Proposed Rule: NCUA Rules & Regulations 12 CFR 701.24: Refund of Interest (Loans)

NASCUS Proposed Rule Summary
NCUA Rules & Regulations 12 CFR 701.24: Refund of Interest (Loans)

February 2026
As part of its sixth wave of the “Deregulation Project” NCUA is proposing to rescind 12 CFR Part 701.24, which NCUA states is duplicative of authority already established in the Federal Credit Union Act (FCUA).

Section 701.24 allows FCUs to issue refunds of interest paid by members on loan products. Section 113(9) of the FCUA also empowers FCUs to issue interest refunds. However, § 701.24 also contains a limitation not found in the FCUA, therefore NCUA’s removal of § 701.24 would broaden FCU authority to refund interest.

The proposed rule applies only to Federal Credit Unions (FCUs) and does not apply to Federally Insured State Credit Unions (FISCUs). The proposal may be read in its entirety here: Refund of Interest (Loans).

Comments are due to NCUA by April 27, 2026.

Background and Proposed Change

Part 701.24 codifies the authority granted to FCU boards of directors under Section 113(9) of the FCU Act to authorize interest refunds to members from income earned during a dividend period. The regulation permits refund percentages to vary by loan type and interest rate, allows exclusion of certain loan categories, and limits refunds to periods in which dividends have been declared and paid.  Part 701.24 allows for the refunds only at the end of a dividend period in which dividends were paid on shares.

The Board is proposing to rescind Part 701.24 in its entirety, noting that it is redundant of the authority already granted directly to an FCU’s board of directors in Section 113(9) of the FCU Act. The Board states that Section 113(9) is a clear and self-executing grant of authority, making the regulation unnecessary. Its removal reduces the number of sources FCUs must consult to ensure compliance. By removing § 701.24, NCUA would also eliminate the limitation on paying refunds only when dividends on shares have been paid.

Key Considerations:

  • The proposal would rescind Part 701.24 in its entirety
  • The underlying authority for interest refunds is preserved through Section 113(9) of the FCU Act
  • Applies only to FCUs. The proposal does not apply to FISCUs.
  • The proposal states the Board is especially interested in comments on whether the removal of Part 701.24 provides regulatory relief and whether any portion of the current regulation should be preserved.

NASCUS Proposed Rule Summary
NCUA Rules & Regulations Part 706 — Investments in and Licensing of Permitted Payment Stablecoins Issuers

February 2026
The NCUA proposes a new 12 CFR Part 706 to implement its responsibilities under the GENIUS Act[1], which establishes a federal framework for licensing and supervising Permitted Payment Stablecoin Issuers (PPSIs) that are subsidiaries of federally insured credit unions (FICUs).

Key purposes of the rule:

  • Define the licensing process for FICU subsidiaries seeking PPSI status.
  • Establish evaluation standards, application requirements, and timelines.
  • Limit FICUs to investing only in NCUA‑licensed PPSIs.
  • Clarify NCUA supervisory authority over FISCU subsidiaries issuing stablecoins.

A second rulemaking (future) will address prudential standards (capital, liquidity, reserves, technology, etc.). The proposed rule may be read in its entirety here[2].
Comments are due to NCUA by April 13, 2026.

Background

On July 18, 2025, the GENIUS Act became law and established a regulatory framework for payment stablecoins at both the Federal and State level. 

Under the GENIUS Act, “insured depository institutions,” which the Act defines to include both FDIC-insured depository institutions and FICUs (collectively “IDIs”), cannot be issuers of payment stablecoins. Instead, IDIs must issue stablecoins indirectly through subsidiaries.

The GENIUS Act defines the term “subsidiary of an insured credit union” to mean:

  1. an organization providing services to the insured credit union that are associated with the routine operations of credit unions, as described in section 107(7)(I) of the Federal Credit Union Act[3];
  2. a credit union service organization, as such term is used under CFR 12 part 712, with respect to which the insured credit union has an ownership interest or to which the insured credit union has extended a loan; and
  3. a subsidiary of a State chartered insured credit union authorized under State law.

The GENIUS Act requires issuers that are subsidiaries of IDIs (including subsidiaries of FICUs) to be regulated by the primary Federal payment stablecoin regulators and does not allow the option for state-level issuer licensing. Thus, the NCUA has jurisdiction over payment stablecoin issuers at all FICU subsidiaries. 

Under the Act, only PPSIs may issue a payment stablecoin in the United States, subject to certain exceptions and safe harbors. PPSIs are subject to a number of requirements, including requirements related to reserves, capital, liquidity, illicit finance, and information technology risk management standards. Among those requirements, PPSIs must maintain reserves backing the stablecoin on a one-to-one basis using U.S. currency or certain other liquid assets, must publicly disclose their redemption policy and publish the details of their reserves monthly.

The GENIUS Act details the process for the primary Federal payment stablecoin regulators, which include the NCUA, the Federal Deposit Insurance Corporation (FDIC), the Office of the Comptroller of the Currency (OCC), and the Board of Governors of the Federal Reserve System (Federal Reserve Board), to evaluate and review applications for licenses to be PPSIs and provides examination, supervision, and enforcement authority over PPSIs.

