1.14 - National Credit Union Administration (NCUA)
The NCUA has so far taken a light-touch approach to digital assets, releasing only two letters of guidance. In the first, dated December 2021, the NCUA took the position that federally insured credit unions have “already existing authority . . . to establish relationships with third-party providers that offer digital asset services to the FICU’s members, provided certain conditions are met.” Todd M. Harper, Letter to Federally Insured Credit Unions, Relationships with Third Parties that Provide Services Related to Digital Assets (2021.12).
In the second, dated May 2022, the NCUA expanded that guidance to clarify that credit unions may make use of distributed ledger technology (DLT) directly, provided they engage in a robust risk management process, and it gave an explicit overview of what that process would look like. In so doing, it noted that "NCUA does not prohibit credit unions from developing, procuring, or using DLT." Todd M. Harper, Letter to Federally Insured Credit Unions, Federally Insured Credit Union Use of Distributed Ledger Technologies (2022.05.25).
The December 2021 letter lays out what the NCUA views as the legal basis for federal credit unions to engage in these types of relationships, relying primarily on the “incidental powers” provision of the Federal Credit Union Act and Part 721 of the NCUA’s implementing regulation. See 12 U.S.C. § 1757(17); 12 CFR Part 721. In relying on this provision, the NCUA takes a remarkably crypto-positive attitude by taking the position that “[i]ntroducing members to third parties that may provide members with services related to digital assets”:
1. is useful in carrying out the credit union’s business because it facilitates the credit union serving as members’ primary financial institution;
2. “is the logical outgrowth of an FCU’s business”; and
3. involves a level of risk similar to that FCUs already assume in referring members to other third parties that provide non-deposit financial products or services.
The letter openly acknowledges that this is an evolving field and invites cooperative development of regulation by encouraging “interested parties to contact the agency with suggestions that would provide further clarity and certainty.” For federally insured state credit unions (FISCUs), the letter provides no guidance on authority to engage in these types of relationships and points FISCUs to state law. Note, however, that all FISCUs, regardless of charter status, will have to comply with the NCUA’s guidance in this area on implementing such an arrangement.
Other than general enabling provisions in the Federal Credit Union Act and state credit union laws (to which the Letter stresses repeatedly FISCUs must look to determine their own authority), the NCUA points to previous letters it has issued for guidance in navigating relationships with third parties, depending on the nature of the service being provided to members. It specifically points to:
However, the letter does go on to provide some specific ideas for how risk assessments, policies, procedures, contracts, and advertising must be conducted.
The NCUA stresses that risk assessment will play a key role in taking on any third-party digital asset partnership, “including legal risk, reputation risks, and economic risks,” and that credit unions must conduct appropriate due diligence before taking on such a relationship and during the relationship given “the rapidly changing technological environment” and changing regulatory and compliance landscape.
The NCUA notes that its risk assessment in this area will specifically affect a credit union’s CAMELS ratings and that “as part of the supervisory process, examiners will evaluate the rigor with which FICUs execute compliance and risk oversight of third-party relationships established to deliver member access to digital asset services.”
Next, the NCUA opines that all FICUs looking to engage with a third-party provider of digital asset services should adopt written policies and procedures that will “ensure appropriate internal controls and ongoing compliance with applicable law,” including by engaging legal counsel for this specific purpose due to “the breadth and rapid evolution of the digital asset sector.” Highlighting the quickly evolving nature of regulation, the NCUA’s Vice Chairman, Kyle S. Hauptman, in remarks from March 2021, noted that the Office of the Comptroller of the Currency had recently issued guidance on the custody of digital assets and the use of stablecoins, particularly that such guidance “moves the U.S. closer to the real-time payment systems already used in other countries,” and that the NCUA would be looking to see what it could “take from the OCC’s experience.” Kyle S. Hauptman, Remarks before CUNA’s 2021 Governmental Affairs Conference (2021.03.03). VC Hauptman’s remarks emphasize the need for a robust compliance program to successfully engage digital asset vendors.
The Letter provides specific guidance that written policies and procedures, along with any written contract, must address at least the following:
- the features of the program, including type of digital asset products, services, and technologies; identification of specific legal and regulatory requirements; qualitative considerations regarding the offerings to members based on volatility and complexity. On this criterion, the NCUA says that “comprehensive quantitative and qualitative data (such as key ratios, dollar amounts, and risk parameters, among others) should be prepared and presented to the FICU’s management and board of directors for review.”
- description of the responsibilities of the FICU and the third party, stressing that the third party is responsible for compliance with applicable law, while retaining the right of the FICU to audit member accounts
- indemnification of the FICU by the third party, specifically for fraud
- roles of the FICU and the third party
- location of nondeposit sales, specifically “how those sales will be logically separated from deposit-taking activities.”
- use and disposition of FICU member information, including an explicit agreement by the third party “to comply with the FICU’s policies on information practices.”
- termination of the contract, specifically a provision allowing termination for cause and convenience
- ongoing compliance with requirements of all applicable law, including the ability to monitor compliance by the third party, monitor member complaints, and randomly sample member account activity “to look for evidence of abuse,” and provide compliance reports to their boards of directors to ensure appropriate oversight.
The NCUA stresses that any offering of digital asset services through a third party must not confuse or mislead members, specifically about the fact that these products are not insured. To that end, the NCUA says that in selling, advertising, or marketing uninsured digital assets, the FICU or its vendor must conspicuously inform members that the products (1) are not federally insured; (2) are not obligations of the FICU; (3) are not guaranteed by the FICU; (4) are or may be heavily speculative and volatile; (5) may have associated fees; (6) may not allow member recourse; and (7) are being offered by a third party.
The NCUA says that ideally these disclosures and product offerings would be made in a space physically separate from that used for ordinary deposit products, to emphasize the degree of risk and the lack of insurance.
In contrast to the first letter from six months earlier, the second letter clarifies that credit unions may take a direct approach to distributed ledger technologies (DLT), and that the NCUA "does not prohibit credit unions from developing, procuring, or using DLT," but also does not specify any particular areas that credit unions may or should engage in. Todd M. Harper, Letter to Federally Insured Credit Unions, Federally Insured Credit Union Use of Distributed Ledger Technologies (2022.05.25).
What the letter focuses on instead is what proper governance, oversight, and planning would look like for a credit union looking to implement DLT to ensure the safety and soundness of such a decision. Thus, credit unions "should consider specific questions related to DLT as part of their due diligence efforts and ensure activities are permissible and in compliance with all applicable laws and regulations." It then goes on to set forth those questions in five different areas:
- information and cybersecurity risk;
- legal and compliance risk;
- strategic and reputation risk;
- liquidity risk;
- third-party risk.
But, as the letter stresses, this is more than just upfront planning. Each of these areas must be susceptible to validation by the credit union's risk assessment and audit functions. Moreover, the credit union must make its board of directors aware of its use of DLT, how the technology is changing, and how DLT fits in with the credit union's strategic planning and risk tolerance.
Sources are listed in reverse chronological order.