NCUA Board Approves Two Proposed Rules & Given Update on New Cyber Incident Rule

The NCUA Board members unanimously approved two proposed rules during their meeting Thursday. One proposed rule would incorporate its Second Chace Interpretive Ruling and Policy Statement and the Fair Hiring and Banking act into the agency’s regulations. The other proposed rule aims to simplify the share insurance regulations by creating a “trust accounts” category.

Also thrown into the mix during Thursday’s meeting was a cybersecurity update on the agency’s relatively new Cyber Incident Reporting Rule that went into effect Sept. 1. And NCUA cybersecurity officials provided an update of what the data has revealed in the first 30 days.

Second Chance Interpretive Ruling & Policy Statement

In a 3-0 vote, board members approved a proposed rule that would incorporate the NCUA’s Second Chance Interpretive Ruling and Policy Statement and statutory prohibitions imposed by Section 205(d) of the Federal Credit Union Act into the agency’s regulations. According to the NCUA, this proposed rule would allow people convicted of certain minor offenses to work in the credit union industry without applying for the board’s approval.

Chairman Todd Harper said, “Many of these individuals are not violent or career criminals. They are people who made poor choices at some point and who have since paid their debts to society. What’s more, a disproportionate number of these individuals come from communities of color. If we are to advance financial inclusion and equity within the credit union system, we must facilitate the access of all demographic groups to credit union employment opportunities.”

According to the NCUA, Section 205(d) “prohibits, except with the prior written consent of the NCUA Board, a person who has been convicted of certain criminal offenses involving dishonesty or breach of trust or who has entered a pretrial diversion or similar program from participating in the affairs of a credit union.”

This proposed rule would address the individuals and types of offenses covered by Section 205(d) and the NCUA’s procedures for reviewing a consent application. NCUA officials said the proposed rule would also amend the following items:

• The NCUA’s policies and procedures governing an application to rescind a prohibition pursuant to Section 205(d), as currently reflected in the Second Chance policy statement and consistent with both amendments made by the recent Fair Hiring in Banking Act and with comparable Federal Deposit Insurance Corporation regulations.
• Regulation governing the conditions under which newly chartered or troubled federally insured credit unions must notify the NCUA of any proposed changes to the credit union’s board of directors, committee members or senior executive staff, and make other conforming changes.

If the final rule is approved, the Second Chance Interpretive Rule and Policy Statement will be rescinded.

Comments on the proposed rule must be received no later than 60 days following its publication in the Federal Register.

Proposed Rule on Simplification of Share Insurance

In another 3-0 vote, board members approved a proposed rule to simplify the NCUA’s share insurance regulations by establishing a “trust accounts” category.

According to the NCUA, the trust accounts category would provide Share Insurance Fund coverage of funds in both revocable and irrevocable trusts deposited at federally insured credit unions in the accounts of members or those otherwise eligible to maintain insured accounts.

Harper said, “Deposit insurance at federally insured credit unions and banks is the cornerstone that secures the foundation of our nation’s vibrant credit union and banking systems. The confidence created by knowing savings are protected by the full faith and credit of the United States allows consumers to rest easy, knowing their hard-earned nest eggs up to the current limit of $250,000 will be safe even during periods of financial and economic stress.”

The NCUA said the proposed rule would also provide the following:

• Consistent share insurance treatment for all mortgage servicing account balances held to satisfy principal and interest obligations to a lender.
• More flexible recordkeeping requirements to explicitly allow the NCUA to look to records held in the normal course of business that are maintained by parties other than federally insured credit unions and their members.

If approved, the proposed changes to the trust account and mortgage servicing account provisions in the NCUA’s Share Insurance Fund regulations would take effect on April 1, 2024.

Comments on the proposed rule must be received no later than 60 days following publication in the Federal Register.

Cyber Incident Reporting Rule Update

On Thursday, board members were also briefed and the given new data from the newly-implemented Cyber Incident Reporting Rule.

Staff presenting to the board said there were 146 incidents reported by credit unions in the first 30 days of rule implementation, and more than 60% of reported incidents were due to compromises to third-party service providers.

Harper said, “Stakeholders must understand that the risks resulting from the NCUA’s lack of vendor authority are real, expanding and impact all of us. Until this growing regulatory blind spot is closed, thousands of federally insured credit unions, tens of millions of consumers who use credit unions and trillions in assets are exposed to high levels of risk. During my travels and meetings with credit union leagues and officials, more CEOs and leaders have told me they see the value and benefits of restoring the NCUA’s vendor authority because they cannot manage all the potential risks and liabilities associated with their vendors.”

Cybersecurity-related information, including regulations, guidance and resources to help protect credit unions and their members from cyber threats, is available on the NCUA’s cybersecurity resources webpage.