Other issues addressed in the GENIUS Act include the provision of custody services for payment stablecoins; application of the Bank Secrecy Act and anti-money laundering and economic sanctions requirements; and treatment of payment stablecoin issuers in insolvency proceedings. The GENIUS Act establishes clear prohibitions and penalties to prevent the misrepresentation of Federal backing or insurance for payment stablecoins and to ensure that only authorized products may be marketed as such.[4]

The Act explicitly dictates that payment stablecoins are not backed by the full faith and credit of the United States, they are not guaranteed by the U.S. Government, nor are they covered by deposit or share insurance from the FDIC or NCUA. Similarly, it is unlawful to market any product as a “payment stablecoin” in the United States unless it is issued pursuant to the GENIUS Act’s procedures.[5]

Finally, the Act imposes a number of rulemaking, review, and reporting requirements on the primary Federal payment stablecoin regulators, including the NCUA. This proposal proposes regulations to implement the statutorily required process for licensure of PPSIs subject to the NCUA’s jurisdiction. It also proposes regulations limiting FICUs to invest in NCUA-licensed PPSIs. At least one other forthcoming proposal, intended at this time, will propose regulations to implement the standards and restrictions imposed by the GENIUS Act on PPSIs.

Key Provisions of the Proposed Rule

Licensing Requirement for All FICU Subsidiary Issuers

A FICU (federal or state‑chartered) may only participate in payment stablecoin activity through a licensed subsidiary.

  • FICUs cannot issue stablecoins directly.
  • Only subsidiaries meeting the statutory definition of a “subsidiary of an insured credit union” may apply.
  • Applications must be jointly filed by:
    • the subsidiary (the “Applying Issuer”), and
    • any FICU Parent Company (≥10% voting control or functional control).

Restriction on Investments

FICUs may invest only in NCUA‑licensed PPSIs — even if other federal banking regulators license the issuer.

Application Components

Applications require:

  • Business plan, financials, pro formas.
  • Governance and management information.
  • Biographical & Financial Reports for officers/directors of:
    • the Applying Issuer,
    • It’s FICU Parent(s),
    • any “Principal Shareholders” (≥10% non‑FICU owners).
  • Fingerprints for Issuer officers/directors.
  • Written certification that submissions contain no material misrepresentations.

Evaluation Standards

NCUA evaluates applications using statutory factors, including:

  • Ability to meet GENIUS Act reserve, redemption, and operational requirements.
  • Competence, experience, and integrity of officers, directors, and major shareholders.
  • Compliance history.
  • Safety and soundness considerations.
  • Strength and feasibility of the business plan.
  • Adequate capital and liquidity planning.

Timelines

  • 30 days: NCUA must notify whether an application is “substantially complete.”
  • 120 days after substantially complete notice: NCUA must approve or deny.
  • NCUA failure to respond within approval deadline means automatic approval.

Denials and Appeals

NCUA may deny issuer license only if activity would be unsafe or unsound.
Applicants get:

  • Detailed written explanation within 30 days of denial,
  • Right to a written/oral hearing before the NCUA Board within 30 days of appeal request if appeal request submitted within 30 days of denial notice,
  • Right to reapply.

Change in Control

A FICU becoming a new Parent Company of an existing PPSI must provide:

  • 60‑day prior notice to NCUA,
  • Governance/competency disclosures.

AML / Sanctions Certification

Within 180 days of approval, and annually after, PPSIs must certify:

  • AML and sanctions compliance programs exist and are effective.
  • Failure to certify can result in revocation.

Treatment of Multi‑Tier Subsidiary Structures

All tiers of subsidiaries beneath a FICU (including FISCU subsidiaries) are treated as FICU subsidiaries for PPSI purposes.

Significant Considerations for State‑Chartered Credit Unions (FISCUs)

Although this is a federal rule, it directly impacts FISCUs in several ways:

FISCU Subsidiaries Are Fully Subject to NCUA Approval

  • Any FISCU subsidiary issuing stablecoins must be licensed by NCUA.
  • GENIUS Act does not allow a FISCU subsidiary to choose state regulation for PPSI status.

A FISCU’s Subsidiary Need Not Be a CUSO

The GENIUS Act definition of “FICU subsidiary” is broader than the NCUA CUSO regulation:

  • A FISCU subsidiary can qualify even if it does not primarily serve credit unions, meaning some state‑authorized subsidiaries fall under NCUA oversight even though they are not CUSOs today.

Potential Conflicts with State Law Powers

State law may authorize FISCUs to invest in or form broader types of subsidiaries than FCUs can, but under the proposed rule:

  • Any subsidiary intending to issue a payment stablecoin must comply with Part 706 regardless of state authority.
  • FISCUs must provide extensive governance and financial disclosures to NCUA.

Impact on State Investment Authority

The rule would prohibit FISCUs from:

  • Investing in PPSIs licensed by other federal regulators unless they also obtain an NCUA license.
  • Investing in state‑qualified PPSIs (regulated under state law alone).

