WEBVTT

NOTE
This file was generated by Descript 

00:00:00.469 --> 00:00:02.339
Samantha: Hello, this is Samantha Shares.

00:00:02.880 --> 00:00:07.269
This episode covers Guidance on Response
Programs for Unauthorized Access to

00:00:07.269 --> 00:00:09.250
Member Information and Member Notice.

00:00:09.899 --> 00:00:12.399
The following is an audio
version of that document.

00:00:12.939 --> 00:00:16.110
This podcast is educational
and is not legal advice.

00:00:16.610 --> 00:00:20.620
We are sponsored by Credit Union
Exam Solutions Incorporated, whose

00:00:20.620 --> 00:00:23.750
team has over two hundred and
forty years of National Credit

00:00:23.750 --> 00:00:25.690
Union Administration experience.

00:00:26.239 --> 00:00:29.979
We assist our clients with N C
U A so they save time and money.

00:00:30.450 --> 00:00:34.520
If you are worried about a recent,
upcoming, or in process N C U A

00:00:34.520 --> 00:00:38.729
examination, reach out to learn how they
can assist at Mark Treichel dot com.

00:00:39.330 --> 00:00:43.540
Also check out our other podcast called
With Flying Colors where we provide tips

00:00:43.540 --> 00:00:46.110
on how to achieve success with N C U A.

00:00:46.630 --> 00:00:47.650
And now the document.

00:00:48.415 --> 00:00:52.915
The N C U A Board is proposing to remove
Appendix B to part seven forty eight.

00:00:53.535 --> 00:00:58.355
Appendix B provides guidance on response
programs for unauthorized access to member

00:00:58.355 --> 00:01:00.625
information and guidance on member notice.

00:01:01.135 --> 00:01:04.445
It was issued in two thousand five
to help federally insured credit

00:01:04.445 --> 00:01:08.865
unions create programs to address and
respond to instances of unauthorized

00:01:08.905 --> 00:01:10.645
access to member information.

00:01:10.985 --> 00:01:13.945
The Board now believes that
placing Appendix B inside the

00:01:13.945 --> 00:01:17.855
Code of Federal Regulations may be
confusing, because Appendix B is

00:01:17.855 --> 00:01:19.685
guidance rather than a binding rule.

00:01:20.185 --> 00:01:23.855
The Board proposes instead to
publish the content of Appendix B as

00:01:23.855 --> 00:01:27.425
separate guidance, which will make
it easier to update and will help

00:01:27.425 --> 00:01:29.995
streamline N C U A's regulations.

00:01:30.747 --> 00:01:34.937
Comments on this proposal must be
received within sixty days of publication.

00:01:35.447 --> 00:01:38.717
Written comments may be submitted
through Regulations dot gov under

00:01:38.717 --> 00:01:42.977
Docket Number N C U A dash two thousand
twenty five dash one three zero five,

00:01:43.297 --> 00:01:47.177
or by mail or hand delivery to the
Secretary of the Board at N C U A

00:01:47.177 --> 00:01:49.397
headquarters in Alexandria, Virginia.

00:01:50.114 --> 00:01:51.574
Supplementary information.

00:01:52.034 --> 00:01:53.454
Introduction and background.

00:01:54.084 --> 00:01:57.984
On May second, two thousand five, the
Board issued a final rule revising

00:01:57.984 --> 00:02:01.754
part seven forty eight to require
federally insured credit unions to

00:02:01.754 --> 00:02:05.554
respond to incidents of unauthorized
access to member information.

00:02:06.234 --> 00:02:09.454
Appendix B was included to
help credit unions develop and

00:02:09.454 --> 00:02:11.394
maintain these response programs.

00:02:11.954 --> 00:02:16.234
It was intended as an interpretation of
the Gramm Leach Bliley Act requirement

00:02:16.234 --> 00:02:20.464
that federal regulators adopt standards
for safeguarding customer information.

00:02:21.197 --> 00:02:25.177
Appendix B explains that millions
of Americans fall victim to identity

00:02:25.177 --> 00:02:28.907
theft each year, including through
misuse of personal information

00:02:28.907 --> 00:02:30.507
obtained from credit unions.

