1.14 - National Credit Union Administration (NCUA)

Overview

The NCUA is the independent federal agency responsible for regulating and supervising federally chartered credit unions and for administering the National Credit Union Share Insurance Fund, which insures deposits at all federally insured credit unions (FICUs). See 12 U.S.C. ch. 14. Compared to the FDIC, the OCC, and the Fed, the NCUA has taken a notably light-touch approach to digital assets. Between December 2021 and May 2022, it issued only two guidance letters: the first affirmed that FICUs possess existing authority to partner with third-party digital asset service providers, and the second clarified that the NCUA "does not prohibit credit unions from developing, procuring, or using" distributed ledger technology. Todd M. Harper, Letter to Federally Insured Credit Unions, Relationships with Third Parties that Provide Services Related to Digital Assets (2021.12) (updated 2024.11.14); Todd M. Harper, Letter to Federally Insured Credit Unions, Federally Insured Credit Union Use of Distributed Ledger Technologies (2022.05.25).

Through 2023 and 2024, the NCUA held a steady course. It finalized a principles-based Financial Innovation rule facilitating credit union-fintech partnerships, participated in interagency AML/CFT rulemaking, and did not list digital assets as a standalone supervisory priority. Notably, the NCUA was excluded from the January and February 2023 interagency joint statements warning of crypto-asset risks to banking organizations -- those statements were issued by the Fed, the FDIC, and the OCC, and the Fed only. That exclusion arguably reflected the NCUA's more permissive posture, or at minimum its distinct regulatory lane as the credit union regulator rather than a bank regulator.

In January 2025, Kyle S. Hauptman -- who had served as Vice Chairman since 2020 and had consistently advocated for credit union engagement with digital assets -- was designated Chairman of the NCUA Board. Following the removal of the other two Board members in April 2025, Chairman Hauptman codified a "no regulation-by-enforcement" policy and steered the agency toward an explicitly pro-innovation posture. The passage of the GENIUS Act in July 2025 then transformed the NCUA's role entirely: the statute designates the NCUA as a primary federal payment stablecoin regulator for federally insured credit unions, and the agency submitted its proposed implementing rule to OMB in December 2025, with final regulations due by July 2026. The 2026 Supervisory Priorities letter marked the first time the NCUA explicitly referenced stablecoin legislation in its examination expectations. NCUA, Letter 26-CU-01, 2026 Supervisory Priorities (2026.01).

Guidance

This letter lays out what it views as the legal basis for federal credit unions to engage in these types of relationships, relying primarily on the "incidental powers" provision of the Federal Credit Union Act and Part 721 of the NCUA's implementing regulation. See 12 U.S.C. § 1757(17); 12 CFR Part 721. In relying on this provision, the NCUA takes a remarkably crypto-positive attitude by taking the position that "[i]ntroducing members to third parties that may provide members with services related to digital assets" is:

1. useful in carrying out the credit union's business because it facilitates the credit union serving as members' primary financial institution;

2. "is the logical outgrowth of an FCU's business"

3. involves a similar level of risk FCUs already assume in referring members to other third-parties that provide non-deposit financial products or services

The letter warns, however, that credit unions must ensure compliance with conflicts of interest provisions of Part 721.7 and any other applicable law or regulation.

The letter openly acknowledges that this is an evolving field and invites cooperative development of regulation by encouraging "interested parties to contact the agency with suggestions that would provide further clarity and certainty." For federally insured state credit unions (FISCUs), the letter provides no guidance on authority to engage in these types of relationships and points FISCUs to state law. Note, however, that all FISCUs, regardless of charter status, will have to comply with the NCUA's guidance in this area on implementing such an arrangement.

Legal Framework for All Federally Insured Credit Unions (FICUs)

Other than general enabling provisions in the Federal Credit Union Act, and state credit union laws (which the Letter stresses repeatedly FISCUs must look to determine their own authority), the NCUA points to previous letters it has issued for guidance in navigating relationships with third-parties, depending on the nature of the service being provided to members. It specifically points to:

• Letter to Federal Credit Unions, 10-FCU-30, "Sales of Nondeposit Investments."

