(a) Each federally insured credit union will develop a written security program within 90 days of the effective date of insurance.

(b) The security program will be designed to:

(1) Protect each credit union office from robberies, burglaries, larcenies, and embezzlement;

(2) Ensure the security and confidentiality of member records, protect against the anticipated threats or hazards to the security or integrity of such records, and protect against unauthorized access to or use of such records that could result in substantial harm or serious inconvenience to a member;

(3) Respond to incidents of unauthorized access to or use of member information that could result in substantial harm or serious inconvenience to a member;

(4) Assist in the identification of persons who commit or attempt such actions and crimes, and

(5) Prevent destruction of vital records, as defined in 12 CFR part 749.

(c) Each Federal credit union, as part of its information security program, must properly dispose of any consumer information the Federal credit union maintains or otherwise possesses, as required under § 717.83 of this chapter.

[50 FR 53295, Dec. 31, 1985, as amended at 53 FR 4845, Feb. 18, 1988; 66 FR 8161, Jan. 30, 2001; 69 FR 69274, Nov. 29, 2004; 70 FR 22778, May 2, 2005]

(a) The president or managing official of each federally insured credit union must certify compliance with the requirements of this part in its Credit Union Profile annually through NCUA's online information management system.

(b) Catastrophic act report. Each federally insured credit union will notify the regional director within 5 business days of any catastrophic act that occurs at its office(s). A catastrophic act is any disaster, natural or otherwise, resulting in physical destruction or damage to the credit union or causing an interruption in vital member services, as defined in § 749.1 of this chapter, projected to last more than two consecutive business days. Within a reasonable time after a catastrophic act occurs, the credit union shall ensure that a record of the incident is prepared and filed at its main office. In the preparation of such record, the credit union should include information sufficient to indicate the office where the catastrophic act occurred; when it took place; the amount of the loss, if any; whether any operational or mechanical deficiency(ies) might have contributed to the catastrophic act; and what has been done or is planned to be done to correct the deficiency(ies).

(c) Cyber incident report. Each federally insured credit union must notify the appropriate NCUA-designated point of contact of the occurrence of a reportable cyber incident via email, telephone, or other similar methods that the NCUA may prescribe. The NCUA must receive this notification as soon as possible but no later than 72 hours after a federally insured credit union reasonably believes that it has experienced a reportable cyber incident or, if reporting pursuant to paragraph (c)(1)(i)(C) of this section, within 72 hours of being notified by a third-party, whichever is sooner.

(1) Reportable cyber incident. (i) A reportable cyber incident is any substantial cyber incident that leads to one or more of the following:

(A) A substantial loss of confidentiality, integrity, or availability of a network or member information system as defined in appendix A, section I.B.2. e., of this part that results from the unauthorized access to or exposure of sensitive data, disrupts vital member services as defined in § 749.1 of this chapter, or has a serious impact on the safety and resiliency of operational systems and processes.

(B) A disruption of business operations, vital member services, or a member information system resulting from a cyberattack or exploitation of vulnerabilities.

(C) A disruption of business operations or unauthorized access to sensitive data facilitated through, or caused by, a compromise of a credit union service organization, cloud service provider, or other third-party data hosting provider or by a supply chain compromise.

(ii) A reportable cyber incident does not include any event where the cyber incident is performed in good faith by an entity in response to a specific request by the owner or operators of the system.

(2) Definitions. For purposes of this part:

Compromise means the unauthorized disclosure, modification, substitution, or use of sensitive data or the unauthorized modification of a security-related system, device, or process in order to gain unauthorized access.

Confidentiality means preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.

Cyber incident means an occurrence that actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information on an information system, or actually or imminently jeopardizes, without lawful authority, an information system.

Cyberattack means an attack, via cyberspace, targeting an enterprise's use of cyberspace for the purpose of disrupting, disabling, destroying, or maliciously controlling a computing environment/infrastructure; or destroying the integrity of the data or stealing controlled information.

