Letter to Credit Unions 23-CU-07
Cyber Incident Notification Requirements

NASCUS Legislative and Regulatory Affairs Department
August 17, 2023 


NCUA issued Letter to Credit Unions 23-CU-07 to provide additional guidance on the agency’s cyber incident notification rule. As a reminder, beginning September 1, 2023, all federally insured credit unions (FICUs) are required to notify NCUA as soon as possible, and no later than 72 hours, after the credit union reasonably believes it has experienced a reportable cyber incident or received a notification from a third party regarding a reportable cyber incident.

The letter summarizes the amendments to part 748 and provides instructions on what and how to report to the NCUA. It also includes examples of reportable (Appendix A) and non-reportable (Appendix B) incidents. To provide further assistance, the NCUA has also included a cyber incident reporting quick reference guide.


Summary

As addressed in the NASCUS final rule summary, a reportable incident is any “substantial” cyber incident that leads to one or more of the following:

  • A substantial loss of confidentiality, integrity, or availability of a network or member information system that results from the unauthorized access to or exposure of sensitive data, disrupts vital member services or has a serious impact on the safety and resiliency of operational systems and processes.
  • A disruption of business operations, vital member services, or a member information system resulting from a cyberattack or exploitation of vulnerabilities.
  • A disruption of business operations or unauthorized access to sensitive data facilitated through, or caused by, a compromise of a credit union service organization, cloud service provider, or other third-party data hosting provider or by a supply chain compromise.

The guidance indicates that federally insured credit unions may report a cyber incident through one of the following channels:

FICUs that report an incident should be prepared to provide as much of the following information as is known at the time of reporting:

  • Credit union name;
  • Credit union charter number;
  • Name and title of individual reporting the incident;
  • Telephone number and email address;
  • When the credit union reasonably believed a reportable cyber incident took place; and
  • A basic description of the reportable cyber incident, including what functions were, or are reasonably believed to have been, affected, and whether sensitive information was compromised.

At the time of notification, do not send the NCUA:

  • Sensitive personally identifiable information;
  • Indicators of compromise;
  • Specific vulnerabilities; or
  • Email attachments.

If the NCUA requires additional information or clarification, the agency will follow up with the credit union directly.

If they have not done so already, FICUs should complete the following steps when implementing the final rule:

  • Review and update existing incident response plans;
  • Review contracts;
  • Provide employee training;
  • Monitor and review the credit union reporting process for effectiveness; and
  • Document all cyber incidents, regardless of whether they meet the reporting criteria, and maintain the records in accordance with the credit union’s record retention policy. As part of the documentation process, FICUs should specifically document:
    • Indicators of compromise;
    • Network information or traffic regarding the attack;
    • The attack vector;
    • Information on any exfiltrated data; and
    • Any forensic or other reports about the reportable cyber incident.

Additional information and resources can be found at the NCUA’s Cybersecurity Resources webpage.

Final Rule Summary
NCUA: Federal Credit Union Bylaws

NASCUS Legislative and Regulatory Affairs Department
July 28, 2023


On March 15, 2022, Congress enacted the Credit Union Governance Modernization Act of 2022. Under the statute, the NCUA has 18 months following the date of enactment to develop a policy by which a federal credit union member may be expelled for cause by a two-thirds vote of a quorum of the FCU’s board of directors. On July 20, 2023, the Board issued a final rule to amend the standard Federal Credit Union (FCU) Bylaws, adopting this policy.

The rule is effective August 25, 2023. The final rule can be found here.

Summary

Under the current bylaws, removing a member of an FCU requires a two-thirds majority vote of credit union members present at a meeting specifically called for that purpose or a lack of participation as defined and adopted in a policy approved by the FCU’s board of directors.

The final rule adopts a policy by which an FCU member may be expelled for cause by a vote of two-thirds of a quorum of the FCU’s board of directors. The final rule also makes conforming changes to Article II of the FCU Bylaws regarding members in good standing.

