National Credit Union Administration (NCUA) 

Cyber Incident Notification Requirements Update to Letter 23-CU-07 

The NCUA issued Letter to Credit Unions 25-CU-02 to update the previous letter to credit unions regarding cyber incident notification requirements. In addition, the NCUA announced the availability of a new cyber incident reporting webform. The NCUA also provided an updated Cyber Incident Reporting Quick Reference Guide. 

To report a cyber incident, federally insured credit unions may notify the NCUA through one of the following channels: 

• Complete the Cyber Incident Credit Union Reporting System online form to send a secure incident report. This webform is mobile device friendly and is available under the Cybersecurity Resources webpage on NCUA.gov. 

• Call the NCUA at 1.833.CYBERCU (1.833.292.3728) and leave a voicemail. 

• Email the NCUA utilizing the Secure Email Message Center to send a secure email to cybercu@ncua.gov. 

Credit unions are strongly advised to maintain a high level of vigilance and continually enhance their ability to respond to evolving cybersecurity threats. 

For access to more cybersecurity information and resources, including detailed information on cyber incident reporting, credit unions are encouraged to visit the NCUA’s Cybersecurity Resources webpage. These resources provide valuable information and guidance to help credit unions strengthen their cybersecurity stance and stay informed of the latest developments. 

_________________________________________________________________________ 

Consumer Financial Protection Bureau (CFPB) 

CFPB Seeks Input on Digital Payment Privacy and Consumer Protections 

The CFPB is seeking comment on strengthening privacy protections and preventing harmful surveillance in digital payments offered through large technology platforms. 

The CFPB is requesting public comment to better understand how companies that offer or provide consumer financial products or services collect, use, share, and protect consumers’ personal financial data, including data harvested from consumer payments. The Request for Information seeks comments about the effectiveness (or lack thereof) of existing regulations, including the existing model form, privacy notices, and opt-out mechanisms. The request solicits input on ways to strengthen the existing framework, as well as the types of data the public believes that the CFPB should monitor on a routine basis. 

In addition, the CFPB has proposed an interpretive rule on how the Electronic Fund Transfer Act (EFTA) and Regulation E would apply to new and emerging digital payment mechanisms. Among other protections, EFTA gives consumers the right to dispute erroneous or fraudulent transactions. 

CFPB Proposes Rule to Prohibit Certain Contract Clauses 

The CFPB has proposed a rule to stop companies from using a variety of contract clauses that limit waivers of substantive legal rights and fine print that suppresses speech. The CFPB believes these “take-it-or-leave-it" contracts seek an unfair leg up by attempting to deny individuals the benefit of a free market.  

In 2023, the CFPB increased its focus on clauses that force consumers to forfeit their rights. The CFPB is now issuing this proposed rule to ensure consumer finance contracts focus on the main terms of a deal, not the fine print to take people’s rights. This rule is passed will block companies from: 

• Undermining Rule of Law 

• Deplatforming and Suppressing Speech 

• Amending Key Terms by Fiat 

• Forcing Customers to Automatically Plead Guilty  

CFPB Finds Hundreds of Thousands of Mortgages in Southeast and Central Southwest US Likely Underinsured Against Flood Risk 

The CFPB has issued a new report that found significant differences in the likelihood that homeowners with a mortgage are adequately insured against flooding based on location and income/assets. Per these findings, homeowners in coastal areas were more likely to have flood insurance and generally had higher income/assets. This suggests that these homeowners were in a better position to recover from flooding. However, homeowners living near inland streams and rivers, were less likely to have flood insurance and less likely to have other financial resources to draw on.  

This report was taken from a sample of mortgage applications from 2018-2022. It looks at flood risk in the southeast and central southwest census regions of the U.S. The key findings concluded that current flood insurance maps may not be capturing accurate flood risk exposure, over 400,000 homes may be underinsured, and homeowners who may be underinsured are least likely to be able to self-insure and recover from flooding.  

CFPB Research Reveals Heavy Buy Now, Pay Later Use Among Borrowers with High Credit Balances and Multiple Pay-in-Four Loans 

The CFPB released a study on Buy Now, Pay Later borrowers that found that more than one-fifth of consumers with a credit record used these services in 2022, with most of those consumers having subprime or deep subprime credit scores. This research also revealed that more than three-fifths of Buy Now, Pay Later borrowers held multiple Buy Now, Pay Later loans at some point during the year, and one-third of them had loans from multiple lenders. Buy Now, Pay Later borrowers were also more likely than other consumers to have higher balances on other unsecured credit lines such as credit cards.  

