IRS’s Volunteer Income Tax Assistance Program Collaboration Opportunities

LTCU 21-CU-12 Internal Revenue Service’s Volunteer Income Tax Assistance Program Collaboration Opportunities 

November 2021

Credit unions have until November 15, 2021, to contact the Internal Revenue Service (IRS) to inquire about participating in the IRS’ Volunteer Income Tax Assistance (VITA) program ([email protected]).

The VITA program provides education for consumers on refundable credits, such as the Earned Income Tax Credit (EITC) and the Child Tax Credit (CTC). Credit unions may participate in the VITA program by:

  • Promoting the VITA program and eligibility requirements through social media, member statements, and/or hosting links to the VITA Locator Tool, and/or the IRS Free File;
  • Providing space and equipment at credit union facilities for members to prepare their own tax returns; and
  • Hosting IRS-certified volunteers onsite at the credit union to assist members.

NCUA notes that for credit unions, the benefits of participating in the VITA program include:

  • Potential to attract new members,
  • Asset and wealth building opportunities for members,
  • Greater financial education and financial stability among members,
  • Opportunities to partner with other community-based organizations,
  • Increased membership benefit offerings/potential increased membership loyalty,
  • Continuing professional education credits for qualified VITA-trained volunteers,
  • Free income tax preparation software or online access for credit unions and their members.

Credit union interested in participating in VITA program can learn more about the program at IRS Partner and Resource Center and Volunteer Site Coordinator Handbook. Interested credit unions should review their operations and strategic plans to determine if the program is a good fit that credit union.  Grants and other funding resources are available from NCUA and IRS.

Final Rule Summary: FCU CUSOs (Parts 712)
October 2021

Prepared by NASCUS Legislative & Regulatory Affairs Department

NCUA has issued a final rule related to federal credit union (FCU) credit union service organizations (CUSOs). NCUA’s final rule expands the list of permissible activities and services for CUSOs to include the origination of any type of loan that a FCU may originate and grants NCUA additional flexibility to approve permissible activities and services.

NCUA had also solicited comments in the proposed rule about whether to allow FCUs to invest in certain non-CUSO entities. NASCUS supported so doing, and NCUA noted NASCUS’s recommendation to allow FCUs to invest in certain federally insured state credit union (FISCU) CUSOs without those CUSOs then being subject to NCUA’s CUSO rule’s permissible activities provisions (those provisions do not currently apply to FISCU CUSOs). While not included in this final rule, NCUA did note it would consider that change at a later date.

The CUSO final rule may be read here. The rule becomes effective November 26, 2021.

The NCUA Board vote to approve the rule was a 2-1 vote. Competing views of the proposal are reflected in the enclosed statements by NCUA Chairman Harper (opposed)  and NCUA Board member Hood (in favor).

Summary

  • FCU CUSOs may now originate any type of loan that an FCU may originate.

NCUA will now permit FCU CUSOs to originate any type of loan that an FCU may originate. Prior to this rule change, FCU CUSOs were only permitted to make business, consumer mortgage, student, and credit card loans. NCUA limited FCU CUSO lending for the following reasons:

  1. FCU CUSOs may serve customers who are not members of a credit union and NCUA was concerned FCUs would then be profiting from non-members.
  2. NCUA believed if the FCU CUSO was making member loans, NCUA would have a duty to examine those loans.
  3. NCUA believed permitting FCU CUSOs to engage in a core credit union function could negatively affect affiliated credit union services.

NCUA cites the following mitigating factors for lifting the previous limitations:

  1. Although NCUA lacks 3rd party authority, FCUs may only lend or invest 1% of their paid-in and unimpaired capital and surplus, into their CUSOs (aggregate).
  2. Part 712.3(d) requires all FICUs that own CUSOs to stipulate by contract that NCUA has access to the CUSOs books and records.
  3. NCUA has broad investigative subpoena authority that agency staff can use to obtain records and testimony in certain extraordinary circumstances if needed.
  4. That most FCU CUSO loans are sold to FICUs which in turn are subject to examination and enforcement.
  5. The fact that 72% of natural person credit union CUSOs are wholly owned giving NCUA leverage over the FICU owner.

In addition to permitting a FCU CUSO to originate any type of a loan a FCU may make, FCU CUSOs are now permitted to purchase, sell, and hold any type of loan permissible for FCUs to purchase, sell, and hold. Under the final rule, FCU CUSO originated loans are not subject to the same restrictions as loans originated by FCUs. However, an FCU may not purchase a loan from a CUSO unless the loan meets the requirements of the NCUA’s eligible obligations rule. Similarly, an FCU may not purchase a loan participation from a CUSO unless it complies with the NCUA’s loan participations rule

With respect to loan participations, the final rule permits FCU CUSOs to purchase and sell only participation interests that are permissible for FCUs to purchase and sell.

  • All FCU CUSO loan originations are now considered complex or high risk and subject to the enhanced reporting requirements pursuant to the CUSO registry.

Under the current CUSO rule, a CUSO must submit an annual report to NCUA for inclusion in the CUSO registry. CUSOs that are engaged in complex or high-risk activities have enhanced reporting obligations for the registry. Pursuant to § 712.3(d)(4) complex or high-risk CUSOs must agree to include in their report:

  1. A list of services provided to certain credit unions;
  2. the investment amount, loan amount, or level of activity of certain credit unions;
  3. the CUSO’s most recent year-end audited financial statements;
  4. the total dollar amount of loans outstanding;
  5. the total number of loans outstanding;
  6. the total dollar amount of loans granted year-to-date; and
  7. the total number of loans granted year-to-date.

