NCUA Issues Updated AI Resource Hub
On December 22, the National Credit Union Administration (NCUA) updated its Artificial Intelligence (AI) resource page to consolidate key technical and policy references for federally insured credit unions. This page is part of NCUA’s broader cybersecurity and financial technology resources and is explicitly framed as support for evaluating and performing due diligence on third-party AI vendors.
The updated page links AI oversight back to existing NCUA guidance on third-party relationships, including 07-CU-13 (Evaluating Third Party Relationships) and 01-CU-20 (Due Diligence Over Third Party Service Providers).
AI Usage in Credit Unions
NCUA notes that credit unions are increasingly using AI to enhance member service, streamline operations, and maintain competitiveness while also facing AI-specific risks. These risks include:
- Algorithmic opacity
- Fair lending concerns
- Data privacy and security
- Operational resilience
- Model risk
The resources on the page are presented as tools to help address these issues rather than as new regulatory requirements.
AI Governance and Risk Management
For AI governance, NCUA directs credit unions to the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) AI resources. NIST’s materials provide a structured approach to AI design, development, governance, and use, including practical recommendations for managing risks to individuals and organizations.
NCUA highlights that these resources may assist credit unions in developing “trustworthy” AI systems that align with their cooperative, member-focused mission. Additionally, NCUA references a Committee of Sponsoring Organizations (COSO) of the Treadway Commission paper titled “Realize the Full Potential of Artificial Intelligence,” which applies the COSO enterprise risk management framework to AI.
AI Data Security and Secure Deployment
The NCUA resource page points to two AI-focused publications from the Cybersecurity and Infrastructure Security Agency (CISA). The first publication is a Cybersecurity Information Sheet on AI Data Security, which discusses securing the data that powers AI systems across their lifecycle, including:
- Data supply chain security
- Protection against maliciously modified data
- Managing data drift to preserve the integrity and accuracy of AI-driven decisions
NCUA notes that these materials may assist credit unions in building data security frameworks for AI training and operational data.
The second CISA document, “Deploying AI Systems Securely,” addresses methods for securely deploying and operating AI systems developed by external entities. It covers issues such as:
- Protecting model weights
- Implementing secure APIs
- Establishing continuous monitoring protocols for AI systems in production
AI in Financial Services and Deepfake-Driven Fraud
To place AI in a financial sector context, NCUA references a U.S. Department of the Treasury report, “Artificial Intelligence in Financial Services.” This report examines traditional AI and generative AI use cases, addressing data privacy and security standards, bias and explainability challenges, consumer protection issues, concentration risk, and third-party vendor management related to AI technologies.
NCUA suggests that credit unions can use this report to better understand the regulatory landscape and risk mitigation expectations as they evaluate AI tools. Furthermore, NCUA highlights a FinCEN report on “Fraud Schemes Involving Deepfake Media Targeting Financial Institutions,” which describes how criminals use AI-generated deepfakes to create fake identity documents, photos, and videos.
This publication outlines specific red-flag indicators of such activity and offers best practices for strengthening identity verification and reporting suspicious activity. NCUA notes that credit unions can use this material to enhance fraud detection capabilities and member protection against AI-enabled scams.
Conclusion
In summary, NCUA’s updated AI resource hub signals that supervisory expectations around AI will be grounded in existing, well-known frameworks rather than in a bespoke AI rulebook or through regulation by enforcement action. The update confirms that AI is firmly within the scope of third-party oversight and traditional safety-and-soundness, compliance, and cybersecurity disciplines. Credit unions exploring or expanding AI use can expect NCUA examiners to use these same sources as benchmarks when assessing how credit unions are governing AI solutions and managing associated risks.
