WEBVTT

00:00:00.450 --> 00:00:02.380
Samantha: Hello, this is Samantha Shares.

00:00:02.950 --> 00:00:07.450
This episode covers N C U A’s letter
to credit unions number twenty two dash

00:00:07.450 --> 00:00:12.060
zero seven Federally Insured Credit Union
Use of Distributed Ledger Technologies

00:00:12.761 --> 00:00:16.191
The following is an audio version of
that letter and the press release.

00:00:16.761 --> 00:00:19.941
This podcast is educational
and is not legal advice.

00:00:20.381 --> 00:00:24.391
We are sponsored by Credit Union
Exam Solutions Incorporated, whose

00:00:24.391 --> 00:00:27.491
team has over two hundred and
forty years of National Credit

00:00:27.491 --> 00:00:29.351
Union Administration experience.

00:00:29.861 --> 00:00:33.551
We assist our clients with N C
U A so they save time and money.

00:00:33.931 --> 00:00:37.901
If you are worried about a recent,
upcoming or in process N C U A

00:00:37.901 --> 00:00:42.301
examination, reach out to learn how they
can assist at Mark Treichel DOT COM.

00:00:42.781 --> 00:00:47.151
Also check out our other podcast called
With Flying Colors where we provide tips

00:00:47.151 --> 00:00:49.711
on how to achieve success with N C U A.

00:00:50.442 --> 00:00:51.332
And now the letter.

00:00:52.047 --> 00:00:55.167
The National Credit Union
Administration supports initiatives

00:00:55.167 --> 00:00:58.587
by federally insured credit unions
to better serve their members.

00:00:59.147 --> 00:01:02.867
The rapid emergence of financial
technology is creating opportunities

00:01:02.867 --> 00:01:06.567
for credit unions to increase
speed of service, improve security,

00:01:06.707 --> 00:01:08.597
and expand products and services.

00:01:09.287 --> 00:01:13.267
In this spirit, the Board is exploring
how the agency can provide clarity

00:01:13.267 --> 00:01:17.427
around expectations regarding financial
technology adoption to not impede

00:01:17.427 --> 00:01:21.737
safe, fair, and responsible federally
insured credit union engagement.

00:01:22.480 --> 00:01:26.570
This letter clarifies certain expectations
for credit unions contemplating the

00:01:26.570 --> 00:01:30.570
use of new or emerging distributed
ledger technologies (D L T).

00:01:31.230 --> 00:01:34.380
The agency does not prohibit
credit unions from developing,

00:01:34.440 --> 00:01:36.420
procuring, or using D L T.

00:01:36.720 --> 00:01:41.420
D L T used as an underlying technology
by credit unions is not prohibited

00:01:41.470 --> 00:01:45.160
if it is deployed for permissible
activities and in compliance with

00:01:45.160 --> 00:01:49.930
all applicable laws and regulations,
including applicable state laws or state

00:01:49.930 --> 00:01:51.950
supervisory authority requirements.

00:01:52.260 --> 00:01:56.170
As with the internet at its inception,
the AGENCY recognizes that new

00:01:56.170 --> 00:01:59.800
technologies may transform how
credit unions perform traditional

00:01:59.800 --> 00:02:01.880
financial operations and services.

00:02:02.626 --> 00:02:06.476
This letter reiterates the importance of
sound governance and planning related to

00:02:06.476 --> 00:02:08.946
deploying new technologies like D L T.

00:02:09.496 --> 00:02:14.076
While D L T is maturing, the AGENCY
recognizes that cases for implementation

00:02:14.076 --> 00:02:17.976
may expand rapidly as the technology
becomes more widespread and credit

00:02:17.976 --> 00:02:19.906
unions become more familiar with it.

00:02:20.586 --> 00:02:24.576
For this reason, this letter provides
areas for credit unions to consider

00:02:24.576 --> 00:02:26.966
when evaluating whether to use D L T.

00:02:27.406 --> 00:02:31.836
The AGENCY also recognizes that the
specific application of D L T may

00:02:31.836 --> 00:02:35.946
necessitate additional due diligence
by credit unions, and approaches that

00:02:35.946 --> 00:02:39.136
vary with some of the more general
guidance provided in this letter.

