# Procedures for monitoring Bank Secrecy Act (BSA) compliance.
**AGENCY:**
National Credit Union Administration (NCUA).
**ACTION:**
Proposed rule.
**SUMMARY:**
The NCUA Board (Board) is proposing to remove Appendix A to part 748, guidelines for safeguarding member information, from the Code of Federal Regulations (CFR). Appendix A was issued to satisfy the NCUA's statutory obligation to establish appropriate standards for federally insured credit unions (FICUs) to protect the security and confidentiality of customer records and information and to protect against unauthorized access to or use of such records. The Board now believes that the placement of Appendix A in the CFR may be confusing because Appendix A is not a regulation but rather a set of guidelines intended to assist FICUs with their statutory compliance obligations. The Board will remove Appendix A from the CFR and publish its contents as a Letter to Credit Unions, which enables more efficient revisions, and streamlines the NCUA's regulations.
**DATES:**
Comments must be received on or before February 9, 2026.
**ADDRESSES:**
Comments may be submitted in one of the following ways. (*Please send comments by one method only*):
• *Federal eRulemaking Portal: https://www.regulations.gov.* The docket number for this proposed rule is NCUA-2025-1304. Follow the “Submit a comment” instructions. If you are reading this document on *federalregister.gov,* you may use the green “SUBMIT A PUBLIC COMMENT” button beneath this rulemaking's title to submit a comment to the *regulations.gov* docket. A plain language summary of the proposed rule is also available on the docket website.
• *Mail:* Address to Melane Conyers-Ausbrooks, Secretary of the Board, National Credit Union Administration, 1775 Duke Street, Alexandria, Virginia 22314-3428.
• *Hand Delivery/Courier:* Same as mailing address.
Mailed and hand-delivered comments must be received by the close of the comment period.
*Public inspection:* Please follow the search instructions on *https://www.regulations.gov* to view the public comments. Do not include any personally identifiable information (such as name, address, or other contact information) or confidential business information that you do not want publicly disclosed. All comments are public records; they are publicly displayed exactly as received, and will not be deleted, modified, or redacted. Comments may be submitted anonymously. If you are unable to access public comments on the internet, you may contact the NCUA for alternative access by calling (703) 518-6540 or emailing *[email protected].*
**FOR FURTHER INFORMATION CONTACT:**
Gira Bose, Senior Staff Attorney, at (703) 518-6540 or at 1775 Duke Street, Alexandria, VA 22314.
**SUPPLEMENTARY INFORMATION:**
**I. Introduction**
**A. Background**
In November 1999, Congress passed the Gramm-Leach-Bliley Act (GLBA). [^1] Section 501 of GLBA, entitled Protection of Nonpublic Personal Information, required the NCUA, the federal banking agencies (FBAs), and other regulators to establish appropriate standards for financial institutions subject to their respective jurisdictions relating to administrative, technical, and physical safeguards for customer records and information. [^2] These safeguards are intended to: (1) insure [sic] [^3] the security and confidentiality of customer records and information, (2) protect against any anticipated threats or hazards to the security or integrity of such records, and (3) protect against unauthorized access to or use of such records or information that would result in substantial harm or inconvenience to any customer. [^4]
[^1] 15 U.S.C. 6801 *et seq.* (Nov. 12, 1999).
[^2] *Id.* At this time, “federal banking agencies” refers to the Office of the Comptroller of the Currency, the Federal Reserve Board, and the Federal Deposit Insurance Corporation, although at the time of GLBA's passage the term included the now-defunct Office of Thrift Supervision.
[^3] The statute uses the word “insure,” but should likely read “ensure.”
[^4] 15 U.S.C. 6801(b).
After passage of GLBA, the Board determined that the standards required by GLBA could be most effectively adopted through an amendment to the NCUA's existing regulation governing security programs in FICUs. [^5] This approach is consistent with the FBAs by design: NCUA staff worked with the FBAs to align the agency's guidance with the guidelines approved by the FBAs. [^6] Thus, the NCUA adopted the standards required under GLBA as an appendix to part 748. The resulting Appendix A is intended to provide FICUs with guidance in developing the security program required under § 748.0.
[^5] 66 FR 8152 (Jan. 30, 2001).
[^6] 65 FR 35162 (June 1, 2000).
Appendix A has been amended over the years to reflect new requirements and maintain consistency with comparable regulations and guidelines issued by the FBAs. In 2004, the agency revised Appendix A to incorporate amendments to the Fair Credit Reporting Act (FCRA) with respect to the proper disposal of consumer information. [^7] Section 216 of the Fair and Accurate Credit Transactions Act (FACT Act) added a new section to FCRA that was designed to protect a consumer against the risks associated with unauthorized access to information about the consumer contained in a consumer report. *The FACT Act made mandatory the NCUA's practice of maintaining consistency with GLBA through consistency and consultation with the FBAs.* The changes to Appendix A were intended to provide guidance to FCUs for compliance with § 717.83 and were done in consultation with the FBAs. [^8]
[^7] The Fair Credit Reporting Act, 15 U.S.C. 1681s(b) and 1681w, as amended by the Fair and Accurate Credit Transactions Act of 2003, 15 U.S.C. 1681s.
