Guidelines for Safeguarding Member Information
Primary source
Metadata and text below are from the Federal Register, a public-domain U.S. government work. Always verify the official published version before relying on it for any legal matter.
<html>
<head>
<title>Federal Register, Volume 90 Issue 236 (Thursday, December 11, 2025)</title>
</head>
<body><pre>
[Federal Register Volume 90, Number 236 (Thursday, December 11, 2025)]
[Proposed Rules]
[Pages 57399-57401]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2025-22489]
-----------------------------------------------------------------------
NATIONAL CREDIT UNION ADMINISTRATION
12 CFR Part 748
RIN 3133-AF76
Guidelines for Safeguarding Member Information
AGENCY: National Credit Union Administration (NCUA).
ACTION: Proposed rule.
-----------------------------------------------------------------------
SUMMARY: The NCUA Board (Board) is proposing to remove Appendix A to
part 748, guidelines for safeguarding member information, from the Code
of Federal Regulations (CFR). Appendix A was issued to satisfy the
NCUA's statutory obligation to establish appropriate standards for
federally insured credit unions (FICUs) to protect the security and
confidentiality of customer records and information and to protect
against unauthorized access to or use of such records. The Board now
believes that the placement of Appendix A in the CFR may be confusing
because Appendix A is not a regulation but rather a set of guidelines
intended to assist FICUs with their statutory compliance obligations.
The Board will remove Appendix A from the CFR and publish its contents
as a Letter to Credit Unions, which enables more efficient revisions,
and streamlines the NCUA's regulations.
DATES: Comments must be received on or before February 9, 2026.
ADDRESSES: Comments may be submitted in one of the following ways.
(Please send comments by one method only):
<bullet> Federal eRulemaking Portal: <a href="https://www.regulations.gov">https://www.regulations.gov</a>.
The docket number for this proposed rule is NCUA-2025-1304. Follow the
``Submit a comment'' instructions. If you are reading this document on
<a href="http://federalregister.gov">federalregister.gov</a>, you may use the green ``SUBMIT A PUBLIC COMMENT''
button beneath this rulemaking's title to submit a comment to the
<a href="http://regulations.gov">regulations.gov</a> docket. A plain language summary of the proposed rule
is also available on the docket website.
<bullet> Mail: Address to Melane Conyers-Ausbrooks, Secretary of
the Board, National Credit Union Administration, 1775 Duke Street,
Alexandria, Virginia 22314-3428.
<bullet> Hand Delivery/Courier: Same as mailing address.
Mailed and hand-delivered comments must be received by the close of
the comment period.
Public inspection: Please follow the search instructions on <a href="https://www.regulations.gov">https://www.regulations.gov</a> to view the public comments. Do not include any
personally identifiable information (such as name, address, or other
contact information) or confidential business information that you do
not want publicly disclosed. All comments are public records; they are
publicly displayed exactly as received, and will not be deleted,
modified, or redacted. Comments may be submitted anonymously. If you
are unable to access public comments on the internet, you may contact
the NCUA for alternative access by calling (703) 518-6540 or emailing
OGCMail@ncua.gov.
FOR FURTHER INFORMATION CONTACT: Gira Bose, Senior Staff Attorney, at
(703) 518-6540 or at 1775 Duke Street, Alexandria, VA 22314.
SUPPLEMENTARY INFORMATION:
I. Introduction
A. Background
In November 1999, Congress passed the Gramm-Leach-Bliley Act
(GLBA).\1\ Section 501 of GLBA, entitled Protection of Nonpublic
Personal Information, required the NCUA, the federal banking agencies
(FBAs), and other regulators to establish appropriate standards for
financial institutions subject to their respective jurisdictions
relating to administrative, technical, and physical safeguards for
customer records and information.\2\ These safeguards are intended to:
(1) insure [sic] \3\ the security and confidentiality of customer
records and information, (2) protect against any anticipated threats or
hazards to the security or integrity of such records, and (3) protect
against unauthorized access to or use of such records or information
that would result in substantial harm or inconvenience to any
customer.\4\
---------------------------------------------------------------------------
\1\ 15 U.S.C. 6801 et seq. (Nov. 12, 1999).
\2\ Id. At this time, ``federal banking agencies'' refers to the
Office of the Comptroller of the Currency, the Federal Reserve
Board, and the Federal Deposit Insurance Corporation, although at
the time of GLBA's passage the term included the now-defunct Office
of Thrift Supervision.