Disruption means an unplanned event that causes an information system to be inoperable for a length of time.

Integrity means guarding against improper information modification or destruction and includes ensuring information non-repudiation and authenticity.

Sensitive data means any information which by itself, or in combination with other information, could be used to cause harm to a credit union or credit union member and any information concerning a person or their account which is not public information, including any non-public personally identifiable information.

(d) Suspicious Activity Report. A credit union must file a report if it knows, suspects, or has reason to suspect that any crime or any suspicious transaction related to money laundering activity or a violation of the Bank Secrecy Act has occurred. For the purposes of this paragraph (c) credit union means a federally insured credit union and official means any member of the board of directors or a volunteer committee.

(1) Reportable activity. Transaction for purposes of this paragraph means a deposit, withdrawal, transfer between accounts, exchange of currency, loan, extension of credit, purchase or sale of any stock, bond, share certificate, or other monetary instrument or investment security, or any other payment, transfer, or delivery by, through, or to a financial institution, by whatever means effected. A credit union must report any known or suspected crime or any suspicious transaction related to money laundering or other illegal activity, for example, terrorism financing, loan fraud, or embezzlement, or a violation of the Bank Secrecy Act by sending a completed suspicious activity report (SAR) to the Financial Crimes Enforcement Network (FinCEN) in the following circumstances:

(i) Insider abuse involving any amount. Whenever the credit union detects any known or suspected Federal criminal violations, or pattern of criminal violations, committed or attempted against the credit union or involving a transaction or transactions conducted through the credit union, where the credit union believes it was either an actual or potential victim of a criminal violation, or series of criminal violations, or that the credit union was used to facilitate a criminal transaction, and the credit union has a substantial basis for identifying one of the credit union's officials, employees, or agents as having committed or aided in the commission of the criminal violation, regardless of the amount involved in the violation;

(ii) Transactions aggregating $5,000 or more where a suspect can be identified. Whenever the credit union detects any known or suspected Federal criminal violation, or pattern of criminal violations, committed or attempted against the credit union or involving a transaction or transactions conducted through the credit union, and involving or aggregating $5,000 or more in funds or other assets, where the credit union believes it was either an actual or potential victim of a criminal violation, or series of criminal violations, or that the credit union was used to facilitate a criminal transaction, and the credit union has a substantial basis for identifying a possible suspect or group of suspects. If it is determined before filing this report that the identified suspect or group of suspects has used an alias, then information regarding the true identity of the suspect or group of suspects, as well as alias identifiers, such as drivers' licenses or social security numbers, addresses and telephone numbers, must be reported;

(iii) Transactions aggregating $25,000 or more regardless of potential suspects. Whenever the credit union detects any known or suspected Federal criminal violation, or pattern of criminal violations, committed or attempted against the credit union or involving a transaction or transactions conducted through the credit union, involving or aggregating $25,000 or more in funds or other assets, where the credit union believes it was either an actual or potential victim of a criminal violation, or series of criminal violations, or that the credit union was used to facilitate a criminal transaction, even though the credit union has no substantial basis for identifying a possible suspect or group of suspects; or

(iv) Transactions aggregating $5,000 or more that involve potential money laundering or violations of the Bank Secrecy Act. Any transaction conducted or attempted by, at or through the credit union and involving or aggregating $5,000 or more in funds or other assets, if the credit union knows, suspects, or has reason to suspect:

(A) The transaction involves funds derived from illegal activities or is intended or conducted in order to hide or disguise funds or assets derived from illegal activities (including, without limitation, the ownership, nature, source, location, or control of such funds or assets) as part of a plan to violate or evade any Federal law or regulation or to avoid any transaction reporting requirement under Federal law;

(B) The transaction is designed to evade any regulations promulgated under the Bank Secrecy Act; or

(C) The transaction has no business or apparent lawful purpose or is not the sort of transaction in which the particular member would normally be expected to engage, and the credit union knows of no reasonable explanation for the transaction after examining the available facts, including the background and possible purpose of the transaction.

