NASCUS Summary re: CFPB Executive Summary on Personal Financial Data Rights Final Rule

Nov 2024

The Bureau issued a proposed rule and request for comments in October 2023 regarding implementation of Section 1033, pertaining to consumers’ personal financial data rights, under the Consumer Financial Protection Act (CFPA).  The Bureau issued a finalized rule in October 2024.

The Bureau’s Executive Summary can be found here.


Summary

The final rule requires data providers to make covered data regarding covered financial products and services available to consumers and authorized third parties in an electronic form, subject to a number of requirements. The rule also sets forth criteria a third party must satisfy in order to be an authorized third party, including certifying it will satisfy certain obligations regarding the collection, use and retention of covered data.

Covered Entities: Data Providers

The rule defines data providers as those that control and possess covered data concerning a covered consumer financial product or service obtained from the data provider.  That would include financial institutions, card issuers or any other person that controls or possesses information concerning a covered consumer financial product or service.  Depository institutions that hold total assets at or below the Small Business Administration (SBA) size standard are not required to comply with the final rule.

Covered Consumer Financial Products/Services

Under the final rule, a “covered consumer financial product or service” can be one or more of the following:

  • Regulation E accounts
  • Regulation Z credit card accounts
  • Facilitation of payments from a Regulation E account or Regulation Z credit card excluding products/services that merely facilitate first party payments.

Making Covered Data Available

The final rule requires a data provider to make available to a consumer or authorized third party, upon request, covered data in the data provider’s control or possession concerning a covered consumer financial product or service that the consumer obtained from the data provider.  Data providers are prohibited from taking steps to evade the requirements, including actions that are likely to make the covered data they provide unusable or are likely to prevent, interfere with, or materially discourage a consumer or third party from accessing covered data.

Covered Data is defined as:

  • Transaction information
  • Account balance information
  • Information to initiate payment to or from a Regulation E account
  • Terms and conditions
  • Upcoming bill payment information
  • Basic account verification information

The following information does not fall into the category of “covered data” and data providers are not required to provide this information:

  • Confidential commercial information
  • Information collected by the data provider for the sole purpose of preventing fraud or money laundering, or detecting or making any report regarding other unlawful or potentially unlawful conduct
  • Information required to be kept confidential by any other provision of law
  • Any information that the data provider cannot retrieve in the ordinary course of its business with respect to that information.

Data Access Requirements

The final rule requires a data provider to receive requests for covered data in electronic form from consumers and third parties and to make covered data available in electronic form in response to the requests. The rule does not require a data provider to use any particular technology to satisfy these requirements.  However, the rule does impose the following requirements regarding how a data provider must be able to receive such requests and make covered data available in response to them:

  • Standardized format – covered data must be made available in a standardized and machine-readable format.
  • Commercially reasonable performance – a data provider’s interface for receiving requests from and making covered data available to authorized third parties must perform at a commercially reasonable level.
  • Access caps – a data provider must not unreasonably restrict the frequency with which it receives or responds to requests for covered data through its data interface. Any frequency restrictions must be applied in a manner that is non-discriminatory and consistent with the reasonable written policies and procedures that the data provider establishes and maintains pursuant to the final rule.
  • Access credentials – a data provider must not allow a third party to access covered data using credentials that a consumer uses to access data electronically.
  • Security program – a data provider must apply an information security program that satisfies the applicable rules under the Gramm-Leach-Bliley Act. If the data provider is not subject to the Gramm-Leach-Bliley Act, the program must satisfy the Federal Trade Commission’s Standards for Safeguarding Customer Information.

The rule also prohibits data providers from imposing any fees or charges on a consumer or third party in connection with receiving an electronic request for access to covered data.

Denial of Data Access

A data provider does not violate the general obligation to make covered data available by denying a consumer or third-party access to its data interface if the following two conditions are met:

  • Granting access would be inconsistent with policies/procedures reasonably designed to comply with (i) safety and soundness standards of the data provider’s prudential regulator or (ii) other applicable laws and regulations regarding risk management.
  • The denial is reasonable, meaning it must be directly related to a specific risk of which the data provider is aware and must be applied in a consistent and non-discriminatory manner.

A data provider can deny access to a third party if:

  • The third party does not present any evidence that its data security practices are adequate to safeguard the covered data; or
  • The third party does not make the following information available to the data provider and readily identifiable to members of the public: its legal name; any assumed name it is using while doing business with the consumer; a link to its website; its Legal Entity Identifier (LEI); and contact information a data provider can use to inquire about the third party’s data security and compliance practices.

Responding to Requests

  • The rule requires a data provider to make covered data available through its interface to a consumer when it receives information sufficient to authenticate the identity of the consumer and identify the scope of the data requested.
  • The final rule requires a data provider to make covered data available through its interface to a third party when it receives information sufficient to authenticate the identity of the consumer who authorized the third party to access covered data, authenticates the third party’s identity, documents that the third party has followed the authorization procedures, and identifies the scope of the data requested.
  • A data provider is not required to make covered data available in response to a request when:
    • The data are withheld because an exception applies;
    • The data are not in the data provider’s control or possession;
    • The data provider receives the request when its data interface is not available;
    • The request is from a third party and the consumer’s authorization is no longer valid; or
    • The data provider has not received information sufficient to trigger the obligation to make covered data available in response to the request.
  • A data provider must provide a reasonable method for a consumer to revoke a third party’s authorization to access the consumer’s covered data, provided the method does not violate the prohibition against evasion.

Making Information About the Data Provider Readily Identifiable

The rule requires data providers to make certain information readily identifiable to members of the public and available in both human-readable and machine-readable formats.  This includes the data provider’s legal name, any assumed name it is using while doing business with the consumer, a link to its website, its LEI, contact information that enables a consumer or third party to receive answers to questions about accessing covered data pursuant to the final rule, and documentation sufficient for a third party to electronically access covered data pursuant to the final rule.

In addition, each month, the data provider must disclose to the public certain information about its data interface’s response rate to authorized third party requests for covered data in the previous calendar month.

Policies, Procedures and Recordkeeping for Data Providers

The final rule requires a data provider to have written policies/procedures that are reasonably designed to ensure the data provider:

  • Creates a record of the covered data in its control or possession, which covered data are not made available to authorized third parties through the data provider’s interface pursuant to an exception, and the reasons the exception applies.
  • Creates certain records when it denies an authorized third party’s request for access to the data provider’s interface or a request for information, and provides certain information regarding the denial.
  • Accurately makes covered data available to an authorized third party through its data interface.
  • Retains records that reflect compliance with the final rule.

A data provider must periodically review these policies and procedures and update them as appropriate.  Policies and procedures must be appropriate to the size, nature, and complexity of the data provider’s activities.

Authorized Third Parties, Authorization Procedures, and Authorization Disclosures

  • The final rule requires a data provider to make covered data available to the consumer to whom the data pertain or to an authorized third party.
  • To become an authorized third party, a third party must seek access to covered data from a data provider (on behalf of a consumer) and must follow the authorization procedures set out in the final rule. Specifically, the third party must:
    • Provide the consumer with an authorization disclosure;
    • Provide a statement to the consumer in the authorization disclosure certifying that the third party agrees to certain obligations; and
    • Obtain the consumer’s express informed consent to access covered data on behalf of the consumer by obtaining an authorization disclosure that is signed by the consumer electronically or in writing.
  • The authorization disclosure must include the following:
    • The name of the third party;
    • The name of the data provider that controls or possesses the covered data that the third party seeks to access;
    • A brief description of the product/service the consumer has requested and a statement that the third party will collect, use and retain the consumer’s data only as reasonably necessary to provide that product/service to the consumer;
    • The categories of data that will be accessed;
    • A statement certifying that the third party agrees to certain obligations set forth in the final rule;
    • A brief description of the expected duration of data collection and a statement that collection will not last longer than one year after the consumer’s most recent reauthorization; and
    • A description of the method that the consumer may use to revoke authorization.

Third Party Obligations

Third parties are required to provide a statement to a consumer certifying that the third party will satisfy the following obligations:

  • The third party will limit its collection, use and retention of covered data to what is reasonably necessary to provide the consumer’s requested product/service.
  • The third party will limit the duration of collection of covered data (per authorization) to a maximum period of one year. To continue collection, a new consumer authorization must be obtained.
  • The third party will have written policies/procedures that are reasonably designed to ensure that covered data are accurately received from a data provider and accurately provided to another third party, if applicable.
  • The third party will apply an information security program to its systems for the collection, use and retention of covered data. In most cases this would be the program required under the Gramm-Leach-Bliley Act.  However, if the third party is not subject to the Gramm-Leach-Bliley Act, the program would be required to comply with the Federal Trade Commission’s Standards for Safeguarding Customer Information.
  • The third party will ensure that consumers are informed about the third party’s access to covered data.
  • The third party will provide the consumer with a method to revoke the third party’s authorization.
  • The third party will have written policies/procedures that are reasonably designed to ensure retention of records that are evidence of compliance with the final rule for a reasonable period of time.

Use of Data Aggregators

The final rule allows data aggregators to perform consumer authorization procedures on behalf of third parties seeking access to consumer data.  However, the third party seeking the authorization remains responsible for compliance with the authorization procedures.

Data processors engaged in this process on behalf of a third party are required to certify to the consumer that they will satisfy the third party obligations required under the final rule.

Effective and Compliance Dates

The final rule will become effective 60 days after publication in the Federal Register.  However, compliance with the rule is not required at that time.  A data provider must determine which compliance date is applicable based on its status as a depository or non-depository institution and its size (measured either by total assets for depository institutions or by total receipts for non-depository institutions).

The five possible compliance dates and applicable thresholds are provided below:

  • April 1, 2026
    • Applicable to depository institutions with at least $250 billion in total assets (based on an average of Q3 2023 through Q2 2023 call report submissions)
    • Applies to non-depository institutions that generated at least $10 billion in total receipts (based on calendar year 2023 or 2024)
  • April 1, 2027
    • Applicable to depository institutions with at least $10 billion in total assets but less than $250 billion in total assets (based on an average of Q3 2023 through Q2 2024 call report submissions).
    • Applicable to non-depository institutions that did not generate $10 billion or more in total receipts in both calendar year 2023 and 2024.
  • April 1, 2028
    • Applicable to depository institutions with at least $3 billion in total assets but less than $10 billion in total assets (based on an average of Q3 2023 through Q2 2024 call report submissions).
    • Not applicable to non-depository institutions
  • April 1, 2029
    • Applicable to depository institutions with at least $1.5 billion in total assets but less than $3 billion in total assets (based on an average of Q3 2023 through Q2 2024 call report submissions).
    • Not applicable to non-depository institutions
  • April 1, 2030
    • Applicable to depository institutions with less than $1.5 billion in total assets but more than $850 million in total assets (based on an average of Q3 2023 through Q2 2024 call report submissions).
    • Not applicable to non-depository institutions

NCUA Summary Letter to Credit Unions 24-CU-02
Board of Director Engagement in Cybersecurity Oversight

NASCUS Legislative and Regulatory Affairs Department
October 22, 2024

The NCUA Board has issued its second letter to credit unions of 2024, LTCU 24-CU-02 Board of Director Engagement in Cybersecurity Oversight. The letter specifically addresses credit union boards and CEOs and urges credit union boards to prioritize cybersecurity as a top oversight and governance responsibility.  

In light of the growth and sophistication of information security threats such as “malvertising” and the importance of safeguarding information, the NCUA details four key areas boards of directors should focus on:

  • Training;
  • Approval of Information Security Program;
  • Oversight of Operational Management; and
  • Incident Response Planning and Resilience.

Provide for Recurring Training

The NCUA discusses the need for credit union boards to engage in ongoing education about current cybersecurity threats, trends, and best practices. The letter lists various NCUA resources including web-based training and written guidance. It also discusses the board’s role in ensuring a credit union’s employees receive regular cybersecurity education and emphasizes the importance of a “security-minded culture” to mitigate risk.

Approval of Information Security Program

The letter also reminds directors they must approve and review, at least annually, a comprehensive information security program that meets the requirements of NCUA Part 748.

Oversight of Operational Management

The letter also addresses the board’s responsibility for overseeing a credit union’s management team, placing a key focus on the following cybersecurity areas:

  • Third-Party Due Diligence
  • Embedding Cybersecurity and Operational Resilience into Organizational Culture
  • Resources
  • Vulnerability/Patch Management and Threat Intelligence
  • Audit Function
  • Reporting
  • Protecting and Managing Backups; and
  • Membership Education

Incident Response Planning and Resilience

The letter discusses the importance of credit union boards ensuring that resilience planning is consistent with the NCUA’s Cyber Incident Notification Rule and its requirements, while allowing the credit union to operate effectively during a cyber attack.

LTCU 24-CU-02 states that resilience planning should include the following:

  • Internal and External Communication between the board, members, and regulators.
  • Insurance Considerations that evaluate cybersecurity insurance policies to ensure adequate coverage for potential incidents.
  • Identifying an Incident Response Team of key personnel prepared to take immediate action in the event of a cyber incident.
  • Conducting regular Tabletop Exercises to simulate cyber incident scenarios.

Finally, the letter encourages boards to consult the NCUA’s cybersecurity resources page for additional information.

National Credit Union Administration: Simplification of Share Insurance Rules

NASCUS Legislative and Regulatory Affairs Department
October 4, 2024

On September 19, 2024, the NCUA Board unanimously approved a final rule amending its share insurance regulations. The rule simplifies the regulations by establishing a “trust accounts” category. The changes also increase consistency between the FDIC’s Federal deposit insurance rules and the NCUA’s share insurance rules.

The final rule is effective December 1, 2026, except for a handful of amendments, including those on recordkeeping, which are effective October 30, 2024.

Summary

The final rule amendments include (1) merging the revocable and irrevocable trust categories into one category, (2) applying a simpler common calculation method to determine insurance coverage for funds held by revocable and irrevocable trusts, and (3) eliminating certain requirements found in the current rules for revocable and irrevocable trusts.

Merger of Revocable and Irrevocable Trust Categories

The final rule amends §745.4 of the NCUA’s regulations, which currently applies only to revocable trust accounts. The amendment establishes a new “trust accounts” category that includes both revocable and irrevocable trust accounts with funds deposited at a Federally Insured Credit Union (FICU). The final rule defines funds that will be included in this category as:

  1. Informal revocable trust funds (e.g., payable-on-death accounts, in-trust-for accounts, and Totten trust accounts);
  2. Formal revocable trust funds, defined as funds held pursuant to a written revocable trust agreement under which funds pass to one or more beneficiaries upon the grantor’s death; and
  3. Irrevocable trust funds, e.g., funds held under an irrevocable trust established by written agreement or by statute.

The merger of the two categories eliminates §745.4(h) – (i), simplifying the determination of share insurance coverage upon the death of a formal revocable trust owner. Coverage for both irrevocable and formal revocable trusts will fall under the same category, and the amount of share insurance coverage will remain the same.

Calculation of Coverage

The final rule utilizes a streamlined calculation to determine the amount of share insurance coverage for funds in both trust account categories. The adopted calculation is already used by the NCUA to calculate coverage for revocable trusts that have five or fewer beneficiaries. The final rule will provide coverage for trust funds at each FICU up to a total of $1,250,000 per grantor. This means each grantor’s insurance limit will be $250,000 per beneficiary up to a maximum of five beneficiaries.

Aggregation of Funds

The final rule aggregates a grantor’s revocable and irrevocable trust accounts for purposes of share insurance coverage. For example, all revocable and irrevocable trusts held for the same grantor at the same FICU will be aggregated, and the grantor’s insurance limit will be determined by the number of eligible and unique beneficiaries identified among all of their trust accounts.  Share insurance coverage for “trust accounts” will remain separate from the coverage provided for other funds held in non-trust accounts.

Eligible Beneficiaries

The final rule uses a single definition to determine beneficiary eligibility. As proposed, it will exclude from the calculation of share insurance coverage beneficiaries who would obtain an interest in a trust only if one or more named beneficiaries are deceased.

Removal of the Appendix to Part 745

The final rule removes the appendix to part 745, which provides examples of share insurance coverage. Instead, the NCUA plans to update its “Your Insured Funds” brochure to reflect the amendments to part 745.

Mortgage Servicing Accounts

Under the final rule, accounts maintained by a mortgage servicer in an agency, custodial, or fiduciary capacity, which consist of payments of principal and interest, will be insured for the cumulative balance paid into the account to satisfy principal and interest obligations to the lender, whether paid directly by the borrower or by another party, up to the limit of the standard maximum share insurance amount (SMSIA) per mortgagor. Mortgage servicers’ advances of principal and interest funds on behalf of delinquent borrowers will be insured up to the SMSIA per mortgagor, consistent with the coverage rules for payments of principal and interest collected directly from borrowers.

Liquidations

By merging the requirements for revocable and irrevocable trusts, the final rule also provides the NCUA with additional flexibility in determining share insurance coverage in instances where a credit union is liquidated. The changes reduce the time needed to identify beneficiaries and eliminate the need to review multiple differing requirements for coverage.

NASCUS Summary re: CFPB Proposed Rule/Request for Comments on Remittance Transfers under the Electronic Fund Transfer Act (Regulation E)
12 CFR Part 1005

The Consumer Financial Protection Bureau (CFPB) proposes a narrowly tailored amendment to certain remittance transfer disclosure requirements in the remittance rule in Regulation E to ensure consumers sending a remittance transfer have information about the types of inquiries that may be most efficient to direct to the CFPB and the State agency that licenses or charters their remittance transfer provider.

Comments must be received by November 4, 2024 and the proposal can be found here.


Summary

The Electronic Fund Transfer Act (EFTA) provides a basic framework for rights, protections, liabilities and responsibilities of consumers and providers in electronic fund transfer systems and remittance transfers.  Section 919 of the EFTA requires remittance transfer providers to make certain disclosures to senders of remittance transfers.  Under the current rule, remittance transfer providers are required to make disclosures including a statement about the rights of the sender regarding the resolution of errors and cancellation; the contact information of the remittance transfer provider; and a statement that the sender can contact the State agency that licenses or charters the remittance transfer provider with respect to the remittance transfer and the Consumer Financial Protection Bureau for questions/complaints about the remittance transfer provider.

The CFPB proposes amending the disclosure requirements and corresponding model forms to direct a remittance sender to contact the State licensing agency and the CFPB if the sender has unresolved problems with the remittance transfer or complaints about the remittance transfer provider.  According to the Bureau, this amendment is intended to make the process more efficient by making it clear who should be the initial point of contact in each situation.

In addition, the CFPB proposes to make a remittance transfer provider’s contact information more prominent and easier for consumers to locate.  The proposed rule would update the remittance transfer provider contact information in the header of the model forms by adding the remittance transfer provider’s phone number and website.  The proposal would also update the model forms for receipts and combined disclosures.

Comments Requested

The CFPB seeks comment on whether the proposed changes will provide helpful information to senders and what, if any, impact these proposed changes may have on consumers, remittance transfer providers, and State licensing agencies.

Financial Crimes Enforcement Network Summary

Financial Trend Analysis: Mail Theft-Related Check Fraud: Threat Pattern & Trend Information

NASCUS Legislative and Regulatory Affairs Department
September 11, 2024

FinCEN’s latest Financial Trend Analysis focuses on mail theft-related check fraud incidents based on data collected from February 27 to August 31, 2023. On February 27, 2023, FinCEN had issued an alert addressing a surge in nationwide mail theft-related check fraud schemes targeting the U.S. Mail.  The trend analysis examined BSA reports filed with the key term “FIN-2023-MAILTHEFT” provided in the alert.  During the review period, FinCEN received 15,417 BSA reports related to mail theft-related check fraud associated with more than $688 million in transactions, including actual and attempted transactions.


Summary

FinCEN’s analysis details three primary outcomes from perpetrators after stealing checks from the U.S. Mail.

  1. Perpetrators altered and deposited checks;
  2. Perpetrators used stolen checks to create counterfeit checks; and
  3. Perpetrators fraudulently signed and deposited checks.

The analysis also found that banks filed 88 percent of all mail theft-related check fraud reports, with 44 percent of filings submitted by the largest banks. Small to medium-sized banks filed the majority of reports.  The analysis found that credit unions and securities firms combined filed only 1,767 reports, or 11.5 percent of the total reports filed during the review period.

The analysis also identified that checks were most frequently altered and negotiated after theft.  Counterfeiting of stolen checks was the next most frequent outcome, with stolen checks used as a template to produce counterfeits. Finally, the third most common outcome was perpetrators fraudulently signing and depositing checks. According to the reports analyzed, altered checks accounted for 44 percent of BSA reports, counterfeit checks accounted for 26 percent, and fraudulently signed checks accounted for 20 percent.

Criminals primarily utilized methods that avoided human contact, including depositing checks via remote deposit capture (RDC) or at ATMs and opening accounts online rather than in person.

Check Manipulation Methodologies Identified

The analysis also identified several methodologies used to alter, counterfeit, or fraudulently sign checks that ranged in levels of sophistication.

Unsophisticated Methodologies

  • Fraudulently endorsing a check without modifying any information on the check
  • Altering the payee or dollar amount without washing the check; and
  • Third-party payment with no check modifications: attempting to make the check appear as though the intended party signed it over to them

Moderately Sophisticated Methodologies

  • Check washing
  • Selling information from a stolen check online: dark web marketplaces or online forums
  • Using compromised check information to create counterfeit checks; and
  • Stealing newly ordered checks from the mail.

Sophisticated Methodologies

  • New account fraud: fraudsters opening new accounts, typically online, specifically designed to negotiate stolen checks
  • Mail theft-related check fraud as part of a larger scam, mainly romance and employment scams
  • Insider involvement: sophisticated operations have enlisted insider assistance at financial institutions or the USPS.

Appendix A to the analysis includes mapping of BSA report subjects and branch location activity by state. It also identifies areas where mail check fraud was the most prominent.

Financial Data Transparency Act Joint Data Standards
Federal Banking Agencies

NASCUS Legislative and Regulatory Affairs Department
September 6, 2024 

The OCC, FRB, FDIC, NCUA, CFPB, FHFA, CFTC, SEC, and Treasury (Agencies) have issued a proposed rule establishing data standards for certain information collections submitted to the Agencies. The proposed rule is required by the Financial Data Transparency Act (FDTA) of 2022. The proposal would promote interoperability of financial regulatory data across the Agencies through the establishment of data standards for identifiers of legal entities and other common identifiers.

Comments on the proposed rule are due October 21, 2024.


Summary

Section 5811 of the FDTA amends subtitle A of the Financial Stability Act (FSA) of 2010 by adding a new section 124. The new section directs the federal agencies to jointly issue regulations establishing data standards for:

  1. Certain collections of information reported to each Agency by financial entities under each Agency’s jurisdiction; and
  2. The data collected from the Agencies on behalf of the Financial Stability Oversight Council (FSOC).

Collection of Information

The proposal would establish joint standards for collections of information reported to each agency. The FDTA does not define “collections of information” and instead references the Paperwork Reduction Act (PRA) definition: “obtaining, causing to be obtained, soliciting, or requiring the disclosure to third parties or the public, of facts or opinions by or for an agency, regardless of form or format, calling for either –

  • Answers to identical questions posed to, or identical reporting or recordkeeping requirements imposed on, ten or more persons, other than agencies, instrumentalities, or employees of the United States; or
  • Answers to questions posed to agencies, instrumentalities, or employees of the United States which are to be used for general statistical purposes.

The proposal indicates that the PRA definition is widely understood by the Agencies and by public stakeholders, and that all approved and pending PRA collections of information have been categorized and are accessible to the Agencies and the public.

Legal Entity Identifier

Section 124 requires the joint standards to include “a common nonproprietary legal entity identifier that is available under an open license for all entities required to report to” the Agencies. The Proposal would establish International Organization for Standardization (ISO) 17442 – Financial Services – the Legal Entity Identifier (LEI) as the legal entity identifier joint standard. The LEI is a global, 20-character, alphanumeric identifier standard that uniquely identifies a legal entity. The LEI is nonproprietary and is made publicly available by the Global LEI Foundation under an open license, free of charge to any interested user.

The proposed rule notes that it would not itself require any particular entity to obtain an LEI and incur the associated costs; any such requirement would be determined by the Agency-specific rulemakings.

Other Common Identifiers

In addition to the LEI, the proposed rule would identify the following identifiers in the joint standards:

  • UPI and CFI. For swaps and securities-based swaps, the proposal would identify ISO 4914 – Financial services — Unique product identifier (UPI) as a standard. The UPI already is used in the derivatives markets. For other types of financial instruments, the Proposal would identify the ISO 10962 – Securities and related financial instruments — Classification of financial instruments (CFI) code.
  • FIGI. For an identifier of financial instruments, the proposal would establish the Financial Instrument Global Identifier (FIGI) as the standard. The FIGI is an international identifier for all classes of financial instruments including, but not limited to, securities and digital assets. It is a nonproprietary identifier available under an open license globally. The FIGI also is intended to fill a gap for asset classes that do not normally have a global identifier, including loans.
  • Date. For date fields, the proposal would establish the date as defined by ISO 8601 using the Basic format option as the standard. The order of the elements used to express date and time in ISO 8601 is year, month, day, hour, minutes, seconds, and milliseconds. For example, September 27, 2022 at 6 p.m. is represented as 2022-09-27 18:00:00.000. The Agencies mention that consistent representation of dates may help facilitate data integration and interoperability across diverse collections.
  • State. For identification of a state, possession, military “state” of the United States of America, or a geographic directional, the Proposal would require the US Postal Service Abbreviations, as published in Appendix B of Postal Addressing Standards, Mailing Standards of the United States Postal Service. The Agencies mention that, compared to alternative numeric state codes, this proposed standard is both human- and machine-readable and is more widely used.
  • Countries. The proposal would establish the country codes with the code(s) for subdivisions, as appropriate, as defined by the most recent version of Geopolitical Entities, Names, and Codes (GENC). GENC is the US government’s implementation of the ISO 3166 international country code standard and reflects requirements unique to US foreign policy.
  • Currencies. The proposal would establish the alphabetic currency code as defined by ISO 4217 Currency Codes. The Agencies mention that these internationally recognized codes are widely implemented and used and are incorporated into many other data standards, so this standard would support interoperability, enable clarity, and reduce errors.
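As an added illustration (not code from the Agencies or from NASCUS), the following Python checks a reporting record against four of the proposed joint identifier standards listed above: the ISO 17442 LEI, including its ISO 7064 MOD 97-10 check digits; an ISO 8601 date in either the basic form or the extended form shown in the Agencies’ example; the USPS two-letter state abbreviations; and the shape of an ISO 4217 alphabetic currency code. The record layout, field names and the 18-character LEI prefix are constructed assumptions, and the currency check verifies format only because the full ISO 4217 table is not embedded.

```python
"""Validate a reporting record against the FDTA proposal's joint identifier
standards (added example with a hypothetical record layout, not Agency code)."""
import re
from datetime import datetime
from typing import List, Optional

# ISO 17442 LEI: 18 upper-case alphanumerics followed by two check digits
# computed with ISO 7064 MOD 97-10 (letters map A=10 ... Z=35).
LEI_RE = re.compile(r"[A-Z0-9]{18}[0-9]{2}")


def _lei_as_integer(lei: str) -> int:
    # int(c, 36) maps '0'-'9' to 0-9 and 'A'-'Z' to 10-35, which is exactly
    # the substitution MOD 97-10 applies before taking the remainder.
    return int("".join(str(int(c, 36)) for c in lei))


def lei_check_digits(prefix18: str) -> str:
    """Return the two check digits that complete an 18-character LEI prefix."""
    if not re.fullmatch(r"[A-Z0-9]{18}", prefix18):
        raise ValueError("LEI prefix must be 18 upper-case alphanumerics")
    remainder = _lei_as_integer(prefix18 + "00") % 97
    return f"{98 - remainder:02d}"


def is_valid_lei(lei: str) -> bool:
    """True when the LEI has the right shape and its check digits verify."""
    return bool(LEI_RE.fullmatch(lei)) and _lei_as_integer(lei) % 97 == 1


# ISO 8601 basic format (no separators) plus the extended form used in the
# Agencies' example ("2022-09-27 18:00:00.000"); most specific patterns first.
ISO8601_FORMATS = (
    "%Y%m%dT%H%M%S.%f", "%Y%m%dT%H%M%S", "%Y%m%d",
    "%Y-%m-%d %H:%M:%S.%f", "%Y-%m-%dT%H:%M:%S", "%Y-%m-%d",
)


def parse_iso8601(value: str) -> Optional[datetime]:
    """Parse an ISO 8601 date/time; None when no accepted form matches."""
    for fmt in ISO8601_FORMATS:
        try:
            return datetime.strptime(value, fmt)
        except ValueError:
            continue
    return None


# USPS two-letter abbreviations (states, DC, territories, freely associated
# states and the military "states" AA/AE/AP), transcribed from Appendix B.
USPS_STATE_CODES = frozenset("""
AL AK AZ AR CA CO CT DE FL GA HI ID IL IN IA KS KY LA ME MD MA MI MN MS MO
MT NE NV NH NJ NM NY NC ND OH OK OR PA RI SC SD TN TX UT VT VA WA WV WI WY
DC AS GU MP PR VI FM MH PW AA AE AP
""".split())

# ISO 4217 alphabetic codes are three upper-case letters; shape check only.
CURRENCY_RE = re.compile(r"[A-Z]{3}")


def validate_record(record: dict) -> List[str]:
    """Return field-level problems; an empty list means the record passes."""
    problems = []
    if not is_valid_lei(record.get("lei", "")):
        problems.append("lei: not a valid ISO 17442 LEI (shape or check digits)")
    if parse_iso8601(record.get("as_of_date", "")) is None:
        problems.append("as_of_date: not an ISO 8601 date")
    if record.get("state") not in USPS_STATE_CODES:
        problems.append("state: not a USPS two-letter abbreviation")
    if not CURRENCY_RE.fullmatch(record.get("currency", "")):
        problems.append("currency: not an ISO 4217 alphabetic code")
    return problems


# Constructed sample record (hypothetical layout; LEI prefix is a sample value
# whose check digits are computed here rather than looked up).
SAMPLE_RECORD = {
    "lei": "5493001KJTIIGC8Y1R" + lei_check_digits("5493001KJTIIGC8Y1R"),
    "as_of_date": "2022-09-27 18:00:00.000",
    "state": "VA",
    "currency": "USD",
}

if __name__ == "__main__":
    print(SAMPLE_RECORD["lei"], validate_record(SAMPLE_RECORD))
    # A single corrupted check digit and a lower-case state code both fail.
    bad = dict(SAMPLE_RECORD, lei=SAMPLE_RECORD["lei"][:-1] + "3", state="Va")
    print(validate_record(bad))
```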

Data Transmission and Schema and Taxonomy Format Standards

The Proposal would set forth four properties for the data transmission and schema and taxonomy formats used by the Agencies. Specifically, the Agencies propose that the schema and taxonomy formats will, to the extent feasible:

  • Render data fully searchable and machine-readable;
  • Enable high-quality data through schemas, with accompanying metadata documented in machine-readable taxonomy or ontology models, that clearly define the semantic meaning of the data, as defined by the underlying regulatory information collection requirements, as appropriate;
  • Ensure that a data element or data asset that exists to satisfy an underlying regulatory information collection requirement be consistently identified as such in associated machine-readable metadata; and
  • Be nonproprietary or available under an open license.

The Proposal states that establishing the joint standards as a list of principles rather than any specific data transmission or schema formats will provide the Agencies with flexibility in selecting their data transmission or schema format data standards while promoting interoperability and allowing for adaptability to new technological developments. For example, the existing data transmission and schema formats associated with the Call Report, including XML and XBRL, satisfy these principles and would be compliant.

The Proposal notes that final standards established pursuant to this rulemaking will be adopted later for certain collections of information in separate rulemakings by the Agencies or through other actions taken by the Agencies. Regulated financial entities should begin to consider how they would comply with the proposed joint standard and identify any potential compliance problems with the standards identified in the Proposal.

NASCUS Summary re: CFPB Advisory Opinion on TILA/Reg Z Protections for Home Sales Financed Under Contracts for Deed

12 CFR Part 1026

The Consumer Financial Protection Bureau (CFPB) issued an advisory opinion that affirms the current applicability of TILA and its implementing regulations (under Regulation Z) to transactions in which a consumer purchases a home under a “contract for deed.”

The advisory opinion is effective as of August 23, 2024 and can be found here.


Summary

  • TILA protects consumers engaged in credit transactions by requiring creditors to disclose information about the costs and terms of the credit and, where the credit is secured by the consumer’s dwelling, by providing additional protections. The CFPB previously identified certain contracts for deed as consumer credit under the Consumer Financial Protection Act (CFPA). This opinion clarifies how the CFPB understands the current application of TILA and Regulation Z to contracts for deed.

Characteristics of Contracts for Deed

  • A contract for deed is a type of home loan with several key features. In a typical contract for deed, the homebuyer agrees to make periodic payments to the home seller, and the seller retains the deed to the property until the loan is paid in full. Loan terms vary but often range from 5 to 30 years and may include balloon payments. Properties are often purchased “as is” without inspection or appraisal. During repayment, the buyer has the exclusive right to occupy the home and often assumes many of the responsibilities of homeownership, including paying for taxes, insurance, home maintenance and repairs.
  • Such contracts also contain a “forfeiture clause” that can be triggered if the borrower fails to meet the terms of the contract. When this clause is triggered, the seller retakes possession of the property and the buyer forfeits the entire investment (including downpayment, principal payments and any increase in home equity). Forfeiture clauses can be activated by a missed payment or by breaches unrelated to payment status (such as when a borrower fails to pay taxes, is unable to obtain or maintain insurance, or does not make improvements to the property within a specified timeframe). Some states restrict forfeiture and require foreclosure, while others have allowed “virtually unrestricted use of forfeiture clauses.”

Application of the term “debt” to contracts for deed

  • TILA’s definition of credit includes the typical contract for deed. Regulation Z defines “credit” as the right granted by a creditor to a debtor to defer payment of a debt or to incur debt and defer its payment. The opinion states that this understanding of “debt” applies to contracts for deed.
  • In a typical “contract for deed” transaction, a debt is created when the buyer receives exclusive possession of the property, along with certain ownership obligations, at the outset of the transaction in exchange for the obligation to repay the agreed-upon value of the property over time. In exchange for these rights granted in the property, the purchaser agrees to complete payment on a deferred basis. The contractual obligation to repay the agreed-upon value of the property according to the terms of the contract constitutes a debt under TILA. Where the property acquired under a contract for deed is purchased by a consumer primarily for personal, family or household purposes, the transaction is considered closed-end consumer credit under Regulation Z.
  • In addition, several provisions of TILA and Regulation Z apply specifically to credit transactions secured by the consumer’s dwelling or by real property. Under TILA, a “residential mortgage loan” includes “any consumer credit transaction that is secured by a mortgage, deed of trust, or other equivalent consensual security interest on a dwelling or on residential real property that includes a dwelling, other than an open-ended consumer credit transaction.”

TILA Creditors

  • For a transaction to be covered by TILA, the seller must be a creditor. Whether a seller should be considered a creditor turns on whether the seller extends credit, the characteristics of the credit, and the frequency with which the seller engages in such transactions.
  • According to the CFPB, the following must be satisfied for the seller to be considered a creditor:
    • The credit extended must be either subject to a finance charge or payable by a written agreement in more than four installments;
    • The obligation must be initially payable to the person, either on the face of the note or contract or by agreement when there is no note or contract, in order for that person to be considered a creditor; and
    • The creditor must be a person that regularly extends credit. In general, a person that extended consumer credit more than 25 times, or more than 5 times for transactions secured by a dwelling, in the preceding calendar year is a creditor under TILA.

NASCUS Summary re: Interagency Guidance on Reconsiderations of Value for Residential Real Estate Valuations
12 CFR Chapter X

The Fed, CFPB, FDIC, NCUA and OCC issued final guidance that highlights risks associated with deficient residential real estate valuations and describes how financial institutions may incorporate reconsiderations of value (ROV) processes and controls into established risk management functions. The final guidance also provides examples of policies and procedures that a financial institution may choose to implement to help identify, address, and mitigate the risk of discrimination impacting residential real estate valuations.

The guidance became effective on July 26, 2024 and can be found here.


Summary

The guidance is intended to highlight risks associated with deficient residential real estate valuations, describe how financial institutions may incorporate ROV processes and controls into risk management functions, and provide examples of ROV policies and procedures that institutions may choose to implement.  Prior to this issuance, the agencies had not (collectively) issued guidance specific to the ROV process.

The regulatory framework permits financial institutions to implement reconsideration of value (ROV) policies, procedures and control systems that allow consumers to provide, and the financial institution to review, relevant information that may not have been considered during the appraisal or evaluation process.

A reconsideration of value (ROV) request made by the financial institution to the appraiser or other preparer of the valuation report encompasses a request to reassess the report based upon deficiencies or information that may affect the value conclusion. The financial institution may request an ROV as a result of its own valuation review activities or after considering information received from a consumer through a complaint or a request to the loan officer or other lender representative.

A reconsideration of value (ROV) request may include consideration of comparable properties not previously identified, property characteristics, or other information about the property that may have been incorrectly reported or not previously considered, which may affect the value conclusion.  To resolve deficiencies, including those related to potential discrimination, financial institutions can communicate relevant information to the original preparer of the valuation, and, when appropriate, request an ROV.

Financial institutions are advised to capture consumer feedback regarding potential valuation deficiencies through existing complaint resolution processes.

Appropriate policies, procedures, and control systems can adequately address the monitoring, escalating, and resolving of complaints including a determination of the merits of the complaint and whether a financial institution should initiate an ROV.  The guidance provides a list of examples of risk-based ROV related policies, procedures, control systems and complaint resolution processes that identify, address, and mitigate the risk of deficient valuations, including valuations that involve prohibited discrimination.

National Credit Union Administration Incentive-Based Compensation Arrangements

NASCUS Legislative and Regulatory Affairs Department
August 2024

On July 18, 2024, the NCUA Board, in a 2 to 1 vote, issued a joint proposed rulemaking related to incentive-based compensation arrangements. The joint rulemaking includes the FDIC, OCC, and FHFA (Agencies).  The rulemaking is a “re-proposal” of an earlier proposed rule by the agencies in 2016. [1]

The Board of Governors of the Federal Reserve System and the U.S. Securities and Exchange Commission have not approved the joint rulemaking yet. Once all six agencies adopt the notice of proposed rulemaking, it will be published in the Federal Register with a comment period of 60 days following publication.

Agencies will consider comments received in response to the 2016 proposed rule and any comments received in response to this re-proposal when determining how to implement section 956 of the Dodd-Frank Act.

NCUA is accepting comments on the proposed rule until September 16, 2024.


Summary

Covered Entities and Individuals

The proposed rule, like that of the 2016 rule, divides credit unions (and other covered entities) into three categories:

  • Level 1 (greater than or equal to $250 billion);
  • Level 2 (greater than or equal to $50 billion and less than $250 billion); and
  • Level 3 (greater than or equal to $1 billion and less than $50 billion).

While most of the proposed rule applies only to Level 1 and 2 entities, NCUA reserves the authority to require a Level 3 credit union to comply with provisions intended for the larger Level 1 & 2 credit unions.

The rule would apply to any “senior executive” or “significant risk taker” (Level 1 & 2 credit unions only) who receives incentive-based compensation.


Disclosure and Recordkeeping Requirements

All Level 1 and 2 credit unions would be required to create annually and maintain for at least seven years records that document:

  1. Senior executive officers and significant risk-takers, listed by legal entity, job function, organizational hierarchy, and line of business;
  2. Incentive-based compensation arrangements for senior executive officers and significant risk-takers, including information on the percentage of incentive-based compensation deferred and form of award;
  3. Any forfeiture and downward adjustment or clawback reviews and decisions for senior executive officers and significant risk-takers; and
  4. Any material changes to the covered institution’s incentive-based compensation arrangements and policies.

Deferral, Forfeiture and Downward Adjustment, and Clawback Requirements (Level 1 and 2 only)

Deferral

For Level 1 and 2 credit unions, deferral requirements would apply to significant risk-takers and senior executive officers, and would require 40, 50, or 60 percent deferral depending on the size of the covered institution and whether the covered person receiving the compensation was a senior executive officer or significant risk-taker. Deferral periods range from one to four years depending on the type of compensation arrangement, the size of the credit union, and whether the covered person receiving the compensation was a senior executive officer or significant risk-taker.

Forfeiture and Downward Adjustment

A covered credit union would be required to make subject to forfeiture all unvested deferred incentive-based compensation of any covered person, including unvested deferred amounts awarded under long-term incentive plans.

A covered credit union would also be required to make subject to downward adjustment all incentive-based compensation amounts not yet awarded to any covered person for the current performance period, including amounts payable under long-term incentive plans.

A covered credit union would be required to consider forfeiture or downward adjustment if any of the following adverse outcomes occurred:

  • Poor financial performance attributable to a significant deviation from the credit union’s risk parameters set forth in the credit union’s policies and procedures;
  • Inappropriate risk-taking, regardless of the impact on financial performance;
  • Material risk management or control failures;
  • Non-compliance with statutory, regulatory, or supervisory standards resulting in enforcement or legal action brought by a federal or state regulator or agency, or a requirement that the credit union report a restatement of a financial statement to correct a material error; and
  • Other aspects of conduct or poor performance as defined by the credit union.

Clawback Provisions

Covered credit unions would be required to include clawback provisions in the incentive-based compensation arrangements for senior executive officers and significant risk-takers that allow the credit union to recover incentive-based compensation from a current or former covered person for seven years following the date on which such compensation vests, if the credit union determines the covered person engaged in misconduct that resulted in significant financial or reputational harm to the credit union, fraud, or intentional misrepresentation of information used to determine the covered person’s incentive-based compensation.


Additional Prohibitions (Level 1 and 2 only)

  • Hedging: Level 1 or 2 credit unions would be prohibited from purchasing a hedging instrument on behalf of a covered person to hedge or offset any decrease in value of the covered person’s incentive-based compensation.
  • Maximum incentive-based compensation opportunity (leverage): Level 1 or 2 credit unions would be prohibited from awarding incentive-based compensation to a senior executive officer in excess of 125 percent of the target amount for that incentive-based compensation. For a significant risk-taker the amount would be 150 percent of the target amount.
  • Relative performance measures: Level 1 or 2 credit unions would be prohibited from providing incentive-based compensation to a covered person based solely on transaction revenue or volume without regard to transaction quality or compliance with sound risk management.

Risk Management and Controls

The proposed rule would require all Level 1 and 2 credit unions to have a risk management framework for their incentive-based compensation programs that is independent of any lines of business, including an independent compliance program, and is commensurate with the size and complexity of the credit union’s operations.  Level 1 and 2 credit unions would be required to:

  • Provide individuals in control functions with the appropriate authority to influence the risk-taking of the business areas they monitor, and ensure covered persons engaged in control functions are compensated in accordance with the achievement of performance objectives linked to their control functions and independently of the performance of the business areas they monitor; and
  • Provide for independent monitoring of:
    • Incentive-based compensation plans to identify whether the plans appropriately balance risk and reward;
    • Events related to forfeiture and downward adjustment and decisions of forfeiture and downward adjustment reviews to determine consistency with the proposed rule; and
    • Compliance of the incentive-based compensation program with the credit union’s policies and procedures.

Governance

The proposed rule would require Level 1 or 2 credit unions to establish a compensation committee composed solely of directors who are not senior executive officers. The committee would be required to:

  • Obtain input from the credit union risk and audit committees, risk management function, and include an independent written risk assessment.
  • Management would be required to submit to the committee on an annual or more frequent basis, a written assessment of the effectiveness of the credit union’s incentive-based compensation program.
  • Internal audit or risk management function would also be required to submit an independent written assessment, developed independently of the credit union’s management, to the compensation committee on an annual or more frequent basis.

Policies and Procedures

Level 1 and 2 credit unions would be required to have policies and procedures that:

  • Are consistent with the requirements and prohibitions of the proposed rule;
  • Specify the procedures for forfeiture and clawback;
  • Document final forfeiture, downward adjustment, and clawback decisions;
  • Specify the substantive and procedural criteria for the acceleration of payments of deferred incentive-based compensation to a covered person;
  • Describe the role of any employees, committees, or groups authorized to make incentive-based compensation decisions, including when discretion is authorized;
  • Describe how discretion is exercised to achieve balance;
  • Document processes for the establishment, implementation, modification, and monitoring of incentive-based compensation arrangements;
  • Describe how incentive-based compensation arrangements will be monitored;
  • Describe procedures for the independent compliance program; and
  • Ensure appropriate roles for risk management, risk oversight, and other control functions.

[1] 81 FR 37673 (June 10, 2016)

National Credit Union Administration: Succession Planning

NASCUS Legislative and Regulatory Affairs Department
August 8, 2024

On February 3, 2022, the NCUA Board (Board) published a proposed rule to require only Federal credit union (FCU) boards of directors to establish processes for succession planning for key positions. At the July 18, 2024, meeting of the Board, the Board approved, in a 2-1 decision, a proposed rule addressing succession planning.

The new proposal is based on the 2022 proposed rule but also includes several changes that the Board believes will further strengthen succession planning efforts for consumer FICUs. This latest proposed rule also covers consumer federally insured, state-chartered credit unions (FISCUs), which were excluded from the 2022 proposed rule.

Comments on the proposed rule are due by September 23, 2024.


Background

The proposed rule indicates several factors that have contributed to the increased relevance of succession planning for FICU boards. The credit union system has seen a significant decline in the number of FICUs which the NCUA states is attributable to the long-running trend of consolidation across all depositories. The proposed rule also notes that data suggests smaller FICUs may be more likely to merge.

Increased Relevance of Succession Planning

The preamble to the proposed rule highlights several factors that the Board believes contribute to the increased relevance of succession planning for FICUs. One item of note in the preamble indicates that “data suggests that smaller FICUs may be more likely to merge.”  Statistics provided state: “At the close of 2015, there were 1,816 FICUs with less than $10 million in assets. By the third quarter of 2023, the number of these smallest FICUs was 938. By comparison, during the same period, the number of FICUs with assets of at least $1 billion decreased from 424 to 414.”

The preamble also indicates that NCUA analysis found “poor succession planning was either a primary or secondary reason for almost a third of FICU consolidations.”

NCUA’s Efforts to Strengthen FICU Succession Planning Efforts

In March 2022, the NCUA issued Letter to Credit Unions 22-CU-05, CAMELS Rating System, which provides that “succession planning for key management positions” is a key factor considered when assessing the management of a credit union. The Letter to Credit Unions 23-CU-01 included succession planning as one of the NCUA’s supervisory priorities for 2023.

While the NCUA does assess succession planning as part of the CAMELS Management component, there is no NCUA regulation requiring FICUs to implement a formal, written succession plan. As a result, the NCUA lacks a full complement of regulatory tools to help address deficiencies in a FICU’s succession planning process. For example, Letter to Credit Unions 23-CU-01 makes clear that NCUA examiners are precluded from evaluating “any formal or informal succession plans developed by credit unions beyond what would normally be considered in assigning the Management component of the CAMELS rating.”

Moreover, examiners may “not issue an Examiner’s Finding or Document of Resolution if the credit union has not conducted succession planning, or the planning is not adequate, unless the credit union violates its policy for conducting succession planning or administering any such plan(s).”

The Board believes the absence of specific regulations on this topic also means there are no requirements as to what constitutes an acceptable succession plan and therefore believes establishing standards within regulation is necessary.

Summary

As previously discussed, the proposed rule would apply to all consumer federally insured credit unions and proposes new requirements by amending part 701 of its regulations. The proposal would also make these amendments applicable to FISCUs through an amendment to 12 CFR part 741, subpart B, by adding a new 741.228.

The proposal notes that the Board recognizes the importance of state law in FISCUs’ internal governance and that states may already have state-specific succession planning requirements. It also notes that, to the extent a FISCU is subject to a state statutory or regulatory requirement that conflicts with the proposed rule, the NCUA will defer to state law.

Plan Requirements

The proposal would require the following:

  • The FICU board of directors must establish a written succession plan addressing specified positions (or the equivalent if the FICU has adopted different position titles):
    • Members of the board of directors;
    • Members of the supervisory committee;
    • Members of the credit committee;
    • Loan officers (where provided for in the bylaws in lieu of a credit committee and the loan officers are involved in the daily review of loans);
    • Management officials and assistant management officials;
    • “Senior executive officers” as defined in 12 CFR 701.14 and any other FICU personnel the board deems critical given the FICU’s size, complexity, or risk of operations.
  • The board would be required to review the succession plan on a schedule it establishes, but no less than annually;
  • The plan must identify the title of the incumbent for each covered position and the expiration date of the incumbent’s term or other anticipated vacancy date (e.g., retirement);
  • The plan must describe the FICU’s general plan or strategy for temporarily and permanently filling vacancies for each of the positions, including vacancies due to unexpected circumstances;
  • The plan must address the FICU’s strategy for recruiting candidates;
    • The strategy must consider how the selection and diversity among covered employees, collectively and individually, promotes the safe and sound operation of the FICU, as well as budgetary impacts, in the development of the plan.

The proposed rule would also amend 701.49(b)(3), which sets forth certain education requirements for FCU directors, to require that directors have working familiarity with the FCU’s succession plan no later than 6 months after appointment. This amendment would be made applicable to FISCUs through the newly proposed 741.228.

NCUA expects succession plans to be consistent with the size and complexity of each FICU and therefore has indicated in the proposed rule they will consider the size of the FICU, as well as the complexity and risk of its operations.

Small FICU Considerations

NCUA believes that small FICUs may be most likely to benefit from this proposed rule. The proposed rule includes a template for succession planning that may be appropriate for some smaller FICUs, though the NCUA notes all FICUs may benefit from it. The proposal also states that FISCUs electing to use the template should consult applicable state requirements to ensure their succession plans are consistent with any such requirement.

NASCUS Summary re: CFPB Proposal on Streamlining Mortgage Servicing for Borrowers Experiencing Payment Difficulties
12 CFR Part 1024

The Consumer Financial Protection Bureau (CFPB) is proposing a rule that would amend its 2013 mortgage servicer responsibilities regulations.  The proposed amendments would streamline existing requirements when borrowers seek payment assistance in times of distress.  The rule would also require servicers to provide certain communications in languages other than English.

Comments must be received by September 9, 2024. The proposed rule can be found here.


Summary

The CFPB is proposing and seeking comment on key changes related to assisting borrowers during loss mitigation and early intervention. None of the proposed requirements would apply to small servicers (as defined in Regulation Z, Section 1026.41).

Streamlined loss mitigation procedures and foreclosure procedural safeguards

The proposal looks to streamline Regulation X’s loss mitigation procedures by removing most of the existing requirements regarding incomplete and complete loss mitigation applications and replacing them with a new framework based on foreclosure procedural safeguards.  Under the proposed framework:

  • A servicer would not be required to collect a complete application prior to making a loss mitigation determination and would have flexibility to review a borrower for loss mitigation options sequentially rather than simultaneously.
  • Once a borrower makes a request for loss mitigation assistance, the loss mitigation review cycle begins. It continues until either the borrower’s loan is brought current or one of the following foreclosure procedural safeguards is met: (i) the servicer reviews the borrower for all available loss mitigation options and no available options remain, or (ii) the borrower remains unresponsive for a specified period of time despite the servicer regularly taking steps to reach the borrower.
  • The CFPB proposes to remove currently required loss mitigation notices that would no longer be necessary under the new proposed framework.

Early Intervention Changes

  • The CFPB is proposing to require servicers to provide certain additional information in written early intervention notices, including, among other things, the name of the owner or assignee of the borrower’s mortgage loan, a brief description of each type of loss mitigation option, and a website where the borrower can access a list of all loss mitigation options that may be available from that owner/assignee.
  • The CFPB is also proposing a partial exemption for servicers from early intervention requirements while a borrower is performing under a forbearance, new live contact and written notice requirements when a borrower’s forbearance is nearing its scheduled end, and timing for resuming compliance with early intervention when a borrower’s forbearance ends.

Loss mitigation determination notices and appeals

  • The CFPB is proposing to require that servicers provide loss mitigation determination notices and appeal rights to borrowers regarding all types of loss mitigation options.
  • The CFPB also is proposing to require servicers to include additional information in determination notices including borrower-provided inputs that served as the basis for the determination; a list of other loss mitigation options that are still available to the borrower, or if applicable, a statement that the servicer has reviewed the borrower for all available loss mitigation options and none remain; and, if applicable, a list of any loss mitigation options that the servicer previously offered to the borrower that remain available but that the borrower did not accept. The CFPB is also proposing to clarify that loss mitigation determinations are subject to the notice of error procedures contained in Section 1024.35.

Language Access

The CFPB is proposing several requirements intended to give borrowers with limited English proficiency greater access to certain early intervention and loss mitigation communications in languages other than English.

  • The proposal would require mortgage servicers to provide Spanish-language translations of certain written communications to all borrowers.
  • The proposal would also require servicers to make certain written and oral communications available in multiple languages and to provide those translated or interpreted communications upon borrower request.
  • The proposal would require servicers to include brief translated statements in certain written communications notifying borrowers of the availability of the translations and interpretations, and how they can be requested. It would also require that borrowers who received marketing for a loan in a language other than English receive specific early intervention and loss mitigation communications in that same language upon the borrower’s request.

Credit Reporting

  • The CFPB is concerned that mortgage servicers may be furnishing information about borrowers undergoing loss mitigation review that may not be accurate or consistent.
  • The Bureau is not proposing any regulatory changes regarding credit reporting at this time. However, the CFPB is requesting comment about possible approaches it could take to ensure servicers are furnishing accurate and consistent credit reporting information about borrowers undergoing loss mitigation review.

The Bureau is interested in receiving feedback on all aspects of the proposed rule and will accept comments until September 9, 2024.

National Credit Union Administration Anti-Money Laundering and Countering the Financing of Terrorism Program Requirements

NASCUS Legislative and Regulatory Affairs Department
July 24, 2024


Background

The OCC, FRB, FDIC, and the NCUA (the “Agencies”) have published a notice of proposed rulemaking and request for comment that would amend the requirements each Agency has issued for its supervised entities under the Bank Secrecy Act. For purposes of this summary, we will refer specifically to the NCUA.

The amendments are intended to align with the changes concurrently proposed by FinCEN as required by the AML Act of 2020.

The proposed rule incorporates a risk assessment process into the AML/CFT program rules that requires consideration of the national AML/CFT Priorities published by FinCEN. Additionally, the proposed rule would add customer due diligence requirements to reflect prior amendments to FinCEN’s rule and, concurrently with FinCEN, would make clarifying and other amendments to codify longstanding supervisory expectations and conform to the changes made by the AML Act.

Comments will be due 60 days after the proposed rule is published in the Federal Register.


Summary

The proposed rule would make several changes to NCUA’s BSA compliance program rules. As previously discussed, the main reason for the proposed changes is to ensure that the NCUA’s and the other Agencies’ BSA compliance program rules remain aligned with FinCEN’s rule, avoiding confusion and additional burden for supervised entities.

Proposed Rule

1. Purpose Statement
Like FinCEN, NCUA is proposing a statement describing the purpose of the AML/CFT program requirement, which reads:  “To ensure that each bank implements an effective, risk-based, and reasonably designed AML/CFT program to identify, manage, and mitigate illicit finance activity risks that: complies with the requirements of subchapter II of chapter 53 of title 31, United States Code, and the implementing regulations promulgated thereunder by the Department of the Treasury at 31 CFR chapter X; focuses attention and resources in a manner consistent with the risk profile of the bank; may include consideration and evaluation of innovative approaches to meet its AML/CFT compliance obligations; provides highly useful reports or records to relevant government authorities; protects the financial system of the United States from criminal abuse; and safeguards the national security of the United States, including by preventing the flow of illicit funds in the financial system.”

The statement is intended to summarize the overarching goals of credit unions’ effective, risk-based, and reasonably designed AML/CFT programs.

2. Establishment and Contents of an AML/CFT Program

  • Establishment: As addressed in FinCEN’s proposed rule, a credit union must establish, implement, and maintain an effective, risk-based, and reasonably designed AML/CFT program. While financial institutions are already required to maintain a “reasonably designed” AML/CFT program, the proposal would add the terms “effective” and “risk-based” to the existing requirement.

    Also reflective of FinCEN’s proposal, NCUA is proposing to add the terminology “AML/CFT” to this rule, consistent with the AML Act.

  • AML/CFT Program: The proposed rule establishes the following minimum requirements, which are not meant to stand alone but together form the basis of an effective AML/CFT program:
    • A risk assessment process that serves as a basis for the credit union’s AML/CFT program;
    • Reasonable management and mitigation of risks through internal policies, procedures, and controls;
    • A qualified AML/CFT officer;
    • An ongoing employee training program;
    • Independent, periodic testing conducted by qualified personnel of the credit union or by a qualified outside party; and
    • Customer due diligence.

NASCUS would like to highlight that, while the AML Act did not change the existing BSA requirement that each credit union designate a compliance officer as part of its BSA compliance program, the NCUA is proposing clarifying and technical changes to this subsection to codify existing regulatory expectations and conform to FinCEN’s proposal.

Accordingly, for an AML/CFT program to be effective, reasonably designed, and risk-based, the compliance officer must be qualified. Based on the Agencies’ experience in examining BSA compliance programs, the compliance officer’s qualifications (i.e., the requisite training, skills, expertise, and experience) need to be commensurate with the credit union’s money laundering, terrorist financing (ML/TF), and other illicit finance activity risks.

In addition to qualifications, the proposed rule states that the credit union’s organizational structure must enable the compliance officer to effectively implement the credit union’s AML/CFT program. This means the compliance officer’s authority, independence, and access to resources within the credit union are critical.

3. Board Oversight
Although not a new requirement for some financial institutions, the NPRM would require the AML/CFT program to be documented. In addition, the AML/CFT program must be approved and overseen by the board of directors (or equivalent governing body); this is already established practice for credit unions. Finally, the proposal contains new oversight requirements, such as governance mechanisms, escalation procedures, and reporting lines, to ensure the board properly oversees the AML/CFT program.

4. Presence in the United States
Section 6101(b)(2)(C) of the AML Act provides that the duty to establish, maintain, and enforce a bank’s AML/CFT program shall remain the responsibility of, and be performed by, persons in the United States who are accessible to, and subject to oversight and supervision by, the Secretary of the Treasury and the appropriate Federal functional regulator. The proposed rule would incorporate this statutory requirement into the AML/CFT program rule by restating that the duty to establish, maintain, and enforce the AML/CFT program must remain the responsibility of, and be performed by, persons in the United States who are accessible to, and subject to oversight and supervision by, the relevant Agency.

5. Customer Identification Program
There are no changes to the current Customer Identification Program (CIP) requirements. The proposed rule would only move them to a separate section.


Request for Comment

The proposed rule consists of twenty-seven questions separated into the following categories:

  • Incorporation of AML/CFT Priorities
  • Risk Assessment Process
  • Updating the Risk Assessment
  • Effective, Risk-Based, and Reasonably Designed
  • Other AML/CFT Program Requirements
  • Innovative Approaches
  • Board Approval and Oversight; and
  • Duty to establish, maintain, and enforce an AML/CFT Program in the United States