Breaking Regulatory Compliance
NCUA 2026 Supervisory Priorities: What Credit Union Examiners Are Testing for AI, Lending, and BSA/AML Compliance
The NCUA released its 2026 supervisory priorities in January — six focus areas that will define every credit union exam this year. Here's what examiners are specifically testing: loan quality metrics, AI governance documentation, BSA risk-based tailoring, third-party vendor oversight, and fraud controls for payment systems.
Table of Contents
TL;DR
- The NCUA’s 2026 supervisory priorities (released January 14, 2026) add AI governance to the examination program for the first time — examiners are reviewing AI use policies, board briefings, and vendor AI due diligence at every credit union
- Credit risk is the dominant priority: loan performance is at its weakest in over a decade, and examiners will scrutinize underwriting standards, ACL methodologies, and concentration limits across consumer and commercial portfolios
- BSA/AML emphasis has shifted from checkbox compliance to risk-based tailoring — examiners want to see that your program resources are allocated toward your highest-risk customers and transactions, not spread evenly
- Third-party risk management will include specific questions about vendors who use AI in their services, not just traditional TPRM documentation
- The agency committed to “no regulation by enforcement” — but that doesn’t mean AI and fraud gaps are being ignored
Examiners showed up differently in 2026. Credit unions that expected the same examination rhythm as 2024 are getting questions they haven’t had before — about AI policies, about vendor AI due diligence, about whether fraud controls have kept up with the shift to real-time payments.
The NCUA released its 2026 supervisory priorities letter on January 14, 2026. If you haven’t read it, that’s the document shaping every examination scope this year. Here’s what it actually requires — and where the gaps are most common going into summer exam season.
Why 2026 Looks Different
The NCUA opened its 2026 priorities letter with an explicit commitment to “no regulation by enforcement” — a direct signal that the agency intends to engage credit unions on emerging issues before escalating to enforcement actions. That’s a meaningful shift from the approach some credit unions experienced in 2023–2025 around third-party risk and BSA/AML.
But “no regulation by enforcement” doesn’t mean reduced scrutiny. The six priority areas the NCUA identified represent the intersection of what’s going wrong (credit quality deterioration, real-time payment fraud) and what’s changing fast enough that guidance hasn’t caught up (AI governance, fintech partnership risk).
The practical effect for credit union compliance teams: examiners are flagging gaps earlier in the process — as recommendations or MRAs — which creates an opportunity to remediate before findings escalate. But you need to be ready to answer the questions.
Priority 1: Credit Risk — Loan Quality Is the Dominant Concern
The NCUA’s framing is direct: loan performance is at its weakest point in over a decade.
Credit unions that expanded consumer lending aggressively through 2022–2024 are seeing delinquency rates rise as higher interest rates, reduced stimulus savings, and strained household budgets catch up with borrowers. Examiners in 2026 are doing detailed reviews of:
Underwriting standards. Are the credit criteria that approved loans in 2022–2023 still appropriate in the current rate environment? Examiners will compare current underwriting guidelines to the vintage that’s generating your highest delinquencies — and they’ll look for whether the board received updated guidance before problems materialized.
Allowance for credit loss (ACL/CECL) methodology. For credit unions on the CECL standard, examiners will evaluate the reasonableness of the expected credit loss model — including whether economic assumptions are current, whether the reasonable-and-supportable forecast period reflects actual portfolio conditions, and whether the reversion methodology is appropriate for your mix of assets.
Loss mitigation and charge-off practices. Examiners will assess whether your loss mitigation programs (modifications, deferrals, extensions) are being tracked and whether they’re masking deterioration in underlying credit quality. Loan modifications that extend the timeline without improving the borrower’s repayment capacity attract examiner attention.
