CFPB/DOJ Withdrawal of Joint Statement on the Equal Credit Opportunity Act and Noncitizen Borrowers

January 2026

The Consumer Financial Protection Bureau (CFPB) and the Department of Justice (DOJ) withdrew a joint statement issued in October 2023 regarding the implications of a creditor’s consideration of an individual’s immigration status under the Equal Credit Opportunity Act (ECOA).

The withdrawal is effective as of January 12, 2026 and the notice can be found here

Summary

The Equal Credit Opportunity Act (ECOA) prohibits discrimination by a creditor in any aspect of a credit transaction, on the basis of race, color, religion, national origin, sex, marital status, age, an applicant’s receipt of public assistance, or the good faith exercise of an applicant’s rights. 

In October 2023, the CFPB and DOJ published a joint statement cautioning creditors that policies related to an applicant’s immigration status could, in certain circumstances, run afoul of the prohibitions against discrimination on the basis of protected classes (including race and national origin) found in the ECOA and Regulation B. 

The agencies are now withdrawing this joint statement.  The agencies disagree with the joint statement’s interpretation of the ECOA and Regulation B, which the agencies currently suggest permit creditors to consider immigration or citizenship status.  They note that Regulation B expressly permits consideration of immigration or citizenship status for certain purposes. 

In addition, the statement is being withdrawn because the agencies believe it may have created the impression that either the ECOA or the statement itself imposed limitations on the consideration of immigration or citizenship status when evaluating an application for credit.  They have now determined that no such limitation exists. 

Finally, the agencies have decided that they will not issue revised guidance on this issue because it is unnecessary.  They suggest that no additional guidance is needed beyond what is provided by Regulation B. 

IRS Notice 2025-57: Transitional Guidance on Reporting Interest from Specified Passenger Vehicle Loans

NASCUS Summary
January 13, 2026

Background

The One, Big, Beautiful Bill Act (OBBBA), enacted on July 4, 2025, introduced a new reporting requirement under IRC section 6050AA. This provision supports a temporary tax deduction for qualified passenger vehicle loan interest (QPVLI) under section 163(h)(4), applicable for tax years 2025 through 2028. To facilitate this deduction, lenders—including credit unions—must report interest received from individuals on specified passenger vehicle loans.

Key Provisions

To ease implementation of the reporting requirement for interest paid on loans secured by qualified passenger vehicles for calendar year 2025, lenders may satisfy the reporting requirement by providing a simplified statement to borrowers showing the total interest received on qualifying loans. This statement can be delivered via online portals, monthly or annual statements, or other accessible formats until an OMB approved form is created. No penalties will be imposed under sections 6721 or 6722 for 2025 if this simplified method is used.

For reporting years 2026 through 2028, lenders will be required to report interest received on qualifying loans on an appropriate OMB approved form.

An OMB form is currently being developed for implementation in the 2026 tax reporting year.[1]  At this time, the tax deduction for QPVLI sunsets after the 2028 tax year reporting requirement.

Who Must Report:

  • Any person or entity (including credit unions) engaged in a trade or business that receives $600 or more in interest from an individual on a qualifying vehicle loan in a calendar year.

What Must Be Reported:

  •   Borrower’s name and address 
  • Total interest received 
  • Loan origination date 
  • Outstanding principal at the start of the year 
  • Vehicle details (year, make, model, VIN)

When:

  • Statements must be provided to borrowers by January 31 of the following year.

What Vehicles Qualify:

  • A qualified passenger vehicle is a car, minivan, van, SUV, pickup truck, or motorcycle with a gross vehicle weight rating of less than 14,000 pounds and that has undergone final assembly in the United States.

Implications for Credit Unions

1. Operational Readiness:

  • Prepare systems to track and report QPVLI starting in 2026.
  • Update data collection processes to capture vehicle-specific loan details.

2. Member Communication:

  • Ensure members receive clear, timely statements showing interest paid on qualifying loans.
  • Educate members about the potential deductibility of this interest.

3. Compliance Planning:

  • Develop internal controls for accurate reporting and timely delivery.
  • Coordinate with core processors and loan servicing platforms.

4. Recordkeeping:

  • Maintain documentation to support IRS compliance and member inquiries.
  • Align retention policies with IRS requirements.

 Implications for State Credit Union Regulators

1. Supervisory Oversight:

  • Monitor credit union readiness for section 6050AA compliance.
  • Encourage early adoption of data collection practices.

2. Guidance and Education:

  • Provide technical assistance or training on the new requirements.
  • Share IRS guidance and best practices.

3. Examination Focus:

  • Include QPVLI reporting readiness in 2025 and 2026 examinations.
  • Assess systems and controls in place.

[1] IRS Reporting form in development: ICR 202510-1545-002 OMB: 1545-2334

IRS Notice of Proposed Rulemaking and Notice of Public Hearing: 26 CFR Parts 1 and 301 (RIN 1545-BR75) Car Loan Interest Deduction

NASCUS Summary
January 13, 2026

Background

The One, Big, Beautiful Bill Act (OBBBA), enacted on July 4, 2025, introduced a new reporting requirement under IRC section 6050AA. This provision supports a temporary tax deduction for qualified passenger vehicle loan interest (QPVLI) under section 163(h)(4), applicable for tax years 2025 through 2028. To facilitate this deduction, lenders—including credit unions—must report interest received from individuals on specified passenger vehicle loans.