NCUA will now classify all lending by CUSOs as complex/high risk subject to the above reporting.

  • New authorities for FCU CUSOs will be authorized by publication on NCUA website

Permissible activities for a FCU CUSO are listed in § 712.5 and have before now required notice and comment rulemaking before being changed. In contrast, NCUA’s corporate credit union CUSO rules in § 704 allowed NCUA to add permissible activities for corporate credit unions by simply publishing the new authorities on the NCUA website.

Under the final rule, NCUA will now amend permissible activities for FCU CUSOs by publishing the new authorities on the NCUA website. NCUA is reserving the right to use notice and comment for “novel” authorities in the future. NCUA will also use notice and comment before removing authorities.

Final Rule Summary: CAMELS Rating System (Parts 701, 703, 704, 713)
October 2021

Prepared by NASCUS Legislative & Regulatory Affairs Department

NCUA is updating the NCUA’s supervisory rating system from CAMEL to CAMEL”S” by adding the ‘‘S’’ (Sensitivity to Market Risk) component to the existing CAMEL rating system and redefining the ‘‘L’’ (Liquidity Risk) component. The other federal bank regulators have been using the CAMELS rating system since 1997 and over half of state credit union regulators already use CAMELS rather than the NCUA CAMEL system to more precisely measure interest rate risk (IRR).

NCUA will implement the addition of the ‘‘S’’ rating component and a redefined ‘‘L’’ rating for examinations and contacts started on or after April 1, 2022.

The CAMELS final rule may be read here. The rule becomes effective April 1, 2022.

Summary

NCUA adopted the CAMEL rating system in 1987 to reflect the significant financial, operational, and management factors that examiners assess in their evaluation of a credit union’s performance and risk profile. NCUA is now updating the agency’s supervisory rating system from CAMEL to CAMELS by adding the ‘‘S’’ component to the existing CAMEL rating system to evaluate sensitivity to market risk and adding new rating criteria and evaluation factor examples.

“S” Rating Description

S Rating Description
1 • Risk management practices & controls for market risk are strong for the size & sophistication of the credit union, and the level of market risk it has accepted.
• There is minimal potential for market price or interest rate changes to create a material adverse effect on the credit union’s earnings performance or capital position.
• The credit union has more than sufficient earnings and capital to support the level of market risk taken by the credit union.
2 • Risk management practices & controls for market risk are satisfactory for the size & sophistication of the credit union, & the level of market risk it has accepted.
• There is only moderate potential for market price or interest rate changes to create a material adverse effect on the credit union’s earnings performance or capital position.
• The credit union has sufficient earnings and capital to support the level of market risk taken by the credit union.
3 • Risk management practices and controls for market risk are not fully commensurate with the size and sophistication of the credit union, or the level of market risk it has accepted.
• There is high potential for market price or interest rate changes to create a material adverse effect on the credit union’s earnings performance or capital position.
• The level of market risk taken is high in relation to the credit union’s earnings or capital.
4 • Risk management practices and controls for market risk are significantly deficient given the size and sophistication of the credit union, or the level of market risk it has accepted.
• There is high potential for market price or interest rate changes to threaten the viability of the credit union.
• The level of market risk taken is excessive in relation to the credit union’s earnings or capital.
5 • The level of market risk taken or exposure to market price or interest rate changes is an imminent threat to the credit union’s viability.

Modifying the ‘‘L’’ Component

Now that NCUA will adopt the CAMELS rating system, the agency will redefine the “L” component to focus exclusively on liquidity.

L Rating Description
1 • The credit union has strong liquidity levels.
• The credit union has well-developed funds management policies and practices.
• The credit union has reliable access to sufficient sources of funds on favorable terms to meet present and anticipated liquidity needs.
2 • The credit union has satisfactory liquidity levels.
• The credit union has adequate funds management policies and practices.
• The credit union has access to sufficient sources of funds on acceptable terms to meet present and anticipated liquidity needs.
3 • The credit union has low liquidity levels.
• The credit union’s funds management policies and practices are not fully commensurate with its size and complexity, or the liquidity risks it has taken.
• The credit union may lack ready access to funds on reasonable terms.
4 • The credit union has inadequate liquidity levels.
• The credit union’s funds management policies and practices are inadequate given its size and complexity, or the liquidity risks it has taken.
• The credit union is likely not able to obtain sufficient funds on reasonable terms to meet liquidity needs.
5 • Liquidity levels are so deficient there is an imminent threat to the credit union’s viability.
• The credit union requires extraordinary external financial assistance to meet maturing obligations or other liquidity needs.

Technical Amendments

Several provisions of NCUA’s rules specifically reference the CAMEL (no “S”) and will be updated to reflect the new CAMEL”S” and the refined narratives. The following provisions will be amended by replacing “CAMEL” with “CAMELS.”

NCUA Part Provision
Part 700 Definitions § 700.2
Part 701 Organization & Operation of FCUs § 701.14(b) (3) (i) and (ii)
§ 701.14(b) (4)(i) and (ii)
§ 701.23(b)(2)
Part 703 Investment & Deposit Activity § 703.13(d)(3)(iii)
§ 703.14(i)
§ 703.14(j)(4)
Part 704 Corporate Credit Unions § 704.4(d)(3)(ii)
Part 713 Fidelity Bond & Insurance Coverage § 713.6(a)(1)
§ 713.6(c)

NCUA Risk Alert: 21-RISK-01 Business Email Compromise through Exploitation of Cloud-Based Email Services

October 2021

NCUA issued Risk Alert 21-Risk-01 to provide credit unions a warning regarding a common Business Email Compromise (BEC) scam and tips on mitigations measures to counter BEC fraud and wire transfer fraud.

Business Email Compromise

In one of the most effective types BEC scams, cybercriminals use phishing kits that impersonate popular cloud-based email services to compromising victim email accounts in search of information on financial transactions. Cybercriminal will often reconfigure victim’s mailboxes to delete key messages or forward key messages. Using information gathered from compromised accounts, cybercriminals impersonate email between compromised businesses and third parties to request pending or future payments be redirected to fraudulent bank accounts.

Cybercriminals will use compromised email accounts to also identify new targets for phishing and therefore a successful email account compromise at one business can affect multiple victims associated with the account.

Prevent Business Email Compromise Fraud

NCUA provides credit unions the following tips to help prevent BEC fraud:

Enable multi-factor authentication for all email accounts.

Disable basic or legacy account authentication that does not support multi-factor authentication.

Use caution when posting information on social media/company websites, especially job duties & descriptions, org charts & out-of-office details.

Educate employees about BEC scams, including preventative strategies like how to identify phishing emails & how to respond to compromises.

Verify all payment changes and transactions in person or via a known telephone number.

Prohibit automatic forwarding of business email to external addresses.

Add an email banner to messages coming from outside your organization.

Enable alerts for suspicious activity, such as foreign logins.

Prohibit email protocols, such as POP, IMAP, and SMTP that can be used to circumvent multi-factor authentication.

 Implement email authentication technologies such as Domain-based Message Authentication Reporting and Conformance (DMARC) policies to prevent spoofing and validate incoming email. 
Enable security features that block malicious email, such as anti-phishing & anti-spoofing policies. Ensure changes to mailbox login and settings are logged and retained for at least 90 days.

Prevent Wire Transfer Fraud
Cybersecurity threats resulting in wire transfer fraud are increasing and NCUA notes it is essential to ensure that proper wire controls are in place.

Operational Controls Transactional Controls Physical & Logical Controls
• Dual controls and separation of duties  • Call-back parameters  • Multi-factor authentication 
• Documented and board-approved policies and procedures • System enforced monetary thresholds • Patch management, virus protection, and firewall protection
• Timely balancing and reconciliation of related accounts • System enforced end user monetary limits • System access controls
• Incident response and business continuity planning and testing • System enforced time-of-day restrictions • Network security policies
• Automated velocity monitoring • Member and staff information security training
• Exception handling procedures
• Enhanced due diligence and monitoring of high-risk members and activity

Report and Recover Funds from Business Email Compromise Fraud

Credit unions that identify BEC or a wire transfer fraud should:

  • File a complaint with the FBI
  • Contact their wiring originating financial institution as soon as possible to request a recall or reversal and initiate a Hold Harmless Letter or Letter of Indemnity with the receiving financial institution
  • Follow FinCEN guidance for filing Suspicious Activity Reports on BEC incidents

Additional information on BEC is available at the FBI’s Internet Crime Complaint Center Business Email Compromise webpage. Additional information on authentication is available from FFIEC: Authentication and Access to Financial Institution Services and Systems

LTCU 21-CU-10 Interagency Statement on LIBOR Transition
October 2021

NCUA issued LTCU 21-CU-10 to follow-up on Letter to Credit Unions 21-CU-03, LIBOR Transition (NASCUS summary here) and make credit unions aware of a Joint Statement issued by state and federal bank and credit union regulators outlining supervisory expectations related to bank and credit union transition away from LIBOR. NCUA reiterates its expectations that all FICUs transition away from using U.S. dollar LIBOR as a reference rate as soon as possible, but no later than December 31, 2021, and to ensure existing contracts have robust fallback language that includes a clearly defined alternative reference rate.

The Joint Statement by the state & federal regulators reminds institutions that Failure to adequately prepare for the end of LIBOR could create safety and soundness issues and increase litigation, operational, and consumer protection risks. Other supervisory considerations detailed in the Joint Statement include:

  1. Clarification on the meaning of new LIBOR contracts – Financial institutions should be careful about entering into new contracts before December 31, 2021, that create additional LIBOR exposure for a supervised institution or extends the term of an existing LIBOR contract. New contracts should either use a reference rate other than LIBOR or have fallback language that provides for use of a strong and clearly defined alternative reference rate after LIBOR’s discontinuation.
  2. Considerations when assessing the appropriateness of alternative reference rates Institutions must conduct the due diligence necessary to ensure that alternative rate selections are appropriate for their products, risk profile, risk management capabilities, customer and funding needs, and operational capabilities.
  3. Expectations for fallback language – Institutions should identify all existing contracts that reference LIBOR and lack adequate fallback language. As noted above, all future contracts should consider fallback language in the event the initial benchmark is discontinued.
  4. Additional considerations – Institutions are encouraged to take the following actions as they prepare for the LIBOR transition:
    • develop and implement a transition plan for communicating with consumers, clients, and counterparties
    • ensure systems and operational capabilities will be ready for transition to a replacement reference rate after LIBOR’s discontinuation
LTCU 21-CU-11 Emergency Capital Investment Program

October 2021

NCUA issued LTCU 21-CU-11 to address the agency’s reconsideration of its position with respect to LICU ability to participate in the Treasury Department’s Emergency Capital Investment Program’s (ECIP) issuance of 30-year subordinated debt instruments. NCUA also provided credit unions a copy of the Supervisory Letter issued to NCA examiners on the subject (SL No. 21-02 Emergency Capital Investment Program).

NCUA has, in its words, “recalibrated its position” and will now allow LICUs participating in the ECIP to accept 15-year or 30-year subordinated debt investments from the ECIP (but will only receive a maximum of 20 years capital treatment).

LICUs that have already had their secondary capital plans approved by NCUA for issuances under the ECIP have 30 days from October 20, 2021, to notify their respective NCUA Regional Office and SSA in writing of the following:

  • The stated maturity of the ECIP subordinated debt note chosen (15 or 30 years)
  • The length of regulatory capital treatment for the ECIP issuance (max 20 years)

The written notification must also contain a statement indicating that the credit union will not materially deviate from the strategies outlined in the previously approved secondary capital plan. If a credit union chooses a maturity that is longer than the maturity used in the originally approved secondary capital plan and must materially deviate from the previously approved plan’s strategies, than a new plan must be submitted pursuant to 12 C.F.R. §741.204(c).

Finally, NCUA notes that it is considering a rule change that would extend the starting period of the 20 years for ECIP issuances to the later of the date of issuance or January 1, 2022. (See the proposed rule and NASCUS’s summary and comment letter here).

 Proposed Rule: Subordinated Debt

Prepared by NASCUS Legislative & Regulatory Affairs Department
October 2021

NCUA is proposing changes to the Subordinated Debt rule taking effect on January 1, 2022, to accommodate the Treasury Department’s Emergency Capital Investment Program (ECIP). If finalized, the rule would amend the definition of ‘‘Grandfathered Secondary Capital’’ to include:

  • Any secondary capital issued to the United States Government or one of its subdivisions (U.S. Government), under an application approved before January 1, 2022, irrespective of the date of issuance.

This change would allow low-income credit unions (LICUs) that are either participating in the ECIP or other government programs that can be used to fund secondary capital, even if they do not receive the funds for such programs by December 31, 2021. NCUA would also extend the expiration of regulatory capital treatment for these issuances to the later of 20 years from the date of issuance or January 1, 2042.

The proposal may be read here. Comments are due to NCUA on October 28, 2021.

Summary

Upon its effective date on January 1, 2022, the Subordinated Debt final rule (Sub Debt rule) would generally require secondary capital issuance to comply with the requirements for Subordinated Debt.

Grandfathered Secondary Capital

The Sub Debt rule grandfathers secondary capital issued before January 1, 2022, allowing it to receive regulatory capital treatment until January 1, 2042 (20 years from the effective date of the final rule) and allowing the secondary capital to be subject to the requirements of current § 701.34(b), (c), and (d) (recodified as § 702.414 in the Sub Debt rule), rather than the requirements of the final rule.

Under the Sub Debt rule, any issuances of secondary capital not completed by January 1, 2022, must comply with the new final rule as of January 1, 2022. This means any approved secondary capital applications would be nullified if the associated issuance was not completed before January 1, 2022.

Treasury’s Emergency Capital Investment Program

After the Sub Debt rule was finalized, Congress passed the Consolidated Appropriations Act, 2021 which, among other things, created the ECIP. Under ECIP, the Treasury Department will make investments in ‘‘eligible institutions’’ to support their efforts to provide financial assistance to small businesses, minority-owned businesses, and consumers. FICUs that are minority depository institutions or community development financial institutions qualify as eligible institutions. The investments to be made by the Treasury Department would be in the form of subordinated debt and were designed to align with the FCUA and NCUA’s secondary capital rules.

Treasury’s ECIP application process has been delayed several times. As a result, it is likely that LICUs that applied for ECIP funds would receive those funds AFTER the January 1, 2022, Sub Debt rule deadline and therefore would not be able to use those funds as regulatory capital without a change the Sub Debt rule.

Proposed Rule

The proposed rule would permit funding of secondary capital approved under the current rule, beyond 2021, without the need to reapply under the Subordinated Debt rule for ECIP or other government programs if the issuance:

  • is being conducted under a secondary capital application that was approved before January 1, 2022, under either § 701.34 (FCUs) or § 741.203 (FISCUs) but the funds are dispersed after January 1, 2022

Other important aspects of the proposed change include:

  1. A LICU operating under an approved secondary capital plan may only conduct those capital issuances in accordance with the terms & conditions of the plan.
  2. Any LICU that receives an investment from the U.S. Government that is less than the amount approved under its secondary capital application with the NCUA would be limited to only that lesser investment and would not be permitted to use the proposed exception to conduct subsequent issuances.
  3. If a LICU receives a lesser investment amount, the NCUA reserves the right to revisit the LICU’s approved plan to verify that the LICU continues to operate in accordance with that plan.

NCUA is also proposing to amend the starting point for Grandfathered Secondary Capital to retain its status as Regulatory Capital. Currently, the Subordinated Debt rule states that all Grandfathered Secondary Capital will be treated as regulatory capital until January 1, 2042. To accommodate ECIP funds that may be disbursed AFTER January 1, 2022, NCUA would allow such secondary capital to count as regulatory capital for up to 20 years from the date of issuance.

