NCUA LTCU Summary: Cyber Incident Notification Requirements Update to Letter 23-CU-07

NCUA Letter to Credit Unions 25-CU-02
Cyber Incident Notification Requirements Update to Letter 23-CU-07

NASCUS Legislative and Regulatory Affairs
January 13, 2025

The NCUA issued its second letter to credit unions of 2025, LTCU 25-CU-02. The letter provides an update to LTCU 23-CU-07 Cyber Incident Notification Requirements.  NASCUS’ summary of the Cyber Incident Notification final rule can be found here and a summary of LTCU 23-CU-07 here.

LTCU 25-CU-02 includes two previous methods for reporting a cyber incident to the NCUA as well as a new secure web form for reporting:

The letter also reminds credit unions of the agency’s cybersecurity information and resources and provides an updated Cyber Incident Reporting Quick Reference Guide.

Letter to Credit Unions 25-CU-01: NCUA’s 2025 Supervisory Priorities

NASCUS Legislative and Regulatory Affairs
January 8, 2025

On January 7, 2025, the NCUA issued Letter to Credit Unions 25-CU-01 outlining the agency’s supervisory priorities and other updates to its examination program for 2025. The priorities focus on the areas the NCUA believes pose the highest risk to credit union members, the industry, and the NCUSIF.

Supervisory Priorities for 2025

Credit Risk

Credit risk remains a top priority for 2025. NCUA notes loan growth slowed in 2024 while overall delinquencies and charge-offs increased. Credit card and used auto loan portfolios are seeing the highest levels of delinquency and charge-off since the 2008 financial crisis. To address this, the letter indicates examiners will continue to review credit union lending and risk-management practices. Specific focus will be on:

  • Credit union’s underwriting standards;
  • Collection programs;
  • Allowance for Credit Loss reserves;
  • Charge-off practices;
  • Management and board reporting;
  • Management of risk concentrations; and
  • Third-party risk management practices.

The NCUA encourages credit unions to work with borrowers facing financial difficulties and provides a list of resources and guidance to assist in managing credit risk.

Balance Sheet Management and Risk to Earnings and Net Worth

Due to the rise in interest rates over the last few years, credit union costs of funds increased faster than the returns on loans and investments, impacting net interest margins. NCUA will evaluate credit unions’ earnings and net worth risk-management framework by weighing the current and prospective sources of earnings and the composition of net worth relative to a credit union’s approved plans and thresholds. Examiners will also continue to consider liquidity sources. The letter also lists liquidity resources and guidance, earnings resources and guidance, and resources on net worth and capital adequacy.

 

Cybersecurity

Unsurprisingly, cybersecurity remains a top priority, as cybercriminals and their attacks become more sophisticated. The NCUA indicates it will continue to use the information security examination procedures to assess credit union programs and will continue to support the voluntary use of the ACET tool. The letter also encourages credit unions to visit the NCUA’s Cybersecurity Resources webpage. Lastly, credit unions are reminded of their obligations under the Cyber Incident Notification requirements.

Consumer Financial Protection

NCUA has indicated it will continue to place significant emphasis on credit union compliance with consumer financial protection laws and regulations during examinations. The letter notes that examiners will particularly focus on:

  • Overdraft programs;
  • Fair Lending;
  • Home Mortgage Disclosure Act (HMDA) and Regulation C;
  • Military Lending Act; and
  • Electronic Funds Transfer Act (EFTA) and Regulation E.

It is not surprising to see overdraft programs at the top of this list given NCUA’s recently issued LTCU 24-CU-03, in which the agency highlights risks associated with certain overdraft and NSF practices.

Other Updates

While not specifically addressed as supervisory priorities, the letter addresses an update to the agency’s exam flexibility initiative in 2025, providing an extended exam cycle for credit unions with over $1 billion in assets. Credit unions in this asset range rated a CAMELS composite 1 or 2 with no change in the CEO since the last examination will now be eligible for a 12–16-month exam cycle. Additionally, the extended exam cycle for eligible federal credit unions will be shortened from 14-20 months to 14-18 months.

The NCUA indicates it will continue conducting the defined Small Credit Union Exam Program for most credit unions with assets of $50 million or less, and risk-focused examination procedures for all others. The letter also notes credit unions will need to remain aware of the Bank Secrecy Act/Anti-Money Laundering/Countering of Financing of Terrorism regulations and requirements.

