This podcast provides you the ability to listen to new regulatory guidance issued by the National Credit Union Administration, and occasionally the F D I C, the O C C, the F F I E C, or the C F P B. We will focus on new and material agency guidance, and historically important and still active guidance from past years that NCUA cites in examinations or conversations. This podcast is educational only and is not legal advice. We are sponsored by Credit Union Exam Solutions Incorporated. We also have another podcast called With Flying Colors where we provide tips for achieving success with the N C U A examination process and discuss hot topics that impact your credit union.
Samantha: Hello, this is Samantha Shares.
This episode covers N C U A's letter
to credit unions number twenty two dash
zero seven Federally Insured Credit Union
Use of Distributed Ledger Technologies
The following is an audio version of
that letter and the press release.
This podcast is educational
and is not legal advice.
We are sponsored by Credit Union
Exam Solutions Incorporated, whose
team has over two hundred and
forty years of National Credit
Union Administration experience.
We assist our clients with N C
U A so they save time and money.
If you are worried about a recent,
upcoming or in process N C U A
examination, reach out to learn how they
can assist at Mark Treichel DOT COM.
Also check out our other podcast called
With Flying Colors where we provide tips
on how to achieve success with N C U A.
And now the letter.
The National Credit Union
Administration supports initiatives
by federally insured credit unions
to better serve their members.
The rapid emergence of financial
technology is creating opportunities
for credit unions to increase
speed of service, improve security,
and expand products and services.
In this spirit, the Board is exploring
how the agency can provide clarity
around expectations regarding financial
technology adoption to not impede
safe, fair, and responsible federally
insured credit union engagement.
This letter clarifies certain expectations
for credit unions contemplating the
use of new or emerging distributed
ledger technologies (D L T).
The agency does not prohibit
credit unions from developing,
procuring, or using D L T.
D L T used as an underlying technology
by credit unions is not prohibited
if it is deployed for permissible
activities and in compliance with
all applicable laws and regulations,
including applicable state laws or state
supervisory authority requirements.
As with the internet at its inception,
the AGENCY recognizes that new
technologies may transform how
credit unions perform traditional
financial operations and services.
This letter reiterates the importance of
sound governance and planning related to
deploying new technologies like D L T.
While D L T is maturing, the AGENCY
recognizes that cases for implementation
may expand rapidly as the technology
becomes more widespread and credit
unions become more familiar with it.
For this reason, this letter provides
areas for credit unions to consider
when evaluating whether to use D L T.
The AGENCY also recognizes that the
specific application of D L T may
necessitate additional due diligence
by credit unions, and approaches that
vary with some of the more general
guidance provided in this letter.
As such, the AGENCY expects that
this letter may generate follow-up
inquiries where additional
guidance is requested and prudent.
This letter also signals to the broader
financial and technology communities that
credit unions are a market to consider
when designing products, considering
partnerships, or making investments.
As with all new and emerging technology,
the AGENCY expects credit unions
to exercise judgment, apply sound
risk-management practices, and conduct
necessary due diligence when choosing
a platform, product, or service.
When considering D L T, credit
unions should first evaluate the
permissibility of the activity itself
and then assess the opportunities
and risks relative to the activity.
Finally, given the emerging nature of D L
T and its potential use by credit unions,
considerations introduced in this letter
should not be construed as all inclusive.
Governance, Oversight and Planning
As with the development of any new product
or service, when deploying a platform,
product, or service using D L T as part
of the underlying technology, credit
unions should find an appropriate balance
between the opportunities and the risks.
Related project plans and risk
assessments should include examining
internal constraints and obstacles,
and ensuring, at a minimum:
• The credit union's board of directors
is notified of advancements in the
underlying technology, the purposes of
the technology, and how using D L T aligns
with the credit union's strategic planning
objectives and approved risk tolerances.
• Credit union staff and third parties using
and managing the technology are complying
with applicable laws and regulations
and acting in a safe-and-sound manner.
• Effective risk-management practices
are followed to identify, assess,
and mitigate risks associated with
D L T and the specific activities
for which it will be deployed.
• Risk assessment and audit functions
can validate and attest to the
effectiveness of risk-mitigation
practices in accordance with internal
policy and industry leading practices.
Risk and Risk-Mitigation Strategies
All technology and systems
have inherent risks.
Credit unions are responsible for
ensuring sound operations whether
delivery of services is accomplished
internally or through third parties.
For example, the AGENCY recognizes
third-party relationships may be
valuable to credit unions in facilitating
implementation and use of, and member
access to, new and emerging technology.
