Proposed Rule Summary: NCUA Rules & Regulations Part 715—Supervisory Committee Audits & Verifications

NASCUS Proposed Rule Summary

NCUA Rules & Regulations Part 715: Supervisory Committee Audits & Verifications

December 2025

As part of a “Deregulation Project” NCUA is proposing changes to its rules for credit union audits: Part 715 Supervisory Committee Audits and Verifications. NCUA’s rule applies in part to federally insured state credit unions (FISCUs) by reference in Part 741.202. These rules do not apply to privately insured credit unions.

Comments must be submitted to NCUA by February 9, 2026.

The proposed rule may be read in its entirety here.

Summary

  • Section 715.2(h)

§715.2 contains definitions for NCUA’s audit and verification rules. NCUA is proposing to eliminate a paragraph in § 715.2(h), which defines “Internal control.” NCUA now believes the definition is too prescriptive and risks becoming outdated. Specifically, NCUA would eliminate the listing of the 5 components of an internal control structure and would also eliminate the sentence defining reliable financial reporting as too narrow. The revised provision would read as follows:

(h) Internal control refers to the process, established by the credit union’s board of directors, officers and employees, designed to provide reasonable assurance of reliable financial reporting and safeguarding of assets against unauthorized acquisition, use, or disposition.

A credit union’s internal control structure consists of five components: control environment; risk assessment; control activities; information and communication; and monitoring. Reliable financial reporting refers to preparation of Call Reports (NCUA Forms 5300 and 5310) that meet management’s financial reporting objectives.

Internal control over safeguarding of assets against unauthorized acquisition, use, or disposition refers to prevention or timely detection of transactions involving such unauthorized access, use, or disposition of assets which could result in a loss that is material to the financial statements.

  • Section 715.8(a)

The current rule requires members’ accounts to be verified against the records of the treasurer of the credit union. NCUA would eliminate the reference to the Treasurer and have the rule require member accounts be verified against the records of the credit union.

  • Section 715.9(b)

Part 715(9) addressed requirements related to credit union engagement of outside auditors. Specifically, the provision requires the scope of work to be documented in an engagement letter contracted between the supervisory committee and the auditor, including noting that the contract must be signed by both parties. NCUA now finds the addition of the requirement to have the contract signed to be unnecessary given the clear understanding that the requirement to enter into a contract inherently includes the contract be signed.

  • Section 715.10(a)

Part 715.10(a) requires, in part, a credit union’s supervisory committee to provide NCUA with a copy of audit reports upon request. Because NCUA has statutory authority to access all of a credit union’s books and records, NCUA believes reiterating this requirement in Part 715 is redundant and unnecessary. NCUA proposes eliminating the last sentence of existing Part 715.10(a) that requires the supervisory committee to provide the audit report upon request.

  • Section 715.12

NCUA §715.12(b) asserts NCUA’s authority to require a FICU to obtain a financial statement audit. The last two sentences of the provision describe the objectives of a financial statement audit. NCUA now believes those final two sentences to be unnecessary. The revised provision would read:

715.12(b) Financial statement audit required. The NCUA Board may compel a federal credit union to obtain a financial statement audit performed in accordance with GAAS by an independent person who is licensed by the State or jurisdiction in which the credit union is principally located (even if such audit is not required by § 715.5), for any fiscal year in which the credit union has experienced serious and persistent recordkeeping deficiencies as defined in paragraph (c) of this section.

The objective of a financial statement audit performed under this paragraph is to reconstruct the records of the credit union sufficient to allow an unqualified or, if necessary, a qualified opinion on the credit union’s financial statements. An adverse opinion or disclaimer of opinion should be the exception rather than the norm.

NASCUS Note: As noted above, §715 applies to FISCUs by reference in Part 741.202 which reads as follows:

§ 741.202 Audit and verification requirements.

(a) The supervisory committee of each credit union insured pursuant to title II of the Act shall make or cause to be made an audit of the credit union at least once every calendar year covering the period elapsed since the last audit. The audit must fully meet the applicable requirements set forth in part 715 of this chapter or applicable state law, whichever requirement is more stringent.

(b) Each credit union which is insured pursuant to title II of the Act shall verify or cause to be verified, under controlled conditions, all passbooks and accounts with the records of the financial officer not less frequently than once every 2 years. The verification must fully meet the requirements set forth in § 715.8 of this chapter.

While NCUA does not seek comment on § 741.202, NASCUS encourages state system stakeholders to consider commenting on necessary changes to this provision to provide greater clarity and guidance to FISCUs as to what provisions of Part 715 apply. For example, §715.3 discusses the responsibilities of the supervisory committee, however FISCUs are not required by NCUA rules to have a supervisory committee.

In considering Part 715 and Part 741.202, numerous other changes and clarifications could reduce regulatory burden for FISCUs.

NASCUS Proposed Rule Summary: NCUA Rules & Regulations Part 748 Guidance on Response Programs for Unauthorized Access to Member Information and Member Notice – Appendix B

December 2025

As part of the first round of the “Deregulation Project” NCUA is proposing changes to its rules relating to Guidance on Response Programs for Unauthorized Access to Member Information and Member Notice, Part 748.

Federally Insured State Credit Unions must comply with Part 748 by reference to standards pursuant to sections 501 and 505(b), codified at 15 U.S.C. 6801 and 6805(b), of the Gramm-Leach-Bliley Act.  These requirements are also cross-referenced to 12 CFR Part 1016 “Privacy of Consumer Financial Information (Regulation P) through Part 716.

The proposed rule may be read in its entirety here: Guidance on Response Programs for Unauthorized Access to Member Information and Member Notice.

Comments are due to NCUA by February 9, 2026.

