Regulatory Review 2021
August 16, 2021
Office of General Counsel
National Credit Union Administration
1775 Duke Street
Alexandria, VA 22314
Re: Regulatory Review 2021
To the Office of General Counsel:
The National Association of State Credit Union Supervisors (NASCUS)[1] submits this letter in response to the Office of General Counsel’s (OGC) request for comments on the 2021 Regulatory Review.[2] NASCUS commends the OGC and NCUA for the commitment to an ongoing annual review of existing regulations and solicitation of public comment on regulations that might be clarified, amended, or repealed. In our comments that follow, we offer both recommendations for amending Part 748, as well as for improving the Regulatory Review process.
- 748 Security Program, Report of Suspected Crimes, Suspicious Transactions, Catastrophic Acts and Bank Secrecy Act Compliance
NCUA Rules and Regulations Part 748 mandate compliance with the Bank Secrecy Act and Anti-Money Laundering laws (BSA/AML) and require the maintenance of a written security program for federally insured credit unions (FICUs). Federally insured state credit unions (FISCUs) are required to comply with §748 by way of reference in Part 741.214.
NCUA’s rule combines implementing language taken verbatim from the BSA/AML with NCUA specific requirements. For example, § 748(c)(1)(i) requires the filing of a Suspicious Activity Report (SAR) for insider abuse of any amount, whereas the BSA/AML statutes have dollar thresholds for reporting. In June of this year, the Financial Crimes Enforcement Network (FinCEN) completed a Congressionally mandated assessment of the benefit, and feasibility, of creating a No Action Letter (NAL) program for the BSA/AML.[3] FinCEN has determined that establishing a NAL program for the BSA would be beneficial and will be moving forward with implementing rulemaking in the future. Of course, FinCEN’s determination of “No Action” with respect to the application of specific regulation in a specific circumstance would only apply to BSA/AML rules over which FinCEN has interpretive and enforcement authority: not NCUA (or other prudential regulatory authority) specific rules. To mitigate the potential for confusion as to which provisions of § 748 are eligible for FinCEN NAL determination and which are NCUA specific, we recommend the rule be reorganized to co-locate or otherwise more clearly identify BSA/AML “FinCEN” rules and NCUA specific rules.
NCUA should also revisit longstanding guidance interpreting § 748(c)(4) requirements regarding informing the credit union’s board of directors of SAR filings. The BSA/AML and NCUA’s regulations require the board of directors be notified “promptly” of SAR filings. Neither the statute nor the NCUA regulation defines “promptly.” NCUA has issued guidance interpreting this provision to require monthly reporting to the credit union’s board.[4] As we have pointed out in past comments, while a monthly standard may make sense for federal credit unions (FCUs) given their requirement for monthly board meetings, not all states require monthly board meetings. In other covered industries, including banking, best practice for reporting to the entity’s board is quarterly, or synchronized to regularly scheduled board meetings. NCUA should clarify its expectations for how reporting is handled and make clear that for credit unions with less-than-monthly board meeting, reporting SAR filings at the next available board meeting, or quarterly, would satisfy the regulatory requirement. In the past, NCUA has declined to entertain this recommendation, considering it beyond the scope of the regulatory process.[5] We disagree that clarifying the interpretation of § 748(c)(4) is beyond the scope of the annual Regulatory Review and urge NCUA to reconsider such a narrow application of the review process.
Finally, while not germane to this annual review of existing Part 748, it is imperative to reiterate the importance of NCUA working with state regulators to develop regulations to implement the Anti-Money Laundering/Countering the Financing of Terrorism National Priorities (National Priorities) as published by the Treasury Department on June 30, 2021. NASCUS was pleased NCUA has acknowledged the need to work with state regulators on both changes to the BSA/AML regulations as well as supervisory processes to implement the National Priorities pursuant to the AML Act of 2020.[6] We would recommend the creation of a working group of NCUA and state regulators to develop pending regulations.
NCUA Response to Annual Regulatory Review Recommendations Provides Value to Stakeholders
While it is commendable that NCUA continues to solicit input from stakeholders regarding potential improvements to all of the agency’s existing regulations, NCUA could further improve the process by reinstating the policy of publishing a summary and response to stakeholder comments. There is real value for stakeholders in understanding NCUA’s response to recommended changes and in gaining insight into the agency’s rational for resisting making various recommended changes.
