NATIONAL CREDIT UNION ADMINISTRATION
<CFR>12 CFR Part 748</CFR>
<RIN>RIN 3133-AF76</RIN>
<SUBJECT>Guidelines for Safeguarding Member Information</SUBJECT>
<HD SOURCE="HED">AGENCY:</HD>
National Credit Union Administration (NCUA).
<HD SOURCE="HED">ACTION:</HD>
Proposed rule.
<SUM>
<HD SOURCE="HED">SUMMARY:</HD>
The NCUA Board (Board) is proposing to remove Appendix A to part 748, guidelines for safeguarding member information, from the Code of Federal Regulations (CFR). Appendix A was issued to satisfy the NCUA's statutory obligation to establish appropriate standards for federally insured credit unions (FICUs) to protect the security and confidentiality of customer records and information and to protect against unauthorized access to or use of such records. The Board now believes that the placement of Appendix A in the CFR may be confusing because Appendix A is not a regulation but rather a set of guidelines intended to assist FICUs with their statutory compliance obligations. The Board will remove Appendix A from the CFR and publish its contents as a Letter to Credit Unions, which enables more efficient revisions, and streamlines the NCUA's regulations.
</SUM>
<EFFDATE>
<HD SOURCE="HED">DATES:</HD>
Comments must be received on or before February 9, 2026.
</EFFDATE>
<HD SOURCE="HED">ADDRESSES:</HD>
Comments may be submitted in one of the following ways. (
<E T="03">Please send comments by one method only</E>
):
•
<E T="03">Federal eRulemaking Portal: https://www.regulations.gov.</E>
The docket number for this proposed rule is NCUA-2025-1304. Follow the “Submit a comment” instructions. If you are reading this document on
<E T="03"> federalregister.gov,</E>
you may use the green “SUBMIT A PUBLIC COMMENT” button beneath this rulemaking's title to submit a comment to the
<E T="03">regulations.gov</E>
docket. A plain language summary of the proposed rule is also available on the docket website.
•
<E T="03">Mail:</E>
Address to Melane Conyers-Ausbrooks, Secretary of the Board, National Credit Union Administration, 1775 Duke Street, Alexandria, Virginia 22314-3428.
•
<E T="03">Hand Delivery/Courier:</E>
Same as mailing address.
Mailed and hand-delivered comments must be received by the close of the comment period.
<E T="03">Public inspection:</E>
Please follow the search instructions on
<E T="03">https://www.regulations.gov</E>
to view the public comments. Do not include any personally identifiable information (such as name, address, or other contact information) or confidential business information that you do not want publicly disclosed. All comments are public records; they are publicly displayed exactly as received, and will not be deleted, modified, or redacted. Comments may be submitted anonymously. If you are unable to access public comments on the internet, you may contact the NCUA for alternative access by calling (703) 518-6540 or emailing
<E T="03">OGCMail@ncua.gov.</E>
<FURINF>
<HD SOURCE="HED">FOR FURTHER INFORMATION CONTACT:</HD>
Gira Bose, Senior Staff Attorney, at (703) 518-6540 or at 1775 Duke Street, Alexandria, VA 22314.
</FURINF>
<SUPLINF>
<HD SOURCE="HED">SUPPLEMENTARY INFORMATION:</HD>
<HD SOURCE="HD1">I. Introduction</HD>
<HD SOURCE="HD2">A. Background</HD>
In November 1999, Congress passed the Gramm-Leach-Bliley Act (GLBA).
<SU>1</SU>
<FTREF/>
Section 501 of GLBA, entitled Protection of Nonpublic Personal Information, required the NCUA, the federal banking agencies (FBAs), and other regulators to establish appropriate standards for financial institutions subject to their respective jurisdictions relating to administrative, technical, and physical safeguards for customer records and information.
<SU>2</SU>
<FTREF/>
These safeguards are intended to: (1) insure [sic]
<SU>3</SU>
<FTREF/>
the security and confidentiality of customer records and information, (2) protect against any anticipated threats or hazards to the security or integrity of such records, and (3) protect against unauthorized access to or use of such records or information that would result in substantial harm or inconvenience to any customer.
<SU>4</SU>
<FTREF/>
<FTNT>
<SU>1</SU>
15 U.S.C. 6801
<E T="03">et seq.</E>
(Nov. 12, 1999).
</FTNT>
<FTNT>
<SU>2</SU>
<E T="03">Id.</E>
At this time, “federal banking agencies” refers to the Office of the Comptroller of the Currency, the Federal Reserve Board, and the Federal Deposit Insurance Corporation, although at the time of GLBA's passage the term included the now-defunct Office of Thrift Supervision.
</FTNT>
<FTNT>
<SU>3</SU>
The statute uses the word “insure,” but should likely read “ensure.”
</FTNT>
<FTNT>
<SU>4</SU>
15 U.S.C. 6801(b).
</FTNT>
After passage of GLBA, the Board determined that the standards required by GLBA could be most effectively adopted through an amendment to the NCUA's existing regulation governing security programs in FICUs.