21-RA-09 CFPB Issues New Specifications for its Collect Website Relating to Credit Card Data Submission
October 2021

On August 20 the CFPB issued new technical specifications for complying with credit card agreement and data submission requirements under TILA and the Credit Card Accountability Responsibility and Disclosure Act of 2009 through the

CFPB’s Collect website. To use the website, credit unions must complete the Collect registration form and send it to Collect [email protected].

Registration

  1. Credit unions that are selected to participate in the TCCP Survey or are required to submit an annual report of college student credit card agreements pursuant to 12 CFR 1026.57(d)may register now.
  2. Credit unions with 10,000 or more credit card accounts as of any quarter-end is required to make quarterly credit card submissions to the CFPB pursuant to 12 CFR 1026.58(c)and must register for Collect by November 1, 2021.

Once a credit union receives its login credentials, it will be able to review its current submissions and make the required submissions for Q4 2021 starting on December 1.

The CFPB is in the process of updating and publishing resources to help card issuers use Collect. For more resources for quarterly credit card agreement submissions and annual reports related to college credit card marketing agreements and data see the CFPB website here.

Upcoming Submission Deadlines

Requirement Submission Date
Quarterly credit card agreement submissions January 31, 2022
Terms of Credit Card Plans (TCCP) Survey data February 14, 2022
Annual reports related to college credit card marketing agreements and data March 31, 2022

 

LTCU 21-CU-09 Navigating and Understanding the End of Pandemic-Era Homeowner Protection Programs

September 2021

NCUA issued LTCU 21-CU-09 to provide guidance to credit unions on the winding down of several emergency aid programs enacted during the pandemic to help people stay in their homes.

Deadline to Grant CARES Act Forbearance Extended to September 30, 2021

The option for homeowners to request a temporary suspension of mortgage payments pursuant to the CARES Act § 4022 ends September 30, 2021. After that date, and upon conclusion of the forbearance period, borrowers will need to work with their credit union mortgage servicers to establish a repayment plan for missed payments.

NCUA strongly encourages credit unions to work with borrowers who are exiting the forbearance period in a safe and sound manner and consistent with all applicable consumer financial protection laws.

FHFA and other agencies that provide federally backed mortgages have announced a series of programs to help borrowers exiting forbearance to stay in their homes by requiring (in some cases) or encouraging mortgage servicers to offer borrowers new payment reduction and loan modification options. More information on federal mortgage modification programs is available from the CFPB.

Non-Federally Backed Mortgage Modification under CARES Act § 4013

For non-federally backed mortgages, § 4013 allows credit unions to modify a loan, including forbearance, without designating the modification as a troubled debt restructuring if it meets the following criteria:

  1. The loan was in existence before December 31, 2019:
  2. The modification is related to COVID-19:
  3. The borrower was less than 30 days past due as of December 31, 2019; and
  4. The modification is executed between March 1, 2020 and the earlier of January 1, 2022, or 60 days after the date of termination of the Presidential declaration of a National Emergency for the pandemic.

§ 4022 Foreclosure Moratorium Expired July 31, 2021

§ 4022 of the CARES Act aided homeowners by imposing a temporary moratorium on foreclosures for federally backed mortgages that expired at the end of July. To provide help to borrowers as the protection period winds down, the CFPB recently issued a final rule temporarily amending certain mortgage servicing requirements under Regulation X.

The final rule establishes temporary special COVID-19 procedural safeguards to ensure that a borrower has a meaningful opportunity to pursue loss mitigation options. The CFPB’s safeguards DO NOT apply if:

  • The foreclosure is commenced on or after January 1, 2022;
  • The borrower was more than 120 days delinquent prior to March 1, 2020; or
  • The applicable statute of limitations for the foreclosure action will expire before January 1, 2022.

NCUA addresses the final rule in more detail in Regulatory Alert, RA-08-20.

Eviction Moratorium Expired September 30, 2021

§ 4022 of the CARES Act also prohibited mortgage servicers from evicting homeowners from a foreclosed property with a federally backed mortgage. The eviction moratorium expired on September 30, 2021.

Other Homeowner and Renter Assistance Programs

There are additional resources to help distressed homeowners, renters and landlords. The American Rescue Plan  provides almost $10 billion to help struggling homeowners  with financial for mortgage payments, utilities, insurance, and other needs. The Emergency Rental Assistance Program can provide relief to renters and landlords. NCUA encourages credit unions to review available resources on the Treasury Department’s website and refer distressed members to those available resources.

Summary: CFPB Proposal Regarding Small Business Lending Data Collection

The Consumer Financial Protection Bureau (CFPB) issued a notice of proposed rulemaking seeking comment on its proposal to implement the small business lending data collection requirements set forth in Section 1071 of the Dodd-Frank Act.  The Bureau is proposing to add new Subpart B to Regulation B to implement Section 1071’s requirements.

Comments are due on the proposed rule within 90 days following the rule’s publication in the Federal Register.  The proposed rule can be found here and the Bureau’s Executive Summary of the proposal can be found here.

