Credit union exams are basically open-book tests. Examiners tell you exactly what they’ll be looking for and what they want to see.
2024 is no different. The National Credit Union Administration (NCUA) released its 2024 Supervisory Priorities highlighting areas sure to draw examiner scrutiny. While many of the priorities are dedicated to credit unions' financial condition – including credit risk, liquidity risk, and interest rate risk – many others are focused on compliance and operational risk.
Let’s take a closer look at the compliance and operational risks top of mind for NCUA examiners in 2024 and how you can best prepare.
The Consumer Financial Protection Bureau (CFPB) isn’t the only regulatory agency taking a closer look at so-called “junk fees.” The NCUA plans to continue its expanded review of credit unions’ overdraft programs, which began in 2023. It will focus on website advertising, transactions that post after other transactions to bring a member’s balance into the negative (ASPNs), balance calculations, and the order in which checks are settled and whether that order increases the number of surprise overdrafts. It also updated its call report for larger credit unions to pay even more attention to overdraft fees.
The big question: Do you know if your overdraft program is harmful or unfair to members? If so, have you done anything to address the problem?
A risk assessment of your credit union’s overdraft program is one way to show examiners you’ve reviewed your program and are confident that it’s helping, not harming, consumers – or that it wasn’t as helpful as it should have been and you’ve taken steps to correct the oversight.
Credit unions must also remain vigilant in fair lending. Redlining, unequal marketing and community outreach, and pricing discrimination are on NCUA’s radar.
When the Department of Justice (DOJ) launched its Initiative to Combat Redlining in 2021, financial institutions were unprepared for its aggressiveness. With more than $100 million in settlements to date, agencies continue to refer cases to the DOJ, and it continues to prosecute. DOJ expanded redlining enforcement to a nonbank lender for the first time in 2022, demonstrating its commitment to root out redlining wherever it occurs.
How is your fair lending compliance faring? How do you know? If you haven’t analyzed your lending data, you’re missing out on the best way to uncover and investigate disparities.
No credit union discriminates on purpose. Fair lending analytics software helps identify potential discrimination and fair lending violations.
While not mentioned explicitly in the priorities, appraisal bias is also likely to be top of mind for examiners after the FFIEC released exam principles to help examiners identify discrimination in residential property valuation. Credit unions should ensure partner appraisers are acting fairly and implement reviews.
Given the high number of auto loans credit unions underwrite, NCUA announced it will perform fair lending examinations of credit unions’ auto loan portfolios if they meet the following criteria:
Examiners will review policies, procedures, and disclosures for compliance with the Truth in Lending Act (TILA/Reg Z) and Guaranteed Asset Protection (GAP) insurance policies on auto loans.
GAP insurance has been a persistent problem for credit unions. Dealers do not always provide accurate refunds of GAP waivers in the event of early payoffs, leading to compliance headaches and litigation for credit unions. To avoid these issues, credit unions must oversee the GAP refund process.
Even if your credit union does not meet the above criteria for special examination, the NCUA may still review your indirect auto loan portfolio.
Flood insurance requirements are deceptively easy to follow. Yet every year, examiners assess civil penalties for institutions that fail to renew flood insurance for borrowers or close loans without this legally mandated protection.
NCUA’s supervisory priorities mention flood insurance as an afterthought, but credit unions assessed $2,000 per violation recognize the importance of complying with the National Flood Insurance Act.
NCUA’s 2023 supervisory priorities didn’t mention Bank Secrecy Act/Anti-Money Laundering (BSA/AML) compliance, but examiners are approaching it with renewed interest in 2024.
A $100,000 civil penalty brought by FinCEN against a BSA Compliance Officer at a New York credit union in January 2023 may have something to do with it. The employee in question allowed millions in deposits to flow into suspicious funds, including his own Money Service Business (MSB).
BSA/AML compliance looms as a risk for every financial institution and credit union, regardless of asset size. While the case above was the work of a bad actor, failure to train staff on BSA/AML compliance or weak controls can wreak havoc for credit unions.
After all, the credit union mentioned above no longer exists. There aren’t many credit union violations that can shutter your institution, but BSA is one of them. Make sure you’re conducting risk assessments of your BSA/AML compliance program to understand your BSA risk.
Sixty credit unions faced service outages and interruptions late last year when a third-party disaster recovery and business continuity service provider (BCP) failed to patch a critical vulnerability.
The danger of internal and third-party cybersecurity breaches makes cybersecurity a perennial concern for examiners. The NCUA will continue using the ACET toolbox and FFIEC IT Examination Handbook to evaluate the strength of credit unions’ information security programs.
Additionally, the NCUA reminds credit unions that they must adhere to the new Cyber Incident Notification Reporting Rule that went into effect on September 1, 2023. Under the reporting rule, CUs must notify the NCUA within 72 hours if they believe a cyber incident has occurred. They are also responsible for notifying the NCUA of third-party breaches affecting their institution.
The key steps for the Cyber Incident Notification Reporting Rule include:
In the first month after the new reporting rule was enacted, credit unions reported 146 cyber incidents, many arising from third-party vendors.
Credit unions benefit tremendously from continuous third-party cybermonitoring.
The NCUA demands more from credit unions' compliance and cybersecurity programs each year. The good news is that you can systematize and streamline these functions with the proper risk and compliance management solutions.
Don’t go it alone. Be proactive about managing these risks before they turn into costly mistakes discovered by examiners.