Guidance on Response Programs for Unauthorized Access to Member Information and Member Notice
Primary source
Metadata and text below are from the Federal Register, a public-domain U.S. government work. Always verify the official published version before relying on it for any legal matter.
Abstract
The NCUA Board (Board) is proposing to remove Appendix B to part 748, Guidance on Response Programs for Unauthorized Access to Member Information and Member Notice. Appendix B was issued in June 2005. Its purpose was to provide federally insured credit unions (FICUs) with guidance for creating programs to address and respond to instances of unauthorized access to member information. The Board now believes that the placement of Appendix B in the Code of Federal Regulations (CFR) may be confusing because Appendix B itself is guidance to assist FICUs in developing the response programs required pursuant to regulation. The Board instead would publish the content of Appendix B as guidance. This will be a better vehicle for conveying and updating this information and will help to streamline NCUA's regulations.
Full Text
<html>
<head>
<title>Federal Register, Volume 90 Issue 236 (Thursday, December 11, 2025)</title>
</head>
<body><pre>
[Federal Register Volume 90, Number 236 (Thursday, December 11, 2025)]
[Proposed Rules]
[Pages 57397-57399]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2025-22490]
-----------------------------------------------------------------------
NATIONAL CREDIT UNION ADMINISTRATION
12 CFR Part 748
RIN 3133-AF79
Guidance on Response Programs for Unauthorized Access to Member
Information and Member Notice
AGENCY: National Credit Union Administration (NCUA).
ACTION: Proposed rule.
-----------------------------------------------------------------------
SUMMARY: The NCUA Board (Board) is proposing to remove Appendix B to
part 748, Guidance on Response Programs for Unauthorized Access to
Member Information and Member Notice. Appendix B was issued in June
2005. Its purpose was to provide federally insured credit unions
(FICUs) with guidance for creating programs to address and respond to
instances of unauthorized access to member information. The Board now
believes that the placement of Appendix B in the Code of Federal
Regulations (CFR) may be confusing because Appendix B itself is
guidance to assist FICUs in developing the response programs required
pursuant to regulation. The Board instead would publish the content of
Appendix B as guidance. This will be a better vehicle for conveying and
updating this information and will help to streamline NCUA's
regulations.
DATES: Comments must be received on or before February 9, 2026.
ADDRESSES: You may submit written comments by any of the following
methods identified by RIN (Please send comments by one method only):
<bullet> Federal eRulemaking Portal: <a href="https://www.regulations.gov">https://www.regulations.gov</a>.
Follow the instructions for submitting comments for Docket Number NCUA-
2025-1305.
<bullet> Mail: Address to Melane Conyers-Ausbrooks, Secretary of
the Board, National Credit Union Administration, 1775 Duke Street,
Alexandria, Virginia 22314-3428.
<bullet> Hand Delivery/Courier: Same as mail address.
Mailed and hand-delivered comments must be received by the close of
the comment period.
Public Inspection: All public comments are available on the Federal
eRulemaking Portal at <a href="https://www.regulations.gov">https://www.regulations.gov</a> as submitted, except
when impossible for technical reasons. Public comments will not be
edited to remove any identifying or contact information. If you are
unable to access public comments on the internet, you may contact NCUA
for alternative access by calling (703) 518-6540 or emailing
<a href="mailto:OGCMail@ncua.gov">OGCMail@ncua.gov</a>.
FOR FURTHER INFORMATION CONTACT: Gira Bose, Senior Staff Attorney, at
(703) 518-6540 or at 1775 Duke Street, Alexandria, VA 22314.
SUPPLEMENTARY INFORMATION:
I. Introduction
A. Background
On May 2, 2005, the Board issued a final rule to revise 12 CFR part
748 to include a requirement that FICUs respond to incidents of
unauthorized access to member information.\1\ Appendix B, entitled
Guidance on Response Programs for Unauthorized Access to Member
Information and Member Notice, was included in the final rule to assist
FICUs in developing and maintaining their response programs. It was a
further interpretation of the Gramm-Leach-Bliley Act's requirement that
NCUA and other regulators adopt standards for safeguarding customer
information that financial institutions could adopt.\2\
---------------------------------------------------------------------------
\1\ 70 FR 22764 (May 2, 2005).
\2\ 15 U.S.C. 6801 et seq. (Nov. 12, 1999). Appendix B was
issued in consultation with the federal banking agencies (FBAs),
comprising the Office of the Comptroller of the Currency, the
Federal Reserve Board, the Federal Deposit Insurance Corporation,
and the now-defunct Office of Thrift Supervision. The FBAs issued
similar guidance on a joint basis. 70 FR 15736 (Mar. 29, 2005).
