News Feed

NCUA Issues Updated Guidance on Compliance Risk Indicators

Mon, Apr 10, 2017

Alexandria, Virginia

NCUA has recently provided its examiners with guidance on the updated list of compliance risk indicators that are part of NCUA’s Risk-focused Examination Program. The updated list of indicators does not impose any new or higher supervisory expectations for credit unions. NCUA examiners will continue to take a consistent approach when evaluating a credit union’s ability to manage compliance risk. Additionally, NCUA staff will continue to consider such factors as the credit union’s size, complexity, and risk profile as part of their evaluation. 

These risk indicators incorporate the principles of the FFIEC's Interagency Consumer Compliance Rating System (CCRS). You may recall that the CCRS is an interagency framework for evaluating an institution's ability to manage consumer compliance risk and to prevent consumer harm.  NCUA incorporates the framework into its Risk Focused Examination Program.  Remember, a credit union's compliance management system is to proactively manage compliance risk by self-identifying and self-correcting any identified compliance deficiencies. The updated compliance risk indicators detailed in NCUA's recent letter focus on three areas and specific factors within each area:  

1. Board and Management Oversight

  • Do officials and management fully understand compliance risks?
  • Is there a clear commitment to compliance?
  • Are there significant resources dedicated to support compliance (systems, capital, HR)?
  • Is there comprehensive and ongoing due diligence and oversight of third parties to ensure that the credit union isn't exposed to compliance risks?
  • How does management handle and respond to changes in applicable laws and regulations, market conditions, and product and services offered?
  • Are corrective actions taken when management proactively identifies compliance issues and deficiencies?

2. Compliance Program

  • Are your policies/procedures and third party relationship management programs effective in handling risks posed by the activities and products/services of the credit union?  
  • Is your compliance training tailored to those receiving it?
  • Is compliance training to the roll out of new products and services or new consumer protection laws for awareness purposes?
  • Are management information systems, reporting, audit, and internal control systems evaluated throughout the credit union?
  • What are the processes for addressing consumer complaints and what actions are taken to prevent future complaints?

The first two areas (Board/Management Oversight and Compliance Program) take into account the credit union's size, complexity, and risk profile.

3. Violations of Law and Consumer Harm

  • If there are violations of law and consumer harm has the credit union evaluated the root cause, the severity, duration, and the pervasiveness of the violation/harm across the credit union's product lines and taken corrective action? 

According to the Supervisory Letter, the AIRES questionnaire will be updated by June of 2017.