs to determine the adequacy of a credit union’s liquidity risk-management framework. Examiners will review policies, procedures, risk limits, and evaluate the adequacy of a credit union’s risk-management framework relative to its size, complexity, and risk profile.
Cybersecurity
Cybersecurity remains a top supervisory priority as cyberattacks against the financial services sector become more frequent and sophisticated. NCUA urges credit union boards to continue to prioritize cybersecurity as a top oversight and governance responsibility (see NCUA Letter 24-CU-02, Board of Director Engagement in Cybersecurity Oversight).
In 2025, examiners will continue to use the information security examination procedures to assess credit unions’ information security programs, and support credit unions’ voluntary use of the Automated Cybersecurity Evaluation Toolbox to assess their cybersecurity maturity. More resources are available on NCUA’s Cybersecurity Resources webpage.
The letter also reminded federally insured credit unions (FICUs) to report “substantial” cyber incidents to NCUA within 72 hours after the FICU reasonably believes a reportable cyber incident has occurred. This reporting includes notifying the NCUA if a third-party provider experiences a cyber incident affecting the credit union. For more information, see Letter 25-CU-02: Cyber Incident Notification Requirements (Update to Letter 23-CU-07)
Consumer Financial Protection
NCUA will also review compliance with consumer financial protection laws and regulations during every federal credit union exam, particularly concerning:
- Overdraft programs, including policies, procedures, disclosures, fees, account statements, member complaints, internal reviews, and websites;
- Fair lending, especially with regard to identifying and mitigating potential discrimination in residential real estate valuation practices;
- Home Mortgage Disclosure Act data collection and reporting policies and practices;
- Military Lending Act requirements, including policies and procedures, compliance management systems, and checking and monitoring for military status; and
- Regulation E policies and procedures related to payments and error resolution.
Last, but not least, NCUA encourages credit unions to review and maintain fundamental controls over lending, recordkeeping, and internal controls; and remain aware of changing Bank Secrecy Act requirements as FinCEN and the federal financial institution regulators continue to implement the Anti-Money Laundering Act of 2020.