00:02:39.676 --> 00:02:43.206
As such, the AGENCY expects that
this letter may generate follow-up

00:02:43.206 --> 00:02:46.466
inquiries where additional
guidance is requested and prudent.

00:02:47.106 --> 00:02:51.246
This letter also signals to the broader
financial and technology communities that

00:02:51.246 --> 00:02:55.416
credit unions are a market to consider
when designing products, considering

00:02:55.416 --> 00:02:57.426
partnerships, or making investments.

00:02:58.152 --> 00:03:02.612
As with all new and emerging technology,
the AGENCY expects credit unions

00:03:02.612 --> 00:03:07.262
to exercise judgment, apply sound
risk-management practices, and conduct

00:03:07.262 --> 00:03:11.242
necessary due diligence when choosing
a platform, product, or service.

00:03:11.772 --> 00:03:15.332
When considering D L T, credit
unions should first evaluate the

00:03:15.332 --> 00:03:19.352
permissibility of the activity itself
and then assess the opportunities

00:03:19.352 --> 00:03:21.332
and risks relative to the activity.

00:03:21.852 --> 00:03:27.132
Finally, given the emerging nature of D L
T and its potential use by credit unions,

00:03:27.162 --> 00:03:31.472
considerations introduced in this letter
should not be construed as all inclusive.

00:03:32.295 --> 00:03:34.245
Governance, Oversight and Planning

00:03:34.911 --> 00:03:39.241
As with the development of any new product
or service, when deploying a platform,

00:03:39.371 --> 00:03:44.101
product, or service using D L T as part
of the underlying technology, credit

00:03:44.101 --> 00:03:48.201
unions should find an appropriate balance
between the opportunities and the risks.

00:03:48.641 --> 00:03:52.381
Related project plans and risk
assessments should include examining

00:03:52.381 --> 00:03:56.151
internal constraints and obstacles,
and ensuring, at a minimum:

00:03:56.868 --> 00:04:00.498
•	The credit union’s board of directors
is notified of advancements in the

00:04:00.498 --> 00:04:05.828
underlying technology, the purposes of
the technology, and how using D L T aligns

00:04:05.828 --> 00:04:10.258
with the credit union’s strategic planning
objectives and approved risk tolerances.

00:04:11.004 --> 00:04:15.664
•	Credit union staff and third parties using
and managing the technology are complying

00:04:15.664 --> 00:04:19.744
with applicable laws and regulations
and acting in a safe-and-sound manner.

00:04:20.493 --> 00:04:24.423
•	Effective risk-management practices
are followed to identify, assess,

00:04:24.513 --> 00:04:28.883
and mitigate risks associated with
D L T and the specific activities

00:04:28.883 --> 00:04:30.223
for which it will be deployed.

00:04:30.998 --> 00:04:34.518
•	Risk assessment and audit functions
can validate and attest to the

00:04:34.518 --> 00:04:38.338
effectiveness of risk-mitigation
practices in accordance with internal

00:04:38.338 --> 00:04:40.748
policy and industry leading practices.

00:04:41.449 --> 00:04:43.689
Risk and Risk-Mitigation Strategies

00:04:44.405 --> 00:04:47.085
All technology and systems
have inherent risks.

00:04:47.635 --> 00:04:51.235
Credit unions are responsible for
ensuring sound operations whether

00:04:51.235 --> 00:04:55.275
delivery of services is accomplished
internally or through third parties.

00:04:55.695 --> 00:04:59.545
For example, the AGENCY recognizes
third-party relationships may be

00:04:59.545 --> 00:05:04.255
valuable to credit unions in facilitating
implementation and use of, and member

00:05:04.255 --> 00:05:07.035
access to, new and emerging technology.

00:05:07.315 --> 00:05:11.475
Inadequately managed and controlled
third-party relationships, however, can

00:05:11.475 --> 00:05:16.945
result in harm to members, unanticipated
costs, legal disputes, and financial loss.

00:05:17.665 --> 00:05:20.295
Therefore, effective risk
management is important.

00:05:21.047 --> 00:05:26.197
Credit unions must identify, assess, and
mitigate risks associated with D L T.

