[Federal Register Volume 65, Number 115 (Wednesday, June 14, 2000)]
[Proposed Rules]
[Pages 37302-37308]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 00-14783]


=======================================================================
-----------------------------------------------------------------------

NATIONAL CREDIT UNION ADMINISTRATION

12 CFR Part 748


Guidelines for Safeguarding Member Information

AGENCY: National Credit Union Administration (NCUA).

ACTION: Notice of proposed rulemaking and request for comment.

-----------------------------------------------------------------------

SUMMARY: The NCUA Board is proposing a modification to the security 
program requirements to include security of member information. 
Further, the NCUA Board is requesting comment on proposed Guidelines 
for safeguarding member information published to implement certain 
provisions of the Gramm-Leach-Bliley Act (the GLB Act or Act).
    The GLB Act requires the NCUA Board to establish appropriate 
standards for federally-insured credit unions relating to 
administrative, technical, and physical safeguards for member records 
and information. These safeguards are intended to: insure the security 
and confidentiality of member records and information; protect against 
any anticipated threats or hazards to the security or integrity of such 
records; and protect against unauthorized access to or use of such 
records or information that could result in substantial harm or 
inconvenience to any member.

DATES: NCUA must receive comments not later than August 14, 2000.

ADDRESSES: Direct comments to: Becky Baker, Secretary of the Board. 
Mail or hand-deliver comments to: National Credit Union Administration, 
1775 Duke Street, Alexandria, Virginia 22314-3428. You may fax comments 
to (703) 518-6319, or e-mail comments to [email protected]. Please 
send comments by one method only.

FOR FURTHER INFORMATION CONTACT: Matthew Biliouris, Information Systems 
Officer, or Jodee Jackson, Compliance Officer, Office of Examination 
and Insurance, at the above address or telephone (703) 518-6360.

SUPPLEMENTARY INFORMATION: The contents of this preamble are listed in 
the following outline:

I. Background
II. Section-by-Section Analysis
III. Regulatory Procedures
    A. Paperwork Reduction Act
    B. Regulatory Flexibility Act
    C. Executive Order 13132
    D. Treasury and General Government Appropriations Act, 1999
IV. Agency Regulatory Goal

