Office of Credit Unions' Exam Manual
The Office of Credit Unions (OCU) provides this Exam Manual as a resource for its staff to use in the supervision of credit unions. The Manual provides broad, general guidance to examiners regarding the scoping process, on- and off-site supervision contacts, and more. The Manual does not impose specific legislative requirements on credit unions; however, it does offer information that credit unions may find useful to understand OCU’s safety and soundness perspective when they have questions about the examination and supervision process.
OCU will maintain an updated Exam Manual on this website and as necessary provide updates when publishing changes to the Manual.
The Manual is offered as a resource for examiners, but the guidance provided here may not necessarily be appropriate for every situation. A risk-focused examination approach requires examiners exercise professional judgment in allocating resources to review and appropriately assess the inherent risk in a given credit union operation. Determining the scope of an examination must consider many variables specific to an individual credit union. When examiners determine existing or potential risk is present, they may perform the procedures necessary to determine the extent of that risk and any mitigating circumstances related to the risk.
If you have questions that are not addressed in the Exam Manual, please contact your assigned examiner, regional supervisor or the OCU.
|Policy#||Title of Policy||Short Description|
To outline scope considerations regarding onsite examination/supervisory contacts.
Workpapers shall be maintained to evidence the scope of examinations and follow-ups, provide guidance for the direction of future examinations, and document support for the findings cited and conclusions stated in the reports issued to the credit union. Although the full scope of each examination shall be determined by the Examiner-In-Charge (EIC), based upon the individual credit union and professional judgment, examiners shall strive for reasonable consistency between workpapers maintained for each examination.
Communication between OCU personnel and credit unions shall occur in such a way to establish a positive rapport whenever possible and practical with credit unions and facilitate open communication between OCU and industry personnel. OCU personnel shall conduct examinations and meetings in a professional and objective manner.
NCUA adopted the CAMEL system for rating credit unions in 1987. The purpose of the CAMEL Rating System is to accurately and uniformly evaluate credit unions on safety and soundness of operations, compliance with regulations, financial condition, degree of risk to the National Credit Union Share Insurance Fund (NCUSIF), and amount of supervisory attention needed. In 2014 DIFS added the use of “S” to rate market sensitivity for Michigan state chartered credit unions.
|10051||7 Key Risk Categories - Defined||
This policy provides guidance on the definitions used within the Risk Analysis sheet within the Database Input Workbook for full and follow-up examinations. The definitions for the seven risk categories, inherent risk, risk management, composite risk, and risk trends are as explained here.
The Uniform Rating System for Information Technology (URSIT) is used to uniformly assess and rate IT-related risks of financial institutions and their TSPs. The purpose of this rating system is to evaluate the examined institution's overall risk exposure and risk management performance and determine the degree of supervisory attention necessary to ensure that weaknesses are addressed and risks are properly managed. The assigned rating determines the degree of supervisory attention necessary.
|10105||Review of Board and Management||
The Board of Directors is responsible for directing the affairs of the credit union. Directors must have a general knowledge of the daily operation of the credit union. Management is responsible for completing the duties delegated to them by the Board and must have the ability to manage risks determines whether the credit union can withstand fluctuations and ensure ongoing viability of the credit union. Credit Union Directors have a responsibility to act in the best interest of the membership.
An analysis of the board minutes enables the examiner to draw conclusions about how the officials and management interact and perform their job responsibilities. This information is used to determine the adequacy of management and the effectiveness of board oversight. Analysis must also include review of required actions taken by the Board of Directors to ensure compliance with credit union Bylaws and the Michigan Credit Union Act (MCUA).
The Supervisory Committee's primary duty is to ensure management practices and procedures are sufficient to safeguard members' assets. Supervisory Committee minutes should be analyzed to draw conclusions about the oversight of the institution’s officials and management. Supervisory Committee actions which must be completed as required by the Bylaws and Michigan Credit Union Act. If there is no Supervisory Committee, the Board of Directors assumes the duties of the Supervisory Committee.
The Credit Committee is responsible for the oversight and administration of credit decisions by the Credit Committee and loan officers. Credit Committee minutes should include documentation of Credit Committee actions as required by the Bylaws and MCUA. In the absence of a Credit Committee, the Board of Directors must perform all duties of the Committee.
