Overview

In 2001, NCUA amended 12 CFR Part 748 to fulfill a requirement in Section 501 of Gramm-Leach-Bliley (GLB) to modernize the nation’ financial services industries, updating the ways financial companies are allowed to do business, and take advantage of advanced technologies. As a result of GLB, the need to protect the integrity and privacy of member data were highlighted.

Title V of GLB focuses specifically on privacy and the protections of member data. It requires specific privacy and security measures be in place at financial institutions by July 1, 2001. The act applies to all national banks and the federal branches of foreign banks that are subject to the supervision of the Federal Reserve System, the Office of Thrift Supervision, the Office of the Comptroller of the Currency, or the Federal Deposit Insurance Corporation.

Section 501 of Subtitle A of Title V, entitled Protection of Nonpublic Personal Information, limits the instances in which financial institutions may disclose nonpublic personal information about a member to nonaffiliated third parties, requires them to disclose certain privacy policies and practices as well as establish safeguards to protect that information.

Subtitle A, Section 501a states: Each financial institution has an affirmative and continuing obligation to respect the privacy of its members and to protect the security and confidentiality of those members’ nonpublic personal information.

Subtitle B, Section 501b states: Each agency shall establish appropriate standards for the financial institutions within their jurisdiction relating to administration, technical, and physical safeguards:

• to insure the security and confidentiality of member records and information;
• to protect against any anticipated threats or hazards to the security or integrity of such records; and
• to protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any member.

Since these guidelines where issued under the authority of Section 39 of the Federal Deposit Insurance Act and Section 39 does not apply to NCUA, the NCUA Board amended regulation 12 CFR Part 748 Appendix A, January 30, 2001.

Appendix A is intended to “outline industry best practices and assist credit unions to develop meaningful and effective security programs to ensure compliance.

Guidelines require each credit union to “Implement a comprehensive written information security program that includes administrative, technical, and physical safeguards.” The following are the basic elements every institution must apply in developing a comprehensive information security program.

1. Involve the Board of Directors to approve and oversee the program.
2. Identify and Assess risks to member information.
3. Manage and Control risk to member information.
4. Require service providers, by contract, to implement safeguards for member information.
5. Adjust the Program to reflect changing conditions.
6. Report to the Board annually at a minimum.
7. Implement these standards by July 1, 2001.

These guidelines emphasize that the security of member information is not a discrete event, but an ongoing and dynamic process that must be maintained and adjusted.

Appendix B describes NCUA’s expectations that every credit union develop a response program to include:

1. Assess nature and scope of an incident
2. Notify the appropriate NCUA regional director
3. Consistent with NCUA’s Suspicious Activity Report
4. Take appropriate steps to contain and control the incident
5. Notify members when warned

Using Pivot Group to assist with Reg 748 Compliance

• Policies, Processes, and Procedures Reviews and Improvement
• Risk Assessments
• Monitoring, Auditing, and Reporting
• Technology Recommendations and Deployment
• Best Practice Education
• Incident Response Program Development

For more information about Reg 748, please refer to our Resource Guide.