Compliance Blog

Compliance Team Update; NCUA Issues Letter to CEOs on Encrypting Exam Data

Compliance Team Update

Written by Carrie Hunt, SVP of Government Affairs and General Counsel

Today marks JiJi Bahhur's last day at NAFCU.  She is moving on from the NAFCU family to return to work directly for a credit union.  I have known JiJi for over three and half years and have admired her hard work and appreciated her counsel. JiJi has done a great job for NAFCU members, and everyone here wishes her the best!  But JiJi leaves NAFCU in good hands, as Brandy Bruyere, NAFCU's Senior Regulatory Compliance Counsel will take over as NAFCU's Director of Regulatory Compliance on Monday.  Many of you know Brandy, and for those of you who don't, I urge you to reach out and send her a note.

NAFCU has a great team and there is nothing we enjoy more than serving our members. 

***

NCUA Issues Letter to CEOs on Encrypting Data Provided to Examiners

Written by Brandy Bruyere, Senior Regulatory Compliance Counsel

On August 21, 2015 NCUA's Office of Examination and Insurance sent a letter to CEOs of federally-insured credit unions regarding new requirements allowing NCUA examiners to only accept sensitive data electronically if properly encrypted. A link to the letter can be found here. This letter implements one recommendation made by NCUA's Office of the Inspector General report auditing NCUA's controls to protect credit union information during exams after agency examiners misplaced an unencrypted flash drive containing sensitive credit union member information in October 2014.

The letter clarifies that "sensitive data" is defined as (1) any information which by itself, or in combination with other information, could be used to cause harm to a credit union, credit union member, or any other party external to NCUA, and (2) any information concerning a person or their account which is not public information, including any non-public personally identifiable information. NCUA examiners may only accept sensitive data electronically using one of two forms.

First, theac "preferred method" is for data files to be provided on removable media (thumb drives, external hard drives, etc.) or transmitted through a secure electronic transmission. This information can be provided using either the credit union's own hardware, by NCUA if permitted under the credit union's internal policies and procedures. The minimum encryption requirements are as follows:

  • 128-bit AES encryption
  • Strong password (a minimum of eight characters; mixture of upper- and lower-case, numbers, and special characters; not easily guessable, etc.)
  • Password must be provided separately from the device or transmission

The second option is by a controlled in-person transfer using removable media that does not include encryption. However, NCUA examiners may then only accept such data electronically if a credit union representative in person provides the data file(s) to the examiner and remains physically present while the examiner transfers the data to NCUA's encrypted equipment. In order to perform the transfer, the credit union's representative must:

  • "Take receipt of the removable media from the examiner immediately after the data transfer is complete, and
  • Sign the Chain of Custody document to acknowledge receipt of the removable media."

Credit unions will want to review the letter in full to be clear on the requirements for providing sensitive data to NCUA examiners electronically and review sample documents such as the Chain of Custody Tracking Form. This letter implements one of the seven recommendations made in the NCUA OIG report so this is probably not the last we will hear from the agency in this area.