On October 21, 2025, the IRS released Notice 2025-57[1] to provide transitional guidance on the information reporting requirements under section 6050AA. Notice 2025-57 provides that an interest recipient will be deemed to have satisfied the reporting obligations under section 6050AA for interest on SPVLs received in 2025 if the interest recipient makes a statement available to the individual indicating the total amount of interest received in calendar year 2025 on an SPVL

This proposed rule and notice of hearing contains regulations regarding the deduction for certain taxpayers for an amount up to $10,000 of qualified passenger vehicle loan interest. This document also contains proposed regulations regarding new information reporting requirements effective for the 2026 tax year for certain persons who, in a trade or business, receive from any individual interest aggregating $600 or more for any calendar year on a specified passenger vehicle loan, including applicable penalties for failures to file information returns or furnish payee statements as required. The proposed regulations would affect taxpayers that may deduct qualified passenger vehicle loan interest, and also persons subject to these information reporting requirements. This document also provides notice of a public hearing on these proposed regulations. 

Written or electronic comments must be received by February 2, 2026. The public hearing is being held on February 24, 2026, at 10 a.m. ET. Requests to speak and outlines of topics to be discussed at the public hearing must be received by February 2, 2026.

Key Definitions

  • Interest Recipient: A person engaged in a trade or business who receives interest on an SPVL in the course of that trade or business.
  • Payor of Record: The principal borrower listed in the interest recipient’s records.
  • APV: Any vehicle with which: (i) the original use commences with the taxpayer; (ii) that is manufactured primarily for use on public streets, roads, and highways (not including a vehicle operated exclusively on a rail or rails); (iii) that has at least 2 wheels; (iv) that is a car, minivan, van, sport utility vehicle, pickup truck, or motorcycle; (v) that is treated as a motor vehicle for purposes of title II of the Clean Air Act; and (vi) that has a gross vehicle weight rating of less than 14,000 pounds. Section 163(h)(4)(D) also provides that the term APV does not include any vehicle the final assembly of which did not occur within the United States.
  • SPVL: Indebtedness incurred after Dec. 31, 2024, for the purchase of an applicable passenger vehicle (APV) for personal use, secured by a first lien on that APV.

Proposed Rule Implications to Creditors

Who Must Report

  • Any person engaged in a trade or business who receives $600 or more of interest in a calendar year on an SPVL from an individual (the “payor of record”) must:
    1. File an information return with the IRS, and
    2. Furnish a written statement to the payor of record.

Information Return Requirements

  • Must be filed on the form designated by the IRS (similar to Form 1098 series).
    • 2025 tax returns limited under transitional relief granted to reporters as outlined in IRS released Notice 2025-57, 2025-45 I.R.B. 692.
    • 2026 tax year returns forms are currently in development.[2]
  • Due Date:
    • February 28 of the year following the calendar year interest was received (or March 31 if filed electronically).
  • Electronic Filing: Required if the filer submits 10 or more returns in a calendar year.
  • Contents of the Return Effective for the 2026 Tax Year and Beyond:[3]
    • Name, address, and taxpayer identification number (TIN) of the payor of record.
    • Name, address, and TIN of the interest recipient.
    • Amount of interest received for the calendar year.
    • Outstanding principal on the SPVL as of the beginning of the calendar year.
    • Date of loan origination.
    • Year, make, model, and VIN of the vehicle securing the loan.
    • Date the SPVL was acquired by the interest recipient.
    • Any other information required by the IRS form or instructions.

Written Statement to Borrower

  • Must be furnished to the payor of record by January 31 of the year following the calendar year for which interest was received.
  • Must include:
    • All information reported to the IRS.
    • A legend identifying the statement as important tax information furnished to the IRS.
    • A warning that the borrower may not be able to deduct the full amount of interest shown (due to statutory limits and income phaseouts).

Additional Rules

  • Threshold: Reporting is mandatory for $600 or more of interest per SPVL; optional for less than $600.
  • Foreign Persons: Special rules apply if the interest recipient or payor is foreign.
  • Penalties: Failure to file correct returns or furnish statements may trigger penalties under IRC §§6721 and 6722.
  • Electronic Delivery: Permitted under IRS procedures (e.g., Publication 1179).

Creditor Responsibilities to Determine if a Loan is an SPVL

Under proposed §1.6050AA-1 and §1.163-16, creditors (including assignees) must confirm whether a loan meets the statutory definition of an SPVL before reporting:

Key Criteria for SPVL Status

  1. Loan Purpose: Indebtedness must be incurred after Dec. 31, 2024 for the purchase of an Applicable Passenger Vehicle (APV) for personal use.
  2. Collateral Requirement: Loan must be secured by a first lien on the APV.
  3. Vehicle Eligibility:
    • Original use begins with the taxpayer.
    • Final assembly occurred in the U.S.
    • Vehicle meets APV definition (car, minivan, SUV, pickup, motorcycle; <14,000 lbs GVWR).
  4. Personal Use Test: At origination, borrower expects >50% personal use.
  5. Exclusions: Loans for fleet sales, commercial vehicles, lease financing, salvage title vehicles, or vehicles for scrap/parts are not SPVLs.
  6. Related Party Rule: Indebtedness owed to a related party under IRC §§267(b) or 707(b)(1) is excluded.
  7. Refinancing: A refinanced loan qualifies only up to the outstanding balance of the original SPVL.

Practical Steps for Creditors

  • Review Retail Installment Sales Contract:
    • Confirm VIN and APV eligibility.
    • Check items financed—only amounts customarily financed with vehicle purchase (e.g., taxes, title fees, warranties) qualify.
  • Verify Personal Use:
    • Rely on contract indicators (personal vs. business use).
    • If unclear, obtain borrower attestation or documentation.
  • Assignment Scenario:
    • Assignees typically receive sufficient info (contract copy, VIN, lien status).
    • If personal use cannot be confirmed from documents, the assignee may seek information from the originator or borrower.
  • Optional Reporting: If uncertain and interest <$600, reporting is optional.

