Federally Insured Credit Union Use of Distributed Ledger Technologies

Samantha: Hello, this is Samantha Shares.

This episode covers N C U A’s letter
to credit unions number twenty two dash

zero seven Federally Insured Credit Union
Use of Distributed Ledger Technologies

The following is an audio version of
that letter and the press release.

This podcast is educational
and is not legal advice.

We are sponsored by Credit Union
Exam Solutions Incorporated, whose

team has over two hundred and
Forty years of National Credit

Union Administration experience.

We assist our clients with N C
U A so they save time and money.

If you are worried about a recent,
upcoming or in process N C U A

examination, reach out to learn how they
can assist at Mark Treichel DOT COM.

Also check out our other podcast called
With Flying Colors where we provide tips

on how to achieve success with N C U A.

And now the letter.

The National Credit Union
Administration supports initiatives

by federally insured credit unions
to better serve their members.

The rapid emergence of financial
technology is creating opportunities

for credit unions to increase
speed of service, improve security,

and expand products and services.

In this spirit, the Board is exploring
how the agency can provide clarity

around expectations regarding financial
technology adoption to not impede

safe, fair, and responsible federally
insured credit union engagement.

This letter clarifies certain expectations
for credit unions contemplating the

use of new or emerging distributed
ledger technologies (D L T).

The agency does not prohibit
credit unions from developing,

procuring, or using D L T.

D L T used as an underlying technology
by credit unions is not prohibited

if it is deployed for permissible
activities and in compliance with

all applicable laws and regulations,
including applicable state laws or state

supervisory authority requirements.

As with the internet at its inception,
the AGENCY recognizes that new

technologies may transform how
credit unions perform traditional

financial operations and services.

This letter reiterates the importance of
sound governance and planning related to

deploying new technologies like D L T.

While D L T is maturing, the AGENCY
recognizes that cases for implementation

may expand rapidly as the technology
becomes more widespread and credit

unions become more familiar with it.

For this reason, this letter provides
areas for credit unions to consider

when evaluating whether to use D L T.

The AGENCY also recognizes that the
specific application of D L T may

necessitate additional due diligence
by credit unions, and approaches that

vary with some of the more general
guidance provided in this letter.

As such, the AGENCY expects that
this letter may generate follow-up

inquiries where additional
guidance is requested and prudent.

This letter also signals to the broader
financial and technology communities that

credit unions are a market to consider
when designing products, considering

partnerships, or making investments.

As with all new and emerging technology,
the AGENCY expects credit unions

to exercise judgment, apply sound
risk-management practices, and conduct

necessary due diligence when choosing
a platform, product, or service.

When considering D L T, credit
unions should first evaluate the

permissibility of the activity itself
and then assess the opportunities

and risks relative to the activity.

Finally, given the emerging nature of D L
T and its potential use by credit unions,

considerations introduced in this letter
should not be construed as all inclusive.

Governance, Oversight and Planning

As with the development of any new product
or service, when deploying a platform,

product, or service using D L T as part
of the underlying technology, credit

unions should find an appropriate balance
between the opportunities and the risks.

Related project plans and risk
assessments should include examining

internal constraints and obstacles,
and ensuring, at a minimum:

• The credit union’s board of directors
is notified of advancements in the

underlying technology, the purposes of
the technology, and how using D L T aligns

with the credit union’s strategic planning
objectives and approved risk tolerances.

• Credit union staff and third parties using
and managing the technology are complying

with applicable laws and regulations
and acting in a safe-and-sound manner.

• Effective risk-management practices
are followed to identify, assess,

and mitigate risks associated with
D L T and the specific activities

for which it will be deployed.

• Risk assessment and audit functions
can validate and attest to the

effectiveness of risk-mitigation
practices in accordance with internal

policy and industry leading practices.

Risk and Risk-Mitigation Strategies

All technology and systems
have inherent risks.

Credit unions are responsible for
ensuring sound operations whether

delivery of services is accomplished
internally or through third parties.

For example, the AGENCY recognizes
third-party relationships may be

valuable to credit unions in facilitating
implementation and use of, and member

access to, new and emerging technology.

Inadequately managed and controlled
third-party relationships, however, can

result in harm to members, unanticipated
costs, legal disputes, and financial loss.

Therefore, effective risk
management is important.

Credit unions must identify, assess, and
mitigate risks associated with D L T.

