Dear Board of Directors and Chief Executive Officer:
This letter is intended to assist you in preparing for your next NCUA examination. NCUA field staff will continue to use the streamlined small credit union exam program procedures for credit unions with assets up to $50 million and CAMEL ratings of 1, 2, or 3. For all other credit unions, field staff will conduct risk-focused examinations, which concentrate on the areas of highest risk, new products and services, and compliance with federal regulations. In 2017, NCUA is implementing an extended exam cycle, which is discussed in more detail in NCUA Letter to Credit Unions 16-CU-12, Risk Based Examination Policy.
NCUA’s primary areas of supervisory focus in 2017 are described below.
Cybersecurity remains a key supervisory focus. NCUA will continue to carefully evaluate credit unions’ cybersecurity risk management practices. We encourage credit unions to use the Cybersecurity Assessment Tool to bolster their security and risk management processes. This tool was issued jointly with the other member agencies of the Federal Financial Institutions Examination Council.
NCUA plans to increase our emphasis on cybersecurity by enhancing the examination focus with a structured assessment process. We anticipate completing this process by late 2017, and will keep credit union system stakeholders informed as changes occur.
NCUA will continue to foster and facilitate sharing of best practices to strengthen credit unions’ existing cybersecurity programs. For more cybersecurity resources, visit NCUA’s Cybersecurity Resources website.
Bank Secrecy Act Compliance
NCUA remains vigilant in ensuring the credit union system is not used to launder money or finance criminal or terrorist activity. All federally insured credit unions must perform certain recordkeeping and reporting requirements under the Bank Secrecy Act.
NCUA field staff are required to review credit unions’ compliance with the Bank Secrecy Act and to complete the related examination questionnaire at every examination. In 2017, NCUA field staff will focus on credit unions’ relationships with money services businesses (MSBs) and other accounts that may pose a higher risk for money laundering.
Credit unions that provide services to an MSB or other types of high-risk businesses need specialized procedures in place to appropriately classify risk and determine the depth and intensity of monitoring that is necessary. Credit unions are expected to perform appropriate due diligence, analysis, and monitoring when providing services to MSBs and other high-risk accounts. For guidance outlining risk mitigation practices related to MSBs, see NCUA Letter to Credit Unions 14-CU-10, Identifying and Mitigating Risks of Money Service Businesses. For additional information and resources regarding the Bank Secrecy Act, see NCUA’s Bank Secrecy Act website.
Internal Controls and Fraud Prevention
Credit unions with limited staff may be more susceptible to insider fraud as a result of inherent challenges maintaining adequate separation of duties. NCUA field staff will continue to evaluate the adequacy of credit union internal controls, as well as overall efforts to prevent and control fraud.
Interest Rate and Liquidity Risk
On January 1, 2017, NCUA field staff will begin using a revised interest rate risk supervisory tool and new examination procedures to assess interest rate risk management practices in credit unions. These procedures will improve the efficiency of reviews by focusing agency resources on credit unions that have elevated levels of interest rate risk and by streamlining related exam procedures. For more information about these supervisory changes, see NCUA Letter to Credit Unions 16-CU-08, Revised Interest Rate Risk Supervision.
Field staff will also focus on the relationship between interest rate risk and liquidity risk.
NCUA’s revised Part 723, Member Business Loans; Commercial Lending, is effective January 1, 2017. NCUA field staff will evaluate a credit union’s commercial loan policies and procedures and assess the risk management processes associated with managing a commercial loan portfolio. Credit union officials should be prepared to provide documentation to support management’s ability to effectively monitor and manage its commercial loan portfolio.
NCUA’s online Examiner’s Guide provides guidance on the principles of sound commercial lending and NCUA’s supervisory expectations for sound risk-management practices. For more information, see NCUA Letter to Credit Unions, 16-CU-11, Member Business Loans Guidance Added to Examiner’s Guide.
Given changes to the Military Lending Act that have gone into effect recently, as well as additional changes that will go into effect in October 2017, NCUA field staff will evaluate credit unions’ compliance with the Act. For more information on the Military Lending Act, see NCUA Letter to Credit Unions 16-CU-07, Military Lending Act Examination Approach.
Field staff will also review compliance with the Servicemembers’ Civil Relief Act. For additional consumer compliance tools and resources, visit NCUA’s Consumer Compliance Regulatory Resources website.
NCUA remains committed to protecting the safety and soundness of America’s federally insured credit unions and their more than 106 million members. If you have any questions about the agency’s 2017 supervisory priorities, please contact your NCUA regional office.