Summary

This guidance interprets section 501(b) of the Gramm–Leach–Bliley Act (GLBA) and complements Part 748’s security obligations by outlining how federally insured credit unions should respond to unauthorized access to member information—defined as any nonpublic personal information, in any form—that could cause substantial harm or inconvenience to members. The guidance builds upon Appendix A’s three core expectations:

  1. Ensuring security and confidentiality of member information
  2. Protecting against anticipated threats to data integrity
  3. Preventing unauthorized access that could harm members

Under the current Rule federally insured credit unions must establish a risk-based response program tailored to their size, complexity, and risk profile.  This should include:

  • Incident Assessment – Evaluate the scope, systems, and types of data involved.
  • Regulatory Notification – Alert the NCUA Regional Director (and state regulator if applicable) promptly upon detecting unauthorized access to sensitive data.
  • Law Enforcement & SAR Reporting – File Suspicious Activity Reports and notify law enforcement for criminal breaches requiring immediate attention.
  • Containment & Preservation – Take measures like freezing accounts or preserving forensic data to prevent further access.
  • Member Notification – Inform affected members when misuse is confirmed or reasonably possible.

For incidents via service providers, credit unions must ensure their contracts obligate providers to alert the credit union quickly and support executing the response program.

Proposed Changes:

The NCUA Board (Board) is proposing to remove Appendix B to part 748. The reason for the potential removal is because the Board feels that its placement within the Code of Federal Regulations (CFR) causes confusion in that it is viewed as a mandatory regulatory requirement instead of nonbinding guidance.  If removed, the Board would then publish the content as guidance to provide clarity.  Currently there is no information on whether the republication of Appendix B into a nonbinding Letter to Credit Union would include any proposed amendments.

Key Considerations:

  1. Creates distinction between regulation and guidance, which is the main factor associated with the proposed removal of the appendix
  2. No true change in obligations of credit unions around responsibility, which also means no reduction in member protection
  3. Potential of improved flexibility with creating response programs based on an organization’s size and risk profile
  4. Potential of reduced regulatory burden   

NASCUS Proposed Rule Summary

NCUA Rules & Regulations Part 748 Safeguarding Member Information

December 2025

As part of the “Deregulation Project” NCUA is proposing changes to its rules relating to Safeguarding Member Information, Appendix A to Part748. Federally Insured State Credit Unions must comply with Part 748 by reference to standards pursuant to sections 501 and 505(b), codified at 15 U.S.C. 6801 and 6805(b), of the Gramm-Leach-Bliley Act.  These requirements are also cross referenced to 12 CFR Part 1016 “Privacy of Consumer Financial Information (Regulation P) through Part 716.

The proposed rule may be read in its entirety here: Guidelines for Safeguarding Member Information.

Comments are due to NCUA by February 9, 2026.

Summary

In November 1999, Congress passed the Gramm-Leach Bliley Act (GLBA)[1] which, among other things, required the NCUA and all federal banking agencies (FBAs) to establish standards for financial institutions relating to administrative, technical, and physical safeguards for customer records and information.[2]

These safeguards are intended to: (1) ensure the security and confidentiality of customer records and information, (2) protect against any anticipated threats or hazards to the security or integrity of such records, and (3) protect against unauthorized access to or use of such records or information that would result in substantial harm or inconvenience to any customer.[3]

After passage of GLBA, the NCUA Board (Board) determined that the standards required by GLBA could be most effectively adopted through an amendment to the NCUA’s existing regulation governing security programs in FICUs[4], an approach consistent with the FBAs by design, to include the standards required under GLBA as an appendix to part 748. The resulting Appendix A intended to provide FICUs with guidance in developing the security program required under § 748.0.

Appendix A has been amended over the years to reflect new requirements and maintain consistency with comparable regulations and guidelines issued by the FBAs.  Most recently, in 2012 and 2013, the Board again amended part 748 and Appendix A with technical changes mandated by the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act) and based on the NCUA’s rolling, 3-year regulatory review.[5]

The Dodd-Frank Act, among other things, transferred rulemaking authority for many consumer protection regulations from the Federal Reserve Board to the Consumer Financial Protection Bureau (CFPB).[6]

As a result, the NCUA was required to update certain cross citations within its regulations and rescind part 716 governing the “Privacy of Consumer Financial Information” under GLBA.[7]

The rule aims to strengthen credit unions’ obligations to protect member data against unauthorized access, use, or disclosure. It aligns with evolving cybersecurity threats and incorporates best practices for risk management.

Key elements of the current guidelines include:

  • Risk Assessment Requirements: Credit unions must periodically assess risks to member information, including internal and external threats.
  • Information Security Program: Institutions must maintain a written program that addresses administrative, technical, and physical safeguards.
  • Incident Response: Enhanced expectations for timely detection, containment, and reporting of security incidents.
  • Vendor Management: Credit unions must ensure third-party service providers implement appropriate safeguards.
  • Board Oversight: Boards are expected to approve and oversee the security program.

Proposed Changes

Under the rule amendment, the Board is proposing to remove Appendix A from the CFR and instead issue nonbinding guidance through a Letter to Credit Unions.  The intent of this change is to remove the impression that the standards outlined in the GLBA are legally binding rules and clarify they are instead intended to be an aid to satisfy the regulatory requirements of Part 748.

At this time, it is unknown whether the current Part 748 Appendix A will be wholly republished and incorporated into the new version of the guidance published as a NCUA Letter to Credit Unions.

The Board is seeking feedback on all aspects of the proposed rule, including the option of maintaining the status quo.

Implications for Federally Insured Credit Unions

  • Compliance Alignment: State-chartered credit unions will need to ensure their information security programs meet or exceed these federal guidelines, or appropriately mitigate weaknesses.  State laws or regulations may also impose similar requirements.
  • Operational Impact: Increased emphasis on cybersecurity risk assessments and vendor oversight will continue to require additional resources and expertise.
  • Reporting Obligations: Enhanced incident response requirements, as developed by the Cybersecurity and Infrastructure Security Agency, under the Cybersecurity and Infrastructure Security Agency Act of 2018, could lead to stricter cyber related requirements.

