Proposed Rule Summary: NCUA Rules & Regulations—Interpretative Ruling and Policy Statement 08-2 and Community Chartering Policies 10-1

NASCUS Proposed Rule Summary
NCUA Rules & Regulations: Interpretative Ruling and Policy Statement 08-2 and Community Chartering Policies 10-1

January 2026

As part of its third phase of the “Deregulation Project,” NCUA is proposing the removal of its rules relating to Interpretive Ruling and Policy Statements Service to Underserved Areas 08-2 and Community Chartering Policies 10-1.

The proposed rules do not apply to Federally Insured State Credit Unions (FISCUs) and may be read in their entirety here: Service to Underserved Areas 08-2 and Community Chartering Polices 10-1.

Comments are due to NCUA by March 16, 2026.

Summary

Interpretive Ruling and Policy Statement (IRPS) 08-2 Service to Underserved Areas and 10-1 Community Chartering Policies are NCUA’s interpretive guidance governing how credit unions may serve underserved areas, including through the expansion of field of membership (FOM) authority.  The policy statements outline the eligibility criteria and parameters for credit unions that seek to demonstrate service to communities that lack adequate access to financial services.

Guidance has historically focused on identifying underserved areas based on economic distress indicators and census-based criteria.  This has provided a framework for federal credit unions to expand services while maintaining safety and soundness.

IRPS 08-2 outlines how credit unions may demonstrate service to underserved areas, including the criteria used to identify communities with limited access to financial services.  IRPS 10-1 addresses the standards and considerations used in evaluating community charter applications, including how geographic areas and community boundaries are defined.

NCUA incorporated the policies originally defined in IRPS 08-2 and IRPS 10-1 into the Chartering Manual in 2010, which now serves as the source for field-of-membership policies and procedures.  Accordingly, the NCUA Board has proposed to eliminate IRPS 08-2 and IRPS 10-1 in their entirety as redundant now that they have been incorporated verbatim in the Federal Credit Union (FCU) Chartering Manual (Part 701 Appendix B).

Key Considerations:

  • No change to the underlying FCU field of membership or chartering obligations. Removal of IRPS 08-2 and IRPS 10-1 would not alter FCU obligations under the applicable statutory or regulatory requirements
  • NCUA would rely on existing statutes to govern service to underserved areas and chartering – the information is housed in NCUA’s Chartering Manual

NASCUS Proposed Rule Summary
NCUA Rules & Regulations Part 748 Catastrophic Act Reporting

December 2025

As part of the second wave of the “Deregulation Project” NCUA is proposing changes to its rules relating to Catastrophic Act Reporting, Part 748.

The proposed rule may be read in its entirety here: Catastrophic Act Reporting.

Comments are due to NCUA by February 27, 2026.

Summary

Part 748 requires a FICU to notify the appropriate NCUA Regional Director within five business days of any catastrophic act that occurs at its office(s). NCUA regulations define a catastrophic act as “any disaster, natural or otherwise, resulting in physical destruction or damage to the credit union or causing an interruption in vital member services, as defined in § 749.1 of this chapter and projected to last more than two consecutive business days.”[1]

Current Rule

  • FICUs are required by Part 748 to:
    • Develop a written security program designed to protect CU physical assets ensure the security and confidentiality of member records from unauthorized access, respond to incidents of unauthorized access and prevent destruction of vital records.
    • Provide notice to the NCUA Regional Director within 5 business days any catastrophic act that occurs at its offices, if projected to cause an interruption in vital member services for more than 2 days.
    • Notify the NCUA of reportable cyber incidents no later than 72 hours after the credit union reasonably believes that it has experienced a reportable cyber incident or has been notified by a 3rd party vendor who has experienced such an incident affecting its members.
    • File Suspicious Activity Reports, if it knows, suspects, or has reason to suspect that a transaction relates to money laundering activity, criminal activity or a violation of the Bank Secrecy Act no later than 30 calendar days from the date of detection.

Proposed Changes

  • Amend § 748.1(b) relative to catastrophic act reporting to:
    • Allow notice to the “NCUA” broadly and not require direct notification to the “NCUA Regional Director”.
    • Extend the notification requirement by a credit union affected by a catastrophic act to within 15 calendar days the event occurs from the current requirement of within 5 business days.
    • Remove the prescriptive list of items that a credit union should include in its internal record of a catastrophic act and replace it with a requirement that a credit union record the basic facts of the event.
  • FICUs remain subject to requirements to:
    • Develop a written security program designed to protect CU physical assets ensure the security and confidentiality of member records from unauthorized access, respond to incidents of unauthorized access and prevent destruction of vital records.
    • Notify the NCUA of reportable cyber incidents no later than 72 hours after the credit union reasonably believes that it has experienced a reportable cyber incident or has been notified by a 3rd party vendor who has experienced such an incident affecting its members.
    • File Suspicious Activity Reports if it knows, suspects, or has reason to suspect that a transaction relates to money laundering activity or a violation of the Bank Secrecy Act no later than 30 calendar days from the date of detection.

