2019 Credit Union Outlook

By Eileen M. Iles, CPA, CIA, CFSA; Mark A. Taylor, CPA; and Niall K. Twomey, CRCM

As the credit union industry enters 2019, it faces a changing business and technology landscape. With new areas of regulatory focus, changes in accounting and financial reporting standards, and continuing concerns over cybersecurity and other risks, credit unions will have much to consider as the year progresses.

Cybersecurity – a critical priority

Like all types of regulated financial services organizations, credit unions must work to stay abreast of regulators' current priorities, which naturally evolve over time as new risks and economic issues emerge. In today’s technological and business environments, cybersecurity risk has emerged as one of the leading concerns of credit unions and regulators alike. 

Early indications of this interest could be seen as far back as 2013, when the Federal Financial Institutions Examination Council (FFIEC) established its Cybersecurity and Critical Infrastructure Working Group. More recently, in May 2017, the group updated its Cybersecurity Assessment Tool, which was created to give financial institution management teams a repeatable and measurable process for tracking their cybersecurity preparedness over time.

In addition to its activities as a member of the FFIEC, the National Credit Union Administration (NCUA) has taken additional steps to improve and standardize supervision related to cybersecurity risk in its regulated organizations. In 2018, the NCUA introduced its Automated Cybersecurity Examination Tool (ACET), which incorporates updated standards and practices, and began implementing it in credit unions with more than $1 billion in assets. 

In 2019, examiners will expand use of the ACET to include credit unions with more than $250 million in assets. In addition, members can expect some additional testing and refining of the ACET as the NCUA reviews the results of its initial efforts in larger credit unions.

The priorities of credit union executives appear to reflect this continuing regulatory focus. For example, in a recent webinar sponsored by Crowe, executives from a broad cross section of credit unions were asked to identify which of the most widely discussed industry risks were of greatest concern to their senior management and boards. As shown in Exhibit 1, an overwhelming majority (73 percent) named cybersecurity risk as their institution's number one concern. 

Exhibit 1: Credit union risk priorities

Source: Online survey of Crowe webinar participants, Dec. 12, 2018. Numbers might not equal 100 percent due to rounding. 

In addition to employing the FFIEC self-assessment tool or other appropriate frameworks, credit union management teams should continue to follow ongoing NCUA updates and guidance closely as part of a comprehensive cybersecurity program.

Other areas of regulatory focus 

In addition to cybersecurity, other risk-related topics also are expected to continue drawing high levels of regulatory scrutiny in 2019 and beyond. In its annual statement of supervisory priorities, the NCUA said examiners will continue to focus on large concentrations of loan products and concentrations of specific risk characteristics, noting that excessive credit concentrations are a common cause of losses.

Beyond focusing on concentration risk in general, examiners obviously will continue to focus on higher-risk portfolios. One line of business that has seen increasing attention over recent months has been the area of indirect auto loans, particularly as the proportion of longer-term auto loans continues to grow. 

Commercial lending and member business loans also have been attracting increasing attention, particularly in those credit unions where the prevalence of construction and development loans and similar products has grown significantly. In some instances, examiners have expressed concerns over the level of board oversight regarding this portion of the portfolio, and are looking for evidence of more robust credit administration and governance practices.

Another area that is expected to draw continuing regulatory attention during the coming year is compliance with the Bank Secrecy Act and anti-money laundering (BSA/AML) requirements. During 2018, the NCUA published a new supervisory letter (SL-18-01) that addresses compliance with new customer due diligence and beneficial ownership rules, along with a new BSA/AML questionnaire. 

The letter said that, for the remainder of 2018, field examiners were instructed not to identify noncompliance with the new standards as a significant violation as long as the credit union was “making a good faith effort” to comply. It also noted, however, that beginning in 2019 NCUA field staff would begin more in-depth reviews of credit unions’ BSA/AML policies, procedures, and processes.

Other agencies also have taken significant actions on BSA/AML issues in recent months. In mid-October 2018, the FFIEC launched a redesigned BSA/AML website with enhanced navigation and search capabilities, along with the ability to download sections of the BSA exam manual. 

Six weeks later, in early December, the Financial Crimes Enforcement Network and the four federal financial institution supervisory agencies (including the NCUA) issued a joint statement encouraging institutions to consider implementing innovative private sector approaches to combat money laundering, terrorist financing, and other illicit financial activity. The statement widely was regarded as providing some reassurance to participating institutions that they would not be penalized for employing innovative new third-party technology as part of their BSA/AML compliance efforts.

Accounting and financial reporting issues

A number of pending changes to U.S. GAAP will affect credit unions during 2019 and subsequent years. Among the most sweeping of these changes will be the new Financial Accounting Standards Board (FASB) rules for estimating expected credit losses. 

The new FASB standard replaces the incurred loss model for estimating credit losses with the current expected credit loss (CECL) model. Although the new model will apply to many types of financial assets that are measured at amortized cost, the largest impact for most credit unions will be on the allowance for loan and lease losses. 

The new standard goes into effect for credit unions for fiscal years beginning after Dec. 15, 2021, and the first call report affected by the new standard will be March 2022. Nevertheless, the NCUA has indicated it will be monitoring credit unions’ transition efforts to see that they have adequate models in place to enable smooth data collection and reporting.

