[Federal Register Volume 88, Number 128 (Thursday, July 6, 2023)]
[Notices]
[Pages 43152-43155]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2023-14274]


-----------------------------------------------------------------------

NATIONAL CREDIT UNION ADMINISTRATION


Privacy Act of 1974: Systems of Records

AGENCY: National Credit Union Administration (NCUA).

ACTION: Notice of a modified system of records.

-----------------------------------------------------------------------

SUMMARY: Pursuant to the Privacy Act of 1974, the National Credit Union 
Administration (NCUA) gives notice of a proposed modified Privacy Act 
system of records titled NCUA-11, ``Office of Inspector General (OIG) 
Investigative Records.'' The OIG Investigative Records system of 
records documents the investigative work of the OIG, including 
complaints received through the OIG Hotline, OIG mail, and otherwise, 
enabling the OIG to secure and maintain necessary investigative 
information and to coordinate with other law enforcement agencies as 
appropriate.

DATES: Submit comments on or before August 7, 2023. This modification 
will be effective immediately, and new routine uses will be effective 
on August 7, 2023.

ADDRESSES: You may submit comments by any of the following methods, but 
please send comments by one method only:
     Federal eRulemaking Portal: http://www.regulations.gov. 
Follow the instructions for submitting comments.
     NCUA website: http://www.ncua.gov/RegulationsOpinionsLaws/proposed_regs/proposed_regs.html. Follow the instructions for 
submitting comments.
     Fax: (703) 518-6319. Use the subject line described above 
for email.
     Mail: Address to Melane Conyers-Ausbrooks, Secretary of 
the Board, National Credit Union Administration, 1775 Duke Street, 
Alexandria, Virginia 22314-3428.
     Hand Delivery/Courier: Same as mail address.

FOR FURTHER INFORMATION CONTACT: Marta Erceg, Counsel to the Inspector 
General/Assistant Inspector General, Office of the Inspector General, 
(703) 518-6350, or Jennifer Harrison, Attorney-Advisor, Office of 
General

[[Page 43153]]

Counsel, (703) 518-6540, 1775 Duke Street, Alexandria, VA 22314.

SUPPLEMENTARY INFORMATION: The NCUA has made the following substantive 
changes to this System of Records Notice:
    1. NCUA has updated the Purpose(s) of the System to provide 
additional details of why records are being collected.
    2. NCUA has updated the Categories of Records in the System to 
provide additional details of what types of records are being 
collected.
    3. NCUA has updated its Routine Uses. NCUA has added a routine use 
relating to obtaining legal advice from the Department of Justice and 
other prosecutors. NCUA has added a routine use to entities responsible 
for the oversight of Federal funds. NCUA has added a routine use for 
disclosure records relating to suspension and debarment actions. NCUA 
has added a routine use for disclosure of records to the Council of the 
Inspectors General for Integrity and Efficiency. NCUA has added a 
routine use to allow the OIG to disclose records to a complainant's 
employer who at the time of the alleged reprisal was an NCUA 
contractor, subcontractor, grantee, or subgrantee, without requiring 
the complainant's consent, to comply with the requirements of 41 U.S.C. 
4712(b)(1). NCUA has also added text of the routine uses that had been 
previously contained in the agency's ``Standard Routine Uses.'' 
Finally, NCUA has added two routine uses relating to the disclosure of 
records in the event of a suspected or actual privacy breach.
    4. NCUA has updated Policies and Practices for Storage of Records 
to reflect that records are electronically maintained.
    5. NCUA has updated Policies and Practices for Retention and 
Disposal of Records to reflect that NCUA uses National Archives and 
Records Administration-approved records schedules.
    6. NCUA has updated Administrative, Technical, and Physical 
Safeguards to accurately reflect how these records are protected.
    7. NCUA has updated Record Access, Contesting Record, and 
Notification Procedures to accurately reflect the NCUA procedures as 
detailed in 12 CFR 792.55.
    8. NCUA has updated History to accurately reflect the SORN's 
publication history. Non-substantive modifications have also been made 
to ensure that the format NCUA-11 aligns with the guidance set forth in 
Office of Management and Budget Circular A-108.

    By the National Credit Union Administration Board on June 30, 
2023.
Melane Conyers-Ausbrooks,
Secretary of the Board.

SYSTEM NAME AND NUMBER:
    NCUA-11, Office of Inspector General (OIG) Investigative Records.

SECURITY CLASSIFICATION:
    Unclassified.

