Proposed Rule Summary: NCUA Rules & Regulations 12 CFR 701.32(b)(2)—Changes for Public Unit and Non-Member Shares

NASCUS Proposed Rule Summary
NCUA Rules & Regulations 12 CFR 701.32(b)(2): Changes for Public Unit and Non-Member Shares

January 2026

As part of its fourth wave of the “Deregulation Project” NCUA is proposing an amendment of its rule relating to public unit and non-member shares, Part §701.32, by removing the requirement in paragraph (b)(2) for a credit union’s board of directors to adopt a written plan documenting intended usage of borrowings, public unit, or non-member shares, if the funds exceed 70% of the FICU’s paid-in and unimpaired capital and surplus.

The proposed rule applies to all Federally Insured Credit Unions (FICUs) including Federally Insured State Credit Unions (FISCUs) through 12 CFR 741.204 and may be read in its entirety here: Changes for Public Unit and Non-Member Shares

Comments are due to NCUA by March 30, 2026.

Summary

Part §701.32 governs the acceptance of share deposits from public units and certain non-members, including other credit unions, by FICUs. NCUA states the purpose of the rule is intended to ensure that these funding sources are used in a manner that supports a credit union’s members while appropriately managing liquidity, concentration, and safety and soundness risks. 

The rule establishes:

  • Aggregate limits on public unit and non-member shares.
  • Written plan requirement when public unit and non-member shares, together with borrowings, exceed specified thresholds.
  • Operational limitations and due diligence expectations related to the acceptance and use of these funds.

The Board’s proposal would remove the written board plan requirement tied to funding levels that exceed 70% of capital and surplus.

Why?

NCUA has proposed amending §701.32based on its determination that the written plan requirement within the rule is overly prescriptive and creates unnecessary administrative burden without enhancing safety and soundness. 

The Board has stated credit unions should be able to manage share funding sources based on risk management practices and supervisory review, versus a one-size fits all plan mandate.

Key Considerations:

  • FICUs will remain subject to aggregate limits found in Part 701.32(b)(1) restricting total public unit and nonmember deposits to 50% of the net amount of paid-in and unimpaired capital and surplus.
  • FICUs will continue to be subject to the existing regulatory frameworks governing these types of shares.
  • The proposal reflects a shift toward allowing credit unions to use internal policies and procedures to show risk management rather than relying on a specific regulatory requirement.
  • While §701.32 applies to FICUs, Federally Insured State-Chartered Credit Unions (FISCUs) that apply for and maintain insurance are subject to the requirements of §701.32 under 12 CFR §741.204.

NASCUS Summary re: CFPB Agency Information Collection Activities (Consumer Response Intake Form)
CFPB 2026-0005
January 30, 2026

The Consumer Financial Protection Bureau issued a request for comment regarding their request to the Office of Management and Budget (OMB) to extend an information collection entitled “Consumer Response Intake Form.”

Comments are due by March 2, 2026, and the request for comments can be found here.

Summary

The Consumer Response Intake Form is designed to aid consumers in the submission of complaints, inquiries, and feedback and to help the Bureau fulfill its statutory requirements. Consumers will be able to complete and submit information through the Intake Form electronically on the Bureau’s website. Consumers may also request that the Bureau mail a paper copy of the Intake Form to them. The form prompts consumers for a description of, and key facts about, the complaint at issue, the desired resolution, contact and account information, information about the company they are submitting a complaint about, and previous action taken to attempt to resolve the complaint.

Comments

The CFPB is publishing this notice and soliciting comments on (i) whether the collection of information is necessary for the proper performance of the functions of the CFPB, including whether the information will have practical utility; (ii) the accuracy of the CFPB’s estimate of the burden of the collection of information, including the validity of the methods and the assumptions used; (iii) ways to enhance the quality, utility, and clarity of the information to be collected; and (iv) ways to minimize the burden of the collection of information on respondents, including through the use of automated collection techniques or other forms of information technology.

NASCUS Proposed Rule Summary
NCUA Rules & Regulations—Part 701.31 Nondiscrimination Requirements

January 2026

As part of its third wave of the “Deregulation Project” NCUA is proposing the removal of its rule relating to Nondiscrimination Requirements, Part 701.31.

The proposed rule does not apply to Federally Insured State Chartered Credit Unions (FISCUs) and may be read in its entirety here: Nondiscrimination Requirements

Comments are due to NCUA by March 16, 2026.

Summary

Part 701.31 is NCUA’s longstanding rule addressing nondiscrimination in real estate lending for federal credit unions.  The rule was created to reinforce federal fair lending laws by summarizing expectations as it relates to the following:

  • Equal access to housing-related credit
  • Non-discriminatory lending practices
  • Fair appraisals
  • Non-discriminatory advertising and signage

By incorporating federal nondiscrimination laws into the NCUA’s regulatory framework it has served as a reference point for examinations and reviews.

The NCUA Board proposes to remove Part 701.31 in its entirety.

Why?

