THE MEMO

DAKOTA CREDIT UNION ASSOCIATION

Compliance Update with Amy K

2/23/2023

 
NCUA proposed rule on FOM for underserved areas; and NCUA final rule on Cyber Incident Notification effective September 1.
by Amy Kleinschmit, Chief Compliance Officer

NCUA – FOM Proposed Rule

At its recent board meeting, the National Credit Union Administration (NCUA) issued a proposed rule that would make several revisions to its chartering and field of membership (FOM) rules. This proposed rule is open for a 90-day comment period and can be found here.

Briefly, the proposed rule would make four changes on underserved areas that multiple common bond federal credit unions (FCUs) may seek to add to their FOMs. Per the NCUA, the proposed changes would accomplish the following:
  1. clarify the NCUA’s intent to provide flexibility to multiple common bond FCUs serving underserved areas based on rural districts;
  2. clarify how the NCUA applies the CDFI Fund’s economic distress criteria, as the FCU Act requires;
  3. eliminate census block groups as a geographic unit for composing underserved areas, in adherence to a regulatory change that the CDFI Fund has adopted; and
  4. simplify and reduce the burden for FCUs on the required statement of unmet needs that must accompany a request to serve an underserved area.

Another area in which the NCUA proposes changes would affect community charter applications or conversions. The NCUA seeks to reduce the regulatory burden by establishing a simplified business and marketing plan for community charter applications; providing a standardized, fillable application for community charter conversion or expansion requests; and eliminating the requirement for federally insured, state-chartered credit unions converting to a federal community charter to submit a business and marketing plan under certain conditions.

The NCUA is also proposing a targeted addition to the affinity groups eligible for membership in community FCUs. Currently, the FOM manual defines four affinity groups eligible for membership in FCUs serving communities or rural districts, namely persons who live in, worship in, attend school in, or work in the community or rural district. To reflect changes in the workforce, the NCUA proposes to add a fifth affinity to include a “paid employee for a legal entity headquartered in the community, neighborhood, or rural district.” The NCUA states that it believes “this rule change will help FCUs adapt to serve everyone with ties to a community by providing employees access to a community credit union with which they have a bond through their employer, even if they do not physically work in the well-defined local community or rural district.”
 
NCUA Final Rule – Cyber Incident Notification
At the same board meeting, the NCUA also finalized a rule to require federally insured credit unions (FICUs) that experience a reportable cyber incident to report the incident to the NCUA as soon as possible and no later than 72 hours after the FICU reasonably believes that it has experienced a reportable cyber incident.
This final rule is effective September 1, 2023, and can be found here.

These new requirements will be found under Part 748, which already discusses requirements for a credit union’s security program, suspicious transactions, catastrophic acts, and Bank Secrecy Act compliance.

As with any rule or regulation, understanding the new vocabulary is key. This final rule includes definitions for “compromise,” “confidentiality,” “cyberattack,” “disruption,” “integrity” and “sensitive information.” However, understanding the scope of this rule starts with looking at what a “reportable cyber incident” is. First, “cyber incident” means an occurrence that actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information on an information system, or actually or imminently jeopardizes, without lawful authority, an information system.

The final rule defines a “reportable cyber incident” to be “any substantial cyber incident that leads to one or more of the following:
  • A substantial loss of confidentiality, integrity, or availability of a network or member information system as defined in appendix A, section I.B.2.e., of this part that results from the unauthorized access to or exposure of sensitive data, disrupts vital member services as defined in § 749.1 of this chapter, or has a serious impact on the safety and resiliency of operational systems and processes.
  • A disruption of business operations, vital member services, or a member information system resulting from a cyberattack or exploitation of vulnerabilities.
  • A disruption of business operations or unauthorized access to sensitive data facilitated through, or caused by, a compromise of a credit union service organization, cloud service provider, or other third-party data hosting provider or by a supply chain compromise.”

With regard to the first provision, the NCUA explains in the preamble of the final rule that “there are many technological reasons why services may not be available at any given time as, for example, computer servers are offline, or systems are being updated. Such events are routine and thus would not be reportable to the NCUA. However, a failed system upgrade or change that results in unplanned widespread user outages for FICU members and employees would be reportable.”

An example of the second provision would be a distributed denial-of-service (DDoS) attack that disrupts member account access; such an attack would be reportable. Blocked phishing attempts, failed attempts to gain access to systems, or unsuccessful malware attacks do not have to be reported.

The final rule provides that a reportable cyber incident does not include any event where the cyber incident is performed in good faith by an entity in response to a specific request by the owner or operators of the system.

Each federally insured credit union must notify the appropriate NCUA designated point of contact of the occurrence of a reportable cyber incident via email, telephone, or other similar methods that the NCUA may prescribe. The NCUA will be providing more detailed reporting guidance before the effective date of the final rule.

The cyber incident report must be received by the NCUA as soon as possible but no later than 72 hours after a federally insured credit union reasonably believes that it has experienced a reportable cyber incident or within 72 hours of being notified by a third party, whichever is sooner.
 
InfoSight Update
The Telephone Consumer Protection Act topic in the Advertising channel has been updated to include the effective date of the Pallone-Thune Telephone Robocall Abuse Criminal Enforcement and Deterrence Act (TRACED Act), which was originally published back on February 25, 2021. Compliance is now required for the previously delayed components of the Act by July 20, 2023. The topic content has been updated to reflect this effective date.

Want to stay on top of what’s new in InfoSight? The InfoSight dashboard includes a customizable Recent Updates area to easily view changes to topics that are most important to you! Don’t hesitate to contact me with any compliance-related questions.
The Memo is DakCU's newsletter that keeps credit union professionals updated on current news and information.