Summary:

  • Section 1071 amended the Equal Credit Opportunity Act (ECOA) to require that federal institutions collect and report to the Bureau certain data regarding certain business credit applications. Section 1071’s purposes are to facilitate enforcement of fair lending laws and to enable the identification of business and community development needs and opportunities for women-owned, minority-owned and small businesses.  In particular, Section 1071:
  • Specifies several data points that financial institutions are required to collect and provides authority for the Bureau to require collection of additional data that the Bureau determines would aid in fulfilling Section 1071’s purposes
  • Contains a number of other requirements regarding information collected pursuant to Section 1071, including a requirement that financial institutions restrict certain persons’ access to certain information, requirements regarding maintaining certain information, and requirements regarding publication of data.
  • Directs the Bureau to prescribe such rules and issue such guidance as may be necessary to carry out, enforce and compile data pursuant to Section 1071.
  • Permits the Bureau to adopt exceptions and exemptions to Section 1071’s requirements as the Bureau deems necessary or appropriate to carry out Section 1071’s purposes.
  • The Bureau is proposing that “covered” financial institutions collect and report data regarding covered applications from small businesses. These institutions would also need to meet other requirements regarding covered applications from small businesses.
  • The Bureau is proposing to define a “covered application” as an oral or written request for a covered credit transaction that is made in accordance with procedures used by a financial institution for the type of credit requested. This proposed definition is largely consistent with the existing Regulation B definition of “application,” the Bureau is also proposing that certain circumstances would not be covered applications, even if they are covered applications under existing Regulation B.  Specifically, the Bureau is proposing that a covered application would not include:
  • Reevaluation requests, extension requests, or renewal requests on an existing business credit account, unless the request seeks additional credit amounts, or inquiries and prequalification requests
  • The Bureau is proposing to define a “covered credit transaction” as a transaction that meets the definition of business credit under existing Regulation B. These transactions would include, among other things, loans, lines of credit, credit cards, and merchant cash advances (including such credit transactions for agricultural-purposes and those that are also covered by the Home Mortgage Disclosure Act of 1975 (HMDA).  However, the following would not be considered covered credit transactions even if they satisfy the definition of business credit:
  • Financing arrangements wherein a business acquires goods or services from another business without making immediate payment to the business providing the goods/services;
  • Public utilities credit as defined in Regulation B, 12 CFR 1002.3(a)(1);
  • Securities credit as defined in Regulation B, 12 CFR 1002.3(b)(1); and
  • Incidental credit as defined in Regulation B, 12 CFR 1002.3(c)(1).
  • In addition to the transactions listed above, factoring, leases, consumer-designated credit used for business purposes, and credit secured by certain investment properties would not be covered credit transactions.

Proposed Data Collection/Reporting Requirements

  • A covered financial institution would be required to collect/report certain data regarding covered applications from small businesses.
  • The proposed rule includes data points that financial institution would generate or provide. These data points include a unique identifier for each covered application or covered credit transaction, an application date, the application method, the application recipient, the action taken by the financial institution on the application, and the action taken date.  For denied applications, the institution would need to provide the denial reason(s).
  • The proposal includes data points that could be provided by the applicants or that a financial institution could determine by reviewing information provided by the applicant or a third party. These data points include information specifically related to the credit being applied for (credit type; credit purpose; and the amount applied for) and information related to the applicant’s business (address/location; gross annual revenue for the preceding fiscal year; NAICS code for applicant; number of applicant’s non-owner workers; applicant’s time in business; and the number of applicant’s principal owners).
  • A financial institution would be required to ask for data that addresses the demographics of the applicant’s principal owners or ownership status. These data points include minority-owned business status, women-owned business status and the ethnicity, race and sex of the applicant’s principal owners.  If an applicant does not provide any ethnicity, race or sex information for at least one principal owner, the Bureau is proposing that the financial institution must collect at least one principal owner’s race/ethnicity via visual observation and/or surname if the financial institution meets in person with any principal owners.
  • The proposed rule also includes provisions addressing the collection of data within a “timely” manner, as well as reporting and verification of applicant responses.

Proposed requirements to report data to the Bureau and provisions regarding availability and publication of data

  • The Bureau is proposing that covered financial institutions be required to collect data on a calendar year basis and report their data to the Bureau by June 1st of the following year.
  • The Bureau is proposing a “balancing test” that would assess the risks and benefits of public disclosure
  • Requirement to limit certain persons’ access to certain data
  • The proposed rule includes a provision that limits the employees and officers that have access to certain data. This proposed “firewall” would prohibit an employee or officer of a covered financial institution or a covered financial institution’s affiliate from accessing an applicant’s responses to inquires made pursuant to Section 1071 if that employee/officer is involved in making the determination concerning the applicant’s application unless otherwise provided.
  • This prohibition would not apply to an employee/officer if the covered financial institution determines that is it not feasible to limit that employee’s or officer’s access to an applicant’s response to the covered financial institution’s Section 1071 inquiries.

Proposed recordkeeping requirements and compliance dates

The proposal includes a requirement to retain evidence of compliance, including a copy of small business lending application registers, for at least three years.

The proposal also contains provisions regarding enforcement of violations, bona fide errors and safe harbors.

The Bureau is proposing that the final rule would become effective 90 days after publication in the Federal Register.  However, the compliance date would not take effect until approximately 18 months after the final rule’s publication in the Federal Register.

Request for Information & Comment: Digital Assets & Related Technologies

Prepared by NASCUS Legislative & Regulatory Affairs Department
August 2021

NCUA has issued a Request for Information and Comment (RFI) on Decentralized Finance the effect of digital assets and related technologies on federally insured credit unions (FICUs), third parties, and NCUA. NCUA is particularly interested in input on the current and potential uses of digital assets and related technologies in the credit union system, and the risks associated with them.

NCUA poses questions across four broad categories:

  1. Questions Regarding Usage and Marketplace
  2. Operational Questions
  3. Questions on Supervision and Activities
  4. Questions on Share Insurance and Resolution

The Request for Information may be read in its entirety here. Comments are due to NCUA on September 27, 2021.

