On March 29, 2017, NCUA released a supervisory letter in a Letter to Credit Unions (17-CU-02) that provides an updated list of Compliance Risk Indicators. The updated list builds upon the previous guidance issued in a 2002 Letter to Credit Unions. NCUA notes that the “updated list of indicators does not impose any new or higher supervisory expectations to credit unions.” The updated list of Compliance Risk Indicators took effect on March 31, 2017.

The 2002 Letter to Credit Unions, 02-FCU-09, highlighted the NCUA’s risk-focused examination process. The Agency designed this process to be “forward-looking, with an emphasis on management’s ability to identify and monitor current and potential areas of risk.” The risk-focused examination process evaluates both the credit union’s performance and the management’s ability to identify, measure, monitor and control risk.

During a risk-focused exam, the NCUA examiner reviews the credit union’s risk profile, which consists of seven specific categories of risk. Credit, interest rate and liquidity risks can be assessed using objective financial data, combined with management’s awareness and ability to control the risk.

However, transaction, compliance, strategic and reputation risks are more subjective and are difficult to measure using financial data. Alternatively, compliance, strategic and reputation risks are evaluated in terms of the credit union’s control structure and risk management systems.

In the supervisory letter, the NCUA provided an updated list of Compliance Risk Indicators along with an updated AIRES questionnaire for Compliance Risk. According to the supervisory letter, “[t]he update reflects transformations in technology, business models, and members’ banking habits since the list of Compliance Risk Indicators [was] originally developed in 2002.” The NCUA anticipates the updated list will result in a “more comprehensive, integrated and transparent framework in evaluating a credit union’s ability to manage its risk of violations and non-compliance applicable law and regulations.”

The supervisory letter also advises that a credit union’s compliance risk is best managed when they are proactive, self-identify, and self-correct any identified deficiencies. The updated Compliance Risk Indicators framework includes three broad categories: Board and Management Oversight; Compliance Programs; and Violations of Law and Consumer Harm. Below are the categories along with several factors:

• Board and Management Oversight
  • Commitment to the credit union’s compliance management system.
  • Effectiveness of change management processes.
  • Risk management associated with products, services, and activities.
  • Self-Identification efforts and corrective actions taken.
• Compliance Program
  • The effectiveness of a credit union’s compliance management system.
  • Policies and procedures, training, monitoring, and audit programs, and complaint resolution.
• Violations of Law and Consumer Harm (if applicable)
  • Pervasiveness of the violation.
  • Root cause of the violation.
  • Severity of the violation or any consumer harm.
  • Duration of the violation.

NCUA examiners will continue to use the Management CAMEL component rating and the CAMEL composite rating as appropriate to reflect their conclusion about a credit union’s compliance risk. In assigning a Compliance Risk rating, field staff will consider the totality of the Compliance Risk Indicators.

In reviewing the differences between the Compliance Risk Indicators provided in 2002 and the recent supervisory letter, the NCUA appears to have provided a greater level of detail and modified some of the terminology used to describe compliance risk factors.