---------------------------------------------------------------------------
Appendix B notes that each year, millions of Americans throughout
the country fall victim to identity theft as a result of the misuse of
their personal information obtained by identity thieves from a number
of sources, including credit unions.\3\ It goes on to state that, as a
result, credit unions should take preventative measures to safeguard
member information against such attempts, and to do so in a way that is
appropriate to the size and complexity of the credit union and the
nature and scope of its activities. Thus, Appendix B is designed to be
risk-based and to give FICUs discretion in addressing incidents of
unauthorized access to or use of member information that could result
in substantial harm or inconvenience to a member.
---------------------------------------------------------------------------
\3\ 12 CFR 748 App. B (II)(i).
---------------------------------------------------------------------------
B. Legal Authority
The standards in Appendix B fulfill a requirement in the Gramm-
Leach-Bliley Act, through which Congress directed NCUA and other
federal regulators to establish standards for financial institutions
relating to the safeguarding of customer information.\4\ Under the
Federal Credit Union Act (FCU Act), NCUA examines all FICUs and is
required to ensure that all FICUs operate safely and soundly. In
particular, 12 U.S.C. 1786(b) compels the agency to act to correct
unsafe or unsound conditions or practices in FICUs. Sections 120 and
209 of the FCU Act are plenary grants of regulatory authority to the
Board to examine and require information and reports from credit unions
as well as issue the regulations necessary or appropriate to carry out
its roles as regulator and share insurer. Section 204 of the FCU Act
requires the Board to
[[Page 57398]]
appoint examiners who shall have the power to thoroughly examine the
affairs of (FICUs) and report to the Board. Section 206 of the FCU Act
requires the agency to impose corrective measures whenever, in the
opinion of the Board, any credit union is engaged in or has engaged in
unsafe or unsound practices in conducting its business. Accordingly,
the FCU Act grants the Board broad rulemaking authority to protect
credit unions, their member owners, and the National Credit Union Share
Insurance Fund.
---------------------------------------------------------------------------
\4\ 15 U.S.C. 6801 et seq. (Nov. 12, 1999).
---------------------------------------------------------------------------
II. Proposed Rule
The Board is now issuing this proposed rule to remove Appendix B
from the CFR. The Board believes that the information conveyed in
Appendix B can be just as easily communicated by a Letter to Credit
Unions, which would have the advantage of being better recognized by
FICUs as nonbinding guidance. The Board believes that issuing Appendix
B alongside part 748 may give the false impression that it is a legally
binding rule rather than an aid to credit unions that can help them
meet the regulatory requirements of part 748. The Board seeks comments
on all aspects of this proposed rule, including any references to
Appendix B in other parts of NCUA's regulations that may need to be
revised.
The Board considered retaining Appendix B in its current form. The
current practice ensures the agency reviews Appendix B once every three
years as part of its one-third regulatory review process. Maintaining
Appendix B as part of NCUA's regulations also guarantees that any
changes, whether technical or substantive, are published in the Federal
Register typically with an opportunity for public notice and comment
(unless an exception under the Administrative Procedure Act applies).
Maintaining the current placement would maintain comparability with the
FBAs whose guidance is also located in the CFR. However, the Board now
believes that streamlining NCUA's regulations and creating a greater
separation between binding regulations and nonbinding guidelines
outweighs the benefits of the current approach. The Board also believes
that the Agency's adoption of separate guidance is appropriate for
communicating guidelines such as those in Appendix B. The Board is
soliciting feedback on all aspects of this proposed rule, including the
option of maintaining the status quo.
III. Regulatory Procedures
A. Providing Accountability Through Transparency Act of 2023
The Providing Accountability Through Transparency Act of 2023 (5
U.S.C. 553(b)(4)) requires that a notice of proposed rulemaking include
the internet address of a summary of not more than 100 words in length
of a proposed rule, in plain language, that shall be posted on the
internet website under section 206(d) of the E-Government Act of 2002
(44 U.S.C. 3501 note) (commonly known as <a href="http://regulations.gov">regulations.gov</a>).
In summary, the Board is proposing to remove Appendix B to part
748, Guidance on Response Programs for Unauthorized Access to Member
Information and Member Notice. The Board believes that moving Appendix
B to a Letter to Credit Unions is a better vehicle for conveying this
information and will help to streamline the NCUA's regulations. The
intended effect is to simplify the regulatory text and make it easier
to navigate, without altering any substantive compliance obligations.
The proposed rule and the required summary are available at <a href="https://www.regulations.gov">https://www.regulations.gov</a>.
B. Executive Orders 12866, 13563, and 14192
Pursuant to Executive Order 12866 (``Regulatory Planning and
Review''), as amended by Executive Order 14215, a determination must be
made whether a regulatory action is significant and therefore subject
to review by the Office of Management and Budget (OMB) in accordance
with the requirements of the Executive Order. OMB has determined that
this proposed rule is not a ``significant regulatory action'' as
defined in section 3(f)(1) of Executive Order 12866.
