Wipfli logo
Back to Articles

National Credit Union Administration sets 2025 priorities

Alison Herrick
Alison J. Herrick
Jan 27, 2025
6 min read

The National Credit Union Administration (NCUA) recently rolled out its 2025 supervisory priorities. NCUA issues a list of priorities annually to help insured credit unions navigate compliance, governance and other timely issues.

This year’s priorities are not a surprise but are important reminders across very high-risk areas.

NCUA supervisory priorities for 2025

The industry has continued to see signs of financial stress on balance sheets, loan performance and earnings. Though in recent years we have seen record lows in delinquencies and charge-offs, loan delinquencies are trending up and are now at their highest in over 10 years. Overall, the credit union system remains stable and relatively resilient, though there are areas of uncertainty and concern which NCUA will be focused on.

Credit risk

Credit risk has been a top priority for the last couple of years and continues to be. Credit unions saw moderate loan growth in 2024, coupled with increased delinquencies and charge-offs. With the increase in prices and inflation, as well as the overinflated values of vehicles during the COVID years, it is no surprise that the two areas of greatest deterioration were in credit card portfolios and used auto loans. Used vehicle charge-off rates have actually reached their highest levels on record. 

NCUA examiners will continue to review credit unions’ lending and risk management practices. They will focus on all aspects of the loan cycle, including underwriting, collection efforts, charge-off practices, allowance for credit losses and board and management reporting.  They will also hone in on third parties outsourced by the credit union. 

Still, NCUA wants to make sure credit unions are working with borrowers encountering difficulties, consistent with the mission of the credit union system. As borrowers are facing difficulties and workout activity is on the rise, examiners will be assessing the credit union’s efforts for reasonableness and proper controls and oversight.

Balance sheet management and risk to earnings and net worth

Credit, liquidity and market risk are all components tied to the credit union’s ability to manage financial assets and liabilities, which directly affects earnings and net worth. Interest rate risk is the primary element in market risk. Interest rate changes have a profound effect on income.

Credit unions have seen a squeezing in net interest margin due to increased rates and costs of funds increasing faster than loans and investment income. This squeeze has put pressure on earnings while waiting for investment and loan income to catch up. Conversely, interest rate decreases make loans and investments prone to prepayment. Between interest rate management, poor loan performance and increased operating expenses, credit union earnings and net worth could be at risk. 

Examiners will continue to evaluate the credit union’s policies, procedures, risk limits and overall risk management framework relative to the credit union’s size, complexity and risk profile. As part of the evaluation, examiners will be looking at the credit union’s current and prospective sources of earnings, as well as composition of net worth relative to the credit union’s approved plans and thresholds. This approach will help examiners focus on trends in earnings and get a better understanding of concentration risks within earnings and net worth. They will also continue to look at current and prospective sources of liquidity compared to funding needs.

As was expected in prior years, credit unions should consider various scenarios, assumptions and data when evaluating their earnings and liquidity risks. These plans should be well documented, communicated and tested regularly.

Cybersecurity

Cybersecurity remains a top priority as cyberattacks become more frequent and sophisticated. Credit unions are very dependent on technology, as well as their vendors that host many of the technologies used. Any loss or compromise of confidential data, whether by the credit union or a vendor, can cost the credit union not just financially but reputationally.

Managing information security programs, having business continuity plans and ongoing due diligence of critical vendors is crucial in mitigating cybersecurity risks. NCUA will continue to use the information security examination procedures to assess credit unions. NCUA will also continue to support the credit union’s voluntary use of the ACET for assessing cybersecurity maturity.

As a reminder, the cyber incident notification requirement requires credit unions to notify the NCUA within 72 hours if they or a third-party provider experience a cyber incident.

NCUA also reiterated the need for the credit union’s board of directors to prioritize cybersecurity as a top oversight and governance responsibility, as was urged in the Credit Union Letter 24-CU-02. Some highlights from the letter include four key areas of focus:

  • Provide for recurring training: This will help the board stay aware of cyber risks and their implications. The board should also ensure employees receive regular education and that the credit union maintains a security-minded culture.
  • Approve information security program: The board must approve a comprehensive information security program that meets the requirements of Part 748 and review and update it annually.
  • Oversee operational management: The board is responsible for overseeing management and their ability to manage risks, including:
    • Third-party due diligence.
    • Embedding cybersecurity and operational resilience into the organizational culture, making it a core value, influencing decision-making at all levels.
    • Providing management access to cybersecurity expertise as well as an adequate budget to implement, maintain and defend.
    • Vulnerability/patch management and threat intelligence.
    • Audit function consistent with the size and risk profile.
    • Establishing a framework for periodic reporting by management to the board on cybersecurity audits, incidents and program effectiveness.
    • Protecting and managing backups, including procedures for restoring data from backups in the event of an incident.
    • Membership education.
  • Incident response planning and resilience: Plans must allow the credit union to operate effectively during and after a cyberattack. Effective planning includes a communication strategy, both internal and external, insurance considerations, an incident response team and tabletop exercises.

Consumer financial protection

Examiners will continue to focus on consumer financial protection laws and regulations, specifically the following:

  • Overdraft programs: Review will include policies, procedures, disclosures, fees, account statements, member complaints, internal reviews and websites. See Credit Union Letter 24-CU-03 for risks and additional guidance related to overdraft programs
  • Fair lending: Examiners will assess policies and practices for identifying and mitigating any potential discrimination in residential real estate valuation practices.
  • Home Mortgage Disclosure Act (HMDA) and Regulation C: Examiners will evaluate compliance with HMDA data collection and reporting, including transaction testing.
  • Military Lending Act: Review will include policies and procedures for checking and monitoring military status.
  • Electronic Fund Transfer Act and Regulation E: Examiners will assess policies and procedures related to payments and error resolution.

Other updates

  • Exam flexibility initiative to provide extended exam cycle for credit unions over $1 billion in assets with a CAMELS composite rating of 1 or 2 and no change in CEO since last cycle. These credit unions are eligible for a 12- to 16-month exam cycle.
  • NCUA will continue to conduct the small credit union exam program scope for federal credit unions with $50 million or less in assets.
  • Risk-focused exam for all other credit unions with examiners performing examinations both onsite and offsite as appropriate.
  • Though cybersecurity, technology and third parties need additional attention, credit unions are reminded to review and maintain fundamental controls over lending, recordkeeping and internal controls.
  • NCUA also encourages the credit union to remain aware of changing Bank Secrecy Act, anti-money laundering and countering the financing of terrorism regulatory requirements.

Overall, the primary objective of the exams is to ensure a safe and sound credit union system and protect credit union members. With the ever-changing economic and technological landscape, it is critical for credit unions to be adaptable and agile in managing risks. 

How Wipfi can help

Staying on top of changes in the regulatory space is essential for credit unions. If your organization is looking for assistance in navigating the ever-shifting world of compliance, Wipfli can help. Our team of dedicated professionals is attuned to industry trends and stays vigilant as regulatory priorities change and can guide you to more certain footing in 2025 and beyond. Contact a representative today to get started.

Author(s)

Alison Herrick
Alison J. Herrick
CPA, Partner
View Profile

TOP PICKS

Andrew Maychruk
Andrew Maychruk 03/24/2025
The strategic edge: Leveraging fractional CIOs in credit unions
Read full story
Luke Soper
Luke Soper 05/24/2024
How credit unions can manage liquidity risk in 2024
Read full story
Alison Herrick
Alison J. Herrick 02/09/2024
Information you need: NCUAā€™s 2024 supervisory priorities
Read full story