NCUA has proposed the removal of 701.31 because it is duplicative of other existing, more comprehensive federal discrimination laws, including Fair Housing Act (FHA) and Equal Credit Opportunity Act (ECOA), and creates unnecessary burden for credit unions. NCUA has determined that maintaining the standalone regulation does not expand or clarify these statutory requirements.

The removal would not change credit unions’ compliance obligations regarding these statutory requirements.

Key Considerations:

  • No change to underlying compliance obligations. Removal of Part 701.31 would not alter the Federal Credit Union (FCU’s) responsibility to comply with all federal and state nondiscrimination laws
  • NCUA would rely on existing statutes and state laws to govern nondiscrimination requirements
    • Examinations will continue to assess nondiscrimination compliance

NASCUS Proposed Rule Summary
NCUA Rules & Regulations: Interpretative Ruling and Policy Statement 08-2 and Community Chartering Policies 10-1

January 2026

As part of its third phase of the “Deregulation Project,” NCUA is proposing the removal of its rules relating to Interpretive Ruling and Policy Statements Service to Underserved Areas 08-2 and Community Chartering Policies 10-1.

The proposed rules do not apply to Federally Insured State Credit Unions (FISCUs) and may be read in their entirety here: Service to Underserved Areas 08-2 and Community Chartering Polices 10-1.

Comments are due to NCUA by March 16, 2026.

Summary

Interpretive Ruling and Policy Statement (IRPS) 08-2 Service to Underserved Areas and 10-1 Community Chartering Policies are NCUA’s interpretive guidance governing how credit unions may serve underserved areas, including through the expansion of field of membership (FOM) authority.  The policy statements outline the eligibility criteria and parameters for credit unions that seek to demonstrate service to communities that lack adequate access to financial services.

Guidance has historically focused on identifying underserved areas based on economic distress indicators and census-based criteria.  This has provided a framework for federal credit unions to expand services while maintaining safety and soundness.

IRPS 08-2 outlines how credit unions may demonstrate service to underserved areas, including the criteria used to identify communities with limited access to financial services.  IRPS 10-1 addresses the standards and considerations used in evaluating community charter applications, including how geographic areas and community boundaries are defined.

NCUA incorporated the policies originally defined in IRPS 08-2 and IRPS 10-1 into the Chartering Manual in 2010, which now serves as the source for field-of-membership policies and procedures.  Accordingly, the NCUA Board has proposed to eliminate IRPS 08-2 and IRPS 10-1 in their entirety as redundant now that they have been incorporated verbatim in the Federal Credit Union (FCU) Chartering Manual (Part 701 Appendix B).

Key Considerations:

  • No change to the underlying FCU field of membership or chartering obligations. Removal of IRPS 08-2 and IRPS 10-1 would not alter FCU obligations under the applicable statutory or regulatory requirements
  • NCUA would rely on existing statutes to govern service to underserved areas and chartering – the information is housed in NCUA’s Chartering Manual

NCUA Letter to Credit Unions 26-CU-01 NCUA’s 2026 Supervisory Priorities

NASCUS Legislative and Regulatory Affairs 
January 16, 2026 

NCUA issued Letters to Credit Union 26-CU-01 outlining the agency’s supervisory priorities and other updates to its examination program 2026. The priorities focus on the areas the NCUA believes pose the highest risk to credit union members, the industry, and the NCUSIF.  Beyond that, the letter reinforces that the priorities are consistent with the agency’s No Regulation-by-Enforcement policy.

Supervisory Priorities for 2026 

  1. Balance Sheet Management

Lending

When evaluating credit union’s lending practices and credit risk management, NCUA examiners will focus on institution-specific risks around:

  • Underwriting
  • Loss mitigation programs (including modifications and workouts)
  • Allowance for credit loss reserves and methodologies
  • Charge-off practices
  • Portfolio monitoring

The letter also states that when various areas of lending are outsourced, examiners will also be assessing third-party risk-management practices.

Various lending-related resources are outlined, including the loan section of the Examiner’s Guide

Sensitivity to Market Risk and Liquidity

Interest Rate Risk and Liquidity risk remain key supervisory priorities due to ongoing interest rate volatility “following an extended period of balance sheet expansion and repricing.” NCUA will assess sensitivity to market and liquidity risk by evaluating how credit unions identify, measure, and manage interest rate and liquidity risk exposure through modeling, governance oversight, and alignment between balance sheet strategy and risk appetite.

Various resources are outlined, including the Liquidity and Sensitivity to Market Risk within the Examiner’s Guide.

Earnings and Capital Adequacy

NCUA states “earnings and capital adequacy remain central supervisory priorities.”  Higher funding costs and margin pressure have affected credit union earnings and capital accumulation. As well, equity capital remains constrained by unrealized losses on long-term securities that were purchased during the lower rate environment.  For some credit unions, this creates a reality where balance sheet flexibility is reduced.