I. Background

    On November 12, 1999, President Clinton signed the GLB Act (Pub. L. 
106-102) into law. Section 501, entitled Protection of Nonpublic 
Personal Information, requires the NCUA Board, the federal banking 
agencies, including the Office of the Comptroller of the Currency, the 
Board of Governors of the Federal Reserve System, the Federal Deposit 
Insurance Corporation, and the Office of Thrift Supervision, the 
Securities and Exchange Commission, state insurance authorities, and 
the Federal Trade Commission (collectively, the ``Agencies'') to 
establish appropriate standards for the financial institutions subject 
to their respective jurisdictions relating to the administrative, 
technical, and physical safeguards for customer records and 
information. These safeguards are intended to: (1) Insure the security 
and confidentiality of customer records and information; (2) protect 
against any anticipated threats or hazards to the security or integrity 
of such records; and (3) protect against unauthorized access to or use 
of such records or information that would result in substantial harm or 
inconvenience to any customer.
    Section 505(b) of the GLB Act provides that these standards are to 
be implemented by the NCUA and the federal banking agencies in the same 
manner, to the extent practicable, as standards pursuant to section 
39(a) of the Federal Deposit Insurance Act (FDIA). Section 39(a) of the 
FDIA requires the federal banking agencies to establish operational and 
managerial standards for insured depository institutions relative to, 
among other things, internal controls, information systems, and 
internal audit systems, as well as such other operational and 
managerial standards as determined to be appropriate. 12 U.S.C. 
1831p(a). Section 39 of the FDIA provides for standards to be 
prescribed by guideline or by rule. 12 U.S.C. 1831p(d)(1). The FDIA 
also provides that, if an institution fails to comply with a standard 
issued as a rule, the institution must submit a compliance plan within 
particular time frames while, if an institution fails to comply with a 
standard issued as a guideline, the agency has the discretion as to 
whether to require an institution to submit a compliance plan. 12 
U.S.C. 1831p(e)(1). Section 39 of the FDIA does not apply to the NCUA, 
and the Federal Credit Union Act does not contain a similar, regulatory 
framework for the issuance and enforcement of standards. In preparation 
of NCUA's proposed regulation and appendix with guidelines, NCUA staff 
has worked with an interagency group that has included representatives 
from the federal banking agencies. The NCUA Board's understanding is 
that the federal banking agencies intend to issue proposed standards by 
guidelines that will be published as an appendix to their safety and 
soundness standards.
    The NCUA Board has determined that it can best meet the 
congressional directive to prescribe standards through an amendment to 
NCUA's existing regulation governing security programs in federally-
insured credit unions. The proposed regulation will require that 
federally-insured credit unions establish a security program addressing 
the safeguards required by the GLB Act. The Board also proposes to 
publish an appendix to the regulation that will set out guidelines, the 
text of which is substantively identical to the guidelines anticipated 
from the federal banking agencies. The guidelines are intended to 
outline industry best practices and assist credit unions to develop 
meaningful and effective security programs to ensure their compliance 
with the safeguards contained in the regulation.
    Currently, NCUA regulations require that federally-insured credit 
unions have a written security program designed to protect each credit 
union from robberies, burglaries, and embezzlement, and to assist in the 
identification of persons who attempt such crimes. Expanding the 
environment of protection to include threats or hazards to member 
information systems is a natural fit within a comprehensive security 
program. To evaluate compliance, the NCUA will expand its review of 
credit union security programs and annual certifications. This review 
will take place during safety and soundness examinations for federal 
credit unions and within the established oversight procedures for 
state-chartered, federally-insured credit unions. If a credit union 
fails to establish a security program meeting the regulatory 
objectives, the NCUA Board could take a variety of administrative 
actions. The Board could use its cease and desist authority, including 
its authority to require affirmative action to correct deficiencies in 
a credit union's security program. 12 U.S.C. 1786(e) and (f). In 
addition, the Board could employ its authority to impose civil money 
penalties. 12 U.S.C. 1786(k). A finding that a credit union is in 
violation of the requirements of proposed Sec. 748.0(b)(2) would 
typically result only if a credit union fails to establish a written 
policy or its written policy is insufficient to reasonably address the 
objectives set out in the proposed regulation.
    The proposed Guidelines apply to ``nonpublic personal information'' 
of ``members'' as those terms are defined in 12 CFR part 716, the 
Privacy Rule. Under Section 503(b)(3) of the GLB Act and part 716, 
credit unions will be required to disclose their policies and practices 
with respect to protecting the confidentiality, security, and integrity 
of nonpublic personal information as part of the initial and annual 
notices to their members. Defining terms consistently should facilitate 
the ability of credit unions to develop their privacy notices in light 
of the guidelines set forth here. NCUA derived key components of the 
proposed Guidelines from security-related supervisory guidance 
developed with the federal banking agencies through the Federal 
Financial Institutions Examination Council (FFIEC).
    The NCUA Board requests comment on all aspects of the proposed 
amendment of Sec. 748.0 and the guidelines, as well as comment on the 
specific provisions and issues highlighted in the section-by-section 
analysis below.

II. Section-by-Section Analysis

    The discussion that follows applies to the proposed rule Part 748.
    The security program in Sec. 748.0(b) previously addressed only 
those threats due to acts such as robberies, burglaries, larcenies, and 
embezzlement. In the emerging electronic marketplace, the threats to 
members, to credit unions, and to the information they share in order to 
maintain a productive, technologically competitive financial 
relationship have increased. The security programs that ensure 
protection against these emerging crimes and harmful actions must keep 
pace. Congress directed in Section 501(b) of the GLB Act that the 
Agencies establish standards to ensure financial institutions protect 
the security and confidentiality of the nonpublic personal information 
of their customers.
    To meet this directive, the proposed rule revises paragraph (b) of 
Sec. 748.0 to require that a credit union's security program include 
protections to ensure the security and confidentiality of member 
records, protect against anticipated threats or hazards to the security 
or integrity of such records, and protect against unauthorized access 
to or use of such records that could result in substantial harm or 
inconvenience to a member. This modification expands the security 
program objectives to include the emerging threats and hazards to 
members, to credit unions, and to the information they share in the 
course of their financial relationship.
    The proposed rule would have an effective date of November 13, 
2000; however, compliance would not be required until July 1, 2001. 
This is consistent with Part 716, the Privacy Rule, and the other 
Agencies. NCUA intends to maintain its 90-day compliance period for 
newly-chartered or insured credit unions found in Sec. 748.0(a). This 
section requires that each credit union establish its written security 
program within 90 days from the date of insurance. While the GLB Act 
and the other Agencies' regulations are silent as to compliance for 
newly chartered or insured institutions, NCUA believes it is reasonable 
to continue to provide this compliance time frame for such credit 
unions.
    The discussion that follows applies to the NCUA's proposed 
Guidelines.

