by Amy Kleinschmit, Chief Compliance Officer
NCUA – FOM Proposed Rule
At its recent board meeting, the National Credit Union Administration (NCUA) issued a proposed rule that would make several revisions to its chartering and field of membership (FOM) rules. The proposed rule is open for a 90-day comment period and can be found here.
Briefly, the proposed rule would make four changes concerning the underserved areas that multiple common bond federal credit unions (FCUs) may seek to add to their FOMs. Per the NCUA, the proposed changes would accomplish the following:
Another area in which the NCUA proposes changes is community charter applications and conversions. The NCUA seeks to reduce the regulatory burden by establishing a simplified business and marketing plan for community charter applications; providing a standardized, fillable application for community charter conversion or expansion requests; and eliminating the requirement for federally insured state chartered credit unions converting to a federal community charter to submit a business and marketing plan under certain conditions.
The NCUA is also proposing a targeted addition to the affinity groups eligible for membership in community FCUs. Currently, the FOM manual defines four affinity groups eligible for membership in FCUs serving communities or rural districts, namely persons who live in, worship in, attend school in, or work in the community or rural district. To reflect changes in the workforce, the NCUA proposes to add a fifth affinity group: a “paid employee for a legal entity headquartered in the community, neighborhood, or rural district.” The NCUA states that it believes “this rule change will help FCUs adapt to serve everyone with ties to a community by providing employees access to a community credit union with which they have a bond through their employer, even if they do not physically work in the well-defined local community or rural district.”
NCUA Final Rule – Cyber Incident Notification
At the same board meeting, the NCUA also finalized a rule requiring a federally insured credit union (FICU) that experiences a reportable cyber incident to report the incident to the NCUA as soon as possible, and no later than 72 hours after the FICU reasonably believes that it has experienced a reportable cyber incident.
This final rule is effective September 1, 2023, and can be found here.
These new requirements will be found under Part 748, which already covers requirements for a credit union’s security program, suspicious transactions, catastrophic acts, and Bank Secrecy Act compliance.
As with any rule or regulation, understanding the new vocabulary is key. This final rule includes definitions for “compromise,” “confidentiality,” “cyberattack,” “disruption,” “integrity,” and “sensitive information.” However, understanding the scope of this rule starts with what counts as a “reportable cyber incident.” First, “cyber incident” means an occurrence that actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information on an information system, or actually or imminently jeopardizes, without lawful authority, an information system.
The final rule defines “reportable cyber incident” as “any substantial cyber incident that leads to one or more of the following:
With regard to the first provision, the NCUA explains in the preamble of the final rule that “there are many technological reasons why services may not be available at any given time as, for example, computer servers are offline, or systems are being updated. Such events are routine and thus would not be reportable to the NCUA. However, a failed system upgrade or change that results in unplanned widespread user outages for FICU members and employees would be reportable.”
An example of the second provision would be a distributed denial of service (DDoS) attack that disrupts member account access; such an attack would therefore be reportable. Blocked phishing attempts, failed attempts to gain access to systems, and unsuccessful malware attacks do not have to be reported.
The final rule also provides that a reportable cyber incident does not include any event where the cyber incident is performed in good faith by an entity in response to a specific request by the owner or operator of the system.
Each federally insured credit union must notify the appropriate NCUA designated point of contact of the occurrence of a reportable cyber incident via email, telephone, or other similar methods that the NCUA may prescribe. The NCUA will be providing more detailed reporting guidance before the effective date of the final rule.
The cyber incident report must be received by the NCUA as soon as possible, but no later than 72 hours after a federally insured credit union reasonably believes that it has experienced a reportable cyber incident, or within 72 hours of being notified by a third party, whichever is sooner.
The Telephone Consumer Protection Act topic in the Advertising channel has been updated to include the effective date of the Pallone-Thune Telephone Robocall Abuse Criminal Enforcement and Deterrence Act (TRACED Act), which was originally published on February 25, 2021. Compliance with the previously delayed components of the Act is now required by July 20, 2023. The topic content has been updated to reflect this effective date.
Want to stay on top of what’s new in InfoSight? The InfoSight dashboard includes a customizable Recent Updates area to easily view changes to topics that are most important to you! Don’t hesitate to contact me with any compliance related questions.
The Memo is DakCU's newsletter that keeps