This may limit options available under state investment statutes.

Examination and Supervision

FISCU subsidiaries licensed as PPSIs fall under:

  • NCUA’s direct exam authority (greater than traditional CUSO access-rights),
  • Ongoing AML/sanctions certification requirements,
  • Future prudential standards in forthcoming rulemakings.

This represents a new federal supervisory footprint over FISCU subsidiaries.

Key Considerations for State Regulators (SSAs)

Preemption and State Authority

The GENIUS Act provides:

  • Federal PPSI licensing preempts state licensing/chartering requirements for PPSI activities.
  • BUT it does not preempt:
    • State authority over the FISCU itself,
    • State supervision of the FISCU’s subsidiary for non‑PPSI activities.

Implication: SSAs retain chartering and safety/soundness authority, but NCUA becomes the primary regulator for stablecoin‑issuing subsidiaries.

Supervisory Coordination Challenges

Because:                                                             

  • FISCUs can create subsidiaries engaged in activities broader than CUSO activities, and
  • NCUA gains increased supervisory exam authority over those subsidiaries,

SSAs may need to increase coordination with NCUA on:

  • Subsidiary examination scopes,
  • IT/cyber reviews,
  • AML and sanctions program examinations,
  • Remediation of unsafe/unsound practices.

Monitoring Investment Limits

For FCUs, GENIUS Act ties subsidiaries back to the 1% CUSO investment cap.
For FISCUs:

  • State law investment limits still apply,
  • But NCUA approval and oversight impose practical constraints on ownership structures of PPSIs.

SSAs may need to monitor:

  • Whether FISCUs’ stablecoin activity increases risk to the share insurance fund,
  • Parent‑company change‑of‑control notifications.

Multi‑Tier Entities

NCUA treats all tiers of subsidiaries beneath a FISCU as PPSI‑subject entities if used for stablecoin issuance.

States may need to ensure consistent state‑level awareness of complex structures.

Consumer and Operational Risk Oversight

Future NCUA rulemakings will address:

  • Reserve requirements,
  • Redemption rights,
  • Technology and cybersecurity standards,
  • Incident reporting.

SSAs may expect significant operational complexity for FISCUs entering the stablecoin space.

[1] Public Law 119-27

[2] 91 FR 6531

[3] 12 U.S.C. 1757(7)(I)

[4] See 12 U.S.C. 5903(e).

[5] 12 U.S.C. 5903(e)(3).

NASCUS Proposed Rule Summary

NCUA Rules & Regulations 12 CFR Part 701 IRPS 06-1 Organization and Operation of Federal Credit Unions

February 2026

As part of its fifth wave of the “Deregulation Project” NCUA is proposing to remove Interpretive Ruling and Policy Statement (IRPS) 06-1 related to Federal Credit Union (FCU) chartering and field of membership guidance, due to the statement being redundant with existing provisions in NCUA’s FCU  Chartering and Field of Membership Manual.

The proposed rule does not apply to Federally Insured State Credit Unions (FISCUs) and may be read in its entirety here.

Comments are due to NCUA by April 13, 2026.

Background

In 2006, the NCUA Board issued IRPS 06-1 as a final rule amending FCU field of membership regulations to limit underserved area additions to multiple common bond credit unions and to revise facility requirements applicable to underserved areas.

In 2010, NCUA  incorporated relevant policies and procedures for FCUs into the Chartering and Field of Membership Manual (Part 701 Appendix B), which now serves as the primary source of governing guidance for FCU chartering and membership determinations.

With the policies established in IRPS 06-1 now being reflected in the Chartering and Field of Membership Manual the Board is proposing, as a part of its ongoing Deregulation Project, to remove IRPS 06-1 after determining that the statement is duplicative and no longer necessary as a standalone document.

Key Considerations

  • No change to underlying FCU field of membership or chartering obligations. Removal of IRPS 06-1 would not alter FCU obligations under the applicable statutory or regulatory requirements.
  • FCUs should rely on the Chartering and Field of Membership Manual as the controlling source of guidance.

NASCUS Proposed Rule Summary

NCUA Rules & Regulations 12 CFR Part §741.5: Notice of Termination of Excess Insurance Coverage

January 2026

As part of its fourth wave of the “Deregulation Project” NCUA is proposing an amendment to its rule governing notice requirements related to the termination of excess share insurance coverage under 12 CFR Part 741.5

The proposed rule applies to all Federally Insured Credit Unions (FICUs) and may be read in its entirety here: Notice of Termination of Excess Insurance Coverage.

Comments are due to NCUA by March 30, 2026.

Summary

12 CFR Part 741 of the NCUA’s regulations implements Title II of the Federal Credit Union Act (FCU), which governs the National Credit Union Share Insurance Fund (SIF). It prescribes requirements that all FICUs must satisfy to obtain and maintain federal share insurance, as well as payment of insurance premiums and the capitalization of deposit, with the SIF.

Part 741.5 addresses notice requirements applicable when a FICU terminates share insurance coverage in excess of that provided by the SIF.  The rule is intended to ensure that members are informed when supplemental share insurance coverage is discontinued.

