Advanced Search

Records Preservation Program and Appendices-Record Retention Guidelines; Catastrophic Act Preparedness Guidelines


Published: 2007-08-02

Subscribe to a Global-Regulation Premium Membership Today!

Key Benefits:

Subscribe Now for only USD$40 per month.
ACTION:
Final rule.
SUMMARY:
NCUA is issuing a final rule to amend its regulations regarding a federally-insured credit union's obligation to maintain a records preservation program. The final rule clarifies the meaning of catastrophic act and the requirements for preserving vital records. The agency also provides a new Appendix B that offers guidelines for developing a program to prepare for a catastrophic act. NCUA believes the revised rule language and new appendix will facilitate the recovery of essential operations after a catastrophic act resulting in continued member confidence in the credit union system.
DATES:
This rule is effective September 4, 2007.
FOR FURTHER INFORMATION CONTACT:
Andrew Healey, Program Officer, Division of Supervision, Office of Examination and Insurance, at (703) 518-6360 or Linda K. Dent, Staff Attorney, Office of General Counsel, at (703) 518-6540.
SUPPLEMENTARY INFORMATION:
Background
On March 15, 2007, the NCUA Board (Board) requested comments on proposed amendments to parts 748 and 749 addressing catastrophic act events, vital records preservation, and vital member services restoration. The agency's previous experiences with catastrophic acts underscored the importance of preserving vital records and swiftly restoring vital member services. In particular, NCUA's review of events in the aftermath of hurricanes Katrina and Rita demonstrated the need for advance planning and preparation to respond to a catastrophic act successfully. In reviewing these experiences, the Board determined the most immediate issues for credit unions and their members concerned access to funds and account information, access to facilities, and locating and communicating with staff. The proposed amendments drew from these experiences to identify program elements the Board considered essential to restoring vital records and member services.
While many of these elements are covered in previous NCUA guidance issued to federally-insured credit unions on disaster recovery planning, the Board wants to ensure that credit unions are maintaining sufficient plans and safeguards to preserve vital records. The Board believes the regulatory changes are necessary to ensure credit unions establish certain minimum standards for preserving vital records. The Board also believes the recommendations and guidance offered, concerning restoring vital member services and development of a program to prepare for a catastrophic act, provide important information about maintaining member services and confidence in the credit union system if a catastrophic act occurs.
Summary of Comments
The Board received twelve comments on the proposed regulation: Four from natural person credit unions, one corporate credit union, two national trade associations, and five state trade associations. While all commenters generally supported the overall purpose of the proposed changes, about half of them offered recommendations on the definitions for catastrophic act, vital member services, and vital records, and the proposed new Appendix B to Part 749. Comments for these items were mixed and are discussed in further detail below.
Section 748.1(b). Catastrophic Act Report
The Board proposed to revise the definition of catastrophic act to include any event, natural or otherwise, causing an interruption in vital member services for more than two business days. Seven commenters recommended additional changes: Four commenters believe the definition should clarify what constitutes a business day; two commenters suggested including cross-references to relevant definitions in parts 748 and 749; and one commenter felt the definition of catastrophic act should focus only on whether a loss of vital member services has occurred without regard to whether physical damage has occurred.
Section 748.1(b) previously required a credit union to file a report when a catastrophic act caused physical damage to its facilities. The proposed rule retained this requirement but added that a catastrophic act would include an interruption in vital member services lasting for more than two consecutive business days, regardless of whether physical damage is present. In the final rule, the Board has substituted the word “disaster” for “event” and added the word “causing” before “an interruption” to address concerns that relatively minor events could be construed to trigger the need to file a report and, also, clarifying the causal link between a disaster and an interruption in vital member services. The Board believes these changes are consistent with the usual and customary meaning of the word catastrophe. These changes also reinforce the Board's view that the reporting requirement applies only to a disaster as opposed to a circumstance where physical damage or a business closing occurs but is not disaster-related.
