Prepare & Protect: Top Credit Union Risks in 2025

Take a look at any headline these days, and there is one word that seems to be everywhere: uncertainty. And is it any wonder why? From security to liquidity, the threat of uncertainty is profoundly ingrained in every aspect of credit union operations.

Even though credit unions are not new to risk – just take a look at the past five years, the financial crisis, etc. – we remain a movement imbued by resilience. But the risks continue to grow in frequency, intensity and, sadly, cost. In fact, IBM has reported that the average cost of a data breach for financial organizations is approximately $5.9 million. Even in the name of prevention, Gartner predicts that cybersecurity spending among financial institutions could reach $212 billion this year.

Those are some serious figures that could have significant impacts for credit unions of all sizes…and that’s only encompassing of cybersecurity issues, an arguably high-priority concern. But it’s just one fish in an ocean of many.

While these risks are difficult to avoid completely, there is a clear equation for combating them: prepare for emerging risks and protect the credit union and members against them. To do this, the best place to be is in the know. A good place to start is with the National Credit Union Administration (NCUA)’s 2025 supervisory priorities. These priorities are a good indicator of where the industry believes the biggest risks will lie, and is also helpful in prepping for your annual audits, as these areas will be of the biggest concern for auditors.

Now, let’s take a look at the top risks to credit unions in 2025 (the prepare part of the equation), how examiners are likely to view them and how to mitigate them (the protect part of the equation).

Cybersecurity Risks

As our dependence on the virtual world continues to grow and new technologies emerge, cybersecurity concerns have increased exponentially over the past several years. Not only does our nearly exclusive reliance on the digital world for transaction processing, data storage and operations put our institutions at a high risk, but the level of sophistication in cyberattacks has also increased. That means vigilance and, even more so, proactive responses are more important now than ever before.

Consider the landscape of ransomware, phishing, social engineering, data breaches, malware and fraud in recent years. One malicious link in an email or a system takeover that happens within minutes are very real threats facing credit unions on a daily basis, and they could easily take down an institution from both a monetary and reputational standpoint. Just like a virus can spread on the internet, so, too, can press from one cyber event. And that doesn’t have to be a direct attack on the credit union either – it can stem from vendors and third-party providers as well, a concern that is gaining even more traction in 2025.

Examiner Perspective:

The NCUA has heightened their concerns over cybersecurity in recent years, as it has been a part of their supervisory priorities for years now. That trend will only continue throughout 2025, as examiners look for credit unions to have a robust security infrastructure. Notably, in 2023, the governing body issued its Cyber Incident Notifications Requirement, which mandates that all federally insured credit unions have a maximum of 72 hours to report a cyber incident to the NCUA.

Potential Mitigation Strategies:

• Implement an all-inclusive security program. Again, the NCUA is a good reference for the pieces of a comprehensive security program in their Guidelines for Safeguarding Member Information (Part 748).
• Use monitoring tools that can detect threats in real-time. The use of an AI enhanced tool in these detection efforts is becoming more and more useful, with the proper vetting and settings, of course.
• Create and implement incident response, disaster recovery and crisis communication plans. These plans will allow you to take quick and efficient action to combat cyber threats should one occur and create a structure of communication that will serve your credit union. In addition, test these plans often.
• Conduct regular risk assessments, penetration testing, vulnerability scanning and internal audits. Know your weaknesses and address them accordingly.
• Provide ongoing training for staff and members. Your front line and your members are the most vulnerable targets, so ensure they are knowledgeable about potential threats.
• Do your due diligence when it comes to your vendors. The more you know about them, the better understanding you will have of their vulnerabilities that could have an impact on your credit union. Work with your vendors to eliminate or reduce these risks so you aren’t caught off guard.
• If you haven’t already, develop an AI policy now. This technology isn’t going anywhere, and it’s going to be a part of every credit union at some point or another. Plan ahead now so you can determine and prepare for AI-related risks.

Take note of all these mitigation strategies, as they are pieces required in the NCUA’s information security/cybersecurity exam, so not only are they good practices to put in place, but they’ll also be critical to passing your annual examination.

Financial Risks

As the theme of uncertainty continues to grow stronger, perhaps it is the most prevalent in the financial risks credit unions face in 2025.

Credit Risk

Over the past couple years, loan delinquencies and charge-offs began their ascent in response to ongoing inflation, high interest rates and economic turmoil. As financial pressures have built up for members, those troubles have trickled through to credit unions. From credit cards to auto and mortgage loans, sources of credit continue to pose risks to institutions. That means the entire loan cycle will be under the microscope – both on a credit union and a regulatory level.

