Federal credit unions are permitted to make investments in, or loans to, certain business entities that primarily serve credit unions and their memberships. These entities are generally referred to as credit union service organizations (CUSO).
CUSO activities can include certain loan origination services, insurance programs, electronic transaction services, and a wide range of support services such as debt collection, compliance, and record retention. In fact, an article in last month’s Credit Union Magazine pointed out CUSOs can “do just about anything credit unions need."
Section 712 of NCUA’s regulations governs not only what services CUSOs can provide, but also:
- How much a federal credit union can invest in, or loan to, CUSOs in the aggregate;
- How CUSOs should be legally structured so they’re distinct from a credit union;
- Conflicts of interest; and
- NCUA's access to CUSOs' records.
In 2008, NCUA for the first time applied certain CUSO regulations to federally insured state-chartered credit unions (FISCUs). Specifically, all federally insured credit unions must:
- Comply with Section 712.4 to maintain separate corporate identities from CUSOs; and
- Enter into contracts with CUSOs stating NCUA and its state regulators have “complete access to any books and records of the CUSO and the ability to review CUSO internal controls.”
NCUA recognizes that CUSOs, through collaboration and efficiencies of scale, provide essential services benefiting credit unions and members. But the agency attributes some past credit union and NCUSIF losses to CUSO operations and believes it’s not positioned to assess possible risks. Because it only receives information about CUSOs indirectly from credit unions, NCUA says it lacks complete information about who CUSOs serve, what services they offer, their financial conditions, and even how many CUSOs exist.
Therefore, effective June 30, 2014, NCUA is expanding its CUSO requirements. NCUA doesn’t have authority to actually examine CUSOs and other third-party vendors. Although access to records and reviews of internal controls can result in on-site CUSO reviews by NCUA, the agency says it takes that action "only if safety and soundness concerns to credit unions exist or if the CUSO poses an undue risk to the NCUSIF.”
NCUA’s lack of direct regulatory authority over CUSOs explains why the agency implements requirements for CUSOs through directives to credit unions. In a March 2014 board meeting, NCUA Board Chairman Debbie Matz reiterated the agency’s intention of obtaining direct authority over CUSOs: “NCUA remains the only financial services regulator lacking the necessary authority to examine vendors for safety and soundness and compliance with laws and regulations. NCUA will continue to call on Congress to provide this authority.”
CU contract requirements
A key change is the addition of Section 712.3(d)(4), which addresses NCUA’s major concern that incomplete information restricts its “ability to conduct off-site monitoring and evaluate the risks posed by CUSOs.”
All federally insured credit unions must amend their contracts with CUSOs by June 30, 2014, to require CUSOs to annually submit a report directly to NCUA—and to the state supervisory authority, in the case of a state-chartered credit union. The contract language must ensure the CUSO complies with a new Sec tion 712.11 that requires “subsidiary CUSOs” also to report to NCUA. This applies to an entity in which a CUSO has any ownership interest that engages primarily in providing products or services to credit unions or credit union members.
NCUA adopted its CUSO amendments last November, but established the mid-2014 effective date to allow credit unions seven months to make the necessary contractual changes.
During the comment period on the proposed CUSO changes, many commenters, including CUNA, questioned NCUA’s authority to require CUSOs to provide reports directly to the agency and its need for such information. NCUA emphatically disagrees. In the explanatory information accompanying the final regulation, the agency cites its statutory authority to collect information about CUSOs and provides examples where CUSO activities caused significant problems for credit unions.
Other FISCU rules NCUA has decided that certain CUSO requirements should apply equally to all federally insured credit unions because the risks are the same to the NCUSIF. This includes provisions in Section 712 that address accounting, audits, and financial statements. This means a federally insured state-chartered credit union's contract with a CUSO must be amended by midyear to require the CUSO to:
- Account for all of its transactions according to GAAP (generally accepted accounting principles);
- Prepare quarterly financial statements; and
- Obtain an annual audit of its financial statements by a CPA (unless a wholly owned CUSO consolidates its financials with the investing credit union, as permitted for a federal credit union).
Effective June 30, less-than-adequately capitalized federally insured state-chartered credit unions become subject to restrictions on recapitalizing a CUSO without approval from its state regulator (and notice to NCUA). Because all states don’t have the same investment and loan caps applicable to federal credit unions, these rules aren’t identical to those applicable to less-than-adequately capitalized federal credit unions.
New reporting requirements
NCUA says its system for direct reporting by CUSOs will be fully operational by Dec. 31, 2015. The agency has provided a draft of its data collection form in the supplementary information section accompanying the revised CUSO regulation.
Each CUSO will be required annually to provide “basic registration information” on contact information, services offered, names of credit unions investing in/lending to/receiving services from the CUSO, and information about any subsidiary CUSO.
A CUSO will be subject to more extensive reporting requirements if it engages in “complex or high-risk activities.” In response to commenters' complaints that the proposal went too far in requiring detailed information from all CUSOs, in the final regulation NCUA limits additional reporting to those CUSOs engaged in activities of particular concern to the agency. NCUA identifies these “complex or high-risk activities” as:
- Credit and lending: business loan origination; consumer mortgage loan origination; loan support services, including servicing; student loan and credit card loan origination;
- Information technology: electronic transaction services; record retention, security, and disaster recovery services; and payroll processing services; and
- Custody, safekeeping, and investment management services for credit unions.
CUSOs providing these enumerated activities will have to detail the services provided to each credit union and each credit union’s investment amount, loan amount, or level of activity with the CUSO. CUSOs involved in credit and lending services also will have to report details about their loan portfolios by type of loan.
And CUSOs identified as engaging in “complex or high-risk activities” will have to provide NCUA with their most recent year-end audited financial statements.
NCUA explains how it envisions using the information CUSOs provide. Possible uses include:
- Raising examiner awareness of identified risks;
- Improving supervisory oversight of federally insured credit unions;
- Helping credit unions improve their due diligence; and
- Fostering collaborative problemsolving among CUSOs, credit unions, state regulators, and NCUA.
Although credit unions remain concerned about the reach of the new reporting requirements, NCUA says it “feels the final rule achieves the balance of exercising regulatory restraint while ensuring the ultimate safety and soundness of the NCUSIF.”
KATHY THOMPSON is CUNA’s senior vice president of compliance. Contact CUNA’s compliance team at firstname.lastname@example.org.