NCUA BOARD ACTIONS FROM LAST THURSDAY’S MEETING DEAL WITH CYBER SECURITY AND FIELD OF MEMBERSHIP
Wednesday, February 22, 2023
Let’s take a look at the two actions taken at last week’s NCUA Board meeting. We hope the following is a synopsis that you can use to evaluate the two actions – one a final rule on cyber security and the other a notice of proposed rulemaking on field of membership for federal credit unions.
NCUA ISSUES NEXT IN WHAT IS EXPECTED TO BE LONG LINE OF CYBER SECURITY RULES
First, let’s look at cyber security where there was action taken on a final rule – expected to be the next in a line of many over the next year or so.
Under the final rule approved last week by a unanimous 3-0 vote, federally insured credit unions are required to report a cyber incident that leads to a substantial loss of confidentiality, integrity, or availability of a network or member information system as a result of the exposure of sensitive data, disruption of vital member services, or that has a serious impact on the safety and resiliency of operational systems and processes.
Additionally, cyberattacks that disrupt a credit union’s business operations, vital member services, or a member information system must be reported to the NCUA within 72 hours of a credit union’s reasonable belief that it has experienced a cyberattack.
The 72-hour notification requirement provides an early alert to the NCUA and does not require credit unions to provide a full incident assessment to the NCUA within the 72-hour timeframe.
The rule does not define the key terms that will determine how far-reaching this rule may be. For example, what constitutes a “substantial” breach? Does the incident actually “disrupt” member service? What is a “vital” member service? How is “reasonable belief” defined?
So, there are still some determinations that might – and very well may – be disagreed upon between a credit union and NCUA as to whether reporting is required. But the rule clearly shows that NCUA is extending their reach further and further into the cyber security issue at all federally-insured (notice not just federally-chartered) credit unions.
The effective date of this final rule is September 1, 2023. The NCUA will provide additional reporting guidance prior to the final rule going into effect.
As we have indicated in several recent Client Updates, our sources at NCUA have made it clear that business-as-usual in the cyber security field is not going to cut it with exam teams in 2023-24.
They are going to want to see progression in a credit union’s cyber security programs, additional training in the cyber field, more investment in cyber technology, shopping additional cyber security vendors and a fiduciary recognition of the importance of cyber security by the credit union’s board of directors.
We have participated in a number of cyber security webinars over the past year as more and more credit unions are looking for the best options possible to help them satisfy the growing examiner expectations in this field. From what we have seen and heard coming out of NCUA, it has become our point throughout all these presentations that a credit union cannot wait until the water heater explodes with surrounding damage before it begins to look at whether there may be leaks, rust or simply out-of-date parts in the existing water heater.
It is not enough today to simply say the water is hot because it still comes on when we turn the faucet. The damage from an outdated water heater with unassessed problems waiting to manifest themselves is too great.
In cyber security, the hacker only has to be right once to get a credit union on the front pages of the news. The credit union must be right every time.
NCUA is obviously hot on the cyber security issue. It is, unquestionably, going to become a major and unavoidable exam issue for credit unions.
More regulation is almost certain. More exam scrutiny is absolutely certain. Keep this on your current radar screen. Let us know if we can assist you with any information or contacts that we have made as we have been brought into the regulatory and supervisory world of cyber security through exam developments of the past two years.
A link to the final rule is provided below.
FIELD OF MEMBERSHIP FOR FCUs IS BACK WITH A NOTICE OF PROPOSED RULEMAKING THAT TINKERS AROUND NEEDED EDGES – BUT IS HARDLY EARTH-SHATTERING
Last week at its February meeting the NCUA Board unanimously approved and put out for a 90-day comment period an advanced notice of proposed rulemaking (ANPR) that would amend the agency’s chartering and field of membership rules.
While any attempt to change or streamline the agency’s rules and regulations regarding FOM has the potential to be either a good thing or a bad thing depending upon the proposal, you can be sure that when FOM is involved – it will attract attention from stakeholders and critics alike.
This ANPR is certainly no exception. Credit unions are saying that it doesn’t go far enough to strengthen the federal charter when over 80% of the largest credit unions in the country are state-chartered, largely because of more expansive field of membership options in most states. Bank associations, of course, called it another unjustified grab by tax-exempt credit unions to add what they called “millions” of new members who should not be otherwise qualified to join a credit union.
We’ll let the trade associations battle out their talking points. But as a firm that deals with field of membership issues on a daily basis and has assisted more credit unions with FOM expansions over the past eighteen years than any other firm in the country, we will give you the straight scoop on this ANPR and where it seems to be going with respect to federal FOM rules.
Basically, here’s the deal as we see it. The reality is that there is nothing particularly earthshattering from the NCUA FOM proposal passed last week.
