Associate Member Archives - Page 9 of 19

Final Rule Summary
FinCEN: Use of FinCEN Identifiers in Beneficial Ownership Information Reporting

NASCUS Legislative and Regulatory Affairs Department
November 28, 2023

On November 7, 2023, FinCEN issued a final rule that specifies the circumstances in which a reporting company may report an entity’s FinCEN identifier in lieu of information about an individual beneficial owner.

Summary

A FinCEN identifier is a unique number that FinCEN will issue upon request after receiving the required information. Although there is no requirement to obtain a FinCEN identifier, doing so can simplify the reporting process and allow entities or individuals to provide the required information directly to FinCEN.

The final rule amends FinCEN’s final Beneficial Ownership Information (BOI) Reporting Rule. The amendments specifically respond to concerns from commenters that the reporting of entity FinCEN identifiers could obscure the identities of beneficial owners in a manner that might result in greater secrecy or misleading disclosures. To address this concern, the final rule provides clear criteria that must be met in order for a reporting company to report an intermediate entity’s FinCEN identifier in lieu of information about the individual beneficial owner.

Specifically, the final rule adopts the following changes:

To consistently refer to the entity whose FinCEN identifier the reporting company may use as “another entity” or “the other entity” rather than simply “the entity,” in order to avoid confusion with the reporting company itself; and
To make clear that it is an individual’s ownership interest in another entity that allows the reporting company to report the other entity’s FinCEN identifier in lieu of the individual’s information.

The final rule will be effective January 1, 2024, to align with the effective date of the BOI Reporting Rule.

Notice of Proposed Rulemaking and Request for Comment
FinCEN: Proposal of Special Measure Regarding Convertible Virtual Currency Mixing, as a Class of Transactions of Primary Money Laundering Concern

NASCUS Legislative and Regulatory Affairs Department
November 6, 2023

FinCEN has issued a notice of proposed rulemaking (NPRM) and request for comment, pursuant to Section 311 of the USA PATRIOT Act. The NPRM would require domestic financial institutions, including credit unions, and domestic financial agencies, to implement certain recordkeeping and reporting requirements when the institution “knows, suspects, or has reason to suspect” that the transaction involves convertible virtual currency (CVC) mixing.

Comments on the NPRM are due by January 22, 2024.

Summary

Section 311 of the USA PATRIOT Act grants the Secretary of the Treasury authority, which has been delegated to FinCEN, to require domestic financial institutions and agencies to take certain “special measures” if FinCEN finds that reasonable grounds exist for concluding that one or more classes of transactions within or involving a jurisdiction outside of the United States are of “primary money laundering concern.”

FinCEN’s implementation of Section 311 in this NPRM is FinCEN’s first-ever action under Section 311 authority to target a “class of transactions” of primary money laundering concern.

The NPRM will primarily impact CVC exchanges that deal directly with CVC and operate as money service businesses (MSBs) under the Bank Secrecy Act (BSA). Financial institutions that deal directly with CVCs will also need to comply. The immediate effect of FinCEN’s action is that covered entities will need to begin reviewing mixing activity, understanding that the US government now deems this class of transactions to represent a heightened financial crime risk.

Definitions

The NPRM defines a CVC mixer as “any person, group, service, code, tool, or function that facilitates CVC mixing.”

CVC mixing is then defined as “the facilitation of CVC transactions in a manner that obfuscates the source, destination, or amount involved in one or more transactions, regardless of the type of protocol or service used,” including those conducted through the following six specific methods:

Pooling or aggregating CVC from multiple persons, wallets, addresses, or accounts;
Using programmatic or algorithmic code to coordinate, manage, or manipulate the structure of a transaction;
Splitting CVC for transmittal and transmitting the CVC through a series of independent transactions;
Creating and using single-use wallets, addresses, or accounts, and sending CVC through such wallets, addresses, or accounts through a series of independent transactions;
Exchanging between types of CVC or other digital assets; or
Facilitating user-initiated delays in transactional activity.

The NPRM also contains a proposed exception to the definition of CVC mixing. The definition would exclude “the use of internal protocols or processes to execute transactions by banks, broker-dealers, or money service businesses, including virtual asset service providers (VASPs) that would otherwise constitute CVC mixing, provided these financial institutions preserve records of the source and destination of CVC transactions when using such internal protocols and processes, and provide such records to regulators and law enforcement, where required by law.”

Recordkeeping and Reporting Requirements

The NPRM proposes FinCEN would seek to collect the following information:

The amount of any so-called CVC transferred, in both CVC and its US dollar equivalents, when the transaction was initiated.
The type of CVC.
The CVC mixer used, if known.
The CVC wallet address associated with the mixer.
The CVC wallet address associated with the customer.
Transaction hash.
The date of the transaction.
IP addresses and time stamps associated with the covered transaction.
Narrative

The proposal also requires that reportable information regarding the customer associated with the covered transaction would also necessarily be collected, including:

Customer’s full name;
Customer’s date of birth;
Address;
Email address associated with all accounts from which or to which the CVC was transferred; and
Unique identifying number.

Request for Comment

The NPRM includes several categories of specific questions in which they are seeking industry feedback. These categories include:

CVC Mixing as a Class of Transactions of Primary Money Laundering Concern;
Proposed Definitions;
Potential Alternatives;
Recordkeeping and Reporting; and
Burden and Other Impacts of the Proposed Rule

NCUA: 2024 Proposed Budget Summary

NASCUS Legislative and Regulatory Affairs Department
November 8, 2023

A $394.5 million 2024 proposed budget[1] was posted on October 26, 2023, by NCUA; a public briefing is set for November 16. Interested parties may provide comments on the budget, as published in the Federal Register[2], until November 21, 2023. While NASCUS refrains from commenting on a peer regulatory budget, concerns continue regarding the development and implementation of the Overhead Transfer Rate (OTR) which will be addressed in its own review process.

According to NCUA, its operating budget for next year is 11% or approximately $38 million higher than the previous year’s approval. These increases do not include approximately $18 million of unspent funds to be reallocated from the 2023 budget toward contracted services. Budget increases represent, almost exclusively, increases related to the NCUA’s Operating Budget, with a $4 million decline forecasted in the Capital Budget to $7.3 million and Share Insurance Fund Administrative Budget increases of $180,000 to $5.1 million.