(v) Exceptions. A credit union is not required to file a SAR for a robbery or burglary committed or attempted that is reported to appropriate law enforcement authorities, or for lost, missing, counterfeit, or stolen securities and the credit union files a report pursuant to the reporting requirements of 17 CFR 240.17f-1.

(2) Filing procedures—(i) Timing. A credit union must file a SAR with FinCEN no later than 30 calendar days from the date the suspicious activity is initially detected, unless there is no identified suspect on the date of detection. If no suspect is identified on the date of detection, a credit union may use an additional 30 calendar days to identify a suspect before filing a SAR. In no case may a credit union take more than 60 days from the date it initially detects a reportable transaction to file a SAR. In situations involving violations requiring immediate attention, such as ongoing money laundering schemes, a credit union must immediately notify, by telephone, an appropriate law enforcement authority and its supervisory authority, in addition to filing a SAR.

(ii) Content. A credit union must complete, fully and accurately, SAR form TDF 90-22.47, Suspicious Activity Report (also known as NCUA Form 2362) in accordance with the form's instructions and 31 CFR 1020.320. A copy of the SAR form may be obtained from the credit union resources section of NCUA's Web site, http://www.ncua.gov, or the regulatory section of FinCEN's Web site, http://www.fincen.gov. These sites include other useful guidance on SARs, for example, forms and filing instructions, Frequently Asked Questions, and the FFIEC Bank Secrecy Act/Anti-Money Laundering Examination Manual.

(iii) Compliance. Failure to file a SAR as required by the form's instructions and 31 CFR 1020.320 may subject the credit union, its officials, employees, and agents to the assessment of civil money penalties or other administrative actions.

(3) Retention of Records. A credit union must maintain a copy of any SAR that it files and the original or business record equivalent of all supporting documentation to the report for a period of five years from the date of the report. Supporting documentation must be identified and maintained by the credit union as such. Supporting documentation is considered a part of the filed report even though it should not be actually filed with the submitted report. A credit union must make all supporting documentation available to appropriate law enforcement authorities and its regulatory supervisory authority upon request.

(4) Notification to board of directors—(i) Generally. The management of the credit union must promptly notify its board of directors, or a committee designated by the board of directors to receive such notice, of any SAR filed.

(ii) Suspect is a director or committee member. If a credit union files a SAR and the suspect is a director or member of a committee designated by the board of directors to receive notice of SAR filings, the credit union may not notify the suspect, pursuant to 31 U.S.C. 5318(g)(2), but must notify the remaining directors, or designated committee members, who are not suspects.

(5) Confidentiality of reports. SARs are confidential. Any credit union, including its officials, employees, and agents, subpoenaed or otherwise requested to disclose a SAR or the information in a SAR must decline to produce the SAR or to provide any information that would disclose that a SAR was prepared or filed, citing this part, applicable law, for example, 31 U.S.C. 5318(g), or both, and notify NCUA of the request. A credit union must make the filed report and all supporting documentation available to appropriate law enforcement authorities and its regulatory supervisory authority upon request.

(6) Safe Harbor. Any credit union, including its officials, employees, and agents, that makes a report of suspected or known criminal violations and suspicious activities to law enforcement and financial institution supervisory authorities, including supporting documentation, are protected from liability for any disclosure in the report, or for failure to disclose the existence of the report, or both, to the full extent provided by 31 U.S.C. 5318(g)(3). This protection applies if the report is filed pursuant to this part or is filed on a voluntary basis.

[50 FR 53295, Dec. 31, 1985, as amended at 53 FR 26232, July 12, 1988; 58 FR 17492, Apr. 5, 1993; 61 FR 11527, Mar. 21, 1996; 71 FR 62878, Oct. 27, 2006; 72 FR 42273, Aug. 2, 2007; 74 FR 35769, July 21, 2009; 76 FR 18366, Apr. 4, 2011; 78 FR 64885, Oct. 30, 2013; 88 FR 12816, Mar. 1, 2023]

(a) Purpose. This section is issued to ensure that all federally insured credit unions establish and maintain procedures reasonably designed to assure and monitor compliance with the requirements of subchapter II of chapter 53 of title 31, United States Code, the Financial Recordkeeping and Reporting of Currency and Foreign Transactions Act, and the implementing regulations promulgated under it by the Department of Treasury, 31 CFR chapter X.

