Guidance Statement – Expansion of Permissible CUSO Activities and Associated Risks

Background

The NCUA Board approved a final Credit Union Service Organization (CUSO) rule, effective November 26, 2021. That rule allows federal credit unions to invest in and lend to CUSOs that engage in all types of lending permitted for federal credit unions, including auto loans, leases, payday alternative loans, and other unsecured consumer loans. Under the previous rule, federal credit unions had the authority to invest in and lend to CUSOs engaged in only four types of loans: business, consumer mortgage, student, and credit cards.

This guidance addresses some risk factors that may be associated with CUSOs originating these types of loans. The type of risk a credit union may be exposed to will depend on its relationship with the CUSO.

Credit unions may engage with CUSOs in a variety of ways, including establishing one or more of the following relationships:

• Lender – A credit union that lends funds to a CUSO, creating a debt relationship.
• Investor or owner – A credit union that invests in a CUSO. The credit union may own all or a portion of the CUSO, establishing an equity relationship. Depending on the structure of the relationship, the credit union may be a shareholder, member, or partner.
• Client or customer – A credit union that uses a CUSO’s services, or purchases products, including loans offered by a CUSO, constituting a vendor-client relationship.

Credit Risk

CUSO lending relationships can provide a credit union with greater flexibility in offering loans to members and increased opportunities for income. However, a credit union must ensure these activities are conducted in a safe and sound manner and in compliance with applicable laws and regulations, including consumer financial protection and anti-money laundering laws.

Performing a risk assessment and due diligence are important elements of a credit union’s responsibilities in any CUSO relationship. Credit unions that purchase CUSO-originated loans should perform appropriate due diligence to verify loans are underwritten and documented appropriately and conform to any applicable laws and regulations.

As an investor or lender, credit unions should monitor the CUSO’s exposure to credit risk. Depending on its business lines and balance sheet composition, a CUSO could experience loan losses that materially impact investors, owners, and lenders. For example, CUSO owners with consolidated financial statements may have to reflect the CUSO’s losses during the consolidation process, and credit union investors in CUSOs with high credit risk are at risk of losing their investments. Credit unions that lend to CUSOs may experience cash-flow disruptions or risk associated with holding or disposing of collateral if a CUSO does not properly manage its credit risk.

Strategic Risk

Before entering any type of arrangement with a CUSO, credit unions should educate themselves about a CUSO’s organizational structure, subsidiaries, functions, and the third parties the CUSO uses to provide products or services to the credit union. Credit unions should exercise sound business judgment before purchasing or participating in loans or entering into contractual arrangements with CUSOs and their subsidiaries, even if these entities are credit union affiliates. Credit unions should also establish an exit strategy with all third-party and CUSO loan origination relationships to be able to shut down or transfer any problematic lending or other activities, as warranted.

Fines, lawsuits, and litigation against a CUSO could affect credit union investors, depending on the extent of a credit union’s ownership interest in the CUSO. For example, the financial statements for a wholly owned CUSO are consolidated with the credit union’s financial statements, so CUSO losses become part of the credit union’s income statement during the consolidation process. A credit union investing in or forming a CUSO should verify the legal structure fully protects the credit union from actions at the CUSO level, including but not limited to the requirements outlined in NCUA regulation § 712.4, What must a FICU and CUSO do to maintain separate corporate identities?

Poor CUSO financial performance can negatively affect a credit union’s loan or investment in a CUSO, potentially causing a loss to the credit union. Additionally, disruptions to a CUSO’s operations can also impact credit union customers. For example, if a credit union relies on a CUSO to perform a business function or to provide a significant source of income and the CUSO fails or is otherwise unable to continue to provide the same level of service or support, this could have a material negative impact on the credit union.

Compliance Risk – Applicable Laws and Regulations

CUSOs are separate entities from federal credit unions and are not subject to NCUA’s lending regulations, including interest rate caps, loan maturity limits, and prohibitions against prepayment penalties.

