Relationships with Third Parties that Provide Services Related to Digital Assets

21-CU-16 / December 2021
To: Federally Insured Credit Unions
Subject: Digital Assets/Cryptocurrency
Status: Active

Dear Boards of Directors and Chief Executive Officers:

The purpose of this letter is to provide clarity about the already existing authority of federally insured credit unions (FICUs) to establish relationships with third-party providers that offer digital asset services to the FICUs’ members, provided certain conditions are met. This includes third-party provided services to allow FICU members to buy, sell, and hold uninsured digital assets with the third-party provider outside of the FICU. Digital assets are one of many terms used to describe distributed ledger technology (DLT) based tokens.1

As insurer, the NCUA does not prohibit FICUs from establishing these relationships. The authority for federal credit unions (FCUs) to establish these relationships is described in section II of this letter. The authority for federally insured, state-chartered credit unions (FISCUs) to establish these relationships will depend upon the laws and regulations of their states.

A FICU’s relationship with third parties offering these services and related technologies will be evaluated by the NCUA in the same manner as all other third-party relationships. This includes a FICU exercising sound judgment and conducting the necessary due diligence, risk assessment, and planning when choosing to introduce or bring together an outside vendor with its members. FICUs should establish effective risk measurement, monitoring, and control practices for such third-party arrangements.

I. Background

In July 2021, the NCUA Board issued a request for information with the aim of gathering information and soliciting comments from interested parties about the current and potential impact on FICUs, related entities, and the NCUA of activities connected to digital assets and related technologies.2 Comments on this request for information were due by October 27, 2021.3 The NCUA has been reviewing the comments received and studying the various issues raised.

Based on these comments, inquiries received, and activity in the marketplace, the NCUA is now clarifying that the NCUA does not prohibit FICUs from partnering with third-party providers of digital asset services that leverage evolving technologies. This includes facilitating member relationships with third parties that allow FICU members to buy, sell, and hold various uninsured digital assets with the third-party provider outside of the FICU. FICUs should conduct adequate due diligence and ensure compliance with all applicable laws and regulations when engaging in any such activity to ensure safety and soundness; comply with consumer financial protection, investor protection, and anti-money laundering/terrorism finance laws; and protect cybersecurity.

As with other evolving technological changes, the NCUA acknowledges further guidance may be needed as questions continue to arise related to digital assets and DLT. This may include potential regulatory and statutory changes in the future.4 The NCUA encourages interested parties to contact the agency with suggestions that would provide further clarity and certainty.

The NCUA also recognizes that some activities in the digital asset sector fall within the jurisdiction of other regulatory agencies, including the Securities and Exchange Commission, the Commodity Futures Trading Commission, the Financial Crimes Enforcement Network (FinCEN), and individual state agencies. FICUs interested in this sector should be cognizant of this fact. The NCUA will continue to study and address these issues.

II. Authority to Connect Members with Third-Party Providers and Related Legal Considerations

FCUs may continue to act as a finder to bring together their members and providers of third-party services, including services related to digital assets. As noted above, FISCUs should look to applicable state laws and regulations.

The Federal Credit Union Act (FCU Act) authorizes an FCU “to exercise such incidental powers as shall be necessary or requisite to enable it to carry on effectively the business for which it is incorporated.”5 Part 721 of the NCUA’s regulations implements the incidental powers provision of the FCU Act.6

Introducing members to third parties that may provide members with services related to digital assets is permissible as it: (1) is useful in carrying out an FCU’s business because it facilitates member services that allow an FCU to serve as their members’ primary financial institution; (2) is the logical outgrowth of an FCU’s business, including its role in serving as its members’ primary financial institution; and (3) involves risks similar in nature to those FCUs already assume in serving their members, including referring members to various third-party service providers of other non-deposit financial products and services.

FCUs performing finder activities must ensure compliance with §721.7 of the NCUA’s regulations, which details the potential conflicts of interest for officials and employees when FCUs engage in activities approved under part 721.7

FICUs engaging in this sector must ensure their compliance with all applicable federal and state laws. For FCUs, §721.5 states that FCUs “must comply with any applicable NCUA regulations, policies, and legal opinions, as well as applicable state and federal law, if an activity authorized under this part is otherwise regulated or conditioned.”8 Activities related to digital assets may be subject to laws and regulations administered by other state and federal agencies.

Although FCUs are permitted to perform administrative functions in connection with finder activities, they should be cautious that these functions do not create an agency or brokerage relationship and trigger compliance problems under any applicable laws. Further, it is of paramount importance to the NCUA that a FICU exercising its incidental powers authority under part 721 of the NCUA’s regulations or state law should continue to comply with all applicable laws and sound business practices with respect to: 1) consumer financial and investor protection; 2) cybersecurity; 3) Bank Secrecy Act and anti-money laundering; 4) Office of Foreign Assets Control sanctions requirements; and 5) other safety-and-soundness practices.