Implications for State Regulators

  • Supervisory Expectations: State regulators will need to incorporate the updated enforcement standards into their examination processes to maintain parity with federal oversight.
  • Coordination with NCUA: Greater collaboration may be necessary for incident reporting and enforcement, especially for federally insured state-chartered credit unions.
  • Policy Updates: States may consider revising their own regulations or guidance to align with NCUA’s enhanced framework, ensuring consistency and reducing regulatory burden.

[1] 15 U.S.C. 6801 et. seq. (Nov. 12, 1999).

[2] Id. At this time, “federal banking agencies” refers to the Office of the Comptroller of the Currency, the Federal Reserve Board, and the Federal Deposit Insurance Corporation, although at the time of GLBA’s passage the term included the now-defunct Office of Thrift Supervision.

[3] 15 U.S.C. 6801(b).

[4]66 FR 8152 (Jan. 30, 2001).

[5]77 FR 71085 (Nov. 29, 2012); 78 FR 32541 (May 31, 2013).

[6] 12 U.S.C. 5581(b)(6) (July 21, 2010).

[7]12 CFR part 716. To assist FICUs, the part 716 heading was retained with a cross citation to the CFPB’s republished version of the regulation at 12 CFR part 1016.

NASCUS Proposed Rule Summary
NCUA Rules & Regulations Part 701.20 Suretyship and Guaranty

December 2025

As part of the second wave of the “Deregulation Project” NCUA is proposing changes to its rules relating to Suretyship and Guaranty, Part 701.20.

Part 701.20 applies to state-chartered credit unions by reference in Part 741.221.

The proposed rule may be read in its entirety here: Suretyship and Guaranty

Comments are due to NCUA by February 27, 2026.

Summary

The Federal Credit Union Act (FCU Act) explicitly grants FCUs the power to, among other activities, make loans to members and to provide letters of credit on behalf of members.[1]

The accompanying incidental powers provision states that each FCU may “exercise such incidental powers as shall be necessary or requisite to enable it to carry on effectively the business for which it is incorporated.” [2]

Section 701.20, established in 2004, recognizes the ability of FCUs to enter into suretyship and guaranty agreements for their members as an incidental power, providing additional flexibility to meet member needs.[3]  At that time, Part 741.221 made the provisions of Part 701.20 applicable to FISCUs.

The NCUA Board proposes to remove the segregated deposit and collateral requirements under §701.20 when federally insured credit unions (FICUs) act as a surety or guarantor. This change aims to reduce regulatory burden and provide credit unions with greater flexibility in designing products to meet members’ needs.

Current Rule

  • FICUs acting as surety/guarantor must:
    • Limit obligations to a fixed amount and duration.
    • Create an authorized loan compliant with lending regulations.
    • Obtain segregated deposits or collateral equal to 100% or 110% of the obligation (depending on asset type).

Proposed Changes

  • Remove paragraphs (c)(3) and (d) of §701.20, eliminating:
    • Mandatory segregated deposit.
    • Collateral requirements (100% for cash/government obligations; 110% for real estate/securities).
  • FICUs remain subject to:
    • Fixed amount/duration limits.
    • Compliance with NCUA lending regulations and safety/soundness standards including the limitations on loans to one member or associated members or officials for purposes of §§ 701.21(c)(5), (d); 723.4(c).

Implications for State Credit Unions & Regulators

  • FISCUs authorized under state law to engage in suretyship/guaranty will benefit from reduced compliance burden.
  • State regulators should:
    • Review state-specific collateral requirements.
    • Ensure alignment with NCUA’s principles-based approach under Part 723 (Commercial Lending).
  • NCUA expects minimal federalism impact; states retain authority over FISCUs’ lending rules.

Key Considerations

  • Risk management remains critical—credit unions must determine appropriate collateral and underwriting standards.
  • No new reporting or recordkeeping requirements under the Paperwork Reduction Act.
  • NCUA certifies no significant economic impact on small credit unions (<$100M assets).
  • Comments invited on:
    • Safety and soundness implications.
    • Impact on state regulatory frameworks.
    • Whether additional guidance is needed for FISCUs.

[1] 12 U.S.C. 1757(5), 1757a

[2] 12 U.S.C. 1757(17).

[3] 69 FR 8547, Feb. 25, 2004.

NASCUS Proposed Rule Summary
NCUA Rules & Regulations Part 748 Catastrophic Act Reporting

December 2025

As part of the second wave of the “Deregulation Project” NCUA is proposing changes to its rules relating to Catastrophic Act Reporting, Part 748.

The proposed rule may be read in its entirety here: Catastrophic Act Reporting.

Comments are due to NCUA by February 27, 2026.

Summary

Part 748 requires a FICU to notify the appropriate NCUA Regional Director within five business days of any catastrophic act that occurs at its office(s). NCUA regulations define a catastrophic act as “any disaster, natural or otherwise, resulting in physical destruction or damage to the credit union or causing an interruption in vital member services, as defined in § 749.1 of this chapter and projected to last more than two consecutive business days.”[1]

Current Rule

  • FICUs are required by Part 748 to:
    • Develop a written security program designed to protect CU physical assets ensure the security and confidentiality of member records from unauthorized access, respond to incidents of unauthorized access and prevent destruction of vital records.
    • Provide notice to the NCUA Regional Director within 5 business days any catastrophic act that occurs at its offices, if projected to cause an interruption in vital member services for more than 2 days.
    • Notify the NCUA of reportable cyber incidents no later than 72 hours after the credit union reasonably believes that it has experienced a reportable cyber incident or has been notified by a 3rd party vendor who has experienced such an incident affecting its members.
    • File Suspicious Activity Reports, if it knows, suspects, or has reason to suspect that a transaction relates to money laundering activity, criminal activity or a violation of the Bank Secrecy Act no later than 30 calendar days from the date of detection.

