NCUA Supervisory Priorities for Compliance

Presentation transcript:

NCUA Supervisory Priorities for Compliance
Robert Parrish, Director
Region III Division of Supervision
Georgia Credit Union Affiliates Compliance Council
March 14, 2017

Agenda Vendor Due Diligence 2017 Compliance Priorities Questions Cybersecurity Bank Secrecy Act Compliance MBL Rule TILA-RESPA Consumer Compliance Questions Vendor Management

Vendor Management

Properly leveraging the skills and experience of qualified third parties may enable credit unions to:
- Provide access to products and services through expanded delivery channels;
- Pilot new programs for evaluation prior to implementation;
- Offer more cost-effective products and services; and
- Manage programs not feasible without external expertise.

However, inadequately managed and controlled third party relationships can result in unanticipated costs, legal disputes, and financial loss.

Regulatory Foundation for Vendor Management

NCUA Rules and Regulations Part 748 Appendix A, Section D. Oversee Service Provider Arrangements

Each credit union should:
- Exercise appropriate due diligence in selecting service providers;
- Require its service providers by contract to implement appropriate measures designed to meet the objectives of these guidelines; and
- Where indicated by the credit union’s risk assessment, monitor its service providers to confirm that they have satisfied their obligations as required by paragraph D.2. As part of this monitoring, a credit union should review audits, summaries of test results, or other equivalent evaluations of its service providers.

Vendor Management Program

Written policy and procedures sufficient to outline expectations and limit risks originating from third party arrangements, which should:
- Define the credit union risk strategy
- Define the credit union board’s risk tolerance levels
- Establish program limits
- Establish risk management practices including risk measurement and monitoring
- Outline staff responsibilities and authorities
- Define the content and frequency of reporting to credit union management and officials

Pre-Planning

Before entering into a third party relationship, officials should:
- Complete a risk assessment
- Determine whether the relationship complements their credit union’s overall mission and philosophy
- Document how the relationship will relate to their credit union’s strategic plan, considering long-term goals, objectives, and resource allocation requirements
- Weigh the risks and benefits of outsourcing business functions with the risk and benefits of maintaining those functions in-house

Examination Concerns

Common Region III examination concerns regarding vendor management during 2016:
- Failure to adequately monitor vendors on an ongoing basis
- Failure to develop an adequate written Vendor Management policy
- Failure to complete an appropriate risk assessment

2017 Exam Priorities Key Risks Initiatives Cybersecurity Interest Rate Risk Bank Secrecy Act Compliance Initiatives MBL Rule FOM Final Rule Changes TILA Consumer Compliance CUSO Reporting CECL NCUA Update

Cybersecurity

Ongoing Concerns Over Access and Disruption
- Steady frequency of attacks
- Continuation of financial losses and reputational damage
- Elevated level of sophistication and ease on the part of criminals/terrorists

Cybersecurity Assessment Tool
- Released jointly in June 2015 by NCUA and other FFIEC agencies
- Provides a structured methodology to manage information security and protect member information more effectively
- Intended to measure cybersecurity preparedness over time and identify any gaps in risk management practices

Structured Assessment Process
- Late 2017 - Increased emphasis on cybersecurity by enhancing examination focus

Cybersecurity

NCUA incorporated the Cybersecurity Assessment Tool into our exam process in 2016
- To facilitate our understanding of how effective credit unions are managing cybersecurity measures

NCUA continues to foster and facilitate sharing of best practices to enhance credit union cybersecurity programs
- Risk management practices are fundamental to a strong cybersecurity program
- Business continuity planning is crucial in preventing business disruptions
- Dual controls are essential to a strong internal control function
- Access/authentication controls are central to preventing unauthorized network intrusions
- Audit program is imperative to testing strength of IT controls, self-identifying IT weaknesses, and ensuring the protection of customer information

*Visit our Cybersecurity Resources Page on NCUA’s website for more info on the Cybersecurity Assessment Tool and other cyber sources.

Response Programs for Unauthorized Access to Member Information

- Incident response procedures are key to an effective information security program
- Part 748 (Appendix B) of NCUA Rules – outlines the minimum components of an incident response program
- Incident Response Program – should include procedures for:
  - Assessing the nature and scope of an incident
  - Identifying compromised member information
  - Notifying the appropriate NCUA Regional Director and SSA (if relevant)
  - Taking steps to contain and control the incident to prevent further unauthorized access
  - Filing Suspicious Activity Reports (SARs)
  - Preserving records and other evidence
  - Notifying members when warranted
- In 2017 exams, NCUA field staff will review credit unions’ incident response programs