Implications for Credit Unions

1. Operational Readiness:

  • Prepare systems to track and report QPVLI starting in 2026.
  • Update data collection processes to capture vehicle-specific loan details.

2. Member Communication:

  • Ensure members receive clear, timely statements showing interest paid on qualifying loans.
  • Educate members about the potential deductibility of this interest.

3. Compliance Planning:

  • Develop internal controls for accurate reporting and timely delivery.
  • Coordinate with core processors and loan servicing platforms.

4. Recordkeeping:

  • Maintain documentation to support IRS compliance and member inquiries.
  • Align retention policies with IRS requirements.

Implications for State Credit Union Regulators

1. Supervisory Oversight:

  • Monitor credit union readiness for section 6050AA compliance.
  • Encourage early adoption of data collection practices.

2. Guidance and Education:

  • Provide technical assistance or training on the new requirements.
  • Share IRS guidance and best practices.

3. Examination Focus:

  • Include QPVLI reporting readiness in 2025 and 2026 examinations.
  • Assess systems and controls in place.

[1] 2025-45 I.R.B. 692

[2] IRS Reporting form in development: ICR 202510-1545-002 OMB: 1545-2334

[3] See IRS released Notice 2025-57, 2025-45 I.R.B. 692 for 2025 Tax Year Requirements.

NASCUS Proposed Rule Summary

NCUA Rules & Regulations Part 715: Supervisory Committee Audits & Verifications

December 2025

As part of a “Deregulation Project” NCUA is proposing changes to its rules for credit union audits: Part 715 Supervisory Committee Audits and Verifications. NCUA’s rule applies in part to federally insured state credit unions (FISCUs) by reference in Part 741.202. These rules do not apply to privately insured credit unions.

Comments must be submitted to NCUA by February 9, 2026.

The proposed rule may be read in its entirety here.

Summary

  • Section 715.2(h)

§715.2 contains definitions for NCUA’s audit and verification rules. NCUA is proposing to eliminate a paragraph in § 715.2(h), which defines “Internal control.” NCUA now believes the definition is too prescriptive and risks becoming outdated. Specifically, NCUA would eliminate the listing of the 5 components of an internal control structure and would also eliminate the sentence defining reliable financial reporting as too narrow. The revised provision would read as follows:

(h) Internal control refers to the process, established by the credit union’s board of directors, officers and employees, designed to provide reasonable assurance of reliable financial reporting and safeguarding of assets against unauthorized acquisition, use, or disposition.

A credit union’s internal control structure consists of five components: control environment; risk assessment; control activities; information and communication; and monitoring. Reliable financial reporting refers to preparation of Call Reports (NCUA Forms 5300 and 5310) that meet management’s financial reporting objectives.

Internal control over safeguarding of assets against unauthorized acquisition, use, or disposition refers to prevention or timely detection of transactions involving such unauthorized access, use, or disposition of assets which could result in a loss that is material to the financial statements.

  • Section 715.8(a)

The current rule requires members’ accounts to be verified against the records of the treasurer of the credit union. NCUA would eliminate the reference to the Treasurer and have the rule require member accounts be verified against the records of the credit union.

  • Section 715.9(b)

Part 715(9) addressed requirements related to credit union engagement of outside auditors. Specifically, the provision requires the scope of work to be documented in an engagement letter contracted between the supervisory committee and the auditor, including noting that the contract must be signed by both parties. NCUA now finds the addition of the requirement to have the contract signed to be unnecessary given the clear understanding that the requirement to enter into a contract inherently includes the contract be signed.

  • Section 715.10(a)

Part 715.10(a) requires, in part, a credit union’s supervisory committee to provide NCUA with a copy of audit reports upon request. Because NCUA has statutory authority to access all of a credit union’s books and records, NCUA believes reiterating this requirement in Part 715 is redundant and unnecessary. NCUA proposes eliminating the last sentence of existing Part 715.10(a) that requires the supervisory committee to provide the audit report upon request.

  • Section 715.12

NCUA §715.12(b) asserts NCUA’s authority to require a FICU to obtain a financial statement audit. The last two sentences of the provision describe the objectives of a financial statement audit. NCUA now believes those final two sentences to be unnecessary. The revised provision would read:

715.12(b) Financial statement audit required. The NCUA Board may compel a federal credit union to obtain a financial statement audit performed in accordance with GAAS by an independent person who is licensed by the State or jurisdiction in which the credit union is principally located (even if such audit is not required by § 715.5), for any fiscal year in which the credit union has experienced serious and persistent recordkeeping deficiencies as defined in paragraph (c) of this section.

The objective of a financial statement audit performed under this paragraph is to reconstruct the records of the credit union sufficient to allow an unqualified or, if necessary, a qualified opinion on the credit union’s financial statements. An adverse opinion or disclaimer of opinion should be the exception rather than the norm.

NASCUS Note: As noted above, §715 applies to FISCUs by reference in Part 741.202 which reads as follows:

§ 741.202 Audit and verification requirements.

(a) The supervisory committee of each credit union insured pursuant to title II of the Act shall make or cause to be made an audit of the credit union at least once every calendar year covering the period elapsed since the last audit. The audit must fully meet the applicable requirements set forth in part 715 of this chapter or applicable state law, whichever requirement is more stringent.

(b) Each credit union which is insured pursuant to title II of the Act shall verify or cause to be verified, under controlled conditions, all passbooks and accounts with the records of the financial officer not less frequently than once every 2 years. The verification must fully meet the requirements set forth in § 715.8 of this chapter.

While NCUA does not seek comment on § 741.202, NASCUS encourages state system stakeholders to consider commenting on necessary changes to this provision to provide greater clarity and guidance to FISCUs as to what provisions of Part 715 apply. For example, §715.3 discusses the responsibilities of the supervisory committee, however FISCUs are not required by NCUA rules to have a supervisory committee.

