Safeguarding Member Information – NCUA Proposes Removing Appendix A

NCUA has proposed removing Appendix A to Part 748, which includes the long-standing Guidelines for Safeguarding Member Information. Although the content of Appendix A is not going away, the agency intends to publish it as a Letter to Credit Unions instead of keeping it within the Code of Federal Regulations.

This move reflects NCUA’s push to separate binding regulations from advisory guidance and to make future updates easier.


Understanding the Proposed Rule


Appendix A was originally issued to satisfy requirements under the Gramm-Leach-Bliley Act. It provides detailed guidelines for protecting member information, implementing administrative and technical safeguards, and ensuring the confidentiality of sensitive data.

Over time, Appendix A has been amended to reflect:

  • Updates to the Fair Credit Reporting Act

  • Changes resulting from the Dodd-Frank Act

  • Evolving expectations for security and privacy programs

Despite living inside the CFR, Appendix A has always been guidance rather than a regulation. NCUA now believes maintaining guidance inside regulatory text can mislead credit unions about what is mandatory.


Why NCUA Is Making This Change


Moving guidance into a Letter to Credit Unions allows:

  • Faster updates when technology or risk environments change

  • Clearer separation between statutory requirements and best-practice recommendations

  • A more streamlined and readable Part 748

NCUA also notes that using Letters to Credit Unions is familiar to the industry and improves clarity about the nonbinding nature of guidance.


What This Means for Credit Unions


Nothing changes about the responsibility to safeguard member information. Credit unions must still maintain a security program, protect against unauthorized access, and comply with statutory obligations relating to confidentiality.

Examiners will continue evaluating whether controls are appropriate for the size, complexity, and risk profile of each credit union.

The only change is that Appendix A will no longer appear inside the regulation. The expectations themselves remain intact.


Practical Steps to Consider


Credit unions should:

  1. Review their existing information security programs to ensure alignment with Appendix A’s principles

  2. Prepare for future revisions that may come faster once the guidelines are no longer tied to formal rulemaking

  3. Ensure staff understand the distinction between regulatory requirements and best-practice guidance

Appendix A will still matter — it just will no longer be misinterpreted as formal regulatory text.


Final Thoughts


This proposal is part of a larger effort to modernize the rulebook and ensure clarity between what is required and what is recommended. Safeguarding member information remains essential, and NCUA’s expectations have not changed.


 
 
 