Concentration limits. If your credit union has significant concentrations in auto loans, credit cards, or commercial real estate, examiners will review whether the board-approved concentration limits are documented, being monitored against actual portfolio composition, and whether triggers have been set for when concentrations exceed thresholds.
| Credit Risk Exam Topic | What Examiners Are Looking For |
|---|---|
| Delinquency trends | 30/60/90-day trends by product, vintage analysis |
| ACL/CECL methodology | Economic assumptions, documentation, board approval |
| Underwriting standards | Current guidelines vs. recent vintage underwriting |
| Loss mitigation | Volume, terms, re-default rates |
| Concentration risk | Board-approved limits, KRIs, management reporting |
If you’re running key risk indicators for credit quality — delinquency rate by product, net charge-off ratio, ACL coverage ratio — make sure they’re being reported to the board and that amber/red breaches have documented management responses.
Priority 2: Interest Rate Risk and Capital Management
With rates having stayed elevated longer than many credit unions projected, the IRR focus in 2026 is on two related questions: whether earnings are sufficient to support capital accumulation under stress, and whether unrealized losses on long-duration securities are being managed with a credible strategy.
Examiners will review:
- IRR modeling. Does your model capture the full range of rate scenarios, including both parallel shifts and non-parallel changes (twist, flatten)? Is the model being validated independently?
- Capital trajectory under stress. If rates stay elevated for 18–24 months, does your capital plan show sufficient earnings to maintain regulatory minimums? Examiners want to see a documented stress scenario, not just a base-case projection.
- Unrealized losses. For credit unions with significant available-for-sale securities portfolios, examiners will assess whether board reporting addresses the magnitude of unrealized losses, their expected realization timeline, and the credit union’s strategy for managing duration mismatch as rates eventually decline.
Priority 3: BSA/AML — Risk-Based Tailoring, Not Checkbox Compliance
The 2026 BSA/AML priority represents a meaningful shift in examination approach. The NCUA is explicitly moving away from evaluating whether programs have the required written components (the checklist model) toward evaluating whether programs are calibrated to the credit union’s actual risk profile.
The exam question is no longer “do you have a BSA officer, written policies, and a training program?” — it’s “have you analyzed your specific customer base, products, and geographies, and allocated your controls and resources accordingly?”
Three areas where credit unions frequently fall short on risk-based tailoring:
Transaction monitoring tuning. Generic transaction monitoring rules set at industry-default thresholds are being flagged when they’re clearly miscalibrated to the credit union’s actual transaction mix. If your membership skews toward small businesses in a specific industry, or if you offer specific ACH products that generate distinctive transaction patterns, your monitoring rules should reflect that — and you should be able to document the rationale for your current thresholds.
SAR decision documentation. Examiners want to see that SAR filing decisions — both files and no-files — are documented with adequate rationale. The “looked suspicious but we decided not to file” decision is the one that creates the most exam exposure if it can’t be supported.
High-risk customer program. If your credit union offers products used by higher-risk customer categories (cannabis-related businesses where legal, MSBs, NGOs), examiners will review whether your enhanced due diligence program is documented and consistently applied, and whether ongoing monitoring reflects the elevated risk.
The BSA/AML independent testing framework is the documentation examiners rely on to evaluate whether the program is working — not just whether it exists. Make sure your last independent test reflects the risk-based tailoring emphasis, not just the traditional five-pillar checklist.
Priority 4: Fraud Prevention — Payment System Fraud Is the Specific Target
Real-time payments have changed the fraud equation for credit unions. FedNow and RTP transactions settle instantly and irrevocably — there’s no return window, no chargeback mechanism, no recall process analogous to what exists for ACH. When a member is socially engineered into sending a wire through FedNow, recovery is extremely difficult.
The NCUA’s 2026 fraud priority explicitly emphasizes payment system fraud, with examiners evaluating:
Real-time payment fraud controls. Credit unions that have onboarded to FedNow or RTP will face specific questions about their fraud monitoring for instant payment transactions. The questions will cover: how fraudulent transactions are detected before settlement, what member education is provided about payment scams, and what your instant payment return/dispute procedures look like for unauthorized transactions.
Business email compromise (BEC) and vendor impersonation. The NACHA ACH Phase 2 rule (effective June 22, 2026) now requires all non-consumer originators and RDFIs to document fraud monitoring processes specifically intended to detect “false pretenses” fraud — which covers BEC, vendor impersonation, and payroll diversion schemes. Credit unions that are RDFIs or that serve commercial members who originate ACH need to have documented their Phase 2 compliance.