While the pending implementation of the CECL model has generated significant attention and concern over the past few years, it is not the only change to U.S. GAAP that will affect credit unions during the coming years. For example, new rules for recognizing revenue from long-term contracts and new rules for the recognition and measurement of financial assets and liabilities will go into effect for most credit unions in 2019. 

The new revenue recognition standard – Accounting Standards Update (ASU) No. 2014-09, “Revenue From Contracts With Customers (Topic 606)” – has been evaluated and discussed extensively since it was first issued back in 2014. While its direct impact on financial institutions is less significant than its effects on some other industries, it nevertheless must be recognized and addressed. 

For most credit unions the new standard went into effect for annual reporting periods beginning after Dec. 15, 2018. If they have not done so already, credit unions should be reviewing their products and services to determine how their timing will affect revenue reporting, as well as the expanded disclosures that are likely to be required on their financial statements.

Another new standard – ASU 2016-01, “Financial Instruments – Overall (Subtopic 825-10): Recognition and Measurement of Financial Assets and Financial Liabilities” – also went into effect for most credit unions for annual reporting periods beginning after Dec. 15, 2018. It, too, will have a limited impact on many credit unions, but nevertheless should be reviewed by management in time to prepare for upcoming financial statements. In particular, the new rule requires equity securities (including mutual funds) to be measured at fair value through the income statement as opposed to accumulated other comprehensive income. The available-for-sale treatment no longer is an option for equity securities.

The FASB’s new lease accounting rules – ASU 2016-02, “Leases (Topic 842)”  – could have more far-reaching effects on many types of businesses, including credit unions. Under this new standard, all leases of more than 12 months’ duration now will be included on the balance sheet. As a result, many leases that previously had been characterized as operating leases only (and hence were disclosed only in footnotes to the financial statements) now must be reported as right-of-use assets, with offsetting lease liabilities.

For most credit unions, this change goes into effect for fiscal years beginning after Dec. 15, 2019, but financial teams will be working on the adoption of this standard well in advance. In addition to determining which of the several allowable transition methods they will use, credit unions also need to engage in a significant amount of data gathering and reviewing in order to identify various maintenance and service contracts they might not have regarded as leases in the past, but which they now must classify as such.

Compliance risk management 

Although most organizations understandably focus their risk management efforts toward regulatory compliance and adherence to financial reporting standards, an effort that is too narrowly focused on these areas can, in itself, expose the organization to broader types of risk. 

One of the most commonly encountered misconceptions about compliance risk management is the mistaken notion that it can be managed as a checklist function or a once-a-year activity. Risk management is not the sole responsibility of a compliance department, risk officer, or some other individual or department. Rather, compliance risk management should be embedded in all aspects of the institution as part of its foundation, its ongoing operations, and its long-term improvement system. 

Broadly speaking, an effective compliance risk management system is composed of four interdependent control components:
  1. Board and management oversight
  2. The compliance program itself, including policies and procedures, training, monitoring, and correction
  3. Response to consumer or member complaints
  4. Ongoing compliance audit
A credit union can successfully address its compliance responsibilities and risks only when all four of these control components are strong and well-coordinated. When the regulatory environment changes, an effective compliance risk management system will not merely update policies, but also will initiate action plans to assess the impact of those changes, both at the enterprise level and within the affected business lines.

In addition to establishing a strong compliance culture and a positive tone from the top, boards and senior executives also should take steps to see that each business line takes ownership of its own compliance activities and decisions, and that each has a clear understanding of compliance expectations and responsibilities. 

Enterprise risk management priorities

In addition to regulatory compliance and financial reporting issues, other risk management concerns among credit unions reflect longer-term strategic priorities. A preliminary – and partial – list of these broader enterprise risk management (ERM) topics includes:
  • Financial technology (fintech) disruption, innovation, and automation
  • Fintech companies competing with financial institutions
  • Privacy and information security, including the General Data Protection Regulation, which affects individuals within the European Union and the European Economic Area and covers the export of personal data outside both areas
  • Third-party risk management
  • Mergers and acquisitions
  • Succession
  • Retention of talent
  • Corporate culture
  • Sustaining member loyalty
  • Growing the membership
  • Economic conditions
  • Possible rising interest rates and impact on liquidity and capital
  • Cost pressures
While many credit unions actively are addressing such strategic risk issues, it appears there still is significant room for improvement. For example, among the credit union executives participating in the webinar described earlier, only 16 percent said their institutions had fully enhanced their ERM programs to incorporate strategy-related issues. (See Exhibit 2.)

Exhibit 2: Integrating ERM and strategy

Source: Online survey of Crowe webinar participants, Dec. 12, 2018
Although half of the respondents said they had partially integrated strategy into their ERM programs, another third had not yet started this critical effort. Those organizations, along with the 50 percent that have only partially developed programs, should be prepared to expend the necessary time and resources to address this growing priority.

As the economic, business, and technology environments continue to evolve over the coming year, credit union executive and management teams will undoubtedly encounter additional issues that even the most seasoned industry observers have not yet foreseen. Strong leadership and sound, proactive risk management programs can empower those organizations to use the changes that emerge in 2019 as a springboard for continued growth and financial success.

Contact us

Niall Twomey
Niall Twomey
Principal, Financial Services Consulting