Inadequately managed and controlled
third-party relationships, however, can
result in harm to members, unanticipated
costs, legal disputes, and financial loss.
Therefore, effective risk
management is important.
Credit unions must identify, assess, and
mitigate risks associated with D L T.
Credit unions should consider
specific questions related to D L
T as part of their due diligence
efforts and ensure activities are
permissible and in compliance with
all applicable laws and regulations.
Depending upon the characteristics
of the D L T being deployed and
how it is being used, other risk
factors may merit consideration.
Credit unions should employ a
comprehensive approach to risk
identification, assessment, and
mitigation as part of the development
and implementation of D L T.
In cases where vendor-provided solutions
are considered, the responsibility
to identify, understand, and mitigate
material risks resides with the
board and management of the credit
union and not solely the vendor.
Depending on the purpose for which
the D L T is being implemented,
credit unions should consider the
following questions, among others:
Information and Cybersecurity Risk
• What are the primary characteristics
of the D L T network architecture?
• Does the D L T exist within
a private or public network?
• Has the risk of compromise related to many
points of entry (nodes) been assessed?
• Are consensus mechanisms built
into the D L T architecture
immune to external exploitation?
• How are permissions and identity
management credentials managed?
• By whom and how is governance
over the network conducted?
• What are the data quality
control expectations among
participants within the network?
• Are D L T solutions deployed
within a strictly governed
coding process in accordance
with industry leading practices?
Legal and Compliance Risk
• Have the potential legal and compliance
risks been assessed, including those
related to maintaining confidentiality,
privacy, data security, recordkeeping,
and consumer and fraud protections?
• When deploying the D L T, will the credit
union comply with applicable laws and
regulations, such as requirements of the
Bank Secrecy Act (BSA), including customer
due diligence, "Know Your Customer,"
and anti-money laundering requirements?
• Are each of the nodes on the
D L T network BSA compliant?
• If the application involves the
use of smart contracts, is testing
of the underlying architecture
in place and documented?
Has the credit union confirmed with
whom and to what extent oversight,
governance, and maintenance of the smart
contract application reside and exist?
Strategic and Reputation Risk
• Have potential strategic and reputational
risks related to the D L T been
identified, assessed, and mitigated?
• Are consensus mechanisms built
into the D L T architecture
well understood by management?
• Is a process in place to monitor
emerging risks and changes in technology?
Can the credit union or third-party
apply changes in deployment and
internal controls in response?
• Do contracts with third-party
vendors provide reasonable "exit
strategies" in the event of
deterioration in financial condition
or service delivery by the vendor?
Liquidity Risk
• Have potential liquidity risks been
identified, assessed, and mitigated?
Third-Party Risk
• Have potential legal and compliance risks
associated with new-entry participants
and third-party agreements been assessed?
• Have the appropriate due diligence steps
been taken in the selection of the third
party before entering a D L T arrangement?
Has AGENCY's existing guidance on
evaluating third-party relationships and
third-party due diligence been reviewed?
Conclusion
Examples of current and evolving use
of D L T in various applications exist
within the credit union industry and
larger financial services sector.
This letter explains that credit unions
may appropriately use D L T as an
underlying technology and highlights a
variety of relevant issues credit unions
should evaluate prior to deployment.
Credit unions can responsibly
explore the use of D L T for business
uses to enhance their operations
and ongoing competitiveness.
Credit unions must remain alert to
new or evolving risks posed by use of
an emerging technology or approach.
The AGENCY expects credit unions to
exercise good judgment and apply sound
risk-management practices when choosing
to offer a new platform, product,
or service, including where D L T is
part of the underlying technology.
These reviews include evaluating
the permissibility of the activity
itself and the opportunities
and risks associated with any
underlying technology, such as D L T.
Examiners will evaluate the rigor with
which credit unions exercised good
judgement, applied sound risk management,
and executed compliance and risk oversight
of acquisition or development and
deployment of new systems and technology.
The AGENCY supports innovations that
are safe and sound, in compliance
with all applicable laws and
regulations, and fair to consumers.
The AGENCY also believes that D L
T-related activities are rapidly
evolving, and present questions and
evolving risks not yet well understood.
The AGENCY reserves the right to
issue future guidance, as appropriate.
This concludes the AGENCY Letter to credit
unions on Federally Insured Credit Union
Use of Distributed Ledger Technologies.
If your credit union could use assistance
with your exam, reach out to Mark Treichel
on LinkedIn, or at Mark Treichel dot com.
This is Samantha Shares and
we thank you for listening.