\3\ The statute uses the word ``insure,'' but should likely read
``ensure.''
\4\ 15 U.S.C. 6801(b).
---------------------------------------------------------------------------
After passage of GLBA, the Board determined that the standards
required by GLBA could be most effectively adopted through an amendment
to the NCUA's existing regulation governing security programs in
FICUs.\5\ This approach was, by design, consistent with that of the
FBAs: NCUA staff worked with the FBAs to align the agency's guidance
with the guidelines approved by the
[[Page 57400]]
FBAs.\6\ Thus, the NCUA adopted the standards required under GLBA as an
appendix to part 748. The resulting Appendix A is intended to provide
FICUs with guidance in developing the security program required under
Sec. 748.0.
---------------------------------------------------------------------------
\5\ 66 FR 8152 (Jan. 30, 2001).
\6\ 65 FR 35162 (June 1, 2000).
---------------------------------------------------------------------------
Appendix A has been amended over the years to reflect new
requirements and maintain consistency with comparable regulations and
guidelines issued by the FBAs. In 2004, the agency revised Appendix A
to incorporate amendments to the Fair Credit Reporting Act (FCRA) with
respect to the proper disposal of consumer information.\7\ Section 216
of the Fair and Accurate Credit Transactions Act (FACT Act) added a new
section to FCRA that was designed to protect a consumer against the
risks associated with unauthorized access to information about the
consumer contained in a consumer report. The FACT Act made mandatory
the NCUA's practice of maintaining consistency with GLBA through
consistency and consultation with the FBAs. The changes to Appendix A
were intended to provide guidance to FCUs for compliance with Sec.
717.83 and were done in consultation with the FBAs.\8\
---------------------------------------------------------------------------
\7\ The Fair Credit Reporting Act, 15 U.S.C. 1681s(b) and 1681w,
as amended by the Fair and Accurate Credit Transactions Act of 2003,
15 U.S.C. 1681s.
\8\ 69 FR 69269 (Nov. 29, 2004). While the FACT Act applied only
to FCUs and the changes to the guidelines were done to assist FCUs
in complying with Sec. 717.83, as drafted, the changes to the
Appendix A guidance apply to all FICUs. As the Board explained in
the preamble to the 2004 changes, ``the requirements of this final
rule only apply to FCUs, while federally insured state-chartered
credit unions are subject to the jurisdiction of the FTC on this
matter. The NCUA believes, however, that federally insured state
charters may find this guidance helpful in adopting meaningful and
effective security programs that deal with the disposal of consumer
information.''
---------------------------------------------------------------------------
In 2012 and 2013, the Board again amended part 748 and Appendix A
with technical changes mandated by the Dodd-Frank Wall Street Reform
and Consumer Protection Act (Dodd-Frank Act) and based on the NCUA's
rolling, 3-year regulatory review.\9\ The Dodd-Frank Act, among other
things, transferred rulemaking authority for many consumer protection
regulations from the Federal Reserve Board to the Consumer Financial
Protection Bureau (CFPB).\10\ As a result, the NCUA was required to
update certain cross citations within its regulations and rescind part
716 governing the ``Privacy of Consumer Financial Information'' under
GLBA.\11\
---------------------------------------------------------------------------
\9\ 77 FR 71085 (Nov. 29, 2012); 78 FR 32541 (May 31, 2013).
\10\ 12 U.S.C. 5581(b)(6) (July 21, 2010).
\11\ 12 CFR part 716. To assist FICUs, the part 716 heading was
retained with a cross citation to the CFPB's republished version of
the regulation at 12 CFR part 1016.
---------------------------------------------------------------------------
B. Legal Authority
The Board is issuing this proposed rule pursuant to its authority
under the Federal Credit Union Act (FCU Act).\12\ Under the FCU Act,
the NCUA is the chartering and supervisory authority for federal credit
unions (FCUs) and the federal supervisory authority for federally
insured credit unions (FICUs). The FCU Act grants the NCUA a broad
mandate to issue regulations governing both FCUs and FICUs. Section 120
of the FCU Act is a general grant of regulatory authority and
authorizes the Board to prescribe regulations for the administration of
the FCU Act.\13\ Section 209 of the FCU Act is a plenary grant of
regulatory authority to the NCUA to issue regulations necessary or
appropriate to carry out its role as share insurer for all FICUs.\14\
The FCU Act also includes an express grant of authority for the Board
to subject federally chartered central, or corporate, credit unions to
such rules, regulations, and orders as the Board deems appropriate.\15\
---------------------------------------------------------------------------
\12\ 12 U.S.C. 1751 et seq.
