The National Credit Union Administration (NCUA) recently published its annual list of supervisory priorities for the upcoming exam cycle in a Letter to Credit Unions 19-CU-01. While this year’s letter brought a list of items that were expected, there are a few new items that may be of concern. To help their clients prepare, Wipfli/Macpage developed a checklist of focus areas outlined below, along with their thoughts and recommendations for compliance.
- Bank Secrecy Act Compliance – Make sure your upcoming BSA audit scope includes a review of the member due diligence process and identification and verification of beneficial owner(s) of legal entity members. Knowing your member is a major focus and important aspect in complying with the BSA/OFAC requirements. Also, if an anti-money laundering system is used for suspicious activity monitoring and the due diligence process, we recommend that the system be reviewed and validated on a periodic basis to ensure it is being used effectively.
- Concentrations of Credit – Most credit unions have a concentration policy, however it is worth revisiting the NCUA Letter to Credit Unions 10-CU-03 to ensure your current policies and procedures are capturing key risks and are appropriately monitored. If your credit union doesn’t have a policy, one should be considered. Concentrations could include loans with similar collateral types, loan terms, business loans, participation loans in a specific geographic area, and loans to one borrower or group of borrowers. Concentrations should also be considered when conducting strategic planning, considering a merger, making loan purchases, and when developing new products.
- Consumer Compliance – This year’s focus is with the Home Mortgage Disclosure Act, so it is important that the credit union review the processes for compliance with the regulation, including the new data points and exemption determination. We recommend continuous review of the Loan/Application Register (LAR) throughout the year. This will help ensure that information is being pulled correctly and reduce last minute clean-ups before the year-end filing. Remember, the regulation does require that the LAR be updated by 30 days following the end of each quarter. Examiners will also continue to focus on the Military Lending Act compliance, adverse action notices for compliance with Regulation B, and compliance with Regulation E. With the continued changes and scrutiny on regulations, it is important that the credit union maintain a strong compliance management program including policies and procedures, training, and compliance audits of the various regulations. The overall compliance management program should also be reviewed on a periodic basis.
- Current Expected Credit Losses (CECL) – Though the CECL implementation date has been delayed another year, effective for year ends beginning after December 15, 2021, examiners will be evaluating the credit union’s readiness for this accounting change. Credit unions should be evaluating the methodologies, gathering data, researching vendor models, and running parallel models to help prepare for the effective date.
- Information Systems and Assurance – Credit unions should be assessing the maturity of the IT environment using the Automated Cybersecurity Examination Toolbox (ACET) to help strengthen the IT program. This can be done using the credit union’s in house resources, or it can be outsourced. Credit unions should also be evaluating the IT audit schedule and scopes to ensure that IT risks are being mitigated and audited on a regular basis.
- Liquidity and Interest Rate Risks – Credit unions should have an asset liability management program in place to identify and monitor liquidity and interest rate risk. Management should incorporate asset liability management methodologies into strategic planning using the models to run “what if” scenarios. It is also recommended that policies, processes, and asset liability management models be reviewed internally as well as audited and validated on a regular basis.
Please contact Alison Herrick with questions concerning this checklist. Wipfli/Macpage provides various audit functions for credit unions, including financial statement audits, internal audits, compliance audits, information technology general control reviews, cybersecurity reviews, penetration/vulnerability scans, social engineering, benefit plan audits, and many other services.