3 Things to Put On Your Summer (Compliance) Bucket List

With July 4th coming up and vacations right around the corner, it’s easy and tempting to put your compliance to-do list on the back burner. But, as my father-in-law likes to say every July 4th, “Summer is over.”

Before you know it, grown men will be participating in fantasy football drafts, growing children will be going back to school, budgets will be under development for 2024 and everyone will be in a panic over regulations that seemed months away not too long ago. To keep you from checking out too soon, here is a list of the top three compliance issues that I would get done over the summer.

1. Update Your Bylaws for Getting Rid of Abusive Members

Under the Governance Monetization Act passed in March 2022, Congress gave federal credit unions the ability to expel abusive members without going through a membership vote. The NCUA was given 18 months to promulgate the necessary regulations and, although math has never been a strong suit, that means by September the NCUA should have finalized the accompanying regulations. Under the act, all members must have notice of the credit union’s expulsion policies and credit unions can only exercise this new authority by amending their bylaws.

My suggestion is not to put off this fairly simple change. I have been surprised by the number of times I have been asked about the process for expelling members of federal credit unions, only to find out that the credit union has no formal policy on the subject. Remember that the board expulsion option could only be exercised against members who have given the board cause for expulsion. The final regulations as well as additional guidance will provide precise definitions, but as proposed by the NCUA, this generally includes individuals who engage in substantially disruptive, dangerous or abusive behavior, or who have used a credit union to commit fraud or other similar types of illegal activity.

2. Take a Deep Dive Into Whether to Adopt Real-Time Banking

It has taken decades longer for the United States to develop a real-time payment platform than it should have, but this summer marks the official rollout of this important new technology that will allow your members to almost instantaneously pay merchants and friends.

On June 1, the Federal Reserve published the FedNow Service Operating Guide, which will explain the framework that financial institutions interested in adopting real-time payments will use. To me, this is a must-read for someone at your credit union.

This service can be used by any two institutions, provided they have a master account with the Federal Reserve. This means that you will no longer be dependent on contracting with third-party payment providers such as Venmo, but instead can offer your own service with your own app. It also could lead to a substantial reduction in legal costs, since so many legal disputes, and increasingly regulatory actions, stem from the period between when payment has been initiated but not settled.

Unless I am missing something, this is game-changing technology, precisely the type of thing you should be ready to talk about with your Board of Directors at the Fall offsite meeting.

Incidentally, according to this 2021 article from the Payments Journal, Japan developed the first real-time payment system in the 1970s. In fact, by 2019, it was estimated that 54 countries had activated real-time payment systems.

Henry’s Handy Links:

• //www.frbservices.org/binaries/content/assets/crsocms/resources/rules-regulations/fednow-operating-procedures-june-2023.pdf
• https://www.frbservices.org/financial-services/fednow/about.html

3. Are You Ready to Report Cyber Incidents to the NCUA?

Starting in September, federally insured state and federal credit unions will have up to 72 hours to report a cyber incident to the NCUA. This is a very significant development in the area of cyber breach reporting even though states have been mandating such disclosures for years. Again, this is a regulation that will require you to update your policies and procedures. The final regulation defines a Reportable Cyber Incident as “any substantial cyber incident that leads to one or more of the following: (A) A substantial loss of confidentiality, integrity, or availability of a network or member information system as defined in appendix A, section I.B.2. e., of this part that results from the unauthorized access to or exposure of sensitive data, disrupts vital member services as defined in § 749.1 of this chapter, or has a serious impact on the safety and resiliency of operational systems and processes. (B) A disruption of business operations, vital member services, or a member information system resulting from a cyberattack or exploitation of vulnerabilities. (C) A disruption of business operations or unauthorized access to sensitive data facilitated through, or caused by, a compromise of a credit union service organization, cloud service provider, or other third-party data hosting provider or by a supply chain compromise.”

Under the final regulation, you do not have to amend your existing vendor contracts to ensure that vendors comply with this new law, but I would suggest making sure that future contracts involving third parties that could be involved in reportable incidents be drafted with this new requirement in mind. And remember that this new requirement is not a replacement for and not a replacement of existing state-level requirements.

On that note, enjoy your vacations, and if you find yourself panicking in September, don’t blame me.

Henry Meier is the former General Counsel of the New York Credit Union Association, where he authored the popular New York State of Mind blog. He now provides legal advice to credit unions on a broad range of legal, regulatory and legislative issues. He can be reached at (518) 223-5126 or via email at henrymeieresq@outlook.com.