Minority Depository Institution (MDI) Preservation Program

Finally, the letter states the agency recognizes the importance of MDIs and is committed to supporting the ongoing success of MDIs, including the need to support some MDIs more or differently. It further states that examinations will consider the “unique strategies and member needs of MDI credit unions.”

NASCUS Summary re: CFPB Executive Summary on Residential PACE Financing Final Rule
December 2024

The Consumer Financial Protection Bureau (CFPB) issued a final rule on Residential Property Assessed Clean Energy (PACE) financing.  The final rule clarifies that PACE transactions are considered “credit” under TILA and Regulation Z and that the requirements under TILA/Regulation Z will generally apply to covered PACE transactions.  The final rule becomes effective on March 1, 2026.

Summary:

  • The rule defines PACE transactions as financing to cover the costs of home improvements that result in a tax assessment on the real property of the consumer. Covered PACE transactions are voluntary transactions repaid through the property tax system alongside the consumer’s other property tax payment obligations.
  • The rule provides two exemptions:
    • The rule exempts PACE transactions from the Higher-Priced Mortgage Loans (HPML) escrow rule.
    • The rule exempts PACE transactions from periodic statement requirements in the Mortgage Servicing Rule.

Ability to Repay Requirements

  • The rule requires creditors and PACE companies substantially involved in making the credit decisions to apply the existing ability to repay requirements to PACE transactions. Specifically, the rule requires creditors and PACE companies to:
    • Make a reasonable and good faith determination of a consumer’s ability to repay at or before consummation of a covered mortgage loan;
    • Consider the eight required factors in making the repayment ability determination; and
    • Verify the information relied on in determining a consumer’s repayment ability using reasonably reliable third-party records.

TILA/RESPA Integrated Disclosure Requirements

  • The rule adds a model Loan Estimate and Closing Disclosure for use with PACE transactions.
  • The rule also includes certain modifications, clarifications and exemptions related to disclosures in the Loan Estimate and Closing Disclosure requirements to account for the uniqueness of PACE transactions.

Agencies Issue Guidance on Elder Financial Exploitation
December 18, 2024

On December 4, 2024, the six federal banking agencies and the state financial regulators issued a statement titled “Interagency Statement on Elder Financial Exploitation” to provide supervised institutions with examples of risk management and other practices that can be effective in identifying, preventing, and responding to elder financial exploitation (EFE).

FinCEN previously issued a financial trend analysis specific to EFE. NASCUS summarized the analysis here. Additionally, the US Department of Treasury’s 2024 National Money Laundering Risk Assessment described EFE as a growing money laundering threat.

The Agencies’ statement and accompanying Appendices provide a list of resources issued by federal and state agencies on the topic of EFE. This does not replace previous guidance on this topic but is meant to raise awareness and provide strategies to supervised institutions for combating EFE.

Included in the statement are nine examples of risk management and other practices that supervised institutions can consider adopting as they work to combat EFE.  These examples are not new and are addressed in previous guidance.

  1. Governance and Oversight
    • Policies and procedures to better protect account holders and the institution;
    • Enhance or create risk-based policies, internal controls, employee codes of conduct, ongoing transaction monitoring, and complaint management processes.
  2. Employee Training
    • Identifying red flags for different types of exploitation;
    • Proactive approaches for detecting and preventing EFE; and
    • Detailing actions for employees to take when they have concerns
  3. Using Transaction Holds and Disbursement Delays
    • Implementing policies and procedures in conjunction with state law and regulations when there is a suspected case of EFE
  4. Using Trusted Contacts
    • Establish policies and procedures that enable account holders to designate one or more trusted contacts that employees can contact when EFE is suspected
    • Develop clear and effective processes for when and how to disclose account holder information while also maintaining confidentiality
  5. Filing SARs Involving Suspected EFE
    • Consider filing SARs voluntarily for suspected EFE cases that do not meet the mandatory SAR filing requirements
    • Consider how to detect and identify possible red flag indicators of EFE
  6. Reporting to Law Enforcement, Adult Protective Services (APS), and/or Other Entities, as appropriate
    • Implement a policy for reporting to appropriate authorities if the state is a mandatory reporting state;
    • For institutions not in a mandatory reporting state, the institutions could develop processes for voluntarily reporting to relevant state or local authorities; and
    • Consider establishing procedures for referring potential victims of EFE to the Department of Justice’s National Elder Fraud Hotline (833.372.8311), FTC, the FBI’s IC3, USPIS, Social Security Administration, and other agencies.
  7. Providing Financial Records to Appropriate Authorities
    • Develop a process for expediting supporting information and documentation to law enforcement agencies.
  8. Engaging with Elder Fraud Prevention and Response Networks
    • Consider partnerships with various networks, community education, etc.
  9. Consumer Outreach and Awareness
    • Consider various means of consumer outreach, information on trending scams and ways to avoid them, and potential training for consumers on what to look for in various scams.

