FOM, cyber incident rules top NCUA board approvals at February board meeting

The NCUA approved two items at its February board of directors meeting: a notice of proposed rulemaking to amend the agency’s federal credit union chartering and field-of-membership rules and a final rule on cyber incident reporting requirements.

Chartering and field of membership
This proposed rule would amend the chartering and field-of-membership rules through changes to enhance consumer access to safe, fair and affordable financial services, especially in under-resourced communities, according to the NCUA.

Todd Harper, board chairman, said that the board should, where it can within its existing rules and the law’s current requirements, take appropriate and tailored action to “simplify, streamline, and strengthen federal chartering options.”

The proposed rule would:

  • make changes to the rules for underserved areas that multiple common-bond federal credit unions may seek to add to their fields of membership, to streamline existing application requirements and clarify the role of data and criteria that other federal agencies provide relating to underserved areas;
  • eliminate the business and marketing plan requirement for certain federally insured, state-chartered credit unions that seek to convert to a federal charter while serving the same community field of membership; and
  • expand the community-based field-of-membership affinities — relationships between a person and the geographic community — to recognize the growth of telecommuting and remote work for companies headquartered in a community.

Reportable cyber incidents
This final rule requires a federally insured credit union to notify the NCUA as soon as possible, within 72 hours, after it reasonably believes that a reportable cyber incident has occurred.

Under the final rule, federally insured credit unions are required to report a cyber incident that leads to a “substantial loss of confidentiality, integrity, or availability of a network or member information system as a result of the exposure of sensitive data, disruption of vital member services, or that has a serious impact on the safety and resiliency of operational systems and processes.”

Additionally, cyberattacks that disrupt a credit union’s business operations, vital member services, or a member information system must be reported to the NCUA within 72 hours of a credit union’s reasonable belief that it has experienced a cyberattack. The rule is effective Sept. 1, 2023.

Share Insurance Fund
The board also received a briefing on the performance of the National Credit Union Share Insurance Fund during the fourth quarter of 2022.

As of Dec. 31, 2022, the Share Insurance Fund’s calculated equity ratio was 1.30%, an increase from 1.26% reported as of June 30, 2022. The equity ratio was calculated on an insured share base of $1.69 trillion. The equity ratio was lower than the board-approved normal operating level of 1.33%.

Leave a Reply