Appendix A to Part 748--Guidelines for Safeguarding Member 
Information

I. Introduction

    Proposed paragraph I. sets forth the general purpose of the 
proposed Guidelines, which is to provide guidance to each credit 
union in establishing and implementing administrative, technical, 
and physical safeguards to protect the security, confidentiality, 
and integrity of member information. This paragraph also sets forth 
the statutory authority for the proposed Guidelines, sections 501 
and 505(b) of the GLB Act. 15 U.S.C. 6801 & 6805(b).

I.A. Scope

    Paragraph I.A. describes the scope of the proposed Guidelines. 
The proposed Guidelines can apply to all federally-insured credit 
unions.

I.B. Definitions

    Paragraph I.B. sets forth the definitions of various terms for 
purposes of the proposed Guidelines.
    I.B.1. In General. Paragraph I.B.1. provides that terms used in 
the proposed Guidelines have the same meanings as set forth in 12 
CFR part 716, except to the extent that the definition of the term 
is modified in the proposed Guidelines or where the context requires 
otherwise.
    I.B.2. Member information. Proposed paragraph I.B.2. defines 
member information. Member information includes any records, data, 
files, or other information about a member containing nonpublic 
personal information, as defined in 12 CFR 716.3(q). This includes 
records in paper, electronic, or any other form that are within the 
control of a credit union or that are maintained by any service 
provider on behalf of a credit union. Although the GLB Act uses both 
the terms ``records'' and ``information,'' for the sake of 
simplicity, in the proposed Guidelines the term ``records'' 
encompasses all member information.
    Section 501(b) refers to safeguarding the security and 
confidentiality of ``customer'' information. The term ``customer'' 
is also used in other sections of Title V of the GLB Act. The NCUA 
Board has used the term ``member'' in place of the term ``customer'' 
in implementing these sections of the GLB Act in Part 716. The term 
``member'' includes individuals who are not actually members, but 
are entitled to the same privacy protections under Part 716 as 
members. Examples of individuals that fall within the definition of 
member in Part 716 are nonmember joint account holders, nonmembers 
establishing an account at a low-income designated credit union, and 
nonmembers holding an account in a state-chartered credit union 
under state law. The term ``member'' does not cover business 
members, or consumers who have not established an ongoing 
relationship with the credit union (e.g., those consumers that 
merely use an ATM or purchase travelers checks). See 12 CFR 716.3(n) 
and (o).
    The NCUA Board proposes defining ``member'' for purposes of the 
Guidelines consistently with Part 716 to facilitate the ability of a 
credit union to develop the privacy notices and to make disclosures 
required under Section 503(b)(3). However, the NCUA Board is 
considering whether the scope of the Guidelines should address 
records for all consumers, the credit union's business account 
holders, or all of a credit union's records. The NCUA Board solicits 
comment on whether a broader definition will change the information 
security program that a credit union would implement, or, whether, 
as a practical matter, credit unions will respond to the Guidelines 
by implementing an information security program for all types of 
records under their control rather than segregating ``member'' 
records for special treatment.
    I.B.3. Member. Proposed paragraph I.B.3. defines member to 
include any member of a credit union as defined in 12 CFR 716.3(n). 
A member is a consumer who has established a continuing relationship 
with a credit union under which the credit union provides one or 
more financial products or services to the member to be used 
primarily for personal, family or household purposes.
    I.B.4. Service provider. Proposed paragraph I.B.4. defines a 
service provider as any person or entity that maintains or processes 
member information on behalf of a credit union, or is otherwise 
granted access to member information through its provision of 
services to a credit union.
    I.B.5. Member information system. Proposed paragraph I.B.5. 
defines member information system to be electronic or physical 
methods used to access, collect, store, use, transmit, and protect 
member information.

II. Standards for Safeguarding Member Information

II.A. Information Security Program

    The proposed Guidelines describe NCUA's expectations for the 
creation, implementation, and maintenance of an information security 
program. The proposed Guidelines first describe the oversight role 
of the board of directors in this process and management's 
continuing duty to evaluate and report to the credit union's board 
on the overall status of the program. The proposed Guidelines 
proceed to describe a four-step information security program that: 
(1) Identifies and assesses the risks that may threaten member 
information; (2) develops a written plan containing policies and 
procedures to manage and control these risks; (3) implements and 
tests the plan; and (4) adjusts the plan on a continuing basis to 
account for changes in technology, the sensitivity of member 
information, and internal or external threats to information 
security.
    Lastly, the proposed Guidelines describe responsibilities for 
overseeing outsourcing arrangements.
    Proposed paragraph II.A. sets forth the general requirement in 
section 501 of the GLB Act that each credit union have a 
comprehensive information security program. This program is to 
include administrative, technical, and physical safeguards 
appropriate to the size and complexity of the credit union and the 
nature and scope of its activities.

