Blog Post

NCUA Finalizes Cyber Incident Reporting Rule

Michael Christians • February 23, 2023

At its February board meeting, the National Credit Union Administration (NCUA) approved a final rule requiring federally insured credit unions to notify the NCUA within 72 hours after the occurrence of a reportable cyber incident.

The rule defines a reportable cyber incident as:

A substantial loss in the confidentiality, integrity, or availability of a network or information system that disrupts vital member services or has a serious impact on the safety and resiliency of operational systems and processes,
A disruption of business operations, vital member services, or a member information system resulting from a cyberattack, or
A disruption of business operations or unauthorized access to sensitive data facilitated through or caused by a third-party service provider.

The rule, which takes effect on September 1st of this year, makes it clear that the 72-hour notification is an early alert to the NCUA and does not require delivery of a full incident assessment within that timeframe.

You can find a copy of the final rule here.

< Older Post Newer Post >

Share this post

Recent Blog Posts

Parties Reach Deal to Vacate Credit Card Late Fee Rule

By Michael Christians • April 15, 2025

On April 14 th , the Chamber of Commerce of the United States and the Consumer Financial Protection Bureau (CFPB) filed a joint motion for entry of consent judgment to resolve litigation in the US District Court for the Northern District of Texas regarding the CFPB’s credit card late fee rule. In March 2024, the CFPB issued a final rule that would have limited large card issuers (those with more than 1 million open and active credit card accounts) from charging a late fee that exceeds $8. Almost immediately, a lawsuit was brought by the US Chamber of Commerce in federal district court asserting that the rule violated the CARD Act. To resolve this litigation, the parties have jointly asked the court to vacate the rule. Once the terms of the settlement have been approved by the court, card issuers will return to the safe harbor fee amounts outlined in 12 CFR 1026.52.

CFPB to Reopen Small Business Lending Data Collection Rule

By Michael Christians • April 5, 2025

In a filing submitted in connection with a lawsuit in the US District Court for the Southern District of Florida challenging the small business lending data collection rule, the Consumer Financial Protection Bureau (CFPB) has indicated its intent to reopen the rule to make changes. According to the filing, the agency intends to issue a notice of proposed rulemaking as expeditiously as reasonably possible. By way of reminder, the rule is currently stayed by the 5th Circuit in companion litigation, but only for members of the American Bankers Association, America’s Credit Unions and other plaintiffs/intervenors. All other covered financial institutions are required to begin complying with the rule as soon as July 18, 2025 (depending on loan volume). However, the CFPB’s filing in the Florida case also agreed that “subjecting similarly situated entities to different compliance dates for Section 1071’s data collection requirements would not serve the public interest.” As a result, it is anticipated that the agency will announce that it does not intend to enforce the rule, in its current form, against any institution. Stay tuned for further developments.

CFPB Will Not Prioritize Enforcement of Payday Lending Rule

By Michael Christians • April 3, 2025

On March 28, 2025, the Consumer Financial Protection Bureau (CFPB) announced that it will not prioritize enforcement or supervision actions with regard to the payday lending rule. In its press release , the CFPB said that it is contemplating issuing a notice of proposed rulemaking that would further narrow the scope of the rule. As a reminder, the payday lending rule, which took effect on March 30th, requires covered financial institutions to: Obtain new and specific automatic payment authorization for a covered loan after two consecutive automatic payment attempts have failed, and Provide specific disclosures and notices in connection with a covered loan. Only lenders that originate 2,500 or more covered loans in a calendar year are covered by the requirements of the rule.

Address

5438 South Prairie View Drive

West Des Moines, IA 50266

Phone

319-325-1171

Email

michael@mchristiansconsulting.com

Michael Christians Consulting, LLC

This website has been built to be accessible for all users. If you experience any difficulty in accessing this website, please contact us for assistance.

Powered by MyCase

Share by: