NCUA headquarters, Washington, D.C. Credit/NCUA

The NCUA on Wednesday unveiled four separate proposed rules scheduled to be published in the Federal Register, each aimed at streamlining regulations and reducing prescriptive or outdated requirements for federally insured credit unions and corporate credit unions. The proposals touch on cybersecurity guidance, supervisory committee audits, and corporate governance, continuing the agency’s broader effort to distinguish binding regulations from advisory material and to modernize its oversight framework.

Two of the proposals focus on Part 748, the NCUA’s rules governing information security and incident response. The agency is seeking to remove Appendix A (safeguarding member information) and Appendix B (breach response and member notification), clarifying that both appendices are guidance, not enforceable rules. NCUA said publishing these materials as Letters to Credit Unions, rather than embedding them in the Code of Federal Regulations, will allow more flexible updates and reduce confusion about compliance expectations. The changes would not alter any underlying Gramm-Leach-Bliley Act or Part 748 requirements.

A third proposed rule would amend Part 715, which governs supervisory committee audits. The NCUA aims to eliminate redundant provisions, remove rigid definitions, streamline auditor engagement requirements, and strike regulatory language that is already addressed under federal statute or generally accepted auditing standards. The agency said the revisions would reduce burden while preserving the integrity of the audit process.

The fourth rule targets Part 704 for corporate credit unions. It proposes removing the requirement that a corporate’s Asset and Liability Committee include a member of the board of directors, and it would eliminate longstanding filing requirements for annual reports and auditor management letters. NCUA emphasized that examiners retain full access to these materials and that the filing mandates provide little marginal benefit.

Comments on all four proposals are due 60 days after publication.

Takeaways by Filing:
1. Appendix B – Incident Response & Member Notice

  • Removes breach-response guidance from the CFR
  • Reissued as Letter to Credit Unions
  • No change to Part 748 requirements
  • Aims to clarify what is binding vs. advisory
2. Appendix A – Safeguarding Member Information

  • GLBA security guidelines removed from CFR
  • Maintained as nonbinding guidance
  • Streamlines information-security regulations
  • Enhances flexibility for future updates
3. Supervisory Committee Audits (Part 715)

  • Reduces prescriptive definitions and duplicative rules
  • Eases engagement-letter and reporting requirements
  • Drops redundant language on audit access and objectives
  • Maintains overall audit rigor and compliance structure
4. Corporate Credit Unions (Part 704)

  • Eliminates board-member requirement on ALCO
  • Removes annual report and management-letter filing mandates
  • Retains examiner access to audit materials
  • Increases governance and operational flexibility

NOT FOR REPRINT

© Arc, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to TMSalesOperations@arc-network.com. For more information visit Asset & Logo Licensing.