(b) Establishment of a BSA compliance program—(1) Program requirement. Each federally insured credit union shall develop and provide for the continued administration of a program reasonably designed to assure and monitor compliance with the recordkeeping and recording requirements in subchapter II of chapter 53 of title 31, United States Code and implementing regulations issued by the Department of Treasury at 31 CFR chapter X. The compliance program must be written, approved by the credit union's board of directors, and reflected in the credit union's minutes.

(2) Customer identification program. Each federally insured credit union is subject to the requirements of 31 U.S.C. 5318(l) and the implementing regulation jointly promulgated by the NCUA and Department of the Treasury at 31 CFR 1020.220, which require a customer identification program to be implemented as part of the BSA compliance program required under this section.

(c) Contents of compliance program. Such compliance program shall at a minimum—

(1) Provide for a system of internal controls to assure ongoing compliance;

(2) Provide for independent testing for compliance to be conducted by credit union personnel or outside parties;

(3) Designate an individual responsible for coordinating and monitoring day-to-day compliance; and

(4) Provide training for appropriate personnel.

(Approved by the Office of Management and Budget under control number 3133-0094) [52 FR 2861, Jan. 27, 1987, as amended at 52 FR 8062, Mar. 16, 1987; 68 FR 25112, May 9, 2003; 76 FR 18366, Apr. 4, 2011]

Table of Contents I. Introduction A. Scope B. Definitions II. Guidelines for Safeguarding Member Information A. Information Security Program B. Objectives III. Development and Implementation of Member Information Security Program A. Involve the Board of Directors B. Assess Risk C. Manage and Control Risk D. Oversee Service Provider Arrangements E. Adjust the Program

F. Report to the Board

I. Introduction

The Guidelines for Safeguarding Member Information (Guidelines) set forth standards pursuant to sections 501 and 505(b), codified at 15 U.S.C. 6801 and 6805(b), of the Gramm-Leach-Bliley Act. These Guidelines provide guidance standards for developing and implementing administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of member information. These Guidelines also address standards with respect to the proper disposal of consumer information pursuant to sections 621(b) and 628 of the Fair Credit Reporting Act (15 U.S.C. 1681s(b) and 1681w).

A. Scope. The Guidelines apply to member information maintained by or on behalf of federally insured credit unions. Such entities are referred to in this appendix as “the credit union.” These Guidelines also apply to the proper disposal of consumer information by such entities.

B. Definitions. 1. In general. Except as modified in the Guidelines or unless the context otherwise requires, the terms used in these Guidelines have the same meanings as set forth in 12 CFR part 1016.

2. For purposes of the Guidelines, the following definitions apply:

a. Consumer information means any record about an individual, whether in paper, electronic, or other form, that is a consumer report or is derived from a consumer report and that is maintained or otherwise possessed by or on behalf of the credit union for a business purpose. Consumer information also means a compilation of such records. The term does not include any record that does not identify an individual.

b. Consumer report has the same meaning as set forth in the Fair Credit Reporting Act, 15 U.S.C. 1681a(d). The meaning of consumer report is broad and subject to various definitions, conditions and exceptions in the Fair Credit Reporting Act. It includes written or oral communications from a consumer reporting agency to a third party of information used or collected for use in establishing eligibility for credit or insurance used primarily for personal, family or household purposes, and eligibility for employment purposes. Examples include credit reports, bad check lists, and tenant screening reports.

c. Member means any member of the credit union as defined in 12 CFR 1016.3(n).

d. Member information means any records containing nonpublic personal information, as defined in 12 CFR 1016.3(p), about a member, whether in paper, electronic, or other form, that is maintained by or on behalf of the credit union.

e. Member information system means any method used to access, collect, store, use, transmit, protect, or dispose of member information.

f. Service provider means any person or entity that maintains, processes, or otherwise is permitted access to member information through its provision of services directly to the credit union.