II.B. Objectives

    Proposed paragraph II.B. describes the objectives for an 
information security program. They are to ensure the security and 
confidentiality of member information, protect against any 
anticipated threats or hazards to the security or integrity of such 
information, and protect against unauthorized access to or use of 
member information that could either: (1) Result in substantial harm 
or inconvenience to any member; or (2) present a safety and 
soundness risk to the credit union.
    Unauthorized access to or use of member information does not 
include access to or use of member information with the member's 
consent. The NCUA Board requests comment on whether there are 
additional or alternative objectives that should be included in the 
Guidelines.

III. Development and Implementation of Information Security Program

III.A. Involve the Board of Directors and Management

    Proposed paragraph III.A. describes the involvement of the board 
and management in the development and implementation of an 
information security program. This paragraph specifies these board 
responsibilities: (1) Approve the credit union's written information 
security policy and program; and (2) oversee efforts to develop, 
implement, and maintain an effective information security program, 
including the regular review of management reports.
    The proposed Guidelines set forth three responsibilities for 
management as part of its implementation of the credit union's 
information security program. The first provision recognizes the 
need for an ongoing assessment of changes in technology and their 
impact on the credit union, as appropriate. On a regular basis, 
management has a responsibility to evaluate the impact on the credit 
union's security program of changing business arrangements (e.g., 
alliances, joint ventures, or outsourcing arrangements), and changes 
to member information systems.
    The second provision describes management's responsibility to 
document compliance with these Guidelines.
    The third responsibility of management is to keep the credit 
union's board of directors informed of the current status of the 
credit union's information security program. On a regular basis, 
management should report to the board on the overall status of the 
information security program, including material matters related to: 
risk assessment; risk management and control decisions; results of 
testing; attempted or actual security breaches or violations and 
responsive actions taken by management; and any recommendations for 
improvements to the information security program.
    The NCUA Board invites comment as to whether the Guidelines 
should provide that in some instances the credit union's board of 
directors should designate an Information Security Officer or other 
responsible individual who would have the authority, subject to the 
board's approval, to develop and administer the credit union's 
information security program. The NCUA Board also invites comment on 
what best practices or business models would be most appropriate for 
the assignment of these tasks, depending upon the size and 
complexity of the credit union.
    The NCUA Board invites comment regarding the appropriate 
frequency of reports to the credit union's board of directors. 
Should the Guidelines specify best practices for reporting 
intervals: monthly, quarterly, or annually? How often should 
management report to the credit union's board of directors regarding 
the credit union's information security program and why are these 
intervals appropriate?

III.B. Assess Risk

    Proposed paragraph III.B. describes the risk assessment process 
that should be developed as part of the information security 
program. First, as described in paragraph III.B.1, a credit union 
should identify and assess risks that may threaten the 
security, confidentiality, or integrity of member information, 
whether in storage, processing, or transit. The risk assessment 
should be made in light of a credit union's operations and 
technology. A credit union should determine the sensitivity of 
member information to be protected as part of this analysis.
    Next, as described in paragraph III.B.2, a credit union should 
conduct an assessment of the sufficiency of existing policies, 
procedures, member information systems, and other arrangements 
intended to control the risks identified under III.B.1.
    Finally, as described in paragraph III.B.3, a credit union 
should monitor, evaluate, and adjust its risk assessments, taking 
into consideration any technological or other changes and the 
sensitivity of the information.

