As the credit union industry enters 2019, it faces a changing business and technology landscape. With new areas of regulatory focus, changes in accounting and financial reporting standards, and continuing concerns over cybersecurity and other risks, credit unions will have much to consider as the year progresses.
Cybersecurity – a critical priorityLike all types of regulated financial services organizations, credit unions must work to stay abreast of regulators' current priorities, which naturally evolve over time as new risks and economic issues emerge. In today’s technological and business environments, cybersecurity risk has emerged as one of the leading concerns of credit unions and regulators alike.
Early indications of this interest could be seen as far back as 2013, when the Federal Financial Institutions Examination Council (FFIEC) established its Cybersecurity and Critical Infrastructure Working Group. More recently, in May 2017, the group updated its Cybersecurity Assessment Tool, which was created to give financial institution management teams a repeatable and measurable process for tracking their cybersecurity preparedness over time.
In addition to its activities as a member of the FFIEC, the National Credit Union Administration (NCUA) has taken additional steps to improve and standardize supervision related to cybersecurity risk in its regulated organizations. In 2018, the NCUA introduced its Automated Cybersecurity Examination Tool (ACET), which incorporates updated standards and practices, and began implementing it in credit unions with more than $1 billion in assets.
In 2019, examiners will expand use of the ACET to include credit unions with more than $250 million in assets. In addition, members can expect some additional testing and refining of the ACET as the NCUA reviews the results of its initial efforts in larger credit unions.
The priorities of credit union executives appear to reflect this continuing regulatory focus. For example, in a recent webinar sponsored by Crowe, executives from a broad cross section of credit unions were asked to identify which of the most widely discussed industry risks were of greatest concern to their senior management and boards. As shown in Exhibit 1, an overwhelming majority (73 percent) named cybersecurity risk as their institution's number one concern.
Exhibit 1: Credit union risk priorities