NCUA Letter to Credit Unions 25-CU-02
Cyber Incident Notification Requirements Update to letter 23-CU-07
NASCUS Legislative and Regulatory Affairs
January 13, 2025
The NCUA issued its second letter to credit unions of 2025, LTCU 25-CU-02. The letter provides an update to LTCU 23-CU-07 Cyber Incident Notification Requirements. NASCUS’ summary of the Cyber Incident Notification final rule can be found here and a summary of LTCU 23-CU-07 here.
LTCU 25-CU-02 includes two previous methods for reporting a cyber incident to the NCUA as well as a new secure web form for reporting:
- By phone at 1-833-CYBERCU (1.833.292.3728), leaving a voicemail;
- By secure email through the NCUA Secure Email Message Center to [email protected]; or
- By completing the Cyber Incident Credit Union Reporting System online form.
The letter also reminds credit unions of the agency’s cybersecurity information and resources and provides an updated Cyber Incident Reporting Quick Reference Guide.
Letter to Credit Unions 25-CU-01: NCUA’s 2025 Supervisory Priorities
NASCUS Legislative and Regulatory Affairs
January 8, 2025
On January 7, 2025, the NCUA issued Letter to Credit Unions 25-CU-01 outlining the agency’s supervisory priorities and other updates to its examination program for 2025. The priorities focus on the areas the NCUA believes pose the highest risk to credit union members, the industry, and the NCUSIF.
Supervisory Priorities for 2025
Credit Risk
Credit risk remains a top priority for 2025. The NCUA notes loan growth slowed in 2024 while overall delinquencies and charge-offs increased. Credit card and used auto loan portfolios are seeing the highest levels of delinquency and charge-off since the 2008 financial crisis. To address this, the letter indicates examiners will continue to review credit union lending and risk-management practices. Specific focus will be on:
- Credit unions’ underwriting standards;
- Collection programs;
- Allowance for Credit Loss reserves;
- Charge-off practices;
- Management and board reporting;
- Management of risk concentrations; and
- Third-party risk management practices.
The NCUA encourages credit unions to work with borrowers facing financial difficulties and provides a list of resources and guidance to assist in managing credit risk.
Balance Sheet Management and Risk to Earnings and Net Worth
Due to the rise in interest rates over the last few years, credit unions’ cost of funds increased faster than the returns on loans and investments, compressing net interest margins. The NCUA will evaluate credit unions’ earnings and net worth risk-management frameworks by weighing the current and prospective sources of earnings and the composition of net worth relative to a credit union’s approved plans and thresholds. Examiners will also continue to consider liquidity sources. The letter also lists liquidity resources and guidance, earnings resources and guidance, and resources on net worth and capital adequacy.
Cybersecurity
Unsurprisingly, cybersecurity remains a top priority, as cybercriminals and their attacks become more sophisticated. The NCUA indicates it will continue to use the information security examination procedures to assess credit union programs and will continue to support the voluntary use of the ACET tool. The letter also encourages credit unions to visit the NCUA’s Cybersecurity Resources webpage. Lastly, credit unions are reminded of their obligations under the Cyber Incident Notification requirements.
Consumer Financial Protection
The NCUA has indicated it will continue to place significant emphasis on credit union compliance with consumer financial protection laws and regulations during examinations. It is noted that examiners will particularly focus on:
- Overdraft programs;
- Fair lending;
- The Home Mortgage Disclosure Act (HMDA) and Regulation C;
- The Military Lending Act; and
- The Electronic Fund Transfer Act (EFTA) and Regulation E.
It is not surprising to see overdraft programs at the top of this list given the NCUA’s recently issued LTCU 24-CU-03, in which the agency highlights risks associated with certain overdraft and NSF practices.
Other Updates
While not specifically addressed as supervisory priorities, the letter also describes an update to the agency’s exam flexibility initiative in 2025, providing an extended exam cycle for credit unions with over $1 billion in assets. Credit unions in this asset range rated a CAMELS composite 1 or 2, with no change in the CEO since the last examination, will now be eligible for a 12–16-month exam cycle. Additionally, the extended exam cycle for eligible federal credit unions will be shortened from 14-20 months to 14-18 months.
The NCUA indicates it will continue conducting the defined Small Credit Union Exam Program for most credit unions with assets of $50 million or less, and risk-focused examination procedures for all others. The letter also notes credit unions will need to remain aware of Bank Secrecy Act/Anti-Money Laundering/Countering the Financing of Terrorism regulations and requirements.
Minority Depository Institution (MDI) Preservation Program
Finally, the letter states the agency recognizes the importance of MDIs and is committed to supporting the ongoing success of MDIs, including the need to support some MDIs more or differently. It further states that examinations will consider the “unique strategies and member needs of MDI credit unions.”
NASCUS Summary re: CFPB Circular 2024-07: Design, marketing and administration of credit card rewards programs
December 18, 2024
The Bureau issued CFPB Circular 2024-07 to answer the following question: Can credit card issuers violate the law if they or their rewards partners devalue earned rewards or otherwise inhibit consumers from obtaining or redeeming promised rewards?
Response:
Yes. Covered persons that offer, provide or operate credit card rewards programs (and their service providers) may violate the prohibition against unfair, deceptive or abusive acts or practices under a variety of circumstances. The circular provides examples.
Analysis:
The Consumer Financial Protection Act (CFPA) prohibits any “covered person” or “service provider” from “committing or engaging in an unfair, deceptive, or abusive act or practice under Federal law in connection with the offering of a consumer financial product or service.” An act or practice is unfair when (i) it causes or is likely to cause substantial injury to consumers that is not reasonably avoidable by consumers and (ii) such injury is not outweighed by countervailing benefits to consumers or to competition. Substantial injury includes monetary harm, and may be based on likely rather than actual injury. Under the CFPA, a representation, omission, or practice is deceptive if it is likely to mislead a reasonable consumer and is material.
The CFPB is issuing this circular to underscore that the CFPA’s prohibition on unfair or deceptive acts or practices applies to the design, marketing, and administration of credit card rewards programs. Rewards program operators may violate this prohibition in a variety of circumstances regardless of whether they are taking actions consistent with rewards programs terms. In particular, rewards program operators risk committing unfair or deceptive acts or practices when (i) rewards that consumers have already earned are devalued; (ii) consumers’ receipt of rewards is revoked, cancelled, or prevented based on buried or vague conditions; and (iii) rewards points are deducted without consumers receiving the corresponding benefit of the rewards.
NASCUS Summary re: CFPB Executive Summary on Residential PACE Financing Final Rule
December 2024
The Consumer Financial Protection Bureau (CFPB) issued a final rule on Residential Property Assessed Clean Energy (PACE) financing. The final rule clarifies that PACE transactions are considered “credit” under TILA and Regulation Z and that the requirements under TILA/Regulation Z will generally apply to covered PACE transactions. The final rule becomes effective on March 1, 2026.
Summary:
- The rule defines PACE transactions as financing to cover the costs of home improvements that result in a tax assessment on the real property of the consumer. Covered PACE transactions are voluntary transactions repaid through the property tax system alongside the consumer’s other property tax payment obligations.
- The rule provides two exemptions:
  - The rule exempts PACE transactions from the Higher-Priced Mortgage Loans (HPML) escrow rule; and
  - The rule exempts PACE transactions from the periodic statement requirements in the Mortgage Servicing Rule.
Ability to Repay Requirements
- The rule requires creditors and PACE companies substantially involved in making credit decisions to apply the existing ability-to-repay requirements to PACE transactions. Specifically, the rule requires creditors and PACE companies to:
  - Make a reasonable and good faith determination of a consumer’s ability to repay at or before consummation of a covered mortgage loan;
  - Consider the eight required factors in making the repayment ability determination; and
  - Verify the information relied on in determining a consumer’s repayment ability using reasonably reliable third-party records.
TILA/RESPA Integrated Disclosure Requirements
- The rule adds a model Loan Estimate and Closing Disclosure for use with PACE transactions.
- The rule also includes certain modifications, clarifications and exemptions related to disclosures in the Loan Estimate and Closing Disclosure requirements to account for the uniqueness of PACE transactions.
NASCUS Summary re: CFPB Executive Summary on Overdraft Lending Fees
December 2024
The Consumer Financial Protection Bureau issued a final rule that amends Regulations Z and E to ensure that extensions of overdraft credit offered by very large financial institutions adhere to the consumer protections required of similarly situated products unless an exception applies. The final rule will take effect on October 1, 2025.
Summary
Under the Final Rule, Regulation Z will generally apply to all consumer overdraft credit provided by very large institutions unless it is provided at or below the institution’s costs and losses related to the overdraft credit. The overdraft fee rule applies to banks/credit unions with more than $10 billion in assets.
The rule defines “overdraft credit” as including consumer credit extended by a financial institution to pay a transaction from a checking or other transaction account (other than a prepaid account) held at the financial institution when the consumer has insufficient or unavailable funds in the account.
In addition, the final rule updates two regulatory exceptions from the definition of finance charge.
- The rule updates an exception that provides that a charge for overdraft is not a finance charge if the financial institution has not previously agreed in writing to pay items that overdraw an account. The rule updates this exception by limiting it to only overdraft credit that is provided at or below costs and losses.
- The final rule updates a related exception that provides that a charge imposed in connection with an overdraft credit feature is not a finance charge, if the charge does not exceed the charge for a similar transaction account without a credit feature. The rule updates this provision by clarifying what is and is not a comparable charge.
The rule applies additional requirements to covered overdraft credit offered by a very large financial institution. The final rule also:
- Prohibits compulsory use of preauthorized transfers;
- Requires covered overdraft credit to be structured as a separate credit account; and
- Applies CARD Act provisions to hybrid debit-credit cards.
The new rule provides institutions the following options with regard to overdraft fees:
- Cap the overdraft fee at $5: This amount is considered sufficient to cover the estimated costs of administering a courtesy pay program.
- Cap the fee at an amount that covers costs and losses: Allows institutions to set the fee based on the actual costs/losses related to the service.
- Treat overdraft like other loans and disclose terms: Allows institutions to earn a profit from providing the service. This would require institutions to: (i) provide consumers the option of opening an overdraft line of credit; (ii) provide consumers with account opening disclosures; (iii) provide consumers with periodic statements; and (iv) provide consumers with the option to pay automatically or manually.
The Bureau issued an Executive Summary of the final rule, which can be found here: https://files.consumerfinance.gov/f/documents/cfpb_executive-summary-overdraft-lending-final-rule_2024-12.pdf. A NASCUS summary is in progress.
