319-325-1171
5438 South Prairie View Drive West Des Moines, IA 50266
Blog Post
NCUA Finalizes Cyber Incident Reporting Rule
Michael Christians • February 23, 2023
At its February board meeting, the National Credit Union Administration (NCUA) approved a final rule requiring federally insured credit unions to notify the NCUA within 72 hours after the occurrence of a reportable cyber incident.
The rule defines a reportable cyber incident as:
- A substantial loss in the confidentiality, integrity, or availability of a network or information system that disrupts vital member services or has a serious impact on the safety and resiliency of operational systems and processes,
- A disruption of business operations, vital member services, or a member information system resulting from a cyberattack, or
- A disruption of business operations or unauthorized access to sensitive data facilitated through or caused by a third-party service provider.
The rule, which takes effect on September 1st of this year, makes it clear that the 72-hour notification is an early alert to the NCUA and does not require delivery of a full incident assessment within that timeframe.
You can find a copy of the final rule here.
Share this post
Recent Blog Posts
In Letter to Credit Unions 25-CU-03 , the National Credit Union Administration (NCUA) announced its new exam scheduling policy. Effective January 1, 2025, federally insured credit unions (FICUs) will be examined according to the following schedule: 8 to 12 months following its last examination date FICUs with ANY of the following characteristics - A CAMELS rating of 3, 4, or 5, Considered less than well capitalized, An outstanding enforcement action, or Assets greater than or equal to $10 billion. FICUs with assets between $1 billion and $10 billion, and A CAMELS rating of 3, 4, or 5, or A change in CEO since its last examination. 12 to 16 months following its last examination date FICUs with assets between $1 billion and $10 billion, and A CAMELS rating of 1 or 2, and No change in CEO since its last examination. 14 to 18 months following its last examination date Federal credit unions (FCUs) not included above Once every 5 years Federally insured state-chartered credit unions (FISCUs) not included above The NCUA believes this revised schedule will allow it to better respond to emerging risks and priorities using available resources. It is important to note that nothing in the new schedule limits the NCUA's authority to examine any FICU as frequently as the agency deems necessary.
Back in December 2023, the Federal Communications Commission (FCC) adopted a new rule amending the prior express written consent requirements under the Telephone Consumer Protection Act (TCPA). That rulemaking would have done a couple of things. First, it would have clarified that a consumer’s prior express written consent can apply to not more than one seller. In other words, the rule would have prevented a company from obtaining a consumer’s consent to the receipt of advertising and telemarketing messages both for itself as well as its affiliates. Second, the rule would have required that a consumer’s consent be logically and topically associated with the interaction that prompted the consent. That second requirement was particularly concerning for financial institutions. The language of the rulemaking seemed to suggest that an institution that captured prior express written consent at the time of account opening could not later rely on that same consent for purposes of sending advertising or telemarketing messages related to loans, credit cards, or other non-deposit products. The Insurance Marketing Coalition asked for a judicial review of the rulemaking at the Eleventh Circuit Court of Appeals. On January 24, 2025, that court vacated the new requirements. In its order, the court found that the FCC exceeded its statutory authority because the amendments to the definition of prior express written consent impermissibly conflicted with the statutory definition of the same term under the TCPA.
Following years of litigation, the Consumer Financial Protection Bureau’s 2017 payday lending rule will take effect on March 30, 2025. Three types of consumer loans are covered by the payday lending rule: Short-term loans that require repayment within 45 days, Longer term loans with a balloon payment, and Longer term loans for which the APR exceeds 36% and automatic payment is required from the consumer's account. Under the rule, covered lenders will have to adhere to both payment restrictions and notice requirements. First, when two consecutive automatic payment attempts have failed in connection with a covered loan, the lender is prohibited from attempting another withdrawal until it has obtained a new and specific authorization from the consumer. Second, the rule imposes the following notice requirements in connection with a covered loan: Written notice before the lender attempts to withdraw the first automatic payment from the consumer's account, Written notice before a subsequent automatic payment attempt that will differ in amount or effective date, and Written notice when two consecutive payment attempts have failed. Lenders that do not originate more than 2,500 covered loans in a calendar year are exempt from the rule’s requirements. Additional implementation resources regarding the payday lending rule are available from the CFPB here .
Address
5438 South Prairie View Drive
West Des Moines, IA 50266
Phone
319-325-1171
michael@mchristiansconsulting.com
Michael Christians Consulting, LLC
This website has been built to be accessible for all users. If you experience any difficulty in accessing this website, please contact us for assistance.