NCUA will continue to focus on the sufficiency of earnings to support capital adequacy as it relates to pressures from interest rate volatility, credit, and liquidity stressing. Exam reviews may focus on:

  • Policies & Procedures
  • Risk Limits
  • Capital Planning Practices Including:
    • How credit unions incorporate credit interest rate risk
    • Funding constraints
    • Concentration risks

It is important to note that NCUA states their approach “will emphasize forward-looking analysis aligned with a credit union’s size, complexity, and risk profile.”

Various earnings and capital related resources are outlined, including the Earnings section of the Examiner’s Guide.

  • Operational Risk Management

Payment Systems

As payment systems continue to increase in complexity and fraud risk, NCUA examiners will continue to assess if credit unions are maintaining appropriate controls and oversight.  Examiners will focus on:

  • Effective governance and oversight
  • Risk assessment and monitoring practices
  • Third-party vendor management
  • Security frameworks and control environments

Payment systems related resources can be found within the Retail Payment Systems and the Wholesale Payment Systems section within the Federal Financial Institutions Examination Council’s IT Examination Handbook Infobase.

Fraud Prevention and Detection

The increasing sophistication of fraud schemes remains a supervisory priority.  NCUA will evaluate fraud prevention and detection programs, including internal controls, monitoring systems, and incident response practices.

Fraud Prevention information can be found at NCUA’s Fraud Prevention Resources page.

  • Compliance Risk Management

Bank Secrecy Act (BSA) Compliance and Anti-Money Laundering/Counter the Financing of Terrorism (AML/CFT) Programs

NCUA will continue to assess compliance with Bank Secrecy Act and AML/CFT requirements, with an emphasis on risk-based programs tailored to the organization’s risk profile.  Examiners will evaluate whether policies, procedures, and internal controls remain effective with regulatory changes and if they adequately mitigate the risk of financial activity.

This section states that “significant developments and changes in the regulatory system are expected in 2026.” It states NCUA will notify credit unions but emphasizes credit unions should stay informed via notifications so that their programs remain in compliance.  It is recommended that personnel receive FinCEN Updates.

More information and resources are available on the BSA/AML Resources page.

January 2026

The Consumer Financial Protection Bureau (CFPB) and the Department of Justice (DOJ) withdrew a joint statement issued in October 2023 regarding the implications of a creditor’s consideration of an individual’s immigration status under the Equal Credit Opportunity Act (ECOA).

The withdrawal is effective as of January 12, 2026 and the notice can be found here

Summary

The Equal Credit Opportunity Act (ECOA) prohibits discrimination by a creditor in any aspect of a credit transaction, on the basis of race, color, religion, national origin, sex, marital status, age, an applicant’s receipt of public assistance, or the good faith exercise of an applicant’s rights. 

In October 2023, the CFPB and DOJ published a joint statement cautioning creditors that policies related to an applicant’s immigration status could, in certain circumstances, run afoul of the prohibitions against discrimination on the basis of protected classes (including race and national origin) found in the ECOA and Regulation B. 

The agencies are now withdrawing this joint statement.  The agencies disagree with the joint statement’s interpretation of the ECOA and Regulation B, which the agencies currently suggest permit creditors to consider immigration or citizenship status.  They note that Regulation B expressly permits consideration of immigration or citizenship status for certain purposes. 

In addition, the statement is being withdrawn because the agencies believe it may have created the impression that either the ECOA or the statement itself imposed limitations on the consideration of immigration or citizenship status when evaluating an application for credit.  They have now determined that no such limitation exists. 

Finally, the agencies have decided that they will not issue revised guidance on this issue because it is unnecessary.  They suggest that no additional guidance is needed beyond what is provided by Regulation B. 

IRS Notice 2025-57: Transitional Guidance on Reporting Interest from Specified Passenger Vehicle Loans

NASCUS Summary
January 13, 2026

Background

The One, Big, Beautiful Bill Act (OBBBA), enacted on July 4, 2025, introduced a new reporting requirement under IRC section 6050AA. This provision supports a temporary tax deduction for qualified passenger vehicle loan interest (QPVLI) under section 163(h)(4), applicable for tax years 2025 through 2028. To facilitate this deduction, lenders—including credit unions—must report interest received from individuals on specified passenger vehicle loans.

Key Provisions

To ease implementation of the reporting requirement for interest paid on loans secured by qualified passenger vehicles for calendar year 2025, lenders may satisfy the reporting requirement by providing a simplified statement to borrowers showing the total interest received on qualifying loans. This statement can be delivered via online portals, monthly or annual statements, or other accessible formats until an OMB approved form is created. No penalties will be imposed under sections 6721 or 6722 for 2025 if this simplified method is used.

For reporting years 2026 through 2028, lenders will be required to report interest received on qualifying loans on an appropriate OMB approved form.

An OMB form is currently being developed for implementation in the 2026 tax reporting year.[1]  At this time, the tax deduction for QPVLI sunsets after the 2028 tax year reporting requirement.

Who Must Report:

  • Any person or entity (including credit unions) engaged in a trade or business that receives $600 or more in interest from an individual on a qualifying vehicle loan in a calendar year.

What Must Be Reported:

  •   Borrower’s name and address 
  • Total interest received 
  • Loan origination date 
  • Outstanding principal at the start of the year 
  • Vehicle details (year, make, model, VIN)

When:

  • Statements must be provided to borrowers by January 31 of the following year.

What Vehicles Qualify:

  • A qualified passenger vehicle is a car, minivan, van, SUV, pickup truck, or motorcycle with a gross vehicle weight rating of less than 14,000 pounds and that has undergone final assembly in the United States.

Implications for Credit Unions

1. Operational Readiness:

  • Prepare systems to track and report QPVLI starting in 2026.
  • Update data collection processes to capture vehicle-specific loan details.

2. Member Communication:

  • Ensure members receive clear, timely statements showing interest paid on qualifying loans.
  • Educate members about the potential deductibility of this interest.

3. Compliance Planning:

  • Develop internal controls for accurate reporting and timely delivery.
  • Coordinate with core processors and loan servicing platforms.

4. Recordkeeping:

  • Maintain documentation to support IRS compliance and member inquiries.
  • Align retention policies with IRS requirements.

 Implications for State Credit Union Regulators

1. Supervisory Oversight:

  • Monitor credit union readiness for section 6050AA compliance.
  • Encourage early adoption of data collection practices.

2. Guidance and Education:

  • Provide technical assistance or training on the new requirements.
  • Share IRS guidance and best practices.

3. Examination Focus:

  • Include QPVLI reporting readiness in 2025 and 2026 examinations.
  • Assess systems and controls in place.

[1] IRS Reporting form in development: ICR 202510-1545-002 OMB: 1545-2334

IRS Notice of Proposed Rulemaking and Notice of Public Hearing: 26 CFR Parts 1 and 301 (RIN 1545-BR75) Car Loan Interest Deduction

NASCUS Summary
January 13, 2026

Background

The One, Big, Beautiful Bill Act (OBBBA), enacted on July 4, 2025, introduced a new reporting requirement under IRC section 6050AA. This provision supports a temporary tax deduction for qualified passenger vehicle loan interest (QPVLI) under section 163(h)(4), applicable for tax years 2025 through 2028. To facilitate this deduction, lenders—including credit unions—must report interest received from individuals on specified passenger vehicle loans.

On October 21, 2025, the IRS released Notice 2025-57[1] to provide transitional guidance on the information reporting requirements under section 6050AA. Notice 2025-57 provides that an interest recipient will be deemed to have satisfied the reporting obligations under section 6050AA for interest on SPVLs received in 2025 if the interest recipient makes a statement available to the individual indicating the total amount of interest received in calendar year 2025 on an SPVL

This proposed rule and notice of hearing contains regulations regarding the deduction for certain taxpayers for an amount up to $10,000 of qualified passenger vehicle loan interest. This document also contains proposed regulations regarding new information reporting requirements effective for the 2026 tax year for certain persons who, in a trade or business, receive from any individual interest aggregating $600 or more for any calendar year on a specified passenger vehicle loan, including applicable penalties for failures to file information returns or furnish payee statements as required. The proposed regulations would affect taxpayers that may deduct qualified passenger vehicle loan interest, and also persons subject to these information reporting requirements. This document also provides notice of a public hearing on these proposed regulations. 

Written or electronic comments must be received by February 2, 2026. The public hearing is being held on February 24, 2026, at 10 a.m. ET. Requests to speak and outlines of topics to be discussed at the public hearing must be received by February 2, 2026.

Key Definitions

  • Interest Recipient: A person engaged in a trade or business who receives interest on an SPVL in the course of that trade or business.
  • Payor of Record: The principal borrower listed in the interest recipient’s records.
  • APV: Any vehicle with which: (i) the original use commences with the taxpayer; (ii) that is manufactured primarily for use on public streets, roads, and highways (not including a vehicle operated exclusively on a rail or rails); (iii) that has at least 2 wheels; (iv) that is a car, minivan, van, sport utility vehicle, pickup truck, or motorcycle; (v) that is treated as a motor vehicle for purposes of title II of the Clean Air Act; and (vi) that has a gross vehicle weight rating of less than 14,000 pounds. Section 163(h)(4)(D) also provides that the term APV does not include any vehicle the final assembly of which did not occur within the United States.
  • SPVL: Indebtedness incurred after Dec. 31, 2024, for the purchase of an applicable passenger vehicle (APV) for personal use, secured by a first lien on that APV.

Proposed Rule Implications to Creditors

Who Must Report

  • Any person engaged in a trade or business who receives $600 or more of interest in a calendar year on an SPVL from an individual (the “payor of record”) must:
    1. File an information return with the IRS, and
    2. Furnish a written statement to the payor of record.

Information Return Requirements

  • Must be filed on the form designated by the IRS (similar to Form 1098 series).
    • 2025 tax returns limited under transitional relief granted to reporters as outlined in IRS released Notice 2025-57, 2025-45 I.R.B. 692.
    • 2026 tax year returns forms are currently in development.[2]
  • Due Date:
    • February 28 of the year following the calendar year interest was received (or March 31 if filed electronically).
  • Electronic Filing: Required if the filer submits 10 or more returns in a calendar year.
  • Contents of the Return Effective for the 2026 Tax Year and Beyond:[3]
    • Name, address, and taxpayer identification number (TIN) of the payor of record.
    • Name, address, and TIN of the interest recipient.
    • Amount of interest received for the calendar year.
    • Outstanding principal on the SPVL as of the beginning of the calendar year.
    • Date of loan origination.
    • Year, make, model, and VIN of the vehicle securing the loan.
    • Date the SPVL was acquired by the interest recipient.
    • Any other information required by the IRS form or instructions.

Written Statement to Borrower

  • Must be furnished to the payor of record by January 31 of the year following the calendar year for which interest was received.
  • Must include:
    • All information reported to the IRS.
    • A legend identifying the statement as important tax information furnished to the IRS.
    • A warning that the borrower may not be able to deduct the full amount of interest shown (due to statutory limits and income phaseouts).

Additional Rules

  • Threshold: Reporting is mandatory for $600 or more of interest per SPVL; optional for less than $600.
  • Foreign Persons: Special rules apply if the interest recipient or payor is foreign.
  • Penalties: Failure to file correct returns or furnish statements may trigger penalties under IRC §§6721 and 6722.
  • Electronic Delivery: Permitted under IRS procedures (e.g., Publication 1179).

Creditor Responsibilities to Determine if a Loan is an SPVL

Under proposed §1.6050AA-1 and §1.163-16, creditors (including assignees) must confirm whether a loan meets the statutory definition of an SPVL before reporting:

Key Criteria for SPVL Status

  1. Loan Purpose: Indebtedness must be incurred after Dec. 31, 2024 for the purchase of an Applicable Passenger Vehicle (APV) for personal use.
  2. Collateral Requirement: Loan must be secured by a first lien on the APV.
  3. Vehicle Eligibility:
    • Original use begins with the taxpayer.
    • Final assembly occurred in the U.S.
    • Vehicle meets APV definition (car, minivan, SUV, pickup, motorcycle; <14,000 lbs GVWR).
  4. Personal Use Test: At origination, borrower expects >50% personal use.
  5. Exclusions: Loans for fleet sales, commercial vehicles, lease financing, salvage title vehicles, or vehicles for scrap/parts are not SPVLs.
  6. Related Party Rule: Indebtedness owed to a related party under IRC §§267(b) or 707(b)(1) is excluded.
  7. Refinancing: A refinanced loan qualifies only up to the outstanding balance of the original SPVL.

Practical Steps for Creditors

  • Review Retail Installment Sales Contract:
    • Confirm VIN and APV eligibility.
    • Check items financed—only amounts customarily financed with vehicle purchase (e.g., taxes, title fees, warranties) qualify.
  • Verify Personal Use:
    • Rely on contract indicators (personal vs. business use).
    • If unclear, obtain borrower attestation or documentation.
  • Assignment Scenario:
    • Assignees typically receive sufficient info (contract copy, VIN, lien status).
    • If personal use cannot be confirmed from documents, the assignee may seek information from the originator or borrower.
  • Optional Reporting: If uncertain and interest <$600, reporting is optional.

Implications for Credit Unions

1. Operational Readiness:

  • Prepare systems to track and report QPVLI starting in 2026.
  • Update data collection processes to capture vehicle-specific loan details.

2. Member Communication:

  • Ensure members receive clear, timely statements showing interest paid on qualifying loans.
  • Educate members about the potential deductibility of this interest.

3. Compliance Planning:

  • Develop internal controls for accurate reporting and timely delivery.
  • Coordinate with core processors and loan servicing platforms.

4. Recordkeeping:

  • Maintain documentation to support IRS compliance and member inquiries.
  • Align retention policies with IRS requirements.

Implications for State Credit Union Regulators

1. Supervisory Oversight:

  • Monitor credit union readiness for section 6050AA compliance.
  • Encourage early adoption of data collection practices.

2. Guidance and Education:

  • Provide technical assistance or training on the new requirements.
  • Share IRS guidance and best practices.

3. Examination Focus:

  • Include QPVLI reporting readiness in 2025 and 2026 examinations.
  • Assess systems and controls in place.

[1] 2025-45 I.R.B. 692

[2] IRS Reporting form in development: ICR 202510-1545-002 OMB: 1545-2334

[3] See IRS released Notice 2025-57, 2025-45 I.R.B. 692 for 2025 Tax Year Requirements.

NASCUS Proposed Rule Summary

NCUA Rules & Regulations Part 715: Supervisory Committee Audits & Verifications

December 2025

As part of a “Deregulation Project” NCUA is proposing changes to its rules for credit union audits: Part 715 Supervisory Committee Audits and Verifications. NCUA’s rule applies in part to federally insured state credit unions (FISCUs) by reference in Part 741.202. These rules do not apply to privately insured credit unions.

Comments must be submitted to NCUA by February 9, 2026.