Policies must clearly and concisely state intentions, limitations, and controls that will guide the credit union. They should also reflect the credit union’s mission, values and principles as well as the tolerance for risk. Policies should be reviewed on at least an annual basis and amended as necessary to reflect current procedures. Management must ensure policies comply with all state and federal regulations.
|10130||Strategic Planning and Budgeting||
Strategic Planning, including the development of Key Objectives and Goals are necessary to guide the credit union. Goals must be measurable, attainable and include appropriate timeframes. Documentation should be maintained to support goals and objectives. Goals should be reviewed on a regular basis. Budgets should be prepared at least annually and reviewed periodically throughout the year.
|10135||Internal Controls||Internal controls help to minimize and monitor risk. Controls must be in place to mitigate risk within the credit union and safeguard credit union assets.|
|10140||Fraud Detection||Examiners must be able to recognize warning signs of fraud and take appropriate measures. Examiners must ensure adequate internal controls exist to deter and detect fraud and/or insider abuse, and that the credit union has procedures in place to take appropriate action if fraud and/or insider abuse is detected.|
|10145||Contracts and Commitments||All material contracts entered into by management between examinations should be reviewed. The contracts should evaluate financial impact, ensure independence, ensure legal and compliance risk is mitigated and the contract represents a sound business decision.|
|10150||Nondeposit Investment Products (NDIP)||This policy provides guidance for the examination procedures for nondeposit investment products. A Nondeposit Investment Product (NDIP) is a financial security that is not federally insured. NDIP’s include mutual funds, annuities, securities, and self-directed Individual Retirement Accounts that invest in securities. Sales activities for nondeposit investment products should ensure that members are clearly and fully informed of the nature and risks associated with these products.|
|10155||Deferred Compensation Plans||This policy details requirements regarding the review of deferred compensation programs. This includes any arrangement in which an employee receives future economic benefits, including health care, life insurance, disability income replacement plans and retirement plans. These arrangements may be qualified or nonqualified retirement plans under the Internal Revenue Code, including those fully or partially funded by the credit union.|
|10160||Reviewing Products/Services related to MRBs||These procedures outline the general review of credit union financial services related to the marijuana industry and related businesses/members. As the risks related to offering services in this space are varied and high, (particularly while federally illegal), the institution’s due diligence and ongoing control over such a portfolio must be robust. Examiners must evaluate management’s due diligence in deciding to provide such services. The board and management must have clear understanding of the associated risks, and satisfactory risk management tools in place which are functioning soundly.|
|10205||General Accounting Review||Examiners must gain reasonable confidence in the accuracy of the credit union’s accounting and financial reporting to place reliance on Call Report Data and financial statements. Accurate financial statements are essential to ensure appropriate risk assessment and CAMELS ratings. The organization and accuracy of accounting is a very strong indicator of management effectiveness. Confidence in a credit union’s reported financial condition is key to ascertaining the safety and soundness of an institution.|
|10210||Audit Review||The purpose of reviewing the audit is to determine compliance with state and federal regulations, potential risks and financial discrepancies, the scope of the general ledger review, whether the Supervisory Committee, if any, has fulfilled their audit responsibilities and to verify the financial statements fairly and accurately represent the condition of the credit union.|
|10230||Corporate Credit Card||A written policy must be developed to guide the use of the credit union’s corporate credit card. All aspects of the program should align and adhere to the policy. Internal controls and procedures must be established to govern the use of the credit union’s corporate credit card. Proper documentation should be maintained to support corporate credit card expenses.|
|10240||Allowance for Loan and Lease Losses (ALLL)||The Allowance for Loan Loss and Lease Losses Account (ALLL) should provide a best estimate of the probable amount of loan or lease account the institution will have difficulty collecting. The ALLL should be reviewed to ensure compliance with state and federal regulations and that the account is adequately funded. Methodology for the determining the required balance in the account must be consistently applied and regularly reviewed.|
|10250||Call Report Review||Examiners must evaluate management’s ability to accurately complete the Call Report and maintain sufficient supporting documentation. Call reports are to be filed quarterly.|
|10301||General Lending Review||Examiners must ascertain the overall potential financial impact of lending activities (risk of loss) and determine the levels of risks present in the loan portfolio. Management’s knowledge, abilities and effectiveness, as well as whether the lending staff have sufficient knowledge to underwrite loans in compliance with regulations and safe and sound lending standards must be evaluated.|
Examiners review loan contracts to make sure they are valid, complete, enforceable, and comply with consumer regulations and credit union loan policies. This includes:
|10305||Consumer Lending||Examiners must determine the overall level of risk in the consumer loan portfolio, the potential impact to the financial condition, and ascertain compliance with state and federal regulations. Examiners must assess management’s knowledge and capacity to grant quality loans and adequately manage the loan portfolio.|
|10310||Credit Cards||Examiners must determine the overall level of risk in the credit card loan portfolio, the potential impact to the financial condition, and ascertain compliance with state and federal regulations. Examiners must assess management’s knowledge and capacity to grant quality loans and adequately manage the credit card loan portfolio.|
Examiners must determine the levels of credit and interest rate risk in the real estate loan portfolio, the potential impact to the financial condition, and ascertain compliance with state and federal regulations. Examiners must assess management’s knowledge and capacity to grant quality loans and adequately manage the real estate loan portfolio.
