June 12, 2015
CUs don't need new rules in wake of NCUA policy gaps, NAFCU says
Rather than increase regulation for credit unions in response to a data security violation that resulted from a lost thumb drive, NCUA should focus on executing recommendations for improving its own security policies and training, NAFCU said in the wake of a new inspector general report.
The IG report, dated June 8, says NCUA is working to present a proposed rule to the agency board by year-end that would require credit unions providing personally identifiable member information to NCUA to do so in an "encrypted or otherwise secure" manner. It says NCUA is also working to complete implementation of a secure file transfer solution by this year-end.
The report was the NCUA Office of Inspector General's analysis of an incident last October during the examination of Palm Springs Federal Credit Union of Palm Springs, Calif., in which the NCUA examiner on site was given an unencrypted flash drive containing member information, which was later lost.
According to the OIG account, the data violation occurred as a result of NCUA failing to stress its "External Data Protection Policy" in its staff training and policies to protect credit union member information. The report recommends that the agency provide staff with "practical guidance" for addressing "issues within the context of their job responsibilities" as they handle sensitive, confidential, and personally identifiable credit union member information throughout the examination process.
In all, the report made seven recommendations: the one noted above and six others that deal specifically with NCUA's policies, procedures, training and guidance to its staff.
NAFCU Director of Regulatory Affairs Alicia Nealon challenged the agency's approach regarding credit unions. "While we recognize NCUA's efforts to assess its systems and internal policies, NAFCU would oppose a new data encryption rule that would impose unnecessary costs and burdens on credit unions," she said. "Credit unions must already follow stringent data security and privacy requirements, and they have a strong track record of regulatory compliance with these requirements."
She added that credit unions also constantly strive to implement the highest safeguards for their members' data, including voluntarily implementing many of NCUA's suggested best practices. "Rather than promulgating additional regulatory burdens on credit unions, NCUA should focus on implementing the Inspector General's recommendations for improving the agency's internal policies and training to better protect the credit unions' data in its care," she said.