III.C. Manage and Control Risk

    Proposed paragraph III.C describes the elements of a 
comprehensive risk management plan designed to control identified 
risks and to achieve the overall objective of ensuring the security 
and confidentiality of member information. Paragraph 1 identifies 
the factors a credit union should consider in evaluating the 
adequacy of its policies and procedures to effectively manage these 
risks commensurate with the sensitivity of the information as well 
as the complexity and scope of the credit union and its activities. 
Specifically, a credit union should consider whether its risk 
management program includes appropriate:
    (a) Access rights to member information;
    (b) Access controls on member information systems, including 
controls to authenticate and grant access only to authorized 
individuals and companies;
    (c) Access restrictions at locations containing member 
information, such as buildings, computer facilities, and records 
storage facilities;
    (d) Encryption of electronic member information, including while 
in transit or in storage on networks or systems to which unauthorized 
individuals may have access;
    (e) Procedures to confirm that member information system 
modifications are consistent with the credit union's information 
security program;
    (f) Dual control procedures, segregation of duties, and employee 
background checks for employees with responsibilities for or access 
to member information;
    (g) Contract provisions and oversight mechanisms to protect the 
security of member information maintained or processed by service 
providers;
    (h) Monitoring systems and procedures to detect actual and 
attempted attacks on or intrusions into member information systems;
    (i) Response programs that specify actions to be taken when 
unauthorized access to member information systems is suspected or 
detected;
    (j) Protection against destruction of member information due to 
potential physical hazards, such as fire and water damage; and
    (k) Response programs to preserve the integrity and security of 
member information in the event of computer or other technological 
failure, including, where appropriate, reconstructing lost or 
damaged member information.
    The NCUA Board intends that these elements accommodate credit 
unions with varying operations and risk management structures. The 
NCUA Board invites comment on the degree of detail that should be 
included in the Guidelines regarding the risk management program, 
which elements should be specified in the Guidelines, and any other 
components of a risk management program that should be included.
    Paragraph 2 refers to staff training. The information security 
program should include a training component designed to teach 
employees to recognize and respond to fraudulent attempts to obtain 
member information and report any attempts to regulatory and law 
enforcement agencies.
    Paragraph 3 refers to testing procedures. An information 
security program should include regular testing of systems to 
confirm the credit union, and its service providers, control 
identified risks and achieve the objectives to ensure the security 
and confidentiality of member information. The NCUA Board invites 
comment on whether the Guidelines should address specific types of 
security tests, such as penetration tests or intrusion detection 
tests. Should there be a degree of independence in connection with 
the testing of information security systems and the review of test 
results? Should the tests or reviews of tests be conducted by 
persons who are not employees or volunteers of the credit union? If 
employees, or volunteers such as members of the credit union's 
supervisory committee, what measures, if any, are appropriate to 
assure their independence?
    Paragraph 4 describes the need for an ongoing process of 
monitoring, evaluation, and adjustment of the information security 
program in light of any relevant changes in technology, the 
sensitivity of member information, and internal or external threats 
to information security.

III.D. Oversee Outsourcing Arrangements

    Proposed paragraph III.D addresses outsourcing. A credit union 
should exercise appropriate due diligence in managing and monitoring 
its outsourcing arrangements to confirm that its service providers 
have implemented an effective information security program to 
protect member information and member information systems consistent 
with these Guidelines.
    The NCUA Board welcomes comments on the appropriate treatment of 
outsourcing arrangements. For example, which ``best practices'' most 
effectively monitor service provider compliance with security 
precautions? Do service providers accommodate requests for specific 
contract provisions regarding information security? To the extent 
that service providers do not accommodate these requests, how does a 
credit union implement an effective information security program? 
Should these Guidelines contain specific contract provisions for 
service provider performance standards in connection with the 
security of member information?

III. Regulatory Procedures

A. Paperwork Reduction Act

    The NCUA Board has determined that the proposed information 
security plan requirements are covered under the Paperwork Reduction 
Act. NCUA is submitting a copy of this proposed rule to the Office of 
Management and Budget (OMB) for its review.
    The proposed amendment would require federally-insured credit 
unions to develop a written information security plan to protect the 
security, confidentiality, or integrity of member information systems. 
The Board estimates it will take an average of 40 hours for a credit 
union to comply with the information security plan requirement. The 
Board also estimates that 10,525 credit unions will have to develop 
this plan so the total initial paperwork burden is estimated to be 
approximately 421,000 hours. The estimate of annual burden of review 
and changes is 15 hours for 10,500 credit unions, totaling 157,500 
hours.
    The Paperwork Reduction Act of 1995 and OMB regulations require 
that the public be provided an opportunity to comment on the paperwork 
requirements, including an agency's estimate of the burden of the 
paperwork requirements. The NCUA Board invites comment on: (1) Whether 
the paperwork requirements are necessary; (2) the accuracy of NCUA's 
estimate on the burden of the paperwork requirements; (3) ways to 
enhance the quality, utility, and clarity of the paperwork 
requirements; and (4) ways to minimize the burden of the paperwork 
requirements. Comments should be sent to: OMB Reports Management 
Branch, New Executive Office Building, Room 10202, Washington, DC 
20503; Attention: Alex T. Hunt, Desk Officer for NCUA. Please send NCUA 
a copy of any comments you submit to OMB.