Member Expulsion and Withdrawal

Under the final rule, an FCU member may be expelled for cause by a two-thirds vote of a quorum of the FCU’s board of directors. For cause means the following:

  • A substantial or repeated violation of the FCU’s membership agreement;
  • A substantial or repeated disruption, including dangerous or abusive behavior (including violence, intimidation, physical threats, harassment, or physical or verbal abuse of officials or employees of the FCU, members, or agents of the FCU), to the operations of an FCU; or
  • Fraud, attempted fraud, or conviction of other illegal conduct in relation to the FCU, including the FCU’s employees conducting business on behalf of the FCU.

As discussed at the Board meeting upon approval of the final rule, and as noted in the preamble to the final rule, the legislative history of the Governance Modernization Act indicates that an FCU’s use of this authority to expel a member should be rare and reserved for egregious member behavior.

The final rule for member expulsion includes the following:

Notice of the Expulsion Policy

Under the final rule, in accordance with the Governance Modernization Act, an FCU’s directors may expel a member only if the FCU has provided, in written or electronic form, a copy of the NCUA’s expulsion policy or the optional standard disclosure notice[1] to each member of the credit union.

Notice of Pending Expulsion

If a member is subject to expulsion, the member must be notified in writing in advance along with the reason for the expulsion. The final rule provides that relevant dates, sufficient detail for the member to understand the grounds for expulsion, how to request a hearing, the procedures related to the hearing, and, if applicable, a general statement on the effect of expulsion related to the member’s accounts or loans at the credit union must be included in the pending expulsion notice.

The notice must also tell the member that any complaints related to the potential expulsion should be submitted to the Consumer Assistance Center via NCUA’s website if the complaint cannot be resolved directly with the credit union.

The FCU must maintain a copy of the provided notice for its records.

Non-substantial Violations/Disruptions

If an FCU is considering expelling a member due to repeated “non-substantial” violations of the membership agreement or repeated non-substantial disruptions to the FCU’s operations, the FCU must provide written notice to the member at least once prior to the notice of expulsion, and the violation or conduct must be repeated within two years after the member was notified of the violation. The written notice must state the specific nature of the violation or conduct and that if the violation or conduct occurs again, the member may be expelled from the FCU.

Hearing

Under the final rule, a member has 60 calendar days from the date of receipt of notification of pending expulsion to request a hearing from the board of directors of the FCU. A member is not entitled to attend the hearing in person, but they must be provided a meaningful opportunity to present their case orally to the FCU’s board of directors through a videoconference hearing.

The member may also elect to provide a written submission to the board of directors instead of a hearing with oral statements.

If the member does not request a hearing or provide a written submission, the member shall be deemed expelled after the end of the 60-day period after receipt of the notice. If a member requests a hearing, the FCU board must provide the member with a hearing. At the hearing, the board may not raise any rationale for expulsion that is not explicitly included in the notice to the member.

FCU Board Vote

After the hearing, the FCU board must hold a vote within 30 calendar days on expelling the member. If a member is expelled, either through the expiration of the 60-day period or a vote to expel the member after a hearing, a written notice of the expulsion must be provided to the member in person, by mail to the member’s address, or electronically, if the member has elected to receive communications electronically.

Notice of Expulsion

The written notice of expulsion must provide information on the effect of the expulsion, including information related to account access and any withdrawals by the FCU related to amounts due. Specifically, the notice should include pertinent information to the member, including that the expulsion does not relieve a member of any liability to the FCU and that the FCU will pay all the member’s shares upon their expulsion, less any amounts due. The notice should include a line-by-line accounting of any deductions related to amounts due. It should also include when and how the member will receive any money in their accounts.

Reinstatement

The final rule requires that if the FCU addresses a request for reinstatement through an annual meeting, this meeting must occur within 90 days of the reinstatement request. The NCUA Board believes a previously expelled member should not have to wait up to one year for a resolution to their reinstatement request. The rule also clarifies that an in-person vote is not required if the FCU holds a meeting of the members to vote on the reinstatement request. The final rule does not include automatic reinstatement if the conviction is overturned. Each FCU board could take this into consideration if a member requests reinstatement. The overturning of a conviction might cause the FCU to reconsider its expulsion decision, but the underlying conduct that led to expulsion may still be relevant. In this area, the Board believes that FCUs should exercise sound judgment and consult with counsel if they need further guidance.

