As distributed ledger technology has evolved over the last few years, the National Credit Union Administration (NCUA) has stepped into the unknown and has provided their supervised entities with guidance on the topic. In fact, they published two:

In this article, we will define some terms you need to know, take a deep dive into the guidance, and talk about what changes you might need to make to your cybersecurity program in response.

First, Defining Terms

Have you ever been at a pool and when you go to take a step in, you promptly find out the first step is much farther down than expected, so you just fall in? That's how I feel about this topic. There is no such thing as a casual interest in crypto. You're either out or you can probably relate a little too much to the "it's all connected" guy.

Distributed ledger technology. Digital assets. Cryptocurrency. Bitcoin. Yes, it really is all connected, and no, they don't all mean the same thing, which is why it is important to define these terms first, especially since the guidance does not provide much definition.

(Disclaimer: The next few sections are intentionally a "kiddie pool" level introduction. This article will not cover all the ins-and-outs or even all the key terms related to this world. It exists just to clarify what the terms used in NCUA guidance mean, how they're related, and why they impact credit unions.)

Distributed Ledger Technology (DLT)

"The technological infrastructure and protocols that allows simultaneous access, validation, and record updating in an immutable manner across a network that's spread across multiple entities or locations." (Investopedia)

Before we get into an analogy, there are two other things you need to know:

  1. DLT is synonymous with the term "blockchain technology."
  2. Every transaction performed by DLT is secured via cryptography.

That said, think of DLT like a highway. It's a smart highway. Not only does it help cars get from Point A to Point B, but it also records each car's entire history and can validate anything you would ever want to know. It can tell you when the car was created, where the car came from, where the car is going, how long the car has been at any location in the history of the car's existence, and probably even what road trip snacks were consumed along the way.

Digital Assets

"An asset that is issued and transferred using distributed ledger or blockchain technology." (SEC)

Continuing with the highway analogy, digital assets would be equivalent to the cars. You can't drive these cars just anywhere; they are uniquely created to be driven only on this highway.

Digital assets are split into two categories:

  • Fungible Tokens are unique, but reproducible, like a Ford Focus or a Honda Accord. Each one exists with its own unique identity, but at the same time, there are hundreds of thousands of them produced each year which effectively hold the same value. Cryptocurrencies (e.g., Bitcoin, Etherium, Cardano, Dogecoin, etc.) are an example of a "fungible token."

  • Non-Fungible Tokens (i.e., NFTs) are unique and are not reproducible, like the 1959 Cadillac Miller-Meteor driven in Ghostbusters. It is a one-of-a-kind asset that does not have a comparable trade value.

In the world of digital assets, whichever kind of "car" you choose, it can be purchased using real world money. Due to several factors, certain cars can develop greater values over others. Some factors might include:

  • Brand. For example, Bitcoin is like the Cadillac of cryptocurrency. It's been around the longest and holds its value better than others on the market.

  • Efficiency. Since each asset is secured through cryptography, certain systems (called "miners") go through a mathematical process to verify the asset is legitimate each time it is used. Due to how the assets are "minted," it is much more efficient for miners to verify Etherium than Bitcoin, like how fuel efficiency is better in a 2022 Mini Cooper than a 1975 Dodge Ram.

  • Limited Supply. There are certain "special edition" and "limited supply" assets. For example, some people just think it is really cool to have a DeLorean. The same is true about certain kinds of niche digital assets. For example, the original "Charlie Bit My Finger" video was turned into an NFT, and someone purchased it for more than $760,000. Another example would be Bitcoin. Bitcoin has a finite number of coins which can be minted, which makes it unique in comparison to the U.S. Dollar.

Bottom line, digital assets now exist as a form of currency. Since people exchange dollars for digital assets, this gives them value and has created an entire finance ecosystem outside of the United States financial system.

Credit Union Guidance on DLT and Digital Assets

So, now that we've established what DLT is, the relationship between DLT and digital assets, and why digital assets carry a real-world monetary value, you don't have to cannonball into the deep end to see the impact this could have on financial institutions.