III. Further Guidance and NCUA’s Examination of Federally Insured Credit Unions

While both the NCUA and FICUs are continuing to understand the opportunities and risks that come with various digital asset activities, the framework under which FCUs may connect their members to third-party service providers has not changed. As noted above, FCUs are not limited in the types of products and services they may introduce to their members through third parties, but should exercise sound judgment and due diligence when choosing to introduce or bring together an outside vendor with its members. FCU management should have a complete understanding of the products and services it introduces to members through third-party providers. As always, FICUs must act in accordance with all applicable laws, including those designed to ensure safety and soundness; comply with consumer financial protection, investor protection, and anti-money laundering/terrorism finance laws; and protect cybersecurity.

A. Scope

The guidelines in this letter provide assistance to FICUs bringing together outside vendors with their members, so the two parties may negotiate and consummate transactions and other services related to digital assets.9 Depending on the nature of the digital asset products and services provided, FICUs may look to various letters to credit unions and other guidance for further assistance, including:

  • guidance on sales of nondeposit investments;10
  • guidance on evaluating third-party relationships11 and third-party due diligence;12
  • guidance on web linking;13
  • the Federal Financial Institutions Examination Council (FFIEC) IT Handbook on Outsourcing Technology Services;14 and
  • the FinCEN letter on the application of FinCEN’s regulations to certain business models involving convertible virtual currencies.15

While this letter provides some guidance specific to relationships with third-party providers of digital asset services and related technologies, safe-and-sound practices depend upon the nature of the third-party relationship and the specific services and technologies provided. As such, FICUs are encouraged to look to the existing guidance documents referenced above and any other applicable guidance as their situation may dictate. The NCUA recognizes that issues involving digital assets and DLT are rapidly evolving and will look to provide further clarifications and guidance, as appropriate.

B. General Guidelines

FICUs must comply with applicable laws and should follow safe-and-sound business practices in the provision of digital asset services through third-party arrangements. FICUs should fully evaluate the risks involved with digital asset activities, including legal risks, reputation risks, and economic risks. In light of the rapidly changing technological environment and the variety of digital asset products and services available, FICUs should actively monitor that they, and the third-party service providers they facilitate member relationships with, remain in ongoing compliance with all laws. FICUs should ensure that effective risk measurement, monitoring, and control practices are in place to successfully manage such third-party arrangements once established.

1. Due Diligence

FICUs should take care to select an appropriate third-party service provider before entering into an arrangement that allows for the provision of digital asset services to the FICUs’ members. In selecting a third-party service provider, FICUs should review NCUA’s existing guidance on evaluating third-party relationships16 and third-party due diligence.17

2. Credit Union Policies, Procedures and Agreements

A FICU should adopt written policies and procedures concerning third-party provision of digital asset services to ensure appropriate internal controls and ongoing compliance with applicable law. FICUs should consider engaging legal counsel to evaluate their policies, procedures, and contractual agreements. This may be particularly useful given the breadth and rapid evolution of the digital asset sector.

FICUs should have a written agreement outlining the duties and responsibilities of each party in a third-party arrangement. Contracts with third-party providers of digital asset services should reflect the FICU’s policies and procedures about these arrangements. The FICU’s policies, procedures, and contracts should at least address the following:

  • The features of the program. FICU policies and agreements should describe the types of digital asset products, services, and technologies a third-party provider may offer through the third-party arrangement. For all products, the FICU should identify specific laws, regulations, and any other limitations or requirements, including qualitative considerations, that will expressly govern the selection and marketing of products a third party may offer. Qualitative considerations include an analysis of the level of complexity and volatility in the digital assets the FICU will permit the third party to offer members. For example, comprehensive quantitative and qualitative data (such as key ratios, dollar amounts, and risk parameters, among others) should be prepared and presented to the FICU’s management and board of directors for review.
  • A description of the responsibilities of the FICU and the third party. FICU policies and contracts should make clear that the third-party digital asset service provider is responsible for ensuring the digital asset services are conducted in compliance with all applicable laws and policies. The FICU should maintain the right to check for compliance and access member accounts for verification and oversight.
  • Indemnification by the third party. FICUs should require contracts with third parties to include provisions to indemnify the FICU for any monetary damages arising from the provision of digital asset services, including fraud.
  • The roles of the FICU and the third party. Policies should describe the roles of FICU employees in performing administrative functions to facilitate transactions between members and the third parties, including the limits on their activities.
  • The location of nondeposit sales. FICU policies should describe the method by which nondeposit sales are made and how those sales will be logically separated from deposit-taking activities.
  • The use and disposition of FICU member information. Policies should describe the information that may be transferred between the FICU and the third party. The policies and contracts should describe how such information will be used, where and how the information will be stored and safeguarded, and the associated privacy notices to be provided to members. The policies and contract terms should comply with all applicable laws. The third party should agree in writing to comply with the FICU’s policies on information practices.
  • Termination of the contract. Contracts should contain a provision that permits the FICU to terminate the contract for both cause and for the convenience of the FICU.
  • Ongoing compliance with the requirements of all applicable law. FICUs should maintain programs to monitor compliance by the third party and any other entities involved in providing digital asset services to members. The compliance function should include a system that monitors member complaints and periodically reviews and randomly samples member account activity to look for evidence of abuse. FICUs should also provide regular, periodic compliance reports to their boards of directors to ensure appropriate oversight.