Under the current rule, a FICU is required to:

  • Provide written notice to all members at least 30 days prior to the effective date of termination of any excess share insurance coverage

The NCUA Board proposes to amend Part 741.5 by removing the specific requirement that members be notified 30 days in advance of the termination of excess share insurance coverage.  Under the proposal, a credit union would instead be required to notify members prior to the termination of the coverage, without a defined advance notice period.

Why?

NCUA has proposed the amendment based on its determination that the existing 30-day advance notice requirement is overly prescriptive and may create unnecessary regulatory burden without enhancing safety and soundness. 

The Board has indicated that requiring member notification prior to termination of excess share insurance coverage, without mandating a specific timeframe, provides credit unions with greater flexibility while continuing to ensure members are informed.

Key Considerations:

  • Credit Unions would still be required to notify members prior to termination of any excess share insurance coverage, with only the timing requirement removed
  • Only the prescriptive timing requirement is addressed in the proposal.  There are no new obligations or other modifying aspects that are considered in the proposal

NASCUS Proposed Rule Summary
NCUA Rules & Regulations 12 CFR 701.32(b)(2): Changes for Public Unit and Non-Member Shares

January 2026

As part of its fourth wave of the “Deregulation Project” NCUA is proposing an amendment of its rule relating to public unit and non-member shares, Part §701.32, by removing the requirement in paragraph (b)(2) for a credit union’s board of directors to adopt a written plan documenting intended usage of borrowings, public unit, or non-member shares, if the funds exceed 70% of the FICU’s paid-in and unimpaired capital and surplus.

The proposed rule applies to all Federally Insured Credit Unions (FICUs) including Federally Insured State Credit Unions (FISCUs) through 12 CFR 741.204 and may be read in its entirety here: Changes for Public Unit and Non-Member Shares

Comments are due to NCUA by March 30, 2026.

Summary

Part §701.32 governs the acceptance of share deposits from public units and certain non-members, including other credit unions, by FICUs. NCUA states the purpose of the rule is intended to ensure that these funding sources are used in a manner that supports a credit union’s members while appropriately managing liquidity, concentration, and safety and soundness risks. 

The rule establishes:

  • Aggregate limits on public unit and non-member shares.
  • Written plan requirement when public unit and non-member shares, together with borrowings, exceed specified thresholds.
  • Operational limitations and due diligence expectations related to the acceptance and use of these funds.

The Board’s proposal would remove the written board plan requirement tied to funding levels that exceed 70% of capital and surplus.

Why?

NCUA has proposed amending §701.32based on its determination that the written plan requirement within the rule is overly prescriptive and creates unnecessary administrative burden without enhancing safety and soundness. 

The Board has stated credit unions should be able to manage share funding sources based on risk management practices and supervisory review, versus a one-size fits all plan mandate.

Key Considerations:

  • FICUs will remain subject to aggregate limits found in Part 701.32(b)(1) restricting total public unit and nonmember deposits to 50% of the net amount of paid-in and unimpaired capital and surplus.
  • FICUs will continue to be subject to the existing regulatory frameworks governing these types of shares.
  • The proposal reflects a shift toward allowing credit unions to use internal policies and procedures to show risk management rather than relying on a specific regulatory requirement.
  • While §701.32 applies to FICUs, Federally Insured State-Chartered Credit Unions (FISCUs) that apply for and maintain insurance are subject to the requirements of §701.32 under 12 CFR §741.204.

NASCUS Summary re: CFPB Agency Information Collection Activities (Consumer Response Intake Form)
CFPB 2026-0005
January 30, 2026

The Consumer Financial Protection Bureau issued a request for comment regarding their request to the Office of Management and Budget (OMB) to extend an information collection entitled “Consumer Response Intake Form.”

Comments are due by March 2, 2026, and the request for comments can be found here.

Summary

The Consumer Response Intake Form is designed to aid consumers in the submission of complaints, inquiries, and feedback and to help the Bureau fulfill its statutory requirements. Consumers will be able to complete and submit information through the Intake Form electronically on the Bureau’s website. Consumers may also request that the Bureau mail a paper copy of the Intake Form to them. The form prompts consumers for a description of, and key facts about, the complaint at issue, the desired resolution, contact and account information, information about the company they are submitting a complaint about, and previous action taken to attempt to resolve the complaint.

Comments

The CFPB is publishing this notice and soliciting comments on (i) whether the collection of information is necessary for the proper performance of the functions of the CFPB, including whether the information will have practical utility; (ii) the accuracy of the CFPB’s estimate of the burden of the collection of information, including the validity of the methods and the assumptions used; (iii) ways to enhance the quality, utility, and clarity of the information to be collected; and (iv) ways to minimize the burden of the collection of information on respondents, including through the use of automated collection techniques or other forms of information technology.

NASCUS Proposed Rule Summary
NCUA Rules & Regulations—Part 701.31 Nondiscrimination Requirements

January 2026

As part of its third wave of the “Deregulation Project” NCUA is proposing the removal of its rule relating to Nondiscrimination Requirements, Part 701.31.

