NCUA issues guidelines for FICUs working with third-party providers of digital asset services

A set of guidelines aimed at clarifying federally insured credit unions’ (FICUs) authority to establish relationships with third-party providers that offer digital asset services to their members – along with key safety and soundness considerations – was issued Thursday by the National Credit Union Administration (NCUA) in a letter to credit unions.

The guidelines follow a request for information (RFI) issued in July seeking information about potential and current impacts of the use of digital assets and related technologies on FICUs, related entities, and the NCUA. Regarding some of the share insurance and resolution considerations noted in the RFI, the guidelines include a number of caveats credit unions are expected to communicate so members are aware such products, which are not federally insured, may be highly speculative and may offer no recourse, among other things.

The letter (21-CU-16), signed by agency Chairman Todd Harper, notes that the NCUA does not prohibit federal credit unions from forming relationships with third-party providers of digital asset services, but it points out credit unions’ responsibilities to their members.

“A FICU’s relationship with third parties offering these services and related technologies will be evaluated by the NCUA in the same manner as all other third-party relationships,” states the letter. “This includes a FICU exercising sound judgment and conducting the necessary due diligence, risk assessment, and planning when choosing to introduce or bring together an outside vendor with its members. FICUs should establish effective risk measurement, monitoring, and control practices for such third-party arrangements.”

The guidelines, which are detailed, present four key considerations, including due diligence as well as credit union policies, procedures, and agreements; advertising and conduct in third-party arrangements; and supervisory considerations.

“FICUs are responsible for safeguarding member assets and ensuring sound operations irrespective of whether delivery of services is accomplished internally or through a third-party relationship,” it states in the section on supervision. “Accordingly, when assigning supervisory risk and CAMELS ratings as part of the supervisory process, examiners will evaluate the rigor with which FICUs execute compliance and risk oversight of third-party relationships established to deliver member access to digital asset services.”

Thursday’s letter also gives a list of previous, and still active, letters to credit unions and outside federal agency guidance on topics such as nondeposit investments, third-party relationships, and the application of Financial Crimes Enforcement Network (FinCEN) regulations to certain business models involving convertible virtual currencies.

NCUA Letter 21-CU-16: Relationships with Third Parties that Provide Services Related to Digital Assets (December 2021)