National Credit Union Administration (NCUA)
The purpose of this blog post is to give an overview of the National Credit Union Administration (NCUA) and the guidance it has issued related to cryptocurrencies.
NOTE: Regulatory guidance in this area is rapidly evolving. As such, this blog post may not be entirely up to date. Please DYOR.
INTRODUCTION
The NCUA is a federal agency that insures deposits at federally insured credit unions and charters and regulates these federal credit unions. Its stated mission is to protect members who own credit unions. The difference between the NCUA and the FDIC is that the FDIC insures bank deposits and the NCUA insures credit union deposits.
The NCUA so far has issued two letters related to cryptocurrencies.
DECEMBER 2021 LETTER
In this letter, the NCUA outlined that federally insured credit unions have “already existing authority . . . to establish relationships with third-party providers that offer digital asset services to the FICU’s members, provided certain conditions are met.” See Relationships with Third Parties that Provide Services Related to Digital Assets (Letter 1).
Specifically, the letter spells out the legal basis (in its view) for federal credit unions to engage with third parties that provide digital asset services. Namely, the NCUA relies primarily on the “incidental powers” provision of the Federal Credit Union Act and Part 721 of the NCUA implementing regulation. See 12 U.S.C. § 1757(17); 12 CFR Part 721. Notably, the NCUA appears to take a friendly position towards third parties that may provide crypto services, calling them “useful” and a “logical outgrowth” of a federal credit union’s business.
The letter does warn that credit unions must ensure compliance with conflicts of interest provisions of 12 CFR Part 721 and any other applicable laws/regulations.
Notably, the letter does not provide guidance to federally insured state credit unions on their authority to engage in these third party relationships and rather points them to state law for guidance to determine their authority.
The letter does however provide guidance related to risk assessments, contracts and advertising.
In terms of risk assessments, the NCUA stated that credit unions must conduct “appropriate due diligence” before taking on a relationship with a third party offering digital assets and during the relationship given the pace of regulatory change in the digital asset space. The NCUA also noted that the risk assessment will affect the credit union’s CAMELS ratings (an international rating system used by regulatory banking authorities to assess the strength of a bank) depending on the rigor with which the credit union undertakes risk oversight of their third party relationships.
In terms of policies and written contracts, the NCUA outlined that all credit unions should adopt written policies and procedures to “ensure appropriate internal controls and ongoing compliance with applicable law,” which includes engaging legal counsel for this specific purpose due to “the breadth and rapid evolution of the digital asset sector.” The letter also outlined that written policies and procedures must at least address certain items, such as (1) a description of the responsibilities of the credit union and the third party, (2) indemnification of the credit union by the third party (specifically for fraud), (3) the use and disposition of FICU member information and (4) ongoing compliance with requirements of all applicable law.
For a full list of required items, please see the letter. Relationships with Third Parties that Provide Services Related to Digital Assets.
In terms of advertising, the NCUA outlined that any offering of cryptocurrency services through a third party must not be confusing or misleading to members, in particular about the fact that the products ARE NOT insured. Specifically, the NCUA spelled out that any advertising materials must “conspicuously inform” members that such products are not federally insured, are not obligations or guarantees of the credit union, are volatile and speculative, may have fees, may not allow member recourse and are offered by a third party.
MAY 2022 Letter
The NCUA’s second letter clarifies that credit unions may take a “direct approach” to distributed ledger technologies (i.e, blockchain technology, or in layman’s terms, a protocol that enables the secure functioning of a decentralized digital database) and that the NCUA “does not prohibit credit unions from developing, procuring, or using DLT.” See Federally Insured Credit Union Use of Distributed Ledger Technologies (Letter 2).
The letter generally sets forth five difference areas that credit unions should focus on when implementing DLTs: (1) information and cybersecurity risk; (2) legal and compliance risk; (3) strategic and reputation risk; (4) liquidity risk; and (5) third-party risk.
In regards to the above, the letter outlines that each of these areas must be “susceptible to validation” by the credit union’s risk assessment and audit functions and that the credit union must make its board of directors aware that the credit union is using DLT and how the DLT squares with the credit union’s strategic planning and risk tolerance.
Disclaimer: This blog and the content herein are available for informational and educational purposes only. The content herein is not a solicitation to provide legal services and is not legal or investments advice on any subject matter. Nothing in this blog shall create an attorney-client relationship. The legal information in this blog is provided “as is” without any representations or warranties, express or implied. The author makes no representations or warranties in relation to the legal information on this website. You must not rely on the information on this website as an alternative to legal advice from your attorney or investment advisor. Please see the disclaimer section for more information.