In considering Part 715 and Part 741.202, numerous other changes and clarifications could reduce regulatory burden for FISCUs.

NASCUS Proposed Rule Summary: NCUA Rules & Regulations Part 748 Guidance on Response Programs for Unauthorized Access to Member Information and Member Notice – Appendix B

December 2025

As part of the first round of the “Deregulation Project” NCUA is proposing changes to its rules relating to Guidance on Response Programs for Unauthorized Access to Member Information and Member Notice, Part 748.

Federally Insured State Credit Unions must comply with Part 748 by reference to standards pursuant to sections 501 and 505(b), codified at 15 U.S.C. 6801 and 6805(b), of the Gramm-Leach-Bliley Act.  These requirements are also cross-referenced to 12 CFR Part 1016 “Privacy of Consumer Financial Information (Regulation P) through Part 716.

The proposed rule may be read in its entirety here: Guidance on Response Programs for Unauthorized Access to Member Information and Member Notice.

Comments are due to NCUA by February 9, 2026.

Summary

This guidance interprets section 501(b) of the Gramm–Leach–Bliley Act (GLBA) and complements Part 748’s security obligations by outlining how federally insured credit unions should respond to unauthorized access to member information—defined as any nonpublic personal information, in any form—that could cause substantial harm or inconvenience to members. The guidance builds upon Appendix A’s three core expectations:

  1. Ensuring security and confidentiality of member information
  2. Protecting against anticipated threats to data integrity
  3. Preventing unauthorized access that could harm members

Under the current Rule federally insured credit unions must establish a risk-based response program tailored to their size, complexity, and risk profile.  This should include:

  • Incident Assessment – Evaluate the scope, systems, and types of data involved.
  • Regulatory Notification – Alert the NCUA Regional Director (and state regulator if applicable) promptly upon detecting unauthorized access to sensitive data.
  • Law Enforcement & SAR Reporting – File Suspicious Activity Reports and notify law enforcement for criminal breaches requiring immediate attention.
  • Containment & Preservation – Take measures like freezing accounts or preserving forensic data to prevent further access.
  • Member Notification – Inform affected members when misuse is confirmed or reasonably possible.

For incidents via service providers, credit unions must ensure their contracts obligate providers to alert the credit union quickly and support executing the response program.

Proposed Changes:

The NCUA Board (Board) is proposing to remove Appendix B to part 748. The reason for the potential removal is because the Board feels that its placement within the Code of Federal Regulations (CFR) causes confusion in that it is viewed as a mandatory regulatory requirement instead of nonbinding guidance.  If removed, the Board would then publish the content as guidance to provide clarity.  Currently there is no information on whether the republication of Appendix B into a nonbinding Letter to Credit Union would include any proposed amendments.

Key Considerations:

  1. Creates distinction between regulation and guidance, which is the main factor associated with the proposed removal of the appendix
  2. No true change in obligations of credit unions around responsibility, which also means no reduction in member protection
  3. Potential of improved flexibility with creating response programs based on an organization’s size and risk profile
  4. Potential of reduced regulatory burden   

NASCUS Proposed Rule Summary

NCUA Rules & Regulations Part 748 Safeguarding Member Information

December 2025

As part of the “Deregulation Project” NCUA is proposing changes to its rules relating to Safeguarding Member Information, Appendix A to Part748. Federally Insured State Credit Unions must comply with Part 748 by reference to standards pursuant to sections 501 and 505(b), codified at 15 U.S.C. 6801 and 6805(b), of the Gramm-Leach-Bliley Act.  These requirements are also cross referenced to 12 CFR Part 1016 “Privacy of Consumer Financial Information (Regulation P) through Part 716.

The proposed rule may be read in its entirety here: Guidelines for Safeguarding Member Information.

Comments are due to NCUA by February 9, 2026.

Summary

In November 1999, Congress passed the Gramm-Leach Bliley Act (GLBA)[1] which, among other things, required the NCUA and all federal banking agencies (FBAs) to establish standards for financial institutions relating to administrative, technical, and physical safeguards for customer records and information.[2]

These safeguards are intended to: (1) ensure the security and confidentiality of customer records and information, (2) protect against any anticipated threats or hazards to the security or integrity of such records, and (3) protect against unauthorized access to or use of such records or information that would result in substantial harm or inconvenience to any customer.[3]

After passage of GLBA, the NCUA Board (Board) determined that the standards required by GLBA could be most effectively adopted through an amendment to the NCUA’s existing regulation governing security programs in FICUs[4], an approach consistent with the FBAs by design, to include the standards required under GLBA as an appendix to part 748. The resulting Appendix A intended to provide FICUs with guidance in developing the security program required under § 748.0.

Appendix A has been amended over the years to reflect new requirements and maintain consistency with comparable regulations and guidelines issued by the FBAs.  Most recently, in 2012 and 2013, the Board again amended part 748 and Appendix A with technical changes mandated by the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act) and based on the NCUA’s rolling, 3-year regulatory review.[5]

The Dodd-Frank Act, among other things, transferred rulemaking authority for many consumer protection regulations from the Federal Reserve Board to the Consumer Financial Protection Bureau (CFPB).[6]

As a result, the NCUA was required to update certain cross citations within its regulations and rescind part 716 governing the “Privacy of Consumer Financial Information” under GLBA.[7]

The rule aims to strengthen credit unions’ obligations to protect member data against unauthorized access, use, or disclosure. It aligns with evolving cybersecurity threats and incorporates best practices for risk management.