SYSTEM LOCATION:
    Office of Inspector General, National Credit Union Administration, 
1775 Duke Street, Alexandria, VA 22314-3428.

SYSTEM MANAGER(S):
    Counsel to the Inspector General/Assistant Inspector General for 
Investigations, National Credit Union Administration, 1775 Duke Street, 
Alexandria, Virginia 22314-3428.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    Federal Credit Union Act, 12 U.S.C. 1751, et seq., and the 
Inspector General Act of 1978, 5 U.S.C. 401, et seq.

PURPOSE(S) OF THE SYSTEM:
    This system is maintained for the purposes of:
    1. Conducting and documenting investigations by the OIG or other 
investigative agencies regarding NCUA programs, operations, personnel, 
and contractors, and reporting the results of investigations to NCUA 
management, other Federal agencies, and other public authorities or 
professional organizations that have the authority to bring criminal 
prosecutions or civil or administrative actions, or to impose 
disciplinary sanctions;
    2. Documenting the outcome of OIG investigations;
    3. Maintaining a record of the activities that were the subject of 
investigations;
    4. Reporting investigative findings for use in operating and 
evaluating NCUA programs or operations and in the imposition of 
sanctions;
    5. Maintaining a record of complaints and allegations received 
regarding NCUA programs, operations, and personnel, and documenting the 
outcome of OIG reviews and disposition of those complaints and 
allegations;
    6. Coordinating relationships with other Federal agencies, State 
and local governmental agencies, and nongovernmental entities in 
matters relating to the statutory responsibilities of the OIG and 
reporting to such entities on government-wide efforts pursuant to the 
oversight of Federal funds;
    7. Acting as a repository and source for information necessary to 
fulfill the reporting requirements of the Inspector General Act, 5 
U.S.C. 401-424;
    8. Reporting on OIG activities to the Council of Inspectors General 
for Integrity and Efficiency (CIGIE); and
    9. Participating in CIGIE's investigative qualitative assessment 
review process.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    Subjects of investigation, complainants, and witnesses referred to 
in complaints or investigative cases, reports, accompanying documents, 
and correspondence prepared by, compiled by, or referred to the OIG.

CATEGORIES OF RECORDS IN THE SYSTEM:
    The system is comprised of OIG investigation files and complaint 
files. These files include reports of investigations with related 
exhibits, statements, affidavits, or other pertinent documents. Files 
may contain memoranda; computer-generated background information; 
location information; payroll, time sheets, and travel records; 
correspondence, including call, text, and email records; and reports 
from or to other law enforcement bodies pertaining to violations or 
potential violations of criminal laws, fraud, or abuse with respect to 
administration of NCUA programs and operations, and violations of 
employee and contractor standards of conduct. Records in this system 
may contain personally identifiable information such as names, Social 
Security numbers, dates of birth, and addresses. This system may also 
contain such information as employment history, bank account 
information, driver's licenses, vehicle registration, educational 
records, criminal history, photographs, voice recordings, and other 
information of a personal nature provided or obtained in connection 
with an investigation.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND THE PURPOSES OF SUCH USES:
    In addition to those disclosures generally permitted under 5 U.S.C. 
552a(b) of the Privacy Act, these records or information contained 
therein may specifically be disclosed outside the NCUA as a routine use 
pursuant to 5 U.S.C. 552a(b)(3) as follows:
    1. If a record in a system of records indicates a violation or 
potential violation of civil or criminal law or a regulation, and 
whether arising by general statute or particular program statute, or by 
regulation, rule, or order, the relevant records in the system of 
records may be disclosed as a routine use to the appropriate agency, 
whether

[[Page 43154]]

