NCUA Board Approves Final Rules on CUSOs and CAMELS Rating System, Briefed on Cybersecurity

Board Action Bulletin

(Oct. 21, 2021) – Through a live webcast, the National Credit Union Administration Board held its ninth open meeting of 2021 and approved two items:

• A final rule that adds the sensitivity to market risk or “S” component to the existing CAMEL rating system and redefines the liquidity risk or “L” component.
• A final rule that expands the list of permissible activities and services credit union service organizations or CUSOs are allowed to engage in.

In addition, the NCUA Board received a semiannual briefing on cybersecurity risks confronting credit unions and the financial services sector.

Final Rule Would Add Sensitivity to Market Risk to the CAMEL Rating System

The NCUA Board unanimously approved a final rule that adds the “S” (Sensitivity to market risk) component to the existing CAMEL rating system, thus updating the rating system from CAMEL to CAMELS, and redefines the “L” (Liquidity risk) component.

The benefits of adding the “S” component are to enhance transparency and allow the NCUA and federally insured consumer and corporate credit unions to better distinguish between liquidity risk (“L”) and sensitivity to market risk (“S”). The addition of “S” also enhances consistency between the supervision of credit unions and financial institutions supervised by the other banking agencies. 

“The NCUA’s adoption of the CAMELS system is good public policy and long overdue. Separating the liquidity and market sensitivity components will allow the NCUA to better monitor these risks within the credit union system, better communicate specific concerns to individual credit unions, and better allocate resources,” said NCUA Chairman Todd M. Harper.  

Implementation of the revised CAMELS rating system will take place on the final rule’s effective date, which is April 1, 2022.

Rule Expands Permissible Activities and Services for CUSOs

The NCUA Board, by a 2-1 vote, approved a final rule that amends the NCUA’s credit union service organization regulation. The final rule:

• Expands the list of permissible activities and services for CUSOs to include originating any type of loan that a federal credit union may originate; and
• Grants the board additional flexibility to approve permissible activities and services outside of notice-and-comment rulemaking.

“This rule gives credit unions the tools to compete more effectively in the digital marketplace,” said NCUA Vice Chairman Kyle Hauptman. “It also gives members another choice when shopping online. That’s a good thing. As always, we will be watching how this rule impacts consumers and credit unions.”

“I believe this rule will help credit unions, and in particular, mid-size and smaller credit unions, stay relevant in the years ahead by continuing to grow and scale in the cooperative spirit while insuring the industry is responding to the rapidly changing lending landscape,” said NCUA Board Member Rodney Hood. “I view today’s rule as a significant milestone for Credit Union Service Organizations, but our work here is not done with regard to CUSO investments. I look forward to addressing this in the future with my board colleagues.”

“As stewards of the credit union system, the NCUA Board should act to safeguard consumers and protect the system from sizable losses to the Share Insurance Fund,” said Harper in opposing the final rule. “Because the agency lacks the third-party vendor authorities that the other federal banking agencies and several state regulators have, the NCUA has no power to supervise CUSOs for compliance with federal consumer financial protection laws and regulations and compliance with prudential standards like concentration limits, maximum loan-to-value ratios, and minimum capital levels.”

Harper continued: “[i]n adopting the final rule today, we will not be taking substantive action to close these regulatory blind spots. Instead, this final rule will create an unregulated Wild West within the credit union space with little accountability for protecting consumers and credit unions.”

The final CUSO rule adopts the proposed rule issued at the January 2021 Board meeting without any substantive changes, and is effective 30 days after publication in the Federal Register.

Board Briefed on Cybersecurity Risk to Credit Unions

Staff from the NCUA’s Office of Examination and Insurance briefed the Board on continuing cybersecurity risks to credit unions and the broader financial services industry. The briefing focused on five areas:

• Cybersecurity Threat Update
• Information Security Examination and Cybersecurity Assessment Program
• Guidance and Risk Alerts
• Cybersecurity Resources Webpage
• Industry Outreach and Partner Engagement

“To compete, credit unions must be able to safely and securely use technology to deliver member services and adopt financial innovations to ensure the industry’s long-term success,” said Harper. “We, therefore, must all work together to promote innovation with an emphasis on security and equity. I encourage credit unions to utilize the information-sharing groups and other resources presented in this briefing.”

In addition, the briefing included an update on ransomware cases and business email compromise complaints, supply chain and third-party vulnerabilities, and the NCUA’s Automated Cybersecurity Evaluation Toolbox (ACET), which credit unions can use to identify potential cybersecurity vulnerabilities. A summary of the NCUA’s industry outreach and partner engagement efforts, along with the resources available on the NCUA’s Cybersecurity Resources page at ncua.gov/cybersecurity, were also presented to the Board.

The NCUA tweets all open Board meetings live. Follow @TheNCUA(opens new window) on Twitter, and access Board Action Memorandums and NCUA rule changes at www.ncua.gov. The NCUA also live streams, archives and posts videos of open Board meetings online.