Proposed Changes

  • Amend § 748.1(b) relative to catastrophic act reporting to:
    • Allow notice to the “NCUA” broadly and not require direct notification to the “NCUA Regional Director”.
    • Extend the notification requirement by a credit union affected by a catastrophic act to within 15 calendar days the event occurs from the current requirement of within 5 business days.
    • Remove the prescriptive list of items that a credit union should include in its internal record of a catastrophic act and replace it with a requirement that a credit union record the basic facts of the event.
  • FICUs remain subject to requirements to:
    • Develop a written security program designed to protect CU physical assets ensure the security and confidentiality of member records from unauthorized access, respond to incidents of unauthorized access and prevent destruction of vital records.
    • Notify the NCUA of reportable cyber incidents no later than 72 hours after the credit union reasonably believes that it has experienced a reportable cyber incident or has been notified by a 3rd party vendor who has experienced such an incident affecting its members.
    • File Suspicious Activity Reports if it knows, suspects, or has reason to suspect that a transaction relates to money laundering activity or a violation of the Bank Secrecy Act no later than 30 calendar days from the date of detection.

Implications for State Credit Unions

  • Reduced Compliance Burden
    • More time to mediate and report catastrophic acts and less prescriptive documentation requirements.
  • Operational Flexibility
    • Ability to focus on recovery and member service restoration before administrative tasks.
  • Alignment with Disaster Recovery Practices
    • Encourages integration with existing business continuity frameworks rather than rigid federal templates.

Implications for State Regulators

  • Coordination with NCUA
    • Centralized reporting may reduce direct interaction with regional offices; regulators should ensure they maintain visibility into catastrophic events affecting state-chartered FICUs.
    • Key concerns on NCUA processes to ensure NCUA communication to State Agencies of notifications received from state-chartered credit unions.
    • Coordination of regional, state or local resources towards responding to a catastrophic event.
  • Monitoring and Oversight Adjustments
    • Extended reporting timeline could delay awareness of operational disruptions; state regulators may consider supplemental notification requirements for state-chartered institutions.
  • Policy Harmonization
    • States may review their own catastrophic event reporting rules to align with NCUA’s less prescriptive approach, balancing burden reduction with supervisory needs.

Key Considerations

  • Risk Management: While burden is reduced, regulators should ensure that extended timelines do not compromise timely risk mitigation.
  • Cybersecurity Integration: NCUA seeks comment on using existing cyber incident reporting tools for catastrophic acts—states may evaluate similar efficiencies.
  • Small Credit Unions: NCUA certifies no significant economic impact; however, state regulators should assess whether smaller institutions need additional guidance under the new flexibility.

[1] 12 CFR 748.1(b). See also12 CFR 749, App. B, Catastrophic Act Preparedness Guidelines. The agency adopted this requirement under 12 U.S.C. 1785(e), which requires the agency to promulgate rules establishing minimum safety standards relating to security.

NASCUS Proposed Rule Summary

NCUA Rules & Regulations Part 740 Accuracy of Advertising and Notice of Insured Status

December 2025

As part of the second wave of the “Deregulation Project” NCUA is proposing changes to its rules relating to Accuracy of Advertising and Notice of Insured Status, Part 740.

The proposed rule may be read in its entirety here: Accuracy of Advertising and Notice of Insured Status.

Comments are due to NCUA by February 27, 2026.

Summary

Part 740 applies to all federally insured credit unions prescribing the requirements for the official sign insured credit unions must display, and the official advertising statement insured credit unions must include in their advertisements. It requires that all advertisements be accurate and also establishes requirements for advertisements of excess share insurance.

Over the years, the NCUA amended these regulations several times. The Board comprehensively revised and streamlined part 740 in a 2003 final rule.[1]  The primary purpose of the 2003 revision was to modernize the regulation for clarity, address the growing use of the internet for member transactions, and clarify the use of trade names in advertising.

In the 2006 final rule[2], the NCUA revised the official sign to reflect statutory changes from the Federal Deposit Insurance Reform Act of 2005, which included adding a statement that insured accounts are backed by the full faith and credit of the United States Government.

A subsequent 2008 final rule provided credit unions with additional flexibility permitting the use of a shortened advertising statement, “Federally insured by NCUA,” or the official sign itself in advertisements.[3]

In a 2011 final rule, the Board made the advertising rules more stringent.[4]  This amendment, among other changes, reduced the time exemption for radio and television advertisements from 30 seconds to 15 seconds. It also introduced the requirement to include the official advertising statement in annual reports and statements of condition, clarified that the statement’s font size in print must be no smaller than the smallest font used for other consumer information, and defined the term “advertisement” for the first time.

However, in a 2018 final rule, the NCUA reversed the 2011 change to the broadcast advertisement exemption to provide regulatory relief and restore parity with regulations for banks insured by the Federal Deposit Insurance Corporation.[5]  

The 2018 rule expanded the radio and television exemption back to 30 seconds and introduced a shorter advertising statement option: “Insured by NCUA.” Most recently, a 2020 final rule made technical corrections to improve clarity.[6]

The NCUA Board is issuing this proposed rule to streamline its regulations governing advertising and the notice of insured status. This proposed rule would eliminate provisions concerning the official advertising statement found in Part 740.5 and remove references to the official advertising statement found in Part 740.0 Scope.

Current Rule

  • FICUs are required to include one of several options of the “official advertising statement” in all covered advertisements.
  • Covered advertisements require mandatory language and graphic requirements unless exempted under Part 740.5(c).

Proposed Changes

  • Remove section 740.5 definitions of the “official advertising statement” and references to the “official advertising statement found in 740.0 Scope, eliminating:
    • The requirement to include an official advertising statement.
    • The required standards for language and/or graphics to meet the official advertisement statement.
  • FICUs remain subject to:
    • Ensuring the accuracy of advertising statements.
    • Requirements to clearly explain the type and amount of excess share insurance and the identity of the carrier and avoid implication of that carriers affiliation with NCUA or the federal government.
    • Requirements for the display of the official NCUA display at all windows/stations where insured account funds or deposits are normally received.

