December 2025

Each year, regulatory thresholds are adjusted to account for inflation. The following policies have been updated to reflect these threshold adjustments effective January 1, 2026. 

• 2210.14 - Health Savings Accounts (REDLINED)
• 7350 - Ability to Repay (REDLINED)
• 9220 - Home Ownership and Equity Protection Act (REDLINED)
• 7302 - Real Estate Appraisals (REDLINED)
• 7370 - HOEPA Rule Requirements (REDLINED)

Changes have been made to the Succession Planning Policy/Plan and some associated materials to reflect the training requirements for the succession planning rule and to provide some additional consistency with terminology.

• 1520 - Succession Planning (REDLINED)
• 1520.10 - Succession Plan (REDLINED)
• 1100.15 - Education and Volunteer Training Guidelines (REDLINED)
• 1100.12 - Board of Director's Duties (REDLINED)

November 2025

As the usage of artificial intelligence continues to evolve, this policy will continue to evolve to keep pace with expectations for the safe, ethical, and compliant use of AI.  With the publication of the National Institute of Standards and Technology Artificial Intelligence Risk Management Framework (AI RMF), credit unions now have a foundation upon which to build.  More was added to this policy to assist in developing a more comprehensive program, along with more specific examples such as key controls and risks.  (Recommended)

• 4500 - Artificial Intelligence (REDLINED)

Policy 7510 was revised to reference and incorporate compliance with the Servicemembers Civil Relief Act (SCRA) and Military Lending Act (MLA).  Additional revisions were made to reference the requirement to follow state law, and follow internal policies on loan workouts.

• 7510 - Collection Process (REDLINED)

Policy 2245 is being updated to include two new key fields for credit unions to include the actual age as defined in their state for a senior citizen/elder and vulnerable adult, under financial abuse laws.  Since each state defines this differently, the credit union will need to research and update their policy accordingly.  Other minor changes were made to the policy to improve readability.

• 2245 Elder and/or Vulnerable Adult Protections (REDLINED)

Policy 2290 was updated to clarify that the member has one year from receipt of confirmation that a wire transfer has been sent in their name to object to the payment, under the Uniform Commercial Code (Article 4A), along with reference to the specific applicability of Subpart B of Regulation E for International Remittance Transfers.

• 2290 Wire Transfers (REDLINED)

Quarterly Update (June - October, 2025)

October 2025

•  Overview of Changes (June 2025 - October 2025).docx
•  1615 - Privacy and Confidential Information (REDLINED).docx
•  2225 - Digital Banking (REDLINED2).docx
•  2225.10 - Anti Phishing (REDLINED).docx
•  4120 - Information Security (REDLINED).docx
•  4125 - Incident Response (REDLINED).docx
•  7302.10 - Reconsiderations of Value Final (REDLINED).docx

September 2025

•  1100.15 - Education and Volunteer Training Guidelines (REDLINED).docx
•  2400 - Funds Availability (REDLINED).docx

August 2025

•  2110 - BSA-Anti-Money Laundering Program (REDLINED).docx

June 2025

•  4125.10 - Corporate Account Takeover (REDLINED).docx

Quarterly Update (May, 2025)

May 2025

•  Overview of Changes - May 2025.docx
•  1240 - Enterprise Risk Management (REDLINED).docx
•  1520 - Succession Planning (REDLINED).docx
•  1520.10 - Succession Plan (REDLINED).docx
•  1520.20 - Associate Board Member (NEW).docx
•  2145 - Office of Foreign Assets Control (REDLINED).docx
•  2185 - Vendor Management (REDLINED).docx
•  2205 - Unlawful Internet Gambling (REDLINED).docx
•  2223 - COPPA (REDLINED).docx
•  7140 - Loan Add On Products (REDLINED).docx
•  7244 - Integrated-Mortgage-Disclosures-(REDLINED).docx
•  7303 - Real Estate Appraisals Appendices (REDLINED).docx

November 2025

Section 1673 - Full Cyber Incident Life Cycle was updated to change the NCUA ACET link to the CISA CPG Checklist (recommended)

• 1673 - Full Cyber Incident Life Cycle (REDLINED)

January 2025

The NCUA has new cyber incident reporting requirements and an updated webform to make these reports. Sections 1640 and 1654 were updated in response to the availability of the new webform.

•  January 2025 Overview RecoveryPro.docx
•  1640 - Cyber Incident Contacts (REDLINE).docx
•  1654 - Cyber Incident Reporting (REDLINE).docx

November 2024

Several sections of the Cyber Incident Response content had minor updates due to recent examiner feedback. One new section (1663: NCUA Guidance – SAR Reporting in a Cyber Incident) was added to the Model BCP.

•  November 2024 Overview RecoveryPro.docx
•  1600 - Introduction (REDLINED).docx
•  1640 - Cyber Incident Contacts (REDLINED).docx
•  1663 - NCUA Guidance - SAR Reporting in a Cyber Incident (NEW CONTENT).docx
•  1671 - Cyber Incident Scenario Examples (RECLINED).docx
•  1673 - Full Cyber Incident Life Cycle (REDLINED).docx