Credit unions should consider
specific questions related to D L

T as part of their due diligence
efforts and ensure activities are

permissible and in compliance with
all applicable laws and regulations.

Depending upon the characteristics
of the D L T being deployed and

how it is being used, other risk
factors may merit consideration.

Credit unions should employ a
comprehensive approach to risk

identification, assessment, and
mitigation as part of the development

and implementation of D L T.

In cases where vendor-provided solutions
are considered, the responsibility

to identify, understand, and mitigate
material risks resides with the

board and management of the credit
union and not solely the vendor.

Depending on the purpose for which
the D L T is being implemented,

credit unions should consider the
following questions, among others:

Information and Cybersecurity Risk

• What are the primary characteristics
of the D L T network architecture?

• Does the D L T exist within
a private or public network?

• Has the risk of compromise related to many
points of entry (nodes) been assessed?

• Are consensus mechanisms built
into the D L T architecture

immune to external exploitation?

• How are permissions and identity
management credentials managed?

• By whom and how is governance
over the network conducted?

• What are the data quality
control expectations among

participants within the network?

• Are D L T solutions deployed
within a strictly governed

coding process in accordance
with industry leading practices?

Legal and Compliance Risk

• Have the potential legal and compliance
risks been assessed, including those

related to maintaining confidentiality,
privacy, data security, recordkeeping,

and consumer and fraud protections?

• When deploying the D L T, will the credit
union comply with applicable laws and

regulations, such as requirements of the
Bank Secrecy Act (BSA), including customer

due diligence, “Know Your Customer,”
and anti-money laundering requirements?

• Are each of the nodes on the
D L T network BSA compliant?

• If the application involves the
use of smart contracts, is testing

of the underlying architecture
in place and documented?

Has the credit union confirmed with
whom and to what extent oversight,

governance, and maintenance of the smart
contract application reside and exist?

Strategic and Reputation Risk

• Have potential strategic and reputational
risks related to the D L T been

identified, assessed, and mitigated?

• Are consensus mechanisms built
into the D L T architecture

well understood by management?

• Is a process in place to monitor
emerging risks and changes in technology?

Can the credit union or third-party
apply changes in deployment and

internal controls in response?

• Do contracts with third-party
vendors provide reasonable “exit

strategies” in the event of
deterioration in financial condition

or service delivery by the vendor?

Liquidity Risk

• Have potential liquidity risks been
identified, assessed, and mitigated?

Third-Party Risk

• Have potential legal and compliance risks
associated with new-entry participants

and third-party agreements been assessed?

• Have the appropriate due diligence steps
been taken in the selection of the third

party before entering a D L T arrangement?

Has AGENCY’s existing guidance on
evaluating third-party relationships and

third-party due diligence been reviewed?

Conclusion

Examples of current and evolving use
of D L T in various applications exist

within the credit union industry and
larger financial services sector.

This letter explains that credit unions
may appropriately use D L T as an

underlying technology and highlights a
variety of relevant issues credit unions

should evaluate prior to deployment.

Credit unions can responsibly
explore the use of D L T for business

uses to enhance their operations
and ongoing competitiveness.

Credit unions must remain alert to
new or evolving risks posed by use of

an emerging technology or approach.

The AGENCY expects credit unions to
exercise good judgment and apply sound

risk-management practices when choosing
to offer a new platform, product,

or service, including where D L T is
part of the underlying technology.

These reviews include evaluating
the permissibility of the activity

itself and the opportunities
and risks associated with any

underlying technology, such as D L T.

Examiners will evaluate the rigor with
which credit unions exercised good

judgement, applied sound risk management,
and executed compliance and risk oversight

of acquisition or development and
deployment of new systems and technology.

The AGENCY supports innovations that
are safe and sound, in compliance

with all applicable laws and
regulations, and fair to consumers.

The AGENCY also believes that D L
T-related activities are rapidly

evolving, and present questions and
evolving risks not yet well understood.

The AGENCY reserves the right to
issue future guidance, as appropriate.

This concludes the AGENCY Letter to credit
unions on Federally Insured Credit Union

Use of Distributed Ledger Technologies.

If your Credit union could use assistance
with your exam, reach out to Mark Treichel

on LinkedIn, or at mark Treichel dot com.

This is Samantha Shares and
we Thank you for listening.

Federally Insured Credit Union Use of Distributed Ledger Technologies
Broadcast by