In addition to employing the FFIEC self-assessment tool or other appropriate frameworks, credit union management teams should continue to follow ongoing NCUA updates and guidance closely as part of a comprehensive cybersecurity program.
Other areas of regulatory focus
In addition to cybersecurity, other risk-related topics also are expected to continue drawing high levels of regulatory scrutiny in 2019 and beyond. In its annual statement of supervisory priorities, the NCUA said examiners will continue to focus on large concentrations of loan products and concentrations of specific risk characteristics, noting that excessive credit concentrations are a common cause of losses.
Beyond focusing on concentration risk in general, examiners obviously will continue to focus on higher-risk portfolios. One line of business that has seen increasing attention over recent months has been the area of indirect auto loans, particularly as the proportion of longer-term auto loans continues to grow.
Commercial lending and member business loans also have been attracting increasing attention, particularly in those credit unions where the prevalence of construction and development loans and similar products has grown significantly. In some instances, examiners have expressed concerns over the level of board oversight regarding this portion of the portfolio, and are looking for evidence of more robust credit administration and governance practices.
Another area that is expected to draw continuing regulatory attention during the coming year is compliance with the Bank Secrecy Act and anti-money laundering (BSA/AML) requirements. During 2018, the NCUA published a new supervisory letter (SL-18-01) that addresses compliance with new customer due diligence and beneficial ownership rules, along with a new BSA/AML questionnaire.
The letter said that, for the remainder of 2018, field examiners were instructed not to identify noncompliance with the new standards as a significant violation as long as the credit union was “making a good faith effort” to comply. It also noted, however, that beginning in 2019 NCUA field staff would begin more in-depth reviews of credit unions’ BSA/AML policies, procedures, and processes.
Other agencies also have taken significant actions on BSA/AML issues in recent months. In mid-October 2018, the FFIEC launched a redesigned BSA/AML website with enhanced navigation and search capabilities, along with the ability to download sections of the BSA exam manual.
Six weeks later, in early December, the Financial Crimes Enforcement Network and the four federal financial institution supervisory agencies (including the NCUA) issued a joint statement encouraging institutions to consider implementing innovative private sector approaches to combat money laundering, terrorist financing, and other illicit financial activity. The statement was widely regarded as providing some reassurance to participating institutions that they would not be penalized for employing innovative new third-party technology as part of their BSA/AML compliance efforts.
Accounting and financial reporting issues
A number of pending changes to U.S. GAAP will affect credit unions during 2019 and subsequent years. Among the most sweeping of these changes will be the new Financial Accounting Standards Board (FASB) rules for estimating expected credit losses.
The new FASB standard replaces the incurred loss model for estimating credit losses with the current expected credit loss (CECL) model. Although the new model will apply to many types of financial assets that are measured at amortized cost, the largest impact for most credit unions will be on the allowance for loan and lease losses.
The new standard goes into effect for credit unions for fiscal years beginning after Dec. 15, 2021, and the first call report affected by the new standard will be March 2022. Nevertheless, the NCUA has indicated it will be monitoring credit unions’ transition efforts to see that they have adequate models in place to enable smooth data collection and reporting.
While the pending implementation of the CECL model has generated significant attention and concern over the past few years, it is not the only change to U.S. GAAP that will affect credit unions during the coming years. For example, new rules for recognizing revenue from long-term contracts and new rules for the recognition and measurement of financial assets and liabilities will go into effect for most credit unions in 2019.
The new revenue recognition standard – Accounting Standards Update (ASU) No. 2014-09, “Revenue From Contracts With Customers (Topic 606)” – has been evaluated and discussed extensively since it was first issued back in 2014. While its direct impact on financial institutions is less significant than its effects on some other industries, it nevertheless must be recognized and addressed.
For most credit unions the new standard went into effect for annual reporting periods beginning after Dec. 15, 2018. If they have not done so already, credit unions should be reviewing their products and services to determine how their timing will affect revenue reporting, as well as the expanded disclosures that are likely to be required on their financial statements.
Another new standard – ASU 2016-01, “Financial Instruments – Overall (Subtopic 825-10): Recognition and Measurement of Financial Assets and Financial Liabilities” – also went into effect for most credit unions for annual reporting periods beginning after Dec. 15, 2018. It, too, will have a limited impact on many credit unions, but nevertheless should be reviewed by management in time to prepare for upcoming financial statements. In particular, the new rule requires equity securities (including mutual funds) to be measured at fair value through the income statement as opposed to accumulated other comprehensive income. The available-for-sale treatment no longer is an option for equity securities.
The FASB’s new lease accounting rules – ASU 2016-02, “Leases (Topic 842)” – could have more far-reaching effects on many types of businesses, including credit unions. Under this new standard, all leases of more than 12 months’ duration now will be included on the balance sheet. As a result, many leases that previously had been characterized as operating leases only (and hence were disclosed only in footnotes to the financial statements) now must be reported as right-of-use assets, with offsetting lease liabilities.
For most credit unions, this change goes into effect for fiscal years beginning after Dec. 15, 2019, but financial teams will be working on the adoption of this standard well in advance. In addition to determining which of the several allowable transition methods they will use, credit unions also need to engage in a significant amount of data gathering and reviewing in order to identify various maintenance and service contracts they might not have regarded as leases in the past, but which they now must classify as such.
Compliance risk management
Although most organizations understandably focus their risk management efforts toward regulatory compliance and adherence to financial reporting standards, an effort that is too narrowly focused on these areas can, in itself, expose the organization to broader types of risk.
One of the most commonly encountered misconceptions about compliance risk management is the mistaken notion that it can be managed as a checklist function or a once-a-year activity. Risk management is not the sole responsibility of a compliance department, risk officer, or some other individual or department. Rather, compliance risk management should be embedded in all aspects of the institution as part of its foundation, its ongoing operations, and its long-term improvement system.
Broadly speaking, an effective compliance risk management system is composed of four interdependent control components:
- Board and management oversight
- The compliance program itself, including policies and procedures, training, monitoring, and correction
- Response to consumer or member complaints
- Ongoing compliance audit
A credit union can successfully address its compliance responsibilities and risks only when all four of these control components are strong and well-coordinated. When the regulatory environment changes, an effective compliance risk management system will not merely update policies, but also will initiate action plans to assess the impact of those changes, both at the enterprise level and within the affected business lines.
In addition to establishing a strong compliance culture and a positive tone from the top, boards and senior executives also should take steps to see that each business line takes ownership of its own compliance activities and decisions, and that each has a clear understanding of compliance expectations and responsibilities.
Enterprise risk management priorities
In addition to regulatory compliance and financial reporting issues, other risk management concerns among credit unions reflect longer-term strategic priorities. A preliminary – and partial – list of these broader enterprise risk management (ERM) topics includes:
- Financial technology (fintech) disruption, innovation, and automation
- Fintech companies competing with financial institutions
- Privacy and information security, including the General Data Protection Regulation, which affects individuals within the European Union and the European Economic Area and covers the export of personal data outside both areas
- Third-party risk management
- Mergers and acquisitions
- Succession
- Retention of talent
- Corporate culture
- Sustaining member loyalty
- Growing the membership
- Economic conditions
- Possible rising interest rates and impact on liquidity and capital
- Cost pressures
While many credit unions are actively addressing such strategic risk issues, it appears there still is significant room for improvement. For example, among the credit union executives participating in the webinar described earlier, only 16 percent said their institutions had fully enhanced their ERM programs to incorporate strategy-related issues. (See Exhibit 2.)
Exhibit 2: Integrating ERM and strategy