Comments: on Strategies for Future Examination and Supervision Utilizing Digital Technologies

August 31, 2020

Heather Phelps
National Credit Union Administration
1775 Duke Street
Alexandria, Virginia 22314

Re:      NASCUS Comments on Strategies for Future Examination and Supervision Utilizing Digital Technologies

Dear Ms. Phelps:

The National Association of State Credit Union Supervisors (NASCUS)[1] submits the following comments in response to the National Credit Union Administration’s (NCUA’s) Request for Information (RFI) on Strategies for Future Examination and Supervision Utilizing Digital Technologies.[2] By further leveraging technology in the examination and supervision process, NCUA could reduce burden on federally insured credit unions, enhance the agency’s cooperative supervisory relationship with its state regulatory peers, and generate costs savings to the National Credit Union Share Insurance Fund (NCUSIF). NASCUS commends NCUA for the progress the agency has made on this initiative and for the foresight to have begun this undertaking long before the COVID-19 pandemic forced state and federal regulatory agencies into a remote examination posture.

We support this initiative without reservation and note that many state regulatory agencies had also been moving to reconfigure examination and supervision programs to maximize the utility of off-site supervision and examination work prior to the pandemic.

Of course, the implementation of an offsite examination program for NCUA will differ between federal credit unions (FCUs) and federally insured state credit unions (FISCUs). For the latter, NCUA performs insurance reviews rather than full scope examinations, and primarily relies on Reports of Examination (ROE) issued by state regulatory agencies. Given the presence of regular state reports of examination, and the fact that many FISCUs already have only infrequent NCUA examination, the implementation of offsite NCUA supervision should present less of a hurdle than NCUA replacement of its full scope examination program for FCUs.

It will be of critical importance to the success of an offsite examination program for FISCUs that NCUA continue to rely, to the fullest extent, on examinations conducted by state regulators. To do otherwise would be to negate any benefit of reduced burden on FISCUs from offsite examination.

Generally speaking, NASCUS believes many aspects of NCUA’s insurance review of FISCUs can be achieved offsite. Secure technology exists that would allow NCUA to communicate with its state peers and credit unions by video, transmit data, and collaborate on documents in a remote posture. Some credit unions will likely need technical assistance to participate in offsite examination, and examiners should receive training in how to effectively conduct examinations and communicate remotely. Regulators and credit unions will have to work together to allow credit unions to integrate offsite examination data requests and video communications into the credit union’s cybersecurity posture and policies.

Specific Questions Asked by NCUA in the RFI

In the RFI, NCUA specifically asked for feedback on 36 questions to inform the agencies development of a remote examination program. After consulting with state regulatory agencies and state credit union system stakeholders, NASCUS provides the following specific responses to many of NCUA’s direct questions. In some cases, NCUA’s questions are more appropriately answered by individual credit unions based on their experience. In those instances, we defer to credit union stakeholders to respond directly to NCUA.

Question #1: What capabilities can federally insured credit unions adopt to facilitate the NCUA’s transition toward more offsite exam work?

To facilitate offsite examination work, credit unions will have to adopt digital capabilities and resources to aggregate and transmit requested data. While many credit unions have these capabilities, we believe some more modestly sized credit unions may need assistance in the form of help procuring equipment and training for staff.

In addition, it will take a great deal of human resources for credit unions to digitize hard copy records. NCUA will need to make some accommodation to help credit unions that currently lack robust digital records. At a minimum, examiners will need to be cognizant of how the credit union stores the data being requested in order to calibrate information requests.

 Question #2: What capabilities do you recommend the NCUA adopt to be able to conduct more examination work offsite?

To conduct offsite examinations, NCUA examiners need to be able to communicate by video, transmit data, and share screens (document collaboration) with credit unions and state examiners in a secure manner. There are numerous programs and platforms that provide the needed capabilities, and NCUA should ensure its examiners have the flexibility to participate on state, and credit union, preferred software and platforms.

Question #4: Do you think the NCUA can do significantly more offsite work without compromising its safety and soundness responsibilities?

Yes, NCUA could perform significantly more offsite work without compromising its duty to the NCUSIF. As a result of the COVID-19 pandemic, NCUA and state regulators have conducted examination and supervision of state and federal credit unions remotely without incident. Traditionally, a majority of onsite examination time is spent in review of documents. The onsite presence of the examiner makes the credit union’s sharing of the documents easier and provides the examiner access to relevant credit union staff should the examiner need clarification on an issue or needs to ask questions. In large part, these things may be done remotely. Reading and analyzing data, worksheet completions, writing comments, and compilation and completion of workpapers does not need to be done onsite.

