Key Takeaways From Our 2025 Credit Union Update

Our midyear credit union briefing brought together accounting, regulatory, and risk specialists to help credit union leaders navigate shifting conditions across a variety of areas, including financial reporting, consumer protection, and cybersecurity. Here are some key takeaways from that briefing, which can help inform planning conversations and board-level decisions.

Accounting and financial reporting

• Prepare for purchased financial assets accounting changes.
  • Assess the potential effect of the expected new guidance on your acquisition strategy.
  • If an acquisition is imminent, consider early adoption scenarios for when the Accounting Standards Update is finalized (expected in Q4), and confirm alignment between accounting and M&A teams.
• Reevaluate capitalization practices for internal-use software.
  • With the recent issuance of the standard, update capitalization policies to reflect the new probability threshold and funding commitment criteria. For more information, see the Crowe article “FASB Revises Internal-Use Software Cost Guidance.”
  • Engage with technology and finance leaders to assess implications for budgeting, forecasting, and project planning.

Regulatory and compliance readiness

• Strengthen first-line ownership of compliance risk.
  • Clarify roles and responsibilities across the three lines of defense.
  • Provide targeted training to business units, particularly in lending and servicing functions.
• Update and operationalize fair lending policies.
  • Ensure policies reflect current regulatory expectations, including those related to appraisal bias and merger activity.
  • Develop or enhance fair lending reporting for board and executive visibility.
  • Assess readiness to evaluate lending data for fair lending risks, including those related to non-Home Mortgage Disclosure Act portfolios.
• Enhance governance related to third-party relationships.
  • Expand vendor oversight to include fair lending and cybersecurity considerations.
  • Review advertising and marketing practices for compliance with consumer protection regulations.

Cybersecurity and technology risk

• Assess and reinforce incident response protocols.
  • Confirm that your credit union’s process for 72-hour incident reporting – including for third-party breaches – is clear and tested.
  • Include tabletop exercises that account for AI-driven threats and impersonation tactics.
• Layer your defenses to match evolving threats.
  • Evaluate technical controls such as multifactor authentication, endpoint protection, and access governance.
  • Enhance training for business units to recognize social engineering, phishing, and emerging deepfake scenarios.
• Implement intentional AI governance.
  • Form or expand steering committees to review AI use cases, risks, and controls.
  • Establish clear parameters for acceptable use, especially when member data or automated decision-making is involved.

This list can help credit unions determine focused next steps and create a comprehensive plan for the rest of 2025.