The proposed rule does not apply to Federally Insured State Chartered Credit Unions (FISCUs) and may be read in its entirety here: Nondiscrimination Requirements

Comments are due to NCUA by March 16, 2026.

Summary

Part 701.31 is NCUA’s longstanding rule addressing nondiscrimination in real estate lending for federal credit unions.  The rule was created to reinforce federal fair lending laws by summarizing expectations as it relates to the following:

  • Equal access to housing-related credit
  • Non-discriminatory lending practices
  • Fair appraisals
  • Non-discriminatory advertising and signage

By incorporating federal nondiscrimination laws into the NCUA’s regulatory framework it has served as a reference point for examinations and reviews.

The NCUA Board proposes to remove Part 701.31 in its entirety.

Why?

NCUA has proposed the removal of 701.31 because it is duplicative of other existing, more comprehensive federal discrimination laws, including Fair Housing Act (FHA) and Equal Credit Opportunity Act (ECOA), and creates unnecessary burden for credit unions. NCUA has determined that maintaining the standalone regulation does not expand or clarify these statutory requirements.

The removal would not change credit unions’ compliance obligations regarding these statutory requirements.

Key Considerations:

  • No change to underlying compliance obligations. Removal of Part 701.31 would not alter the Federal Credit Union (FCU’s) responsibility to comply with all federal and state nondiscrimination laws
  • NCUA would rely on existing statutes and state laws to govern nondiscrimination requirements
    • Examinations will continue to assess nondiscrimination compliance

NASCUS Proposed Rule Summary
NCUA Rules & Regulations: Interpretative Ruling and Policy Statement 08-2 and Community Chartering Policies 10-1

January 2026

As part of its third phase of the “Deregulation Project,” NCUA is proposing the removal of its rules relating to Interpretive Ruling and Policy Statements Service to Underserved Areas 08-2 and Community Chartering Policies 10-1.

The proposed rules do not apply to Federally Insured State Credit Unions (FISCUs) and may be read in their entirety here: Service to Underserved Areas 08-2 and Community Chartering Polices 10-1.

Comments are due to NCUA by March 16, 2026.

Summary

Interpretive Ruling and Policy Statement (IRPS) 08-2 Service to Underserved Areas and 10-1 Community Chartering Policies are NCUA’s interpretive guidance governing how credit unions may serve underserved areas, including through the expansion of field of membership (FOM) authority.  The policy statements outline the eligibility criteria and parameters for credit unions that seek to demonstrate service to communities that lack adequate access to financial services.

Guidance has historically focused on identifying underserved areas based on economic distress indicators and census-based criteria.  This has provided a framework for federal credit unions to expand services while maintaining safety and soundness.

IRPS 08-2 outlines how credit unions may demonstrate service to underserved areas, including the criteria used to identify communities with limited access to financial services.  IRPS 10-1 addresses the standards and considerations used in evaluating community charter applications, including how geographic areas and community boundaries are defined.

NCUA incorporated the policies originally defined in IRPS 08-2 and IRPS 10-1 into the Chartering Manual in 2010, which now serves as the source for field-of-membership policies and procedures.  Accordingly, the NCUA Board has proposed to eliminate IRPS 08-2 and IRPS 10-1 in their entirety as redundant now that they have been incorporated verbatim in the Federal Credit Union (FCU) Chartering Manual (Part 701 Appendix B).

Key Considerations:

  • No change to the underlying FCU field of membership or chartering obligations. Removal of IRPS 08-2 and IRPS 10-1 would not alter FCU obligations under the applicable statutory or regulatory requirements
  • NCUA would rely on existing statutes to govern service to underserved areas and chartering – the information is housed in NCUA’s Chartering Manual

NCUA Letter to Credit Unions 26-CU-01 NCUA’s 2026 Supervisory Priorities

NASCUS Legislative and Regulatory Affairs 
January 16, 2026 

NCUA issued Letters to Credit Union 26-CU-01 outlining the agency’s supervisory priorities and other updates to its examination program 2026. The priorities focus on the areas the NCUA believes pose the highest risk to credit union members, the industry, and the NCUSIF.  Beyond that, the letter reinforces that the priorities are consistent with the agency’s No Regulation-by-Enforcement policy.

Supervisory Priorities for 2026 

  1. Balance Sheet Management

Lending

When evaluating credit union’s lending practices and credit risk management, NCUA examiners will focus on institution-specific risks around:

  • Underwriting
  • Loss mitigation programs (including modifications and workouts)
  • Allowance for credit loss reserves and methodologies
  • Charge-off practices
  • Portfolio monitoring

The letter also states that when various areas of lending are outsourced, examiners will also be assessing third-party risk-management practices.

Various lending-related resources are outlined, including the loan section of the Examiner’s Guide

Sensitivity to Market Risk and Liquidity

Interest Rate Risk and Liquidity risk remain key supervisory priorities due to ongoing interest rate volatility “following an extended period of balance sheet expansion and repricing.” NCUA will assess sensitivity to market and liquidity risk by evaluating how credit unions identify, measure, and manage interest rate and liquidity risk exposure through modeling, governance oversight, and alignment between balance sheet strategy and risk appetite.

