Guidance on Response Programs for Unauthorized Access to Member Information and Member Notice

NATIONAL CREDIT UNION ADMINISTRATION <CFR>12 CFR Part 748</CFR> <RIN>RIN 3133-AF79</RIN> <SUBJECT>Guidance on Response Programs for Unauthorized Access to Member Information and Member Notice</SUBJECT> <HD SOURCE="HED">AGENCY:</HD> National Credit Union Administration (NCUA). <HD SOURCE="HED">ACTION:</HD> Proposed rule. <SUM> <HD SOURCE="HED">SUMMARY:</HD> The NCUA Board (Board) is proposing to remove Appendix B to part 748, Guidance on Response Programs for Unauthorized Access to Member Information and Member Notice. Appendix B was issued in June 2005. Its purpose was to provide federally insured credit unions (FICUs) with guidance for creating programs to address and respond to instances of unauthorized access to member information. The Board now believes that the placement of Appendix B in the Code of Federal Regulations (CFR) may be confusing because Appendix B itself is guidance to assist FICUs in developing the response programs required pursuant to regulation. The Board instead would publish the content of Appendix B as guidance. This will be a better vehicle for conveying and updating this information and will help to streamline NCUA's regulations. </SUM> <EFFDATE> <HD SOURCE="HED">DATES:</HD> Comments must be received on or before February 9, 2026. </EFFDATE> <HD SOURCE="HED">ADDRESSES:</HD> You may submit written comments by any of the following methods identified by RIN (Please send comments by one method only): • <E T="03">Federal eRulemaking Portal: https://www.regulations.gov.</E> Follow the instructions for submitting comments for Docket Number NCUA-2025-1305. • <E T="03">Mail:</E> Address to Melane Conyers-Ausbrooks, Secretary of the Board, National Credit Union Administration, 1775 Duke Street, Alexandria, Virginia 22314-3428. • <E T="03">Hand Delivery/Courier:</E> Same as mail address. Mailed and hand-delivered comments must be received by the close of the comment period. <E T="03">Public Inspection:</E> All public comments are available on the Federal eRulemaking Portal at <E T="03">https://www.regulations.gov</E> as submitted, except when impossible for technical reasons. Public comments will not be edited to remove any identifying or contact information. If you are unable to access public comments on the internet, you may contact NCUA for alternative access by calling (703) 518-6540 or emailing <E T="03">OGCMail@ncua.gov.</E> <FURINF> <HD SOURCE="HED">FOR FURTHER INFORMATION CONTACT:</HD> Gira Bose, Senior Staff Attorney, at (703) 518-6540 or at 1775 Duke Street, Alexandria, VA 22314. </FURINF> <SUPLINF> <HD SOURCE="HED">SUPPLEMENTARY INFORMATION:</HD> <HD SOURCE="HD1">I. Introduction</HD> <HD SOURCE="HD2">A. Background</HD> On May 2, 2005, the Board issued a final rule to revise 12 CFR part 748 to include a requirement that FICUs respond to incidents of unauthorized access to member information. <SU>1</SU> <FTREF/> Appendix B, entitled Guidance on Response Programs for Unauthorized Access to Member Information and Member Notice, was included in the final rule to assist FICUs in developing and maintaining their response programs. It was a further interpretation of the Gramm Leach Bliley Act's requirement that NCUA and other regulators adopt standards for safeguarding customer information that financial institutions could adopt. <SU>2</SU> <FTREF/> <FTNT> <SU>1</SU>  70 FR 22764 (May 2, 2005). </FTNT> <FTNT> <SU>2</SU>  15 U.S.C. 6801 <E T="03">et. seq.</E> (Nov. 12, 1999). Appendix B was issued in consultation with the federal banking agencies (FBAs), comprising the Office of the Comptroller of the Currency, the Federal Reserve Board, the Federal Deposit Insurance Corporation, and the now-defunct Office of Thrift Supervision. The FBAs issued similar guidance on a joint basis. 70 FR 15736 (Mar. 29, 2005). </FTNT> Appendix B notes that each year, millions of Americans throughout the country fall victim to identify theft as a result of the misuse of their personal information obtained by identity thieves from a number of sources, including credit unions. <SU>3</SU> <FTREF/> It goes on to state that, as a result, credit unions should take preventative measures to safeguard member information against such attempts, and to do so in a way that is appropriate to the size and complexity of the credit union and the nature and scope of its activities. Thus, Appendix B is designed to be risk-based and to give FICUs discretion in addressing incidents of unauthorized access to or use of member information that could result in substantial harm or inconvenience to a member. <FTNT> <SU>3</SU>  12 CFR 748 App. B (II)(i). </FTNT> <HD SOURCE="HD2">B. Legal Authority</HD> The standards in Appendix B fulfill a requirement in the Gramm-Leach-Bliley Act, through which Congress directed NCUA and other federal regulators to establish standards for financial institutions relating to the safeguarding of customer information. <SU>4</SU> <FTREF/> Under the Federal Credit Union Act (FCU Act), NCUA examines all FICUs and is required to ensure that all FICUs operate safely and soundly. In particular, 12 U.S.C. 1786(b) compels the agency to act to correct unsafe or unsound conditions or practices in FICUs. Sections 120 and 209 of the FCU Act are plenary grants of regulatory authority to the Board to examine and require information and reports from credit unions as well as issue the regulations necessary or appropriate to carry out its roles as regulator and share insurer. Section 204 of the FCU Act requires the Board to appoint examiners who shall have the power to thoroughly examine the affairs of (FICUs) and report to the Board. Section 206 of the FCU Act requires the agency to impose corrective measures whenever, in the opinion of the Board, any credit union is engaged in or has engaged in unsafe or unsound practices in conducting its business. Accordingly, the FCU Act grants the Board broad rulemaking authority to protect credit unions, their member owners, and the National Credit Union Share Insurance Fund. <FTNT> <SU>4</SU>  15 U.S.C. 6801 <E T="03">et seq.</E> (Nov. 12, 1999). </FTNT> <HD SOURCE="HD1">II. Proposed Rule</HD> The Board is now issuing this proposed rule to remove Appendix B from the CFR. The Board believes that the information conveyed in Appendix B can be just as easily communicated by a Letter to Credit Unions, which would have the advantage of being better recognized by FICUs as nonbinding guidance. The Board believes that issuing Appendix B alongside part 748 may give the false impression that it is a legally binding rule rather than an aid to credit unions that can help them meet the regulatory requirements of part 748. The Board seeks comments on all aspects of this proposed rule, including any references to Appendix B in other parts of NCUA's regulations that may need to be revised. The Board considered retaining Appendix B in its current form. The current practice ensures the agency reviews Appendix B once every three years as part of its one third regulatory review process. Maintaining Appendix B as part of NCUA's regulations also guarantees that any changes, whether technical or substantive, are published in the <E T="04">Federal Register</E> typically with an opportunity for public notice and comment (unless an exception under the Administrative Procedure Act applies). Maintaining the current placement would maintain comparability with the FBAs whose guidance is also located in the CFR. However, the Board now believes that streamlining NCUA's regulations and creating a greater separation between binding regulations and nonbinding guidelines outweighs the benefits of the current approach. The Board also believes that the Agency's adoption of separate guidance is appropriate for communicating guidelines such as those in Appendix B. The Board is soliciting feedback on all aspects of this proposed rule, including the option of maintaining the status quo. <HD SOURCE="HD1">III. Regulatory Procedures</HD> <HD SOURCE="HD2">A. Providing Accountability Through Transparency Act of 2023</HD> The Providing Accountability Through Transparency Act of 2023 (5 U.S.C. 553(b)(4)) requires that a notice of proposed rulemaking include the internet address of a summary of not more than 100 words in length of a proposed rule, in plain language, that shall be posted on the internet website under section 206(d) of the E-Government Act of 2002 (44 U.S.C. 3501 note) (commonly known as <E T="03">regulations.gov</E> ). In summary, the Board is proposing to remove Appendix B to part 748, Guidance on Response Programs for Unauthorized Access to Member Information and Member Notice. The Board believes that moving Appendix B to a Letter to Credit Unions is a better vehicle for conveying this information and will help to streamline the NCUA's regulations. The intended effect is to simplify the regulatory text and make it easier to navigate, without altering any substantive compliance obligations. The proposed rule and the required summary are available at <E T="03">https://www.regulations.gov.</E> <HD SOURCE="HD2">B. Executive Orders 12866, 13563, and 14192</HD> Pursuant to Executive Order 12866 (“Regulatory Planning and Review”), as amended by Executive Order 14215, a determination must be made whether a regulatory action is significant and therefore subject to review by the Office of Management and Budget (OMB) in accordance with the requirements of the Executive Order. OMB has determined that this proposed rule is not a “significant regulatory action” as defined in section 3(f)(1) of Executive Order 12866. Executive Order 13563 (“Improving Regulations and Regulatory Review”) directs executive agencies to analyze regulations that are “outmoded, ineffective, insufficient, or excessively burdensome, and to modify, streamline, expand, or repe ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ Preview showing 10k of 15k characters. Full document text is stored and available for version comparison. ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━