Regulatory Alerts, Rule Amendments, and Content Updates


Content Changes and Regulatory Alerts 

Every year, the CFPB amends thresholds within regulations, which are tied to consumer price indices.  These threshold changes require content within ComplySight to be amended.  The following content within ComplySight has recently been updated:  

| Area Name | Item Name |
| --- | --- |
| Allowance for Loan and Lease Loss (ALLL) | Changed Item Name to “Allowance for Credit Losses (ACL)”; Updated item to reflect CECL updates |
| High-Cost & Higher-Priced Mortgage Loans | Annual threshold changes |
| Ability to Repay | Annual threshold changes and updates to qualified mortgage categories |
| Home Ownership and Equity Protection Act (HOEPA) | Annual threshold changes |
| Home Mortgage Disclosure Act (HMDA) | Annual threshold changes |
| Consumer Leasing Act | Updated thresholds and reviewed content for consistency with regulatory language |
| HSA Contribution Limits | Updated contribution limits and reviewed content for consistency with regulatory language |
| Reserve Requirements of Depository Institutions | Updated reserve requirements for 2022 and reviewed content to ensure consistency with regulatory language |

Rule Amendments and Upcoming Content Changes

The NCUA Board approved two final rule amendments related to cyber incidents and subordinated debt.

NCUA Final Rule – Cyber Incident Notification Requirements for Federally Insured Credit Unions

Effective on September 1, 2023, credit unions will need to comply with new of the NCUA Regulations to report cyber incidents as soon as possible, but not later than 72 hours after the possible cyber incident is believed to have occurred.

What is a Reportable Cyber Incident that needs to be reported under the new rules? Any substantial cyber incident that leads to one or more of the following:

  1. A substantial loss of confidentiality, integrity, or availability of a network or member information system that results from the unauthorized access to or exposure of sensitive data, disrupts vital member services, or has a serious impact on the safety and resiliency of operational systems and processes.
  2. Disruption of business operations, vital member services, or a member information system resulting from a cyberattack or exploitation of vulnerabilities.
  3. Disruption of business operations or unauthorized access to sensitive data facilitated through, or caused by, a compromise of a credit union service organization, cloud service provider, or other third-party data hosting provider or by a supply chain compromise.

A reportable cyber incident does not include any event where the cyber incident is performed in good faith by an entity in response to a specific request by the owner or operators of the system.

In the commentary to the final rule, the NCUA indicated that they will be providing additional reporting guidance and examples of reportable incidents and non-reportable incidents prior to the effective date of the final rule.

Credit unions should also be aware that Congress enacted the Cyber Incident Reporting for Critical Infrastructure Act of 2022 requiring covered entities to report covered cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA) not later than 72 hours after the entity reasonably believes that a covered cyber incident has occurred. CISA has until 2025 to publish a final rule implementing the requirements and defining terms. While the NCUA’s final rule is intended to serve as an early alert to the NCUA and not intended to include a lengthy assessment of the incident, we can expect the rules to evolve as the NCUA coordinates and works with CISA on future credit union cyber incident reporting in their efforts to avoid duplication.

NCUA Final Rule – Subordinated Debt Rule to Support ECIP Participation

The NCUA Board is amending the current Subordinated Debt rule, finalized in December 2020 and effective January 1, 2022. This final rule makes two changes related to the maturity of Subordinated Debt Notes and Grandfathered Secondary Capital. Specifically, this final rule:

  1. Replaces the maximum permissible maturity of Subordinated Debt notes with a requirement that any credit union seeking to issue Subordinated Debt with maturities longer than 20 years demonstrate how such instruments would continue to be considered “debt”.
  2. Extends the Regulatory Capital treatment of Grandfathered Secondary Capital to the later of 30 years from the date of issuance or January 1, 2052, aligning the Regulatory Capital treatment of Grandfathered Secondary Capital with the maximum permissible maturity for any secondary capital issued by low-income credit unions (LICUs) under 2022 U.S. Department of the Treasury’s (Treasury) Emergency Capital Investment Program (ECIP) or other programs administered by the U.S. Government.
  3. Makes four minor modifications to other sections of the current rule to make it more user-friendly and flexible, such as:
    1. Clarification of the definition of “Qualified Counsel”;
    2. Removal of the statement of cash flow from the Pro Forma Financial Statements requirement and its replacement with a requirement for “cash flow projections”;
    3. Replacement of the requirement for a credit union to submit all documents via the NCUA’s website with a requirement to submit all documents directly to the Appropriate Supervision Office; and
    4. Removal of “(discounted secondary capital re-categorized as Subordinated Debt)” from the description of Grandfathered Secondary Capital that may be redeemed by a credit union.

The NCUA announced its support for the rule because it facilitates the access of eligible credit unions to the Treasury’s ECIP. This rule change ensures that credit unions that are MDIs or CDFIs will be in a good position to advance economic equity and continue to meet the needs of their members, especially if they are of modest means.

Be sure to watch for notifications that ComplySight has been updated with these amendments.