Various resources are outlined, including the Liquidity and Sensitivity to Market Risk within the Examiner’s Guide.

Earnings and Capital Adequacy

NCUA states “earnings and capital adequacy remain central supervisory priorities.”  Higher funding costs and margin pressure have affected credit union earnings and capital accumulation. As well, equity capital remains constrained by unrealized losses on long-term securities that were purchased during the lower rate environment.  For some credit unions, this creates a reality where balance sheet flexibility is reduced.

NCUA will continue to focus on the sufficiency of earnings to support capital adequacy as it relates to pressures from interest rate volatility, credit, and liquidity stressing. Exam reviews may focus on:

  • Policies & Procedures
  • Risk Limits
  • Capital Planning Practices Including:
    • How credit unions incorporate credit interest rate risk
    • Funding constraints
    • Concentration risks

It is important to note that NCUA states their approach “will emphasize forward-looking analysis aligned with a credit union’s size, complexity, and risk profile.”

Various earnings and capital related resources are outlined, including the Earnings section of the Examiner’s Guide.

  • Operational Risk Management

Payment Systems

As payment systems continue to increase in complexity and fraud risk, NCUA examiners will continue to assess if credit unions are maintaining appropriate controls and oversight.  Examiners will focus on:

  • Effective governance and oversight
  • Risk assessment and monitoring practices
  • Third-party vendor management
  • Security frameworks and control environments

Payment systems related resources can be found within the Retail Payment Systems and the Wholesale Payment Systems section within the Federal Financial Institutions Examination Council’s IT Examination Handbook Infobase.

Fraud Prevention and Detection

The increasing sophistication of fraud schemes remains a supervisory priority.  NCUA will evaluate fraud prevention and detection programs, including internal controls, monitoring systems, and incident response practices.

Fraud Prevention information can be found at NCUA’s Fraud Prevention Resources page.

  • Compliance Risk Management

Bank Secrecy Act (BSA) Compliance and Anti-Money Laundering/Counter the Financing of Terrorism (AML/CFT) Programs

NCUA will continue to assess compliance with Bank Secrecy Act and AML/CFT requirements, with an emphasis on risk-based programs tailored to the organization’s risk profile.  Examiners will evaluate whether policies, procedures, and internal controls remain effective with regulatory changes and if they adequately mitigate the risk of financial activity.

This section states that “significant developments and changes in the regulatory system are expected in 2026.” It states NCUA will notify credit unions but emphasizes credit unions should stay informed via notifications so that their programs remain in compliance.  It is recommended that personnel receive FinCEN Updates.

More information and resources are available on the BSA/AML Resources page.

NASCUS Proposed Rule Summary

NCUA Rules & Regulations Part 715: Supervisory Committee Audits & Verifications

December 2025

As part of a “Deregulation Project” NCUA is proposing changes to its rules for credit union audits: Part 715 Supervisory Committee Audits and Verifications. NCUA’s rule applies in part to federally insured state credit unions (FISCUs) by reference in Part 741.202. These rules do not apply to privately insured credit unions.

Comments must be submitted to NCUA by February 9, 2026.

The proposed rule may be read in its entirety here.

Summary

  • Section 715.2(h)

§715.2 contains definitions for NCUA’s audit and verification rules. NCUA is proposing to eliminate a paragraph in § 715.2(h), which defines “Internal control.” NCUA now believes the definition is too prescriptive and risks becoming outdated. Specifically, NCUA would eliminate the listing of the 5 components of an internal control structure and would also eliminate the sentence defining reliable financial reporting as too narrow. The revised provision would read as follows:

(h) Internal control refers to the process, established by the credit union’s board of directors, officers and employees, designed to provide reasonable assurance of reliable financial reporting and safeguarding of assets against unauthorized acquisition, use, or disposition.

Internal control over safeguarding of assets against unauthorized acquisition, use, or disposition refers to prevention or timely detection of transactions involving such unauthorized access, use, or disposition of assets which could result in a loss that is material to the financial statements.

  • Section 715.8(a)

The current rule requires members’ accounts to be verified against the records of the treasurer of the credit union. NCUA would eliminate the reference to the Treasurer and have the rule require member accounts be verified against the records of the credit union.

  • Section 715.9(b)

Part 715(9) addressed requirements related to credit union engagement of outside auditors. Specifically, the provision requires the scope of work to be documented in an engagement letter contracted between the supervisory committee and the auditor, including noting that the contract must be signed by both parties. NCUA now finds the addition of the requirement to have the contract signed to be unnecessary given the clear understanding that the requirement to enter into a contract inherently includes the contract be signed.

  • Section 715.10(a)

Part 715.10(a) requires, in part, a credit union’s supervisory committee to provide NCUA with a copy of audit reports upon request. Because NCUA has statutory authority to access all of a credit union’s books and records, NCUA believes reiterating this requirement in Part 715 is redundant and unnecessary. NCUA proposes eliminating the last sentence of existing Part 715.10(a) that requires the supervisory committee to provide the audit report upon request.