00:02:30.897 --> 00:02:34.817
Credit unions should take preventative
measures to safeguard member information

00:02:34.947 --> 00:02:38.717
in a way that reflects the size and
complexity of the credit union and the

00:02:38.717 --> 00:02:40.777
nature and scope of its activities.

00:02:41.297 --> 00:02:45.637
The guidance is risk based and intended
to provide flexibility so that credit

00:02:45.637 --> 00:02:49.837
unions can address incidents of
unauthorized access or use of member

00:02:49.837 --> 00:02:53.917
information that could cause substantial
harm or inconvenience to a member.

00:02:54.659 --> 00:02:55.589
Legal authority.

00:02:56.179 --> 00:03:00.509
The Gramm Leach Bliley Act requires
federal regulators to establish standards

00:03:00.509 --> 00:03:02.539
for safeguarding customer information.

00:03:03.169 --> 00:03:07.239
Under the Federal Credit Union Act,
the N C U A examines all federally

00:03:07.239 --> 00:03:11.129
insured credit unions and must
ensure safe and sound operations.

00:03:11.709 --> 00:03:15.929
The Act requires the agency to
correct unsafe or unsound practices.

00:03:16.429 --> 00:03:20.089
It provides broad authority to
require information and reports, to

00:03:20.089 --> 00:03:24.139
examine credit unions, and to take
corrective action when necessary.

00:03:24.599 --> 00:03:28.639
These authorities give the N C U A
Board the ability to issue regulations

00:03:28.639 --> 00:03:32.229
to protect credit unions, their
member owners, and the National

00:03:32.229 --> 00:03:34.299
Credit Union Share Insurance Fund.

00:03:35.093 --> 00:03:36.013
Proposed rule.

00:03:36.653 --> 00:03:40.853
The Board proposes to remove Appendix
B from the Code of Federal Regulations.

00:03:41.453 --> 00:03:44.753
The Board believes the same information
can be issued through a Letter to

00:03:44.753 --> 00:03:48.143
Credit Unions, which would make
its nonbinding nature clearer.

00:03:48.843 --> 00:03:52.043
Publishing the guidance separately
would prevent confusion about whether

00:03:52.043 --> 00:03:57.003
Appendix B is a regulation or guidance
and would streamline the regulatory text.

00:03:57.737 --> 00:04:00.997
The Board considered retaining
Appendix B in its current form.

00:04:01.537 --> 00:04:04.787
The current placement ensures
review every three years under the

00:04:04.787 --> 00:04:08.727
agency's regulatory review process
and ensures any changes would be

00:04:08.727 --> 00:04:10.437
published in the Federal Register.

00:04:10.987 --> 00:04:14.787
It also maintains comparability with
similar guidance issued by the federal

00:04:14.787 --> 00:04:19.147
banking agencies, which is also located
in the Code of Federal Regulations.

00:04:19.587 --> 00:04:22.717
However, the Board now believes
that separating the guidance from

00:04:22.717 --> 00:04:26.077
the regulation will create clearer
distinctions between binding

00:04:26.077 --> 00:04:27.857
rules and nonbinding guidance.

00:04:28.157 --> 00:04:31.567
The Board seeks comment on whether
Appendix B should be removed,

00:04:31.657 --> 00:04:35.487
retained, or modified, and whether
any cross-references in other

00:04:35.487 --> 00:04:37.497
regulations would need to be revised.

00:04:38.245 --> 00:04:39.745
Regulatory procedures.

00:04:40.305 --> 00:04:43.755
Under the Providing Accountability
Through Transparency Act, this

00:04:43.755 --> 00:04:47.775
proposed rule includes a link to a
plain-language summary of no more than

00:04:47.775 --> 00:04:50.075
one hundred words on Regulations dot gov.

00:04:50.795 --> 00:04:55.205
The summary explains that the Board
proposes to remove Appendix B and instead

00:04:55.235 --> 00:05:00.065
issue its content as guidance, simplifying
the regulatory text without altering

00:05:00.115 --> 00:05:02.465
any substantive compliance obligations.

00:05:03.140 --> 00:05:04.270
Executive Orders.

