In a guidance letter to regulated entities, the National Credit Union Administration (NCUA) has provided information and recommendations on the use of distributed ledger technology (DLT), more commonly referred to as blockchain.
According to the NCUA, any project relating to DLT should include an examination of internal restraints and, at a minimum, the following:
- The credit union’s board of directors is notified of advancements in the underlying technology, the purposes of the technology, and how using DLT aligns with the credit union’s strategic planning objectives and approved risk tolerances.
- Credit union staff and third parties using and managing the technology are complying with applicable laws and regulations and acting in a safe-and-sound manner.
- Effective risk-management practices are followed to identify, assess, and mitigate risks associated with DLT and the specific activities for which it will be deployed.
- Risk assessment and audit functions can validate and attest to the effectiveness of risk-mitigation practices in accordance with internal policy and industry leading practices.
The NCUA also provided a list of questions to consider regarding risk-mitigation strategies when developing or using DLT. The list included questions relating to information and cybersecurity risks, legal and compliance risks, strategic and reputational risks, liquidity risks, and third-party risks.
“Credit unions must remain alert to new or evolving risks posed by use of an emerging technology or approach,” the letter concluded. “The NCUA expects credit unions to exercise good judgment and apply sound risk-management practices when choosing to offer a new platform, product, or service, including where DLT is part of the underlying technology. These reviews include evaluating the permissibility of the activity itself and the opportunities and risks associated with any underlying technology, such as DLT. Examiners will evaluate the rigor with which credit unions exercised good judgement, applied sound risk management, and executed compliance and risk oversight of acquisition or development and deployment of new systems and technology.”