Implications for Federally Insured Credit Unions

  1. Reduced Compliance Burden
    • SCUs will no longer need to include prescribed language in every advertisement.
    • Eliminates complexity around exemptions (e.g., radio/TV spots, promotional items).
    • Frees resources previously dedicated to monitoring ad compliance.
  1. Flexibility in Marketing
    • SCUs can tailor advertising for digital and social media without rigid text requirements.
    • May still include NCUA insurance references voluntarily, provided they are accurate.
  1. No Change to Core Insurance Disclosures
    • Official NCUA sign remains mandatory in physical locations, websites, and mobile banking apps where deposits are taken.
    • Members still receive clear notice of insured status at points of account opening and transaction.

Implications for State Regulators

  • Minimal Impact on Supervisory Role
    • The rule does not alter state authority or examination responsibilities.
    • Oversight of SCUs remains unchanged; NCUA retains authority over insurance disclosures.
    • Deregulatory nature means fewer compliance issues for state regulators to monitor.

Key Takeaways

  • This is a deregulatory proposal aimed at modernizing advertising rules.
  • SCUs gain greater operational flexibility and lower compliance costs.
  • State regulators should note the removal of §740.5 but expect no shift in jurisdiction or responsibilities.
  • Comments on the proposal are invited; and due by February 27, 2026

[1] 68 FR 23382 (May 2, 2003).

[2] 71 FR 36719 (June 28, 2006).

[3]73 FR 56936 (Oct. 1, 2008).

[4] 76 FR 30523 (May 26, 2011).

[5] 83 FR 17913 (Apr. 25, 2018).

[6] 85 FR 62213 (Oct. 2, 2020).

NASCUS Proposed Rule Summary

NCUA Rules & Regulations Part 701.25 Loans to Credit Unions

December 2025

As part of the second wave of the “Deregulation Project” NCUA is proposing changes to its rules relating to loans to credit unions, Part 701.25. NCUA’s rules on loans between credit unions applies to state chartered credit unions by reference in Part 741.227.

The proposed rule may be read in its entirety here: Loans to Credit Unions

Comments are due to NCUA by February 27, 2026.

Summary

In 2021 NCUA finalized a rule permitting low-income designated credit unions, complex credit unions, and new credit unions to issue subordinated debt (sub debt). As part of the rulemaking, NCUA created new Part 701.25 to mitigate potential risk from credit unions engaging with sub debt.

Through Part 701.25, NCUA established various limits on total aggregate loans a lending credit union can make, limits on the total loans to a single credit union, limits on investment of the subordinated debt of another credit union, and numerous requirements for the credit union’s board of directors to establish a written loan policy and limits on such loans consistent with the regulatory aggregate limits.

The NCUA Board proposes to remove §701.25(b), which currently requires federally insured credit unions (FICUs) to:

  • Obtain board approval for all loans to other credit unions.
  • Adopt written policies specifying aggregate limits on such loans.

Why?

NCUA is now proposing to eliminate Part 701.25(b) because the agency now believes the requirement is redundant to long standing requirements for Federal Credit Unions to adopt written loan policies and procedures that are codified in §1757 of the Federal Credit Union Act.

NOTE: §1757 of the FCUA DOES NOT apply to state-chartered federally insured credit unions. Therefore, if this proposal is finalized there would be no NCUA share insurance requirement that a FISCU have written loan policies related to loans to other credit unions.

What remains?

  • Statutory limits and other provisions in §701.25 still apply (e.g., aggregate lending limits and eligibility requirements).
  • Federally insured state-chartered credit unions (FISCUs) will look to state law for board approval and policy requirements.

Key Takeaways for State Credit Unions

  1. Flexibility in Governance
    FISCUs will no longer be federally required to adopt written policies for loans to other credit unions. Boards can tailor oversight based on risk and operational needs.
  2. State Law Still Governs
    State regulators should confirm whether state statutes or rules impose similar approval or policy requirements. This change does not override state authority.
  3. Risk Management Remains Critical
    Even without prescriptive federal rules, prudent risk management practices—such as documenting board approval and setting internal limits—are strongly recommended.
  4. Operational Impact
    Removal of documentation requirements reduces compliance burden and saves time, especially for smaller credit unions. Estimated reduction: NCUA estimates a reduction of 1,650 annual burden hours.

Regulatory & Supervisory Considerations

  • Regulators: Assess whether state rules need clarification to avoid gaps in governance.
  • Credit Unions: Review internal lending policies to ensure they align with risk appetite and state requirements.
  • Comment Period Ends: February 27, 2026

NASCUS Summary on the Proposed Rule — NCUA Rules & Regulations Part 704: Corporate Credit Unions

December 2025

As part of a “Deregulation Project” NCUA is proposing changes to its rules for corporate credit unions: Part 704.

The first change would eliminate the requirement in Part 704.8(b) that a corporate credit union’s ALCO have at least one member from the corporate credit union’s board of directors. The second set of changes would eliminate several requirements in Part 704.15(c), including the requirement to file a copy of the annual report with NCUA, to submit management letters received from public accountants, the requirement to notify NCUA of late filing and the requirement that NCUA make a corporate credit union’s annual report available to the public.

Part 704 applies to state-charted corporate credit unions by reference in Part 741.206.

The proposed rule may be read in its entirety here: Corporate Credit Unions

Comments are due to NCUA by February 9, 2026.

Summary

  • Membership of the ALCO

Since 1997, NCUA has required corporate credit unions to operate according to a written asset and liability management policy and that each corporate credit union Additionally, the 1997 final rule required that each corporate credit union’s asset and liability management committee (ALCO) must have at least one member who is also a member of the board of directors. See 62 FR 12938 (Mar. 19, 1997).

NCUA now believes this requirement is too prescriptive and corporate credit unions should have more flexibility to determine the membership of their ALCOs. Therefore, NCUA proposes eliminating the requirement that at least one member of the ALCO must be a board member.

  • Supervisory Committee and reporting requirements

The 1997 rule required a corporate credit union’s supervisory committee to obtain an annual opinion audit of the corporate’s financial statements and to submit the audit report to NCUA along with all communications provided to the corporate by the external auditor. Later, NCUA added additional reporting requirements including that the corporate submit a copy of its annual report to NCUA within 180 days of the end of the calendar year, that the corporate submit to NCUA a copy of any management letter or report issued by its independent public accountant, and that a corporate notify NCUA when filing its annual report late. In addition, NCUA began making a corporate credit union’s annual report available for public inspection.