Key elements of the current guidelines include:

  • Risk Assessment Requirements: Credit unions must periodically assess risks to member information, including internal and external threats.
  • Information Security Program: Institutions must maintain a written program that addresses administrative, technical, and physical safeguards.
  • Incident Response: Enhanced expectations for timely detection, containment, and reporting of security incidents.
  • Vendor Management: Credit unions must ensure third-party service providers implement appropriate safeguards.
  • Board Oversight: Boards are expected to approve and oversee the security program.

Proposed Changes

Under the rule amendment, the Board is proposing to remove Appendix A from the CFR and instead issue nonbinding guidance through a Letter to Credit Unions.  The intent of this change is to remove the impression that the standards outlined in the GLBA are legally binding rules and clarify they are instead intended to be an aid to satisfy the regulatory requirements of Part 748.

At this time, it is unknown whether the current Part 748 Appendix A will be wholly republished and incorporated into the new version of the guidance published as a NCUA Letter to Credit Unions.

The Board is seeking feedback on all aspects of the proposed rule, including the option of maintaining the status quo.

Implications for Federally Insured Credit Unions

  • Compliance Alignment: State-chartered credit unions will need to ensure their information security programs meet or exceed these federal guidelines, or appropriately mitigate weaknesses.  State laws or regulations may also impose similar requirements.
  • Operational Impact: Increased emphasis on cybersecurity risk assessments and vendor oversight will continue to require additional resources and expertise.
  • Reporting Obligations: Enhanced incident response requirements, as developed by the Cybersecurity and Infrastructure Security Agency, under the Cybersecurity and Infrastructure Security Agency Act of 2018, could lead to stricter cyber related requirements.

Implications for State Regulators

  • Supervisory Expectations: State regulators will need to incorporate the updated enforcement standards into their examination processes to maintain parity with federal oversight.
  • Coordination with NCUA: Greater collaboration may be necessary for incident reporting and enforcement, especially for federally insured state-chartered credit unions.
  • Policy Updates: States may consider revising their own regulations or guidance to align with NCUA’s enhanced framework, ensuring consistency and reducing regulatory burden.

[1] 15 U.S.C. 6801 et. seq. (Nov. 12, 1999).

[2] Id. At this time, “federal banking agencies” refers to the Office of the Comptroller of the Currency, the Federal Reserve Board, and the Federal Deposit Insurance Corporation, although at the time of GLBA’s passage the term included the now-defunct Office of Thrift Supervision.

[3] 15 U.S.C. 6801(b).

[4]66 FR 8152 (Jan. 30, 2001).

[5]77 FR 71085 (Nov. 29, 2012); 78 FR 32541 (May 31, 2013).

[6] 12 U.S.C. 5581(b)(6) (July 21, 2010).

[7]12 CFR part 716. To assist FICUs, the part 716 heading was retained with a cross citation to the CFPB’s republished version of the regulation at 12 CFR part 1016.

NASCUS Proposed Rule Summary
NCUA Rules & Regulations Part 701.20 Suretyship and Guaranty

December 2025

As part of the second wave of the “Deregulation Project” NCUA is proposing changes to its rules relating to Suretyship and Guaranty, Part 701.20.

Part 701.20 applies to state-chartered credit unions by reference in Part 741.221.

The proposed rule may be read in its entirety here: Suretyship and Guaranty

Comments are due to NCUA by February 27, 2026.

Summary

The Federal Credit Union Act (FCU Act) explicitly grants FCUs the power to, among other activities, make loans to members and to provide letters of credit on behalf of members.[1]

The accompanying incidental powers provision states that each FCU may “exercise such incidental powers as shall be necessary or requisite to enable it to carry on effectively the business for which it is incorporated.” [2]

Section 701.20, established in 2004, recognizes the ability of FCUs to enter into suretyship and guaranty agreements for their members as an incidental power, providing additional flexibility to meet member needs.[3]  At that time, Part 741.221 made the provisions of Part 701.20 applicable to FISCUs.

The NCUA Board proposes to remove the segregated deposit and collateral requirements under §701.20 when federally insured credit unions (FICUs) act as a surety or guarantor. This change aims to reduce regulatory burden and provide credit unions with greater flexibility in designing products to meet members’ needs.

Current Rule

  • FICUs acting as surety/guarantor must:
    • Limit obligations to a fixed amount and duration.
    • Create an authorized loan compliant with lending regulations.
    • Obtain segregated deposits or collateral equal to 100% or 110% of the obligation (depending on asset type).

Proposed Changes

  • Remove paragraphs (c)(3) and (d) of §701.20, eliminating:
    • Mandatory segregated deposit.
    • Collateral requirements (100% for cash/government obligations; 110% for real estate/securities).
  • FICUs remain subject to:
    • Fixed amount/duration limits.
    • Compliance with NCUA lending regulations and safety/soundness standards including the limitations on loans to one member or associated members or officials for purposes of §§ 701.21(c)(5), (d); 723.4(c).

Implications for State Credit Unions & Regulators

  • FISCUs authorized under state law to engage in suretyship/guaranty will benefit from reduced compliance burden.
  • State regulators should:
    • Review state-specific collateral requirements.
    • Ensure alignment with NCUA’s principles-based approach under Part 723 (Commercial Lending).
  • NCUA expects minimal federalism impact; states retain authority over FISCUs’ lending rules.

Key Considerations

  • Risk management remains critical—credit unions must determine appropriate collateral and underwriting standards.
  • No new reporting or recordkeeping requirements under the Paperwork Reduction Act.
  • NCUA certifies no significant economic impact on small credit unions (<$100M assets).
  • Comments invited on:
    • Safety and soundness implications.
    • Impact on state regulatory frameworks.
    • Whether additional guidance is needed for FISCUs.

[1] 12 U.S.C. 1757(5), 1757a

[2] 12 U.S.C. 1757(17).

[3] 69 FR 8547, Feb. 25, 2004.