Implications for State Credit Unions

  • Reduced Compliance Burden
    • More time to mediate and report catastrophic acts and less prescriptive documentation requirements.
  • Operational Flexibility
    • Ability to focus on recovery and member service restoration before administrative tasks.
  • Alignment with Disaster Recovery Practices
    • Encourages integration with existing business continuity frameworks rather than rigid federal templates.

Implications for State Regulators

  • Coordination with NCUA
    • Centralized reporting may reduce direct interaction with regional offices; regulators should ensure they maintain visibility into catastrophic events affecting state-chartered FICUs.
    • Key concerns on NCUA processes to ensure NCUA communication to State Agencies of notifications received from state-chartered credit unions.
    • Coordination of regional, state or local resources towards responding to a catastrophic event.
  • Monitoring and Oversight Adjustments
    • Extended reporting timeline could delay awareness of operational disruptions; state regulators may consider supplemental notification requirements for state-chartered institutions.
  • Policy Harmonization
    • States may review their own catastrophic event reporting rules to align with NCUA’s less prescriptive approach, balancing burden reduction with supervisory needs.

Key Considerations

  • Risk Management: While burden is reduced, regulators should ensure that extended timelines do not compromise timely risk mitigation.
  • Cybersecurity Integration: NCUA seeks comment on using existing cyber incident reporting tools for catastrophic acts—states may evaluate similar efficiencies.
  • Small Credit Unions: NCUA certifies no significant economic impact; however, state regulators should assess whether smaller institutions need additional guidance under the new flexibility.

[1] 12 CFR 748.1(b). See also12 CFR 749, App. B, Catastrophic Act Preparedness Guidelines. The agency adopted this requirement under 12 U.S.C. 1785(e), which requires the agency to promulgate rules establishing minimum safety standards relating to security.

NASCUS Proposed Rule Summary

NCUA Rules & Regulations Part 740 Accuracy of Advertising and Notice of Insured Status

December 2025

As part of the second wave of the “Deregulation Project” NCUA is proposing changes to its rules relating to Accuracy of Advertising and Notice of Insured Status, Part 740.

The proposed rule may be read in its entirety here: Accuracy of Advertising and Notice of Insured Status.

Comments are due to NCUA by February 27, 2026.

Summary

Part 740 applies to all federally insured credit unions prescribing the requirements for the official sign insured credit unions must display, and the official advertising statement insured credit unions must include in their advertisements. It requires that all advertisements be accurate and also establishes requirements for advertisements of excess share insurance.

Over the years, the NCUA amended these regulations several times. The Board comprehensively revised and streamlined part 740 in a 2003 final rule.[1]  The primary purpose of the 2003 revision was to modernize the regulation for clarity, address the growing use of the internet for member transactions, and clarify the use of trade names in advertising.

In the 2006 final rule[2], the NCUA revised the official sign to reflect statutory changes from the Federal Deposit Insurance Reform Act of 2005, which included adding a statement that insured accounts are backed by the full faith and credit of the United States Government.

A subsequent 2008 final rule provided credit unions with additional flexibility permitting the use of a shortened advertising statement, “Federally insured by NCUA,” or the official sign itself in advertisements.[3]

In a 2011 final rule, the Board made the advertising rules more stringent.[4]  This amendment, among other changes, reduced the time exemption for radio and television advertisements from 30 seconds to 15 seconds. It also introduced the requirement to include the official advertising statement in annual reports and statements of condition, clarified that the statement’s font size in print must be no smaller than the smallest font used for other consumer information, and defined the term “advertisement” for the first time.

However, in a 2018 final rule, the NCUA reversed the 2011 change to the broadcast advertisement exemption to provide regulatory relief and restore parity with regulations for banks insured by the Federal Deposit Insurance Corporation.[5]  

The 2018 rule expanded the radio and television exemption back to 30 seconds and introduced a shorter advertising statement option: “Insured by NCUA.” Most recently, a 2020 final rule made technical corrections to improve clarity.[6]

The NCUA Board is issuing this proposed rule to streamline its regulations governing advertising and the notice of insured status. This proposed rule would eliminate provisions concerning the official advertising statement found in Part 740.5 and remove references to the official advertising statement found in Part 740.0 Scope.

Current Rule

  • FICUs are required to include one of several options of the “official advertising statement” in all covered advertisements.
  • Covered advertisements require mandatory language and graphic requirements unless exempted under Part 740.5(c).