CFPB Sues Capital One for Cheating Consumers Out of More Than $2 Billion in Interest Payments on Savings Accounts 

The CFPB sued Capital One, N.A. and its parent company, Capital One Financial Corp., for cheating millions of consumers out of more than $2 billion in interest. It is alleged that Capital One promised consumers that its flagship savings account, “360 Savings,” provided one of the nation’s “best” and “highest” interest rates, but instead the bank froze the interest rate at a low level while rates rose nationally. At the same time, Capital One created an identical product, “360 Performance Savings,” that differed from “360 Savings” by paying out substantially more in interest. Capital One failed to notify 360 Savings account holders of the newer product, and instead purposely kept them in the dark. The CFPB alleges that Capital One obscured the new product from the 360 Savings accountholders and cost millions of consumers more than $2 billion in lost interest payments. This lawsuit seeks to stop Capital One’s unlawful conduct, provide redress for harmed consumers, and impose civil money penalties to be paid into the CFPB’s victims relief fund.  

CFPB Orders Operator of Cash App to Pay $175 Million and Fix Its Failures on Fraud 

The CFPB has ordered Block, the operator of the app Cash App, to refund and pay redress to consumers up to $120 million and pay a penalty of $55 million to the CFPB’s victim relief fund. Block employed weak security protocols for Cash App and put its users at risk. Block is required by law to investigate and resolve disputes about unauthorized transactions; however, the company's investigations were incomplete. Block directed users that reported financial fraud to ask their bank to attempt to reverse these transactions. Block also deployed tactics to suppress Cash App users from seeking help, reducing its owner costs.  

Cash App attempted to avoid investigative obligations though tricking consumers with its Terms of Service. In the Terms of Service, consumers were led to believe that disputes were the responsibility of the linked bank. However, this violates Regulation E as it requires peer-to-peer platforms, including Cash App, to investigate disputes directly. When Cash App/Block did investigate these reports, they are intentionally poor investigation practices to close reports in the company’s favor.  

Block also deprived users of effective customer service and left the network vulnerable to criminals. The phone number posted to the back of their Cash Cards and in the app did not connect to customer service. When users searched the web for a phone number for customer service, they were targeted by fraudsters posing as Cash App representatives that tricked them into giving up their passwords and other personal data. Block was aware of this and failed to address the issue.  

League InfoSight Highlight: InfoSight360 Coming First Quarter 2025

For years, InfoSight, CU PolicyPro, and RecoveryPro have stood as leaders in their respective categories, each known for their unique functionality and industry-leading content. We’ve listened closely to credit union feedback and realized that the future is about creating a more unified experience – one where the strengths of our products come together in a way that not only amplifies their individual features but also creates new possibilities. 

In Q1 2025, we will be unveiling InfoSight360, a groundbreaking product combination that brings together the best elements of our three flagship products into one seamless solution. Credit unions using any of our three products will be automatically migrated to InfoSight360 upon its launch. 

This all-new offering promises to redefine how you interact with our technology, bringing comprehensive compliance information, policies, and business continuity planning (BCP) resources together in one place.  

Stay tuned for more information about InfoSight360 and the upcoming launch schedule! 

2025 NCUA Supervisory Priorities 

The NCUA has set their supervisory priorities for 2025! NCUA’s priorities are set each year based on where they see the highest risk to credit union members, the industry, and the Share Insurance Fund. Some trends include loan delinquencies and charge-offs at a high point, return on average assets under pressure from the interest rate environment, and provision for loan and lease loss expenses increasing. That lead the NCUA to focus on these priorities for 2025: 

1.    Credit Risk.

A.   Examiners will review the credit union’s lending and related risk-management practices. This will include loan underwriting standards, collection programs, Allowance for Credit Loss reserves, charge-off practices, management and board reporting, and management of any concentrations of credit risk.

B.   If the credit union outsources any lending, servicing, or collection functions, the examiners will be looking at third-party risk management practices related to those entities.

C.   Modification and workout strategies for borrowers experiencing financial difficulties, including assessing whether efforts were reasonable and conducted with proper controls and management oversight.

2.   Balance Sheet Management and Risk to Earnings and Net Worth.

A.   Examiners will weigh current and prospective sources of earnings and the composition of net worth relative to the credit union’s approved plans and thresholds.

B.    Examiners will consider current and prospective sources of liquidity compared to funding needs to determine the adequacy of the credit union’s liquidity risk-management framework.

C.   Examiners will be reviewing the credit union’s policies, procedures, risk limits, and evaluating the adequacy of the credit union’s risk-management framework.

3.    Cybersecurity.

A.    Examiners will use the information security examination procedures to assess the credit union’s information security programs.

B.    The NCUA also encourages the credit union board of directors to prioritize cybersecurity as a top oversight and governance responsibility, as outlined in their previous letter 24-CU-02.

