In its ninth open meeting of the year, the National Credit Union Administration (NCUA) Board recently approved two items via a live webcast:

  1. A final rule adding sensitivity to market risk (an “S” component) to the existing Capital Adequacy, Asset Quality, Management, Earnings, and Liquidity/Asset-Liability Management (CAMEL) rating system, as well as redefining the “L” component.
  2. A final rule increasing the number of permissible activities credit union service organizations (CUSOs) may engage in.

On top of these new final rules, the NCUA Board also received a semiannual briefing on popular cybersecurity risks threatening credit unions.

The New “S” in CAMELS

The NCUA Board collectively approved a final rule adding sensitivity to market risk (“S”) to the current CAMEL rating system. The intention behind adding the “S” component is to increase transparency and offer context for the NCUA and federally insured consumer and corporate credit unions to differentiate between liquidity risk “L” and sensitivity to market risk “S”. Adding the “S” component also creates cohesion between financial institutions supervised by other banking agencies.

The revised CAMELS rating system will go into effect on April 1, 2022, the final rule’s effective date.

Expanded CUSO Permissible Activities and Services

In a 2-1 vote, the NCUA Board approved a final rule amending the NCUA’s CUSO regulation. The rule increases the number of permissible activities and services for CUSOs and gives the NCUA Board discretion to approve permissible activities outside of notice-and-comment rulemaking.

The list of preapproved activities and services within the CUSO rule has not been significantly updated since 2008, when it added two new categories of permissible CUSO activities: credit card loan origination and payroll processing services. The rule also created new examples of permissible CUSO activities and clarified that federal credit unions may invest in and loan to CUSOs that buy and sell participations of loans they are permitted to originate.

Under the new final rule, CUSOs are now “permitted to originate, purchase, sell, and hold any type of loan permissible for federal credit unions to originate, purchase, sell, and hold.” Therefore, CUSOs may originate general consumer loans, direct auto loans and unsecured loans and lines of credit. CUSOs can also purchase vehicle-secured retail installment sales contracts from auto dealers. This newfound flexibility will empower CUSOs to offer a wider selection of services for their customers while also reducing regulatory burdens of notice-and-comment rulemaking.

This final rule pertaining to CUSOs adopts the proposed rule from January’s Board meeting without significant changes and will go into effect 30 days after it is published in the Federal Register.

Semiannual Cybersecurity Briefing

Rounding out the open meeting was a cybersecurity briefing from the NCUA’s Office of Examination and Insurance. The presentation’s agenda was broken out into five areas:

  • Cybersecurity Threat Update
  • Information Security Examination and Cybersecurity Assessment Program
  • Guidance and Risk Alerts
  • Cybersecurity Resources Webpage
  • Industry Outreach and Partner Engagement

Attendees received an update on ongoing business email compromise complaints, ransomware cases, third-party vulnerabilities and the NCUA’s Automated Cybersecurity Evaluation Toolbox (ACET), a resource credit unions can leverage to determine potential cybersecurity risks. The resources presented to the board are accessible for credit unions here.

If you have questions about how these recently approved final rules may impact your credit union, contact Doeren Mayhew’s Financial Institutions Group today.