II. Standards for Safeguarding Member Information

A. Information Security Program. A comprehensive written information security program includes administrative, technical, and physical safeguards appropriate to the size and complexity of the credit union and the nature and scope of its activities. While all parts of the credit union are not required to implement a uniform set of policies, all elements of the information security program must be coordinated.

B. Objectives. A credit union's information security program should be designed to: ensure the security and confidentiality of member information; protect against any anticipated threats or hazards to the security or integrity of such information; protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any member; and ensure the proper disposal of member information and consumer information. Protecting confidentiality includes honoring members' requests to opt out of disclosures to nonaffiliated third parties, as described in 12 CFR 1016.1(a)(3).

III. Development and Implementation of Member Information Security Program

A. Involve the Board of Directors. The board of directors or an appropriate committee of the board of each credit union should:

1. Approve the credit union's written information security policy and program; and

2. Oversee the development, implementation, and maintenance of the credit union's information security program, including assigning specific responsibility for its implementation and reviewing reports from management.

B. Assess Risk. Each credit union should:

1. Identify reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of member information or member information systems;

2. Assess the likelihood and potential damage of these threats, taking into consideration the sensitivity of member information; and

3. Assess the sufficiency of policies, procedures, member information systems, and other arrangements in place to control risks.

C. Manage and Control Risk. Each credit union should:

1. Design its information security program to control the identified risks, commensurate with the sensitivity of the information as well as the complexity and scope of the credit union's activities. Each credit union must consider whether the following security measures are appropriate for the credit union and, if so, adopt those measures the credit union concludes are appropriate:

a. Access controls on member information systems, including controls to authenticate and permit access only to authorized individuals and controls to prevent employees from providing member information to unauthorized individuals who may seek to obtain this information through fraudulent means;

b. Access restrictions at physical locations containing member information, such as buildings, computer facilities, and records storage facilities to permit access only to authorized individuals;

c. Encryption of electronic member information, including while in transit or in storage on networks or systems to which unauthorized individuals may have access;

d. Procedures designed to ensure that member information system modifications are consistent with the credit union's information security program;

e. Dual controls procedures, segregation of duties, and employee background checks for employees with responsibilities for or access to member information;

f. Monitoring systems and procedures to detect actual and attempted attacks on or intrusions into member information systems;

g. Response programs that specify actions to be taken when the credit union suspects or detects that unauthorized individuals have gained access to member information systems, including appropriate reports to regulatory and law enforcement agencies; and

h. Measures to protect against destruction, loss, or damage of member information due to potential environmental hazards, such as fire and water damage or technical failures.

2. Train staff to implement the credit union's information security program.

3. Regularly test the key controls, systems and procedures of the information security program. The frequency and nature of such tests should be determined by the credit union's risk assessment. Tests should be conducted or reviewed by independent third parties or staff independent of those that develop or maintain the security programs.

4. Develop, implement, and maintain, as part of its information security program, appropriate measures to properly dispose of member information and consumer information in accordance with the provisions in paragraph III.

D. Oversee Service Provider Arrangements. Each credit union should:

1. Exercise appropriate due diligence in selecting its service providers;

2. Require its service providers by contract to implement appropriate measures designed to meet the objectives of these guidelines; and

3. Where indicated by the credit union's risk assessment, monitor its service providers to confirm that they have satisfied their obligations as required by paragraph D.2. As part of this monitoring, a credit union should review audits, summaries of test results, or other equivalent evaluations of its service providers.

E. Adjust the Program. Each credit union should monitor, evaluate, and adjust, as appropriate, the information security program in light of any relevant changes in technology, the sensitivity of its member information, internal or external threats to information, and the credit union's own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements, and changes to member information systems.

