The NCUA does not require credit unions to encrypt members' information during examinations or use available NCUA tools to protect that information.

That was a key finding in the agency's Office of Inspector General's audit that investigated whether the NCUA has adequate controls to protect members' confidential information.

Even though the OIG audit determined the NCUA provided examiners with appropriate tools with which to securely receive electronic information from credit unions during the examination process, the audit quoted an NCUA management official as saying that it is not uncommon for credit unions to provide data in an unprotected manner.

"Those credit unions that do not take appropriate measures to protect member data on their own or do not allow NCUA staff to use available agency data protection measures will forestall NCUA data protection efforts and ultimately continue to place credit union member information at risk of exposure," according to the OIG audit.

The OIG's 19-page audit also said the NCUA needs to improve its policies, procedures and training to help ensure that examiners take appropriate measures to protect member information during an examination, and that the federal agency needs to improve its guidance to require NCUA staff to use specific tools to transfer confidential member information during examinations.

The audit was triggered after NCUA examiners lost an unencrypted flash drive containing confidential members' information from the $13 million Palm Springs Federal Credit Union in Palm Springs, Calif., on Oct. 20, 2014. Although the flash drive contained the names, addresses, Social Security numbers and account numbers of members, it did not include member passwords or PINs.

The NCUA concluded that the examiners failed to exercise proper care over the PSFCU member information.

The OIG audit made seven recommendations, including one that would require credit unions to provide the NCUA with confidential member information in an "encrypted or otherwise secure manner," which means files protected with strong passwords, whether using the credit unions' own secure tools or measures or using available NCUA secure tools or measures.

"(The) NCUA concurs with the inspector general's recommendations and has laid out a plan for addressing the points raised in the report," the NCUA said in a prepared statement Thursday. "The security of credit union members' personally identifiable information is a top priority. (The) NCUA has taken several steps to reinforce training and to update policies and procedures, and the agency will continue to work to improve in this area. (The) NCUA is planning to have a secure online portal for credit unions to safely transmit this information to the agency by the end of the year."

The other recommendations center around improving how examiners protect member information, enhancing security and privacy awareness training, implementing a secure file solution to transfer confidential member information, and requiring secure tools or alternate procedures that NCUA staff must use to transfer member information.

Carrie R. Hunt, NAFCU's senior vice president of government affairs and general counsel, noted that credit unions must already follow stringent data security and privacy requirements, and that they have a strong track record of regulatory compliance with these requirements.

"Credit unions should not have to pay for NCUA's mistakes," she said, reacting to the OIG audit. "The report indicates that the inspector general has made seven recommendations that the NCUA is going to adopt. Six of those deal with internal NCUA policies. We also believe NCUA should focus on implementing the inspector general's recommendations for improving the agency's internal policies and training to better protect the credit union data in its care."

In the NCUA's response letter to the OIG audit, the federal agency said it is working on a proposed regulation to require all information provided by credit unions to be encrypted or otherwise provided in a secure manner.

The NCUA said it expects that the proposed regulation will be presented to the NCUA board by the end of this year.

The OIG audit also determined the NCUA's policies, procedures and training for data protection do not fully specify and reinforce requirements or guidelines that staff must follow to protect electronic credit union member information. Additionally, the NCUA does not adequately stress to staff the importance of protecting credit union member information or the consequences for failing to protect this information.

"We believe these issues contributed to the NCUA examiners accepting and failing to adequately protect the unsecured advice from credit union staff that ultimately resulted in the loss of the PSFCU member information," according to the OIG audit.

The audit also found that even though the NCUA provides examiners with an encrypted flash drive and email encryption solution, the federal agency did not provide sufficient guidance to staff regarding under what circumstances it is appropriate or required to use these tools to protect member information.

© 2025 ALM Global, LLC, All Rights Reserved.