Policies

Fair Lending Policy and Loan Policy

Fair lending laws are designed to provide fair and equal access to credit, based on individual creditworthiness, without regard to a prohibited basis such as race, gender, or national origin. The fair lending policies and procedures should clearly state how the credit union will comply with fair lending laws and enable the credit union to serve the entire field of membership.

The board of directors and senior management will need to understand and convey to all credit union staff they are responsible and accountable for complying with fair lending laws and regulations. Policies and procedures concerning the approval of credit, loan underwriting, pricing, and servicing standards need to be clearly written and understood. Fair lending training should be provided for all credit union employees and officials involved in the lending process. Include training for employees who take applications, originate loans, service loans, and collect delinquent loans. Additionally, the supervisory committee and any internal audit staff should incorporate an assessment of compliance with the credit union’s fair lending policies as a component of their review procedures.

Loan policies need to identify the type of lending programs to be offered in the first two years of operation. Specifically, policies should describe the type of loans, dollar limitations, terms and interest rates, maturity, collateral and insurance requirements, and other issues within each lending program. State the factors and parameters (such as credit standards) for processing a loan within each lending program.

Ensure the loan policies address compliance with the appropriate consumer lending regulations, including:

The Truth in Lending Act (Consumer Financial Protection Bureau) Regulation Z, 12 CFR Part 1026);
Equal Credit Opportunity Act (CFPB Regulation B, 12 CFR Part 1002); and
Fair Credit Reporting Act (CFPB Regulation V, 12 CFR Part 1022).

More advanced lending products, such as mortgage loans, will require compliance with the Real Estate Settlement Procedures Act (RESPA – CFPB Regulation X, 12 CFR Part 1024), Fair Housing Act, and the Home Mortgage Disclosure Act (HMDA – CFPB Regulation C, 12 CFR Part 1003), among other requirements.

Review the following NCUA’s Regulations pertaining to loans or loan-related matters:

§701.21, Loans to Members and Lines of Credit to Members;
§701.22, Loan Participation (Letters to Credit Union 08-CU-26 and 13-CU-07 also provide information);
§701.23, Purchase, sale, and pledge of eligible obligations;
§701.31, Nondiscrimination Requirements;
§702.304(a)(3), Restriction on Member Business Loans;
Part 717, Fair Credit Reporting;
Part 722, Appraisals;
Part 723, Member Business Loans; Commercial Lending;
Part 760, Loans in the Areas Having Special Flood Hazard; and
Part 761 Registration of Residential Mortgage Loan Originators

Additional guidance on lending matters can be found on under the NCUA’s Letters to Credit Unions and Other Guidance section of the website.

Collections Policy

Ensure the collections policy outlines collection practices, including information such as who is responsible for collections contacts; what are the timeframes and collection contacts/actions to be taken, such as reminder notices, letters, telephone calls, repossessions, foreclosures, or referrals to a collection agency or attorney. The policy should also identify how often collection efforts will be documented and tracked, and board reporting requirements.

Loan Charge-Off Policy

Develop a policy outlining charge-off practices. NCUA Letter to Credit Unions 03-CU-01, Loan Charge-Off Guidance for additional information.

Allowance for Loan and Lease Losses (ALLL) Policy

Develop an ALLL policy addressing the methodology and documentation requirements to fund the ALLL account. For additional guidance, refer to Letter to Credit Unions 02-CU-09 and Accounting Bulletin AB 06-01.

Investment Policy

Ensure the investment policy addresses all requirements outlined in Part 703 of the NCUA’s Regulations, such as permissible investments; explains how interest rate, liquidity, credit, and concentration risk will be managed; identifies who has investment authority and the extent of their authority, approved broker-dealers, approved safe keepers; and any other requirements. See Letter to Credit Unions 10-CU-18, Investment Due Diligence for guidance on investments.

Cash Policy

Identify how cash will be handled and the permissible amount to be held on the credit union’s premises. The amount of cash in teller drawers, vaults, etc. must be based on the bonding limits from an approved bond company. See section 713.5 of the NCUA’s Regulations for more information on the minimum bond coverage required.

Having a cash operation has Bank Secrecy Act implications, such as filing of Currency Transaction Reports (CTR) and Suspicious Activity Reports (SAR), which should be further addressed in the PFCU’s Bank Secrecy Act (BSA) policy.

Bank Secrecy Act/Customer Identification/Customer Due Diligence Program

Ensure these policies address all applicable requirements. Refer to the interagency Bank Secrecy Act/Anti-Money Laundering (BSA/AML) Examination Manual developed by the Federal Financial Institutions Examination Council member agencies, for information on the policy requirements, including how a member’s identity will be verified. The BSA program needs to be commensurate with the PFCU’s respective BSA/AML risk profiles and address the following required elements:

System of internal controls;
Independent testing;
Designated person or persons responsible;
Training; and
Customer due diligence.