F. Report to the Board. Each credit union should report to its board or an appropriate committee of the board at least annually. This report should describe the overall status of the information security program and the credit union's compliance with these guidelines. The report should discuss material matters related to its program, addressing issues such as: risk assessment; risk management and control decisions; service provider arrangements; results of testing; security breaches or violations and management's responses; and recommendations for changes in the information security program.

[66 FR 8161, Jan. 30, 2001, as amended at 69 FR 69274, Nov. 29, 2004; 77 FR 71085, Nov. 29, 2012; 78 FR 32545, May 31, 2013; 84 FR 1609, Feb. 5, 2019]

I. Background

This appendix provides guidance on NCUA's Security Program, Suspicious Transactions, Catastrophic Acts, Cyber Incidents, and Bank Secrecy Act Compliance regulation, 1 interprets section 501(b) of the Gramm-Leach-Bliley Act (“GLBA”), and describes response programs, including member notification procedures, that a federally insured credit union should develop and implement to address unauthorized access to or use of member information that could result in substantial harm or inconvenience to a member. The scope of, and definitions of terms used in, this Guidance are identical to those of appendix A to this part (appendix A). For example, the term “member information” is the same term used in appendix A, and means any record containing nonpublic personal information about a member, whether in paper, electronic, or other form, maintained by or on behalf of the credit union.

1This part.

A. Security Guidelines

Section 501(b) of the GLBA required the NCUA to establish appropriate standards for credit unions subject to its jurisdiction that include administrative, technical, and physical safeguards to protect the security and confidentiality of member information. Accordingly, the NCUA amended Part 748 of its rules to require credit unions to develop appropriate security programs, and issued appendix A, reflecting its expectation that every federally insured credit union would develop an information security program designed to:

1. Ensure the security and confidentiality of member information;

2. Protect against any anticipated threats or hazards to the security or integrity of such information; and

3. Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any member.

B. Risk Assessment and Controls

1. Appendix A directs every credit union to assess the following risks, among others, when developing its information security program:

a. Reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of member information or member information systems;

b. The likelihood and potential damage of threats, taking into consideration the sensitivity of member information; and

c. The sufficiency of policies, procedures, member information systems, and other arrangements in place to control risks. 2

2 See 12 CFR Part 748, appendix A, Paragraph III.B.

2. Following the assessment of these risks, appendix A directs a credit union to design a program to address the identified risks. The particular security measures a credit union should adopt will depend upon the risks presented by the complexity and scope of its business. At a minimum, the credit union should consider the specific security measures enumerated in appendix A, 3 and adopt those that are appropriate for the credit union, including:

3 See appendix A, paragraph III.C.

a. Access controls on member information systems, including controls to authenticate and permit access only to authorized individuals and controls to prevent employees from providing member information to unauthorized individuals who may seek to obtain this information through fraudulent means;

b. Background checks for employees with responsibilities for access to member information; and

c. Response programs that specify actions to be taken when the credit union suspects or detects that unauthorized individuals have gained access to member information systems, including appropriate reports to regulatory and law enforcement agencies. 4

4 See appendix A, Paragraph III.C.

C. Service Providers

Appendix A advises every credit union to require its service providers by contract to implement appropriate measures designed to protect against unauthorized access to or use of member information that could result in substantial harm or inconvenience to any member. 5

5 See appendix A, Paragraph III.B. and III.D. Further, the NCUA notes that, in addition to contractual obligations to a credit union, a service provider may be required to implement its own comprehensive information security program in accordance with the Safeguards Rule promulgated by the Federal Trade Commission (“FTC”), 12 CFR Part 314.

II. Response Program

i. Millions of Americans, throughout the country, have been victims of identity theft. 6 Identity thieves misuse personal information they obtain from a number of sources, including credit unions, to perpetrate identity theft. Therefore, credit unions should take preventative measures to safeguard member information against such attempts to gain unauthorized access to the information. For example, credit unions should place access controls on member information systems and conduct background checks for employees who are authorized to access member information. 7 However, every credit union should also develop and implement a risk-based response program to address incidents of unauthorized access to member information in member information systems that occur nonetheless. 8 A response program should be a key part of a credit union's information security program. 9 The program should be appropriate to the size and complexity of the credit union and the nature and scope of its activities.

