Accounting And Cyber Security Highlight The Summer Regulatory Season

August 3, 2022 at 9:53 am 1 comment

I have some depressing news for you all: It’s August, which means that before you know it, it will be September, and all those things that you have been putting off until the fall will have to get accomplished. 

On that inspiring note, there are some recent developments that I wanted to make you aware of as you continue to sip your gin-and-tonic. 

First, with the caveat that yours truly knows just enough about accounting to know he doesn’t know all that much about accounting, I think you should all take a look at guidance proposed by NCUA and its fellow financial regulators which would for the first time since 2009 update accounting and regulatory principals related to troubled commercial real estate loans.  Even if you don’t deal with commercial real estate, this proposed guidance is a good example of how the advent of CECL will impact the way credit unions with $10M or more in assets will account for troubled debts under GAAP. 

Most importantly, in March of this year the accounting board changed how financial institutions will account for delinquent loans.  The erstwhile TDR is going away.  Ultimately, by the end of 2023, all credit unions subject to GAAP will have to adopt this new standard and the proposed guidance explains how the new accounting approach will impact creditors during and after the transition to the new standard.  Besides the financial regulators have not issued guidance in this area since 2009, and for those of you with commercial real estate the new changes come just in time for the next recession. 

Secondly, NCUA also joined its other financial regulators in issuing a proposed regulation mandating that federally insured credit unions have no more than 72 hours to report a suspected cyber incident.

The proposal would define a cyber incident as “an occurrence that actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information on an information system, or actually or imminently jeopardizes, without lawful authority, an information system.”

This is certainly worthy of its own blog, so stay tuned. 

Entry filed under: Compliance, Regulatory. Tags: , , , , , .

News Flash– Washington Working! New York State Proposes Key Amendments to Cybersecurity Reg

1 Comment Add your own

  • 1. Joy Peterson  |  August 5, 2022 at 11:19 am

    Our Incidence Response Policy has included a requirement for the prompt notification to NCUA since at least 2011. More important than how quickly we notify NCUA is what they plan to do with the information. I think it is equally important to really define what is meant by a cyber incident. Using the definition quoted here, I would have been notifying NCUA of cyber incidents constantly when using a vendor that couldn’t seem to keep their system up and running.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Trackback this post  |  Subscribe to the comments via RSS Feed

Authored By:

Henry Meier, Esq., Senior Vice President, General Counsel, New York Credit Union Association.

The views Henry expresses are Henry’s alone and do not necessarily reflect the views of the Association. In addition, although Henry strives to give his readers useful and accurate information on a broad range of subjects, many of which involve legal disputes, his views are not a substitute for legal advise from retained counsel.

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Join 785 other followers


%d bloggers like this: