Compliance Blog

Jun 02, 2017

ICYMI: NCUA Second Quarter News Letter; New Procedures for External Audit Reports

Here in DC we have been experiencing an extended chilly, rainy spring, but I hope the weather is better wherever you are. In the month of May, NCUA issued its second quarter newsletter that detailed numerous topics, including but not limited to: consumer compliance risk indicators; share insurance; indirect lending; information security; the new MBL rule; and the fifth BSA compliance "pillar".

In today's blog, I've highlighted a few topics from the second quarter 2017 newsletter. I've also included a note about a recent NCUA Credit Union Express regarding new procedures for delivery and review of external audit reports.

Managing an Indirect Lending Program

Credit unions have increased their lending for both new and used automobiles over the last several years. A key aspect of this growth has been indirect auto lending. To be clear, an indirect lending relationship exists when members within the credit union's field-of-membership apply for credit directly through a car dealer.

Although this indirect lending relationship can be a convenient way of diversifying the credit union's loan portfolios, an indirect lending program does come with potential risks. According to the NCUA Report, a credit union may want to "establish clear expectations and have regular contact with participating dealers to ensure the program is being administered in accordance with the board of director's expectations for risk management."

Credit unions can make strategic decisions when managing an indirect lending program, such as:

  • Establishing appropriate growth goals and concentration limits, along with minimum standards for creditworthiness;
  • Monitoring the performance and risk-levels of the portfolio;
  • Setting loan rates to ensure adequate profitability; and
  • Taking early action to revise the program when adverse performance trends occur.

The NCUA Report contains a more detailed discussion about preventative management practices.

Credit unions may want to seek to understand the unique risks associated with indirect lending and have the expertise and processes in place to offer this service safely. The credit union will definitely want to monitor trends in the auto lending market, which is currently showing signs of increased credit risk, and regulator evaluating the effectiveness of a credit union's risk-management practices.

FinCEN Adds Fifth BSA Compliance "Pillar"

In 2016, FinCEN issued a final rule that imposed new requirements for identifying and verifying beneficial owners of legal-entity customers. This new rule, which amended the Bank Secrecy Act, became effective in July 2016, and all federally insured credit unions must comply fully by May 11, 2018.

This final rule added a fifth core element to the original four core elements of an effective BSA and anti-money laundering compliance program. Under the new rule, a credit union's program must now include this fifth core element:

  • Risk-based procedures for conducting ongoing customer due diligence, to include, but not be limited to:
    • Understanding the nature and purpose of customer relationships for the purpose of developing a customer risk profile; and
    • Conducting ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain the update customer information.

Credit unions will need to develop and maintain compliance procedures to identify and verify the beneficial owners of legal-entity members. In preparation for the May 2018 implementation date, credit unions may want to review their "policies, processes, record-retention practices, information technology systems, employee training and other aspects of their BSA/AML compliance programs".

Please see these additional resources for more information:

“Customer Due Diligence Requirements for Financial Institutions,”

“Frequently Asked Questions Regarding Customer Due Diligence Requirements for Financial Institutions.”

Do You Need to Report an Information Security Incident?

Threats to information security range from unintentional human error to cyberattacks. Since members' sensitive information is constantly at risk, it is important that credit unions understand their reporting requirements when an information security incident occurs.

Regulatory Context

From a federal regulatory perspective, the Gramm-Leach-Bliley Act requires the NCUA Board to establish appropriate standards for federally insured credit unions relating to administrative, technical and physical safeguards for member records and information. Part 748 of NCUA's rules and regulations direct federally insured credit unions to establish a security program that incorporates Gramm-Leach-Bliley requirements and to detail response procedures to unauthorized access to member information.

Appendix B of Part 748 of NCUA's rules and regulations also directs a credit union's response program to contain procedures for notifying the appropriate NCUA regional director. According to the NCUA Report, the credit union may want to plan for the notification to occur as soon as possible after the credit union becomes aware of an incident involving unauthorized access to or use of sensitive member information. In addition, a federal insured, state-chartered credit union may also want to have procedures to notify its state supervisory authority.

Specifically, the preamble to the Federal Register notice for Part 748, Appendix B, states:

"The NUCA Board has concluded that the standard for notification to regulators should provide an early warning to allow [the] NCUA or applicable state supervisory agency to assess the effectiveness of a credit union's response plan, and, where appropriate, to direct that notice be given to members if the credit union has not already done so."

Note, "member information" is a defined term in Appendix A to Part 748, and the term "sensitive member information" is defined in Appendix B to Part 748.

In regards to Appendix B, NCUA Legal Opinion 06-0332 clarifies that "where an incident, even one involving sensitive member information, involves little or no likelihood of harm to the member, a credit union need not notify the NCUA." Consequently, the credit union's risk assessment of the incident is a critical component of your response program, and a material factor in your decision to notify the regional director.

Practical Application

According to the NCUA Report, credit unions may want to consider including details in their response programs concerning their notification procedures for members, regulators and other concerned parties.

To determine whether the regional director notification is warranted, the credit union may want to assess the inherent risk of the incident based on the information available. Then, if applicable, the credit union may want to consider any immediate mitigating actions it took to reduce the risk to the member. If the incident involves sensitive member information and presents the potential for harm (more than little-or no-likelihood of harm) to the member, the credit union may be prompted to notify the NCUA regional director. Federally insured, state-chartered credit unions may also notify their state supervisory authority.

Even if the credit union decided not to notify the NCUA regional director, the credit union may want to retain documentation of its risk assessment to demonstrate compliance with Part 748's reporting expectations.

The NCUA Report also details a best practice for the content of notifications to the NCUA regional director:

  • The incident;
  • The risk to the member or members;
  • The corrective actions taken already;
  • Any additional corrective or mitigation actions planned;
  • Your coordination with law enforcement; and
  • Any other relevant factors.

Note, state supervisory authorities may have their own notification requirements.

Lastly, the credit union may need to notify other parties, such as its insurance or bond company. Notifying your NCUA regional director does not replace other reporting requirements such as: filing a suspicious activity report, notifying the FBI or involving local law enforcement.

For more information, please visit the NCUA's Cybersecurity Resources Webpage.


New Procedures for External Audit Reports

Last month, NCUA issued a Credit Union Express that provided an overview of the new procedures for delivery and audit reports. NCUA has recently updated its policies governing how and when examiners will receive external audit reports. This updated procedure is meant to maintain better custody of audit reports. As the NCUA Credit Union Express mentions, "this new policy was created partly in response to a recommendation made by NCUA 's Office of Inspector General during a material loss review. The report recommended examiners obtain audit reports directly from the auditors rather than receiving them from credit union management to avoid any potential manipulation."

As an additional reference, please refer to the recently updated National Supervision Policy Manual (p.52/p.66 with PDF pagination):