Authorized push payment fraud. Examiners will ask about scams where the member was deceived into authorizing a transfer — these don’t fit traditional “unauthorized transaction” frameworks, and the CFPB’s Regulation E and P2P payment scam guidance is still evolving. Credit unions need documented positions on how they handle authorized push payment fraud claims.
Member education documentation. Training members about social engineering scams is increasingly being treated as a fraud control. Examiners will ask whether you have active member education programs, not just a static website disclosure.
Priority 5: Third-Party Risk Management — AI Vendors Are Now in Scope
Third-party risk management has been a credit union examination priority for several years. What’s new in 2026 is the explicit inclusion of AI tools embedded in third-party platforms.
Many credit unions have added vendor-supplied AI tools without running them through the same TPRM process applied to traditional vendors. The NCUA’s 2026 priorities letter makes clear that this gap will be tested.
Examiners will ask:
- When a vendor uses AI in the services it provides to the credit union (fraud scoring, loan underwriting, member service), how does the credit union evaluate that AI as part of its vendor assessment?
- What due diligence was performed on the vendor’s AI model before deployment? What ongoing monitoring is in place?
- Does the board know which critical services rely on vendor AI?
- What’s the credit union’s fallback if a vendor-supplied AI model produces biased or inaccurate outputs?
The practical implication: if your credit union uses a core processor, loan origination system, or fraud detection vendor that includes AI components, you need a record showing you’ve asked the right questions and assessed the AI-specific risks — not just the traditional security and financial health questions.
For credit unions using AI in credit underwriting decisions, the existing ECOA and Reg B adverse action notice requirements apply to vendor AI outcomes just as they do to internally developed models. The AI governance checklist for regulatory exams covers the documentation examiners are looking for when AI touches member-facing decisions.
The NCUA hired three AI officers in 2025–2026 specifically to support examination teams evaluating AI governance. These aren’t technology specialists checking source code — they’re evaluating whether boards know about AI risk, whether TPRM programs capture AI-specific due diligence, and whether consumer compliance programs extend to AI-driven member decisions.
Priority 6: Operational Resilience and Cybersecurity
Operational resilience rounds out the six priorities. Examiners will evaluate governance, vendor oversight, and security controls supporting payment systems — with particular attention to cybersecurity vulnerabilities and data protection.
The specific examiner questions cluster around:
Multi-factor authentication. MFA enforcement — not just availability — is now a baseline expectation. Examiners will ask whether MFA is enforced on email, administrative systems, remote access, and core banking access, and whether there are any exceptions or bypass mechanisms.
Patch management. The examination will include questions about whether known vulnerability remediation timelines are documented and being met — not just whether you have a patch management policy on paper.
Business continuity and vendor dependencies. For credit unions whose critical business functions depend on third-party vendors, examiners will review whether the BCP specifically addresses vendor failure scenarios — not just internal system outages. The Business Continuity for Banks and Credit Unions post covers the NCUA’s specific BCP examination expectations.
Incident response. Examiners will confirm that the credit union has a documented incident response plan, that it has been tested (tabletop exercise results documented), and that staff responsible for incident response know their roles.
What Gaps Look Like in Practice
Credit union compliance teams heading into a 2026 examination are typically running into four specific gaps:
-
AI governance documentation doesn’t exist. The credit union uses AI tools but has no documented policy, no board briefing, and no vendor AI due diligence record. This creates a finding even if the tools are working correctly.
-
BSA/AML program hasn’t been risk-calibrated to the current member base. The written program was built for a different product mix or membership composition and hasn’t been updated to reflect current higher-risk areas.
-
Third-party risk management doesn’t ask about AI. The credit union’s vendor questionnaire doesn’t include AI-specific questions, so there’s no documentation of what AI tools vendors are using or how the credit union evaluated them.