The proposed rule would eliminate:

  1. the requirements to file a copy of an annual report and any management letter or other report issued by its independent public accountant with the NCUA;
  2. the requirement that NCUA make the annual report available to the public; and
  3. the requirement to file notice of late filing with NCUA.

NASCUS Note:

NCUA’s proposed changes, while providing regulatory relief, are generally procedural. In evaluating the proposed rule for submission of comments, NASCUS encourages stakeholders to consider balance sheet rule changes that could provide corporates with greater flexibility in managing balance sheets in a safe and sound manner and improve the services and benefits corporates provide natural person credit unions.

CFPB Interpretive Rule on Fair Credit Reporting Act; Preemption of State Laws
12 CFR Part 1022

The Consumer Financial Protection Bureau (Bureau) issued an interpretive rule that clarified that the Fair Credit Reporting Act (FCRA) generally preempts State laws that touch on broad areas of credit reporting, consistent with Congress’s intent to create national standards for the credit reporting system.  The new interpretive rule replaces the July 2022 interpretive rule that was withdrawn by the Bureau in May 2025.

The new interpretive rule became effective on October 28, 2025. The rule can be found here.

Summary

The Fair Credit Reporting Act (FCRA) specifies requirements “concerning the creation and use of consumer reports.”  The Bureau notes that the FCRA has always preempted State law, however, the scope of that preemption has changed over time.

The FCRA has preempted state laws “to the extent that those laws are inconsistent with any provision of” the FCRA. Additionally, in 1996, Congress emphasized the national nature of FCRA standards by adding a provision that further preempted any state regulation related to specifically enumerated subjects already regulated by the FCRA. This newly added provision was due to expire in 2004. However, in 2003, Congress made the provision permanent. The primary preemption provision of the FCRA, 15 USC 1681t(b)(1) includes language that preempts areas of state law that were intended to be governed solely by Federal law. The provision specifically prohibits the imposition of state laws regarding any of the subject matters regulated under the subparagraphs of 1681t(b)(1).

In July 2022, the Bureau published an interpretive rule analyzing Section 1681t finding that the provision has a “narrow sweep” that allows for substantial State regulation of consumer reports and consumer reporting agencies. The rule concluded that unless a state law specifically concerned a requirement or obligation addressed in Section 1681t of the FCRA, it was not preempted.

In May 2025, the Bureau withdrew a number of guidance documents including this 2022 interpretive rule. The previous interpretation was withdrawn because it was determined to be unnecessary and did in alignment with the Administration’s goal of reducing compliance burdens. In addition, the Bureau is now issuing this new interpretive rule to clarify that the 2022 interpretation was incorrect. Specifically, the Bureau suggests that the 2022 interpretive rule contradicted the plan text of Section 1681t(b)(1), ignored the legislative history of the preemption clause, and reflected a misguided policy choice that would undermine the credit reporting system and credit markets. The new interpretation was issued to clarify the expectation of Congress that the FCRA create a national credit reporting standard that generally preempts broad state laws on the issue of credit reporting.

Senate Proposed Bill S. 3017: Streamlining Transaction Reporting and Ensuring Anti-Money Laundering Improvements for a New Era Act – STREAMLINE Act

NASCUS Summary
October 24, 2025

Background

The STREAMLINE Act (Streamlining Transaction Reporting and Ensuring Anti-Money Laundering Improvements for a New Era Act) was introduced in the U.S. Senate on October 20, 2025, by Senator Kennedy and co-sponsored by several other senators. It aims to modernize and improve the efficiency of financial reporting requirements under the Bank Secrecy Act (BSA), particularly those related to Currency Transaction Reports (CTRs) and Suspicious Activity Reports (SARs). These reports are critical tools for detecting and preventing money laundering, terrorist financing, and other illicit financial activities.  The bill also proposes to require Treasury to review and modernize reporting forms, recordkeeping requirements and reporting thresholds at least every 5 years while seeking to mandate automation of reporting systems.

Implications For Credit Unions

  • Higher thresholds mean fewer CTRs and SARs, reducing compliance costs and administrative workload.
  • Encourages automation and streamlining of reporting systems.
  • Provides predictability through periodic inflation adjustments.

Implications For Regulators

  • May require updates to state rules, guidance and exam procedures to align with federal thresholds.
  • Changes in reporting volumes could affect monitoring and oversight.
  • Potential involvement in reviewing and implementing updated procedures.

 Summary of Key Provisions

Currency Transaction Reports (CTRs) pursuant to sections 5313 and 5315 of title 31, United States Code

  • Raises the reporting threshold from $10,000 to $30,000.
  • Requires inflation adjustment every 5 years based on the Consumer Price Index (CPI), rounded to the nearest $1,000.

Nonfinancial Business Reporting Updates Section 5331 of Title 31

  • Raises the threshold for reporting cash transactions from $10,000 to $30,000.
  • Includes similar inflation adjustments every 5 years.

Suspicious Activity Reports (SARs) for certain transactions as described under section 5318(g) of title 31, United States Code

  • Raises the threshold from $2,000 to $3,000.
  • Raises the threshold from $5,000 to $10,000 for others.

Treasury Review and Reporting

  • Requires review and modernization of reporting forms and recordkeeping requirements.
  • Mandates analysis of aggregation, prioritization, and automation of reporting systems.
  • Requires submission of a report to Congress with recommendations.

Rule of Construction

  • Clarifies that the Act does not affect the Treasury’s authority to issue Geographic Targeting Orders (GTOs).
  • Does not alter existing GTOs or prevent lowering thresholds when legally justified.
  • Does not alter the ability of the Secretary of Treasury to reduce reporting thresholds when consistent with applicable law.

