If the many zombie/post-apocalyptic films are any indication, our future holds some pretty drastic changes. If you knew that at some point this year 90 percent of the population will become zombies, or that the climate will change into a nuclear desert wasteland of broken humanity reduced to fighting for the necessities of life, you would likely build up a stock of supplies and maybe even bury a survival pod deep underground in your backyard. You’d have a much better chance of survival if you knew what was coming and when to expect it. While an NCUA exam is not on the level of a zombie apocalypse, the same principles apply. You’ll do much better in the exam if you know what to expect. Which is why, in a letter earlier this year, the NCUA told credit unions exactly what to expect for exams in 2017.
If you’re a small credit union with less than $50 million in assets, you can continue to expect a streamlined exam process. But for all other credit unions, there are six specific areas that you’ll want to have in tip-top shape.
1. Cybersecurity
NCUA plans to increase its emphasis on cybersecurity by focusing on how you’ve structured your assessment process. If you don’t currently have a good handle on your cybersecurity risk, now is the time to make some changes. Some good resources to take a look at are the FFIEC’s Cybersecurity Assessment Tool, and the tool that AffirmX has developed to make the FFIEC’s tool more user-friendly.
2. BSA Compliance
As in other years, BSA compliance remains a priority in NCUA exams. This year, however, examiners will zoom in on money services businesses, or MSBs. If your credit union provides services to an MSB, you’ll need specialized procedures in place to appropriately classify risk and determine the depth and intensity of monitoring that is necessary. Beyond just MSBs, however, it’s a good idea to make sure your monitoring system is properly and efficiently screening for suspicious activity, and that you’re well aware of, and appropriately managing, the risk profile of each of your members.
3. Interest Rate and Liquidity Risk
On January first, NCUA began using new interest rate risk exam procedures. These new procedures are meant to streamline the exam process and focus on credit unions with high interest-rate risk levels. Key changes to the process include a new interest-rate risk workbook and updated interest-rate risk-tolerance thresholds.
4. Commercial Lending
Revisions to CFR part 723 are effective as of January 1. This part requires credit unions to have a commercial lending policy and program in place. NCUA will be checking to make sure that these policies and programs effectively assess the risk management processes associated with managing a commercial loan portfolio. The letter also specifically mentions that credit unions should be ready with documentation that shows how management is monitoring and managing their commercial loan portfolio.
5. Consumer Compliance
We recently saw some big changes to the Military Lending Act, and there are more that will go into effect later this year. The NCUA wants to make sure that credit unions are complying with these changes. If you have not yet had an exam since the MLA changes went into effect in early October, NCUA will accept your “reasonable and good faith efforts” to comply. However, you’ll also be expected to show that you have a sound plan in place for implementing and managing the regulation, and “good faith efforts” do not apply when it comes to third-party liability under the MLA. Along with MLA compliance, the letter mentions that examiners will also check for compliance with the Servicemembers Civil Relief Act.
6. Internal Controls and Fraud Prevention
The letter notes that examiners will be doing a more detailed check in this area for credit unions with limited staff, because they may be more susceptible to internal fraud.
Now that the NCUA has shared with you what’s coming, examiners will expect you to be fully prepared for exams. If there are any of these areas that need some work, now is the time to fix issues and ensure that there are no cracks in your compliance program.