NCUA Releases Letter to Credit Unions About Distributed Ledger Technologies
NCUA recently released NCUA Letter to Credit Unions 22-CU-07 (letter) discussing the use of distributed ledger technologies. NCUA’s tone suggests a “form-agnostic” approach, one championed by NAFCU in a September comment letter to NCUA relating to Digital Assets and Related Technologies RFI, to the use of distributed ledger technologies by federally insured credit unions (FICUs). In its letter, NCUA offers a framework for FICUs interested in dipping their toes in the proverbial distributed ledger technologies-pond and to deploy the technologies for “permissible activities,” so long as FICUs follow both applicable state and federal laws and regulations.
NCUA provides general guidance on how a FICU may evaluate the use of distributed ledger technologies and “signal[s] to the broader financial and technology communities that credit unions are a market to consider when designing products, considering partnerships, or making investments.” NCUA’s letter also emphasizes a rapidly evolving technological environment and acknowledges the additional applications of distributed ledger technologies may require additional due diligence obligations by credit unions and approaches that may go beyond the initial general guidance. In other words, this will likely not be the last NCUA letter relating to this type of technology.
NCUA expects FICUs to treat distributed ledger technologies similar to other “new and emerging” tech, highlighting the need to exercise judgment, sound business practices, and due diligence. The letter directs FICUs to determine the permissibility of the activity and to assess opportunities and risks relative to each activity. The letter also stresses the considerations NCUA suggests FICUs weigh when evaluating the distributed ledger technologies may change based on the technologies’ different applications and to not construe these considerations “as all inclusive.”
NCUA suggests FICUs balance opportunities and risks when approaching distributed ledger technologies. A FICU’s governance, oversight, and planning should, at a minimum, consider the following:
· The credit union’s board of directors is notified of use of the underlying technology, the purpose of the technology, and how using [distributed ledger technologies] aligns with the credit union’s strategic planning objectives and approved risk tolerances;
· Credit union staff and third parties using and managing the technology are complying with applicable laws and regulations and acting in safe-and-sound manner;
· Effective risk-management practices are followed to identify, assess, and mitigate risks associated with [distributed ledger technologies] and the specific activities for which it will be deployed; and
· Risk assessments and audit functions can validate and attest to the effectiveness of risk-mitigation practices in accordance with internal policy and industry leading practices.
NCUA gives additional guidance that may help a FICU develop and later operate distributed ledger technology either internally or through third-party services. The additional guidance identifies several potential risk areas such as information and cybersecurity and third-party risk and accompanying questions a FICU may use as guideposts to address these risk areas in relation to a FICU’s adoption of distributed ledger technologies. The type of questions may change based on why the FICU is adopting distributed ledger technologies.
The NCUA letter outlines a framework for how NCUA expects FICUs to use distributed ledger technologies. With this guidance, NCUA provides a framework for FICUs to “explore the use of [distributed ledger technologies] for business uses to enhance their operations and ongoing competitiveness” while also establishing expectations that FICUs practice good judgment, risk-management, and the know-how to meet these expectations.
As a note, a FICU interested in distributed ledger technologies may also want to review the letter’s footnotes. These footnotes may offer helpful information such as the definition of distributed ledger technology NCUA used when writing the letter, additional information on information and cybersecurity risk, information and definitions relating to smart contracts, and NCUA guidance relating to third-party relationships.
If there are any additional questions regarding distributed ledger technologies, please do not hesitate to contact the NAFCU’s Regulatory Compliance team at firstname.lastname@example.org.
About the Author
Justin joined NAFCU as a regulatory compliance counsel in August 2021. As part of the Regulatory Compliance Team, he provides daily compliance assistance to member credit unions on a variety of topics.