• Letter to Credit Unions, 07-CU-13, "Evaluating Third Party Relationships" and Letter to Credit Unions, 08-CU-09, "Evaluating Third Party Relationships Questionnaire."

• Letter to Credit Unions, 01-CU-20, "Due Diligence Over Third Party Service Providers."

• Letter to Credit Unions, 03-CU-08, "Web linking: Identifying Risks Risk Management Techniques."

• FFIEC IT Booklet Outsourcing Technology Services (opens new window) June 2004.

• FIN-2019-G001, "Application of FinCEN's Regulations to Certain Business Models Involving Convertible Virtual Currencies," (May 9, 2019).

However, the letter does go on to provide some specific ideas for how risk assessments, policies, procedures, contracts, and advertising must be conducted.

Risk Assessment

The NCUA stresses that risk assessment will play a key role in taking on any third-party digital asset partnership, "including legal risk, reputation risks, and economic risks," and that credit unions must conduct appropriate due diligence before taking on such a relationship and during the relationship given "the rapidly changing technological environment" and changing regulatory and compliance landscape.

The NCUA notes that its risk assessment in this area will specifically affect a credit union's CAMELS ratings and that "as part of the supervisory process, examiners will evaluate the rigor with which FICUs execute compliance and risk oversight of third-party relationships established to deliver member access to digital asset services."

Policies and Procedures / Written Contract

Next, the NCUA opines that all FICUs looking to engage with a third-party provider of digital asset services should adopt written policies and procedures that will "ensure appropriate internal controls and ongoing compliance with applicable law," including by engaging legal counsel for this specific purpose due to "the breadth and rapid evolution of the digital asset sector." Highlighting the quickly evolving nature of regulation, the NCUA's Vice Chairman, Kyle S. Hauptman (later designated Chairman in January 2025), in remarks from March 2021, noted that the Office of the Comptroller of the Currency had recently issued guidance on the custody of digital assets and the use of stablecoins, particularly that such guidance "moves the U.S. closer to the real-time payment systems already used in other countries," and that the NCUA would be looking to see what it could "take from the OCC's experience." Kyle S. Hauptman, Remarks before CUNA's 2021 Governmental Affairs Conference (2021.03.03). Hauptman's remarks emphasize the need for a robust compliance program to successfully engage digital asset vendors.

The Letter provides specific guidance that written policies and procedures, along with any written contract, must address at least the following:

• the features of the program, including type of digital asset products, services, and technologies; identification of specific legal and regulatory requirements; qualitative considerations regarding the offerings to members based on volatility and complexity. On this criteria, the NCUA says that "comprehensive quantitative and qualitative data (such as key ratios, dollar amounts, and risk parameters, among others) should be prepared and presented to the FICU's management and board of directors for review."

• description of the responsibilities of the FICU and the third party, stressing the third-party is responsible for compliance with applicable law, while retaining the right of the FICU to audit member accounts

• indemnification of the FICU by the third party, specifically for fraud

• roles of the FICU and the third party

• location of nondeposit sales, specifically "how those sales will be logically separated from deposit-taking activities."

• use and disposition of FICU member information, including an explicit agreement by the third-party "to comply with the FICU's policies on information practices."

• termination of the contract, specifically a provision allowing termination for cause and convenience

• ongoing compliance with requirements of all applicable law, including the ability to monitor compliance by the third party, monitor member complaints, and randomly sample member account activity "to look for evidence of abuse," and provide compliance reports to their boards of directors to ensure appropriate oversight.

Advertising and Conduct

The NCUA stresses that any offering of digital asset services through a third-party must not be confusing or mislead members, specifically about the fact that these products are not insured. To that end, the NCUA says that in selling, advertising, or marketing uninsured digital assets, the FICU or its vendor must conspicuously inform members that the products (1) are not federally insured; (2) are not obligations of the FICU; (3) are not guaranteed by the FICU; (4) are or may be heavily speculative and volatile; (5) may have associated fees; (6) may not allow member recourse; and (7) are being offered by a third party.