B. Regulatory Flexibility Act

    The Regulatory Flexibility Act (5 U.S.C. 601-612) (RFA) requires an 
agency to publish an initial regulatory flexibility analysis with this 
proposed rule except to the extent provided in the RFA, whenever the 
agency is required to publish a general notice of proposed rulemaking 
for a proposed rule. The Board cannot at this time determine whether 
the proposed rule would have significant economic impact on a 
substantial number of small entities as defined by the RFA. Therefore, 
pursuant to subsections 603(b) and (c) of the RFA, the Board provides 
the following initial regulatory flexibility analysis.

1. Reasons for Proposed Rule
    The NCUA is requesting comment on the proposed interagency 
Guidelines published pursuant to section 501 of the GLB Act. Section 
501 requires the Agencies to publish standards for financial 
institutions relating to administrative, technical, and physical 
standards to: (1) Insure the security and confidentiality of customer 
records and information; (2) protect against any anticipated threats or 
hazards to the security or integrity of such records; and (3) protect 
against unauthorized access to or use of such records or information 
which could result in substantial harm or inconvenience to any 
customer. Since these requirements are expressly mandated by the GLB 
Act, it is the view of the Board that the GLB Act's requirements 
account for most, if not all, of the economic impact of the proposed 
Guidelines.
2. Statement of Objectives and Legal Basis
    The SUPPLEMENTARY INFORMATION section above contains this 
information. The legal basis for the proposed rule is the GLB Act.
3. Estimate of Small Credit Unions to Which the Rule Applies
    The proposed rule would apply to all federally insured credit 
unions. Small credit unions are those with less than $1,000,000 in 
assets of which there are approximately 1,624.
4. Projected Reporting, Recordkeeping and Other Compliance Requirements
    The information collection requirements imposed by the proposed 
rule are discussed above in the section on the Paperwork Reduction Act.
5. General Requirements
    The statute and the proposed rule require a credit union to develop 
an information security program to safeguard member information. 
Development of such a program involves assessing risks to member 
information, establishing policies, procedures, and training to control 
risks, testing the program's effectiveness, and managing and monitoring 
service providers. The NCUA believes that the establishment of 
information security programs is a sound business practice for a credit 
union and is already addressed by existing supervisory procedures. 
However, some credit unions may need to establish or enhance 
information security programs, but the cost of doing so is not known. 
The NCUA seeks any information or comment on the costs of establishing 
information security programs.
6. Identification of Duplicative, Overlapping, or Conflicting Federal 
Rules
    The NCUA is unable to identify any statutes or rules which would 
overlap or conflict with the requirement to develop and implement an 
information security program. The NCUA seeks comment and information 
about any such statutes or rules, as well as any other state, local, or 
industry rules or policies that require a credit union to implement 
business practices that would comply with the requirements of the 
proposed rule.
7. Discussion of Significant Alternatives
    As previously noted, the proposed rule's requirements are expressly 
mandated by the GLB Act. The proposed rule attempts to clarify the 
statutory requirements for all credit unions. The proposed rule also 
provides substantial flexibility so that any credit union, regardless 
of size, may adopt an information security program tailored to its 
individual needs. The NCUA welcomes comment on any significant 
alternatives, consistent with the GLB Act, that would minimize the 
impact on small credit unions.

C. Executive Order 13132

    Executive Order 13132 encourages independent regulatory agencies to 
consider the impact of their regulatory actions on state and local 
interests. In adherence to fundamental federalism principles, NCUA, an 
independent regulatory agency as defined in 44 U.S.C. 3502(5), 
voluntarily complies with the executive order. This proposed rule, if 
adopted, will not have substantial direct effects on the states, on the 
relationship between the national government and the states, or on the 
distribution of power and responsibilities among the various levels of 
government. NCUA has determined the proposed rule and appendix do not 
constitute a policy that has federalism implications for purposes of 
the executive order.

D. Treasury and General Government Appropriations Act, 1999

    NCUA has determined that the proposed rule and appendix will not 
affect family well-being within the meaning of section 654 of the 
Treasury and General Government Appropriations Act, 1999, Pub. L. 105-
277, 112 Stat. 2681 (1998).

