What’s Happening? Regulatory Round Up from the NCUA to the OCC

The NCUA was given fuel for its third-party oversight fire when 60 credit unions were suffered digital blackouts over the last few weeks. At the same time, the agency reported credit unions' Q3 results, including increasing CDs as financial institutions scrap for deposits amid tight liquidity with interest rates not seen in years. That's good because credit unions are going to need more of an allowance for rising delinquencies and CECL expenses.

In other agency news that might touch on credit unions, the IRS is looking at expanding retirement account access to long-term, part-time employees; the CFPB is taking enforcement action against a bank over how customers opt-in to overdraft protection; and the OCC handed down guidance on Buy Now-Pay Later products.

Do You Know Who Your Vendor’s Vendors Are?

The biggest regulatory development of the week is the news that 60 small credit unions were virtually shut down for several days, as members can’t get account information as a result of a ransomware attack. According to the CU Times, while the scope of the ransomware attack or who conducted the attack isn’t fully known, it appears the attack was aimed at Ongoing Operations, a credit union information technology organization acquired by credit union Fintech Trellance in November 2022, and FedComp, a third-party vendor of Trellance. 

This is exactly the type of scenario that has concerned NCUA given its lack of oversight over third-party vendors. Expect the agency to put even more emphasis on third-party due diligence and baseline contractual provisions that seek to place requirements on third parties with whom vendors operate. 

Recently, federal banking regulators, with the exception of NCUA, finalized this guidance updating due diligence expectations for financial institutions. The guidance explains that “An evaluation of the volume and types of subcontracted activities and the degree to which the third party relies on subcontractors helps inform whether such subcontracting arrangements pose additional or heightened risk to a banking organization.”

This would not be a bad time to ask yourself if your existing due diligence and operational framework adequately protects the credit union against attacks on your vendor’s vendors. Among the questions that I would be asking are: with whom does your vendor work? Does your vendor utilize third parties to store cloud-based information? Are you sure that your data is backed up? And, does your contract provide recourse for the failure of your vendor to meet these baseline requirements?

NCUA's Third Quarter Industry Snapshot: Is the Glass Half-Empty or Half-Full for Credit Unions?

 The NCUA released its quarterly snapshot of the industry’s financial health. Not surprisingly, the industry is a reflection of trends we are seeing in the larger economy. In the aggregate, the industry remains strong but there are also warning signs for those who are inclined to worry. To me, the most intriguing findings include:

●      Members are in search of higher yields; share certificates grew $185.9 billion, or 72.0 percent, over the year to $444.2 billion.

●      Delinquencies are on the rise; The delinquency rate at federally insured credit unions was 72 basis points in the third quarter of 2023, up 19 basis points from one year earlier. The net charge-off ratio was 56 basis points, up 25 basis points compared with the third quarter of 2022.

●      CECL is having an impact; the credit union system’s provision for loan and lease losses or credit loss expense increased $5.5 billion, or 125.5 percent, to $9.9 billion at an annual rate in the first three quarters of 2023.

IRS Proposes Regulations Expanding Access to Retirement Plans for Long-Term, Part-Time Employees

With the caveat that yours truly makes absolutely no representation that he is a retirement benefits expert, I wanted to bring to your attention a regulation proposed by the IRS on November 27 to implement parts of the Retirement Enhancement Act of 2019 (SECURE Act), enacted on December 20, 2019, and the SECURE 2.0 Act of 2022. This is certainly a development of which your HR team should be aware. Taken together this legislation reduced from 1000 to 500 the number of hours an employee had to work per year to be eligible for participation in employer-sponsored retirement plans. This legislation also reduced from 3 to 2 years the number of years an employee has to be employed to be entitled to participate in these plans. These requirements start taking effect on January 1, 2024. These regulations provide answers to important questions such as exactly how part-time a long-term part-time employee is defined.

CFPB Brings Enforcement Action Against Bank Based on How New Members Opt-In to Overdraft Protection Programs

For the second time, the Bureau has brought an enforcement action against a bank for allowing customers to opt in to receiving overdraft protection without first being given written notice required under federal law. Make sure your institution isn’t making the same mistake.

To what mistake am I referring to? According to the NCUA, “under Respondent’s branch enrollment procedures, Respondent’s branch employees do not print the written overdraft notice for new customers until the end of the account-opening process. This form is entitled ‘What You Need to Know about Overdrafts,’ which is [the Bank’s] version of the Regulation E model consent form (the A-9 Form).” The bottom line: make sure you document that members are given the appropriate disclosures before they agree to overdraft protection, as opposed to simply providing them a packet of disclosures after they have signed up. 

Buy Now-Pay Later Guidance Issued By OCC

In my ever so humble opinion it is not a question of if but when your credit union will start getting involved in the buy-now-pay-later ecosystem. Generally speaking, a buy-now-pay-later loan is an installment loan made to a merchant payable in four or less payments that charges no interest and facilitates the purchase of a product. Lenders have relationships with merchants either directly or indirectly pursuant to which they purchase these loans in return for the payment of a fee by the merchant which is typically larger than an interchange fee There is a lot of evidence to suggest that credit card averse young people like this option.

Of course, these loans present unique challenges for credit unions because of field of membership restrictions, but in reality, there was little difference between the technology used to facilitate these loans and the type of platforms used to allow credit unions to purchase automobile loans. Furthermore, the recent eligible obligation amendments give credit unions the flexibility they need to take a serious look at this type of activity.

Consequently, you may want to take a look at this guidance issued by the OCC providing examples of the risks posed by BNPL products and the issues that should be taken into account for the unique features of these loans. Among the issues that should be considered are: Credit Reporting Agencies have not yet started monitoring the repayment history of BNPL borrowers, so it may be particularly challenging to develop appropriate underwriting standards; because these are short-term loans, new collection protocols-such as determining when to reach out to delinquent borrowers-need to be addressed and many of these programs involve partnering with third-party lenders for whom appropriate due diligence needs to take place.

What’s Happening? Regulatory Round Up from the NCUA to the OCC -