Federal, State, local, or foreign, charged with the responsibility of 
investigating or prosecuting such violation or charged with enforcing 
or implementing the statute, rule, regulation, or order issued pursuant 
thereto;
    2. A record in a system of records may be disclosed as a routine 
use to a member of Congress or to a congressional staff member in 
response to an inquiry from the congressional office made at the 
request of the individual about whom the record is maintained;
    3. A record in a system of records may be disclosed as a routine 
use to the Department of Justice, when: (a) NCUA, or any of its 
components or employees acting in their official capacities, is a party 
to litigation; or (b) Any employee of NCUA in his or her individual 
capacity is a party to litigation and where the Department of Justice 
has agreed to represent the employee; or (c) The United States is a 
party in litigation, where NCUA determines that litigation is likely to 
affect the agency or any of its components, is a party to litigation or 
has an interest in such litigation, and NCUA determines that use of 
such records is relevant and necessary to the litigation;
    4. A record in a system of records may be disclosed as a routine 
use in a proceeding before a court or adjudicative body before which 
NCUA is authorized to appear (a) when NCUA or any of its components or 
employees are acting in their official capacities; (b) where NCUA or 
any employee of NCUA in his or her individual capacity has agreed to 
represent the employee; or (c) where NCUA determines that litigation is 
likely to affect the agency or any of its components, is a party to 
litigation or has an interest in such litigation, and NCUA determines 
that use of such records is relevant and necessary to the litigation;
    5. A record from a system of records may be disclosed as a routine 
use to contractors, experts, consultants, and the agents thereof, and 
others performing or working on a contract, service, cooperative 
agreement, or other assignment for NCUA when necessary to accomplish an 
agency function or administer an employee benefit program. Individuals 
provided information under this routine use are subject to the same 
Privacy Act requirements and limitations on disclosure as are 
applicable to NCUA employees;
    6. A record from a system of records may be disclosed as a routine 
use to the Department of Justice, including its U.S. Attorney's 
Offices, and State and local prosecutors, to the extent necessary to 
obtain legal advice on any matter relevant to an OIG investigation, 
audit, inspection, or other inquiry related to the responsibilities of 
the OIG;
    7. A record from a system of records may be disclosed as a routine 
use to any Federal agency, entity, or board responsible for 
coordinating and conducting oversight of Federal funds, in order to 
prevent fraud, waste, and abuse related to Federal funds, or for 
assisting in the enforcement, investigation, prosecution, or oversight 
of violations of administrative, civil, or criminal law or regulation, 
if that information is relevant to any enforcement, regulatory, 
investigative, prosecutorial, or oversight responsibility of the NCUA 
or of the receiving entity;
    8. A record from a system of records may be disclosed as a routine 
use to another Federal agency considering suspension or debarment 
action if the information is relevant to the suspension or debarment 
action. The OIG also may disclose information to another agency to gain 
information in support of the NCUA's own debarment and suspension 
actions;
    9. A record from a system of records may be disclosed as a routine 
use to the Council of the Inspectors General on Integrity and 
Efficiency (CIGIE) to assist in its preparation of reports, analysis, 
surveys, coordination of investigations, and other CIGIE activities;
    10. A record from a system of records may be disclosed as a routine 
use to other Federal entities, such as other Offices of Inspector 
General, to the Government Accountability Office, or to a private party 
with which the OIG or the NCUA has contracted or with which it 
contemplates contracting, for the purpose of auditing or reviewing the 
performance or internal management of the OIG's audit or investigative 
programs.
    11. A record from a system of records may be disclosed as a routine 
use to a complainant alleging whistleblower reprisal and the 
complainant's employer (current or former) that at the time of the 
alleged reprisal was a grantee, subgrantee, contractor, or 
subcontractor of the NCUA, to fulfill the whistleblower reprisal 
investigation reporting requirements of 41 U.S.C. 4712(b)(1) or any 
other whistleblower reprisal law requiring a disclosure to a 
complainant or an entity that employs or employed the complainant;
    12. A record from a system of records may be disclosed to 
appropriate agencies, entities, and persons when (1) NCUA suspects or 
has confirmed that the security or confidentiality of information in 
the system of records has been compromised; (2) NCUA has determined 
that as a result of the suspected or confirmed compromise there is a 
risk of harm to economic or property interests, identity theft or 
fraud, or harm to the security or integrity of this system or other 
systems or programs (whether maintained by NCUA or another agency or 
entity) that rely upon the compromised information; and (3) the 
disclosure made to such agencies, entities, and persons is reasonably 
necessary to assist in connection with NCUA's efforts to respond to the 
suspected or confirmed compromise and prevent, minimize, or remedy such 
harm; and
    13. A record from a system of records may be disclosed to another 
Federal agency or Federal entity, when the NCUA determines that 
information from this system of records is reasonably necessary to 
assist the recipient agency or entity in (1) responding to a suspected 
or confirmed breach or (2) preventing, minimizing, or remedying the 
risk of harm to individuals, the recipient agency or entity (including 
its information systems, programs, and operations), the Federal 
Government, or national security, resulting from a suspected or 
confirmed breach.