NASCUS Proposed Rule Summary
NCUA Rules & Regulations Part 748 Catastrophic Act Reporting

December 2025

As part of the second wave of the “Deregulation Project” NCUA is proposing changes to its rules relating to Catastrophic Act Reporting, Part 748.

The proposed rule may be read in its entirety here: Catastrophic Act Reporting.

Comments are due to NCUA by February 27, 2026.

Summary

Part 748 requires a FICU to notify the appropriate NCUA Regional Director within five business days of any catastrophic act that occurs at its office(s). NCUA regulations define a catastrophic act as “any disaster, natural or otherwise, resulting in physical destruction or damage to the credit union or causing an interruption in vital member services, as defined in § 749.1 of this chapter and projected to last more than two consecutive business days.”[1]

Current Rule

  • FICUs are required by Part 748 to:
    • Develop a written security program designed to protect CU physical assets ensure the security and confidentiality of member records from unauthorized access, respond to incidents of unauthorized access and prevent destruction of vital records.
    • Provide notice to the NCUA Regional Director within 5 business days any catastrophic act that occurs at its offices, if projected to cause an interruption in vital member services for more than 2 days.
    • Notify the NCUA of reportable cyber incidents no later than 72 hours after the credit union reasonably believes that it has experienced a reportable cyber incident or has been notified by a 3rd party vendor who has experienced such an incident affecting its members.
    • File Suspicious Activity Reports, if it knows, suspects, or has reason to suspect that a transaction relates to money laundering activity, criminal activity or a violation of the Bank Secrecy Act no later than 30 calendar days from the date of detection.

Proposed Changes

  • Amend § 748.1(b) relative to catastrophic act reporting to:
    • Allow notice to the “NCUA” broadly and not require direct notification to the “NCUA Regional Director”.
    • Extend the notification requirement by a credit union affected by a catastrophic act to within 15 calendar days the event occurs from the current requirement of within 5 business days.
    • Remove the prescriptive list of items that a credit union should include in its internal record of a catastrophic act and replace it with a requirement that a credit union record the basic facts of the event.
  • FICUs remain subject to requirements to:
    • Develop a written security program designed to protect CU physical assets ensure the security and confidentiality of member records from unauthorized access, respond to incidents of unauthorized access and prevent destruction of vital records.
    • Notify the NCUA of reportable cyber incidents no later than 72 hours after the credit union reasonably believes that it has experienced a reportable cyber incident or has been notified by a 3rd party vendor who has experienced such an incident affecting its members.
    • File Suspicious Activity Reports if it knows, suspects, or has reason to suspect that a transaction relates to money laundering activity or a violation of the Bank Secrecy Act no later than 30 calendar days from the date of detection.

Implications for State Credit Unions

  • Reduced Compliance Burden
    • More time to mediate and report catastrophic acts and less prescriptive documentation requirements.
  • Operational Flexibility
    • Ability to focus on recovery and member service restoration before administrative tasks.
  • Alignment with Disaster Recovery Practices
    • Encourages integration with existing business continuity frameworks rather than rigid federal templates.

Implications for State Regulators

  • Coordination with NCUA
    • Centralized reporting may reduce direct interaction with regional offices; regulators should ensure they maintain visibility into catastrophic events affecting state-chartered FICUs.
    • Key concerns on NCUA processes to ensure NCUA communication to State Agencies of notifications received from state-chartered credit unions.
    • Coordination of regional, state or local resources towards responding to a catastrophic event.
  • Monitoring and Oversight Adjustments
    • Extended reporting timeline could delay awareness of operational disruptions; state regulators may consider supplemental notification requirements for state-chartered institutions.
  • Policy Harmonization
    • States may review their own catastrophic event reporting rules to align with NCUA’s less prescriptive approach, balancing burden reduction with supervisory needs.

Key Considerations

  • Risk Management: While burden is reduced, regulators should ensure that extended timelines do not compromise timely risk mitigation.
  • Cybersecurity Integration: NCUA seeks comment on using existing cyber incident reporting tools for catastrophic acts—states may evaluate similar efficiencies.
  • Small Credit Unions: NCUA certifies no significant economic impact; however, state regulators should assess whether smaller institutions need additional guidance under the new flexibility.

[1] 12 CFR 748.1(b). See also12 CFR 749, App. B, Catastrophic Act Preparedness Guidelines. The agency adopted this requirement under 12 U.S.C. 1785(e), which requires the agency to promulgate rules establishing minimum safety standards relating to security.

NASCUS Proposed Rule Summary

NCUA Rules & Regulations Part 740 Accuracy of Advertising and Notice of Insured Status

December 2025

As part of the second wave of the “Deregulation Project” NCUA is proposing changes to its rules relating to Accuracy of Advertising and Notice of Insured Status, Part 740.

The proposed rule may be read in its entirety here: Accuracy of Advertising and Notice of Insured Status.

Comments are due to NCUA by February 27, 2026.

Summary

Part 740 applies to all federally insured credit unions prescribing the requirements for the official sign insured credit unions must display, and the official advertising statement insured credit unions must include in their advertisements. It requires that all advertisements be accurate and also establishes requirements for advertisements of excess share insurance.

Over the years, the NCUA amended these regulations several times. The Board comprehensively revised and streamlined part 740 in a 2003 final rule.[1]  The primary purpose of the 2003 revision was to modernize the regulation for clarity, address the growing use of the internet for member transactions, and clarify the use of trade names in advertising.

In the 2006 final rule[2], the NCUA revised the official sign to reflect statutory changes from the Federal Deposit Insurance Reform Act of 2005, which included adding a statement that insured accounts are backed by the full faith and credit of the United States Government.