The rule will take effect on October 1, 2025.
Agencies Issue Guidance on Elder Financial Exploitation
December 18, 2024
On December 4, 2024, the six federal banking agencies and the state financial regulators issued a statement titled “Interagency Statement on Elder Financial Exploitation” to provide supervised institutions examples of risk management and other practices that can be effective in identifying, preventing, and responding to elder financial exploitation (EFE).
FinCEN previously issued a financial trend analysis specific to EFE; NASCUS summarized the analysis here. Additionally, the U.S. Department of the Treasury’s 2024 National Money Laundering Risk Assessment described EFE as a growing money laundering threat.
The Agencies’ statement and accompanying Appendices provide a list of resources issued by federal and state agencies on the topic of EFE. This does not replace previous guidance on this topic but is meant to raise awareness and provide strategies to supervised institutions for combating EFE.
Included in the statement are nine examples of risk management and other practices that supervised institutions can consider adopting as they work to combat EFE. These examples are not new and are addressed in previous guidance.
- Governance and Oversight
  - Policies and procedures to better protect account holders and the institution;
  - Enhance or create risk-based policies, internal controls, employee codes of conduct, ongoing transaction monitoring, and complaint management processes.
- Employee Training
  - Identifying red flags for different types of exploitation;
  - Proactive approaches for detecting and preventing EFE; and
  - Detailing actions for employees to take when they have concerns.
- Using Transaction Holds and Disbursement Delays
  - Implementing policies and procedures, in conjunction with state law and regulations, when there is a suspected case of EFE.
- Using Trusted Contacts
  - Establish policies and procedures that enable account holders to designate one or more trusted contacts whom employees can contact when EFE is suspected.
  - Develop clear and effective processes for when and how to disclose account holder information while also maintaining confidentiality.
- Filing SARs Involving Suspected EFE
  - Consider filing SARs voluntarily for suspected EFE cases that do not meet the mandatory SAR filing requirements.
  - Consider how to detect and identify possible red flag indicators of EFE.
- Reporting to Law Enforcement, Adult Protective Services (APS), and/or Other Entities, as appropriate
  - Implement a policy for reporting to appropriate authorities if the state is a mandatory reporting state;
  - For institutions not in a mandatory reporting state, develop processes for voluntarily reporting to relevant state or local authorities; and
  - Consider establishing procedures for referring potential victims of EFE to the Department of Justice’s National Elder Fraud Hotline (833.372.8311), the FTC, the FBI’s IC3, USPIS, the Social Security Administration, and other agencies.
- Providing Financial Records to Appropriate Authorities
  - Develop a process for expediting supporting information and documentation to law enforcement agencies.
- Engaging with Elder Fraud Prevention and Response Networks
  - Consider partnerships with various networks, community education, etc.
- Consumer Outreach and Awareness
  - Consider various means of consumer outreach, information on trending scams and ways to avoid them, and potential training for consumers on what to look for in various scams.
Appendix A: Elder Financial Exploitation Resources from Government Agencies
- Appendix A includes an extensive list of reports, research, and recommendations from the agencies as well as a list of federal resources for supervised institutions that may be shared with consumers.
NCUA Letter to Credit Unions 24-CU-03
Consumer Harm Stemming from Certain Overdraft and Non-Sufficient Funds Fee Practices
NASCUS Legislative and Regulatory Affairs Department
December 10, 2024
The NCUA Board has issued its third letter to credit unions of 2024, LTCU 24-CU-03 Consumer Harm Stemming from Certain Overdraft and Non-Sufficient Funds Fee Practices.
The NCUA has shown an increased focus on consumer protection in recent years. The Agency notes it is issuing this letter to highlight the risks associated with certain overdraft and NSF fee practices while providing resources to assist credit unions in managing and mitigating these risks. The letter also describes how the Agency will approach such fees from a supervisory perspective and further outlines its expectations of credit unions in responding to the associated risks.
Background
In 2022 the NCUA requested information about federal credit union overdraft programs, policies, and procedures, and in 2023 and 2024 examiners expanded the review of federal credit union overdraft programs and evaluated adjustments credit unions made to their programs to address risk and potential harm to members. Additionally, examinations of federal credit unions in 2023 and 2024 identified the presence of certain overdraft and NSF fee practices that “may create heightened risk exposure.”
Unanticipated Overdraft Fees
Unanticipated overdraft fees occur when a credit union assesses overdraft fees on transactions that a member would not expect to give rise to such fees. The letter further addresses several types of overdraft and NSF fees and cautions against policies that permit these fees, as they would likely violate the Federal Trade Commission Act (FTC Act) and the Consumer Financial Protection Act of 2010 (CFPA) as unfair or deceptive practices:
- Authorize Positive, Settle Negative Overdraft Fees
- Multiple NSF Representment Fees
Returned Deposited Item Fees
A Returned Deposited Item (RDI) is a check deposited into a member’s account that is returned to the member because the check could not be processed against the originator’s account.
Other Overdraft or NSF Practices
Some additional practices highlighted by the Agency that may present heightened risk include:
- High or no daily limits on the number of fees assessed;
- Insufficient or inaccurate fee disclosures; and
- Ordering transactions to maximize fees.
