NCUA Regulation Updates: Audits, Cyber Guidance, and Corporate Rules

Speaker: Hey everyone, this is Mark Trekel
with another episode with Flying Colors.

NCUA went from not having a lot going
on publicly to having a lot going

on publicly and privately from what
I'm hearing through the grapevine.

And today I am recording
this on December 15th.

Of course December 18th is the Thursday
into a board meeting and they've

announced that they're going to be doing
the insurance update, the quarterly

briefing on the insurance fund, which is
where they reveal where CAMELS are at.

So I'll be reporting on that here
on the podcast down the road.

And then they are also going to
be talking about their budget.

Lots of rumors out there
about their budget.

And whether or not they will keep the
same number of regions, whether or

not they will get rid of the Office
of National Exam and Supervision,

whether or not they will get rid of the
Office of Consumer Compliance, Office of

Credit Union expansion and resources,
all sorts of things floating around.

But I think we might have
some clarity on that.

On Thursday when the NCUA Board of One

will be taking action
relative to their budget.

And of course, I'll have some follow
ups here to the extent it's pertinent

for you listeners and viewers.

But on December 2nd, Kyle Hauptman,
chairman, testified before the House.

And in that he talked about a
hat, he gave a hat tip to some

reg relief that was coming.

And then on December 10th, NCUA announced
that they have a project to simplify

regulations and they dropped four proposed
changes to clarify some regulations

and to provide some regulatory relief.

I'm gonna walk through those four
and then on 12/12, excuse me.

Yeah, 12/11.

Hauptman said something similar
about what had just been done

at the FSOC annual meeting and

so things are gearing up.

He testified at the House.

He testified or made statements
at the FSOC annual meeting.

He's announced a board meeting
coming later this month as opposed

to skipping a board meeting or two.

And then the four regulations
with changes were proposed.

So again, things are heating up
as we wrap up the year here now.

The project to simplify the
regulations relate to four.

The, so the agency's stated goals
of the project are to improve

clarity without weakening safety and
soundness, reduce compliance burden

where possible, better align
NCUA regulations with in.

Practices and statutory requirements
and make future updates faster,

especially for technology related items.

The new initiative is similar to
the modernization efforts the agency

undertook a decade ago, but now
with a renewed push driven by tech

changes, cyber considerations, and
the evolving supervisory environment.

As part of this simplification
project, NCUA issued four proposed

rules that fit together as a package.

I'm gonna walk through each one of these.

The first regulation with the
proposed change is Part 715 for the

supervisory committee audits. NCUA's

main focus here is that it proposes to
update Part 715 to improve clarity

around supervisory committee audits.

Align the regulation with industry
standards and give credit unions more

flexibility in how they meet their audit

requirements.

The key points are that it
clarifies expectations for the

annual supervisory committee audit.

It updates terminology and definitions
to better match modern auditing practice.

It simplifies the rule without
changing the core statutory obligation.

It reinforces that credit
unions over $500 million

are still required to
have a CPA opinion audit.

That threshold is not being touched or
changed, and all the other thresholds,

by the way, remain the same.

Focuses on making the rule easier
to follow and reducing ambiguity

for committees, examiners, and CPAs.

It also supports NCUA's goal of making
rules easier to understand, easier to

comply with, and easier to examine.

Those are the proposed, the
proposals, proposed improvement areas.

What it really means for credit
unions, minimal operational

change, but improved clarity.

Fewer exam surprises because
expectations theoretically

are spelled out more plainly.

And supervisory committee, of course,
should review their policies to ensure

their alignment with the updated
language once the rule is finalized.

Again, this is just a proposal has to be
voted on separately, likely by notation,

vote under the current structure.

To be a final rule, and that's
what you have to deal with

the changes that relate to it.

Now for corporate credit unions
there's not a lot of 'em.

11 or 12 corporate credit unions left.

The main focus is targeting updates
to corporate rules to reduce

outdated requirements and strengthen
governance expectations.

The key points are it highlights
and clarifies certain board

governance provisions.

It updates reporting requirements
to reflect current practice.

It removes outdated cross-references
and cleans up legacy language

from pre-crisis regulations.

Pre-crisis regulations refers to

the Great Recession and the NCUA having
to issue the NGN Bond program back

in the day when all the AAA
rated securities turned into junk.

And NCUA had to figure out a way to
hold those so that credit unions'

losses could be normalized.