Timeframes related to the above changes

  • Updated thresholds would need to occur no later than 180 days after the date of enactment.
  • Updates for inflation occur no later than 5 years after the date of enactment, and every five years thereafter.
  • The bill states that no later than 360 days after the date of enactment, the Secretary of the Treasury shall:
    • Review forms, reporting, and record-keeping requirements to ensure they are effective and efficient for identifying illicit finance activity
    • Update forms, as necessary
    • Conduct reviews and submit reports
    • Submit to the Committee on Banking, Housing, and Urban Affairs of the Senate and the Committee on Financial Services of the House of Representatives a report that:
      • Summarizes the results of the review
      • Include recommendations for updating forms and requirements

NASCUS Summary on the NCUA Proposed Rule: Prohibition on Use of Reputation Risk
October 21, 2025

NCUA has issued a proposed rule to codify the elimination of reputation risk from its supervisory program. The proposed rule would prohibit NCUA:

  1. From criticizing or taking adverse action against a federally insured credit union (FICU) or any other entity NCUA may now or in the future supervise;
  2. From requiring, instructing, or encouraging a FICU to close an account, to refrain from providing an account, product, or service, or to modify or terminate any product or service on the basis of a person or entity’s political, social, cultural, or religious views or beliefs, constitutionally protected speech, or on the basis of politically disfavored but lawful business activities perceived to present reputation risk;
  3. From requiring, instructing, or encouraging an institution or its employees to terminate a contract with, discontinue doing business with, or modify the terms under which it will do business with a person or entity on the basis of the person’s or entity’s political, social, cultural, or religious views or beliefs, constitutionally protected speech, or on the basis of the third party’s involvement in politically disfavored but lawful business activities perceived to present reputation risk.

NCUA emphasizes that the proposed prohibition on NCUA’s use of reputation risk does not affect requirements or limitations related to field of membership. Nor would the prohibition affect requirements under OFAC, CTR rules, or the NCUA’s administration of Community Development Revolving Loan Fund activities, or any other federal law mandates consideration of criteria such as character and fitness or integrity.

NASCUS Note: The proposed rule, while applicable to NCUA’s interactions with federally insured state (chartered) credit unions (FISCUs), it only applies to NCUA examiners and NCUA activities. It does not apply to state rules, state supervision, or state examiners.

Comments are due to NCUA by December 22, 2025.

Background

NCUA’s proposed rule follows Letter to Credit Unions 25-CU-05 Elimination of Reputation Risk issued in September of this year. The LTCU in turn follows Executive Order 14331, Guaranteeing Fair Banking for All Americans. The Executive order required federal bank regulators (including NCUA) to remove reputation risk from their oversight and supervisory materials and directed the Small Business Administration. For more background on the Executive Order, see this overview from Holland & Knight.

It is important to note that proposed rule deals exclusively with NCUA’s use of reputation risk in its regulatory and supervisory functions. The proposed rule does not address the second element of Executive Order 14331 related to prohibitions on institutions debanking of customers protected political views. The proposed rule would not alter the ability of a credit union to make business decisions regarding its members, accountholders, or third-party arrangements consistent with safety & soundness and compliance with applicable laws.

The preamble to the proposal notes that in NCUA’s view, assessing reputation risk is too subjective, too ambiguous, and lacks measurable criteria and is therefore inappropriate for NCUA to use in its oversight. However, NCUA also notes that credit unions should operate in a manner that members view favorably, noting that credit union management is better positioned to make decisions that will positively reflect on the credit union.

Proposed Rule and Changes

The proposal would make two changes to the current NCUA Rules and Regulations.

  • Part 702 Prompt Corrective Action

Under NCUA’s Capital Planning rule, Part 702.304(b)(2) requires as a mandatory part of a covered credit union’s capital planning include:
A discussion of how the credit union will, under expected and unfavorable conditions, maintain stress test capital commensurate with all of its risks, including reputational, strategic, legal, and compliance risks;

  • Part 791 Rules of NCUA Board Procedure; Promulgation of NCUA Rules & Regulations; Public Observation of NCUA Board Meetings

The bulk of the proposed changes would affect Part 791.

  1. The proposed rule would change the title of Part 791 to “Rules of NCUA Board Procedure; Promulgation of NCUA Rules & Regulations; Public Observation of NCUA Board Meetings; Use of Supervisory Guidance; Prohibition on Use of Reputation Risk” [emphasis added]
  2. The proposed rule would add new Subpart E to Part 791, Prohibition on Use of Reputation Risk by NCUA. The provision prohibits NCUA from criticizing an “institution,” formally or informally, or taking “adverse action” against an institution on the basis of “reputation risk.”

NASCUS note: One key to understanding the proposed rule is understanding how NCUA is defining some key terms such as “reputation risk” and “adverse action.” Key definitions in the proposed rule include:

  • “Adverse action” would be defined as any negative feedback delivered by or on behalf of the NCUA to an institution, including in an NCUA-issued report of examination or a formal or informal enforcement action, supervisory action, or decisions on applications.
  • ‘‘Doing business with’’ means an institution providing any product or service, account services; contracting with a 3rd party vendor; providing discounted or free products or services to customers or third parties, including charitable activities; entering into, maintaining, modifying, or terminating an employment relationship; or any other similar business activity that involves an institution’s member or accountholder or a third party.
  • ‘‘Institution’’ means an entity for which the NCUA makes or will make supervisory determinations or other decisions, either solely or jointly.
  • ‘‘Reputation risk’’ is defined as any risk, regardless of how the risk is labeled by the institution or the NCUA, that an action or activity, or combination of actions or activities, or lack of actions or activities, of an institution could negatively impact public perception of the Institution for reasons unrelated to the current or future financial condition of the institution.

NASCUS note: In theory, these definitions taken together likely mean that on a joint State/NCUA exam, NCUA would not participate in any discussions by the state of reputation risk. It also likely means that NCUA would assign its own CAMELS rating for a FISCU where the state rating included reputation risk. What is unclear is what NCUA would do with respect to accepting a state examination, where NCUA was not present (a majority of FISCU exams) and the state references reputation risk.