Record Retention

The final rule requires an FCU to retain all documentation relating to the expulsion of a member for six years.

Implementation by FCUs

After the effective date of this final rule, FCUs have the option to amend their bylaws to provide their boards of directors with the authority to expel members for cause. FCUs seeking to adopt these changes must amend their bylaws through a two-thirds vote of their boards of directors.

FCUs seeking to make these changes do not need to submit the amendment to the NCUA for its approval provided the amendment is identical to the language included in this final rule or only includes additional language on hearing procedures as discussed in the final rule. FCUs may adopt amendments immediately after the effective date of the final rule or at any point in the future.

This amendment is optional and FCUs do not need to amend their bylaws or take any other action in response to this final rule. FCUs electing to not make changes to their bylaws in response to the final rule could expel a member solely through a special meeting of the members or based on a violation of a nonparticipation policy.


[1] The optional disclosure has been added to the end of the FCU Standard Bylaws.

Letter to Credit Unions 23-CU-06
Importance of Contingency Funding Plans

NASCUS Legislative and Regulatory Affairs Department
August 1, 2023


On July 28, 2023, the NCUA issued Letter to Credit Unions (LTCU) 23-CU-06 upon joining with the FDIC, Federal Reserve, and the OCC to issue the Addendum to the Interagency Policy Statement on Funding and Liquidity Risk Management: Importance of Contingency Funding Plans. The agencies expect all depository institutions to maintain actionable contingency funding plans that consider a range of possible stress scenarios.

Summary

LTCU 23-CU-06 and the supporting addendum serve as a reminder to credit unions about the importance of a strong and viable contingency funding plan, as previously addressed in Supervisory Letter 14-03 and LTCU 10-CU-14.

The events of the first half of 2023 further highlight the importance of having such plans in place. Specifically, depository institutions should:

  • Assess the stability of their funding and maintain a broad range of funding sources that can be accessed should circumstances arise;
  • Remain aware of the operational steps required to obtain funding from contingency sources, including knowledge of contact details and availability of collateral;
  • Test plans to ensure staff understand the process and engage in appropriate planning; and
  • Review and revise plans periodically depending on market conditions and strategic initiatives.

The addendum also provides information on available funding sources through the Federal Reserve Discount Window and the Central Liquidity Facility for state and federally chartered credit unions.

Information regarding the discount window can be found here. Information regarding the Central Liquidity Facility can be found here.

Proposed Interagency Guidance with Request for Comment
Interagency Guidance on Reconsiderations of Value of Residential Real Estate Valuations

NASCUS Legislative and Regulatory Affairs Department
July 25, 2023


On July 21, 2023, the Federal Reserve Board, CFPB, FDIC, OCC, and NCUA (the Agencies) issued proposed guidance highlighting risks associated with deficient residential real estate valuations. The guidance also describes how financial institutions may incorporate reconsiderations of value (ROV) processes and controls into existing risk management functions. The proposed guidance also highlights examples of policies and procedures that a financial institution may choose to establish to help identify, address, and mitigate the risk of discrimination impacting residential real estate valuations.

Comments on the proposed guidance are due on or before September 19, 2023.


Summary

The Federal Reserve Board, FDIC, OCC, and NCUA issued guidance in 2010 that describes actions financial institutions may take to correct deficiencies identified in collateral valuations. The current guidance includes ordering a second appraisal or evaluation or resolving the deficiency through the original appraiser or preparer of the evaluation.

The agencies do not have existing guidance specific to ROV processes and have received questions from financial institutions and other industry stakeholders on ROVs, highlighting the uncertainty in the industry on how ROVs intersect with appraisal independence requirements and compliance with consumer protection laws, including those related to non-discrimination.

A financial institution’s use of third parties in the valuation review process does not diminish its responsibility to comply with applicable laws and regulations.