We acknowledge there remains value in some onsite contact and review. Furthermore, there are some reviews, such as for Bank Secrecy Act/Anti-Money Laundering/Combating the Financing of Terrorism (BSA/AML/CFT) for which the remote transfer of data and remote access to key credit union personnel may present some complications related to the strict confidentiality of BSA/AML/CFT data and the data’s exposure to unauthorized credit union personnel as part of the upload of examination data. However, even within the BSA/AML/CFT examination context, written policies and procedures can be reviewed offsite without compromising the integrity of the data or effectiveness of the exam.

Question #5: What credit union data can be provided to examiners to facilitate more offsite supervision and reduce time onsite during the examination?

Examples of the credit union data that could be provided to examiners to facilitate offsite supervision include board and committee minutes, written policies and procedures, financial statements, internal and external audits, vendor contracts and agreements, and management questionnaires. With proper safeguards, digitized loan files could also be transmitted for offsite review. Credit unions could also provide samples of loan agreements, disclosures, account opening documents and other forms for review.

Question #6: To ease the administrative burden, should the NCUA ask third party service providers for data on credit unions directly?

We caution against NCUA seeking credit union data directly from third parties. Information requests should be communicated to the credit unions and the credit unions should be responsible for aggregating and transmitting needed data.

NASCUS heard from credit unions that they prefer to maintain control of their data and be the point of contact for inquiries from examiners. In addition, credit unions were concerned that NCUA communication directly with service providers, rather than with the credit union, would result in possible confusion and miscommunication that could make the examination process more burdensome rather than less.

Credit unions also raised concerns of the potential for NCUA direct access to third party data to complicate the credit union’s cyber security hygiene. As it is, credit unions have limited ability to evaluate the cyber hygiene of their regulator or share insurer. Indeed, credit unions have pointed out that NCUA’s and state regulators’ data protocols do not meet credit unions’ data security standards for third party vendors. A regulator’s direct access to third party providers for data presents a potential “blind spot” in a credit union’s cyber security posture.  In the event of an incident of potential data loss, the credit union would be faced with a data entry and exit point over which it had very little oversight if any at all. In cases where the credit union transmits the data itself to its regulator, the credit union retains far more control over its critical data.

Question #8: What other methodologies or approaches should NCUA include in this exam  study?

NCUA should continue to leverage the experiences of state regulators and other federal bank regulators. In addition, NCUA should incorporate the NCUA/NASCUS Joint Supervisory Working Group into discussions on how to coordinate between state and federal examiners during remote examinations.

Question #9: Would credit unions benefit from more clarity and consistency on the timing and types of documents and data examiners need to conduct examinations?

In addition to driving efficiencies for the regulatory agency, one of the goals of an offsite supervision and examination program is to reduce burden on credit unions. Of course, examiners need a certain flexibility to request documents and data cohering to the scoping of the examination.  However, providing credit unions some certainty as to timing and type of information requested, and format in which it should be provided may allow credit unions to partially automate the process for pulling data from their core.

Question #10: Would it be easier or less burdensome for credit unions to provide documents and data to the NCUA on a more scheduled, flow basis throughout the year so the time spent onsite would be more efficient and the majority of the examination/supervision could primarily be conducted offsite?

As noted above, an issue not addressed by the RFI is the distinction between a remote examination program that remains a “point in time” assessment of a credit union’s condition and continuous examination program that continues throughout the year and is rolled up into a Report of Examination annually. This question hints at a continuous examination program more than an offsite examination program. NCUA should clarify how it views these concepts.

Whether NCUA should collect data on a flow basis might hinge on the size and complexity of the credit union providing the information. More complex and sophisticated credit unions might prefer to provide information on a flow basis and have the personnel to manage such obligation. Other credit unions may find a constant stream of data requests to be overly burdensome and disruptive to daily operations.

The concept of flowing data is also complicated by the nature of NCUA’s supervisory relationship to FISCUs. As noted, NCUA does not regularly directly examine most FISCUs. FISCUs for which NCUA does perform a direct insurance review are also undergoing examination by their prudential state regulator. NCUA would need to coordinate with the state regulator to prevent duplicative information requests.