\13\ 12 U.S.C. 1766(a).
\14\ 12 U.S.C. 1789.
\15\ 12 U.S.C. 1766(a).
---------------------------------------------------------------------------
II. Proposed Rule
The Board is issuing this proposed rule to remove Appendix A from
the CFR. The Board believes that the information conveyed in Appendix A
can be provided through Letters to Credit Unions, thereby reinforcing
its intended use as nonbinding guidance. The Board believes that
issuing Appendix A alongside part 748 may give the false impression
that it is a legally binding rule rather than merely an aid to credit
unions in satisfying the regulatory requirements of part 748.
The Board seeks comments on all aspects of this proposed rule,
including any references to Appendix A in other parts of NCUA's
regulations that may need to be revised.
As discussed above, Appendix A was first issued to meet a statutory
requirement, and it has been amended several times to reflect new
statutory requirements and to remain consistent with guidelines issued
by the FBAs. The Board considered retaining Appendix A in its current
form for two reasons. First, the current practice ensures the agency
reviews Appendix A once every three years as part of its one-third
regulatory review process. Second, maintaining Appendix A as part of
the NCUA's regulations also guarantees that any changes, whether
technical or substantive, are published in the Federal Register,
typically with an opportunity for public notice and comment (unless an
exemption under the Administrative Procedure Act applies).
However, the Board now believes that streamlining the NCUA's
regulations and creating a greater separation between binding
regulations and nonbinding guidelines outweighs the benefits of the
current approach. The Board also believes that the Agency's adoption of
Letters to Credit Unions as a communication method is well known to the
industry and is appropriate for communicating guidelines such as those
in Appendix A. The Board is soliciting feedback on all aspects of this
proposed rule, including the option of maintaining the status quo.
III. Regulatory Procedures
A. Providing Accountability Through Transparency Act of 2023
The Providing Accountability Through Transparency Act of 2023 (5
U.S.C. 553(b)(4)) (Act) requires that a notice of proposed rulemaking
include the internet address of a summary of not more than 100 words in
length of a proposed rule, in plain language, that must be posted on
the internet website under section 206(d) of the E-Government Act of
2002 (44 U.S.C. 3501 note) (commonly known as <a href="http://regulations.gov">regulations.gov</a>). In
summary, the Board is proposing to remove Appendix A to part 748 from
the CFR. The Board now believes that the placement of Appendix A in the
CFR may be confusing because Appendix A is not a regulation but rather
a set of guidelines intended to assist FICUs with their statutory
compliance obligations. The Board believes that moving Appendix A to a
Letter to Credit Unions is a better vehicle for conveying this
information and will help to streamline NCUA's regulations.
The proposal and the required summary can be found at <a href="https://www.regulations.gov">https://www.regulations.gov</a>.
B. Executive Orders 12866, 13563, and 14192
Pursuant to Executive Order 12866 (``Regulatory Planning and
Review''), as amended by Executive Order 14215, a determination must be
made whether a regulatory action is significant and therefore subject
to review by the Office of Management and Budget (OMB) in accordance
with the requirements of the
[[Page 57401]]
Executive Order.\16\ Executive Order 13563 (``Improving Regulation and
Regulatory Review'') supplements and reaffirms the principles,
structures, and definitions governing contemporary regulatory review
established in Executive Order 12866.\17\ This proposed rule was
drafted and reviewed in accordance with Executive Order 12866 and
Executive Order 13563. OMB has determined that this proposed rule is
not a ``significant regulatory action'' as defined in section 3(f)(1)
of Executive Order 12866. Further, this proposed rule is consistent
with Executive Order 13563. This proposed rule will streamline the
NCUA's regulations by removing nonbinding guidelines.
---------------------------------------------------------------------------
\16\ 58 FR 51735 (Oct. 4, 1993).
\17\ 76 FR 3821 (Jan. 21, 2011).
---------------------------------------------------------------------------
Executive Order 14192 (``Unleashing Prosperity Through
Deregulation'') requires that any new incremental costs associated with
new regulations shall, to the extent permitted by law, be offset by the
elimination of existing costs associated with at least 10 prior
regulations.\18\ This proposed rule is expected to be a deregulatory
action for purposes of Executive Order 14192.