Risk Management Principles
If a credit union provides overdraft programs or charges NSF fees, the NCUA states the credit union should:
- Closely analyze all aspects of the credit union’s overdraft and NSF fee practices, including opt-in disclosures, website advertising, and other information provided to members specific to overdraft and NSF;
- Review recent regulatory developments regarding unanticipated overdraft and NSF fees;
- Consider member impact;
- Track and analyze related member-complaint activity;
- Monitor and take action to mitigate reputation, consumer compliance, third-party, and legal risk; and
- Consult legal counsel regarding consumer compliance responsibilities and associated risks.
It is important to highlight that the NCUA specifically states in the letter, “Mitigation strategies should include discontinuing policies related to charging overdraft, NSF, and other related fees that members cannot reasonably anticipate and avoid.”
NCUA’s Supervisory Approach
While the NCUA states it does not expect credit unions to stop offering overdraft programs to assist members, it will continue to review credit union overdraft programs. If examiners identify violations of laws or regulations due to unanticipated fee practices, the agency will evaluate appropriate supervisory or enforcement actions, including restitution to harmed consumers.
The letter also states that the NCUA will recognize efforts to self-identify and correct violations, noting that examiners will generally not cite or pursue action if a credit union has self-identified and fully corrected issues before the start of an examination.
LTCU 24-CU-03 applies to federally-insured credit unions, including federally-insured state-chartered credit unions (FISCUs). It is important for FISCUs to also work with their appropriate state supervisory authority when evaluating overdraft and NSF practices.
NASCUS Summary re: CFPB Executive Summary on Personal Financial Data Rights Final Rule
Nov 2024
The Bureau issued a proposed rule and request for comments in October 2023 regarding implementation of Section 1033, pertaining to consumers’ personal financial data rights, under the Consumer Financial Protection Act (CFPA). The Bureau issued a finalized rule in October 2024.
The Bureau’s Executive Summary can be found here.
Summary
The final rule requires data providers to make covered data regarding covered financial products and services available to consumers and authorized third parties in an electronic form, subject to a number of requirements. The rule also sets forth criteria a third party must satisfy in order to be an authorized third party, including certifying it will satisfy certain obligations regarding the collection, use and retention of covered data.
Covered Entities: Data Providers
The rule defines data providers as those that control and possess covered data concerning a covered consumer financial product or service obtained from the data provider. That would include financial institutions, card issuers, or any other person that controls or possesses information concerning a covered consumer financial product or service. Depository institutions that hold total assets at or below the Small Business Administration (SBA) size standard are not required to comply with the final rule.
Covered Consumer Financial Products/Services
Under the final rule, a “covered consumer financial product or service” can be one or more of the following:
- Regulation E accounts;
- Regulation Z credit card accounts; and
- Facilitation of payments from a Regulation E account or Regulation Z credit card, excluding products/services that merely facilitate first-party payments.
Making Covered Data Available
The final rule requires a data provider to make available to a consumer or authorized third party, upon request, covered data in the data provider’s control or possession concerning a covered consumer financial product or service that the consumer obtained from the data provider. Data providers are prohibited from taking steps to evade the requirements, including actions that are likely to make the covered data they provide unusable or are likely to prevent, interfere with, or materially discourage a consumer or third party from accessing covered data.
Covered Data is defined as:
- Transaction information
- Account balance information
- Information to initiate payment to or from a Regulation E account
- Terms and conditions
- Upcoming bill payment information
- Basic account verification information
The following information does not fall into the category of “covered data” and data providers are not required to provide this information:
- Confidential commercial information
- Information collected by the data provider for the sole purpose of preventing fraud or money laundering, or detecting or making any report regarding other unlawful or potentially unlawful conduct
- Information required to be kept confidential by any other provision of law
- Any information that the data provider cannot retrieve in the ordinary course of its business with respect to that information.
Data Access Requirements
The final rule requires a data provider to receive requests for covered data in electronic form from consumers and third parties and to make covered data available in electronic form in response to the requests. The rule does not require a data provider to use any particular technology to satisfy these requirements. However, the rule does impose the following requirements regarding how a data provider must be able to receive such requests and make covered data available in response to them:
- Standardized format – covered data must be made available in a standardized and machine-readable format.
- Commercially reasonable performance – data provider’s interface for receiving requests from and making covered data available to authorized third parties must perform at a commercially reasonable level.
- Access caps – data provider must not unreasonably restrict the frequency with which it receives or responds to requests for covered data through its data interface. Any frequency restrictions must be applied in a manner that is non-discriminatory and consistent with the reasonable written policies and procedures that the data provider establishes and maintains pursuant to the final rule.
- Access credentials – data provider must not allow a third party to access covered data using credentials that a consumer uses to access data electronically.
- Security program – a data provider must apply an information security program that satisfies the applicable rules under the Gramm-Leach-Bliley Act. If the data provider is not subject to Gramm-Leach-Bliley, the program must satisfy the Federal Trade Commission’s Standards for Safeguarding Customer Information.
The rule also prohibits data providers from imposing any fees or charges on a consumer or third party in connection with receiving an electronic request for access to covered data.
Denial of Data Access
A data provider does not violate the general obligation to make covered data available by denying a consumer or third party access to its data interface if the following two conditions are met:
- Granting access would be inconsistent with policies/procedures reasonably designed to comply with (i) safety and soundness standards of the data provider’s prudential regulator or (ii) other applicable laws and regulations regarding risk management; and
- The denial is reasonable, meaning it must be directly related to a specific risk of which the data provider is aware and must be applied in a consistent and non-discriminatory manner.