Proposed Changes

  • Remove section 740.5 definitions of the “official advertising statement” and references to the “official advertising statement found in 740.0 Scope, eliminating:
    • The requirement to include an official advertising statement.
    • The required standards for language and/or graphics to meet the official advertisement statement.
  • FICUs remain subject to:
    • Ensuring the accuracy of advertising statements.
    • Requirements to clearly explain the type and amount of excess share insurance and the identity of the carrier and avoid implication of that carriers affiliation with NCUA or the federal government.
    • Requirements for the display of the official NCUA display at all windows/stations where insured account funds or deposits are normally received.

Implications for Federally Insured Credit Unions

  1. Reduced Compliance Burden
    • SCUs will no longer need to include prescribed language in every advertisement.
    • Eliminates complexity around exemptions (e.g., radio/TV spots, promotional items).
    • Frees resources previously dedicated to monitoring ad compliance.
  1. Flexibility in Marketing
    • SCUs can tailor advertising for digital and social media without rigid text requirements.
    • May still include NCUA insurance references voluntarily, provided they are accurate.
  1. No Change to Core Insurance Disclosures
    • Official NCUA sign remains mandatory in physical locations, websites, and mobile banking apps where deposits are taken.
    • Members still receive clear notice of insured status at points of account opening and transaction.

Implications for State Regulators

  • Minimal Impact on Supervisory Role
    • The rule does not alter state authority or examination responsibilities.
    • Oversight of SCUs remains unchanged; NCUA retains authority over insurance disclosures.
    • Deregulatory nature means fewer compliance issues for state regulators to monitor.

Key Takeaways

  • This is a deregulatory proposal aimed at modernizing advertising rules.
  • SCUs gain greater operational flexibility and lower compliance costs.
  • State regulators should note the removal of §740.5 but expect no shift in jurisdiction or responsibilities.
  • Comments on the proposal are invited; and due by February 27, 2026

[1] 68 FR 23382 (May 2, 2003).

[2] 71 FR 36719 (June 28, 2006).

[3]73 FR 56936 (Oct. 1, 2008).

[4] 76 FR 30523 (May 26, 2011).

[5] 83 FR 17913 (Apr. 25, 2018).

[6] 85 FR 62213 (Oct. 2, 2020).

U.S. Department of Treasury Summary: 2024 National Strategy for Combatting Terrorist and Other Illicit Financing

NASCUS Legislative and Regulatory Affairs Department
May 23, 2024

With little fanfare, on May 16, 2024 the U.S. Department of Treasury issued its 2024 National Strategy for Combatting Terrorist and Other Illicit Financing. The document is 55 pages and according to Treasury’s press release, “addresses the key risks from the 2024 National Money Laundering, Terrorist Financing, and Proliferation Financing Risk Assessments.”

The document is extensive and discusses a lengthy list of topics. At a high level, it identifies four “priorities” and 15 “supporting actions” to support the four priorities. Each of the priorities and supporting actions is to support the goals of the U.S. Anti-Money Laundering/Countering Financial Terrorism regime.

The four priority recommendations according to the press release and report are:

  1. 1Close legal and regulatory gaps in the U.S. AML/CFT framework that illicit actors exploit to anonymously access the U.S. financial system by operationalizing the beneficial ownership information registry for law enforcement, national security, and intelligence use; finalizing rules related to the residential real estate and investment adviser sectors; and assessing other sectors that may be vulnerable to illicit finance;
  2. Promote a more effective and risk-focused U.S. AML/CFT regulatory and supervisory framework for financial institutions to make them more efficient and effective in preventing illicit finance by providing clear compliance guidance, sharing information appropriately, and ensuring adequate resourcing for supervisory and enforcement functions;
  3. Enhance the operational effectiveness of law enforcement, other U.S. government agencies, and international partnerships in combating illicit finance so threat actors cannot find safe havens for their operations; and
  4. Realize the benefits of responsible technological innovation in the United States by developing new payments technology, supporting the use of new mechanisms for private sector compliance, and utilizing automation and innovation to find novel ways to combat illicit finance.

The report also includes a graphic that details the primary goals, priorities, and supporting actions.

While these are laudable goals the report also leads one to question how Treasury will accomplish these goals as the document acknowledges the lack of government resources, particularly when it comes to monitoring non-bank financial institutions, which are becoming a much greater focal point.

Final Rule: Corporate Credit Unions (Part 704)

Prepared by NASCUS Legislative & Regulatory Affairs Department
December 2020

NCUA has issued a final rule amending its corporate credit union regulations in § 704. The final rule addresses several provisions of the NCUA’s corporate credit union rule, including:

  • permitting a corporate credit union to make a minimal investment in a credit union service organization (CUSO) without the CUSO being classified as a corporate CUSO pursuant to § 704
  • expanding the categories of senior staff positions at member natural person credit unions (NPCUs) eligible to serve on a corporate credit union’s board
  • amending the minimum experience and independence requirement for a corporate credit union’s enterprise risk management (ERM) expert
  • clarifies the definition of a collateralized debt obligation
  • simplifies the requirement for net interest income modeling

The Final Rule may be read here. The final rule is effective December 14, 2020.   

