NCUA Issues Guidance on Expanding CUSO Activities
In an early February NCUA issued Letter to Credit Unions 23-CU-02, outlining risk factors linked to credit union service organizations (CUSOs) originating business, consumer mortgage, student, and credit card loans. NCUA emphasizes that a credit union’s risk due to these CUSO loans will depend on the relationship between CUSOs and credit unions. The guidance begins by introducing ways a credit union and a CUSO may interact.
- Lender – A credit union that lends funds to a CUSO, creating a debt relationship.
- Investor or owner – A credit union that invests in a CUSO. The credit union may own all or a portion of the CUSO, establishing an equity relationship. Depending on the structure of the relationship, the credit union may be a shareholder, member, or partner.
- Client or customer – A credit union that uses a CUSO’s services, or purchases products, including loans offered by a CUSO, constituting a vendor-client relationship.
NCUA lists the following risk factors as potential areas of concern when operating with a CUSO and lending: credit risk; strategic risk; compliance risk – applicable laws and regulations; fair lending; unfair, deceptive, or abusive acts and practices (UDAAP); reputation risk. This compliance blog will address these risk areas in that order.
Credit Risk
NCUA encourages credit unions to perform risk assessments and conduct due diligence as a part of a credit union’s oversight of the credit union-CUSO relationship. For example, NCUA advises credit unions that purchase CUSO-originated loans to verify these loans are underwritten, documented appropriately, and meet applicable laws and regulations. Moreover, NCUA ask credit unions to monitor CUSO’s exposure to credit risk. Credit risk may vary among different business lines and balance sheet composition. The guidance highlights the loss of credit union investments and cash-flow disruptions as two issues that may occur due to credit risk exposure.
Strategic Risk
NCUA’s advice to credit unions when managing strategic risk relating to a credit union-CUSO relationship may be summarized in two sayings: know your friends and always have an exit strategy. The guidance suggests “…credit unions should educate themselves about a CUSO’s organizational structure, subsidiaries, functions, and the third parties the CUSO uses to provide products or services to the credit union.” A credit union may want to play twenty-one questions with its CUSO to better understand what makes its friend tick.
NCUA also underscores how a CUSO’s legal and regulatory problems may sometimes spill over into a credit union’s own affairs. The guidance highlights several vulnerabilities along the CUSO-credit union relationship where such CUSO issues may become credit union issues. For example, “…the financial statements for a wholly owned CUSO are consolidated with the credit union’s financial statements, so CUSO losses become part of the credit union’s income statement during the consolidation process.” Another potential vulnerability is a heavy reliance on “…a CUSO to perform…business function[s] or to provide a significant source of income.” A credit union may want to review its own relationship with CUSOs to ensure vulnerabilities identified in this guidance do not materialize in existing relationships.
Compliance Risk – Applicable Laws and Regulations
One thing to keep in mind as reiterated in the guidance: CUSOs are separate entities and fall outside the NCUA’s lending regulations. This includes interest rate caps, loan maturity limits, and prohibitions against repayment penalties. While a CUSO is not restricted under NCUA’s lending restrictions, a credit union is still unable to use a CUSO to circumvent NCUA’s lending regulations. The guidance reminds us a credit union is only able to participate or purchase a CUSO-originated loan if the credit union itself is “empowered” to grant the loan. CUSOs are subject to state regulatory authorities and their laws such as lending, licensing, and usury laws as well. In addition, CUSOs are subject to federal consumer financial protection laws and regulations.
Fair Lending
Another risk factor that may arise during a credit union-CUSO relationship are fair lending issues. The guidance focuses on third party use of artificial intelligence and machine learning to make lending decisions. NCUA highlights steps a credit union should take as users of artificial intelligence. A credit union should:
- Understand the models and their associated risks.
- Can explain how the models work.
- Evaluate whether the lending algorithms and data used by partners avoid disparate impacts.
- Collaborate with model risk experts to evaluate and verify that the models and algorithms do not promote bias or discrimination.
Unfair, Deceptive, or Abusive Acts and Practices
A practice identified by the guidance as a potential UDAAP concern is when CUSOs have names similar to the credit union that is promoting the service. NCUA raises concern that members may link “any aggressive or improper CUSO lending activity with the lending activity of the credit union” if there is a close link between a CUSO and a credit union such as a name. The guidance suggests ways a credit union could avoid confusion:
- Comply with the NCUA’s [section] 712.4(a), including holding the credit union and CUSO out to the public as separate enterprises.
- Pay particular attention to their marketing to inform members of programs with CUSO-originated loans.
- Ensure the loan contract terms match credit union policies and rate sheets for the interest rate, annual percentage rate, grace period, late fees, payment schedule, prepayment, insurance requirements, force placement of insurance, among others.
Reputation Risk
NCUA warns that CUSO-originated loans may cause reputation risk to a credit union. The guidance suggests several ways for a credit union to protect itself from this risk. First, CUSOs similar to credit unions should use the CUSO’s official name in loan agreements and accounts statements. Second, credit unions should educate its members on the difference between the CUSO and the credit union. For example, NCUA advises credit unions to tell its members when the member is dealing with the CUSO and not the credit union. Last, both credit unions and CUSOs should protect member records and information from inadvertent disclosure.
If there are any additional questions, please do not hesitate to contact NAFCU’s Regulatory Compliance team at compliance@nafcu.org.
$300.00 savings on Online Compliance Training Subscriptions: Industry experts cover the hottest topics in a fast, convenient way. Master the most challenging areas of CU compliance—all accessible by your entire credit union staff 24/7/365. Subscribe now and use code NEWYEAR by February 28 to save.