On Monday January 23 NCUA issued its 2024 Supervisory Priorities outlining five primary areas of supervisory focus to assist credit unions in preparing for their exam. Exam activities focus on the areas that pose the highest risk to credit unions, credit union members, and the National Credit Union Share Insurance Fund (NCUSIF).
For 2024, NCUA is highlighting risks surrounding credit, liquidity, and interest rates, as well as information security (cybersecurity) and consumer financial protection. This year’s list of five core areas, outlined in NCUA’s Letter to Credit Unions 24-CU-01, presents a slight decrease from last year’s six core areas.
First on the list is Credit Risk Management.
Credit risk is the risk of default on expected repayments of loans or investments. This is not just the risk that a member will not fully repay a loan; this risk is also present in investments.
High inflation and rising interest rates and borrowing costs are putting financial pressure on credit union members’ household budgets. This could negatively impact borrowers’ ability to repay outstanding debt, leading to an increase in credit risk in future quarters. And rising interest rates could result in higher loan payments for borrowers.
According to NCUA, credit union loan portfolios are at increased risk considering that loan portfolios expanded faster during 2022 than any year within the last 30 years, while aggregate loan performance began to show signs of deterioration in 2023.
NCUA examiners will review the soundness of existing lending programs and credit risk management practices, including any adjustments your credit union made to loan underwriting standards, portfolio monitoring practices, loan workout strategies for borrowers facing financial hardships, and collection programs. Examiners will consider all efforts to provide relief to borrowers and whether the efforts were reasonable and conducted with proper controls and management oversight. Examiners will also “review policies and procedures related to Allowance for Credit Losses (ACL), documentation of the ACL reserve methodology, the adequacy of ACL reserves and adherence to generally accepted accounting principles.”
Next is Liquidity Risk.
Liquidity is defined as a credit union’s capacity to meet its cash and collateral obligations at a reasonable cost. NCUA cautions that credit unions will need to maintain strong liquidity risk management in 2024 due to the increased uncertainty in economic conditions and interest rate levels.
NCUA also cautions that “[p]ressure in deposit pricing and the use of wholesale funding as an alternative to satisfy funding needs is accelerating while new lending, participations, and loan sale markets may slow.” The changes in member behaviors and risk relationships entail greater focus on forecasting assumptions, forward-looking cash flows, and risk projections, resulting in liquidity challenges and increased risk to capital and earnings.
Credit unions need to prepare for contingency funding needs due to increased liquidity risk and uncertainty. NCUA issued Letter to Credit Unions 23-CU-06 in July 2023 to remind credit unions of the importance of a strong and viable contingency funding plan.
Examiners will review your credit union’s liquidity policies, procedures, and risk limits. In looking at a credit union’s liquidity risk management framework, examiners will also evaluate the adequacy of it relative to the size, complexity, and risk profile of your credit union. Examiners will assess scenario analysis for liquidity risk modeling, including possible member share migrations and they will assess scenario analysis for changes in cash flow projections for an appropriate range of relevant factors. Examinations will also assess a credit union’s liquidity management by evaluating the cost of various funding alternatives and their impact on earnings and capital, the effects of changing interest rates on the market value of assets and borrowing capacity, the diversity of funding sources under normal and stressed conditions, and the appropriateness of contingency funding plans to address any plausible unexpected liquidity shortfalls.
Consumer Financial Protection Remains a Priority.
Examiners will continue to perform a risk-focused assessment of your compliance with consumer financial protection laws and regulations based on your credit union’s products and services. Examiners will focus on overdraft programs, fair lending, and auto lending, including a review of indirect lending programs.
NCUA has included an expanded review of credit unions’ overdraft programs as a supervisory priority, including website advertising, balance calculation methods, and settlement processes. Examiners will evaluate adjustments credit unions made to their overdraft programs to address consumer compliance risk and potential consumer harm from unexpected overdraft fees. Notably, NCUA Chairman Todd Harper gave a speech last fall in which he stated it was “time for credit unions to rethink their overdraft programs if the industry wants to remain competitive and achieve its statutory mission and purpose.”
For fair lending, examiners will review credit union practices and policies for redlining, marketing, and pricing discrimination factors.