In fact, most of the changes could be characterized as low-hanging fruit that are primarily technical and administrative in nature and do not rise to the level of some of the more significant changes and revisions we have seen in recent FOM proposals.
That is not to say that the proposed changes will not be welcomed. They will. Or that they are not good. They are. Anytime a federal agency makes a genuine attempt to streamline and simplify the bureaucratic process it should be viewed in a positive light. In that regard, the agency should be given some degree of credit for attempting to do so, even though it could be argued that they could have done much more within their current statutory authority and through broader interpretation of existing regulation.
Again, we believe the changes being proposed are good, solid changes but as stated before they are not likely to be viewed as monumental (or perhaps even particularly significant) – and perhaps that is the agency’s intent.
It is likely that after the nearly four-year legal battle that ensued from NCUA’s last major FOM rewrite that there is not much appetite at the Board level or in the General Counsel’s office to get too strung out on FOM right now.
Given the nature of the changes being proposed we don’t think there is much likelihood in the Board being accused of going too far with this proposal.
In fact, we find it interesting that this proposal is being sent out as an advanced notice of proposed rulemaking, as many of the changes proposed are already taking place in practice. A strong case could be made that the Board could have put this out as a proposed rule with a much sooner effective date.
That said, there is some benefit in getting stakeholder comments on an advanced notice of proposed rule that may go beyond what the agency seems prepared to do with this FOM proposal.
So, let’s take a look at some of the proposed changes and revisions.
The full text of the advanced notice of proposed rulemaking can be found at the link below.
https://www.ncua.gov/files/agenda-items/chartering-field-membership-proposed-rule-20230216.pdf
While it is not our intent to opine on each and every small proposed change this ANPR covers in this Client Update, we do have a few general observations about the most significant aspects of the proposal and perhaps a few thoughts on what is not in the proposal.
The proposal primarily focuses on the following areas:
Underserved Areas
The proposal would make four changes to the rules for underserved areas that multiple common-bond federal credit unions may seek to add to their fields of membership. The intent behind the proposed changes appears to be one that seeks to streamline existing application requirements and clarify the role of data and criteria that other federal agencies provide relating to underserved areas.
The proposed changes in this area are primarily procedural and technical in nature. In fact, most of the proposed changes are already taking place in practice.
For example, the proposal would clarify how NCUA applies the CDFI Fund’s economic distress criteria as required by the FCU Act for qualifying underserved areas and would eliminate US Census block groups as a geographic unit for composing an underserved area. Pretty much technical stuff that is already taking place in practice.
As far as streamlining the application for underserved areas is concerned, the proposal would seek to simplify and reduce the burden for FCUs on the required statement of unmet needs that must accompany a request to serve an underserved area.
This is a good change on paper, but probably won’t do very much to actually streamline an underserved application.
The proposal falls short in that it still doesn’t eliminate the significant unmet needs section of the application. The proposed change only removes the one-page statement of unmet needs requirement and 3rd party sources. An application will still require a detailed product evaluation. In practice this change will do very little, if anything, to streamline underserved area applications.
Conversion to Federal Charter
The proposed rule would eliminate the business and marketing plan requirement for certain federally insured, state-chartered credit unions that seek to convert to a federal charter while serving the same community field of membership.
This is a good change and perhaps one of the better parts of this proposal, even though it is rarely an issue in practice as NCUA has been realistic on the fact that a longstanding and financially strong state-chartered credit union is unlikely to lose its ability to manage if it converts to a federal charter and maintains its same field of membership. The agency is simply codifying into regulation what is already happening in practice. Again, a good change to put this in writing, but it is rightfully agency standard practice. There is little significance in the way of policy change here.
Community Charters
The proposed rule makes a few changes intended to reduce the regulatory burden for community charter applications or conversions. Specifically, the proposed rule would establish a simplified business and marketing plan for community charter applications.
Generally speaking, the proposal eliminates the need for the applicant to regurgitate all of its product and service offerings in the application. If the credit union is a full-service credit union the agency will assume it has a wide array of product and service offerings. Clearly such information can be gleaned from a quick review of a credit union’s website.
While eliminating the necessity of listing all of these products in the actual application is a good thing, it is unlikely that this minor change will result in any significant streamlining by the agency. If history is any indication the focus will simply shift to other aspects of the business plan. This change makes for good speech material and has perhaps even has some sizzle to it, but there is not much steak here.
Additionally, the proposal would provide a standardized, fillable application for community charter conversion or expansion requests. On its face this would appear to be a significant enhancement, but successfully implementing a standardized, fillable application is always easier said than done. We find it hard to envision a scenario where the NCUA analyst evaluating an application is going to be satisfied with a fill in the blank application.
Such has not been the agency’s practice on Association requests that are essentially submitted on a fillable form. Almost without exception, there is follow up and a request for more information-even on association requests that fall into the category of pre-approved associations.
