# Procedures for monitoring Bank Secrecy Act (BSA) compliance.
**AGENCY:**
National Credit Union Administration (NCUA).
**ACTION:**
Proposed rule.
**SUMMARY:**
The NCUA Board (Board) is proposing to remove Appendix B to part 748, Guidance on Response Programs for Unauthorized Access to Member Information and Member Notice. Appendix B was issued in June 2005. Its purpose was to provide federally insured credit unions (FICUs) with guidance for creating programs to address and respond to instances of unauthorized access to member information. The Board now believes that the placement of Appendix B in the Code of Federal Regulations (CFR) may be confusing because Appendix B itself is guidance to assist FICUs in developing the response programs required pursuant to regulation. The Board instead would publish the content of Appendix B as guidance. This will be a better vehicle for conveying and updating this information and will help to streamline NCUA's regulations.
**DATES:**
Comments must be received on or before February 9, 2026.
**ADDRESSES:**
You may submit written comments by any of the following methods identified by RIN (Please send comments by one method only):
• *Federal eRulemaking Portal: https://www.regulations.gov.* Follow the instructions for submitting comments for Docket Number NCUA-2025-1305.
• *Mail:* Address to Melane Conyers-Ausbrooks, Secretary of the Board, National Credit Union Administration, 1775 Duke Street, Alexandria, Virginia 22314-3428.
• *Hand Delivery/Courier:* Same as mail address.
Mailed and hand-delivered comments must be received by the close of the comment period.
*Public Inspection:* All public comments are available on the Federal eRulemaking Portal at *https://www.regulations.gov* as submitted, except when impossible for technical reasons. Public comments will not be edited to remove any identifying or contact information. If you are unable to access public comments on the internet, you may contact NCUA for alternative access by calling (703) 518-6540 or emailing *[email protected].*
**FOR FURTHER INFORMATION CONTACT:**
Gira Bose, Senior Staff Attorney, at (703) 518-6540 or at 1775 Duke Street, Alexandria, VA 22314.
**SUPPLEMENTARY INFORMATION:**
**I. Introduction**
**A. Background**
On May 2, 2005, the Board issued a final rule to revise 12 CFR part 748 to include a requirement that FICUs respond to incidents of unauthorized access to member information. [^1] Appendix B, entitled Guidance on Response Programs for Unauthorized Access to Member Information and Member Notice, was included in the final rule to assist FICUs in developing and maintaining their response programs. It was a further interpretation of the Gramm-Leach-Bliley Act's requirement that NCUA and other regulators adopt standards for safeguarding customer information that financial institutions could adopt. [^2]
[^1] 70 FR 22764 (May 2, 2005).
[^2] 15 U.S.C. 6801 *et seq.* (Nov. 12, 1999). Appendix B was issued in consultation with the federal banking agencies (FBAs), comprising the Office of the Comptroller of the Currency, the Federal Reserve Board, the Federal Deposit Insurance Corporation, and the now-defunct Office of Thrift Supervision. The FBAs issued similar guidance on a joint basis. 70 FR 15736 (Mar. 29, 2005).
Appendix B notes that each year, millions of Americans throughout the country fall victim to identity theft as a result of the misuse of their personal information obtained by identity thieves from a number of sources, including credit unions. [^3] It goes on to state that, as a result, credit unions should take preventative measures to safeguard member information against such attempts, and to do so in a way that is appropriate to the size and complexity of the credit union and the nature and scope of its activities. Thus, Appendix B is designed to be risk-based and to give FICUs discretion in addressing incidents of unauthorized access to or use of member information that could result in substantial harm or inconvenience to a member.
[^3] 12 CFR 748 App. B (II)(i).