Nevertheless, a federal credit union generally may not purchase or participate in a loan from a CUSO unless the federal credit union itself would be empowered to grant the loan.¹ Federal credit unions must ensure any loans they purchase or in which they participate comply with the Federal Credit Union Act and NCUA regulations.

While CUSOs are not subject to the NCUA’s lending regulations, they are subject to state lending laws and state and federal consumer financial protection laws and regulations.² In addition, some CUSOs may be subject to state-level supervision, licensing requirements, usury, and other laws that apply to non-bank lenders.³ Credit unions are encouraged to review loans for compliance with various federal and state laws and regulations prior to purchase. CUSO noncompliance could lead to enforcement action by other agencies or state authorities, litigation by affected consumers, and elevated reputation risk for the organization.

Fair Lending

Credit unions with ownership interests in CUSOs, as well as those using CUSOs to originate or purchase loans, should ensure the CUSO provides equal treatment to customers in all aspects of the process, including marketing and advertising, disclosures, servicing, member interactions, and complaints management. Credit unions should conduct adequate due diligence to have reasonable assurance fair lending laws and regulations are complied with.

Third parties often use artificial intelligence and machine learning to make lending decisions. Prudent credit unions ensure that users of artificial intelligence:

• Understand the models and their associated risks.
• Can explain how the models work.
• Evaluate whether the lending algorithms and data used by partners avoid disparate impacts.
• Collaborate with model risk experts to evaluate and verify that the models and algorithms do not promote bias or discrimination.

Unfair, Deceptive, or Abusive Acts and Practices

Certain credit union practices related to promoting CUSO services or CUSOs with names similar to the credit union may raise concerns about unfair, deceptive, or abusive acts or practices.⁴ For example, a CUSO’s use of a name similar to the credit union, consumer awareness of the credit union’s ownership of the CUSO, or credit union promotion of the CUSO’s products or services may result in the public linking any aggressive or improper CUSO lending activity with the lending activity of the credit union itself. To mitigate these concerns, credit unions should:

• Comply with the NCUA’s corporate separateness rule § 712.4(a), including holding the credit union and CUSO out to the public as separate enterprises.
• Pay particular attention to their marketing to inform members of programs with CUSO-originated loans.
• Ensure the loan contract terms match credit union policies and rate sheets for the interest rate, annual percentage rate, grace period, late fees, payment schedule, prepayment, insurance requirements, force placement of insurance, among others.

Reputation Risk

Credit unions, especially credit unions that wholly own a CUSO, are susceptible to reputation risk from a CUSO originating credit union loans. The NCUA’s accuracy of advertising regulation § 740.2 requires an insured credit union using a trade name in advertising to use its official name in loan agreements and account statements, among other legal documents. The same concept applies for CUSOs originating loans or providing other services for credit unions. The credit union should make clear to its members when they are dealing with the CUSO and not the credit union to avoid confusion and limit the credit union’s reputation risk. This includes following best practices for web linking by using clear and conspicuous webpage disclosures to explain the credit union’s limited role and responsibility with respect to member products and services offered through linked third-party websites.⁵

Another potential reputation risk is a CUSO’s ability to maintain the privacy of customer records and implement an appropriate information security and disclosure program. This risk is applicable to all types of credit union-CUSO relationships in which the CUSO has access to credit union members’ information. Credit unions should ensure they understand how CUSOs identify, manage, and protect the members’ information by embracing privacy principles as a baseline for robust data protection.

Conclusion

The NCUA expects credit unions to conduct prudent due diligence on a CUSO and its activities prior to investing in, lending to, purchasing assets, or using the services of a CUSO and to safeguard the credit union and its members from potential risks. For more information on third-party relationships and lending, refer to the following NCUA guidance:

• CUSO section of NCUA’s Examiner’s Guide
• Letter to Credit Unions 07-CU-13, Evaluating Third-Party Relationships
• Letter to Credit Unions 08-CU-26, Evaluating Loan Participation Programs
• Letter to Credit Unions 10-CU-15, Indirect Lending