(a) A credit union may use, or participate with others to use, electronic means or facilities to perform any function or provide any product or service as part of an authorized activity. Electronic means or facilities include, but are not limited to, automated teller machines, automated loan machines, mobile applications, personal computers, the Internet, telephones, and other similar electronic devices.     
      (b) To optimize the use of its resources, a credit union may market and sell, or participate with others to market and sell, electronic capacities and by-products to others, provided the credit union acquired or developed these capacities and by-products in good faith as part of providing financial services to its members.     
      (c) If a credit union uses electronic means and facilities authorized by this rule, the credit union's board of directors must require staff to:      
        (1) Identify, assess, and mitigate potential risks and establish prudent internal controls, and system backup procedures;       
        (2) Implement security measures designed to ensure secure operations. Such measures should take into consideration:                  (A) the prevention of unauthorized access to credit union records and credit union members' records;                   (B) the prevention of financial fraud through the use of electronic means or facilities; and                   (C) compliance with applicable security device requirements for teller machines contained elsewhere in Chapter 91; and         
        (3) Employ an incident response plan, which has been subjected to reasonable testing, to minimize the impact of a data breach or other electronic incident while quickly restoring operations, credibility, and security.       
      (d) All credit unions engaging in such electronic activities must comply with all applicable state and federal laws and regulations as well as address all safety and soundness concerns.     
      (e) A credit union shall review, on at least an annual basis, its system backup procedures for all electronic activities.     
      (f) A credit union shall not be considered doing business in this State solely because it physically maintains technology, such as a server, in this State, or because the credit union's product or services are accessed through electronic means by members located in this State.     
      (g) A credit union that shares electronic space, including a co-branded web site, with a credit union affiliate, or another third-party must take reasonable steps to clearly and conspicuously distinguish between products and services offered by the credit union and those offered by the credit union's affiliate, or the third-party.     
     Source Note:        The provisions of this §91.4001 adopted to be effective May 13, 1999, 24 TexReg 3475; amended to be effective May 11, 2000, 25 TexReg 3953; amended to be effective December 8, 2002, 27 TexReg 11074; amended to be effective March 13, 2006, 31 TexReg 1648; amended to be effective March 29, 2018, 43 TexReg 1837