ICYMI: NCUA Online Examiner’s Guide Includes COVID-19 Chapter
Many may recall that the NCUA updated its supervisory priorities in July 2020, as detailed in this past NAFCU Compliance Blog post. But something that was not highlighted in that document that credit unions should be aware of is there is also a new chapter in the online NCUA Examiner’s Guide (guide) that is dedicated to COVID-19. The chapter provides more details on the items highlighted as additional exam priorities as well as a discussion on how NCUA will review credit unions’ operational risk in light of COVID-19. The entire chapter is worth reviewing as a credit union prepares for an upcoming examination, but here are some highlights.
Credit Union Operations
The COVID-19 chapter has a subsection dedicated to CU operations that touches on issues like strategic risk, cybersecurity, earnings and capital. There is also a discussion of risk management expectations. While the guide advises examiners to be “mindful” that a crisis can mean a lag in risk management changes, as operations “have stabilized” then the “lessons learned” by a credit union “can be thoughtfully incorporated.” NCUA will look at a credit union’s decision-making process, expecting an initial risk assessment and a process for refining that assessment as more information becomes available. Examiners will look for a few things on these risk assessments like:
- Whether it is sufficient in scope and content, which will vary based on the CU’s size, complexity and risk exposure;
- Management’s best estimate of the CU’s asset quality given the economic conditions, including the implications for earnings, capital, funding, liquidity, operations and asset/liability management; and
- The effectiveness of the CU’s operational capability and business continuity plan.
There are also cybersecurity specific items relative to CU operations addressed in the COVID-19 section of the guide that addresses expectations for employees working remotely. Of course, NCUA expects CU employees working remotely to follow information security- and privacy-related policies and procedures. But the agency also outlined some specifics to include in policies and procedures for remote workers:
- Ensuring that family members or others do not use devices designated for work
- Implementing session time outs and encryption of sensitive information
- Keeping devices physically secure
- Working with a user account and not an administrator or privileged account
- Establishing strong, unique passwords for all log-ins and devices on their home network
- Leveraging firewall capabilities available through internet service providers
- Increasing wireless security to the strongest encryption option
- Removing unnecessary services and software
- Updating software regularly
- Maintaining antivirus software and ensuring timely updates to definitions
- Collecting and maintaining system and account logs
Paycheck Protection Program
As part of the July 2020 update to the supervisory priorities, NCUA indicated that good faith efforts to comply with the CARES Act would be a focus, including the PPP if a CU participated in that program. The guide has a subsection on this topic indicating that NCUA will review basic components of PPP. For example: the CU’s eligibility criteria to participate in the program as a lender; whether the borrowers the CU lent to were eligible for PPP loans; if the PPP loans made by the CU conform to the loan terms set forth by the Small Business Administration (SBA); loan documentation and underwriting; loan forgiveness; and loans to credit union board members or other officials.
There is also a separate section on small-dollar loans that refers back to Letter to Credit Unions 20-CU-04, Responsible Small-Dollar Lending in Response to COVID-19. The guide scopes small-dollar lending as unsecured loans in amounts up to $5,000. As demand for these kinds of loans often increases during a crisis, NCUA has encouraged CUs to offer “responsible” loans to those members that may face hardships.
There are multiple other subsections on topics like credit risk, loan workouts, allowance for loan and lease losses, liquidity, and more so again this chapter is worth taking a closer look at before an exam. Finally, recall that in March 2020 and again in May 2020 NCUA issued guidance on its offsite examination approach. In part, the agency indicated that examiners would take the “extraordinary circumstances” of the pandemic into consideration. NCUA also stated it would not “criticize a credit union’s efforts to provide prudent relief for members when such efforts are conducted in a reasonable manner with proper controls and management oversight.” While this sounds like the expectation is not that hindsight be 20/20, it remains to be seen what will be considered sufficient oversight or controls as NCUA examines in the current environment.