00:05:26.687 --> 00:05:30.147
Credit unions should consider
specific questions related to D L

00:05:30.147 --> 00:05:33.797
T as part of their due diligence
efforts and ensure activities are

00:05:33.797 --> 00:05:37.997
permissible and in compliance with
all applicable laws and regulations.

00:05:38.477 --> 00:05:42.257
Depending upon the characteristics
of the D L T being deployed and

00:05:42.257 --> 00:05:46.147
how it is being used, other risk
factors may merit consideration.

00:05:46.507 --> 00:05:49.587
Credit unions should employ a
comprehensive approach to risk

00:05:49.587 --> 00:05:53.347
identification, assessment, and
mitigation as part of the development

00:05:53.347 --> 00:05:55.187
and implementation of D L T.

00:05:55.637 --> 00:05:59.777
In cases where vendor-provided solutions
are considered, the responsibility

00:05:59.777 --> 00:06:03.797
to identify, understand, and mitigate
material risks resides with the

00:06:03.797 --> 00:06:07.407
board and management of the credit
union and not solely the vendor.

00:06:08.146 --> 00:06:11.706
Depending on the purpose for which
the D L T is being implemented,

00:06:11.916 --> 00:06:15.416
credit unions should consider the
following questions, among others:

00:06:16.130 --> 00:06:18.220
Information and Cybersecurity Risk

00:06:19.004 --> 00:06:22.924
•	What are the primary characteristics
of the D L T network architecture?

00:06:23.509 --> 00:06:26.929
•	Does the D L T exist within
a private or public network?

00:06:27.637 --> 00:06:31.767
•	Has the risk of compromise related to many
points of entry (nodes) been assessed?

00:06:32.392 --> 00:06:36.012
•	Are consensus mechanisms built
into the D L T architecture

00:06:36.012 --> 00:06:37.942
immune to external exploitation?

00:06:38.619 --> 00:06:41.949
•	How are permissions and identity
management credentials managed?

00:06:42.586 --> 00:06:45.556
•	By whom and how is governance
over the network conducted?

00:06:46.235 --> 00:06:48.935
•	What are the data quality
control expectations among

00:06:48.935 --> 00:06:50.535
participants within the network?

00:06:51.219 --> 00:06:54.349
•	Are D L T solutions deployed
within a strictly governed

00:06:54.349 --> 00:06:57.739
coding process in accordance
with industry leading practices?

00:06:58.377 --> 00:07:00.017
Legal and Compliance Risk

00:07:00.764 --> 00:07:04.954
•	Have the potential legal and compliance
risks been assessed, including those

00:07:04.954 --> 00:07:09.944
related to maintaining confidentiality,
privacy, data security, recordkeeping,

00:07:10.034 --> 00:07:11.944
and consumer and fraud protections?

00:07:12.574 --> 00:07:17.054
•	When deploying the D L T, will the credit
union comply with applicable laws and

00:07:17.054 --> 00:07:22.474
regulations, such as requirements of the
Bank Secrecy Act (BSA), including customer

00:07:22.474 --> 00:07:26.934
due diligence, “Know Your Customer,”
and anti-money laundering requirements?

00:07:27.550 --> 00:07:31.040
•	Are each of the nodes on the
D L T network BSA compliant?

00:07:31.691 --> 00:07:35.311
•	If the application involves the
use of smart contracts, is testing

00:07:35.311 --> 00:07:38.241
of the underlying architecture
in place and documented?

00:07:38.761 --> 00:07:42.501
Has the credit union confirmed with
whom and to what extent oversight,

00:07:42.631 --> 00:07:46.871
governance, and maintenance of the smart
contract application reside and exist?

00:07:47.492 --> 00:07:49.392
Strategic and Reputation Risk

00:07:50.154 --> 00:07:54.494
•	Have potential strategic and reputational
risks related to the D L T been

00:07:54.494 --> 00:07:56.734
identified, assessed, and mitigated?

00:07:57.364 --> 00:08:00.974
•	Are consensus mechanisms built
into the D L T architecture

00:08:00.974 --> 00:08:02.644
well understood by management?

00:08:03.292 --> 00:08:07.652
•	Is a process in place to monitor
emerging risks and changes in technology?

