August 26, 2015

NCUA institutes encryption protocols for data provided to examiners

NCUA has instituted data encryption protocols as suggested by its Office of Inspector General this June following a review of an examiner's loss of a thumb drive containing credit union members' data.

The protocols were communicated Aug. 21 in a letter from NCUA Examination and Insurance Director Larry Fazio to the chief executives of federally insured credit unions.

The letter says the agency's examiners now will accept data files from credit unions only if the files are encrypted first by the credit union or, if the credit union is unable or does not wish to do that, via transfer to NCUA's encrypted equipment. In either case, the parties involved will sign a "chain of custody" document. The letter, in a footnote, also advises credit unions against electronically transmitting unencrypted data to examiners.

Encryption protocols outlined in the letter will remain in use until the agency acquires a secure file transfer solution that will allow credit unions and exam staff to "securely and efficiently" exchange information, Fazio wrote. That solution is expected to be in place early next year.

NAFCU Director of Regulatory Affairs Alicia Nealon reiterated concerns aired in June about the agency's safekeeping of data. "Credit unions shouldn't be hit with costly new requirements when it is within NCUA's power to ensure against mishaps with credit union members' data," she said.

She also encouraged NCUA to follow through with the numerous other recommendations of the OIG, including better training of staff in the safe handling of credit union members' data.