[^8] 69 FR 69269 (Nov. 29, 2004). While the FACT Act applied only to FCUs and the changes to the guidelines were done to assist FCUs in complying with § 717.83, as drafted, the changes to the Appendix A guidance apply to all FICUs. As the Board explained in the preamble to the 2004 changes, “the requirements of this final rule only apply to FCUs, while federally insured state-chartered credit unions are subject to the jurisdiction of the FTC on this matter. The NCUA believes, however, that federally insured state charters may find this guidance helpful in adopting meaningful and effective security programs that deal with the disposal of consumer information.”
In 2012 and 2013, the Board again amended part 748 and Appendix A with technical changes mandated by the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act) and based on the NCUA's rolling, 3-year regulatory review. [^9] The Dodd-Frank Act, among other things, transferred rulemaking authority for many consumer protection regulations from the Federal Reserve Board to the Consumer Financial Protection Bureau (CFPB). [^10] As a result, the NCUA was required to update certain cross citations within its regulations and rescind part 716 governing the “Privacy of Consumer Financial Information” under GLBA. [^11]
[^9] 77 FR 71085 (Nov. 29, 2012); 78 FR 32541 (May 31, 2013).
[^10] 12 U.S.C. 5581(b)(6) (July 21, 2010).
[^11] 12 CFR part 716. To assist FICUs, the part 716 heading was retained with a cross citation to the CFPB's republished version of the regulation at 12 CFR part 1016.
**B. Legal Authority**
The Board is issuing this proposed rule pursuant to its authority under the Federal Credit Union Act (FCU Act). [^12] Under the FCU Act, the NCUA is the chartering and supervisory authority for federal credit unions (FCUs) and the federal supervisory authority for federally insured credit unions (FICUs). The FCU Act grants the NCUA a broad mandate to issue regulations governing both FCUs and FICUs. Section 120 of the FCU Act is a general grant of regulatory authority and authorizes the Board to prescribe regulations for the administration of the FCU Act. [^13] Section 209 of the FCU Act is a plenary grant of regulatory authority to the NCUA to issue regulations necessary or appropriate to carry out its role as share insurer for all FICUs. [^14] The FCU Act also includes an express grant of authority for the Board to subject federally chartered central, or corporate, credit unions to such rules, regulations, and orders as the Board deems appropriate. [^15]
[^12] 12 U.S.C. 1751 *et seq.*
[^13] 12 U.S.C. 1766(a).
[^14] 12 U.S.C. 1789.
[^15] 12 U.S.C. 1766(a).
**II. Proposed Rule**
The Board is issuing this proposed rule to remove Appendix A from the CFR. The Board believes that the information conveyed in Appendix A can be provided through Letters to Credit Unions, thereby reinforcing its intended use as nonbinding guidance. The Board believes that issuing Appendix A alongside part 748 may give the false impression that it is a legally binding rule rather than merely an aid to credit unions in satisfying the regulatory requirements of part 748.
The Board seeks comments on all aspects of this proposed rule, including any references to Appendix A in other parts of NCUA's regulations that may need to be revised.
As discussed above, Appendix A was first issued to meet a statutory requirement, and it has been amended several times to reflect new statutory requirements and to remain consistent with guidelines issued by the FBAs. The Board considered retaining Appendix A in its current form for two reasons: first, the current practice ensures the agency reviews Appendix A once every three years as part of its one third regulatory review process. Second, maintaining Appendix A as part of the NCUA's regulations also guarantees that any changes, whether technical or substantive, are published in the *Federal Register*, typically with an opportunity for public notice and comment (unless an exemption under the Administrative Procedure Act applies).
However, the Board now believes that streamlining the NCUA's regulations and creating a greater separation between binding regulations and nonbinding guidelines outweighs the benefits of the current approach. The Board also believes that the Agency's adoption of Letters to Credit Unions as a communication method is well known to the industry and is appropriate for communicating guidelines such as those in Appendix A. The Board is soliciting feedback on all aspects of this proposed rule, including the option of maintaining the status quo.
**III. Regulatory Procedures**
**A. Providing Accountability Through Transparency Act of 2023**
The Providing Accountability Through Transparency Act of 2023 (5 U.S.C. 553(b)(4)) (Act) requires that a notice of proposed rulemaking include the internet address of a summary of not more than 100 words in length of a proposed rule, in plain language, that must be posted on the internet website under section 206(d) of the E-Government Act of 2002 (44 U.S.C. 3501 note) (commonly known as regulations.gov). In summary, the Board is proposing to remove Appendix A to part 748 from the CFR. The Board now believes that the placement of Appendix A in the CFR may be confusing because Appendix A is not a regulation but rather a set of guidelines intended to assist FICUs with their statutory compliance obligations. The Board believes that moving Appendix A to a Letter to Credit Unions is a better vehicle for conveying this information and will help to streamline NCUA's regulations.