-
Credit risk KRIs aren’t board-reported. Delinquency trends and ACL methodology changes are tracked internally but haven’t been elevated to the board in a format that shows the board is engaged with credit quality deterioration.
The KRI Library includes pre-built indicators for all six NCUA priority areas — credit quality metrics, IRR monitoring triggers, BSA/AML operational indicators, fraud KRIs, and vendor health signals — with green/amber/red thresholds pre-calibrated for financial services. For credit unions building or refreshing their risk dashboard ahead of an examination, it’s a faster start than building metrics from scratch.
So What?
The NCUA’s 2026 examination emphasis won’t produce surprises for credit unions that have kept their risk programs current. But the AI governance addition is genuinely new — there’s no credit union that has been examined on this before — and the BSA/AML shift toward risk-based tailoring catches programs that were built to check boxes rather than to reflect actual risk.
The checklist for the summer examination season:
- Credit risk: Board has received updated credit quality reporting with delinquency trend analysis and ACL methodology documentation within the last 60 days
- IRR: Board-approved stress scenario exists and capital trajectory under adverse conditions has been analyzed
- BSA/AML: Transaction monitoring thresholds are documented with rationale; SAR decision log is current; high-risk customer EDD is consistently applied
- Fraud: Documented position on real-time payment fraud, BEC controls, and authorized push payment claims; NACHA ACH Phase 2 documentation is in place
- Third-party risk: Vendor questionnaire has been updated to include AI-specific questions; critical vendor AI tools are inventoried and assessed
- AI governance: Board-level briefing has been conducted; AI use policy exists; AI vendors are in the TPRM process
If any of those are unchecked, now is the time to close the gap — not during the examination.
Sources:
◆ Need the working template?
Start with the source guide.
These answer-first guides summarize the required fields, evidence, and implementation steps behind the templates practitioners search for.
◆ Immaterial Findings · Weekly
Sharp risk & compliance insights. No fluff.
◆ FAQ
Frequently asked questions.
What are the NCUA's 2026 supervisory priorities?
What does the NCUA mean by 'no regulation by enforcement' in its 2026 priorities?
Is AI governance an NCUA examination requirement in 2026?
What does the NCUA's 2026 BSA/AML priority mean for how examiners will assess my program?
What third-party risk topics will NCUA examiners cover in 2026?
What credit risk items will NCUA examiners focus on in 2026?
Author
Rebecca Leung
Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.
● Don't wait for your own enforcement action
Every case like this started with a gap someone knew about but hadn't documented. The template below gives you the framework to get ahead of it.
KRI Library (132 Key Risk Indicators)
132 KRIs with thresholds, data sources, and escalation triggers pre-built for financial services.
◆ Keep reading
Related posts.
Regulatory Compliance
The Fed's Payment Account Proposal: What Fintechs and Digital Asset Firms Need to Know Before the July 27 Comment Deadline
The Federal Reserve proposed a special-purpose Payment Account in May 2026, offering eligible fintechs direct access to Fedwire Funds and FedNow without a bank charter. The comment period closes July 27. Here's who qualifies, what compliance the Fed requires, and why your institution should care even if you're not applying yet.
Jul 7, 2026
Regulatory Compliance
SEC Cyber Disclosure Rule: What 2.5 Years of Form 8-K Filings Reveal About Your Response Program Gaps
The SEC's 4-business-day cyber incident disclosure rule has 2.5 years of enforcement history. Here's what the filings and enforcement actions reveal about common materiality determination failures — and how to build a decision protocol that survives SEC scrutiny in 2026.
Jul 5, 2026
Regulatory Compliance
GENIUS Act AML/CFT Compliance: Breaking Down the FinCEN and OFAC Rule That Drops July 18
The FinCEN/OFAC joint proposed rule for stablecoin issuers establishes a full BSA/AML compliance program requirement — SAR filing, CTR filing, CIP, CDD, and OFAC sanctions screening — with a technical wallet-blocking mandate that has no precedent in traditional financial services. Here's what Permitted Payment Stablecoin Issuers and their bank partners need to build.
Jul 4, 2026