The proposed rule may be read in its entirety here.

Summary

  • Section 715.2(h)

§715.2 contains definitions for NCUA’s audit and verification rules. NCUA is proposing to eliminate a paragraph in § 715.2(h), which defines “Internal control.” NCUA now believes the definition is too prescriptive and risks becoming outdated. Specifically, NCUA would eliminate the listing of the 5 components of an internal control structure and would also eliminate the sentence defining reliable financial reporting as too narrow. The revised provision would read as follows:

(h) Internal control refers to the process, established by the credit union’s board of directors, officers and employees, designed to provide reasonable assurance of reliable financial reporting and safeguarding of assets against unauthorized acquisition, use, or disposition.

Internal control over safeguarding of assets against unauthorized acquisition, use, or disposition refers to prevention or timely detection of transactions involving such unauthorized access, use, or disposition of assets which could result in a loss that is material to the financial statements.

  • Section 715.8(a)

The current rule requires members’ accounts to be verified against the records of the treasurer of the credit union. NCUA would eliminate the reference to the Treasurer and have the rule require member accounts be verified against the records of the credit union.

  • Section 715.9(b)

Part 715(9) addressed requirements related to credit union engagement of outside auditors. Specifically, the provision requires the scope of work to be documented in an engagement letter contracted between the supervisory committee and the auditor, including noting that the contract must be signed by both parties. NCUA now finds the addition of the requirement to have the contract signed to be unnecessary given the clear understanding that the requirement to enter into a contract inherently includes the contract be signed.

  • Section 715.10(a)

Part 715.10(a) requires, in part, a credit union’s supervisory committee to provide NCUA with a copy of audit reports upon request. Because NCUA has statutory authority to access all of a credit union’s books and records, NCUA believes reiterating this requirement in Part 715 is redundant and unnecessary. NCUA proposes eliminating the last sentence of existing Part 715.10(a) that requires the supervisory committee to provide the audit report upon request.

  • Section 715.12

NCUA §715.12(b) asserts NCUA’s authority to require a FICU to obtain a financial statement audit. The last two sentences of the provision describe the objectives of a financial statement audit. NCUA now believes those final two sentences to be unnecessary. The revised provision would read:

715.12(b) Financial statement audit required. The NCUA Board may compel a federal credit union to obtain a financial statement audit performed in accordance with GAAS by an independent person who is licensed by the State or jurisdiction in which the credit union is principally located (even if such audit is not required by § 715.5), for any fiscal year in which the credit union has experienced serious and persistent recordkeeping deficiencies as defined in paragraph (c) of this section.

NASCUS Note: As noted above, §715 applies to FISCUs by reference in Part 741.202 which reads as follows:

§ 741.202 Audit and verification requirements.

(a) The supervisory committee of each credit union insured pursuant to title II of the Act shall make or cause to be made an audit of the credit union at least once every calendar year covering the period elapsed since the last audit. The audit must fully meet the applicable requirements set forth in part 715 of this chapter or applicable state law, whichever requirement is more stringent.

(b) Each credit union which is insured pursuant to title II of the Act shall verify or cause to be verified, under controlled conditions, all passbooks and accounts with the records of the financial officer not less frequently than once every 2 years. The verification must fully meet the requirements set forth in § 715.8 of this chapter.

While NCUA does not seek comment on § 741.202, NASCUS encourages state system stakeholders to consider commenting on necessary changes to this provision to provide greater clarity and guidance to FISCUs as to what provisions of Part 715 apply. For example, §715.3 discusses the responsibilities of the supervisory committee, however FISCUs are not required by NCUA rules to have a supervisory committee.

In considering Part 715 and Part 741.202, numerous other changes and clarifications could reduce regulatory burden for FISCUs.

NASCUS Proposed Rule Summary: NCUA Rules & Regulations Part 748 Guidance on Response Programs for Unauthorized Access to Member Information and Member Notice – Appendix B

December 2025

As part of the first round of the “Deregulation Project” NCUA is proposing changes to its rules relating to Guidance on Response Programs for Unauthorized Access to Member Information and Member Notice, Part 748.

Federally Insured State Credit Unions must comply with Part 748 by reference to standards pursuant to sections 501 and 505(b), codified at 15 U.S.C. 6801 and 6805(b), of the Gramm-Leach-Bliley Act.  These requirements are also cross-referenced to 12 CFR Part 1016 “Privacy of Consumer Financial Information (Regulation P) through Part 716.

The proposed rule may be read in its entirety here: Guidance on Response Programs for Unauthorized Access to Member Information and Member Notice.

Comments are due to NCUA by February 9, 2026.