Examiner Perspective:

The NCUA will be examining lending policies and procedures very closely in 2025. This includes all underwriting, loan portfolio (including allowances and CECL), collection, charge-off policies, etc. – both in-house and external.

Potential Mitigation Strategies

• Monitor and report on credit sources regularly. This includes internal processes as well as those of any vendors you may use to assist in the credit process.
• Review your underwriting standards and make updates as necessary. Lending has become notoriously tight in recent years. As your credit union’s financial circumstances evolve, so, too, should your underwriting policies and criteria.
• Pay close attention to your portfolio in an effort to identify at-risk loans early on. The quicker you become aware of problem loans, the greater opportunity you have to offset those losses.
• Provide assistance, such as counseling services, to members to help them avoid the pitfalls of things like defaults and repossessions.

Interest Rate Risk

Interest rates have been a headline issue since inflation took hold in the years following the Covid pandemic. Even in 2025, the markets continue to keep rates in the spotlight – will they stay elevated, will they decrease over the year, are they doing what they need to do to curb inflation? With so much volatility surrounding interest rates, it’s difficult to find a sweet spot of what rates to offer members that will ensure they borrow while creating revenue for the credit union. Additionally, interest rates are impacting other areas of financial concern, including liquidity, loans and investment returns. If income and assets don’t offset liabilities, risks to the credit union balance sheet grow.

Examiner Perspective:

The NCUA will be looking at the credit union’s revenue sources, future financial plans and balance sheet strength will be of great importance. As such, credit unions may consider employing the following mitigation strategies.

Potential Mitigation Strategies:

• Perform routine asset liability management, and with it, stress testing for different rate scenarios.
• Diversify loan and investment portfolios in an effort to safeguard against interest rate volatility.
• Review data and evaluate your risk limits and policies to ensure everything is aligned. In addition, create plans that can be deployed quickly if alternative sources of funding are required.

Consumer Protection Risks

It’s no secret that consumer financial protection laws have been getting a complete overhaul in recent years. Litigators and regulators alike have been doubling down on making changes to overdraft fee charges, fair lending standards, payment fraud and more. The goal is to ensure that institutions are implementing reasonable and transparent policies that preserve the trust of members.

Examiner Perspective:

The NCUA is first and foremost a regulating body, but they also work to ensure that credit unions uphold their mission of serving members in an honest and responsible way. As such, they take consumer protection very seriously and will seek to overturn any credit union practices that impose harsh penalties or discriminatory policies against members.

Potential Mitigation Strategies:

As laid out by the NCUA, credit unions should assess their current policies and make changes to remain compliant in the following areas:

• Overdraft programs
• Fair lending for real estate/mortgage lending
• Home Mortgage Disclosure Act (HMDA)/Regulation C
• Military Lending Act
• Electronic Funds Transfers/Regulation E

On the Radar: Additional Risks

The big risks take priority, but there are some additional risks that are also important and should be on your radar throughout the year:

Other Risks to Consider

• Compliance: In an industry with ever-changing regulations, compliance risks are nothing new. But with increased scrutiny from regulators, credit unions must stay on top of data privacy, fraud and BSA/AML efforts or face heavy fines and reputational damage. Keep a vigilant eye, a quick-acting implementation policy for new regulations and a compliance tracking/reporting system top of mind for these risks.
• Technology: To stay relevant, credit unions must invest in increasingly costly technologies, such as AI enhanced tools and fintech. Not only do these technologies pose funding challenges, but they also need to be vetted for security measures. The good can outweigh the bad, but that requires stringent due diligence and internal controls by the credit union.
• Operations: Risks no longer lie in just one key area, like employees, processing systems, etc. In a digital world, operations have become increasingly complex and specialized, exposing credit unions to even more risk. Effective enterprise risk management and business continuity strategies are critical in overseeing operational risks.

Be Prepared, Stay Protected

You can see why “uncertainty” is the buzzword of the year. From a risk outlook, there are many uncertainties and impending threats facing our institutions every day. We look to the NCUA’s 2025 supervisory priorities as guidance on what areas will require the majority of our attention, but only you know your credit union’s risk posture and infrastructure. In the interest of finding some certainty in a time full of chaos, heed these top risks to be prepared and stay protected.

John Cuneo works as the SVP/chief risk officer for Vizo Financial Corporate Credit Union. In this role, he is responsible for the coordination of the Corporate’s risk, compliance and audit functions and provides oversight of the Corporate’s business continuity plan and facilities administration. He also oversees a team of senior consultants who specialize in enterprise risk management, information security risk, business continuity and compliance.