Material components of the increased budget include:

Employee related increase of $26.2 million, or a 9.8 percent increase compared to the 2023 budget for salaries and related benefits, which includes an increase of 28 positions or 2.3% staffing increase. These expenses make up approximately 76.7 percent of the annual NCUA operating budget.
A $10.7 million, or 25.7% increase in spending on contractual services used to support the NCUA’s supervision framework, including tools used to identify and address risk concerns such as interest rate risk, credit risk and industry concentration risk. The 2024 budget of $70.1 million is forecasted to be offset by $18 million of unspent 2023 funds, to net a 2024 budget impact of $52.1 million.
A $800,000 or 13% increase in spending in rent, communications, and utilities to stand up new disaster recovery and continuity of operations sites due to the decommission of current locations at the end of 2023.

NCUA lowered the OTR, the percentage of their budget funded by the Share Insurance Fund, 60 basis points to 61.8%, which means 61.8% of the NCUA budget is funded by the Share Insurance Fund with the remainder funded by the operating fees paid by FCUs or the $18 million unspent surplus from the previous budget. While NASCUS supports a decline in the OTR, it should be acknowledged that with the increase in the budget, the decline in the OTR is estimated to represent a $15 million increase in the Share Insurance Fund contribution to the overall budget from the previous year. Further, while a decline was initiated this year, the OTR remains 50 basis points higher than that of 2020.

NASCUS continues to believe that while improvements in the methodology to apply expenses to the NCUSIF through the OTR have been instituted, there remains legitimate talking points regarding further improvements to ensure the appropriateness of the allocation of expenses between the two programs. NASCUS staff will be providing comments at the November 16, 2023, NCUA Budget Briefing as well as written comments by November 21, 2023.

[1] Available at https://ncua.gov/files/publications/budget/budget-justification-proposed-2024-2025.pdf

[2] 88 FR 75040

CFPB Summary re: Consumer Information Requests to Large Banks/Credit Unions

12 CFR Chapter X

The Consumer Financial Protection Bureau (CFPB) issued this Advisory Opinion regarding Section 1034(c) of the Consumer Financial Protection Act (CFPA), which requires large banks and credit unions to comply in a timely manner with consumer requests for information concerning their accounts for consumer financial products/services, subject to limited exceptions.

The Advisory Opinion became effective on October 16, 2023, and can be found here.

Summary:

Section 1034 (c) of the CPFA requires large financial institutions to comply with consumer requests for information concerning their accounts in a timely manner. The Advisory Opinion interprets this provision for the purpose of highlighting the obligations it imposes upon large financial institutions.

Section 1034 (c) applies to insured depository institutions and credit unions that offer or provide consumer financial products/services and that have total assets of more than $10 billion, as well as their affiliates. In accordance with Section 1034 (c), subject to certain exceptions, applicable institutions must “in a timely manner, comply with a consumer request for information in the control or possession of such covered person concerning the consumer financial product/service that the consumer obtained from such covered person, including supporting written documentation, concerning the account of the consumer.” According to the opinion, Congress added Section 1034(c) to the CFPA to establish a direct channel for consumers to request information from institutions without having to route their inquiry through the CFPB or another government entity.

Information Requests under Section 1034(c)

Section 1034(c) requires institutions to respond to a consumer’s request for information regarding their consumer financial product/service in a “timely manner.” This requirement applies in instances where the information request is in the control or possession of the entity and does not fall into an enumerated exception.

The Bureau notes that a “consumer financial product or service” includes several types of financial products or services that consumers may obtain from an institution, including deposit and saving accounts, credit products such as mortgage loans and credit cards, and loan servicing. The Bureau provided examples of the type of information that might be requested:

Information from periodic statements or online account information
Bill payments information
Deposit account balances, credit card and/or loan account interest rates, etc.
Terms/conditions of accounts including fee schedules
Information about the status of a lien on property

In addition, the Bureau notes that complying with Section 1034(c) information request requirements could include the provision of supporting, written documentation. For example, this could include the provision of account statements or check images.

Exceptions to Section 1034(c)

Section 1034(c) does not apply to consumer’s request for information that is not specifically related to a consumer’s account, such as information regarding an institution’s internal operating procedures, financial performance, marketing strategies or employee training programs. In addition, the opinion specifies the following information is exempt from Section 1034(c) requirements.

Confidential commercial information, including an algorithm used to derive credit scores or other risk scores or predictors;
Information collected for the purpose of preventing fraud or money laundering, or detecting or making any report regarding other unlawful or potentially unlawful conduct;
Information required to be kept confidential by any other provision of law; any
Nonpublic or confidential information, including confidential supervisory information.

Unreasonable barriers to consumer information requests

The Bureau notes that the language of Section 1034 (c) provides that institutions “shall” provide the relevant requested information in a timely manner and interprets this language to mean that institutions are required to comply with consumer requests for information. The Bureau also notes that institutions that cannot impose “unreasonable” conditions on consumer requests that would results in barriers to consumers being able to get their requests met.

Fees

An institution that imposes conditions that would “unreasonably impede” a consumer’s ability to request and receive account information would violate Section 1034(c) requirements. For example, institutions that require a consumer to pay a fee or charge to request account information are likely to be found to have interfered with the consumer’s ability to exercise the right provided. The following examples of problematic fees were provided:

Fees related to consumer inquiries regarding their deposit account balances
Fees related to consumer inquiries seeking the amount necessary to pay a loan balance
Fees related to a request for a specific type of supporting document, such as a check image or an original account agreement
Fees related to time spent on consumer inquiries seeking information and supporting documents regarding an account.

However, the Bureau notes there are instances fees would be appropriate. The opinion notes it would generally not violate Section 1034 (c) for an entity to impose a fee or charge in certain limited circumstances. For example, the Bureau notes that an entity that charges a consumer who repeatedly requested/received the same information regarding their account would be permissible.