A subsequent 2008 final rule provided credit unions with additional flexibility permitting the use of a shortened advertising statement, “Federally insured by NCUA,” or the official sign itself in advertisements.[3]

In a 2011 final rule, the Board made the advertising rules more stringent.[4]  This amendment, among other changes, reduced the time exemption for radio and television advertisements from 30 seconds to 15 seconds. It also introduced the requirement to include the official advertising statement in annual reports and statements of condition, clarified that the statement’s font size in print must be no smaller than the smallest font used for other consumer information, and defined the term “advertisement” for the first time.

However, in a 2018 final rule, the NCUA reversed the 2011 change to the broadcast advertisement exemption to provide regulatory relief and restore parity with regulations for banks insured by the Federal Deposit Insurance Corporation.[5]  

The 2018 rule expanded the radio and television exemption back to 30 seconds and introduced a shorter advertising statement option: “Insured by NCUA.” Most recently, a 2020 final rule made technical corrections to improve clarity.[6]

The NCUA Board is issuing this proposed rule to streamline its regulations governing advertising and the notice of insured status. This proposed rule would eliminate provisions concerning the official advertising statement found in Part 740.5 and remove references to the official advertising statement found in Part 740.0 Scope.

Current Rule

  • FICUs are required to include one of several options of the “official advertising statement” in all covered advertisements.
  • Covered advertisements require mandatory language and graphic requirements unless exempted under Part 740.5(c).

Proposed Changes

  • Remove section 740.5 definitions of the “official advertising statement” and references to the “official advertising statement found in 740.0 Scope, eliminating:
    • The requirement to include an official advertising statement.
    • The required standards for language and/or graphics to meet the official advertisement statement.
  • FICUs remain subject to:
    • Ensuring the accuracy of advertising statements.
    • Requirements to clearly explain the type and amount of excess share insurance and the identity of the carrier and avoid implication of that carriers affiliation with NCUA or the federal government.
    • Requirements for the display of the official NCUA display at all windows/stations where insured account funds or deposits are normally received.

Implications for Federally Insured Credit Unions

  1. Reduced Compliance Burden
    • SCUs will no longer need to include prescribed language in every advertisement.
    • Eliminates complexity around exemptions (e.g., radio/TV spots, promotional items).
    • Frees resources previously dedicated to monitoring ad compliance.
  1. Flexibility in Marketing
    • SCUs can tailor advertising for digital and social media without rigid text requirements.
    • May still include NCUA insurance references voluntarily, provided they are accurate.
  1. No Change to Core Insurance Disclosures
    • Official NCUA sign remains mandatory in physical locations, websites, and mobile banking apps where deposits are taken.
    • Members still receive clear notice of insured status at points of account opening and transaction.

Implications for State Regulators

  • Minimal Impact on Supervisory Role
    • The rule does not alter state authority or examination responsibilities.
    • Oversight of SCUs remains unchanged; NCUA retains authority over insurance disclosures.
    • Deregulatory nature means fewer compliance issues for state regulators to monitor.

Key Takeaways

  • This is a deregulatory proposal aimed at modernizing advertising rules.
  • SCUs gain greater operational flexibility and lower compliance costs.
  • State regulators should note the removal of §740.5 but expect no shift in jurisdiction or responsibilities.
  • Comments on the proposal are invited; and due by February 27, 2026

[1] 68 FR 23382 (May 2, 2003).

[2] 71 FR 36719 (June 28, 2006).

[3]73 FR 56936 (Oct. 1, 2008).

[4] 76 FR 30523 (May 26, 2011).

[5] 83 FR 17913 (Apr. 25, 2018).

[6] 85 FR 62213 (Oct. 2, 2020).

NASCUS Proposed Rule Summary

NCUA Rules & Regulations Part 701.25 Loans to Credit Unions

December 2025

As part of the second wave of the “Deregulation Project” NCUA is proposing changes to its rules relating to loans to credit unions, Part 701.25. NCUA’s rules on loans between credit unions applies to state chartered credit unions by reference in Part 741.227.

The proposed rule may be read in its entirety here: Loans to Credit Unions

Comments are due to NCUA by February 27, 2026.

Summary

In 2021 NCUA finalized a rule permitting low-income designated credit unions, complex credit unions, and new credit unions to issue subordinated debt (sub debt). As part of the rulemaking, NCUA created new Part 701.25 to mitigate potential risk from credit unions engaging with sub debt.

Through Part 701.25, NCUA established various limits on total aggregate loans a lending credit union can make, limits on the total loans to a single credit union, limits on investment of the subordinated debt of another credit union, and numerous requirements for the credit union’s board of directors to establish a written loan policy and limits on such loans consistent with the regulatory aggregate limits.

The NCUA Board proposes to remove §701.25(b), which currently requires federally insured credit unions (FICUs) to:

  • Obtain board approval for all loans to other credit unions.
  • Adopt written policies specifying aggregate limits on such loans.

Why?

NCUA is now proposing to eliminate Part 701.25(b) because the agency now believes the requirement is redundant to long standing requirements for Federal Credit Unions to adopt written loan policies and procedures that are codified in §1757 of the Federal Credit Union Act.

NOTE: §1757 of the FCUA DOES NOT apply to state-chartered federally insured credit unions. Therefore, if this proposal is finalized there would be no NCUA share insurance requirement that a FISCU have written loan policies related to loans to other credit unions.

What remains?

  • Statutory limits and other provisions in §701.25 still apply (e.g., aggregate lending limits and eligibility requirements).
  • Federally insured state-chartered credit unions (FISCUs) will look to state law for board approval and policy requirements.