NCUA’s corporate credit union rule applies to state-chartered corporate credit unions by reference in § 741.206.

Summary

  • Minimal Investment in Natural Person CUSOs

Under the final rule, corporate credit unions will be allowed to make de minimus, non-controlling investment in a NPCU CUSO without that CUSO being classified as a corporate CUSO. Corporate CUSO are subject to much more prescriptive regulations than NPCU CUSOs. For example:

  • permissible activities for a corporate CUSO are more limited than the permissible activities for a NPCU CUSOs
  • corporate CUSOs must agree to give NCUA complete access to personnel, facilities, equipment, books, records, & other documentation that NCUA deems pertinent while NPCU CUSOs must only provide access to its books & records & the ability to review its internal controls
  • corporate CUSOs must provide quarterly financial statements to the corporate credit union whereas NPCU CUSOs must prepare quarterly financial statements, but do not have to provide the statements to FCUs

With this rule change, NPCUs might be more willing to allow small corporate credit union investments into their CUSOs which could benefit NPCUs by opening a new pool of investors and benefit corporates by allowing them to leverage the innovation of NPCU CUSOs.

  • New Definitions – § 704.2

The final rule has several new definitions, including:

  • Consolidate CUSO – any CUSO the assets of which are consolidated with those of the corporate credit union for purposes of reporting under GAAP
  • Corporate CUSO – a CUSO in which one or more corporate credit unions have a controlling interest, defined as:

(1) the CUSO is consolidated on a corporate credit union’s balance sheet;

(2) a corporate credit union has the power, directly or indirectly, to direct the CUSO’s management or policies;

(3) a corporate credit union owns 25% or more of the CUSO’s contributed equity, stock, or membership interests; or

(4) the aggregate corporate credit union ownership of all corporates investing in the CUSO is 50% or more of the CUSO’s contributed equity, stock, or membership interests

  • Credit Union Service Organization (CUSO) – the final rule defines a CUSO as applying to both corporate CUSOs and NPCU CUSOs.

Loans to CUSOs

Under the final rule, a corporate credit union making loans to NPCU or corporate CUSOs must have a board-approved policy that:

  • provides for ongoing control, measurement, and management of CUSO lending
  • includes qualifications and experience requirements for personnel involved in underwriting, processing, approving, administering, and collecting loans to CUSOs
  • establishes the loan approval process, underwriting standards, and risk management processes

In addition, NCUA requires any NPCU CUSO in which a corporate credit union invests or to which a corporate credit union makes a loan must comply with § 712 in its entirety.

Disclosure of Executive Compensation – § 704.19

Section 704.19 currently requires that each corporate credit union annually prepare and maintain a document that discloses the compensation of certain employees, including compensation received from a corporate CUSO. Under the final rule, employee compensation from either a NP CUSO or a corporate CUSO must be reported. Corporate CUSOs are required to report the compensation of a dual employee, however there is no requirement for the NPCU CUSO to report the income, therefore the dual employee is obligated to report the income to the corporate credit union in order for that corporate credit union to meet its reporting obligations.

Corporate Credit Union Board Representation – § 704.14

Currently, NCUA rules require corporate credit union directors hold the following positions as a NPCU: CEO, CFO, COO, treasurer, or manager. The final rule makes this preceding list a set of examples and requires only that the corporate credit union directors hold a senior management position at a NPCU.

Enterprise Risk Management – § 704.21

NCUA has eliminated the prescriptive independence and experience rules related to the required ERM position in corporate credit unions. The final rule also clarifies that the ERM expert may report either to the corporate credit union’s board of directors or to the ERMC. Corporate credit unions now have the flexibility the appropriate level of experience necessary for the position and the reporting structure. The ERM officer and function should be commensurate with the complexity and risk of the corporate credit union. NCUA will evaluate the adequacy of a corporate credit union’s enterprise risk management practices through the supervisory process.

Please select a valid form

The Legislative & Regulatory Affairs Committee (L&R Committee)

Our largest committee, consisting of over 70 members, is comprised of individuals from various segments of our membership, including regulators, credit unions, leagues, and associate members. This committee convenes on the first Wednesday of each month at 3 pm (EST) for a one-hour session to address significant issues facing our system. Additionally, this committee holds in-person meetings during our Annual NASCUS State System Summit (S3).

Furthermore, the committee plays a vital role in reviewing NASCUS comment letters, providing an open forum where any member can raise concerns or issues, and organizing special calls on topics like litigation trends and cryptocurrencies. Importantly, there is no limit on committee membership, and multiple individuals from the same credit union are welcome to participate.

The CDFI, MDI, and LICU Issues Committee

This committee, which is open to all NASCUS members, concentrates on raising awareness about the unique designations within the credit union sector, namely Community Development Financial Institution (CDFI), Minority Depository Institution (MDI), and Low-Income Credit Union (LICU). It also aims to identify advocacy objectives that NASCUS can pursue to enhance the significance of these special designations. The CDFI/MDI/LICU Issues Committee convenes every other month.

The Education Committee

This committee supervises NASCUS’s programs related to professional development, training, and education. It plays a crucial role in suggesting the educational requirements of the credit union system. It assesses NASCUS’s continuous professional development initiatives by examining program agendas, post-conference evaluations, and financial aspects of events. While membership on the Education Committee is available to all membership categories, it is limited to a maximum of eight participants.

If you have additional questions on how to participate with NASCUS Committees, please contact Shellee Mitchell.

Summary of NCUA Letter 23-CU-04: Interagency Policy Statement on Allowances for Credit Losses
(Revised April 2023)

NASCUS Legislative and Regulatory Affairs Department
April 25, 2023

The National Credit Union Administration, the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, and the Federal Deposit Insurance Corporation (collectively, the agencies) are issuing a revised interagency policy statement on allowance for credit losses (ACLs).  The revision is issued in response to changes to U.S. generally accepted accounting principles (GAAP) promulgated by the Financial Accounting Standards Board (FASB) in March 2022.

On June 1, 2020, the agencies published an interagency policy statement[1] related to changes to GAAP as promulgated by the FASB in ASU 2016-13, Financial Instruments – Credit Losses (Topic 326): Measurement of Credit Losses on Financial Instruments.

In March 2022, the FASB further amended Topic 326 with the issuance of ASU 2022-02, Financial Instruments – Credit Losses (Topic 326): Troubled Debt Restructuring and Vintage Disclosures.  ASU 2022-02 eliminates the recognition and measurement accounting guidance for Troubled Debt Restructurings (TDR) by creditors upon adoption of Topic 326.

To maintain conformance with GAAP, the agencies are revising their ACLs policy statement to remove references to TDRs and correct a citation in footnote 4 of the original statement.  No other changes are being made.

The policy statement continues to describe the measurement of expected credit losses in accordance with FASB ASC Topic 326; the design, documentation, and validation of expected credit loss estimation processes, including the internal controls over these processes; the maintenance of appropriate ACLs; the responsibilities of boards of directors and management; and examiner reviews of ACLs and is effective at the time of each institutions adoption of Topic 326[2].

The following policy statements are no longer effective for an institution upon its adoption of FASB Topic 326:

  • The December 2006 Interagency Policy statement on the Allowance for Loan and Lease Losses;
  • The July 2001 Policy Statement on Allowance for Loan and Lease Losses Methodologies and Documentation for Banks and Savings Institutions; and
  • The NCUA’s May 2002 Interpretive Ruling and Policy Statement 02-3, Allowance for Loan and Lease Losses Methodologies and Documentation for Federally Insured Credit Unions.

The aforementioned ALLL Policy Statements will be formally rescinded after FASB Topic 326 is instituted for all institutions.

[1] 85 FR 32991 (June 1, 2020).

[2] As noted in Accounting Standards Update 2019-10, FASB ASC Topic 326 is effective for fiscal years beginning after December 15, 2019, including interim periods within those fiscal years, for public business entities that meet the definition of a Securities Exchange Commission (SEC) filer, excluding entities eligible to be small reporting companies as defined by the SEC. FASB ASC Topic 326 is effective for all other entities for fiscal years beginning after December 15, 2022, including interim periods within those fiscal years. For all entities, early application of FASB ASC Topic 326 is permitted as set forth in ASU 2016-13.

NCUA Final Rule Summary: Cyber Incident Notification Requirements for Federally Insured Credit Unions

NASCUS Legislative and Regulatory Affairs Department
March 7, 2023

At the February 16, 2023, meeting, the NCUA Board approved a final rule amending Part 748 of its regulations to require federally insured credit unions (FICUs) to report an incident to NCUA as soon as possible, but no later than 72 hours after a FICU reasonably believes it has experienced a reportable cyber incident. The notification requirement is intended to be an “early alert” to the NCUA and will not require a FICU to provide a detailed incident assessment within the 72-hour time frame.

The effective date of the final rule is September 1, 2023. The final rule can be found here.

Summary

Background

In July 2022, the Board approved a proposed rule that would require a FICU to notify NCUA of a cyber incident that rises to the level of a reportable cyber incident. The proposed rule would require this notification as soon as possible but no later than 72 hours after a FICU reasonably believes that a reportable cyber incident has occurred.

Shortly before the Board issued the proposed rule, Congress enacted the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (Cyber Incident Reporting Act), requiring covered entities to report covered cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA) not later than 72 hours after the entity reasonably believes that a covered cyber incident has occurred.