The proposal and the required summary can be found at *https://www.regulations.gov.*
**B. Executive Orders 12866, 13563, and 14192**
Pursuant to Executive Order 12866 (“Regulatory Planning and Review”), as amended by Executive Order 14215, a determination must be made whether a regulatory action is significant and therefore subject to review by the Office of Management and Budget (OMB) in accordance with the requirements of the Executive Order. [^16] Executive Order 13563 (“Improving Regulation and Regulatory Review”) supplements and reaffirms the principles, structures, and definitions governing contemporary regulatory review established in Executive Order 12866. [^17] This proposed rule was drafted and reviewed in accordance with Executive Order 12866 and Executive Order 13563. OMB has determined that this proposed rule is not a “significant regulatory action” as defined in section 3(f)(1) of Executive Order 12866. Further, this proposed rule is consistent with Executive Order 13563. This proposed rule will streamline the NCUA's regulations by removing nonbinding guidelines.
[^16] 58 FR 51735 (Oct. 4, 1993).
[^17] 76 FR 3821 (Jan. 21, 2011).
Executive Order 14192 (“Unleashing Prosperity Through Deregulation”) requires that any new incremental costs associated with new regulations shall, to the extent permitted by law, be offset by the elimination of existing costs associated with at least 10 prior regulations. [^18] This proposed rule is expected to be a deregulatory action for purposes of Executive Order 14192.
[^18] 90 FR 9065 (Feb. 6, 2025).
**C. Regulatory Flexibility Act**
The Regulatory Flexibility Act [^19] generally requires an agency to conduct a regulatory flexibility analysis of any rule subject to notice and comment rulemaking requirements, unless the agency certifies that the rule will not have a significant economic impact on a substantial number of small entities. If the agency makes such a certification, it must publish the certification at the time of publication of either the proposed rule or the final rule, along with a statement providing the factual basis for such certification. [^20] For purposes of this analysis, the NCUA considers small credit unions to be those having under $100 million in assets. [^21] The Board fully considered the potential economic impacts of the regulatory amendments on small credit unions.
[^19] 5 U.S.C. 601 *et seq.*
[^20] 5 U.S.C. 605(b).
[^21] 80 FR 57512 (Sept. 24, 2015).
The proposed rule removes nonbinding guidelines but would retain them in another format without substantive change. Accordingly, the NCUA certifies the proposed rule would not have a significant economic impact on a substantial number of small credit unions.
**D. Paperwork Reduction Act**
The Paperwork Reduction Act of 1995 (PRA) generally provides that an agency may not conduct or sponsor, and notwithstanding any other provision of law, a person is not required to respond to, a collection of information, unless it displays a currently valid OMB control number. The PRA applies to rulemakings in which an agency creates a new or amends existing information collection requirements. For purposes of the PRA, an information-collection requirement may take the form of a reporting, recordkeeping, or a third-party disclosure requirement. NCUA has determined that the changes in the proposed rule do not create a new information collection or revise an existing information collection as defined by the PRA.
**E. Executive Order 13132 on Federalism**
Executive Order 13132 encourages certain agencies to consider the impact of their actions on state and local interests. The NCUA, an agency as defined in 44 U.S.C. 3502(5), complies with the executive order to adhere to fundamental federalism principles. This proposed rule is intended to remove nonbinding guidelines from the NCUA's regulations. While it does impact provisions that apply to FISCUs, it does not make a substantive change. The rulemaking would therefore not have direct effect on the states, the relationship between the national government and the states, or on the distribution of power and responsibilities among the various levels of government.
**F. Assessment of Federal Regulations and Policies on Families**
The NCUA has determined that this proposed rule would not affect family well-being within the meaning of section 654 of the Treasury and General Government Appropriations Act, 1999. [^22] The proposed rule removes nonbinding guidelines from the NCUA's regulations, and any effect on family well-being is expected to be indirect.
[^22] Public Law 105-277, 112 Stat. 2681 (1998).
**List of Subjects in 12 CFR Part 748**
Administrative practice and procedure, Banks, Banking, Credit, Credit unions, Personally identifiable information, Privacy, Reporting and recordkeeping requirements.
By the National Credit Union Administration Board, this 8th day of December 2025.
Melane Conyers-Ausbrooks,
Secretary of the Board.
For the reasons stated in the preamble, the Board proposes to revise part 748 as follows:
**PART 748—SECURITY PROGRAM, SUSPICIOUS TRANSACTIONS, CATASTROPHIC ACTS, CYBER INCIDENTS, AND BANK SECRECY ACT COMPLIANCE**
1. The authority citation for part 748 continues to read as follows:
**Authority:**
12 U.S.C. 1766(a), 1786(b)(1), 1786(q), 1789(a)(11); 15 U.S.C. 6801-6809; 31 U.S.C. 5311 and 5318.
2. The table of contents is revised to read as follows:
748.0
748.1
748.2
Appendix A to Part 748—Guidance on Response Programs for Unauthorized Access to Member Information and Member Notice.
3. Remove Appendix A to part 748—Guidelines for Safeguarding Member Information.