Key Takeaways for State Credit Unions

  1. Flexibility in Governance
    FISCUs will no longer be federally required to adopt written policies for loans to other credit unions. Boards can tailor oversight based on risk and operational needs.
  2. State Law Still Governs
    State regulators should confirm whether state statutes or rules impose similar approval or policy requirements. This change does not override state authority.
  3. Risk Management Remains Critical
    Even without prescriptive federal rules, prudent risk management practices—such as documenting board approval and setting internal limits—are strongly recommended.
  4. Operational Impact
    Removal of documentation requirements reduces compliance burden and saves time, especially for smaller credit unions. Estimated reduction: NCUA estimates a reduction of 1,650 annual burden hours.

Regulatory & Supervisory Considerations

  • Regulators: Assess whether state rules need clarification to avoid gaps in governance.
  • Credit Unions: Review internal lending policies to ensure they align with risk appetite and state requirements.
  • Comment Period Ends: February 27, 2026

NASCUS Summary on the Proposed Rule — NCUA Rules & Regulations Part 704: Corporate Credit Unions

December 2025

As part of a “Deregulation Project” NCUA is proposing changes to its rules for corporate credit unions: Part 704.

The first change would eliminate the requirement in Part 704.8(b) that a corporate credit union’s ALCO have at least one member from the corporate credit union’s board of directors. The second set of changes would eliminate several requirements in Part 704.15(c), including the requirement to file a copy of the annual report with NCUA, to submit management letters received from public accountants, the requirement to notify NCUA of late filing and the requirement that NCUA make a corporate credit union’s annual report available to the public.

Part 704 applies to state-charted corporate credit unions by reference in Part 741.206.

The proposed rule may be read in its entirety here: Corporate Credit Unions

Comments are due to NCUA by February 9, 2026.

Summary

  • Membership of the ALCO

Since 1997, NCUA has required corporate credit unions to operate according to a written asset and liability management policy and that each corporate credit union Additionally, the 1997 final rule required that each corporate credit union’s asset and liability management committee (ALCO) must have at least one member who is also a member of the board of directors. See 62 FR 12938 (Mar. 19, 1997).

NCUA now believes this requirement is too prescriptive and corporate credit unions should have more flexibility to determine the membership of their ALCOs. Therefore, NCUA proposes eliminating the requirement that at least one member of the ALCO must be a board member.

  • Supervisory Committee and reporting requirements

The 1997 rule required a corporate credit union’s supervisory committee to obtain an annual opinion audit of the corporate’s financial statements and to submit the audit report to NCUA along with all communications provided to the corporate by the external auditor. Later, NCUA added additional reporting requirements including that the corporate submit a copy of its annual report to NCUA within 180 days of the end of the calendar year, that the corporate submit to NCUA a copy of any management letter or report issued by its independent public accountant, and that a corporate notify NCUA when filing its annual report late. In addition, NCUA began making a corporate credit union’s annual report available for public inspection.

The proposed rule would eliminate:

  1. the requirements to file a copy of an annual report and any management letter or other report issued by its independent public accountant with the NCUA;
  2. the requirement that NCUA make the annual report available to the public; and
  3. the requirement to file notice of late filing with NCUA.

NASCUS Note:

NCUA’s proposed changes, while providing regulatory relief, are generally procedural. In evaluating the proposed rule for submission of comments, NASCUS encourages stakeholders to consider balance sheet rule changes that could provide corporates with greater flexibility in managing balance sheets in a safe and sound manner and improve the services and benefits corporates provide natural person credit unions.

CFPB Interpretive Rule on Fair Credit Reporting Act; Preemption of State Laws
12 CFR Part 1022

The Consumer Financial Protection Bureau (Bureau) issued an interpretive rule that clarified that the Fair Credit Reporting Act (FCRA) generally preempts State laws that touch on broad areas of credit reporting, consistent with Congress’s intent to create national standards for the credit reporting system.  The new interpretive rule replaces the July 2022 interpretive rule that was withdrawn by the Bureau in May 2025.

The new interpretive rule became effective on October 28, 2025. The rule can be found here.

Summary

The Fair Credit Reporting Act (FCRA) specifies requirements “concerning the creation and use of consumer reports.”  The Bureau notes that the FCRA has always preempted State law, however, the scope of that preemption has changed over time.

The FCRA has preempted state laws “to the extent that those laws are inconsistent with any provision of” the FCRA. Additionally, in 1996, Congress emphasized the national nature of FCRA standards by adding a provision that further preempted any state regulation related to specifically enumerated subjects already regulated by the FCRA. This newly added provision was due to expire in 2004. However, in 2003, Congress made the provision permanent. The primary preemption provision of the FCRA, 15 USC 1681t(b)(1) includes language that preempts areas of state law that were intended to be governed solely by Federal law. The provision specifically prohibits the imposition of state laws regarding any of the subject matters regulated under the subparagraphs of 1681t(b)(1).

In July 2022, the Bureau published an interpretive rule analyzing Section 1681t finding that the provision has a “narrow sweep” that allows for substantial State regulation of consumer reports and consumer reporting agencies. The rule concluded that unless a state law specifically concerned a requirement or obligation addressed in Section 1681t of the FCRA, it was not preempted.

In May 2025, the Bureau withdrew a number of guidance documents including this 2022 interpretive rule. The previous interpretation was withdrawn because it was determined to be unnecessary and did in alignment with the Administration’s goal of reducing compliance burdens. In addition, the Bureau is now issuing this new interpretive rule to clarify that the 2022 interpretation was incorrect. Specifically, the Bureau suggests that the 2022 interpretive rule contradicted the plan text of Section 1681t(b)(1), ignored the legislative history of the preemption clause, and reflected a misguided policy choice that would undermine the credit reporting system and credit markets. The new interpretation was issued to clarify the expectation of Congress that the FCRA create a national credit reporting standard that generally preempts broad state laws on the issue of credit reporting.