Applying conditions to information requests

An entity may also violate Section 1034 (c) by imposing other conditions or obstacles that unreasonably impede consumers’ ability to make an information request. For example, problematic conditions/obstacles could include forcing consumers to endure excessively long wait times to submit an information request; requiring consumers to interact with a chatbot that can’t adequately respond to information requests; or directing consumers to obtain information the institution possesses from a third party instead.

Timely Compliance with Consumer Information Requests

Section 1034 (c) provides that institutions “shall, in a timely manner, comply” with consumer requests for information. The regulation does not specify a time limit for responding that applies to all information requests. The Bureau will consider the specific circumstances and nature of a particular request to determine compliance.

Bureau notes whether a response is considered timely may depend on the complexity of the request and/or the difficulty of responding. What constitutes a timely response may also be informed by the timing requirements of other Federal laws and regulations with which large banks/credit unions must comply.

Accuracy and Completeness of Responses to Consumer Information Requests

Section 1034(c) contemplates institutions will provide consumers with the information they request to the extent it is in their control or possession. An entity would violate the regulation if it provided incomplete or inaccurate information in response to a consumer’s information request.

The Bureau notes the advisory opinion is intended to serve as a simplified survey and reference tool for large banks/credit unions. In addition, the opinion clarifies that as a matter of prosecutorial discretion, the Bureau does not intend to seek monetary relief for potential violations of Section 1034(c) that occur prior to February 1, 2024.

NCUA Letter to Credit Unions 23-CU-08
Resumption of Federal Student Loan Payments

NASCUS Legislative and Regulatory Affairs Department
October 12, 2023

With federal student loan payments slated to resume this month, on October 11, the NCUA issued Letter to Credit Unions 2023-CU-08. In this letter, the NCUA encourages credit unions to work with borrowers who may be negatively impacted by the increase in total repayment obligations. It also notes that credit unions will not be criticized for their efforts to provide relief to borrowers when such efforts are conducted in a “reasonable manner with proper controls and management oversight consistent with consumer financial protection requirements.

To ensure credit unions remain safe and sound and operate in a fair manner, the NCUA is providing the industry with the following strategies when evaluating exposure to borrowers facing payment stress associated with federal student loan repayment.

Risk Management Principles

The NCUA’s 2023 Supervisory Priorities indicate NCUA examiners will review the safety and soundness of existing lending programs at credit unions, adjustments to underwriting standards, portfolio monitoring practices, and loan workout strategies. Examiners will also review policies and procedures related to the Allowance for Credit Losses.

Risk Assessment

The letter indicates credit unions should assess aggregate exposure to borrowers with federal student loans and provides recommendations for analysis including:

Identifying borrowers with large student loan balances relative to income;
Reviewing borrowers’ credit bureau information;
Querying member transaction history prior to the repayment pause with payments from their credit union account; or
Considering other indicators such as the number of members with private student loan payments.

Borrower Outreach

The letter encourages credit unions to consider contacting borrowers to inform them about the credit union’s eligibility standards and processes for requesting loan modifications. It also provides credit unions with various resources to provide borrowers, including researching repayment obligations and applying for loan forgiveness.

Underwriting and Modifications

The letter states that credit unions should apply prudent underwriting and loss mitigation strategies for borrowers experiencing financial difficulty and struggling to make their loan payments. It encourages credit unions to use well-structured and sustainable loan modifications that are in the best interest of both the credit union and the member.

Portfolio Monitoring

Credit unions should identify and monitor higher-risk portfolio segments and update the board on any relevant risk exposure in the following areas, including, but not limited to:

Private Student Loans;
Credit card balances or other debt obligations that increased during the student loan repayment pause or that increased after the repayment period resumed;
Adjustable-rate loans that have similar payment reset time frames; or
Elevated debt-to-income ratios or low credit scores.

Allowance for Credit Losses

Finally, credit unions need to consider whether the risk associated with federal student loan repayment is adequately captured in the Allowance for Credit Losses, as detailed in Accounting Standards Codification Topic 326.

Please select a valid form

The Legislative & Regulatory Affairs Committee (L&R Committee)

Our largest committee, consisting of over 70 members, is comprised of individuals from various segments of our membership, including regulators, credit unions, leagues, and associate members. This committee convenes on the first Wednesday of each month at 3 pm (EST) for a one-hour session to address significant issues facing our system. Additionally, this committee holds in-person meetings during our Annual NASCUS State System Summit (S3).

Furthermore, the committee plays a vital role in reviewing NASCUS comment letters, providing an open forum where any member can raise concerns or issues, and organizing special calls on topics like litigation trends and cryptocurrencies. Importantly, there is no limit on committee membership, and multiple individuals from the same credit union are welcome to participate.

The CDFI, MDI, and LICU Issues Committee

This committee, which is open to all NASCUS members, concentrates on raising awareness about the unique designations within the credit union sector, namely Community Development Financial Institution (CDFI), Minority Depository Institution (MDI), and Low-Income Credit Union (LICU). It also aims to identify advocacy objectives that NASCUS can pursue to enhance the significance of these special designations. The CDFI/MDI/LICU Issues Committee convenes every other month.

The Education Committee

This committee supervises NASCUS’s programs related to professional development, training, and education. It plays a crucial role in suggesting the educational requirements of the credit union system. It assesses NASCUS’s continuous professional development initiatives by examining program agendas, post-conference evaluations, and financial aspects of events. While membership on the Education Committee is available to all membership categories, it is limited to a maximum of eight participants.

If you have additional questions on how to participate with NASCUS Committees, please contact Shellee Mitchell.

NCUA Final Rule Summary

NCUA Rules 701 and 714: Financial Innovation: Loan Participations, Eligible Obligations, and Notes of Liquidating Credit Unions (NCUA-2022-0185)

NASCUS Legislative and Regulatory Affairs Department
September 29, 2023

Background

On September 21, 2023, the NCUA Board[1] approved for publication Final Rule. Published in the Federal Register on September 29, 2023[2], the Final Rule entitled Financial Innovation: Loan Participations, Eligible Obligations, and Notes of Liquidating Credit Unions seeks to amend 12 CFR Parts § 701 and § 714. The final rule is effective October 30, 2023.