In general, BSA requires credit unions to track cash transactions and purchases of cash equivalents, such as money orders, and to comply with other recordkeeping and reporting requirements. The forms used most frequently by credit unions to report transactions are the Currency Transaction Report and the Suspicious Activity Report.

The Customer Identification Program (CIP)/Customer Due Diligence (CDD) policy must detail the method to verify a person’s identity and include risk-based procedures for conducting ongoing customer due diligence and complying with beneficial ownership requirements for legal entity customers. It should indicate who will handle or respond to the information sharing requests (commonly known as 314a lists) provided by the Financial Crimes Enforcement Network (FinCEN).

Separate policies may be developed for BSA, CIP, and CDD if preferred. BSA regulatory requirements are located in Sections 748.1 and 748.2 of NCUA’s Regulations. Additional guidance is found on the NCUA’s Bank Secrecy Act Resources site in the National Credit Union Administration’s section of the FFIEC BSA/AML Examination Agency Resources site.

The BSA statute and implementing regulations can be viewed on FinCEN’s website.

Office of Foreign Assets Control (OFAC) Policy

Develop an OFAC policy addressing compliance, including appropriate actions to block, freeze, or prohibit transactions with persons and countries contained on the Specially Designated Nationals (SDN) and Blocked Persons list. Credit unions must take steps to download or otherwise obtain the SDN list from OFAC on a regular basis. Many data processing vendors have incorporated OFAC reviews, including the download of updated SDN lists, in their daily processing and monthly closing routines. Section 314 of the USA Patriot Act addresses cooperative efforts between law enforcement agencies and financial institutions to deter money laundering.

Truth-in-Savings (TIS) Policy

Develop TIS disclosures that comply with Part 707 of the NCUA’s Regulations. TIS disclosures outline the share products and include the terms, interest rates, maturity, fees, procedure for payment of dividends, etc., for each of the share products. NCUA Regulations section 701.35 covers permissible share accounts; permissible non-member deposits are outlined in section 701.32.

Director Fiduciary Duties

Develop a policy addressing the fiduciary responsibilities of the board of directors. The board of directors is responsible for the general direction and control of the credit union, including the ability to:

Carry out the duties of a director in good faith and in the best interests of the membership;
Administer the affairs of the credit union fairly, impartially, and without discrimination;
Direct management’s operations in conformity with the Federal Credit Union Act, the NCUA’s Regulations, other applicable law, and sound business practices; and
Develop a working familiarity with basic finance and accounting practices, including the ability to read and understand the credit union’s balance sheet and income statement and to ask, as appropriate, substantive questions of management and the internal and external auditors within six months of appointment or election.

The policy should also include training available to implement the objectives listed above. Section 701.4 of the NCUA’s Regulations and Letter to Federal Credit Union 11-FCU-02, Duties of Federal Credit Union Boards of Directors address directors’ fiduciary duties.

Reimbursement Policy

Develop, in accordance with section 701.33(b)(2)(i) of the NCUA Regulations, written policies and procedures, including documentation requirements, for the payment of reasonable and proper costs incurred by an official in carrying out the official’s responsibilities, if the board of directors determines the payment is necessary or appropriate to carry out the official business of the credit union. Such payment includes reimbursement to a credit union official or direct credit union payment to a third party.

Asset Liability Management (ALM) Policy

Ensure the asset liability management policy addresses interest rate risk limits, monitoring, reporting, and controls. ALM is a process of evaluating balance sheet risk (interest rate and liquidity risks) and making prudent decisions, which enables a credit union to remain financially viable as economic conditions change. An ALM policy is necessary to control interest rate risk and liquidity risk associated with longer term investments, real estate loans, and business lending activities. The following Letters to Credit Unions and the Examiner’s Guide provide additional information:

Liquidity Policy

Develop a liquidity policy that addresses:

Minimum cash levels;
Concentration limits in loans, investments, fixed assets, and other areas;
Approved liquidity sources such as a corporate credit union line of credit, correspondent banking relationships, Federal Home Loan Bank membership, the NCUA’s Central Liquidity Facility, or Federal Reserve System; and
Reporting and monitoring requirements.

Adequate liquidity management helps ensure management has sufficient funds available to meet demands for loans and share withdrawals. Section 741.12 of NCUA’s Regulations, the Examiner’s Guide, and Letters to Credit Unions 10-CU-14, Strengthening Funding and Liquidity Risk Management and 13-CU-10, Guidance on How to Comply with NCUA Regulation §741.12 Liquidity and Contingency Funding Plans provide information on liquidity and contingency funding plans.

Vendor Management/Third-Party Relationships

Develop a vendor management policy that addresses planning, due diligence, and controls required before engaging in third-party relationships. The level of planning, due diligence, and controls required to safely engage in any relationship depends upon the credit union’s risk profiles and the type of relationship with the vendor. Letters to Credit Unions 08-CU-09, Evaluating Third Party Relationships Questionnaire; 07-CU-13, Evaluating Third Party Relationships; and 01-CU-20, Due Diligence Over Third Party Service Providers provide information on vendor/third-party relationships.