Request for Comments

NCUA identified 9 specific issues for which they would like feedback. However, stakeholders may offer comments on all aspects of the proposed rule.

  1. Do commenters believe the prohibitions capture the types of actions that add undue subjectivity to supervision based on reputation risk? If there are other prohibitions that would be warranted, please identify such prohibitions and explain.
  2. Is the definition of ‘‘adverse action’’ in the proposed rule sufficiently clear? Should the definition be broader or narrower? Are there other types of agency actions that should be included in the list of ‘‘adverse actions?’’ Does the catch-all provision at the end of the definition of ‘‘adverse action’’ appropriately capture any agency action that is intended to punish or discourage credit unions on the basis of perceived reputation risk? Is such catch-all provision sufficiently clear?
  3. Are commenters aware of any other uses of reputation risk in supervision that should be addressed in this proposed rule? If so, please describe such uses and their effects on credit unions.
  4. Do commenters believe the definition of ‘‘reputation risk’’ should be broadened or narrowed? If so, how should the definition be broadened or narrowed? Please provide support for any suggested changes.
  5. The proposed definition of ‘‘reputation risk’’ includes risks that could negatively impact public perception of a credit union for reasons unrelated to the credit union’s financial condition. Should this be broadened to include reasons unrelated to the credit union’s operational condition?
  6. Should the list of relationships that would constitute ‘‘doing business with’’ include additional types of relationships?
  7. Does the removal of reputation risk create any other unintended consequences for the agency or institutions?
  8. Would the proposed rule have any costs, benefits, or other effects that the agency has not identified? If so, please describe any such costs, benefits, or other effects.
  9. Should the definition of institution be broadened or are there any other categories of activities that should be excluded from the scope of the rule?

FinCEN Summary: Notice on Financially Motivated Sextortion

FIN-2025-NTC2 | Financial Crimes Enforcement Network
NASCUS Legislative and Regulatory Affairs

October 2025

On September 8, 2025, FinCEN issued a Notice on “Financially Motivated Sextortion.” This Notice is addressed to financial institutions and describes the risks, red flags, and reporting expectations surrounding financially motivated sextortion.

 According to the Notice, financially motivated sextortion occurs when perpetrators, using fake personas, coerce victims to create and send sexually explicit images or videos of themselves, only to threaten to release the compromising material to the victims’ friends and family unless the victims provide payment.

How Financially Motivated Sextortion Works

Perpetrators often use fake online identities (or hijacked accounts) to befriend or lure targets, then request explicit images and later extort money by threatening disclosure of the images. These schemes tend to become more aggressive and once the initial payment is made, further demands continue, and are often made via P2P payment apps, convertible virtual currency (CVC), prepaid cards, money orders, and even goods.

The notice draws specific attention to how perpetrators may layer, launder, or obfuscate the cash flow through intermediaries or money mules, sometimes across multiple jurisdictions.  Additionally, perpetrators may utilize AI and deepfakes to generate synthetic explicit content (or alter images) to extort victims.

Jurisdictional and Geographical Patterns

The Notice indicates that perpetrators of these schemes are often located outside the United States, primarily in West African countries such as Benin, Cote d’Ivoire, and Nigeria, or Southeast Asian countries such as the Philippines, and they typically target English-speaking countries. According to FinCEN’s analysis of BSA data, the top reported jurisdictions where the subjects of suspicious transactions potentially related to financially motivated sextortion schemes were located, in rank order, include: Cote d’Ivoire, the United States, the Philippines, Monaco, Burkina Faso, the Dominican Republic, Kenya, Benin, and Nigeria (hereinafter referred to as “Jurisdictions of Concern”).  In some cases, perpetrators may operate as part of an organized criminal group; however, in most instances, the perpetrators are individuals or small groups.

Red Flag Indicators for Financial Institutions

The Notice provides for ten “red flag” behaviors or indicators that financial institutions should monitor. These include:

Red Flag Indicators for Victims Experiencing Financially Motivated Sextortion

  • Minor or customer sends multiple rapid P2P payments to a recipient in a Jurisdiction of Concern, with no clear personal link to that location.
  • A minor or young adult customer makes multiple low, round-dollar P2P transfers ($10–$50) over a short period to individuals with no prior relationship; the recipient quickly sends the funds to other accounts.
  • A customer makes payments that include payment memos with messages indicating extortion (e.g., “delete the pictures,” “please stop”) and typically occur during late-night and early-morning hours.
  • A customer, including a minor with a co-signed P2P account, buys CVC on a P2P platform and transfers it to an unhosted wallet linked to illicit activity or to a wallet with no prior relationship or lawful purpose.
  • A customer, including a minor with a co-signed account, makes multiple unusual prepaid card purchases that are later redeemed in another jurisdiction.

Red Flag Indicators for Money Mule Accounts

  • A customer, including a minor with a co-signed account, receives multiple P2P payments from unrelated parties and quickly forwards the funds to other unrelated accounts, potentially indicating money mule coercion.
  • A customer’s account receives numerous small P2P deposits over a short period, followed by rapid cash withdrawals or transfers with no apparent lawful purpose.
  • A customer’s P2P or bank account experiences a high volume of transfers to and from accounts in Jurisdictions of Concern with no business or apparent lawful purpose.
  • A customer receives multiple P2P payments, uses the funds to buy CVC, and transfers it to an unhosted wallet linked to illicit activity or to a CVC exchange in a Jurisdiction of Concern.
  •  A customer deposits or cashes multiple small money orders from unrelated or geographically distant individuals with no apparent lawful purpose.

SAR Filing Instructions

The Notice provides SAR filing instructions and requests that financial institutions indicate a connection between suspicious activity begin reported and activities highlighted in this notice by including the key term “FIN-2025-SEXTORTION” in SAR Field 2, as well as in the narrative.  SARE Field 38(z) (Other) should also be selected as the associated suspicious activity type to indicate a connection between suspicious activity reported and financially motivated sextortion activity, and include the term “SEXTORTION” in the text box.