Amendments to the final rule apply to §§701.21, 701.22, 701.23, and 714.9 relating to origination of loans and lines of credit to members; the purchase of loan participations and the purchase, sale, and pledge of eligible obligations (including notes from liquidating credit unions).

The final rule adopts the amendments largely as initially proposed to provide additional flexibility to federally insured credit unions (FICUs) in the use of advanced technologies and other opportunities provided by the financial technology (Fintech) sector. Further the amendments remove prescriptive limitations and other qualifying requirements relating to eligible obligations in favor of principle-based guidance that allow an institution to establish individual risk tolerance limits and governance policies.

Most significantly, the new rule conforms NCUA’s regulation regarding the definition of indirect lending and indirect leasing arrangements to be consistent with concepts outlined in NCUA Legal Opinion 15-0813, Loan Participations in Indirect Loans – Originating Lender[3].

The majority of the changes apply to FCUs with the exception of amendments to specific sections of §701.22 (participations). However, amendments within §701.23 would impact transactions between FICUs and FCUs and some amendments could indirectly impact FISCUs in cases where state agencies use similarly constructed state regulations related to the determination of a purchased investment being classified as a loan to member, a participation, or a purchased obligation of a member. Of particular interest are the amendments found in §701.21.

This summary will highlight the material implications of the changes that directly affect FISCUs and those with the potential to indirectly impact FISCUs through indirect, definitional and/or SSA adoption of NCUA like rules and regulations.

Summary

The following summarizes the material changes to each applicable section of the final rule.

§701.21 (Loans to members and lines of credit to members)
Provisions of § 701.21 apply to FCUs with only the following provisions applying to FICUs:

Insider lending restrictions as outlined in (c)(8);
Non-preferential treatment requirements to FISCU officials or related parties outlined in (d)(5); and
Third-party servicing of indirect vehicle loan limitations found in (h).

The final rule adds a new paragraph §701.21(c)(9) clarifying the definition of indirect lending and indirect leasing arrangements. The application of these indirect arrangement definitions provides a purchasing credit union to consider purchased indirect loans as an originated loan to a member as outlined below. These changes do not relate directly to state-chartered credit unions but may impact state language similarly adopted or bound by definitions in §701.21. The new language replaces language formerly found in §701.23(b)(4)(iv).

Under §701.21(c)(9) indirect lending and leasing agreements are defined as written agreements to purchase loans or leases from an originating entity where the purchaser (1) makes the final underwriting decision, and (2) the loan or lease agreement is assigned to the purchaser “very soon after” it is signed by the member and the originating third-party retailer. It is presumed that loans assigned “very soon after” the agreement between the consumer and the third-party retailer indicate the retailer acts as a facilitator of the loan as opposed to an originating lender.

The length of time that satisfies the “very soon after” is not specifically defined and dependent on the nature of the loan, the practical realities of assigning certain kinds of loans in the current marketplace and in accordance with prevailing industry standards.[4] The rule maintains that while “very soon after” is generally determined on a case-by-case basis as described above, the longer the period between the formation of the contract and its assignment, the more likely the program will be viewed as involving the purchase of an eligible obligation rather than the origination of a loan.[5]

Presuming such indirect lending or leasing arrangement requirements are met indicates such investments would be classified as loans to members, as authorized by §701.21, and not as the purchase of an eligible obligation of a member as authorized by §701.23.

§701.22 (Loan Participations)

FISCUs must comply with all provisions of §701.22, except (b)(4) which requires a borrower to become a member of one of the participating credit unions before the purchasing federally insured credit unions purchases a participation interest in the loan.

The NCUA final rule provides clarification in the introductory paragraph and codifies NCUA Legal Opinion 15-0813. This language clarifies that a FICU engaged in an indirect lending relationship can meet the definition of an “eligible organization” under §701.22, provided the FICU meets certain conditions.

Specifically, a FICU would be considered the originating lender and meet the definition of an “eligible organization” if the FICU (1) makes the final underwriting decision regarding the loan, and (2) the loan is assigned to the purchaser very soon after the inception of the obligation to extend credit. An “originating lender” is defined as a participant with which the borrower initially or originally contracts for a loan and who, thereafter or concurrently with the funding of the loan, sells participations to other lenders. An originating lender specifically includes a participant that acquires a loan through an indirect lending arrangement as defined under §701.21(c)(9).

The final rule clarifies that a FICU can meet the definition of “originating lender” in certain transactions where the FICU is engaging in indirect lending arrangements with Fintech companies and other third-party loan acquisition channels, such as Credit Union Service Organizations (CUSOs) or other loan-originating retailers.

§701.23 (Purchase, sale, and pledge of eligible obligations)

The final rule provides amendments through certain clarifying and conforming language to the introductory paragraph of §701.23. No part of §701.23 applies directly to FISCUs.

Proposed amendments include the deletion of §701.23(b)(4) which excludes certain loans acquired through indirect lending and leasing arrangements from the 5-percent limit on the aggregate of the unpaid balance of certain loans purchased under §701.23. Excluded loans include student loans, real estate loans, and eligible obligations purchased in accordance with §701.23(b)(4)(b)(1)(iii), (iv), or (i) or purchased through indirect lending arrangements defined in §701.23(b)(4)(iv). These limitations would be removed and instead, such investments may meet the definition of a loan to a member under the proposed language of §701.21(c)(9). The 5-percent limitation to unimpaired capital and surplus of the FCU purchaser would still apply to purchases of eligible obligations from liquidating FCUs and FICUs under §701.23(b)(1)(ii) and (2)(ii)

This change, in conjunction with the other changes in §701.21, is intended to provide clarification on the long-standing interpretation[6] that credit instruments acquired by an FCU pursuant to an indirect lending arrangement are considered loans made by the FCU under §701.21, if the aforementioned conditions of underwriting and timeliness of assignment are met, rather than eligible obligations purchased under §701.23.

Amendments to §701.23 include removing the CAMELS ratings and well-capitalized requirement found under §701.23(b)(2) for FCU purchases of certain non-member loans from FICUs and add principle-oriented safety and soundness requirements to section §701.23(b)(i)-(vi) concerning the purchase of eligible obligations. These new safety and soundness requirements offset the removal of the CAMELS/ well-capitalized requirements and the 5-percent limit constraints.

