July 21 NCUA Board Meeting Summary

Budget Briefing

The NCUA board was briefed on the budget and current operating budget surplus. The surplus is primarily from lower staffing levels and vacancy rates resulting in decreased pay and benefits and continued travel reduction. The board anticipates this to shift as they fill vacant positions and travel ramps up into 2023.

There was also discussion surrounding transparency over the 2023 budget to ensure an opportunity for the industry to ask questions etc. The anticipated release to the public of the 2023 proposed budget is expected to be the end of September.

Vice Chair Hauptman also inquired if there would be a reduction in the operating fee imposed to credit unions due to the surplus.

Final Rule Parts 700,701,702,708a, 708b, 750 and 790 – Asset Threshold for Determination the Appropriate Supervisory Office – (Final ONES Rule)

As expected, at the NCUA Board meeting today, the board members unanimously passed a final rule regarding ONES supervision.  Vice Chair Hauptman expressed his concerns that the rule doesn’t go far enough in terms of regulatory relief and pushed the board to identify means of regulatory relief for well-run institutions in a future discussion. Board Member Hood agreed and stated this isn’t the end of this rule, and it’s likely to see further iterations down the road as they continue to evaluate the industry as it evolves.

  • No substantive changes to the final rule from the proposed rule.

Proposed Rule Part 748 – Cyber Incident Notification Requirements 

Also, as expected, the board unanimously approved a proposed rule under Part 748 addressing cyber incident notification requirements, similar to those of the federal banking regulators.  The timing for notification would be 72 hours from the date a FICU determines an incident has occurred.

From the NCUA: NCUA Board Issues Proposed Rule on Cyber Incident Reporting Requirements

The proposed rule and request for comment will have a 60-day comment window upon publication in the Federal Register. The NCUA has stated that to be reported, an incident must be considered “substantial.” The definition of what is considered “substantial” will be included in the request for public comment. It was discussed at the meeting that 3 incident types would be deemed substantial and reportable incidents:

  • Federally Insured Credit Union identifies substantial loss of confidentiality/sensitive data as a result of unauthorized access/disruption of member services or integrity of a network or changed
  • cyber-attack or exploitation of a vulnerability that disrupts business operations/member services
  • Third-party service provider informs credit union data compromised by the third party – or upon a CU forming reasonable belief of compromise by a third party (whichever comes first)

Vice Chair Hauptman requested that if/when the rule is finalized, the NCUA must send out something directly to the industry – not just on the website – outlining examples of when to report and incidents that would not require reporting