6 The FTC estimates that nearly 10 million Americans discovered they were victims of some form of identity theft in 2002. See The Federal Trade Commission, Identity Theft Survey Report, (September 2003), available at http://www.ftc.gov/os/2003/09synovatereport.pdf.

7 Credit unions should also conduct background checks of employees to ensure that the credit union does not violate 12 U.S.C. 1785(d), which prohibits a credit union from hiring an individual convicted of certain criminal offenses or who is subject to a prohibition order under 12 U.S.C. 1786(g).

8 Under 12 CFR Part 748, appendix A, a credit union's member information systems consists of all of the methods used to access, collect, store, use, transmit, protect, or dispose of member information, including the systems maintained by its service providers. See 12 CFR Part 748, appendix A, Paragraph I.C.2.d.

9 See FFIEC Information Technology Examination Handbook, Information Security Booklet, (December, 2002), available at http://www.ffiec.gov/ffiecinfobase/html_pages/it_01.htm1#infosec, for additional guidance on preventing, detecting, and responding to intrusions into financial institution computer systems.

ii. In addition, each credit union should be able to address incidents of unauthorized access to member information in member information systems maintained by its domestic and foreign service providers. Therefore, consistent with the obligations in this Guidance that relate to these arrangements, and with existing guidance on this topic issued by the NCUA, 10 a credit union's contract with its service provider should require the service provider to take appropriate actions to address incidents of unauthorized access to or use of the credit union's member information, including notification of the credit union as soon as possible of any such incident, to enable the institution to expeditiously implement its response program.

10 See FFIEC Information Technology Examination Handbook, Outsourcing Technology Services Booklet, (June 2004), available at http://www.ffiec.gov/ffiecinfobase/html_pages/it_01.htm1#outscouring for additional guidance on managing outsourced relationships.

A. Components of a Response Program

1. At a minimum, a credit union's response program should contain procedures for the following:

a. Assessing the nature and scope of an incident, and identifying what member information systems and types of member information have been accessed or misused;

b. Notifying the appropriate NCUA Regional Director, and, in the case of state-chartered credit unions, its applicable state supervisory authority, as soon as possible when the credit union becomes aware of an incident involving unauthorized access to or use of sensitive member information as defined below.

c. Consistent with the NCUA's Suspicious Activity Report (“SAR”) regulations, 11 notifying appropriate law enforcement authorities, in addition to filing a timely SAR in situations involving Federal criminal violations requiring immediate attention, such as when a reportable violation is ongoing;

11 A credit union's obligation to file a SAR is set forth in § 748.1(d).

d. Taking appropriate steps to contain and control the incident to prevent further unauthorized access to or use of member information, for example, by monitoring, freezing, or closing affected accounts, while preserving records and other evidence; 12 and

12 See FFIEC Information Technology Examination Handbook, Information Security Booklet, (December 2002), pp. 68-74.

e. Notifying members when warranted.

2. Where an incident of unauthorized access to member information involves member information systems maintained by a credit union's service providers, it is the responsibility of the credit union to notify the credit union's members and regulator. However, a credit union may authorize or contract with its service provider to notify the credit union's members or regulators on its behalf.

III. Member Notice

i. Credit unions have an affirmative duty to protect their members' information against unauthorized access or use. Notifying members of a security incident involving the unauthorized access or use of the member's information in accordance with the standard set forth below is a key part of that duty.

ii. Timely notification of members is important to manage a credit union's reputation risk. Effective notice also may reduce a credit union's legal risk, assist in maintaining good member relations, and enable the credit union's members to take steps to protect themselves against the consequences of identity theft. When member notification is warranted, a credit union may not forgo notifying its customers of an incident because the credit union believes that it may be potentially embarrassed or inconvenienced by doing so.