The Board believes adding a definition of business day is unnecessary and could be cumbersome because the hours and days of operations vary significantly among credit unions. The word “consecutive” has been added to the regulation so the requirement to submit a report due to an interruption in vital member services caused by a disaster will be triggered when the interruption is “projected to last more than two consecutive business days.” Two consecutive business days means full consecutive days on which a credit union would normally be open for business. For example, if a credit union, normally operating Monday through Friday from 9 a.m. to 5 p.m., shuts early on Thursday because a hurricane has caused a loss of power, the credit union must file a report only if it is unable to provide vital member services, through any of its delivery channels, by 9:00 am on Tuesday. Finally, as suggested in the comments, the Board also included a cross-reference to the definition of vital member services in part 749.
Part 749
Vital Member Services
Six commenters generally supported the proposed definition, while two of the commenters addressing this subject suggested including a clarification that vital member services can be provided by any means or delivery channel. The Board believes the additional clarification is unnecessary as the final rule does not restrict the manner in which vital member services are provided.
Vital Records
Eight commenters provided comments on the proposed definition: Four were in support of the proposed change and four recommended changes. Two of the recommendations, one from a national trade association and the other from a state trade association, expressed concern about the rule's impact on small, non-automated credit unions and recommended flexibility, or exemption, for such institutions. The Board is not persuaded an exemption for small credit unions is warranted; this is discussed below in the section on the Regulatory Flexibility Act.
Another recommendation suggested the Board include the general ledger as a vital record. This is unnecessary because the content of the general ledger is contained in the records designated as vital; the Board notes credit unions are free to classify additional records as vital if they choose.
As proposed, vital records is defined to include a “list of share, deposit, and loan balances for each member's account as of the most recent business day,” and another recommendation was that the phrase “as of the most recent business day” would be clearer if the word “completed” were added before “business” or the phrase “day of normal operations” was substituted for “business day.” To clarify, the Board has revised the phrase to read “as of the close of the most recent business day.” This means the credit union must have this record as of the close of the most recent day the credit union was open for business.
The Board is aware of some concern about the level of detail required in the records log, particularly where records may be stored in an electronic format and various individuals may be involved in scanning paper records for storage. This provision is re-worded slightly in the amendment but substantively unchanged from previous requirements; the Board believes recording this information is not unduly burdensome and ensures accountability for this important function. The log can take various forms, for example, a data processing system log. Where various persons may be involved in preparing records for storage, whether in an electronic format or otherwise, the log should identify who is responsible, as stated in the regulation, for “sending the record to storage.”
Appendix B—Catastrophic Act Preparedness Guidelines
Nine commenters expressed an opinion on whether to include a new Appendix B in the regulation: Three supported including it and six recommended against it. Five of the six commenters that opposed including the appendix felt sufficient guidance already existed. One of these five, a national trade association, also expressed a concern that including the appendix and other recommendations in the regulation would cause examiners and credit union staff to misconstrue the guidance as being enforceable like a regulation. The sixth commenter felt it would be more appropriate to integrate the guidance into the regulation.
The Board has weighed the fact the guidance is available from other sources and the potential for confusion regarding enforceability of a regulation versus guidance. The Board believes the benefit to credit unions in having the guidance in proximity to the regulatory requirement will enhance access to the guidance and will facilitate compliance. The Board believes including specific words like “recommended” and “guidance” means, as a legal matter, that the guidance is just that—guidance—and is not enforceable as a regulation. These words clarify and minimize, to the extent linguistically possible, the potential for misinterpretation.
NCUA, as a matter of its supervisory obligation to protect the interests of credit union members and the National Credit Union Share Insurance Fund, offers guidance to help federally-insured credit unions meet their obligation to protect their operations. Federally-insured credit unions may choose to meet this obligation through other alternatives appropriate for their operations.
