Regulatory Compliance Weekly Roundup: October 20, 2023

It's been a busy week in the world of credit union regulatory compliance! Let's take a look at some headlines.

NCUA

The NCUA's October Board meeting was this Thursday. The Board received a cybersecurity briefing and proposed two new rules - one on simplifying insurance rules for trust accounts and one for easing disqualifiers in hiring. League President/CEO Carrie Hunt and I attended the meeting in person.

We'll dive into the proposed rules in later posts, but here were a few observations that stood out to me:

Cybersecurity Briefing 

In discussion of the Information Security Examinations, the NCUA presenter highlighted some things credit unions are doing well, and some things that could be improved. For small credit unions (<$50 million), their recommendations included:

• Report information security risk assessment results to the board of directors.
• Provide test results of key or critical controls to the board of directors.
• Report cybersecurity contract provisions for third-party service providers to their board of directors.

For larger credit unions, their recommendations…were the exact same three items. The message here is clear - the NCUA wants to see not only that cyber controls are in place, but that Boards are being updated on those controls.

The NCUA also reported that they received 146 cyber incident reports in the first 30 days of the new cyber incident reporting rule, and that over 60% were third-party compromises.

Chairman Harper used the second bullet point to renew his call for third-party vendor authority for credit unions, something he has long pushed for.

Share Insurance Simplification

The proposed rule would address the following items: simplify the share insurance regulations by establishing a “trust accounts” category that would provide for coverage of funds of both revocable trusts and irrevocable trusts deposited at federally insured credit unions (FICUs) in the accounts of members or those otherwise eligible to maintain insured accounts (member accounts); provide consistent share insurance treatment for all mortgage servicing account balances held to satisfy principal and interest obligations to a lender; and provide more flexible recordkeeping requirements to explicitly allow the NCUA to look to records held in the normal course of businesses that are maintained by parties other than a FICU and its members on their behalf.

The rule would align with some recent changes to FDIC rules. The NCUA likes to maximize NCUA share insurance rule parity with the FDIC rules wherever possible. The FDIC changes are set to take effect on April 1, 2024.

What caught my ear the most in this presentation was that in the last 4 years, NCUA's CURE division has received over 6,400 inquiries about trust account share insurance coverage. NCUA hopes that with simplification, those resources can be spent elsewhere.

Fair Hiring

The proposed rule would incorporate Interpretive Ruling and Policy Statement 19- 1 (“IRPS 19-1”) regarding statutory prohibitions imposed by Section 205(d) of the Federal Credit Union Act (“Section 205(d)”) into NCUA’s regulations. Section 205(d) prohibits, except with the prior written consent of the Board, a person who has been convicted of certain criminal offenses involving dishonesty or breach of trust, or who has entered into a pretrial diversion or similar program in connection with a prosecution for such an offense, from participating in the conduct of the affairs of an insured credit union.

The proposed rule would amend the NCUA’s policies and procedures governing an application to rescind a prohibition pursuant to Section 205(d), as currently reflected in IRPS 19-1 and consistent with both amendments made by the recent Fair Hiring in Banking Act and with comparable Federal Deposit Insurance Corporation regulations.

Following the issuance of a final regulation, IRPS 19-1 would be rescinded. The proposed rule would also amend the regulation governing the conditions under which federally insured credit unions that are newly chartered or in troubled condition must notify the NCUA of any proposed changes to the credit union’s board of directors, committee members, or senior executive staff and make other conforming changes.

In their comments and questions, NCUA Board members talked about second chances and that there should not be an overly harsh burden on someone's actions from a long time ago impacting their career prospects. This rule would make it easier for credit unions to hire and recruit volunteers, expanding the talent pool to include some people who might previously been excluded.

New NCUA Board Member

While the NCUA Board meeting was happening, nominee Tanya Otsuka was testifying for the Senate Banking Committee, along with other nominees.

Tanya gave powerful opening remarks about her family's connections to credit unions and her commitment to a fair, competitive, and resilient credit union system. When asked about serving agriculture members while mitigating climate risk, she stated that regulators should trust that credit unions know their members and can manage risk.

When asked about her priorities, she discussed maintaining regulatory independence and decision-making, helping small credit unions, and serving underserved communities. She committed to exploring overdraft protection fee fairness and consumer impact, and to keeping an open line of communication with stakeholders.

The Committee is expected to favorably support Tanya's NCUA Board nomination soon, with an anticipated Senate Floor vote in November. Upon her expected successful appointment, the League will engage directly with Tanya on her regulatory priorities, and how they align with credit union needs, in her new capacity as an NCUA Board member.

CFPB

Yesterday the CFPB announced a proposed rulemaking on Open Banking. The Bureau has long discussed its desire to make it easier for consumers to move from one financial institution to another. This rule is the next step in that mission.

The proposal would require financial institutions and others to share information – at a customer’s request and at no cost – with other businesses that offer competing products. In addition, companies would be prohibited from using consumers’ accessed data for targeted advertising, and customers would have to reauthorize access every year and would be able to revoke access at any time. This comes on the heels of the Bureau's advisory opinion last week that charging a fee for a document could stray outside of compliance with consumer requests for information.

We'll have more analysis on the rule and its potential impact on credit unions in future posts as soon as we're able to digest the rule and prepare our comments.

IRS

The IRS announced yesterday a withdrawal process for businesses that claimed the employee retention tax credit. We wrote recently about the IRS' statement on FCUs and their eligibility for the ERC. Of course, credit unions weren't the only ones. Now, this new withdrawal option allows certain employers that filed an ERC claim but have not yet received a refund to withdraw their submission and avoid future repayment, interest and penalties. Employers that submitted an ERC claim that's still being processed can withdraw their claim and avoid the possibility of getting a refund for which they're ineligible.

The IRS notes that they "created the withdrawal option to help small business owners and others who were pressured or misled by ERC marketers or promoters into filing ineligible claims. Claims that are withdrawn will be treated as if they were never filed. The IRS will not impose penalties or interest."

That's all for this week - have a great weekend, and we'll be back next week to dive further into some of these proposed rules.