CUNA Regulatory Comment Call

June 7, 2000

NCUA's Proposed Rule on Guidelines for Safeguarding Member Information



Please feel free to fax your responses to CUNA at 202-371-8240; e-mail them to Associate General Counsel Mary Dunn at or to Assistant General Counsel Jeffrey Bloch at; or mail them to Mary or Jeff in c/o CUNA's Regulatory Advocacy Department, 805 15th Street, NW, Suite 300, Washington, DC 20005. Please contact us if you need more information. You may also contact us if you would like a copy of the proposed rule, or you may access it on the internet at the following address:


The privacy provisions of the Act require the NCUA and other financial institution regulators to establish appropriate standards relating to the administrative, technical, and physical safeguards for consumer records and information. The Act requires that the standards accomplish the following:

On May 8, 2000, the NCUA Board approved the final privacy rules that are required under the Act. The rules are effective as of November 13, 2000, although compliance is optional until July 1, 2001. Under these rules, credit unions must disclose their policies and practices with respect to protecting the confidentiality, security, and integrity of nonpublic personal information as part of the initial and annual privacy notices that are sent to members.


Description of the Proposed Rule

To fulfill the requirements under the Act, the proposed rule amends NCUA's existing rules regarding the security programs in federally-insured credit unions. The rule requires that a credit union's security program include features to ensure the safety and confidentiality of members' records, protect against anticipated threats or hazards to the security or integrity of such records, and protect against unauthorized access to or use of such records that could result in substantial harm or inconvenience to a member.

The NCUA Board may take administrative action if a credit union fails to establish an adequate security program. This may include cease-and-desist orders or civil money penalties.

As with the privacy rules approved on May 8, this proposed rule will also be effective on November 13, 2000, although compliance will be optional until July 1, 2001. Newly chartered or newly insured credit unions will need to establish their security programs within 90 days from the date of insurance.

Description of the Guidelines

The Guidelines clarify that "member" has the same meaning as defined in the privacy rules approved on May 8. As under the privacy rules, "member" includes certain nonmembers, such as nonmember joint accountholders, nonmembers establishing an account at a low-income designated credit union, and nonmembers holding an account in a state-chartered credit union under state law.

Under the Guidelines, the security program must include administrative, technical, and physical safeguards appropriate to the size and complexity of the credit union and the nature and scope of its activities.

The credit union's board of directors will approve the information security program and oversee efforts to develop, implement, and maintain an effective program. In order to implement such a program, the credit union's management should accomplish the following on a regular basis:

To assess risk to member information, credit unions should:

Each credit union needs a comprehensive risk management plan, which should include the following:

The credit union remains responsible for safeguarding member information when it gives a service provider access to that information. The credit union should monitor such outsourcing arrangements to confirm that the service provider has implemented an effective security program.

(Most of these are issues raised by NCUA)

Eric Richard • General Counsel • (202) 508-6742 •
Mary Mitchell Dunn • SVP & Associate General Counsel • (202) 508-6736 •
Jeffrey Bloch • Assistant General Counsel • (202) 508-6732 •
Catherine Orr • Senior Regulatory Counsel • (202) 508-6743 •