The NCUA says ideally these disclosures and products would be made in a physically separate space than ordinary deposit products to emphasize the degree of risk and the lack of insurance.

Federally Insured Credit Union Use of Distributed Ledger Technologies

In contrast to the first letter from six months earlier, the second letter clarifies that credit unions may take a direct approach to distributed ledger technologies (DLT), and that the NCUA "does not prohibit credit unions from developing, procuring, or using DLT," but also does not specify any particular areas that credit unions may or should engage in. Todd M. Harper, Letter to Federally Insured Credit Unions, Federally Insured Credit Union Use of Distributed Ledger Technologies (2022.05.25).

What the letter focuses on instead is what proper governance, oversight, and planning would look like for a credit union looking to implement DLT to ensure the safety and soundness of such a decision. Thus, credit unions "should consider specific questions related to DLT as part of their due diligence efforts and ensure activities are permissible and in compliance with all applicable laws and regulations." It then goes on to set forth those questions in five different areas:

• information and cybersecurity risk;

• legal and compliance risk;

• strategic and reputation risk;

• liquidity risk;

• third-party risk

But, as the letter stresses, this is more than just upfront planning. Each of these areas must be susceptible to validation by the credit union's risk assessment and audit functions. Moreover, the credit union must make its board of directors aware of its use of DLT, how the technology is changing, and how DLT fits in with the credit union's strategic planning and risk tolerance.

Post-2022 Developments

Financial Innovation Final Rule (October 2023)

On September 29, 2023, the NCUA Board unanimously approved a final rule on financial innovation, published at 88 Fed. Reg. 67,024. NCUA, Financial Innovation: Loan Participations, Eligible Obligations, and Notes of Liquidating Credit Unions, 88 Fed. Reg. 67,024 (2023.09.29). The rule, effective October 30, 2023, shifted the NCUA's approach to fintech partnerships from prescriptive limits to a principles-based framework with policy, due diligence, and risk-management requirements tailored to each credit union's risk profile. While not specifically a digital asset rule, the Financial Innovation rule lowered barriers for credit union-fintech partnerships, including partnerships with digital asset service providers. See id.

Interagency AML/CFT Proposed Rulemaking (June 2024)

On June 28, 2024, the NCUA joined FinCEN, the Fed, the FDIC, and the OCC in issuing a proposed rule to modernize AML/CFT compliance programs for all BSA-covered financial institutions. NCUA, Agencies Request Comment on Anti-Money Laundering/Countering the Financing of Terrorism Proposed Rule (2024.06.28). Under the proposal, supervised institutions would be required to identify, evaluate, and document illicit finance risks and to incorporate FinCEN's published national AML/CFT priorities into their compliance programs. The broader rulemaking addressed modernizing compliance expectations for digital assets, including clarifying obligations with respect to virtual assets and virtual asset service providers.

Supervisory Priorities (2023-2026)

Digital assets did not appear as a standalone supervisory priority in 2023, 2024, or 2025. See NCUA, Letter 23-CU-01; NCUA, Letter 24-CU-01; NCUA, Letter 25-CU-01. During those years, the NCUA's examination focus centered on interest rate risk, liquidity risk, credit risk, cybersecurity, and consumer financial protection, with BSA/AML compliance restored as a priority in 2024 after a one-year absence.

The 2026 Supervisory Priorities letter, however, marked a watershed. For the first time, the NCUA explicitly referenced digital asset legislation, stating the agency would "execute streamlined examination processes and align with recent legislative and executive directives, including the Guiding and Establishing National Innovation for U.S. Stablecoins (GENIUS) Act." NCUA, Letter 26-CU-01, 2026 Supervisory Priorities (2026.01). This was the first supervisory priorities letter to tie examination expectations directly to stablecoin legislation.