A data provider can deny access to a third party if:
- The third party does not present any evidence that its data security practices are adequate to safeguard the covered data; or
- The third party does not make the following information available to the data provider and readily identifiable to members of the public: its legal name; any assumed name it is using while doing business with the consumer; a link to its website; its Legal Entity Identifier (LEI); and contact information a data provider can use to inquire about the third party’s data security and compliance practices.
Responding to Requests
- The rule requires a data provider to make covered data available through its interface to a consumer when it receives information sufficient to authenticate the identity of the consumer and identify the scope of the data requested.
- The final rule requires a data provider to make covered data available through its interface to a third party when it receives information sufficient to authenticate the identity of the consumer who authorized the third party to access covered data, authenticates the third party’s identity, documents that the third party has followed the authorization procedures, and identifies the scope of the data requested.
- A data provider is not required to make covered data available in response to a request when:
  - The data are withheld because an exception applies;
  - The data are not in the data provider’s control or possession;
  - The data provider receives the request when its data interface is not available;
  - The request is from a third party and the consumer’s authorization is no longer valid; or
  - The data provider has not received information sufficient to trigger the obligation to make covered data available in response to the request.
- A data provider must provide a reasonable method for a consumer to revoke a third party’s authorization to access the consumer’s covered data, and that method must not violate the prohibition against evasion.
Making Information About the Data Provider Readily Identifiable
The rule requires data providers to make certain information readily identifiable to members of the public and available in both human-readable and machine-readable formats. This includes the data provider’s legal name, any assumed name it is using while doing business with the consumer, a link to its website, its LEI, contact information that enables a consumer or third party to receive answers to questions about accessing covered data pursuant to the final rule, and documentation sufficient for a third party to electronically access covered data pursuant to the final rule.
In addition, each month, the data provider must disclose to the public certain information about its data interface’s response rate to authorized third party requests for covered data in the previous calendar month.
Policies, Procedures and Recordkeeping for Data Providers
The final rule requires a data provider to have written policies/procedures that are reasonably designed to ensure the data provider:
- Creates a record of the covered data in its control or possession, which covered data are not made available to authorized third parties through the data provider’s interface pursuant to an exception, and the reasons the exception applies;
- Creates certain records when it denies an authorized third party’s request for access to the data provider’s interface or a request for information, and provides certain information regarding the denial;
- Accurately makes covered data available to an authorized third party through its data interface; and
- Retains records to reflect compliance with the final rule.
A data provider must periodically review these policies and procedures and update them as appropriate. Policies and procedures must be appropriate to the size, nature, and complexity of the data provider’s activities.
Authorized Third Parties, Authorization Procedures, and Authorization Disclosures
- The final rule requires a data provider to make covered data available to the consumer about whom the data pertains or to an authorized third party.
- To become an authorized third party, a third party must seek access to covered data from a data provider (on behalf of a consumer) and must follow the authorization procedures set out in the final rule. Specifically, the third party must:
  - Provide the consumer with an authorization disclosure;
  - Provide a statement to the consumer in the authorization disclosure certifying that the third party agrees to certain obligations; and
  - Obtain the consumer’s express informed consent to access covered data on behalf of the consumer by obtaining an authorization disclosure that is signed by the consumer electronically or in writing.
- The authorization disclosure must include the following:
  - The name of the third party;
  - The name of the data provider that controls or possesses the covered data that the third party seeks to access;
  - A brief description of the product/service the consumer has requested and a statement that the third party will collect, use, and retain the consumer’s data only as reasonably necessary to provide that product/service to the consumer;
  - The categories of data that will be accessed;
  - A statement certifying that the third party agrees to certain obligations set forth in the final rule;
  - A brief description of the expected duration of data collection and a statement that collection will not last longer than one year after the consumer’s most recent reauthorization; and
  - A description of the method that the consumer may use to revoke authorization.
Third Party Obligations
Third parties are required to provide a statement to a consumer certifying that the third party will satisfy the following obligations:
- The third party will limit its collection, use and retention of covered data to what is reasonably necessary to provide the consumer’s requested product/service.
- The third party will limit the duration of collection of covered data (per authorization) to a maximum period of one year. To continue collection beyond that period, a new consumer authorization must be obtained.
- The third party will have written policies/procedures that are reasonably designed to ensure that covered data are accurately received from a data provider and accurately provided to another third party, if applicable.
- The third party will apply an information security program to its systems for the collection, use and retention of covered data. In most cases this will be the program required under the Gramm-Leach-Bliley Act. However, if the third party is not subject to the Gramm-Leach-Bliley Act, the program would be required to comply with the Federal Trade Commission’s Standards for Safeguarding Customer Information.
- The third party will ensure that consumers are informed about the third party’s access to covered data.
- The third party will provide the consumer with a method to revoke the third party’s authorization.
- The third party will have written policies/procedures that are reasonably designed to ensure retention of records that are evidence of compliance with the final rule for a reasonable period of time.
Use of Data Aggregators
The final rule allows data aggregators to perform customer authorization procedures on behalf of third parties seeking access to customer data. However, the third party seeking the authorization remains responsible for compliance with the authorization procedures.