Summary

This guidance interprets section 501(b) of the Gramm–Leach–Bliley Act (GLBA) and complements Part 748’s security obligations by outlining how federally insured credit unions should respond to unauthorized access to member information—defined as any nonpublic personal information, in any form—that could cause substantial harm or inconvenience to members. The guidance builds upon Appendix A’s three core expectations:

  1. Ensuring security and confidentiality of member information
  2. Protecting against anticipated threats to data integrity
  3. Preventing unauthorized access that could harm members

Under the current Rule federally insured credit unions must establish a risk-based response program tailored to their size, complexity, and risk profile.  This should include:

  • Incident Assessment – Evaluate the scope, systems, and types of data involved.
  • Regulatory Notification – Alert the NCUA Regional Director (and state regulator if applicable) promptly upon detecting unauthorized access to sensitive data.
  • Law Enforcement & SAR Reporting – File Suspicious Activity Reports and notify law enforcement for criminal breaches requiring immediate attention.
  • Containment & Preservation – Take measures like freezing accounts or preserving forensic data to prevent further access.
  • Member Notification – Inform affected members when misuse is confirmed or reasonably possible.

For incidents via service providers, credit unions must ensure their contracts obligate providers to alert the credit union quickly and support executing the response program.

Proposed Changes:

The NCUA Board (Board) is proposing to remove Appendix B to part 748. The reason for the potential removal is because the Board feels that its placement within the Code of Federal Regulations (CFR) causes confusion in that it is viewed as a mandatory regulatory requirement instead of nonbinding guidance.  If removed, the Board would then publish the content as guidance to provide clarity.  Currently there is no information on whether the republication of Appendix B into a nonbinding Letter to Credit Union would include any proposed amendments.

Key Considerations:

  1. Creates distinction between regulation and guidance, which is the main factor associated with the proposed removal of the appendix
  2. No true change in obligations of credit unions around responsibility, which also means no reduction in member protection
  3. Potential of improved flexibility with creating response programs based on an organization’s size and risk profile
  4. Potential of reduced regulatory burden   

NASCUS Proposed Rule Summary

NCUA Rules & Regulations Part 748 Safeguarding Member Information

December 2025

As part of the “Deregulation Project” NCUA is proposing changes to its rules relating to Safeguarding Member Information, Appendix A to Part748. Federally Insured State Credit Unions must comply with Part 748 by reference to standards pursuant to sections 501 and 505(b), codified at 15 U.S.C. 6801 and 6805(b), of the Gramm-Leach-Bliley Act.  These requirements are also cross referenced to 12 CFR Part 1016 “Privacy of Consumer Financial Information (Regulation P) through Part 716.

The proposed rule may be read in its entirety here: Guidelines for Safeguarding Member Information.

Comments are due to NCUA by February 9, 2026.

Summary

In November 1999, Congress passed the Gramm-Leach Bliley Act (GLBA)[1] which, among other things, required the NCUA and all federal banking agencies (FBAs) to establish standards for financial institutions relating to administrative, technical, and physical safeguards for customer records and information.[2]

These safeguards are intended to: (1) ensure the security and confidentiality of customer records and information, (2) protect against any anticipated threats or hazards to the security or integrity of such records, and (3) protect against unauthorized access to or use of such records or information that would result in substantial harm or inconvenience to any customer.[3]

After passage of GLBA, the NCUA Board (Board) determined that the standards required by GLBA could be most effectively adopted through an amendment to the NCUA’s existing regulation governing security programs in FICUs[4], an approach consistent with the FBAs by design, to include the standards required under GLBA as an appendix to part 748. The resulting Appendix A intended to provide FICUs with guidance in developing the security program required under § 748.0.

Appendix A has been amended over the years to reflect new requirements and maintain consistency with comparable regulations and guidelines issued by the FBAs.  Most recently, in 2012 and 2013, the Board again amended part 748 and Appendix A with technical changes mandated by the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act) and based on the NCUA’s rolling, 3-year regulatory review.[5]

The Dodd-Frank Act, among other things, transferred rulemaking authority for many consumer protection regulations from the Federal Reserve Board to the Consumer Financial Protection Bureau (CFPB).[6]

As a result, the NCUA was required to update certain cross citations within its regulations and rescind part 716 governing the “Privacy of Consumer Financial Information” under GLBA.[7]

The rule aims to strengthen credit unions’ obligations to protect member data against unauthorized access, use, or disclosure. It aligns with evolving cybersecurity threats and incorporates best practices for risk management.

Key elements of the current guidelines include:

  • Risk Assessment Requirements: Credit unions must periodically assess risks to member information, including internal and external threats.
  • Information Security Program: Institutions must maintain a written program that addresses administrative, technical, and physical safeguards.
  • Incident Response: Enhanced expectations for timely detection, containment, and reporting of security incidents.
  • Vendor Management: Credit unions must ensure third-party service providers implement appropriate safeguards.
  • Board Oversight: Boards are expected to approve and oversee the security program.

Proposed Changes

Under the rule amendment, the Board is proposing to remove Appendix A from the CFR and instead issue nonbinding guidance through a Letter to Credit Unions.  The intent of this change is to remove the impression that the standards outlined in the GLBA are legally binding rules and clarify they are instead intended to be an aid to satisfy the regulatory requirements of Part 748.

At this time, it is unknown whether the current Part 748 Appendix A will be wholly republished and incorporated into the new version of the guidance published as a NCUA Letter to Credit Unions.