The principled safety and soundness requirements on the purchasing FCU related to eligible obligations or notes from a liquidating credit union include:

Establishing written, board-approved policies, risk assessments, and risk management process requirements commensurate with the size, scope, type, complexity, and level of risk posed by the planned purchase activities.
Conducting due diligence on the seller prior to purchase.
Initiating written loan purchase agreements with provisions established in §701.22.
Conducting a legal review and assessment of applicable loan purchase agreements or contracts to protect the FCU’s legal and business interests from undue risk.

Additional safety and soundness requirements to §701.23(c) relate to the selling FCU and include:

Obtaining a legal review and assessment of all applicable loan sale agreements on contracts.
Identifying the specific loan(s) being sold either directly in the written loan sale agreement or through a document incorporated by reference in the loan sale agreement.

The final rule amends §701.23(b)(5) to broaden the grandfather provision of that section to include purchased obligations where the investments were made in compliance with the former rule so long as updated risk assessments, established concentration limits, and risk monitoring appropriate for safety and soundness are still effective.

Finally, the addition of §701.23(b)(6) implies requirements that purchases of eligible obligations from liquidating credit unions must comply with the purchasing FCUs internal written purchase policies, which must:

Require that the purchasing FCU conduct due diligence on the seller of the loans and other counterparties to the transaction prior to purchase.
Establish risk assessment and management process requirements that are commensurate with the size, scope, type, complexity, and level of risk posed by the panned loan purchase activities.
Establish internal underwriting and ongoing monitoring standards commensurate with the size, scope, type, complexity, and level of risk posed by the activities.
Require that the written agreement include (1) the specific loans purchased, the location and custodian of the original loan documents, an explanation of the duties and responsibilities of the seller, servicer, and all parties with respect to all aspects of the loans being purchased, and the circumstances and conditions under which the parties to the agreement may replace the servicer when the seller retains the servicing rights.
Establish portfolio concentration limits by loan type and risk category in relation to net worth commensurate with the size, scope, and complexity of the credit unions loan purchases.
Address when a legal review of agreements or contracts will be performed to ensure that the legal and business interests of the credit union are protected.

§714.9 (Indirect leasing arrangements subject to the purchase of eligible obligation limit set forth in § 701.23)

The final rule amends certain clarifying and conforming amendments. No part of §714.9 applies to state-chartered credit unions.

Under the final rule §714.9 is removed completely, no longer applying the §701.23(b)(4)(iv) application of the 5-percent limitation to any purchases of eligible obligations. Further, the definition of indirect leasing arrangements, previously addressed here, is now defined in §701.21(c)(9).

[1] Board agenda available at https://ncua.gov/news/board-meetings-agendas-results/board-agenda-september-21-2023-meeting

[2] 88 FR 67570

[3] NCUA Legal Op. 15-0813 (Aug. 10, 2015) available at https://www.ncua.gov/regulation-supervision/legal-opinions/2015/loan-participations-indirect-loans-originating-lenders

[4] The preamble to the 1998 proposal to amend the eligible obligations rule requested public comment on whether the NCUA should specify a certain number of days as constituting “very soon.” 63 FR 41976, 41977 (Aug. 6, 1998). After considering the comments, however, the NCUA Board determined not to specifically define it because it wanted to provide FCUs with flexibility under various circumstances. The NCUA Board also clarified that assignment of the loan means acceptance of the loan and not necessarily the physical receipt of the loan documentation, recognizing that acceptance and payment are often done electronically. However, physical receipt of the loan documents by the FCU should occur within a reasonable time following acceptance of the loan. 63 FR 70997, 70998 (Dec. 23, 1998); see also NCUA Legal Op. 97-0546 (Aug. 6, 1997) (Concluding that an indirect lending arrangement where the retailer made a loan and assigned it to the purchasing credit union within one business day met the “very soon after” timing requirement.).

[5] 63 FR 41976, 41977 (Aug. 6, 1998).

[6] See, e.g., NCUA Legal Op. 97-0546 (Aug. 6, 1997), available at https://www.ncua.gov/regulation-supervision/legal-opinions/1997/indirect-lending.

Notice of Proposed Rulemaking and Request for Comment

FinCEN: Beneficial Ownership Information Reporting Deadline Extension for Reporting Companies Created or Registered in 2024

NASCUS Legislative and Regulatory Affairs Department
September 28, 2023

The Financial Crimes Enforcement Network (FinCEN) issued a proposed rule and request for comment that would amend the beneficial ownership information (BOI) reporting rule (Reporting Rule) to extend the filing deadline for certain BOI reports. Under the current Reporting Rule, new entities created or registered on or after the January 1, 2024, effective date, must file initial BOI reports with FinCEN within 30 days of notice of their creation or registration.

The proposed amendment would extend the filing deadline from 30 days to 90 days for entities created or registered on or after January 1, 2024, and before January 1, 2025, to give those entities additional time to understand the new reporting obligation and collect the necessary information to complete the filing.

Entities created or registered on or after January 1, 2025, would have 30 days to file their BOI reports with FinCEN, as required under the Reporting Rule.

Comments are due on or before October 30, 2023.

Summary

As required under the Corporate Transparency Act (CTA)[1], FinCEN issued the final Reporting Rule on September 30, 2022. The Reporting Rule requires certain entities, “reporting companies,” to report certain identifying information about the beneficial owners who own or control the entities and the company applicants who form or register them.

Specifically, the Reporting Rule requires reporting companies to report to FinCEN the following information within the prescribed period:

The beneficial owners of the reporting company; and
The company applicants, who are the individuals who filed a document to create the reporting company or register it to do business.

For reporting companies established prior to January 1, 2024, an initial BOI report must be filed by January 1, 2025. However, the Reporting Rule requires an initial BOI report to be filed within 30 days for reporting companies established after January 1, 2024.

Proposed Rule

FinCEN is proposing to extend the period for reporting companies created or registered on or after January 1, 2024, and before January 1, 2025. These reporting companies would have 90 days to submit their initial BOI reports instead of 30 days as required under the Reporting Rule.