While CISA has until 2025 to publish its final rule, the NCUA Board believed “it would be imprudent in light of the increasing frequency and severity of cyber incidents to postpone a notification requirement until after CISA promulgates a final rule.” The Board intends to coordinate with CISA on any future credit union cyber incident reporting to avoid duplicate reporting to both NCUA and CISA.

Final Rule

Definition – Reportable Cyber Incident

The final rule defines a “reportable cyber incident” as any substantial cyber incident that leads to one or more of the following:

  • A substantial loss of confidentiality, integrity, or availability of a network or member information system that results from the unauthorized access to or exposure of sensitive data, disrupts vital member services, or has a serious impact on the safety and resiliency of operational systems and processes.
  • A disruption of business operations, vital member services, or a member information system resulting from a cyberattack or exploitation of vulnerabilities.
  • A disruption of business operations or unauthorized access to sensitive data facilitated through, or caused by, a compromise of a credit union service organization, cloud service provider, or other third-party data hosting provider or by a supply chain compromise.

A “reportable cyber incident” does not include any event where the cyber incident is performed in good faith by an entity in response to a specific request by the owner or operators of the system. For example, contracting with a third-party to conduct penetration testing or e-mail spoofing testing.

Reporting Process

If a reportable cyber incident occurs, Part 748 will now require FICUs to notify the “appropriate NCUA-designated point of contact of the occurrence via email, telephone, or other similar methods that the NCUA may prescribe. NCUA must receive this notification as soon as possible but no later than 72 hours after a FICU reasonably believes that it has experienced a reportable cyber incident, or within 72 hours of being notified by a third-party with whom the credit union has a contractual relationship with, whichever is sooner.

NCUA has indicated additional information will be issued prior to the September 1, 2023, effective date, including more detailed reporting guidance. NCUA also intends to coordinate with state regulators as much as possible.

NASCUS will provide updates as additional information becomes available.

NCUA Letter 23-CU-02 Summary
Expansion of Permissible CUSO Activities and Associated risks

NASCUS Legislative and Regulatory Affairs Department
February 7, 2023

Summary

On November 26, 2021, a final rule amending NCUA Regulation Part 712 – Credit Union Service Organizations (CUSOs)[1] became effective. NASCUS’ summary of the NCUA rule[2] outlines its expansion of the list of permissible activities and services for CUSOs.  The expanded list includes the origination of any type of loan that a Federal Credit Union (FCU) may originate and grants NCUA additional flexibility to approve permissible activities and services.

NCUA Letter 23-CU-02 reminds the industry of published guidance that broadly outlines the responsibility of a credit union to address primary related risks with CUSO relationships, including the various ways the relationship between the CUSO and credit union impacts the risk profile and to ensure consumer financial protection risks from CUSO originated loans are properly addressed.

NCUA guidance published includes:

  • The CUSO provisions of the NCUA Examiners Guide[3];
  • The CUSO Activities portion of the NCUA’s website[4]; and
  • NCUA Rules and Regulations Part 712.5[5] outlining preapproved activities and services for CUSOs.

The relevant guidance found in the NCUA Examiner’s Guide outlines the statutory definition of a CUSO, the impact of CUSO to credit union relationships, investment, and loan limitations, maintenance of entity legal separation, authorized CUSO services, the CUSO registry, associated primary risks, the impact on earnings and net worth of the credit union, appropriate risk management practices and CUSO review procedures.

The CUSO Activities portion on the NCUA website outlines the approval process for requesting additional preapproved CUSO activities that, once approved, will be added to the webpage to authorize any CUSO which desires to engage in those activities with no further NCUA approval necessary.  Currently, no “newly authorized activities” are listed outside those found within Part 712.5.

[1] Available at www.govinfo.gov/content/pkg/FR-2021-10-27/pdf/2021-23322.pdf

[2] Available at https://www.nascus.org/summaries/final-rule-summary-fcu-cusos/

[3] Available at https://publishedguides.ncua.gov/examiner/Content/ExaminersGuide/CUSOs/IntroCUSO.htm

[4] Available at https://www.ncua.gov/regulation-supervision/cuso-activities

[5] Available at https://www.ecfr.gov/current/title-12/chapter-VII/subchapter-A/part-712/section-712.5

NCUA Risk Alert: 23-RA-01 Change to HMDA’s Closed-End Loan Reporting Threshold

 NASCUS Legislative and Regulatory Affairs Department
February 3, 2023

On February 2, 2023, the NCUA Board issued Risk Alert 23-RA-01. The alert addresses a September 23, 2022, order issued by the U.S. District Court for the District of Columbia that vacated a portion of the CFPB’s 2020 HMDA Final Rule that had established a reporting threshold of 100 closed-end mortgage loans.

The decision by the court reverts the threshold for reporting data on closed-end mortgage loans to 25 loans in each of the two preceding calendar years, the threshold previously established by the 2015 HMDA Final Rule.