A. Standard for Providing Notice

When a credit union becomes aware of an incident of unauthorized access to sensitive member information, the credit union should conduct a reasonable investigation to promptly determine the likelihood that the information has been or will be misused. If the credit union determines that misuse of its information about a member has occurred or is reasonably possible, it should notify the affected member as soon as possible. Member notice may be delayed if an appropriate law enforcement agency determines that notification will interfere with a criminal investigation and provides the credit union with a written request for the delay. However, the credit union should notify its members as soon as notification will no longer interfere with the investigation.

1. Sensitive Member Information

Under Part 748.0, a credit union must protect against unauthorized access to or use of member information that could result in substantial harm or inconvenience to any member. Substantial harm or inconvenience is most likely to result from improper access to sensitive member information because this type of information is most likely to be misused, as in the commission of identity theft.

For purposes of this Guidance, sensitive member information means a member's name, address, or telephone number, in conjunction with the member's social security number, driver's license number, account number, credit or debit card number, or a personal identification number or password that would permit access to the member's account. Sensitive member information also includes any combination of components of member information that would allow someone to log onto or access the member's account, such as user name and password or password and account number.

2. Affected Members

If a credit union, based upon its investigation, can determine from its logs or other data precisely which members' information has been improperly accessed, it may limit notification to those members with regard to whom the credit union determines that misuse of their information has occurred or is reasonably possible. However, there may be situations where the credit union determines that a group of files has been accessed improperly, but is unable to identify which specific member's information has been accessed. If the circumstances of the unauthorized access lead the credit union to determine that misuse of the information is reasonably possible, it should notify all members in the group.

B. Content of Member Notice

1. Member notice should be given in a clear and conspicuous manner. The notice should describe the incident in general terms and the type of member information that was the subject of unauthorized access or use. It also should generally describe what the credit union has done to protect the members' information from further unauthorized access. In addition, it should include a telephone number that members can call for further information and assistance. 13 The notice also should remind members of the need to remain vigilant over the next twelve to twenty-four months, and to promptly report incidents of suspected identity theft to the credit union. The notice should include the following additional items, when appropriate:

13 The credit union should, therefore, ensure that it has reasonable policies and procedures in place, including trained personnel, to respond appropriately to member inquiries and requests for assistance.

a. A recommendation that the member review account statements and immediately report any suspicious activity to the credit union;

b. A description of fraud alerts and an explanation of how the member may place a fraud alert in the member's consumer reports to put the member's creditors on notice that the member may be a victim of fraud;

c. A recommendation that the member periodically obtain credit reports from each nationwide credit reporting agency and have information relating to fraudulent transactions deleted;

d. An explanation of how the member may obtain a credit report free of charge; and

e. Information about the availability of the FTC's online guidance regarding steps a consumer can take to protect against identity theft. The notice should encourage the member to report any incidents of identity theft to the FTC, and should provide the FTC's Web site address and toll-free telephone number that members may use to obtain the identity theft guidance and report suspected incidents of identity theft. 14

14 Currently, the FTC Web site for the ID Theft brochure and the FTC Hotline phone number are http://www.ftc.gov/idtheft and 1-877-IDTHEFT. The credit union may also refer members to any materials developed pursuant to section 15(1)(b) of the FACT Act (educational materials developed by the FTC to teach the public how to prevent identity theft).

2. NCUA encourages credit unions to notify the nationwide consumer reporting agencies prior to sending notices to a large number of members that include contact information for the reporting agencies.

C. Delivery of Member Notice

Member notice should be delivered in any manner designed to ensure that a member can reasonably be expected to receive it. For example, the credit union may choose to contact all members affected by telephone or by mail, or by electronic mail for those members for whom it has a valid e-mail address and who have agreed to receive communications electronically.

[70 FR 22778, May 2, 2005, as amended at 85 FR 62214, Oct. 2, 2020; 88 FR 12817, Mar. 1, 2023]