The Board is seeking feedback on all aspects of the proposed rule, including the option of maintaining the status quo.

Implications for Federally Insured Credit Unions

  • Compliance Alignment: State-chartered credit unions will need to ensure their information security programs meet or exceed these federal guidelines, or appropriately mitigate weaknesses.  State laws or regulations may also impose similar requirements.
  • Operational Impact: Increased emphasis on cybersecurity risk assessments and vendor oversight will continue to require additional resources and expertise.
  • Reporting Obligations: Enhanced incident response requirements, as developed by the Cybersecurity and Infrastructure Security Agency, under the Cybersecurity and Infrastructure Security Agency Act of 2018, could lead to stricter cyber related requirements.

Implications for State Regulators

  • Supervisory Expectations: State regulators will need to incorporate the updated enforcement standards into their examination processes to maintain parity with federal oversight.
  • Coordination with NCUA: Greater collaboration may be necessary for incident reporting and enforcement, especially for federally insured state-chartered credit unions.
  • Policy Updates: States may consider revising their own regulations or guidance to align with NCUA’s enhanced framework, ensuring consistency and reducing regulatory burden.

[1] 15 U.S.C. 6801 et. seq. (Nov. 12, 1999).

[2] Id. At this time, “federal banking agencies” refers to the Office of the Comptroller of the Currency, the Federal Reserve Board, and the Federal Deposit Insurance Corporation, although at the time of GLBA’s passage the term included the now-defunct Office of Thrift Supervision.

[3] 15 U.S.C. 6801(b).

[4]66 FR 8152 (Jan. 30, 2001).

[5]77 FR 71085 (Nov. 29, 2012); 78 FR 32541 (May 31, 2013).

[6] 12 U.S.C. 5581(b)(6) (July 21, 2010).

[7]12 CFR part 716. To assist FICUs, the part 716 heading was retained with a cross citation to the CFPB’s republished version of the regulation at 12 CFR part 1016.

NASCUS Proposed Rule Summary
NCUA Rules & Regulations Part 701.20 Suretyship and Guaranty

December 2025

As part of the second wave of the “Deregulation Project” NCUA is proposing changes to its rules relating to Suretyship and Guaranty, Part 701.20.

Part 701.20 applies to state-chartered credit unions by reference in Part 741.221.

The proposed rule may be read in its entirety here: Suretyship and Guaranty

Comments are due to NCUA by February 27, 2026.

Summary

The Federal Credit Union Act (FCU Act) explicitly grants FCUs the power to, among other activities, make loans to members and to provide letters of credit on behalf of members.[1]

The accompanying incidental powers provision states that each FCU may “exercise such incidental powers as shall be necessary or requisite to enable it to carry on effectively the business for which it is incorporated.” [2]

Section 701.20, established in 2004, recognizes the ability of FCUs to enter into suretyship and guaranty agreements for their members as an incidental power, providing additional flexibility to meet member needs.[3]  At that time, Part 741.221 made the provisions of Part 701.20 applicable to FISCUs.

The NCUA Board proposes to remove the segregated deposit and collateral requirements under §701.20 when federally insured credit unions (FICUs) act as a surety or guarantor. This change aims to reduce regulatory burden and provide credit unions with greater flexibility in designing products to meet members’ needs.

Current Rule

  • FICUs acting as surety/guarantor must:
    • Limit obligations to a fixed amount and duration.
    • Create an authorized loan compliant with lending regulations.
    • Obtain segregated deposits or collateral equal to 100% or 110% of the obligation (depending on asset type).

Proposed Changes

  • Remove paragraphs (c)(3) and (d) of §701.20, eliminating:
    • Mandatory segregated deposit.
    • Collateral requirements (100% for cash/government obligations; 110% for real estate/securities).
  • FICUs remain subject to:
    • Fixed amount/duration limits.
    • Compliance with NCUA lending regulations and safety/soundness standards including the limitations on loans to one member or associated members or officials for purposes of §§ 701.21(c)(5), (d); 723.4(c).

Implications for State Credit Unions & Regulators

  • FISCUs authorized under state law to engage in suretyship/guaranty will benefit from reduced compliance burden.
  • State regulators should:
    • Review state-specific collateral requirements.
    • Ensure alignment with NCUA’s principles-based approach under Part 723 (Commercial Lending).
  • NCUA expects minimal federalism impact; states retain authority over FISCUs’ lending rules.

Key Considerations

  • Risk management remains critical—credit unions must determine appropriate collateral and underwriting standards.
  • No new reporting or recordkeeping requirements under the Paperwork Reduction Act.
  • NCUA certifies no significant economic impact on small credit unions (<$100M assets).
  • Comments invited on:
    • Safety and soundness implications.
    • Impact on state regulatory frameworks.
    • Whether additional guidance is needed for FISCUs.

[1] 12 U.S.C. 1757(5), 1757a

[2] 12 U.S.C. 1757(17).

[3] 69 FR 8547, Feb. 25, 2004.