Interagency Coordination

The NCUA's position in the broader interagency landscape on digital assets is distinctive. The agency was party to the July 2022 joint statement on risk-based customer due diligence, which affirmed that no customer type automatically presents a high risk of illicit financial activity -- a principle directly relevant to crypto businesses seeking credit union relationships. NCUA, Letter 22-CU-08, Joint Statement on Risk-Based Approach to Assessing Customer Relationships and Conducting Customer Due Diligence (2022.07.06). The NCUA was also party to the June 2024 interagency AML/CFT proposed rulemaking discussed above.

However, the NCUA was notably excluded from the two cautionary interagency joint statements on crypto-asset risks issued in early 2023. The January 3, 2023 Joint Statement on Crypto-Asset Risks to Banking Organizations and the February 23, 2023 Joint Statement on Liquidity Risks from Crypto-Asset Market Vulnerabilities were issued by the Fed, the FDIC, and the OCC only. The NCUA's absence from those statements reflected its distinct regulatory lane -- credit unions rather than banks -- and arguably a more permissive institutional posture toward digital assets. Both of those joint statements were subsequently withdrawn by the Fed and the FDIC in April 2025 as part of the broader deregulatory shift under the new administration. See FDIC, Agencies Withdraw Joint Statements on Crypto-Assets (2025.04).

In August 2025, President Trump issued Executive Order 14331 "Guaranteeing Fair Banking for All Americans," directing the NCUA and other federal banking regulators to scrutinize financial institutions for "politicized or unlawful debanking." The order has direct implications for crypto businesses seeking credit union services, reinforcing the anti-debanking principle articulated in the 2022 joint CDD statement.

Leadership Transition

Hauptman Designated Chairman (January 2025)

On January 20, 2025, President Trump designated Kyle S. Hauptman as the thirteenth Chairman of the NCUA Board, replacing Todd M. Harper. NCUA, Kyle S. Hauptman Designated NCUA Board Chairman (2025.01.20). Hauptman had served as Vice Chairman since December 2020 and had consistently advocated for credit union engagement with emerging technologies, including digital assets and stablecoins. His strategic plan focused on safety and soundness while "creating space for credit unions to innovate responsibly, especially in leveraging artificial intelligence and cryptocurrencies." NCUA, Chairman Hauptman's Testimony before the House Financial Services Committee (2025).

Board Changes

On April 17, 2025, President Trump terminated the positions of both Todd M. Harper and Tanya F. Otsuka from the NCUA Board, leaving Chairman Hauptman as the sole remaining member. NCUA, Staff Message on Current NCUA Board (2025.04). In July 2025, U.S. District Judge Amir H. Ali ruled that the removals were unlawful and ordered Harper and Otsuka reinstated. However, the D.C. Circuit Court of Appeals granted the Trump administration's request to stay the reinstatement order in August 2025, keeping Harper and Otsuka off the Board pending appeal. Chairman Hauptman has operated as sole Board member since April 2025, relying on the NCUA's longstanding position that a single Board member constitutes a quorum when no other members have been appointed or confirmed.

"No Regulation-by-Enforcement" Policy

On October 1, 2025, Chairman Hauptman codified a formal policy prohibiting regulation-by-enforcement at the NCUA:

"Regulation-by-enforcement is unethical and not permitted at NCUA."

NCUA, Chairman Hauptman on Regulation by Enforcement (2025.10.01). Under the policy, enforcement actions shall only occur for clear and significant violations of existing law or regulation. No enforcement action may set or clarify policy; if harmful practices are identified that are not addressed by existing law, the appropriate next step is rulemaking, not enforcement. This approach parallels the broader deregulatory shift across federal agencies, including the SEC's rescission of SAB 121 and the FDIC's withdrawal of prior crypto guidance, and signals that the NCUA will not use enforcement to create de facto digital asset policy.

