NCUA Supervisory Priorities for 2025

Administration Change Could Impact NCUA Supervisory Priorities for 2025

January 22, 2025

By Katie Ferrell, Vice President of Compliance Services

On January 7, 2025, the National Credit Union Administration (NCUA) published its annual supervisory priorities via Letter 25-CU-01. Less than 2 weeks later, President Trump was inaugurated and former NCUA Chair Todd Harper passed the baton to new Chair Kyle Hauptman on the afternoon of January 20. A regulatory freeze was enacted on Inauguration Day to foster time for new agency heads to review any rules in process. All to say, recent changes in Washington D.C. could impact the NCUA priorities outlined below. As the proverbial saying goes…“Stay tuned!”

The impending change in administration and allowance of time for the dust to settle after transition served as a precursor for a generally unchanged regulatory agenda from 2024. Emerging risks identified by the NCUA did not include any surprises, and the following remain at the forefront of the agency’s focus during examinations:  

  • Cybersecurity
  • Consumer Financial Protection
  • Credit, Liquidity, and Market Risk

Cybersecurity

Cybersecurity remains a challenge for all industries and service providers as sophistication and complexity of bad actors continues to rapidly increase. Breaches, fraud, and malicious attacks can be damaging financially to credit unions as litigation is rampant. With the ease and speed of social media use, news of an incident can be accelerated across multiple platforms and detrimental to a credit union’s reputation within seconds.

Responsible third-party (vendor) risk management of critical providers is also an expectation that will continue to linger during examinations. Regardless of who is performing the service on the credit union’s behalf, responsibility to membership remains with the credit union, and the NCUA reiterates there are no exceptions to this rule.

Responsibility to report cyber incidents to NCUA within 72 hours also includes those endured by service providers, and the agency published a Quick Reference Guide on January 8 to facilitate reporting and provide the when, how, and what (and what not) to report.

The NCUA has made it clear that credit union boards must prioritize cybersecurity as a top oversight and governance responsibility. Being familiar with the Information Security Examination Program last updated in September 2024 is key in understanding the NCUA’s perspective and planning around this extremely important area.

Consumer Financial Protection

Examiners have indicated particular focus on the following consumer financial protection areas, and the scope of examination is tailored based on complexity and product offerings:

  • Overdraft Programs: Policies, procedures, disclosures, fees, statements, complaints, internal reviews, and websites
  • Fair Lending: Potential discrimination in residential real estate valuation practices
  • Home Mortgage Disclosure Act: Data collection and reporting practices, including transaction testing
  • Military Lending Act (MLA): Incorporation in Compliance Management System (CMS) and determining and monitoring for covered military status
  • Electronic Fund Transfer Act (EFTA): Payments and error resolution

Notably, the NCUA published data on Non-sufficient Funds (NSF) and Overdraft (OD) fees on January 17, which revealed interesting results. Charts within indicated higher fees did not associate with more favorable interest rates for members, so we recommend particular attention to this area. The political transition undoubtedly will result in changes to leadership at the Consumer Financial Protection Bureau (CFPB) and subsequently Unfair, Deceptive, or Abusive Acts or Practices (UDAAP) initiatives outlined in the NCUA’s Letter 24-CU-03 from December 2024.

Credit, Liquidity & Market Risks

Credit, liquidity and market risks will always be critical to understanding the overall financial health of credit unions and typically remain as constant priorities during examination. The rising rate environment during the last few years continues to stress balance sheets, and credit card and used vehicle lending continues to deteriorate. The charge off rate for these categories is at the highest level on record. Examiners plan to delve deeply into the effectiveness of loan underwriting guidelines and collection programs of these two loan types. Examiners will also continue to evaluate contingency planning and sources of liquidity through evaluation of the appropriateness of asset-liability management and concentration policies.

Other Items to Consider

A flexible and “risk-focused” approach to examinations — and the cadence for examinations — will be dependent on CAMELS rating and any changes to the Chief Executive Officer (CEO) role since a credit union’s last exam.

Somewhat surprisingly, Anti-Money Laundering/Combating the Financing of Terrorism (AML/CFT) risks were not explicitly noted as a priority, but the NCUA strongly encourages credit unions to remain on the lookout for potential changes to regulatory requirements that may result from the Financial Crimes Enforcement Network (FinCEN) proposal from June 2024 to modernize AML/CFT programs, notably related to national priorities and de-risking strategy. There may be no movement in this area due to the regulatory freeze, but commitment to counter illicit activities is not only expected of credit unions but critical to the overall health of the financial system.

What’s Next: Recommended Action Steps

If there is a priority or area of risk at your credit union that is deemed ambiguous or heightened because of recent or impending changes to membership, products and services, or other strategic initiatives, gather appropriate internal parties to conduct a risk assessment and thoroughly evaluate controls. Seek external support for an objective perspective when necessary. ViClarity’s compliance experts can assist you, or you may find resources through your credit union league.

If your credit union feels confident in all focus areas, ensure timely audits, risk assessments, and monitoring is in place to validate that practices and procedures are consistently applied. The board of directors is responsible for top oversight and governance, so communicate and report often any self-identified gaps and progress of remedial action plans.

When in doubt, reach out directly to your Examiner in Charge. Openly communicate any self-identified deficiencies or challenges with actions plans so there are no surprises for either party.

The change in the administration also may affect the priorities described here, and this potential uncertainty requires us all to remain very diligent and up-to-date on information coming out of Washington, D.C. 

To learn more about this year’s focus areas directly from the NCUA, register for the NCUA's Supervisory Priorities Webinar on February 6, 2025.

Learn more about ViClarity’s compliance support and audit and review services, or reach out to us at info@viclarityus.com.

Back

Recent/Related Articles

Lending Technology Traps That May Get Your CU in Regulatory Trouble

December 04, 2024

As credit unions seek to digitize various signposts along the borrower journey, lending strategists are bringing onboard new people, processes and technologies to accelerate the transformation. Each brings new risks, not the least of these is failure to comply with fair lending regulations.

Complaint Management: Why CUs Should Sweat the Small Stuff

October 10, 2024

Every good credit union compliance officer will tell you that even small, seemingly isolated complaints must be thoroughly investigated. Here are some key steps to help CUs maintain a comprehensive process that is consistent, efficient, and demonstrates commitment to member satisfaction and regulatory compliance.