|10317||Real Estate Appraisals and Evaluations||Examiners review real estate appraisal and evaluation policies and procedures to ensure consistency with principles of safety and soundness. The real estate lending program must include an appropriate real estate appraisal and evaluation program and provide an effective and reliable method of determining the value of collateral securing real estate loans.|
|10320||Construction Lending||Construction loans constitute higher-risk loans and require sophisticated underwriting and administration. Management must be knowledgeable about the requirements of construction lending and establish acceptable limits to mitigate credit and concentration risks. Examiners must evaluate a credit union’s construction lending program through a review of policies and procedures, management of the portfolio, and individual construction loan files.|
|10330||Courtesy Pay (Overdraft/Bounce Protection)||Courtesy Pay advances are loans and must be reported and accounted for as loans. Examiners must evaluate Courtesy Pay programs to determine the amount of risk present, compliance with state and federal regulations and the type of monitoring management completes to mitigate risk.|
Michigan chartered credit unions may participate in loans to credit union members jointly with other credit unions, CUSOs or other financial institutions as designated by law. Participation loans must be made according to the requirements of the Michigan Credit Union and NCUA Rules and Regulations. Examiners will review participation loan documents, policies, agreements and related contracts to ensure compliance.
|10340||Purchase/Sale of Eligible Obligations||Credit unions may sell or pledge obligations of its members under certain conditions. Examiners must ensure that obligations meet the requirements of the MCUA, bylaws and lending policies as established by the Board.|
|10342||Indirect Lending||An indirect lending program allows members of the credit union to make a purchase and obtain financing at the same location. Examiners must evaluate the levels of risk in the indirect loan portfolio, determine if this level of risk is acceptable and determine whether management has sufficient controls in place to mitigate the risk. Examiners must ensure management complies with the requirements of state and federal regulations. Also, examiners must assess management’s competency in understanding, monitoring, and underwriting indirect loans.|
|10345||Member Business Lending||Examiners must evaluate the levels of credit, concentration, and interest rate risk in the business loan portfolio. Management must have appropriate controls in place to monitor and mitigate risk(s) and ensure the level of risk remains acceptable for the credit union. Examiners must ensure the credit union complies with the state and federal regulations regarding business lending, loan workouts/modifications, and appraisals. Management and the Board of Directors must understand the risks of business lending. Management and staff must have appropriate experience, expertise and resources to ensure compliance with policy, procedure, and regulation. Risk management systems must be comprehensive and ongoing and review of business loans must be completed on a regular basis.|
|10350||Loan Delinquency, Monitoring and Classification||Examiners will review policies and procedures relating to loan delinquency monitoring and classification to evaluate the accuracy of reported delinquency, the reasonableness of the Allowance for Loan and Lease Losses balance and whether systems, procedures and controls are in place to identify and monitor collection problem loans.|
|10355||Loan Extensions||Examiners must determine the level of risks associated with granting loan extensions. Credit and collateral risk may vary depending on the controls the Board of Directors and management have established to govern loan extensions and modifications. Management’s understanding of, and ability to control the risk associated with loan extensions must be evaluated. Compliance with applicable state and federal regulations and guidelines in policies and procedures will also be reviewed.|
|10360||Workout Loans and Troubled Debt Restructurings||Examiners will evaluate the credit union’s risk management practices regarding loan workouts and/or Troubled Debt Restructurings (TDRs). The adequacy of policies, procedures, and controls will be reviewed to determine if proper rick assessment and due diligence was performed in implementing any loan workout program. Management infrastructure to identify, control, and manage any loan workout activity as well as the experience and training for individuals involved in this program will be evaluated. Documentation must be in place to verify the borrower’s financial condition, collateral values for security pledged and proper lien perfection for that collateral. The effectiveness of loan collection procedures as well as proper accounting and reporting of workout loans and TDRs will evaluated. All reporting guidelines, supervisory guidance and adherence to statutory, regulatory and internal rules, regulations and internal lending limits will be evaluated.|
|10365||OREO – Other Real Estate Owned||Examiners must review management systems to ensure proper disclosure and valuation of assets, and accurate and timely recognition of expenses of Other Real Estate Owned (OREO) over the three phases of the asset’s life cycle: acquisition, holding period, and disposition.|
|10405||Investments-General||The Board of Directors is responsible for identifying appropriate risk exposure levels and ensuring proper management of those risks within the institution. Examiners must evaluate the Board of Director’s understanding of the risk characteristics of each investment, ensure policies and procedures accurately reflect the institution’s investment activity and compliance with all applicable rules and regulations. Management must demonstrate sufficient expertise to manage risks while balancing safety, liquidity, and yield. Appropriate due diligence must be performed in selecting, reviewing, and monitoring broker-dealers and/or safekeeping entities.|
|10410||CDs and Insured Deposits||
The review of a credit union’s investments in certificates of deposit (CDs) and insured deposits should verify compliance with state and federal regulations, the adequacy of investment policies, procedures, and controls as well as management’s ability to manage the risk and diversity in the investment portfolio while balancing safety, liquidity, and yield.