Question #11: What do you see as the most significant challenges facing the NCUA’s move to an offsite examination/ supervision model that utilizes technology?

Moving to an offsite supervision model will not be without its challenges. NCUA, and state regulators, will confront and have to overcome, the challenges faced by remote workforces throughout the pandemic. The agency will have to ensure remote staff have sufficient internet speed and bandwidth. This may require providing routers with higher Mbps capability as well as higher Mbps service subscriptions to reduce buffering on video conferences with credit unions and fellow examiners.

NCUA will also have to train examiners how to best conduct remote video supervision. Such training should include professionalism expectations such as attire, backgrounds, lighting, and audio quality. In addition to remote video training, NCUA, and states, will have to consider how to reconfigure training for new examiners.

Traditionally, a critically important component of new examiner training is the ability of new examiners to “shadow” a seasoned examiner onsite at a credit union. While close coordination can be maintained during a remote examination between a seasoned examiner and an examiner in-training, many of the advantages of ongoing, in-person, contact will need to be replaced.

Question #12: What difficulties do you foresee with moving to a future examination model for federal and state charted credit unions?

NCUA and state regulators will have to work to coordinate closely as NCUA develops an offsite examination program. To reduce supervisory burden on FISCUs, NCUA and state regulators should work together to adopt changes to NCUA’s program to the shared supervisory responsibilities related to FISCUs. Changes in NCUA’s program should not result in redundant and duplicative data/examination requests for FISCUs.

We note that increasing NCUA reliance on examinations conducted by state regulators would be consistent with NCUA’s initiative to conduct more supervision by way of remote offsite analysis.

Question #13: What concerns do you have, if any, about a diminished NCUA onsite presence, and can these be mitigated?

For the foreseeable future, a de minimis onsite presence might still be necessary and desirable. For credit unions of all sizes, establishing and maintaining a connection with the examination team produces dividends for both the credit union and the examiner(s). For both large and modest sized credit unions, the onsite presence of the examiner is an opportunity for informal dialogue on issues.

For examiners, often onsite presence allows a seasoned examiner to develop a “sense” of the management, compliance culture, and operational “tone” of the credit union in ways difficult to replicate by video offsite.

Question #17: If rebuilding the examination process from scratch, how might you redesign what is currently done today in order to reduce the burden on credit unions and/or minimize time that examiners need to be onsite at credit unions?

One aspect of redesign for NCUA’s examination of FISCUs would be to increase NCUA’s reliance on state examinations for credit unions of all asset sizes. More effective use of management questionnaires and improved ROEs could improve supervision. There is a variety of examples of both available from various state regulatory agencies.

Question #19: Are video and telecommunications capabilities sufficient to maintain good lines of communication between examiners and credit union management and officials with reduced in-person meeting opportunities? What other communication protocols would support quality communications between the credit union and examination staff?

Yes, video and telecommunications capabilities can help maintain sound lines of communication if used regularly to ensure credit unions and examiners stay connected. An offsite examination program should include robust video touch points to begin the examination, throughout the exam and at conclusion. To help examiners maintain familiarity with credit union management, offsite examination communications should be held with a variety of credit union officials, not “only” a single point of contact.

Question #21: Does the NCUA have regulations/ policies that are sufficiently flexible to allow you to leverage various technological advances such as artificial intelligence, machine learning, process robotics, Fintech, Regtech, and Suptech etc.?

NASCUS encourages NCUA, and state regulatory agencies, to consider permitting credit unions to make modest equity investments in technology companies to permit credit unions to obtain a front row seat to emerging technology. In the increasingly competitive marketplace of financial technology, credit unions should be allowed to strategically invest not for speculative purposes, but to enable credit unions to maintain a competitive edge in technology development and adoption.

Question #24: What issues are unique to smaller institutions regarding the use and implementation of innovative products, services, or processes that the NCUA should consider?

As discussed above, many modestly sized credit unions may have limited access to the digital capabilities necessary to engage with NCUA examiners remotely. Credit union records may not be stored in a manner conducive to electronic transfer and personnel may be limited, in turn hampering the credit union’s ability to digitize its existing records. For these credit unions, the technology upgrades, training on equipment and programs, and conversion of existing records into digital format present a substantial obstacle to participation in remote examinations.