Examiners will review credit unions’ auto lending disclosures, policies, and procedures to confirm compliance with Truth in Lending and Reg Z. This review will include policies regarding Guaranteed Asset Protection (GAP) insurance.
Finally, examiners will continue to review credit unions’ policies and procedures addressing flood insurance rules. In May 2022, NCUA and the federal banking agencies issued revised federal flood insurance questions and answers. Be sure to review these Q&A’s as they reflect significant changes to the flood insurance requirements made by federal law in recent years.
Information Security (Cybersecurity) is a perennial item of concern.
Geopolitical issues continue to elevate cybersecurity risks and cybersecurity is one of NCUA’s top supervisory priorities as a key examination focus. The Letter reminds credit unions that as technology-related operating environments become ever more complex, it is crucial to establish a cybersecurity program that can adapt and evolve to counter these threats effectively.
Examiners will continue to evaluate whether credit unions have established robust information security programs to protect members and the credit union. To strengthen the examination process for cybersecurity, NCUA developed and tested updated Information Security Examination procedures tailored to institutions of varying size and complexity. Examiners will continue to use these procedures in 2024. Your credit union may conduct voluntary, cybersecurity self-assessment using NCUA’s Automated Cybersecurity Evaluation Toolbox which is a free downloadable standalone application that can help you determine your credit unions’ risks and controls and works in coordination with an Information Security Examination.
NCUA implemented a new Cyber Incident Notification Reporting Rule, effective September 1, 2023, requiring that federally insured credit unions must notify NCUA as soon as possible, and no later than 72 hours, after the credit union reasonably believes it has experienced a reportable cyber incident or received a notification from a third party regarding a reportable cyber incident.
NCUA’s Letter to Credit Unions 23-CU-07 summarizes the amendments to Part 748, known as the Cyber Incident Notification Requirements rule. It also provides instructions on what and how to report to NCUA and includes examples of both reportable and non-reportable incidents.
Next is Interest Rate Risk.
This isn’t surprising due to the tightening in U.S. monetary policy over the past two years. The Letter states that the higher interest rates continue to amplify market risk in asset and liability repricing mismatches and the overall management of interest rate risk. The risk arises because interest rates can vary significantly over time and the credit union business typically involves activities that produce exposures to maturity or rate mismatch.
In September 2022, NCUA revised its interest rate risk supervisory framework so review NCUA’s Letter to Credit Unions 22-CU-09 to understand why and how NCUA has updated its approach to supervising interest rate risk.
Examiners will continue to evaluate whether a credit union proactively manages its interest rate risk. Such examination will include checking to see that key assumptions and related data sets are reasonable and well documented, back testing and sensitivity are in place to test the reasonableness of assumptions, the overall level of interest rate risk exposure is properly measured and controlled, results are communicated to decision makers and the board of directors, and proactive action is taken to remain within sound policy limits.
NCUA included in the 2024 Supervisory Priorities are Bank Secrecy Act (BSA) Compliance and Support for Small Credit Unions and Minority Depository Institutions.
BSA compliance continues to be a supervisory area of interest for NCUA as failure to comply with BSA requirements can pose a significant risk to the credit union, its members, and the NCUSIF. Throughout 2024, NCUA will provide updates to credit unions regarding any regulatory changes to the BSA, as well as updates to supervisory expectations and examination procedures.
NCUA will continue its Small Credit Union and Minority Depository Institutions (MDI) support program, which the agency implemented in 2022 to support and preserve these credit unions. NCUA recognizes the value small and MDI credit unions bring to members in underserved communities by offering access to safe, fair, and affordable loans and other financial products and services. This program will continue in 2024 to assist with identifying resources and opportunities, providing training and guidance, and supporting management of small credit unions.
NCUA’s exam posture will continue with onsite/offsite supervision activities as appropriate. The extended examination cycle will continue in 2024 for eligible credit unions. NCUA will also continue its Small Credit Union Exam Program in most federal credit unions with assets of $50 million or less. For all other credit unions, NCUA examiners will use the agency’s risk-focused examination procedures.
And remember that NCUA has indicated that federal credit unions can record their exit conferences with examiners. This can be helpful institutional knowledge, particularly if there is a change with the CEO or other executive-leader at the credit union. The credit union must request that the exit interview be recorded and must provide a copy to NCUA.