Cybersecurity, Bank Secrecy Act Among 2017 Supervisory Priorities

NCUA’s primary mission is to ensure the safety and soundness of America’s federally insured credit unions and preserve the National Credit Union Share Insurance Fund that protects members’ deposits. To accomplish this, the NCUA uses a risk-focused examination program that allocates agency resources to credit unions and areas exhibiting the greatest potential risk.

As in previous years, its field staff will continue to use in 2017 the streamlined small credit union exam program procedures for credit unions with assets up to $50 million and a composite CAMEL rating of 1, 2, or 3. For all other credit unions, field staff will conduct risk-focused examinations, which concentrate on the areas of highest risk, new products and services, and compliance with federal regulations.

Also in 2017, the NCUA are implementing an extended exam cycle, which is discussed in more detail in Letter to Credit Unions, 16-CU-12, “Risk-based Examination Policy.” The letter is available online here.

The NCUA’s primary areas of supervisory focus in 2017 are:

Cybersecurity Assessments
Cybersecurity remains a key supervisory focus. NCUA will continue to evaluate carefully credit unions’ cybersecurity risk-management practices. We encourage credit unions to use the Federal Financial Institutions Examination Council’s Cybersecurity Assessment Tool to bolster their security and risk-management processes.

Additionally, NCUA plans to increase its emphasis on cybersecurity with a structured cybersecurity assessment process. The NCUA anticipates completing this process by late 2017, and will keep credit union system stakeholders informed as changes occur.

NCUA also will continue to foster and facilitate sharing of best practices to strengthen credit unions’ existing cybersecurity programs.

For more cybersecurity resources, visit our Cybersecurity Resources Web site.

Bank Secrecy Act Compliance
NCUA remains vigilant in ensuring the credit union system is not used to launder money or finance criminal or terrorist activity. Its field staff is required to review credit unions’ compliance with the Bank Secrecy Act and to complete the related questionnaire at every examination.

In addition, all federally insured credit unions must perform certain recordkeeping and reporting requirements under the Bank Secrecy Act.

In 2017, NCUA field staff will focus on credit unions’ relationships with money services businesses and other accounts that may pose a higher risk for money laundering.

Credit unions that provide services to a money services business or other types of high-risk businesses need specialized procedures in place to appropriately classify risk and determine the depth and intensity of monitoring that is necessary. Credit unions are expected to perform appropriate due diligence, analysis and monitoring when providing services to these and other high-risk accounts.

For guidance on risk-mitigation practices related to money services businesses, see Letter to Credit Unions, 14-CU-10, “Identifying and Mitigating Risks of Money Services Businesses,” by clicking here.

For additional information and resources on the Bank Secrecy Act, visit the Bank Secrecy Act Web page.

Internal Controls and Fraud Prevention
Credit unions with limited staff can be more susceptible to insider fraud because of the inherent challenge of maintaining adequate separation of duties among employees. The NCUA’s field staff will continue to evaluate the adequacy of credit union internal controls, as well as overall efforts to prevent and control fraud.

Interest Rate and Liquidity Risk
At the beginning of the year, field staff will start using a revised interest-rate-risk supervisory tool and new examination procedures to assess interest rate risk-management practices in credit unions. These procedures will improve the efficiency of NCUA reviews by focusing the agency’s resources on credit unions that have elevated levels of interest rate risk and by streamlining the related exam procedures.

Field staff will also focus on the relationship between interest rate risk and liquidity risk.

For more information about these supervisory changes, see Letter to Credit Unions, 16-CU-08, “Revised Interest Rate Risk Supervision,” by clicking here.

Commercial Lending
NCUA field staff will evaluate a credit union’s commercial loan policies and procedures and assess the risk-management processes associated with managing a commercial loan portfolio following the changes to NCUA’s member business lending regulations that went into effect in January. Credit union officials should be prepared to provide documentation to support management’s ability to effectively monitor and manage its commercial-loan portfolio.

NCUA’s online Examiner’s Guide provides guidance on the principles of sound commercial lending and NCUA’s supervisory expectations for sound risk-management practices available here.

For more information, see Letter to Credit Unions, 16-CU-11, “Member Business Loans Guidance Added to Examiner’s Guide,” by clicking here.

Consumer Compliance
Because of changes to the Military Lending Act that have gone into effect recently, as well as additional changes that will go into effect in October, field staff will evaluate credit unions’ compliance with the act. Field staff also will review compliance with the Servicemembers’ Civil Relief Act.

For more information on the Military Lending Act, see Letter to Credit Unions, 16-CU-07, “Military Lending Act Examination Approach,” by clicking here.

For additional consumer compliance tools and resources, visit the Consumer Compliance Regulatory Resources Web site.

in Compliance & Regulatory News