Credit Union Operations

The COVID-19 pandemic may have extensive impact on credit unions, including (but not limited to):

  • Material asset quality issues caused by business failures and job loss
  • Negative pressure on a credit union’s earnings and capital
  • Liquidity strain due to increased share withdrawals
  • Operational challenges due to employee unavailability or office closures
  • Adverse effects on memberships

These circumstances will vary by credit union.

Examiners should evaluate and understand the operational and financial condition of each credit union within the context of COVID-19 disruptions and assign CAMELS ratings consistently and in accordance with Letter to Credit Unions 22-CU-05, CAMELS Rating System, and the June 2020 Interagency Examiner Guidance for Assessing Safety and Soundness Considering the Effect of the COVID-19 Pandemic on Institutions.

Strategic Risk

In evaluating strategic risk, examiners should distinguish between problems caused by credit union management’s lack of oversight and those that are the result of the business disruption caused by COVID-19. Examiners should consider the circumstances credit unions are facing when reviewing a credit union’s financial and operational condition. A credit union should not be criticized for its efforts to provide prudent relief for members so long as the relief efforts are conducted in a reasonable manner with proper controls and management oversight.

Examiners should assess the effectiveness of a credit union’s disaster recovery and business continuity plans and consider whether these plans need modification. At a minimum, business continuity plans should address the following:

  • Operating with limited staff
  • Identifying essential personnel
  • Informing essential personnel how and where they will perform essential functions
  • Keeping open lines of communication with staff throughout a crisis
  • Providing members with ways to receive updated information regarding the credit union’s operational capabilities
  • Notifying key third-party service providers and suppliers of the credit union’s intention to initiate its business continuity plan after the event
  • Maintaining the security of member and proprietary information as employees work from offsite locations

COVID-19 and its aftermath may necessitate revisions to a credit union’s budget and strategic plan. Assessing the potential financial exposure through scenario analysis should be a part of this process. Although each credit union has a different balance sheet composition, every credit union should have an adequate ALM process to evaluate past trends and identify past scenarios that can forecast future scenarios and strategies.

Management will have to make important decisions to balance helping members with the potential increased credit risk and resulting losses of income. Scenario analysis should include an assessment of varied possible outcomes which include optimistic, most probable, and adverse scenarios in terms of the length and depth of the impact on credit union earnings.

This analysis should be used to inform management’s decisions. Examiners should not penalize credit unions that develop a prudent strategy for providing sustainable financial relief to their membership impacted by COVID-19, even if it results in a negative impact on earnings.

Earnings

Primarily, credit unions generate earnings through loans, investments, and fees charged for services. Credit union expenses include interest, PLLL, and operating costs. A credit union’s earnings structure should generate sufficient income to maintain or grow net worth to a level commensurate with the credit union’s risk profile.

The implications of the COVID-19 pandemic may have a material effect upon credit unions’ ability to meet established earnings goals. Examiners should evaluate the expected duration of any reductions to core earnings caused by the pandemic, including expenses associated with decreased asset quality (such as deferred interest and increased allowance levels), and any ongoing operational issues (such as staffing changes, legal, and information systems and technology expenses). Examiners will rely on their professional judgment in assessing earnings adequacy, considering all the quantitative and qualitative factors that affect the credit union’s financial condition.

Capital

A credit union is expected to maintain capital commensurate with the nature and extent of its operational risk and management’s ability to identify, measure, monitor, and control these risks. Examiners should consider the effects of COVID-19 on a credit union’s operations when evaluating capital adequacy. Asset quality and other fee income streams may be impacted by the current crisis and reflect negatively on the credit union’s capital position.

Credit union management should have plans in place to eventually reverse any negative capital trends over a longer planning horizon. Should the need arise, examiners should inform credit union management about how trends may ultimately trigger PCA measures.

Regulatory capital requirements establish the minimum levels of capital, and are distinct from a credit union’s need to maintain capital levels that are appropriate for the level of risk inherent in operations.

