Credit union outlook 2022: Takeaways for the year ahead

Cybersecurity risk management

Recap: The NCUA released the Automated Cybersecurity Evaluation Toolbox (ACET) in 2021, which aligns with Federal Financial Institutions Examination Council (FFIEC) self-assessment tool and is used to measure cybersecurity preparedness. Many institutions use this as a starting point to help identify gaps in their cybersecurity and risk management programs. While these assessments aren’t mandatory, they are increasingly important to help combat ransomware – especially as agencies are seeing an uptick in these attacks at institutions of all sizes.

Bank Secrecy Act/anti-money laundering (BSA/AML) and terrorist financing

Recap: The implementation of the AML Act of 2020 and the Corporate Transparency Act (CTA) will prompt updates for BSA/AML policies and procedures. In addition, interagency efforts are underway to improve both Currency Transaction Report (CTR) and Suspicious Activity Report (SAR) filings.

Keep an eye on: Watch for further updates to the FFIEC BSA/AML exam manual. The NCUA has a resource center that highlights current developments.

Third-party risk management

Recap: Many institutions are refining their processes and exam procedures around third-party risk management and vendor risk management, with a heavy emphasis on fintech providers. Credit unions partnering with new technology providers will want to follow the NCUA’s guidance and talk early and often to NCUA examiners.

Keep an eye on: The NCUA has been focused on concentration risk for quite some time, so credit unions should pay close attention and make sure they are thoroughly identifying and managing credit concentrations. They also should watch out for developing climate financial risk supervisory policy.

Fair lending programs

Recap: The NCUA continues to examine for compliance with applicable consumer financial protection laws and regulations during every federal credit union examination. As credit unions explore what their fair lending programs look like now and what they should look like, focus should be on the following pillars:

• Risk assessment
• Monitoring and analysis
• Vendor- and model-related risk
• Complaints
• Servicing and loss mitigation

Fair Credit Reporting Act (FCRA)

Recap: The FCRA has been affected over the past couple of years by deferrals and by what the Coronavirus Aid, Relief, and Economic Security Act (CARES Act) has allowed in terms of topics like reporting delinquencies.

Keep an eye on: Credit unions should consider these questions when focusing on the FCRA:

• Has member data been handled according to the CARES Act requirements?
• Has our reporting over the past couple of years has been timely and accurate?
• Has the integrity of credit data reporting to the major credit bureaus been tested?
• Are FCRA-related complaints being monitored?
• Is the dispute process handled centrally, or is it decentralized? Are disputes handled consistently (for example, following operational procedures and guidance)?

Overdraft programs

Recap: Regulators are focused on overdraft programs throughout the country. If they haven’t already, credit unions should revisit their overdraft program and consider the following topics:

• Fee amounts and limits, including a de minimis amount and daily limit
• Comparison with geographic peers
• Accounts with overdraft privilege
• Monitoring complaints to be proactive
• Monitoring refunded fees for disparate impact or treatment

Keep an eye on: Data is available for examination by regulators and consumer groups alike, which means it’s critical to analyze data internally and understand what it reflects. Other topics to keep top of mind include:

• Servicemembers Civil Relief Act
• Electronic Fund Transfer Act
• Risks related to unfair, deceptive, or abusive acts or practices across the enterprise
• Monitoring of vendors (such as overdraft vendors, mortgage subservicers, and flood vendors)
• Relationships with fintechs (specifically, confidence in their compliance programs, models, and complaint management)

Recap: The financial services industry continues to observe persistent and ever-present cyberthreat actors, especially as banking data continues to hold value to criminals. People are still the primary facilitator of successful cyberattacks, due to many individuals demonstrating a lack of awareness of and attentiveness to ongoing attacks. Digital transformation and remote working have accelerated the possibility of cyberattacks. Based on refreshed guidance, frameworks, and assessments, and as risk transference becomes more costly and difficult, credit unions should ask:

• Are we targeted?
• How prepared are we?
• Are we doing enough?

Keep an eye on: Cybersecurity and cyber risk assessments are organizational needs that require attention. Like other risks, cybersecurity considerations must be incorporated into both operational and strategic decision-making processes and require organizational alignment, cooperation, and appropriate governance. It’s important for credit unions to understand the effects of cybersecurity on specific business objectives and obtain adequate representation and diverse expertise to establish and develop their risk posture and cyber risk appetite.

Recap: Here’s an overview of what Crowe is seeing in the market:

• Targeted, network-based penetration testing. Clients continue to seek new and innovative ways to test and challenge their controls, processes, and employees by performing targeted cyberattacks against their own networks and systems.
• Continued exploration in robotic process automation. Areas where credit unions are investing include loan applications and servicing, deposit account creation, account closure, customer service, know-your-customer standards, quality assurance processing, and regulatory compliance.
• Sustained remote worker arrangements. Technology that enables sustained connectivity and access to banking applications have mostly been implemented, yet refinements around usability, security, and access persist.
• Data. Clients continue to explore meaningful ways to correlate customer data with recognized patterns and trends to drive business decision-making, customer targeting, and increased revenue. Examiners also continue to focus on data governance.
• Pandemic planning. Adjustments to how systems are accessed and used (due to COVID-19 and weather events) have driven changes in multiple supporting operations and respective documentation, including disaster recovery, business continuity, and third-party risk management.
• Migration to the cloud. The past two years saw a tremendous acceleration of cloud migrations, mostly due to the need to sustain employee connectivity.

Keep an eye on: More advanced levels of penetration testing might be valuable for organizations looking to dig a bit deeper or evaluate more specific possible weaknesses. These types of tests are referred to as “red team,” “purple team,” or “simulation tests,” where the focus of a test is narrowed and the depth, length of testing, and collaboration with those being tested are increased.