IV. Agency Regulatory Goal

    NCUA's goal is clear, understandable regulations that impose 
minimal regulatory burden. NCUA requests comments on whether the 
proposed rule and appendix are understandable and minimally intrusive 
if implemented as proposed. NCUA invites comments on how to make this 
proposal easier to understand. For example:
    (1) Has NCUA organized the material to suit your needs? If not, how 
could this material be better organized?
    (2) Are the provisions in the Guidelines clearly stated? If not, 
how could the Guidelines be more clearly stated?
    (3) Do the Guidelines contain technical language or jargon that is 
not clear? If so, which language requires clarification?
    (4) Would a different format (grouping and order of sections, use 
of headings, paragraphing) make the Guidelines easier to understand? If 
so, what changes to the format would make the Guidelines easier to 
understand?
    (5) What else could NCUA do to make the Guidelines easier to 
understand?

List of Subjects in 12 CFR Part 748

    Credit unions, Crime, Currency, Reporting and recordkeeping 
requirements, Security measures.

    By the National Credit Union Administration Board on June 6, 
2000.
Becky Baker,
Secretary of the Board.
    For the reasons set forth in the preamble, the NCUA Board proposes 
to amend 12 CFR 748 as follows:

PART 748--SECURITY PROGRAM, REPORT OF CRIME AND CATASTROPHIC ACT 
AND BANK SECRECY ACT COMPLIANCE

    1. The authority citation for Part 748 is revised to read as 
follows:

    Authority: 12 U.S.C. 1766(a), 1786(q); 15 U.S.C. 6801 and 
6805(b); 31 U.S.C. 5311.

    2. Heading for Part 748 is revised to read as set forth above.
    3. In Sec. 748.0 revise paragraph (b) to read as follows:


Sec. 748.0  Security program.

* * * * *
    (b) The security program will be designed to:
    (1) Protect each credit union office from robberies, burglaries, 
larcenies, and embezzlement;
    (2) Ensure the security and confidentiality of member records, 
protect against anticipated threats or hazards to the security or 
integrity of such records, and protect against unauthorized access to 
or use of such records that could result in substantial harm or serious 
inconvenience to a member;

[[Page 37307]]

    (3) Assist in the identification of persons who commit or attempt 
such actions and crimes; and
    (4) Prevent destruction of vital records, as defined in the 
Accounting Manual for Federal Credit Unions.
    4. Add Appendix A to read as follows:

Appendix A to Part 748--Guidelines for Safeguarding Member Information

I. Introduction
    A. Scope
    B. Definitions
II. Guidelines for Safeguarding Member Information
    A. Information Security Program
    B. Objectives
III. Development and Implementation of Member Information Security 
Program
    A. Involve the Board of Directors and Management
    B. Assess Risk
    C. Manage and Control Risk
    D. Oversee Outsourcing Arrangements

I. Introduction

    The Guidelines for Safeguarding Member Information (Guidelines) 
set forth standards pursuant to sections 501 and 505(b), codified at 
15 U.S.C. 6801 and 6805(b), of the Gramm-Leach-Bliley Act. These 
Guidelines provide standards for developing and implementing 
administrative, technical, and physical safeguards to protect the 
security, confidentiality, and integrity of member information.
    A. Scope. The Guidelines apply to member information maintained 
by or on behalf of federally-insured credit unions. Such entities 
are referred to in this appendix as ``the credit union.''
    B. Definitions. For purposes of the Guidelines, the following 
definitions apply:
    1. In general. For purposes of the Guidelines, except as 
modified in the Guidelines or unless the context otherwise requires, 
the terms used have the same meanings as set forth in 12 CFR part 
716.
    2. Member information means any records, data, files, or other 
information containing nonpublic personal information, as defined in 
12 CFR 716.3(q), about a member, whether in paper, electronic or 
other form, that are maintained by or on behalf of the credit union.
    3. Member means any member of the credit union as defined in 12 
CFR 716.3(n).
    4. Service provider means any person or entity that maintains or 
processes member information on behalf of the credit union, or is 
otherwise granted access to member information through its provision 
of services to the credit union.
    5. Member information systems means the electronic or physical 
methods used to access, collect, store, use, transmit and protect 
member information.

II. Guidelines for Safeguarding Member Information

    A. Information Security Program. A comprehensive information 
security program includes administrative, technical, and physical 
safeguards appropriate to the size and complexity of the credit 
union and the nature and scope of its activities.
    B. Objectives. An information security program: ensures the 
security and confidentiality of member information; protects against 
any anticipated threats or hazards to the security or integrity of 
such information; and protects against unauthorized access to or use 
of such information that could result in substantial harm or 
inconvenience to any member or risk to the safety and soundness of 
the credit union. Protecting confidentiality includes honoring 
members' requests to opt out of disclosures to non-affiliated third 
parties, as described in 12 CFR 716.1(a)(3).