|10420||Investments in Corporate Credit Unions||Investments in corporate credit unions are reviewed to determine compliance with state and federal regulations and the adequacy of the credit union’s investment policies, procedures and controls. Management’s ability to manage the risks in this portfolio while balancing safety, liquidity and yield must also be evaluated.|
|10430||Federal Agency, U.S. Government and Related Securities||Investments in federal agency and U.S. government issued securities are reviewed to determine compliance with state and federal regulations and the adequacy of the credit union’s investment policies, procedures, and controls. Management’s ability to manage the risks in the investment portfolio and understand how the investment portfolio’s market value and realized and unrealized gains or losses could impact the credit union’s financial position must also be evaluated.|
|10440||Corporate Bonds||Investments in corporate bonds are reviewed to determine compliance with state and federal regulations, the adequacy of the credit union’s investment policies, procedures, and controls and management’s ability to manage the risk in this portfolio. Management’s ability to understand how realized and unrealized gains or losses in this portfolio could impact the credit union’s financial position must also be evaluated.|
|10450||Collateralized Mortgage Obligations (CMOs)||Collateralized Mortgage Obligations are reviewed to determine compliance with state and federal regulations, and the adequacy of investment policies, procedures, and controls. Management’s ability to manage the risks in the investment portfolio and understand how an investment’s market value and unrealized gains or losses could impact the credit union’s financial position must also be evaluated.|
Investments in mutual funds are reviewed to determine compliance with state and federal regulations as well as the adequacy of investment policies, procedures, and controls. Management’s ability to manage the risks in the investment portfolio, balance, safety, liquidity and yield and understand how market value and realized and unrealized gains or losses in this portfolio could impact the credit union’s financial position must be evaluated.
|10470||Stocks (CUSO, FHLB, IPO, Other)||
Investments in stocks are reviewed to determine compliance with state and federal regulations, the adequacy of the credit union’s investment policies, procedures and controls and Management’s ability to manage the risks in the investment portfolio while diversifying investments to balance safety, liquidity and yield.