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
    Electronic records and backups are stored on secure servers, 
approved by NCUA's Office of the Chief Information Officer (OCIO), 
within a FedRAMP-authorized commercial Cloud Service Provider's (CSP) 
Software-as-a-Service solution hosting environment and accessed only by 
authorized personnel.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
    Information is retrieved by case number, general subject matter, or 
name of the subject of investigation.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
    Records are maintained and disposed in accordance with the General 
Records Retention Schedules issued by the National Archives and Records 
Administration (NARA) or an NCUA records disposition schedule approved 
by NARA.

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
    NCUA and the Cloud Service Provider have implemented the 
appropriate administrative, technical, and physical controls in 
accordance with the Federal Information Security Modernization Act of 
2014, Public Law 113-283, S. 2521, and NCUA's information security 
policies to protect the confidentiality, integrity, and availability of 
the

[[Page 43155]]

information system and the information contained therein. Access is 
limited only to individuals authorized through NIST-compliant Identity, 
Credential, and Access Management policies and procedures. The records 
are maintained behind a layered defensive posture consistent with all 
applicable Federal laws and regulations, including OMB Circular A-130 
and NIST Special Publication 800-37.

RECORD ACCESS PROCEDURES:
    Individuals wishing access to their records should submit a written 
request to the Senior Agency Official for Privacy, NCUA, 1775 Duke 
Street, Alexandria, VA 22314, and provide the following information:
    1. Full name.
    2. Any available information regarding the type of record involved.
    3. The address to which the record information should be sent.
    4. You must sign your request.
    Attorneys or other persons acting on behalf of an individual must 
provide written authorization from that individual for the 
representative to act on their behalf. Individuals requesting access 
must also comply with NCUA's Privacy Act regulations regarding 
verification of identity and access to records (12 CFR 792.55).

CONTESTING RECORD PROCEDURES:
    Individuals wishing to request an amendment to their records should 
submit a written request to the Senior Agency Official for Privacy, 
NCUA, 1775 Duke Street, Alexandria, VA 22314, and provide the following 
information:
    1. Full name.
    2. Any available information regarding the type of record involved.
    3. A statement specifying the changes to be made in the records and 
the justification therefore.
    4. The address to which the response should be sent.
    5. You must sign your request.
    Attorneys or other persons acting on behalf of an individual must 
provide written authorization from that individual for the 
representative to act on their behalf.

NOTIFICATION PROCEDURES:
    Individuals wishing to learn whether this system of records 
contains information about them should submit a written request to the 
Senior Agency Official for Privacy, NCUA, 1775 Duke Street, Alexandria, 
VA 22314, and provide the following information:
    1. Full name.
    2. Any available information regarding the type of record involved.
    3. The address to which the record information should be sent.
    4. You must sign your request.
    Attorneys or other persons acting on behalf of an individual must 
provide written authorization from that individual for the 
representative to act on their behalf. Individuals requesting access 
must also comply with NCUA's Privacy Act regulations regarding 
verification of identity and access to records (12 CFR 792.55).

EXEMPTIONS PROMULGATED FOR THE SYSTEM:
    Pursuant to 5 U.S.C. 552a(j)(2), this system of records is exempt 
from subsections (c)(3) and (4), (d), (e)(1), (e)(2), (e)(3), 
(e)(4)(G), (e)(4)(H), (e)(4)(I), (e)(5), (e)(8), (f) and (g) of the 
Act. This exemption applies to information in the system that relates 
to criminal law enforcement and meets the criteria of the (j)(2) 
exemption. Pursuant to 5 U.S.C. 552a(k)(2), to the extent that the 
system contains investigative material compiled for law enforcement 
purposes, other than material within the scope of subsection (j)(2), 
this system of records is exempt from 5 U.S.C. 552a(c)(3), (d), (e)(1), 
(e)(4)(G), (H), and (I), and (f). The exemption rule is contained in 12 
CFR 792.66 of the NCUA regulations.

HISTORY:
    This SORN was published originally as NCUA-20, ``Investigation 
Files,'' at 53 FR 37372 (Sept. 26, 1988); renamed to ``Office of 
Inspector General Investigative Records'' at 60 FR 18149 (April 10, 
1995); and renumbered as NCUA-11 at 65 FR 3486 (Feb. 20, 2000). 
Subsequent modifications were published at 71 FR 77807 (Dec. 27, 2006) 
and 75 FR 41539 (July 16, 2010).

[FR Doc. 2023-14274 Filed 7-5-23; 8:45 am]
BILLING CODE 7535-01-P