On May 25, 2022, the US National Credit Union Administration (“NCUA”) issued an industry letter authorizing federally insured credit unions to use distributed ledger technologies (“DLT Letter”).1 The DLT Letter also describes some of the agency’s supervisory expectations for governance and risk management of DLT and notes that any use must comply with other applicable law.
The DLT Letter addresses the use of DLT as an underlying technology to support otherwise permissible activities of a credit union. It does not authorize specific uses of DLT, such as issuing cryptocurrency or validating digital asset transactions. However, it also does not require prior approval from the NCUA for DLT activities or explicitly prohibit any activities involving DLT. Therefore, the path for credit union involvement in digital asset innovation remains open and may present fewer obstacles than the route for banks.
In this Legal Update, we summarize the DLT Letter and discuss its possible implications for credit unions.
The DLT Letter does not define the term “DLT,” but the NCUA historically has defined it as “a shared electronic database where copies of the same information are stored on a distributed network of computers.”2 The DLT Letter states that the use of DLT “as an underlying technology by credit unions is not prohibited if it is deployed for permissible activities and in compliance with all applicable laws and regulations.”
The DLT Letter notes that DLT is a new and emerging technology and, therefore, should be subject to sound governance and risk management practices. A credit union may rely on a third-party vendor for support with DLT but cannot place these responsibilities solely on a vendor.
For governance, the NCUA’s expectations include notifying the credit union's board prior to deploying DLT and ensuring that the credit union and third parties comply with applicable laws and act in a safe and sound manner.
For risk management, the NCUA’s expectations include the application of a comprehensive risk management framework to the proposed DLT and consideration of relevant risks. The DLT Letter notes that relevant risks for DLT include information and cybersecurity risk, legal and compliance risk, strategic and reputation risk, liquidity risk and third-party risk.
Additionally, the DLT Letter states that credit unions should conduct appropriate due diligence of proposed DLTs and ensure that the activity being supported by the DLT is permissible for credit unions and will be conducted in compliance with applicable law, including applicable state law.
The DLT Letter builds on the agency’s prior engagement with the digital assets industry. Most notably, in July 2021, the NCUA issued a request for information on how digital assets and related technology may affect the credit union industry.3 This was followed in December 2021 with a letter that explicitly authorized credit unions to establish relationships with third-party vendors that offer digital asset services to a credit union’s members, subject to appropriate risk management practices.4
The DLT Letter is noteworthy in its own right in that it implies no prior approval from the NCUA is required for a credit union to use DLT.5 Rather, it states that the agency expects credit unions to use good judgment in deploying DLTs and indicates that NCUA examiners will review that judgment on a retrospective basis (i.e., after the credit union has implemented the DLT). This is in contrast to the landscape confronting banks, where the Office of the Comptroller of the Currency and Federal Deposit Insurance Corporation have stated that banks must obtain prior approval to use DLT in connection with cryptocurrency activities.6
The DLT Letter does not authorize credit unions to use DLT for specific activities, such as issuing cryptocurrency or validating digital asset transactions. Instead, it states that DLT may be used with any activity that otherwise is permissible for the credit union (again, subject to appropriate risk management practices). It therefore leaves open the door to future NCUA determinations that specific digital asset activities are permissible for credit unions. As with the banking regulators, we expect to see significant engagement from the digital asset and credit union industries on which activities should or should not be deemed permissible.
2 86 Fed. Reg. 40,213 (July 27, 2021).
3 86 Fed. Reg. 40,213 (July 27, 2021).
4 NCUA, 21-CU-16 (Dec. 16, 2021).
5 A statement from NCUA Vice Chairman Kyle Hauptman indicates that some credit unions already are using DLT, but that the agency felt it necessary to issue the DLT Letter to clarify that credit unions generally should feel comfortable pursuing DLT if they are interested. See https://www.ncua.gov/newsroom/speech/2022/ncua-vice-chairman-kyle-s-hauptman-statement-credit-union-use-distributed-ledger-technologies-letter.
6 See OCC, NR 2021-121 (Nov. 23, 2021); FDIC, FIL-16-2022 (Apr. 7, 2022). Please see our Legal Update on the OCC’s prior approval requirement: https://www.mayerbrown.com/en/perspectives-events/publications/2021/11/us-banking-regulators-release-roadmap-for-cryptorelated-activities-by-banks.