Written by: André B. Cotten, Regulatory Compliance Counsel
On March 29, 2017, NCUA released a supervisory letter in a Letter to Credit Unions (17-CU-02) that provides an updated list of Compliance Risk Indicators. The updated list builds upon the previous guidance issued in a 2002 Letter to Credit Unions. NCUA notes that the "updated list of indicators does not impose any new or higher supervisory expectations to credit unions." The updated list of Compliance Risk Indicators took effect on March 31, 2017.
The 2002 Letter to Credit Unions, 02-FCU-09, highlighted the NCUA's risk-focused examination process. The Agency designed this process to be "forward-looking, with an emphasis on management's ability to identify and monitor current and potential areas of risk." The risk-focused examination process evaluates both the credit union's performance and management's ability to identify, measure, monitor and control risk.
During a risk-focused exam, the NCUA examiner reviews the credit union's risk profile, which consists of seven specific categories of risk. Credit, interest rate and liquidity risks can be assessed using objective financial data, combined with management's awareness and ability to control the risk.
However, transaction, compliance, strategic and reputation risks are more subjective and are difficult to measure using financial data. Instead, compliance, strategic and reputation risks are evaluated in terms of the credit union's control structure and risk management systems.
In last week's supervisory letter, the NCUA provided an updated list of Compliance Risk Indicators along with an updated AIRES questionnaire for Compliance Risk. According to the supervisory letter, "[t]he update reflects transformations in technology, business models, and members' banking habits since the list of Compliance Risk Indicators [was] originally developed in 2002." The NCUA anticipates the updated list will result in a "more comprehensive, integrated and transparent framework in evaluating a credit union's ability to manage its risk of violations and non-compliance applicable law and regulations."
The supervisory letter also advises that a credit union's compliance risk is best managed when the credit union is proactive, self-identifies, and self-corrects any identified deficiencies. The updated Compliance Risk Indicators framework includes three broad categories: Board and Management Oversight; Compliance Programs; and Violations of Law and Consumer Harm. Below are the categories along with several factors:
- Board and Management Oversight
  - Commitment to the credit union's compliance management system.
  - Effectiveness of change management processes.
  - Risk management associated with products, services, and activities.
  - Self-Identification efforts and corrective actions taken.
- Compliance Program
  - The effectiveness of a credit union's compliance management system.
  - Policies and procedures, training, monitoring, and audit programs, and complaint resolution.
- Violations of Law and Consumer Harm (if applicable)
  - Pervasiveness of the violation.
  - Root cause of the violation.
  - Severity of the violation or any consumer harm.
  - Duration of the violation.
The NCUA examiners will continue to use the Management CAMEL component rating and the CAMEL composite rating as appropriate to reflect their conclusion about a credit union's compliance risk. In assigning a Compliance Risk rating, field staff will consider the totality of the Compliance Risk Indicators.
In reviewing the differences between the Compliance Risk Indicators provided in 2002 and the recent supervisory letter, the NCUA appears to have provided a greater level of detail and modified some of the terminology used to describe compliance risk factors.
For instance, the 2002 Compliance Risk Indicator has a factor called "Response to Changes". In 2002, the NCUA provided the following as guidance:
- Low Risk
  - Anticipates and responds well to market or regulatory changes.
- Moderate Risk
  - Adequately responds to market or regulatory changes.
- High Risk
  - Does not anticipate or take timely or appropriate actions in response to market or regulatory changes.
In last week's supervisory letter, the factor "Response to Changes" is now called "Change Management", and it is now listed under the broader category Board and Management Oversight. The updated Compliance Risk Indicator list provides the following regarding "Change Management":
- Low Risk
  - Management anticipates and responds promptly to changes in applicable laws and regulations, market conditions and products and services offered by evaluating the change and implementing responses across impacted lines of business.
  - Management conducts due diligence in advance of product changes, considers the life cycle of a product before implementing the change, and reviews the change after implementation to determine whether actions taken have achieved planned results.
- Moderate Risk
  - Management responds timely and adequately to changes in applicable laws and regulations, market conditions, and products and services offered by evaluating the change and implementing responses across impacted lines of business.
  - Management evaluates product changes before and after implementing the change.
- High Risk
  - Management does not respond adequately or timely or fails to respond to changes in applicable laws and regulations, market conditions, and products and services offered.
The above is an example of how the NCUA has enhanced the Compliance Risk Indicators. For further comparisons, please refer to the previous list of Compliance Risk Indicators (02-FCU-09 Risk-Focused Examination Program (Compliance Only)). Also, here is the full 2002 letter to credit unions, and the most recent supervisory letter.
On a personal note, I traveled home to Mississippi this past weekend to celebrate my cousins' initiation into Delta Sigma Theta Sorority, Inc. Here's a picture from their new member presentation on Saturday night!