
Response Programs for Unauthorized Access – Removal of Appendix B


NCUA has also proposed removing Appendix B to Part 748, which contains guidance on response programs for unauthorized access to member information and guidance on member notice requirements. Like Appendix A, this guidance will continue to exist but will be published as a Letter to Credit Unions rather than regulatory text.



Understanding the Proposed Rule


Appendix B was originally issued in 2005 to help federally insured credit unions develop risk-based programs to detect, respond to, and notify members about unauthorized access to their information. The guidance was created in coordination with the federal banking agencies to align industry practices across the financial sector.

The guidance covers expectations such as:

  • Establishing procedures to respond to incidents

  • Assessing the likelihood of harm or inconvenience to affected members

  • Providing notice where required

  • Implementing security controls appropriate to the credit union’s size and complexity

Although helpful, Appendix B is guidance rather than regulation. Keeping it inside the CFR can create confusion about its binding effect.


Why NCUA Is Making This Change


By moving Appendix B into a Letter to Credit Unions, NCUA aims to:

  • Clarify that the content is advisory

  • Make future updates more agile

  • Streamline and simplify Part 748

  • Better distinguish between what credit unions must do and what represents best practice

The agency also noted that the industry is already accustomed to receiving guidance in this format.


What This Means for Credit Unions


Credit unions still must maintain a response program for unauthorized access to member information under Part 748. They must also notify members when unauthorized access could result in substantial harm.

None of those expectations change.

What does change is where the supporting guidance lives and how it can be updated. Credit unions should anticipate periodic revisions as cyber threats evolve.


Practical Steps to Consider


Now is a good time to:

  1. Review incident-response policies to ensure they reflect current risks

  2. Confirm notification procedures are clearly documented

  3. Evaluate whether safeguards scale appropriately with the credit union’s size and complexity

  4. Ensure staff understand the difference between regulatory requirements and guidance

Removing Appendix B from the CFR does not reduce regulatory expectations — it simply makes the structure cleaner.


Final Thoughts


This is another example of NCUA modernizing its regulations by separating binding rules from explanatory guidance. The obligation to respond appropriately to unauthorized access remains unchanged. What changes is how the guidance will be communicated.
