A group of NCUA staff, headed up by Office of Examination and Insurance Director David Marquis, discussed emerging areas of risk for credit unions as part of its "2006 Hot Topics" break-out session at CUNA's GAC.
Among the emerging risks:
* The changing mortgage environment. Cory Phariss, program officer at NCUA's Office of Examination and Insurance, said that as CUs become more leveraged, a good portion of their loan growth is coming from mortgages, and in some cases riskier "alternative" mortgages, which could change credit unions' risk profile, particularly when combined with a flattening-or even inverted-yield curve. Credit unions can expect to see guidance from the FFIEC on underwriting, risk management and other areas pertaining to mortgages in the near future, he said.
* Compliance and disaster recovery. Program Officer Elizabeth Habring said the Bank Secrecy Act will remain an area of focus for NCUA this year, noting that credit unions continue to demonstrate risk exposure in three areas-understanding and assessing of risk, monitoring for suspicious activity and independent testing. Disaster recovery planning will also be a hot compliance issue, she said, and credit unions should be prepared for examiners to ask questions about this at their next exam. She emphasized the importance of not only creating a solid disaster recovery program but also testing it to make sure it works.
* Indirect Lending. Program Officer Matthew Biliouris said indirect lending remains a hot topic at NCUA, citing weak underwriting standards allowing for a potentially risky combination of increased loan balances with low downpayment requirements and lengthening amortization periods, as well as lax auto lending controls that fail to properly monitor loan underwriting leading to the extension of undesirable loans. Biliouris noted the comment period on the proposed rule on third-party servicing of indirect vehicle loans has expired, and NCUA is going through those comments. The final rule is expected to include a limit on the aggregate amount of indirect vehicle loans serviced by a third party to a percentage of the CU's net worth, but Biliouris hastened to add that there will be some grandfathering for CUs that have already surpassed this cap as well as waivers that can be granted on a case-by-case basis.
* Authentication in an Internet-Based Environment. NCUA Information Officer Dominick Nigro said the agency has five basic expectations of credit unions regarding proper authentication procedures: 1) identify and assess risk posed by Internet-based products and services; 2) identify authentication methods in place; 3) determine authentication program is effective; 4) determine a program to monitor systems and report unauthorized access and 5) evaluate member awareness efforts. Multi-factor account authentication may not be needed at every electronic touchpoint with a member, so the risk assessment is key, he said, noting that this five-step process-and any changes required as a result of it-must be complete by the end of 2006.
