National Credit Union Administration (NCUA)
In 2001, NCUA amended 12 CFR Part 748 to fulfill a requirement in Section 501 of Gramm-Leach-Bliley (GLB) to modernize the nation’s financial services industries, updating the ways financial companies are allowed to do business and take advantage of advanced technologies. As a result of GLB, the need to protect the integrity and privacy of member data was highlighted.
Title V of GLB focuses specifically on privacy and the protections of member data. It requires specific privacy and security measures be in place at financial institutions by July 1, 2001. The act applies to all national banks and the federal branches of foreign banks that are subject to the supervision of the Federal Reserve System, the Office of Thrift Supervision, the Office of the Comptroller of the Currency, or the Federal Deposit Insurance Corporation.
Section 501 of Subtitle A of Title V, entitled Protection of Nonpublic Personal Information, limits the instances in which financial institutions may disclose nonpublic personal information about a member to nonaffiliated third parties, and requires them to disclose certain privacy policies and practices and to establish safeguards to protect that information.
Subtitle A, Section 501a states: Each financial institution has an affirmative and continuing obligation to respect the privacy of its members and to protect the security and confidentiality of those members’ nonpublic personal information.
Subtitle B, Section 501b states: Each agency shall establish appropriate standards for the financial institutions within their jurisdiction relating to administration, technical, and physical safeguards:
Since these guidelines were issued under the authority of Section 39 of the Federal Deposit Insurance Act and Section 39 does not apply to NCUA, the NCUA Board amended regulation 12 CFR Part 748 Appendix A on January 30, 2001.
Appendix A is intended to “outline industry best practices and assist credit unions to develop meaningful and effective security programs to ensure compliance.”
Guidelines require each credit union to “Implement a comprehensive written information security program that includes administrative, technical, and physical safeguards.” The following are the basic elements every institution must apply in developing a comprehensive information security program.
These guidelines emphasize that the security of member information is not a discrete event, but an ongoing and dynamic process that must be maintained and adjusted.
Appendix B describes NCUA’s expectations that every credit union develop a response program to include:
Using Pivot Group to assist with Reg 748 Compliance
For more information about Reg 748, please refer to our Resource Guide.