OIG Makes 7 Recommendations for NCUA Data Safety during Exams
Tuesday, June 16, 2015 6:45 AM

The Office of Inspector General (OIG) audited the National Credit Union Administration’s measures to protect sensitive, confidential, or personally identifiable electronic credit union member information during the examination process and, as a result, the OIG issued a report on June with seven recommendations.

The recommendations mean that federally insured credit unions could face a proposed rule that would require them to provide encrypted, password-protected, or other protected data to the agency during their exams.

The NCUA needs to improve its policies, procedures and training to help ensure its staff appropriately protect sensitive data during the examination, and to improve its guidance so that staff are required to use specific tools to transfer the sensitive data, the OIG said.

The seven recommendations are:

  1. Require federally insured credit unions to provide the sensitive electronic member information to the NCUA and its staff “in an encrypted or otherwise secure manner,” such as with files protected by strong passwords, whether using the credit union’s secure tools or the agency’s. 
  2. Complete revision of the NCUA’s Instruction 13500.9 to consolidate, include, or reference: 1) the agency’s specific policy, procedure, or alternate practical guidance—depending on the examination scenario—agency staff must adhere to or follow to help ensure protection of the information; and 2) the consequences the NCUA staff face for failing to follow the agency’s requirements, procedures, or guidance for protecting the information. The NCUA management has revised the instruction and will implement it after the NTEU bargaining obligation.
  3. Enhance the NCUA annual security awareness training or provide additional supplementary periodic training that reinforces the data protection requirements in NCUA Instruction 13500.9 and provides staff with practical guidance for addressing issues within the context of their job responsibilities as they handle the information during examinations.
  4. Enhance the NCUA’s annual privacy training to stress protecting sensitive member information; address and reinforce to staff the consequences of violating or failing to follow policy, requirements, and procedures for protecting information; and address potential consequences the NCUA and credit unions face if staff fail to protect the information.
  5. Continue to pursue and implement the secure file transfer solution NCUA is assessing to transfer sensitive, confidential, or personally identifiable electronic credit union member information.
  6. Complete revising Instruction 13500.09 to require and provide guidance on secure tools or alternative procedures NCUA staff must use under various circumstances to transfer the sensitive information during examinations.
  7. Enhance the NCUA’s annual security awareness training to reinforce to NCUA staff the availability, use, and applicability of secure NCUA tools to transfer the information.

CUNA agrees that credit union member data should be protected during the exam process; however, the association doesn't want another regulation added to the regulatory burden that credit unions already face.