Significant Regulatory Relief Could be Achieved Were NCUA to Modernize the Organization of the Agency’s Share Insurance Rules and Regulations
As we have repeatedly noted, the current organization of NCUA’s Rules and Regulations is unnecessarily burdensome for FISCUs and sometimes confusing for state and federal examiners. NCUA’s practice of applying rules to FISCUs by incorporating references in Part 741 unnecessarily complicates compliance because most substantive provisions applicable to FISCUs are scattered throughout NCUA’s rules for federal credit unions.
While the 2021 Regulatory Review features rules that are all generally applicable and relevant to FISCUs, this is the only segment of NCUA rules in which this is the case. As we explained in last year’s Regulatory Review, NCUA understands that scattering FISCU rules throughout the FCU rules that do not apply makes compliance unnecessarily difficult.[7]
NCUA should reorganize its rules to consolidate and co-locate all National Credit Union Share Insurance Fund (NCUSIF) rules for FISCUs in one section (or series of consecutive sections). Reorganizing the rules in this manner would provide significant regulatory relief to credit unions without increasing risk to the NCUSIF.
NCUA Should Initiate a Similar Review Policy for Guidance
In recent years, NCUA has made vast improvements in the presentation of supervisory guidance on the agency’s website. Stakeholders may now access various guidance by year, subject matter, and issuance type. In addition to the organizational improvements in presenting guidance that have been made, NCUA should develop a regular review of guidance as a companion to the annual Regulatory Review.
As NCUA aptly noted in the agency’s recent final rule on the Role of Supervisory Guidance, often regulations are not simple prescriptions that lend themselves to “right or wrong” determinations in the supervisory process.[8] While not carrying the force of regulation or statute, supervisory guidance provides stakeholders crucial insight into how NCUA interprets compliance with regulation, and as such is just as critical to be regularly evaluated.
NCUA Use of “Should,” “Shall,” or “Must”
NCUA rules are mostly, but not entirely, consistent in using mandatory language as appropriate when describing required elements of credit union compliance. However, throughout Appendix A of § 748, NCUA uses “should” while discussing necessary elements of credit union information security programs. Wherever rule text describes mandatory components of compliance, mandatory, rather than permissive, language should be used.[9]
NCUA should ensure that regulatory provisions containing mandatory elements of compliance contain mandatory language rather than permissive language. Requirements should also be stated in the active tense such as “a credit union shall design its information security program” rather than passive construction such as a “credit union information security program should be designed.”
NASCUS appreciates the opportunity to participate in the annual review of NCUA’s Rules and Regulations. The Regulatory Review is a commendable undertaking with real value for the credit union system. We are happy to discuss our recommendations further at your convenience.
Sincerely,
Brian Knight
Executive Vice President & General Counsel
[1] NASCUS is the professional association of the nation’s 45 state credit union regulatory agencies that charter and supervise over 2,000 state credit unions. NASCUS membership includes state regulatory agencies, state chartered and federally chartered credit unions, and other important stakeholders in the state system. State chartered credit unions hold over half of the $1.97 trillion assets in the credit union system and are proud to represent nearly half of the 126 million credit union members.
[2] Available at https://www.ncua.gov/regulation-supervision/rules-regulations/regulatory-review.
[3] See FinCEN Report on No Action Letter program assessment available at https://www.fincen.gov/sites/default/files/shared/No-Action%20Letter%20Report%20to%20Congress%20per%20AMLA%20for%20ExecSec%20Clearance%20508.pdf.
[4] See NCUA Regulatory Alert 06-RA-07, Final Rule Part 748: Filing Requirements for Suspicious Activity Reports, (December 2006). Available at https://www.ncua.gov/regulation-supervision/letters-credit-unions-other-guidance/final-rule-part-748-filing-requirements-suspicious-activity-reports.
[5] See The Office of the General Counsel’s 2014 Regulation Review, p. 3. Available at https://www.ncua.gov/files/publications/regulation-review-report-2014.pdf. .
[6] See https://www.ncua.gov/regulation-supervision/letters-credit-unions-other-guidance/interagency-statement-issuance-anti-money-launderingcountering-financing-terrorism.
[7] NASCUS Comments NCUA 2020 Regulatory Review. Available at https://www.nascus.org/comment-letters/comment-letter-regulatory-review-2020/.
[8] The Role of Supervisory Guidance, 86 Fed. Reg. 21, 7951 (February 3, 2021).
[9] See Federal Deposit Insurance Corporation 12 CFR 364 Appendix B and Office of the Comptroller of the Currency 12 CFR 30 Appendix B.