January 07, 2015

NAFCU to NCUA: CUs already protect member info

NAFCU Director of Regulatory Affairs Alicia Nealon, noting a report that NCUA is "contemplating" a possible rulemaking on encryption of credit union data, said Wednesday that credit unions already follow data security requirements and are not in need of more regulation.

NCUA Board Chairman Debbie Matz, according to Credit Union Times, said just such a rulemaking is being considered after an agency examiner's loss of a thumb drive containing sensitive credit union member data. The report quotes Matz citing estimated cost of $15,000 to $20,000 as a result of the incident, which she said the agency will cover.

"Credit unions must already follow stringent data security and privacy requirements, and they have a strong track record of regulatory compliance with these requirements," Nealon said. "Credit unions also constantly strive to implement the highest safeguards for their members' data.

"A recent survey of NAFCU's member credit unions found that credit unions not only meet the regulatory requirements, but also voluntarily implement many of NCUA's suggested best practices in order to better safeguard their members data," she continued. "Rather than promulgating additional regulatory burdens on credit unions, NCUA should take a look internally at what actions the agency can take to better protect the credit union data in its care."

NCUA has placed cybersecurity at the top of its 2015 supervisory priorities list. As for any rulemaking on encryption, CU Times also said Matz noted the agency would consider a solution after the NCUA inspector general's investigation is over.

NAFCU President and CEO Dan Berger urged a thorough investigation into the thumb drive incident. He said NAFCU "looks forward to seeing improvements in the way NCUA handles and protects the sensitive data it receives from insured credit unions."