We have also heard from credit unions and state examiners that smaller credit unions appreciate examiner onsite presence. The credit unions will take advantage of the examiner being onsite to “pick the examiners’ brain” about operational and regulatory issues.

NCUA will have to consider how to bring these credit unions up to speed with access to, and understanding of, the necessary technology as well as how to replace the resource to the credit unions represented by the examiner onsite presence.

 Question #27: Do you feel there are circumstances that would disqualify or preclude a credit union from participating in this examination model where the majority of  work is completed offsite?

Credit unions that are in troubled condition, or credit unions where regulators have management concerns would likely require more on an onsite presence then would be provided for in a robust offsite supervision model. In these cases, while minutes and policies may still be effectively reviewed remotely, the need to fully inspect loan files, and engage directly with management and staff, often necessitate a greater onsite presence. Under current examination protocols, a troubled credit union would warrant an increase in the numbers of examiners onsite.

Question #28: What documentation and measures should be collected and used to assess a credit union’s financial education efforts or programs?

As a NCUSIF and safety and soundness matter, a FISCU’s financial education programs are not relevant to NCUA. This is but one area where NCUA’s remote examination for FCUs would differ from NCUA’s remote examination.

State regulators interested in evaluating the financial education programs administered by state-chartered credit unions would use questionnaires and evaluation of publicly available resources such as the websites of credit unions and related third parties.

Question #29: Are there better ways for the NCUA to receive important contextual information regarding how you serve the low-income, underserved, and unbanked communities in your field of membership?

In most cases, gathering information of this nature would only be germane to NCUA examination of FCUs. If for some reason, NCUA needed some of this information in relation to determinations of low income designation pursuant to § 741.204, NCUA should coordinate with the prudential state regulator on a case-by-case basis on how to gather necessary data.[3]

Question #32: All technology is coupled with internal and external security risks. As credit

unions remain diligent in addressing these risks, what can the NCUA do to support credit unions’ security posture?

Several credit unions suggested to NASCUS that complying with extensive offsite record requests causes them to regularly note exceptions to their cybersecurity policies. Any information NCUA could share with credit unions and state regulators regarding the security of NCUA systems used for offsite examination, and any security audits of those systems, might help credit unions adjust policies and procedures to participate in offsite supervision without regularly having to violate their own security policies.

NCUA, state regulators, and stakeholders could also discuss what information might be redacted in data transfers in a manner that preserves the supervisory value of the data while withholding sensitive information with limited supervisory value.

Question #33: What cybersecurity challenges do you see with the NCUA moving to this future examination model?

Remote operations and remote communications increase vulnerability to cyber compromise. NCUA, state regulators, and credit unions will have to ensure the security of data transmissions and video communications. For credit unions needing technology assistance to participate in offsite examination programs will likely need help implementing and maintaining the security for those systems as well.

 

Conclusion

Lessons learned from NCUA’s 2018 Virtual Examination Program, experience gained during the past several months of remote examinations, and insight provided in response to this RFI should enable NCUA to further develop the concept of a remote examination program. As noted in our comments, several states have already undertaken initiatives to increase offsite supervision and examination. While an element of onsite contact between examiners and credit unions remains a valuable and necessary component of supervision, increasing and enhancing offsite examination capability can benefit both credit unions and the regulatory agency. NASCUS supports NCUA’s initiative and we look forward to working with NCUA to tailor the agency’s offsite examination program to its insurance reviews of state-chartered credit unions and cooperative working relationships with state credit union regulators.

 

Sincerely,

– signature redacted for electronic publication –

Brian Knight

Executive Vice President & General Counsel


[1] NASCUS is the professional association of the nation’s 45 state credit union regulatory agencies that charter and supervise over 2,000 state credit unions. NASCUS membership includes state regulatory agencies, state chartered and federally chartered credit unions, and other important stakeholders in the state system. State-chartered credit unions hold nearly half the $1.76 trillion assets in the credit union system and are proud to represent nearly half of the 123 million credit union members.

[2] NCUA Request for Information on Strategies for Future Examination and Supervision Utilizing Digital Technologies, 85 Fed. Reg. 127, 39588 (July 1, 2020).

[3] 12 C.F.R. 741.204 incorporating by reference 12 C.F.R. 701.34 for low-income designation for FISCUs.

A PDF of the letter can be accessed here.