The GENIUS Act and Stablecoin Regulation

NCUA as Primary Stablecoin Regulator

The Guiding and Establishing National Innovation for U.S. Stablecoins Act (GENIUS Act), signed into law on July 18, 2025, designates the NCUA as a primary federal payment stablecoin regulator for federally insured credit unions and their subsidiaries. A "payment stablecoin" under the Act is a digital asset issued on a public blockchain designed for payment and settlement purposes. This designation represents a transformative expansion of the NCUA's regulatory mandate: an agency that had issued only two guidance letters on digital assets between 2021 and 2022 -- and was excluded from the interagency cautionary statements of early 2023 -- is now one of the federal agencies responsible for supervising stablecoin issuance and custody. Stablecoins issued under the Act are expressly not "deposits" insured by the NCUA Share Insurance Fund. See Gibson Dunn, The GENIUS Act: A New Era of Stablecoin Regulation (2025.07).

Credit Union Service Organizations (CUSOs)

The GENIUS Act explicitly allows Credit Union Service Organizations (CUSOs) to serve as issuing entities for payment stablecoins. This provision creates a pathway for credit union-affiliated stablecoin issuance through the cooperative model that is central to the credit union system, potentially enabling credit unions to offer stablecoin products to their members through jointly owned service organizations. See NACUSO, Navigating New Stablecoin Regulations (2025).

Rulemaking Status

In December 2025, the NCUA submitted its proposed implementing rule to the Office of Management and Budget (OMB). Investments in and Licensing of Permitted Payment Stablecoin Issuers, 91 Fed. Reg. 6531 (2026.02.12). The rule is expected to set conditions under which FICUs may issue or custody payment stablecoins, including risk management, capital, liquidity, governance, and BSA/AML expectations. The GENIUS Act requires final regulations by July 18, 2026. America's Credit Unions, the primary industry trade association, urged the NCUA to "move quickly to begin rulemaking that will permit credit unions to provide digital-asset custody in a safe and sound manner." America's Credit Unions, President Signs GENIUS Act into Law; NCUA Should Move Quickly on Rulemaking (2025.07).

Index of Sources

Sources are listed in reverse chronological order.

• NCUA, Letter 26-CU-01, 2026 Supervisory Priorities (2026.01)

• America's Credit Unions, NCUA Submits GENIUS Act Rulemaking to OMB (2025.12)

• NCUA, Chairman Hauptman on Regulation by Enforcement (2025.10.01)

• Gibson Dunn, The GENIUS Act: A New Era of Stablecoin Regulation (2025.07)

• America's Credit Unions, President Signs GENIUS Act into Law; NCUA Should Move Quickly on Rulemaking (2025.07)

• NACUSO, Navigating New Stablecoin Regulations (2025)

• NCUA, Staff Message on Current NCUA Board (2025.04)

• NCUA, Chairman Hauptman's Testimony before the House Financial Services Committee (2025)

• NCUA, Letter 25-CU-01, 2025 Supervisory Priorities (2025.01)

• NCUA, Kyle S. Hauptman Designated NCUA Board Chairman (2025.01.20)

• NCUA, Letter 21-CU-16, Relationships with Third Parties that Provide Services Related to Digital Assets (2021.12; updated 2024.11.14)

• NCUA, Letter 24-CU-01, 2024 Supervisory Priorities (2024.01)

• NCUA, Agencies Request Comment on Anti-Money Laundering/Countering the Financing of Terrorism Proposed Rule (2024.06.28)

• NCUA, Financial Innovation: Loan Participations, Eligible Obligations, and Notes of Liquidating Credit Unions, 88 Fed. Reg. 67,024 (2023.09.29)

• NCUA, Letter 23-CU-01, 2023 Supervisory Priorities (2023.01)

• NCUA, Letter 22-CU-08, Joint Statement on Risk-Based Approach to Assessing Customer Relationships and Conducting Customer Due Diligence (2022.07.06)

• Todd M. Harper, Letter to Federally Insured Credit Unions, Federally Insured Credit Union Use of Distributed Ledger Technologies (2022.05.25)

• Todd M. Harper, Letter to Federally Insured Credit Unions, Relationships with Third Parties that Provide Services Related to Digital Assets (2021.12)

• Kyle S. Hauptman, Remarks before CUNA's 2021 Governmental Affairs Conference (2021.03.03)

Authors

This article was originally drafted by @Lawtoshi and is subsequently being updated in conjunction with Claude Code.