September 6, 2001

Richard S. Schulman, Esq. 
Roach & Carpenter, P.C.
24 School Street
Boston, MA  02108

Re:  Guidelines for Safeguarding Member Information, Appendix A to Part 748.

Dear Mr. Schulman:

You have asked if the language:  “Each credit union should:  . . . [r]equire its service providers by contract to implement appropriate measures designed to meet the objectives of these guidelines,” in NCUA’s Guidelines for Safeguarding Member Information (Guidelines), requires credit unions to enter into written contracts with attorneys and other professionals.  12 C.F.R. Part 748, app. A, III.D.2.  The answer is no. 

The privacy provisions of the Gramm-Leach-Bliley Act of 1999 (GLB Act) require financial institutions to establish and implement administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information.  15 U.S.C. §6801(b).  NCUA modified its security program requirements and issued the Guidelines, effective July 1, 2001, to implement those GLB Act provisions.  According to the rule’s preamble, “The final regulation requires that federally-insured credit unions establish a security program addressing the safeguards required by the GLB Act.”   66 Fed. Reg. 8152, 8152 (Jan. 30, 2001); 12 C.F.R. §748.0(b)(2). 

The preamble also discusses the Appendix to Part 748.  “The Board is also issuing an appendix to the regulation that sets out guidelines . . . intended to outline industry best practices and assist credit unions to develop meaningful and effective security programs to ensure their compliance with the safeguards contained in the regulation.”  66 Fed. Reg. at 8152; 12 C.F.R. Part 748, app. A.  The Appendix itself does not contain requirements. 

Further, with respect to the appropriate level of oversight a credit union should exercise over its service providers who are attorneys and other professionals, the preamble acknowledges that:  “Other service providers may already be subject to legal and professional standards that require them to safeguard the credit union’s member information.”  66 Fed. Reg. at 8159.  

 

                                                                        Sincerely,

 

                                                                        Sheila A. Albin
                                                                        Associate General Counsel

GC/RMM:bhs
SSIC 3500
01-0741