Appendix A: Elder Financial Exploitation Resources from Government Agencies

  • Appendix A includes an extensive list of reports, research, and recommendations from the agencies as well as a list of federal resources for supervised institutions that may be shared with consumers.

NCUA Letter to Credit Unions 24-CU-03
Consumer Harm Stemming from Certain Overdraft and Non-Sufficient Funds Fee Practices

NASCUS Legislative and Regulatory Affairs Department
December 10, 2024

The NCUA Board has issued its third letter to credit unions of 2024, LTCU 24-CU-03 Consumer Harm Stemming from Certain Overdraft and Non-Sufficient Funds Fee Practices.

The NCUA has shown an increased focus on consumer protection in recent years. The Agency notes it is issuing this letter to highlight the risks associated with certain overdraft and NSF fee practices while providing resources to assist credit unions in managing and mitigating these risks. The letter also describes how the Agency will approach such fees from a supervisory perspective and further outlines its expectations of credit unions in responding to the associated risks.

Background

In 2022 the NCUA requested information about federal credit union overdraft programs, policies, and procedures, and in 2023 and 2024 examiners expanded the review of federal credit union overdraft programs and evaluated adjustments credit unions made to their programs to address risk and potential harm to members. Additionally, examinations of federal credit unions in 2023 and 2024 identified the presence of certain overdraft and NSF fee practices that “may create heightened risk exposure.”

Unanticipated Overdraft Fees

Unanticipated overdraft fees occur when a credit union assesses overdraft fees on transactions that a member would not expect to give rise to such fees. The letter further addresses several types of overdraft and NSF fees and cautions against policies that permit these fees, as they would likely violate the Federal Trade Commission Act (FTC Act) and the Consumer Financial Protection Act of 2010 (CFPA) as unfair or deceptive practices.

  • Authorize Positive, Settle Negative Overdraft Fees
  • Multiple NSF Representment Fees

Returned Deposited Item Fees

A Returned Deposited Item (RDI) is a check deposited into a member’s account that is returned to the member because the check could not be processed against the originator’s account.

Other Overdraft or NSF Practices

Some additional practices highlighted by the Agency that may present heightened risk include:

  • High or no daily limits on the number of fees assessed;
  • Insufficient or inaccurate fee disclosures; and
  • Ordering transactions to maximize fees

Risk Management Principles

If a credit union provides overdraft programs or charges NSF fees, the NCUA states that the credit union should:

  • Closely analyze all aspects of the credit union’s overdraft and NSF fee practices, including opt-in disclosures, website advertising, and other information provided to members specific to overdraft and NSF;
  • Review recent regulatory developments regarding unanticipated overdraft and NSF fees;
  • Consider member impact;
  • Track and analyze related member-complaint activity;
  • Monitor and take action to mitigate reputation, consumer compliance, third-party, and legal risk; and
  • Consult legal counsel regarding consumer compliance responsibilities and associated risks.

It is important to highlight that the NCUA specifically states in the letter, “Mitigation strategies should include discontinuing policies related to charging overdraft, NSF, and other related fees that members cannot reasonably anticipate and avoid.”

NCUA’s Supervisory Approach

While the NCUA states it does not expect credit unions to stop offering overdraft programs to assist members, it will continue to review credit union overdraft programs. If examiners identify violations of laws or regulations due to unanticipated fee practices, the agency will evaluate appropriate supervisory or enforcement actions, including restitution to harmed consumers.

The letter also states that the NCUA will recognize efforts to self-identify and correct violations, noting that examiners will generally not cite or pursue action if a credit union has self-identified and fully corrected issues before the start of an examination.

LTCU 24-CU-03 applies to federally-insured credit unions, including federally-insured state-chartered credit unions (FISCUs). It is important for FISCUs to also work with their appropriate state supervisory authority when evaluating overdraft and NSF practices.
