The NCUA board issued proposals on simplifying share insurance coverage rules and fair hiring and heard a cybersecurity update at its board meeting Thursday.

The first item would amend the NCUA’s regulations governing share insurance coverage.

Specifically, the proposal would:

• Simplify the share insurance regulations by establishing a “trust accounts” category that would provide for coverage of funds of both revocable trusts and irrevocable trusts deposited at credit unions in the accounts of members or those otherwise eligible to maintain insured accounts;
• Provide consistent share insurance treatment for all mortgage servicing account balances held to satisfy principal and interest obligations to a lender; and
• Provide more flexible recordkeeping requirements to explicitly allow the NCUA to look to records held in the normal course of businesses that are maintained by parties other than a credit union and its members on their behalf.

These would align with Federal Deposit Insurance Corporation changes scheduled to become effective in April 2024.

Comments will be accepted for 60 days following publication in the Federal Register.

The fair hiring proposal would incorporate NCUA’s “Second Chance” Interpretive Ruling and Policy Statement (IRPS 19-1) regarding statutory prohibitions imposed by Section 205(d) of the FCU Act into NCUA’s regulations. The section prohibits a person who has been convicted of certain criminal offenses involving dishonesty or breach of trust from participating in the conduct of the affairs of a credit union.

The proposal rule would amend the NCUA’s policies and procedures, as currently reflected in IRPS 19-1 and consistent with amendments made by the recent Fair Hiring in Banking Act and with comparable FDIC regulations.

It would also: expand certain de minimis offenses included in IRPS 19-1; and amend the regulation governing the conditions under which newly chartered or troubled credit unions must notify the NCUA of any proposed changes to the credit union’s board of directors, committee members, or senior executive staff.

Comments will be open for 60 days following publication in the Federal Register.

Agency staff provided the cybersecurity update, noting that—based on 2023 Information Security Examinations—credit unions should focus on the following:

• Report information security risk assessment results to the board of directors;
• Provide test results of key or critical controls to their board of directors; and
• Provide third-party service provider cybersecurity contract provisions to their board of directors.

 Staff also added 146 incidents have been reported within the first 30 days of implementation of the new cybersecurity reporting rule, and more than 60% of reported incidents were due to third-party compromises.