Regulatory Procedures
Regulatory Flexibility Act
The Regulatory Flexibility Act requires NCUA to prepare an analysis to describe any significant economic impact a proposed rule may have on a substantial number of small credit unions (those under $10 million in assets). This proposed rule modifies a preexisting requirement for federally-insured credit unions to file reports of catastrophic acts and to have a vital records preservation program. The requirement to maintain vital records as of the most recent business day versus the existing month-end requirement may pose some burden for non-automated credit unions. There are approximately 122 non-automated credit unions or approximately 3.3% of all small credit unions. The NCUA has determined and certifies that this proposed rule, if adopted, will not have a significant economic impact on a substantial number of small credit unions. Accordingly, the NCUA has determined that an RFA analysis is not required.
Paperwork Reduction Act
The changes involve information collection requirements. As required by the Paperwork Reduction Act of 1995 (44 U.S.C. 3507(d)), NCUA submitted a copy of the proposed rule as part of an information collection package to the Office of Management and Budget (OMB) for its review. OMB has approved this collection as a revision to an existing collection, OMB Control Number 3133-0032.
Executive Order 13132
Executive Order 13132 encourages independent regulatory agencies to consider the impact of their regulatory actions on state and local interests. In adherence to fundamental federalism principles, NCUA, an independent regulatory agency as defined in 44 U.S.C. 3502(5), voluntarily complies with the executive order. This proposed rule, if adopted, will not have substantial direct effects on the states, on the relationship between the national government and states, or on the distribution of power and responsibilities among the various levels of government. NCUA has determined the proposed rule does not constitute a policy that has federalism implications for purposes of the executive order.
Treasury and General Government Appropriations Act, 1999
NCUA has determined that the proposed rule will not affect family well-being within the meaning of section 654 of the Treasury and General Appropriations Act, 1999, Public Law 105-277, 112 Stat. 2681 (1998).
List of Subjects
Credit Unions, Reporting and record keeping requirements.
Credit Unions, Reporting and record keeping requirements.
By the National Credit Union Administration Board on July 26, 2007.
Mary Rupp,
Secretary of the Board.
For the reasons set forth in the preamble, the Board amends 12 CFR parts 748 and 749 as set forth below.
Accordingly, NCUA amends 12 CFR parts 748 and 749 as follows:
PART 748—SECURITY PROGRAM, REPORT OF SUSPECTED CRIMES, SUSPICIOUS TRANSACTIONS, CATASTROPHIC ACTS AND BANK SECRECY ACT COMPLIANCE
1. The authority citation for part 748 continues to read as follows:
Authority:
12 U.S.C. 1766(a) and 1786(q); 15 U.S.C. 6801 and 6805(b); 31 U.S.C. 5311 and 5318.
2. Amend § 748.1 by revising the second sentence of paragraph (b) to read as follows:
§ 748.1
(b) * * * A catastrophic act is any disaster, natural or otherwise, resulting in physical destruction or damage to the credit union or causing an interruption in vital member services, as defined in § 749.1 of this chapter, projected to last more than two consecutive business days. * * *
PART 749—RECORDS PRESERVATION PROGRAM AND APPENDICES—RECORD RETENTION GUIDELINES; CATASTROPHIC ACT PREPAREDNESS GUIDELINES
1. The authority citation for part 749 continues to read as follows:
Authority:
12 U.S.C. 1766, 1783 and 1789; 15 U.S.C. 7001(d).
2. Amend part 749 by revising the part heading as set forth above.
3. Revise § 749.0 to read as follows:
§ 749.0
(a) This part describes the obligations of all federally-insured credit unions to maintain a records preservation program to identify, store and reconstruct vital records in the event that the credit union's records are destroyed and provides recommendations for restoring vital member services. All credit unions must have a written program that includes plans for safeguarding records and reconstructing vital records. To complement these plans, it is recommended a credit union develop a method for restoring vital member services in the event of a catastrophic act as defined in § 748.1(b) of this chapter. Additionally, the regulation establishes flexibility in the format credit unions may use for maintaining writings, records or information required by other NCUA regulations.
(b) Appendix A to this part provides guidance concerning the appropriate length of time credit unions should retain various types of operational records. Appendix B to this part also provides guidance for developing a program for responding to a catastrophic act to ensure duplicate vital records can be used for restoration of vital member services.
4. Revise § 749.1 to read as follows:
§ 749.1
For purposes of this part:
Vital member services mean informational account inquiries, share withdrawals and deposits, and loan payments and disbursements.
Vital records refer to the following records:
(a) A list of share, deposit, and loan balances for each member's account as of the close of the most recent business day that:
(1) Shows each balance individually identified by a name or number;
(2) Lists multiple loans of one account separately; and
(3) Contains information sufficient to enable the credit union to locate each member, such as address and telephone number.
(b) A financial report, which lists all of the credit union's asset and liability accounts and bank reconcilements, current as of the most recent month-end.
(c) A list of the credit union's accounts at financial institutions, insurance policies, and investments along with related contact information, current as of the most recent month-end.
(d) Emergency contact information for employees, officials, regulatory offices, and vendors used to support vital records.
5. Revise § 749.2 to read as follows:
§ 749.2
The board of directors of a credit union is responsible for establishing a vital records preservation program within 6 months after its insurance certificate is issued. The program must be in writing and contain procedures for maintaining duplicate vital records at a vital records center. The procedures must include: designated staff responsible for vital records preservation, a schedule for the storage and destruction of records, and a records preservation log detailing for each record stored, its name, storage location, storage date, and name of the person sending the record for storage. It is recommended credit unions include in these procedures a method for using duplicate records to restore vital member services in the event of catastrophic act. Credit unions which have some or all of their records maintained by an off-site data processor are considered to be in compliance for the storage of those records if the service agreement specifies the data processor safeguards against the simultaneous destruction of production and back-up information.
6. Revise § 749.3 to read as follows:
§ 749.3
A vital records center is defined as a storage facility, which may include another federally-insured credit union, at any location far enough from the credit union's offices to avoid the simultaneous loss of both sets of records in the event of a catastrophic act. A credit union must maintain or contract with a third party to maintain any equipment or software for its vital records center necessary to access records.
7. Revise § 749.4 to read as follows:
§ 749.4
Preserved records may be in any format that can be used to reconstruct the credit union's records. The format used must accurately reflect the information in the record, remain accessible to all persons entitled to access by statute, regulation or rule of law, and be capable of reproduction by transmission, printing, or otherwise.
8. Revise § 749.5 to read as follows:
§ 749.5
Where NCUA regulations require credit unions to retain certain writings, records or information, credit unions may use any format that accurately reflects the information in the record, is accessible to all persons entitled to access by statute, regulation or rule of law, and is capable of being reproduced by transmission, printing, or otherwise. The credit union must maintain the necessary equipment or software to permit an examiner to access the records during the examination process.
9. Add new Appendix B to part 749 to read as follows:
Appendix B to Part 749—Catastrophic Act Preparedness Guidelines
Credit unions often look to NCUA for guidance on preparing for a catastrophic act. While NCUA has minimal regulation in this area, 1
as an aid to credit unions it is publishing this appendix of suggested guidelines. It is recommended that all credit unions develop a program to prepare for a catastrophic act. The program should be developed with oversight and approval of the board of directors. It is recommended the program address the following five elements:
(1) A business impact analysis to evaluate potential threats;
(2) A risk assessment to determine critical systems and necessary resources;
(3) A written plan addressing:
i. Persons with authority to enact the plan;
ii. Preservation and ability to restore vital records;
iii. A method for restoring vital member services through identification of alternate operating location(s) or mediums to provide services, such as telephone centers, shared service centers, agreements with other credit unions, or other appropriate methods;
iv. Communication methods for employees and members;
v. Notification of regulators as addressed in 12 CFR 748.1(b);
vi. Training and documentation of training to ensure all employees and volunteer officials are aware of procedures to follow in the event of destruction of vital records or loss of vital member services; and
vii. Testing procedures, including a means for documenting the testing results.
(4) Internal controls for reviewing the plan at least annually and for revising the plan as circumstances warrant, for example, to address changes in the credit union's operations; and
(5) Annual testing.
[FR Doc. E7-14851 Filed 8-1-07; 8:45 am]
BILLING CODE 7535-01-P