Fair Credit Reporting: TABLE OF CONTENTS

I. Introduction

A. Scope

B. Definitions

II. Guidelines for Safeguarding Member Information

A. Information Security Program

B. Objectives

III. Development and Implementation of Member Information Security Program

A. Involve the Board of Directors

B. Assess Risk

C. Manage and Control Risk

D. Oversee Service Provider Arrangements

E. Adjust the Program

F. Report to the Board

Fair Credit Reporting: I. INTRODUCTION

The Guidelines for Safeguarding Member Information (Guidelines) set forth standards pursuant to sections 501 and 505(b), codified at 15 U.S.C. 6801 and 6805(b), of the Gramm-Leach-Bliley Act. These Guidelines provide guidance standards for developing and implementing administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of member information. These Guidelines also address standards with respect to the proper disposal of consumer information pursuant to sections 621(b) and 628 of the Fair Credit Reporting Act (15 U.S.C.

Fair Credit Reporting: II. STANDARDS FOR SAFEGUARDING MEMBER INFORMATION

A. Information Security Program. A comprehensive written information security program includes administrative, technical, and physical safeguards appropriate to the size and complexity of the credit union and the nature and scope of its activities. While all parts of the credit union are not required to implement a uniform set of policies, all elements of the information security program must be coordinated.

Fair Credit Reporting: III. DEVELOPMENT AND IMPLEMENTATION OF MEMBER INFORMATION SECURITY PROGRAM

A. Involve the Board of Directors. The board of directors or an appropriate committee of the board of each credit union should:

1. Approve the credit union’s written information security policy and program; and

2. Oversee the development, implementation, and maintenance of the credit union’s information security program, including assigning specific responsibility for its implementation and reviewing reports from management.

Fair Credit Reporting: Amendment History

[66 Fed. Reg. 8161 (Jan. 30, 2001); 69 Fed. Reg. 69,269 (Nov. 29, 2004); 77 Fed. Reg. 71,085 (Nov. 29, 2012); 78 Fed. Reg. 32,545 (May 31, 2013); 84 Fed. Reg. 1609 (Feb. 5, 2019)]

Fair Credit Reporting: I. Background

This appendix provides guidance on NCUA’s Security Program, Suspicious Transactions, Catastrophic Acts, Cyber Incidents, and Bank Secrecy Act Compliance regulation,70 interprets section 501(b) of the Gramm-Leach-Bliley Act (“GLBA”) and describes response programs, including member notification procedures, that a federally insured credit union should develop and implement to address unauthorized access to or use of member information that could result in substantial harm or inconvenience to a member.

Fair Credit Reporting: II. Response Program

i. Millions of Americans, throughout the country, have been victims of identity theft.75 Identity thieves misuse personal information they obtain from a number of sources, including credit unions, to perpetrate identity theft. Therefore, credit unions should take preventative measures to safeguard member information against such attempts to gain unauthorized access to the information.

Fair Credit Reporting: III. Member Notice

i. Credit unions have an affirmative duty to protect their members’ information against unauthorized access or use. Notifying members of a security incident involving the unauthorized access or use of the member’s information in accordance with the standard set forth below is a key part of that duty.

Fair Credit Reporting: G.4 Sample Opt-Out Notices

This appendix section reprints the sample clauses that the CFPB has designated as meeting the opt-out notice requirements of the Gramm-Leach-Bliley Act and its regulations. Regulated institutions do not have to use these clauses, however.

Fair Credit Reporting: E.1 Introduction

The full text of FTC Staff Opinion Letters can be found online as companion material to this treatise, under “Primary Sources.” Search tips to pinpoint the appropriate letter on the website are set out below.

Fair Credit Reporting: E.3.1 Overview

The informal opinion letters listed in this index were mostly written by FTC staff in response to written inquiries from consumer reporting agencies, creditors and other users of consumer reports, and consumers. The letters are informal; they are not approved by the FTC Commissioners and they are not formal advisory opinions. They are not even interpretations of an FTC regulation, but of the statute itself. As such, they are not entitled to formal deference by a court of law.

Fair Credit Reporting: FCRA § 603d, 15 U.S.C. § 1681a Definition of “Consumer Report”

Carson (Mar. 20, 1971)

Conway (Mar. 30, 1971)

Silbergeld (Apr. 1, 1971)

Carson (Apr. 8, 1971)

Feldman (Apr. 15, 1971)

Kahn (Apr. 27, 1971)

Feldman (May 5, 1971)

Wan (June 2, 1971)

Goldfarb (June 16, 1971)

Feldman (July 15, 1971)

Carson (Sept. 1, 1972)

Russell (Jan. 30, 1973)

Wan (May 25, 1973)

Grimes (July 5, 1973)

Wan (July 5, 1973)

Grimes (Sept. 5, 1973)

Russell (Sept. 26, 1973)

Russell (Sept. 27, 1973)

Conway (Dec. 3, 1973)

Russell (Dec. 3, 1973)

Fair Credit Reporting: FCRA § 603e, 15 U.S.C. § 1681a Definition of an “Investigative Consumer Report”

Russell (Dec. 3, 1973)

Peeler (Apr. 15, 1974)

Dea (May 1, 1974)

Dea (Apr. 2, 1975)

Dea (Sept. 24, 1975)

Peeler (May 5, 1976)

Grimes (Dec. 9, 1983)

Grimes (Oct. 4, 1985)

Fortney (Jan. 30, 1986)

Grimes (Oct. 10, 1986)

Kane (Aug. 9, 1993)

Isaac (Sept. 26, 1996)

Kane (July 9, 1998) Hinkle

Brinckerhoff (Mar. 25, 1999) Willner

Keller (Apr. 5, 1999) Vail

Medine (Aug. 31, 1999) Meisinger

Brinckerhoff (Oct. 1, 1999) Fischel

Fair Credit Reporting: FCRA § 603f, 15 U.S.C. § 1681a Definition of “Consumer Reporting Agency”

Silbergeld (Apr. 1, 1971)

Carson (Apr. 8, 1971)

Kahn (Apr. 27, 1971)

Goldfarb (Apr. 29, 1971)

Feldman (May 5, 1971)

Carson (May 21, 1971)

Martin (May 26, 1971)

Bragg (May 16, 1972)

Carson (Sept. 1, 1972)

Wan (May 25, 1973)

Grimes (July 5, 1973)

Grimes (Sept. 5, 1973)

Russell (Sept. 27, 1973)

Russell (Dec. 3, 1973)

Conway (Dec. 3, 1973)

Grimes (Jan. 9, 1974)

Feldman (Mar. 10, 1974)

Dea (May 1, 1974)

Russell (May 15, 1974)

Dea (July 18, 1974)

Feldman (Sept. 5, 1974)