Man, that went fast, didn’t it? It feels like 2017 just started yesterday, but I guess things are never “slow” when it comes to compliance. Now it is time to prepare for 2018, a year in which we will see new (and old) priorities from our regulator friends. NCUA recently published their supervisory priorities for 2018 and I wanted to take this time to give a brief recap of what they will be looking for this upcoming year.
It is not a surprise that cybersecurity is a top focus going into 2018. Data breaches dominated the headlines in 2017, and with the use of technology becoming more prominent in everything that we do, it makes sense that this is a top focus again this year. This year the NCUA will begin implementing the Automated Cybersecurity Examination Tool (ACET), which was designed to help improve and standardize the review process. The ACET aligns with the FFIEC Cybersecurity Assessment Tool, so I would highly recommend that you complete your own assessment based on this guidance. The NCUA does state that they will be using the ACET during exams for credit unions that have over $1 billion in assets. This will allow them to set a baseline for how this looks today, and then they can scale and redefine from there how it should look for smaller institutions.
Bank Secrecy Act (BSA)
Nothing new here. BSA is and will be a top priority for the foreseeable future. The only notable change here is the review of your compliance with the new Customer Due Diligence requirements that go into effect May 11, 2018. So if you haven’t done so already, make sure your policies and procedures are updated to reflect these changes.
Internal Controls and Fraud Prevention
Pretty much status quo here. The sentences below come directly from the NCUA's letter.
"Credit union safety and soundness includes establishing a strong system of internal controls and a comprehensive approach to managing fraud risk. Examiners will continue to evaluate the adequacy of credit union internal controls, as well as overall efforts to prevent and detect fraud."
Interest Rate and Liquidity Risk
Again, this is another recurring priority. Credit unions will be examined based on the revised interest rate risk tool that went into effect January 1, 2017. If you weren’t examined last year, I would recommend taking a look at the Revised Interest Rate Risk Letter to ensure you are ready this year. They also state that there will be an increased focus on liquidity risk management practices given the emerging trends related to on-balance-sheet liquidity.
Below is what the NCUA is saying about auto lending this year.
"Examiners will apply additional scrutiny to credit unions with material exposure to higher risk forms of auto lending. Specifically, examiners will focus on portfolios with the following concentrations:
- Extended loan maturities of over 7 years.
- High loan-to-value.
- Near-prime or subprime.
- Indirect lending programs.
For more information, see the NCUA Letter to Credit Unions, 10-CU-03, Concentration Risk."
Same ole, same ole here. You’ll want to make sure that you have made all of the necessary changes to comply with last year’s Member Business Loans changes.
There are three areas of focus that they mention here: HMDA, MLA, and Reg E. Starting in the second quarter, examiners will be completing limited reviews of your quarterly LAR to evaluate your “good faith effort” to comply with the new HMDA changes. The nice thing here is that there is no intention to cite violations or assess penalties for noncompliance. The goal here is to identify gaps and areas where you can improve. Let’s be honest, these examiners are going to be learning at the same time you are. The MLA focus revolves around your effort to comply with the "restrictions against the use of certain contract terms", as well as the "credit card provisions" that took effect in October. The Reg E focus is interesting. They state that the focus here will be on your overdraft policies and procedures. We have seen this topic gain steam over the last few years, so don’t be surprised if we see more guidance come out in 2018.
Like I said, things are never slow when it comes to compliance.