3. Advertising and Conduct in Third-Party Arrangements

FICUs offering members the opportunity to obtain digital assets and related services through a third-party arrangement must neither mislead nor confuse members as to the nature or risks of these uninsured products.18 To avoid member confusion, third parties should not offer products with a product name that is intentionally similar to a FICU’s name.

When selling, advertising, or otherwise marketing uninsured digital assets to members, members should be informed that the products offered:

  • are not federally insured;
  • are not obligations of the FICU;
  • are not guaranteed by the FICU;
  • are or may be heavily speculative and volatile;
  • may have associated fees;
  • may not allow member recourse; and
  • are being offered by a third party.

These disclosures should be made in writing and in a location and type size that are clear and conspicuous to the member. Oral disclosures should also be made as part of any oral presentation or customer support.

FICU policies should specifically address the methods by which digital asset services will take place, including public-facing online services and those offered through mobile banking. The FICU’s routine deposit-taking activities should be physically separated from nondeposit product sales functions to emphasize that important differences exist between these activities, such as the degree of risk and insurability. If limited office space makes physical separation of these functions impractical, nondeposit product sales and deposit-taking may be conducted in close proximity to each other if appropriate disclosures, as described above, are made to members. For services offered online and in mobile banking applications, FICUs should refer to any previously issued guidance, including guidance on web linking.19

IV. Supervisory Considerations

The NCUA recognizes third-party relationships may be valuable to FICUs in facilitating member access to the new and emerging digital asset services currently evolving within the marketplace. However, FICUs are responsible for safeguarding member assets and ensuring sound operations irrespective of whether delivery of services is accomplished internally or through a third-party relationship. Accordingly, when assigning supervisory risk and CAMELS ratings as part of the supervisory process, examiners will evaluate the rigor with which FICUs execute compliance and risk oversight of third-party relationships established to deliver member access to digital asset services.

V. Additional Information

Please contact your NCUA Regional Office if you have any questions about relationships with third-party providers that offer digital asset services.

Sincerely,

/s/

Todd M. Harper
Chairman

Footnotes


1 There are a number of terms used to describe DLT-based tokens including virtual currencies, cryptocurrencies, crypto-assets, utility tokens, and digital assets.

2 86 FR 40213 (July 27, 2021).

3 86 FR 53692 (Sept. 28, 2021).

4 See, e.g., President’s Working Group on Financial Markets, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency, Report on Stablecoins, available at https://home.treasury.gov/system/files/136/StableCoinReport_Nov1_508.pdf.

5 12 U.S.C. 1757(17).

6 12 CFR part 721.

7 12 CFR 721.7.

8 12 CFR 721.5.

9 As noted throughout this letter, FISCUs should look to state law in determining their authority to facilitate these relationships.

10 Letter to Federal Credit Unions, 10-FCU-30, “Sales of Nondeposit Investments.”

11 See Letter to Credit Unions, 07-CU-13, “Evaluating Third Party Relationships” and Letter to Credit Unions, 08-CU-09, “Evaluating Third Party Relationships Questionnaire.”

12 Letter to Credit Unions, 01-CU-20, “Due Diligence Over Third Party Service Providers.”

13 Letter to Credit Unions, 03-CU-08, “Web linking: Identifying Risks & Risk Management Techniques.”

14 FFIEC IT Booklet, “Outsourcing Technology Services,” June 2004.

15 FIN-2019-G001, “Application of FinCEN’s Regulations to Certain Business Models Involving Convertible Virtual Currencies,” (May 9, 2019).

16 See Letter to Credit Unions, 07-CU-13, “Evaluating Third Party Relationships” and Letter to Credit Unions, 08-CU-09, “Evaluating Third Party Relationships Questionnaire.”

17 See Letter to Credit Unions, 01-CU-20, “Due Diligence Over Third Party Service Providers.”

18 12 CFR 740.2.

19 Letter to Credit Unions, 03-CU-08, “Web linking: Identifying Risks & Risk Management Techniques.”

Last modified on 01/07/22