Executive Order 13563 (``Improving Regulations and Regulatory
Review'') directs executive agencies to analyze regulations that are
``outmoded, ineffective, insufficient, or excessively burdensome, and
to modify, streamline, expand, or repeal them in accordance with what
has been learned.'' Executive Order 13563 also directs that, where
relevant, feasible, and consistent with regulatory objectives, and to
the extent permitted by law, agencies are to identify and consider
regulatory approaches that reduce burdens and maintain flexibility and
freedom of choice for the public. This proposed rule will streamline
the NCUA's regulations by removing nonbinding guidelines. This proposed
rule is consistent with Executive Order 13563.
Executive Order 14192 (``Unleashing Prosperity Through
Deregulation'') requires that any new incremental costs associated with
new regulations shall, to the extent permitted by law, be offset by the
elimination of existing costs associated with at least 10 prior
regulations.\18\ This proposed rule is expected to be a deregulatory
action for purposes of Executive Order 14192.
C. The Regulatory Flexibility Act
The Regulatory Flexibility Act generally requires an agency to
conduct a regulatory flexibility analysis of any rule subject to notice
and comment rulemaking requirements, unless the agency certifies that
the rule will not have a significant economic impact on a substantial
number of small entities.\5\ If the agency makes such a certification,
it shall publish the certification at the time of publication of either
the proposed rule or the final rule, along with a statement providing
the factual basis for such certification.\6\ For purposes of this
analysis, the NCUA considers small credit unions to be those having
under $100 million in assets.\7\ The Board fully considered the
potential economic impacts of the regulatory amendments on small credit
unions. The proposed rule removes nonbinding guidelines but would
retain them in another format without substantive change. Accordingly,
the NCUA certifies that the proposed rule would not have a significant
economic impact on a substantial number of small credit unions.
D. The Paperwork Reduction Act
The Paperwork Reduction Act of 1995 (PRA) generally provides that
an agency may not conduct or sponsor, and notwithstanding any other
provision of law, a person is not required to respond to, a collection
of information, unless it displays a currently valid OMB control
number. The PRA applies to rulemakings in which an agency creates a new
or amends existing information collection requirements. For purposes of
the PRA, an information-collection requirement may take the form of a
reporting, recordkeeping, or a third-party disclosure requirement. The
NCUA has determined that the changes in the proposed rule do not create
a new information collection or revise an existing information
collection as defined by the PRA.
E. Analysis on Executive Order 13132 on Federalism
Executive Order 13132 encourages certain agencies to consider the
impact of their actions on state and local interests. The NCUA, an
agency as
[[Page 57399]]
defined in 44 U.S.C. 3502(5), complies with the executive order to
adhere to fundamental federalism principles. This proposed rule is
intended to remove nonbinding guidelines from the NCUA's regulations.
While it does impact provisions that apply to FISCUs, it does not make
a substantive change and is not intended to affect the division of
responsibilities between the NCUA and state regulatory authorities.
F. Assessment of Federal Regulations and Policies on Families
The NCUA has determined that this proposed rule would not affect
family well-being within the meaning of section 654 of the Treasury and
General Government Appropriations Act, 1999. The proposed rule removes
nonbinding guidelines from the NCUA's regulations, and any effect on
family well-being is expected to be indirect.
List of Subjects in 12 CFR Part 748
Administrative practice and procedure, Banks, banking, Credit,
Credit unions, Personally identifiable information, Privacy, Reporting
and recordkeeping requirements.
By the National Credit Union Administration Board, this 8th day
of December 2025.
Melane Conyers-Ausbrooks,
Secretary of the Board.
For the reasons stated in the preamble, the NCUA Board proposes to
amend 12 CFR part 748 as follows:
PART 748--SECURITY PROGRAM, SUSPICIOUS TRANSACTIONS, CATASTROPHIC
ACTS, CYBER INCIDENTS, AND BANK SECRECY ACT COMPLIANCE
1. The authority citation for part 748 continues to read as follows:
Authority: 12 U.S.C. 1766(a), 1786(b)(1), 1786(q), 1789(a)(11);
15 U.S.C. 6801-6809; 31 U.S.C. 5311 and 5318.
2. The table of contents is amended to read as follows:
Sec.
748.0 Security Program.
748.1 Filing of Reports.
748.2 Procedures for monitoring Bank Secrecy Act (BSA) compliance.
3. Remove Appendix B to part 748--Guidance on Response Programs for
Unauthorized Access to Member Information and Member Notice.
[FR Doc. 2025-22490 Filed 12-10-25; 8:45 am]
BILLING CODE 7535-01-P
</pre></body>
</html>