FinCEN is issuing this proposed rule to allow entities to understand and comply with the new requirements. FinCEN also believes the extension will provide new reporting companies with additional time to obtain the information necessary to complete the initial BOI reports. Finally, the proposed rule would give reporting companies more time to resolve questions that may arise in the process of completing the initial BOI reports.

FinCEN indicates in the proposed rule they will continue to work actively to develop and issue guidance and education materials such as FAQs, videos, infographics, and compliance guides to help reporting companies, which NASCUS addressed here.

The proposed rule also notes that FinCEN aims to establish a contact center prior to January 1, 2024, to field questions about the BOI reporting requirements. FinCEN believes the proposed extension will also assist them in managing the volume of contact center inquiries while also providing more comprehensive customer service to reporting companies.

The proposed extension would apply to both domestic and foreign entities created or registered in the U.S. for the first year after the effective date. Any entity created or registered after January 1, 2025, would remain subject to the 30-day deadline established in the Reporting Rule.

Comments

FinCEN is seeking comments on:

Whether the proposed rule may provide other benefits to reporting companies, their service providers, or other stakeholders.
Whether any aspects of the proposed rule would result in cost or burden, or whether the proposed rule would affect the estimate of the cost, burden, and impact of the Reporting Rule in the Reporting Rule’s Regulatory Impact Analysis.

[1] 31 U.S.C. 5336

FinCEN Issues Compliance Guide to Help Small Business Report Beneficial Ownership Information

NASCUS Legislative and Regulatory Affairs Department
September 22, 2023

As the January 1, 2024 compliance deadline looms, FinCEN has published a Small Entity Compliance Guide for the Beneficial Ownership Information (BOI) Reporting Rule (Rule) under the Corporate Transparency Act (CTA) and updated FAQs regarding CTA compliance requirements.

A series of three separate rulemakings is required of FinCEN to fully implement the CTA. The first of the three, the BOI Reporting Rule, requires certain legal entities to file BOI reports with FinCEN. The rule describes who must file BOI reports, the information required to be reported, and when the reports must be filed.

Compliance Guide

The guide includes six chapters addressing specific areas of the final rule to assist small businesses in identifying their obligations under the Rule. The six key areas include:

Determining if a company is a reporting company.
Identifying the beneficial owners of a company.
How to determine if a company is required to report its company applicants.
The specific information a company needs to report.
When and how to file the initial BOI report.
What to do if there are changes to or inaccuracies in the reported information.

To further assist small businesses in determining their requirements for reporting the guide includes a series of fillable questions and answers, checklists, and infographics.

It is important to note the Guide does not appear to provide any substantive answers beyond the final rule but rather attempts to provide clarity regarding the existing regulatory requirements.

Reporting Requirements

As a reminder, business members who were created or registered to do business before January 1, 2024, will have one full year, until January 1, 2025, to file their initial BOI report.

Business members who are created or registered to do business after January 1, 2024, will have 30 days after receiving notice of their company’s creation or registration to file their initial BOI report.

Updated Frequently Asked Questions and Rulemaking

As noted above, FinCEN has also updated its FAQs on the CTA. The FAQs were first published in March 2023, along with the launch of FinCEN’s dedicated BOI webpage which NASCUS previously discussed here. The FAQs, like the Guide, do not provide any additional clarification regarding the CTA, but rather review the existing guidance.

FinCEN does indicate the regulation surrounding access to the database for BOI is still forthcoming and mentions that FinCEN is still in the process of revising the reporting form. The FAQs fail to mention amendments to the Customer Due Diligence (CDD) Rule. This proposed rule isn’t expected until sometime in 2024.

FinCEN Alert on Prevalent Virtual Currency Investment Scam Commonly Known as “Pig Butchering”
FIN-2023-Alert005

NASCUS Legislative and Regulatory Affairs Department
September 11, 2023

On September 8, 2023, FinCEN issued an alert FIN-2023-Alert005 regarding the virtual currency investment scam referred to as “pig butchering.” The scams are referred to as “pig butchering” as they resemble the practice of fattening a hog before slaughter. Scammers leverage fictitious identities under the guise of potential relationships with elaborate storylines to “fatten up” the victims into believing they are in trusted partnerships. In many cases, the “butchering” phase involves convincing the victims to invest in virtual currency or “over the counter” foreign exchange schemes, all with the intent of defrauding the victims of their investments.

These scams are largely perpetrated by criminal organizations based in Southeast Asia that use victims of labor trafficking to conduct outreach to millions of unsuspecting victims around the world.

The alert explains the pig butchering scam methodology, provides red flag indicators to identify and report suspicious activity, and reminds financial institutions of their reporting requirements under the Bank Secrecy Act.

Methodology of a Pig Butchering Scam

Initial Contact with Victim

Pig butchering scammers will typically contact a potential victim through text messages, direct messages on social media, professional networking sites, and dating sites, under the guise of accidentally reaching a wrong number or trying to re-establish a connection with an old friend. The scammer, who may claim to be an investor or money manager, may also create a social media profile showcasing wealth and an enviable lifestyle. Once a response is elicited from the victim, the scammer will communicate with them over time to establish trust and build a relationship.

The” Investment” Sales Pitch

Once trust or a relationship has been established, the scammer will introduce the victim to what is portrayed as a “lucrative investment opportunity” in virtual currency and direct them to use virtual currency investment websites or applications designed to appear legitimate, but which are fraudulent and ultimately controlled or manipulated by the scammer. This includes the use of legitimate applications with third-party plugins that allow the scammer to manipulate or falsify information presented to the victim. A scammer may also request remote access to the victim’s devices to register accounts with virtual currency service providers (i.e., virtual asset service providers, or VASPs) on the victim’s behalf, or instruct their victims to take screenshots of their device so that the scammers can walk them through the process of purchasing virtual currency.

Often scammers will leverage high-pressure sales tactics as well as encourage friends and family to invest. Recent cases have even been presented as “play-to-earn” games offering financial incentives to players but in reality, players are playing on fake gaming applications created by scammers to steal virtual currency from the players.