Significant agency time/resources will need to be used on creating a form that is not likely going to accomplish its intended result or worse may even result in frustrating stakeholders who will be required to submit significant supporting documentation on a fillable form that they thought was going to reduce regulatory burden.
Again, this is a noble undertaking and the intent behind this proposed change seems genuine, but practically may be difficult to pull off.
The proposal would also add a fifth affinity group qualifier to include a paid employee for a legal entity headquartered in the community, neighborhood, or rural district.
The Board believes this rule change will help FCUs adapt to serve everyone with ties to a community by providing employees access to a community credit union with which they have a bond through their employer, even if they do not physically work in the well-defined local community or rural district.
This is a good addition and perhaps the most beneficial part of this proposal. It is a recognition of the realities of the 21st century workplace, although most community credit unions are already doing this through the “work in” and “regularly conduct” business qualifier.
Clarity in this area is good and may even help provide some needed momentum to get NCUA to finally start recognizing the realities of how technology is not only affecting work patterns and behaviors, but also how consumers transact their financial business and otherwise.
If NCUA can recognize the realities of the workplace where an individual working remotely and paid from a company headquartered in a community can be eligible for membership into a credit union and can access their account from a laptop to see if their paycheck has actually been deposited into their account, then one would hope it is near the point where the time has come where the definition of what constitutes a credit union service facility needs to be revisited.
Clearly, the agency needs to fully embrace the use of technology relative to whether mobile apps, online access, etc. satisfy the definition of service facility.
It is fascinating that, fueled even faster by the Covid era, individual Americans are now holding conferences, attending church, ordering groceries, having appointments with their doctors and buying automobiles from their laptop or iPhone – but yet NCUA still requires a physical branch presence for any significant FOM expansion.
This is 1980s thinking. Treating technology as a service access point sufficient to meet the definition of a service facility is long, long overdue here in 2023.
We’ve got NCUA Board Members talking about the need for credit unions to embrace blockchain technology and then proposing FOM rules that still require a brick and mortar physical presence for any FOM expansion of significance.
Hopefully, this change may be a springboard to revisit the arguments that Board Member Hood made in 2020 when considering recent changes to the service facility rule. He indicated that expanding the definition of service facility to include the digital delivery mechanism by which most members are accessing their credit unions today was an idea whose time should be coming in NCUA regulations.
That time is long past coming. It is here. It is time for NCUA service facility rules to recognize the service facility of today that is in our pocket, under our arms or on our laps.
The agency clearly has the data to support a change in this direction if it wants to go there. This would be an excellent area to provide additional comment on this proposal given the Board’s request to seek additional input on future policies or rulemaking outside the scope of this proposed rule.
Other Persons in FOM
The proposal also includes a provision to allow all federal credit unions to better capture the ongoing bond between individuals within a field of membership and their immediate family members following the death of a member.
This is a good, common-sense change that will give credit unions some additional flexibility in qualifying new members. Admittedly, this is not a huge expansion of the FOM rules in the big scheme of things, but it is a solid change nonetheless. We are awaiting the banking lobby’s opposition to believing family relationships are still considered by most people to survive the passing of a loved one. Probably will happen, but this is a solid move that most credit unions find a way to get around through other living family members today.
Comments on the proposed rule must be received no later than 90 days following publication in the Federal Register.
As this is an ANPR (Advanced Notice of Proposed Rulemaking), it must first become a proposed rule and be sent out for another comment period before it can become a finalized rule.
Therefore, any FOM changes such as this will likely have a full year or more before being finalized.
As it goes through this comment period and the one to follow when a proposed rule is approved, this field of membership ANPR process would provide a good time for credit unions to comment on possible meaningful expansions of FOM, such as expanding the definition of service facility to include laptops, iPads and smart phones.
Or perhaps allowing any contiguous county to a census bureau defined CSA or MSA to be considered a presumed interactive community extension allowable for FCUs to expand their services into provided the credit union submits a satisfactory marketing plan to do so.
How about allowing credit unions to have different types of FOMs provided the differences came through a merger voted favorably upon by the members of the merging credit union?
Or allowing low-income designated community-chartered credit unions to take underserved areas and/or SEG’s outside their approved community.
How about expanding associational group approvals to extend to any membership-based association certified as registered by the Secretary of State in the state in which the credit union is headquartered?
There are some meaningful steps such as those above that could truly bring the federal charter into closer parity with those states that have greatly enhanced their field of membership options.
NCUA should be commended for recognizing that this lack of parity in FOM exists. Now they should be encouraged through comments to this interesting, but not far-reaching, ANPR to go further and utilize the authorities granted NCUA under the 1998 Credit Union Membership Access Act to help more Americans truly have the “access” that the Act intended.
Until next time.
Dennis Dollar