NCUA Vendor Oversight Authority Passes the House; NCUA Proposes New Rule on Cyber Incident Notification

Following up on a previous post regarding legislation that would grant the NCUA authority to regulate and examine all vendors that do business with a credit union, the House recently passed the National Defense Authorization Act including an amendment that would grant the NCUA such oversight authority over a credit union’s third-party vendors. As previously mentioned, the NCUA has consistently argued for vendor authority over the past twenty years and is now closer to achieving that goal. The proposed legislation now moves to the Senate for consideration. We will continue to monitor the progress of this legislation and will continue to provide commentary on its potential impact on the industry.

In other regulatory news, the NCUA has also proposed a new rule to require credit unions to report what the NCUA defines as a “cyber incident” to the NCUA within seventy-two hours of the credit union reasonably believing that such an incident occurred. The new rule was published at the Federal Register on July 27, 2022, triggering the sixty day commentary period. The proposed rule is supposed to bring the NCUA into alignment with other federal financial institution regulators that previously enacted a similar reporting requirement last November.

If you have any questions or want more information about either the proposed NCUA vendor authority legislation and/or the NCUA’s new cyber incident reporting requirement and how each rule may impact your credit union or CUSO, feel free to contact us.