The Promise of Greater Returns

Once the victim invests with the scammer the scammer will show the victim extraordinary returns on the investment that has been fabricated. The scammer may even allow the victim to withdraw a small amount of that investment to further build the victim’s confidence before urging them to invest more. Victims of pig butchering scams have been known to liquidate holdings in tax-advantaged accounts or take out home equity lines of credit and second mortgages on their homes.

The Point of No Return

When a victim’s pace of investment slows or stops, the scammer will use even more aggressive tactics to extract any final payments. The scammer may present the victim with supposed losses on their investments and encourage them to make up the difference with additional deposits. If the victim tries to withdraw their investment, the scammer may demand the victim pay purported taxes or early withdrawal fees. Once a victim is unable or unwilling to pay more into the scam, the scammer will abruptly cease communication and take the entire investment with them.

Red Flag Indicators

FinCEN, in consultation with law enforcement, has identified fifteen red flag indicators to help detect, prevent, and report potential suspicious activity relating to pig butchering. In the alert, FinCEN also reminds financial institutions that no single indicator is illicit, or suspicious activity, and financial institutions should consider several factors including a customer’s (member) financial history. Financial institutions should also, as part of the risk-based approach to compliance with BSA, perform additional due diligence when appropriate.

Behavioral Red Flags

The alert consists of four behavioral red flags including a customer with no history of using or interacting with virtual currency attempting to exchange a high amount of fiat currency to virtual currency.

Financial Red Flags

The alert also consists of six financial red flags including a customer taking out a HELOC, home equity loan, or second mortgage and using the proceeds to purchase virtual currency or wires the proceeds to a VASP for the purchase of virtual currency.

Technical Red Flags

Finally, the alert consists of five technical red flags including system monitoring and logs show that a customer’s account is accessed repeatedly by unique IP addresses, device IDs, or geographies inconsistent with prior access patterns. Additionally, logins to a customer’s online account at a VASP come from a variety of different device IDs and names inconsistent with the customer’s typical logins.

Pig Butchering Fraud Reporting

In addition to filing a SAR, the alert encourages financial institutions to refer their customers who may be victims of pig butchering to the FBI’s IC3: https://www.ic3.gov/, and may also refer their customers to the Securities and Exchange Commission’s tips, complaints, and referrals (TCR) system to report investment fraud: https://www.sec.gov/tcr.

In the case of elder victims of pig butchering, financial institutions may also refer their customers to DOJ’s National Elder Fraud Hotline at 833-FRAUD-11 or 833-372-8311.

Reminder of BSA Obligations

Finally, FinCEN’s alert reminds financial institutions of their BSA obligations and tools for SAR reporting and other BSA reporting under the USA Patriot Act Section 314(b) Information Sharing Authority. When filing a SAR in connection with this alert, FinCEN requests that financial institutions include the key term “FIN-2023-PIGBUTCHERING” in SAR field 2 and select “fraud-other” under SAR field 34(z) with the description “Pig Butchering.” The SAR narrative should indicate a connection between the suspicious activity reported and the activities outlined in this alert.

Letter to Credit Unions 23-CU-07
Cyber Incident Notification Requirements

NASCUS Legislative and Regulatory Affairs Department
August 17, 2023

NCUA issued Letter to Credit Unions 23-CU-07 to provide additional guidance on the agency’s cyber incident notification rule. As a reminder, beginning September 1, 2023, all federally insured credit unions (FICUs) are required to notify NCUA as soon as possible, and no later than 72 hours, after the credit union reasonably believes it has experienced a reportable cyber incident or received a notification from a third party regarding a reportable cyber incident.

The letter summarizes the amendments to part 748 and provides instructions on what and how to report to the NCUA. It also includes examples of reportable (Appendix A) and non-reportable (Appendix B) incidents. To provide further assistance, the NCUA has also included a cyber incident reporting quick reference guide.

Summary

As addressed in NASCUS final rule summary a reportable incident is any “substantial” cyber incident that leads to one or more of the following:

A substantial loss of confidentiality, integrity, or availability of a network or member information system that results from the unauthorized access to or exposure of sensitive data, disrupts vital member services or has a serious impact on the safety and resiliency of operational systems and processes.
A disruption of business operations, vital member services, or a member information system resulting from a cyberattack or exploitation of vulnerabilities.
A disruption of business operations or unauthorized access to sensitive data facilitated through, or caused by, a compromise of a credit union service organization, cloud service provider, or other third-party data hosting provider or by a supply chain compromise.

The guidance indicates that federally insured credit unions may report a cyber incident through one of the following channels:

Via phone at 1-833-CYBERCU (1.833.292.3728) and leave a voicemail; or
Via the NCUA Secure Email Message Center to send a secure email to [email protected].

FICUs who report an incident should be prepared to provide as much of the following information as is known at the time of reporting:

Credit union name;
Credit union charter number;
Name and title of individual reporting the incident;
Telephone number and email address;
When the credit union reasonably believed a reportable cyber incident took place; and
A basic description of the reportable cyber incident, including what functions were, or are reasonably believed to have been affected or if sensitive information was compromised.

At the time of notification, do not send the NCUA:

Sensitive personally identifiable information;
Indicators of compromise;
Specific vulnerabilities; or
Email attachments.

If the NCUA requires additional information or clarification, the agency will follow up with the credit union directly.

If not done so already, FICUs should complete the following steps when implementing the final rule.

Review and update existing incident response plans;
Review contracts;
Provide employee training;
Monitor and review the credit union reporting process for effectiveness; and
Document all cyber incidents, regardless of whether they meet the reporting criteria, and maintain the records in accordance with the credit union’s record retention policy. As part of the documentation process, FICUs should specifically document:
- Indicators of compromise;
- Network information or traffic regarding the attack;
- The attack vector;
- Information on any exfiltrated data; and
- Any forensic or other reports about the reportable cyber incident.

Additional information and resources can be found at the NCUA’s Cybersecurity Resources webpage.

Final Rule Summary
NCUA: Federal Credit Union Bylaws

NASCUS Legislative and Regulatory Affairs Department
July 28, 2023

On March 15, 2022, Congress enacted the Credit Union Governance Modernization Act of 2022. Under the statute, the NCUA has 18 months following the date of enactment to develop a policy by which a federal credit union member may be expelled for cause by a two-thirds vote of a quorum of the FCU’s board of directors. On July 20, 2023, the Board issued a final rule to amend the standard Federal Credit Union (FCU) Bylaws, adopting this policy.

The rule is effective August 25, 2023. The final rule can be found here.

Summary

Under the current bylaws, removing a member of an FCU requires a two-thirds majority vote of credit union members present at a meeting specifically called for that purpose or a lack of participation as defined and adopted in a policy approved by the FCU’s board of directors.

The final rule adopts a policy by which an FCU member may be expelled for cause by a vote of two-thirds of a quorum of the FCU’s board of directors. The final rule also makes conforming changes to Article II of the FCU Bylaws regarding members in good standing.

Member Expulsion and Withdrawal

Under the final rule, an FCU member may be expelled for cause by a two-thirds vote or a quorum of the FCU’s board of directors. For cause means the following:

A substantial or repeated violation of the FCU’s membership agreement;
A substantial or repeated disruption, including dangerous or abusive behavior (including violence, intimidation, physical threats, harassment, or physical or verbal abuse of official or employees of the FUC, members, or agents of the FCU), to the operations of an FCU; or
Fraud, attempted fraud, or conviction of other illegal conduct in relation to the FCU, including the FCU’s employees conducting business on behalf of the FCU.

As discussed at the Board meeting upon approval of the final rule and as noted in the preamble to the final rule, the legislative history of the Governance Modernization Act describes an FCU’s need for using this authority to expel a member should be rare and used only for egregious member behavior.

The final rule for member expulsion includes the following:

Notice of the Expulsion Policy

Under the final rule, in accordance with the Governance Modernization Act, an FCU’s directors may expel a member only if the FCU has provided, in written or electronic form, a copy of the NCUA’s expulsion policy or the optional standard disclosure notice[1] to each member of the credit union.

Notice of Pending Expulsion

If a member is subject to expulsion, the member must be notified in writing in advance along with the reason for the expulsion. The final rule provides that relevant dates, sufficient detail for the member to understand the grounds for expulsion, how to request a hearing, the procedures related to the hearing, and, if applicable, a general statement on the effect of expulsion related to the member’s accounts or loans at the credit union must be included in the pending expulsion notice.

The notice must also tell the member that any complaints related to the potential expulsion should be submitted to the Consumer Assistance Center via NCUA’s website if the complaint cannot be resolved directly with the credit union.

The FCU must maintain a copy of the provided notice for its records.

Non-substantial Violations/Disruptions

If an FCU is considering expelling a member due to repeated “non-substantial” violations of the membership agreement or repeated non-substantial disruptions to the FCU’s operations, the FCU must provide written notice to the member at least once prior to the notice of expulsion, and the violation or conduct must be repeated within two years after the member was notified of the violation. The written notice must state the specific nature of the violation or conduct and that if the violation or conduct occurs again, the member may be expelled from the FCU.

Hearing

Under the final rule, a member has 60 calendar days from the date of receipt of notification of pending expulsion to request a hearing from the board of directors of the FCU. A member is not entitled to attend the hearing in person, but they must be provided a meaningful opportunity to present their case orally to the FCU’s board of directors through a videoconference hearing.

The member may also elect to provide a written submission to the board of directors instead of a hearing with oral statements.

If the member does not request a hearing or provide a written submission, the member shall be deemed expelled after the end of the 60-day period after receipt of the notice. If a member requests a hearing, the FCU board must provide the member with a hearing. At the hearing, the board may not raise any rationale for expulsion that is not explicitly included in the notice to the member.

FCU Board Vote

After the hearing, the FCU board must hold a vote within 30 calendar days on expelling the member. If a member is expelled, either through the expiration of the 60-day period or a vote to expel the member after a hearing, a written notice of the expulsion must be provided to the member in person, by mail to the member’s address, or, electronically, if the member has elected to receive communications electronically.

Notice of Expulsion

The written notice of expulsion must provide information on the effect of the expulsion, including information related to account access and any withdrawals by the FCU related to amounts due. Specifically, the notice should include pertinent information to the member, including that the expulsion does not relieve a member of any liability to the FCU and that the FCU will pay all the member’s shares upon their expulsion, less any amounts due. The notice should include a line-by-line accounting of any deductions related to amounts due. It should also include when and how the member will receive any money in their accounts.

Reinstatement

The final rule requires that if the FCU addresses a request for reinstatement through an annual meeting, this meeting must occur within 90 days of the reinstatement request. The NCUA Board believes a previously expelled member should not have to wait up to one year for a resolution to their reinstatement request. The rule also clarifies that an in-person vote is not required if the FCU holds a meeting of the members to vote on the reinstatement request. The final rule does not include automatic reinstatement if the conviction is overturned. Each FCU board could take this into consideration if a member requests reinstatement. The overturning of a conviction might cause the FCU to reconsider its expulsion decision, but the underlying conduct that led to expulsion may still be relevant. In this area, the Board believes that FCUs should exercise sound judgment and consult with counsel if they need further guidance.

Record Retention

The final rule requires an FCU to retain all documentation relating to the expulsion of a member for six years.

Implementation by FCUs

After the effective date of this final rule, FCUs have the option to amend their bylaws to provide their boards of directors with the authority to expel members for cause. FCUs seeking to adopt these changes must amend their bylaws through a two-thirds vote of their boards of directors.

FCUs seeking to make these changes do not need to submit the amendment to the NCUA for its approval provided the amendment is identical to the language included in this final rule or only includes additional language on hearing procedures as discussed in the final rule. FCUs may adopt amendments immediately after the effective date of the final rule or at any point in the future.

This amendment is optional and FCUs do not need to amend their bylaws or take any other action in response to this final rule. FCUs electing to not make changes to their bylaws in response to the final rule could expel a member solely through a special meeting of the members or based on a violation of a nonparticipation policy.

[1] The optional disclosure has been added to the end of the FCU Standard Bylaws.