Risk Management

The COVID-19 pandemic may result in unprecedented issues for credit union management. Examiners should evaluate a credit union’s risk management practices based on the scope and thoroughness of the credit union’s internal risk assessment and business continuity plan.

In assessing management’s effectiveness, examiners should consider the credit union’s size, complexity, and risk profile. Additionally, examiners should be mindful that in times of crisis, risk management changes are likely to occur on a lagged basis, once resources and operations have stabilized and lessons learned can be thoughtfully incorporated.

The credit union’s decision-making process should start with an initial risk assessment and include a process for refining the risk assessment over time as more information becomes available.

Examiners should determine whether the risk assessments are sufficient in scope and content. In reviewing the assessments, examiners should recognize that the issues confronting affected credit unions are complex and the resolution may be multifaceted and require time. The examination scope may need to be adjusted depending on the quality and thoroughness of the risk assessment. Additionally, the scope and content of a risk assessment will vary based on the credit union's size, complexity, and risk exposure.

The risk assessment should reflect management’s best estimate of the credit union’s asset quality, given the prevailing economic conditions. In addition to determining the effect on asset quality, management should be able to explain the implications for the credit union’s earnings and capital, as well as the effect on funding, liquidity, operations, and asset/liability management.

The examiner’s assessment of operational risk should address the effectiveness of the credit union’s operational capability and its business continuity plan. Management should be able to explain its review and assessment methodology and demonstrate reasonable progress, given the circumstances.

Cybersecurity

While mobile banking has been steadily on the rise in recent years, usage has increased during the COVID-19 pandemic. Along with the benefits of mobile banking comes the risk of cyber criminals exploiting consumers who are new to these methods of banking. The Federal Bureau of Investigation has issued Public Service Announcement I-061020-PSA, which highlights methods of cyber-attacks on mobile banking and offers a few protection tips.

Additional information on security protections for privacy and mobile device applications is available in the Department of Homeland Security Cybersecurity and Infrastructure Security Agency’s Security Tip (ST19-003).

With the social distancing requirements that many states and localities have put in place, the number of remote workers has increased. Credit unions should ensure that employees working remotely address cybersecurity risks for their home networks, personal computing devices, and other internet-connected devices.

Credit union employees working remotely should adhere to their organizations’ information security- and privacy-related policies and procedures. Policies and procedures should effectively address remote work by preparing employees to prevent security incidents and including provisions for responding to any incidents that do occur. Controls over remote work and use of personal devices should be based on an institution’s risk assessment, and commensurate with the size and complexity of the institution.

To minimize the risk of a successful cyberattack while working remotely or with personal equipment, policies and procedures should address employee expectations, such as:

  • Ensuring that family members or others do not use devices designated for work
  • Implementing session time outs and encryption of sensitive information
  • Keeping devices physically secure
  • Working with a user account and not an administrator or privileged account
  • Establishing strong, unique passwords for all log-ins and devices on their home network
  • Leveraging firewall capabilities available through internet service providers
  • Increasing wireless security to the strongest encryption option
  • Removing unnecessary services and software
  • Updating software regularly
  • Maintaining antivirus software and ensuring timely updates to definitions
  • Collecting and maintaining system and account logs

Credit union management should communicate proactively with employees to verify that remote work is being done securely, and provide guidance and assistance as needed. Additional institution-level controls, such as those designed to ensure operating system versions, patch levels, and anti-malware solutions meet your security standards, should be considered and addressed in your risk assessment.

To minimize the impact of an attack, policies and procedures should address the immediate actions an employee should take when they suspect a cyberattack, such as:

  • Disconnecting the device(s) from all internet connectivity
  • Keeping the computer on to preserve forensic evidence
  • Reporting the incident to their organization

Policies and procedures should also address how the credit union would respond to a security incident, such as:

  • Filing a report with local law enforcement or other law enforcement agencies, such as the FBI Internet Crime Complaint Center
  • Taking appropriate corrective action, depending on the nature of the incident (for example, changing passwords, completing a forensic audit, and scanning and cleaning devices)
  • Evaluating whether the incident should be reported to the NCUA or state supervisory authority

Last updated on June 30, 2020