That's what there were regulation
changes made to back then that they

felt they could pull out to simplify.

It also aligns more closely with
standardized governance frameworks.

For example, not requiring a
board member to sit on committees.

And it's intended as part of ongoing
corporate rule maintenance, not a broad

rewrite. What this means for
corporate credit unions, mostly

technical and clarifying updates.

Some governance responsibilities may be
spelled out more explicitly, like those

the change of who can be on committees
and no new major operational requirements.

But clarity improves compliance and
consistency across the corporates.

Number three, safeguarding
member information.

The main idea: Appendix A to Part 748,

the safeguarding of member information
guidelines, is being removed from the

regulation and reissued as guidance
via a letter to credit unions.

It's funny that the regulation says
it's a guideline, but it's a regulation.

So this makes perfect sense.

Guidelines or guidelines
shouldn't be in a regulation.

So it was key points: Appendix A was
always intended as guidance under the

Gramm-Leach-Bliley Act, not a regulation.
Keeping guidance inside the CFR

blurs the line between what's required
and what's advisory, and moving it

to a letter to credit unions
makes updates faster and clearer.

Why is that?

Typically it's faster to do a letter to
credit unions because it doesn't go out

for public comment and it can be sent out
with the signature of the NCUA Chairman.

In this instance right now the
chairman is the full board.

So while.

While you could argue that under
a one board member scenario, it's

not any quicker under reality.

Guidance is much quicker.

I had actually done podcasts and
posts about why I thought that

succession planning should be done
by guidance and not regulation.

'cause it, it bakes it in and
it makes it harder to change.

And actually, I believe that's
what Todd Harper's intent was

to make it harder to change.

He wanted it baked in.

And in some instances doing things
by guidance makes much more sense.

And I think in this instance, NCUA
has hit a home run on this proposal.

So it also eliminates any
confusion but does not change the

requirement for each credit union
to have a written security program.

So they still need to have a
written security program and it

eliminates confusion on whether
or not that's required or not.

What this also means for credit
unions, there's really no substantive

cybersecurity requirement

being removed.

So cybersecurity as per usual, which
means you throw a lot of money at it

and hope that you don't get hacked.

Number two, your security
program must still meet the Gramm-

Leach-Bliley Act expectations.

And this move again, is just purely
structural guidance belongs in letters

and not in the regulatory code.

Lastly response programs for unauthorized
access removal from Appendix B,

similar to Appendix A, appendix
B, which outlines expectations for

response programs to unauthorized
access is also being removed from

regulation and republished as guidance.

Again, housekeeping.

Aligning the CFR with how
guidance is supposed to work.

The content's not going away.

It's being placed in different
formats in letters to credit unions.

It's important because technology
and cyber response expectations

change frequently, which makes it
easier to put this out in a letter

to credit unions as opposed to a
regulation makes it more nimble.

Again, you need to comply.

You must have an incident
response program.

You must notify NCUA when there's
a significant cyber incident.

But the day-to-day expectations
that are unchanged, they'll be

put into a letter to credit unions.

And then ultimately updates
when there are changes.

You'll see them theoretically in
letters to credit unions as opposed to.

As opposed to into a regulation.

This is a first step towards NCUA, making
some minor tweaks to their regulations.

And I did some posts on LinkedIn,
did some emails to my mailing list.

If you're not on my mailing list and
you'd like to get on the mailing list

send me a, a message on LinkedIn.

Lot coming this week.

NCUA's board meeting on Thursday.

I believe that they should
make some announcements about

offices that are closing.

I believe they will say the large
credit union program and the

corporate credit union will
be pushed into the regions.

I believe they may make some structural
changes as to how many regions and

or regional directors are out there.

But that's just chatter amongst
through the grapevine, if you will.

After NCUA's Board of One meets
on Thursday, I will be listening

to that via the YouTube live

feed that they do, which is great, and I
will have a podcast about that coming up.

We also have a podcast with my
team, Steve, Todd, and Dennis on the

quarterly data that came out from
NCUA, comparing that to some of the

banking data and what we see that
meaning potentially for credit unions.

Also, I hope to do a

summary of 2025 on the podcast episode
coming up here between now and the

end of the year, and I've got some
exciting guests planned for January

and or later this year as well as we
come to a wrap here in 2025, as always.

And as a wrap on this podcast episode,
I wanna thank you for watching.

Thank you for listening.

This is Mark Trekel signing
off with Flying Colors.