00:08:08.032 --> 00:08:11.812
Can the credit union or third-party
apply changes in deployment and

00:08:11.812 --> 00:08:13.662
internal controls in response?

00:08:14.238 --> 00:08:17.638
•	Do contracts with third-party
vendors provide reasonable “exit

00:08:17.638 --> 00:08:21.338
strategies” in the event of
deterioration in financial condition

00:08:21.338 --> 00:08:23.258
or service delivery by the vendor?

00:08:23.896 --> 00:08:24.846
Liquidity Risk

00:08:25.611 --> 00:08:29.621
•	Have potential liquidity risks been
identified, assessed, and mitigated?

00:08:30.262 --> 00:08:31.322
Third-Party Risk

00:08:32.111 --> 00:08:36.771
•	Have potential legal and compliance risks
associated with new-entry participants

00:08:36.771 --> 00:08:38.761
and third-party agreements been assessed?

00:08:39.367 --> 00:08:43.127
•	Have the appropriate due diligence steps
been taken in the selection of the third

00:08:43.127 --> 00:08:45.787
party before entering a D L T arrangement?

00:08:46.207 --> 00:08:50.697
Has AGENCY’s existing guidance on
evaluating third-party relationships and

00:08:50.697 --> 00:08:52.697
third-party due diligence been reviewed?

00:08:53.372 --> 00:08:54.112
Conclusion

00:08:54.747 --> 00:08:59.417
Examples of current and evolving use
of D L T in various applications exist

00:08:59.417 --> 00:09:03.217
within the credit union industry and
larger financial services sector.

00:09:03.817 --> 00:09:07.977
This letter explains that credit unions
may appropriately use D L T as an

00:09:08.007 --> 00:09:12.477
underlying technology and highlights a
variety of relevant issues credit unions

00:09:12.477 --> 00:09:14.387
should evaluate prior to deployment.

00:09:14.867 --> 00:09:18.857
Credit unions can responsibly
explore the use of D L T for business

00:09:18.857 --> 00:09:22.507
uses to enhance their operations
and ongoing competitiveness.

00:09:23.265 --> 00:09:27.515
Credit unions must remain alert to
new or evolving risks posed by use of

00:09:27.515 --> 00:09:29.595
an emerging technology or approach.

00:09:30.085 --> 00:09:34.305
The AGENCY expects credit unions to
exercise good judgment and apply sound

00:09:34.305 --> 00:09:38.365
risk-management practices when choosing
to offer a new platform, product,

00:09:38.475 --> 00:09:42.795
or service, including where D L T is
part of the underlying technology.

00:09:43.285 --> 00:09:46.725
These reviews include evaluating
the permissibility of the activity

00:09:46.725 --> 00:09:50.095
itself and the opportunities
and risks associated with any

00:09:50.095 --> 00:09:52.795
underlying technology, such as D L T.

00:09:53.065 --> 00:09:57.095
Examiners will evaluate the rigor with
which credit unions exercised good

00:09:57.095 --> 00:10:02.175
judgement, applied sound risk management,
and executed compliance and risk oversight

00:10:02.175 --> 00:10:06.275
of acquisition or development and
deployment of new systems and technology.

00:10:06.973 --> 00:10:10.943
The AGENCY supports innovations that
are safe and sound, in compliance

00:10:10.943 --> 00:10:14.613
with all applicable laws and
regulations, and fair to consumers.

00:10:15.153 --> 00:10:19.273
The AGENCY also believes that D L
T-related activities are rapidly

00:10:19.273 --> 00:10:23.753
evolving, and present questions and
evolving risks not yet well understood.

00:10:24.323 --> 00:10:28.163
The AGENCY reserves the right to
issue future guidance, as appropriate.

00:10:28.914 --> 00:10:33.494
This concludes the AGENCY Letter to credit
unions on Federally Insured Credit Union

00:10:33.494 --> 00:10:35.744
Use of Distributed Ledger Technologies.

00:10:36.450 --> 00:10:40.620
If your credit union could use assistance
with your exam, reach out to Mark Treichel

00:10:40.620 --> 00:10:43.330
on LinkedIn, or at Mark Treichel dot com.

00:10:43.930 --> 00:10:46.540
This is Samantha Shares and
we thank you for listening.