Bank Secrecy Act Compliance

- NCUA – Vigilantly ensuring credit unions are not laundering money or financing criminal/terrorist activity
- Bank Secrecy Act (BSA) prescribes recordkeeping and reporting requirements to detect illicit activity
- NCUA focusing on CU relationships with Money Services Businesses (MSBs)
- MSBs include: Check Cashers, Prepaid Card Providers, Money Transmitters, Foreign Currency Dealers, Money Order and Travelers Check Issuers

Bank Secrecy Act Compliance

Examiners will verify that CU relationships with MSBs include:
- Customer Identification
- Customer due diligence and constant monitoring processes
- Assurance that MSBs are registered with FinCEN and in compliance with state/local licensing requirements
- Risk measurements gauging risks associated with MSB accounts and enhanced due diligence when necessary

*See the Bank Secrecy Act page on NCUA’s website and NCUA Letters to Credit Unions No. 14-CU-10 – Identifying and Mitigating Risks of Money Service Businesses, for further guidance

Implementation of the MBL Rule

Regulatory Relief and Enhanced Risk Management
- Provides regulatory relief from loan-to-value ratio requirement, personal guarantee requirement, vehicle lending, and construction and development lending
- Streamlines the waiver process
- Replaces prescriptive requirements with greater flexibility and individual autonomy in safely and soundly serving business borrowers
- Provides greater emphasis on managing business lending using sound risk management practices rather than monitoring to comply with regulatory restrictions

Implementation of the MBL Rule

Supervisory Focus
- Oversight focused on the effectiveness of risk management processes and the aggregate risk profile of the credit union’s loan portfolio

Sound Risk Management Processes
- Responsible risk management and comprehensive due diligence remain crucial to a safe and sound commercial lending program and encompass all aspects of the lending program:
  - Administering
  - Underwriting
  - Servicing

Implementation of the MBL Rule

NCUA Guidance and Training

Focus on Core Elements of a Sound MBL Program
- Principles for managing commercial loan risk
- Critical components of commercial loan policies
- Credit approval process
- Credit risk-rating systems
- Structuring of credit packages to properly align members’ needs with financial abilities to repay
- Credit risk management processes for underwriting
- Ongoing loan administration and risk monitoring

Implementation of the MBL Rule

Board of Directors Responsibilities

Credit union’s board of directors is ultimately accountable for the safety and soundness of the credit union’s commercial lending activities and must remain adequately informed about the level of risk in the commercial loan portfolio
- Set strategic direction
- Approve risk management policies
- Remain informed about the nature and levels of risk
- Require appropriate staffing of the commercial lending function

Implementation of the MBL Rule

Experience Requirements
- Adequate training and experience are crucial to a safe, sound, and successful commercial lending program
- Program should include well-defined roles and responsibilities and ensure effective coordination between key credit functions

Commercial Lending Policies
- Policies and procedures must provide for ongoing control, measurement, and management of the credit union’s commercial lending activities
- Adopt a formal credit risk-rating system to identify and quantify the level of risk within the commercial loan portfolio

TILA-RESPA

TILA-RESPA: Integrated Disclosure Rule
- Credit unions accepting applications for real estate loans on or after October 3, 2015 (except HELOCs, reverse mtgs, and commercial loans) are required to comply
- Requires loan originators to provide consumers with:
  - Loan Estimate Form – combines Truth in Lending Act (TILA) disclosure and Good Faith Estimate. To be delivered or mailed by 3rd business day from receipt of mortgage application
  - Closing Disclosure Form – combines the final TILA disclosure and HUD-1 Settlement Statement. To be provided at least 3 days prior to consummation of mortgage
- Rule also imposes record retention requirements and restricts mortgage originators from imposing certain fees, providing estimates, or requiring consumer verification of information prior to providing a Loan Estimate Form

*See the Consumer Compliance Regulatory Resources page on NCUA’s website for more information

Consumer Compliance

Compliance Management Systems
- Field staff to evaluate Compliance Management Systems when examining federal credit unions
- Assess board and management oversight and compliance programs
  - Policies and Procedures
  - Training
  - Monitoring/Audit
  - Response to Complaints
  - Change Management
  - Risk Management
  - Self-Identification and Corrective Actions

Military Lending/Servicemembers’ Civil Relief Acts/Equal Credit Opportunity Act
- New procedures and questionnaires for evaluating compliance with Military Lending Act, the Servicemembers’ Civil Relief Act, and ECOA

For more information, visit NCUA’s Consumer Compliance Regulatory Resources website

Q&A

Questions?

Resources

- NCUA Rules and Regulations Part 748 Appendix A, Section D
- NCUA Letter to Credit Unions 07-CU-13
- NCUA Letter to Credit Unions 17-CU-01

Office Contact Page

Feel free to contact our office with questions or comments.

Primary Staff: Robert Parrish, Director
rparrish@ncua.gov
Office Phone: 678-443-3004