Data processors engaged in this process on behalf of a third party are required to certify to the consumer that they will satisfy the third party obligations required under the final rule.
Effective and Compliance Dates
The final rule will become effective 60 days after publication in the Federal Register. However, compliance with the rule is not required at that time. A data provider must determine which compliance date is applicable based on its status as a depository or non-depository institution and its size (measured either by total assets for depository institutions or by total receipts for non-depository institutions).
The five possible compliance dates and applicable thresholds are provided below:
- April 1, 2026
- Applicable to depository institutions with at least $250 billion in total assets (based on an average of Q3 2023 through Q2 2023 call report submissions)
- Applies to non-depository institutions that generated at least $10 billion in total receipts (based on calendar year 2023 or 2024)
- April 1, 2027
- Applicable to depository institutions with at least $10 billion in total assets but less than $250 billion in total assets (based on an average of Q3 2023 through Q2 2024 call report submissions).
- Applicable to non-depository institutions that did not generate $10 billion or more in total receipts in both calendar year 2023 and 2024.
- April 1, 2028
- Applicable to depository institutions with at least $3 billion in total assets but less than $10 billion in total assets (based on an average of Q3 2023 through Q2 2024 call report submissions).
- Not applicable to non-depository institutions
- April 1, 2029
- Applicable to depository institutions with at least $1.5 billion in total assets but less than $3 billion in total assets (based on an average of Q3 2023 through Q2 2024 call report submissions).
- Not applicable to non-depository institutions
- April 1, 2030
- Applicable to depository institutions with less than $1.5 billion in total assets but more than $850 million in total assets (based on an average of Q3 2023 through Q2 2024 call report submissions).
- Not applicable to non-depository institutions
NCUA Summary Letter to Credit Unions 24-CU-02
Board of Director Engagement in Cybersecurity Oversight
NASCUS Legislative and Regulatory Affairs Department
October 22, 2024
The NCUA Board has issued its second letter to credit unions of 2024, LTCU 24-CU-02 Board of Director Engagement in Cybersecurity Oversight. The letter specifically addresses credit union boards and CEOs and urges credit union boards to prioritize cybersecurity as a top oversight and governance responsibility.
In light of the growth and sophistication of information security threats such as “malvertising” and the importance of safeguarding information, the NCUA details four key areas boards of directors should focus on:
- Training;
- Approval of Information Security Program;
- Oversight of Operational Management; and
- Incident Response Planning and Resilience.
Provide for Recurring Training
The NCUA discusses the need for credit union boards to engage in ongoing education about current cybersecurity threats, trends, and best practices. The letter lists various NCUA resources including web-based training and written guidance. It also discusses the board’s role in ensuring a credit union’s employees receive regular cybersecurity education and emphasizes the importance of a “security-minded culture” to mitigate risk.
Approval of Information Security Program
The letter also reminds directors they must approve and review, at least annually, a comprehensive information security program that meets the requirements of NCUA Part 748.
Oversight of Operational Management
The letter also addresses the board’s responsibility for overseeing a credit union’s management team, placing a key focus on the following cybersecurity areas:
- Third-Party Due Diligence
- Embedding Cybersecurity and Operational Resilience into Organizational Culture
- Resources
- Vulnerability/Patch Management and Threat Intelligence
- Audit Function
- Reporting
- Protecting and Managing Backups; and
- Membership Education
Incident Response Planning and Resilience
The letter discusses the importance of credit union boards ensuring resilience planning is consistent with the NCUA’s Cyber Incident Notification Rule and requirements, while allowing the credit union to operate effectively during a cyber attack.
LTCU 24-CU-02 states that resilience planning should include the following:
- Internal and external communication between the board, members, and regulators.
- Insurance considerations that evaluate cybersecurity insurance policies to ensure adequate coverage for potential incidents.
- Identifying an incident response team of key personnel prepared to take immediate action in the event of a cyber incident.
- Conducting regular tabletop exercises to simulate cyber incident scenarios.
Finally, the letter encourages boards to consult the NCUA’s cybersecurity resources page for additional information.
National Credit Union Administration: Fair Hiring in Banking
NASCUS Legislative and Regulatory Affairs Department
October 4, 2024
On September 19, 2024, the NCUA Board unanimously approved a final rule codifying Section 205(d) of the Federal Credit Union Act (FCUA) and incorporating the NCUA’s Second Chance Interpretive Ruling and Policy Statement (IRPS) 19-1 and the Fair Hiring in Banking Act (FHBA) into Section 752 of the agency’s regulations. The FCUA generally prohibits, except with the Board’s written consent, any person who has been convicted of or has a program entry for certain criminal offenses involving dishonesty or breach of trust from participating in the affairs of an insured credit union.
The preamble to the final rule states the rule will “expand career opportunities for individuals to work and volunteer at insured credit unions.”
Summary
Section 752.1 – What is Section 205(d) of the FCUA?
Section 752.1 describes the requirements of Section 205(d) of the FCUA including:
- Paragraph (a) describes the requirements of Section 205(d)
- Paragraph (b) clarifies that insured credit unions must make a reasonable and documented inquiry regarding an applicant’s history, and at a minimum, a credit union should establish a screening process to obtain information about convictions and program entries from applicants. Paragraph (b) also provides that insured credit unions are permitted to make conditional offers of employment to prospective applicants.