**B. Legal Authority**
The standards in Appendix B fulfill a requirement in the Gramm-Leach-Bliley Act, through which Congress directed NCUA and other federal regulators to establish standards for financial institutions relating to the safeguarding of customer information. [^4] Under the Federal Credit Union Act (FCU Act), NCUA examines all FICUs and is required to ensure that all FICUs operate safely and soundly. In particular, 12 U.S.C. 1786(b) compels the agency to act to correct unsafe or unsound conditions or practices in FICUs. Sections 120 and 209 of the FCU Act are plenary grants of regulatory authority to the Board to examine and require information and reports from credit unions as well as issue the regulations necessary or appropriate to carry out its roles as regulator and share insurer. Section 204 of the FCU Act requires the Board to appoint examiners who shall have the power to thoroughly examine the affairs of FICUs and report to the Board. Section 206 of the FCU Act requires the agency to impose corrective measures whenever, in the opinion of the Board, any credit union is engaged in or has engaged in unsafe or unsound practices in conducting its business. Accordingly, the FCU Act grants the Board broad rulemaking authority to protect credit unions, their member owners, and the National Credit Union Share Insurance Fund.
[^4] 15 U.S.C. 6801 *et seq.* (Nov. 12, 1999).
**II. Proposed Rule**
The Board is now issuing this proposed rule to remove Appendix B from the CFR. The Board believes that the information conveyed in Appendix B can be just as easily communicated by a Letter to Credit Unions, which would have the advantage of being better recognized by FICUs as nonbinding guidance. The Board believes that issuing Appendix B alongside part 748 may give the false impression that it is a legally binding rule rather than an aid to credit unions that can help them meet the regulatory requirements of part 748. The Board seeks comments on all aspects of this proposed rule, including any references to Appendix B in other parts of NCUA's regulations that may need to be revised.
The Board considered retaining Appendix B in its current form. The current practice ensures the agency reviews Appendix B once every three years as part of its one third regulatory review process. Maintaining Appendix B as part of NCUA's regulations also guarantees that any changes, whether technical or substantive, are published in the *Federal Register* typically with an opportunity for public notice and comment (unless an exception under the Administrative Procedure Act applies). Maintaining the current placement would maintain comparability with the FBAs whose guidance is also located in the CFR. However, the Board now believes that streamlining NCUA's regulations and creating a greater separation between binding regulations and nonbinding guidelines outweighs the benefits of the current approach. The Board also believes that the Agency's adoption of separate guidance is appropriate for communicating guidelines such as those in Appendix B. The Board is soliciting feedback on all aspects of this proposed rule, including the option of maintaining the status quo.
**III. Regulatory Procedures**
**A. Providing Accountability Through Transparency Act of 2023**
The Providing Accountability Through Transparency Act of 2023 (5 U.S.C. 553(b)(4)) requires that a notice of proposed rulemaking include the internet address of a summary of not more than 100 words in length of a proposed rule, in plain language, that shall be posted on the internet website under section 206(d) of the E-Government Act of 2002 (44 U.S.C. 3501 note) (commonly known as *regulations.gov*).
In summary, the Board is proposing to remove Appendix B to part 748, Guidance on Response Programs for Unauthorized Access to Member Information and Member Notice. The Board believes that moving Appendix B to a Letter to Credit Unions is a better vehicle for conveying this information and will help to streamline the NCUA's regulations. The intended effect is to simplify the regulatory text and make it easier to navigate, without altering any substantive compliance obligations.
The proposed rule and the required summary are available at *https://www.regulations.gov.*
**B. Executive Orders 12866, 13563, and 14192**
Pursuant to Executive Order 12866 (“Regulatory Planning and Review”), as amended by Executive Order 14215, a determination must be made whether a regulatory action is significant and therefore subject to review by the Office of Management and Budget (OMB) in accordance with the requirements of the Executive Order. OMB has determined that this proposed rule is not a “significant regulatory action” as defined in section 3(f)(1) of Executive Order 12866.