  • Section 715.12

NCUA §715.12(b) asserts NCUA’s authority to require a FICU to obtain a financial statement audit. The last two sentences of the provision describe the objectives of a financial statement audit. NCUA now believes those final two sentences to be unnecessary. The revised provision would read:

715.12(b) Financial statement audit required. The NCUA Board may compel a federal credit union to obtain a financial statement audit performed in accordance with GAAS by an independent person who is licensed by the State or jurisdiction in which the credit union is principally located (even if such audit is not required by § 715.5), for any fiscal year in which the credit union has experienced serious and persistent recordkeeping deficiencies as defined in paragraph (c) of this section.

NASCUS Note: As noted above, §715 applies to FISCUs by reference in Part 741.202 which reads as follows:

§ 741.202 Audit and verification requirements.

(a) The supervisory committee of each credit union insured pursuant to title II of the Act shall make or cause to be made an audit of the credit union at least once every calendar year covering the period elapsed since the last audit. The audit must fully meet the applicable requirements set forth in part 715 of this chapter or applicable state law, whichever requirement is more stringent.

(b) Each credit union which is insured pursuant to title II of the Act shall verify or cause to be verified, under controlled conditions, all passbooks and accounts with the records of the financial officer not less frequently than once every 2 years. The verification must fully meet the requirements set forth in § 715.8 of this chapter.

While NCUA does not seek comment on § 741.202, NASCUS encourages state system stakeholders to consider commenting on necessary changes to this provision to provide greater clarity and guidance to FISCUs as to what provisions of Part 715 apply. For example, §715.3 discusses the responsibilities of the supervisory committee, however FISCUs are not required by NCUA rules to have a supervisory committee.

In considering Part 715 and Part 741.202, numerous other changes and clarifications could reduce regulatory burden for FISCUs.

NASCUS Proposed Rule Summary: NCUA Rules & Regulations Part 748 Guidance on Response Programs for Unauthorized Access to Member Information and Member Notice – Appendix B

December 2025

As part of the first round of the “Deregulation Project” NCUA is proposing changes to its rules relating to Guidance on Response Programs for Unauthorized Access to Member Information and Member Notice, Part 748.

Federally Insured State Credit Unions must comply with Part 748 by reference to standards pursuant to sections 501 and 505(b), codified at 15 U.S.C. 6801 and 6805(b), of the Gramm-Leach-Bliley Act.  These requirements are also cross-referenced to 12 CFR Part 1016 “Privacy of Consumer Financial Information (Regulation P) through Part 716.

The proposed rule may be read in its entirety here: Guidance on Response Programs for Unauthorized Access to Member Information and Member Notice.

Comments are due to NCUA by February 9, 2026.

Summary

This guidance interprets section 501(b) of the Gramm–Leach–Bliley Act (GLBA) and complements Part 748’s security obligations by outlining how federally insured credit unions should respond to unauthorized access to member information—defined as any nonpublic personal information, in any form—that could cause substantial harm or inconvenience to members. The guidance builds upon Appendix A’s three core expectations:

  1. Ensuring security and confidentiality of member information
  2. Protecting against anticipated threats to data integrity
  3. Preventing unauthorized access that could harm members

Under the current Rule federally insured credit unions must establish a risk-based response program tailored to their size, complexity, and risk profile.  This should include:

  • Incident Assessment – Evaluate the scope, systems, and types of data involved.
  • Regulatory Notification – Alert the NCUA Regional Director (and state regulator if applicable) promptly upon detecting unauthorized access to sensitive data.
  • Law Enforcement & SAR Reporting – File Suspicious Activity Reports and notify law enforcement for criminal breaches requiring immediate attention.
  • Containment & Preservation – Take measures like freezing accounts or preserving forensic data to prevent further access.
  • Member Notification – Inform affected members when misuse is confirmed or reasonably possible.

For incidents via service providers, credit unions must ensure their contracts obligate providers to alert the credit union quickly and support executing the response program.

Proposed Changes:

The NCUA Board (Board) is proposing to remove Appendix B to part 748. The reason for the potential removal is because the Board feels that its placement within the Code of Federal Regulations (CFR) causes confusion in that it is viewed as a mandatory regulatory requirement instead of nonbinding guidance.  If removed, the Board would then publish the content as guidance to provide clarity.  Currently there is no information on whether the republication of Appendix B into a nonbinding Letter to Credit Union would include any proposed amendments.

Key Considerations:

  1. Creates distinction between regulation and guidance, which is the main factor associated with the proposed removal of the appendix
  2. No true change in obligations of credit unions around responsibility, which also means no reduction in member protection
  3. Potential of improved flexibility with creating response programs based on an organization’s size and risk profile
  4. Potential of reduced regulatory burden   

NASCUS Proposed Rule Summary

NCUA Rules & Regulations Part 748 Safeguarding Member Information

December 2025

As part of the “Deregulation Project” NCUA is proposing changes to its rules relating to Safeguarding Member Information, Appendix A to Part748. Federally Insured State Credit Unions must comply with Part 748 by reference to standards pursuant to sections 501 and 505(b), codified at 15 U.S.C. 6801 and 6805(b), of the Gramm-Leach-Bliley Act.  These requirements are also cross referenced to 12 CFR Part 1016 “Privacy of Consumer Financial Information (Regulation P) through Part 716.