Summary

NCUA’s RFI provides a high-level overview of both Decentralized Finance (DeFi) and Distributed Ledger technologies (DLT). DeFi is the broad category of technology applications including:

  • peer-to-peer networks
  • DLT
  • smart contracts
  • digital assets (including cryptos)
  • clearing and settlement systems
  • identity management systems
  • record retention systems

Distributed Ledger Technologies (DLT) are shared electronic databases where copies of the same information are stored on a distributed network of computers. DLTs are designed to ensure data cannot be altered or added to without the consensus of a pre-designated community. As a result, any attempt to modify the information on one computer will not impact the information on other computers. “Blockchains” are one type of DLT.

NCUA notes that while potentially beneficial, the emerging technologies also present risks, including:

  • the permanent nature of the transactions and questions about consumer recourse for fraudulent financial activities
  • possible manipulation in the price of tokens
  • the challenge of lost/forgotten/compromised crypto keys
  • the unregulated nature of the value transfers creates avenues for money laundering or tax avoidance

The RFI poses several specific questions and invites any other relevant comments.

NCUA’s Specific Request for Comment

  1. Questions Regarding Usage and the Marketplace
    1.  How are those in the credit union system currently using or planning to use DLT and DeFi applications?
    2. What, if any, DLT or DeFi applications are those in the credit union system currently engaging in or considering? Please explain, including the nature and scope of the activity. More specifically:
      • What, if any, types of specific products or services related to these technologies are those in the credit union system currently offering or considering offering to members? Are credit union members asking for specific products or services related to these technologies?
      • To what extent are those in the credit union system engaging in or considering DeFi applications or providing services related to digital assets that have direct balance sheet impacts?
      • To what extent are those in the credit union system engaging in or considering DLT for other purposes, such as to facilitate internal operations?
      • To what extent, if any, are those in the credit union system aware of crossjurisdiction or cross-border transactions related to DLT and digital assets.
    3. In terms of the marketplace, where do those in the credit union system see the greatest demand for DeFi application services, and who are the largest drivers for such services?
    4. Are there new developments that might affect use of DeFi applications by those in the credit union system in the future?
    5. Are DeFi applications a competitive threat for those in the credit union system?
    6. What concerns, if any, do those in the credit union system have related to current statutory or regulatory limitations on their ability to utilize DeFi applications? Are there any changes that would influence the credit union system’s ability to utilize DeFi applications?
    7. Apart from anything listed in this Request for Information, what other actions should the NCUA take? Please be as precise as possible, including, but not limited to, necessary regulatory changes, additional guidance, and legal opinions.
  2. Operational Questions
    1. What are the advantages and disadvantages of FICUs developing DLT and DeFi projects through third-party relationships versus through a credit union service organization (CUSO)?
    2. How dependent will FICUs be on third-party software and open-source libraries for their own DLT projects? Questions Regarding Risk and Compliance Management
    3. To what extent are existing risk and compliance management frameworks designed to identify, measure, monitor, and control risks associated with various DLT and DeFi applications? Do some DLT and DeFi applications more easily align with existing risk and compliance management frameworks compared to others? Do, or would, some DLT and DeFi applications result in FICUs developing entirely new or materially different risk and compliance management frameworks?
    4. What unique or specific risks are challenging to measure, monitor, and control for various DLT and DeFi applications? What unique controls or processes are or could be implemented to address such risks?
    5. What unique benefits or risks to operations do FICUs consider as they analyze various DLT and DeFi applications?
    6. How are FICUs integrating, or how would FICUs integrate, operations related to DLT and DeFi applications with legacy FICU systems?
    7. Please identify any potential benefits, and any unique risks, of particular DLT and DeFi applications to FICUs and their members.
    8. What impact will DLT and DeFi applications have on FICUs’ earnings? How will FICUs ensure they account for any negative impact, such as potential lost interchange income as peer-to-peer transactions grow?
    9. How are those in the credit union system integrating these new technologies into their existing Information Technology environment securely, including existing cybersecurity functions and data privacy/data protection policies? How are the risks in this area being evaluated?
    10. What considerations have commenters given to how to maintain continued compliance with State and Federal laws and regulations that may be applicable to various DLT and DeFi applications, including, but not limited to, those governing securities, Bank Secrecy Act (BSA) and anti-money laundering, and consumer protection? Have those obligations, or uncertainty related to potential obligations, impacted commenters DLT and DeFi activities? How do commenters’ DLT and DeFi activities address requirements in these areas?
    11. How specifically do DLT and DeFi projects in the credit union system address BSA and Know Your Customer (KYC) requirements?
    12. How can FICUs address fraud and other consumer protections with an immutable digital ledger? How can FICUs ensure continued compliance with any applicable consumer protection requirements that may arise with various DLT and DeFi applications, such as obligations related to fair lending, electronic funds transfers, and funds availability?
    13. If utilizing/planning to utilize, any of these or related technologies, what steps have been taken in providing the services and what has been done to ensure the services are being utilized safely and in compliance with all applicable laws and regulations? Please describe:
      • The process for developing a sound business case and presenting it to the board of directors for approval;
      • The process for ensuring the consideration of all of the risks & risk categories;
      • The level of due diligence performed on any vendors or third parties and whether the vendors were a new entry in the market or an established technology provider;
      • The process for assessing the quality and level of internal information systems and technology staff to support systems and applications; and
      • The process for developing internal oversight of the program.
  3. Questions Regarding Supervision and Activities
    1. Are there any unique aspects the NCUA should consider from a supervisory perspective?
    2. Are there any areas in which the NCUA should clarify or expand existing supervisory guidance to address these activities?
    3. NCUA § 721 application procedures may be applicable to certain DLT activities. Is additional clarity needed? Would any changes to NCUA’s regulations be helpful in addressing uncertainty surrounding the permissibility of particular types of DLT activity to support FICUs considering or engaging in such activities?
  4. Questions Regarding Share Insurance and Resolution
    1. Are there any steps the NCUA should consider to ensure FICU members can distinguish between uninsured digital asset products and insured shares?
    2. Are there distinctions or similarities between stablecoins (cryptocurrencies that are backed by a currency like the U.S. Dollar and are designed to have a stable value compared to other cryptocurrencies) and stored value products where the underlying funds are held at FICUs and, for which pass-through share insurance may be available to members in limited scenarios?
    3. If the NCUA were to encounter any of the digital assets use cases in the resolution process or in a conservatorship capacity, what complexities might be encountered in valuing, marketing, transferring, operating, or resolving the DeFi activity? What actions should be considered to overcome the complexities?
LTCU 21-CU-08 Implementation of Modernized Systems 
August 2021