Description of Proposed ROV Guidance

The proposed guidance addresses the following:

  1. Describes the risks of deficient collateral valuations, which can:
    • Prevent individuals, families, and neighborhoods from building wealth through homeownership;
    • Prevent prospective buyers from purchasing homes;
    • Make it harder for homeowners to sell or refinance their homes and increase the risk of default.
  2. Outlines applicable statutes, regulations, and existing guidance that govern ROVs and collateral valuations;
    • Fair Housing Act
    • Equal Credit Opportunity Act
    • Truth in Lending Act
  3. Explains how ROV processes and controls can be incorporated into existing risk management functions such as appraisal review and complaint management; and
    • Financial institutions can capture feedback regarding potential deficiencies through existing complaint resolution processes.
    • Data collected can be an important indicator of potential risks and risk management weaknesses.
  4. Provides examples of ROV policies, procedures, and controls that financial institutions may choose to adopt that:
    • Consider ROVs as a possible resolution for consumer complaints related to residential property valuations.
    • Consider whether any information or other process requirements related to a consumer’s request for a financial institution to initiate an ROV create unreasonable barriers or discourage consumers from requesting an ROV.
    • Establish a process that provides for the identification, management, analysis, escalation, and resolution of valuation-related complaints across all relevant lines of business, from various channels and sources (such as letters, phone calls, in-person, regulators, third-party service providers, emails, and social media).
    • Establish a process to inform consumers how to raise concerns about the valuation early enough in the underwriting process for any errors or issues to be resolved before a final credit decision is made. This may include suggesting to consumers the type of information they may provide when communicating with the financial institution about potential valuation deficiencies.
    • Identify stakeholders to clearly outline each business unit’s roles and responsibilities for processing an ROV request;
    • Establish risk-based ROV systems that route the request to the appropriate business unit;
    • Establish standardized processes to increase the consistency of consideration of requests for ROVs;
      1. Use clear, plain language in notices to consumers of how they may request the ROV;
      2. Use clear, plain language in ROV policies that provide a consistent process for the consumer, appraiser, and internal stakeholders;
      3. Establish guidelines for the information the financial institution may need to initiate the ROV process;
      4. Establish timelines in the complaint or ROV process for when milestones need to be achieved;
      5. Establish guidelines for when a second appraisal could be ordered and who assumes the cost; and
      6. Establish protocols for communicating the status of the complaint or ROV and results to consumers.
    • Ensure relevant lending and valuation-related staff, including third parties (e.g., appraisal management companies, fee-appraisers, mortgage brokers, and mortgage servicers) are trained to identify deficiencies (inclusive of prohibited discriminatory practices) through the valuation process.

Request for Comment

The agencies are seeking comments on all aspects of the proposed guidance as well as specific comments on the following:

  1. To what extent does the proposed guidance describe suitable considerations for a financial institution to take into account in assessing and potentially modifying its current policies and procedures for addressing ROVs?
    • What, if any, additional examples of policies and procedures related to ROVs should be included in the guidance?
    • Which, if any, of the policies and procedures described in the proposed guidance could present challenges?
  2. What model forms, or model policies and procedures, if any, related to ROVs would be helpful for the agencies to recommend?
  3. What other guidance may be helpful to financial institutions regarding the development of ROV processes?
  4. To what extent, if any, does the proposed ROV guidance conflict with, duplicate, or complement the existing Interagency Appraisal and Evaluation Guidelines or a financial institution’s policies and procedures to implement those Guidelines?

Additional comments are invited on:

  • Whether the collections of information are necessary for the proper performance of the agencies’ functions, including whether the information has practical utility;
  • The accuracy of the estimate of the burden of the information collections, including the validity of the methodology and assumptions used;
  • Ways to enhance the quality, utility, and clarity of the information to be collected;
  • Ways to minimize the burden of the information collections on respondents, including through the use of automated collection techniques or other forms of information technology; and
  • Estimates of capital or start-up costs and costs of operation, maintenance, and purchase of services to provide information.

