NCUA Releases Supervisory Priorities for 2018


The NCUA released Letter to Credit Unions 17-CU-09, which provides insight into the supervisory priorities of the administration for the coming year. This year’s exam focus areas will be: cybersecurity assessment, BSA compliance, internal controls and fraud prevention, interest rate and liquidity risk, automobile lending, commercial lending, and consumer compliance.

Details on each of the administration’s areas of focus are below:

Cybersecurity Assessments – Cybersecurity remains at the top of the list for the NCUA, five years running. The NCUA plans to begin implementing the Automated Cybersecurity Examination Tool (ACET), which incorporates appropriate standards and practices established for financial institutions and aligns with the FFIEC Cybersecurity Assessment Tool (CAT). Credit unions should continue to perform self-assessments. The NCUA examiners will first start using the ACET for credit unions with over $1 billion in assets to help establish a baseline for the cybersecurity maturity level of the largest and most complex credit unions.

BSA Compliance – Examiners will continue to review credit unions’ compliance with the Bank Secrecy Act, and begin assessing compliance with the Customer Due Diligence for Legal Entity Members, which becomes effective on May 11, 2018.

Internal Controls and Fraud Prevention – Examiners will continue to evaluate the adequacy of credit union internal controls, as well as overall efforts to prevent and detect fraud.

Interest Rate and Liquidity Risk – The NCUA rolled out the new interest rate supervisory tool last year.  Because of exam cycles, not all credit unions were examined under the new procedures. For some, their first examination under the new procedures will be in 2018. Examiners will also increase their focus on liquidity risk management practices.

Automobile Lending – Examiners will apply additional scrutiny to credit unions with material exposure to higher-risk forms of auto lending. Specifically, examiners will focus on portfolios with the following concentrations:

  • Extended loan maturities of over 7 years
  • High loan-to-value
  • Near-prime or subprime
  • Indirect lending programs

Commercial Lending – For credit unions involved in commercial lending, the NCUA will continue to focus on commercial loan policies and procedures, along with assessing the effectiveness of the credit union’s risk management processes. Credit unions should be prepared to ensure the policy, practices, and staffing are appropriate for the type of commercial loans offered.

Consumer Compliance – The NCUA will focus on three key areas of consumer compliance: the new HMDA requirements, MLA compliance, and overdraft policies and procedures for compliance with Regulation E.

Question of the Week

Does the FACT Act ID Theft Red Flag regulation require a credit union to report on compliance with the regulation to the Board of Directors annually?

Yes.  The regulation requires a credit union to annually report to its board of directors (a committee of the board or a designated senior management employee) regarding compliance with the FACT Act red flag regulations.  The guidelines require that the report include:

  • The effectiveness of the policies and procedures of the credit union in addressing the risk of ID theft in connection with the opening and existence of covered accounts;
  • Service provider arrangements;
  • Significant incidents involving ID theft and management’s response; and
  • Recommendations for material changes to the program.


Legal Briefs

Consumer Financial Protection Bureau (CFPB)

The CFPB released its biennial report on the state of the credit card market. The report found that total credit lines are below pre-crisis levels but are steadily increasing, more secured cards are being issued, and cardholders average fewer credit cards than before the recession.

Federal Reserve Board (FRB)

The FRB issued a request for comment on proposed guidance clarifying its supervisory expectations related to risk management of large financial institutions.

The FRB released the minutes from the Dec. 12, 2017, Federal Open Market Committee meeting.

Department of Justice (DOJ)

The DOJ released a memo on its new federal marijuana enforcement policy, which includes a rescission of the Cole Memo.

Office of Foreign Assets Control (OFAC)

OFAC has updated the SDN list as of Jan. 4, 2018. The last update prior to this was Jan. 5, 2018.

Questions? Contact the Compliance Hotline: 1.800.546.4465,