NCUA’s LTCU 21-CU-08 provides an update on the agency’s technology modernization efforts supporting NCUA’s examination, data collection, field of membership, and reporting efforts. The new programs and applications are:

  1. NCUA Connect – A central user interface where credit unions can securely interact with the NCUA and the primary entry-point to access MERIT, DEXA, CAPRIS, and the Admin Portal. NCUA anticipates adding more applications in the future to provide a streamlined user experience & a single point of access for NCUA systems. Data and system security is enhanced by layered security, multifactor authentication, and role-based access to applications.
  2. Admin Portal – Provides confirmed, delegated credit union administrative users the ability to manage their credit union’s access to NCUA Connect and NCUA applications, including adding & removing users, and resetting passwords.
  3. Consumer Access Process and Reporting Information System (CAPRIS) – NCUA is replacing its legacy FOM Internet Application (FOMIA) with the new Consumer Access Process and Reporting Information System (CAPRIS). Multiple common bond FCUs will use CAPRIS to submit FOM expansion requests electronically beginning on August 16, 2021.
  4. Data Exchange Application (DEXA) – DEXA is a separate application on NCUA Connect that allows authorized NCUA, SSA, and credit union users to securely upload the credit union member loan and share data requested during an examination. DEXA also provides users with a history of file uploads and data validation reports for any files failing the upload process and implements new loan and share mapping files that help facilitate data visualizations for examiners. DEXA uses the same data schema outlined in LTCU 03-CU05 Expanded AIRES Loan & Share Record Layout.
  5. Modern Examination & Risk Identification Tool (MERIT) – The new examination tool has enhanced analytic capabilities to allow examiners to identify trends and potential risks in credit unions. MERIT allows examiners to document examination results, generate the report issued to the credit union, and formally follow up on examination concerns. MERIT should also facilitate cooperative state/NCUA exam work: reducing redundancy, increasing efficiency, and improving communication. New features in MERIT include:
    • Document Request List Surveys
      MERIT’s “survey” function allows NCUA and state examiners to send credit unions document request lists (“surveys”) and for credit unions to transfer documents securely back to the examiners. Additionally, users can generate several survey inventory reports. Through these reports, users can see historical MERIT survey requests, open the survey form, and view all related documents and comments provided to the examiner.
    • Electronic Delivery of Examination Reports
      Allows examiners to securely send examination reports to credit union management at the conclusion of the exam.7Authorized staff and officials may access MERIT and download the examination report from their dashboard, providing an easy and efficient way to access official reports. MERIT also retains a history of reports, allowing credit unions to view and download historical reports sent through the system, as needed.
    • Examination Concerns Tracking & Response Workflows
      Allows credit unions to track outstanding exam concerns, document resolution progress, and send updates to the examiner. If additional time is needed to address an issue, credit unions can use MERIT to request due date extensions.

Accessing the New Applications

To access NCUA’s new systems, credit unions must submit names of 1 or 2 staff to NCUA to be approved as Admin Portal Administrators who will be responsible for managing the users for the credit union. Once approved and confirmed by the NCUA, administrators can add other users and grant access to the systems for other credit union staff. Administrator requests should be submitted to NCUA’s technical support team at [email protected].

For MERIT and DEXA, credit unions should wait until they are notified of their first exam in MERIT before requesting and obtaining access to DEXA. NCUA notes that user accounts are locked after a period of inactivity, and user access would need to be restored once notified of an upcoming examination.

Training

NCUA will provide credit union user training through various avenues, including:

Information Security

  1. NCUA new systems are built on infrastructure that is certified by the Federal Risk and Authorization Management Program (FedRamp) “cloud” security certification process. Data in the system is protected by denial of service mitigation and multi-layer encryption of information in transit as well as at rest.
  2. NCUA has implemented strong administrative and physical controls including, but not limited to, rules of behavior, physical and personnel security, configuration management control, and routine security training.
  3. As a federal agency, the NCUA must also comply with security standards for federal information and information systems, including all National Institute of Standards and Technology (NIST) standards and guidelines, OMB, and federal laws, such as the Federal Information Security Management Act.
  4. Additional information on NCUA’s standards and controls governing the collection of examination and supervision information can be found here.