Minority Depository Institution Preservation Program Proposed Interpretive Ruling and Policy Statement
National Credit Union Administration

NASCUS Legislative and Regulatory Affairs Department
July 28, 2023


In 2015, the NCUA Board approved IRPS 13-1, establishing the Minority Depository Institution Preservation Program (MDI program) to encourage the preservation of MDIs as well as the establishment of new MDI credit unions. On June 22, 2023, the NCUA Board issued proposed revisions to Interpretive Ruling and Policy Statement (IRPS) 13-1 regarding the agency’s Minority Depository Institution Preservation Program for credit unions.

In 2018, the Board restructured the agency. This restructuring included establishing the Office of Credit Union Resources and Expansion (CURE). CURE subsequently assumed administration of the MDI program from the agency’s Office of Minority and Women Inclusion.

The proposed changes to IRPS 13-1 summarized below are intended to reflect the changes in NCUA’s structure, provide several updates to the MDI program’s features, and clarify the requirements for a credit union to receive and maintain an MDI designation.

Comments are due to NCUA on the proposed changes on or before August 28, 2023.


Summary

The NCUA is proposing the following amendments to IRPS 13-1.

  1. Incorporate recent program initiatives such as the consulting and support program for MDIs, and provide examples of technical assistance an MDI may receive. Technical assistance includes:
    • Providing guidance in resolving examination concerns;
    • Helping MDIs locate new sponsors, mentors, or merger partners;
    • Assisting with field of membership expansions;
    • Supporting management in setting up new programs and services;
    • Attempting to preserve the minority character of failing institutions during the resolutions process; and
    • Assisting groups that are interested in chartering a new MDI.
  2. Include subsections on engagement with MDIs, technical assistance, examination of MDIs, Community Development Revolving Loan Fund grants and loans, training and education, and preservation of MDIs.
    • The NCUA expects examiners to recognize the distinctive characteristics and differences in core objectives of each financial institution and to consider these when evaluating an MDI. Examiners can evaluate an MDI against peer metrics, such as those in the FPR.
    • MDIs without the low-income designation are now eligible for CDRLF grants and loans.
  3. Establish a new standard for MDIs to assess their designation. Under the standard, a credit union is eligible to receive the MDI designation if it meets all of the following criteria:
    • A majority (greater than 50%) of its current members are from any of the eligible minority groups;
    • A majority of the members of its board of directors are from any of the eligible minority groups; and
    • A majority of the community it serves, as designated in its field of membership, is from any of the eligible minority groups.

A credit union defined as a “small credit union” [1] by the NCUA may self-certify greater than 50% representation among current members, and within the community it serves (potential members), based solely on its knowledge of those members. A credit union not defined as a “small credit union” by the NCUA may rely on one of the following methods to determine the minority composition of its current membership:

    • Demographic data from the U.S. Census Bureau;
    • Home Mortgage Disclosure Act (HMDA) data;
    • Data on racial identity collected from members who voluntarily choose to participate in such collection, used to determine minority representation among the credit union’s members; or
    • Any other reasonable form of data, such as membership address lists or an employer’s demographic analysis of employees.

An MDI credit union must assess whether it continues to meet the required definition of an MDI whenever there is a significant change in its board of directors or in its field of membership, and must update its designation, if necessary, in the NCUA Credit Union Profile.

  4. Update how the NCUA will review an MDI’s designation status to reflect that it will be part of the examination process.
  5. Simplify “community it services, as designated in its charter” to refer to an MDI’s field of membership.
  6. Specify that “Asian American” includes Native Hawaiian or Other Pacific Islander, and “Native American” includes American Indian and Alaska Natives.
  7. Clarify that “small entity” means a “small credit union” as defined by the NCUA, and describe the simplified process for a small credit union to determine whether it qualifies as an MDI.
  8. Add new sections that address comments to the agency, the agency’s annual congressional reporting on MDIs, and the availability of the list of MDIs on the NCUA’s website.

The NCUA invites comments on all aspects of the proposed amendments to the IRPS. Additionally, the agency is seeking comments on any other aspects of the IRPS, on what additional information the agency could provide to help MDIs, and on how best to deliver that information.


[1] 80 FR 57512: Under the Regulatory Flexibility Act, the NCUA currently defines a small credit union as a credit union with total assets of less than $100 million.