III. Development and Implementation of Member Information Security 
Program

A. Involve the Board of Directors and Management.

    1. The board of directors of each credit union:
    a. Approves the credit union's written information security 
policy and program; and
    b. Oversees efforts to develop, implement, and maintain an 
effective information security program.
    2. In conjunction with responsibilities to implement the credit 
union's information security program, management should regularly:
    a. Evaluate the impact on the credit union's security program of 
changing business arrangements, such as alliances and outsourcing 
arrangements, and changes to member information systems;
    b. Document its compliance with these Guidelines; and
    c. Report to the board of directors on the overall status of the 
information security program, including material matters related to: 
risk assessment; risk management and control decisions; results of 
testing; attempted or actual security breaches or violations and 
responsive actions taken by management; and any recommendations for 
improvements in the information security program.
    B. Assess Risk. To achieve the objectives of its information 
security program, each credit union should:
    1. Identify and assess the risks that may threaten the security, 
confidentiality, or integrity of member information systems. As part 
of the risk assessment, a credit union should determine the 
sensitivity of member information and the internal or external 
threats to the credit union's member information systems;
    2. Assess the sufficiency of policies, procedures, member 
information systems, and other arrangements in place to control 
risks identified in this appendix; and
    3. Monitor, evaluate, and adjust its risk assessment in light of 
any relevant changes to technology, the sensitivity of member 
information, and internal or external threats to information 
security.
    C. Manage and Control Risk. As part of a comprehensive risk 
management plan, each credit union should:
    1. Establish written policies and procedures that are adequate 
to control the identified risks and achieve the overall objectives 
of the credit union's information security program. Policies and 
procedures should be commensurate with the sensitivity of the 
information as well as the complexity and scope of the credit union 
and its activities. In establishing the policies and procedures, 
each credit union should consider appropriate:
    a. Access rights to member information;
    b. Access controls on member information systems, including 
controls to authenticate and grant access only to authorized 
individuals and companies;
    c. Access restrictions at locations containing member 
information, such as buildings, computer facilities, and records 
storage facilities;
    d. Encryption of electronic member information, including while 
in transit or in storage on networks or systems to which 
unauthorized individuals may have access;
    e. Procedures to confirm that member information system 
modifications are consistent with the credit union's information 
security program;
    f. Dual control procedures, segregation of duties, and employee 
background checks for employees with responsibilities for or access 
to member information;
    g. Contract provisions and oversight mechanisms to protect the 
security of member information maintained or processed by service 
providers;
    h. Monitoring systems and procedures to detect actual and 
attempted attacks on or intrusions into member information systems;
    i. Response programs that specify actions to be taken when 
unauthorized access to member information systems is suspected or 
detected;
    j. Protection against destruction of member information due to 
potential physical hazards, such as fire and water damage; and
    k. Response programs to preserve the integrity and security of 
member information in the event of computer or other technological 
failure, including, where appropriate, reconstructing lost or 
damaged member information.
    2. Train staff to recognize, respond to, and, where appropriate, 
report to regulatory and law enforcement agencies, any unauthorized 
or fraudulent attempts to obtain member information.
    3. Regularly test the key controls, systems and procedures of 
the information security program to confirm that they control the 
risks and achieve the overall objectives of the credit union's 
information security program. The frequency and nature of such tests 
should be determined by the risk assessment, and adjusted as 
necessary to reflect changes in internal and external conditions. 
Tests should be conducted, where appropriate, by independent third 
parties or staff independent of those that develop or maintain the 
security programs. Test results should be reviewed by independent 
third parties or staff independent of those who conducted the test.
    4. Monitor, evaluate, and adjust, as appropriate, the 
information security program in light of any relevant changes in 
technology, the sensitivity of its member information, and internal 
or external threats to information security.
    D. Oversee Outsourcing Arrangements. The credit union continues 
to be responsible for safeguarding member information even when

[[Page 37308]]

it gives a service provider access to that information. The credit 
union should exercise appropriate due diligence in managing and 
monitoring its outsourcing arrangements to confirm that its service 
providers have implemented an effective information security program 
to protect member information and member information systems 
consistent with these Guidelines.

[FR Doc. 00-14783 Filed 6-13-00; 8:45 am]
BILLING CODE 7535-01-P