4.    Consumer Financial Protection.

A.    Overdraft Programs – Policies, procedures, disclosures, fees, account statements, member complaints, internal reviews, and websites. (Policy 7215: Overdraft Protection).

B.    Fair Lending – Policies and practices for identifying and mitigating potential discrimination in real estate valuation practices. (Policy 7120: Fair Lending, Policy 7302: Real Estate Appraisals, 7302.10: Reconsiderations of Value).

C.    Home Mortgage Disclosure Act (HMDA) – Data collection, reporting policies, practices, and transaction testing for applicable credit unions. (Policy 9200: Regulation C: Home Mortgage Disclosure Act).

D.    Military Lending Act – Policies, procedures, compliance management system, and checking/monitoring for military status. (Policy 7213 – Military Personnel Loans).

E.    Electronic Fund Transfer Act (Regulation E) – Policies, procedures related to payments and error resolution. (2615.10: Electronic Fund Transfers, 2615.11: Real-Time Payment Options – Risk and Controls, Error Resolution also addressed in product specific policies such as: Policy 2615: ATM or Debit Cards, Policy 2605: International Remittance Transfers, 7210.10: Credit Cards Program Procedures, etc.).

Many resources directly related to these supervisory priorities can be found within InfoSight, CU PolicyPro, and RecoveryPro to help credit unions prepare for their 2025 examination. If you need assistance, don’t hesitate to reach out to your League/Association, or us directly at info@leagueinfosight.com. 

Glory LeDu 

CEO, League InfoSight & CU Risk Intelligence 

Treasury, IRS Issue Proposed Regulations on New Roth Catch-up Rule, Other Secure 2.0 Act Provisions 

LFG (Looking for Gamers): CFPB Wants to Hear About Your Video Game Loot 

New Protections for Payday and Installment Loans Take Effect March 30 

Regulation Z Adjustment to Asset-Size Exemption Threshold 

HMDA Adjustment to Asset-Size Exemption Threshold 

Treasury, IRS Issue Proposed Regulations on New Automatic Enrollment Requirement for 401(k) and 403(b) Plans 

Strengthening State-Level Consumer Protections 

Federal and State Financial Regulatory Agencies Issue Interagency Statement on Supervisory Practices Regarding Financial Institutions Affected by California Wildfires and Straight-line Winds 

Mortgage Lenders Must Comply with the Law, Not Invent Loopholes 

What We’re Watching: Language Access in Consumer Finance 

IRS Issues Guidance for the District of Columbia and States That Have Paid Family and Medical Leave Programs 

Fraud Victims Hit Again by Scammers Promising to Recover Stolen Cash 

Jan. 23, 2025: NCUA/CDFI Webinar on Grant Opportunities 

Jan. 27, 2025: FCC – Targeting and Eliminating Unlawful Text Messages 

March 2, 2025: CFPB Proposed Rule – Amendments to Regulation V to Limit Data Broker Sales of Personal Information 

July 1, 2025: CFPB and FRB – Reg CC Threshold Adjustments 

July 18, 2025: CFPB – Small Business Lending Data – ECOA 

Oct. 1, 2025: Quality Control Standards AVMs 

Oct. 1, 2025: CFPB: Overdraft Lending: Very Large Financial Institutions (Over $10 billion)

Jan. 1, 2026: NCUA – Succession Planning Effective Date

March 1, 2026: CFPB: Residential Property Assessed Clean Energy Financing (Reg Z) 

April 1, 2026: Compliance Date – CFPB Personal Financial Data Rights for Credit Union’s over $10 billion in assets 

June 19, 2026: NACHA – Fraud Return Reason Code

We would like to enter into an arrangement with a third party to conduct research on behalf of our credit union. Is this permissible under NCUA's privacy regulation? 

NCUA's privacy regulation states that a credit union does not have to follow the opt out requirements when you provide non-public personal information to a non-affiliated third party to perform services for you, as long as you: 

1. Have provided the initial privacy disclosure to your members; and 

2. You entered into a contractual agreement with the third party that prohibits the third party from disclosing or using the information other than to carry out the purposes for which you disclosed the information. 

For your individualized login, select your state below. 

If you have questions about this communication, contact us at 800.546.4465 or via our shared email inbox at compliance@gowest.org.

Have a great weekend!

Your GoWest Compliance Team, 

Copyright © 2023 GoWest Credit Union Association. All Rights Reserved.

Mailing Address:
GoWest Credit Union Association, 18000 International Blvd Ste. 1102, SeaTac, WA 98188, United States
1.800.995.9064

View in Browser | Manage Your Preferences | Unsubscribe