The NCUA states they recognize credit unions affected by this change may need time to implement or adjust policies, procedures, systems, and operations to achieve compliance with the reporting requirements. Therefore, the NCUA intends to take a flexible supervisory and enforcement approach, similar to that of the CFPB, and not issue enforcement actions or citations for closed-end mortgage loan data collected in 2020, 2021, or 2022. Credit unions can find additional information on HMDA reporting requirements here, including a Reference Chart for HMDA Data Collected in 2022.

Summary re: CFPB Request for Information Regarding Consumer Credit Card Market 

Docket No. CFPB-2023-0009

Section 502(a) of the Credit Card Accountability Responsibility and Disclosure Act of 2009 (CARD Act or Act) requires the Consumer Financial Protection Bureau (CFPB) to conduct a review of the consumer credit card market, within limits of its existing resources available for reporting purposes.  In connection with conducting that review, and in accordance with Section 502(a) of the Act, the CFPB is soliciting information from the public about a number of aspects of the consumer credit card market.

Comments must be received no later than April 24, 2023.  The RFI can be accessed here.

Summary:

The CARD Act was signed into law in May 2009.  The Act was intended to “establish fair and transparent practices related to the extension of credit” in the credit card market. 

Section 502(a) of the CARD act requires the CFPB to conduct a review, within the limits of its existing resources available for reporting purposes, of the consumer credit market every two years.  The CFPB published its last review in September 2021. To inform its next review, the CFPB invites members of the public, including consumers, credit card issuers, industry analysts, consumer groups and other interested parties to submit information and other comments relevant to the questions posed as well as any additional information they believe is relevant to a review of the credit card market.

The CFPB seeks information from members of the public about how the credit card market is functioning. Specifically, the CFPB seeks comments on the experiences of consumers and credit card issuers in the credit card market as well as the overall health of the market.  The Bureau is seeking responses to the specific questions listed below but welcomes commenters to provide any additional information they believe is relevant.

Terms of credit card agreements and the practices of credit card issuers:

  • How have the substantive terms and conditions of credit card agreements or the length and complexity of such agreements changed over the past two years?
  • How have issuers changed their pricing, marketing, underwriting, or other practices?
  • How are the terms of, and practices related to, major supplementary credit card features (such as credit card rewards, deferred interest promotions, balanced transfers, and cash advances) evolving? What are the terms of, practices related to, and prevalence of emerging supplementary credit card features (such as credit card installment plans)?
  • How have issuers’ marketing practices changed since the CFPB reported on the credit card market in 2021? Has this impacted consumers’ ability to comparison shop? If so, in what ways?
  • What practices of credit card issuers may uniquely affect special populations (such as servicemembers and their dependents, low and moderate-income consumers, old Americans, and students)? What are the effects of protections specific to special populations (for example, the Servicemembers Civil Relief Act or the Military Lending Act)? How are these changing and what, if any, trends are evolving?
  • How have practices related to collecting on delinquent and charged-off credit card debt changed over the past two years?
  • Has the use of electronic communication (e.g., email or SMS) by creditors and debt collectors in connection with credit card debt grown or otherwise evolved? If so, in what ways?
  • How are the terms of, and practices related to, partnerships between credit card issuers and merchant partners (such as hospitality, airline, healthcare, and/or retail companies) evolving?

The effectiveness of disclosure of terms, fees, and other expenses of credit card plans 

  • How effective are current disclosures of rates, fees, and other cost terms of credit card accounts in conveying to consumers the costs of credit card plans?
  • What further improvements in disclosure, if any, would benefit consumers and what costs would card issuers or others incur in providing such disclosures?
  • How well are current credit card disclosure rules and practices adapted to the digital environment? What adaptations to credit card disclosure regimes in the digital environment would better serve consumers or reduce industry compliance burden?

The adequacy of protections against unfair, deceptive, or abusive acts and practices relating to credit cards plans 

  • What unfair, deceptive, or abusive acts and practices exist in the credit card market? How prevalent are those acts and practices and what effect do they have? With regard to any unfair, deceptive, or abusive acts and practices that exist in the credit card market, how might any such conduct be prevented and at what cost?

The cost and availability of consumer credit cards

  • How have the cost and availability of consumer credit cards (including with respect to non-prime borrowers) changed since the CFPB reported on the credit card market in 2021?
  • What is responsible for changes (or absence of changes) in cost and availability? Has the impact of the CARD Act on cost and availability changed over the past two years?
  • How, if at all, are the characteristics of consumers with lower credit scores changing? How are groups of consumers in different score tiers faring in the market? How do other factors relating to consumer demographics or financial lives affect consumers’ ability to successfully obtain and use credit cards?