---------------------------------------------------------------------------
\18\ 90 FR 9065 (Feb. 6, 2025).
---------------------------------------------------------------------------
C. Regulatory Flexibility Act
The Regulatory Flexibility Act \19\ generally requires an agency to
conduct a regulatory flexibility analysis of any rule subject to notice
and comment rulemaking requirements, unless the agency certifies that
the rule will not have a significant economic impact on a substantial
number of small entities. If the agency makes such a certification, it
must publish the certification at the time of publication of either the
proposed rule or the final rule, along with a statement providing the
factual basis for such certification.\20\ For purposes of this
analysis, the NCUA considers small credit unions to be those having
under $100 million in assets.\21\ The Board fully considered the
potential economic impacts of the regulatory amendments on small credit
unions.
---------------------------------------------------------------------------
\19\ 5 U.S.C. 601 et seq.
\20\ 5 U.S.C. 605(b).
\21\ 80 FR 57512 (Sept. 24, 2015).
---------------------------------------------------------------------------
The proposed rule removes nonbinding guidelines but would retain
them in another format without substantive change. Accordingly, the
NCUA certifies the proposed rule would not have a significant economic
impact on a substantial number of small credit unions.
D. Paperwork Reduction Act
The Paperwork Reduction Act of 1995 (PRA) generally provides that
an agency may not conduct or sponsor, and notwithstanding any other
provision of law, a person is not required to respond to, a collection
of information, unless it displays a currently valid OMB control
number. The PRA applies to rulemakings in which an agency creates a new
or amends existing information collection requirements. For purposes of
the PRA, an information-collection requirement may take the form of a
reporting, recordkeeping, or a third-party disclosure requirement. NCUA
has determined that the changes in the proposed rule do not create a
new information collection or revise an existing information collection
as defined by the PRA.
E. Executive Order 13132 on Federalism
Executive Order 13132 encourages certain agencies to consider the
impact of their actions on state and local interests. The NCUA, an
agency as defined in 44 U.S.C. 3502(5), complies with the executive
order to adhere to fundamental federalism principles. This proposed
rule is intended to remove nonbinding guidelines from the NCUA's
regulations. While it does affect provisions that apply to federally
insured state-chartered credit unions (FISCUs), it does not make a
substantive change. The rulemaking would therefore not
have direct effect on the states, the relationship between the national
government and the states, or on the distribution of power and
responsibilities among the various levels of government.
F. Assessment of Federal Regulations and Policies on Families
The NCUA has determined that this proposed rule would not affect
family well-being within the meaning of section 654 of the Treasury and
General Government Appropriations Act, 1999.\22\ The proposed rule
removes nonbinding guidelines from the NCUA's regulations, and any
effect on family well-being is expected to be indirect.
---------------------------------------------------------------------------
\22\ Public Law 105-277, 112 Stat. 2681 (1998).
---------------------------------------------------------------------------
List of Subjects in 12 CFR Part 748
Administrative practice and procedure, Banks, Banking, Credit,
Credit unions, Personally identifiable information, Privacy, Reporting
and recordkeeping requirements.
By the National Credit Union Administration Board, this 8th day
of December 2025.
Melane Conyers-Ausbrooks,
Secretary of the Board.
For the reasons stated in the preamble, the Board proposes to
revise part 748 as follows:
PART 748--SECURITY PROGRAM, SUSPICIOUS TRANSACTIONS, CATASTROPHIC
ACTS, CYBER INCIDENTS, AND BANK SECRECY ACT COMPLIANCE
<bullet> 1. The authority citation for part 748 continues to read as follows:
Authority: 12 U.S.C. 1766(a), 1786(b)(1), 1786(q), 1789(a)(11);
15 U.S.C. 6801-6809; 31 U.S.C. 5311 and 5318.
<bullet> 2. The table of contents is revised to read as follows:
Sec.
748.0 Security Program.
748.1 Filing of Reports.
748.2 Procedures for monitoring Bank Secrecy Act (BSA) compliance.
Appendix A to Part 748--Guidance on Response Programs for
Unauthorized Access to Member Information and Member Notice.
<bullet> 3. Remove Appendix A to part 748--Guidelines for Safeguarding Member
Information.
[FR Doc. 2025-22489 Filed 12-10-25; 8:45 am]
BILLING CODE 7535-01-P
</pre></body>
</html>