The proposed rule may be read in its entirety here: Guidelines for Safeguarding Member Information.

Comments are due to NCUA by February 9, 2026.

Summary

In November 1999, Congress passed the Gramm-Leach Bliley Act (GLBA)[1] which, among other things, required the NCUA and all federal banking agencies (FBAs) to establish standards for financial institutions relating to administrative, technical, and physical safeguards for customer records and information.[2]

These safeguards are intended to: (1) ensure the security and confidentiality of customer records and information, (2) protect against any anticipated threats or hazards to the security or integrity of such records, and (3) protect against unauthorized access to or use of such records or information that would result in substantial harm or inconvenience to any customer.[3]

After passage of GLBA, the NCUA Board (Board) determined that the standards required by GLBA could be most effectively adopted through an amendment to the NCUA’s existing regulation governing security programs in FICUs[4], an approach consistent with the FBAs by design, to include the standards required under GLBA as an appendix to part 748. The resulting Appendix A intended to provide FICUs with guidance in developing the security program required under § 748.0.

Appendix A has been amended over the years to reflect new requirements and maintain consistency with comparable regulations and guidelines issued by the FBAs.  Most recently, in 2012 and 2013, the Board again amended part 748 and Appendix A with technical changes mandated by the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act) and based on the NCUA’s rolling, 3-year regulatory review.[5]

The Dodd-Frank Act, among other things, transferred rulemaking authority for many consumer protection regulations from the Federal Reserve Board to the Consumer Financial Protection Bureau (CFPB).[6]

As a result, the NCUA was required to update certain cross citations within its regulations and rescind part 716 governing the “Privacy of Consumer Financial Information” under GLBA.[7]

The rule aims to strengthen credit unions’ obligations to protect member data against unauthorized access, use, or disclosure. It aligns with evolving cybersecurity threats and incorporates best practices for risk management.

Key elements of the current guidelines include:

  • Risk Assessment Requirements: Credit unions must periodically assess risks to member information, including internal and external threats.
  • Information Security Program: Institutions must maintain a written program that addresses administrative, technical, and physical safeguards.
  • Incident Response: Enhanced expectations for timely detection, containment, and reporting of security incidents.
  • Vendor Management: Credit unions must ensure third-party service providers implement appropriate safeguards.
  • Board Oversight: Boards are expected to approve and oversee the security program.

Proposed Changes

Under the rule amendment, the Board is proposing to remove Appendix A from the CFR and instead issue nonbinding guidance through a Letter to Credit Unions.  The intent of this change is to remove the impression that the standards outlined in the GLBA are legally binding rules and clarify they are instead intended to be an aid to satisfy the regulatory requirements of Part 748.

At this time, it is unknown whether the current Part 748 Appendix A will be wholly republished and incorporated into the new version of the guidance published as a NCUA Letter to Credit Unions.

The Board is seeking feedback on all aspects of the proposed rule, including the option of maintaining the status quo.

Implications for Federally Insured Credit Unions

  • Compliance Alignment: State-chartered credit unions will need to ensure their information security programs meet or exceed these federal guidelines, or appropriately mitigate weaknesses.  State laws or regulations may also impose similar requirements.
  • Operational Impact: Increased emphasis on cybersecurity risk assessments and vendor oversight will continue to require additional resources and expertise.
  • Reporting Obligations: Enhanced incident response requirements, as developed by the Cybersecurity and Infrastructure Security Agency, under the Cybersecurity and Infrastructure Security Agency Act of 2018, could lead to stricter cyber related requirements.

Implications for State Regulators

  • Supervisory Expectations: State regulators will need to incorporate the updated enforcement standards into their examination processes to maintain parity with federal oversight.
  • Coordination with NCUA: Greater collaboration may be necessary for incident reporting and enforcement, especially for federally insured state-chartered credit unions.
  • Policy Updates: States may consider revising their own regulations or guidance to align with NCUA’s enhanced framework, ensuring consistency and reducing regulatory burden.

[1] 15 U.S.C. 6801 et. seq. (Nov. 12, 1999).

[2] Id. At this time, “federal banking agencies” refers to the Office of the Comptroller of the Currency, the Federal Reserve Board, and the Federal Deposit Insurance Corporation, although at the time of GLBA’s passage the term included the now-defunct Office of Thrift Supervision.

[3] 15 U.S.C. 6801(b).

[4]66 FR 8152 (Jan. 30, 2001).

[5]77 FR 71085 (Nov. 29, 2012); 78 FR 32541 (May 31, 2013).

[6] 12 U.S.C. 5581(b)(6) (July 21, 2010).

[7]12 CFR part 716. To assist FICUs, the part 716 heading was retained with a cross citation to the CFPB’s republished version of the regulation at 12 CFR part 1016.