Board Action Bulletin
ALEXANDRIA, Va. (Oct. 19, 2023) – The National Credit Union Administration Board held its ninth open meeting of 2023, where it unanimously approved a proposed rule incorporating its Second Chance Interpretive Ruling and Policy Statement and the Fair Hiring in Banking Act into its regulations. The NCUA Board also approved a proposed rule that would simplify share insurance regulations by establishing a “trust accounts” category.
In addition, the Board received a briefing on cybersecurity issues facing credit unions, their vendors, and the broader financial services sector.
Proposed Rule Opens More Opportunity for Employment in Credit Unions
The NCUA Board unanimously approved a proposed rule that would incorporate the NCUA’s Second Chance Interpretive Ruling and Policy Statement (IRPS 19-1) and statutory prohibitions imposed by Section 205(d) of the Federal Credit Union Act into the agency’s regulations. This proposed rule would allow people convicted of certain minor offenses to work in the credit union industry without applying for the Board’s approval.
“Many of these individuals are not violent or career criminals. They are people who made poor choices at some point and who have since paid their debts to society,” NCUA Chairman Todd M. Harper said. “What’s more, a disproportionate number of these individuals come from communities of color. If we are to advance financial inclusion and equity within the credit union system, we must facilitate the access of all demographic groups to credit union employment opportunities.”
Section 205(d) prohibits, except with the prior written consent of the NCUA Board, a person who has been convicted of certain criminal offenses involving dishonesty or breach of trust or who has entered a pretrial diversion or similar program from participating in the affairs of a credit union.
The proposed rule would address, among other topics, the individuals and types of offenses covered by Section 205(d) and the NCUA’s procedures for reviewing a consent application. Additionally, the proposed rule would amend the following:
- NCUA’s policies and procedures governing an application to rescind a prohibition pursuant to Section 205(d), as currently reflected in the Second Chance policy statement and consistent with both amendments made by the recent Fair Hiring in Banking Act and with comparable Federal Deposit Insurance Corporation regulations.
- Regulation governing the conditions under which newly chartered or troubled federally insured credit unions must notify the NCUA of any proposed changes to the credit union’s board of directors, committee members, or senior executive staff and make other conforming changes.
If a final rule is approved by the NCUA Board, the Second Chance Interpretive Rule and Policy Statement will be rescinded.
Comments on the proposed rule must be received no later than 60 days following its publication in the Federal Register.
Proposed Rule on Simplification of Share Insurance Provides Parity With FDIC
A proposed rule that would simplify the NCUA’s share insurance regulations by establishing a “trust accounts” category was unanimously approved by the NCUA Board. The trust accounts category would provide Share Insurance Fund coverage of funds in both revocable and irrevocable trusts deposited at federally insured credit unions in the accounts of members or those otherwise eligible to maintain insured accounts.
Said Chairman Harper, “Deposit insurance at federally insured credit unions and banks is the cornerstone that secures the foundation of our nation’s vibrant credit union and banking systems. The confidence created by knowing savings are protected by the full faith and credit of the United States allows consumers to rest easy, knowing their hard-earned nest eggs up to the current limit of $250,000 will be safe even during periods of financial and economic stress.”
Additionally, the proposed rule would provide:
- Consistent share insurance treatment for all mortgage servicing account balances held to satisfy principal and interest obligations to a lender.
- More flexible recordkeeping requirements to explicitly allow the NCUA to look to records held in the normal course of business that are maintained by parties other than federally insured credit unions and their members.
The proposed changes to the trust account and mortgage servicing account provisions in the NCUA’s Share Insurance Fund regulations would align with changes the FDIC previously adopted that take effect on April 1, 2024.
Comments on the proposed rule must be received no later than 60 days following publication in the Federal Register.
Board Briefed on Cybersecurity Trends, Third-party Vendor Vulnerabilities
Employees from the NCUA’s Office of Examination and Insurance and Office of the Executive Director briefed the Board on trending cybersecurity attack tactics and continuing third-party vendor incidents. The staff also briefed the Board on the implementation of the NCUA’s Information Security Examination program and the cyber incident reporting rule.
“For many credit unions, especially small, low-income, and MDI credit unions, making cybersecurity investments can be difficult,” Chairman Harper said. “Thankfully, there are free resources available to help. I encourage all credit unions to download and use the NCUA’s Automated Cybersecurity Evaluation Toolbox. The ACET is available at no cost and can be found online on the NCUA’s website.”
The briefing noted that MOVEit vulnerabilities led to private data being stolen from more than 2,000 organizations and 60 million individuals. The briefing included suggestions for credit unions from the 2023 Information Security Examinations and an update on the implementation of the NCUA’s recently approved cyber incident reporting rule. Staff noted there were 146 incidents reported by credit unions in the first 30 days of rule implementation, and more than 60 percent of reported incidents were due to compromises to third-party service providers.
Said Chairman Harper, “Stakeholders must understand that the risks resulting from the NCUA’s lack of vendor authority are real, expanding, and impact all of us. Until this growing regulatory blind spot is closed, thousands of federally insured credit unions, tens of millions of consumers who use credit unions, and trillions in assets are exposed to high levels of risk. During my travels and meetings with credit union leagues and officials, more CEOs and leaders have told me they see the value and benefits of restoring the NCUA’s vendor authority because they cannot manage all the potential risks and liabilities associated with their vendors.”
The NCUA continues to encourage credit union staff and boards of directors to review their third-party and vendor relationships, assess and mitigate any potential risk associated with products and services, and strengthen their institution’s cyber vigilance and preparedness efforts.
Cybersecurity-related information, including regulations, guidance, and resources to help protect credit unions and their members from cyberthreats is available on the NCUA’s cybersecurity resources webpage.
Follow @TheNCUA on X, and access Board Action Memorandums and NCUA rule changes at www.ncua.gov. The NCUA also live streams, archives, and posts videos of open Board meetings online.