- Paragraph (c) addresses the need for a consent application and establishes the standard for an application’s approval.
Section 752.2 – Who is covered by Section 205(d)?
- Institution Affiliated Parties (IAPs)
- Volunteer and de facto employees
Section 752.3 – Which offenses qualify as “covered” offenses under Section 205(d)?
The following constitutes a covered offense under section 205(d):
- A conviction or program entry must have been for a criminal offense involving dishonesty or breach of trust:
  - “Dishonesty” means “an offense under which an individual directly or indirectly cheats or defrauds or wrongfully takes property belonging to another in violation of a criminal statute.”
  - This also includes an offense that federal, state, or local law defines as “dishonest” or for which dishonesty is an element of the offense.
  - The term does NOT include (1) a misdemeanor criminal offense committed more than one year before the date on which a person files a waiver application, excluding any period of incarceration, or (2) an offense involving the possession of controlled substances.
  - “Breach of trust” refers to “a wrongful act, use, misappropriation, or omission concerning any property or fund that has been committed to a person in a fiduciary or official capacity, or the misuse of one’s official or fiduciary position to engage in a wrong act, use, misappropriation, or omission.”
Section 752.4 – What constitutes a conviction under Section 205(d)?
Section 752 does not cover arrests or pending cases not brought to trial.
Section 752.5 – What constitutes a pretrial diversion or similar program under Section 205(d)?
The term “pretrial diversion or similar program” (program entry) refers to a program characterized by a suspension or eventual dismissal or reversal of charges or criminal prosecution upon agreement by the accused to restitution, drug or alcohol rehabilitation, anger management, or community service.
Section 752.6 – What are the types of consent applications that can be filed?
According to the final rule, the NCUA will accept applications from:
- An individual; or
- An insured credit union applying on behalf of an individual.
An individual or insured credit union may file applications at separate times. Applications must be filed with the appropriate NCUA field office.
A waiver is no longer needed if:
- It has been seven years or more since the offense occurred (measured from the date of offense, not the date of disposition); or
- The person was incarcerated, and it has been five years or more since the person was released; or
- The person committed the offense before age 21, and it has been more than 30 months since the sentencing occurred (the date the court imposed the sentence).
Section 752.7 – When may an application be filed?
Applications must be filed when an adult or minor treated as an adult is convicted by a court of competent jurisdiction for a Covered Offense or when such person has a program entry regarding the offense.
Section 752.8 – What is the de minimis exemption?
De minimis exemptions have been expanded to include (but are not limited to):
- An individual has been convicted of, or has program entries for, no more than two covered offenses.
- Increasing the requirement that the offense be punishable by a term of one year or less to three years or less.
- For “bad check criteria,” increasing the aggregate total face value of all NSF checks across all convictions or program entries related to NSF checks from $1000 or less to $2000 or less.
- Excluding a new category of lesser offenses, including using a fake ID, shoplifting, trespassing, or driving with an expired license or tag, if one year or more has passed since the applicable conviction or program entry.
Section 752.9 – How does an individual or credit union file an application?
Forms and instructions can be found on NCUA’s website at www.ncua.gov. An application must be filed with the appropriate field office Director.
Section 752.10 – How will the NCUA evaluate an application?
The ultimate determination in assessing an application is:
- Whether the person has demonstrated their fitness to participate in the conduct of the affairs of an insured credit union; and
- Whether the person’s affiliation or participation in the conduct of the affairs of the credit union may constitute a threat to the safety and soundness of the credit union, the interests of its members, or threaten to impair public confidence in the credit union.
The final rule details a number of additional evaluating factors for individualized assessments. For state-chartered, federally insured credit unions, the NCUA will consider the opinion or position of the state regulator.
Section 752.11 – What will the NCUA do if the application is denied?
If an application is denied, the NCUA will inform the applicant in writing that the application has been denied and summarize or cite the relevant considerations specified in 752.10. The denial will also notify the applicant of the right to request reconsideration from the field office or to file an appeal with the NCUA Board and will include the applicable filing deadlines and time frames for Agency response.
Amendments to §701.14 on Change in Official or Senior Executive Officer in Credit Unions that are Newly Chartered or are in Troubled Condition
The changes to 701.14 include:
- Clarifying when notice is required by specifying that a credit union must provide notice when adding or replacing any member of its board of directors or committees, employing any person as a senior executive of the credit union, or changing the responsibilities of a board member, committee member, or a senior executive officer so that the person would assume a different position;
- Increasing the amount of time for the NCUA to initially review a notice after its receipt from 10 calendar days to 15 calendar days;
- Specifying that Regional Director and ONES Director communications under 701.14 may be done through email; and
- Explicitly stating that the notice of disapproval will identify the reason(s) for the denial.
National Credit Union Administration: Simplification of Share Insurance Rules
NASCUS Legislative and Regulatory Affairs Department
October 4, 2024
On September 19, 2024, the NCUA Board unanimously approved a final rule amending its share insurance regulations. The rule simplifies the regulations by establishing a “trust accounts” category. The changes also increase consistency between the FDIC’s Federal deposit insurance rules and the NCUA’s share insurance rules.
The final rule is effective December 1, 2026, except for a handful of amendments, including those on recordkeeping, which are effective October 30, 2024.