<SU>5</SU>
<FTREF/>
This approach is consistent with the FBAs by design: NCUA staff worked with the FBAs to align the agency's guidance with the guidelines approved by the FBAs.
<SU>6</SU>
<FTREF/>
Thus, the NCUA adopted the standards required under GLBA as an appendix to part 748. The resulting Appendix A is intended to provide FICUs with guidance in developing the security program required under § 748.0.
<FTNT>
<SU>5</SU>
66 FR 8152 (Jan. 30, 2001).
</FTNT>
<FTNT>
<SU>6</SU>
65 FR 35162 (June 1, 2000).
</FTNT>
Appendix A has been amended over the years to reflect new requirements and maintain consistency with comparable regulations and guidelines issued by the FBAs. In 2004, the agency revised Appendix A to incorporate amendments to the Fair Credit Reporting Act (FCRA) with respect to the proper disposal of consumer information.
<SU>7</SU>
<FTREF/>
Section 216 of the Fair and Accurate Credit Transactions Act (FACT Act) added a new section to FCRA that was designed to protect a consumer against the risks associated with unauthorized access to information about the consumer contained in a consumer report.
<E T="03">The FACT Act made mandatory the NCUA's practice of maintaining consistency with GLBA through consistency and consultation with the FBAs.</E>
The changes to Appendix A were intended to provide guidance to FCUs for compliance with § 717.83 and were done in consultation with the FBAs.
<SU>8</SU>
<FTREF/>
<FTNT>
<SU>7</SU>
The Fair Credit Reporting Act, 15 U.S.C. 1681s(b) and 1681w, as amended by the Fair and Accurate Credit Transactions Act of 2003, 15 U.S.C. 1681s.
</FTNT>
<FTNT>
<SU>8</SU>
69 FR 69269 (Nov. 29, 2004). While the FACT Act applied only to FCUs and the changes to the guidelines were done to assist FCUs in complying with § 717.83, as drafted, the changes to the Appendix A guidance apply to all FICUs. As the Board explained in the preamble to the 2004 changes, “the requirements of this final rule only apply to FCUs, while federally insured state-chartered credit unions are subject to the jurisdiction of the FTC on this matter. The NCUA believes, however, that federally insured state charters may find this guidance helpful in adopting meaningful and effective security programs that deal with the disposal of consumer information.”
</FTNT>
In 2012 and 2013, the Board again amended part 748 and Appendix A with technical changes mandated by the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act) and based on the NCUA's rolling, 3-year regulatory review.
<SU>9</SU>
<FTREF/>
The Dodd-Frank Act, among other things, transferred rulemaking authority for many consumer protection regulations from the Federal Reserve Board to the Consumer Financial Protection Bureau (CFPB).
<SU>10</SU>
<FTREF/>
As a result, the NCUA was required to update certain cross citations within its regulations and rescind part 716 governing the “Privacy of Consumer Financial Information” under GLBA.
<SU>11</SU>
<FTREF/>
<FTNT>
<SU>9</SU>
77 FR 71085 (Nov. 29, 2012); 78 FR 32541 (May 31, 2013).
</FTNT>
<FTNT>
<SU>10</SU>
12 U.S.C. 5581(b)(6) (July 21, 2010).
</FTNT>
<FTNT>
<SU>11</SU>
12 CFR part 716. To assist FICUs, the part 716 heading was retained with a cross citation to the CFPB's republished version of the regulation at 12 CFR part 1016.
</FTNT>
<HD SOURCE="HD1">B. Legal Authority</HD>
The Board is issuing this proposed rule pursuant to its authority under the Federal Credit Union Act (FCU Act).
<SU>12</SU>
<FTREF/>
Under the FCU Act, the NCUA is the chartering and supervisory authority for federal credit unions (FCUs) and the federal supervisory authority for federally insured credit unions (FICUs). The FCU Act grants the NCUA a broad mandate to issue regulations governing both FCUs and FICUs. Section 120 of the FCU Act is a general grant of regulatory authority and authorizes the Board to prescribe regulations for the administration of the FCU Act.
<SU>13</SU>
<FTREF/>
Section 209 of the FCU Act is a plenary grant of regulatory authority to the NCUA to issue regulations necessary or appropriate to carry out its role as share insurer for all FICUs.
<SU>14</SU>
<FTREF/>
The FCU Act also includes an express grant of authority for the Board to subject federally chartered central, or corporate, credit unions to such rules, regulations, and orders as the Board deems appropriate.
<SU>15</SU>
<FTREF/>
<FTNT>
<SU>12</SU>
12 U.S.C. 1751
<E T="03">et seq.</E>
</FTNT>
<FTNT>
<SU>13</SU>
12 U.S.C. 1766(a).
</FTNT>
<FTNT>
<SU>14</SU>
12 U.S.C. 1789.
</FTNT>
<FTNT>
<SU>15</SU>
12 U.S.C. 1766(a).
</FTNT>
<HD SOURCE="HD1">II. Proposed Rule</HD>
The Board is issuing this proposed rule to remove Appendix A from the CFR. The Board believes that the information conveyed in Appendix A can be provided through Letters to Credit Unions, ther