E-Commerce Policy

Establish an e-commerce policy when the business plan calls for delivering financial services electronically, including the internet and audio response. This policy should address procedures that monitor and control activities relating to the electronic delivery of financial services. The following Letters to Credit Unions provide guidance on e-commerce:

Ensure this policy adequately addresses the federal consumer protection laws and regulations pertaining to electronic delivery of financial services, specifically the Electronic Fund Transfers Act (CFPB Regulation E, 12 CFR Part 1005) and Electronic Signatures in Global and National Commerce Act (E-SIGN Act, codified at 15 U.S.C. §§ 7001-7006, 7021, and 7031).

Security Program

Develop a security program covering the following areas:

Protecting each credit union office from robberies, burglaries, larcenies, and embezzlement;
Ensuring the security and confidentiality of member records (hardcopy and electronic records); and
Preventing the destruction of vital records.

As appropriate, the security policy needs to address the requirements and guidelines of the NCUA’s Regulations Part 748, Appendix A (Safeguarding Member Information), Appendix B (Incident Response Programs), and Part 749 (Records Preservation Program). Letters to Credit Unions 06-CU-07, IT Security Compliance Guide for Credit Unions and 02-CU-12, Security Program also provide guidance on developing a security program. Regulatory Alert 11-RA-03, Security Incidents Prevention and Detection addresses cybersecurity prevention and detection.

Disaster Recovery and Business Continuity or Resumption Policy

Establish a disaster recovery policy covering potential disasters and describes what staff must do and who they must notify in the event of a disaster. The policy should also indicate where back-up records will be stored or maintained. For guidance on disaster recovery programs, Risk Alert 06-RISK-01, Disaster Planning and Response and the following Letters to Credit Unions:

Ensure the policy includes business continuity and resumption procedures during failures affecting telecommunications networks, telephone lines, power grids, and water and sanitation systems.

Privacy Policy

Create a privacy policy addressing treatment of nonpublic personal information about consumers and compliance with annual disclosure requirements. For more information, refer to CFPB Regulation P (12 CFR Part 1016) and Letters to Credit Unions 02-CU-02, NCUA’s Privacy of Consumer Financial Information and 01-CU-02, Privacy of Consumer Financial Information.

Identity Theft Red Flags, Credit Report Address Discrepancies, and Records Disposal

Develop and implement written identity theft prevention programs under the Red Flags Rules, which implement part of the Fair and Accurate Credit Transactions Act of 2003 (FACTA). Under these rules, financial institutions and creditors with covered accounts must have identity theft prevention programs in place to identify, detect, and respond to patterns, practices, or specific activities that could indicate identity theft.¹ For more information, refer to Letter to Credit Unions 08-CU-24, Identity Theft Red Flags Procedures and Regulatory Alert 09-RA-06, Identity Theft Red Flags and Address Discrepancies Guidance.

FACTA also requires users of credit reports to implement reasonable policies and procedures to use when the user receives a notice of address discrepancy from a credit reporting agency. Additionally, credit unions and other financial institutions are required to adopt measures for properly disposing of consumer information derived from credit reports.²

Procedures for Major Operational Areas

In addition to the written policies in the section above, written procedures must be developed for all major areas of operations, including, but not limited to, record retention, maintaining and balancing general ledger accounts; capitalization or expenditure of purchases, and fixed asset calculation and limit.

Policies for Advanced Services

Policies should be established for any complex or higher-risk services planned for implementation during the first two years of operations. For example, a share draft program should have a policy to address the terms of the program, including who will qualify for an account, when an account will be closed, overdraft procedures, fees, clearing procedures, third party relationships, and compliance with the Expedited Funds Availability Act and the Check Clearing for the 21^st Century Act (Codified in Regulation CC, 12 CFR Part 229), the Truth-in-Savings Act, and the Reserve Requirements of Depository Institutions (Regulation D, 12 CFR 204). A credit union must also have a policy to address overdraft protection procedures, if applicable, as required in NCUA’ Regulations section 701.21(c)(3). See Letters to Credit Unions 05-CU-03, Overdraft Protection Bounce Protection Programs and 05-CU-21, Overdraft Courtesy Pay Programs; and Regulatory Alert 10-RA-12, Member Notice Requirements for Overdraft Services for information on overdraft courtesy pay programs.

Documentation Required for Developed Policies

Provide draft copies of all written policies.

¹ For FCUs, the red flags rules appear in NCUA Regulations Part 717, Subpart J (Identity Theft Red Flags) and Appendix J (Interagency Guidelines on Identity Theft Detection, Prevention, and Mitigation).

² For FCUs, the credit report address discrepancies and disposal of consumer information rules appear in the NCUA’s Regulations Part 717, Subpart I (Duties of Users of Consumer Reports Regarding Address Discrepancies and Records Disposal).