Dear Boards of Directors and Chief Executive Officers:
The National Credit Union Administration (NCUA) supports initiatives by federally insured credit unions to better serve their members. The rapid emergence of financial technology is creating opportunities for credit unions to increase speed of service, improve security, and expand products and services. In this spirit, the Board is exploring how the agency can provide clarity around expectations regarding financial technology adoption to not impede safe, fair, and responsible federally insured credit union engagement.
This letter clarifies certain expectations for credit unions contemplating the use of new or emerging distributed ledger technologies (DLT). The NCUA does not prohibit credit unions from developing, procuring, or using DLT. DLT used as an underlying technology by credit unions is not prohibited if it is deployed for permissible activities and in compliance with all applicable laws and regulations, including applicable state laws or state supervisory authority requirements. As with the internet at its inception, the NCUA recognizes that new technologies may transform how credit unions perform traditional financial operations and services.
This letter reiterates the importance of sound governance and planning related to deploying new technologies like DLT.¹ While DLT is maturing, the NCUA recognizes that cases for implementation may expand rapidly as the technology becomes more widespread and credit unions become more familiar with it. For this reason, this letter provides areas for credit unions to consider when evaluating whether to use DLT. The NCUA also recognizes that the specific application of DLT may necessitate additional due diligence by credit unions, and approaches that vary with some of the more general guidance provided in this letter. As such, the NCUA expects that this letter may generate follow-up inquiries where additional guidance is requested and prudent. This letter also signals to the broader financial and technology communities that credit unions are a market to consider when designing products, considering partnerships, or making investments.
As with all new and emerging technology, the NCUA expects credit unions to exercise judgment, apply sound risk-management practices, and conduct necessary due diligence when choosing a platform, product, or service. When considering DLT, credit unions should first evaluate the permissibility of the activity itself and then assess the opportunities and risks relative to the activity. Finally, given the emerging nature of DLT and its potential use by credit unions, the considerations introduced in this letter should not be construed as all-inclusive.
Governance, Oversight and Planning
As with the development of any new product or service, when deploying a platform, product, or service using DLT as part of the underlying technology, credit unions should find an appropriate balance between the opportunities and the risks. Related project plans and risk assessments should include examining internal constraints and obstacles, and ensuring, at a minimum:
- The credit union’s board of directors is notified of advancements in the underlying technology, the purposes of the technology, and how using DLT aligns with the credit union’s strategic planning objectives and approved risk tolerances.
- Credit union staff and third parties using and managing the technology are complying with applicable laws and regulations and acting in a safe-and-sound manner.
- Effective risk-management practices are followed to identify, assess, and mitigate risks associated with DLT and the specific activities for which it will be deployed.
- Risk assessment and audit functions can validate and attest to the effectiveness of risk-mitigation practices in accordance with internal policy and industry leading practices.
Risk and Risk-Mitigation Strategies
All technology and systems have inherent risks. Credit unions are responsible for ensuring sound operations whether delivery of services is accomplished internally or through third parties. For example, the NCUA recognizes third-party relationships may be valuable to credit unions in facilitating implementation and use of, and member access to, new and emerging technology. Inadequately managed and controlled third-party relationships, however, can result in harm to members, unanticipated costs, legal disputes, and financial loss. Therefore, effective risk management is important.
Credit unions must identify, assess, and mitigate risks associated with DLT. Credit unions should consider specific questions related to DLT as part of their due diligence efforts and ensure activities are permissible and in compliance with all applicable laws and regulations. Depending upon the characteristics of the DLT being deployed and how it is being used, other risk factors may merit consideration. Credit unions should employ a comprehensive approach to risk identification, assessment, and mitigation as part of the development and implementation of DLT. In cases where vendor-provided solutions are considered, the responsibility to identify, understand, and mitigate material risks resides with the board and management of the credit union and not solely the vendor.
Depending on the purpose for which the DLT is being implemented, credit unions should consider the following questions, among others:
Information and Cybersecurity Risk²
- What are the primary characteristics of the DLT network architecture?
- Does the DLT exist within a private or public network?
- Has the risk of compromise related to many points of entry (nodes) been assessed?
- Are consensus mechanisms built into the DLT architecture immune to external exploitation?
- How are permissions and identity management credentials managed?
- By whom and how is governance over the network conducted?
- What are the data quality control expectations among participants within the network?
- Are DLT solutions deployed within a strictly governed coding process in accordance with industry leading practices?
Legal and Compliance Risk
- Have the potential legal and compliance risks been assessed, including those related to maintaining confidentiality, privacy, data security, recordkeeping, and consumer and fraud protections?
- When deploying the DLT, will the credit union comply with applicable laws and regulations, such as requirements of the Bank Secrecy Act (BSA), including customer due diligence, “Know Your Customer,” and anti-money laundering requirements?
- Is each node on the DLT network BSA compliant?
- If the application involves the use of smart contracts, is testing of the underlying architecture in place and documented? Has the credit union confirmed with whom, and to what extent, oversight, governance, and maintenance of the smart contract application reside?³
Strategic and Reputation Risk
- Have potential strategic and reputational risks related to the DLT been identified, assessed, and mitigated?
- Are consensus mechanisms built into the DLT architecture well understood by management?
- Is a process in place to monitor emerging risks and changes in technology? Can the credit union or the third party apply changes in deployment and internal controls in response?
- Do contracts with third-party vendors provide reasonable “exit strategies” in the event of deterioration in financial condition or service delivery by the vendor?
- Have potential liquidity risks been identified, assessed, and mitigated?
- Have potential legal and compliance risks associated with new-entry participants and third-party agreements been assessed?
- Have the appropriate due diligence steps been taken in the selection of the third party before entering a DLT arrangement? Has NCUA’s existing guidance on evaluating third-party relationships and third-party due diligence been reviewed?
Examples of current and evolving use of DLT in various applications exist within the credit union industry and larger financial services sector. This letter explains that credit unions may appropriately use DLT as an underlying technology and highlights a variety of relevant issues credit unions should evaluate prior to deployment. Credit unions can responsibly explore the use of DLT for business uses to enhance their operations and ongoing competitiveness.
Credit unions must remain alert to new or evolving risks posed by use of an emerging technology or approach. The NCUA expects credit unions to exercise good judgment and apply sound risk-management practices when choosing to offer a new platform, product, or service, including where DLT is part of the underlying technology. These reviews include evaluating the permissibility of the activity itself and the opportunities and risks associated with any underlying technology, such as DLT. Examiners will evaluate the rigor with which credit unions exercised good judgment, applied sound risk management, and executed compliance and risk oversight over the acquisition or development, and the deployment, of new systems and technology.
The NCUA supports innovations that are safe and sound, in compliance with all applicable laws and regulations, and fair to consumers. The NCUA also believes that DLT-related activities are rapidly evolving, and present questions and evolving risks not yet well understood. The NCUA reserves the right to issue future guidance, as appropriate.
Todd M. Harper
¹ The National Institute of Standards and Technology (NIST) Blockchain Technology Overview paper includes additional information and definitions related to DLT. The NIST Computer Security Resource Center (CSRC) also has an Enhanced Distributed Ledger Technology project page.
² For additional information, refer to the NIST CSRC Enhanced Distributed Ledger Technology project page and the ISO/TC 307 Standards issued by the International Organization for Standardization.
³ For additional information and definitions related to smart contracts and other terms related to distributed ledger technologies, refer to NIST white papers and guidance; specifically, see A Taxonomic Approach to Understanding Emerging Blockchain Identity Management Systems.