|10480||Impermissible Investments||To identify impermissible investments held by a credit union and ensure appropriate corrective action to remedy the state of non-compliance. Examples of impermissible investments are Standby Commitments, Cash Forward Agreements, Short Sales, Pair-off Transactions, Repurchase Agreements, Bank Stock, any investment considered to be speculative in nature, any investments not otherwise specifically permitted by the Michigan Credit Union Act.|
|10490||CUSO Examination Procedures||This policy provides guidance for the examination procedures of credit union service organizations (CUSOs). CUSOs are defined by Section 102(l) of the Michigan Credit Union Act (MCUA). Examiners must evaluate a CUSO’s structure, financial statements, annual audit, and compliance with applicable state and federal laws.|
|10510||Asset Liability Management - General Review||Asset Liability Management policies, procedures and controls are reviewed to determine management’s effectiveness in managing the balance sheet and to evaluate the adequacy of the credit union’s liquidity. Procedures to measure interest rate risk, liquidity risk, concentration rick, strategic risk and reputation risk are also reviewed. Policies and procedures must be appropriate for individual credit union operations.|
|10520||Sensitivity - Interest Rate Risk||Examiners must determine the institution’s exposure to interest rate risk (IRR) and evaluate how effectively management addresses IRR exposure. The complexity of the institution’s balance sheet must be evaluated as well as policies and procedures necessary to manage an institution’s interest rate risk.|
|10530||Liquidity||Examiners must ensure management has established sound controls to manage liquidity risks. These controls should include identifying the existence of cash flow demands and measuring the extent of those demands, processes to identify emerging liquidity demands and ensuring corrective measures are in place to minimize liquidity risk and disruption of member services|
|10540||Concentration Risk||Examiners must evaluate all measures, policies, and procedures credit union officials have in place to identify, measure, monitor, and control concentration risk. Examiners must ensure concentration risk is managed in conjunction with credit, interest rate and liquidity risks; as a negative event in any category may have significant consequences on the other areas, as well as strategic and reputation risks.|
|10605||Information Technology and Security||Examiners must assess information technology complexity and management's oversight of information security. The Gramm-Leach-Bliley Act (GLBA) provides a minimum compliance governance framework. Examiners should evaluate industry accepted security standard practices and guidelines and their integration with the institution's operations and environment. Without appropriate information security controls and oversight, management places consumers' personally identifiable information at risk, which in return, places the institution's reputation at risk. Since information technology is integrated throughout operations, numerous inherent risks exist which impact institutions.|
|10620||ACH Transactions||ACH transactions are inherently high risk transactions. Fraud may originate internally or externally. To counter these risks, strong internal controls, segregation of duties, checks and balances, and reviews/monitoring must occur. Examiners must evaluate if management is assessing and initiating appropriate risk countermeasures.|
|10630||Wire Transfers||Wire transfers are inherently high risk transactions. Without adequate controls, institutions incur undue financial and operating risks. To mitigate risks, strong internal controls including segregation of duties, checks and balances, and frequent reviews must occur. Management must assess the risks and initiate appropriate risk countermeasures. Examiners should ensure the countermeasures are effective and management's oversight is appropriate.|
|10640||Cybersecurity||Cybersecurity is the process of protecting consumer and financial institution information by preventing, detecting, and responding to attacks. An effective cybersecurity program must include satisfactory identification and management of internal and external threats and vulnerabilities, implementation of appropriate controls and monitoring systems, and periodic controls testing. Examiners must assess management’s oversight, policies and procedures regarding cybersecurity. In light of the increasing volume and sophistication of cybersecurity threats, examiners should focus on cybersecurity preparedness in assessing the effectiveness of an institution’s overall information security program.|
|10710||Bank Secrecy Act||Examiners must determine whether the Board of Directors, management, and credit union staff have complied with the requirements outlined in the USA Patriot Act, the Bank Secrecy Act, and other applicable state and federal regulations. Inherent risk within the credit union’s operations and transactions must be evaluated to determine whether the credit union has instituted appropriate internal controls to mitigate or reduce the risk.|
|10720||Membership Card Review||Membership application cards should contain sufficient information to determine compliance with Article III, Section 3 of the credit union’s bylaws. Applications must be in writing, signed by the applicant and approved by the Membership Officer. A report including the name of all new members and date of approval should be provided to the Board of Directors each month. Examiners must verify compliance with BSA requirements in the credit union’s completion of membership cards.|
|10730||Electronic Membership Approval||Electronic membership applications allow individuals to join a credit union and fund new accounts without having to physically enter a branch location. The electronic membership application must obtain sufficient information to comply with the credit union’s customer identification program. Additionally, the process must include checking the applicant against the Office of Foreign Asset Control (OFAC) lists before making the membership decision. The process must provide a means for determining and documenting membership eligibility per Section 352 of the Michigan Credit Union Act and Article III of the credit union’s bylaws as well as compliance with all applicable rules and regulations.|
|10810||Net Worth and Capital||Net worth/Capital is reviewed to ensure it is sufficient for the institution’s risk profile, whether adequate policies and procedures exist regarding net worth accounts and to ensure compliance with applicable state and federal regulations.|
|10820||Earnings||Earnings must be evaluated relative to net worth needs, financial and operational risk exposures, the current economic climate, and the institution’s strategic plans. Examiners must ensure current earnings and net worth are accurately stated, earnings are managed appropriately, and proper internal controls exist over expenditures and reserves.|
|10910||Bond and Insurance Coverage||Bond and other insurance coverage is required of all credit unions to insure against unforeseen losses such as employee or director dishonesty, and losses in relation to the services provided to the membership. Coverage must be reviewed by examiners from a safety and soundness aspect as well as compliance. Review of credit union records and discussions with management should help determine if a bond claim is required or should have been filed.|