Executive Order 13563 (“Improving Regulations and Regulatory Review”) directs executive agencies to analyze regulations that are “outmoded, ineffective, insufficient, or excessively burdensome, and to modify, streamline, expand, or repeal them in accordance with what has been learned.” Executive Order 13563 also directs that, where relevant, feasible, and consistent with regulatory objectives, and to the extent permitted by law, agencies are to identify and consider regulatory approaches that reduce burdens and maintain flexibility and freedom of choice for the public. This proposed rule will streamline the NCUA's regulations by removing nonbinding guidelines. This proposed rule is consistent with Executive Order 13563.
Executive Order 14192 (“Unleashing Prosperity Through Deregulation”) requires that any new incremental costs associated with new regulations shall, to the extent permitted by law, be offset by the elimination of existing costs associated with at least 10 prior regulations. [^18] This proposed rule is expected to be a deregulatory action for purposes of Executive Order 14192.
**C. The Regulatory Flexibility Act**
The Regulatory Flexibility Act generally requires an agency to conduct a regulatory flexibility analysis of any rule subject to notice and comment rulemaking requirements, unless the agency certifies that the rule will not have a significant economic impact on a substantial number of small entities. [^5] If the agency makes such a certification, it shall publish the certification at the time of publication of either the proposed rule or the final rule, along with a statement providing the factual basis for such certification. [^6] For purposes of this analysis, the NCUA considers small credit unions to be those having under $100 million in assets. [^7] The Board fully considered the potential economic impacts of the regulatory amendments on small credit unions. The proposed rule removes nonbinding guidelines but would retain them in another format without substantive change. Accordingly, the NCUA certifies that the proposed rule would not have a significant economic impact on a substantial number of small credit unions.
**D. The Paperwork Reduction Act**
The Paperwork Reduction Act of 1995 (PRA) generally provides that an agency may not conduct or sponsor, and notwithstanding any other provision of law, a person is not required to respond to, a collection of information, unless it displays a currently valid OMB control number. The PRA applies to rulemakings in which an agency creates a new or amends existing information collection requirements. For purposes of the PRA, an information-collection requirement may take the form of a reporting, recordkeeping, or a third-party disclosure requirement. The NCUA has determined that the changes in the proposed rule do not create a new information collection or revise an existing information collection as defined by the PRA.
**E. Analysis on Executive Order 13132 on Federalism**
Executive Order 13132 encourages certain agencies to consider the impact of their actions on state and local interests. The NCUA, an agency as defined in 44 U.S.C. 3502(5), complies with the executive order to adhere to fundamental federalism principles. This proposed rule is intended to remove nonbinding guidelines from the NCUA's regulations. While it does impact provisions that apply to FISCUs, it does not make a substantive change and is not intended to affect the division of responsibilities between the NCUA and state regulatory authorities.
**F. Assessment of Federal Regulations and Policies on Families**
The NCUA has determined that this proposed rule would not affect family well-being within the meaning of section 654 of the Treasury and General Government Appropriations Act, 1999. The proposed rule removes nonbinding guidelines from the NCUA's regulations, and any effect on family well-being is expected to be indirect.
**List of Subjects in 12 CFR Part 748**
Administrative practice and procedure, Banks, banking, Credit, Credit unions, Personally identifiable information, Privacy, Reporting and recordkeeping requirements.
By the National Credit Union Administration Board, this 8th day of December 2025.
Melane Conyers-Ausbrooks,
Secretary of the Board.
For the reasons stated in the preamble, the NCUA Board proposes to amend 12 CFR part 748 as follows:
**PART 748—SECURITY PROGRAM, SUSPICIOUS TRANSACTIONS, CATASTROPHIC ACTS, CYBER INCIDENTS, AND BANK SECRECY ACT COMPLIANCE**
1. The authority citation for part 748 continues to read as follows:
**Authority:**
12 U.S.C. 1766(a), 1786(b)(1), 1786(q), 1789(a)(11); 15 U.S.C. 6801-6809; 31 U.S.C. 5311 and 5318.
2. The table of contents is amended to read as follows:
748.0
748.1
748.2
3. Remove Appendix B to part 748—Guidance on Response Programs for Unauthorized Access to Member Information and Member Notice.