00:05:04.800 --> 00:05:08.090
The Office of Management and Budget
has determined that this proposed

00:05:08.090 --> 00:05:11.760
rule is not a significant regulatory
action under Executive Order

00:05:11.760 --> 00:05:13.880
twelve eight six six, as amended.

00:05:14.380 --> 00:05:18.700
Executive Order thirteen five six three
directs agencies to streamline and

00:05:18.700 --> 00:05:22.950
modernize regulations, and this proposal
is consistent with that direction.

00:05:23.540 --> 00:05:28.380
Under Executive Order fourteen one nine
two, agencies must offset new regulatory

00:05:28.380 --> 00:05:30.630
costs by eliminating costs elsewhere.

00:05:31.320 --> 00:05:33.890
This proposal is expected
to be deregulatory.

00:05:34.643 --> 00:05:36.453
Regulatory Flexibility Act.

00:05:37.093 --> 00:05:40.853
The N C U A certifies that the proposed
rule would not have a significant

00:05:40.883 --> 00:05:44.603
economic impact on a substantial
number of small credit unions.

00:05:45.093 --> 00:05:49.133
Removing Appendix B from regulation
and issuing it instead as guidance

00:05:49.133 --> 00:05:52.973
does not impose new requirements
or change substantive expectations.

00:05:53.593 --> 00:05:57.083
Small credit unions, defined as
those with under one hundred million

00:05:57.083 --> 00:06:01.093
dollars in assets, should not
experience material economic effects.

00:06:01.775 --> 00:06:03.255
Paperwork Reduction Act.

00:06:03.865 --> 00:06:06.345
The proposed rule does
not create or revise

00:06:06.345 --> 00:06:08.245
information-collection requirements.

00:06:08.955 --> 00:06:12.335
Therefore, no Paperwork Reduction
Act changes are required.

00:06:13.088 --> 00:06:16.248
Executive Order thirteen
one three two on federalism.

00:06:16.778 --> 00:06:20.528
The proposal removes nonbinding
guidance from the regulation and does

00:06:20.528 --> 00:06:24.128
not substantively change requirements
applicable to federally insured

00:06:24.128 --> 00:06:25.798
state-chartered credit unions.

00:06:26.298 --> 00:06:29.708
It is not intended to affect the
division of responsibility between

00:06:29.708 --> 00:06:31.448
federal and state regulators.

00:06:32.193 --> 00:06:34.093
Assessment of effects on families.

00:06:34.703 --> 00:06:37.673
The N C U A has determined
that this proposed rule would

00:06:37.673 --> 00:06:39.273
not affect family well-being.

00:06:39.893 --> 00:06:42.693
Removing nonbinding guidance
from the regulation would have

00:06:42.783 --> 00:06:44.733
only indirect effects, if any.

00:06:45.432 --> 00:06:46.612
Regulation text.

00:06:47.212 --> 00:06:51.762
For the reasons stated in the preamble,
the N C U A Board proposes to amend title

00:06:51.762 --> 00:06:56.272
twelve of the Code of Federal Regulations,
part seven forty eight, as follows.

00:06:56.732 --> 00:07:00.662
Part seven forty eight, Security
Program, Suspicious Transactions,

00:07:00.772 --> 00:07:05.022
Catastrophic Acts, Cyber Incidents,
and Bank Secrecy Act Compliance.

00:07:05.742 --> 00:07:09.642
The authority citation for part seven
forty eight continues unchanged.

00:07:10.172 --> 00:07:14.232
The table of contents is amended to
include sections seven forty eight point

00:07:14.232 --> 00:07:19.092
zero Security Program, seven forty eight
point one Filing of Reports, and seven

00:07:19.092 --> 00:07:23.432
forty eight point two Procedures for
Monitoring Bank Secrecy Act Compliance.

00:07:23.952 --> 00:07:26.792
Appendix B to part seven
forty eight is removed.

00:07:27.531 --> 00:07:28.961
This concludes the document.

00:07:29.411 --> 00:07:33.631
If your credit union could use assistance
with your exam, reach out to Mark Treichel

00:07:33.631 --> 00:07:36.061
on LinkedIn or at Mark Treichel dot com.

00:07:36.681 --> 00:07:39.341
This is Samantha Shares, and
we thank you for listening.