PHOENIX — Imagine what would happen if a hacker gained access to your credit union’s email accounts and sent a message to members telling them the credit union was unable to honor all deposit withdrawal requests.
You could probably quickly regain access to the account and quickly inform members the email was fake, C. Myers Executive Vice President Adam Johnson said during a standing room only breakout session May 21 at the CUNA CFO Council Conference.
“You might be thinking, ‘No big deal, just inform members you were hacked. You might think the response wouldn’t create a liquidity event. But it could,” he said.
In April, hackers gained access to the Associated Press Twitter account, tweeting a false report that the White House had been attacked and President Barack Obama was injured. Thanks to the power of social media, within seconds the report caused a major dip in the stock market.
Johnson and said the event illustrates how quickly technology can create and grow an unexpected liquidity crisis and should force risk managers to brainstorm all possible threats.
C. Myers President John Myers also outlined what NCUA examiners are looking for when they will check for compliance with the regulator’s proposed liquidity rule, which would require that all credit unions have a liquidity policy and those with more than $10 million have a contingency funding plan. The proposed rule would also require credit unions with more than $100 million in assets to establish an emergency liquidity relationship with either the Federal Reserve or the Central Liquidity Facility.
Myers said at a minimum, a contingency funding plan should address the institution’s ability to meet normal liquidity requirements as well as for contingent events, and must identify the contingency sources. It must also include policies to manage a range of stress environments, identification of some possible stress events, and likely liquidity responses.
The plan must also include management processes that include clear implementation and escalation procedures for liquidity events, a list of who is responsible within the institution to respond to events, and the frequency with which the plan will be tested and updated. Myers said he’s seen plans so detailed the responsibility list included not just position titles but current employee names and cell phone numbers.
Defining liquidity management decisions like which solutions will be used for certain events and where they stand on the escalation staircase requires consideration of all investments, borrowings, deposits and loans on the books or available.
For example, when considering solutions involving loans, Johnson said credit unions must determine at what point would might raise rates or stop approving or funding loans. Could a credit union stop approving loans across the board or could it legally do so selectively? What are the legal, reputational and competitive risks associated with not funding approved loans? Is it legal to reduce credit lines when a member’s collateral value or credit profile hasn’t changed? If the liquidity scenario is systemic, would a credit union’s loan portfolio sell in the stressed market?
And, Johnson said, because the bar is being raised for even basic liquidity policies, credit unions must revisit their policy after establishing a contingency funding plan to ensure there are no policy limits or other parameters that would restrict it.
Myers warned against bad practices in liquidity risk management, including the practice of copying and pasting another credit union’s policy. Both the NCUA and other regulators have specifically stated that liquidity policies and CFPs must be commensurate with the institution’s complexity, risk profile, and scope of operations, he said, so that practice isn’t effective.
“Nobody wants to admit it, but slapping your name on somebody else’s policy does happen,” he said.
Giving management and applicable staff enough time to provide feedback on liquidity planning – and demanding feedback if busy members of the team don’t provide it – is also crucial, Myers said.