To connect the dots though, money is leaving the U.S. financial system. No single person, company, or country owns DLT, which means it is a self-regulated entity. This makes it appealing to certain populations, but also a volatile investment option and one that can be easily leveraged for nefarious and fraudulent purposes. DLT lacks the consumer protection features U.S. government-backed financial institutions offer. Yet DLT offers privacy, faster payments, novelty, and financial autonomy to name a few reasons why consumers continue to move towards it.

The NCUA asked credit unions for their thoughts on the topic through a "request for information" which was open from July 2021 through October 2021. In response to what they learned, the NCUA published two documents to guide each credit union's relationship with DLT.

Where the Guidance Documents are the Same

Both guidance documents share some common elements related to DLT and digital asset activities. For example, both guidance documents make it clear that federal credit unions:

  • Are not prohibited from engaging in these activities.
  • Are expected to ensure these activities comply with laws and regulations.
  • Are expected to evaluate the risks involved with these activities.
  • Are to be prepared for examiners to "evaluate the rigor" with which these activities are implemented.
  • Are to be prepared for future guidance to be issued on the topic.

Outside these five points, the two guidance documents do not have a lot in common. Both documents feature a unique focus, tone, and recommendations.

The First Guidance

Relationships with Third Parties that Provide Services Related to Digital Assets

  • Focus: This guidance focuses on a specific use case where a credit union would act as a middleman (i.e., "finder") between their members and a third party, helping their members "buy, sell, and hold various uninsured digital assets with the third-party provider outside of the [credit union]."

  • Tone: The tone of the guidance is not necessarily risk averse, but it is certainly risk aware. The guidance places a heavy emphasis on the legal considerations associated with digital assets, referencing various laws and guidance on federal credit union operations, consumer protection, and third-party risk management.

  • Recommendations: While early sections of the guidance focus on existing requirements, the guidance does contribute new recommendations on the following topics:

    • Policies, procedures, and agreements to guide relationships with digital asset service providers.

    • Advertising and conduct to ensure members clearly understand the difference between traditional services provided by the credit union and digital asset services.

The Second Guidance

Federally Insured Credit Union Use of Distributed Ledger Technologies

  • Focus: This guidance has a much broader focus, addressing how credit unions may develop, procure, or use any form of DLT.

  • Tone: The tone of the guidance finds a balance between risks and opportunities, and goes so far as to compare the emergence of DLT with the inception of the internet. The guidance acknowledges "the rapid emergence of financial technology is creating opportunities for credit unions to increase speed of service, improve security, and expand products and services."

  • Recommendations: The guidance contributes a series of recommendations and questions, designed to guide a credit union's discussions around the topic of DLT. Areas of focus include:

    • Governance, oversight, and planning to ensure the Board of Directors, credit union staff, and third parties understand their roles and responsibilities in relation to DLT.

    • Risk and risk-mitigation strategies for information and cybersecurity, legal and compliance, strategic and reputation, liquidity, and third-party risks.

Do I Need to Change My Cybersecurity Program?

I can see how that's one of the first places your mind goes. The answer is: maybe. Here are some questions to guide you through determining if you need to update your cybersecurity program:

"Are DLT and digital asset activities part of the credit union's strategic plan?"

As the NCUA guidance points out, there are a lot of potential threats and opportunities right now. Depending on your credit union's risk appetite, mission, and member needs, DLT and digital assets may or may not be something you want to pursue.

If your credit union does plan to engage with DLT, the next question you'll want to ask is:

"How are we planning to engage?"

There are a million and one ways to engage with this strange new world, from being a finder to minting your own cryptocurrency. How you plan to engage will determine how your cybersecurity program needs to be updated.

Once you have the answer to this question, you can conduct the risk assessments you need, update your cybersecurity policies, oversee your DLT and digital asset third-party service providers, etc.

Tandem works with community credit unions, like yours, to help provide the resources you need for adequate cybersecurity governance, risk management, and compliance (GRC). As you continue to figure out how your credit union is going to engage with the world of DLT, let us know how we can help. If you would be interested in any resources or templates related to this topic, please email info@tandem.app.

See how Tandem can help you build your cybersecurity program at https://tandem.app.