Summary
The final rule amendments include: (1) merging the revocable and irrevocable trust categories into one category, (2) applying a simpler common calculation method to determine insurance coverage for funds held by revocable and irrevocable trusts, and (3) eliminating certain requirements found in the current rules for revocable and irrevocable trusts.
Merger of Revocable and Irrevocable Trust Categories
The final rule amends §745.4 of the NCUA’s regulations, which currently applies only to revocable trust accounts. The amendment establishes a new “trust accounts” category that includes both revocable and irrevocable trust accounts with funds deposited at a Federally Insured Credit Union (FICU). The final rule defines funds that will be included in this category as:
- Informal revocable trust funds (e.g., payable-on-death accounts, in-trust-for accounts, and Totten trust accounts);
- Formal revocable trust funds, defined as funds held pursuant to a written revocable trust agreement under which funds pass to one or more beneficiaries upon the grantor’s death; and
- Irrevocable trust funds, e.g., funds held under an irrevocable trust established by written agreement or by statute.
The merger of the two categories eliminates §745.4(h) – (i), simplifying the amount of share insurance coverage upon the death of a formal revocable trust owner. Coverage for both irrevocable and formal revocable trusts will fall under the same category and share insurance coverage will remain the same.
Calculation of Coverage
The final rule utilizes a streamlined calculation to determine the amount of share insurance coverage for funds in both trust account categories. The adopted calculation is already used by the NCUA to calculate coverage for revocable trusts that have five or fewer beneficiaries. The final rule will provide coverage for trust funds at each FICU up to a total of $1,250,000 per grantor. This means each grantor’s insurance limit will be $250,000 per beneficiary up to a maximum of five beneficiaries.
Aggregation of Funds
The final rule aggregates a grantor’s revocable and irrevocable trust accounts for purposes of share insurance coverage. For example, all revocable and irrevocable trusts held for the same grantor at the same FICU will be aggregated, and the grantor’s insurance limit will be determined by the number of eligible and unique beneficiaries identified among all of their trust accounts. Share insurance coverage for “trust accounts” will remain separate from the coverage provided for other funds held in non-trust accounts.
Eligible Beneficiaries
The final rule uses a single definition to determine beneficiary eligibility. As proposed, it will exclude from the calculation of share insurance coverage beneficiaries who would obtain an interest in a trust only if one or more named beneficiaries are deceased.
Removal of the Appendix to Part 745
The final rule removes the appendix to part 745, which provides examples of share insurance coverage. Instead, the NCUA plans to update its “Your Insured Funds” brochure to reflect the amendments to part 745.
Mortgage Servicing Accounts
Under the final rule, accounts maintained by a mortgage servicer in an agency, custodial, or fiduciary capacity, which consist of payments of principal and interest, will be insured for the cumulative balance paid into the account to satisfy principal and interest obligations to the lender, whether paid directly by the borrower or by another party, up to the limit of the standard maximum share insurance amount (SMSIA) per mortgagor. Mortgage servicers’ advances of principal and interest funds on behalf of delinquent borrowers will be insured up to the SMSIA per mortgagor, consistent with the coverage rules for payments of principal and interest collected directly from borrowers.
Liquidations
By merging the requirements for revocable and irrevocable trusts, the final rule also provides the NCUA with additional flexibility in determining share insurance coverage in instances where a credit union is liquidated. The changes reduce the time needed to identify beneficiaries and eliminate the need to review multiple differing requirements for coverage.
NASCUS Summary re: CFPB Proposed Rule/Request for Comments on Remittance Transfers under the Electronic Fund Transfer Act (Regulation E)
12 CFR Part 1005
The Consumer Financial Protection Bureau (CFPB) proposes a narrowly tailored amendment to certain remittance transfer disclosure requirements in the remittance rule in Regulation E to ensure consumers sending a remittance transfer have information about the types of inquiries that may be most efficient to direct to the CFPB and the State agency that licenses or charters their remittance transfer provider.
Comments must be received by November 4, 2024 and the proposal can be found here.
Summary
The Electronic Fund Transfer Act (EFTA) provides a basic framework for rights, protections, liabilities and responsibilities of consumers and providers in electronic fund transfer systems and remittance transfers. Section 919 of the EFTA requires remittance transfer providers to make certain disclosures to senders of remittance transfers. Under the current rule, remittance transfer providers are required to make disclosures including a statement about the rights of the sender regarding the resolution of errors and cancellation; the contact information of the remittance transfer provider; and a statement that the sender can contact the State agency that licenses or charters the remittance transfer provider with respect to the remittance transfer and the Consumer Financial Protection Bureau for questions/complaints about the remittance transfer provider.
The CFPB proposes amending the disclosure requirements and corresponding model forms to direct a remittance sender to contact the State licensing agency and the CFPB if the sender has unresolved problems with the remittance transfer or complaints about the remittance transfer provider. According to the Bureau, this amendment is intended to make the process more efficient by making it clear who should be the initial point of contact in each situation.
In addition, the CFPB proposes to make remittance transfer providers’ contact information more prominent and easier for consumers to locate. The proposed rule would update the remittance transfer provider contact information in the header of the model forms by adding the remittance transfer provider’s phone number and website. The proposal would also update the model forms for receipts and combined disclosures.
Comments Requested
The CFPB seeks comment on whether the proposed changes will provide helpful information to senders and what, if any, impact these proposed changes may have on consumers, remittance transfer providers, and State licensing agencies.