The safety and soundness of credit card issuers

  • What, if any, safety and soundness risks related to the credit cycle are present or growing in this market, and which entities are disproportionately affected by these risks? Has the impact of the CARD Act on safety and soundness changed over the past two years?
  • How have current dynamics related to funding sources (such as asset-backed securities or deposits) for credit card receivables affected issuers’ profitability and lending operations?
  • What changes, if any, in capital markets for credit cards have there been since the last biennial report? How do capital requirements for different types of institutions affect competition in the credit card market or consumer’s access to and cost of credit? How might these trends positively or negatively impact consumers?

The use of risk-based pricing for consumer credit cards

  • How has the use of risk-based pricing for consumer credit cards changed since the CFPB reported on the credit card market in 2021? What has driven those changes or lack of changes? Has the impact of the CARD Act on risk-based pricing changed over the past two years?
  • How have CARD Act provisions relating to risk-based pricing impacted (positively or negatively) the evolution of practices in this market?

Consumer credit card product innovation and competition

  • How has credit card product innovation changed since the CFPB reported on the credit market in 2021? What has driven those changes or lack of changes? Has the impact of the CARD Act on product innovation changed over the past two years?
  • How is the competition in the credit card market changing? How has the CARD Act (positively or negatively) impacted competition between credit card issuers? How, if at all, do these changes and impacts relate to the cost or availability of consumer credit cards?
  • What barriers to entry, if any, exist in the consumer credit market? What obstacles may smaller financial institutions face when launching a credit card product? How are these impediments changing and what, if any, trends are evolving? To what extent are financial institutions adopting “credit card-as-a-service” offerings? How might these changes affect competition, promote innovation, or introduce risk, if at all?
  • How have broader innovations in finance, such as (but not limited to) new products and entrants offering unique features (like rewards redemption for cryptocurrency, environmental causes, and other categories beyond cash-back or points), evolving digital tools, greater availability of and new applications for consumer data, and new technological tools (like machine learning), impacted the consumer credit card market, either directly or indirectly? In what ways do CARD Act provisions encourage or discourage innovation? In what ways do innovations increase or decrease the impact of certain CARD Act provisions, or change the nature of those impacts?
  • How do innovations by firms offering other consumer financial products and services (such as buy-now-pay-later credit, mobile payments, or non-card point-of-sale loans) compete with credit cards, and to what extent do consumers view them as effective alternatives to or substitutes for credit cards?

The Consumer Financial Protection Bureau issued a circular that asked if “persons” that engage in negative option marketing practices violate the prohibition on unfair, deceptive, or abusive acts or practices in the Consumer Financial Protection Act (CFPA).

The circular was issued on January 19, 2023 and can be accessed here.

Summary

The Bureau answered the question affirmatively and noted the circular was issued to reiterate that covered persons and service providers who engage in negative option marketing are required to comply with the Consumer Financial Protection Act (CFPA)’s prohibition on unfair, deceptive, and abusive acts or practices.

The Bureau further emphasizes that its approach to negative option marketing is generally in alignment with the FTC’s approach to Section 5 of the FTC Act as set forth in its recent policy statement.  According to the circular, the phrase “negative option” refers to a term or condition under which a seller may interpret a consumer’s silence, failure to take an affirmative action to reject a product or service, or failure to cancel an agreement as acceptance or continued acceptance of the offer.  The circular notes that negative option programs can cause harm to consumers who do not wish to receive the products/services for which they are charged.  Harm is “most likely to occur when sellers mislead consumers about terms and conditions, fail to obtain consumers’ informed consent or make it difficult to consumers to cancel.”

The Bureau notes that a seller offering a negative option program risks violating the law if the seller (i) misrepresents or fails to clearly and conspicuously disclose the material terms of a negative option program; (ii) fails to obtain consumers’ informed consent; (iii) misleads consumers who want to cancel, erects unreasonable barriers to cancellation, or fails to honor cancellation requests that comply with its promised cancellation procedures.

Failure to Disclose

Sellers may violate the CFPA’s prohibition on deceptive acts or practices if they misrepresent or fail to clearly and conspicuously disclose the material terms of an offer for a product/service with a negative option feature.  Under the CFPA, a representation or omission is deceptive if it is likely to mislead a reasonable consumer and is material.  A “material” representation or omission “involves information that is important to consumers and, hence is likely to affect their choice of, or conduct regarding, a product.”

Consent

Sellers engaged in negative option marketing would likely violate the CFPA where they fail to obtain the consumer’s informed consent before charging the consumer.  Consent will generally not be informed if, for example, a seller mischaracterizes or conceals the negative option feature, provides contradictory or misleading information, or otherwise interferes with the consumer’s understanding of the agreement.

Enforcement

The Bureau has used its authority under the CFPA’s UDAAP provisions to halt a variety of harmful negative option practices.  The Bureau has also relied on other Federal consumer financial laws (such as the Electronic Fund Transfer Act (EFTA) and Regulation E) that it enforces to address certain harmful negative option marketing practices.